wogiflow 1.0.48 → 1.0.50

package/.claude/commands/wogi-research.md

@@ -0,0 +1,223 @@
+# /wogi-research - Zero-Trust Research Protocol
+
+Execute rigorous research before answering questions about capabilities, feasibility, or existence.
+
+## Usage
+
+```
+/wogi-research "Does X support Y?"          # Standard depth
+/wogi-research --quick "Simple question"    # Quick check (5K tokens)
+/wogi-research --deep "Architecture query"  # Deep audit (50K tokens)
+/wogi-research --exhaustive "Critical decision" # Full audit (100K tokens)
+```
+
+## When This is Required
+
+This command is **automatically triggered** (when strict mode is enabled) for:
+
+1. **Capability Questions**: "Does X support Y?", "Can X do Y?"
+2. **Feasibility Questions**: "Is it possible to...", "Can we..."
+3. **Existence Questions**: "Is there a...", "Does X exist?"
+4. **Architecture Questions**: "How does X work?", "How is X structured?"
+5. **Integration Questions**: "How to integrate X with Y?"
+
+## Research Protocol Phases
+
+### Phase 1: Scope Mapping
+- Identify all potentially relevant local files
+- Identify external tools/libraries mentioned
+- Generate search keywords
+- Create `research-scope.json`
+
+### Phase 2: Local Evidence Gathering
+- Read ALL files identified in scope (not just the first match)
+- Extract relevant code snippets and documentation
+- Log findings to research notes
+- **DO NOT SKIP FILES** - partial reading leads to false conclusions
+
+### Phase 3: External Verification
+- For each external tool/library:
+  - Web search: "[tool] documentation [feature] [current year]"
+  - Read official docs (top 3 results minimum)
+  - Extract quotes with URLs
+- **ASSUME training data is 2+ years stale**
+
+### Phase 4: Assumption Check
+- List ALL assumptions made during research
+- Tag each assumption:
+  - `[VERIFIED]` with HIGH confidence + source
+  - `[UNVERIFIED]` with LOW confidence - **MUST be verified before proceeding**
+- Loop back to Phase 2/3 for any unverified assumptions
+
+### Phase 5: Synthesis
+- Generate research report with:
+  - Answer to original question
+  - Evidence chain (every claim → source)
+  - Confidence level (HIGH/MEDIUM/LOW)
+  - Caveats and uncertainties
+  - List of searches performed
+
+## Critical Rules
+
+### The Negative Evidence Rule
+
+**FORBIDDEN conclusions:**
+- "X is not supported"
+- "There is no Y"
+- "It doesn't exist"
+- "X cannot do Y"
+
+**REQUIRED format for negative claims:**
+```
+I searched the following sources and found no evidence of X:
+1. [source 1] - searched for [terms]
+2. [source 2] - searched for [terms]
+3. [official docs URL] - no mention found
+
+However, my search may be incomplete. Before concluding X doesn't exist:
+- Check if there's a different name for this feature
+- Verify with the latest official documentation
+- Consider that the feature may be in development
+```
+
+### The Version Paranoia Rule
+
+For ANY external tool (npm packages, CLIs, APIs, frameworks):
+```
+ASSUME: Training data is 2+ years old
+ACTION: ALWAYS web search "[tool] latest documentation [current year]"
+        BEFORE making capability claims
+```
+
+### The Assumption Stack
+
+Before answering, explicitly list:
+```markdown
+## My Assumptions
+1. [VERIFY] Gemini CLI version supports hooks → Confidence: LOW (training data)
+2. [OK] Project uses JavaScript → Confidence: HIGH (read package.json)
+3. [VERIFY] settings.json format → Confidence: LOW (haven't read docs)
+```
+
+Any assumption marked `[VERIFY]` with `LOW` confidence **MUST** be verified.
+
+## Evidence Chain Format
+
+Every claim needs a traceable source:
+
+```markdown
+| Claim | Source Type | Source Location | Confidence |
+|-------|-------------|-----------------|------------|
+| "Hooks are supported" | Live Docs | github.com/x/docs/hooks | HIGH |
+| "Settings format is X" | File Read | .gemini/settings.json | HIGH |
+| "Feature Y exists" | Training Data | None | LOW - VERIFY |
+```
+
+## Depth Tiers
+
+| Depth | Token Budget | Actions | Use For |
+|-------|--------------|---------|---------|
+| `--quick` | 5K | 1-2 files, no web search | Simple factual lookups |
+| (default) | 20K | All relevant files, 1 web search | Most questions |
+| `--deep` | 50K | Full file audit, multiple web searches | Architecture/feasibility |
+| `--exhaustive` | 100K+ | Everything + user confirmation gates | Production decisions |
+
+## Output
+
+The command generates:
+
+1. **research-report.md** - Full research findings with citations
+2. **Console summary** - Key findings and confidence level
+3. **Cached verifications** - Stored in `.workflow/state/research-cache.json`
+
+## Configuration
+
+In `.workflow/config.json`:
+
+```json
+{
+  "research": {
+    "enabled": true,
+    "defaultDepth": "standard",
+    "strictMode": true,
+    "autoTrigger": true,
+    "maxTokensPerDepth": {
+      "quick": 5000,
+      "standard": 20000,
+      "deep": 50000,
+      "exhaustive": 100000
+    },
+    "requireCitations": true,
+    "cacheVerifications": true,
+    "cacheExpiryHours": 24,
+    "budgetMode": "soft",
+    "negativeEvidenceRule": true,
+    "assumptionTracking": true
+  }
+}
+```
+
+## Examples
+
+### Example 1: Capability Question
+
+```
+User: Does Gemini CLI support hooks?
+
+/wogi-research "Does Gemini CLI support hooks?"
+```
+
+Research output:
+```
+## Research Report
+
+**Question:** Does Gemini CLI support hooks?
+**Depth:** standard
+**Confidence:** HIGH
+
+### Conclusion
+Yes, Gemini CLI supports hooks since version X.
+
+### Evidence Chain
+| Claim | Source | Confidence |
+|-------|--------|------------|
+| Hooks supported | https://github.com/gemini-cli/docs/hooks | HIGH |
+| Configuration in .gemini/settings.json | File read | HIGH |
+
+### Searches Performed
+1. Web: "Gemini CLI hooks documentation 2026"
+2. Local: .gemini/settings.json
+3. Local: .gemini/**/*.md
+```
+
+### Example 2: Architecture Question
+
+```
+User: How does the authentication flow work in this codebase?
+
+/wogi-research --deep "How does the authentication flow work?"
+```
+
+This will:
+1. Search for auth-related files
+2. Read all matches (not just first)
+3. Trace the flow through the codebase
+4. Generate a comprehensive report
+
+## Integration with Hooks
+
+When `research.strictMode` is enabled and `research.autoTrigger` is true:
+- Capability/feasibility questions automatically trigger research
+- Claims without citations are flagged
+- Negative claims require exhaustive search evidence
+
+## CLI Compatibility
+
+This command works across all supported CLIs:
+- Claude Code
+- Gemini CLI
+- Codex (OpenAI)
+- OpenCode
+- Cline/Cursor
+
+State is stored in `.workflow/` for cross-CLI persistence.

package/.claude/docs/commands.md

@@ -141,6 +141,15 @@ When user types these commands, execute the corresponding action immediately.
 |---------|--------|
 | `/wogi-guided-edit` | Guide through multi-file changes step by step. Shows each edit for approval. |
 
+### Research Protocol (Zero-Trust)
+
+| Command | Action |
+|---------|--------|
+| `/wogi-research [question]` | Execute rigorous research before answering capability/feasibility questions. Phases: scope mapping, evidence gathering, external verification, assumption check, synthesis. |
+| `/wogi-research --quick [q]` | Quick research (5K tokens) - 1-2 files, no web search. |
+| `/wogi-research --deep [q]` | Deep research (50K tokens) - full file audit, multiple web searches. |
+| `/wogi-research --exhaustive [q]` | Exhaustive research (100K+ tokens) - everything + user confirmation gates. |
+
 ### Planning & Documentation
 
 | Command | Action |
@@ -312,6 +321,14 @@ npx flow onboard                  # Analyze existing project & set up context
 ./scripts/flow figma confirm <f>  # Interactive confirmation
 ./scripts/flow figma generate     # Generate code from decisions
 ./scripts/flow figma server       # Start MCP server
+
+# Research Protocol
+./scripts/flow research "q"       # Execute research protocol
+./scripts/flow research --quick   # Quick research (5K tokens)
+./scripts/flow research --deep    # Deep research (50K tokens)
+./scripts/flow research --exhaustive # Full audit (100K+ tokens)
+./scripts/flow research cache     # Show cached verifications
+./scripts/flow research cache clear # Clear verification cache
 ```
 
 ## Command Execution

package/.workflow/bridges/base-bridge.js

@@ -109,26 +109,64 @@ class BaseBridge {
 
   /**
    * Safe JSON parse that checks for prototype pollution (fallback when flow-utils unavailable)
+   *
+   * NOTE: This is a fallback implementation. When flow-utils is available,
+   * safeJsonParse from flow-utils is used instead (it performs recursive
+   * validation of the parsed object). This fallback only does pre-parse
+   * string checking which is less comprehensive but better than nothing.
+   *
    * @param {string} content - JSON string to parse
    * @returns {Object|null} Parsed object or null if invalid
    */
   safeJsonParseContent(content) {
-    // Check for prototype pollution attempts (case-insensitive)
-    const contentLower = content.toLowerCase();
-    if (contentLower.includes('__proto__') ||
-        contentLower.includes('constructor') ||
-        contentLower.includes('prototype')) {
-      this.log('Warning: Potential prototype pollution detected in JSON');
+    if (!content || typeof content !== 'string') {
       return null;
     }
 
+    // Check for prototype pollution attempts
+    // These patterns look for dangerous keys that could be used for prototype pollution
+    const dangerousPatterns = [
+      /__proto__/i,
+      /"constructor"\s*:/,
+      /"prototype"\s*:/
+    ];
+
+    for (const pattern of dangerousPatterns) {
+      if (pattern.test(content)) {
+        this.log('Warning: Potential prototype pollution detected in JSON');
+        return null;
+      }
+    }
+
     try {
       const parsed = JSON.parse(content);
       if (parsed === null || typeof parsed !== 'object') {
         return null;
       }
+
+      // Additional check: verify no __proto__ keys in parsed result
+      // (JSON.parse could still create them in some edge cases)
+      const hasProtoKey = (obj) => {
+        if (!obj || typeof obj !== 'object') return false;
+        if (Object.prototype.hasOwnProperty.call(obj, '__proto__')) return true;
+        for (const value of Object.values(obj)) {
+          if (typeof value === 'object' && value !== null && hasProtoKey(value)) {
+            return true;
+          }
+        }
+        return false;
+      };
+
+      if (hasProtoKey(parsed)) {
+        this.log('Warning: __proto__ key detected in parsed JSON');
+        return null;
+      }
+
       return parsed;
-    } catch {
+    } catch (err) {
+      if (process.env.DEBUG) {
+        this.log(`JSON parse error: ${err.message}`);
+      }
       return null;
     }
   }
@@ -164,7 +202,8 @@ class BaseBridge {
   ensureCliFolder() {
     const cliFolder = path.join(this.projectDir, this.getCliFolder());
     if (!fs.existsSync(cliFolder)) {
-      fs.mkdirSync(cliFolder, { recursive: true });
+      // Use explicit permissions (0o755 = rwxr-xr-x) to avoid relying on umask
+      fs.mkdirSync(cliFolder, { recursive: true, mode: 0o755 });
       this.log(`Created ${this.getCliFolder()}/`);
     }
   }
@@ -181,9 +220,9 @@ class BaseBridge {
       return;
     }
 
-    // Ensure target directory exists
+    // Ensure target directory exists with explicit permissions
     if (!fs.existsSync(targetSkillsDir)) {
-      fs.mkdirSync(targetSkillsDir, { recursive: true });
+      fs.mkdirSync(targetSkillsDir, { recursive: true, mode: 0o755 });
     }
 
     // Copy skills
@@ -214,9 +253,9 @@ class BaseBridge {
   syncRules() {
     const rulesDir = path.join(this.projectDir, this.getRulesPath());
 
-    // Ensure rules directory exists
+    // Ensure rules directory exists with explicit permissions
     if (!fs.existsSync(rulesDir)) {
-      fs.mkdirSync(rulesDir, { recursive: true });
+      fs.mkdirSync(rulesDir, { recursive: true, mode: 0o755 });
     }
 
     // Copy any existing rules from .workflow/rules/ if present
@@ -244,9 +283,9 @@ class BaseBridge {
     // Knowledge files to sync
     const knowledgeFiles = ['stack.md', 'architecture.md', 'testing.md'];
 
-    // Ensure CLI docs directory exists
+    // Ensure CLI docs directory exists with explicit permissions
     if (!fs.existsSync(cliDocsDir)) {
-      fs.mkdirSync(cliDocsDir, { recursive: true });
+      fs.mkdirSync(cliDocsDir, { recursive: true, mode: 0o755 });
     }
 
     let syncedCount = 0;
@@ -359,6 +398,76 @@ class BaseBridge {
     return results;
   }
 
+  // ==================== Template Utility Methods ====================
+
+  /**
+   * Load a partial template from .workflow/templates/partials/
+   * @param {string} partialName - Name of the partial (without .hbs extension)
+   * @returns {string} Partial content or empty string if not found
+   */
+  loadPartial(partialName) {
+    const partialPath = path.join(
+      this.projectDir,
+      this.workflowDir,
+      'templates',
+      'partials',
+      `${partialName}.hbs`
+    );
+
+    try {
+      if (fs.existsSync(partialPath)) {
+        return fs.readFileSync(partialPath, 'utf-8');
+      }
+    } catch (err) {
+      this.log(`Warning: Could not load partial ${partialName}: ${err.message}`);
+    }
+    return '';
+  }
+
+  /**
+   * Process partial includes in template content
+   * Replaces {{> partial-name}} with the partial content
+   * @param {string} content - Template content
+   * @returns {string} Content with partials included
+   */
+  processPartials(content) {
+    // Match {{> partial-name}} pattern
+    const partialRegex = /\{\{>\s*([a-zA-Z0-9_-]+)\s*\}\}/g;
+
+    return content.replace(partialRegex, (match, partialName) => {
+      const partialContent = this.loadPartial(partialName);
+      if (!partialContent) {
+        this.log(`Warning: Partial not found: ${partialName}`);
+        return `<!-- Partial not found: ${partialName} -->`;
+      }
+      return partialContent;
+    });
+  }
+
+  /**
+   * Get nested value from config object using dot notation
+   * @param {Object} obj - The object to search
+   * @param {string} path - Dot-separated path (e.g., 'hooks.rules.taskGating')
+   * @returns {*} The value or undefined
+   */
+  getNestedValue(obj, path) {
+    if (!path || typeof path !== 'string') return undefined;
+
+    const parts = path.split('.');
+    let current = obj;
+
+    for (const part of parts) {
+      if (current === null || current === undefined) return undefined;
+      // Security: skip dangerous property names
+      if (part === '__proto__' || part === 'constructor' || part === 'prototype') {
+        return undefined;
+      }
+      current = current[part];
+    }
+
+    return current;
+  }
+
   // ==================== Utility Methods ====================
 
   /**
@@ -366,7 +475,7 @@ class BaseBridge {
    */
   copyDirRecursive(source, target) {
     if (!fs.existsSync(target)) {
-      fs.mkdirSync(target, { recursive: true });
+      fs.mkdirSync(target, { recursive: true, mode: 0o755 });
     }
 
     const items = fs.readdirSync(source);

package/.workflow/bridges/claude-bridge.js

@@ -59,12 +59,21 @@ class ClaudeBridge extends BaseBridge {
 
   /**
    * Generate CLAUDE.md from Handlebars-like template
-   * Supports: {{variable}}, {{config.path}}, {{#if}}, {{#each}}, {{/if}}, {{/each}}
+   * Supports: {{variable}}, {{config.path}}, {{#if}}, {{#each}}, {{/if}}, {{/each}}, {{> partial}}
    */
   generateFromTemplate(templatePath, config) {
-    const template = fs.readFileSync(templatePath, 'utf-8');
+    let template;
+    try {
+      template = fs.readFileSync(templatePath, 'utf-8');
+    } catch (err) {
+      this.log(`Warning: Could not read template ${templatePath}: ${err.message}`);
+      return this.generateDefaultClaudeMd(config);
+    }
     let content = template;
 
+    // Process {{> partial}} includes first (before other processing)
+    content = this.processPartials(content);
+
     // Process {{#if config.path.to.value}}...{{/if}} blocks
     // Non-greedy match to handle nested conditions
     content = this.processConditionals(content, config);
@@ -340,24 +349,47 @@ Last synced: ${new Date().toISOString()}
   }
 
   /**
-   * Generate settings.local.json with wildcard permissions
-   * Claude Code 2.1.0+ supports wildcards like Bash(npm *)
+   * Generate settings.local.json with permissions
+   * NOTE: Requires Claude Code 2.1.7+ which fixed wildcard matching of shell operators.
+   * See security-patterns.md rule #6 for details.
    */
   generateSettings(config) {
     const projectDir = this.projectDir;
 
-    // Base wildcard permissions - covers most common use cases
+    // Permission rules - balancing security with workflow convenience
+    // Wildcards are safe in 2.1.7+ (shell operators rejected)
     const wildcardPermissions = [
-      // Package managers
-      'Bash(npm *)',
+      // Package managers - specific safe operations
+      'Bash(npm install *)',
+      'Bash(npm run *)',
+      'Bash(npm test *)',
+      'Bash(npm exec *)',
+      'Bash(npm ci)',
+      'Bash(npm audit *)',
+      'Bash(npm outdated *)',
+      'Bash(npm ls *)',
+      'Bash(npm version *)',
       'Bash(npx *)',
-      'Bash(yarn *)',
-      'Bash(pnpm *)',
-      'Bash(pip *)',
-      'Bash(python *)',
-      'Bash(python3 *)',
-
-      // Git operations
+      'Bash(yarn install *)',
+      'Bash(yarn add *)',
+      'Bash(yarn remove *)',
+      'Bash(yarn run *)',
+      'Bash(yarn test *)',
+      'Bash(yarn build *)',
+      'Bash(yarn dev *)',
+      'Bash(pnpm install *)',
+      'Bash(pnpm add *)',
+      'Bash(pnpm remove *)',
+      'Bash(pnpm run *)',
+      'Bash(pnpm test *)',
+      'Bash(pnpm build *)',
+      'Bash(pnpm dev *)',
+      'Bash(pip install *)',
+      'Bash(pip list *)',
+      'Bash(python -m *)',
+      'Bash(python3 -m *)',
+
+      // Git operations - all safe read/write operations
       'Bash(git status)',
       'Bash(git status *)',
       'Bash(git diff *)',
@@ -386,18 +418,14 @@ Last synced: ${new Date().toISOString()}
       'Bash(./scripts/flow *)',
       'Bash(./scripts/flow)',
 
-      // Common utilities
+      // Safe read-only utilities
       'Bash(ls *)',
       'Bash(tree *)',
-      'Bash(cat *)',
-      'Bash(head *)',
-      'Bash(tail *)',
       'Bash(wc *)',
-      'Bash(grep *)',
-      'Bash(find *)',
       'Bash(chmod +x *)',  // Only make executable, not arbitrary permissions
-      'Bash(node *)',
-      'Bash(bash *)',
+      'Bash(node --check *)',
+      'Bash(node --version)',
+      'Bash(bash -n *)',  // Syntax check only
       'Bash(open *)',
       'Bash(test *)',
 

package/.workflow/bridges/codex-bridge.js

@@ -47,6 +47,28 @@ class CodexBridge extends BaseBridge {
     return path.join('.codex', 'rules');
   }
 
+  /**
+   * Register template partials with Handlebars
+   */
+  registerPartials() {
+    if (!Handlebars) return;
+
+    const partialsDir = path.join(this.projectDir, this.workflowDir, 'templates', 'partials');
+    if (!fs.existsSync(partialsDir)) return;
+
+    try {
+      const partialFiles = fs.readdirSync(partialsDir).filter(f => f.endsWith('.hbs'));
+      for (const file of partialFiles) {
+        const partialName = path.basename(file, '.hbs');
+        const partialContent = fs.readFileSync(path.join(partialsDir, file), 'utf-8');
+        Handlebars.registerPartial(partialName, partialContent);
+        this.log(`Registered partial: ${partialName}`);
+      }
+    } catch (err) {
+      this.log(`Warning: Could not register partials: ${err.message}`);
+    }
+  }
+
   /**
    * Generate AGENTS.md content
    */
@@ -55,6 +77,9 @@ class CodexBridge extends BaseBridge {
 
     // Try to use Handlebars template with proper error handling
     if (Handlebars) {
+      // Register partials before compiling
+      this.registerPartials();
+
       try {
         const templatePath = path.join(this.projectDir, this.workflowDir, 'templates', 'agents-md.hbs');
         if (fs.existsSync(templatePath)) {
@@ -68,7 +93,7 @@ class CodexBridge extends BaseBridge {
       }
     }
 
-    // Fallback to inline generation
+    // Fallback to inline generation (includes partial content directly)
     return this.generateAgentsMdFallback(context);
   }
 

package/.workflow/bridges/cursor-bridge.js

@@ -55,6 +55,28 @@ class CursorBridge extends BaseBridge {
     return path.join('.cursor', 'rules');
   }
 
+  /**
+   * Register template partials with Handlebars
+   */
+  registerPartials() {
+    if (!Handlebars) return;
+
+    const partialsDir = path.join(this.projectDir, this.workflowDir, 'templates', 'partials');
+    if (!fs.existsSync(partialsDir)) return;
+
+    try {
+      const partialFiles = fs.readdirSync(partialsDir).filter(f => f.endsWith('.hbs'));
+      for (const file of partialFiles) {
+        const partialName = path.basename(file, '.hbs');
+        const partialContent = fs.readFileSync(path.join(partialsDir, file), 'utf-8');
+        Handlebars.registerPartial(partialName, partialContent);
+        this.log(`Registered partial: ${partialName}`);
+      }
+    } catch (err) {
+      this.log(`Warning: Could not register partials: ${err.message}`);
+    }
+  }
+
   /**
    * Generate rules content (.mdc format with YAML frontmatter)
    */
@@ -63,6 +85,9 @@ class CursorBridge extends BaseBridge {
 
     // Try to use Handlebars template
     if (Handlebars) {
+      // Register partials before compiling
+      this.registerPartials();
+
       const templatePath = path.join(this.projectDir, this.workflowDir, 'templates', 'cursor-rules.mdc.hbs');
       if (fs.existsSync(templatePath)) {
         try {
@@ -75,7 +100,7 @@ class CursorBridge extends BaseBridge {
       }
     }
 
-    // Fallback to inline generation
+    // Fallback to inline generation (includes partial content directly)
     return this.generateRulesFallback(context);
   }
 

package/.workflow/bridges/gemini-bridge.js

@@ -70,7 +70,7 @@ class GeminiBridge extends BaseBridge {
 
   /**
    * Generate GEMINI.md from Handlebars-like template
-   * Supports: {{variable}}, {{config.path}}, {{#if}}, {{#each}}, {{/if}}, {{/each}}
+   * Supports: {{variable}}, {{config.path}}, {{#if}}, {{#each}}, {{/if}}, {{/each}}, {{> partial}}
    */
   generateFromTemplate(templatePath, config) {
     let template;
@@ -82,6 +82,9 @@ class GeminiBridge extends BaseBridge {
     }
     let content = template;
 
+    // Process {{> partial}} includes first (before other processing)
+    content = this.processPartials(content);
+
     // Process {{#if config.path.to.value}}...{{/if}} blocks
     content = this.processConditionals(content, config);