wogiflow 2.33.0 → 2.34.2

package/scripts/flow-scheduled-runner.js

@@ -58,6 +58,36 @@ const {
 
 const { runInWorktree } = require('./flow-worktree');
 
+// F16 (R-379): named constant for stderr-truncation cap so the meaning is
+// inspectable and tunable in one place (decisions.md Code Quality §1).
+const MAX_STDERR_BYTES = 4096;
+
+// F10 (R-379): redact secret-shaped strings from stderr BEFORE we post it
+// to a public GH Issue. Conservative — only strips the well-known token
+// shapes (Anthropic API keys, GitHub PATs/fine-grained). Real users may
+// have other tokens in their environment; this is best-effort, not a
+// guarantee. The right defense remains "don't echo secrets in error
+// messages in the first place"; this is the defense-in-depth pass.
+const SECRET_REDACTION_PATTERNS = [
+  // Anthropic API keys — sk-ant-…
+  { re: /sk-ant-[a-zA-Z0-9_\-]{20,}/g, replacement: '[REDACTED:anthropic-key]' },
+  // GitHub PATs — ghp_…  (classic), github_pat_… (fine-grained)
+  { re: /ghp_[a-zA-Z0-9]{36}/g, replacement: '[REDACTED:github-pat-classic]' },
+  { re: /github_pat_[a-zA-Z0-9_]{22,}/g, replacement: '[REDACTED:github-pat-fg]' },
+  // OAuth-shaped bearer tokens — only when they appear next to the literal
+  // "Authorization: Bearer" header (avoid stripping every JWT in stderr).
+  { re: /(Authorization:\s*Bearer\s+)[A-Za-z0-9_\-.]{20,}/gi, replacement: '$1[REDACTED:bearer]' },
+];
+
+function redactSecrets(text) {
+  if (typeof text !== 'string') return '';
+  let out = text;
+  for (const { re, replacement } of SECRET_REDACTION_PATTERNS) {
+    out = out.replace(re, replacement);
+  }
+  return out;
+}
+
 const { PATHS, getConfig, safeJsonParse } = require('./flow-utils');
 
 // ============================================================
@@ -148,7 +178,7 @@ function recordUsage(jobName, tokens, now = Date.now()) {
   const key = new Date(now).toISOString().slice(0, 10);
   const log = readUsageLog();
   if (!log[key]) log[key] = {};
-  log[key][jobName] = (log[key][jobName] || 0) + tokens;
+  log[key][jobName] = (log[key][jobName] ?? 0) + tokens;
   writeUsageLog(log);
   return log;
 }
@@ -180,7 +210,10 @@ function listDedupIssues(jobName, repo) {
   const r = execSafe('gh', args);
   if (!r.ok) return [];
   try {
-    const parsed = JSON.parse(r.stdout || '[]');
+    // F19 (R-379): use safeJsonParse for prototype-pollution guard, even
+    // though gh's output is trusted today — consistent with the project
+    // convention (security-patterns.md §2).
+    const parsed = safeJsonParse(r.stdout || '[]', []);
     if (!Array.isArray(parsed)) return [];
     return parsed.map((x) => x && x.number).filter((n) => Number.isFinite(n));
   } catch (_err) {
@@ -206,9 +239,9 @@ function openFailureIssue(jobName, summary, stderr, repo) {
     `### Summary`,
     summary,
     ``,
-    `### stderr (last 4 KB)`,
+    `### stderr (last ${MAX_STDERR_BYTES} bytes, secrets redacted)`,
     '```',
-    (stderr || '').slice(-4096),
+    redactSecrets((stderr || '').slice(-MAX_STDERR_BYTES)),
     '```',
   ].join('\n');
   const argv = ['issue', 'create', '--title', title, '--body', body, '--label', FAILURE_LABEL];
@@ -409,19 +442,31 @@ async function runOnce(jobName, ctx) {
   }
   return withTimeout(
     ({ signal }) => handler({ ...ctx, signal }),
-    ctx.timeoutMs || DEFAULT_JOB_TIMEOUT_MS,
+    ctx.timeoutMs ?? DEFAULT_JOB_TIMEOUT_MS,
   );
 }
 
 async function runJobWithRetry(jobName, ctx) {
   const first = await runOnce(jobName, ctx);
-  if (first.ok) return first;
 
-  // Retry once on transient failures only.
-  if (first.error && isTransientError(first.error)) {
+  // F5 (R-379): handlers catch internally (via execSafe / try-catch) and
+  // return `{passed:false, ...}` rather than throwing, so `withTimeout`
+  // wraps them as `{ok:true, result:{...}}`. Without this branch, the
+  // transient-retry path is unreachable because `first.ok` is almost
+  // always true. Look at the INNER result for transient signals too.
+  const transientInOuter = !first.ok && first.error && isTransientError(first.error);
+  const transientInInner =
+    first.ok &&
+    first.result &&
+    first.result.passed === false &&
+    typeof first.result.message === 'string' &&
+    isTransientError({ message: first.result.message });
+
+  if (transientInOuter || transientInInner) {
     await new Promise((r) => setTimeout(r, TRANSIENT_RETRY_DELAY_MS));
     return runOnce(jobName, ctx);
   }
+
   return first;
 }
 

package/scripts/flow-standards-checker.js

@@ -451,6 +451,43 @@ function checkSecurityPatterns(file, _securityRules) {
 
   // Hard-coded security checks from security-patterns.md
 
+  // 0. execSync / execAsync with template-string commands containing
+  //    interpolated values (R-379 standards-gate hardening).
+  //    security-patterns.md §8 mandates execFile* with array args for any
+  //    subprocess that includes dynamic data. Three independent review rounds
+  //    have caught this pattern in scripts/hooks/core/git-safety-gate.js;
+  //    making the check mechanical so it can't slip past again.
+  //
+  //    Scoped to scripts/hooks/ and lib/ — these are the places the rule binds.
+  //    Test files and CLI tools that build complex pipelines often legitimately
+  //    use template-string shells (e.g. for documented one-off scripts).
+  //
+  //    Match shape: execSync(`...${...}...`) — any backtick literal containing
+  //    a ${...} expression passed to execSync (or its aliases).
+  const inScopeForExecSyncCheck =
+    /(?:^|\/)scripts\/hooks\//.test(file.path) ||
+    /(?:^|\/)lib\//.test(file.path);
+  if (inScopeForExecSyncCheck) {
+    const execSyncTemplateRe =
+      /\b(?:execSync|execAsync)\s*\(\s*`[^`]*\$\{[^`]*`/g;
+    let m;
+    while ((m = execSyncTemplateRe.exec(content)) !== null) {
+      const beforeMatch = content.substring(0, m.index);
+      const lineNumber = (beforeMatch.match(/\n/g) || []).length + 1;
+      violations.push({
+        type: 'security',
+        severity: 'must-fix',
+        file: file.path,
+        line: lineNumber,
+        message:
+          'execSync with template-string command (contains ${...} interpolation) — ' +
+          'use execFileSync("bin", ["arg1", interpolatedVar]) instead (no shell layer). ' +
+          'Three review rounds have caught this exact pattern; mechanical now.',
+        rule: 'security-patterns.md §8 (R-379 standards-gate hardening)',
+      });
+    }
+  }
+
   // 1. Raw JSON.parse — strengthened by Track B (2026-04-13).
   // Original heuristic only flagged JSON.parse OUTSIDE try blocks. This missed
   // SEC-001 (raw JSON.parse on user-config inside a try block — which loses the

package/scripts/flow-utils.js

@@ -781,6 +781,8 @@ const {
 module.exports = {
   // Explicit re-exports from flow-paths.js
   getProjectRoot: flowPaths.getProjectRoot,
+  getCanonicalStateDir: flowPaths.getCanonicalStateDir,
+  isLinkedWorktree: flowPaths.isLinkedWorktree,
   PROJECT_ROOT: flowPaths.PROJECT_ROOT,
   PACKAGE_ROOT: flowPaths.PACKAGE_ROOT,
   PACKAGE_PATHS: flowPaths.PACKAGE_PATHS,

package/scripts/hooks/adapters/claude-code.js

@@ -191,7 +191,11 @@ class ClaudeCodeAdapter extends BaseAdapter {
       case 'PostToolUse':
         return this.transformPostToolUse(coreResult);
       case 'Stop':
-      case 'SubagentStop':
+        // SubagentStop intentionally omitted: not in CLAUDE_CODE_EVENTS
+        // (commented out at line 70), so generateConfig() never emits a
+        // hook entry for it. The fall-through case is unreachable by
+        // construction (F12 / R-379). If SubagentStop support is wanted,
+        // re-add to CLAUDE_CODE_EVENTS + HOOK_TIMEOUTS + this switch.
         return this.transformStop(coreResult);
       case 'SessionEnd':
         return this.transformSessionEnd(coreResult);
@@ -537,7 +541,7 @@ Run: /wogi-start ${coreResult.nextTaskId}`;
       ...(coreResult.message && { systemMessage: coreResult.message }),
       hookSpecificOutput: {
         hookEventName: 'TaskCreated',
-        linked: coreResult.linked || false,
+        linked: coreResult.linked ?? false,
         wogiTaskId: coreResult.wogiTaskId || null
       }
     };

package/scripts/hooks/core/git-safety-gate.js

@@ -108,14 +108,19 @@ function getAffectedFileCount(targetRef) {
 
 /**
  * Create a backup branch at current HEAD.
+ *
+ * Uses `execFileSync` (no shell) per `security-patterns.md §8` — the branch
+ * name is timestamp-derived and currently safe, but going through the shell
+ * with template-string interpolation is the wrong-by-default pattern.
+ *
  * @returns {string|null} Branch name or null on failure.
  */
 function createBackupBranch() {
-  const { execSync } = require('node:child_process');
+  const { execFileSync } = require('node:child_process');
   const timestamp = new Date().toISOString().replace(/[:.]/g, '-').slice(0, 19);
   const branchName = `backup/pre-reset-${timestamp}`;
   try {
-    execSync(`git branch "${branchName}"`, {
+    execFileSync('git', ['branch', branchName], {
       encoding: 'utf-8', cwd: PATHS.root, stdio: ['pipe', 'pipe', 'pipe']
     });
     return branchName;
@@ -126,20 +131,27 @@ function createBackupBranch() {
 
 /**
  * Clean up old backup branches, keeping only the most recent N.
+ *
+ * Uses `execFileSync` (no shell) per `security-patterns.md §8`. Branch names
+ * pulled from `git branch --list` output and passed back to `git branch -D`
+ * never touch a shell.
+ *
  * @param {number} keep
  */
 function rotateBackupBranches(keep) {
-  const { execSync } = require('node:child_process');
+  const { execFileSync } = require('node:child_process');
   try {
-    const branches = execSync('git branch --list "backup/pre-reset-*" --sort=-creatordate', {
-      encoding: 'utf-8', cwd: PATHS.root, stdio: ['pipe', 'pipe', 'pipe']
-    }).trim().split('\n').map(b => b.trim()).filter(Boolean);
+    const branches = execFileSync(
+      'git',
+      ['branch', '--list', 'backup/pre-reset-*', '--sort=-creatordate'],
+      { encoding: 'utf-8', cwd: PATHS.root, stdio: ['pipe', 'pipe', 'pipe'] }
+    ).trim().split('\n').map(b => b.trim()).filter(Boolean);
 
     if (branches.length > keep) {
       const toDelete = branches.slice(keep);
       for (const branch of toDelete) {
         try {
-          execSync(`git branch -D "${branch}"`, {
+          execFileSync('git', ['branch', '-D', branch], {
             cwd: PATHS.root, stdio: ['pipe', 'pipe', 'pipe']
           });
         } catch (_err) {
@@ -170,27 +182,34 @@ function rotateBackupBranches(keep) {
  * `git checkout .` / `git restore .` through either way. This was BUG-1.
  *
  * @param {Object} [opts]
- * @param {Function} [opts.exec] - execSync replacement for testing (string cmd → string stdout, throws on error).
+ * @param {Function} [opts.exec] - execFileSync-shaped replacement for testing.
+ *   Signature: `(file, args, opts) → stdout`. Throws on non-zero exit. Default
+ *   uses `child_process.execFileSync` so no shell layer is involved — closes
+ *   the security-patterns.md §8 violation that earlier versions had.
  * @returns {{ status: 'no-changes' | 'stashed' | 'failed', error?: string, stashRef?: string }}
  */
 function autoStash(opts = {}) {
-  const exec = opts.exec || require('node:child_process').execSync;
+  const exec = opts.exec || require('node:child_process').execFileSync;
   const runOpts = { encoding: 'utf-8', cwd: PATHS.root, stdio: ['pipe', 'pipe', 'pipe'] };
 
   // 1. Anything to stash?
   let status;
   try {
-    status = exec('git status --porcelain', runOpts).trim();
+    status = exec('git', ['status', '--porcelain'], runOpts).trim();
   } catch (err) {
     return { status: 'failed', error: `git status failed: ${err.message || err}` };
   }
   if (!status) return { status: 'no-changes' };
 
-  // 2. Attempt the stash.
+  // 2. Attempt the stash. TOCTOU-resistant message (F18): include a random
+  //    UUID-style suffix so two parallel runs can't collide on the stash@{0}
+  //    verification step and so substring matches can't be forged by an
+  //    attacker-controlled stash with the same timestamp prefix.
   const timestamp = new Date().toISOString().slice(0, 19);
-  const stashMessage = `auto-backup-${timestamp}`;
+  const nonce = require('node:crypto').randomBytes(6).toString('hex');
+  const stashMessage = `auto-backup-${timestamp}-${nonce}`;
   try {
-    exec(`git stash push -m "${stashMessage}"`, runOpts);
+    exec('git', ['stash', 'push', '-m', stashMessage], runOpts);
   } catch (err) {
     return { status: 'failed', error: `git stash push failed: ${err.message || err}` };
   }
@@ -198,11 +217,11 @@ function autoStash(opts = {}) {
   // 3. VERIFY the stash actually saved (BUG-1 / wf-2d3d09b8). A zero exit code
   //    from `git stash push` is NOT proof: lock contention, broken hooks, or
   //    edge cases can leave the working tree unchanged with status 0. Confirm
-  //    by reading `git stash list` and matching our timestamped message at
+  //    by reading `git stash list` and matching our nonce-suffixed message at
   //    stash@{0}.
   let stashList;
   try {
-    stashList = exec('git stash list', runOpts);
+    stashList = exec('git', ['stash', 'list'], runOpts);
   } catch (err) {
     return { status: 'failed', error: `stash verification (git stash list) failed: ${err.message || err}` };
   }

package/scripts/hooks/core/long-input-enforcement.js

@@ -252,18 +252,28 @@ function hasTaskSignals(text) {
 }
 
 /**
- * Detect whether the current prompt is a channel-dispatched message in
- * worker mode. UserPromptSubmit gets `parsedInput.source` from Claude
- * Code's hook payload — channel-dispatched prompts arrive with a
- * channel-specific source identifier. We also check env vars to confirm
- * worker context. Defensive: returns false in any edge case.
+ * Detect ANY channel-source message — manager↔worker dispatches and worker→
+ * manager `## Results` status replies, in either direction (wf-e5e57361 / RC3).
+ * Channel traffic is inter-agent transport, NOT user input. Dual detection:
+ *   1. `source` carries the channel/notification marker (channel server delivers
+ *      via `notifications/claude/channel`), OR
+ *   2. the content arrives wrapped in a leading `<channel ...>` tag
+ *      (workspace-channel-server buildInstructions).
+ * Independent of worker/manager mode — a status reply trips the gate on the
+ * MANAGER too, which is the deadlock this skip removes.
  */
-function isChannelDispatchInWorker(source, env = process.env) {
-  if (!env.WOGI_WORKSPACE_ROOT) return false;
-  if (!env.WOGI_REPO_NAME || env.WOGI_REPO_NAME === 'manager') return false;
-  // Channel-dispatched prompts have specific source markers.
-  if (typeof source !== 'string') return false;
-  return /channel|notifications/i.test(source);
+function isChannelSourceMessage(text, source, env = process.env) {
+  // Source field is set by the channel notification path — unconditional signal.
+  if (typeof source === 'string' && /channel|notifications/i.test(source)) return true;
+  // Leading <channel> tag: trust it ONLY in workspace mode (F4, wf-0381b27b).
+  // Otherwise a solo user whose prose literally starts with "<channel" (e.g.
+  // asking about the channel tag) would be mis-skipped. Channel-wrapped
+  // messages only ever arrive when WOGI_WORKSPACE_ROOT is set.
+  if (env && env.WOGI_WORKSPACE_ROOT && typeof text === 'string') {
+    const lead = text.trimStart().slice(0, 16).toLowerCase();
+    if (lead.startsWith('<channel')) return true;
+  }
+  return false;
 }
 
 /**
@@ -289,6 +299,17 @@ function shouldForceExtractReview({ text, source, env = process.env } = {}) {
   if (isSkillBodyEcho(text)) {
     return { forced: false, level: 'pass', reason: 'skill-body-echo' };
   }
+  // wf-e5e57361 (RC3): channel-source messages are INTER-AGENT transport
+  // (manager↔worker dispatches and `## Results` replies), not user prompts.
+  // Firing the gate on them wrote a long-input-pending marker that deadlocked
+  // against the routing gate (worker/manager could reach neither /wogi-start nor
+  // the dismiss path). Source fidelity for dispatched specs is enforced at the
+  // manager AUTHORING layer (Logic Constitution 11.6 + flow-source-fidelity.js),
+  // where the USER's verbatim prompt still trips this gate normally — not here on
+  // the transport layer. Skip channel traffic entirely.
+  if (isChannelSourceMessage(text, source, env)) {
+    return { forced: false, level: 'pass', reason: 'channel-source' };
+  }
   if (!detectLongFormPrompt(text)) {
     return { forced: false, level: 'pass', reason: 'below-long-input-threshold' };
   }
@@ -302,38 +323,27 @@ function shouldForceExtractReview({ text, source, env = process.env } = {}) {
   if (!hasTaskSignals(text)) {
     return { forced: false, level: 'suggest', reason: 'long-but-no-task-signals' };
   }
-  // Worker receiving channel-dispatched long-form without source-link:
-  // STRICT — this is the wogi-hub 2026-04-27 failure mode.
-  if (isChannelDispatchInWorker(source, env)) {
-    return { forced: true, level: 'strict', reason: 'channel-dispatch-without-source-link' };
-  }
-  // Any other session: long-form + task-like + no source-link → force.
+  // (RC3) The former STRICT branch for channel-dispatch-in-worker is superseded
+  // by the channel-source skip above: channel traffic never reaches here. The
+  // wogi-hub 2026-04-27 manager-compression failure is now prevented at the
+  // manager AUTHORING layer, not by force-blocking the worker on receipt.
+  // Any non-channel session: long-form + task-like + no source-link → force.
   return { forced: true, level: 'force', reason: 'long-form-task-without-source-link' };
 }
 
-function buildEnforcementMessage(reason, level) {
-  const header = level === 'strict'
-    ? '🚨 STRICT P11.5 ENFORCEMENT — manager compression detected'
-    : '🚨 P11.5 ENFORCEMENT — long-form prompt without source-link';
+function buildEnforcementMessage(reason, _level) {
+  // Only the 'force' level reaches here now — channel-source (the former
+  // 'strict' path) is skipped upstream in shouldForceExtractReview (RC3,
+  // wf-e5e57361). `_level` is retained for signature/back-compat.
   const body = [];
-  body.push(header);
+  body.push('🚨 P11.5 ENFORCEMENT — long-form prompt without source-link');
   body.push('');
-  if (level === 'strict') {
-    body.push('This prompt arrived via channel-dispatch in worker mode and qualifies as');
-    body.push('long-form (>40 lines OR ≥5 discrete items) without a source-link. The');
-    body.push('manager that dispatched this message SHOULD have included a path to a spec');
-    body.push('with `## Original Request (verbatim)`. It did not. This is the exact failure');
-    body.push('shape that caused the wogi-hub 2026-04-27 Customers > Services regression.');
-    body.push('');
-    body.push('You MUST reverse the compression at this layer:');
-  } else {
-    body.push('This prompt qualifies as long-form (>40 lines OR ≥5 discrete items) AND');
-    body.push('contains task-creating signals (imperatives + structured items). Per P11.5,');
-    body.push('long-form work-creating prompts MUST go through /wogi-extract-review so');
-    body.push('every item is captured and reconciled.');
-    body.push('');
-    body.push('You MUST:');
-  }
+  body.push('This prompt qualifies as long-form (>40 lines OR ≥5 discrete items) AND');
+  body.push('contains task-creating signals (imperatives + structured items). Per P11.5,');
+  body.push('long-form work-creating prompts MUST go through /wogi-extract-review so');
+  body.push('every item is captured and reconciled.');
+  body.push('');
+  body.push('You MUST:');
   body.push('  1. Invoke `Skill(skill="wogi-extract-review")` BEFORE any other work.');
   body.push('  2. Let extract-review run its 6-phase pipeline (extract → review → topics →');
   body.push('     map → clarify → stories) on this prompt.');
@@ -483,7 +493,7 @@ module.exports = {
   hasTaskSignals,
   isSystemOriginatedContent,
   isSkillBodyEcho,
-  isChannelDispatchInWorker,
+  isChannelSourceMessage,
   shouldForceExtractReview,
   buildEnforcementMessage,
   markLongInputPending,

package/scripts/hooks/core/overdue-dispatches.js

@@ -53,7 +53,7 @@ function formatLine(record, now) {
  */
 function sweepAndReconcile(workspaceRoot) {
   let reconciled = 0;
-  let readMessages, reconcileDispatch, readDispatches;
+  let readMessages, reconcileDispatch, readDispatches, refreshDispatchDeadline;
   try {
     const libMessages = path.resolve(__dirname, '..', '..', '..', 'lib', 'workspace-messages.js');
     const libTracking = path.resolve(__dirname, '..', '..', '..', 'lib', 'workspace-dispatch-tracking.js');
@@ -61,6 +61,7 @@ function sweepAndReconcile(workspaceRoot) {
     const tracking = require(libTracking);
     reconcileDispatch = tracking.reconcileDispatch;
     readDispatches = tracking.readDispatches;
+    refreshDispatchDeadline = tracking.refreshDispatchDeadline;
   } catch (_err) {
     return 0; // Fail-open
   }
@@ -78,13 +79,32 @@ function sweepAndReconcile(workspaceRoot) {
     if (r.taskId && !byTaskId.has(r.taskId)) byTaskId.set(r.taskId, r);
   }
 
-  // Pull both message types. readMessages throws on missing dir internally
-  // but guards with existsSync, so it's safe.
+  // S3 (wf-d3ae1717): heartbeats refresh the deadline (work ongoing, NOT a
+  // silent halt); terminal types resolve the dispatch. worker-progress is
+  // applied FIRST so a heartbeat that arrived before a terminal doesn't keep a
+  // since-resolved dispatch alive.
+  try {
+    const heartbeats = readMessages(workspaceRoot, { type: 'worker-progress' });
+    if (refreshDispatchDeadline) {
+      for (const hb of heartbeats) {
+        const taskId = hb.taskId;
+        if (!taskId || !byTaskId.has(taskId)) continue;
+        try { refreshDispatchDeadline(workspaceRoot, taskId); } catch (_err) { /* per-record */ }
+      }
+    }
+  } catch (_err) { /* heartbeats are best-effort */ }
+
+  // Pull terminal message types. readMessages throws on missing dir internally
+  // but guards with existsSync, so it's safe. worker-blocked / worker-idle /
+  // worker-awaiting-approval are terminal stops alongside the legacy pair.
   let messages = [];
   try {
     const completes = readMessages(workspaceRoot, { type: 'task-complete' });
     const stops = readMessages(workspaceRoot, { type: 'worker-stopped' });
-    messages = completes.concat(stops);
+    const blocked = readMessages(workspaceRoot, { type: 'worker-blocked' });
+    const idle = readMessages(workspaceRoot, { type: 'worker-idle' });
+    const awaiting = readMessages(workspaceRoot, { type: 'worker-awaiting-approval' });
+    messages = completes.concat(stops, blocked, idle, awaiting);
   } catch (_err) {
     return 0;
   }
@@ -93,8 +113,10 @@ function sweepAndReconcile(workspaceRoot) {
     const taskId = msg.taskId || (msg.type === 'task-complete' ? msg.subject : null);
     if (!taskId || !byTaskId.has(taskId)) continue;
     try {
-      const status = msg.type === 'worker-stopped' ? 'graceful-stop' : 'completed';
-      const reason = msg.type === 'worker-stopped' ? (msg.reason || 'graceful') : null;
+      // task-complete → completed; everything else is a non-overdue graceful
+      // stop (the reason field distinguishes blocked / awaiting / idle / graceful).
+      const status = msg.type === 'task-complete' ? 'completed' : 'graceful-stop';
+      const reason = msg.type === 'task-complete' ? null : (msg.reason || msg.type);
       const result = reconcileDispatch(workspaceRoot, taskId, status, reason);
       if (result) {
         reconciled++;

package/scripts/hooks/core/phase-gate.js

@@ -14,9 +14,13 @@
 
 const path = require('node:path');
 const fs = require('node:fs');
-const { getConfig, PATHS, safeJsonParse } = require('../../flow-utils');
+const { getConfig, safeJsonParse, getCanonicalStateDir, isLinkedWorktree } = require('../../flow-utils');
 
-const PHASE_FILE = path.join(PATHS.state, 'workflow-phase.json');
+// RC2 (wf-e5e57361): resolve the phase file from the CANONICAL (main-repo) state
+// dir, worktree-stable, so the gate cannot be evaded by operating from a git
+// worktree where the gitignored phase file is absent. In the main working tree
+// the canonical path equals `PATHS.state/workflow-phase.json`.
+function phaseFilePath() { return path.join(getCanonicalStateDir(), 'workflow-phase.json'); }
 
 // 2 hours in milliseconds
 const STALE_PHASE_TTL_MS = 2 * 60 * 60 * 1000;
@@ -94,7 +98,7 @@ function isPhaseGateEnabled(config) {
 function getCurrentPhase() {
   const defaults = { phase: 'idle', taskId: null, updatedAt: null, previousPhase: null };
   try {
-    const data = safeJsonParse(PHASE_FILE, null);
+    const data = safeJsonParse(phaseFilePath(), null);
     if (!data || !data.phase || !PHASES.includes(data.phase)) {
       return defaults;
     }
@@ -114,11 +118,12 @@ function getCurrentPhase() {
  */
 function writePhaseState(state) {
   try {
-    const dir = path.dirname(PHASE_FILE);
+    const phaseFile = phaseFilePath();
+    const dir = path.dirname(phaseFile);
     if (!fs.existsSync(dir)) {
       fs.mkdirSync(dir, { recursive: true });
     }
-    fs.writeFileSync(PHASE_FILE, JSON.stringify(state, null, 2) + '\n', 'utf-8');
+    fs.writeFileSync(phaseFile, JSON.stringify(state, null, 2) + '\n', 'utf-8');
     // Update aggregated hook status
     try {
       const { setPhase } = require('../../flow-hook-status');
@@ -298,6 +303,30 @@ function checkPhaseGate(toolName, toolInput, config) {
     }
   }
 
+  // RC2 (wf-e5e57361) fail-CLOSED: if the phase resolves to the idle default
+  // (no phase file found) while running inside a linked git worktree AND a task
+  // is in-progress per canonical state, this is the gate-evasion shape. Block
+  // mutation tools rather than letting "idle" wave them through.
+  if (current.phase === 'idle' && !current.taskId &&
+      (toolName === 'Edit' || toolName === 'Write' || toolName === 'Bash')) {
+    try {
+      if (isLinkedWorktree()) {
+        const ready = safeJsonParse(path.join(getCanonicalStateDir(), 'ready.json'), { inProgress: [] });
+        if (Array.isArray(ready.inProgress) && ready.inProgress.length > 0) {
+          return {
+            allowed: false,
+            blocked: true,
+            reason: 'phase_worktree_failclosed',
+            message: 'Phase gate (RC2): operating from a git worktree while a task is ' +
+              'in progress, but no phase state is resolvable. Gates are NOT evadable from a ' +
+              'worktree — return to the main working tree and satisfy the gate legitimately, ' +
+              'or channel-escalate. Do NOT create worktrees or write markers to bypass gating.'
+          };
+        }
+      }
+    } catch (_err) { /* fail-open on detection error */ }
+  }
+
   const bashCommand = toolInput?.command || '';
   const allowed = isToolAllowedInPhase(toolName, current.phase, bashCommand);