qualia-framework 7.0.1 → 7.2.0

package/tests/runner.js

@@ -2655,12 +2655,12 @@ describe("install.js", () => {
     }
   });
 
-  it("15 hooks installed (v6.13: task-write-guard added — R1 plan-contract file-scope guard)", () => {
+  it("16 hooks installed (secret-guard added — commit-time secret gate)", () => {
     const tmpHome = fs.mkdtempSync(path.join(os.tmpdir(), "qualia-install-"));
     try {
       runInstall("QS-FAWZI-11", tmpHome);
       const hooks = fs.readdirSync(path.join(tmpHome, ".claude", "hooks")).filter(f => f.endsWith(".js"));
-      assert.equal(hooks.length, 15, `expected 15 hooks, got ${hooks.length}: ${hooks.join(", ")}`);
+      assert.equal(hooks.length, 16, `expected 16 hooks, got ${hooks.length}: ${hooks.join(", ")}`);
       assert.ok(hooks.includes("fawzi-approval-guard.js"), "fawzi-approval-guard.js must be installed");
       assert.ok(hooks.includes("pre-compact.js"), "pre-compact.js must be installed (v6.3.2 sidecar-snapshot mechanism)");
       assert.ok(hooks.includes("task-write-guard.js"), "task-write-guard.js must be installed (v6.13 R1 guard)");

package/tests/runtime-parity.test.sh

@@ -0,0 +1,62 @@
+#!/bin/bash
+# Qualia Framework — Claude/Codex hook-registration parity
+#
+# A blocking gate that runs on Claude but not Codex is a silent hole: the
+# framework's gates-over-prompts guarantee only holds if every deterministic
+# guard fires on BOTH supported runtimes. This suite asserts the Codex hook
+# registration in bin/install.js carries the same critical blocking gates as
+# the Claude registration. The regression it guards: task-write-guard.js was
+# registered on Claude (Edit|Write) but omitted on Codex, so off-contract /
+# fabricated-file writes went unblocked on Codex.
+#
+# Run: bash tests/runtime-parity.test.sh
+
+PASS=0
+FAIL=0
+INSTALL="$(cd "$(dirname "$0")/.." && pwd)/bin/install.js"
+
+pass() { echo "  ✓ $1"; PASS=$((PASS + 1)); }
+fail_case() { echo "  ✗ $1"; echo "    $2"; FAIL=$((FAIL + 1)); }
+
+echo "runtime-parity.test.sh — Claude/Codex hook registration parity"
+echo ""
+
+if [ ! -f "$INSTALL" ]; then
+  fail_case "install.js exists" "$INSTALL not found"
+  echo "=== Results: $PASS passed, $FAIL failed ==="
+  exit 1
+fi
+
+# Extract the Codex hook registration object (const qualiaHooks = { ... };).
+CODEX_BLOCK=$(awk '/const qualiaHooks = \{/{f=1} f{print} f&&/^    \};/{exit}' "$INSTALL")
+
+if [ -z "$CODEX_BLOCK" ]; then
+  fail_case "locate Codex qualiaHooks block" "could not extract 'const qualiaHooks = { ... }' from install.js"
+  echo "=== Results: $PASS passed, $FAIL failed ==="
+  exit 1
+fi
+pass "located the Codex qualiaHooks registration block"
+
+# Critical blocking gates that MUST be registered on Codex (superset check).
+CRITICAL_GATES="task-write-guard.js branch-guard.js migration-guard.js pre-deploy-gate.js supabase-destructive-guard.js fawzi-approval-guard.js secret-guard.js"
+
+for gate in $CRITICAL_GATES; do
+  if echo "$CODEX_BLOCK" | grep -q "$gate"; then
+    pass "Codex registers $gate"
+  else
+    fail_case "Codex missing $gate" "blocking gate registered on Claude but absent from the Codex hooks block"
+  fi
+done
+
+# Specifically pin the regression: task-write-guard must be in the Edit|Write
+# group (where file writes are gated), not merely present somewhere.
+EDIT_GROUP=$(echo "$CODEX_BLOCK" | awk '/matcher: "Edit\|Write"/{f=1} f{print} f&&/\],/{exit}')
+if echo "$EDIT_GROUP" | grep -q "task-write-guard.js"; then
+  pass "task-write-guard.js is in the Codex Edit|Write group"
+else
+  fail_case "task-write-guard in Edit|Write" "task-write-guard.js not found in the Codex Edit|Write matcher group"
+fi
+
+echo ""
+echo "=== Results: $PASS passed, $FAIL failed ==="
+[ "$FAIL" = "0" ]

package/tests/secret-guard.test.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+# Qualia Framework — hooks/secret-guard.js behavior tests
+# The commit-time gate that enforces two constitution non-negotiables:
+# never commit service_role keys; never commit .env files.
+#
+# Run: bash tests/secret-guard.test.sh
+
+PASS=0
+FAIL=0
+GUARD="$(cd "$(dirname "$0")/../hooks" && pwd)/secret-guard.js"
+NODE="${NODE:-node}"
+
+TMP_DIRS=()
+cleanup() { for d in "${TMP_DIRS[@]}"; do [ -d "$d" ] && rm -rf "$d"; done; }
+trap cleanup EXIT
+mktmp() { local T; T=$(mktemp -d); TMP_DIRS+=("$T"); echo "$T"; }
+pass() { echo "  ✓ $1"; PASS=$((PASS + 1)); }
+fail_case() { echo "  ✗ $1"; echo "    $2"; FAIL=$((FAIL + 1)); }
+
+# Build a throwaway git repo with the given file staged; run the guard via a
+# simulated `git commit` PreToolUse payload; echo the exit code.
+run_guard_on_repo() {
+  local repo="$1"
+  ( cd "$repo" && printf '{"tool_input":{"command":"git commit -m wip"}}' | $NODE "$GUARD" >/tmp/sg.out 2>&1 )
+  echo $?
+}
+
+echo "secret-guard.test.sh — hooks/secret-guard.js behavioral tests"
+echo ""
+
+if [ ! -f "$GUARD" ]; then
+  fail_case "secret-guard exists" "$GUARD not found"; echo "=== Results: $PASS passed, $FAIL failed ==="; exit 1
+fi
+pass "secret-guard.js exists"
+$NODE --check "$GUARD" 2>/dev/null && pass "secret-guard.js syntax is valid" || fail_case "syntax" "node --check failed"
+
+git --version >/dev/null 2>&1 || { echo "  - git unavailable, skipping behavioral tests"; echo "=== Results: $PASS passed, $FAIL failed ==="; [ "$FAIL" = 0 ]; exit $?; }
+
+init_repo() {
+  local R; R=$(mktmp)
+  ( cd "$R" && git init -q && git config user.email t@t.co && git config user.name t ) 2>/dev/null
+  echo "$R"
+}
+
+# ── Clean staged file → allow (exit 0) ────────────────────────────────
+R=$(init_repo)
+echo "export const x = 1;" > "$R/app.ts"
+( cd "$R" && git add app.ts ) 2>/dev/null
+RC=$(run_guard_on_repo "$R")
+[ "$RC" = "0" ] && pass "clean staged file → allowed (exit 0)" || fail_case "clean allow" "exit=$RC $(cat /tmp/sg.out)"
+
+# ── Staged private key → block (exit 2), value never printed ──────────
+R=$(init_repo)
+printf -- "-----BEGIN RSA PRIVATE KEY-----\nMIIabc123\n-----END RSA PRIVATE KEY-----\n" > "$R/key.pem"
+( cd "$R" && git add key.pem ) 2>/dev/null
+RC=$(run_guard_on_repo "$R")
+if [ "$RC" = "2" ] && grep -q "key.pem" /tmp/sg.out && ! grep -q "MIIabc123" /tmp/sg.out; then
+  pass "staged private key → blocked (exit 2), value not printed"
+else
+  fail_case "private key block" "exit=$RC out=$(head -c 160 /tmp/sg.out)"
+fi
+
+# ── Staged .env file → block ──────────────────────────────────────────
+R=$(init_repo)
+echo "API_KEY=whatever" > "$R/.env"
+( cd "$R" && git add -f .env ) 2>/dev/null
+RC=$(run_guard_on_repo "$R")
+[ "$RC" = "2" ] && grep -q "\.env" /tmp/sg.out && pass "staged .env file → blocked (exit 2)" || fail_case ".env block" "exit=$RC out=$(head -c 160 /tmp/sg.out)"
+
+# ── .env.example → allowed (template, not a secret) ──────────────────
+R=$(init_repo)
+echo "API_KEY=" > "$R/.env.example"
+( cd "$R" && git add .env.example ) 2>/dev/null
+RC=$(run_guard_on_repo "$R")
+[ "$RC" = "0" ] && pass ".env.example → allowed (template, not flagged)" || fail_case ".env.example allow" "exit=$RC out=$(head -c 160 /tmp/sg.out)"
+
+# ── service_role key assignment → block ──────────────────────────────
+R=$(init_repo)
+echo 'const k = "SUPABASE_SERVICE_ROLE_KEY=abcdef0123456789abcdef0123456789";' > "$R/cfg.ts"
+( cd "$R" && git add cfg.ts ) 2>/dev/null
+RC=$(run_guard_on_repo "$R")
+[ "$RC" = "2" ] && pass "service_role key assignment → blocked (exit 2)" || fail_case "service_role block" "exit=$RC out=$(head -c 160 /tmp/sg.out)"
+
+# ── Non-commit command → self-filter exits 0 silently ────────────────
+R=$(init_repo)
+echo "API_KEY=whatever" > "$R/.env"; ( cd "$R" && git add -f .env ) 2>/dev/null
+RC=$( ( cd "$R" && printf '{"tool_input":{"command":"git status"}}' | $NODE "$GUARD" >/dev/null 2>&1 ); echo $? )
+[ "$RC" = "0" ] && pass "non-commit command (git status) → self-filters, exit 0" || fail_case "self-filter" "exit=$RC"
+
+echo ""
+echo "=== Results: $PASS passed, $FAIL failed ==="
+[ "$FAIL" = "0" ]

package/tests/state.test.sh

@@ -1604,6 +1604,41 @@ else
   fail_case "operate handoff ungated" "out=$OUT"
 fi
 
+# 64. A5 increment failed-status gap closure (regression: A5 sets status
+#     "failed" on a failed verify, unlike the legacy "verified"+fail path).
+#     Asserts: next_command routes to gap closure (not the /qualia dead-end),
+#     re-plan is allowed from "failed", gap_cycles increments, and the
+#     circuit breaker fires at the limit.
+TMP=$(make_project)
+make_valid_plan "$TMP" 1                              # plan + contract + evidence for phase 1
+touch "$TMP/.planning/phase-1-verification.md"        # fail verify only needs the file to exist
+(cd "$TMP" && $NODE "$STATE_JS" migrate >/dev/null 2>&1)
+A5ID=inc-0001-foundation
+a5() { (cd "$TMP" && $NODE "$STATE_JS" transition --to "$1" ${2:+--verification "$2"} --id "$A5ID" 2>&1); }
+a5 planned >/dev/null 2>&1   # ensure planned (no-op if already)
+a5 built >/dev/null 2>&1
+VF=$(a5 verified fail)
+if echo "$VF" | grep -q '"status": "failed"' && echo "$VF" | grep -q '"next_command": "/qualia-plan 1 --gaps"'; then
+  pass "A5 failed verify → status=failed, next_command=/qualia-plan 1 --gaps (no dead-end)"
+else
+  fail_case "A5 failed next_command" "out=$VF"
+fi
+RP1=$(a5 planned)
+if echo "$RP1" | grep -q '"ok": true' && echo "$RP1" | grep -q '"gap_cycles": 1'; then
+  pass "A5 failed → planned gap closure allowed, gap_cycles=1"
+else
+  fail_case "A5 replan-from-failed" "out=$RP1"
+fi
+a5 built >/dev/null 2>&1; a5 verified fail >/dev/null 2>&1
+RP2=$(a5 planned)
+a5 built >/dev/null 2>&1; a5 verified fail >/dev/null 2>&1
+RP3=$(a5 planned)
+if echo "$RP2" | grep -q '"gap_cycles": 2' && echo "$RP3" | grep -q "GAP_CYCLE_LIMIT"; then
+  pass "A5 gap_cycles=2 then circuit breaker fires (GAP_CYCLE_LIMIT) at default limit"
+else
+  fail_case "A5 breaker" "rp2=$RP2 rp3=$RP3"
+fi
+
 # ─── Summary ─────────────────────────────────────────────
 echo ""
 echo "=== Results: $PASS passed, $FAIL failed ==="