feat: add task-graph validation hook and plan audit completeness gate

ducdmdev · ducdmdev · commit 851794121bb4 · 2026-03-24T09:40:35.000+07:00
New hook: validate-task-graph.sh (SubagentStart)
- Validates task-graph.json schema before teammate spawn
- Checks: valid JSON, required fields, dependency references, cycle detection
- Blocks (exit 2) on invalid schema or circular dependencies
- 12 test assertions, all passing

Plan audit completeness:
- Mandatory Plan Audit Result table in progress.md (7 checks)
- Hard gate: DO NOT present plan until all 7 rows filled
- Template added to workspace-templates.md
diff --git a/docs/workspace-templates.md b/docs/workspace-templates.md
@@ -57,6 +57,20 @@ Append-only log of significant decisions.
 
 - [{timestamp}] {decision and reasoning}
 
+## Plan Audit Result
+
+Filled by the lead during Phase 1a Step 3 (plan audit). All 7 rows must be completed before presenting the plan to the user.
+
+| # | Check | Status | Notes |
+|---|-------|--------|-------|
+| 1 | Task completeness | {PASS/FAIL} | {notes} |
+| 2 | Dependency coherence | {PASS/FAIL} | {notes} |
+| 3 | File reference validity | {PASS/FAIL} | {notes} |
+| 4 | Scope coverage | {PASS/FAIL} | {notes} |
+| 5 | Reference freshness | {PASS/FAIL} | {notes} |
+| 6 | Feasibility | {PASS/FAIL} | {notes} |
+| 7 | Parallelizability | {PASS/FAIL} | {notes} |
+
 ## Plan Proposals
 
 | Teammate | Task | Proposal | Status | Revisions |
diff --git a/hooks/hooks.json b/hooks/hooks.json
@@ -75,6 +75,15 @@
       }
     ],
     "SubagentStart": [
+      {
+        "hooks": [
+          {
+            "type": "command",
+            "command": "${CLAUDE_PLUGIN_ROOT}/scripts/validate-task-graph.sh",
+            "timeout": 15
+          }
+        ]
+      },
       {
         "hooks": [
           {
diff --git a/scripts/validate-task-graph.sh b/scripts/validate-task-graph.sh
@@ -0,0 +1,117 @@
+#!/bin/bash
+# Hook: SubagentStart
+# Validates task-graph.json schema and checks for circular dependencies
+# BEFORE teammates are spawned. Blocks if invalid or cyclic.
+#
+# Exit 0 = valid (allow spawn)
+# Exit 2 = invalid (block spawn with feedback)
+
+# Graceful jq fallback — can't validate without jq
+if ! command -v jq &>/dev/null; then
+  exit 0
+fi
+
+INPUT=$(cat)
+CWD=$(echo "$INPUT" | jq -r '.cwd // empty')
+TEAM=$(echo "$INPUT" | jq -r '.team_name // empty')
+
+# Need both to locate task-graph.json
+if [ -z "$CWD" ] || [ -z "$TEAM" ]; then
+  exit 0
+fi
+
+# Resolve workspace path (with -fix suffix fallback for remediation teams)
+GRAPH_FILE="$CWD/.agent-team/$TEAM/task-graph.json"
+if [ ! -f "$GRAPH_FILE" ]; then
+  BASE_NAME="${TEAM%-fix}"
+  if [ "$BASE_NAME" != "$TEAM" ] && [ -f "$CWD/.agent-team/$BASE_NAME/task-graph.json" ]; then
+    GRAPH_FILE="$CWD/.agent-team/$BASE_NAME/task-graph.json"
+  else
+    # No task-graph.json — allow spawn (workspace may not be initialized yet)
+    exit 0
+  fi
+fi
+
+# --- Check 1: Valid JSON ---
+GRAPH=$(jq '.' "$GRAPH_FILE" 2>/dev/null)
+if [ -z "$GRAPH" ]; then
+  echo "BLOCKED: task-graph.json exists but is not valid JSON. Fix the file before spawning teammates." >&2
+  echo "File: $GRAPH_FILE" >&2
+  exit 2
+fi
+
+# --- Check 2: Has nodes object with at least 1 entry ---
+NODE_COUNT=$(echo "$GRAPH" | jq '.nodes | length // 0' 2>/dev/null)
+if [ -z "$NODE_COUNT" ] || [ "$NODE_COUNT" -eq 0 ]; then
+  # Empty nodes is OK — plan stage may not have populated yet
+  exit 0
+fi
+
+# --- Check 3: Required fields on each node ---
+MISSING_FIELDS=$(echo "$GRAPH" | jq -r '
+  [.nodes | to_entries[] |
+    select(
+      (.value.subject == null) or
+      (.value.status == null) or
+      (.value.depends_on == null)
+    ) | .key
+  ] | join(", ")
+' 2>/dev/null)
+
+if [ -n "$MISSING_FIELDS" ] && [ "$MISSING_FIELDS" != "" ]; then
+  echo "BLOCKED: task-graph.json nodes missing required fields (subject, status, depends_on)." >&2
+  echo "Affected nodes: $MISSING_FIELDS" >&2
+  echo "Fix the task-graph.json schema before spawning teammates." >&2
+  exit 2
+fi
+
+# --- Check 4: depends_on references point to existing node IDs ---
+DANGLING=$(echo "$GRAPH" | jq -r '
+  .nodes as $nodes |
+  [.nodes | to_entries[] | .value.depends_on[]? |
+    select($nodes[.] == null)
+  ] | unique | join(", ")
+' 2>/dev/null)
+
+if [ -n "$DANGLING" ] && [ "$DANGLING" != "" ]; then
+  echo "BLOCKED: task-graph.json has dangling dependency references." >&2
+  echo "Missing node IDs: $DANGLING" >&2
+  echo "All depends_on entries must reference existing node IDs." >&2
+  exit 2
+fi
+
+# --- Check 5: Cycle detection (DFS) ---
+HAS_CYCLE=$(echo "$GRAPH" | jq '
+  def has_cycle(id; visited):
+    if (visited | index(id)) then true
+    elif (.nodes[id] == null) then false
+    else
+      . as $g |
+      any(.nodes[id].depends_on[]; . as $dep | $g | has_cycle($dep; visited + [id]))
+    end;
+  . as $root |
+  any(.nodes | keys[]; . as $k | $root | has_cycle($k; []))
+' 2>/dev/null)
+
+if [ "$HAS_CYCLE" = "true" ]; then
+  # Find the cycle for error message
+  CYCLE_NODES=$(echo "$GRAPH" | jq -r '
+    def find_cycle(id; visited):
+      if (visited | index(id)) then [id]
+      elif (.nodes[id] == null) then []
+      else
+        . as $g |
+        [.nodes[id].depends_on[] | . as $dep | $g | find_cycle($dep; visited + [id])] |
+        add // []
+      end;
+    . as $root |
+    [.nodes | keys[] | . as $k | $root | find_cycle($k; [])] | add | unique | join(" -> ")
+  ' 2>/dev/null)
+  echo "BLOCKED: Circular dependency detected in task-graph.json." >&2
+  echo "Cycle involves: $CYCLE_NODES" >&2
+  echo "Fix the dependency graph before spawning teammates. Remove or reorder depends_on entries to break the cycle." >&2
+  exit 2
+fi
+
+# All checks passed
+exit 0
diff --git a/skills/plan/SKILL.md b/skills/plan/SKILL.md
@@ -176,6 +176,23 @@ Both paths converge here. Every plan is audited before the user sees it.
 
 The Team Lead performs the audit inline -- reading the plan file, cross-referencing codebase state, and evaluating each check. No separate skill invocation needed.
 
+**MANDATORY: Record audit results in progress.md.** Before proceeding to Step 4 or Phase 1b, you MUST fill in this table in the workspace `progress.md`:
+
+```markdown
+## Plan Audit Result
+| # | Check | Status | Notes |
+|---|-------|--------|-------|
+| 1 | Task completeness | {PASS/FAIL} | {notes} |
+| 2 | Dependency coherence | {PASS/FAIL} | {notes} |
+| 3 | File reference validity | {PASS/FAIL} | {notes} |
+| 4 | Scope coverage | {PASS/FAIL} | {notes} |
+| 5 | Reference freshness | {PASS/FAIL} | {notes} |
+| 6 | Feasibility | {PASS/FAIL} | {notes} |
+| 7 | Parallelizability | {PASS/FAIL} | {notes} |
+```
+
+**DO NOT present the plan to the user (Phase 2) until all 7 rows are filled.** This is a hard gate — incomplete audits produce incomplete plans.
+
 #### Step 4 -- User Decision Gate
 
 Present to user regardless of audit status:
diff --git a/tests/hooks/test-validate-task-graph.sh b/tests/hooks/test-validate-task-graph.sh
@@ -0,0 +1,180 @@
+#!/bin/bash
+# Tests for scripts/validate-task-graph.sh (SubagentStart hook)
+# Validates task-graph.json schema and cycle detection before teammate spawn
+
+source "$(dirname "$0")/../lib/test-helpers.sh"
+
+HOOK="$PROJECT_ROOT/scripts/validate-task-graph.sh"
+
+echo "ValidateTaskGraph hook tests"
+echo "============================"
+
+if ! command -v jq &>/dev/null; then
+  printf "  ${YELLOW}SKIP${RESET} all — jq not installed (hooks degrade gracefully without it)\n"
+  exit 0
+fi
+
+# --- Test 1: No task-graph.json — allow (exit 0) ---
+setup_temp_dir
+setup_mock_workspace "test-team"
+cd "$TEST_TEMP_DIR"
+run_hook "$HOOK" '{"cwd":"'"$TEST_TEMP_DIR"'","team_name":"test-team","hook_event_name":"SubagentStart"}'
+assert_exit_code 0 "$HOOK_EXIT" "1: Allow when no task-graph.json"
+cleanup_temp_dir
+
+# --- Test 2: Valid task-graph.json — allow (exit 0) ---
+setup_temp_dir
+setup_mock_workspace "test-team"
+setup_mock_task_graph "test-team"
+cd "$TEST_TEMP_DIR"
+run_hook "$HOOK" '{"cwd":"'"$TEST_TEMP_DIR"'","team_name":"test-team","hook_event_name":"SubagentStart"}'
+assert_exit_code 0 "$HOOK_EXIT" "2: Allow valid task-graph.json"
+cleanup_temp_dir
+
+# --- Test 3: Malformed JSON — block (exit 2) ---
+setup_temp_dir
+setup_mock_workspace "test-team"
+echo "not valid json {{{" > "$TEST_TEMP_DIR/.agent-team/test-team/task-graph.json"
+cd "$TEST_TEMP_DIR"
+run_hook "$HOOK" '{"cwd":"'"$TEST_TEMP_DIR"'","team_name":"test-team","hook_event_name":"SubagentStart"}'
+assert_exit_code 2 "$HOOK_EXIT" "3: Block malformed JSON"
+assert_stderr_contains "not valid JSON" "$HOOK_STDERR" "3: Error mentions invalid JSON"
+cleanup_temp_dir
+
+# --- Test 4: Missing required fields — block (exit 2) ---
+setup_temp_dir
+setup_mock_workspace "test-team"
+cat > "$TEST_TEMP_DIR/.agent-team/test-team/task-graph.json" <<'GRAPH'
+{
+  "team": "test",
+  "nodes": {
+    "#1": {
+      "subject": "Task 1"
+    }
+  }
+}
+GRAPH
+cd "$TEST_TEMP_DIR"
+run_hook "$HOOK" '{"cwd":"'"$TEST_TEMP_DIR"'","team_name":"test-team","hook_event_name":"SubagentStart"}'
+assert_exit_code 2 "$HOOK_EXIT" "4: Block missing required fields"
+assert_stderr_contains "missing required fields" "$HOOK_STDERR" "4: Error mentions missing fields"
+cleanup_temp_dir
+
+# --- Test 5: Dangling dependency reference — block (exit 2) ---
+setup_temp_dir
+setup_mock_workspace "test-team"
+cat > "$TEST_TEMP_DIR/.agent-team/test-team/task-graph.json" <<'GRAPH'
+{
+  "team": "test",
+  "nodes": {
+    "#1": {
+      "subject": "Task 1",
+      "owner": "impl-1",
+      "status": "pending",
+      "depends_on": ["#99"],
+      "completed_at": null,
+      "output_files": [],
+      "critical_path": false,
+      "convergence_point": false
+    }
+  }
+}
+GRAPH
+cd "$TEST_TEMP_DIR"
+run_hook "$HOOK" '{"cwd":"'"$TEST_TEMP_DIR"'","team_name":"test-team","hook_event_name":"SubagentStart"}'
+assert_exit_code 2 "$HOOK_EXIT" "5: Block dangling dependency"
+assert_stderr_contains "dangling dependency" "$HOOK_STDERR" "5: Error mentions dangling ref"
+cleanup_temp_dir
+
+# --- Test 6: Circular dependency — block (exit 2) ---
+setup_temp_dir
+setup_mock_workspace "test-team"
+cat > "$TEST_TEMP_DIR/.agent-team/test-team/task-graph.json" <<'GRAPH'
+{
+  "team": "test",
+  "nodes": {
+    "#1": {
+      "subject": "Task 1",
+      "owner": "impl-1",
+      "status": "pending",
+      "depends_on": ["#2"],
+      "completed_at": null,
+      "output_files": [],
+      "critical_path": false,
+      "convergence_point": false
+    },
+    "#2": {
+      "subject": "Task 2",
+      "owner": "impl-2",
+      "status": "pending",
+      "depends_on": ["#1"],
+      "completed_at": null,
+      "output_files": [],
+      "critical_path": false,
+      "convergence_point": false
+    }
+  }
+}
+GRAPH
+cd "$TEST_TEMP_DIR"
+run_hook "$HOOK" '{"cwd":"'"$TEST_TEMP_DIR"'","team_name":"test-team","hook_event_name":"SubagentStart"}'
+assert_exit_code 2 "$HOOK_EXIT" "6: Block circular dependency"
+assert_stderr_contains "Circular dependency" "$HOOK_STDERR" "6: Error mentions cycle"
+cleanup_temp_dir
+
+# --- Test 7: Empty nodes — allow (exit 0) ---
+setup_temp_dir
+setup_mock_workspace "test-team"
+echo '{"team":"test","nodes":{}}' > "$TEST_TEMP_DIR/.agent-team/test-team/task-graph.json"
+cd "$TEST_TEMP_DIR"
+run_hook "$HOOK" '{"cwd":"'"$TEST_TEMP_DIR"'","team_name":"test-team","hook_event_name":"SubagentStart"}'
+assert_exit_code 0 "$HOOK_EXIT" "7: Allow empty nodes"
+cleanup_temp_dir
+
+# --- Test 8: Valid graph with dependencies — allow (exit 0) ---
+setup_temp_dir
+setup_mock_workspace "test-team"
+cat > "$TEST_TEMP_DIR/.agent-team/test-team/task-graph.json" <<'GRAPH'
+{
+  "team": "test",
+  "nodes": {
+    "#1": {
+      "subject": "Task 1",
+      "owner": "impl-1",
+      "status": "pending",
+      "depends_on": [],
+      "completed_at": null,
+      "output_files": ["src/a.ts"],
+      "critical_path": true,
+      "convergence_point": false
+    },
+    "#2": {
+      "subject": "Task 2",
+      "owner": "impl-2",
+      "status": "pending",
+      "depends_on": ["#1"],
+      "completed_at": null,
+      "output_files": ["src/b.ts"],
+      "critical_path": false,
+      "convergence_point": false
+    },
+    "#3": {
+      "subject": "Review",
+      "owner": "reviewer",
+      "status": "pending",
+      "depends_on": ["#1", "#2"],
+      "completed_at": null,
+      "output_files": [],
+      "critical_path": false,
+      "convergence_point": true
+    }
+  }
+}
+GRAPH
+cd "$TEST_TEMP_DIR"
+run_hook "$HOOK" '{"cwd":"'"$TEST_TEMP_DIR"'","team_name":"test-team","hook_event_name":"SubagentStart"}'
+assert_exit_code 0 "$HOOK_EXIT" "8: Allow valid graph with dependencies"
+cleanup_temp_dir
+
+print_summary
+exit "$TESTS_FAILED"

Original file line number	Diff line number	Diff line change
`@@ -75,6 +75,15 @@`
`75`	`75`	`}`
`76`	`76`	`],`
`77`	`77`	`"SubagentStart": [`
	`78`	`+ {`
	`79`	`+ "hooks": [`
	`80`	`+ {`
	`81`	`+ "type": "command",`
	`82`	`+ "command": "${CLAUDE_PLUGIN_ROOT}/scripts/validate-task-graph.sh",`
	`83`	`+ "timeout": 15`
	`84`	`+ }`
	`85`	`+ ]`
	`86`	`+ },`
`78`	`87`	`{`
`79`	`88`	`"hooks": [`
`80`	`89`	`{`