wogiflow 2.30.0 → 2.30.2

package/scripts/hooks/core/task-gate.js

@@ -7,6 +7,45 @@
  * Checks if there's an active task before allowing implementation actions.
  *
  * Returns a standardized result that adapters transform for specific CLIs.
+ *
+ * --------------------------------------------------------------------------
+ * "Active task" state-source contract (wf-c573961f, 2026-05-11)
+ * --------------------------------------------------------------------------
+ *
+ * The task-gate consults FOUR state sources to determine if a task is active.
+ * External tooling that mutates task state MUST satisfy this contract or the
+ * gate will reject Edits/Writes with `no_active_task` or `task_missing_routing_proof`.
+ *
+ *   1. `.workflow/state/ready.json` → `inProgress[]`
+ *      The task object must be the first element of inProgress, with a valid
+ *      `wf-XXXXXXXX` id (validateTaskId).
+ *
+ *   2. `.workflow/state/durable-session.json` → `{ taskId, status: 'active' }`
+ *      Fallback path when inProgress is empty. Also requires routing proof.
+ *
+ *   3. Task object `routedAt` field (ISO timestamp)
+ *      Set automatically by `flow start` / `createQuickTask` / `moveTaskAsync`
+ *      when a task legitimately enters inProgress.
+ *
+ *   4. `.workflow/state/.routing-receipt-<taskId>` (dotfile, JSON)
+ *      Anti-bypass receipt written by the same callers that set `routedAt`.
+ *      The dual mechanism is defense-in-depth: AI editing ready.json directly
+ *      can spoof `routedAt`, but the receipt file is harder to forge silently.
+ *
+ * The gate accepts the task if EITHER (3) routedAt is set, OR (4) the
+ * receipt file exists, OR the task has a legacy `startedAt` field (pre-
+ * routedAt migration). One of these MUST be true; otherwise the task is
+ * rejected as "manually inserted".
+ *
+ * Documented helpers for external tooling:
+ *   - `writeRoutingReceipt(taskId, options)` — produces a valid receipt for
+ *     a task that's already in inProgress (e.g., after `flow bug` then a
+ *     manual move). This is the documented "I know what I'm doing" escape
+ *     hatch that closes the 2026-05-10 wogiflow-cli bug-report issue.
+ *
+ * Single source of truth in the future: see the deferred follow-up epic
+ * referenced in wf-c573961f's bug spec ("Approach 1 / consolidate to
+ * .workflow/state/active-task.json"). That work is out of L2 scope.
  */
 
 const fs = require('node:fs');
@@ -314,7 +353,7 @@ function checkTaskGate(options = {}, config) {
         return {
           allowed: false,
           blocked: true,
-          message: `Task ${taskId} is in inProgress but has no routing proof (missing routedAt and no routing receipt file).\n\nThis usually means the task was inserted into ready.json manually instead of through /wogi-start.\n\nTo fix:\n1. Use /wogi-start ${taskId} to properly route this task\n2. Or remove it from inProgress and start fresh: /wogi-ready`,
+          message: `Task ${taskId} is in inProgress but has no routing proof (missing routedAt and no routing receipt file).\n\nThis usually means the task was inserted into ready.json manually instead of through /wogi-start.\n\nTo fix:\n1. RECOMMENDED — Use /wogi-start ${taskId} to properly route this task.\n2. Or remove it from inProgress and start fresh: /wogi-ready\n3. Or, if you know what you're doing (e.g. after \`flow bug\` + manual move), write a routing receipt:\n     node -e "require('./scripts/hooks/core/task-gate').writeRoutingReceipt('${taskId}', { via: 'manual' })"\n\nSee scripts/hooks/core/task-gate.js header for the "active task" state-source contract.`,
           reason: 'task_missing_routing_proof'
         };
       }
@@ -410,6 +449,42 @@ function checkTaskGate(options = {}, config) {
   };
 }
 
+/**
+ * Write a routing receipt for a task. This is the documented external API
+ * for satisfying the routing-proof requirement (state source #4) when the
+ * task is in inProgress but was placed there by a caller that didn't write
+ * a receipt (e.g., manual edit, or `flow bug` then move).
+ *
+ * Returns `{ ok: true, path }` on success or `{ ok: false, reason }` on
+ * failure. Validates taskId format before writing.
+ *
+ * wf-c573961f: previously this functionality was inlined in createQuickTask
+ * and not exported, leaving external tooling no documented way to satisfy
+ * the gate. The bug-report author hit exactly this — they updated four
+ * state files but couldn't discover the receipt-file requirement.
+ *
+ * @param {string} taskId - wf-XXXXXXXX format
+ * @param {Object} [options]
+ * @param {string} [options.via='external'] - audit field stored in the receipt
+ * @returns {{ok: boolean, path?: string, reason?: string}}
+ */
+function writeRoutingReceipt(taskId, options = {}) {
+  if (typeof taskId !== 'string' || !validateTaskId(taskId).valid) {
+    return { ok: false, reason: `invalid taskId format: ${taskId}` };
+  }
+  try {
+    const receiptPath = path.join(PATHS.state, `.routing-receipt-${taskId}`);
+    fs.writeFileSync(receiptPath, JSON.stringify({
+      taskId,
+      routedAt: new Date().toISOString(),
+      via: options.via || 'external'
+    }, null, 2));
+    return { ok: true, path: receiptPath };
+  } catch (err) {
+    return { ok: false, reason: err.message };
+  }
+}
+
 /**
  * Generate warning message (when not blocking)
  */
@@ -523,6 +598,7 @@ module.exports = {
   getActiveTask,
   checkTaskGate,
   createQuickTask,
+  writeRoutingReceipt,
   generateBlockMessage,
   generateWarningMessage
 };

package/scripts/hooks/entry/claude-code/stop.js

@@ -17,12 +17,26 @@ const { isRoutingPending, incrementStopAttempts } = require('../../core/routing-
 const { runHook } = require('../shared/hook-runner');
 
 runHook('Stop', async ({ parsedInput }) => {
+  // wf-35742353 — Gate priority: if long-input-pending is active, it is the
+  // top-priority remediation. The UserPromptSubmit hook already surfaced the
+  // full long-input message on prompt arrival; firing routing-enforcement
+  // and research-required gates now would issue conflicting "do this NOW"
+  // instructions in the same turn. Defer the lower-priority Stop-hook gates
+  // until long-input-pending is resolved.
+  //
+  // Fail-open: any error reading the marker falls through to normal gate flow.
+  let longInputActive = false;
+  try {
+    const { isLongInputPending } = require('../../core/long-input-enforcement');
+    longInputActive = isLongInputPending();
+  } catch (_err) { /* fail-open */ }
+
   // v6.2: Routing enforcement check — catches text-only response bypass
   // If routing-pending flag is still set when the AI tries to stop, it means
   // the AI responded to the user's message without ever invoking a /wogi-* command.
   // This is the exact bypass we need to prevent (especially after context compaction).
   try {
-    if (isRoutingPending()) {
+    if (isRoutingPending() && !longInputActive) {
       // Use counter-based approach instead of clearing immediately.
       // This gives the AI multiple chances to comply before giving up.
       // Gap 4 fix: clearing immediately made this single-shot protection.
@@ -260,7 +274,15 @@ runHook('Stop', async ({ parsedInput }) => {
   // turn was classified as diagnostic (Tier 2/3 from CLAUDE.md), check that
   // the AI made enough Read calls against evidence paths before answering.
   // If not, re-prompt with a violation message forcing a redo. Fail-open.
+  //
+  // wf-35742353 — Skip this gate when long-input-pending is active. The user's
+  // prompt isn't yet captured, so demanding evidence-reading would issue a
+  // conflicting remediation. The diagnostic marker will still be present when
+  // long-input resolves; the gate fires correctly then.
   try {
+    if (longInputActive) {
+      // skip — defer to long-input remediation
+    } else {
     const { checkResearchRequiredGate } = require('../../core/research-required-gate');
     const { getConfig } = require('../../../flow-utils');
     const config = getConfig();
@@ -276,6 +298,7 @@ runHook('Stop', async ({ parsedInput }) => {
       // Soft re-prompt: force the AI to redo with reads
       return { __raw: true, continue: true, stopReason: result.message };
     }
+    } // end else (wf-35742353 long-input-active skip)
   } catch (err) {
     if (process.env.DEBUG) {
       console.error(`[Stop] Research-required gate error (fail-open): ${err.message}`);

package/scripts/postinstall.js

@@ -148,6 +148,31 @@ function createMinimalStructure() {
       }, null, 2), { mode: FILE_MODE });
     }
   }
+
+  // wf-2eafdab0 (AC2/H2): Create forbidden-patterns.json from template on fresh
+  // installs. Idempotent — never overwrites an existing file. Without this, the
+  // declarative-forbidden-pattern feature ships as a silent no-op (the v2.30.0
+  // bug this commit fixes).
+  const forbiddenPatternsPath = path.join(STATE_DIR, 'forbidden-patterns.json');
+  if (!fs.existsSync(forbiddenPatternsPath)) {
+    const fpTemplate = path.join(STATE_DIR, 'forbidden-patterns.json.template');
+    try {
+      const rawContent = fs.existsSync(fpTemplate)
+        ? fs.readFileSync(fpTemplate, 'utf-8')
+        : '[]';
+      const parsed = safeJsonParseString(rawContent, []);
+      fs.writeFileSync(
+        forbiddenPatternsPath,
+        JSON.stringify(parsed, null, 2),
+        { mode: FILE_MODE }
+      );
+    } catch (err) {
+      if (process.env.DEBUG) {
+        console.error(`[postinstall] forbidden-patterns template error: ${err.message}`);
+      }
+      fs.writeFileSync(forbiddenPatternsPath, '[]\n', { mode: FILE_MODE });
+    }
+  }
 }
 
 /**