npm - wogiflow - Versions diffs - 1.9.6 → 1.9.7 - Mend

wogiflow 1.9.6 → 1.9.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (31) hide show

package/.claude/commands/wogi-onboard.md CHANGED Viewed

@@ -701,7 +701,7 @@ Display:
     for (const reqs of [featureReqs, bugfixReqs, refactorReqs]) {
       reqs.push('requestLogEntry');
     }
-    featureReqs.push('appMapUpdate');
+    featureReqs.push('registryUpdate');
     config.qualityGates = {
       feature: { require: featureReqs },

package/.claude/commands/wogi-research.md CHANGED Viewed

@@ -25,6 +25,46 @@ This command is **automatically triggered** (when strict mode is enabled) for:
 5. **Integration Questions**: "How to integrate X with Y?"
 6. **Comparison Questions**: "What can we learn from X?", "How does X compare to Y?"
+## Step 0: Config Loading (MANDATORY — before all phases)
+Before ANY research phase, read the project's config to determine depth, format, and verification requirements:
+```bash
+cat .workflow/config.json | grep -A 30 '"research"'
+```
+**Extract and apply these settings:**
+1. **Determine depth** (in priority order):
+   - CLI flag (`--deep`, `--quick`, etc.) → use that depth
+   - If auto-triggered (no flag): classify question type and look up `research.triggers`:
+     - Capability question ("Does X support Y?") → `triggers.capabilityQuestions` (default: `"standard"`)
+     - Feasibility question ("Is it possible to...") → `triggers.feasibilityQuestions` (default: `"deep"`)
+     - Existence question ("Is there a...") → `triggers.existenceQuestions` (default: `"standard"`)
+     - Architecture question ("How does X work?") → `triggers.architectureQuestions` (default: `"deep"`)
+     - Integration question ("How to integrate X with Y?") → `triggers.integrationQuestions` (default: `"deep"`)
+     - Comparison question ("How does X compare to Y?") → `triggers.comparisonQuestions` (default: `"deep"`)
+   - Fallback: `research.defaultDepth` (default: `"standard"`)
+2. **Apply format flags** from config:
+   - `requireVerificationFormat: true` → ALL assumptions must have `[VERIFIED]`/`[UNVERIFIED]` markers
+   - `requireCitations: true` → ALL claims must have an Evidence Chain entry
+   - `assumptionTracking: true` → Assumption Stack table is MANDATORY in output
+   - `negativeEvidenceRule: true` → Negative claims require exhaustive search evidence
+3. **Display header block** (MANDATORY):
+   ```markdown
+   ## Research Report
+   **Question:** [the question]
+   **Depth:** [resolved depth from step 1]
+   **Flow:** [Standard/Comparison]
+   **Config applied:** requireVerification=[yes/no], citations=[yes/no], assumptionTracking=[yes/no]
+   ```
+**If config.json has no `research` section or is unreadable**: use defaults (depth: standard, all format flags: true).
+---
 ## Research Protocol Phases
 There are two flows depending on question type:
@@ -199,6 +239,7 @@ In `.workflow/config.json`:
     "enabled": true,
     "defaultDepth": "standard",
     "autoTrigger": true,
+    "requireVerificationFormat": true,
     "maxTokensPerDepth": {
       "quick": 5000,
       "standard": 20000,
@@ -210,7 +251,15 @@ In `.workflow/config.json`:
     "cacheExpiryHours": 24,
     "budgetMode": "soft",
     "negativeEvidenceRule": true,
-    "assumptionTracking": true
+    "assumptionTracking": true,
+    "triggers": {
+      "capabilityQuestions": "standard",
+      "feasibilityQuestions": "deep",
+      "existenceQuestions": "standard",
+      "architectureQuestions": "deep",
+      "integrationQuestions": "deep",
+      "comparisonQuestions": "deep"
+    }
   }
 }
 ```
@@ -269,6 +318,26 @@ When `research.requireCitations` is enabled and `research.autoTrigger` is true:
 - Claims without citations are flagged
 - Negative claims require exhaustive search evidence
+## Output Checklist (MANDATORY — self-verify before presenting)
+Before presenting ANY research report, verify ALL of these are present. If any is missing, add it before outputting.
+| # | Check | Required When |
+|---|-------|---------------|
+| 1 | **Header block** with Question, Depth, Flow, Config applied | Always |
+| 2 | **Conclusion** section with direct answer | Always |
+| 3 | **Assumption Stack** table with `[VERIFIED]`/`[UNVERIFIED]` markers | `assumptionTracking: true` (default) |
+| 4 | **Evidence Chain** table with Claim, Source Type, Source Location, Confidence | `requireCitations: true` (default) |
+| 5 | **Confidence level** (HIGH/MEDIUM/LOW) | Always |
+| 6 | **Searches Performed** list (web + local) | Always |
+| 7 | **Negative Evidence format** for any "X doesn't exist" claims | `negativeEvidenceRule: true` (default) |
+| 8 | **Comparison table** (External Feature / Local Equivalent / Status) | Comparison flow only |
+| 9 | **Recommendation Verification** (EXISTS/PARTIAL/MISSING markers) | Comparison flow only |
+**Self-check prompt**: "Have I included all mandatory sections per config? Is every assumption marked? Is every claim cited?"
+If the report is missing any required section, DO NOT present it — add the missing section first.
 ## CLI Compatibility
 This command currently supports Claude Code only.

package/.claude/commands/wogi-start.md CHANGED Viewed

@@ -302,7 +302,7 @@ If violations found: fix, re-run, only proceed when all pass. Violations auto-re
 **First**: Run `node node_modules/wogiflow/scripts/flow-spec-verifier.js verify wf-XXXXXXXX` — verify all spec deliverables exist. If missing → STOP, create them.
 **Then**: Check `config.qualityGates` for task type. Gates are type-specific:
-- **feature**: loopComplete, tests, appMapUpdate, requestLogEntry, integrationWiring, standardsCompliance
+- **feature**: loopComplete, tests, registryUpdate, requestLogEntry, integrationWiring, standardsCompliance
 - **bugfix**: loopComplete, tests, requestLogEntry, standardsCompliance, learningEnforcement
 - **refactor**: loopComplete, tests, noNewFeatures, smokeTest, standardsCompliance
 - **chore**: requestLogEntry, outstandingFindings
@@ -311,7 +311,8 @@ If violations found: fix, re-run, only proceed when all pass. Violations auto-re
 **Fallback behavior**: Task types not listed above (docs, style, test, perf, etc.) inherit the **feature** gates. This is intentional — feature gates are the most comprehensive and serve as a safe default.
-**Key automated gates** (v1.9.2):
+**Key automated gates** (v1.9.7):
+- `registryUpdate` → runs `flow registry-manager scan` on ALL active registries (app-map, function-map, api-map, schema-map, service-map). Auto-updates maps when new entries found. Replaces old `appMapUpdate` no-op gate.
 - `integrationWiring` → calls `verifyWiring()` — checks created files are imported/used
 - `standardsCompliance` → calls `runTaskStandardsCheck()` — checks naming, security, decisions.md rules
 - `outstandingFindings` → reads `last-review.json` — blocks if unresolved critical/high findings exist
@@ -328,7 +329,7 @@ Reflection: "Have I introduced any bugs or regressions?"
 1. Reflection: "Does this match what the user asked for?"
 2. Close out all TodoWrite items for this task
 3. Move task to recentlyCompleted in ready.json
-4. Update request-log.md, app-map.md, function-map.md, api-map.md as needed
+4. Registry maps auto-updated by `registryUpdate` quality gate (runs `flow registry-manager scan` on all active registries — app-map, function-map, api-map, schema-map, service-map)
 5. If `config.webmcp.enabled` and UI files created: run `node node_modules/wogiflow/scripts/flow-webmcp-generator.js scan`
 6. Commit: `feat: Complete wf-XXXXXXXX - [title]`
 7. Show completion summary

package/.claude/docs/config-reference.md CHANGED Viewed

@@ -163,7 +163,7 @@ Customize which checks are required per task type.
 {
   "qualityGates": {
     "feature": {
-      "require": ["loopComplete", "tests", "appMapUpdate", "requestLogEntry"],
+      "require": ["loopComplete", "tests", "registryUpdate", "requestLogEntry"],
       "optional": ["review"]
     },
     "bugfix": {
@@ -174,7 +174,7 @@ Customize which checks are required per task type.
 }
 ```
-**Available gates**: `loopComplete`, `tests`, `generatedTestsPass`, `uiVerification`, `apiVerification`, `appMapUpdate`, `requestLogEntry`, `integrationWiring`, `standardsCompliance`, `outstandingFindings`, `preRelease`, `noNewFeatures`, `smokeTest`, `learningEnforcement`, `review`, `docs`, `webmcpVerification`
+**Available gates**: `loopComplete`, `tests`, `generatedTestsPass`, `uiVerification`, `apiVerification`, `registryUpdate`, `requestLogEntry`, `integrationWiring`, `standardsCompliance`, `outstandingFindings`, `preRelease`, `noNewFeatures`, `smokeTest`, `learningEnforcement`, `review`, `docs`, `webmcpVerification`
 **Task types**: `feature`, `bugfix`, `refactor`, `chore`, `release`, `fix`

package/.claude/docs/knowledge-base/02-task-execution/03-verification.md CHANGED Viewed

@@ -62,7 +62,7 @@ Quality gates are requirements that must pass before a task can be completed.
 {
   "qualityGates": {
     "feature": {
-      "require": ["tests", "appMapUpdate", "requestLogEntry"],
+      "require": ["tests", "registryUpdate", "requestLogEntry"],
       "optional": ["review", "docs"]
     },
     "bugfix": {
@@ -84,7 +84,7 @@ Quality gates are requirements that must pass before a task can be completed.
 | `tests` | npm test passes |
 | `lint` | npm run lint passes (with auto-fix) |
 | `typecheck` | npm run typecheck passes |
-| `appMapUpdate` | New components added to app-map.md |
+| `registryUpdate` | All registry maps (app-map, function-map, api-map, schema-map, service-map) auto-scanned |
 | `requestLogEntry` | Task logged in request-log.md |
 | `noNewFeatures` | (Refactor) No new functionality added |
 | `integrationWiring` | Created files are imported/used somewhere (not orphaned) |
@@ -134,7 +134,7 @@ Running quality gates...
   ✓ lint passed (auto-fixed)
   ✓ typecheck passed
   ✓ requestLogEntry (found in request-log)
-  ○ appMapUpdate (verify manually if components created)
+  ✓ registryUpdate (auto-scanned: app-map.md updated)
 All gates passed!
 ```

package/.claude/docs/knowledge-base/02-task-execution/05-session-review.md CHANGED Viewed

@@ -196,7 +196,7 @@ Session review can be added to quality gates:
 {
   "qualityGates": {
     "feature": {
-      "require": ["tests", "sessionReview", "appMapUpdate"]
+      "require": ["tests", "sessionReview", "registryUpdate"]
     }
   }
 }

package/.claude/docs/knowledge-base/02-task-execution/README.md CHANGED Viewed

@@ -122,7 +122,7 @@ Comprehensive code review before finalizing changes.
   },
   "qualityGates": {
     "feature": {
-      "require": ["tests", "appMapUpdate", "requestLogEntry"]
+      "require": ["tests", "registryUpdate", "requestLogEntry"]
     }
   }
 }

package/.claude/docs/knowledge-base/02-task-execution/trade-offs.md CHANGED Viewed

@@ -141,7 +141,7 @@ Every configuration decision in WogiFlow involves trade-offs. Understanding thes
 {
   "qualityGates": {
     "feature": {
-      "require": ["tests", "lint", "typecheck", "appMapUpdate", "requestLogEntry", "review"]
+      "require": ["tests", "lint", "typecheck", "registryUpdate", "requestLogEntry", "review"]
     }
   }
 }

package/.claude/docs/knowledge-base/configuration/README.md CHANGED Viewed

@@ -127,7 +127,7 @@ cat .workflow/config.json
   },
   "qualityGates": {
     "feature": {
-      "require": ["tests", "appMapUpdate", "requestLogEntry", "review"]
+      "require": ["tests", "registryUpdate", "requestLogEntry", "review"]
     }
   }
 }

package/.claude/docs/knowledge-base/configuration/all-options.md CHANGED Viewed

@@ -410,7 +410,7 @@ Per-task-type quality requirements that must pass before task completion.
   "qualityGates": {
     "preTaskBaseline": { "enabled": false },
     "feature": {
-      "require": ["loopComplete", "tests", "appMapUpdate", "requestLogEntry", "integrationWiring", "standardsCompliance"],
+      "require": ["loopComplete", "tests", "registryUpdate", "requestLogEntry", "integrationWiring", "standardsCompliance"],
       "optional": ["review", "docs", "webmcpVerification"]
     },
     "bugfix": {
@@ -433,7 +433,7 @@ Per-task-type quality requirements that must pass before task completion.
 | `qualityGates.bugfix.require` | string[] | See above | Required gates for bugfix tasks |
 | `qualityGates.refactor.require` | string[] | See above | Required gates for refactor tasks |
-Available gate values: `loopComplete`, `tests`, `appMapUpdate`, `requestLogEntry`, `integrationWiring`, `standardsCompliance`, `learningEnforcement`, `resolutionPopulated`, `noNewFeatures`, `smokeTest`, `review`, `docs`, `webmcpVerification`.
+Available gate values: `loopComplete`, `tests`, `registryUpdate`, `requestLogEntry`, `integrationWiring`, `standardsCompliance`, `learningEnforcement`, `resolutionPopulated`, `noNewFeatures`, `smokeTest`, `review`, `docs`, `webmcpVerification`.
 ---

package/.workflow/templates/claude-md.hbs CHANGED Viewed

@@ -210,12 +210,9 @@ When creating tasks programmatically, always call `generateTaskId(title)` — ne
 ### After Completing:
 1. Update `request-log.md` with tags
-2. Update `app-map.md` if components created/deleted/renamed
-3. Update `function-map.md` if utilities created/deleted/renamed — run `npx flow function-index scan`
-4. Update `api-map.md` if endpoints created/deleted/renamed — run `npx flow api-index scan`
-5. Update other active registry maps if relevant — run `npx flow registry-manager scan`
-6. Run quality gates (lint, typecheck, test)
-7. Provide completion report
+2. Registry maps (app-map, function-map, api-map, schema-map, service-map) are **auto-updated** by the `registryUpdate` quality gate — it runs `flow registry-manager scan` on all active registries
+3. Run quality gates (lint, typecheck, test)
+4. Provide completion report
 ## Auto-Validation (CRITICAL)

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "wogiflow",
-  "version": "1.9.6",
+  "version": "1.9.7",
   "description": "AI-powered development workflow management system with multi-model support",
   "main": "lib/index.js",
   "bin": {

package/scripts/flow-config-defaults.js CHANGED Viewed

@@ -302,7 +302,7 @@ const CONFIG_DEFAULTS = {
   qualityGates: {
     preTaskBaseline: { enabled: false },
     feature: {
-      require: ['loopComplete', 'tests', 'generatedTestsPass', 'uiVerification', 'apiVerification', 'appMapUpdate', 'requestLogEntry', 'integrationWiring', 'standardsCompliance'],
+      require: ['loopComplete', 'tests', 'generatedTestsPass', 'uiVerification', 'apiVerification', 'registryUpdate', 'requestLogEntry', 'integrationWiring', 'standardsCompliance'],
       optional: ['review', 'docs', 'webmcpVerification']
     },
     bugfix: {

package/scripts/flow-done CHANGED Viewed

@@ -76,8 +76,8 @@ for gate in gates:
         except:
             print('  \033[0;33m○\033[0m requestLogEntry (verify manually)')
-    elif gate == 'appMapUpdate':
-        print('  \033[0;33m○\033[0m appMapUpdate (verify manually if components created)')
+    elif gate == 'appMapUpdate' or gate == 'registryUpdate':
+        print('  \033[0;33m○\033[0m registryUpdate (verify manually if components created)')
     else:
         print(f'  \033[0;33m○\033[0m {gate} (manual check)')

package/scripts/flow-done.js CHANGED Viewed

@@ -121,6 +121,20 @@ try {
 // v5.2 verification profiles
 const { loadProfile: loadVerificationProfile } = require('./flow-verification-profile');
+// v1.9.7 registry map update gate — lazy-loaded to avoid startup cost
+// Loaded inside the registryUpdate gate branch only
+let _registryManagerModule = undefined; // undefined = not yet loaded, null = load failed
+function getRegistryManager() {
+  if (_registryManagerModule === undefined) {
+    try {
+      _registryManagerModule = require('./flow-registry-manager');
+    } catch (err) {
+      _registryManagerModule = null;
+    }
+  }
+  return _registryManagerModule;
+}
 // Path for last failure artifact
 const LAST_FAILURE_PATH = path.join(PATHS.state, 'last-failure.json');
@@ -338,8 +352,111 @@ function runQualityGates(taskId, taskType) {
         if (process.env.DEBUG) console.error(`[DEBUG] requestLogEntry check: ${err.message}`);
         console.log(`  ${color('yellow', '○')} requestLogEntry (could not check)`);
       }
-    } else if (gate === 'appMapUpdate') {
-      console.log(`  ${color('yellow', '○')} appMapUpdate (verify manually if components created)`);
+    } else if (gate === 'appMapUpdate' || gate === 'registryUpdate') {
+      // v1.9.7: Programmatic registry scan — replaces manual "verify manually" no-op.
+      // Runs flow-registry-manager scan on all active registries, comparing modified files
+      // against registry entries to detect missing registrations.
+      // v1.9.8: Deprecation warning for old gate name
+      if (gate === 'appMapUpdate') {
+        console.log(`  ${color('yellow', '⚠')} appMapUpdate is deprecated — update config.json qualityGates to use 'registryUpdate'`);
+      }
+      const registryMod = getRegistryManager();
+      if (registryMod) {
+        try {
+          console.log('  Running registry update check...');
+          const modifiedFiles = getModifiedFiles();
+          // Get map file timestamps BEFORE scan (to detect changes)
+          const mapFiles = ['app-map.md', 'function-map.md', 'api-map.md', 'schema-map.md', 'service-map.md'];
+          const beforeHashes = {};
+          for (const mf of mapFiles) {
+            const mapPath = path.join(PATHS.state, mf);
+            try {
+              beforeHashes[mf] = fs.existsSync(mapPath) ? fs.statSync(mapPath).mtimeMs : 0;
+            } catch (err) {
+              beforeHashes[mf] = 0;
+            }
+          }
+          // Detect active plugins to check if scan is needed (lightweight, no async)
+          const { RegistryManager } = registryMod;
+          const manager = new RegistryManager();
+          manager.loadPlugins();
+          manager.detectStack();
+          manager.activatePlugins();
+          // Only scan if there are active plugins
+          if (manager.activePlugins.length > 0) {
+            // scanAll is async but we need sync behavior in quality gates
+            // Use spawnSync to run the scan as a child process
+            // v1.9.8: Added cwd, write JSON to stderr to avoid stdout pollution from require() side-effects
+            const scanResult = spawnSync('node', [
+              '-e',
+              `const {RegistryManager} = require(${JSON.stringify(path.join(__dirname, 'flow-registry-manager'))});
+              const m = new RegistryManager(); m.loadPlugins(); m.detectStack(); m.activatePlugins();
+              m.scanAll().then(r => { process.stderr.write('SCAN_RESULT:' + JSON.stringify(r)); process.exit(0); })
+              .catch(err => { process.stderr.write('SCAN_RESULT:' + JSON.stringify({error: err.message})); process.exit(1); });`
+            ], {
+              encoding: 'utf-8',
+              stdio: ['pipe', 'pipe', 'pipe'],
+              timeout: 30000,
+              cwd: process.cwd()
+            });
+            if (scanResult.status === 0) {
+              // Extract scan result from stderr (after SCAN_RESULT: marker) to avoid stdout pollution
+              const stderrOutput = scanResult.stderr || '';
+              const markerIdx = stderrOutput.indexOf('SCAN_RESULT:');
+              const jsonStr = markerIdx >= 0 ? stderrOutput.slice(markerIdx + 'SCAN_RESULT:'.length) : '{}';
+              const results = safeJsonParseString(jsonStr, {});
+              // Check which map files were updated
+              const updatedMaps = [];
+              for (const mf of mapFiles) {
+                const mapPath = path.join(PATHS.state, mf);
+                try {
+                  const afterMtime = fs.existsSync(mapPath) ? fs.statSync(mapPath).mtimeMs : 0;
+                  if (afterMtime > beforeHashes[mf]) {
+                    updatedMaps.push(mf);
+                  }
+                } catch (err) {
+                  // ignore
+                }
+              }
+              // Check if modified files include patterns that should be in registries
+              const relevantExtensions = ['.js', '.ts', '.jsx', '.tsx', '.vue', '.svelte'];
+              const codeFiles = modifiedFiles.filter(f => relevantExtensions.some(ext => f.endsWith(ext)));
+              const nonTestFiles = codeFiles.filter(f => !f.includes('test') && !f.includes('spec') && !f.includes('__test'));
+              const activeIds = manager.activePlugins.map(p => p.constructor.id);
+              const scanSummary = Object.entries(results)
+                .filter(([id, r]) => r.success && !r.empty)
+                .map(([id]) => id);
+              if (updatedMaps.length > 0) {
+                console.log(`  ${color('green', '✓')} registryUpdate (auto-scanned: ${updatedMaps.join(', ')} updated)`);
+              } else if (scanSummary.length > 0) {
+                console.log(`  ${color('green', '✓')} registryUpdate (scanned ${activeIds.join(', ')} — maps already current)`);
+              } else if (nonTestFiles.length === 0) {
+                console.log(`  ${color('green', '✓')} registryUpdate (no registrable code files modified)`);
+              } else {
+                console.log(`  ${color('green', '✓')} registryUpdate (scanned — no new entries found)`);
+              }
+            } else {
+              console.log(`  ${color('yellow', '⚠')} registryUpdate (scan error — degraded to manual check)`);
+              if (process.env.DEBUG) console.error(`[DEBUG] registry scan stderr: ${scanResult.stderr}`);
+            }
+          } else {
+            console.log(`  ${color('green', '✓')} registryUpdate (no active registry plugins)`);
+          }
+        } catch (err) {
+          // Graceful degradation — don't block task completion on scan errors
+          console.log(`  ${color('yellow', '⚠')} registryUpdate (error: ${truncateOutput(err.message, 3, 200)} — verify manually)`);
+        }
+      } else {
+        console.log(`  ${color('yellow', '⚠')} registryUpdate (registry manager not available — verify manually)`);
+      }
     } else if (gate === 'loopComplete') {
       // v2.1: Explicit loop completion check
       const activeLoop = getActiveLoop();

package/scripts/hooks/entry/claude-code/pre-tool-use.js CHANGED Viewed

@@ -213,8 +213,35 @@ async function main() {
     // v7.0: Subagents exempt — spawned by main agent which already went through routing.
     // v7.1: Defense-in-depth — only bypass when an active task exists.
     // v8.0: Added Agent, WebSearch, WebFetch to close bypass vectors.
+    // v8.1: Whitelist read-only git commands — Claude naturally runs git status/log/diff
+    //        to gather context before routing. These are pure reads with no side effects.
     const skipRoutingGateForSubagent = isSubagent && hasActiveTask();
-    if (!skipRoutingGateForSubagent && (toolName === 'Bash' || toolName === 'EnterPlanMode' || toolName === 'Read' || toolName === 'Glob' || toolName === 'Grep' || toolName === 'Edit' || toolName === 'Write' || toolName === 'NotebookEdit' || toolName === 'Agent' || toolName === 'WebSearch' || toolName === 'WebFetch')) {
+    // Read-only git commands whitelist — allowed before routing.
+    // These are pure read operations that cannot bypass task tracking.
+    // Safety: reject commands with shell chaining operators to prevent abuse.
+    let skipRoutingGateForReadOnlyGit = false;
+    if (toolName === 'Bash' && toolInput.command) {
+      const cmd = toolInput.command.trim();
+      const READ_ONLY_GIT_PREFIXES = [
+        'git status', 'git log', 'git diff', 'git branch',
+        'git show', 'git rev-parse', 'git remote -v', 'git tag -l',
+        'git ls-files', 'git describe'
+      ];
+      // Block shell chaining operators AND control characters that could bypass prefix matching
+      const SHELL_CHAIN_OPERATORS = /[;&|`$()\n\r\\]/;
+      // Block destructive flags that could appear after an otherwise-safe prefix
+      const DESTRUCTIVE_GIT_FLAGS = /\s-[dD]\b|\s--delete\b|\s--force\b|\s--hard\b|\s--prune\b/;
+      if (
+        READ_ONLY_GIT_PREFIXES.some(prefix => cmd.startsWith(prefix)) &&
+        !SHELL_CHAIN_OPERATORS.test(cmd) &&
+        !DESTRUCTIVE_GIT_FLAGS.test(cmd)
+      ) {
+        skipRoutingGateForReadOnlyGit = true;
+      }
+    }
+    if (!skipRoutingGateForSubagent && !skipRoutingGateForReadOnlyGit && (toolName === 'Bash' || toolName === 'EnterPlanMode' || toolName === 'Read' || toolName === 'Glob' || toolName === 'Grep' || toolName === 'Edit' || toolName === 'Write' || toolName === 'NotebookEdit' || toolName === 'Agent' || toolName === 'WebSearch' || toolName === 'WebFetch')) {
       try {
         const routingResult = checkRoutingGate(toolName, config);
         if (routingResult.blocked) {

package/.claude/rules/_internal/README.md DELETED Viewed

@@ -1,64 +0,0 @@
----
-alwaysApply: false
-description: "Meta-documentation about how project rules are organized"
----
-# Project Rules
-This directory contains coding rules and patterns for this project, organized by category.
-## Structure
-```
-.claude/rules/
-├── code-style/           # Naming conventions, formatting
-│   └── naming-conventions.md
-├── security/             # Security patterns and practices
-│   └── security-patterns.md
-├── architecture/         # Design decisions and patterns
-│   ├── component-reuse.md
-│   └── model-management.md
-└── README.md
-```
-## How Rules Work
-Rules are automatically loaded by Claude Code based on:
-- **alwaysApply: true** - Rule is always loaded
-- **alwaysApply: false** - Rule is loaded based on `globs` or `description` relevance
-- **globs** - File patterns that trigger rule loading
-## Adding New Rules
-1. Choose the appropriate category subdirectory
-2. Create a `.md` file with frontmatter:
-```yaml
----
-alwaysApply: false
-description: "Brief description for relevance matching"
-globs: src/**/*.ts  # Optional: only load for these files
----
-```
-3. Write the rule content in markdown
-## Categories
-| Category | Purpose |
-|----------|---------|
-| code-style | Naming conventions, formatting, file structure |
-| security | Security patterns, input validation, safe practices |
-| architecture | Design decisions, component patterns, system organization |
-## Auto-Generation
-Some rules can be auto-generated from `.workflow/state/decisions.md`:
-```bash
-node scripts/flow-rules-sync.js
-```
-The sync script will route rules to appropriate category subdirectories.
----
-Last updated: 2026-01-12

package/.claude/rules/_internal/document-structure.md DELETED Viewed

@@ -1,77 +0,0 @@
----
-alwaysApply: false
-description: "All AI-context documents must use PIN markers for targeted context loading"
-globs: ".workflow/**/*.md"
----
-# Document Structure for AI Context
-All documents in `.workflow/` that are used as AI context MUST follow the PIN standard.
-## Required Structure
-### 1. Header with PIN List
-Every document starts with a comment listing all pins in the document:
-```markdown
-<!-- PINS: pin1, pin2, pin3 -->
-```
-### 2. Section PIN Markers
-Each major section has a PIN marker comment:
-```markdown
-### Section Title
-<!-- PIN: section-specific-pin -->
-[Content]
-```
-### 3. PIN Naming Convention
-- Use kebab-case: `user-authentication`, not `userAuthentication`
-- Use semantic names: `error-handling`, not `eh`
-- Use compound names for specificity: `json-parse-safety`
-## Why PINs Matter
-The PIN system enables:
-1. **Targeted context loading**: Only load sections relevant to current task
-2. **Cheaper model routing**: Haiku can fetch only relevant sections for Opus
-3. **Change detection**: Hash sections independently for smart invalidation
-4. **Cross-reference**: Link sections by PIN across documents
-## Example Document
-```markdown
-# Config Reference
-<!-- PINS: database, authentication, api-keys, environment -->
-## Database Settings
-<!-- PIN: database -->
-| Setting | Default | Description |
-|---------|---------|-------------|
-## Authentication
-<!-- PIN: authentication -->
-| Setting | Default | Description |
-|---------|---------|-------------|
-```
-## Parsing
-The PIN system automatically parses documents with:
-- `flow-section-index.js` - Generates section index with pins
-- `flow-section-resolver.js` - Resolves sections by PIN lookup
-- `getSectionsByPins(['auth', 'security'])` - Fetch only relevant sections
-## Files That Must Have PINs
-| File | Required PINs |
-|------|---------------|
-| `decisions.md` | Per coding rule/pattern |
-| `app-map.md` | Per component/screen |
-| `product.md` | Per product section |
-| `stack.md` | Per technology |
-## Validation
-Run `node scripts/flow-section-index.js --force` to regenerate the index.
-Check `.workflow/state/section-index.json` for indexed sections and their pins.