npm - qualia-framework - Versions diffs - 7.0.1 → 7.2.0 - Mend

qualia-framework 7.0.1 → 7.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (29) hide show

package/CHANGELOG.md +76 -0
package/bin/cli.js +6 -1
package/bin/dep-verify.mjs +328 -0
package/bin/install.js +15 -0
package/bin/qualia-ui.js +186 -1
package/bin/report-payload.js +4 -1
package/bin/runtime-manifest.js +1 -0
package/bin/state.js +11 -4
package/bin/statusline.js +7 -1
package/bin/trust-score.js +1 -1
package/hooks/pre-deploy-gate.js +54 -3
package/hooks/secret-guard.js +162 -0
package/hooks/session-start.js +1 -0
package/package.json +4 -1
package/skills/qualia-build/SKILL.md +8 -1
package/skills/qualia-report/SKILL.md +11 -0
package/skills/qualia-ship/SKILL.md +17 -1
package/skills/qualia-verify/SKILL.md +11 -4
package/tests/bin.test.sh +2 -2
package/tests/dep-verify.test.sh +247 -0
package/tests/hooks.test.sh +97 -0
package/tests/install-smoke.test.sh +4 -3
package/tests/journey-spine.test.sh +171 -0
package/tests/lib.test.sh +4 -4
package/tests/run-all.sh +4 -0
package/tests/runner.js +2 -2
package/tests/runtime-parity.test.sh +62 -0
package/tests/secret-guard.test.sh +92 -0
package/tests/state.test.sh +35 -0

package/skills/qualia-verify/SKILL.md CHANGED Viewed

@@ -76,9 +76,11 @@ Verify the {L} concerns of this phase. Every finding needs file:line evidence an
 Write your findings as a JSON array to .planning/phase-{N}-panel-{L}.json:
   [{\"file\":\"path\",\"line\":N,\"severity\":\"CRITICAL|HIGH|MEDIUM|LOW\",\"title\":\"one-line claim\"}]
 Empty array [] if the {L} lens is clean. Also append a human '## {L} lens' section to .planning/phase-{N}-verification.md.
-", subagent_type="qualia-verifier", description="Verify phase {N} — {L} lens")
+", subagent_type="qualia-verifier", model="sonnet", description="Verify phase {N} — {L} lens")
 ```
+**Model routing.** Panel verifiers do *finding* work — grep code against acceptance criteria and the shared machine evidence — which is high-recall but low-judgment, so they run on **`sonnet`**. Spend the frontier model where the verdict is actually decided: the skeptic vote (§3c step 2). This is the intelligent-model-routing OpEx lever applied to verification — cheaper on the wide finding pass, frontier on the narrow adjudication.
 ### 3b. Browser QA (if phase touched frontend)
 If plan Files include `.tsx`/`.jsx`/`.css`/`.scss` or `app/`/`pages/`/`components/` paths, spawn browser QA parallel:
@@ -129,6 +131,8 @@ Return exactly one line: REAL — {file:line reason}   OR   NOT_REAL — {file:l
 ", subagent_type="qualia-verifier", description="Skeptic {i}/3 — {title}")
 ```
+Skeptics deliberately **omit `model=`** so they inherit the session's frontier model: their REAL/NOT_REAL judgment is what flips a CRITICAL/HIGH verdict, and that is the one step in the pipeline where model strength most changes the outcome. Route cheap on the finding pass, never on the adjudication.
 Tally each finding's votes into `.planning/phase-{N}-panel.json` (`votes.real` / `votes.notReal`).
 **3. Aggregate** deterministically:
@@ -196,13 +200,16 @@ Write the deterministic eval artifact before changing state:
 node ${QUALIA_BIN}/harness-eval.js --phase {N} --run --write
 ```
-Run the zero-token anti-slop scan as a deterministic gate (same role as `migration-guard`/`branch-guard` — the scanner exits non-zero on CRITICAL design tells). A CRITICAL finding is a verification FAIL, not a soft note:
+Run the zero-token deterministic gates (same role as `migration-guard`/`branch-guard` — each exits non-zero on a hard fault). A non-zero exit is a verification FAIL, not a soft note:
 ```bash
-node ${QUALIA_BIN}/slop-detect.mjs --severity=critical
+node ${QUALIA_BIN}/slop-detect.mjs --severity=critical   # CRITICAL design tells (the slop half)
+node ${QUALIA_BIN}/dep-verify.mjs --severity=critical     # hallucinated/slopsquatted imports (the correctness half)
 ```
-The phase is PASS only if ALL of these agree: the panel verdict (§3c `verify-panel.js` exit 0), the harness-eval status, and the anti-slop scan. If any is FAIL/non-zero, mark the phase FAIL. The state machine also refuses PASS when a contract exists but `.planning/evidence/phase-{N}-contract-run.json` is missing/failing, or when the verification report contains `INSUFFICIENT EVIDENCE`.
+`dep-verify` flags any import whose package is BOTH undeclared in `package.json` AND absent from `node_modules` — the exact signature of an AI-invented or typosquatted dependency (the #1 named AI-generated-code security failure mode). It is the correctness/security companion to the design-focused `slop-detect`.
+The phase is PASS only if ALL of these agree: the panel verdict (§3c `verify-panel.js` exit 0), the harness-eval status, the anti-slop scan, and the dependency scan. If any is FAIL/non-zero, mark the phase FAIL. The state machine also refuses PASS when a contract exists but `.planning/evidence/phase-{N}-contract-run.json` is missing/failing, or when the verification report contains `INSUFFICIENT EVIDENCE`.
 ```bash
 node ${QUALIA_BIN}/state.js transition --to verified --phase {N} --verification {pass|fail} --evidence .planning/evals/harness-eval-*.json

package/tests/bin.test.sh CHANGED Viewed

@@ -495,8 +495,8 @@ fi
 # usage-capture added in v6.9.1 — UserPromptSubmit telemetry capture;
 # task-write-guard added in v6.13 — R1 runtime plan-contract file-scope guard)
 HOOK_COUNT=$(ls "$TMP/.claude/hooks/"*.js 2>/dev/null | wc -l)
-if [ "$HOOK_COUNT" -eq 15 ]; then
-  pass "15 hooks installed in hooks/ (incl. task-write-guard v6.13)"
+if [ "$HOOK_COUNT" -eq 16 ]; then
+  pass "16 hooks installed in hooks/ (incl. task-write-guard + secret-guard)"
 else
   fail_case "hook count" "got $HOOK_COUNT"
 fi

package/tests/dep-verify.test.sh ADDED Viewed

@@ -0,0 +1,247 @@
+#!/bin/bash
+# Qualia Framework — bin/dep-verify.mjs behavior tests
+# Verifies the hallucinated/slopsquatted-dependency gate catches what it claims:
+# imports that are neither declared in package.json nor installed in node_modules.
+#
+# Run: bash tests/dep-verify.test.sh
+PASS=0
+FAIL=0
+DEP_VERIFY="$(cd "$(dirname "$0")/../bin" && pwd)/dep-verify.mjs"
+NODE="${NODE:-node}"
+TMP_DIRS=()
+cleanup() {
+  for d in "${TMP_DIRS[@]}"; do
+    [ -d "$d" ] && rm -rf "$d"
+  done
+}
+trap cleanup EXIT
+mktmp() {
+  local TMP
+  TMP=$(mktemp -d)
+  TMP_DIRS+=("$TMP")
+  echo "$TMP"
+}
+pass() { echo "  ✓ $1"; PASS=$((PASS + 1)); }
+fail_case() { echo "  ✗ $1"; echo "    $2"; FAIL=$((FAIL + 1)); }
+echo "dep-verify.test.sh — bin/dep-verify.mjs behavioral tests"
+echo ""
+# ── Sanity: file exists and parses ────────────────────────────────────
+if [ ! -f "$DEP_VERIFY" ]; then
+  fail_case "dep-verify exists" "$DEP_VERIFY not found"
+  echo "=== Results: $PASS passed, $FAIL failed ==="
+  exit 1
+fi
+pass "dep-verify.mjs exists at expected path"
+if $NODE --check "$DEP_VERIFY" 2>/dev/null; then
+  pass "dep-verify.mjs syntax is valid"
+else
+  fail_case "syntax check" "node --check failed on $DEP_VERIFY"
+fi
+# ── Declared dependency: should pass (exit 0) ─────────────────────────
+TMP=$(mktmp)
+cat > "$TMP/package.json" <<'EOF'
+{ "name": "fixture", "dependencies": { "react": "^19.0.0" } }
+EOF
+cat > "$TMP/declared.tsx" <<'EOF'
+import { useState } from 'react';
+import { thing } from './local-module';
+import fs from 'node:fs';
+export const x = useState;
+EOF
+EXIT_CODE=0
+$NODE "$DEP_VERIFY" "$TMP/declared.tsx" >/dev/null 2>&1 || EXIT_CODE=$?
+if [ "$EXIT_CODE" = "0" ]; then
+  pass "exits 0 when imports are declared / relative / builtin"
+else
+  fail_case "declared deps" "expected exit 0, got $EXIT_CODE"
+fi
+# ── Hallucinated package: undeclared AND not installed → exit 1 ────────
+TMP2=$(mktmp)
+cat > "$TMP2/package.json" <<'EOF'
+{ "name": "fixture", "dependencies": { "react": "^19.0.0" } }
+EOF
+cat > "$TMP2/bad.tsx" <<'EOF'
+import { toast } from 'react-use-magic-toast-9000';
+export const t = toast;
+EOF
+EXIT_CODE=0
+OUT=$($NODE "$DEP_VERIFY" "$TMP2/bad.tsx" 2>&1) || EXIT_CODE=$?
+if [ "$EXIT_CODE" = "1" ] && echo "$OUT" | grep -q "react-use-magic-toast-9000"; then
+  pass "exits 1 and names the hallucinated package"
+else
+  fail_case "hallucinated dep" "exit=$EXIT_CODE out=$(echo "$OUT" | head -c 120)"
+fi
+# ── Installed-but-undeclared (phantom): should NOT flag ───────────────
+TMP3=$(mktmp)
+cat > "$TMP3/package.json" <<'EOF'
+{ "name": "fixture", "dependencies": {} }
+EOF
+mkdir -p "$TMP3/node_modules/left-pad"
+cat > "$TMP3/uses-installed.js" <<'EOF'
+const lp = require('left-pad');
+module.exports = lp;
+EOF
+EXIT_CODE=0
+$NODE "$DEP_VERIFY" "$TMP3/uses-installed.js" >/dev/null 2>&1 || EXIT_CODE=$?
+if [ "$EXIT_CODE" = "0" ]; then
+  pass "does NOT flag a package that is installed in node_modules (low false positives)"
+else
+  fail_case "installed phantom" "expected exit 0, got $EXIT_CODE"
+fi
+# ── tsconfig path alias should be ignored ─────────────────────────────
+TMP4=$(mktmp)
+cat > "$TMP4/package.json" <<'EOF'
+{ "name": "fixture", "dependencies": {} }
+EOF
+cat > "$TMP4/tsconfig.json" <<'EOF'
+{ "compilerOptions": { "paths": { "@app/*": ["src/*"] } } }
+EOF
+cat > "$TMP4/alias.tsx" <<'EOF'
+import { Button } from '@app/components/button';
+export const B = Button;
+EOF
+EXIT_CODE=0
+$NODE "$DEP_VERIFY" "$TMP4/alias.tsx" >/dev/null 2>&1 || EXIT_CODE=$?
+if [ "$EXIT_CODE" = "0" ]; then
+  pass "ignores tsconfig path aliases (@app/*)"
+else
+  fail_case "path alias" "expected exit 0, got $EXIT_CODE"
+fi
+# ── Commented-out import must not trigger ─────────────────────────────
+TMP5=$(mktmp)
+cat > "$TMP5/package.json" <<'EOF'
+{ "name": "fixture", "dependencies": {} }
+EOF
+cat > "$TMP5/commented.ts" <<'EOF'
+// import { x } from 'definitely-not-real-pkg';
+export const y = 1;
+EOF
+EXIT_CODE=0
+$NODE "$DEP_VERIFY" "$TMP5/commented.ts" >/dev/null 2>&1 || EXIT_CODE=$?
+if [ "$EXIT_CODE" = "0" ]; then
+  pass "ignores commented-out imports"
+else
+  fail_case "commented import" "expected exit 0, got $EXIT_CODE"
+fi
+# ── String/regex awareness: import sharing a line with a // -bearing
+#    string or regex literal must STILL be caught (no silent false negative) ──
+TMP6=$(mktmp)
+cat > "$TMP6/package.json" <<'EOF'
+{ "name": "fixture", "dependencies": {} }
+EOF
+cat > "$TMP6/sameline.ts" <<'EOF'
+const re = /url:\/\//; import { x } from 'hallucinated-sameline';
+EOF
+EXIT_CODE=0
+OUT=$($NODE "$DEP_VERIFY" "$TMP6/sameline.ts" 2>&1) || EXIT_CODE=$?
+if [ "$EXIT_CODE" = "1" ] && echo "$OUT" | grep -q "hallucinated-sameline"; then
+  pass "catches an import on the same line as a regex literal (no false negative)"
+else
+  fail_case "regex-sameline FN" "exit=$EXIT_CODE out=$(echo "$OUT" | head -c 120)"
+fi
+# ── Import syntax INSIDE a string literal must NOT be flagged (no FP) ──
+TMP7=$(mktmp)
+cat > "$TMP7/package.json" <<'EOF'
+{ "name": "fixture", "dependencies": {} }
+EOF
+cat > "$TMP7/strlit.ts" <<'EOF'
+export const example = "import { fake } from 'made-up-package'";
+EOF
+EXIT_CODE=0
+$NODE "$DEP_VERIFY" "$TMP7/strlit.ts" >/dev/null 2>&1 || EXIT_CODE=$?
+if [ "$EXIT_CODE" = "0" ]; then
+  pass "does NOT flag import syntax inside a string literal (no false positive)"
+else
+  fail_case "string-literal FP" "expected exit 0, got $EXIT_CODE"
+fi
+# ── Scoped hallucinated package → flagged and named ───────────────────
+TMP8=$(mktmp)
+cat > "$TMP8/package.json" <<'EOF'
+{ "name": "fixture", "dependencies": {} }
+EOF
+cat > "$TMP8/scoped.tsx" <<'EOF'
+import { thing } from '@hallucinated-scope/nonexistent-pkg';
+export const t = thing;
+EOF
+EXIT_CODE=0
+OUT=$($NODE "$DEP_VERIFY" "$TMP8/scoped.tsx" 2>&1) || EXIT_CODE=$?
+if [ "$EXIT_CODE" = "1" ] && echo "$OUT" | grep -q "@hallucinated-scope/nonexistent-pkg"; then
+  pass "flags a scoped hallucinated package (@scope/name)"
+else
+  fail_case "scoped dep" "exit=$EXIT_CODE out=$(echo "$OUT" | head -c 120)"
+fi
+# ── Protocol specifier (virtual:/https:) must NOT be flagged ──────────
+TMP9=$(mktmp)
+cat > "$TMP9/package.json" <<'EOF'
+{ "name": "fixture", "dependencies": {} }
+EOF
+cat > "$TMP9/proto.ts" <<'EOF'
+import config from 'virtual:generated-config';
+export const c = config;
+EOF
+EXIT_CODE=0
+$NODE "$DEP_VERIFY" "$TMP9/proto.ts" >/dev/null 2>&1 || EXIT_CODE=$?
+if [ "$EXIT_CODE" = "0" ]; then
+  pass "ignores protocol specifiers (virtual:, https:)"
+else
+  fail_case "protocol specifier" "expected exit 0, got $EXIT_CODE"
+fi
+# ── Directory scan: flags src/, skips node_modules/ (production invocation) ──
+TMPD=$(mktmp)
+cat > "$TMPD/package.json" <<'EOF'
+{ "name": "fixture", "dependencies": { "react": "^19.0.0" } }
+EOF
+mkdir -p "$TMPD/src" "$TMPD/node_modules/some-pkg"
+echo "import { useState } from 'react';" > "$TMPD/src/good.ts"
+echo "import { z } from 'ghost-pkg-in-src';" > "$TMPD/src/bad.ts"
+echo "import { q } from 'ghost-inside-node-modules';" > "$TMPD/node_modules/some-pkg/index.ts"
+EXIT_CODE=0
+OUT=$($NODE "$DEP_VERIFY" "$TMPD" 2>&1) || EXIT_CODE=$?
+if [ "$EXIT_CODE" = "1" ] && echo "$OUT" | grep -q "ghost-pkg-in-src" && ! echo "$OUT" | grep -q "ghost-inside-node-modules"; then
+  pass "directory scan flags src/ and skips node_modules/"
+else
+  fail_case "directory scan" "exit=$EXIT_CODE out=$(echo "$OUT" | head -c 160)"
+fi
+# ── --json flag produces JSON output (exit 1 + ok:false on findings) ──
+EXIT_CODE=0
+JSON_OUT=$($NODE "$DEP_VERIFY" --json "$TMP2/bad.tsx" 2>/dev/null) || EXIT_CODE=$?
+if [ "$EXIT_CODE" = "1" ] \
+   && echo "$JSON_OUT" | head -1 | grep -qE "^[\{\[]" \
+   && echo "$JSON_OUT" | grep -q '"findings"' \
+   && echo "$JSON_OUT" | grep -q '"ok": false'; then
+  pass "--json produces JSON with ok:false and exits 1 on findings"
+else
+  fail_case "--json output" "exit=$EXIT_CODE first line: '$(echo "$JSON_OUT" | head -c 80)'"
+fi
+# ── Missing path → invocation error (exit 2) ──────────────────────────
+EXIT_CODE=0
+$NODE "$DEP_VERIFY" /nonexistent/path/xyz >/dev/null 2>&1 || EXIT_CODE=$?
+if [ "$EXIT_CODE" = "2" ]; then
+  pass "exits 2 on a missing path (invocation error)"
+else
+  fail_case "missing path" "expected exit 2, got $EXIT_CODE"
+fi
+echo ""
+echo "=== Results: $PASS passed, $FAIL failed ==="
+[ "$FAIL" = "0" ]

package/tests/hooks.test.sh CHANGED Viewed

@@ -494,6 +494,103 @@ else
 fi
 rm -rf "$TMP" "$QH"
+# --- pre-deploy-gate: dependency-verification gate (dep-verify.mjs wired into ship) ---
+# Build a tmp QUALIA_HOME carrying bin/dep-verify.mjs so the gate can find it.
+DEP_SRC="$(cd "$(dirname "$0")/../bin" && pwd)/dep-verify.mjs"
+# Hallucinated import (undeclared + not installed) → blocked with diagnostic
+TMP=$(mktemp -d)
+QH=$(mktemp -d)
+mkdir -p "$QH/bin" "$TMP/app"
+cp "$DEP_SRC" "$QH/bin/dep-verify.mjs"
+echo '{"name":"x","dependencies":{}}' > "$TMP/package.json"
+echo "import { z } from 'totally-made-up-pkg-xyz';" > "$TMP/app/page.tsx"
+OUT=$( (cd "$TMP" && QUALIA_HOME="$QH" $NODE "$HOOKS_DIR/pre-deploy-gate.js") 2>&1 )
+RC=$?
+if [ "$RC" -eq 2 ] && echo "$OUT" | grep -qi "hallucinated"; then
+  echo "  ✓ hallucinated import → blocked by dependency gate (exit 2)"
+  PASS=$((PASS + 1))
+else
+  echo "  ✗ hallucinated import → dependency block (exit=$RC out=$OUT)"
+  FAIL=$((FAIL + 1))
+fi
+rm -rf "$TMP" "$QH"
+# Clean file (no external imports) → dependency gate passes → exit 0
+TMP=$(mktemp -d)
+QH=$(mktemp -d)
+mkdir -p "$QH/bin" "$TMP/app"
+cp "$DEP_SRC" "$QH/bin/dep-verify.mjs"
+echo '{"name":"x","dependencies":{}}' > "$TMP/package.json"
+echo 'export default function P(){return null;}' > "$TMP/app/page.tsx"
+OUT=$( (cd "$TMP" && QUALIA_HOME="$QH" $NODE "$HOOKS_DIR/pre-deploy-gate.js") 2>&1 )
+RC=$?
+if [ "$RC" -eq 0 ] && echo "$OUT" | grep -q "Dependencies"; then
+  echo "  ✓ clean imports → dependency gate passes (exit 0)"
+  PASS=$((PASS + 1))
+else
+  echo "  ✗ clean imports → dependency gate passes (exit=$RC out=$OUT)"
+  FAIL=$((FAIL + 1))
+fi
+rm -rf "$TMP" "$QH"
+# QUALIA_SKIP_DEPCHECK=1 by non-OWNER → blocked (OWNER-only escape)
+TMP=$(mktemp -d)
+QH=$(mktemp -d)
+mkdir -p "$QH/bin" "$TMP/app"
+cp "$DEP_SRC" "$QH/bin/dep-verify.mjs"
+echo '{"role":"EMPLOYEE"}' > "$QH/.qualia-config.json"
+echo '{"name":"x","dependencies":{}}' > "$TMP/package.json"
+echo "import { z } from 'totally-made-up-pkg-xyz';" > "$TMP/app/page.tsx"
+OUT=$( (cd "$TMP" && QUALIA_SKIP_DEPCHECK=1 QUALIA_HOME="$QH" $NODE "$HOOKS_DIR/pre-deploy-gate.js") 2>&1 )
+RC=$?
+if [ "$RC" -eq 2 ] && echo "$OUT" | grep -q "OWNER-only"; then
+  echo "  ✓ QUALIA_SKIP_DEPCHECK by non-OWNER → blocked (OWNER-only)"
+  PASS=$((PASS + 1))
+else
+  echo "  ✗ QUALIA_SKIP_DEPCHECK non-OWNER block (exit=$RC out=$OUT)"
+  FAIL=$((FAIL + 1))
+fi
+rm -rf "$TMP" "$QH"
+# QUALIA_SKIP_DEPCHECK=1 by OWNER → allowed through (the escape valve works)
+TMP=$(mktemp -d)
+QH=$(mktemp -d)
+mkdir -p "$QH/bin" "$TMP/app"
+cp "$DEP_SRC" "$QH/bin/dep-verify.mjs"
+echo '{"role":"OWNER"}' > "$QH/.qualia-config.json"
+echo '{"name":"x","dependencies":{}}' > "$TMP/package.json"
+echo "import { z } from 'totally-made-up-pkg-xyz';" > "$TMP/app/page.tsx"
+OUT=$( (cd "$TMP" && QUALIA_SKIP_DEPCHECK=1 QUALIA_HOME="$QH" $NODE "$HOOKS_DIR/pre-deploy-gate.js") 2>&1 )
+RC=$?
+if [ "$RC" -eq 0 ] && echo "$OUT" | grep -qi "Dependency check skipped"; then
+  echo "  ✓ QUALIA_SKIP_DEPCHECK by OWNER → allowed (escape valve works)"
+  PASS=$((PASS + 1))
+else
+  echo "  ✗ QUALIA_SKIP_DEPCHECK OWNER allow (exit=$RC out=$OUT)"
+  FAIL=$((FAIL + 1))
+fi
+rm -rf "$TMP" "$QH"
+# Fail-closed: a crashing/non-completing dep-verify must BLOCK, not pass
+TMP=$(mktemp -d)
+QH=$(mktemp -d)
+mkdir -p "$QH/bin" "$TMP/app"
+# A stub scanner that exits 2 (invocation error) — must be treated as FAIL.
+printf '#!/usr/bin/env node\nprocess.exit(2);\n' > "$QH/bin/dep-verify.mjs"
+echo '{"name":"x","dependencies":{}}' > "$TMP/package.json"
+echo 'export default function P(){return null;}' > "$TMP/app/page.tsx"
+OUT=$( (cd "$TMP" && QUALIA_HOME="$QH" $NODE "$HOOKS_DIR/pre-deploy-gate.js") 2>&1 )
+RC=$?
+if [ "$RC" -eq 2 ] && echo "$OUT" | grep -qi "did not complete"; then
+  echo "  ✓ dep-verify non-completion → blocked, not silently passed (fail-closed)"
+  PASS=$((PASS + 1))
+else
+  echo "  ✗ dep-verify fail-closed (exit=$RC out=$OUT)"
+  FAIL=$((FAIL + 1))
+fi
+rm -rf "$TMP" "$QH"
 # Scanner absent (older install) → gate skips silently → exit 0
 TMP=$(mktemp -d)
 QH=$(mktemp -d)

package/tests/install-smoke.test.sh CHANGED Viewed

@@ -124,12 +124,13 @@ else
 fi
 if [ -d "$HOME_DIR/.claude/hooks" ] \
-  && [ "$(find "$HOME_DIR/.claude/hooks" -maxdepth 1 -name '*.js' | wc -l | tr -d ' ')" = "15" ] \
+  && [ "$(find "$HOME_DIR/.claude/hooks" -maxdepth 1 -name '*.js' | wc -l | tr -d ' ')" = "16" ] \
   && [ -f "$HOME_DIR/.claude/hooks/fawzi-approval-guard.js" ] \
   && [ -f "$HOME_DIR/.claude/hooks/pre-compact.js" ] \
   && [ -f "$HOME_DIR/.claude/hooks/usage-capture.js" ] \
-  && [ -f "$HOME_DIR/.claude/hooks/task-write-guard.js" ]; then
-  pass "packaged install has 15 hooks including task-write-guard (v6.13)"
+  && [ -f "$HOME_DIR/.claude/hooks/task-write-guard.js" ] \
+  && [ -f "$HOME_DIR/.claude/hooks/secret-guard.js" ]; then
+  pass "packaged install has 16 hooks including task-write-guard + secret-guard"
 else
   fail_case "packaged hook set mismatch"
 fi

package/tests/journey-spine.test.sh ADDED Viewed

@@ -0,0 +1,171 @@
+#!/bin/bash
+# journey-spine.test.sh — lifecycle cosmetic layer (bin/qualia-ui.js spine/onboard/
+# phase-complete/clockout + barTicks + statusline progress bar).
+# Run: bash tests/journey-spine.test.sh
+PASS=0
+FAIL=0
+BIN_DIR="$(cd "$(dirname "$0")/../bin" && pwd)"
+NODE="${NODE:-node}"
+UI="$BIN_DIR/qualia-ui.js"
+STATE="$BIN_DIR/state.js"
+STATUSLINE="$BIN_DIR/statusline.js"
+# strip ANSI for column-accurate assertions
+strip() { sed 's/\x1b\[[0-9;]*m//g'; }
+assert_contains()     { if echo "$2" | strip | grep -qF -- "$3"; then echo "  ✓ $1"; PASS=$((PASS+1)); else echo "  ✗ $1 (missing '$3')"; FAIL=$((FAIL+1)); fi; }
+assert_not_contains() { if echo "$2" | strip | grep -qF -- "$3"; then echo "  ✗ $1 (should not contain '$3')"; FAIL=$((FAIL+1)); else echo "  ✓ $1"; PASS=$((PASS+1)); fi; }
+echo "journey-spine.test.sh — lifecycle cosmetic layer"
+echo ""
+$NODE -c "$UI" 2>/dev/null && { echo "  ✓ qualia-ui syntax valid"; PASS=$((PASS+1)); } || { echo "  ✗ qualia-ui syntax invalid"; FAIL=$((FAIL+1)); }
+# ── barTicks: scaling + clamping ──
+TICKS=$($NODE -e 'const u=require(process.argv[1]); console.log(["a"+u.barTicks(4,5),"b"+u.barTicks(0,5),"c"+u.barTicks(5,5),"d"+u.barTicks(9,5),"e"+u.barTicks(2,0)].join("\n"))' "$UI" | strip)
+assert_contains "barTicks 4/5 → 4 filled"        "$TICKS" "a▰▰▰▰▱"
+assert_contains "barTicks 0/5 → all empty"        "$TICKS" "b▱▱▱▱▱"
+assert_contains "barTicks 5/5 → all filled"       "$TICKS" "c▰▰▰▰▰"
+assert_contains "barTicks clamps over-fill to 5"  "$TICKS" "d▰▰▰▰▰"
+assert_contains "barTicks total<1 → empty string" "$TICKS" "e"
+# ── onboard card ──
+ONB=$($NODE "$UI" onboard "Maria" 2>&1)
+assert_contains "onboard greets by name"          "$ONB" "welcome aboard, Maria"
+assert_contains "onboard shows milestone flow"    "$ONB" "Plan"
+assert_contains "onboard shows the first move"    "$ONB" "/qualia"
+# ── phase-complete card ──
+PC=$($NODE "$UI" phase-complete 3 "Checkout flow" tasks=6 mdone=4 mtotal=5 streak=3 next=/qualia-build nextname="Order confirmation" 2>&1)
+assert_contains "phase-complete shows phase + name"     "$PC" "PHASE 3 COMPLETE"
+assert_contains "phase-complete shows task count"       "$PC" "6 tasks"
+assert_contains "phase-complete shows milestone bar"    "$PC" "4/5 phases"
+assert_contains "phase-complete 'one more' at 4/5"      "$PC" "one more to close the milestone"
+assert_contains "phase-complete shows streak"           "$PC" "3 phases shipped today"
+assert_contains "phase-complete shows next command"     "$PC" "/qualia-build"
+# streak of 1 must NOT render (not a streak)
+PC1=$($NODE "$UI" phase-complete 1 "Cart" streak=1 2>&1)
+assert_not_contains "phase-complete hides streak=1"     "$PC1" "shipped today"
+# milestone complete wording at full
+PCFULL=$($NODE "$UI" phase-complete 5 "Polish" mdone=5 mtotal=5 2>&1)
+assert_contains "phase-complete 'ready to close' at 5/5" "$PCFULL" "milestone ready to close"
+# ── clockout card ──
+CO=$($NODE "$UI" clockout "Maria" date="Thu Jun 25" phases=3 tasks=14 commits=9 mdone=4 mtotal=5 streak=4 erp=ok 2>&1)
+assert_contains "clockout names the employee"     "$CO" "CLOCK OUT"
+assert_contains "clockout shows shipped phases"   "$CO" "3 phases"
+assert_contains "clockout shows commits"          "$CO" "9 commits"
+assert_contains "clockout shows milestone %"      "$CO" "80%"
+assert_contains "clockout shows streak"           "$CO" "4 days"
+assert_contains "clockout confirms ERP upload"    "$CO" "uploaded to ERP"
+CO_Q=$($NODE "$UI" clockout "Maria" erp=queued 2>&1)
+assert_contains "clockout queued state"           "$CO_Q" "queued"
+# ── spine: needs a multi-milestone project fixture ──
+TMP=$(mktemp -d)
+(
+  cd "$TMP"
+  $NODE "$STATE" init --project "acme-portal" \
+    --phases '[{"name":"Cart","goal":"x"},{"name":"Checkout","goal":"y"},{"name":"Receipts","goal":"z"}]' >/dev/null 2>&1
+  mkdir -p .planning
+  cat > .planning/JOURNEY.md <<'JEOF'
+---
+project: "acme-portal"
+---
+## Milestone 1 · Foundations
+1. **Auth**
+## Milestone 2 · Commerce
+1. **Cart**
+## Milestone 3 · Growth
+1. **Referrals**
+## Milestone 4 · Handoff
+1. **Docs**
+JEOF
+)
+SPINE=$(cd "$TMP" && $NODE "$UI" spine 2>&1)
+assert_contains "spine renders the Journey label"  "$SPINE" "Journey"
+assert_contains "spine renders all 4 milestones"   "$SPINE" "M4"
+assert_contains "spine shows current marker ◆"     "$SPINE" "◆"
+assert_contains "spine shows 'you are here'"       "$SPINE" "you are here"
+# caret column == current-marker column (exact alignment)
+ALIGN=$(cd "$TMP" && $NODE "$UI" spine 2>&1 | strip | $NODE -e '
+  let s=""; process.stdin.on("data",d=>s+=d).on("end",()=>{
+    const lines=s.split("\n").filter(l=>l.length);
+    const spine=lines.find(l=>l.includes("Journey"));
+    const caret=lines.find(l=>l.includes("you are here"));
+    if(!spine||!caret){console.log("NOLINES");return;}
+    const markerCol=spine.indexOf("◆");
+    const caretCol=caret.indexOf("↑");
+    console.log(markerCol===caretCol?"ALIGNED":("MISALIGNED "+markerCol+" vs "+caretCol));
+  });
+')
+assert_contains "spine caret aligns under current marker" "$ALIGN" "ALIGNED"
+# spine self-skips with <2 milestones (single-milestone project)
+TMP2=$(mktemp -d)
+( cd "$TMP2" && $NODE "$STATE" init --project "solo" --phases '[{"name":"A","goal":"x"}]' >/dev/null 2>&1 )
+SPINE2=$(cd "$TMP2" && $NODE "$UI" spine 2>&1)
+assert_not_contains "spine self-skips single-milestone project" "$SPINE2" "you are here"
+# spine outside any project → no crash, no output
+SPINE3=$(cd / && $NODE "$UI" spine 2>&1)
+assert_not_contains "spine no-ops outside a project" "$SPINE3" "Journey"
+# ── statusline: the always-visible progress bar ──
+TMP3=$(mktemp -d); mkdir -p "$TMP3/.planning"
+cat > "$TMP3/.planning/tracking.json" <<'TEOF'
+{"phase":3,"total_phases":5,"status":"building","milestone":2,"milestone_name":"Commerce","tasks_done":2,"tasks_total":6,"blockers":[]}
+TEOF
+SL=$(printf '{"workspace":{"current_dir":"%s"},"cost":{"total_cost_usd":0},"duration_ms":0}' "$TMP3" | $NODE "$STATUSLINE" 2>&1)
+assert_contains "statusline shows P3/5"            "$SL" "P3/5"
+assert_contains "statusline shows the tick bar"    "$SL" "▰▰▰▱▱"
+# ── skill-wiring smoke: run the ACTUAL ship/report closing bash ──
+# These mirror the exact variable plumbing in skills/qualia-ship/SKILL.md and
+# skills/qualia-report/SKILL.md (state.js parsing + ${VAR:+…} expansions), so a
+# regression in the wiring — not just the renderer — is caught.
+TMP4=$(mktemp -d)
+( cd "$TMP4" && $NODE "$STATE" init --project "wired" \
+    --phases '[{"name":"Cart","goal":"x"},{"name":"Checkout","goal":"y"},{"name":"Receipts","goal":"z"}]' >/dev/null 2>&1 )
+# ---- /qualia-ship closing block (verbatim plumbing) ----
+SHIP_OUT=$(cd "$TMP4" && {
+  PHASE_NUM=$($NODE "$STATE" check 2>/dev/null | $NODE -pe 'try{JSON.parse(require("fs").readFileSync(0)).phase||""}catch{""}')
+  PHASE_NAME=$($NODE "$STATE" check 2>/dev/null | $NODE -pe 'try{JSON.parse(require("fs").readFileSync(0)).phase_name||""}catch{""}')
+  TOTAL_PHASES=$($NODE "$STATE" check 2>/dev/null | $NODE -pe 'try{JSON.parse(require("fs").readFileSync(0)).total_phases||""}catch{""}')
+  TASKS_DONE=4
+  $NODE "$UI" phase-complete "${PHASE_NUM:-?}" "$PHASE_NAME" \
+    ${TASKS_DONE:+tasks=$TASKS_DONE} \
+    ${PHASE_NUM:+mdone=$PHASE_NUM} ${TOTAL_PHASES:+mtotal=$TOTAL_PHASES} \
+    next=/qualia-handoff
+} 2>&1)
+assert_contains "ship wiring → resolves phase number into card" "$SHIP_OUT" "PHASE 1 COMPLETE"
+assert_contains "ship wiring → tasks plumbed through"   "$SHIP_OUT" "4 tasks"
+assert_contains "ship wiring → milestone bar plumbed"   "$SHIP_OUT" "phases"
+assert_contains "ship wiring → next command set"        "$SHIP_OUT" "/qualia-handoff"
+assert_not_contains "ship wiring → no literal \${VAR"   "$SHIP_OUT" '${'
+# ---- /qualia-report closing block (verbatim plumbing) ----
+REPORT_OUT=$(cd "$TMP4" && {
+  EMP_NAME=$($NODE -pe 'try{JSON.parse(require("fs").readFileSync(process.env.HOME+"/.claude/.qualia-config.json","utf8")).installed_by||""}catch{""}' 2>/dev/null)
+  MDONE=$($NODE "$STATE" check 2>/dev/null | $NODE -pe 'try{JSON.parse(require("fs").readFileSync(0)).phase||""}catch{""}')
+  MTOTAL=$($NODE "$STATE" check 2>/dev/null | $NODE -pe 'try{JSON.parse(require("fs").readFileSync(0)).total_phases||""}catch{""}')
+  COUNT=9
+  ERP_RESULT=ok
+  $NODE "$UI" clockout "$EMP_NAME" date="2026-06-25" \
+    ${COUNT:+commits=$COUNT} \
+    ${MDONE:+mdone=$MDONE} ${MTOTAL:+mtotal=$MTOTAL} \
+    ${ERP_RESULT:+erp=$ERP_RESULT}
+} 2>&1)
+assert_contains "report wiring → renders CLOCK OUT"     "$REPORT_OUT" "CLOCK OUT"
+assert_contains "report wiring → commit count plumbed"  "$REPORT_OUT" "9 commits"
+assert_contains "report wiring → milestone % plumbed"   "$REPORT_OUT" "%"
+assert_contains "report wiring → erp result plumbed"    "$REPORT_OUT" "uploaded to ERP"
+assert_not_contains "report wiring → no literal \${VAR" "$REPORT_OUT" '${'
+rm -rf "$TMP" "$TMP2" "$TMP3" "$TMP4"
+echo ""
+echo "=== Results: $PASS passed, $FAIL failed ==="
+[ "$FAIL" -eq 0 ]

package/tests/lib.test.sh CHANGED Viewed

@@ -532,10 +532,10 @@ TMP=$(mktmp)
 mkdir -p "$TMP/home/.claude/bin" "$TMP/home/.claude/hooks" "$TMP/home/.claude/knowledge/daily-log" "$TMP/home/.claude/qualia-design" "$TMP/home/.claude/agents" "$TMP/home/.claude/qualia-templates" "$TMP/project"
 echo '{"installed_by":"Test","role":"OWNER","version":"6.3.0","erp":{"enabled":false}}' > "$TMP/home/.claude/.qualia-config.json"
 touch "$TMP/home/.claude/CLAUDE.md" "$TMP/home/.claude/settings.json"
-for f in runtime-manifest.js command-surface.js host-adapters.js state.js qualia-ui.js statusline.js knowledge.js knowledge-flush.js recall.js vault-access.js repo-map.js design-tokens.js batch-plan.js state-ledger.js plan-contract.js contract-runner.js agent-status.js analyze-gate.js verify-panel.js wave-plan.js eval-runner.js branch-hygiene.js last-report.js harness-eval.js trust-score.js agent-runs.js slop-detect.mjs erp-retry.js erp-event.js work-packet.js report-payload.js project-snapshot.js project-sync.js codex-goal.js planning-hygiene.js prune-deprecated.js learning-candidates.js status-snapshot.js security-scan.js auto-report.js; do
+for f in runtime-manifest.js command-surface.js host-adapters.js state.js qualia-ui.js statusline.js knowledge.js knowledge-flush.js recall.js vault-access.js repo-map.js design-tokens.js batch-plan.js state-ledger.js plan-contract.js contract-runner.js agent-status.js analyze-gate.js verify-panel.js wave-plan.js eval-runner.js branch-hygiene.js last-report.js harness-eval.js trust-score.js agent-runs.js slop-detect.mjs dep-verify.mjs erp-retry.js erp-event.js work-packet.js report-payload.js project-snapshot.js project-sync.js codex-goal.js planning-hygiene.js prune-deprecated.js learning-candidates.js status-snapshot.js security-scan.js auto-report.js; do
   touch "$TMP/home/.claude/bin/$f"
 done
-for h in session-start.js auto-update.js branch-guard.js pre-push.js pre-deploy-gate.js migration-guard.js git-guardrails.js stop-session-log.js fawzi-approval-guard.js vercel-account-guard.js env-empty-guard.js supabase-destructive-guard.js; do
+for h in session-start.js auto-update.js branch-guard.js pre-push.js pre-deploy-gate.js migration-guard.js git-guardrails.js stop-session-log.js fawzi-approval-guard.js vercel-account-guard.js env-empty-guard.js supabase-destructive-guard.js secret-guard.js; do
   touch "$TMP/home/.claude/hooks/$h"
 done
 touch "$TMP/home/.claude/knowledge/index.md" "$TMP/home/.claude/knowledge/agents.md" "$TMP/home/.claude/agents/visual-evaluator.md" "$TMP/home/.claude/qualia-guide.md" "$TMP/home/.claude/qualia-templates/help.html"
@@ -647,10 +647,10 @@ TMP=$(mktmp)
 mkdir -p "$TMP/.claude/bin" "$TMP/.claude/hooks" "$TMP/.claude/knowledge/daily-log" "$TMP/.claude/qualia-design" "$TMP/.claude/agents" "$TMP/.claude/qualia-templates" "$TMP/project/.planning"
 echo '{"installed_by":"Test","role":"OWNER","erp":{"enabled":false}}' > "$TMP/.claude/.qualia-config.json"
 touch "$TMP/.claude/CLAUDE.md" "$TMP/.claude/settings.json"
-for f in runtime-manifest.js command-surface.js host-adapters.js state.js qualia-ui.js statusline.js knowledge.js knowledge-flush.js recall.js vault-access.js repo-map.js design-tokens.js batch-plan.js state-ledger.js plan-contract.js contract-runner.js agent-status.js analyze-gate.js verify-panel.js wave-plan.js eval-runner.js branch-hygiene.js last-report.js harness-eval.js trust-score.js agent-runs.js slop-detect.mjs erp-retry.js erp-event.js work-packet.js report-payload.js project-snapshot.js project-sync.js codex-goal.js planning-hygiene.js prune-deprecated.js learning-candidates.js status-snapshot.js security-scan.js auto-report.js; do
+for f in runtime-manifest.js command-surface.js host-adapters.js state.js qualia-ui.js statusline.js knowledge.js knowledge-flush.js recall.js vault-access.js repo-map.js design-tokens.js batch-plan.js state-ledger.js plan-contract.js contract-runner.js agent-status.js analyze-gate.js verify-panel.js wave-plan.js eval-runner.js branch-hygiene.js last-report.js harness-eval.js trust-score.js agent-runs.js slop-detect.mjs dep-verify.mjs erp-retry.js erp-event.js work-packet.js report-payload.js project-snapshot.js project-sync.js codex-goal.js planning-hygiene.js prune-deprecated.js learning-candidates.js status-snapshot.js security-scan.js auto-report.js; do
   touch "$TMP/.claude/bin/$f"
 done
-for h in session-start.js auto-update.js branch-guard.js pre-push.js pre-deploy-gate.js migration-guard.js git-guardrails.js stop-session-log.js fawzi-approval-guard.js vercel-account-guard.js env-empty-guard.js supabase-destructive-guard.js; do
+for h in session-start.js auto-update.js branch-guard.js pre-push.js pre-deploy-gate.js migration-guard.js git-guardrails.js stop-session-log.js fawzi-approval-guard.js vercel-account-guard.js env-empty-guard.js supabase-destructive-guard.js secret-guard.js; do
   touch "$TMP/.claude/hooks/$h"
 done
 touch "$TMP/.claude/knowledge/index.md" "$TMP/.claude/knowledge/agents.md"

package/tests/run-all.sh CHANGED Viewed

@@ -18,6 +18,9 @@ SUITES=(
   "refs"
   "install-smoke"
   "slop-detect"
+  "dep-verify"
+  "runtime-parity"
+  "secret-guard"
   "agent-status"
   "analyze-gate"
   "instructions"
@@ -32,6 +35,7 @@ SUITES=(
   "repo-map"
   "design-tokens"
   "batch-plan"
+  "journey-spine"
 )
 FAILED=()