fix: enforce strict codex-worker delegation

Author: zenus

.claude-plugin/marketplace.json

@@ -8,7 +8,7 @@
       "name": "humanize",
       "source": "./",
       "description": "Humanize - An iterative development plugin that uses a Codex CLI worker (gpt-5.4) for implementation and a separate Codex CLI analyzer/reviewer (gpt-5.4, non-codex) for independent review (cross-vendor style).",
-      "version": "1.11.3"
+      "version": "1.11.4"
     }
   ]
 }

.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "humanize",
   "description": "Humanize - An iterative development plugin that uses a Codex CLI worker (gpt-5.4) for implementation and a separate Codex CLI analyzer/reviewer (gpt-5.4, non-codex) for independent review (cross-vendor style).",
-  "version": "1.11.3",
+  "version": "1.11.4",
   "author": {
     "name": "humania-org"
   },

README.md

@@ -1,6 +1,6 @@
 # Humanize
 
-**Current Version: 1.11.3**
+**Current Version: 1.11.4**
 
 > Derived from the [GAAC (GitHub-as-a-Context)](https://github.com/SihaoLiu/gaac) project.
 

hooks/lib/loop-common.sh

@@ -941,6 +941,58 @@ is_in_any_loop_dir() {
     is_in_humanize_loop_dir "$path" || is_in_pr_loop_dir "$path"
 }
 
+# Returns 0 when the active RLCR loop is in strict delegation mode for Claude.
+# This applies only to implementation rounds in agent-teams mode.
+strict_delegation_mode_active() {
+    [[ "${STATE_AGENT_TEAMS:-false}" == "true" ]] || return 1
+    [[ "${STATE_DELEGATION_ENFORCEMENT:-warn}" == "strict" ]] || return 1
+    [[ "${STATE_REVIEW_STARTED:-}" == "false" ]] || return 1
+    return 0
+}
+
+# Allow Claude to keep coordination artifacts up to date even in strict mode.
+# Source-code changes must go through /humanize:codex-worker.
+is_delegation_coordinator_path() {
+    local path="$1"
+    local path_lower
+    local basename_lower
+
+    path_lower=$(to_lower "$path")
+    basename_lower=$(basename "$path_lower")
+
+    if echo "$path_lower" | grep -q '\.humanize/'; then
+        return 0
+    fi
+
+    [[ "$basename_lower" == "bitlesson.md" ]]
+}
+
+# Standard message for blocking direct Claude implementation in strict mode.
+# Usage: strict_delegation_blocked_message "edit" "`path`" "$current_round"
+strict_delegation_blocked_message() {
+    local action="$1"
+    local target="$2"
+    local current_round="$3"
+    local fallback="# Strict Delegation Required
+
+This RLCR loop is running in strict delegation mode for round {{CURRENT_ROUND}}.
+
+Claude must not {{ACTION}} {{TARGET}} directly. In strict mode, source-code changes
+must go through \`/humanize:codex-worker\`.
+
+Allowed coordinator actions:
+- update \`.humanize/\` coordination files
+- update \`bitlesson.md\` when required by the workflow
+- inspect files, diffs, and run non-mutating commands
+
+Next step: invoke \`/humanize:codex-worker\` for the coding task, then continue coordinating from Claude."
+
+    load_and_render_safe "$TEMPLATE_DIR" "block/strict-delegation-required.md" "$fallback" \
+        "ACTION=$action" \
+        "TARGET=$target" \
+        "CURRENT_ROUND=$current_round"
+}
+
 # Find the most recent active PR loop directory with state.md
 # Similar to find_active_loop but for PR loops
 # Outputs the directory path to stdout, or empty string if none found

hooks/loop-bash-validator.sh

@@ -17,6 +17,38 @@ set -euo pipefail
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]:-$0}")" && pwd)"
 source "$SCRIPT_DIR/lib/loop-common.sh"
 
+bash_command_looks_mutating() {
+    local command_lower="$1"
+    local patterns=(
+        '(^|[[:space:]])(mkdir|touch|install|ln|chmod|chown|chgrp|rm|mv|cp|truncate|patch)([[:space:]]|$)'
+        '(^|[[:space:]])git[[:space:]]+([^[:space:]]+[[:space:]]+)*(add|commit|apply|am|cherry-pick|merge|rebase|restore)([[:space:]]|$)'
+        '(^|[[:space:]])sed[[:space:]]+-i([[:space:]]|$)'
+        '(^|[[:space:]])awk[[:space:]]+-i[[:space:]]+inplace([[:space:]]|$)'
+        '(^|[[:space:]])perl[[:space:]]+-[^[:space:]]*i'
+        '(^|[[:space:]])tee([[:space:]]|$)'
+        '(^|[[:space:]])dd[[:space:]].*of='
+    )
+
+    for pattern in "${patterns[@]}"; do
+        if echo "$command_lower" | grep -qE "$pattern"; then
+            return 0
+        fi
+    done
+
+    if echo "$command_lower" | grep -qE '(^|[;&|])[[:space:]]*(cat|echo|printf)[^|;]*>>?[[:space:]]*[^[:space:]]+'; then
+        if ! echo "$command_lower" | grep -qE '>>?[[:space:]]*/dev/null([[:space:];|&]|$)'; then
+            return 0
+        fi
+    fi
+
+    return 1
+}
+
+bash_command_targets_coordination_artifact() {
+    local command_lower="$1"
+    echo "$command_lower" | grep -qE '(^|[^[:alnum:]_])bitlesson\.md($|[^[:alnum:]_])|\.humanize/'
+}
+
 # ========================================
 # Parse Hook Input
 # ========================================
@@ -85,6 +117,11 @@ if [[ -n "$ACTIVE_LOOP_DIR" ]]; then
     fi
     CURRENT_ROUND="$STATE_CURRENT_ROUND"
 
+    if strict_delegation_mode_active && bash_command_looks_mutating "$COMMAND_LOWER" && ! bash_command_targets_coordination_artifact "$COMMAND_LOWER"; then
+        strict_delegation_blocked_message "run code-modifying Bash commands against" "the repository" "$CURRENT_ROUND" >&2
+        exit 2
+    fi
+
     # ========================================
     # Block Git Push When push_every_round is false
     # ========================================

hooks/loop-edit-validator.sh

@@ -34,6 +34,23 @@ FILE_PATH_LOWER=$(to_lower "$FILE_PATH")
 # Extract session_id from hook input for session-aware loop filtering
 HOOK_SESSION_ID=$(extract_session_id "$HOOK_INPUT")
 
+# Precompute active RLCR state for delegation enforcement and round validation.
+PROJECT_ROOT="${CLAUDE_PROJECT_DIR:-$(pwd)}"
+LOOP_BASE_DIR="$PROJECT_ROOT/.humanize/rlcr"
+ACTIVE_LOOP_DIR=$(find_active_loop "$LOOP_BASE_DIR" "$HOOK_SESSION_ID")
+CURRENT_ROUND=""
+STRICT_DELEGATION_ACTIVE="false"
+
+if [[ -n "$ACTIVE_LOOP_DIR" ]]; then
+    STATE_FILE_TO_PARSE=$(resolve_active_state_file "$ACTIVE_LOOP_DIR")
+    if [[ -n "$STATE_FILE_TO_PARSE" ]] && parse_state_file "$STATE_FILE_TO_PARSE" 2>/dev/null; then
+        CURRENT_ROUND="${STATE_CURRENT_ROUND:-0}"
+        if strict_delegation_mode_active; then
+            STRICT_DELEGATION_ACTIVE="true"
+        fi
+    fi
+fi
+
 # ========================================
 # Block Todos and Prompt Files
 # ========================================
@@ -84,6 +101,10 @@ fi
 # ========================================
 
 if ! is_in_humanize_loop_dir "$FILE_PATH"; then
+    if [[ "$STRICT_DELEGATION_ACTIVE" == "true" ]] && ! is_delegation_coordinator_path "$FILE_PATH"; then
+        strict_delegation_blocked_message "edit" "\`$FILE_PATH\`" "${CURRENT_ROUND:-0}" >&2
+        exit 2
+    fi
     exit 0
 fi
 
@@ -93,7 +114,7 @@ fi
 
 PROJECT_ROOT="${PROJECT_ROOT:-${CLAUDE_PROJECT_DIR:-$(pwd)}}"
 LOOP_BASE_DIR="${LOOP_BASE_DIR:-$PROJECT_ROOT/.humanize/rlcr}"
-ACTIVE_LOOP_DIR="${LOOP_DIR:-$(find_active_loop "$LOOP_BASE_DIR" "$HOOK_SESSION_ID")}"
+ACTIVE_LOOP_DIR="${ACTIVE_LOOP_DIR:-$(find_active_loop "$LOOP_BASE_DIR" "$HOOK_SESSION_ID")}"
 
 if [[ -z "$ACTIVE_LOOP_DIR" ]]; then
     exit 0

hooks/loop-write-validator.sh

@@ -51,6 +51,23 @@ FILE_PATH_LOWER=$(to_lower "$FILE_PATH")
 # Extract session_id from hook input for session-aware loop filtering
 HOOK_SESSION_ID=$(extract_session_id "$HOOK_INPUT")
 
+# Precompute active RLCR state for delegation enforcement and round validation.
+PROJECT_ROOT="${CLAUDE_PROJECT_DIR:-$(pwd)}"
+LOOP_BASE_DIR="$PROJECT_ROOT/.humanize/rlcr"
+ACTIVE_LOOP_DIR=$(find_active_loop "$LOOP_BASE_DIR" "$HOOK_SESSION_ID")
+CURRENT_ROUND=""
+STRICT_DELEGATION_ACTIVE="false"
+
+if [[ -n "$ACTIVE_LOOP_DIR" ]]; then
+    STATE_FILE_TO_PARSE=$(resolve_active_state_file "$ACTIVE_LOOP_DIR")
+    if [[ -n "$STATE_FILE_TO_PARSE" ]] && parse_state_file "$STATE_FILE_TO_PARSE" 2>/dev/null; then
+        CURRENT_ROUND="${STATE_CURRENT_ROUND:-0}"
+        if strict_delegation_mode_active; then
+            STRICT_DELEGATION_ACTIVE="true"
+        fi
+    fi
+fi
+
 # ========================================
 # Block Todos and Prompt Files
 # ========================================
@@ -106,6 +123,10 @@ IN_HUMANIZE_LOOP_DIR=$(is_in_humanize_loop_dir "$FILE_PATH" && echo "true" || ec
 
 # If not a summary file, not a finalize summary, and not in .humanize/rlcr, allow normally
 if [[ "$IS_SUMMARY_FILE" == "false" ]] && [[ "$IS_FINALIZE_SUMMARY" == "false" ]] && [[ "$IN_HUMANIZE_LOOP_DIR" == "false" ]]; then
+    if [[ "$STRICT_DELEGATION_ACTIVE" == "true" ]] && ! is_delegation_coordinator_path "$FILE_PATH"; then
+        strict_delegation_blocked_message "write to" "\`$FILE_PATH\`" "${CURRENT_ROUND:-0}" >&2
+        exit 2
+    fi
     exit 0
 fi
 
@@ -126,7 +147,7 @@ fi
 # Re-initialize if not set by earlier todos check
 PROJECT_ROOT="${PROJECT_ROOT:-${CLAUDE_PROJECT_DIR:-$(pwd)}}"
 LOOP_BASE_DIR="${LOOP_BASE_DIR:-$PROJECT_ROOT/.humanize/rlcr}"
-ACTIVE_LOOP_DIR="${LOOP_DIR:-$(find_active_loop "$LOOP_BASE_DIR" "$HOOK_SESSION_ID")}"
+ACTIVE_LOOP_DIR="${ACTIVE_LOOP_DIR:-$(find_active_loop "$LOOP_BASE_DIR" "$HOOK_SESSION_ID")}"
 
 if [[ -z "$ACTIVE_LOOP_DIR" ]]; then
     exit 0

prompt-template/block/strict-delegation-required.md

@@ -0,0 +1,13 @@
+# Strict Delegation Required
+
+This RLCR loop is running in strict delegation mode for round {{CURRENT_ROUND}}.
+
+Claude must not {{ACTION}} {{TARGET}} directly. In strict mode, source-code changes
+must go through `/humanize:codex-worker`.
+
+Allowed coordinator actions:
+- update `.humanize/` coordination files
+- update `bitlesson.md` when required by the workflow
+- inspect files, diffs, and run non-mutating commands
+
+Next step: invoke `/humanize:codex-worker` for the coding task, then continue coordinating from Claude.

scripts/setup-rlcr-loop.sh

@@ -56,7 +56,7 @@ AGENT_TEAMS_EXPLICIT="false"
 WORKTREE_TEAMS_EXPLICIT="false"
 WORKTREE_ROOT=""
 BITLESSON_ALLOW_EMPTY_NONE="true"
-DELEGATION_ENFORCEMENT="${HUMANIZE_CODEX_DELEGATION_ENFORCEMENT:-warn}"
+DELEGATION_ENFORCEMENT="${HUMANIZE_CODEX_DELEGATION_ENFORCEMENT:-strict}"
 
 show_help() {
     cat <<HELP_EOF
@@ -111,7 +111,7 @@ OPTIONS:
                        one concrete lesson entry in `bitlesson.md`
   HUMANIZE_CODEX_DELEGATION_ENFORCEMENT
                        Delegation enforcement level for agent-team prompting.
-                       Allowed values: warn, strict (default: warn)
+                       Allowed values: warn, strict (default: strict)
   -h, --help           Show this help message
 
 DESCRIPTION:

tests/robustness/test-hook-system-robustness.sh

@@ -154,6 +154,38 @@ else
     fail "Path traversal to state.md" "exit 2 (blocked)" "exit $EXIT_CODE, result: $RESULT"
 fi
 
+# Test 5c: Strict delegation blocks direct source edits outside .humanize
+echo ""
+echo "Test 5c: Strict delegation blocks direct source edits"
+mkdir -p "$TEST_DIR/strict-edit/.humanize/rlcr/2026-01-19_13-00-00"
+cat > "$TEST_DIR/strict-edit/.humanize/rlcr/2026-01-19_13-00-00/state.md" << 'EOF'
+---
+current_round: 2
+max_iterations: 42
+plan_file: plan.md
+start_branch: main
+base_branch: main
+push_every_round: false
+codex_model: o3-mini
+codex_effort: medium
+codex_timeout: 1200
+review_started: false
+plan_tracked: false
+agent_teams: true
+delegation_enforcement: strict
+---
+EOF
+JSON='{"tool_name":"Edit","tool_input":{"file_path":"'"$TEST_DIR"'/strict-edit/src/app.py","old_string":"old","new_string":"new"}}'
+set +e
+RESULT=$(echo "$JSON" | CLAUDE_PROJECT_DIR="$TEST_DIR/strict-edit" bash "$PROJECT_ROOT/hooks/loop-edit-validator.sh" 2>&1)
+EXIT_CODE=$?
+set -e
+if [[ $EXIT_CODE -eq 2 ]] && echo "$RESULT" | grep -qi "strict delegation required"; then
+    pass "Strict delegation blocks direct source edits (exit 2)"
+else
+    fail "Strict delegation source edit" "exit 2 with strict delegation message" "exit $EXIT_CODE, result: $RESULT"
+fi
+
 # ========================================
 # Plan File Validator Tests
 # ========================================
@@ -381,6 +413,38 @@ else
     fail "Unrelated command" "allowed through" "exit $EXIT_CODE, result: $RESULT"
 fi
 
+# Test 12d: Strict delegation blocks mutating Bash before direct implementation
+echo ""
+echo "Test 12d: Strict delegation blocks mutating Bash commands"
+mkdir -p "$TEST_DIR/strict-bash/.humanize/rlcr/2026-01-19_13-30-00"
+cat > "$TEST_DIR/strict-bash/.humanize/rlcr/2026-01-19_13-30-00/state.md" << 'EOF'
+---
+current_round: 2
+max_iterations: 42
+plan_file: plan.md
+start_branch: main
+base_branch: main
+push_every_round: false
+codex_model: o3-mini
+codex_effort: medium
+codex_timeout: 1200
+review_started: false
+plan_tracked: false
+agent_teams: true
+delegation_enforcement: strict
+---
+EOF
+JSON='{"tool_name":"Bash","tool_input":{"command":"touch src/new_file.py"}}'
+set +e
+RESULT=$(echo "$JSON" | CLAUDE_PROJECT_DIR="$TEST_DIR/strict-bash" bash "$PROJECT_ROOT/hooks/loop-bash-validator.sh" 2>&1)
+EXIT_CODE=$?
+set -e
+if [[ $EXIT_CODE -eq 2 ]] && echo "$RESULT" | grep -qi "strict delegation required"; then
+    pass "Strict delegation blocks mutating Bash commands (exit 2)"
+else
+    fail "Strict delegation Bash mutation" "exit 2 with strict delegation message" "exit $EXIT_CODE, result: $RESULT"
+fi
+
 # Test 13: Edit validator handles newlines in strings
 echo ""
 echo "Test 13: Edit validator handles newlines in strings"
@@ -410,6 +474,52 @@ else
     fail "Binary content handling" "exit < 128" "exit $EXIT_CODE"
 fi
 
+# Test 14b: Strict delegation blocks direct source writes outside .humanize
+echo ""
+echo "Test 14b: Strict delegation blocks direct source writes"
+mkdir -p "$TEST_DIR/strict-write/.humanize/rlcr/2026-01-19_14-00-00"
+cat > "$TEST_DIR/strict-write/.humanize/rlcr/2026-01-19_14-00-00/state.md" << 'EOF'
+---
+current_round: 2
+max_iterations: 42
+plan_file: plan.md
+start_branch: main
+base_branch: main
+push_every_round: false
+codex_model: o3-mini
+codex_effort: medium
+codex_timeout: 1200
+review_started: false
+plan_tracked: false
+agent_teams: true
+delegation_enforcement: strict
+---
+EOF
+JSON='{"tool_name":"Write","tool_input":{"file_path":"'"$TEST_DIR"'/strict-write/src/new_file.py","content":"print(1)"}}'
+set +e
+RESULT=$(echo "$JSON" | CLAUDE_PROJECT_DIR="$TEST_DIR/strict-write" bash "$PROJECT_ROOT/hooks/loop-write-validator.sh" 2>&1)
+EXIT_CODE=$?
+set -e
+if [[ $EXIT_CODE -eq 2 ]] && echo "$RESULT" | grep -qi "strict delegation required"; then
+    pass "Strict delegation blocks direct source writes (exit 2)"
+else
+    fail "Strict delegation source write" "exit 2 with strict delegation message" "exit $EXIT_CODE, result: $RESULT"
+fi
+
+# Test 14c: Strict delegation still allows bitlesson.md updates
+echo ""
+echo "Test 14c: Strict delegation allows bitlesson.md writes"
+JSON='{"tool_name":"Write","tool_input":{"file_path":"'"$TEST_DIR"'/strict-write/bitlesson.md","content":"# BitLesson\n"}}'
+set +e
+RESULT=$(echo "$JSON" | CLAUDE_PROJECT_DIR="$TEST_DIR/strict-write" bash "$PROJECT_ROOT/hooks/loop-write-validator.sh" 2>&1)
+EXIT_CODE=$?
+set -e
+if [[ $EXIT_CODE -eq 0 ]] && ! echo "$RESULT" | grep -q '"decision".*:.*"block"'; then
+    pass "Strict delegation allows bitlesson.md writes"
+else
+    fail "Strict delegation bitlesson allow" "exit 0 without block" "exit $EXIT_CODE, result: $RESULT"
+fi
+
 # ========================================
 # Concurrent Access Tests
 # ========================================