substrate-ai 0.20.57 → 0.20.59

package/dist/cli/index.js

@@ -1,10 +1,10 @@
 #!/usr/bin/env node
-import { FileStateStore, RunManifest, SUBSTRATE_OWNED_SETTINGS_KEYS, SupervisorLock, VALID_PHASES, WorkGraphRepository, ZERO_FINDINGS_BY_AUTHOR, ZERO_FINDING_COUNTS, ZERO_PROBE_AUTHOR_METRICS, aggregateProbeAuthorMetrics, buildPipelineStatusOutput, createDatabaseAdapter, createStateStore, findPackageRoot, formatOutput, formatPipelineStatusHuman, formatPipelineSummary, formatTokenTelemetry, getAllDescendantPids, getAutoHealthData, getSubstrateDefaultSettings, inspectProcessTree, parseDbTimestampAsUtc, parseRuntimeProbes, registerHealthCommand, resolveBmadMethodSrcPath, resolveBmadMethodVersion, resolveMainRepoRoot, resolveRunManifest, rollupFindingCounts, rollupFindingsByAuthor, rollupProbeAuthorByClass, rollupProbeAuthorMetrics } from "../health-PdI4-96I.js";
+import { FileStateStore, RunManifest, SUBSTRATE_OWNED_SETTINGS_KEYS, SupervisorLock, VALID_PHASES, WorkGraphRepository, ZERO_FINDINGS_BY_AUTHOR, ZERO_FINDING_COUNTS, ZERO_PROBE_AUTHOR_METRICS, aggregateProbeAuthorMetrics, buildPipelineStatusOutput, createDatabaseAdapter, createStateStore, findPackageRoot, formatOutput, formatPipelineStatusHuman, formatPipelineSummary, formatTokenTelemetry, getAllDescendantPids, getAutoHealthData, getSubstrateDefaultSettings, inspectProcessTree, parseDbTimestampAsUtc, parseRuntimeProbes, registerHealthCommand, resolveBmadMethodSrcPath, resolveBmadMethodVersion, resolveMainRepoRoot, resolveRunManifest, rollupFindingCounts, rollupFindingsByAuthor, rollupProbeAuthorByClass, rollupProbeAuthorMetrics } from "../health-CzYD6ghE.js";
 import { createLogger } from "../logger-KeHncl-f.js";
 import { createEventBus } from "../helpers-CElYrONe.js";
 import { AdapterRegistry, BudgetConfigSchema, CURRENT_CONFIG_FORMAT_VERSION, CURRENT_TASK_GRAPH_VERSION, ConfigError, CostTrackerConfigSchema, DEFAULT_CONFIG, DoltClient, DoltNotInstalled, GlobalSettingsSchema, InMemoryDatabaseAdapter, IngestionServer, MonitorDatabaseImpl, OPERATIONAL_FINDING, PartialGlobalSettingsSchema, PartialProviderConfigSchema, ProvidersSchema, RoutingRecommender, STORY_METRICS, TelemetryConfigSchema, addTokenUsage, aggregateTokenUsageForRun, checkDoltInstalled, compareRunMetrics, createAmendmentRun, createConfigSystem, createDecision, createDoltClient, createPipelineRun, getActiveDecisions, getAllCostEntriesFiltered, getBaselineRunMetrics, getDecisionsByCategory, getDecisionsByPhaseForRun, getLatestCompletedRun, getLatestRun, getPipelineRunById, getPlanningCostTotal, getRetryableEscalations, getRunMetrics, getRunningPipelineRuns, getSessionCostSummary, getSessionCostSummaryFiltered, getStoryMetricsForRun, getTokenUsageSummary, incrementRunRestarts, initSchema, initializeDolt, listRunMetrics, loadParentRunDecisions, supersedeDecision, tagRunAsBaseline, updatePipelineRun } from "../dist-W2emvN3F.js";
 import "../adapter-registry-DXLMTmfD.js";
-import { AdapterTelemetryPersistence, AppError, DoltRepoMapMetaRepository, DoltSymbolRepository, ERR_REPO_MAP_STORAGE_WRITE, EpicIngester, GLOBSTAR, GitClient, GrammarLoader, Minimatch, Minipass, RepoMapInjector, RepoMapModule, RepoMapQueryEngine, RepoMapStorage, SymbolParser, createContextCompiler, createDispatcher, createEventEmitter, createImplementationOrchestrator, createPackLoader, createPhaseOrchestrator, createStopAfterGate, createTelemetryAdvisor, escape, formatPhaseCompletionSummary, getFactoryRunSummaries, getScenarioResultsForRun, getTwinRunsForRun, listGraphRuns, registerExportCommand, registerFactoryCommand, registerRunCommand, registerScenariosCommand, resolveStoryKeys, runAnalysisPhase, runPlanningPhase, runProbeAuthor, runSolutioningPhase, unescape, validateStopAfterFromConflict } from "../run-DcDoaG12.js";
+import { AdapterTelemetryPersistence, AppError, DoltRepoMapMetaRepository, DoltSymbolRepository, ERR_REPO_MAP_STORAGE_WRITE, EpicIngester, GLOBSTAR, GitClient, GrammarLoader, Minimatch, Minipass, RepoMapInjector, RepoMapModule, RepoMapQueryEngine, RepoMapStorage, SymbolParser, createContextCompiler, createDispatcher, createEventEmitter, createImplementationOrchestrator, createPackLoader, createPhaseOrchestrator, createStopAfterGate, createTelemetryAdvisor, escape, formatPhaseCompletionSummary, getFactoryRunSummaries, getScenarioResultsForRun, getTwinRunsForRun, listGraphRuns, registerExportCommand, registerFactoryCommand, registerRunCommand, registerScenariosCommand, resolveStoryKeys, runAnalysisPhase, runPlanningPhase, runProbeAuthor, runSolutioningPhase, unescape, validateStopAfterFromConflict } from "../run-BGXvVIwO.js";
 import "../errors-CKFu8YI9.js";
 import "../routing-CcBOCuC9.js";
 import "../decisions-C0pz9Clx.js";
@@ -7484,7 +7484,7 @@ async function runStatusAction(options) {
 			logger$13.debug({ err }, "Work graph query failed, continuing without work graph data");
 		}
 		if (run === void 0) {
-			const { inspectProcessTree: inspectProcessTree$1 } = await import("../health-HmyFdWEf.js");
+			const { inspectProcessTree: inspectProcessTree$1 } = await import("../health-CsE9INpp.js");
 			const substrateDirPath = join(projectRoot, ".substrate");
 			const processInfo = inspectProcessTree$1({
 				projectRoot,
@@ -9030,7 +9030,7 @@ async function runSupervisorAction(options, deps = {}) {
 								await initSchema(expAdapter);
 								const { runRunAction: runPipeline } = await import(
 									/* @vite-ignore */
-									"../run-BF8oeJhG.js"
+									"../run-BupqUzci.js"
 );
 								const runStoryFn = async (opts) => {
 									const exitCode = await runPipeline({

package/dist/{health-HmyFdWEf.js → health-CsE9INpp.js}

@@ -1,4 +1,4 @@
-import { DEFAULT_STALL_THRESHOLD_SECONDS, getAllDescendantPids, getAutoHealthData, inspectProcessTree, isOrchestratorProcessLine, registerHealthCommand, runHealthAction } from "./health-PdI4-96I.js";
+import { DEFAULT_STALL_THRESHOLD_SECONDS, getAllDescendantPids, getAutoHealthData, inspectProcessTree, isOrchestratorProcessLine, registerHealthCommand, runHealthAction } from "./health-CzYD6ghE.js";
 import "./logger-KeHncl-f.js";
 import "./dist-W2emvN3F.js";
 import "./decisions-C0pz9Clx.js";

package/dist/{health-PdI4-96I.js → health-CzYD6ghE.js}

@@ -1,19 +1,22 @@
 import { createLogger } from "./logger-KeHncl-f.js";
 import { DoltClient, DoltQueryError, LEARNING_FINDING, createDatabaseAdapter$1 as createDatabaseAdapter, createDecision, getDecisionsByCategory, getLatestRun, getPipelineRunById, initSchema } from "./dist-W2emvN3F.js";
 import { createRequire } from "module";
+import * as path$1 from "path";
 import { dirname, join } from "path";
 import { readFile } from "fs/promises";
 import { EventEmitter } from "node:events";
 import { YAMLException, load } from "js-yaml";
 import { existsSync, promises, readFileSync, readdirSync, statSync } from "node:fs";
 import { spawn, spawnSync } from "node:child_process";
-import * as path$1 from "node:path";
+import * as path$2 from "node:path";
 import { basename as basename$1, dirname as dirname$1, join as join$1, resolve as resolve$1 } from "node:path";
 import { z } from "zod";
 import { mkdir as mkdir$1, open, readFile as readFile$1, unlink, writeFile as writeFile$1 } from "node:fs/promises";
+import * as fs from "fs";
 import { existsSync as existsSync$1 } from "fs";
 import { createRequire as createRequire$1 } from "node:module";
 import { fileURLToPath } from "node:url";
+import { execSync as execSync$1 } from "child_process";
 
 //#region rolldown:runtime
 var __create = Object.create;
@@ -481,20 +484,20 @@ function detectCycles(edges) {
 	}
 	const visited = new Set();
 	const visiting = new Set();
-	const path$2 = [];
+	const path$3 = [];
 	function dfs(node) {
 		if (visiting.has(node)) {
-			const cycleStart = path$2.indexOf(node);
-			return [...path$2.slice(cycleStart), node];
+			const cycleStart = path$3.indexOf(node);
+			return [...path$3.slice(cycleStart), node];
 		}
 		if (visited.has(node)) return null;
 		visiting.add(node);
-		path$2.push(node);
+		path$3.push(node);
 		for (const neighbor of adj.get(node) ?? []) {
 			const cycle = dfs(neighbor);
 			if (cycle !== null) return cycle;
 		}
-		path$2.pop();
+		path$3.pop();
 		visiting.delete(node);
 		visited.add(node);
 		return null;
@@ -2928,6 +2931,32 @@ const SEVERITY_PREFIX = {
 	info: "INFO"
 };
 /**
+* source-ac-shellout-npx-fallback — Story 67-3, obs_2026-05-03_023 fix #3.
+*
+* Severity: warn. Emitted by SourceAcShelloutCheck when a bare `npx <package>`
+* invocation (without `--no-install`) is detected in a story-modified source file.
+* A bare `npx <package>` without `--no-install` falls through to the public npm
+* registry on first use if the package binary is not locally installed —
+* a dependency-confusion attack vector.
+*/
+const CATEGORY_SHELLOUT_NPX_FALLBACK = "source-ac-shellout-npx-fallback";
+/**
+* cross-story-concurrent-modification — Story 68-1, Epic 66/67 cross-story-interaction fix.
+*
+* Severity: warn (defensive rollout per Story 60-16 pattern). Emitted by
+* CrossStoryConsistencyCheck (Layer 2) when post-completion analysis shows two
+* concurrent stories modified the same file AND interface signatures differ
+* between their commits.
+*
+* Motivating incidents: Epic 66 run a832487a (66-1+66-2+66-7 concurrent dispatch)
+* + Epic 67 run a59e4c96 (67-1+67-2 methodology-pack.test.ts budget constant race).
+*
+* NOTE: Promotion to 'error' is deferred pending empirical low-false-positive
+* validation across multiple substrate-on-substrate dispatch runs. Do NOT change
+* severity to 'error' until at least 3 consecutive runs with zero false positives.
+*/
+const CATEGORY_CROSS_STORY_CONCURRENT_MODIFICATION = "cross-story-concurrent-modification";
+/**
 * Render a list of findings into the multi-line human-readable string that
 * populates VerificationResult.details. One line per finding:
 *
@@ -3444,15 +3473,15 @@ function findCodeEvidence(opts) {
 		reason: `AC text references ${token}, which is in files_modified`
 	};
 	for (const token of tokens) {
-		const base = path$1.basename(token);
-		const match = filesModified.find((f) => path$1.basename(f) === base);
+		const base = path$2.basename(token);
+		const match = filesModified.find((f) => path$2.basename(f) === base);
 		if (match !== void 0) return {
 			found: true,
 			reason: `AC text references ${token}; matching basename ${match} is in files_modified`
 		};
 	}
 	for (const token of tokens) try {
-		if (existsSync(path$1.join(workingDir, token))) return {
+		if (existsSync(path$2.join(workingDir, token))) return {
 			found: true,
 			reason: `AC text references ${token}, which exists in working tree`
 		};
@@ -3462,7 +3491,7 @@ function findCodeEvidence(opts) {
 		const acMentionRe = new RegExp(`\\bAC\\s*:?\\s*#?\\s*${num}\\b`, "i");
 		const testFiles = filesModified.filter(isTestFilePath);
 		for (const testFile of testFiles) try {
-			const content = readFileSync(path$1.join(workingDir, testFile), "utf-8");
+			const content = readFileSync(path$2.join(workingDir, testFile), "utf-8");
 			if (acMentionRe.test(content)) return {
 				found: true,
 				reason: `${testFile} mentions ${acId}`
@@ -3790,11 +3819,11 @@ function parseRuntimeProbes(storyContent) {
 	const validation = RuntimeProbeListSchema.safeParse(parsed);
 	if (!validation.success) {
 		const first = validation.error.issues[0];
-		const path$2 = first?.path.join(".") ?? "";
+		const path$3 = first?.path.join(".") ?? "";
 		const message = first?.message ?? "schema validation failed";
 		return {
 			kind: "invalid",
-			error: `probe list is malformed at ${path$2 || "<root>"}: ${message}`
+			error: `probe list is malformed at ${path$3 || "<root>"}: ${message}`
 		};
 	}
 	const probes = validation.data;
@@ -4552,18 +4581,18 @@ function existsAnywhereUnderRoot(root, base) {
 		depth: 0
 	}];
 	while (stack.length > 0) {
-		const { path: path$2, depth } = stack.pop();
+		const { path: path$3, depth } = stack.pop();
 		if (depth > MAX_WALK_DEPTH) continue;
 		let entries;
 		try {
-			entries = readdirSync(path$2);
+			entries = readdirSync(path$3);
 		} catch {
 			continue;
 		}
 		for (const entry of entries) {
 			if (SKIP_DIRS.has(entry)) continue;
 			if (entry === base) return true;
-			const full = join$1(path$2, entry);
+			const full = join$1(path$3, entry);
 			try {
 				const s = statSync(full);
 				if (s.isDirectory()) stack.push({
@@ -5106,6 +5135,286 @@ var SourceAcFidelityCheck = class {
 	}
 };
 
+//#endregion
+//#region packages/sdlc/dist/verification/checks/source-ac-shellout-check.js
+/** Matches `npx <name>` but NOT `npx --no-install <name>`. */
+const NPX_PATTERN = /npx\s+(?!--no-install)([a-zA-Z0-9_@\-/]+)/g;
+/**
+* Returns `true` when the line (after trimming leading whitespace) starts with
+* a single-line comment marker (`//` or `#`). Block comments (/* … *\/) are not
+* matched here — they are handled by the string-literal context check.
+*/
+function isCommentLine(line) {
+	const trimmed = line.trimStart();
+	return trimmed.startsWith("//") || trimmed.startsWith("#");
+}
+/**
+* Returns `true` when `matchIndex` falls inside a single-quoted (`'...'`),
+* double-quoted (`"..."`), or template-literal (`` `...` ``) region of the line,
+* OR when the line is a shebang (`#!...`).
+*
+* Implementation: scan character-by-character from index 0, toggling
+* `inSingle`, `inDouble`, `inTemplate` flags at unescaped quote characters.
+* An escaped quote is one where the immediately preceding character is `\`.
+* (Note: this is a heuristic — it does not handle `\\` or complex escape
+* sequences correctly. For a static-analysis severity:warn heuristic, the
+* simplification is acceptable.)
+*/
+function isInStringLiteralContext(line, matchIndex) {
+	if (line.trimStart().startsWith("#!")) return true;
+	let inSingle = false;
+	let inDouble = false;
+	let inTemplate = false;
+	for (let i = 0; i < matchIndex; i++) {
+		const char = line[i];
+		const escaped = i > 0 && line[i - 1] === "\\";
+		if (!escaped) {
+			if (char === "'" && !inDouble && !inTemplate) inSingle = !inSingle;
+			else if (char === "\"" && !inSingle && !inTemplate) inDouble = !inDouble;
+			else if (char === "`" && !inSingle && !inDouble) inTemplate = !inTemplate;
+		}
+	}
+	return inSingle || inDouble || inTemplate;
+}
+/**
+* Reads the file at `absolutePath` and returns every line/match pair where
+* a bare `npx <name>` (without `--no-install`) appears inside a string-literal
+* context on a non-comment line.
+*
+* Returns 1-indexed line numbers.
+*/
+function scanFile(absolutePath) {
+	const content = fs.readFileSync(absolutePath, "utf-8");
+	const lines = content.split("\n");
+	const results = [];
+	for (let i = 0; i < lines.length; i++) {
+		const line = lines[i];
+		if (line === void 0) continue;
+		if (isCommentLine(line)) continue;
+		NPX_PATTERN.lastIndex = 0;
+		let match;
+		const linePattern = new RegExp(NPX_PATTERN.source, "g");
+		while ((match = linePattern.exec(line)) !== null) {
+			const name = match[1];
+			if (name !== void 0 && isInStringLiteralContext(line, match.index)) results.push({
+				lineNum: i + 1,
+				name
+			});
+		}
+	}
+	return results;
+}
+/**
+* Standalone function implementing the shellout check logic.
+* Exported separately so tests can call it directly without instantiating the class.
+*/
+async function runShelloutCheck(context) {
+	const start = Date.now();
+	const findings = [];
+	let modifiedFiles = context.devStoryResult?.files_modified ?? [];
+	if (modifiedFiles.length === 0) try {
+		const output = execSync$1("git diff --name-only HEAD~1", {
+			cwd: context.workingDir,
+			encoding: "utf-8"
+		});
+		modifiedFiles = output.trim().split("\n").filter((f) => f.length > 0);
+	} catch {
+		return {
+			status: "pass",
+			details: "source-ac-shellout: no modified files available — skipping check",
+			duration_ms: Date.now() - start,
+			findings: []
+		};
+	}
+	const filesToCheck = modifiedFiles.filter((f) => !f.endsWith(".md"));
+	if (filesToCheck.length === 0) return {
+		status: "pass",
+		details: "source-ac-shellout: no non-.md modified files — skipping check",
+		duration_ms: Date.now() - start,
+		findings: []
+	};
+	for (const relPath of filesToCheck) {
+		const absPath = path$1.join(context.workingDir, relPath);
+		let matches;
+		try {
+			matches = scanFile(absPath);
+		} catch {
+			continue;
+		}
+		for (const { lineNum, name } of matches) findings.push({
+			category: CATEGORY_SHELLOUT_NPX_FALLBACK,
+			severity: "warn",
+			message: `npx fallback detected in ${relPath}:${lineNum}: "npx ${name}" — bare \`npx <package>\` without \`--no-install\` falls through to the public npm registry on first use. If \`<package>\` isn't a registered binary in your dev dependencies, this is a dependency-confusion vector. Use absolute path or \`npx --no-install <package>\` instead.`
+		});
+	}
+	const status = findings.some((f) => f.severity === "error") ? "fail" : findings.some((f) => f.severity === "warn") ? "warn" : "pass";
+	return {
+		status,
+		details: findings.length > 0 ? renderFindings(findings) : "source-ac-shellout: no bare npx fallback patterns detected",
+		duration_ms: Date.now() - start,
+		findings
+	};
+}
+/**
+* VerificationCheck class for the shellout static-analysis gate.
+*
+* name  = 'source-ac-shellout'
+* tier  = 'A' (fast — file I/O only, no LLM, no subprocess except optional git fallback)
+*/
+var SourceAcShelloutCheck = class {
+	name = "source-ac-shellout";
+	tier = "A";
+	async run(context) {
+		return runShelloutCheck(context);
+	}
+};
+
+//#endregion
+//#region packages/sdlc/dist/verification/checks/cross-story-consistency-check.js
+/**
+* Matches added/removed export interface or type declarations.
+* Example: `+export interface Foo {` or `-export type Bar =`
+*/
+const INTERFACE_CHANGE_PATTERN = /^[+-]\s*(export\s+(?:interface|type)\s+\w+)/;
+/**
+* Matches added/removed constant assignments.
+* Example: `+const BUDGET_LIMIT = 32000` or `-const BUDGET_LIMIT = 30000`
+* Also matches `export const`, `let`, `var`.
+*/
+const CONST_CHANGE_PATTERN = /^[+-]\s*(?:export\s+)?(?:const|let|var)\s+\w+\s*=/;
+/**
+* Compute the set of file paths that collide between the current story's
+* modified files and the prior stories' modified files.
+*
+* Uses `context._crossStoryConflictingFiles` as a direct override when
+* supplied (test-hook / runtime-probe path). Otherwise computes the
+* intersection of `devStoryResult.files_modified` ∩ `priorStoryFiles`.
+*/
+function computeCollisionPaths(context) {
+	if (context._crossStoryConflictingFiles !== void 0 && context._crossStoryConflictingFiles.length > 0) return context._crossStoryConflictingFiles;
+	const currentFiles = context.devStoryResult?.files_modified ?? [];
+	const priorFiles = context.priorStoryFiles ?? [];
+	if (currentFiles.length === 0 || priorFiles.length === 0) return [];
+	const priorSet = new Set(priorFiles);
+	return currentFiles.filter((f) => priorSet.has(f));
+}
+/**
+* Parse a unified diff text for type signature changes or constant reassignments.
+*
+* Returns `true` when the diff contains any added or removed export
+* interface/type declaration OR any added/removed constant assignment —
+* indicating a potential interface-level change that concurrent story authors
+* should review.
+*/
+function diffContainsInterfaceOrConstChange(diffText) {
+	const lines = diffText.split("\n");
+	for (const line of lines) {
+		if (INTERFACE_CHANGE_PATTERN.test(line)) return true;
+		if (CONST_CHANGE_PATTERN.test(line)) return true;
+	}
+	return false;
+}
+/**
+* Run `git diff --no-renames <commitSha>^...<commitSha> -- <file>` to get
+* the per-file diff for the story's commit.
+*
+* Returns `null` when git is unavailable or the file wasn't part of the commit.
+*/
+function getDiffForFile(workingDir, commitSha, filePath) {
+	try {
+		return execSync$1(`git diff --no-renames ${commitSha}~1 ${commitSha} -- ${filePath}`, {
+			cwd: workingDir,
+			encoding: "utf-8",
+			stdio: [
+				"ignore",
+				"pipe",
+				"pipe"
+			]
+		});
+	} catch {
+		return null;
+	}
+}
+/**
+* Get numstat diff for a story commit to confirm a file was modified.
+* Returns lines like: `5\t3\tsrc/foo.ts`
+*/
+function getNumstatDiff(workingDir, commitSha) {
+	try {
+		return execSync$1(`git diff --no-renames --numstat ${commitSha}~1 ${commitSha}`, {
+			cwd: workingDir,
+			encoding: "utf-8",
+			stdio: [
+				"ignore",
+				"pipe",
+				"pipe"
+			]
+		});
+	} catch {
+		return null;
+	}
+}
+/**
+* Standalone function implementing the cross-story consistency check logic.
+* Exported separately so tests can call it directly without instantiating the class.
+*/
+async function runCrossStoryConsistencyCheck(context) {
+	const start = Date.now();
+	const findings = [];
+	if ((context.priorStoryFiles === void 0 || context.priorStoryFiles.length === 0) && (context._crossStoryConflictingFiles === void 0 || context._crossStoryConflictingFiles.length === 0)) return {
+		status: "pass",
+		details: "cross-story-consistency: no Tier B context (priorStoryFiles absent) — skipping check",
+		duration_ms: Date.now() - start,
+		findings: []
+	};
+	const collisionPaths = computeCollisionPaths(context);
+	if (collisionPaths.length > 0) findings.push({
+		category: "cross-story-file-collision",
+		severity: "warn",
+		message: `Layer 1 collision: story "${context.storyKey}" shares ${collisionPaths.length} file(s) with concurrent stories: ${collisionPaths.join(", ")}. Recommended action: serialize these stories to avoid race conditions. Motivating incidents: Epic 66 (a832487a), Epic 67 (a59e4c96).`
+	});
+	const shouldRunLayer2 = context.buildCheckPassed !== false && collisionPaths.length > 0;
+	if (shouldRunLayer2) {
+		const numstat = getNumstatDiff(context.workingDir, context.commitSha);
+		const binaryFiles = new Set();
+		if (numstat !== null) for (const line of numstat.split("\n")) {
+			const binMatch = /^-\t-\t(.+)$/.exec(line.trim());
+			if (binMatch?.[1]) binaryFiles.add(binMatch[1]);
+		}
+		for (const filePath of collisionPaths) {
+			if (binaryFiles.has(filePath)) continue;
+			const normalizedPath = filePath.replace(/\\/g, "/");
+			const diffText = getDiffForFile(context.workingDir, context.commitSha, normalizedPath);
+			if (diffText === null) continue;
+			if (diffContainsInterfaceOrConstChange(diffText)) findings.push({
+				category: CATEGORY_CROSS_STORY_CONCURRENT_MODIFICATION,
+				severity: "warn",
+				message: `Layer 2 interface/constant change in shared file "${filePath}": this story's commit modified export signatures or constants that may conflict with concurrent story changes. Manual review recommended. (Epic 66/67 reconciliation pattern: verify working-tree coherence via build + tests before treating pipeline outcome as definitive.)`
+			});
+		}
+	}
+	const status = findings.some((f) => f.severity === "error") ? "fail" : findings.some((f) => f.severity === "warn") ? "warn" : "pass";
+	return {
+		status,
+		details: findings.length > 0 ? renderFindings(findings) : "cross-story-consistency: no file collisions detected between concurrent stories",
+		duration_ms: Date.now() - start,
+		findings
+	};
+}
+/**
+* VerificationCheck class for cross-story consistency analysis.
+*
+* name  = 'cross-story-consistency'
+* tier  = 'B' (requires cross-story context; skipped for single-story runs)
+*/
+var CrossStoryConsistencyCheck = class {
+	name = "cross-story-consistency";
+	tier = "B";
+	async run(context) {
+		return runCrossStoryConsistencyCheck(context);
+	}
+};
+
 //#endregion
 //#region packages/sdlc/dist/verification/verification-pipeline.js
 /**
@@ -5232,7 +5541,9 @@ function createDefaultVerificationPipeline(bus, config) {
 		new AcceptanceCriteriaEvidenceCheck(),
 		new BuildCheck(),
 		new RuntimeProbeCheck(),
-		new SourceAcFidelityCheck()
+		new SourceAcFidelityCheck(),
+		new SourceAcShelloutCheck(),
+		new CrossStoryConsistencyCheck()
 	];
 	return new VerificationPipeline(bus, checks);
 }
@@ -6595,7 +6906,7 @@ function inspectProcessTree(opts) {
 		}
 		const lines = psOutput.split("\n");
 		if (substrateDirPath !== void 0) try {
-			const readFileSyncFn = readFileSyncOverride ?? ((path$2, encoding) => readFileSync(path$2, encoding));
+			const readFileSyncFn = readFileSyncOverride ?? ((path$3, encoding) => readFileSync(path$3, encoding));
 			const pidContent = readFileSyncFn(join(substrateDirPath, "orchestrator.pid"), "utf-8");
 			const pid = parseInt(pidContent.trim(), 10);
 			if (!isNaN(pid) && pid > 0) {
@@ -7030,4 +7341,4 @@ function registerHealthCommand(program, _version = "0.0.0", projectRoot = proces
 
 //#endregion
 export { BMAD_BASELINE_TOKENS_FULL, DEFAULT_STALL_THRESHOLD_SECONDS, DoltMergeConflict, FileStateStore, FindingsInjector, RunManifest, RuntimeProbeListSchema, STOP_AFTER_VALID_PHASES, STORY_KEY_PATTERN$1 as STORY_KEY_PATTERN, SUBSTRATE_OWNED_SETTINGS_KEYS, SupervisorLock, VALID_PHASES, WorkGraphRepository, ZERO_FINDINGS_BY_AUTHOR, ZERO_FINDING_COUNTS, ZERO_PROBE_AUTHOR_METRICS, __commonJS, __require, __toESM, aggregateProbeAuthorMetrics, applyConfigToGraph, buildPipelineStatusOutput, createDatabaseAdapter$1 as createDatabaseAdapter, createDefaultVerificationPipeline, createGraphOrchestrator, createSdlcCodeReviewHandler, createSdlcCreateStoryHandler, createSdlcDevStoryHandler, createSdlcPhaseHandler, createStateStore, detectCycles, detectsEventDrivenAC, detectsStateIntegratingAC, extractTargetFilesFromStoryContent, findPackageRoot, formatOutput, formatPipelineStatusHuman, formatPipelineSummary, formatTokenTelemetry, getAllDescendantPids, getAutoHealthData, getSubstrateDefaultSettings, inspectProcessTree, isOrchestratorProcessLine, parseDbTimestampAsUtc, parseRuntimeProbes, registerHealthCommand, renderFindings, resolveBmadMethodSrcPath, resolveBmadMethodVersion, resolveGraphPath, resolveMainRepoRoot, resolveRunManifest, rollupFindingCounts, rollupFindingsByAuthor, rollupProbeAuthorByClass, rollupProbeAuthorMetrics, runHealthAction, validateStoryKey };
-//# sourceMappingURL=health-PdI4-96I.js.map
+//# sourceMappingURL=health-CzYD6ghE.js.map

package/dist/index.d.ts

@@ -2263,6 +2263,16 @@ interface OrchestratorEvents {
     /** Tail of subprocess stdout captured at kill time (~64KB max, UTF-8) */
     stdoutTail?: string;
   };
+  /**
+   * Two or more concurrent stories have overlapping target file paths.
+   * Story 68-1: closes Epic 66 (a832487a) + Epic 67 (a59e4c96) cross-story-interaction class.
+   * Mirror of CoreEvents['dispatch:cross-story-file-collision']; both must stay in sync.
+   */
+  'dispatch:cross-story-file-collision': {
+    storyKeys: string[];
+    collisionPaths: string[];
+    recommendedAction: 'serialize' | 'warn';
+  };
   /** Watchdog detected no progress for an extended period */
   'orchestrator:stall': {
     runId: string;

package/dist/{run-DcDoaG12.js → run-BGXvVIwO.js}

@@ -1,4 +1,4 @@
-import { BMAD_BASELINE_TOKENS_FULL, DoltMergeConflict, FileStateStore, FindingsInjector, RunManifest, RuntimeProbeListSchema, STOP_AFTER_VALID_PHASES, STORY_KEY_PATTERN, VALID_PHASES, WorkGraphRepository, __commonJS, __require, __toESM, applyConfigToGraph, buildPipelineStatusOutput, createDatabaseAdapter, createDefaultVerificationPipeline, createGraphOrchestrator, createSdlcCodeReviewHandler, createSdlcCreateStoryHandler, createSdlcDevStoryHandler, createSdlcPhaseHandler, detectCycles, detectsEventDrivenAC, detectsStateIntegratingAC, extractTargetFilesFromStoryContent, formatOutput, formatPipelineSummary, formatTokenTelemetry, inspectProcessTree, parseDbTimestampAsUtc, renderFindings, resolveGraphPath, resolveMainRepoRoot, validateStoryKey } from "./health-PdI4-96I.js";
+import { BMAD_BASELINE_TOKENS_FULL, DoltMergeConflict, FileStateStore, FindingsInjector, RunManifest, RuntimeProbeListSchema, STOP_AFTER_VALID_PHASES, STORY_KEY_PATTERN, VALID_PHASES, WorkGraphRepository, __commonJS, __require, __toESM, applyConfigToGraph, buildPipelineStatusOutput, createDatabaseAdapter, createDefaultVerificationPipeline, createGraphOrchestrator, createSdlcCodeReviewHandler, createSdlcCreateStoryHandler, createSdlcDevStoryHandler, createSdlcPhaseHandler, detectCycles, detectsEventDrivenAC, detectsStateIntegratingAC, extractTargetFilesFromStoryContent, formatOutput, formatPipelineSummary, formatTokenTelemetry, inspectProcessTree, parseDbTimestampAsUtc, renderFindings, resolveGraphPath, resolveMainRepoRoot, validateStoryKey } from "./health-CzYD6ghE.js";
 import { createLogger } from "./logger-KeHncl-f.js";
 import { TypedEventBusImpl, createEventBus, createTuiApp, isTuiCapable, printNonTtyWarning, sleep } from "./helpers-CElYrONe.js";
 import { ADVISORY_NOTES, Categorizer, ConsumerAnalyzer, DEFAULT_GLOBAL_SETTINGS, DispatcherImpl, DoltClient, ESCALATION_DIAGNOSIS, EXPERIMENT_RESULT, EfficiencyScorer, IngestionServer, LogTurnAnalyzer, OPERATIONAL_FINDING, Recommender, RoutingRecommender, RoutingResolver, RoutingTelemetry, RoutingTokenAccumulator, RoutingTuner, STORY_METRICS, STORY_OUTCOME, SubstrateConfigSchema, TEST_EXPANSION_FINDING, TEST_PLAN, TelemetryNormalizer, TelemetryPipeline, TurnAnalyzer, addTokenUsage, aggregateTokenUsageForRun, aggregateTokenUsageForStory, callLLM, createConfigSystem, createDatabaseAdapter$1, createDecision, createPipelineRun, createRequirement, detectInterfaceChanges, getArtifactByTypeForRun, getArtifactsByRun, getDecisionsByCategory, getDecisionsByPhase, getDecisionsByPhaseForRun, getLatestRun, getPipelineRunById, getRunMetrics, getRunningPipelineRuns, getStoryMetricsForRun, getTokenUsageSummary, initSchema, listRequirements, loadModelRoutingConfig, registerArtifact, updatePipelineRun, updatePipelineRunConfig, upsertDecision, writeRunMetrics, writeStoryMetrics } from "./dist-W2emvN3F.js";
@@ -15326,6 +15326,132 @@ function createImplementationOrchestrator(deps) {
 			await sleep(gcPauseMs);
 		}
 	}
+	function extractFilePathsFromStoryContent(content) {
+		const paths = new Set();
+		const atPattern = /@\s+([a-zA-Z][^\s`()\n]+\.[a-zA-Z0-9]+)/g;
+		let m;
+		while ((m = atPattern.exec(content)) !== null) {
+			const p = m[1]?.trim();
+			if (p !== void 0 && p.includes("/") && !p.startsWith("http")) paths.add(p.replace(/[.)]+$/, ""));
+		}
+		const backtickPattern = /`([a-zA-Z][^`\n ]+\.[a-zA-Z0-9]{1,6})`/g;
+		while ((m = backtickPattern.exec(content)) !== null) {
+			const p = m[1]?.trim();
+			if (p !== void 0 && p.includes("/") && !p.includes(" ") && !p.startsWith("http")) paths.add(p);
+		}
+		return paths;
+	}
+	/**
+	* Story 68-1: Pre-dispatch cross-story file collision detection.
+	*
+	* Before dispatching a batch with multiple concurrent groups, checks whether
+	* any two stories from different groups share file paths in their story specs.
+	* When collisions are found:
+	*   1. Emits `dispatch:cross-story-file-collision` event for operator visibility.
+	*   2. Merges colliding groups so they execute sequentially.
+	*
+	* Best-effort: if story files are missing, unreadable, or contain no parseable
+	* paths, the original groups are returned unchanged.
+	*/
+	function detectAndSerializeConcurrentFileCollisions(batchGroups) {
+		if (batchGroups.length <= 1) return batchGroups;
+		const root = projectRoot ?? process.cwd();
+		const artifactsDir = join$1(root, "_bmad-output", "implementation-artifacts");
+		if (!existsSync(artifactsDir)) return batchGroups;
+		const storyFileMap = new Map();
+		const allStoryKeys = batchGroups.flat();
+		let artifactFiles;
+		try {
+			artifactFiles = readdirSync(artifactsDir);
+		} catch {
+			return batchGroups;
+		}
+		const STALE_SUFFIX = /\.stale-\d+\.md$/;
+		for (const storyKey of allStoryKeys) try {
+			const match$2 = artifactFiles.find((f$1) => f$1.startsWith(`${storyKey}-`) && f$1.endsWith(".md") && !STALE_SUFFIX.test(f$1));
+			if (!match$2) continue;
+			const content = readFileSync(join$1(artifactsDir, match$2), "utf-8");
+			const paths = extractFilePathsFromStoryContent(content);
+			if (paths.size > 0) storyFileMap.set(storyKey, paths);
+		} catch {}
+		if (storyFileMap.size === 0) return batchGroups;
+		const parent = Array.from({ length: batchGroups.length }, (_, i) => i);
+		function find(x) {
+			while (parent[x] !== x) {
+				parent[x] = parent[parent[x]];
+				x = parent[x];
+			}
+			return x;
+		}
+		function union(x, y) {
+			const rx = find(x);
+			const ry = find(y);
+			if (rx !== ry) parent[rx] = ry;
+		}
+		let collisionCount = 0;
+		const collisionEvents = [];
+		for (let i = 0; i < batchGroups.length; i++) for (let j$1 = i + 1; j$1 < batchGroups.length; j$1++) {
+			if (find(i) === find(j$1)) continue;
+			const groupA = batchGroups[i] ?? [];
+			const groupB = batchGroups[j$1] ?? [];
+			const filesA = new Set();
+			const filesB = new Set();
+			const keysA = [];
+			const keysB = [];
+			for (const key of groupA) {
+				const files = storyFileMap.get(key);
+				if (files !== void 0) {
+					keysA.push(key);
+					for (const f$1 of files) filesA.add(f$1);
+				}
+			}
+			for (const key of groupB) {
+				const files = storyFileMap.get(key);
+				if (files !== void 0) {
+					keysB.push(key);
+					for (const f$1 of files) filesB.add(f$1);
+				}
+			}
+			if (keysA.length === 0 || keysB.length === 0) continue;
+			const collisionPaths = [...filesA].filter((f$1) => filesB.has(f$1));
+			if (collisionPaths.length > 0) {
+				union(i, j$1);
+				collisionCount++;
+				collisionEvents.push({
+					storyKeys: [...keysA, ...keysB],
+					collisionPaths
+				});
+			}
+		}
+		if (collisionCount === 0) return batchGroups;
+		for (const evt of collisionEvents) {
+			try {
+				eventBus.emit("dispatch:cross-story-file-collision", {
+					storyKeys: evt.storyKeys,
+					collisionPaths: evt.collisionPaths,
+					recommendedAction: "serialize"
+				});
+			} catch {}
+			logger$26.info({
+				storyKeys: evt.storyKeys,
+				collisionPaths: evt.collisionPaths
+			}, "Cross-story file collision detected — serializing affected groups to prevent race conditions");
+		}
+		const mergedGroupMap = new Map();
+		for (let i = 0; i < batchGroups.length; i++) {
+			const group = batchGroups[i] ?? [];
+			const root2 = find(i);
+			const existing = mergedGroupMap.get(root2) ?? [];
+			mergedGroupMap.set(root2, [...existing, ...group]);
+		}
+		const result = [...mergedGroupMap.values()];
+		logger$26.info({
+			originalGroupCount: batchGroups.length,
+			mergedGroupCount: result.length,
+			collisionCount
+		}, "Story groups re-arranged after cross-story collision detection");
+		return result;
+	}
 	/**
 	* Promise pool: run up to maxConcurrency groups at a time.
 	*
@@ -15617,7 +15743,10 @@ function createImplementationOrchestrator(deps) {
 				logger$26.warn({ err: snapErr }, "Failed to capture package snapshot — continuing without protection");
 			}
 			try {
-				for (const batchGroups of batches) await runWithConcurrency(batchGroups, config.maxConcurrency);
+				for (const rawBatchGroups of batches) {
+					const batchGroups = detectAndSerializeConcurrentFileCollisions(rawBatchGroups);
+					await runWithConcurrency(batchGroups, config.maxConcurrency);
+				}
 			} catch (err) {
 				stopHeartbeat();
 				_state = "FAILED";
@@ -45472,4 +45601,4 @@ function registerRunCommand(program, _version = "0.0.0", projectRoot = process.c
 
 //#endregion
 export { AdapterTelemetryPersistence, AppError, DoltRepoMapMetaRepository, DoltSymbolRepository, ERR_REPO_MAP_STORAGE_WRITE, EpicIngester, GLOBSTAR$1 as GLOBSTAR, GitClient, GrammarLoader, Minimatch$1 as Minimatch, Minipass, RepoMapInjector, RepoMapModule, RepoMapQueryEngine, RepoMapStorage, SymbolParser, createContextCompiler, createDispatcher, createEventEmitter, createImplementationOrchestrator, createPackLoader, createPhaseOrchestrator, createStopAfterGate, createTelemetryAdvisor, escape$1 as escape, formatPhaseCompletionSummary, getFactoryRunSummaries, getScenarioResultsForRun, getTwinRunsForRun, listGraphRuns, normalizeGraphSummaryToStatus, registerExportCommand, registerFactoryCommand, registerRunCommand, registerScenariosCommand, resolveMaxReviewCycles, resolveProbeAuthorStateIntegrating, resolveStoryKeys, runAnalysisPhase, runPlanningPhase, runProbeAuthor, runRunAction, runSolutioningPhase, unescape$1 as unescape, validateStopAfterFromConflict, wireNdjsonEmitter };
-//# sourceMappingURL=run-DcDoaG12.js.map
+//# sourceMappingURL=run-BGXvVIwO.js.map

package/dist/{run-BF8oeJhG.js → run-BupqUzci.js}

@@ -1,8 +1,8 @@
-import "./health-PdI4-96I.js";
+import "./health-CzYD6ghE.js";
 import "./logger-KeHncl-f.js";
 import "./helpers-CElYrONe.js";
 import "./dist-W2emvN3F.js";
-import { normalizeGraphSummaryToStatus, registerRunCommand, resolveMaxReviewCycles, resolveProbeAuthorStateIntegrating, runRunAction, wireNdjsonEmitter } from "./run-DcDoaG12.js";
+import { normalizeGraphSummaryToStatus, registerRunCommand, resolveMaxReviewCycles, resolveProbeAuthorStateIntegrating, runRunAction, wireNdjsonEmitter } from "./run-BGXvVIwO.js";
 import "./routing-CcBOCuC9.js";
 import "./decisions-C0pz9Clx.js";
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "substrate-ai",
-  "version": "0.20.57",
+  "version": "0.20.59",
   "description": "Substrate — multi-agent orchestration daemon for AI coding agents",
   "type": "module",
   "license": "MIT",

package/packs/bmad/prompts/create-story.md

@@ -108,6 +108,20 @@ Use this exact format for each item:
 
 **Behavioral signals (runtime-dependent even when the artifact ships as TypeScript / JavaScript / Python source):** the AC describes the implementation invoking a **subprocess** (`execSync`, `spawn`, `child_process`), reading or writing the **filesystem outside test tmpdirs** (`fs.read*`, `fs.write*`, `path.join(homedir(), ...)`), running **git operations** (`git log`, `git push`, `git merge`), querying a **database** (Dolt, mysql, sqlite, postgres), making **network requests** (`fetch`, `axios`, `http.get`), or scanning a **registry / configuration source** ("queries the registry", "scans the fleet").
 
+**Shell-script generation signals (runtime-dependent even when the artifact ships as source: the generated script runs on a live host, installs into `.git/hooks/`, or registers with the OS):** the AC describes the implementation generating or installing a script that a user or system event invokes — the correctness of that script can only be confirmed by running it in a real or ephemeral environment, not by inspecting source code alone. Signal types to recognize:
+
+- **Hook generators**: code that writes or installs git hooks (`pre-push`, `post-merge`, `pre-commit`, `post-commit`, `post-rewrite`), configures `husky` or other hook managers, or writes files to `.git/hooks/*`.
+- **Install scripts**: commands like `vg install`, `<binary> install`, or AC phrases like "installs the X hook", "writes the X script", "generates a wrapper for Y".
+- **Lifecycle scripts**: generates npm `prepublish`, `postinstall`, or `prepare` scripts; writes entries into `package.json` `scripts` field programmatically.
+- **Service generators**: generates systemd `.service` or `.timer` unit files, podman/docker image build scripts, or any file invoked by a scheduler or init system.
+- **Wrapper scripts**: produces `#!/bin/sh`-style shell wrappers around binaries (e.g., `#!/bin/sh` / `exec node "$@"` shape), shim generators, or delegate-to-binary shell scripts.
+
+Phrase patterns to flag as shell-script generation signals: "writes a hook", "generates a script", "installs a pre-push hook", "creates a wrapper", "emits a shell script", "writes to .git/hooks/", "creates a systemd unit".
+
+Strata Stories 3-3+3-4 shipped LGTM_WITH_NOTES with a real dependency-confusion attack vector (`npx strata` fallback) because the verification gate accepted shell-script-generating code without a canonical-invocation probe. See `obs_2026-05-03_023` (create-story prompt enforce probe section for shell-out boundaries).
+
+If any shell-script generation signal fires, the story MUST include a `## Runtime Probes` section that invokes the canonical user trigger in a fresh fixture project, not direct-call the script.
+
 **Architectural-level signals (the same external-state interactions described at higher abstraction levels — runtime-dependent identically):** the AC names a **named external dependency** (service, package, agent, skill, mesh, registry, queue, outbox, store, daemon, etc.) AND describes any **interaction verb** (queries, publishes, consumes, calls, writes to, reads from, subscribes to, registers with, delegates to, reaches for, persists to). Phrase patterns to recognize as the architectural-level equivalents of the code-API enumeration above:
 
 - `queries <service-or-skill>` (network / database) — e.g., "queries agent-mesh's `query-reports` skill", "queries the Dolt registry"

package/packs/bmad/prompts/probe-author.md

@@ -312,6 +312,59 @@ Read from an npm/package registry or fleet-config source. Precede the registry p
   description: npm registry resolves @substrate-ai/sdlc and returns a semver version string
 ```
 
+## Shell-script generation probe shapes
+
+Shell-script generation ACs describe a generator that produces a lifecycle script — a pre-push hook, a postinstall wrapper, a systemd unit startup shim, or a cron-job body — that the **user** then invokes through a canonical mechanism (`git push`, `npm install`, etc.). This AC class was identified in obs_2026-05-03_023 (strata 3-3+3-4 incident: a pre-push hook generator shipped SHIP_IT with a dependency-confusion attack vector because the verification probe direct-called the generated script with synthetic inputs rather than invoking the canonical user trigger).
+
+**Why the fresh-fixture requirement is critical:**
+
+(a) The orchestrator's working tree may have global state (installed binaries, config files) that a typical user environment does not. A probe run against substrate's own working tree silently satisfies preconditions that would fail in a fresh project.
+
+(b) The canonical user invocation runs in the user's project root — not substrate's. A probe that bypasses the install + wiring step (e.g., calls `bash .git/hooks/pre-push` directly) cannot detect that the hook was installed to the wrong path, was installed with the wrong mode, or was wired to the wrong trigger event.
+
+(c) Defects like dependency-confusion (`npx <package>` fallback to global registry) only manifest when no local binary exists. On the orchestrator's machine, `node_modules/.bin/strata` satisfies the lookup before npm's fallback fires — masking the defect from any probe that runs inside the substrate working tree.
+
+**Three rules for shell-script generation probes:**
+
+1. **Fresh fixture in `mktemp -d`** — never run against substrate's own project tree. The working tree silently satisfies probes that would fail in a user's fresh environment. Create a throwaway `mktemp -d` directory, `git init` it, and install the generator into it via the canonical install command.
+
+2. **Canonical user trigger** — `git push` for a pre-push hook, `npm install` for a postinstall hook, NOT direct script invocation (`bash .git/hooks/pre-push`). Direct invocation skips the wiring layer that determines whether the hook actually fires on the user's machine. See the trigger table in "Probes for event-driven mechanisms must invoke the production trigger" above.
+
+3. **Observable post-condition** — assert filesystem or process state the user would observe (e.g., `test -f .findings/history.jsonl`), not just exit code. A script that exits 0 without writing the expected artifact satisfies exit-code-only probes but silently fails the user. The assertion target must be the output the user can inspect after the event fires.
+
+**Canonical worked example (strata 3-3 pre-push hook scenario — obs_2026-05-03_023 fix #1):**
+
+```yaml
+- name: pre-push-hook-fires-on-real-push-and-archives-findings
+  sandbox: twin
+  command: |
+    set -e
+    FIXTURE=$(mktemp -d)
+    cd "$FIXTURE"
+    npm init -y >/dev/null
+    git init -q
+    git config user.email t@example.com && git config user.name test
+    # install via canonical user invocation (no global packages)
+    node <REPO_ROOT>/dist/cli.js vg install
+    # produce a finding-eligible change
+    mkdir -p src
+    echo "import x from 'lodash';" > src/bad.ts
+    git add . && git commit -qm "initial"
+    # trigger canonical user-facing event via git push (pre-push hook fires here)
+    REMOTE=$(mktemp -d)
+    git init --bare -q "$REMOTE"
+    git remote add origin "$REMOTE"
+    git push origin main 2>&1 || true
+    # assert observable post-condition
+    test -f .findings/history.jsonl && echo "ARCHIVE_PRESENT" || echo "ARCHIVE_MISSING"
+  expect_stdout_regex:
+    - ARCHIVE_PRESENT
+  description: >-
+    strata 3-3 canonical pre-push hook shape — fresh fixture (mktemp -d),
+    canonical user trigger (git push), observable post-condition assertion
+    (obs_2026-05-03_023 fix #1)
+```
+
 ## Mission
 
 Author runtime probes for the story described above. Use the AC sections provided: