soloforge 1.4.3 → 1.4.5

package/dist/adapters/shared/workflow_template.js

@@ -109,7 +109,7 @@ export function validateWorkflowRuleSources(rootDir) {
     };
 }
 /** 当前嵌入的权威规则校验和 — 由 `npm run update-workflow-checksum` 更新。 */
-const EMBEDDED_CHECKSUM = "3620b50bb23320b5";
+const EMBEDDED_CHECKSUM = "1329a153ea580993";
 function getEmbeddedChecksum() {
     return EMBEDDED_CHECKSUM;
 }

package/dist/bin/soloforge.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"soloforge.d.ts","sourceRoot":"","sources":["../../src/bin/soloforge.ts"],"names":[],"mappings":";AA87BA,OAAO,EAAE,0BAA0B,EAAE,MAAM,gDAAgD,CAAC"}
+{"version":3,"file":"soloforge.d.ts","sourceRoot":"","sources":["../../src/bin/soloforge.ts"],"names":[],"mappings":";AAshCA,OAAO,EAAE,0BAA0B,EAAE,MAAM,gDAAgD,CAAC"}

package/dist/bin/soloforge.js

@@ -18,6 +18,7 @@ import { isReadForbidden } from "../engine/privacy_secret_contract.js";
 import { routeIntent } from "../engine/intent_router.js";
 import { debugLog, debug, userInfo, userWarn, userError, internalWarn, jsonSafeError, initLoggerFromEnv } from "../engine/logger.js";
 import { auditControlPlaneProject, isSoloforgeStateBypassCommand } from "../engine/control_plane_contract.js";
+import { getDesignLifecycleArtifactPaths } from "../engine/design_lifecycle_contract.js";
 const command = process.argv[2];
 const args = process.argv.slice(3);
 async function main() {
@@ -174,7 +175,7 @@ async function main() {
   generate-trae       生成 .trae/mcp.json 和 .trae/rules/project_rules.md
   generate-codex      生成 .codex/ 配置和 AGENTS.md
   check-write         PreToolUse hook，用于范围检查（读取 stdin JSON）
-  check-bash          PreToolUse hook，阻止 Bash 直接篡改 .soloforge/state
+  check-bash          PreToolUse hook，阻止 Bash 直接篡改 .soloforge/state 或绕过受控任务写业务实现
   doctor              审计 MCP 控制面、适配器 hook、状态可信和恢复路径
   post-bash           PostToolUse hook，用于跟踪 Bash 执行结果
   validate            验证项目配置和知识文件（config.yaml 可选，缺失时自动推断）
@@ -698,61 +699,11 @@ async function cmdCheckWrite() {
         if (result.severity === "warning") {
             jsonSafeError(JSON.stringify(result));
         }
-        // 问题六十二: Claude Code 直接 Edit/Write 也必须遵守设计产物就绪门。
-        // 设计资产本身允许继续修订；非设计文件在产物包复验通过前禁止写入。
         const relativeFilePath = path.relative(projectRealPath, targetFilePath).replaceAll(path.sep, "/");
-        const isDesignArtifactFile = /^docs\/architecture\//.test(relativeFilePath) ||
-            /^docs\/api\/openapi\.(?:ya?ml|json)$/.test(relativeFilePath) ||
-            /^db\/(?:migrations|schema)\//.test(relativeFilePath);
-        if (!isDesignArtifactFile) {
-            const { TaskContextManager } = await import("../engine/task_context.js");
-            const stateDir = path.join(projectPath, ".soloforge", "state");
-            const implementationSource = isImplementationSourcePath(relativeFilePath);
-            if (fss.existsSync(stateDir)) {
-                const manager = new TaskContextManager(stateDir);
-                const currentTask = await manager.getCurrentTask();
-                const designPack = currentTask?.design_artifact_pack;
-                if (implementationSource && currentTask && ["classifying", "clarifying", "expanding"].includes(currentTask.status)) {
-                    process.stdout.write(JSON.stringify({
-                        hookSpecificOutput: {
-                            hookEventName: "PreToolUse",
-                            permissionDecision: "deny",
-                            permissionDecisionReason: `当前 SoloForge 任务仍处于 ${currentTask.status}，说明分类、澄清或意图膨胀未闭合。不得绕过 sf_expand 直接写业务实现；请先运行 soloforge next 或 sf_status action=archive_stale confirm=true 处理任务状态。`,
-                        },
-                    }));
-                    process.exit(0);
-                }
-                if (implementationSource && !currentTask && hasDesignArtifacts(projectPath)) {
-                    process.stdout.write(JSON.stringify({
-                        hookSpecificOutput: {
-                            hookEventName: "PreToolUse",
-                            permissionDecision: "deny",
-                            permissionDecisionReason: "检测到项目已有架构/详细/API/数据库设计产物，但当前没有受控 SoloForge 任务。不得绕过 sf_classify/sf_expand 直接写业务实现；请先运行 soloforge next 或通过 MCP 建立编码任务。",
-                        },
-                    }));
-                    process.exit(0);
-                }
-                if (implementationSource && currentTask && !designPack && hasDesignArtifacts(projectPath)) {
-                    process.stdout.write(JSON.stringify({
-                        hookSpecificOutput: {
-                            hookEventName: "PreToolUse",
-                            permissionDecision: "deny",
-                            permissionDecisionReason: "检测到项目已有设计产物，但当前任务缺少 design_artifact_pack 复验状态。不得直接写业务实现；请先运行 soloforge audit-design-artifacts，并通过 sf_expand/sf_verify 绑定设计产物包。",
-                        },
-                    }));
-                    process.exit(0);
-                }
-                if (designPack && designPack.status !== "implementation_ready") {
-                    process.stdout.write(JSON.stringify({
-                        hookSpecificOutput: {
-                            hookEventName: "PreToolUse",
-                            permissionDecision: "deny",
-                            permissionDecisionReason: `设计产物包状态为 ${designPack.status}，请先完善 docs/architecture、docs/api/openapi 或 db/migrations|schema 并通过复验，再写入业务实现`,
-                        },
-                    }));
-                    process.exit(0);
-                }
-            }
+        const implementationGateReason = await evaluateImplementationWriteGate(projectPath, relativeFilePath);
+        if (implementationGateReason) {
+            denyPreToolUse(implementationGateReason);
+            process.exit(0);
         }
         process.exit(0); // 允许
     }
@@ -790,19 +741,76 @@ function isImplementationSourcePath(relativeFilePath) {
         return false;
     return /\.(?:java|kt|kts|scala|ts|tsx|js|jsx|mjs|cjs|py|go|rs|php|rb|cs|swift|vue|svelte|sql|xml|yml|yaml|properties)$/.test(relativeFilePath);
 }
+function isDesignArtifactPath(relativeFilePath) {
+    const lifecyclePaths = getDesignLifecycleArtifactPaths();
+    if ([
+        lifecyclePaths.decision_record,
+        lifecyclePaths.architecture_document,
+        lifecyclePaths.database_document,
+        lifecyclePaths.api_document,
+        lifecyclePaths.optional_detail_design_document,
+        lifecyclePaths.slice_plan,
+        lifecyclePaths.consistency_report,
+        lifecyclePaths.traceability_matrix,
+        lifecyclePaths.openapi,
+    ].includes(relativeFilePath))
+        return true;
+    return /^docs\/architecture\//.test(relativeFilePath) ||
+        /^docs\/traceability\//.test(relativeFilePath) ||
+        /^docs\/api\/openapi\.(?:ya?ml|json)$/.test(relativeFilePath) ||
+        /^db\/(?:migrations?|schema|changelog)\//.test(relativeFilePath) ||
+        /(?:^|\/)(?:src\/main\/resources\/)?db\/(?:migrations?|schema|changelog)\//.test(relativeFilePath);
+}
+function denyPreToolUse(reason) {
+    process.stdout.write(JSON.stringify({
+        hookSpecificOutput: {
+            hookEventName: "PreToolUse",
+            permissionDecision: "deny",
+            permissionDecisionReason: reason,
+        },
+    }));
+}
+async function evaluateImplementationWriteGate(projectPath, relativeFilePath) {
+    // 问题六十二/七十三: Edit/Write/Bash 都必须遵守同一编码前门禁。
+    // 设计资产本身允许继续修订；非设计业务实现文件在产物包复验通过前禁止写入。
+    if (isDesignArtifactPath(relativeFilePath) || !isImplementationSourcePath(relativeFilePath))
+        return undefined;
+    const stateDir = path.join(projectPath, ".soloforge", "state");
+    if (!fss.existsSync(stateDir))
+        return undefined;
+    const { TaskContextManager } = await import("../engine/task_context.js");
+    const manager = new TaskContextManager(stateDir);
+    const currentTask = await manager.getCurrentTask();
+    const designPack = currentTask?.design_artifact_pack;
+    if (currentTask && ["classifying", "clarifying", "expanding"].includes(currentTask.status)) {
+        return `当前 SoloForge 任务仍处于 ${currentTask.status}，说明分类、澄清或意图膨胀未闭合。不得绕过 sf_expand，不得取消/归档当前任务后改用 Bash/Edit/Write 直接写业务实现，也不得把 Bash 作为恢复路径。请先运行 soloforge next 查看阻断项；按返回的 auto_resolvable 或 recovery_command 补齐后重新 sf_expand。只有 soloforge next 明确判定 current-task 陈旧且用户确认时，才可运行 sf_status action=archive_stale confirm=true；归档后仍必须重新 sf_classify → sf_expand 建立受控编码任务。`;
+    }
+    if (!currentTask && hasDesignArtifacts(projectPath)) {
+        return "检测到项目已有架构/详细/API/数据库设计产物，但当前没有受控 SoloForge 任务。不得绕过 sf_classify/sf_expand 直接写业务实现，不得改用 Bash/Edit/Write 先写代码再补验证；请先运行 soloforge next 或通过 MCP 建立编码任务。";
+    }
+    if (currentTask && !designPack && hasDesignArtifacts(projectPath)) {
+        return "检测到项目已有设计产物，但当前任务缺少 design_artifact_pack 复验状态。不得取消任务后直接写业务实现，不得改用 Bash 绕过；请先运行 soloforge audit-design-artifacts，并通过 sf_expand/sf_verify 绑定设计产物包。";
+    }
+    if (designPack && designPack.status !== "implementation_ready") {
+        return `设计产物包状态为 ${designPack.status}，不得改用 Bash/Edit/Write 绕过设计复验；请先完善 docs/architecture、docs/traceability、docs/api/openapi 或 db/migration|migrations|schema|changelog 并通过复验，再写入业务实现`;
+    }
+    return undefined;
+}
 function hasDesignArtifacts(projectPath) {
+    const lifecyclePaths = getDesignLifecycleArtifactPaths();
     const candidates = [
-        path.join(projectPath, "docs", "architecture", "00-架构决策记录.md"),
-        path.join(projectPath, "docs", "architecture", "01-架构设计文档.md"),
-        path.join(projectPath, "docs", "architecture", "02-数据库设计文档.md"),
-        path.join(projectPath, "docs", "architecture", "03-API接口规格文档.md"),
-        path.join(projectPath, "docs", "architecture", "04-详细设计文档.md"),
-        path.join(projectPath, "docs", "architecture", "99-设计一致性验收报告.md"),
-        path.join(projectPath, "docs", "api", "openapi.yaml"),
+        lifecyclePaths.decision_record,
+        lifecyclePaths.architecture_document,
+        lifecyclePaths.database_document,
+        lifecyclePaths.api_document,
+        lifecyclePaths.optional_detail_design_document,
+        lifecyclePaths.slice_plan,
+        lifecyclePaths.consistency_report,
+        lifecyclePaths.traceability_matrix,
+        lifecyclePaths.openapi,
         path.join(projectPath, "docs", "api", "openapi.yml"),
-        path.join(projectPath, "db", "migrations"),
-        path.join(projectPath, "db", "migration"),
-    ];
+        ...lifecyclePaths.sql_roots,
+    ].map((candidate) => path.join(projectPath, candidate));
     return candidates.some((candidate) => fss.existsSync(candidate));
 }
 async function cmdPostBash() {
@@ -824,6 +832,68 @@ function extractBashCommand(rawInput) {
         return trimmed;
     }
 }
+function unquoteShellToken(token) {
+    if (!token)
+        return undefined;
+    const trimmed = token.trim();
+    if ((trimmed.startsWith("\"") && trimmed.endsWith("\"")) || (trimmed.startsWith("'") && trimmed.endsWith("'"))) {
+        return trimmed.slice(1, -1);
+    }
+    return trimmed;
+}
+function addShellPathToken(targets, token) {
+    const value = unquoteShellToken(token);
+    if (!value || value === "-" || value.startsWith("$"))
+        return;
+    targets.add(value.replace(/[),;]+$/, ""));
+}
+function addSourcePathTokens(targets, commandText) {
+    const pathTokenPattern = /"([^"]+\.(?:java|kt|kts|scala|ts|tsx|js|jsx|mjs|cjs|py|go|rs|php|rb|cs|swift|vue|svelte|sql|xml|ya?ml|properties))"|'([^']+\.(?:java|kt|kts|scala|ts|tsx|js|jsx|mjs|cjs|py|go|rs|php|rb|cs|swift|vue|svelte|sql|xml|ya?ml|properties))'|([^\s'";&|()<>]+\.(?:java|kt|kts|scala|ts|tsx|js|jsx|mjs|cjs|py|go|rs|php|rb|cs|swift|vue|svelte|sql|xml|ya?ml|properties))/gi;
+    for (const match of commandText.matchAll(pathTokenPattern)) {
+        addShellPathToken(targets, match[1] || match[2] || match[3]);
+    }
+}
+function extractBashWriteTargets(commandText) {
+    const command = commandText.replace(/\s+/g, " ").trim();
+    const targets = new Set();
+    const redirectionPattern = /(?:^|[^<])>>?\s*(?:"([^"]+)"|'([^']+)'|([^\s;&|]+))/g;
+    for (const match of command.matchAll(redirectionPattern)) {
+        addShellPathToken(targets, match[1] || match[2] || match[3]);
+    }
+    const teePattern = /(?:^|[\s;&|()])tee\s+(?:-[A-Za-z]+\s+)*(?:"([^"]+)"|'([^']+)'|([^\s;&|]+))/g;
+    for (const match of command.matchAll(teePattern)) {
+        addShellPathToken(targets, match[1] || match[2] || match[3]);
+    }
+    const writeApiPattern = /(?:writeFileSync|writeFile|write_text)\s*\(\s*["']([^"']+)["']/g;
+    for (const match of command.matchAll(writeApiPattern)) {
+        addShellPathToken(targets, match[1]);
+    }
+    const pythonOpenWritePattern = /open\s*\(\s*["']([^"']+)["']\s*,\s*["'][^"']*[wa+][^"']*["']/g;
+    for (const match of command.matchAll(pythonOpenWritePattern)) {
+        addShellPathToken(targets, match[1]);
+    }
+    const pathlibWritePattern = /(?:Path|pathlib\.Path)\s*\(\s*["']([^"']+)["']\s*\)\.write_text/g;
+    for (const match of command.matchAll(pathlibWritePattern)) {
+        addShellPathToken(targets, match[1]);
+    }
+    const mutatingCommandPattern = /(?:^|[\s;&|()])(?:rm|mv|cp|touch|chmod|chown)\b/i;
+    const inPlaceEditPattern = /(?:^|[\s;&|()])(?:(?:g?sed)\s+[^;&|]*\s-i\b|perl\s+[^;&|]*\s-pi\b)/i;
+    if (mutatingCommandPattern.test(command) || inPlaceEditPattern.test(command)) {
+        addSourcePathTokens(targets, command);
+    }
+    return [...targets];
+}
+function resolveProjectRelativeTarget(projectPath, targetPath) {
+    const rawTargetFilePath = path.isAbsolute(targetPath) ? path.normalize(targetPath) : path.resolve(projectPath, targetPath);
+    const projectRealPath = fss.realpathSync(projectPath);
+    const targetFilePath = rawTargetFilePath === projectPath || rawTargetFilePath.startsWith(projectPath + path.sep)
+        ? path.join(projectRealPath, path.relative(projectPath, rawTargetFilePath))
+        : rawTargetFilePath;
+    const relativeFilePath = path.relative(projectRealPath, targetFilePath).replaceAll(path.sep, "/");
+    if (relativeFilePath === "" || relativeFilePath.startsWith("../") || path.isAbsolute(relativeFilePath))
+        return undefined;
+    return relativeFilePath;
+}
 async function cmdCheckBash() {
     debugLog("CLI: 执行 cmdCheckBash");
     try {
@@ -834,13 +904,19 @@ async function cmdCheckBash() {
         const stdin = Buffer.concat(chunks).toString();
         const commandText = extractBashCommand(stdin || args.join(" "));
         if (isSoloforgeStateBypassCommand(commandText)) {
-            process.stdout.write(JSON.stringify({
-                hookSpecificOutput: {
-                    hookEventName: "PreToolUse",
-                    permissionDecision: "deny",
-                    permissionDecisionReason: "禁止通过 Bash 直接修改 .soloforge/state；请使用 SoloForge MCP 工具，例如 sf_status action=archive_stale confirm=true。",
-                },
-            }));
+            denyPreToolUse("禁止通过 Bash 直接修改 .soloforge/state；请使用 SoloForge MCP 工具，例如 sf_status action=archive_stale confirm=true。");
+            process.exit(0);
+        }
+        const projectPath = resolveProjectPath();
+        for (const target of extractBashWriteTargets(commandText)) {
+            const relativeTarget = resolveProjectRelativeTarget(projectPath, target);
+            if (!relativeTarget)
+                continue;
+            const implementationGateReason = await evaluateImplementationWriteGate(projectPath, relativeTarget);
+            if (implementationGateReason) {
+                denyPreToolUse(`禁止通过 Bash 直接写业务实现文件 ${relativeTarget}；${implementationGateReason}`);
+                process.exit(0);
+            }
         }
         process.exit(0);
     }
@@ -1494,6 +1570,12 @@ async function cmdAuditDesignArtifacts() {
         userInfo(`  hard_fail: ${result.findings.filter((finding) => finding.severity === "hard_fail").length}`);
         for (const finding of result.findings) {
             userInfo(`  ${finding.severity === "hard_fail" ? "❌" : "⚠️"} [${finding.code}] ${finding.message_zh}`);
+            if (finding.template_path)
+                userInfo(`     模板: ${finding.template_path}`);
+            if (finding.recovery_command)
+                userInfo(`     命令: ${finding.recovery_command}`);
+            if (finding.recovery_zh)
+                userInfo(`     恢复: ${finding.recovery_zh}`);
         }
         if (result.passed)
             userInfo("✅ 设计产物包复验通过，可作为后续实现输入");
@@ -2434,7 +2516,20 @@ async function cmdNext() {
             if (plan.project_knowledge_context.selected.length > 0) {
                 userInfo("  下一步会优先参考:");
                 for (const item of plan.project_knowledge_context.selected) {
-                    userInfo(`    - ${item.name} (${item.rel_path}, ${item.consumption})`);
+                    userInfo(`    - ${item.name} (${item.rel_path}, ${item.enforcement ?? item.consumption})`);
+                    if (item.reason_zh)
+                        userInfo(`      原因: ${item.reason_zh}`);
+                    if (item.verification_command)
+                        userInfo(`      复验: ${item.verification_command}`);
+                }
+            }
+            if (plan.project_knowledge_context.blocked && plan.project_knowledge_context.blocked.length > 0) {
+                userInfo("  必须先处理:");
+                for (const item of plan.project_knowledge_context.blocked) {
+                    userInfo(`    - ${item.name} (${item.rel_path})`);
+                    userInfo(`      原因: ${item.reason_zh}`);
+                    if (item.recovery)
+                        userInfo(`      恢复: ${item.recovery}`);
                 }
             }
         }
@@ -2848,14 +2943,30 @@ async function cmdAuditProjectKnowledge() {
     userInfo(`  hard_fail: ${report.hard_fail_count}`);
     userInfo(`  warning: ${report.warning_count}`);
     for (const asset of report.assets) {
-        if (asset.findings.length === 0)
-            continue;
         userInfo(`  - ${asset.rel_path} (${asset.identity}/${asset.consumption})`);
+        userInfo(`    创建: ${asset.evidence.created_by}；索引: ${asset.evidence.indexed_by}`);
+        if (asset.lifecycle_stages.length > 0)
+            userInfo(`    阶段: ${asset.lifecycle_stages.join(", ")}`);
+        if (asset.path_patterns.length > 0)
+            userInfo(`    路径: ${asset.path_patterns.join(", ")}`);
+        if (asset.traceability_ids.length > 0)
+            userInfo(`    追踪: ${asset.traceability_ids.join(", ")}`);
+        if (asset.verification_commands.length > 0)
+            userInfo(`    复验: ${asset.verification_commands.join(" / ")}`);
+        if (asset.evidence.last_consumed_at) {
+            userInfo(`    最近消费: ${asset.evidence.last_consumption_consumer}/${asset.evidence.last_consumption_action} ${asset.evidence.last_consumed_task} @ ${asset.evidence.last_consumed_at}`);
+        }
         for (const finding of asset.findings) {
             const mark = finding.severity === "hard_fail" ? "❌" : finding.severity === "warning" ? "⚠️" : "ℹ️";
             userInfo(`    ${mark} [${finding.code}] ${finding.message_zh}`);
         }
     }
+    if (report.recent_consumption.length > 0) {
+        userInfo("  最近消费证据:");
+        for (const item of report.recent_consumption.slice(0, 10)) {
+            userInfo(`    - ${item.rel_path ?? item.asset_id}: ${item.consumer}/${item.action ?? "unknown"} ${item.lifecycle_stage ?? "unknown_stage"} ${item.task_id_or_route} ${item.decision ?? ""}`);
+        }
+    }
     if (report.recommended_next_steps.length > 0) {
         userInfo("  下一步:");
         for (const step of report.recommended_next_steps)