wogiflow 2.30.4 → 2.31.1

package/.claude/commands/wogi-self-adversary.md

@@ -0,0 +1,130 @@
+# /wogi-self-adversary — Self-adversary decision loop
+
+Iterate a generator and adversary on different models until you reach ≥95% confidence on an implementation-class decision. Only escalate to the user if confidence stays low after the loop.
+
+**Triggers**: invoked by the AI itself when blocked by the self-adversary PreToolUse gate (wf-e399bd8d), OR by the user directly.
+
+## Usage
+
+```bash
+/wogi-self-adversary "<question + brief context>"
+```
+
+The argument should be the question the AI was about to ask the user, optionally followed by relevant context (files, prior decisions, constraints). Both will be passed to the loop.
+
+## How it works
+
+For Claude inside this skill — read carefully, then execute.
+
+### Step 1: Parse the argument
+
+The ARGUMENTS string contains the question + context. Split on a sensible boundary (first newline, or `--context:` separator if present). If no clear split, treat the entire argument as the question and leave context empty.
+
+### Step 2: Run the loop
+
+```js
+const { runSelfAdversaryLoop } = require('wogiflow/scripts/flow-self-adversary-loop');
+const result = await runSelfAdversaryLoop({
+  question: questionText,
+  context: contextText,
+  maxIterations: 8,
+  targetConfidence: 95
+});
+```
+
+Or via Bash if a CLI wrapper exists; otherwise invoke through Node inline.
+
+### Step 3: Handle the result
+
+**Three possible outcomes:**
+
+**A. `escalate: false`** — confident decision reached.
+
+1. Display the decision + confidence + iteration count to the user as a summary.
+2. Write the completion marker so the next `AskUserQuestion` (if any) is allowed:
+   ```js
+   const gate = require('wogiflow/scripts/hooks/core/self-adversary-gate');
+   gate.writeCompletionMarker({
+     question: questionText,
+     decision: result.decision,
+     confidence: result.confidence,
+     iterationCount: result.iterationCount
+   });
+   ```
+3. ACT on the decision in your subsequent tool calls — no more asking, no hedging.
+
+**B. `escalate: true` (reason: `low-confidence` / `max-iterations-exhausted`)** — loop ran but couldn't converge.
+
+1. Write the escalation marker (allows the next `AskUserQuestion` to pass without re-blocking):
+   ```js
+   gate.writeEscalationMarker({
+     question: questionText,
+     decision: result.decision,
+     confidence: result.confidence,
+     iterationCount: result.iterationCount,
+     reason: result.reason
+   });
+   ```
+2. Surface to the user with: the question, what the loop concluded (best decision + confidence), why iteration couldn't push past the threshold, and what specific resolution you need from them.
+3. Call `AskUserQuestion` (which now passes the gate).
+
+**C. `escalate: true` (reason: `no-credentials` / `model-error` / etc.)** — loop couldn't run.
+
+1. Note the failure mode briefly to the user.
+2. Write the escalation marker and surface the original question.
+
+### Step 4: Audit trail
+
+Append a one-line summary to `.workflow/state/self-adversary-log.json` (append-only, ring-buffered at 100):
+
+```json
+{
+  "timestamp": "...",
+  "questionHash": "...",
+  "iterations": N,
+  "finalConfidence": X,
+  "outcome": "decided" | "escalated",
+  "reason": "..."
+}
+```
+
+This lets the user audit how often the loop converges vs escalates. Helps tune `targetConfidence` and `maxIterations` over time.
+
+## Configuration
+
+`.workflow/config.json`:
+
+```json
+{
+  "selfAdversaryGate": {
+    "enabled": true,
+    "targetConfidence": 95,
+    "maxIterations": 8,
+    "generatorModel": "anthropic:claude-sonnet-4-6",
+    "adversaryModel": "anthropic:claude-3-5-haiku-latest"
+  }
+}
+```
+
+- `enabled: false` — disables both the PreToolUse gate AND prevents the skill from running. Reverts to "always ask the user".
+- `targetConfidence` — clamped to [50, 99]; default 95.
+- `maxIterations` — clamped to [1, 12]; default 8.
+
+## Files
+
+| File | Purpose |
+|---|---|
+| `scripts/flow-self-adversary-loop.js` | Core loop (generator ↔ adversary, iteration memory in-process). |
+| `scripts/flow-impl-question-classifier.js` | Haiku classifier — implementation vs product/architecture/sensitive. |
+| `scripts/hooks/core/self-adversary-gate.js` | PreToolUse intercept + markers. |
+| `.workflow/state/self-adversary-complete.json` | Single-use marker, allows next AskUserQuestion. |
+| `.workflow/state/self-adversary-escalation.json` | Single-use marker, allows next AskUserQuestion after loop concluded "needs-user". |
+| `.workflow/state/self-adversary-log.json` | Append-only audit trail. |
+
+## Why this exists
+
+User directive 2026-05-11 (wf-e399bd8d):
+
+> "Always do highest standards, best approach, don't compromise on quality for token savings. Challenge yourself a few times and most of the times you get to a point where you already know what to do with very high confidence, 90 or 95+ percent. When you have doubt that you'll be able to challenge yourself, use adversary research. And do it in a few iterations until you're confident. And only if you're still not confident, then ask the user."
+
+The pattern maps to Self-Refine (Madaan et al. 2023) + Reflexion (Shinn et al. 2023) + Multi-Agent Reflexion (different-model adversary escapes local optima). WogiFlow already runs an Architect+Adversary loop at the PLAN level (IGR Step 1.55/1.57). This skill is the implementation-decision analogue, finer-grained, runs during coding rather than spec_review.

package/.claude/docs/config-schema.md

@@ -0,0 +1,219 @@
+# WogiFlow Config Schema Reference
+
+Authoritative reference for `.workflow/config.json` keys. Defaults live in `scripts/flow-config-defaults.js`.
+
+Created: 2026-05-11 (wf-6e31850e A-5)
+
+---
+
+## Gates
+
+### `deferralGate` (wf-f9912af6, wf-b8839d99)
+
+Prevents AI from silently writing `status: deferred*` to review/audit findings without user authorization.
+
+| Key | Type | Default | Description |
+|---|---|---|---|
+| `enabled` | bool | `true` | Master switch |
+| `authTtlSeconds` | int | `600` | Auth marker lifetime (10 min) |
+| `classifyUserPrompts` | bool | `true` | Run AI classifier at UserPromptSubmit |
+| `minClassifierConfidence` | int | `75` | Confidence threshold for treating intent as actionable |
+
+### `selfAdversaryGate` (wf-e399bd8d)
+
+Intercepts AskUserQuestion for implementation-class questions, requires self-adversary loop first.
+
+| Key | Type | Default | Description |
+|---|---|---|---|
+| `enabled` | bool | `true` | Master switch |
+| `targetConfidence` | int | `95` | Loop terminates when confidence ≥ this. Range [50, 99]. |
+| `maxIterations` | int | `8` | Loop iteration cap. Range [1, 12]. |
+| `generatorModel` | string | `anthropic:claude-sonnet-4-6` | Model for the GENERATOR pass |
+| `adversaryModel` | string | `anthropic:claude-3-5-haiku-latest` | Model for the ADVERSARY pass (MUST differ from generator) |
+
+### `longInputGate` (P11.5 mechanical enforcement)
+
+Forces long-form prompts without source-link through `/wogi-extract-review`.
+
+| Key | Type | Default | Description |
+|---|---|---|---|
+| `enabled` | bool | `true` | Master switch |
+| `lineThreshold` | int | `40` | Lines above which prompt is considered long-form |
+| `itemThreshold` | int | `5` | Discrete-item count above which prompt is considered long-form |
+
+### `researchRequiredGate` (wf-5cd71b1f)
+
+Forces evidence-reading before answering diagnostic prompts.
+
+| Key | Type | Default | Description |
+|---|---|---|---|
+| `enabled` | bool | `true` | Master switch |
+| `requiredEvidence` | int | `2` | Minimum Read calls against evidence prefixes |
+| `maxAttempts` | int | `3` | Soft re-prompt attempts before hard-stop |
+
+### `phaseGate`
+
+Controls Edit/Write/Bash blocking based on workflow phase.
+
+| Key | Type | Default | Description |
+|---|---|---|---|
+| `hooks.rules.phaseGate.enabled` | bool | `false` | Strict; only blocks when `true`. State writing happens regardless (wf-88a08fd4). |
+| `hooks.rules.phaseReadGate.enabled` | bool | `true` | Block Edit/Write/Bash until current phase's docs file is read |
+
+### `taskGate`
+
+Controls whether Edit/Write/Bash require an active task.
+
+| Key | Type | Default | Description |
+|---|---|---|---|
+| `enforcement.taskGating.enabled` | bool | `true` | Master switch |
+| `enforcement.taskGating.blockWithoutTask` | bool | `true` | Block edits without active task |
+| `enforcement.taskGating.autoCreateTask` | bool | `false` | Auto-create quick task for ad-hoc edits |
+| `enforcement.strictMode` | bool | `true` | Strict-mode shortcut |
+| `enforcement.requireTaskForImplementation` | bool | `true` | Requires task for implementation edits |
+| `enforcement.blockAutoTask` | bool | `false` | Block edits even when auto-task was created |
+
+## Review system
+
+### `review.framingPass` (IGR v6.0 Phase 0)
+
+| Key | Type | Default |
+|---|---|---|
+| `enabled` | bool | `true` |
+| `itemReconciliation` | bool | `true` |
+| `adversaryInExploratory` | bool | `false` |
+
+### `review.evidenceTiers` (IGR v6.0)
+
+| Key | Type | Default |
+|---|---|---|
+| `enabled` | bool | `true` |
+| `capByTier` | bool | `true` |
+
+### `review.confidenceTiers` (IGR v6.0)
+
+| Key | Type | Default |
+|---|---|---|
+| `enabled` | bool | `true` |
+
+### `review.adversaryPass` (IGR v6.0 Phase 2.8)
+
+| Key | Type | Default |
+|---|---|---|
+| `enabled` | bool | `true` |
+| `adversaryModel` | object | mapping: agents-on-X → adversary-on-Y |
+| `applySeverityAdjustments` | bool | `true` |
+| `applyScopeDrift` | bool | `true` |
+| `blockOnBlockVerdict` | bool | `true` |
+
+### `review.completionTruthGate`
+
+| Key | Type | Default |
+|---|---|---|
+| `enabled` | bool | `true` |
+| `requireInteractiveForFixed` | bool | `true` |
+
+### `review.gitVerifiedClaims`
+
+| Key | Type | Default |
+|---|---|---|
+| `enabled` | bool | `true` |
+| `verifyFileCreation` | bool | `true` |
+| `verifyContentMatch` | bool | `true` |
+| `blockOnMismatch` | bool | `true` |
+
+### `review.agents`
+
+| Key | Type | Default |
+|---|---|---|
+| `core` | array | `["code-logic", "security", "architecture"]` |
+| `optional` | array | `["performance"]` |
+| `projectRules` | bool | `true` |
+| `projectRulesSource` | string | `"decisions.md"` |
+| `maxParallelAgents` | int | `6` |
+
+### `review.minFindings` / `review.requireJustificationIfClean`
+
+| Key | Type | Default |
+|---|---|---|
+| `minFindings` | int | `3` |
+| `requireJustificationIfClean` | bool | `true` |
+
+## IGR (Intent-Grounded Reasoning)
+
+### `intentGroundedReasoning`
+
+| Key | Type | Default |
+|---|---|---|
+| `enabled` | bool | `true` |
+
+### `architectRequired` (wf-037f8d66)
+
+| Key | Type | Default |
+|---|---|---|
+| `enabled` | bool | `true` |
+
+## Workspace mode
+
+### `workspace`
+
+| Key | Type | Default |
+|---|---|---|
+| `toolFirstTurnGate.enabled` | bool | `true` |
+| `toolFirstTurnGate.strict` | bool | `true` |
+| `aiWorkerQuestionClassifier.enabled` | bool | `true` |
+| `aiWorkerQuestionClassifier.minConfidence` | int | `70` |
+| `aiWorkerQuestionClassifier.model` | string | `claude-3-5-haiku-latest` |
+| `blockAskUserQuestionInWorker` | bool | `true` |
+| `autoPickupChannelDispatches` | bool | `true` |
+
+## Autonomous mode
+
+### `autonomousMode`
+
+| Key | Type | Default |
+|---|---|---|
+| `cascadeStrategy` | string | `"auto"` |
+| `maxAdversaryInvocations` | int | `30` |
+| `stalenessThresholdMs` | int | `3600000` |
+
+## Sprint reset
+
+### `sprintReset`
+
+| Key | Type | Default |
+|---|---|---|
+| `enabled` | bool | `true` |
+| `criteriaPerSprint` | int | `3` |
+| `minTaskCriteria` | int | `5` |
+
+## Misc
+
+### `mainModeQuestionClassifier`
+
+| Key | Type | Default |
+|---|---|---|
+| `enabled` | bool | `true` |
+| `minConfidence` | int | `70` |
+| `model` | string | `claude-3-5-haiku-latest` |
+
+### `taskBoundaryReset`
+
+| Key | Type | Default |
+|---|---|---|
+| `enabled` | bool | varies |
+| `autoPickupNextTask` | bool | `true` |
+
+### `bulkOrchestrator`
+
+| Key | Type | Default |
+|---|---|---|
+| `enabled` | bool | `true` |
+| `parallelLimit` | int | `3` |
+| `useWorktrees` | bool | `true` |
+| `onFailure` | string | `"stop-dependent"` |
+| `summaryDepth` | string | `"standard"` |
+
+---
+
+This is a hand-curated reference. The authoritative source is `scripts/flow-config-defaults.js` — when in doubt, read that file.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wogiflow",
-  "version": "2.30.4",
+  "version": "2.31.1",
   "description": "AI-powered development workflow management system with multi-model support",
   "main": "lib/index.js",
   "bin": {
@@ -10,7 +10,7 @@
   },
   "scripts": {
     "flow": "./scripts/flow",
-    "test": "NODE_ENV=test node --test tests/auto-compact-prompt.test.js tests/flow-paths.test.js tests/flow-io.test.js tests/flow-audit-gates.test.js tests/flow-standards-hook-three-layer.test.js tests/flow-correction-detector-reconcile.test.js tests/flow-correction-backfill.test.js tests/flow-audit-gates-feature-output-health.test.js tests/flow-config-loader.test.js tests/flow-damage-control.test.js tests/flow-output.test.js tests/flow-constants.test.js tests/flow-session-state.test.js tests/flow-hooks-integration.test.js tests/flow-utils.test.js tests/flow-security.test.js tests/flow-memory-db.test.js tests/flow-durable-session.test.js tests/flow-skill-matcher.test.js tests/flow-bridge.test.js tests/flow-proactive-compact.test.js tests/flow-cascade-completion.test.js tests/flow-capture-gate.test.js tests/flow-correction-detector-hybrid.test.js tests/flow-promote.test.js tests/flow-archive-runs.test.js tests/flow-memory.test.js tests/flow-hooks-pre-tool-helpers.test.js tests/flow-hooks-bugfix-scope-gate.test.js tests/flow-hooks-routing-gate.test.js tests/flow-hooks-phase-read-gate.test.js tests/flow-hooks-commit-log-gate.test.js tests/flow-hooks-deploy-gate.test.js tests/flow-hooks-todowrite-gate.test.js tests/flow-hooks-git-safety-gate.test.js tests/flow-hooks-scope-mutation-gate.test.js tests/flow-hooks-strike-gate.test.js tests/flow-hooks-component-check.test.js tests/flow-hooks-scope-gate.test.js tests/flow-hooks-implementation-gate.test.js tests/flow-hooks-research-gate.test.js tests/flow-hooks-loop-check.test.js tests/flow-hooks-manager-boundary-gate.test.js tests/flow-hooks-phase-gate.test.js tests/flow-hooks-pre-tool-orchestrator.test.js tests/flow-hooks-observation-capture.test.js tests/flow-hooks-task-gate.test.js tests/flow-durable-session-suspension.test.js tests/flow-health-mcp-scopes.test.js tests/flow-lean-config.test.js tests/flow-workspace-autopickup.test.js tests/flow-worker-boundary-gate.test.js tests/flow-worker-question-classifier.test.js tests/flow-completion-truth-gate-contradictions.test.js tests/flow-structure-sensor.test.js tests/flow-workspace-dispatch-tracking.test.js tests/workspace-ipc-sqlite.test.js tests/workspace-ipc-multi-worker.test.js tests/flow-story-gates.test.js tests/flow-workspace-restart-handoff.test.js tests/flow-wogi-claude-wrapper.test.js tests/flow-wave1-integrations.test.js tests/flow-wave2-integrations.test.js tests/flow-wave3-integrations.test.js tests/flow-commit-claims-gate.test.js tests/auto-review.test.js tests/gate-telemetry-surface.test.js tests/agents-md-alias.test.js tests/flow-skill-manage.test.js tests/fuzzy-patch.test.js tests/mode-schema.test.js tests/flow-feature-dossier.test.js tests/flow-autonomous-mode.test.js tests/flow-epic-cascade.test.js tests/flow-workspace-summary.test.js tests/flow-hooks-research-evidence-gate.test.js tests/flow-worker-mcp-strip.test.js tests/flow-orchestrate-corrections.test.js tests/flow-source-fidelity.test.js tests/flow-hooks-long-input-enforcement.test.js tests/workspace-channel-tracking.test.js tests/flow-hooks-deletion-log.test.js tests/flow-task-boundary-reset.test.js tests/flow-deferral-gate.test.js tests/flow-research-required-gate.test.js tests/flow-standards-forbidden-patterns.test.js tests/flow-hooks-architect-required-gate.test.js tests/flow-architect-runs.test.js && NODE_ENV=test node tests/run-quality-gates.test.js",
+    "test": "NODE_ENV=test node --test tests/auto-compact-prompt.test.js tests/flow-paths.test.js tests/flow-io.test.js tests/flow-audit-gates.test.js tests/flow-standards-hook-three-layer.test.js tests/flow-correction-detector-reconcile.test.js tests/flow-correction-backfill.test.js tests/flow-audit-gates-feature-output-health.test.js tests/flow-config-loader.test.js tests/flow-damage-control.test.js tests/flow-output.test.js tests/flow-constants.test.js tests/flow-session-state.test.js tests/flow-hooks-integration.test.js tests/flow-utils.test.js tests/flow-security.test.js tests/flow-memory-db.test.js tests/flow-durable-session.test.js tests/flow-skill-matcher.test.js tests/flow-bridge.test.js tests/flow-proactive-compact.test.js tests/flow-cascade-completion.test.js tests/flow-capture-gate.test.js tests/flow-correction-detector-hybrid.test.js tests/flow-promote.test.js tests/flow-archive-runs.test.js tests/flow-memory.test.js tests/flow-hooks-pre-tool-helpers.test.js tests/flow-hooks-bugfix-scope-gate.test.js tests/flow-hooks-routing-gate.test.js tests/flow-hooks-phase-read-gate.test.js tests/flow-hooks-commit-log-gate.test.js tests/flow-hooks-deploy-gate.test.js tests/flow-hooks-todowrite-gate.test.js tests/flow-hooks-git-safety-gate.test.js tests/flow-hooks-scope-mutation-gate.test.js tests/flow-hooks-strike-gate.test.js tests/flow-hooks-component-check.test.js tests/flow-hooks-scope-gate.test.js tests/flow-hooks-implementation-gate.test.js tests/flow-hooks-research-gate.test.js tests/flow-hooks-loop-check.test.js tests/flow-hooks-manager-boundary-gate.test.js tests/flow-hooks-phase-gate.test.js tests/flow-hooks-pre-tool-orchestrator.test.js tests/flow-hooks-observation-capture.test.js tests/flow-hooks-task-gate.test.js tests/flow-durable-session-suspension.test.js tests/flow-health-mcp-scopes.test.js tests/flow-lean-config.test.js tests/flow-workspace-autopickup.test.js tests/flow-worker-boundary-gate.test.js tests/flow-worker-question-classifier.test.js tests/flow-completion-truth-gate-contradictions.test.js tests/flow-structure-sensor.test.js tests/flow-workspace-dispatch-tracking.test.js tests/workspace-ipc-sqlite.test.js tests/workspace-ipc-multi-worker.test.js tests/flow-story-gates.test.js tests/flow-workspace-restart-handoff.test.js tests/flow-wogi-claude-wrapper.test.js tests/flow-wave1-integrations.test.js tests/flow-wave2-integrations.test.js tests/flow-wave3-integrations.test.js tests/flow-commit-claims-gate.test.js tests/auto-review.test.js tests/gate-telemetry-surface.test.js tests/agents-md-alias.test.js tests/flow-skill-manage.test.js tests/fuzzy-patch.test.js tests/mode-schema.test.js tests/flow-feature-dossier.test.js tests/flow-autonomous-mode.test.js tests/flow-epic-cascade.test.js tests/flow-workspace-summary.test.js tests/flow-hooks-research-evidence-gate.test.js tests/flow-worker-mcp-strip.test.js tests/flow-orchestrate-corrections.test.js tests/flow-source-fidelity.test.js tests/flow-hooks-long-input-enforcement.test.js tests/workspace-channel-tracking.test.js tests/flow-hooks-deletion-log.test.js tests/flow-task-boundary-reset.test.js tests/flow-deferral-gate.test.js tests/flow-research-required-gate.test.js tests/flow-standards-forbidden-patterns.test.js tests/flow-hooks-architect-required-gate.test.js tests/flow-architect-runs.test.js tests/flow-installer-forbidden-patterns.test.js tests/flow-deferral-classifier-ai.test.js tests/flow-no-defer-policy.test.js tests/flow-self-adversary-loop.test.js tests/flow-impl-question-classifier.test.js tests/flow-hooks-self-adversary-gate.test.js && NODE_ENV=test node tests/run-quality-gates.test.js",
     "test:syntax": "find scripts/ lib/ -name '*.js' -not -path '*/node_modules/*' -exec node --check {} +",
     "lint": "eslint scripts/ lib/ tests/",
     "lint:ci": "eslint scripts/ lib/ tests/ --max-warnings 0",

package/scripts/flow-defer-auth.js

@@ -32,17 +32,48 @@ function parseArgs(argv) {
 }
 
 function cmdGrant(args) {
-  // wf-b8839d99: Refuse to grant when invoked from a non-TTY context (i.e.,
-  // from Claude Code's Bash tool or any subprocess pipeline). The AI cannot
-  // self-issue deferral authorization — the gate exists precisely to prevent
-  // that. A human running this CLI from a terminal has stdin.isTTY === true;
-  // an AI subprocess does not.
+  // wf-b8839d99: Refuse to grant when invoked from a non-TTY context.
+  // wf-6e31850e (S-5): Defense-in-depth — also check parent process name.
+  // PTY allocation can fake TTY; checking parent process binds the gate to
+  // an actual shell. Falls back gracefully if /proc isn't queryable (macOS,
+  // restricted environments) — keeps the TTY check as primary signal.
   //
-  // Override: --i-am-human bypasses the TTY check. Provided so out-of-band
-  // automation (CI scripts, etc.) can still grant deliberately; the flag
-  // signals intent. Caveat: if the AI passes this flag, that's an explicit
-  // policy violation that shows up in shell history / commit logs.
-  const isHuman = Boolean(process.stdin.isTTY) || args['i-am-human'] === true;
+  // Override: --i-am-human bypasses both checks. Logged to shell history;
+  // CI pipelines that need to grant must explicitly opt in.
+  function detectParentShell() {
+    try {
+      const ppid = process.ppid;
+      if (!ppid) return null;
+      // Linux: /proc/<ppid>/comm contains the parent process name
+      const fs = require('node:fs');
+      try {
+        const comm = fs.readFileSync(`/proc/${ppid}/comm`, 'utf-8').trim();
+        if (/^(bash|zsh|fish|sh|ksh|dash|tcsh)$/.test(comm)) return comm;
+        return `not-a-shell:${comm}`;
+      } catch (_err) {
+        // macOS / Windows / restricted: fall back to ps
+        const { execSync } = require('node:child_process');
+        try {
+          const out = execSync(`ps -p ${ppid} -o comm=`, { encoding: 'utf-8', timeout: 1000 }).trim();
+          const base = require('node:path').basename(out);
+          if (/^(-?bash|-?zsh|-?fish|-?sh|-?ksh|-?dash|-?tcsh)$/.test(base)) return base;
+          return `not-a-shell:${base}`;
+        } catch (_err2) {
+          return null; // ps unavailable — fall back to TTY check only
+        }
+      }
+    } catch (_err) {
+      return null;
+    }
+  }
+
+  const ttySignal = Boolean(process.stdin.isTTY);
+  const parentShell = detectParentShell();
+  const parentIsShell = parentShell && !parentShell.startsWith('not-a-shell:');
+  const parentSignal = parentShell === null ? null : parentIsShell; // null = couldn't detect
+  // Human if: explicit --i-am-human OR (TTY AND (parent is shell OR parent undetectable))
+  const isHuman = args['i-am-human'] === true ||
+                  (ttySignal && parentSignal !== false);
   if (!isHuman) {
     console.error('grant: refused — non-TTY invocation detected.');
     console.error('');

package/scripts/flow-deferral-classifier-ai.js

@@ -169,7 +169,9 @@ async function classifyUserDeferralIntent(userPrompt, options = {}) {
     });
   } catch (err) {
     if (process.env.DEBUG) {
-      console.error(`[deferral-classifier-ai] model call failed: ${err.message}`);
+      // wf-6e31850e (S-2): sanitize potential API-key leakage in error messages.
+      const safe = String(err.message || '').replace(/sk-[A-Za-z0-9_-]{10,}/g, 'sk-***');
+      console.error(`[deferral-classifier-ai] model call failed: ${safe}`);
     }
     return { classified: false, reason: 'model-error' };
   }

package/scripts/flow-impl-question-classifier.js

@@ -0,0 +1,178 @@
+'use strict';
+
+/**
+ * Wogi Flow — Implementation-Question Classifier (wf-e399bd8d)
+ *
+ * Classifies an "AI is about to ask the user" question to decide whether
+ * the self-adversary loop should run first or the question should reach
+ * the user directly.
+ *
+ * Four categories:
+ *   implementation — code structure, library/algorithm choice, naming,
+ *                    refactor mechanics, testing approach. The AI should
+ *                    self-adversary (likely high enough confidence).
+ *   product        — domain semantics, user-facing behavior, what to
+ *                    SHOW the user, what counts as "done" for the
+ *                    business. The AI cannot self-adversary; ask user.
+ *   architecture   — system-design tradeoffs (DB choice, deployment
+ *                    topology, public API shape). Tier-3: existing
+ *                    researchReasoningGate handles this with adversary;
+ *                    the new loop can also handle it but caller decides.
+ *   sensitive      — destructive operations (delete, force-push, drop),
+ *                    cross-boundary commitments (notify users, send
+ *                    emails). Always ask.
+ *
+ * The classifier is a small Haiku call. Fail-open: any error → ask
+ * (treat as if classification said "product"), preserving prior
+ * behavior. This avoids the failure shape from wf-b8839d99 (regex
+ * silently misclassifying).
+ *
+ * Note: this is interpretation of an AI-AUTHORED question (the question
+ * the AI is about to ask the user). It is NOT user-input parsing — so
+ * the "no regex on user answers" rule from wf-b8839d99 doesn't constrain
+ * us. We still use AI here because hedging vocabulary for implementation
+ * vs product is unbounded.
+ */
+
+const DEFAULT_MIN_CONFIDENCE = 75;
+const DEFAULT_MODEL = 'anthropic:claude-3-5-haiku-latest';
+const MAX_QUESTION_CHARS = 3000;
+const MAX_TOKENS = 300;
+const TEMPERATURE = 0.0;
+
+const { DANGEROUS_KEYS } = require('./flow-io');
+
+function hasDangerousKeys(value) {
+  if (!value || typeof value !== 'object') return false;
+  if (Array.isArray(value)) return value.some(hasDangerousKeys);
+  for (const key of Object.keys(value)) {
+    if (DANGEROUS_KEYS.has(key)) return true;
+    if (hasDangerousKeys(value[key])) return true;
+  }
+  return false;
+}
+
+function buildClassifierPrompt(questionText) {
+  return `You classify the type of question an AI development assistant is about to ask the user. The user has instructed the AI to STOP asking implementation-class questions — instead, the AI should iterate generator↔adversary on a different model until ≥95% confidence. Product, architecture, or sensitive questions still reach the user normally.
+
+[QUESTION_START]
+${String(questionText || '').slice(0, MAX_QUESTION_CHARS)}
+[QUESTION_END]
+
+Four categories:
+
+  IMPLEMENTATION — code structure, library or algorithm choice, naming,
+    refactor mechanics, test framework picks, error-handling shape, code
+    organization, idiom selection. The AI can reason this out with research.
+
+  PRODUCT — domain semantics, user-facing behavior decisions, feature
+    scope, what counts as "done" for the business, copy/tone, UX flow
+    decisions. The AI cannot reason its way to these without the owner.
+
+  ARCHITECTURE — system-design tradeoffs (database choice, deployment
+    topology, public API shape, multi-tenant boundaries). High-stakes;
+    self-adversary alone may not be enough but more iteration helps.
+
+  SENSITIVE — destructive operations (delete data, force-push, drop
+    table), cross-boundary commitments (notify users, send emails),
+    legal/compliance gates. Always ask the user.
+
+CRITICAL RULES:
+  1. When ambiguous, return PRODUCT — the cost of mis-asking is low, the
+     cost of mis-acting is high.
+  2. Even if the question phrasing is technical, ask whether the ANSWER
+     depends on user-only knowledge. "Which date format do users
+     prefer?" — phrasing is technical, answer is product.
+  3. Confidence: only ≥80 if the category is unambiguous.
+
+Return JSON only, no prose, no markdown fences:
+{
+  "category": "implementation" | "product" | "architecture" | "sensitive",
+  "confidence": 0-100,
+  "reason": "one short sentence"
+}
+
+Examples:
+- "Should this be a map() or for-loop?" → {"category":"implementation","confidence":95,"reason":"pure code-style choice"}
+- "Which date format do users prefer?" → {"category":"product","confidence":90,"reason":"answer depends on user preference"}
+- "Should we use Postgres or MongoDB?" → {"category":"architecture","confidence":85,"reason":"system-design tradeoff"}
+- "OK to delete the migration table?" → {"category":"sensitive","confidence":95,"reason":"destructive operation"}
+- "Should I add error handling here?" → {"category":"implementation","confidence":85,"reason":"code-quality choice the AI can research"}`;
+}
+
+async function classifyImplementationQuestion(questionText, options = {}) {
+  const minConfidence = Number.isFinite(options.minConfidence) ? options.minConfidence : DEFAULT_MIN_CONFIDENCE;
+  const model = options.model || DEFAULT_MODEL;
+
+  if (typeof questionText !== 'string' || questionText.trim().length === 0) {
+    return { classified: false, reason: 'empty-question' };
+  }
+  if (!process.env.ANTHROPIC_API_KEY) {
+    return { classified: false, reason: 'no-credentials' };
+  }
+
+  let callModel;
+  try {
+    ({ callModel } = require('./flow-model-caller'));
+  } catch (_err) {
+    return { classified: false, reason: 'no-model-caller' };
+  }
+
+  let result;
+  try {
+    result = await callModel(model, buildClassifierPrompt(questionText), {
+      temperature: TEMPERATURE,
+      maxTokens: MAX_TOKENS
+    });
+  } catch (err) {
+    if (process.env.DEBUG) {
+      // wf-6e31850e (S-2): sanitize potential API-key leakage in error messages.
+      const safe = String(err.message || '').replace(/sk-[A-Za-z0-9_-]{10,}/g, 'sk-***');
+      console.error(`[impl-question-classifier] model call failed: ${safe}`);
+    }
+    return { classified: false, reason: 'model-error' };
+  }
+
+  const raw = String(result?.response ?? result?.content ?? '').trim();
+  if (!raw) return { classified: false, reason: 'empty-response' };
+
+  const jsonMatch = raw.match(/\{[\s\S]*\}/);
+  if (!jsonMatch) return { classified: false, reason: 'non-json-response' };
+
+  let parsed;
+  try {
+    parsed = JSON.parse(jsonMatch[0]);
+  } catch (_err) {
+    return { classified: false, reason: 'json-parse-error' };
+  }
+  if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) {
+    return { classified: false, reason: 'bad-shape' };
+  }
+  if (hasDangerousKeys(parsed)) {
+    return { classified: false, reason: 'dangerous-keys' };
+  }
+
+  const categoryRaw = String(parsed.category || '').toLowerCase();
+  const category = ['implementation', 'product', 'architecture', 'sensitive'].includes(categoryRaw)
+    ? categoryRaw
+    : 'product'; // fail-safe default
+  const confidence = Number.isFinite(parsed.confidence) ? Math.round(parsed.confidence) : 0;
+  const reason = typeof parsed.reason === 'string' ? parsed.reason.slice(0, 240) : '';
+
+  return {
+    classified: true,
+    category,
+    confidence,
+    reason,
+    shouldRunLoop: category === 'implementation' && confidence >= minConfidence,
+    minConfidence
+  };
+}
+
+module.exports = {
+  classifyImplementationQuestion,
+  buildClassifierPrompt,
+  hasDangerousKeys,
+  DEFAULT_MIN_CONFIDENCE,
+  DEFAULT_MODEL
+};