wogiflow 2.26.2 → 2.29.0

package/scripts/hooks/core/routing-gate.js

@@ -385,6 +385,62 @@ function incrementStopAttempts(maxAttempts = 10) {
   }
 }
 
+/**
+ * Remove the routing-pending flag file WITHOUT writing a cleared-marker.
+ *
+ * Distinct from clearRoutingPending(): that writes a 15s cleared-marker to
+ * suppress re-setting during skill chains. This helper just deletes the flag
+ * so stale pending state (e.g. from a crashed prior turn) can't block tools
+ * on the next check. The cleared-marker path is left untouched — so if a
+ * /wogi-* skill is actively executing, its suppression window is preserved.
+ *
+ * Used by phase transitions: moving between phases should not leave stale
+ * pending flags blocking tools, but must not create a bypass window either.
+ *
+ * @returns {{ removed: boolean }}
+ */
+function removeRoutingFlag() {
+  try {
+    fs.unlinkSync(ROUTING_FLAG_PATH);
+    return { removed: true };
+  } catch (err) {
+    if (err.code === 'ENOENT') return { removed: true };
+    if (process.env.DEBUG) {
+      console.error(`[routing-gate] removeRoutingFlag failed: ${err.message}`);
+    }
+    return { removed: false };
+  }
+}
+
+/**
+ * Reset routing state entirely — delete BOTH the pending flag and the
+ * cleared-marker. Leaves a clean slate so the next UserPromptSubmit re-arms
+ * the gate normally without any inherited bypass window.
+ *
+ * Used by PostCompact: compaction produces fresh context, so any in-flight
+ * skill-chain suppression or stale pending flag from the pre-compact turn
+ * is no longer relevant. Caller is responsible for re-arming via
+ * setRoutingPending() if the post-reset state needs a pending flag.
+ *
+ * @returns {{ reset: boolean }}
+ */
+function resetRoutingState() {
+  let ok = true;
+  for (const p of [ROUTING_FLAG_PATH, ROUTING_CLEARED_PATH]) {
+    try {
+      fs.unlinkSync(p);
+    } catch (err) {
+      if (err.code !== 'ENOENT') {
+        ok = false;
+        if (process.env.DEBUG) {
+          console.error(`[routing-gate] resetRoutingState unlink ${p} failed: ${err.message}`);
+        }
+      }
+    }
+  }
+  return { reset: ok };
+}
+
 module.exports = {
   isRoutingGateEnabled,
   hasActiveTask,
@@ -394,6 +450,8 @@ module.exports = {
   isRoutingRecentlyCleared,
   checkRoutingGate,
   incrementStopAttempts,
+  removeRoutingFlag,
+  resetRoutingState,
   ROUTING_FLAG_PATH,
   ROUTING_CLEARED_PATH
 };

package/scripts/hooks/core/session-context.js

@@ -138,6 +138,12 @@ const KNOWN_STATE_FILES = new Set([
   '.routing-pending',
   '.routing-cleared',
   '.gates-passed.json',
+
+  // Task-boundary restart machinery (wf-39e9dc09, R-336, wf-f267ea2a)
+  'task-just-completed',
+  'task-boundary-last-triggered',
+  'task-boundary-clean-completion.json',
+  'pending-question.json',
 ]);
 
 /** Known directory names within state/ (not files) */
@@ -871,6 +877,108 @@ function formatContextForInjection(context) {
     // Non-critical — history file may not exist; continue with normal context
   }
 
+  // AUTO-PICKUP after clean completion (wf-f267ea2a).
+  // When the prior task completed cleanly AND the ready queue is non-empty AND
+  // no pending-question marker exists, instruct the AI to immediately invoke
+  // /wogi-start <nextReadyId> on the first user message rather than asking
+  // "what's next?". This is the main-mode mirror of workspace.autoPickupChannelDispatches.
+  //
+  // Marker is consumed (deleted) on every SessionStart that observes it,
+  // regardless of whether AUTO-PICKUP fires — so a stale marker can't loop
+  // across unrelated future restarts. Fail-open throughout: any error or
+  // missing config falls back to the default "proceed with next instruction".
+  try {
+    const cleanMarkerPath = path.join(PATHS.state, 'task-boundary-clean-completion.json');
+    if (fs.existsSync(cleanMarkerPath)) {
+      const config = getConfig();
+      const tbr = config.taskBoundaryReset || {};
+      const flagEnabled = tbr.autoPickupNextTask !== false; // default true
+      const pendingQuestionPath = path.join(PATHS.state, 'pending-question.json');
+      const hasPendingQuestion = fs.existsSync(pendingQuestionPath);
+
+      // Read the marker for diagnostic context (which task completed)
+      const markerPayload = safeJsonParse(cleanMarkerPath, null);
+
+      // Find next ready task. Prefer the first non-epic task — epics are
+      // containers whose work lives in their child stories, and auto-picking an
+      // epic produces a restart loop (wogi-start on an epic has no actionable
+      // next step when its children are not yet ready-queue tasks). If the
+      // queue contains only epics, emit no auto-pickup (safer to stop the loop
+      // than to re-enter it).
+      //
+      // Cascade-after-decomposition (Story E / wf-e28b6cd8): when the marker
+      // carries a `nextTaskId` (set by the cascade helper after epic
+      // decomposition), use that explicitly. Verify the ID still exists in
+      // ready.json before honoring it; if missing/stale, fall back to default
+      // first-actionable resolution.
+      let nextTaskId = null;
+      let nextTaskTitle = null;
+      try {
+        const ready = getReadyData();
+        const queue = Array.isArray(ready?.ready) ? ready.ready : [];
+        if (markerPayload && markerPayload.nextTaskId) {
+          const explicit = queue.find(t => t && t.id === markerPayload.nextTaskId);
+          if (explicit) {
+            nextTaskId = explicit.id;
+            nextTaskTitle = explicit.title || null;
+          }
+        }
+        if (!nextTaskId) {
+          const firstActionable = queue.find(t => t && t.type !== 'epic');
+          if (firstActionable) {
+            nextTaskId = firstActionable.id || null;
+            nextTaskTitle = firstActionable.title || null;
+          }
+        }
+      } catch (_err) { /* fall through — no auto-pickup if ready.json unreadable */ }
+
+      const shouldInject = flagEnabled && !hasPendingQuestion && nextTaskId;
+
+      if (shouldInject) {
+        output += `### ⚡ AUTO-PICKUP MODE ACTIVE\n`;
+        output += `Prior task **${markerPayload?.completedTaskId || 'unknown'}** (${markerPayload?.completedTaskTitle || 'no title'}) completed cleanly. The next ready task is **${nextTaskId}** — ${nextTaskTitle || '(no title)'}.\n\n`;
+        output += `**ON THE FIRST USER MESSAGE IN THIS SESSION (regardless of content): immediately invoke \`Skill(skill="wogi-start", args="${nextTaskId}")\`.**\n\n`;
+        output += `Do NOT ask "what's next?". Do NOT summarize prior work. Do NOT propose alternatives. The user has authorized autonomous continuation across this epic. If you have a question that genuinely cannot be resolved by self-challenge, use \`flow ask "<question>"\` so the next restart defers correctly (R-336).\n\n`;
+      }
+
+      // Always consume the marker (single-use), regardless of whether we injected
+      try { fs.unlinkSync(cleanMarkerPath); } catch (_err) { /* best effort */ }
+    }
+  } catch (_err) {
+    // Non-critical — fall through to default context
+  }
+
+  // Autonomous walk-away mode rehydration (wf-d712002e / Story C).
+  // Disk is canonical; cache evaporates at SIGTERM. SessionStart re-hydrates
+  // the cache from disk and surfaces the active-mode reminder so the AI
+  // continues to honor autonomous routing across task-boundary restarts.
+  // Stale-flag detection (older than autonomousMode.stalenessThresholdMs,
+  // default 1h) emits an interruption notice and clears the flag — no
+  // auto-resume; the user must explicitly say "continue" / "resume".
+  try {
+    const sessionState = require('../../flow-session-state');
+    const result = sessionState.rehydrateAutonomousFromDisk();
+    if (result.hydrated && result.mode) {
+      const mode = result.mode;
+      output += `### ⚡ AUTONOMOUS MODE ACTIVE\n`;
+      output += `Walk-away run \`${mode.runId}\` is in progress (trigger: "${mode.trigger}", started ${mode.activatedAt}).\n\n`;
+      output += `**Routing rules** for this run:\n`;
+      output += `- productBehavior / ux questions → \`queue-for-review\` (do NOT ask the user; \`flow-question-queue\` collects them).\n`;
+      output += `- engineering / naming / implementation → decide autonomously.\n`;
+      output += `- low-confidence technical → self-adversarial challenge to ≥90% confidence; if still uncertain after the cap, queue.\n`;
+      output += `- Blocking errors (typecheck/test/conflict) → fix autonomously; only surface if fundamentally un-fixable.\n\n`;
+      output += `**No hedging**. Forbidden phrases (per feedback-patterns.md 2026-04-16): "let me know if", "should I continue", "awaiting your signal", "standing by", "would you like me to". The user is walked away; there is no one to answer until the run ends.\n\n`;
+      output += `**Exit conditions**: ready queue drains, user types "stop"/"pause", or fatal error. On exit: render completion summary (terminal block + JSON payload at \`autonomous-run-summary-${mode.runId}.json\`).\n\n`;
+    } else if (result.reason === 'stale' && result.staleMode) {
+      const stale = result.staleMode;
+      output += `### ⚠️ Autonomous Run Interrupted\n`;
+      output += `A previous autonomous run (\`${stale.runId}\`, started ${stale.activatedAt}) exceeded the staleness threshold and has been cleared.\n\n`;
+      output += `Review \`.workflow/state/autonomous-run-summary-${stale.runId}.json\` (if present) to see what completed before the interruption. The session is now in standard interactive mode. To resume, the user must explicitly say "continue" / "resume autonomous run" — do not auto-restart.\n\n`;
+    }
+  } catch (_err) {
+    // Non-critical — autonomous-mode injection failure must not block session start
+  }
+
   // Workspace worker auto-resume (wf-restart-handoff / 2.22.2).
   // CRITICAL priority — shown at the top so the model acts on it before
   // anything else. Fires when a worker session starts with queued channel

package/scripts/hooks/core/session-end-memory-proposals.js

@@ -0,0 +1,65 @@
+'use strict';
+
+/**
+ * Wogi Flow — Session End: Memory Proposal Surfacing
+ *
+ * Reads pending IGR-artifact edit proposals staged by `flow memory propose`
+ * and returns a structured summary for the session-end adapter to display.
+ *
+ * Agent-proposed edits do NOT auto-apply. The user reviews at session-end
+ * and runs `flow memory approve <id>` / `flow memory reject <id>`.
+ *
+ * Story: wf-4434851f (IGR artifact edit proposals).
+ */
+
+const store = require('../../../lib/memory-proposal-store');
+
+function summarizePendingMemoryProposals() {
+  let pending;
+  try {
+    pending = store.listProposals({ status: 'pending' });
+  } catch (_err) {
+    return null;
+  }
+  if (!pending || pending.length === 0) return null;
+
+  const byOp = { append: 0, 'replace-section': 0, 'replace-all': 0 };
+  const byBlock = {};
+  const previews = [];
+  for (const p of pending) {
+    byOp[p.op] = (byOp[p.op] || 0) + 1;
+    byBlock[p.block] = (byBlock[p.block] || 0) + 1;
+    try {
+      previews.push(store.previewProposal(p));
+    } catch (_err) {
+      // Non-fatal — skip a broken preview but keep the rest.
+    }
+  }
+
+  return {
+    count: pending.length,
+    byOp,
+    byBlock,
+    proposals: pending,
+    previews,
+    message: formatMessage(pending.length, byOp, previews),
+  };
+}
+
+function formatMessage(count, byOp, previews) {
+  const plural = count !== 1 ? 's' : '';
+  const breakdown = Object.entries(byOp)
+    .filter(([, n]) => n > 0)
+    .map(([op, n]) => `${n} ${op}`)
+    .join(', ');
+  return [
+    `${count} pending memory proposal${plural} (${breakdown}):`,
+    ...previews,
+    '',
+    'Review:  flow memory list',
+    'Approve: flow memory approve <id>',
+    'Reject:  flow memory reject  <id> [--reason <text>]',
+  ].join('\n');
+}
+
+module.exports = { summarizePendingMemoryProposals };

package/scripts/hooks/core/session-end-skill-proposals.js

@@ -0,0 +1,58 @@
+'use strict';
+
+/**
+ * Wogi Flow — Session End: Skill Proposal Surfacing
+ *
+ * Reads pending skill proposals staged by `flow skill propose|patch|remove`
+ * and returns a structured summary for the session-end adapter to display.
+ *
+ * Agent-proposed changes do NOT auto-apply. The user reviews at session-end
+ * and runs `flow skill promote <name>` / `flow skill reject <name>`.
+ */
+
+const store = require('../../../lib/skill-proposal-store');
+
+function summarizePendingProposals() {
+  let pending;
+  try {
+    pending = store.listProposals({ status: 'pending' });
+  } catch (_err) {
+    return null;
+  }
+  if (!pending || pending.length === 0) return null;
+
+  const byAction = { propose: 0, patch: 0, remove: 0 };
+  const lines = [];
+  for (const p of pending) {
+    byAction[p.action] = (byAction[p.action] || 0) + 1;
+    const icon = p.action === 'propose' ? '+' : p.action === 'patch' ? '~' : '-';
+    const rationale = p.rationale ? ` — ${p.rationale}` : '';
+    lines.push(`  ${icon} ${p.skillName} (${p.action}, ${p.id})${rationale}`);
+  }
+
+  return {
+    count: pending.length,
+    byAction,
+    proposals: pending,
+    lines,
+    message: formatMessage(pending.length, byAction, lines),
+  };
+}
+
+function formatMessage(count, byAction, lines) {
+  const plural = count !== 1 ? 's' : '';
+  const breakdown = Object.entries(byAction)
+    .filter(([, n]) => n > 0)
+    .map(([a, n]) => `${n} ${a}`)
+    .join(', ');
+  return [
+    `${count} pending skill proposal${plural} (${breakdown}):`,
+    ...lines,
+    '',
+    'Review with: flow skill pending',
+    'Approve:     flow skill promote <name>',
+    'Discard:     flow skill reject <name>',
+  ].join('\n');
+}
+
+module.exports = { summarizePendingProposals };

package/scripts/hooks/core/session-end.js

@@ -68,6 +68,31 @@ function handleSessionEnd(input) {
       result.logged = false;
     }
 
+    // Surface pending skill proposals staged by `flow skill propose|patch|remove`.
+    // These await user approval (`flow skill promote|reject`) at session end.
+    try {
+      const { summarizePendingProposals } = require('./session-end-skill-proposals');
+      const summary = summarizePendingProposals();
+      if (summary) {
+        result.pendingSkillProposals = summary;
+      }
+    } catch (_err) {
+      // Non-critical — never block session end
+    }
+
+    // Surface pending IGR-artifact memory proposals staged by `flow memory
+    // propose`. These await user approval (`flow memory approve|reject`) at
+    // session end. Story: wf-4434851f.
+    try {
+      const { summarizePendingMemoryProposals } = require('./session-end-memory-proposals');
+      const summary = summarizePendingMemoryProposals();
+      if (summary) {
+        result.pendingMemoryProposals = summary;
+      }
+    } catch (_err) {
+      // Non-critical — never block session end
+    }
+
     // Scratch directory cleanup — remove temp files created during session
     try {
       const fs = require('node:fs');

package/scripts/hooks/core/setup-handler.js

@@ -45,7 +45,7 @@ function getSetupConfig() {
  * @returns {Object} Result: { needsSetup, message, action, context }
  */
 function handleSetup(options = {}) {
-  const { trigger = 'init' } = options;
+  const { _trigger = 'init' } = options;
 
   if (!isSetupEnabled()) {
     return {

package/scripts/hooks/core/task-boundary-reset.js

@@ -51,6 +51,7 @@ const { safeJsonParse } = require('../../flow-io');
 
 const PENDING_MARKER_FILE = 'task-just-completed';
 const LAST_TRIGGERED_FILE = 'task-boundary-last-triggered';
+const CLEAN_COMPLETION_MARKER_FILE = 'task-boundary-clean-completion.json';
 // Window during which a recentlyCompleted[0] entry is considered "fresh
 // enough" to retro-mark Phase 1 from the Stop hook. Large enough to cover
 // a slow quality-gate run; small enough that a session opened hours later
@@ -69,6 +70,56 @@ function getLastTriggeredPath() {
   return path.join(PATHS.state, LAST_TRIGGERED_FILE);
 }
 
+function getCleanCompletionMarkerPath() {
+  return path.join(PATHS.state, CLEAN_COMPLETION_MARKER_FILE);
+}
+
+/**
+ * Write the clean-completion marker when Phase 2 successfully restarts after a
+ * cleanly-completed task. The next session's SessionStart hook reads this
+ * marker to decide whether to inject an AUTO-PICKUP block (wf-f267ea2a).
+ *
+ * Best-effort — failure here does NOT abort the restart; auto-pickup just
+ * won't fire for this restart.
+ */
+function writeCleanCompletionMarker(taskId, taskTitle, options = {}) {
+  // Durable write (Story E / wf-e28b6cd8 — Blocker M2 fix).
+  //
+  // Original failure mode: writeFileSync schedules the data; the kernel buffers
+  // it; SIGTERM is dispatched; the process exits before the buffer reaches
+  // disk. The restarted session sees no marker → cascade silently fails.
+  //
+  // Fix: write to a tmp file, fsync the FILE, atomic-rename to final, fsync
+  // the DIRECTORY. The directory fsync is what guarantees the rename itself
+  // is durable across the SIGTERM/relaunch boundary.
+  try {
+    const p = getCleanCompletionMarkerPath();
+    const dir = path.dirname(p);
+    fs.mkdirSync(dir, { recursive: true });
+    const payload = {
+      version: 1,
+      completedTaskId: taskId || null,
+      completedTaskTitle: taskTitle || null,
+      completedAt: new Date().toISOString(),
+      ...(options.nextTaskId ? { nextTaskId: options.nextTaskId } : {})
+    };
+    const data = JSON.stringify(payload);
+    const tmp = `${p}.tmp.${process.pid}.${Math.random().toString(36).slice(2, 8)}`;
+    const fd = fs.openSync(tmp, 'w');
+    try {
+      fs.writeSync(fd, data);
+      fs.fsyncSync(fd);
+    } finally {
+      fs.closeSync(fd);
+    }
+    fs.renameSync(tmp, p);
+    try {
+      const dfd = fs.openSync(dir, 'r');
+      try { fs.fsyncSync(dfd); } finally { fs.closeSync(dfd); }
+    } catch (_err) { /* directory fsync is best-effort */ }
+  } catch (_err) { /* best effort — auto-pickup just won't fire if this fails */ }
+}
+
 function readLastTriggered() {
   try {
     return safeJsonParse(getLastTriggeredPath(), null);
@@ -155,9 +206,13 @@ function checkPreconditions() {
  * Returns a result object for diagnostics; never throws. If something goes
  * wrong, the Stop hook should continue with its normal flow.
  *
- * @returns {{ triggered: boolean, reason?: string, flagPath?: string, parentPid?: number }}
+ * @param {Object} [opts]
+ * @param {string} [opts.transcriptPath] - Claude Code transcript path, used by
+ *   the main-mode question classifier safety net. When absent, the classifier
+ *   step is skipped (fail-open).
+ * @returns {Promise<{ triggered: boolean, reason?: string, flagPath?: string, parentPid?: number }>}
  */
-function consumeAndTriggerRestart() {
+async function consumeAndTriggerRestart(opts = {}) {
   const markerPath = getPendingMarkerPath();
   if (!fs.existsSync(markerPath)) {
     return { triggered: false, reason: 'no-pending-marker' };
@@ -173,6 +228,42 @@ function consumeAndTriggerRestart() {
     }
   } catch (_err) { /* flow-ask may not be present in older installs; degrade open */ }
 
+  // Main-mode question classifier safety net (wf-191d5f6e). Catches the case
+  // where the AI ends a turn with an open user-facing question but forgot to
+  // call `flow ask` first. On a YES classification, auto-write the
+  // pending-question marker and defer the restart. Fail-open throughout —
+  // any error or skip falls through to normal restart logic.
+  try {
+    const isWorker = process.env.WOGI_WORKSPACE_ROOT &&
+                     process.env.WOGI_REPO_NAME &&
+                     process.env.WOGI_REPO_NAME !== 'manager';
+    if (!isWorker) {
+      const config = getConfig();
+      const clf = config.mainModeQuestionClassifier;
+      const enabled = clf?.enabled !== false;  // default true
+      if (enabled && opts.transcriptPath) {
+        const { classifyQuestion } = require('../../flow-worker-question-classifier');
+        const result = await classifyQuestion({
+          mode: 'main',
+          transcriptPath: opts.transcriptPath,
+          minConfidence: Number.isFinite(clf?.minConfidence) ? clf.minConfidence : 70,
+          model: typeof clf?.model === 'string' ? clf.model : undefined
+        });
+        if (result?.blocked) {
+          try {
+            const { markQuestionPending } = require('../../flow-ask');
+            markQuestionPending(`auto-deferred: ${String(result.reason || 'classifier detected open question').slice(0, 500)}`);
+          } catch (_err) { /* best effort — marker write failure falls through to restart */ }
+          return { triggered: false, reason: 'auto-deferred-question-detected' };
+        }
+      }
+    }
+  } catch (err) {
+    if (process.env.DEBUG) {
+      console.error(`[task-boundary-reset] main-mode classifier error (fail-open): ${err.message}`);
+    }
+  }
+
   const pre = checkPreconditions();
   if (!pre.ready) {
     if (process.env.DEBUG) {
@@ -210,6 +301,13 @@ function consumeAndTriggerRestart() {
     return { triggered: false, reason: `flag-write-failed: ${err.message}` };
   }
 
+  // Write the clean-completion marker so the NEXT session's SessionStart
+  // hook can inject the AUTO-PICKUP block (wf-f267ea2a). This is gated on
+  // config.taskBoundaryReset.autoPickupNextTask in session-context.js — the
+  // marker is always written here when Phase 2 fires (cheap, harmless), and
+  // session-context decides whether to act on it.
+  writeCleanCompletionMarker(markerPayload?.taskId, markerPayload?.taskTitle);
+
   // SIGTERM our parent (claude). The wrapper sees the flag on claude's exit
   // and restarts. If SIGTERM turns out to not shut claude down cleanly in
   // real testing, try SIGHUP or SIGINT as fallbacks (see spec wf-39e9dc09).
@@ -329,6 +427,8 @@ module.exports = {
   checkPreconditions,
   hasPendingMarker,
   getPendingMarkerPath,
+  getCleanCompletionMarkerPath,
+  writeCleanCompletionMarker,
 
   // Back-compat: earlier code calls this name. Route it to Phase 1 so existing
   // wiring in task-completed.js still does the right thing (mark the marker,
@@ -352,8 +452,14 @@ if (require.main === module) {
     process.exit(0);
   }
   if (arg === 'consume') {
-    console.log(JSON.stringify(consumeAndTriggerRestart(), null, 2));
-    process.exit(0);
+    consumeAndTriggerRestart().then((r) => {
+      console.log(JSON.stringify(r, null, 2));
+      process.exit(0);
+    }).catch((err) => {
+      console.error(err.message);
+      process.exit(1);
+    });
+    return;
   }
   console.log('Usage: node task-boundary-reset.js <check|has-pending|mark|consume>');
   process.exit(2);

package/scripts/hooks/core/worker-boundary-gate.js

@@ -99,7 +99,78 @@ function isWorkspaceWorker() {
   return true;
 }
 
+/**
+ * Path-discipline gate (Story B / wf-ab59f0e4 — Phase 4.5).
+ *
+ * Single-writer invariant: workers NEVER write into the workspace-manager
+ * tree (`<workspace>/.workspace/**`); the manager NEVER writes into worker
+ * member-repo `.workflow/state/**` paths. Cross-process state coordination
+ * happens exclusively via the channel-dispatch HTTP bus.
+ *
+ * Without this check, a confused worker (or hostile prompt-injection
+ * payload that talked the worker into editing manager state) could corrupt
+ * `dispatched-tasks.json` for ALL workers in the workspace. The check
+ * fails LOUD (block + clear error) so the boundary violation is impossible
+ * to ignore — silent corruption is the worst-case alternative.
+ *
+ * Returns the same `{ blocked, reason?, message? }` shape as
+ * `checkWorkerBoundary` so the caller can compose the two checks.
+ *
+ * @param {string} toolName
+ * @param {Object} toolInput - { file_path } for Edit/Write
+ * @returns {{ blocked: boolean, reason?: string, message?: string }}
+ */
+function checkPathDiscipline(toolName, toolInput) {
+  if (!process.env.WOGI_WORKSPACE_ROOT) return { blocked: false };
+  const writeTools = new Set(['Edit', 'Write', 'NotebookEdit']);
+  if (!writeTools.has(toolName)) return { blocked: false };
+  const filePath = toolInput && (toolInput.file_path || toolInput.notebook_path);
+  if (typeof filePath !== 'string' || !filePath) return { blocked: false };
+
+  const repo = process.env.WOGI_REPO_NAME || '';
+  const root = process.env.WOGI_WORKSPACE_ROOT;
+  const managerStateDir = `${root.replace(/\/+$/, '')}/.workspace/`;
+  const memberStateDirRegex = /\/members?\/[^/]+\/\.workflow\/state\//;
+
+  if (repo && repo !== 'manager') {
+    if (filePath.startsWith(managerStateDir)) {
+      return {
+        blocked: true,
+        reason: 'path-discipline-worker',
+        message: [
+          `PATH DISCIPLINE: workers MUST NOT write to manager-owned files.`,
+          ``,
+          `Blocked: ${filePath}`,
+          ``,
+          `${managerStateDir}** is owned by the manager process.`,
+          `Use the channel-dispatch HTTP bus to communicate with the manager;`,
+          `never edit shared workspace state directly. See Story B (wf-ab59f0e4)`,
+          `Phase 4.5 in .workflow/changes/wf-ab59f0e4.md.`
+        ].join('\n')
+      };
+    }
+  }
+
+  if (repo === 'manager' && memberStateDirRegex.test(filePath)) {
+    return {
+      blocked: true,
+      reason: 'path-discipline-manager',
+      message: [
+        `PATH DISCIPLINE: manager MUST NOT write to worker member-repo state.`,
+        ``,
+        `Blocked: ${filePath}`,
+        ``,
+        `Worker member-repos own their own .workflow/state/. Send a channel`,
+        `dispatch to the worker if state changes are needed there.`
+      ].join('\n')
+    };
+  }
+
+  return { blocked: false };
+}
+
 module.exports = {
   checkWorkerBoundary,
+  checkPathDiscipline,
   isWorkspaceWorker
 };