fix: Extend sidecar .blocked protection to doc review path

The .blocked sidecar fail-closed mechanism only protected the code
review path (DUAL_GATE_PASSED), leaving doc review unguarded during
lock contention. This caused stop-guard and auto-loop hooks to miss
pending doc reviews when state writes were lost to race conditions.

- stop-guard: sidecar now forces DOC_REVIEW_PASSED=false + skips
  stale-state reconciliation when sidecar present
- 3 auto-loop hooks: add sidecar check with HAS_* fail-closed
  forcing and stale-state skip
- post-edit-format: merge 5 sequential jq writes into 1 atomic
  call for doc section; conditional sidecar clear on write success
- post-tool-review-state: clear stale sidecar only after
  successful locked update_state write

Author: sd0xdev

hooks/post-compact-auto-loop.sh

@@ -51,8 +51,22 @@ CODE_PASSED=$(jq -r '.code_review.passed // false' "$STATE_FILE" 2>/dev/null ||
 DOC_PASSED=$(jq -r '.doc_review.passed // false' "$STATE_FILE" 2>/dev/null || echo "false")
 PRE_PASSED=$(jq -r '.precommit.passed // false' "$STATE_FILE" 2>/dev/null || echo "false")
 
+# === Sidecar fail-closed marker ===
+if [[ -f "${STATE_FILE}.blocked" ]]; then
+  CODE_PASSED="false"
+  DOC_PASSED="false"
+  PRE_PASSED="false"
+  # Fail-closed: if no change flags set, sidecar means state write failed — assume changes exist
+  [[ "$HAS_CODE" != "true" && "$HAS_DOC" != "true" ]] && { HAS_CODE="true"; HAS_DOC="true"; }
+fi
+
 # Stale-state reconciliation (one-way: true→false only, same as stop-guard)
-GIT_PORCELAIN=$(git status --porcelain -uno 2>/dev/null || echo "__GIT_UNAVAILABLE__")
+# Skip when sidecar present — would undo fail-closed HAS_* forcing
+if [[ -f "${STATE_FILE}.blocked" ]]; then
+  GIT_PORCELAIN="__GIT_UNAVAILABLE__"
+else
+  GIT_PORCELAIN=$(git status --porcelain -uno 2>/dev/null || echo "__GIT_UNAVAILABLE__")
+fi
 if [[ "$GIT_PORCELAIN" != "__GIT_UNAVAILABLE__" ]]; then
   if [[ "$HAS_CODE" == "true" ]]; then
     if ! echo "$GIT_PORCELAIN" | grep -qE '\.(ts|tsx|js|jsx|mjs|cjs|py|pyw|go|rs|java|kt|kts|rb|php|swift|c|cpp|cc|h|hpp|cs|scala|ex|exs)($|\s|")'; then

hooks/post-edit-format.sh

@@ -349,22 +349,61 @@ fi
 # Track doc changes (.md, .mdx)
 if echo "$file_path" | grep -Eq '\.(md|mdx)$'; then
   if _lock; then
-    update_change_flag "has_doc_change"
+    # Atomic: merge flag set + review invalidation + aggregate gate reset (3 ops → 1 jq call)
+    init_state_file
+    _doc_now=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+    _doc_has_agg=$(jq 'has("aggregate_gate")' "$STATE_FILE" 2>/dev/null || echo "false")
+    _doc_tmp=$(mktemp)
+    _doc_write_ok=false
+    if [[ "$_doc_has_agg" == "true" ]]; then
+      jq --arg now "$_doc_now" '
+        .has_doc_change = true
+        | .updated_at = $now
+        | .doc_review.passed = false
+        | .aggregate_gate.executed = false
+        | .aggregate_gate.gate = null
+        | .aggregate_gate.reason = null
+      ' "$STATE_FILE" > "$_doc_tmp" && mv "$_doc_tmp" "$STATE_FILE" && _doc_write_ok=true
+    else
+      jq --arg now "$_doc_now" '
+        .has_doc_change = true
+        | .updated_at = $now
+        | .doc_review.passed = false
+      ' "$STATE_FILE" > "$_doc_tmp" && mv "$_doc_tmp" "$STATE_FILE" && _doc_write_ok=true
+    fi
+    # Non-critical array appends (graceful, own size guards)
     _track_changed_file "$file_path"
     _track_session_touched_file "$file_path" || true
-    invalidate_review "doc_review"
-    invalidate_aggregate_gate
-    # Clear any stale sidecar marker (successful locked write supersedes prior lock-failure markers)
-    rm -f "${STATE_FILE}.blocked" 2>/dev/null || true
+    # Clear sidecar only on successful write (fail-closed: preserve sidecar if write failed)
+    if [[ "$_doc_write_ok" == "true" ]]; then
+      rm -f "${STATE_FILE}.blocked" 2>/dev/null || true
+    fi
     _unlock
     echo "[Edit Hook] Doc change detected: $file_path" >&2
     echo "[Edit Hook] Invalidated doc_review + aggregate_gate" >&2
   else
-    # Fail-closed: sidecar marker (atomic) + best-effort unlocked writes
+    # Fail-closed: sidecar marker (atomic) + best-effort single unlocked jq write
     echo "edit_lock_contention" > "${STATE_FILE}.blocked" 2>/dev/null || true
-    update_change_flag "has_doc_change" 2>/dev/null || true
-    invalidate_review "doc_review" 2>/dev/null || true
-    invalidate_aggregate_gate 2>/dev/null || true
+    init_state_file
+    _doc_now=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+    _doc_has_agg=$(jq 'has("aggregate_gate")' "$STATE_FILE" 2>/dev/null || echo "false")
+    _doc_tmp=$(mktemp)
+    if [[ "$_doc_has_agg" == "true" ]]; then
+      jq --arg now "$_doc_now" '
+        .has_doc_change = true
+        | .updated_at = $now
+        | .doc_review.passed = false
+        | .aggregate_gate.executed = false
+        | .aggregate_gate.gate = null
+        | .aggregate_gate.reason = null
+      ' "$STATE_FILE" > "$_doc_tmp" 2>/dev/null && mv "$_doc_tmp" "$STATE_FILE" 2>/dev/null || rm -f "$_doc_tmp" 2>/dev/null
+    else
+      jq --arg now "$_doc_now" '
+        .has_doc_change = true
+        | .updated_at = $now
+        | .doc_review.passed = false
+      ' "$STATE_FILE" > "$_doc_tmp" 2>/dev/null && mv "$_doc_tmp" "$STATE_FILE" 2>/dev/null || rm -f "$_doc_tmp" 2>/dev/null
+    fi
     echo "[Edit Hook] Doc change detected (degraded — lock contention, sidecar marker set): $file_path" >&2
   fi
 fi

hooks/post-skill-auto-loop.sh

@@ -50,8 +50,22 @@ CODE_PASSED=$(jq -r '.code_review.passed // false' "$STATE_FILE" 2>/dev/null ||
 DOC_PASSED=$(jq -r '.doc_review.passed // false' "$STATE_FILE" 2>/dev/null || echo "false")
 PRE_PASSED=$(jq -r '.precommit.passed // false' "$STATE_FILE" 2>/dev/null || echo "false")
 
+# === Sidecar fail-closed marker ===
+if [[ -f "${STATE_FILE}.blocked" ]]; then
+  CODE_PASSED="false"
+  DOC_PASSED="false"
+  PRE_PASSED="false"
+  # Fail-closed: if no change flags set, sidecar means state write failed — assume changes exist
+  [[ "$HAS_CODE" != "true" && "$HAS_DOC" != "true" ]] && { HAS_CODE="true"; HAS_DOC="true"; }
+fi
+
 # Stale-state reconciliation (one-way: true→false only, same as stop-guard/post-compact)
-GIT_PORCELAIN=$(git status --porcelain -uno 2>/dev/null || echo "__GIT_UNAVAILABLE__")
+# Skip when sidecar present — would undo fail-closed HAS_* forcing
+if [[ -f "${STATE_FILE}.blocked" ]]; then
+  GIT_PORCELAIN="__GIT_UNAVAILABLE__"
+else
+  GIT_PORCELAIN=$(git status --porcelain -uno 2>/dev/null || echo "__GIT_UNAVAILABLE__")
+fi
 if [[ "$GIT_PORCELAIN" != "__GIT_UNAVAILABLE__" ]]; then
   if [[ "$HAS_CODE" == "true" ]]; then
     if ! echo "$GIT_PORCELAIN" | grep -qE '\.(ts|tsx|js|jsx|mjs|cjs|py|pyw|go|rs|java|kt|kts|rb|php|swift|c|cpp|cc|h|hpp|cs|scala|ex|exs)($|\s|")'; then

hooks/post-tool-review-state.sh

@@ -178,12 +178,15 @@ update_state() {
     # Update using jq
     local tmp
     tmp=$(mktemp)
-    jq --arg key "$key" \
+    if jq --arg key "$key" \
        --argjson executed "$executed" \
        --argjson passed "$passed" \
        --arg now "$now" \
        '.[$key].executed = $executed | .[$key].passed = $passed | .[$key].last_run = $now | .updated_at = $now' \
-       "$STATE_FILE" > "$tmp" && mv "$tmp" "$STATE_FILE"
+       "$STATE_FILE" > "$tmp" && mv "$tmp" "$STATE_FILE"; then
+      # Successful locked write → state is consistent, clear stale sidecar
+      rm -f "${STATE_FILE}.blocked" 2>/dev/null || true
+    fi
     _unlock
   else
     # Fail-open for review state (not as critical as aggregate gate)

hooks/stop-guard.sh

@@ -115,8 +115,11 @@ if [[ -f "$STATE_FILE" ]]; then
     GUARD_MODE="strict"
     SIDECAR_REASON=$(cat "${STATE_FILE}.blocked" 2>/dev/null || echo "unknown")
     echo "[Stop Guard] Sidecar blocked marker found (reason: $SIDECAR_REASON)" >&2
-    # Force aggregate gate to BLOCKED regardless of JSON state
+    # Force aggregate gate + doc review to BLOCKED regardless of JSON state
     DUAL_GATE_PASSED="false"
+    DOC_REVIEW_PASSED="false"
+    # Fail-closed: sidecar means state may be corrupted, assume changes exist
+    [[ "$HAS_CODE_CHANGE" != "true" && "$HAS_DOC_CHANGE" != "true" ]] && { HAS_CODE_CHANGE="true"; HAS_DOC_CHANGE="true"; }
   fi
 
   # === Dual mode: prefer aggregate_gate + force strict blocking ===
@@ -153,7 +156,12 @@ if [[ -f "$STATE_FILE" ]]; then
   fi
 
   # === Stale-state git check (with cross-platform timeout) ===
-  if command -v timeout &>/dev/null; then
+  # Skip stale-state reconciliation when sidecar is present — sidecar means state is
+  # unreliable, so git-based downgrade would undo the fail-closed HAS_* forcing above.
+  if [[ -f "${STATE_FILE}.blocked" ]]; then
+    # Sidecar present → skip stale-state reconciliation (would undo fail-closed HAS_* forcing)
+    GIT_PORCELAIN="__GIT_UNAVAILABLE__"
+  elif command -v timeout &>/dev/null; then
     GIT_PORCELAIN=$(timeout 5 git status --porcelain -uno 2>/dev/null || echo "__GIT_UNAVAILABLE__")
   elif command -v gtimeout &>/dev/null; then
     GIT_PORCELAIN=$(gtimeout 5 git status --porcelain -uno 2>/dev/null || echo "__GIT_UNAVAILABLE__")

hooks/user-prompt-review-guard.sh

@@ -48,6 +48,15 @@ CODE_PASSED=$(jq -r '.code_review.passed // false' "$STATE_FILE" 2>/dev/null ||
 DOC_PASSED=$(jq -r '.doc_review.passed // false' "$STATE_FILE" 2>/dev/null || echo "false")
 PRE_PASSED=$(jq -r '.precommit.passed // false' "$STATE_FILE" 2>/dev/null || echo "false")
 
+# === Sidecar fail-closed marker ===
+if [[ -f "${STATE_FILE}.blocked" ]]; then
+  CODE_PASSED="false"
+  DOC_PASSED="false"
+  PRE_PASSED="false"
+  # Fail-closed: if no change flags set, sidecar means state write failed — assume changes exist
+  [[ "$HAS_CODE" != "true" && "$HAS_DOC" != "true" ]] && { HAS_CODE="true"; HAS_DOC="true"; }
+fi
+
 # Early exit: no changes tracked = nothing to remind
 if [[ "$HAS_CODE" != "true" && "$HAS_DOC" != "true" ]]; then
   exit 0
@@ -56,7 +65,10 @@ fi
 # --- Stale-state reconciliation (one-way: true→false only) ---
 # Only run git status when state has pending changes (performance optimization)
 # Include untracked files (no -uno) to avoid false downgrade when only new files exist
-if command -v timeout &>/dev/null; then
+# Skip when sidecar present — would undo fail-closed HAS_* forcing
+if [[ -f "${STATE_FILE}.blocked" ]]; then
+  GIT_PORCELAIN="__GIT_UNAVAILABLE__"
+elif command -v timeout &>/dev/null; then
   GIT_PORCELAIN=$(timeout 3 git status --porcelain 2>/dev/null || echo "__GIT_UNAVAILABLE__")
 elif command -v gtimeout &>/dev/null; then
   GIT_PORCELAIN=$(gtimeout 3 git status --porcelain 2>/dev/null || echo "__GIT_UNAVAILABLE__")

test/hooks/post-compact-auto-loop.test.js

@@ -510,6 +510,25 @@ test('R10 strategic reset injected at threshold', () => {
   );
 });
 
+test('sidecar .blocked marker forces doc review injection', () => {
+  const cwd = makeTempDir('sd0x-pc-sidecar-doc-');
+  const binDir = setupStubBin();
+  writeStateFile(cwd, {
+    has_code_change: false,
+    has_doc_change: true,
+    code_review: { passed: false },
+    doc_review: { passed: true },
+    precommit: { passed: false },
+  });
+  writeFileSync(join(cwd, '.claude_review_state.json.blocked'), 'lock_failure');
+  const result = runHook({ cwd, binDir });
+  assert.equal(result.status, 0);
+  assert.ok(
+    result.stdout.includes('/codex-review-doc'),
+    'sidecar should force doc review injection despite doc_review.passed=true'
+  );
+});
+
 test('R10 strategic reset fires only once', () => {
   const cwd = makeTempDir('sd0x-pc-r10-once-');
   const binDir = setupStubBin();

test/hooks/post-edit-format.test.js

@@ -86,6 +86,21 @@ if (query && query.includes('.passed = false') && vars.key) {
   process.exit(0);
 }
 
+// Handle atomic doc write: .has_doc_change = true | .updated_at = $now | .doc_review.passed = false [| aggregate_gate reset]
+if (query && query.includes('has_doc_change = true') && query.includes('doc_review.passed = false')) {
+  data.has_doc_change = true;
+  data.updated_at = vars.now || '';
+  if (!data.doc_review) data.doc_review = {};
+  data.doc_review.passed = false;
+  if (query.includes('aggregate_gate.executed = false') && data.aggregate_gate) {
+    data.aggregate_gate.executed = false;
+    data.aggregate_gate.gate = null;
+    data.aggregate_gate.reason = null;
+  }
+  process.stdout.write(JSON.stringify(data));
+  process.exit(0);
+}
+
 // Handle has("aggregate_gate") check
 if (query && query.includes('has("aggregate_gate")')) {
   process.stdout.write(Object.prototype.hasOwnProperty.call(data, 'aggregate_gate') ? 'true' : 'false');
@@ -655,6 +670,35 @@ test('code edit clears sidecar .blocked marker', () => {
   );
 });
 
+test('doc edit atomic state update — flag + review + aggregate in single write', () => {
+  const workDir = makeTempDir('sd0x-format-doc-atomic-');
+  const binDir = setupStubBin();
+  writeFileSync(
+    join(workDir, '.claude_review_state.json'),
+    JSON.stringify({
+      has_doc_change: false,
+      has_code_change: false,
+      code_review: { executed: false, passed: false, last_run: '' },
+      doc_review: { executed: true, passed: true, last_run: 'T1' },
+      precommit: { executed: false, passed: false, last_run: '' },
+      aggregate_gate: { executed: true, gate: 'READY', reason: null },
+    })
+  );
+  runHook({
+    cwd: workDir,
+    binDir,
+    filePath: '/project/docs/readme.md',
+    env: { HOOK_NO_FORMAT: '1' },
+  });
+  const state = readState(workDir);
+  assert.ok(state, 'state file should exist');
+  assert.equal(state.has_doc_change, true, 'should set has_doc_change');
+  assert.equal(state.doc_review.passed, false, 'should invalidate doc_review');
+  assert.equal(state.aggregate_gate.executed, false, 'should reset aggregate_gate.executed');
+  assert.equal(state.aggregate_gate.gate, null, 'should null aggregate_gate.gate');
+  assert.ok(state.updated_at, 'should set updated_at');
+});
+
 test('doc edit does NOT invalidate code_review', () => {
   const workDir = makeTempDir('sd0x-format-doc-no-code-invalidate-');
   const binDir = setupStubBin();

test/hooks/stop-guard.test.js

@@ -1159,6 +1159,34 @@ test('dual mode: sidecar .blocked marker forces block', () => {
   assert.equal(payload.ok, false);
 });
 
+test('sidecar .blocked marker forces doc review block (doc-only change)', () => {
+  const workDir = makeTempDir('sd0x-stop-guard-sidecar-doc-');
+  const binDir = setupStubBin();
+  const transcriptPath = join(workDir, 'transcript.json');
+  writeFileSync(transcriptPath, '[]');
+  writeFileSync(
+    join(workDir, '.claude_review_state.json'),
+    JSON.stringify({
+      has_code_change: false,
+      has_doc_change: true,
+      doc_review: { passed: true },
+      code_review: { passed: false },
+      precommit: { passed: false },
+    })
+  );
+  // Sidecar should override doc_review.passed to false
+  writeFileSync(join(workDir, '.claude_review_state.json.blocked'), 'lock_failure');
+  const result = runHook({
+    cwd: workDir,
+    binDir,
+    input: { transcript_path: transcriptPath },
+    env: { STOP_GUARD_MODE: 'strict' },
+  });
+  assert.equal(result.status, 2, 'sidecar should block doc-only change');
+  const payload = parseJson(result.stdout);
+  assert.equal(payload.ok, false);
+});
+
 test('backward compat: no review_mode field behaves as single mode', () => {
   const workDir = makeTempDir('sd0x-stop-guard-compat-');
   const binDir = setupStubBin();

test/hooks/user-prompt-review-guard.test.js

@@ -165,6 +165,24 @@ test('stale state: git clean but state says code changed → reconcile to false
   assert.equal(result.stdout.trim(), '', 'should reconcile stale state and stay silent');
 });
 
+test('sidecar .blocked marker forces doc review reminder', () => {
+  const { dir, cooldownFile } = createWorkDir({
+    has_doc_change: true,
+    has_code_change: false,
+    doc_review: { passed: true },
+    code_review: { passed: false },
+    precommit: { passed: false },
+  });
+  writeFileSync(join(dir, 'README.md'), '# modified');
+  writeFileSync(join(dir, '.claude_review_state.json.blocked'), 'lock_failure');
+  const result = runHook(dir, { REVIEW_GUARD_COOLDOWN: '0', REVIEW_GUARD_COOLDOWN_FILE: cooldownFile });
+  assert.equal(result.status, 0);
+  assert.ok(
+    result.stdout.includes('/codex-review-doc'),
+    'sidecar should force doc review reminder despite doc_review.passed=true'
+  );
+});
+
 test('hook always exits 0 (non-blocking)', () => {
   const { dir, cooldownFile } = createWorkDir({
     has_code_change: true,