wogiflow 2.34.1 → 2.34.2

package/.workflow/templates/partials/methodology-rules.hbs

@@ -48,10 +48,12 @@ All fail-open. Bypass for tests via `--skip-gates`. Config: `storyFlow.*`.
 
 - **Tool-First Turn**: every turn after `UserPromptSubmit` must contain ≥1 tool call. In strict mode (default), the first content block must be `tool_use`. Pure-text responses are invisible to the user.
 - **Three-State End-of-Turn**: exactly one of ACTION (`/wogi-start <nextId>`), ESCALATION (channel-dispatch `## QUESTION:`), or IDLE.
+- **Never idle while in-progress**: IDLE is valid ONLY when nothing is in-progress. If a task is in-progress and you hit an approval / phase-read / architect / research gate, that is NOT a stopping point — PROCEED by satisfying the gate legitimately (read the phase doc, decompose, provide evidence; autonomous = pre-approved), or ESCALATE via channel. The Stop-hook continuation gate drives a proceed-or-escalate continuation and auto-escalates to the manager after repeated no-progress turns.
+- **Gate circumvention is PROHIBITED**: never create a git worktree to reach an "ungated" context, never hand-write gate-satisfying markers, never edit `.workflow/state` files to fake gate satisfaction, never change directory to dodge a gate. Gates resolve phase from the canonical main-repo state, not your cwd — circumvention is both forbidden and ineffective.
 - **Hedging forbidden**: "awaiting your signal", "let me know", "standing by", "should I continue".
 - **No direct user prompts**: `AskUserQuestion` is blocked; questions go through channel dispatch.
 
-Enforced by: `worker-tool-first-gate.js` (G1/G4/Gap B), `worker-boundary-gate.js`, `flow-worker-question-classifier.js`. Config: `workspace.toolFirstTurnGate.{enabled,strict}`, `workspace.blockAskUserQuestionInWorker`, `workspace.aiWorkerQuestionClassifier.*`. Long-form: `.claude/rules/_internal/worker-tool-first-turn.md`.
+Enforced by: `worker-tool-first-gate.js` (G1/G4/Gap B), `worker-continuation-gate.js` (in-progress stall fallback — RC1, wf-e5e57361), `worker-boundary-gate.js`, `flow-worker-question-classifier.js`; phase resolved worktree-stably via `getCanonicalStateDir()` with fail-closed for in-progress tasks (RC2). Config: `workspace.toolFirstTurnGate.{enabled,strict}`, `workspace.continuationGate.*`, `workspace.blockAskUserQuestionInWorker`, `workspace.aiWorkerQuestionClassifier.*`. Long-form: `.claude/rules/_internal/worker-tool-first-turn.md`.
 
 ---
 

package/lib/workspace-channel-server.js

@@ -147,6 +147,16 @@ When you receive a message:
 SUSTAINED EXECUTION — a task dispatch runs to COMPLETION across turns:
 A "/wogi-" dispatch (especially one you decompose into sub-tasks) is NOT a one-turn request. Work through ALL sub-tasks in the same session; the Stop hook's continuation gate will keep you going while the task is in-progress with work remaining. Do NOT stop to "report progress" mid-task — only reply when the task is COMPLETE or you are ESCALATING a blocker.
 
+NEVER IDLE WHILE A TASK IS IN-PROGRESS: If you hit an approval / phase-read / architect / research gate, that is NOT a stopping point. Exactly one of these must happen:
+  • PROCEED by SATISFYING the gate legitimately — read the required phase doc, decompose the task, provide the required evidence. In autonomous mode you are PRE-APPROVED; do not wait for approval that no one is there to give.
+  • ESCALATE to the manager via channel ("## QUESTION: <blocker>") if you genuinely need the manager/user, then end the turn.
+
+GATE CIRCUMVENTION IS PROHIBITED (and pointless — gates resolve phase from the canonical main-repo state, not your working directory):
+  ✗ Do NOT create a git worktree to reach an "ungated" context.
+  ✗ Do NOT hand-write gate-satisfying markers, or edit .workflow/state files, to fake gate satisfaction.
+  ✗ Do NOT change directory to dodge a gate.
+A blocked tool call is an instruction to satisfy the gate, never a puzzle to route around.
+
 CRITICAL — REPLY TO THE MANAGER WHEN THE TASK IS DONE OR BLOCKED:
 When the dispatched task is complete (or you must escalate), you MUST send results back using the workspace_send_message tool with to: "manager". The user only sees the manager terminal — if you don't reply, they never see your results.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wogiflow",
-  "version": "2.34.1",
+  "version": "2.34.2",
   "description": "AI-powered development workflow management system with multi-model support",
   "main": "lib/index.js",
   "bin": {

package/scripts/flow-io.js

@@ -607,6 +607,23 @@ async function acquireLock(filePath, options = {}) {
           await require('node:timers/promises').setTimeout(delay);
           continue;
         }
+      } else if (err.code === 'ENOENT' && attempt < retries) {
+        // Race: a concurrent cleanup (another process's release() or
+        // cleanupStaleLocks) removed the lock dir between our mkdirSync and the
+        // info.json write, so writeFileSync(lockInfoFile) failed ENOENT. This is
+        // transient — retry rather than failing hard. (Pre-existing flaky-lock
+        // root cause surfaced by parallel test runs; wf-0381b27b.)
+        //
+        // Remove only our EMPTY orphan dir if one lingers: rmdirSync succeeds
+        // only when the dir is empty, so we never clobber another holder's lock
+        // (its info.json would make this ENOTEMPTY → we leave it for the normal
+        // EEXIST/stale path on the next attempt).
+        try { fs.rmdirSync(lockDir); } catch (_e) { /* gone, or now held by another */ }
+        const delay = exponentialBackoff
+          ? retryDelay * Math.pow(2, attempt)
+          : retryDelay * (attempt + 1);
+        await require('node:timers/promises').setTimeout(delay);
+        continue;
       }
 
       throw new Error(`Failed to acquire lock for ${filePath}: ${err.message}`, { cause: err });

package/scripts/flow-paths.js

@@ -64,6 +64,85 @@ function getProjectRoot() {
   return process.cwd();
 }
 
+// ============================================================
+// Worktree-stable canonical resolution (wf-e5e57361 / RC2)
+// ============================================================
+//
+// `git rev-parse --show-toplevel` is NOT worktree-stable: from inside a linked
+// git worktree it returns the WORKTREE root, not the main repository root. State
+// files under `.workflow/state/` are gitignored, so a worktree never carries them
+// (e.g. `workflow-phase.json`). That made the phase gates fail-open to an
+// unrestricted "idle" phase when a process ran from a worktree — an "ungated
+// context" a worker could reach by `git worktree add`. The fix: resolve gate
+// state from the CANONICAL (main-repo) location via `--git-common-dir`, which IS
+// worktree-stable (it always points at the main repo's `.git`).
+//
+// Both values come from a single `git rev-parse` call, memoized per-process.
+
+let _gitInfo; // { topLevel, mainRoot } | null
+function resolveGitInfo() {
+  if (_gitInfo !== undefined) return _gitInfo;
+  try {
+    // One call returns two lines: show-toplevel, then git-common-dir (absolute).
+    const out = execSync('git rev-parse --path-format=absolute --show-toplevel --git-common-dir', {
+      encoding: 'utf-8',
+      stdio: ['pipe', 'pipe', 'pipe']
+    }).trim();
+    const [topLevel, commonDir] = out.split('\n').map(s => s.trim());
+    if (topLevel && commonDir) {
+      // commonDir is `<mainRoot>/.git` in both the main tree and any worktree.
+      _gitInfo = { topLevel: path.resolve(topLevel), mainRoot: path.dirname(path.resolve(commonDir)) };
+      return _gitInfo;
+    }
+  } catch (_err) { /* not a git repo / git unavailable */ }
+  _gitInfo = null;
+  return _gitInfo;
+}
+
+/**
+ * Resolve the canonical (main-repo) `.workflow/state` directory, stable across
+ * git worktrees. Falls back to the cwd-relative STATE_DIR when git is
+ * unavailable or the canonical state dir doesn't exist (no regression vs prior
+ * behavior). An explicit `WOGI_CANONICAL_STATE_DIR` env var overrides everything
+ * (used by tests and by callers that already resolved it).
+ *
+ * @returns {string} Absolute path to the canonical `.workflow/state` directory
+ */
+let _canonicalStateDir; // memo
+function getCanonicalStateDir() {
+  if (_canonicalStateDir !== undefined) return _canonicalStateDir;
+  if (process.env.WOGI_CANONICAL_STATE_DIR && fs.existsSync(process.env.WOGI_CANONICAL_STATE_DIR)) {
+    _canonicalStateDir = process.env.WOGI_CANONICAL_STATE_DIR;
+    return _canonicalStateDir;
+  }
+  const info = resolveGitInfo();
+  if (info && info.mainRoot) {
+    const candidate = path.join(info.mainRoot, '.workflow', 'state');
+    if (fs.existsSync(candidate)) {
+      _canonicalStateDir = candidate;
+      return _canonicalStateDir;
+    }
+  }
+  _canonicalStateDir = STATE_DIR; // fallback: cwd-relative (current behavior)
+  return _canonicalStateDir;
+}
+
+/**
+ * True when the current working directory is inside a LINKED git worktree
+ * (i.e. the working-tree top-level differs from the main repository root). Used
+ * to fail gates CLOSED for in-progress tasks rather than fail-open to "idle"
+ * when phase state cannot be resolved. Returns false outside git or on the main
+ * working tree.
+ *
+ * @returns {boolean}
+ */
+function isLinkedWorktree() {
+  if (process.env.WOGI_FORCE_WORKTREE === '1') return true; // test seam
+  const info = resolveGitInfo();
+  if (!info) return false;
+  return info.topLevel !== info.mainRoot;
+}
+
 // ============================================================
 // Package Root (where wogiflow npm package lives)
 // ============================================================
@@ -283,6 +362,8 @@ function checkSpecMigration() {
 
 module.exports = {
   getProjectRoot,
+  getCanonicalStateDir,
+  isLinkedWorktree,
   PROJECT_ROOT,
   PACKAGE_ROOT,
   PACKAGE_PATHS,

package/scripts/flow-utils.js

@@ -781,6 +781,8 @@ const {
 module.exports = {
   // Explicit re-exports from flow-paths.js
   getProjectRoot: flowPaths.getProjectRoot,
+  getCanonicalStateDir: flowPaths.getCanonicalStateDir,
+  isLinkedWorktree: flowPaths.isLinkedWorktree,
   PROJECT_ROOT: flowPaths.PROJECT_ROOT,
   PACKAGE_ROOT: flowPaths.PACKAGE_ROOT,
   PACKAGE_PATHS: flowPaths.PACKAGE_PATHS,

package/scripts/hooks/core/long-input-enforcement.js

@@ -252,18 +252,28 @@ function hasTaskSignals(text) {
 }
 
 /**
- * Detect whether the current prompt is a channel-dispatched message in
- * worker mode. UserPromptSubmit gets `parsedInput.source` from Claude
- * Code's hook payload — channel-dispatched prompts arrive with a
- * channel-specific source identifier. We also check env vars to confirm
- * worker context. Defensive: returns false in any edge case.
+ * Detect ANY channel-source message — manager↔worker dispatches and worker→
+ * manager `## Results` status replies, in either direction (wf-e5e57361 / RC3).
+ * Channel traffic is inter-agent transport, NOT user input. Dual detection:
+ *   1. `source` carries the channel/notification marker (channel server delivers
+ *      via `notifications/claude/channel`), OR
+ *   2. the content arrives wrapped in a leading `<channel ...>` tag
+ *      (workspace-channel-server buildInstructions).
+ * Independent of worker/manager mode — a status reply trips the gate on the
+ * MANAGER too, which is the deadlock this skip removes.
  */
-function isChannelDispatchInWorker(source, env = process.env) {
-  if (!env.WOGI_WORKSPACE_ROOT) return false;
-  if (!env.WOGI_REPO_NAME || env.WOGI_REPO_NAME === 'manager') return false;
-  // Channel-dispatched prompts have specific source markers.
-  if (typeof source !== 'string') return false;
-  return /channel|notifications/i.test(source);
+function isChannelSourceMessage(text, source, env = process.env) {
+  // Source field is set by the channel notification path — unconditional signal.
+  if (typeof source === 'string' && /channel|notifications/i.test(source)) return true;
+  // Leading <channel> tag: trust it ONLY in workspace mode (F4, wf-0381b27b).
+  // Otherwise a solo user whose prose literally starts with "<channel" (e.g.
+  // asking about the channel tag) would be mis-skipped. Channel-wrapped
+  // messages only ever arrive when WOGI_WORKSPACE_ROOT is set.
+  if (env && env.WOGI_WORKSPACE_ROOT && typeof text === 'string') {
+    const lead = text.trimStart().slice(0, 16).toLowerCase();
+    if (lead.startsWith('<channel')) return true;
+  }
+  return false;
 }
 
 /**
@@ -289,6 +299,17 @@ function shouldForceExtractReview({ text, source, env = process.env } = {}) {
   if (isSkillBodyEcho(text)) {
     return { forced: false, level: 'pass', reason: 'skill-body-echo' };
   }
+  // wf-e5e57361 (RC3): channel-source messages are INTER-AGENT transport
+  // (manager↔worker dispatches and `## Results` replies), not user prompts.
+  // Firing the gate on them wrote a long-input-pending marker that deadlocked
+  // against the routing gate (worker/manager could reach neither /wogi-start nor
+  // the dismiss path). Source fidelity for dispatched specs is enforced at the
+  // manager AUTHORING layer (Logic Constitution 11.6 + flow-source-fidelity.js),
+  // where the USER's verbatim prompt still trips this gate normally — not here on
+  // the transport layer. Skip channel traffic entirely.
+  if (isChannelSourceMessage(text, source, env)) {
+    return { forced: false, level: 'pass', reason: 'channel-source' };
+  }
   if (!detectLongFormPrompt(text)) {
     return { forced: false, level: 'pass', reason: 'below-long-input-threshold' };
   }
@@ -302,38 +323,27 @@ function shouldForceExtractReview({ text, source, env = process.env } = {}) {
   if (!hasTaskSignals(text)) {
     return { forced: false, level: 'suggest', reason: 'long-but-no-task-signals' };
   }
-  // Worker receiving channel-dispatched long-form without source-link:
-  // STRICT — this is the wogi-hub 2026-04-27 failure mode.
-  if (isChannelDispatchInWorker(source, env)) {
-    return { forced: true, level: 'strict', reason: 'channel-dispatch-without-source-link' };
-  }
-  // Any other session: long-form + task-like + no source-link → force.
+  // (RC3) The former STRICT branch for channel-dispatch-in-worker is superseded
+  // by the channel-source skip above: channel traffic never reaches here. The
+  // wogi-hub 2026-04-27 manager-compression failure is now prevented at the
+  // manager AUTHORING layer, not by force-blocking the worker on receipt.
+  // Any non-channel session: long-form + task-like + no source-link → force.
   return { forced: true, level: 'force', reason: 'long-form-task-without-source-link' };
 }
 
-function buildEnforcementMessage(reason, level) {
-  const header = level === 'strict'
-    ? '🚨 STRICT P11.5 ENFORCEMENT — manager compression detected'
-    : '🚨 P11.5 ENFORCEMENT — long-form prompt without source-link';
+function buildEnforcementMessage(reason, _level) {
+  // Only the 'force' level reaches here now — channel-source (the former
+  // 'strict' path) is skipped upstream in shouldForceExtractReview (RC3,
+  // wf-e5e57361). `_level` is retained for signature/back-compat.
   const body = [];
-  body.push(header);
+  body.push('🚨 P11.5 ENFORCEMENT — long-form prompt without source-link');
   body.push('');
-  if (level === 'strict') {
-    body.push('This prompt arrived via channel-dispatch in worker mode and qualifies as');
-    body.push('long-form (>40 lines OR ≥5 discrete items) without a source-link. The');
-    body.push('manager that dispatched this message SHOULD have included a path to a spec');
-    body.push('with `## Original Request (verbatim)`. It did not. This is the exact failure');
-    body.push('shape that caused the wogi-hub 2026-04-27 Customers > Services regression.');
-    body.push('');
-    body.push('You MUST reverse the compression at this layer:');
-  } else {
-    body.push('This prompt qualifies as long-form (>40 lines OR ≥5 discrete items) AND');
-    body.push('contains task-creating signals (imperatives + structured items). Per P11.5,');
-    body.push('long-form work-creating prompts MUST go through /wogi-extract-review so');
-    body.push('every item is captured and reconciled.');
-    body.push('');
-    body.push('You MUST:');
-  }
+  body.push('This prompt qualifies as long-form (>40 lines OR ≥5 discrete items) AND');
+  body.push('contains task-creating signals (imperatives + structured items). Per P11.5,');
+  body.push('long-form work-creating prompts MUST go through /wogi-extract-review so');
+  body.push('every item is captured and reconciled.');
+  body.push('');
+  body.push('You MUST:');
   body.push('  1. Invoke `Skill(skill="wogi-extract-review")` BEFORE any other work.');
   body.push('  2. Let extract-review run its 6-phase pipeline (extract → review → topics →');
   body.push('     map → clarify → stories) on this prompt.');
@@ -483,7 +493,7 @@ module.exports = {
   hasTaskSignals,
   isSystemOriginatedContent,
   isSkillBodyEcho,
-  isChannelDispatchInWorker,
+  isChannelSourceMessage,
   shouldForceExtractReview,
   buildEnforcementMessage,
   markLongInputPending,

package/scripts/hooks/core/phase-gate.js

@@ -14,9 +14,13 @@
 
 const path = require('node:path');
 const fs = require('node:fs');
-const { getConfig, PATHS, safeJsonParse } = require('../../flow-utils');
+const { getConfig, safeJsonParse, getCanonicalStateDir, isLinkedWorktree } = require('../../flow-utils');
 
-const PHASE_FILE = path.join(PATHS.state, 'workflow-phase.json');
+// RC2 (wf-e5e57361): resolve the phase file from the CANONICAL (main-repo) state
+// dir, worktree-stable, so the gate cannot be evaded by operating from a git
+// worktree where the gitignored phase file is absent. In the main working tree
+// the canonical path equals `PATHS.state/workflow-phase.json`.
+function phaseFilePath() { return path.join(getCanonicalStateDir(), 'workflow-phase.json'); }
 
 // 2 hours in milliseconds
 const STALE_PHASE_TTL_MS = 2 * 60 * 60 * 1000;
@@ -94,7 +98,7 @@ function isPhaseGateEnabled(config) {
 function getCurrentPhase() {
   const defaults = { phase: 'idle', taskId: null, updatedAt: null, previousPhase: null };
   try {
-    const data = safeJsonParse(PHASE_FILE, null);
+    const data = safeJsonParse(phaseFilePath(), null);
     if (!data || !data.phase || !PHASES.includes(data.phase)) {
       return defaults;
     }
@@ -114,11 +118,12 @@ function getCurrentPhase() {
  */
 function writePhaseState(state) {
   try {
-    const dir = path.dirname(PHASE_FILE);
+    const phaseFile = phaseFilePath();
+    const dir = path.dirname(phaseFile);
     if (!fs.existsSync(dir)) {
       fs.mkdirSync(dir, { recursive: true });
     }
-    fs.writeFileSync(PHASE_FILE, JSON.stringify(state, null, 2) + '\n', 'utf-8');
+    fs.writeFileSync(phaseFile, JSON.stringify(state, null, 2) + '\n', 'utf-8');
     // Update aggregated hook status
     try {
       const { setPhase } = require('../../flow-hook-status');
@@ -298,6 +303,30 @@ function checkPhaseGate(toolName, toolInput, config) {
     }
   }
 
+  // RC2 (wf-e5e57361) fail-CLOSED: if the phase resolves to the idle default
+  // (no phase file found) while running inside a linked git worktree AND a task
+  // is in-progress per canonical state, this is the gate-evasion shape. Block
+  // mutation tools rather than letting "idle" wave them through.
+  if (current.phase === 'idle' && !current.taskId &&
+      (toolName === 'Edit' || toolName === 'Write' || toolName === 'Bash')) {
+    try {
+      if (isLinkedWorktree()) {
+        const ready = safeJsonParse(path.join(getCanonicalStateDir(), 'ready.json'), { inProgress: [] });
+        if (Array.isArray(ready.inProgress) && ready.inProgress.length > 0) {
+          return {
+            allowed: false,
+            blocked: true,
+            reason: 'phase_worktree_failclosed',
+            message: 'Phase gate (RC2): operating from a git worktree while a task is ' +
+              'in progress, but no phase state is resolvable. Gates are NOT evadable from a ' +
+              'worktree — return to the main working tree and satisfy the gate legitimately, ' +
+              'or channel-escalate. Do NOT create worktrees or write markers to bypass gating.'
+          };
+        }
+      }
+    } catch (_err) { /* fail-open on detection error */ }
+  }
+
   const bashCommand = toolInput?.command || '';
   const allowed = isToolAllowedInPhase(toolName, current.phase, bashCommand);
 

package/scripts/hooks/core/phase-read-gate.js

@@ -23,10 +23,31 @@
 
 const path = require('node:path');
 const fs = require('node:fs');
-const { PATHS, safeJsonParse } = require('../../flow-utils');
+const { PATHS, safeJsonParse, getCanonicalStateDir, isLinkedWorktree } = require('../../flow-utils');
 
+// Exported for tests (main-tree path). The gate resolves these paths CANONICALLY
+// at call time (see workflowPhasePath / phaseReadsPath) so it cannot be evaded
+// from a git worktree, where the gitignored phase file is absent (wf-e5e57361 /
+// RC2). In the main working tree the canonical path equals this constant.
 const PHASE_READS_FILE = path.join(PATHS.state, 'phase-reads.json');
-const WORKFLOW_PHASE_FILE = path.join(PATHS.state, 'workflow-phase.json');
+
+// Lazy canonical resolvers — `stateDir` override is injectable for tests.
+function workflowPhasePath(stateDir) { return path.join(stateDir || getCanonicalStateDir(), 'workflow-phase.json'); }
+function phaseReadsPath(stateDir) { return path.join(stateDir || getCanonicalStateDir(), 'phase-reads.json'); }
+
+/**
+ * True if the canonical ready.json shows a task in-progress. Used to fail the
+ * gate CLOSED (rather than open) when phase state is unresolvable inside a
+ * worktree of an in-progress task — the gate-evasion shape from RC2.
+ */
+function hasCanonicalInProgressTask(stateDir) {
+  try {
+    const ready = safeJsonParse(path.join(stateDir || getCanonicalStateDir(), 'ready.json'), { inProgress: [] });
+    return Array.isArray(ready.inProgress) && ready.inProgress.length > 0;
+  } catch (_err) {
+    return false;
+  }
+}
 
 // Maps workflow phases to required instruction files
 const PHASE_FILE_REGISTRY = {
@@ -80,7 +101,8 @@ function recordPhaseRead(filePath) {
   // fail-open semantics mean a lost write just means the gate asks for a
   // re-read — safe degradation, not a correctness bug.
   try {
-    const existing = safeJsonParse(PHASE_READS_FILE, {});
+    const readsFile = phaseReadsPath();
+    const existing = safeJsonParse(readsFile, {});
     if (!existing.reads) existing.reads = {};
 
     existing.reads[matchedPhase] = {
@@ -88,7 +110,8 @@ function recordPhaseRead(filePath) {
       at: new Date().toISOString()
     };
 
-    fs.writeFileSync(PHASE_READS_FILE, JSON.stringify(existing, null, 2));
+    fs.mkdirSync(path.dirname(readsFile), { recursive: true });
+    fs.writeFileSync(readsFile, JSON.stringify(existing, null, 2));
 
     if (process.env.DEBUG) {
       console.error(`[PhaseReadGate] Recorded read of ${PHASE_FILE_REGISTRY[matchedPhase]} for phase ${matchedPhase}`);
@@ -113,8 +136,10 @@ function recordPhaseRead(filePath) {
  *
  * @param {string} toolName
  * @param {Object} [config] - Optional config object
+ * @param {Object} [deps] - Injectable seams for tests:
+ *   { stateDir, isLinkedWorktree, hasInProgressTask }
  */
-function checkPhaseReadGate(toolName, config) {
+function checkPhaseReadGate(toolName, config, deps = {}) {
   try {
     // Respect phaseReadGate config with fallback to phaseGate (backwards compat).
     // If phaseReadGate.enabled is explicitly false, skip. If it's undefined,
@@ -129,10 +154,32 @@ function checkPhaseReadGate(toolName, config) {
       return { blocked: false };
     }
 
-    // Read current phase
-    const phaseData = safeJsonParse(WORKFLOW_PHASE_FILE, null);
+    // RC2 (wf-e5e57361): resolve phase from the CANONICAL state dir, not cwd —
+    // a git worktree lacks the gitignored phase file, so a cwd-relative read
+    // would fail-open to an unrestricted "idle" phase ("ungated context").
+    const stateDir = deps.stateDir || getCanonicalStateDir();
+    const inWorktree = (deps.isLinkedWorktree || isLinkedWorktree);
+    const hasInProgress = (deps.hasInProgressTask || hasCanonicalInProgressTask);
+
+    // Read current phase (canonically)
+    const phaseData = safeJsonParse(workflowPhasePath(stateDir), null);
     if (!phaseData || !phaseData.phase) {
-      return { blocked: false }; // No phase data = fail-open
+      // RC2 fail-CLOSED: a missing phase file inside a linked worktree while a
+      // task is in-progress (per canonical ready.json) is the gate-evasion
+      // shape — block mutation tools instead of failing open.
+      if ((toolName === 'Edit' || toolName === 'Write' || toolName === 'Bash') &&
+          inWorktree(stateDir) && hasInProgress(stateDir)) {
+        return {
+          blocked: true,
+          message: 'Phase gate (RC2): a task is in progress but the workflow phase ' +
+            'could not be resolved, and you appear to be operating from a git worktree. ' +
+            'Gates are NOT evadable by working from a worktree — phase is resolved from ' +
+            'the canonical (main-repo) state. Return to the main working tree and satisfy ' +
+            'the gate legitimately, or channel-escalate to the manager. Do NOT create ' +
+            'worktrees or write gate-satisfying markers to bypass this.'
+        };
+      }
+      return { blocked: false }; // No phase data = fail-open (normal main-tree)
     }
 
     const currentPhase = phaseData.phase;
@@ -149,7 +196,7 @@ function checkPhaseReadGate(toolName, config) {
     }
 
     // Check if that file has been read
-    const readData = safeJsonParse(PHASE_READS_FILE, {});
+    const readData = safeJsonParse(phaseReadsPath(stateDir), {});
     const reads = readData.reads || {};
 
     if (reads[currentPhase]) {
@@ -182,7 +229,9 @@ function checkPhaseReadGate(toolName, config) {
  */
 function clearPhaseReads() {
   try {
-    fs.writeFileSync(PHASE_READS_FILE, JSON.stringify({ reads: {} }, null, 2));
+    const readsFile = phaseReadsPath();
+    fs.mkdirSync(path.dirname(readsFile), { recursive: true });
+    fs.writeFileSync(readsFile, JSON.stringify({ reads: {} }, null, 2));
   } catch (_err) {
     if (process.env.DEBUG) {
       console.error(`[PhaseReadGate] Failed to clear phase reads: ${_err.message}`);
@@ -194,6 +243,9 @@ module.exports = {
   recordPhaseRead,
   checkPhaseReadGate,
   clearPhaseReads,
+  hasCanonicalInProgressTask,
+  workflowPhasePath,
+  phaseReadsPath,
   PHASE_FILE_REGISTRY,
   PHASE_READS_FILE
 };