wogiflow 2.1.2 → 2.2.0

package/scripts/flow-standards-learner.js

@@ -18,8 +18,10 @@ const {
   readFile,
   writeFile,
   getConfig,
-  color
+  color,
+  escapeRegex
 } = require('./flow-utils');
+const { getTodayDate } = require('./flow-output');
 
 // ============================================================================
 // Constants
@@ -101,6 +103,158 @@ const VIOLATION_LEARNING_MAP = {
   }
 };
 
+// ============================================================================
+// Enforcement Gap Detection
+// ============================================================================
+
+/**
+ * Check if a pattern has an existing rule in decisions.md
+ * @param {string} patternId - kebab-case pattern identifier
+ * @param {string} [description] - description to also search for
+ * @returns {{ exists: boolean, ruleText: string|null, section: string|null }}
+ */
+function checkEnforcementGap(patternId, description) {
+  if (!fileExists(DECISIONS_PATH)) {
+    return { exists: false, ruleText: null, section: null };
+  }
+
+  const content = readFile(DECISIONS_PATH, '');
+
+  // Extract description words for fuzzy matching (separate from patternId)
+  const STOPWORDS = new Set(['code', 'file', 'data', 'type', 'that', 'this', 'with', 'from', 'have', 'been', 'each', 'when', 'should', 'must', 'function', 'class', 'module']);
+  const descriptionWords = description
+    ? description.split(/\s+/)
+        .filter(w => w.length >= 4 && !STOPWORDS.has(w.toLowerCase()))
+        .map(w => w.toLowerCase())
+        .slice(0, 5)
+    : [];
+
+  // Find which section contains the match
+  const sections = content.split(/^## /m).slice(1);
+  for (const section of sections) {
+    const sectionTitle = section.split('\n')[0].trim();
+    const sectionLower = section.toLowerCase();
+
+    // Check if pattern ID appears in this section (exact match — most reliable)
+    if (sectionLower.includes(patternId.toLowerCase())) {
+      // Extract the rule block (from ### to next ### or end of section)
+      // escapeRegex prevents ReDoS from patternId with regex metacharacters
+      const escapedId = escapeRegex(patternId).replace(/-/g, '[\\s-]');
+      const ruleMatch = section.match(new RegExp(
+        `### [^\\n]*${escapedId}[^\\n]*\\n([\\s\\S]*?)(?=###|$)`,
+        'i'
+      ));
+      return {
+        exists: true,
+        ruleText: ruleMatch ? ruleMatch[0].trim().slice(0, 2000) : section.trim().slice(0, 2000),
+        section: `## ${sectionTitle}`
+      };
+    }
+
+    // Fuzzy fallback: check description words ONLY (patternId excluded to avoid weak matches)
+    // Proportional threshold: at least 50% of words must match, minimum 3
+    if (descriptionWords.length >= 3) {
+      const matchCount = descriptionWords.filter(word => sectionLower.includes(word)).length;
+      const threshold = Math.max(3, Math.ceil(descriptionWords.length * 0.5));
+      if (matchCount >= threshold) {
+        return {
+          exists: true,
+          ruleText: section.trim().slice(0, 2000),
+          section: `## ${sectionTitle}`
+        };
+      }
+    }
+  }
+
+  return { exists: false, ruleText: null, section: null };
+}
+
+/**
+ * Record a pattern from an audit finding (wraps recordViolationPattern with audit-specific logic).
+ * Creates a synthetic learning object from audit cluster data.
+ *
+ * @param {Object} cluster - Clustered audit pattern
+ * @param {string} cluster.patternId - kebab-case canonical name
+ * @param {string} cluster.category - architecture, code-style, security, etc.
+ * @param {string} cluster.description - one-sentence description
+ * @param {number} cluster.instanceCount - number of files affected
+ * @param {Object[]} [cluster.instances] - array of { file, detail }
+ * @returns {Object} Result with status, count, shouldPromote
+ */
+function recordAuditPattern(cluster) {
+  const safeDesc = sanitizeForMarkdown(cluster.description, 100);
+  // Build a synthetic learning object compatible with recordViolationPattern
+  const learning = {
+    canLearn: true,
+    violationType: cluster.category,
+    category: mapAuditCategoryToLearnerCategory(cluster.category),
+    subcategory: cluster.patternId,
+    patternName: safeDesc,
+    preventionPrompt: `Avoid: ${safeDesc}`,
+    ruleTemplate: buildAuditRuleTemplate(cluster),
+    message: `${cluster.instanceCount} instances found across project (audit source)`,
+    source: 'audit'
+  };
+
+  return recordViolationPattern(learning);
+}
+
+/**
+ * Map audit category names to learner category names
+ */
+function mapAuditCategoryToLearnerCategory(auditCategory) {
+  const map = {
+    'architecture': 'architecture',
+    'code-style': 'code-style',
+    'security': 'security',
+    'performance': 'code-style',
+    'consistency': 'code-style',
+    'dependencies': 'architecture',
+    'tech-debt': 'architecture',
+    'modernization': 'code-style'
+  };
+  return map[auditCategory] || 'code-style';
+}
+
+/**
+ * Sanitize a value for safe interpolation into markdown state files.
+ * Strips heading markers, pipe chars (break tables), and newlines.
+ * Prevents prompt injection via decisions.md or feedback-patterns.md.
+ *
+ * @param {string} value - Raw string
+ * @param {number} [maxLen=200] - Maximum length
+ * @returns {string} Sanitized string
+ */
+function sanitizeForMarkdown(value, maxLen = 200) {
+  return String(value)
+    .replace(/^#+\s/gm, '')    // strip heading markers
+    .replace(/\|/g, '-')       // replace pipes (break table formatting)
+    .replace(/`{3,}/g, '')     // strip code fence markers (prevent breakout)
+    .replace(/[<>]/g, '')      // strip angle brackets (prevent HTML injection)
+    .replace(/[\r\n]+/g, ' ')  // collapse newlines
+    .slice(0, maxLen)
+    .trim();
+}
+
+/**
+ * Build a rule template from an audit cluster
+ */
+function buildAuditRuleTemplate(cluster) {
+  const safeDesc = sanitizeForMarkdown(cluster.description, 200);
+  const files = (cluster.instances || [])
+    .slice(0, 5)
+    .map(i => `\`${sanitizeForMarkdown(i.file, 100)}\``)
+    .join(', ');
+
+  const moreCount = (cluster.instanceCount || 0) - 5;
+  const filesList = moreCount > 0 ? `${files}, and ${moreCount} more` : files;
+
+  return `### ${safeDesc}
+**Source**: Audit pattern promotion (${cluster.instanceCount} instances)
+**Files**: ${filesList || 'Multiple files'}
+**Rule**: ${safeDesc}`;
+}
+
 // ============================================================================
 // Pattern Analysis
 // ============================================================================
@@ -223,7 +377,10 @@ function recordViolationPattern(learning) {
 
   // Check if pattern already exists in table
   const dateStr = getTodayDate();
-  const patternRegex = new RegExp(`\\|\\s*[\\d-]+\\s*\\|\\s*${patternKey.replace(/[-]/g, '[-]?')}\\s*\\|\\s*(\\d+)\\s*\\|`, 'i');
+  // escapeRegex prevents ReDoS from patternKey with regex metacharacters
+  // Hyphens are required (not optional) — patternKey is kebab-case and must match exactly
+  const escapedKey = escapeRegex(patternKey);
+  const patternRegex = new RegExp(`\\|\\s*[\\d-]+\\s*\\|\\s*${escapedKey}\\s*\\|\\s*(\\d+)\\s*\\|`, 'i');
 
   if (patternRegex.test(content)) {
     // Update existing count
@@ -362,8 +519,10 @@ ${learning.ruleTemplate}
   try {
     let patternsContent = readFile(FEEDBACK_PATTERNS_PATH, '');
     const patternKey = `${learning.violationType}-${learning.patternName}`.replace(/\s+/g, '-').toLowerCase();
+    // escapeRegex prevents ReDoS from patternKey with regex metacharacters
+    const escapedPromoteKey = escapeRegex(patternKey);
     patternsContent = patternsContent.replace(
-      new RegExp(`(\\|\\s*[\\d-]+\\s*\\|\\s*${patternKey}\\s*\\|\\s*\\d+\\s*\\|)\\s*-\\s*\\|\\s*Monitor\\s*\\|`, 'i'),
+      new RegExp(`(\\|\\s*[\\d-]+\\s*\\|\\s*${escapedPromoteKey}\\s*\\|\\s*\\d+\\s*\\|)\\s*-\\s*\\|\\s*Monitor\\s*\\|`, 'i'),
       `$1 decisions.md | **PROMOTED** |`
     );
     fs.writeFileSync(FEEDBACK_PATTERNS_PATH, patternsContent, 'utf-8');
@@ -680,8 +839,13 @@ Examples:
 module.exports = {
   analyzeViolationForLearning,
   recordViolationPattern,
+  recordAuditPattern,
   promoteToDecisions,
   syncToRulesDir,
+  checkEnforcementGap,
+  mapAuditCategoryToLearnerCategory,
+  buildAuditRuleTemplate,
+  sanitizeForMarkdown,
   getPreventionPrompts,
   formatPreventionPrompts,
   learnFromViolations,

package/scripts/flow-task-checkpoint.js

@@ -72,6 +72,7 @@ function getDefaultCheckpoint() {
       currentIndex: -1
     },
     changedFiles: [],
+    criteria: [],
     verificationResults: [],
     explorationSummary: null,
     completedPhases: [],
@@ -129,6 +130,7 @@ async function saveCheckpoint(params) {
         specPath: params.specPath || existing.specPath,
         scenarios: params.scenarios || existing.scenarios,
         changedFiles: params.changedFiles || existing.changedFiles,
+        criteria: params.criteria || existing.criteria,
         verificationResults: params.verificationResults || existing.verificationResults,
         explorationSummary: params.explorationSummary || existing.explorationSummary,
         lastUpdated: new Date().toISOString(),

package/scripts/flow-version-check.js

@@ -124,6 +124,7 @@ function checkClaudeCodeVersionOnce() {
     { version: [2, 1, 50], features: 'worktree hooks, agent isolation' },
     { version: [2, 1, 72], features: 'ConfigChange/InstructionsLoaded hooks, effort levels' },
     { version: [2, 1, 76], features: 'PostCompact hook (state recovery after compaction)' },
+    { version: [2, 1, 77], features: 'Elicitation hooks, worktree sparse checkout, 128k output tokens, compaction circuit breaker' },
   ];
 
   const disabledFeatures = SOFT_GATES

package/scripts/hooks/core/commit-log-gate.js

@@ -0,0 +1,146 @@
+#!/usr/bin/env node
+
+/**
+ * Wogi Flow - Commit Log Gate (Core Module)
+ *
+ * Blocks git commit when there's an active task but request-log.md
+ * hasn't been staged. Mechanical enforcement — same pattern as routing gate.
+ *
+ * Whitelist (commit allowed without log entry):
+ * - No active task in ready.json
+ * - Merge commits
+ * - State-only commits (all files under .workflow/ or .claude/)
+ * - Gate disabled via config.enforcement.commitLogGate.enabled: false
+ *
+ * v1.0: Initial implementation — pre-commit blocking gate
+ */
+
+const { execFileSync } = require('node:child_process');
+const { getConfig, getReadyData } = require('../../flow-utils');
+
+/**
+ * Check if a Bash command contains a git commit
+ * @param {string} command - The Bash command string
+ * @returns {boolean}
+ */
+function isGitCommit(command) {
+  if (!command || typeof command !== 'string') return false;
+  // Match git commit at start or after chain operators (&&, ;, ||)
+  return /(?:^|&&\s*|;\s*|\|\|\s*)git\s+commit\b/.test(command.trim());
+}
+
+/**
+ * Check if the command is a merge-related commit (whitelisted)
+ * @param {string} command - The Bash command string
+ * @returns {boolean}
+ */
+function isMergeCommit(command) {
+  // git merge --continue or similar
+  if (/git\s+merge/.test(command)) return true;
+  // Commit message starts with "Merge" (from -m flag)
+  const msgMatch = command.match(/-m\s+["']([^"']*)/);
+  if (msgMatch && /^Merge\b/i.test(msgMatch[1])) return true;
+  return false;
+}
+
+/**
+ * Get list of staged file paths (relative to repo root)
+ * @returns {string[]}
+ */
+function getStagedFiles() {
+  try {
+    const output = execFileSync('git', ['diff', '--cached', '--name-only'], {
+      encoding: 'utf-8',
+      timeout: 3000,
+      stdio: ['pipe', 'pipe', 'pipe']
+    });
+    return output.trim().split('\n').filter(Boolean);
+  } catch (err) {
+    if (process.env.DEBUG) {
+      console.error(`[commit-log-gate] getStagedFiles error: ${err.message}`);
+    }
+    return [];
+  }
+}
+
+/**
+ * Check if a git commit should be blocked due to missing request-log entry.
+ *
+ * @param {string} command - The Bash command being executed
+ * @param {Object} [config] - Pre-loaded config (optional)
+ * @returns {{ allowed: boolean, blocked: boolean, reason?: string, message?: string }}
+ */
+function checkCommitLogGate(command, config) {
+  // Only check git commit commands
+  if (!isGitCommit(command)) {
+    return { allowed: true, blocked: false };
+  }
+
+  // Load config if not provided
+  if (!config) {
+    try { config = getConfig(); } catch (err) { config = {}; }
+  }
+
+  // Check if gate is enabled (default: enabled when enforcement section exists)
+  if (config.enforcement?.commitLogGate?.enabled === false) {
+    return { allowed: true, blocked: false };
+  }
+
+  // Check for active task in ready.json
+  let readyData;
+  try {
+    readyData = getReadyData();
+  } catch (err) {
+    // Can't read ready.json → fail-open (don't block work)
+    return { allowed: true, blocked: false };
+  }
+
+  if (!readyData.inProgress || readyData.inProgress.length === 0) {
+    // No active task → allow (non-task commit)
+    return { allowed: true, blocked: false };
+  }
+
+  // Whitelist merge commits
+  if (isMergeCommit(command)) {
+    return { allowed: true, blocked: false };
+  }
+
+  // Get staged files to check
+  const stagedFiles = getStagedFiles();
+  if (stagedFiles.length === 0) {
+    // No staged files → commit will fail on its own, don't add noise
+    return { allowed: true, blocked: false };
+  }
+
+  // Whitelist state-only commits (e.g., pre-compact, wogi-pre-compact state saves)
+  const allStateOrConfig = stagedFiles.every(f =>
+    f.startsWith('.workflow/') || f.startsWith('.claude/')
+  );
+  if (allStateOrConfig) {
+    return { allowed: true, blocked: false };
+  }
+
+  // Check if request-log.md is in staged changes
+  const hasLogEntry = stagedFiles.some(f => f.endsWith('request-log.md'));
+  if (hasLogEntry) {
+    return { allowed: true, blocked: false };
+  }
+
+  // Block: active task + code changes but no log entry
+  const task = readyData.inProgress[0];
+  const taskId = (typeof task === 'string' ? task : task.id) || 'unknown';
+
+  return {
+    allowed: false,
+    blocked: true,
+    reason: 'commit_without_log_entry',
+    message: [
+      `BLOCKED: Active task ${taskId} but request-log.md is not staged.`,
+      'Add a request-log entry before committing.',
+      'Append a ### R-[N] entry to .workflow/state/request-log.md following the existing format,',
+      'then stage it: git add .workflow/state/request-log.md'
+    ].join(' ')
+  };
+}
+
+module.exports = { checkCommitLogGate, isGitCommit, isMergeCommit };

package/scripts/hooks/core/post-compact.js

@@ -8,13 +8,21 @@
  *
  * Purpose: Restore critical state that may have been lost during compaction.
  * - Re-inject durable session context (current task, completed steps, remaining work)
- * - Re-inject active decisions and routing state
+ * - Re-inject acceptance criteria with completion status
+ * - Re-inject changed files and last request-log entry
  * - Ensure routing-pending flag is set (compaction = new context, needs re-routing)
  *
  * This hook is non-blocking (fail-open). Compaction should never be prevented
  * by a state restoration failure.
+ *
+ * v2.0: Hoisted shared requires, added criteria/files/log restoration,
+ *       fixed criteria done status to read from scenarios.completed[]
  */
 
+const path = require('node:path');
+const fs = require('node:fs');
+const { PATHS, safeJsonParse, getReadyData } = require('../../flow-utils');
+
 /**
  * Sanitize a string value before injecting into AI context.
  * Strips markdown heading markers and truncates to prevent prompt manipulation.
@@ -65,7 +73,6 @@ function handlePostCompact() {
 
   // 2. Check for active task in ready.json (fallback if no durable session)
   try {
-    const { getReadyData } = require('../../flow-utils');
     const readyData = getReadyData();
     if (Array.isArray(readyData.inProgress) && readyData.inProgress.length > 0) {
       const task = readyData.inProgress[0];
@@ -82,6 +89,77 @@ function handlePostCompact() {
     }
   }
 
+  // 2b. Load acceptance criteria and changed files from task checkpoint
+  try {
+    const checkpointPath = path.join(PATHS.state, 'task-checkpoint.json');
+    const checkpoint = safeJsonParse(checkpointPath, null);
+    if (checkpoint && checkpoint.taskId) {
+      // Inject acceptance criteria with completion status
+      // Derive done status from scenarios.completed[] (the authoritative source)
+      // rather than criteria[].done (which is never updated after initialization)
+      const completedIndices = new Set(
+        (checkpoint.scenarios?.completed || []).map(s => s.index)
+      );
+
+      if (Array.isArray(checkpoint.criteria) && checkpoint.criteria.length > 0) {
+        const criteriaLines = checkpoint.criteria.slice(0, 15).map((c, i) => {
+          const isDone = completedIndices.has(i);
+          const status = isDone ? '✓' : '○';
+          return `  ${status} ${sanitize(c.text || c.description || c.id, 120)}`;
+        });
+        const done = checkpoint.criteria.filter((_, i) => completedIndices.has(i)).length;
+        contextParts.push(`**Acceptance Criteria** (${done}/${checkpoint.criteria.length} done):\n${criteriaLines.join('\n')}`);
+      }
+
+      // Inject changed files list
+      if (Array.isArray(checkpoint.changedFiles) && checkpoint.changedFiles.length > 0) {
+        const files = checkpoint.changedFiles.slice(0, 20).map(f => `  - ${sanitize(f, 100)}`);
+        contextParts.push(`**Changed files this session** (${checkpoint.changedFiles.length}):\n${files.join('\n')}`);
+      }
+    }
+
+    // Fallback: get changed files from git if checkpoint doesn't have them
+    if (!checkpoint || !checkpoint.changedFiles || checkpoint.changedFiles.length === 0) {
+      try {
+        const { execFileSync } = require('node:child_process');
+        const gitFiles = execFileSync('git', ['diff', '--name-only', 'HEAD'], {
+          encoding: 'utf-8', timeout: 3000, stdio: ['pipe', 'pipe', 'pipe']
+        }).trim();
+        if (gitFiles) {
+          const files = gitFiles.split('\n').filter(Boolean).slice(0, 20);
+          contextParts.push(`**Uncommitted changes** (${files.length} files):\n${files.map(f => `  - ${f}`).join('\n')}`);
+        }
+      } catch (_err) {
+        // git not available or no changes — skip silently
+      }
+    }
+  } catch (err) {
+    if (process.env.DEBUG) {
+      console.error(`[post-compact] Criteria/files restore failed: ${err.message}`);
+    }
+  }
+
+  // 2c. Load last request-log entry number
+  try {
+    const logPath = path.join(PATHS.state, 'request-log.md');
+    if (fs.existsSync(logPath)) {
+      const content = fs.readFileSync(logPath, 'utf-8');
+      // Find the last R-NNN entry
+      const matches = content.match(/^### R-(\d+)/gm);
+      if (matches && matches.length > 0) {
+        const lastEntry = matches[0]; // First match = most recent (file is reverse-chronological)
+        const num = lastEntry.match(/R-(\d+)/)?.[1];
+        if (num) {
+          contextParts.push(`**Last request-log entry**: R-${num} (next entry should be R-${parseInt(num, 10) + 1})`);
+        }
+      }
+    }
+  } catch (err) {
+    if (process.env.DEBUG) {
+      console.error(`[post-compact] Request-log read failed: ${err.message}`);
+    }
+  }
+
   // 3. Re-set routing-pending flag
   // After compaction, the AI has fresh context and may try to act without routing.
   // Setting routing-pending ensures the next tool use goes through routing checks.
@@ -99,8 +177,6 @@ function handlePostCompact() {
 
   // 4. Load current workflow phase
   try {
-    const { PATHS, safeJsonParse } = require('../../flow-utils');
-    const path = require('node:path');
     const phasePath = path.join(PATHS.state, 'workflow-phase.json');
     const phaseData = safeJsonParse(phasePath, {});
     if (phaseData.phase && phaseData.phase !== 'idle') {
@@ -112,6 +188,35 @@ function handlePostCompact() {
     }
   }
 
+  // 5. Check for auto-compaction circuit breaker state (Claude Code 2.1.76+)
+  // Claude Code stops auto-compaction after 3 consecutive failures.
+  // If we detect repeated compactions in quick succession, warn about potential issues.
+  try {
+    const compactStatePath = path.join(PATHS.state, '.compact-tracker.json');
+    const tracker = safeJsonParse(compactStatePath, { count: 0, lastAt: null });
+    const now = Date.now();
+    const lastAt = tracker.lastAt ? new Date(tracker.lastAt).getTime() : 0;
+    const timeSinceLast = now - lastAt;
+
+    // If compaction happened less than 2 minutes ago, increment counter
+    if (timeSinceLast < 2 * 60 * 1000 && lastAt > 0) {
+      tracker.count = (tracker.count || 0) + 1;
+    } else {
+      tracker.count = 1;
+    }
+    tracker.lastAt = new Date().toISOString();
+
+    fs.writeFileSync(compactStatePath, JSON.stringify(tracker, null, 2));
+
+    if (tracker.count >= 3) {
+      contextParts.push('**WARNING**: Multiple compactions detected in quick succession. Claude Code 2.1.76+ stops auto-compaction after 3 consecutive failures. If context keeps growing, consider starting a new session.');
+    }
+  } catch (err) {
+    if (process.env.DEBUG) {
+      console.error(`[post-compact] Compact tracker failed: ${err.message}`);
+    }
+  }
+
   // Build the result
   if (contextParts.length === 0) {
     return {

package/scripts/hooks/core/task-completed.js

@@ -93,6 +93,12 @@ async function handleTaskCompleted(input) {
       completedTask.status = 'completed';
       completedTask.completedAt = new Date().toISOString();
 
+      // Strip progress prefix from title (e.g., "[3/5] Title" → "Title")
+      // Done inside the lock to avoid race conditions with progress tracker
+      if (completedTask.title) {
+        completedTask.title = completedTask.title.replace(/^\[\d+\/\d+\]\s*/, '');
+      }
+
       // Remove from inProgress
       ready.inProgress = ready.inProgress.filter(t =>
         (typeof t === 'string' ? t : t.id) !== completedTask.id
@@ -140,6 +146,19 @@ async function handleTaskCompleted(input) {
       }
     }
 
+    // Clear progress tracker state on task completion
+    if (result.completed) {
+      try {
+        const { clearProgress } = require('../../flow-progress-tracker');
+        clearProgress();
+      } catch (err) {
+        // Non-fatal — progress tracker may not exist in older installs
+        if (process.env.DEBUG) {
+          console.error(`[Task Completed] Progress clear failed: ${err.message}`);
+        }
+      }
+    }
+
     // Update durable history if it exists (under lock to prevent concurrent corruption)
     if (result.completed) {
       try {

package/scripts/hooks/entry/claude-code/post-tool-use.js

@@ -113,6 +113,26 @@ async function main() {
               if (process.env.DEBUG) console.error(`[post-tool-use] setCurrentTask: ${err.message}`);
             }
 
+            // v7.0: Initialize task checkpoint with criteria for PostCompact recovery
+            try {
+              const { saveCheckpoint } = require('../../../flow-task-checkpoint');
+              const criteriaList = (task.acceptanceCriteria || task.scenarios || [])
+                .map((c, i) => ({
+                  id: `ac-${i + 1}`,
+                  text: typeof c === 'string' ? c : (c.description || c.title || `Criterion ${i + 1}`),
+                  done: false
+                }));
+              await saveCheckpoint({
+                taskId,
+                taskTitle,
+                currentPhase: 'coding',
+                criteria: criteriaList,
+                changedFiles: []
+              });
+            } catch (err) {
+              if (process.env.DEBUG) console.error(`[post-tool-use] Checkpoint init: ${err.message}`);
+            }
+
             if (process.env.DEBUG) {
               console.error(`[post-tool-use] Initialized durable session for ${taskId} (prompt-path bridge)`);
             }
@@ -126,6 +146,31 @@ async function main() {
       }
     }
 
+    // Auto registry scan after successful git commit (fire-and-forget)
+    // v7.0: Mechanical enforcement — AI no longer needs to remember to run registry scan.
+    // Runs after every commit, regardless of task level (L3 included).
+    if (toolName === 'Bash' && toolInput.command && !toolFailed) {
+      const { isGitCommit } = require('../../core/commit-log-gate');
+      if (isGitCommit(toolInput.command)) {
+        try {
+          const { RegistryManager } = require('../../../flow-registry-manager');
+          const manager = new RegistryManager();
+          manager.loadPlugins();
+          manager.activatePlugins();
+          manager.scanAll().catch((err) => {
+            if (process.env.DEBUG) {
+              console.error(`[post-tool-use] Auto registry scan failed: ${err.message}`);
+            }
+          });
+        } catch (err) {
+          // Non-blocking — registry manager may not be available
+          if (process.env.DEBUG) {
+            console.error(`[post-tool-use] Registry manager load error: ${err.message}`);
+          }
+        }
+      }
+    }
+
     // Only run validation for Edit/Write
     if (toolName !== 'Edit' && toolName !== 'Write') {
       console.log(JSON.stringify({ continue: true }));
@@ -140,6 +185,21 @@ async function main() {
       return;
     }
 
+    // v7.0: Track changed files in task checkpoint (continuous state persistence)
+    // This ensures the PostCompact hook can restore the changed files list
+    // after auto-compaction, making /wogi-pre-compact redundant for file tracking.
+    if (filePath && !filePath.includes('.workflow/') && !filePath.includes('.claude/')) {
+      try {
+        const { trackChangedFile } = require('../../../flow-task-checkpoint');
+        trackChangedFile(filePath);
+      } catch (err) {
+        // Non-blocking — checkpoint may not exist yet (no active task)
+        if (process.env.DEBUG) {
+          console.error(`[post-tool-use] File tracking: ${err.message}`);
+        }
+      }
+    }
+
     // Run validation
     const coreResult = await runValidation({
       filePath,

package/scripts/hooks/entry/claude-code/pre-tool-use.js

@@ -17,6 +17,7 @@ const { checkComponentReuse } = require('../../core/component-check');
 const { checkTodoWriteGate } = require('../../core/todowrite-gate');
 const { checkRoutingGate, clearRoutingPending, hasActiveTask } = require('../../core/routing-gate');
 const { checkPhaseGate } = require('../../core/phase-gate');
+const { checkCommitLogGate } = require('../../core/commit-log-gate');
 const { claudeCodeAdapter } = require('../../adapters/claude-code');
 const { markSkillPending } = require('../../../flow-durable-session');
 const { getConfig } = require('../../../flow-utils');
@@ -242,6 +243,32 @@ async function main() {
       }
     }
 
+    // Commit log gate check (for Bash git commit commands)
+    // v9.0: Block git commit when active task has no request-log entry staged.
+    // Same mechanical enforcement pattern as routing gate.
+    if (toolName === 'Bash' && toolInput.command) {
+      try {
+        const commitLogResult = checkCommitLogGate(toolInput.command, config);
+        if (commitLogResult.blocked) {
+          coreResult = {
+            allowed: false,
+            blocked: true,
+            reason: `Commit log gate: ${commitLogResult.reason}`,
+            message: commitLogResult.message
+          };
+          const output = claudeCodeAdapter.transformResult('PreToolUse', coreResult);
+          console.log(JSON.stringify(output));
+          process.exit(0);
+          return;
+        }
+      } catch (err) {
+        // Fail-open for commit log gate — don't block work if gate has issues
+        if (process.env.DEBUG) {
+          console.error(`[Hook] Commit log gate error (fail-open): ${err.message}`);
+        }
+      }
+    }
+
     // Strict adherence check (for Bash commands)
     // v5.0: Block AI from using wrong package manager or port
     if (toolName === 'Bash') {