feat: carve cso into skeleton + on-demand section (security-safe)

Scope-dependent audit Phases 2-11 move to sections/audit-phases.md. Mode dispatch (## Arguments, ## Mode Resolution), always-run Phases 0/1, and the Phase 12 false-positive-filtering exceptions stay ALWAYS-LOADED in the skeleton. Skeleton 79,383 -> 65,117 B (-18%); union preserved. Adds a cso CARVE_GUARDS entry with an earliest-use invariant (mustPrecedeStop): mode dispatch must appear before any STOP-Read, so a directive that decides which sections to read can't be stranded behind the STOP that reads them (codex outside-voice #6). carve-guard-checks gains the mustPrecedeStop check. parity moves cso monolith -> generated carved entry. cso-preserved.test.ts strengthened: phrases checked against the union, plus an always-loaded contract on the skeleton (dispatch + FP-filtering, codex #5). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-24 18:50:03 +02:00 · 2026-06-07 17:57:50 -07:00
parent 672cbf6f30
commit 12ab68dda0
9 changed files with 662 additions and 558 deletions
@@ -88,6 +88,19 @@ export function checkOrdering(root: string, guard: CarveGuard): string[] {
    }
  }

+  // 3b. Earliest-use: dispatch directives must appear BEFORE the first STOP
+  // (codex #6 — a directive that governs which sections to read can't sit after
+  // the STOP that reads them).
+  const firstStopIdx = skeleton.indexOf(STOP);
+  for (const anchor of guard.staticInvariants.mustPrecedeStop ?? []) {
+    const at = skeleton.indexOf(anchor);
+    if (at < 0) {
+      failures.push(`mustPrecedeStop anchor missing from skeleton: "${anchor}"`);
+    } else if (firstStopIdx >= 0 && at > firstStopIdx) {
+      failures.push(`mustPrecedeStop anchor "${anchor}" appears AFTER the STOP (stranded)`);
+    }
+  }
+
  // 4. Heavy body moved out of the skeleton but is preserved in the union.
  for (const moved of guard.staticInvariants.mustMoveToSection) {
    if (skeleton.includes(moved)) {
@@ -31,6 +31,14 @@ export interface CarveStaticInvariants {
   * universal STOP/section-index checks E2 already runs).
   */
  mustStayInSkeleton: string[];
+  /**
+   * Substrings that MUST appear in the skeleton BEFORE the first STOP-Read
+   * (earliest-use, codex #6). For cso: mode-dispatch directives (## Arguments,
+   * ## Mode Resolution) must be resolved before any section is read — a dispatch
+   * directive stranded after the STOP can't govern which sections to read.
+   * Empty/undefined = skip (most skills).
+   */
+  mustPrecedeStop?: string[];
  /**
   * Substrings that MUST be in the union (skeleton + sections) but MUST NOT be in
   * the skeleton — i.e. the heavy body that the carve relocated. Empty = skip.
@@ -225,6 +233,38 @@ export const CARVE_GUARDS: Record<string, CarveGuard> = {
    minUnionBytes: 72_000,
    mustContain: ['Typography', 'Color', 'Aesthetic Direction'],
  },
+  cso: {
+    skill: 'cso',
+    expectedSections: ['audit-phases.md'],
+    requiredReads: ['audit-phases.md'],
+    scenario:
+      'Run a security audit on this repository in --owasp mode (OWASP Top 10 only). Resolve the mode, do the Phase 0 stack detection and Phase 1 attack-surface census, then run the scoped audit phases and produce the findings report. Skip any step that needs network access.',
+    staticInvariants: {
+      // Dispatch + always-run + FP-filtering phases are ALWAYS loaded (security).
+      mustStayInSkeleton: [
+        '## Arguments',
+        '## Mode Resolution',
+        '### Phase 0',
+        '### Phase 1',
+        '### Phase 12',
+        '### Phase 13',
+        '### Phase 14',
+      ],
+      // Earliest-use: mode must be resolvable before any section is read (codex #6).
+      mustPrecedeStop: ['## Arguments', '## Mode Resolution'],
+      // Scope-dependent audit detail moved to the section.
+      mustMoveToSection: [
+        '### Phase 2: Secrets Archaeology',
+        '### Phase 9: OWASP Top 10 Assessment',
+        '### Phase 10: STRIDE Threat Model',
+      ],
+      gateAfterStop: undefined,
+    },
+    behavioral: 'prompt',
+    maxSkeletonBytes: 70_000,
+    minUnionBytes: 72_000,
+    mustContain: ['OWASP', 'STRIDE', 'daily', 'comprehensive', 'verif'],
+  },
 };

 /** Sorted carved-skill names. Consumers derive their lists from this — no parallel lists. */
@@ -205,13 +205,7 @@ export function runParityChecks(opts: {
 * from the size-budget / static / behavioral guards.
 */
 const MONOLITH_INVARIANTS: ParityInvariant[] = [
-  {
-    skill: 'cso',
-    mustContain: ['OWASP', 'STRIDE', 'daily', 'comprehensive', 'verif'],
-    mustHaveHeadings: ['## Preamble', '## When to invoke'],
-    maxSizeRatio: 1.05,
-    minBytes: 30_000,
-  },
+  // cso is now carved — its invariant is generated from CARVE_GUARDS below.
  {
    skill: 'review',
    mustContain: ['confidence', 'P1', 'P2'],