sneakoscope 1.13.0 → 1.14.1

package/README.md

@@ -10,14 +10,15 @@ SKS does not try to clone every other harness. It focuses on one thing: making C
 
 ## Current Release
 
-SKS **1.13.0** focuses on the DFix Extreme Speed Kernel and Codex hook trust warning-zero: DFix now records error signatures, path decisions, patch runner results, verification selection, rollback plans, wrongness/cache hints, and speed budgets, while hooks validate the latest 10-event Codex schema including `SubagentStart` and `SubagentStop`.
+SKS **1.14.1** is an extreme stabilization release for hook trust, real imagegen smoke checks, PPT E2E review evidence, Codex 0.133 compatibility, and Scout multi-session intake. Scout runs now carry `engine_run_id`, `scout_session_id`, output-schema metadata, isolated benchmark artifacts, read-only guard v2 evidence, and speedup-claim caps for mock/static paths.
 
 ```bash
 sks features complete --json
 sks ux-review run --image <path> --generate-callouts --json
 sks ppt fixture --mock --json
 sks dfix fixture --json
-sks hooks trust-doctor --json
+sks hooks trust-doctor --actual --json
+sks hooks install --managed --json
 ```
 
 Detailed release history lives in [CHANGELOG.md](CHANGELOG.md). Current release gate status lives in [docs/release-readiness.md](docs/release-readiness.md).
@@ -115,7 +116,7 @@ sks selftest --mock
 
 ## What Sneakoscope Adds
 
-`sks` adds a tmux Codex CLI runtime, Codex App `$` commands, Team/QA/PPT/Research/DB/GX/Wiki routes, OpenClaw skill generation, Context7-gated current docs, TriWiki context packs, DB safety, design SSOT policy, skill dreaming, release checks, and Honest Mode.
+`sks` adds a tmux Codex CLI runtime, Codex App `$` commands, Team/QA/PPT/Research/DB/GX/Wiki routes, OpenClaw and Hermes skill generation, Context7-gated current docs, TriWiki context packs, DB safety, design SSOT policy, skill dreaming, release checks, and Honest Mode.
 
 ## Report-Only Planning Surfaces
 
@@ -409,7 +410,7 @@ SKS does not install Git pre-commit hooks. Release metadata is changed only by e
 
 TriWiki is intentionally sparse: `sks wiki sweep` records demote, soft-forget, archive, delete, promote-to-skill, and promote-to-rule candidates instead of injecting every old claim into future prompts. `sks harness fixture` validates the broader Harness Growth Factory contract: deliberate forgetting fixtures, skill card metadata, experiment schema, tool-error taxonomy, permission profiles, MultiAgentV2 defaults, and tmux cockpit view coverage. `sks code-structure scan` flags handwritten files above 1000/2000/3000-line thresholds so new logic can be extracted before command files become harder to maintain.
 
-## OpenClaw Agent Usage
+## OpenClaw And Hermes Agent Usage
 
 Sneakoscope can generate an OpenClaw skill package for agents that need to operate SKS-enabled repositories.
 
@@ -430,6 +431,23 @@ SKS_OPENCLAW=1 sks proof-field scan --intent "small CLI change" --changed src/cl
 
 If OpenClaw runs in a sandbox, grant shell execution only for trusted workspaces. Database, migration, and destructive work still follows SKS safety routes.
 
+Sneakoscope can also generate a Hermes Agent skill package for the Hermes `/skills` surface.
+
+```sh
+sks hermes install
+sks hermes status --json
+sks hermes path
+```
+
+By default this writes `~/.hermes/skills/sneakoscope-codex/` with `SKILL.md`, a README, `hermes-config.example.yaml`, and `skill-bundle.example.yaml`. Set `HERMES_HOME` or pass `--dir` for a custom location. Hermes agents should invoke `/sneakoscope-codex` with the terminal toolset enabled and run shell commands with `SKS_HERMES=1`; this enables non-interactive dependency/update prompts while leaving SKS DB, migration, and destructive-operation safety routes intact. If you use Hermes `skills.external_dirs`, remember writable external directories can be updated by Hermes, so protect shared skill folders with filesystem permissions when needed.
+
+```sh
+SKS_HERMES=1 sks root --json
+SKS_HERMES=1 sks commands --json
+SKS_HERMES=1 sks dollar-commands --json
+SKS_HERMES=1 sks status --json
+```
+
 ## Prompt `$` Commands
 
 Use these inside Codex App or another agent prompt. They are prompt commands, not terminal commands.

package/crates/sks-core/Cargo.lock

@@ -76,7 +76,7 @@ dependencies = [
 
 [[package]]
 name = "sks-core"
-version = "1.13.0"
+version = "1.14.1"
 dependencies = [
  "serde_json",
 ]

package/crates/sks-core/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "sks-core"
-version = "1.13.0"
+version = "1.14.1"
 edition = "2021"
 
 [dependencies]

package/crates/sks-core/src/main.rs

@@ -4,7 +4,7 @@ use std::io::{self, Read, Seek, SeekFrom};
 fn main() {
     let mut args = std::env::args().skip(1);
     match args.next().as_deref() {
-        Some("--version") => println!("sks-rs 1.13.0"),
+        Some("--version") => println!("sks-rs 1.14.1"),
         Some("compact-info") => {
             let mut input = String::new();
             let _ = io::stdin().read_to_string(&mut input);

package/dist/bin/sks.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-const FAST_PACKAGE_VERSION = '1.13.0';
+const FAST_PACKAGE_VERSION = '1.14.1';
 const args = process.argv.slice(2);
 try {
     if (args[0] === '--version' || args[0] === '-v' || args[0] === 'version') {

package/dist/build-manifest.json

@@ -1,6 +1,6 @@
 {
   "schema": "sks.dist-build.v2",
-  "version": "1.13.0",
+  "version": "1.14.1",
   "typescript": true,
   "mjs_runtime_files": 0,
   "files": [
@@ -18,6 +18,8 @@
     "cli/feature-commands.js",
     "cli/help-fast.d.ts",
     "cli/help-fast.js",
+    "cli/hermes-command.d.ts",
+    "cli/hermes-command.js",
     "cli/install-helpers.d.ts",
     "cli/install-helpers.js",
     "cli/main.d.ts",
@@ -92,6 +94,8 @@
     "commands/harness.js",
     "commands/help.d.ts",
     "commands/help.js",
+    "commands/hermes.d.ts",
+    "commands/hermes.js",
     "commands/hook.d.ts",
     "commands/hook.js",
     "commands/hooks.d.ts",
@@ -186,6 +190,8 @@
     "core/codex-app.js",
     "core/codex-compat/codex-0-132.d.ts",
     "core/codex-compat/codex-0-132.js",
+    "core/codex-compat/codex-0-133.d.ts",
+    "core/codex-compat/codex-0-133.js",
     "core/codex-compat/codex-compat-report.d.ts",
     "core/codex-compat/codex-compat-report.js",
     "core/codex-compat/codex-config-policy.d.ts",
@@ -212,10 +218,18 @@
     "core/codex-compat/codex-version.js",
     "core/codex-exec-output-schema.d.ts",
     "core/codex-exec-output-schema.js",
+    "core/codex-hooks/codex-hook-actual-discovery.d.ts",
+    "core/codex-hooks/codex-hook-actual-discovery.js",
     "core/codex-hooks/codex-hook-config-writer.d.ts",
     "core/codex-hooks/codex-hook-config-writer.js",
     "core/codex-hooks/codex-hook-hash.d.ts",
     "core/codex-hooks/codex-hook-hash.js",
+    "core/codex-hooks/codex-hook-managed-install.d.ts",
+    "core/codex-hooks/codex-hook-managed-install.js",
+    "core/codex-hooks/codex-hook-official-hash-oracle.d.ts",
+    "core/codex-hooks/codex-hook-official-hash-oracle.js",
+    "core/codex-hooks/codex-hook-official-parity.d.ts",
+    "core/codex-hooks/codex-hook-official-parity.js",
     "core/codex-hooks/codex-hook-state-writer.d.ts",
     "core/codex-hooks/codex-hook-state-writer.js",
     "core/codex-hooks/codex-hook-trust-doctor.d.ts",
@@ -358,6 +372,8 @@
     "core/evidence/evidence-schema.js",
     "core/evidence/evidence-store.d.ts",
     "core/evidence/evidence-store.js",
+    "core/evidence/flagship-proof-graph-validator.d.ts",
+    "core/evidence/flagship-proof-graph-validator.js",
     "core/feature-fixture-runner.d.ts",
     "core/feature-fixture-runner.js",
     "core/feature-fixtures.d.ts",
@@ -406,6 +422,8 @@
     "core/harness-conflicts.js",
     "core/harness-guard.d.ts",
     "core/harness-guard.js",
+    "core/hermes.d.ts",
+    "core/hermes.js",
     "core/hooks-runtime.d.ts",
     "core/hooks-runtime.js",
     "core/hproof.d.ts",
@@ -426,6 +444,10 @@
     "core/image-ux-review/real-callout-extractor.js",
     "core/image-ux-review/recapture.d.ts",
     "core/image-ux-review/recapture.js",
+    "core/imagegen/gpt-image-2-request-validator.d.ts",
+    "core/imagegen/gpt-image-2-request-validator.js",
+    "core/imagegen/imagegen-capability.d.ts",
+    "core/imagegen/imagegen-capability.js",
     "core/init.d.ts",
     "core/init.js",
     "core/json-schema-validator.d.ts",

package/dist/cli/command-registry.d.ts

@@ -47,6 +47,7 @@ export declare const COMMANDS: {
     auth: CommandEntry;
     hooks: CommandEntry;
     openclaw: CommandEntry;
+    hermes: CommandEntry;
     tmux: CommandEntry;
     mad: CommandEntry;
     'mad-sks': CommandEntry;
@@ -132,6 +133,7 @@ export declare const TYPED_COMMANDS: {
     auth: CommandEntry;
     hooks: CommandEntry;
     openclaw: CommandEntry;
+    hermes: CommandEntry;
     tmux: CommandEntry;
     mad: CommandEntry;
     'mad-sks': CommandEntry;

package/dist/cli/command-registry.js

@@ -100,6 +100,7 @@ export const COMMANDS = {
     auth: entry('beta', 'Alias for codex-lb auth commands', 'dist/commands/codex-lb.js', directCommand(() => import('../commands/codex-lb.js'), 'dist/commands/codex-lb.js')),
     hooks: entry('beta', 'Explain and inspect Codex hooks', 'dist/commands/hooks.js', directCommand(() => import('../commands/hooks.js'), 'dist/commands/hooks.js')),
     openclaw: entry('labs', 'Create OpenClaw skill package', 'dist/commands/openclaw.js', directCommand(() => import('../commands/openclaw.js'), 'dist/commands/openclaw.js')),
+    hermes: entry('labs', 'Create Hermes Agent skill package', 'dist/commands/hermes.js', directCommand(() => import('../commands/hermes.js'), 'dist/commands/hermes.js')),
     tmux: entry('beta', 'Open/check SKS tmux UI', 'dist/commands/tmux.js', directCommand(() => import('../commands/tmux.js'), 'dist/commands/tmux.js')),
     mad: entry('beta', 'MAD-SKS tmux permission launcher', 'dist/commands/mad-sks.js', directCommand(() => import('../commands/mad-sks.js'), 'dist/commands/mad-sks.js')),
     'mad-sks': entry('beta', 'MAD-SKS scoped permission modifier', 'dist/commands/mad-sks.js', directCommand(() => import('../commands/mad-sks.js'), 'dist/commands/mad-sks.js')),

package/dist/cli/feature-commands.js

@@ -12,6 +12,8 @@ import { validateCodexFixtureOutputs } from '../core/codex-compat/codex-hook-sch
 import { codexHookWarningCheck } from '../core/codex-compat/codex-hook-warning-detector.js';
 import { codexHookTrustDoctor } from '../core/codex-hooks/codex-hook-trust-doctor.js';
 import { writeTrustedHashStateForHooksFile } from '../core/codex-hooks/codex-hook-state-writer.js';
+import { installManagedCodexHooks } from '../core/codex-hooks/codex-hook-managed-install.js';
+import { writeCodexHookOfficialParityReport } from '../core/codex-hooks/codex-hook-official-parity.js';
 const flag = (args, name) => args.includes(name);
 export async function featuresCommand(sub = 'list', args = []) {
     const action = sub || 'list';
@@ -122,7 +124,7 @@ export async function hooksCommand(sub = 'explain', args = []) {
         return;
     }
     if (action === 'doctor' || action === 'trust-doctor') {
-        const report = await codexHookTrustDoctor(root, { fix: flag(args, '--fix'), managed: flag(args, '--managed') });
+        const report = await codexHookTrustDoctor(root, { fix: flag(args, '--fix'), managed: flag(args, '--managed'), actual: flag(args, '--actual') });
         if (flag(args, '--json'))
             return console.log(JSON.stringify(report, null, 2));
         console.log(`Hooks trust doctor: ${report.ok ? 'ok' : 'blocked'}`);
@@ -133,9 +135,10 @@ export async function hooksCommand(sub = 'explain', args = []) {
         return;
     }
     if (action === 'trust-state') {
-        const report = await codexHookTrustDoctor(root, { managed: flag(args, '--managed') });
+        const report = await codexHookTrustDoctor(root, { managed: flag(args, '--managed'), actual: flag(args, '--actual') });
+        const anyReport = report;
         if (flag(args, '--json'))
-            return console.log(JSON.stringify({ schema: 'sks.codex-hook-trust-state-command.v1', ok: report.ok, entries: report.entries, trust: report.trust }, null, 2));
+            return console.log(JSON.stringify({ schema: flag(args, '--actual') ? 'sks.codex-hook-trust-state-command.v2' : 'sks.codex-hook-trust-state-command.v1', ok: report.ok, actual: flag(args, '--actual'), entries: report.entries, trust: report.trust, sources: anyReport.sources || [], managed_dirs: anyReport.managed_dirs || [], blockers: anyReport.blockers || [] }, null, 2));
         console.log(`Hook trust entries: ${report.entries.length}`);
         return;
     }
@@ -148,11 +151,59 @@ export async function hooksCommand(sub = 'explain', args = []) {
             process.exitCode = 1;
         return;
     }
+    if (action === 'repair') {
+        if (flag(args, '--trusted')) {
+            const parity = await writeCodexHookOfficialParityReport(root);
+            if (!parity.official_hash_available) {
+                const blocked = {
+                    schema: 'sks.codex-hooks-repair.v1',
+                    ok: false,
+                    mode: 'trusted',
+                    status: 'blocked',
+                    blocker: 'official_hash_oracle_unavailable',
+                    next_command: 'sks hooks repair --managed --json',
+                    parity
+                };
+                if (flag(args, '--json'))
+                    return console.log(JSON.stringify(blocked, null, 2));
+                console.log('Hooks trusted repair blocked: official hash oracle unavailable. Run `sks hooks repair --managed --json`.');
+                process.exitCode = 1;
+                return;
+            }
+        }
+        const report = await installManagedCodexHooks(root);
+        const result = {
+            ...report,
+            schema: 'sks.codex-hooks-repair.v1',
+            mode: 'managed',
+            next_command: 'sks hooks trust-doctor --actual --json',
+            actions: ['requirements_toml_managed_install_default']
+        };
+        if (flag(args, '--json'))
+            return console.log(JSON.stringify(result, null, 2));
+        console.log(`Hooks managed repair: ${report.ok ? 'ok' : 'blocked'}`);
+        if (!report.ok)
+            process.exitCode = 1;
+        return;
+    }
     if (action === 'install') {
-        const report = await writeTrustedHashStateForHooksFile(root);
+        const report = flag(args, '--managed')
+            ? await installManagedCodexHooks(root)
+            : await writeTrustedHashStateForHooksFile(root, undefined, undefined, { allowSksHashFallback: flag(args, '--trusted'), reason: 'Use --managed unless you intentionally accept SKS-only trusted_hash fallback with --trusted.' });
+        if (flag(args, '--json'))
+            return console.log(JSON.stringify({ ...report, schema: flag(args, '--managed') ? 'sks.codex-hooks-managed-install.v1' : 'sks.codex-hook-install-command.v2', mode: flag(args, '--managed') ? 'managed' : flag(args, '--project') ? 'project' : 'trust-state-only', trusted: flag(args, '--trusted') }, null, 2));
+        console.log(flag(args, '--managed') ? `Hooks managed install: ${report.ok ? 'ok' : 'blocked'}` : `Hooks install trust state: ${report.ok ? 'ok' : 'blocked'}`);
+        if (!report.ok)
+            process.exitCode = 1;
+        return;
+    }
+    if (action === 'actual-parity' || action === 'official-parity' || (action === 'parity' && flag(args, '--official'))) {
+        const report = await writeCodexHookOfficialParityReport(root);
         if (flag(args, '--json'))
-            return console.log(JSON.stringify({ ...report, schema: 'sks.codex-hook-install-command.v1', ok: true, mode: flag(args, '--managed') ? 'managed' : flag(args, '--project') ? 'project' : 'trust-state-only', trusted: flag(args, '--trusted') }, null, 2));
-        console.log(`Hooks install trust state updated: ${report.updated}`);
+            return console.log(JSON.stringify(report, null, 2));
+        console.log(`Hooks official parity: ${report.ok ? 'ok' : 'blocked'} (${report.path})`);
+        if (!report.ok)
+            process.exitCode = 1;
         return;
     }
     if (action === 'replay') {
@@ -204,7 +255,7 @@ export async function hooksCommand(sub = 'explain', args = []) {
         return;
     }
     if (action !== 'explain') {
-        console.error('Usage: sks hooks explain|status|doctor|trust-report|trust-state|trust-doctor|trust-fix|install|replay <fixture.json>|codex-schema|codex-validate|warning-check|replay-codex-fixtures [--json]');
+        console.error('Usage: sks hooks explain|status|doctor|trust-report|trust-state|trust-doctor|trust-fix|install|repair|actual-parity|official-parity|parity --official|replay <fixture.json>|codex-schema|codex-validate|warning-check|replay-codex-fixtures [--json]');
         process.exitCode = 1;
         return;
     }

package/dist/cli/hermes-command.d.ts

@@ -0,0 +1,2 @@
+export declare function hermesCommand(args?: any): Promise<void>;
+//# sourceMappingURL=hermes-command.d.ts.map

package/dist/cli/hermes-command.js

@@ -0,0 +1,99 @@
+import path from 'node:path';
+import { HERMES_SKILL_NAME, buildHermesSkillFiles, defaultHermesSkillDir, installHermesSkill } from '../core/hermes.js';
+import { exists } from '../core/fsx.js';
+const flag = (args, name) => args.includes(name);
+function readFlagValue(args, name, fallback) {
+    const i = args.indexOf(name);
+    return i >= 0 && args[i + 1] ? args[i + 1] : fallback;
+}
+function positionalArgs(args = []) {
+    const out = [];
+    const valueFlags = new Set(['--dir']);
+    for (let i = 0; i < args.length; i++) {
+        const arg = String(args[i]);
+        if (valueFlags.has(arg)) {
+            i++;
+            continue;
+        }
+        if (!arg.startsWith('--'))
+            out.push(arg);
+    }
+    return out;
+}
+export async function hermesCommand(args = []) {
+    const action = args[0] || 'help';
+    const targetDir = readFlagValue(args, '--dir', defaultHermesSkillDir());
+    const resultOptions = {
+        targetDir,
+        force: flag(args, '--force'),
+        dryRun: flag(args, '--dry-run')
+    };
+    if (action === 'path') {
+        const result = { skill: HERMES_SKILL_NAME, target_dir: path.resolve(targetDir) };
+        if (flag(args, '--json'))
+            return console.log(JSON.stringify(result, null, 2));
+        console.log(result.target_dir);
+        return;
+    }
+    if (action === 'status') {
+        const files = buildHermesSkillFiles();
+        const target = path.resolve(targetDir);
+        const installed = await exists(path.join(target, 'SKILL.md'));
+        const result = {
+            schema: 'sks.hermes-skill-status.v1',
+            ok: true,
+            skill: HERMES_SKILL_NAME,
+            target_dir: target,
+            installed,
+            expected_files: Object.keys(files),
+            env_mode: 'SKS_HERMES=1',
+            slash_command: `/${HERMES_SKILL_NAME}`
+        };
+        if (flag(args, '--json'))
+            return console.log(JSON.stringify(result, null, 2));
+        console.log(`Hermes skill: ${installed ? 'installed' : 'not installed'} ${target}`);
+        return;
+    }
+    if (action === 'print') {
+        const files = buildHermesSkillFiles();
+        const file = (positionalArgs(args.slice(1))[0] || 'SKILL.md');
+        if (!files[file]) {
+            console.error(`Unknown Hermes skill file: ${file}`);
+            console.error(`Files: ${Object.keys(files).join(', ')}`);
+            process.exitCode = 1;
+            return;
+        }
+        console.log(files[file]);
+        return;
+    }
+    if (action === 'install') {
+        const result = await installHermesSkill(resultOptions);
+        if (flag(args, '--json'))
+            return console.log(JSON.stringify(result, null, 2));
+        if (!result.ok) {
+            console.error(`Hermes skill install blocked: ${result.reason}`);
+            console.error(`Target: ${result.target_dir}`);
+            process.exitCode = 1;
+            return;
+        }
+        console.log(`Hermes skill ${result.status}: ${result.target_dir}`);
+        console.log(`Use it in Hermes as /${HERMES_SKILL_NAME} and run SKS shell commands with SKS_HERMES=1.`);
+        return;
+    }
+    console.log(`Hermes
+
+Usage:
+  sks hermes install [--dir path] [--force] [--dry-run] [--json]
+  sks hermes status [--dir path] [--json]
+  sks hermes path [--dir path] [--json]
+  sks hermes print [SKILL.md|README.md|hermes-config.example.yaml|skill-bundle.example.yaml]
+
+Default skill: ${HERMES_SKILL_NAME}
+Default path:  ${defaultHermesSkillDir()}
+
+After install, open Hermes and invoke:
+
+/${HERMES_SKILL_NAME} Use SKS in this repository.
+`);
+}
+//# sourceMappingURL=hermes-command.js.map

package/dist/cli/install-helpers.js

@@ -2063,7 +2063,7 @@ export async function maybePromptCodexUpdateForLaunch(args = [], opts = {}) {
     return installCodexLatest(command, latest.version, current);
 }
 export function shouldAutoApproveInstall(args = [], env = process.env) {
-    return hasFlag(args, '--yes') || hasFlag(args, '-y') || isOpenClawRuntime(env);
+    return hasFlag(args, '--yes') || hasFlag(args, '-y') || isAgentRuntime(env);
 }
 function canAskYesNo() {
     return Boolean(input.isTTY && output.isTTY && process.env.CI !== 'true');
@@ -2071,8 +2071,18 @@ function canAskYesNo() {
 function hasFlag(args = [], name) {
     return args.includes(name);
 }
-function isOpenClawRuntime(env = process.env) {
-    return ['SKS_OPENCLAW', 'OPENCLAW', 'OPENCLAW_AGENT', 'OPENCLAW_RUN_ID', 'OPENCLAW_SESSION_ID']
+function isAgentRuntime(env = process.env) {
+    return [
+        'SKS_OPENCLAW',
+        'OPENCLAW',
+        'OPENCLAW_AGENT',
+        'OPENCLAW_RUN_ID',
+        'OPENCLAW_SESSION_ID',
+        'SKS_HERMES',
+        'HERMES_AGENT',
+        'HERMES_RUN_ID',
+        'HERMES_SESSION_ID'
+    ]
         .some((key) => /^(1|true|yes|y)$/i.test(String(env[key] || '').trim()));
 }
 async function installCodexLatest(command, latestVersion, previousVersion = null) {

package/dist/commands/hermes.d.ts

@@ -0,0 +1,2 @@
+export declare function run(_command: any, args?: any): Promise<void>;
+//# sourceMappingURL=hermes.d.ts.map

package/dist/commands/hermes.js

@@ -0,0 +1,5 @@
+import { hermesCommand } from '../cli/hermes-command.js';
+export async function run(_command, args = []) {
+    return hermesCommand(args);
+}
+//# sourceMappingURL=hermes.js.map