wogiflow 2.29.1 → 2.29.3

package/.claude/docs/intent-grounded-reasoning.md

@@ -18,7 +18,7 @@ Research finding: across 1,309 user messages mined, first-pass agent output was
 | 1 | **Intent Bootstrap** — scaffolds product/domain/glossary/user-journeys artifacts; agnostic trap-zone detector finds structural ambiguities | `scripts/flow-intent-bootstrap.js` + `scripts/flow-trap-zone.js` |
 | 2 | **Intent Framing Pass** — per-task reasoning step; produces a Framing Artifact resolving ambiguities before any other work | `scripts/flow-intent-framing.js` |
 | 3 | **Architect Pass** — read-only sub-agent produces an 8-section pre-spec plan | `scripts/flow-architect-pass.js` + persona `.workflow/agents/architect.md` |
-| 4 | **Logic Adversary** — separate sub-agent on a different model critiques the plan against the 11-principle Logic Constitution (v2 adds Principle 11 — Platform Capability Grounding) | `scripts/flow-logic-adversary.js` + rubric `.workflow/rubrics/logic-constitution-v2.md` |
+| 4 | **Logic Adversary** — separate sub-agent on a different model critiques the plan against the 11-principle Logic Constitution (v3 default: P11 + sub-principles 11.1–11.6 covering observed-behavior, project rules, sibling features, generative edge-case taxonomy, stacked-story integration, and temporal source coverage) | `scripts/flow-logic-adversary.js` + rubric `.workflow/rubrics/logic-constitution-v3.md` |
 | 5 | **Session Correction Memory** — detects user corrections during a session and cross-references back to gates that passed the contradicted work | extensions in `scripts/flow-correction-detector.js` |
 | 6 | **Completion Truth Gate** — audits "done" claims against Tier 0–4 evidence; downgrades language when evidence is insufficient | `scripts/flow-completion-truth-gate.js` |
 | 7 | **Pipeline wiring + rollout** — integrates all above into `/wogi-start`, the gate registry, the eval framework | (this story) |

package/.workflow/templates/partials/methodology-rules.hbs

@@ -135,6 +135,66 @@ If artifacts don't exist yet, run `node scripts/flow-intent-bootstrap.js bootstr
 
 ---
 
+### Source Fidelity Rule (Verbatim Source Preservation)
+
+When a long-form user request becomes a spec, channel-dispatch message, or any artifact that downstream actors will execute, the **verbatim source MUST be preserved alongside the structured derivation**.
+
+The lossy step in cross-session/cross-worker compression is almost always at the spec-authoring layer (manager summarizing user input into a "contract"). Downstream actors then build the summary's interpretation, missing items the user explicitly named. Adversary checks won't catch this because the adversary sees only the spec, not the original prompt.
+
+**Mandatory structure for any spec or dispatch derived from a long user prompt** (>40 lines OR ≥5 discrete items):
+
+1. **`## Original Request (verbatim)` block** — the user's prompt unmodified. Required at the top of the spec body.
+
+2. **`## Item Manifest` block** — enumerated list reconciling every source item to either:
+   - A specific AC in the spec, OR
+   - An explicit `defer-with-reason: <user-cited reason>` entry. The deferral is the user's call, not the AI's. AI-judged "low priority" is NOT a valid reason.
+
+3. **Channel-dispatch links the spec, not summarizes it.** Manager-to-worker channel messages that create work MUST include either the verbatim source OR a path to a saved spec file containing the verbatim source. Bare "summary contracts" sent without source link are forbidden.
+
+**Why this rule exists:** the 2026-04-27 wogi-hub Customers > Services incident — user provided a ~50-line spec for a UI page; manager compressed into a 5-bullet "owner-locked decisions" channel-dispatch message; downstream FE worker built the bullet contract literally; result was 5 of 12 user-named features built. The build looked locally correct but didn't match the user's actual ask. Three existing safeguards all failed to catch it: long-input gate (output rolled up, not preserved as canonical), feature dossier (didn't exist for this feature — chicken-and-egg), anti-deferral rule (text only, no mechanical enforcement at spec-write time).
+
+**Anti-rationalization checklist** — if any of these thoughts cross your mind, you are about to violate the rule:
+- *"I've captured the key decisions in N bullets"* → WRONG. Items the user named are not yours to filter.
+- *"The downstream worker doesn't need the full prompt; the spec is enough"* → WRONG. The spec is YOUR interpretation. The worker should be able to verify against source.
+- *"The user's prompt was rambling; my summary is cleaner"* → WRONG. Cleanliness is not authority to filter user-named items.
+- *"This is just an internal manager message; the user won't see it"* → WRONG. That's exactly when the lossy step happens; verbatim preservation is more important here, not less.
+- *"The long-input gate already extracted the items"* → WRONG IF you don't pin its output as canonical and reconcile every spec against it.
+
+**Enforcement:** Logic Constitution v3 sub-principle 11.6 (Temporal Source Coverage). Adversary verifies every spec against its `Original Request (verbatim)` block before approval. Specs missing the block when source qualifies for it → BLOCKED at spec_review approval. Verifier CLI: `node scripts/flow-source-fidelity.js check <spec-file>`. Worker-side fallback: `scripts/hooks/core/long-input-enforcement.js` injects forcing instruction at UserPromptSubmit when channel-dispatch arrives long-form without source-link.
+
+---
+
+### Cross-Story Integration Tier-3 Rule
+
+When Story B layers behavior on top of infrastructure shipped by Story A (or any prior commit), Story B's IGR pass MUST treat that infrastructure as an audited dependency, not as a given. Within-module unit tests that pin Story B's local behavior do NOT verify that Story A's contract holds for Story B's usage.
+
+**Mandatory for every layering story:**
+
+1. **Architect output names upstream dependencies.** A "Dependencies" section lists prior stories/commits + the specific contract relied on (interface signature, file format, transport, invariant). "I'm reusing Story A's X" is not enough; quote the contract.
+
+2. **Adversary challenges the dependency.** "What if Story A's invariant doesn't hold? What's the failure mode? What evidence proves Story A's contract is intact for THIS usage?" The adversary's job is finding the assumption Story B silently inherits.
+
+3. **At least one Tier-3 integration test exercises the chain end-to-end.** Not a unit test of Story B in isolation — a test that simulates a real run through both stories' code paths. If Story A's output flows into Story B's input, the test feeds a real Story-A output through Story B and asserts the output. Mark the test `// regression-tier3` so future readers know its purpose.
+
+4. **Pre-release gate verifies stacked coverage.** Before tagging a release, identify any commits that layer on prior commits in the same release. For each, confirm a Tier-3 integration test exists. Missing Tier-3 + stacked stories → block release.
+
+**Why:** unit tests within a story boundary catch the story's own bugs but miss every regression where the story's correct behavior depends on a broken upstream. The 2026-04-26 incident (audit-channel-transport-001) was caused by exactly this gap: Story A stripped MCP servers including the workspace-channel transport itself; Story B layered task-completion routing on top; both stories' tests passed; manager dispatch silently failed in production. Self-IGR caught Story B's local correctness but missed that the upstream contract was broken.
+
+**Anti-rationalization:**
+- *"The upstream story has its own tests"* → WRONG. Their tests pin THEIR contract. Your Tier-3 test pins YOUR usage of their contract.
+- *"It's expensive to set up an integration test"* → WRONG. The 2026-04-26 incident cost a v2.29.1 hot-fix release. Set up time amortizes; regression cost compounds.
+- *"Self-IGR is enough; we don't need the actual adversary subagent"* → WRONG. Self-IGR pattern-matches on the same model that wrote the plan; the cross-story dependency is exactly the blind spot a different-model adversary catches.
+
+**How to apply** (concrete checks for any layering story):
+- `git log --oneline <prior-N-commits>` — which earlier work does this story sit on?
+- For each, write the contract you're relying on: "Story A delivers X via Y."
+- `grep -r "<Story A's interface>"` — is the contract still intact in HEAD?
+- Write the Tier-3 test BEFORE writing Story B's code. If the test cannot be written without first standing up infrastructure that makes the integration verifiable, that's a signal the architecture needs that infrastructure too.
+
+Enforced by: Logic Constitution v3 sub-principle 11.5 (Stacked-story integration verification). Pre-release gate consumes this signal before tagging.
+
+---
+
 ### Autonomous Walk-Away Mode
 
 The user can dump N items, say "go until you finish" / "autonomous mode" / "run this autonomously" / "don't bother me, just do it" (or similar phrases — see `flow-autonomous-detector.js`), and walk away. While the run is active:

package/lib/commands/team-connection.js

@@ -11,6 +11,7 @@ const fs = require('node:fs');
 const path = require('node:path');
 const http = require('node:http');
 const https = require('node:https');
+const { safeJsonParseStringStrip } = require('../../scripts/flow-io');
 
 const CONNECTION_FILE = '.workflow/team-connection.json';
 const REQUEST_TIMEOUT_MS = 15000;
@@ -18,36 +19,12 @@ const MAX_RESPONSE_BYTES = 1 * 1024 * 1024; // 1 MB cap on response body
 
 /**
  * Safely parse JSON with prototype pollution protection.
- * Checks for dangerous keys in parsed objects (including nested).
+ * Delegates to flow-io's canonical safeJsonParseStringStrip (audit dup-004
+ * consolidation 2026-04-26). Behavior preserved verbatim — both impls
+ * recursively strip __proto__/constructor/prototype keys.
  */
 function safeParseJson(str, fallback) {
-  try {
-    const obj = JSON.parse(str);
-    if (obj && typeof obj === 'object') {
-      stripDangerousKeys(obj);
-    }
-    return obj;
-  } catch (_err) {
-    return fallback;
-  }
-}
-
-/**
- * Recursively strip __proto__, constructor, prototype keys from an object.
- */
-function stripDangerousKeys(obj) {
-  if (!obj || typeof obj !== 'object') return;
-  const dangerous = ['__proto__', 'constructor', 'prototype'];
-  for (const key of dangerous) {
-    if (Object.hasOwn(obj, key)) {
-      delete obj[key];
-    }
-  }
-  for (const key of Object.keys(obj)) {
-    if (obj[key] && typeof obj[key] === 'object') {
-      stripDangerousKeys(obj[key]);
-    }
-  }
+  return safeJsonParseStringStrip(str, fallback);
 }
 
 /**

package/lib/mode-schema.js

@@ -2,6 +2,7 @@
 
 const fs = require('node:fs');
 const path = require('node:path');
+const { DANGEROUS_KEYS } = require('../scripts/flow-io');
 
 const MODES_DIR = path.join(process.cwd(), '.workflow', 'modes');
 
@@ -17,7 +18,7 @@ const REQUIRED_FIELDS = ['name', 'roleDefinition', 'whenToUse'];
 const OPTIONAL_FIELDS = ['customInstructions', 'allowedToolGroups'];
 const ALL_FIELDS = new Set([...REQUIRED_FIELDS, ...OPTIONAL_FIELDS]);
 
-const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
+// DANGEROUS_KEYS imported from scripts/flow-io canonical (audit dup-002 / wf-9fc4970b).
 
 function parseModeYaml(content, sourceLabel = '<inline>') {
   const result = Object.create(null);

package/lib/utils.js

@@ -74,32 +74,18 @@ function findProjectRoot() {
  * @returns {Object} Parsed object or default value
  */
 function safeJsonParseContent(content, defaultValue = null) {
-  try {
-    // Check for prototype pollution attempts in raw content
-    // Covers various quote styles and whitespace variants
-    if (/__proto__|constructor\s*["'`:]|prototype\s*["'`:]/i.test(content)) {
-      console.warn('[safeJsonParse] Suspicious content detected');
-      return defaultValue;
-    }
-
-    const parsed = JSON.parse(content);
-
-    // Validate it's an object (not primitive)
-    if (typeof parsed !== 'object' || parsed === null) {
-      return parsed; // Allow primitives to pass through
-    }
-
-    // Additional check: ensure no proto/constructor keys were added
-    const keys = Object.getOwnPropertyNames(parsed);
-    if (keys.includes('__proto__') || keys.includes('constructor') || keys.includes('prototype')) {
-      console.warn('[safeJsonParse] Prototype pollution attempt detected');
-      return defaultValue;
-    }
-
-    return parsed;
-  } catch (_err) {
-    return defaultValue;
-  }
+  // Delegates to flow-io's canonical safeJsonParseStringStrip (audit dup-004
+  // consolidation 2026-04-26). Two intentional behavior improvements over
+  // the prior local impl:
+  //   1. Strip semantic (recursive) replaces the buggy regex-based reject
+  //      that produced false positives on any text containing the word
+  //      "constructor" (e.g. legitimate string values).
+  //   2. Primitives no longer pass through (return defaultValue). All
+  //      callers in lib/workspace-*.js parse JSON objects, not primitives.
+  // Risk assessment: cloud-compat verified by user's regression test
+  // coverage prior to this consolidation.
+  const { safeJsonParseStringStrip } = require('../scripts/flow-io');
+  return safeJsonParseStringStrip(content, defaultValue);
 }
 
 /**

package/lib/wogi-claude

@@ -132,9 +132,32 @@ fi
 # worker's `.mcp.json` doesn't define `wogi-workspace-channel` (e.g.
 # this is not a workspace member), fall back to the empty MCP config
 # (the strip is harmless in non-workspace contexts).
+#
+# SEC-003 fix (2026-04-26): validate WOGI_WORKSPACE_ROOT before using it as
+# a destination path. Without validation, an attacker who can set the env
+# var could redirect the channel-only MCP config write to an arbitrary
+# path. Rules:
+#   1. Must be absolute (start with /).
+#   2. Must point to an existing directory.
+#   3. Must NOT contain '..' segments (traversal guard).
+# On any validation failure, fall back to $(pwd) which is bounded by the
+# current working directory.
 __wogi_empty_mcp_config=""
 if [ "$__wogi_strip_mcp" -eq 1 ]; then
-  __wogi_empty_mcp_config="${WOGI_WORKSPACE_ROOT:-$(pwd)}/.workflow/state/worker-channel-only-mcp.json"
+  __wogi_workspace_root_raw="${WOGI_WORKSPACE_ROOT:-}"
+  __wogi_workspace_root_safe=""
+  if [ -n "$__wogi_workspace_root_raw" ] \
+     && [ "${__wogi_workspace_root_raw#/}" != "$__wogi_workspace_root_raw" ] \
+     && [ -d "$__wogi_workspace_root_raw" ] \
+     && [ "${__wogi_workspace_root_raw#*..}" = "$__wogi_workspace_root_raw" ]; then
+    __wogi_workspace_root_safe="$__wogi_workspace_root_raw"
+  else
+    __wogi_workspace_root_safe="$(pwd)"
+    if [ -n "$__wogi_workspace_root_raw" ]; then
+      echo "[wogi-claude] WARNING: WOGI_WORKSPACE_ROOT='$__wogi_workspace_root_raw' failed validation (must be absolute, exist, no '..'); falling back to $(pwd)" >&2
+    fi
+  fi
+  __wogi_empty_mcp_config="$__wogi_workspace_root_safe/.workflow/state/worker-channel-only-mcp.json"
   __wogi_member_mcp_path="$(pwd)/.mcp.json"
   if command -v node >/dev/null 2>&1; then
     # Use the dedicated helper (testable; see tests/flow-worker-mcp-strip.test.js).
@@ -155,14 +178,30 @@ if [ "$__wogi_strip_mcp" -eq 1 ]; then
     else
       # Helper not found — fall back to inline extraction (legacy code path
       # for installs that pre-date the helper script).
+      #
+      # arch-004 (2026-04-26): even in the fallback, scrub prototype-pollution
+      # keys from the parsed .mcp.json before re-emitting. This keeps the
+      # bash-inline path consistent with the canonical helper's safety
+      # guarantees (no raw JSON.parse without proto-scrub).
       node -e '
         const fs = require("fs");
         const path = require("path");
+        const DANGEROUS = new Set(["__proto__","constructor","prototype"]);
+        function strip(v, d) {
+          if (d > 256 || !v || typeof v !== "object") return v;
+          if (Array.isArray(v)) { for (const x of v) strip(x, d+1); return v; }
+          for (const k of Object.getOwnPropertyNames(v)) {
+            if (DANGEROUS.has(k)) { delete v[k]; continue; }
+            strip(v[k], d+1);
+          }
+          return v;
+        }
         const [src, out] = process.argv.slice(1);
         let channelEntry = null;
         try {
           if (fs.existsSync(src)) {
             const cfg = JSON.parse(fs.readFileSync(src, "utf-8"));
+            strip(cfg, 0);
             const ws = cfg && cfg.mcpServers && cfg.mcpServers["wogi-workspace-channel"];
             if (ws) channelEntry = ws;
           }

package/lib/workspace-messages.js

@@ -11,6 +11,7 @@
 const fs = require('node:fs');
 const path = require('node:path');
 const { safeReadJson } = require('./utils');
+const { DANGEROUS_KEYS } = require('../scripts/flow-io');
 const crypto = require('node:crypto');
 
 // ============================================================
@@ -170,7 +171,7 @@ function updateMessageStatus(workspaceRoot, messageId, newStatus, extra = {}) {
     message.updatedAt = new Date().toISOString();
     // Safe merge: filter dangerous keys to prevent prototype pollution
     if (extra && typeof extra === 'object') {
-      const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
+      // DANGEROUS_KEYS imported from scripts/flow-io canonical (audit dup-002 / wf-9fc4970b).
       for (const [key, value] of Object.entries(extra)) {
         if (!DANGEROUS_KEYS.has(key)) {
           message[key] = value;

package/lib/workspace.js

@@ -17,7 +17,7 @@
 
 const fs = require('node:fs');
 const path = require('node:path');
-const { safeJsonParse } = require('../scripts/flow-io');
+const { safeJsonParse, safeJsonParseStringStrip } = require('../scripts/flow-io');
 
 /**
  * wf-f747f993 — resolve the claude-spawning command for workspace sessions.
@@ -61,20 +61,13 @@ function resolveClaudeSpawnCommand(role, flags) {
 // Constants
 // ============================================================
 
-// Proto-pollution safe JSON parse (finding-007)
-const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
+// Proto-pollution safe JSON parse (finding-007).
+// Delegates to flow-io's canonical safeJsonParseStringStrip (audit dup-004
+// consolidation 2026-04-26). Behavior change vs prior local impl: dangerous
+// key deletion is now RECURSIVE (was top-level only). Strict improvement —
+// previous impl missed nested __proto__ in package.json or workspace metadata.
 function safeParseJson(str, fallback) {
-  try {
-    const obj = JSON.parse(str);
-    if (obj && typeof obj === 'object') {
-      for (const key of Object.keys(obj)) {
-        if (DANGEROUS_KEYS.has(key)) delete obj[key];
-      }
-    }
-    return obj;
-  } catch (_err) {
-    return fallback;
-  }
+  return safeJsonParseStringStrip(str, fallback);
 }
 
 const WORKSPACE_CONFIG_FILE = 'wogi-workspace.json';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wogiflow",
-  "version": "2.29.1",
+  "version": "2.29.3",
   "description": "AI-powered development workflow management system with multi-model support",
   "main": "lib/index.js",
   "bin": {
@@ -10,7 +10,7 @@
   },
   "scripts": {
     "flow": "./scripts/flow",
-    "test": "NODE_ENV=test node --test tests/auto-compact-prompt.test.js tests/flow-paths.test.js tests/flow-io.test.js tests/flow-config-loader.test.js tests/flow-damage-control.test.js tests/flow-output.test.js tests/flow-constants.test.js tests/flow-session-state.test.js tests/flow-hooks-integration.test.js tests/flow-utils.test.js tests/flow-security.test.js tests/flow-memory-db.test.js tests/flow-durable-session.test.js tests/flow-skill-matcher.test.js tests/flow-bridge.test.js tests/flow-proactive-compact.test.js tests/flow-cascade-completion.test.js tests/flow-capture-gate.test.js tests/flow-correction-detector-hybrid.test.js tests/flow-promote.test.js tests/flow-archive-runs.test.js tests/flow-memory.test.js tests/flow-hooks-pre-tool-helpers.test.js tests/flow-hooks-bugfix-scope-gate.test.js tests/flow-hooks-routing-gate.test.js tests/flow-hooks-phase-read-gate.test.js tests/flow-hooks-commit-log-gate.test.js tests/flow-hooks-deploy-gate.test.js tests/flow-hooks-todowrite-gate.test.js tests/flow-hooks-git-safety-gate.test.js tests/flow-hooks-scope-mutation-gate.test.js tests/flow-hooks-strike-gate.test.js tests/flow-hooks-component-check.test.js tests/flow-hooks-scope-gate.test.js tests/flow-hooks-implementation-gate.test.js tests/flow-hooks-research-gate.test.js tests/flow-hooks-loop-check.test.js tests/flow-hooks-manager-boundary-gate.test.js tests/flow-hooks-phase-gate.test.js tests/flow-hooks-pre-tool-orchestrator.test.js tests/flow-hooks-observation-capture.test.js tests/flow-hooks-task-gate.test.js tests/flow-durable-session-suspension.test.js tests/flow-health-mcp-scopes.test.js tests/flow-lean-config.test.js tests/flow-workspace-autopickup.test.js tests/flow-worker-boundary-gate.test.js tests/flow-worker-question-classifier.test.js tests/flow-completion-truth-gate-contradictions.test.js tests/flow-structure-sensor.test.js tests/flow-workspace-dispatch-tracking.test.js tests/workspace-ipc-sqlite.test.js tests/workspace-ipc-multi-worker.test.js tests/flow-story-gates.test.js tests/flow-workspace-restart-handoff.test.js tests/flow-wogi-claude-wrapper.test.js tests/flow-wave1-integrations.test.js tests/flow-wave2-integrations.test.js tests/flow-wave3-integrations.test.js tests/flow-commit-claims-gate.test.js tests/auto-review.test.js tests/gate-telemetry-surface.test.js tests/agents-md-alias.test.js tests/flow-skill-manage.test.js tests/fuzzy-patch.test.js tests/mode-schema.test.js tests/flow-feature-dossier.test.js tests/flow-autonomous-mode.test.js tests/flow-epic-cascade.test.js tests/flow-workspace-summary.test.js tests/flow-hooks-research-evidence-gate.test.js tests/flow-worker-mcp-strip.test.js && NODE_ENV=test node tests/run-quality-gates.test.js",
+    "test": "NODE_ENV=test node --test tests/auto-compact-prompt.test.js tests/flow-paths.test.js tests/flow-io.test.js tests/flow-config-loader.test.js tests/flow-damage-control.test.js tests/flow-output.test.js tests/flow-constants.test.js tests/flow-session-state.test.js tests/flow-hooks-integration.test.js tests/flow-utils.test.js tests/flow-security.test.js tests/flow-memory-db.test.js tests/flow-durable-session.test.js tests/flow-skill-matcher.test.js tests/flow-bridge.test.js tests/flow-proactive-compact.test.js tests/flow-cascade-completion.test.js tests/flow-capture-gate.test.js tests/flow-correction-detector-hybrid.test.js tests/flow-promote.test.js tests/flow-archive-runs.test.js tests/flow-memory.test.js tests/flow-hooks-pre-tool-helpers.test.js tests/flow-hooks-bugfix-scope-gate.test.js tests/flow-hooks-routing-gate.test.js tests/flow-hooks-phase-read-gate.test.js tests/flow-hooks-commit-log-gate.test.js tests/flow-hooks-deploy-gate.test.js tests/flow-hooks-todowrite-gate.test.js tests/flow-hooks-git-safety-gate.test.js tests/flow-hooks-scope-mutation-gate.test.js tests/flow-hooks-strike-gate.test.js tests/flow-hooks-component-check.test.js tests/flow-hooks-scope-gate.test.js tests/flow-hooks-implementation-gate.test.js tests/flow-hooks-research-gate.test.js tests/flow-hooks-loop-check.test.js tests/flow-hooks-manager-boundary-gate.test.js tests/flow-hooks-phase-gate.test.js tests/flow-hooks-pre-tool-orchestrator.test.js tests/flow-hooks-observation-capture.test.js tests/flow-hooks-task-gate.test.js tests/flow-durable-session-suspension.test.js tests/flow-health-mcp-scopes.test.js tests/flow-lean-config.test.js tests/flow-workspace-autopickup.test.js tests/flow-worker-boundary-gate.test.js tests/flow-worker-question-classifier.test.js tests/flow-completion-truth-gate-contradictions.test.js tests/flow-structure-sensor.test.js tests/flow-workspace-dispatch-tracking.test.js tests/workspace-ipc-sqlite.test.js tests/workspace-ipc-multi-worker.test.js tests/flow-story-gates.test.js tests/flow-workspace-restart-handoff.test.js tests/flow-wogi-claude-wrapper.test.js tests/flow-wave1-integrations.test.js tests/flow-wave2-integrations.test.js tests/flow-wave3-integrations.test.js tests/flow-commit-claims-gate.test.js tests/auto-review.test.js tests/gate-telemetry-surface.test.js tests/agents-md-alias.test.js tests/flow-skill-manage.test.js tests/fuzzy-patch.test.js tests/mode-schema.test.js tests/flow-feature-dossier.test.js tests/flow-autonomous-mode.test.js tests/flow-epic-cascade.test.js tests/flow-workspace-summary.test.js tests/flow-hooks-research-evidence-gate.test.js tests/flow-worker-mcp-strip.test.js tests/flow-orchestrate-corrections.test.js tests/flow-source-fidelity.test.js tests/flow-hooks-long-input-enforcement.test.js && NODE_ENV=test node tests/run-quality-gates.test.js",
     "test:syntax": "find scripts/ lib/ -name '*.js' -not -path '*/node_modules/*' -exec node --check {} +",
     "lint": "eslint scripts/ lib/ tests/",
     "lint:ci": "eslint scripts/ lib/ tests/ --max-warnings 0",

package/scripts/flow

@@ -1068,6 +1068,10 @@ case "${1:-}" in
         # long-input is the new name, transcript-digest kept for backward compatibility
         node "$SCRIPT_DIR/flow-long-input.js" "${@:2}"
         ;;
+    long-input-pending)
+        # P11.6 mechanical-enforcement marker management
+        node "$SCRIPT_DIR/flow-long-input-pending.js" "${@:2}"
+        ;;
     permissions)
         # Permission management (session vs permanent)
         node "$SCRIPT_DIR/flow-permissions.js" "${@:2}"

package/scripts/flow-autonomous-detector.js

@@ -36,16 +36,38 @@ const TRIGGER_PHRASES = [
   'do them all without asking'
 ];
 
-const STOP_PHRASES = [
+// CL-001 fix (2026-04-26): split into EXACT and EXPLICIT phrase lists.
+//
+// Previously detectStop() did a startsWith/endsWith match on every phrase,
+// which silently deactivated autonomous mode when the user said things like
+// "wait for the build then continue" or "hold on let me check, then proceed"
+// or "stop being so verbose but keep working" — common conversational words
+// at the start/end of a message would falsely trigger deactivation.
+//
+// New semantic:
+//   EXACT_STOP_PHRASES — exact match only (common short words; if the user
+//     actually means it as a stop command, they'll type just that)
+//   EXPLICIT_STOP_PHRASES — substring match (unambiguous because they
+//     mention "autonomous" by name)
+const EXACT_STOP_PHRASES = [
   'stop',
   'pause',
   'hold on',
-  'wait',
+  'wait'
+];
+
+const EXPLICIT_STOP_PHRASES = [
   'cancel autonomous',
   'exit autonomous',
-  'leave autonomous mode'
+  'leave autonomous mode',
+  'stop autonomous',
+  'pause autonomous',
+  'end autonomous'
 ];
 
+// Backwards-compat: union for any external caller that imported STOP_PHRASES.
+const STOP_PHRASES = [...EXACT_STOP_PHRASES, ...EXPLICIT_STOP_PHRASES];
+
 function normalize(s) {
   return String(s || '').toLowerCase().replace(/\s+/g, ' ').trim();
 }
@@ -66,7 +88,10 @@ function detect(message) {
 function detectStop(message) {
   const text = normalize(message);
   if (!text) return false;
-  return STOP_PHRASES.some(p => text === p || text.startsWith(p + ' ') || text.endsWith(' ' + p));
+  // EXACT phrases require equality (don't match mid-message)
+  if (EXACT_STOP_PHRASES.includes(text)) return true;
+  // EXPLICIT phrases match anywhere (unambiguous due to "autonomous" word)
+  return EXPLICIT_STOP_PHRASES.some(p => text.includes(p));
 }
 
 /**

package/scripts/flow-autonomous-mode.js

@@ -97,7 +97,15 @@ function finalize({ endReason = 'queue-drained', completed = [] } = {}) {
  * POST one or more COMPLETION-SUMMARY lines to the manager's channel-dispatch
  * HTTP bus. Synchronous + best-effort — finalize() must not throw if the
  * manager is unreachable.
+ *
+ * CL-003 fix (2026-04-26): per-call timeout reduced from 5s → 2s. On any
+ * failure, abort the remaining chunks and bubble up a coherent error
+ * (instead of looping through 5×N seconds and leaving the manager with a
+ * partial chunk set). Worst-case wall-clock cost: ~2s × 1 (first failure
+ * short-circuits) instead of unbounded N×5s for chunked payloads.
  */
+const POST_TIMEOUT_MS = 2000;
+
 function postSummaryToManager(payload) {
   const { execFileSync } = require('node:child_process');
   const ws = require('./flow-workspace-summary');
@@ -106,14 +114,26 @@ function postSummaryToManager(payload) {
   const lines = ws.encodeMessage(enriched);
   const port = process.env.WOGI_MANAGER_PORT || '8800';
   const repo = process.env.WOGI_REPO_NAME;
+  let sent = 0;
   for (const line of lines) {
-    execFileSync('curl', [
-      '-s', '-X', 'POST',
-      `http://127.0.0.1:${port}`,
-      '-H', `X-Wogi-From: ${repo}`,
-      '-H', `X-Wogi-TaskId: ${taskId}`,
-      '--data-binary', line
-    ], { stdio: 'ignore', timeout: 5000 });
+    try {
+      execFileSync('curl', [
+        '-s', '--fail', '-X', 'POST',
+        `http://127.0.0.1:${port}`,
+        '-H', `X-Wogi-From: ${repo}`,
+        '-H', `X-Wogi-TaskId: ${taskId}`,
+        '--data-binary', line
+      ], { stdio: 'ignore', timeout: POST_TIMEOUT_MS });
+      sent++;
+    } catch (err) {
+      // Short-circuit on first failure: don't waste 2s × remaining chunks.
+      // Manager already received `sent` chunks (possibly 0); throw a
+      // coherent error so finalize() can record it on result.posted.
+      const total = lines.length;
+      throw new Error(
+        `manager-unreachable after ${sent}/${total} chunks: ${err.message}`
+      );
+    }
   }
 }
 

package/scripts/flow-completion-summary.js

@@ -21,6 +21,8 @@
 const path = require('node:path');
 const { PATHS } = require('./flow-paths');
 const { writeJson } = require('./flow-io');
+// CL-006 (2026-04-26): consolidated formatDuration to flow-time-format.
+const { formatDuration } = require('./flow-time-format');
 
 const SEP = '━'.repeat(58);
 
@@ -28,22 +30,6 @@ function summaryPath(runId) {
   return path.join(PATHS.state, `autonomous-run-summary-${runId}.json`);
 }
 
-function pad2(n) { return String(n).padStart(2, '0'); }
-
-function formatDuration(startedAt, endedAt) {
-  if (!startedAt || !endedAt) return '0:00';
-  const ms = new Date(endedAt).getTime() - new Date(startedAt).getTime();
-  if (!Number.isFinite(ms) || ms < 0) return '0:00';
-  const sec = Math.floor(ms / 1000);
-  const m = Math.floor(sec / 60);
-  const s = sec % 60;
-  if (m >= 60) {
-    const h = Math.floor(m / 60);
-    return `${h}:${pad2(m % 60)}:${pad2(s)}`;
-  }
-  return `${m}:${pad2(s)}`;
-}
-
 /**
  * Build the full payload object — used for both terminal render and
  * persisted JSON. Caller passes raw collected data; this normalizes shape.

package/scripts/flow-id.js

@@ -97,6 +97,36 @@ function isLegacyTaskId(id) {
   return /^(TASK|BUG)-\d{3,}$/i.test(id);
 }
 
+/**
+ * Coarse ID validation used at task-write time. Accepts any valid Wogi ID
+ * shape (task, sub-task, review-fix, review-finding, epic, feature, plan,
+ * slug, legacy). Returns boolean — for finer-grained format detection use
+ * `validateTaskId()`.
+ *
+ * Extracted from flow-utils.js (audit Story 12 — flow-utils decomposition,
+ * pattern-validator extraction). flow-utils.js keeps this name as a
+ * re-export for backwards compat with its 302 importers.
+ *
+ * @param {string} id
+ * @returns {boolean}
+ */
+function isValidWogiId(id) {
+  if (!id || typeof id !== 'string') return false;
+  // Standard task, sub-task, review fix (wf-cr-), review finding (wf-rv-)
+  if (/^wf-[a-f0-9]{8}(-\d{2})?$/i.test(id)) return true;
+  if (/^wf-cr-[a-f0-9]{6}$/i.test(id)) return true;
+  if (/^wf-rv-[a-f0-9]{8}$/i.test(id)) return true;
+  // Epic, feature, plan IDs
+  if (/^(ep|ft|pl)-[a-f0-9]{8}$/i.test(id)) return true;
+  // Slug format: wf-<alphanum>[<alphanum or hyphen>]*<alphanum>, 5-64 chars.
+  // For manager-dispatched descriptive IDs. Path-safe (no dots/separators).
+  // Keep this in sync with validateTaskId() 'slug' branch above.
+  if (/^wf-[a-z0-9][a-z0-9-]{0,60}[a-z0-9]$/i.test(id)) return true;
+  // Legacy format
+  if (/^(TASK|BUG)-\d{3,}$/i.test(id)) return true;
+  return false;
+}
+
 module.exports = {
   generateHashId,
   generateTaskId,
@@ -105,4 +135,5 @@ module.exports = {
   generatePlanId,
   validateTaskId,
   isLegacyTaskId,
+  isValidWogiId,
 };

package/scripts/flow-io.js

@@ -246,6 +246,82 @@ function safeJsonParseString(jsonString, defaultValue = null) {
   }
 }
 
+/**
+ * Recursively strip prototype-pollution keys from a parsed object/array.
+ * Mutates in place; returns the same reference. Use when the caller wants
+ * to filter dangerous content rather than reject the whole payload.
+ *
+ * Sibling to checkForDangerousKeys (which DETECTS without modifying). This
+ * is the strip variant used by lib/* JSON parsers that want to keep
+ * structurally-valid content but defang any __proto__/constructor/prototype
+ * keys nested anywhere in the tree.
+ */
+// Sentinel returned when stripDangerousKeys hits the depth cap. Distinct from
+// `null` (legitimate JSON value) so callers can distinguish "hit the cap" from
+// "successfully scrubbed null".
+const STRIP_TOO_DEEP = Object.freeze({ __wogiTooDeep: true });
+
+const STRIP_MAX_DEPTH = 256;
+
+function stripDangerousKeys(value, depth = 0) {
+  // SEC-001 fix (2026-04-26): bound recursion AND fail-safe at the cap.
+  // Previous impl returned the partially-stripped value, which left dangerous
+  // keys live in subtrees past depth 32 — caller could then merge them and
+  // pollute Object.prototype. New behavior: return STRIP_TOO_DEEP sentinel so
+  // safeJsonParseStringStrip can fall back to defaultValue. Cap raised from
+  // 32 → 256 so legitimate nesting never trips it.
+  if (depth > STRIP_MAX_DEPTH) return STRIP_TOO_DEEP;
+  if (!value || typeof value !== 'object') return value;
+  if (Array.isArray(value)) {
+    for (let i = 0; i < value.length; i++) {
+      const r = stripDangerousKeys(value[i], depth + 1);
+      if (r === STRIP_TOO_DEEP) return STRIP_TOO_DEEP;
+    }
+    return value;
+  }
+  for (const key of Object.getOwnPropertyNames(value)) {
+    if (DANGEROUS_KEYS.has(key)) {
+      delete value[key];
+      continue;
+    }
+    const r = stripDangerousKeys(value[key], depth + 1);
+    if (r === STRIP_TOO_DEEP) return STRIP_TOO_DEEP;
+  }
+  return value;
+}
+
+/**
+ * Parse a JSON string and STRIP any prototype-pollution keys recursively.
+ * Returns the sanitized parsed object (or defaultValue on parse error).
+ *
+ * Differs from safeJsonParseString: that function REJECTS the whole payload
+ * if dangerous keys are present (returns defaultValue). This function
+ * returns the parsed object with dangerous keys removed. Pick based on
+ * threat model:
+ *   - reject (safeJsonParseString)  — fail-loud, refuse hostile content
+ *   - strip (safeJsonParseStringStrip) — fail-soft, sanitize and proceed
+ *
+ * Added as part of audit dup-004 consolidation (2026-04-26): unifies the
+ * lib/utils.safeJsonParseContent / lib/workspace.safeParseJson /
+ * lib/commands/team-connection.safeParseJson trio under a single canonical
+ * helper. Preserves the lib/* "strip and proceed" semantic.
+ *
+ * @param {string} jsonString
+ * @param {*} [defaultValue=null]
+ * @returns {object|Array|*} sanitized parsed value, or defaultValue
+ */
+function safeJsonParseStringStrip(jsonString, defaultValue = null) {
+  try {
+    const parsed = JSON.parse(jsonString);
+    if (typeof parsed !== 'object' || parsed === null) return defaultValue;
+    const stripped = stripDangerousKeys(parsed);
+    if (stripped === STRIP_TOO_DEEP) return defaultValue;
+    return stripped;
+  } catch (_err) {
+    return defaultValue;
+  }
+}
+
 // ============================================================
 // Text File Operations
 // ============================================================
@@ -694,6 +770,8 @@ module.exports = {
   writeJson,
   safeJsonParse,
   safeJsonParseString,
+  safeJsonParseStringStrip,
+  stripDangerousKeys,
 
   // Text File Operations
   readFile,