wogiflow 2.20.0 → 2.21.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wogiflow",
-  "version": "2.20.0",
+  "version": "2.21.0",
   "description": "AI-powered development workflow management system with multi-model support",
   "main": "lib/index.js",
   "bin": {
@@ -10,7 +10,7 @@
   },
   "scripts": {
     "flow": "./scripts/flow",
-    "test": "NODE_ENV=test node --test tests/auto-compact-prompt.test.js tests/flow-paths.test.js tests/flow-io.test.js tests/flow-config-loader.test.js tests/flow-damage-control.test.js tests/flow-output.test.js tests/flow-constants.test.js tests/flow-session-state.test.js tests/flow-hooks-integration.test.js tests/flow-utils.test.js tests/flow-security.test.js tests/flow-memory-db.test.js tests/flow-durable-session.test.js tests/flow-skill-matcher.test.js tests/flow-bridge.test.js tests/flow-proactive-compact.test.js tests/flow-cascade-completion.test.js tests/flow-capture-gate.test.js tests/flow-correction-detector-hybrid.test.js tests/flow-promote.test.js tests/flow-archive-runs.test.js tests/flow-memory.test.js tests/flow-hooks-pre-tool-helpers.test.js tests/flow-hooks-bugfix-scope-gate.test.js tests/flow-hooks-routing-gate.test.js tests/flow-hooks-phase-read-gate.test.js tests/flow-hooks-commit-log-gate.test.js tests/flow-hooks-deploy-gate.test.js tests/flow-hooks-todowrite-gate.test.js tests/flow-hooks-git-safety-gate.test.js tests/flow-hooks-scope-mutation-gate.test.js tests/flow-hooks-strike-gate.test.js tests/flow-hooks-component-check.test.js tests/flow-hooks-scope-gate.test.js tests/flow-hooks-implementation-gate.test.js tests/flow-hooks-research-gate.test.js tests/flow-hooks-loop-check.test.js tests/flow-hooks-manager-boundary-gate.test.js tests/flow-hooks-phase-gate.test.js tests/flow-hooks-pre-tool-orchestrator.test.js tests/flow-hooks-observation-capture.test.js tests/flow-hooks-task-gate.test.js tests/flow-durable-session-suspension.test.js tests/flow-health-mcp-scopes.test.js tests/flow-lean-config.test.js tests/flow-workspace-autopickup.test.js && NODE_ENV=test node tests/run-quality-gates.test.js",
+    "test": "NODE_ENV=test node --test tests/auto-compact-prompt.test.js tests/flow-paths.test.js tests/flow-io.test.js tests/flow-config-loader.test.js tests/flow-damage-control.test.js tests/flow-output.test.js tests/flow-constants.test.js tests/flow-session-state.test.js tests/flow-hooks-integration.test.js tests/flow-utils.test.js tests/flow-security.test.js tests/flow-memory-db.test.js tests/flow-durable-session.test.js tests/flow-skill-matcher.test.js tests/flow-bridge.test.js tests/flow-proactive-compact.test.js tests/flow-cascade-completion.test.js tests/flow-capture-gate.test.js tests/flow-correction-detector-hybrid.test.js tests/flow-promote.test.js tests/flow-archive-runs.test.js tests/flow-memory.test.js tests/flow-hooks-pre-tool-helpers.test.js tests/flow-hooks-bugfix-scope-gate.test.js tests/flow-hooks-routing-gate.test.js tests/flow-hooks-phase-read-gate.test.js tests/flow-hooks-commit-log-gate.test.js tests/flow-hooks-deploy-gate.test.js tests/flow-hooks-todowrite-gate.test.js tests/flow-hooks-git-safety-gate.test.js tests/flow-hooks-scope-mutation-gate.test.js tests/flow-hooks-strike-gate.test.js tests/flow-hooks-component-check.test.js tests/flow-hooks-scope-gate.test.js tests/flow-hooks-implementation-gate.test.js tests/flow-hooks-research-gate.test.js tests/flow-hooks-loop-check.test.js tests/flow-hooks-manager-boundary-gate.test.js tests/flow-hooks-phase-gate.test.js tests/flow-hooks-pre-tool-orchestrator.test.js tests/flow-hooks-observation-capture.test.js tests/flow-hooks-task-gate.test.js tests/flow-durable-session-suspension.test.js tests/flow-health-mcp-scopes.test.js tests/flow-lean-config.test.js tests/flow-workspace-autopickup.test.js tests/flow-worker-boundary-gate.test.js tests/flow-worker-question-classifier.test.js && NODE_ENV=test node tests/run-quality-gates.test.js",
     "test:syntax": "find scripts/ lib/ -name '*.js' -not -path '*/node_modules/*' -exec node --check {} +",
     "lint": "eslint scripts/ lib/ tests/",
     "lint:ci": "eslint scripts/ lib/ tests/ --max-warnings 0",

package/scripts/flow-config-defaults.js

@@ -399,8 +399,14 @@ const CONFIG_DEFAULTS = {
     managerCanSkipGates: false,
     _comment_autoPickupChannelDispatches: 'v2.20.0+: After task completion, if channel-dispatched tasks are queued in ready.json, the task-completed hook injects additionalContext instructing the AI to auto-invoke /wogi-start on the next queued task in the same turn. Prevents "Sauteed worker" silent stalls between queued dispatches. The Stop hook also blocks end-of-turn when queued dispatches exist but no task is in progress — making "awaiting signal" language mechanically impossible as a terminal state.',
     autoPickupChannelDispatches: true,
-    _comment_diagnosticCurlBypass: 'v2.20.0+: When true, PreToolUse routing gate allows narrow curl-to-manager-port when replying to channel messages tagged INTROSPECTION or DIAGNOSTIC, with body starting "## ". Unblocks diagnostic round-trips without forcing fake task creation. Scope: localhost:8800 only.',
-    diagnosticCurlBypass: true
+    _comment_blockAskUserQuestionInWorker: 'v2.20.1+: When true, PreToolUse blocks AskUserQuestion in workspace worker mode. The user only sees the manager terminal, so direct prompts from workers stall silently. Block message instructs channel-dispatch "## QUESTION:" to the manager. Closes the v2.20.0 gap where workers could still prompt the user directly when their queue was empty.',
+    blockAskUserQuestionInWorker: true,
+    _comment_aiWorkerQuestionClassifier: 'v2.21.0+: When true, Stop hook runs a Haiku classifier on the final assistant message in worker mode. If the message ends by asking the user a question (detected semantically, not via regex), the stop is blocked with channel-dispatch instructions. Degrades to no-op when ANTHROPIC_API_KEY is absent. Uses existing flow-model-caller infrastructure.',
+    aiWorkerQuestionClassifier: {
+      enabled: true,
+      minConfidence: 70,
+      model: 'anthropic:claude-3-5-haiku-latest'
+    }
   },
   checkpoint: { enabled: false },
   regressionTesting: { enabled: false },

package/scripts/flow-worker-question-classifier.js

@@ -0,0 +1,256 @@
+'use strict';
+
+/**
+ * Wogi Flow — Worker Question Classifier (v2.21.0+)
+ *
+ * AI-based semantic detector that runs at Stop-hook time in workspace worker
+ * mode and answers ONE question about the AI's final assistant message:
+ *
+ *   "Does this message end by asking the user a question that expects
+ *    a user response?"
+ *
+ * If YES + confidence >= threshold + worker mode → Stop hook blocks the turn
+ * with instructions to channel-dispatch `## QUESTION:` to the manager instead.
+ *
+ * Why AI, not regex: the hedging vocabulary is infinite ("let me know",
+ * "should I", "which option", "?", "thoughts?", "any preference?"). User
+ * explicitly requested AI logic over regex in the 2026-04-16 session.
+ *
+ * Design mirrors flow-conclusion-classifier.js / flow-correction-detector.js:
+ *   - Uses existing flow-model-caller.js infrastructure (same plan tokens
+ *     Claude Code already uses)
+ *   - ANTHROPIC_API_KEY absent → returns `{ classified: false, reason:
+ *     'no-credentials' }` — Stop hook treats as no-op, does NOT block.
+ *     This matches the established fail-open pattern.
+ *   - Transcript parsing is defensive — missing, empty, or malformed
+ *     transcript returns `{ classified: false, reason: <specific> }`.
+ *   - JSON response from Haiku validated for shape + prototype-pollution.
+ *   - Fail-open on model error — if the classifier breaks, legitimate
+ *     stops are not affected. A silent-stall false-negative is recoverable;
+ *     a false-positive block on every turn is not.
+ */
+
+const fs = require('node:fs');
+
+const DEFAULT_MIN_CONFIDENCE = 70;
+const DEFAULT_MODEL = 'anthropic:claude-3-5-haiku-latest';
+const MAX_MESSAGE_CHARS = 8000;     // Classifier input cap
+const MAX_TOKENS = 300;             // Classifier output cap (tiny JSON)
+const TEMPERATURE = 0.0;            // Deterministic classification
+
+// Shared prototype-pollution guard (same as flow-conclusion-classifier).
+const { DANGEROUS_KEYS } = require('./flow-io');
+
+/**
+ * Extract the final assistant message from a Claude Code transcript JSONL file.
+ *
+ * Claude Code writes one JSON object per line. Each object represents an event
+ * (user message, assistant message, tool call, tool result, etc.). We scan
+ * backward for the last event where the content resembles an assistant-authored
+ * text block (has `role: 'assistant'` OR `type: 'assistant'` shape).
+ *
+ * Defensive: any IO / parse error returns null. Caller treats null as no-op.
+ *
+ * @param {string} transcriptPath - Absolute path to the JSONL transcript
+ * @returns {string|null} The text of the last assistant message, or null
+ */
+function extractLastAssistantMessage(transcriptPath) {
+  if (!transcriptPath || typeof transcriptPath !== 'string') return null;
+  let raw;
+  try {
+    raw = fs.readFileSync(transcriptPath, 'utf-8');
+  } catch (_err) {
+    return null;
+  }
+  if (!raw || raw.length === 0) return null;
+
+  // Scan from end for lines we can parse as assistant messages.
+  const lines = raw.split('\n');
+  for (let i = lines.length - 1; i >= 0; i--) {
+    const line = lines[i].trim();
+    if (!line) continue;
+    let entry;
+    try {
+      entry = JSON.parse(line);
+    } catch (_err) {
+      continue;  // Skip unparseable lines — transcript may be mid-write.
+    }
+    const text = extractAssistantText(entry);
+    if (text) return text.slice(0, MAX_MESSAGE_CHARS);
+  }
+  return null;
+}
+
+/**
+ * Pull assistant-authored text out of a single transcript entry. The transcript
+ * format has evolved across Claude Code versions — we accept any of:
+ *   - { role: 'assistant', content: 'string' }
+ *   - { role: 'assistant', content: [{ type: 'text', text: '...' }] }
+ *   - { type: 'assistant', message: { content: [{ type: 'text', text: '...' }] } }
+ *   - { type: 'assistant', text: '...' }
+ */
+function extractAssistantText(entry) {
+  if (!entry || typeof entry !== 'object') return null;
+
+  // Direct role/type check.
+  const isAssistant =
+    entry.role === 'assistant' ||
+    entry.type === 'assistant' ||
+    (entry.message && entry.message.role === 'assistant');
+  if (!isAssistant) return null;
+
+  // Pull the content wherever it lives.
+  const content = entry.content ?? entry.message?.content ?? entry.text;
+  if (typeof content === 'string') return content;
+  if (Array.isArray(content)) {
+    // Collect text blocks only — skip tool_use / tool_result blocks.
+    const texts = content
+      .filter(b => b && typeof b === 'object' && (b.type === 'text' || typeof b.text === 'string'))
+      .map(b => String(b.text || ''))
+      .filter(Boolean);
+    if (texts.length > 0) return texts.join('\n').trim();
+  }
+  return null;
+}
+
+/**
+ * Build the Haiku classifier prompt. Kept as a pure string for testability.
+ *
+ * Designed to minimize false positives:
+ *   - Rhetorical questions ("Did the tests pass? Yes.") → NO
+ *   - Narration with trailing "?" ("the question is how to proceed") → NO
+ *   - Actual open-ended ask ("Should I use A or B?" with no answer given) → YES
+ */
+function buildClassifierPrompt(lastMessage) {
+  return `You classify whether an AI assistant's final message to a WORKSPACE WORKER session ends by asking the USER a question that expects a user response.
+
+Context: in workspace mode, workers are autonomous and MUST NOT prompt the user directly — the user only sees the manager terminal, so direct questions stall silently. Workers that need user input MUST channel-dispatch "## QUESTION:" to the manager instead.
+
+Your job: classify YES only when the worker's final message contains an OPEN question the worker is waiting on the user to answer. Classify NO for rhetorical questions that the worker answers itself, narrative descriptions, or questions that have an accompanying decision.
+
+[MESSAGE_START]
+${String(lastMessage || '').slice(0, MAX_MESSAGE_CHARS)}
+[MESSAGE_END]
+
+Return JSON only, no prose, no markdown fences:
+{"isUserQuestion": true|false, "confidence": 0-100, "reason": "one short sentence"}
+
+Examples:
+- "Should I proceed with A or B? Let me know." → {"isUserQuestion": true, "confidence": 95, "reason": "open choice awaiting user decision"}
+- "Did the tests pass? Yes, all 12 passed." → {"isUserQuestion": false, "confidence": 90, "reason": "rhetorical, answered inline"}
+- "I finished the task. Awaiting your signal." → {"isUserQuestion": true, "confidence": 85, "reason": "hedging terminal state awaiting user"}
+- "Task complete. Next: wf-abc12345 — starting now." → {"isUserQuestion": false, "confidence": 95, "reason": "action statement, no question"}`;
+}
+
+/**
+ * Guard parsed JSON response against prototype pollution. Mirrors
+ * flow-conclusion-classifier.hasDangerousKeys.
+ */
+function hasDangerousKeys(value) {
+  if (!value || typeof value !== 'object') return false;
+  if (Array.isArray(value)) return value.some(hasDangerousKeys);
+  for (const key of Object.keys(value)) {
+    if (DANGEROUS_KEYS.has(key)) return true;
+    if (hasDangerousKeys(value[key])) return true;
+  }
+  return false;
+}
+
+/**
+ * Classify the worker's last assistant message.
+ *
+ * @param {Object} opts
+ * @param {string} opts.transcriptPath - Absolute path to session JSONL transcript
+ * @param {number} [opts.minConfidence] - Confidence threshold (default 70)
+ * @param {string} [opts.model] - Model override (default haiku)
+ * @returns {Promise<{
+ *   classified: boolean,
+ *   isUserQuestion?: boolean,
+ *   confidence?: number,
+ *   reason?: string,
+ *   lastMessage?: string
+ * }>}
+ */
+async function classifyWorkerQuestion(opts = {}) {
+  const minConfidence = Number.isFinite(opts.minConfidence) ? opts.minConfidence : DEFAULT_MIN_CONFIDENCE;
+  const model = opts.model || DEFAULT_MODEL;
+
+  // Fail-open gates — any reason to skip returns { classified: false }.
+  if (!process.env.ANTHROPIC_API_KEY) {
+    return { classified: false, reason: 'no-credentials' };
+  }
+  if (!opts.transcriptPath) {
+    return { classified: false, reason: 'no-transcript-path' };
+  }
+
+  const lastMessage = extractLastAssistantMessage(opts.transcriptPath);
+  if (!lastMessage || lastMessage.length < 10) {
+    return { classified: false, reason: 'no-last-message', lastMessage };
+  }
+
+  let callModel;
+  try {
+    ({ callModel } = require('./flow-model-caller'));
+  } catch (_err) {
+    return { classified: false, reason: 'no-model-caller' };
+  }
+
+  let result;
+  try {
+    result = await callModel(model, buildClassifierPrompt(lastMessage), {
+      temperature: TEMPERATURE,
+      maxTokens: MAX_TOKENS
+    });
+  } catch (err) {
+    if (process.env.DEBUG) {
+      console.error(`[worker-question-classifier] model call failed: ${err.message}`);
+    }
+    return { classified: false, reason: 'model-error' };
+  }
+
+  // flow-model-caller returns { success, response, ... } where `response` is the text.
+  // Earlier classifiers read `.content`; accept both shapes for resilience.
+  const raw = String(result?.response ?? result?.content ?? '').trim();
+  if (!raw) return { classified: false, reason: 'empty-response' };
+
+  const jsonMatch = raw.match(/\{[\s\S]*\}/);
+  if (!jsonMatch) return { classified: false, reason: 'non-json-response' };
+
+  let parsed;
+  try {
+    parsed = JSON.parse(jsonMatch[0]);
+  } catch (_err) {
+    return { classified: false, reason: 'json-parse-error' };
+  }
+
+  if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) {
+    return { classified: false, reason: 'bad-shape' };
+  }
+  if (hasDangerousKeys(parsed)) {
+    return { classified: false, reason: 'dangerous-keys' };
+  }
+
+  const isUserQuestion = Boolean(parsed.isUserQuestion);
+  const confidence = Number.isFinite(parsed.confidence) ? Math.round(parsed.confidence) : 0;
+  const reason = typeof parsed.reason === 'string' ? parsed.reason.slice(0, 240) : '';
+
+  return {
+    classified: true,
+    isUserQuestion,
+    confidence,
+    reason,
+    lastMessage,
+    blocked: isUserQuestion && confidence >= minConfidence,
+    minConfidence
+  };
+}
+
+module.exports = {
+  classifyWorkerQuestion,
+  extractLastAssistantMessage,
+  extractAssistantText,
+  buildClassifierPrompt,
+  hasDangerousKeys,
+  DEFAULT_MIN_CONFIDENCE,
+  DEFAULT_MODEL
+};

package/scripts/hooks/core/pre-tool-orchestrator.js

@@ -177,7 +177,7 @@ function runPreToolGates(ctx, deps) {
   ]);
   if (!skipRoutingGateForSubagent && !skipRoutingGateForReadOnlyGit && GATED_TOOLS.has(toolName)) {
     try {
-      const routingResult = deps.checkRoutingGate(toolName, config, toolInput);
+      const routingResult = deps.checkRoutingGate(toolName, config);
       if (routingResult.blocked) {
         return {
           allowed: false,
@@ -215,6 +215,28 @@ function runPreToolGates(ctx, deps) {
     }
   }
 
+  // Worker boundary (v2.20.1) — parallel to manager boundary.
+  // Blocks tools that prompt the user directly (AskUserQuestion) in worker
+  // mode, since the user only sees the manager terminal. Forces workers to
+  // channel-dispatch ## QUESTION: to the manager instead.
+  if (process.env.WOGI_WORKSPACE_ROOT && process.env.WOGI_REPO_NAME && process.env.WOGI_REPO_NAME !== 'manager') {
+    try {
+      if (typeof deps.checkWorkerBoundary === 'function') {
+        const workerResult = deps.checkWorkerBoundary(toolName, toolInput, config);
+        if (workerResult.blocked) {
+          return {
+            allowed: false,
+            blocked: true,
+            reason: workerResult.reason,
+            message: workerResult.message,
+          };
+        }
+      }
+    } catch (err) {
+      if (process.env.DEBUG) console.error(`[Hook] Worker boundary gate error (fail-open): ${err.message}`);
+    }
+  }
+
   // Commit log gate
   if (toolName === 'Bash' && toolInput.command) {
     try {

package/scripts/hooks/core/routing-gate.js

@@ -285,10 +285,9 @@ function isRoutingPending() {
  *
  * @param {string} toolName - The tool being called (e.g., 'Bash')
  * @param {Object} [config] - Pre-loaded config (optional, falls back to getConfig())
- * @param {Object} [toolInput] - Tool input (optional, used for v2.20.0 diagnostic bypass)
  * @returns {{ allowed: boolean, blocked: boolean, reason: string, message: string|null }}
  */
-function checkRoutingGate(toolName, config, toolInput) {
+function checkRoutingGate(toolName, config) {
   // Gate ALL tools that allow the AI to act without routing through /wogi-start.
   // Edit/Write/NotebookEdit were the critical gap: AI could edit ready.json (exempt
   // from task gate) to create a fake active task, then edit anything freely.
@@ -318,26 +317,6 @@ function checkRoutingGate(toolName, config, toolInput) {
   // This meant any in-progress task from a prior turn bypassed routing entirely.
   // The only way to clear routing-pending is to invoke a /wogi-* skill.
 
-  // Gap D (v2.20.0) — diagnostic curl bypass for workspace workers.
-  // When a manager sends an INTROSPECTION/DIAGNOSTIC channel message, the
-  // worker needs to curl-reply to localhost:8800 with a structured "## " body.
-  // Without this bypass, answering diagnostic questions forces the worker to
-  // create a fake task just to satisfy routing — which is itself an
-  // anti-pattern. Narrow allowlist: Bash + curl + localhost:manager-port +
-  // body starts with "## " + config flag enabled.
-  try {
-    if (toolName === 'Bash' && isDiagnosticCurlBypass(toolInput, config)) {
-      return {
-        allowed: true,
-        blocked: false,
-        reason: 'diagnostic_curl_bypass',
-        message: null
-      };
-    }
-  } catch (_err) {
-    // Fail-closed — if bypass check errors, default to the normal block path.
-  }
-
   // Block: routing is pending and no /wogi-* command has been invoked this turn
   // NOTE: This message is shown to the AI as permissionDecisionReason.
   // It must be prescriptive enough that the AI invokes /wogi-start instead of
@@ -358,66 +337,6 @@ function checkRoutingGate(toolName, config, toolInput) {
   };
 }
 
-/**
- * Gap D — recognize a narrow curl-to-manager bypass for diagnostic replies.
- *
- * Allowed iff ALL hold:
- *   - config.workspace.diagnosticCurlBypass !== false
- *   - Tool is Bash and command contains a single curl to
- *     http(s)://(127\\.0\\.0\\.1|localhost):{managerPort} (default 8800)
- *   - The curl body (`-d`, `--data`, `--data-binary`, `--data-raw`) starts
- *     with "## " (structured channel reply marker)
- *   - Body contains one of the diagnostic markers: "INTROSPECTION",
- *     "DIAGNOSTIC", "## QUESTION:", or "## ANSWER:" (so generic curl-to-8800
- *     doesn't escape routing — only diagnostic/question/answer replies do)
- *
- * This bypass is specifically NARROW by design — we want to unblock diagnostic
- * round-trips without opening a back door. Generic curl to any URL, curl to a
- * different port, or curl with a non-"## " body all still hit the normal block.
- *
- * @param {Object} toolInput - Bash tool input ({ command: string, ... })
- * @param {Object} config - Loaded config
- * @returns {boolean}
- */
-function isDiagnosticCurlBypass(toolInput, config) {
-  if (!toolInput || typeof toolInput !== 'object') return false;
-  if (config?.workspace?.diagnosticCurlBypass === false) return false;
-
-  const command = String(toolInput.command || '');
-  if (!command.includes('curl')) return false;
-
-  // Must target localhost or 127.0.0.1 on the manager port.
-  const managerPort = process.env.WOGI_MANAGER_PORT ||
-                      String(config?.workspace?.managerPort || '8800');
-  // Validate port shape first — prevents regex injection.
-  if (!/^\d{2,5}$/.test(String(managerPort))) return false;
-  const portPattern = new RegExp(
-    `https?://(?:127\\.0\\.0\\.1|localhost):${managerPort}(?:[/\\s"'\\\\]|$)`
-  );
-  if (!portPattern.test(command)) return false;
-
-  // Extract the body argument. Recognized flags: -d, --data, --data-binary,
-  // --data-raw, --data-urlencode. The body can be:
-  //   (a) literal string: -d "## ANSWER: ..."
-  //   (b) @-  (from stdin — we can't inspect)
-  //   (c) @filename
-  const bodyMatch = command.match(
-    /--data(?:-binary|-raw|-urlencode)?\s+(['"])([\s\S]*?)\1|-d\s+(['"])([\s\S]*?)\3/
-  );
-  const literalBody = bodyMatch ? (bodyMatch[2] || bodyMatch[4] || '') : '';
-
-  // Stdin / file bodies (@-) cannot be inspected — we conservatively reject
-  // them for this bypass. The worker should use literal `-d "## ..."` instead.
-  if (/--data(?:-binary|-raw|-urlencode)?\s+@|-d\s+@/.test(command) && !literalBody) {
-    return false;
-  }
-
-  if (!literalBody.startsWith('## ')) return false;
-
-  // Final marker check — body must contain one of the diagnostic markers.
-  const markers = ['INTROSPECTION', 'DIAGNOSTIC', '## QUESTION:', '## ANSWER:'];
-  return markers.some(m => literalBody.includes(m));
-}
 
 /**
  * Increment the stop-attempt counter in the routing flag.
@@ -467,7 +386,6 @@ function incrementStopAttempts(maxAttempts = 10) {
 }
 
 module.exports = {
-  isDiagnosticCurlBypass,
   isRoutingGateEnabled,
   hasActiveTask,
   setRoutingPending,

package/scripts/hooks/core/worker-boundary-gate.js

@@ -0,0 +1,105 @@
+'use strict';
+
+/**
+ * Wogi Flow - Worker Boundary Gate (v2.20.1+)
+ *
+ * Mirror of manager-boundary-gate, but for workspace WORKERS.
+ *
+ * Problem this solves: a worker running in workspace mode cannot prompt the
+ * user directly — the user only sees the manager terminal. When a worker
+ * calls AskUserQuestion, its terminal shows a prompt nobody will ever type
+ * into. The worker stalls silently.
+ *
+ * Contract: in workspace worker mode, questions to the user MUST be
+ * channel-dispatched to the manager via `## QUESTION:`. The manager relays
+ * to the user, gets the answer, and channel-dispatches back.
+ *
+ * This gate blocks the `AskUserQuestion` tool in worker mode with a message
+ * giving the exact curl command to escalate properly.
+ *
+ * Scope:
+ *   - Only fires in workspace worker mode (WOGI_WORKSPACE_ROOT +
+ *     WOGI_REPO_NAME !== 'manager').
+ *   - No-op in single-repo mode (no WOGI_WORKSPACE_ROOT).
+ *   - No-op for the manager (manager SHOULD prompt the user — that is the
+ *     manager's job).
+ *   - Respects `config.workspace.blockAskUserQuestionInWorker` (default true).
+ *
+ * This is the missing piece after v2.20.0: v2.20.0 blocked hedging BETWEEN
+ * queued tasks but not worker-asks-user-directly when the queue is empty.
+ */
+
+/**
+ * Check if a tool call violates worker-role boundaries.
+ *
+ * @param {string} toolName - Tool being called
+ * @param {Object} toolInput - Tool input parameters (unused for AskUserQuestion)
+ * @param {Object} [config] - Loaded config (optional)
+ * @returns {{ blocked: boolean, reason?: string, message?: string }}
+ */
+function checkWorkerBoundary(toolName, toolInput, config) {
+  // Only active in workspace worker mode.
+  if (!isWorkspaceWorker()) {
+    return { blocked: false };
+  }
+
+  // Config toggle — default on.
+  if (config?.workspace?.blockAskUserQuestionInWorker === false) {
+    return { blocked: false };
+  }
+
+  // Block list: tools that prompt the user directly.
+  // `AskUserQuestion` is the primary case — Claude Code's built-in
+  // interactive-question tool. If more user-prompting tools emerge, add them
+  // here (be surgical — only tools that actually expect a user reply).
+  const USER_PROMPT_TOOLS = new Set(['AskUserQuestion']);
+
+  if (!USER_PROMPT_TOOLS.has(toolName)) {
+    return { blocked: false };
+  }
+
+  const repoName = process.env.WOGI_REPO_NAME || 'worker';
+  const managerPort = process.env.WOGI_MANAGER_PORT || '8800';
+
+  return {
+    blocked: true,
+    reason: 'worker-boundary-askuser',
+    message: [
+      `WORKER BOUNDARY: Cannot use ${toolName} in workspace worker mode.`,
+      '',
+      'The user ONLY sees the manager terminal. If you prompt the user here,',
+      'nobody will see it — your session will stall silently.',
+      '',
+      'Channel-dispatch the question to the manager instead:',
+      '',
+      `  curl -s -X POST http://127.0.0.1:${managerPort} \\`,
+      `    -H "X-Wogi-From: ${repoName}" \\`,
+      `    --data-binary "## QUESTION: <your question for the user>"`,
+      '',
+      'The manager will relay to the user, capture the answer, and',
+      'channel-dispatch a follow-up task to you with the resolved context.',
+      '',
+      'If you genuinely do NOT need the user — make a reasonable decision',
+      'and note it in your reply to the manager (autonomous mode contract).'
+    ].join('\n')
+  };
+}
+
+/**
+ * Detect workspace worker mode. Requires both env vars:
+ *   WOGI_WORKSPACE_ROOT — set by the worker spawn path
+ *   WOGI_REPO_NAME     — must NOT be 'manager'
+ *
+ * @returns {boolean}
+ */
+function isWorkspaceWorker() {
+  if (!process.env.WOGI_WORKSPACE_ROOT) return false;
+  const repo = process.env.WOGI_REPO_NAME;
+  if (!repo || repo === 'manager') return false;
+  return true;
+}
+
+module.exports = {
+  checkWorkerBoundary,
+  isWorkspaceWorker
+};

package/scripts/hooks/entry/claude-code/pre-tool-use.js

@@ -48,6 +48,8 @@ let checkGitSafety = _noop;
 try { checkGitSafety = require('../../core/git-safety-gate').checkGitSafety; } catch (_err) { if (process.env.DEBUG) console.error(`[Hook] Git safety gate not loaded: ${_err.message}`); }
 let checkManagerBoundary = _noop;
 try { checkManagerBoundary = require('../../core/manager-boundary-gate').checkManagerBoundary; } catch (_err) { if (process.env.DEBUG) console.error(`[Hook] Manager boundary gate not loaded: ${_err.message}`); }
+let checkWorkerBoundary = _noop;
+try { checkWorkerBoundary = require('../../core/worker-boundary-gate').checkWorkerBoundary; } catch (_err) { if (process.env.DEBUG) console.error(`[Hook] Worker boundary gate not loaded: ${_err.message}`); }
 
 const { claudeCodeAdapter } = require('../../adapters/claude-code');
 const { markSkillPending } = require('../../../flow-durable-session');
@@ -84,7 +86,7 @@ runHook('PreToolUse', async ({ input, parsedInput }) => {
     recordPhaseRead, checkPhaseReadGate, clearPhaseReads,
     checkDeployGate, checkWriteBlock,
     checkStrikeGate, checkBugfixScope, checkScopeMutation,
-    checkGitSafety, checkManagerBoundary,
+    checkGitSafety, checkManagerBoundary, checkWorkerBoundary,
     // Side-effect helpers
     markSkillPending,
     // Config + runtime

package/scripts/hooks/entry/claude-code/stop.js

@@ -242,6 +242,66 @@ runHook('Stop', async ({ parsedInput }) => {
     }
   }
 
+  // G3 (v2.21.0) — AI-based worker-question classifier.
+  //
+  // If the worker ends a turn with a question to the user in free text (no tool
+  // call, just hedging), Gap B above won't fire when the queue is empty.
+  // Regex-based detection was rejected as brittle. Instead: a single Haiku call
+  // classifies the final assistant message. If it IS an open question to the
+  // user → block with escalation instructions.
+  //
+  // Fail-open throughout: missing API key, missing transcript, model errors,
+  // malformed responses all skip cleanly. Silent-stall false-negatives recover;
+  // blocking legitimate stops on classifier bugs does not.
+  try {
+    const isWorker = process.env.WOGI_WORKSPACE_ROOT &&
+                     process.env.WOGI_REPO_NAME &&
+                     process.env.WOGI_REPO_NAME !== 'manager';
+    if (isWorker) {
+      const { getConfig } = require('../../../flow-utils');
+      const config = getConfig();
+      const clf = config.workspace?.aiWorkerQuestionClassifier;
+      const enabled = clf?.enabled !== false;  // default true
+      if (enabled && parsedInput?.transcriptPath) {
+        const { classifyWorkerQuestion } = require('../../../flow-worker-question-classifier');
+        const result = await classifyWorkerQuestion({
+          transcriptPath: parsedInput.transcriptPath,
+          minConfidence: Number.isFinite(clf?.minConfidence) ? clf.minConfidence : 70,
+          model: typeof clf?.model === 'string' ? clf.model : undefined
+        });
+        if (result?.blocked) {
+          const port = process.env.WOGI_MANAGER_PORT || '8800';
+          const repo = process.env.WOGI_REPO_NAME;
+          const msg = [
+            `WORKER→USER QUESTION DETECTED (confidence ${result.confidence}%, threshold ${result.minConfidence}%):`,
+            `  "${String(result.reason || '').slice(0, 200)}"`,
+            '',
+            'In workspace mode, workers CANNOT ask the user directly — the user only sees',
+            'the manager terminal. Your question will stall silently.',
+            '',
+            'Channel-dispatch to the manager instead, THEN end the turn:',
+            '',
+            `  curl -s -X POST http://127.0.0.1:${port} \\`,
+            `    -H "X-Wogi-From: ${repo}" \\`,
+            `    --data-binary "## QUESTION: <your question>"`,
+            '',
+            'The manager will relay to the user, capture the answer, and dispatch a',
+            'follow-up task to you with the resolved context.',
+            '',
+            'If you don\'t actually need the user — make a reasonable autonomous decision',
+            'and note it in your ## Results reply to the manager. Then end the turn.'
+          ].join('\n');
+          return { __raw: true, continue: true, stopReason: msg };
+        }
+      }
+    }
+  } catch (err) {
+    // Fail-OPEN — classifier errors must not block legitimate stops.
+    if (process.env.DEBUG) {
+      console.error(`[Stop] Worker question classifier error (fail-open): ${err.message}`);
+    }
+  }
+
   // Check if loop can exit
   return await checkLoopExit();
 }, { failMode: 'warn', failOutput: { continue: false } });