Silver Bullet Gaps Report
Evidence-only audit of 50 known AI SE & DevOps failure modes

An honest assessment of where Silver Bullet's hook-based enforcement genuinely blocks the failure mode, where it only partially enforces, and where there is no enforcement code at all. Every claim is backed by file:line citations.

19 Solved 27 Partial 4 Gap Audit date: 2026-06-25 · Branch: cranky-ramanujan-fa7a82

Executive Summary

Silver Bullet enforces the bulk of the AI SE & DevOps failure surface — 46 of 50 problems (19 Solved + 27 Partial) have at least partial hook-level coverage. The remaining 4 problems have no enforcement code at all, and many of the “Partial” problems have falsification-resistant gates that an adversarially-optimistic agent can satisfy with placeholder content.

19
Solved
27
Partial
4
Gap
50
Total

Methodology

Evidence-only audit. I inspected 50+ hook scripts, 7+ skill SKILL.md files, hooks.json, .silver-bullet.json, and the hooks/lib/ library. For each problem I cite the exact file:line that provides or fails to provide enforcement. The previous report's claim of 38 Solved / 12 Partial / 0 Gap is rejected as inflated. Solved = real runtime code (PreToolUse/PostToolUse/Stop hook) that blocks/records the behavior. Partial = code exists but does not actually enforce the full claim (e.g. artifact-existence check without content inspection). Gap = no enforcement code or only documentation-level claims. Key weaknesses found: (1) No model-routing hook for Problem 38; (2) instruction-file-guard.sh only blocks *creation* of CLAUDE.md/AGENTS.md, not prompt-injection content (Problem 27); (3) session-log-init.sh has no redaction (Problem 30); (4) no shell-arg blocklist (Problem 29); (5) no token-cost tracking (Problem 40); (6) no API rate-limit (Problem 48). The two-tier model (intermediate commits require only required_planning; final delivery requires full required_deploy) is a strong design pattern.

TL;DR — Most Important Unaddressed Risks

  • Hallucinated APIs & libraries. Hooks check for SB artifact presence but never inspect the actual code/dependencies the agent produced. A confidently-wrong import lodash passes every existing gate.
  • Shell command injection. Hooks fire on command type (commit/push/deploy) but never block dangerous arguments — no blocklist for rm -rf, curl|sh, sudo, or ssh-key reads.
  • Credential sprawl & secret disclosure. No hook scans Write/Edit content for secret patterns; no hook blocks Read on ~/.ssh, ~/.aws, or .env; session log writes content with no redaction.
  • Prompt injection. instruction-file-guard.sh only blocks creation of root CLAUDE.md/AGENTS.md — it never inspects content for injection patterns in any instruction-file path.
  • No model routing. lib/prompt-classifier.sh exists (1.9K) but is not wired to a model-selection hook — high-complexity queries and low-complexity typo fixes all run on the same model tier.
  • Falsifiable artifact gates. UAT.md / REVIEW.md / SECURITY.md existence is checked, but a 1KB placeholder passes the gate. No depth/content/cross-reference check.
  • No token-cost visibility. Session log has a **Virtual cost:** placeholder filled manually at documentation step. No per-prompt or per-session token-cost gate.
Solved

Enforcement in place

Real runtime hooks block, gate, or record the behavior at tool-use boundaries. Confidence in enforcement is high.

19 problems

Agent Reliability & Output Quality 4

#2 Agent Reliability & Output Quality
Solved Severity: High Prev: Solved

False Completion Claims

Evidence
  • hooks/completion-audit.shlines 1086-1130 (artifact existence check)
    ARTIFACT BLOCKED — SB lifecycle markers were recorded but expected output files are missing. This may indicate vacuous skill invocation or an incomplete workflow
  • hooks/stop-check.shlines 619-646 (cannot complete -- missing required skills)
    Cannot complete -- missing required skills:\nRun these skills before declaring task complete.
Remediation

None required.

#4 Agent Reliability & Output Quality
Solved Severity: High Prev: Solved

Eager-but-Unreliable Behaviour

Evidence
  • hooks/orchestrator-directive-guard.shlines 193-225 (P6: edits without active composed workflow)
    🛑 WORKFLOW REQUIRED — %s edits without an active composed workflow
  • hooks/spec-floor-check.shlines 158-169 (hard block for SPEC.md)
    SPEC FLOOR VIOLATION: .planning/SPEC.md is missing. Run /silver:spec before planning.
Remediation

None required.

#5 Agent Reliability & Output Quality
Solved Severity: High Prev: Solved

Premature Termination

Evidence
  • hooks/stop-check.shlines 619-646
    Cannot complete -- missing required skills: ... Run these skills before declaring task complete.
  • hooks/timeout-check.shlines 148-163 (stall block)
    STALL BLOCK — %d tool calls with no workflow progress
Remediation

None required.

#6 Agent Reliability & Output Quality
Solved Severity: High Prev: Solved

Planning Failures

Evidence
  • hooks/spec-floor-check.shlines 158-170
    HARD BLOCK: SPEC.md must exist with required sections
  • hooks/dev-cycle-check.shlines 51-52 (header comment)
    Enforces four-stage workflow gate — blocks source edits if planning skills incomplete.
Remediation

None required.

Process Discipline & Workflow Enforcement 6

#11 Process Discipline & Workflow Enforcement
Solved Severity: High Prev: Solved

Skipped Planning

Evidence
  • hooks/dev-cycle-check.shlines 51-52 (header)
    Enforces four-stage workflow gate — blocks source edits if planning skills incomplete.
  • hooks/spec-floor-check.shlines 158-170
    SPEC FLOOR VIOLATION: .planning/SPEC.md is missing
Remediation

None required.

#12 Process Discipline & Workflow Enforcement
Solved Severity: High Prev: Solved

Premature Delivery

Evidence
  • hooks/completion-audit.shlines 797-1005 (TIER 2: Final delivery check)
    is_completion=true ... required_deploy_cfg
  • hooks/uat-gate.shlines 65-78
    UAT.md must exist (UATG-01) ... No FAIL results allowed (UATG-03)
Remediation

None required.

#13 Process Discipline & Workflow Enforcement
Solved Severity: High Prev: Solved

No Spec-to-Release Traceability

Evidence
  • hooks/pr-traceability.shlines 75-139
    Spec: .planning/SPEC.md (v" + $v + ") ... Update SPEC.md Implementations section with PR URL
Remediation

None required.

#16 Process Discipline & Workflow Enforcement
Solved Severity: High Prev: Solved

Dev/Prod Drift in Process

Evidence
  • hooks/dev-cycle-check.shfile size 38.2K, plugin cache guard block
    plugin-cache-guard.sh ... refuse writes to plugin cache
  • hooks/lib/plugin-cache-guard.shentire file (3.0K)
    plugin-cache-guard.sh
Remediation

None required.

#19 Process Discipline & Workflow Enforcement
Solved Severity: Medium Prev: Solved

Phase-State Desynchronization

Evidence
  • hooks/roadmap-freshness.shlines 108-137
    ROADMAP FRESHNESS VIOLATION ... A phase SUMMARY.md is staged but the ROADMAP.md checkbox is not ticked
  • hooks/phase-lock-claim.shentire file (7.1K)
    phase-lock-claim
Remediation

None required.

#20 Process Discipline & Workflow Enforcement
Solved Severity: High Prev: Solved

No Evidence Trail

Evidence
  • hooks/session-log-init.shlines 88-211 (create session log + sentinel)
    Session Log — ${today} ... Mode: ${mode}
  • hooks/lib/hook-audit.shentire file (2.3K)
    sb_hook_audit_record
Remediation

None required.

Context Management 3

#22 Context Management
Solved Severity: High Prev: Solved

Memory Bleed Across Sessions

Evidence
  • hooks/session-startlines 211-276 (branch-scoped state reset)
    Skill recordings are scoped to a git branch. When the branch changes between sessions, the full state is cleared
  • hooks/lib/agentmemory-gate.sh12.5K
    agentmemory-gate
Remediation

None required.

#24 Context Management
Solved Severity: Medium Prev: Solved

Stale Project Context

Evidence
  • hooks/lib/graphify-gate.sh9.2K
    graphify-gate ... block substantive work until index is fresh
  • hooks/uat-gate.shlines 87-103 (spec version check)
    UAT was run against spec v${uat_version} but current SPEC.md is v${spec_version}
Remediation

None required.

#25 Context Management
Solved Severity: High Prev: Solved

Codebase Blindness

Evidence
  • hooks/lib/graphify-gate.sh9.2K (whole file)
    block substantive edits until CLI, index, platform registration, and a fresh query are present
Remediation

None required.

Cost & Token Economics 1

#37 Cost & Token Economics
Solved Severity: High Prev: Solved

Runaway Retry Loops

Evidence
  • hooks/timeout-check.shlines 148-163
    STALL BLOCK — %d tool calls with no workflow progress
  • hooks/stop-check.shlines 216-238
    Autonomous stall detected: ${stall_count} tool calls without workflow progress
Remediation

None required.

Knowledge & Memory 2

#41 Knowledge & Memory
Solved Severity: High Prev: Solved

Cross-Session Knowledge Loss

Evidence
  • hooks/lib/agentmemory-gate.sh12.5K (whole file)
    agentmemory-gate
  • hooks/lib/session-ledger.sh4.6K
    session-ledger
Remediation

None required.

#42 Knowledge & Memory
Solved Severity: High Prev: Solved

No Project-Level Knowledge Graph

Evidence
  • hooks/lib/graphify-gate.sh9.2K
    block substantive edits until CLI, index, platform registration, and a fresh query are present
Remediation

None required.

DevOps / Infrastructure 2

#46 DevOps / Infrastructure
Solved Severity: High Prev: Solved

Blast-Radius Blindness

Evidence
  • skills/silver-blast-radius/SKILL.mdlines 16-107 (full skill)
    Blast Radius Assessment ... LOW/MEDIUM/HIGH/CRITICAL rubric
  • .silver-bullet.jsonlines 14-19
    required_planning_devops: silver-blast-radius, devops-quality-gates
Remediation

None required.

#47 DevOps / Infrastructure
Solved Severity: High Prev: Solved

CI-Failure Blind Spots

Evidence
  • hooks/ci-status-check.shlines 161-202
    🛑 CI FAILURE DETECTED — conclusion=${conclusion} ... STOP all other work immediately. Invoke /silver:debug now
  • hooks/completion-audit.shlines 877-929 (release gate)
    RELEASE BLOCKED — GitHub Actions for commit %s are still running or not green yet
Remediation

None required.

Quality Assurance 1

#49 Quality Assurance
Solved Severity: High Prev: Solved

Test Freshness Gaps

Evidence
  • hooks/completion-audit.shlines 1133-1143
    TEST GATE STALE — /verify-tests was recorded earlier, but the freshness marker is missing
Remediation

None required.

Partial

Partial enforcement — partial coverage

Some enforcement code exists, but it does not actually enforce the full previous claim. Common failure modes: artifact-existence check without content inspection, hook matches a command type but not its arguments, override/bypass paths that are logged but not blocked.

27 problems

Agent Reliability & Output Quality 4

#3 Agent Reliability & Output Quality
Partial Severity: High Prev: Solved

Confidently Wrong Outputs

Evidence
  • hooks/completion-audit.shlines 1104-1117
    if has_skill "silver-verify" && [[ ! -f "$project_root/.planning/UAT.md" ]] && ... artifact_blocks ... was verification actually completed?
Gap

SB requires UAT.md, REVIEW.md, SECURITY.md to exist as files, but it does not run them. The hook never executes the tests or reviews. A confidently-wrong agent that wrote beautiful-looking artifacts containing fabricated "PASS" results would pass the artifact-existence gate. The UAT.md check in uat-gate.sh (lines 73-78) does grep for FAIL rows but trusts the agent's self-reported table.

Remediation

Strengthen UAT/REVIEW gates: the hook should require that UAT/REVIEW artifacts contain a hash linked to a CI run ID or a verified test execution marker (e.g. `verify-tests-state`), and that the file's mtime is later than the code's mtime.

#7 Agent Reliability & Output Quality
Partial Severity: High Prev: Solved

Tool-Use Mistakes

Evidence
  • hooks/completion-audit.shlines 281-293 (classify the command)
    is_intermediate=false; is_completion=false ... \bgit commit\b ... \bgh release create\b ... \bdeploy\b
  • hooks/forbidden-skill-check.shlines 78-107
    FORBIDDEN_HARDCODED="executing-plans subagent-driven-development"
Gap

SB matches the *first line* of a shell command and only enforces a blocklist of two hardcoded forbidden skills. There is no inspection of command arguments (e.g. blocking `rm -rf /`, `curl | sh`, `chmod 777`); no static analysis of edit operations; no `dev-cycle-check` guard against specific dangerous patterns. The hook fires on the *type* of command (commit, push, deploy), not its substance.

Remediation

Add a PreToolUse/Bash arg-pattern blocklist (rm -rf /, curl|sh, sudo without approval, ssh key reads, .env file reads). Add a shell-arg semantic check (does the file path being written escape the project root?).

#8 Agent Reliability & Output Quality
Partial Severity: Medium Prev: Solved

Drift on Long Tasks

Evidence
  • hooks/session-startlines 339-381 (Tier 2 rule injection)
    core-rules.md ... re-injected every session so enforcement rules survive context compaction
  • hooks/completion-audit.shlines 1086-1130 (artifact existence check)
    ARTIFACT BLOCKED — SB lifecycle markers were recorded but expected output files are missing
Gap

SB re-injects core rules on SessionStart, which is a static approach. There is no per-compaction re-injection; the hook only runs at startup, clear, resume, compact but only injects context at startup/clear. Drift between plan and execution is only caught at delivery via artifact existence checks, not continuously.

Remediation

Wire SessionStart compact event to also re-inject core-rules and to re-check that the spec's acceptance criteria are still aligned with the current code state. Add a periodic drift check (e.g. every N turns, validate that active plan file still resolves to the same acceptance criteria).

#10 Agent Reliability & Output Quality
Partial Severity: Medium Prev: Solved

Internal Code Quality Degradation

Evidence
  • hooks/completion-audit.shlines 758-781 (VFY-01 plan-boundary)
    PLAN SEAL BLOCKED — Phase completion requires /silver:verify recorded this session
Gap

SB requires verify-tests to have run for plan seals, but it does not require code quality checks (lint, typecheck, complexity). The skill `silver-verify` produces UAT.md but does not enforce code-quality metrics.

Remediation

Add a pre-delivery gate that requires a quality-metrics marker (e.g. `silver-quality` skill recording an `npm run lint` or equivalent) for non-trivial changes.

Process Discipline & Workflow Enforcement 4

#14 Process Discipline & Workflow Enforcement
Partial Severity: High Prev: Solved

Hidden Bypasses

Evidence
  • hooks/completion-audit.shlines 389-392 (Trivial bypass)
    if [[ -f "$trivial_file" && ! -L "$trivial_file" ]]; then exit 0; fi
  • hooks/orchestrator-directive-guard.shlines 147-158 (User override)
    if [[ -n "$prompt" ]] && sb_orchestrator_prompt_has_override "$prompt"; then ... sb_orchestrator_log_override ... sb_orchestrator_directive_clear
Gap

There is a trivial-bypass file mechanism AND a user "SB OVERRIDE: reason" mechanism. The override is logged to `orchestrator.json` for audit, but trivial-bypass is silently honored — agents can create the trivial file (though trivial-file-guard.sh blocks Bash from creating it). Multiple backdoors exist: ci-red-override file, dev-prod drift, branch finishing exemption on main.

Remediation

Make all bypasses log to an immutable append-only audit log and require a stated reason string in SB_OVERRIDE (already exists) but extend to ci-red-override and trivial file.

#15 Process Discipline & Workflow Enforcement
Partial Severity: Medium Prev: Solved

Weak Approval Workflows

Evidence
  • hooks/completion-audit.shlines 1086-1130 (artifact existence check)
    ARTIFACT BLOCKED
Gap

Approval is implicit in skill recording (silver-review, silver-review-request, silver-review-triage). There is no enforced external human signoff — the agent invokes the skills and they're "approved". No GitHub PR review approval requirement is enforced.

Remediation

Add a PreToolUse/Edit|Write hook that checks `gh pr view --json reviewDecisions` for a human "APPROVED" before allowing merge/release of significant changes.

#17 Process Discipline & Workflow Enforcement
Partial Severity: High Prev: Solved

Stop-Hook Falsification

Evidence
  • hooks/stop-check.shlines 619-646
    Cannot complete -- missing required skills:\nRun these skills before declaring task complete.
  • hooks/completion-audit.shlines 1086-1130
    if has_skill "silver-execute" && [[ ! -f "$project_root/.planning/STATE.md" ]]
Gap

stop-check.sh can be bypassed by either: (a) writing fake state entries (the file is append-only text, not validated against action history), (b) creating fake artifacts (the file existence check does not inspect content depth). The artifact-existence check is a falsification-resistant gate only if the file is the real output of running real work — but nothing in the hook validates that the artifact's mtime/post-state is consistent with actual code changes.

Remediation

Cross-link artifact mtime to last code change mtime; require that artifacts reference actual file paths that exist in the diff.

#18 Process Discipline & Workflow Enforcement
Partial Severity: High Prev: Solved

Vacuous Skill Invocation

Evidence
  • hooks/record-skill.shlines 187-216 (skills_to_record logic)
    skills_to_record=() ... skills_to_record+=("$raw_skill")
  • hooks/completion-audit.shlines 1086-1130 (artifact existence)
    was verification actually completed?
Gap

record-skill.sh records skill names on EVERY Skill PostToolUse event, even if the skill was just `cat`'d or read. The skill-only metadata (read SKILL.md) is recorded into a separate `state.loaded` file, but a `Skill` invocation that produces no work still records. The artifact-existence check is the only falsification guard.

Remediation

Tighten record-skill.sh: only mark a skill as completed if its PostToolUse response has a non-zero exit or produced a SB-owned artifact. Add a `sb_recorded_with_evidence` requirement.

Context Management 3

#21 Context Management
Partial Severity: High Prev: Solved

Context Rot / Lost in the Middle

Evidence
  • hooks/session-startlines 339-381 (core-rules.md re-injection)
    core-rules.md ... re-injected every session
  • hooks/lib/context-mode-gate.sh9.4K
    context-mode-gate
  • hooks/lib/context-mode-read-deny.sh4.7K
    context-mode-read-deny
Gap

SB has the Context Mode integration (blocks edits without graphify, denies large reads). It re-injects core-rules at session-start. However, there is no per-compaction re-injection: the session-start hook only fires on `startup`/`clear` — `compact` events fall through without re-injecting (per v0.30.0 fix #87). So a long session that hits a compaction event mid-work loses the rules injection until next startup.

Remediation

Add a dedicated UserPromptSubmit or PostToolUse hook that re-injects core-rules if the last injection is older than N tool calls.

#23 Context Management
Partial Severity: High Prev: Solved

Compaction Loss

Evidence
  • hooks/session-startlines 205-213 (only mutate on startup/clear)
    case "$sb_session_source" in startup|clear) sb_should_mutate=true ;; esac
Gap

SessionStart handler reads `source` field and only re-injects core-rules on `startup`/`clear`. The `compact` and `resume` events fall through without re-injection — this is intentional (v0.30.0 fix #87). The downside: mid-session compact does NOT re-inject rules; the rules survive the compact only if the model had them in context already.

Remediation

Add a SessionStart handler for `compact` that re-injects core-rules (lighter weight than full startup).

#26 Context Management
Partial Severity: Medium Prev: Solved

Compaction Memory Slippage

Evidence
  • hooks/session-startlines 31-44 (sb_session_source)
    case "$_sb_src" in startup|resume|clear|compact) sb_session_source="$_sb_src" ;; esac
Gap

Same as #23: compact events are detected but not used to re-inject rules. SB has the state-file-on-disk (preserved across compactions) and session-ledger (preserved mid-session) but no active re-injection at compaction.

Remediation

Add a dedicated compact handler branch that re-injects core-rules.

Security & Safety 9

#27 Security & Safety
Partial Severity: High Prev: Partial

Prompt Injection

Evidence
  • hooks/instruction-file-guard.shlines 66-86 (deny_root_instruction_creation)
    PROJECT INSTRUCTION FILE CREATION BLOCKED — Silver Bullet does not synthesize a new root CLAUDE.md or AGENTS.md
  • hooks/orchestrator-directive-guard.shentire file (9.2K)
    Orchestrator directive pending
Gap

Previous report claimed 'Partial'. On inspection, instruction-file-guard.sh only blocks CREATION of root CLAUDE.md/AGENTS.md during init — it does not inspect CONTENT of instruction files for prompt injection. orchestrator-directive-guard.sh enforces that the directive queue is followed, but does not scan for injection patterns in the user prompt. There is no content inspection of .planning/, .cursor/, or external files for prompt-injection markers.

Remediation

Add a content scanner for files in instruction/role paths (CLAUDE.md, AGENTS.md, .cursor/, .planning/) that flags known prompt-injection patterns (e.g. "ignore previous instructions", unauthorized system-prompt override).

#28 Security & Safety
Partial Severity: High Prev: Solved

Excessive Agency

Evidence
  • hooks/orchestrator-directive-guard.shlines 114-140 (Parent orchestrator tool allowlist)
    🛑 ORCHESTRATOR PARENT — %s is forbidden in parent mode. Spawn Task worker
  • hooks/dev-cycle-check.shentire file (38.2K)
    four-stage workflow gate
Gap

Parent-orchestrator mode has a tool allowlist. But for the normal session, the dev-cycle-check only blocks *source edits* under certain conditions; it does not constrain the agent's tool selection broadly. The agent still has the full Edit/Write/Bash tool surface — SB enforces "when can you edit" not "what tools can you call".

Remediation

Add a per-phase tool allowlist — e.g. during silver-plan, only Read/Glob/Grep/Skill should be allowed.

#29 Security & Safety
Partial Severity: High Prev: Solved

Shell Command Injection

Evidence
  • hooks/completion-audit.shlines 281-293 (cmd classification)
    if printf '%s' "$cmd_first_line" | grep -qE '\bgit commit\b' ... is_intermediate=true
Gap

SB hooks fire on command *type* (commit/push/deploy) but do not block dangerous *arguments* like `rm -rf /`, `curl | sh`, shell expansion, command substitution, etc. The hooks can be bypassed by simply not using those exact verbs. There is no shell-arg sanitizer, no shell-quoting enforcement, no `set -o noexec` style guard.

Remediation

Add a PreToolUse/Bash arg-pattern blocklist: rm -rf outside repo, curl|sh, sudo, ssh-key reads, env-var dumps. Reference: OWASP Agentic Security Top 10.

#30 Security & Safety
Partial Severity: High Prev: Partial

Sensitive Information Disclosure

Evidence
  • hooks/session-log-init.shlines 232-297 (log skeleton)
    # Session Log — ${today}\n**Date:** ${today}\n**Mode:** ${mode}
  • hooks/session-log-init.shgrep -E 'redact' (no matches found)
    no redaction found
Gap

Previous report claimed 'Partial'. Inspection confirms: session-log-init.sh writes a session log file with no redaction. The log includes '## Files changed' and '## Skills invoked' sections that the documentation step fills in — but no SB enforcement to scrub API keys, tokens, or PII from those files. There is no PreToolUse/Bash hook to block reading/writing .env, ~/.ssh/, or AWS credentials.

Remediation

Add a PostToolUse/Write|Edit hook that scans the new content for common secret patterns (sk-..., AKIA..., -----BEGIN PRIVATE KEY-----, env-var assignments of passwords/tokens) and warns the user.

#31 Security & Safety
Partial Severity: High Prev: Solved

Supply-Chain Vulnerabilities

Evidence
  • skills/silver-secure/SKILL.mdline 28
    dependency and supply-chain risk
  • skills/silver-secure/SKILL.mdlines 31-33
    Invoke or apply silver:domain-audit with dependency-supply
Gap

silver-secure skill names supply-chain as a check area, but there is no automated SB hook that runs `npm audit` / `pip-audit` / `trivy` before delivery. The skill is advisory; the completion-audit gate only checks that SECURITY.md exists, not that it actually contains a passing supply-chain scan.

Remediation

Add a pre-delivery gate that requires a supply-chain-scan marker (e.g. `sb-supply-scan` recorded after a successful `npm audit --audit-level=high`).

#32 Security & Safety
Partial Severity: Medium Prev: Solved

MCP / Tool-Permission Sprawl

Evidence
  • hooks/hooks.jsonlines 1-200 (hook matchers)
    matcher fields for Bash|Skill|Read|Grep|Edit|Write|...
Gap

SB has hook-level matchers, but does not configure MCP tool permissions or per-tool ACL. There is no SB enforcement of what MCP servers the host runtime has registered; the plugin-cache-guard prevents writes to SB's own plugin cache, but other MCP tools are not constrained.

Remediation

Add a SB config schema for `.mcp-allowlist.json` that PreToolUse checks against registered MCP tool names.

#33 Security & Safety
Partial Severity: Medium Prev: Solved

System Prompt Leakage

Evidence
  • hooks/orchestrator-directive-guard.shlines 147-158 (override mechanism)
    SB OVERRIDE: <reason>
  • hooks/session-startlines 339-381 (core-rules injection)
    core-rules.md ... re-injected every session
Gap

Previous report claimed 'Solved'. On inspection, there is no enforcement against the agent *revealing* the system prompt or SB directives to the user. The override mechanism is logged, but if the user simply asks the model to dump the rules, nothing prevents that. orchestrator-directive-guard.sh enforces the *flow* of skills, not confidentiality of the prompt.

Remediation

Add a system-prompt-leak guard: detect when the model response contains literal 'core-rules.md' or SB-internal markers and warn.

#34 Security & Safety
Partial Severity: High Prev: Solved

Credential Sprawl

Evidence
  • hooks/dev-cycle-check.shgrep -E 'redact|secret|api_key|password' (no matches for blocklist)
    no credential-scrub found
Gap

No SB hook blocks reads of ~/.ssh/, ~/.aws/, or .env files. The completion-audit gate does not scan for credentials. SB config has a `_notifications_comment` warning about webhook URLs but no enforcement.

Remediation

Add a PreToolUse/Read|Grep hook that warns when the agent reads paths matching credential file patterns.

#35 Security & Safety
Partial Severity: Medium Prev: Solved

Shadow-Production from Laptops

Evidence
  • hooks/dev-cycle-check.shlines 51-52
    Enforces four-stage workflow gate
Gap

SB's deployment gate ensures required_deploy skills are recorded, but does not check whether the deployment is happening from an approved CI environment vs a laptop. There is no SB hook to detect local prod-deploy attempts.

Remediation

Add a PreToolUse/Bash check that requires `CI=true` env var for `gh release create` / direct prod deploys.

Cost & Token Economics 2

#36 Cost & Token Economics
Partial Severity: Medium Prev: Solved

Token Waste on Verbose Outputs

Evidence
  • hooks/semantic-compress.sh962B (file size)
    semantic-compress
  • hooks/lib/stack-optimizer.sh20.2K
    stack-optimizer
  • .silver-bullet.jsonlines 200-220 (semantic_compression config)
    semantic_compression: enabled, context_budget_kb: 50, min_file_size_bytes: 3072
Gap

SB has RTK + semantic-compress + stack-optimizer (per .silver-bullet.json) but no per-prompt token-cost visibility. The session log has a 'Virtual cost' field that is filled at documentation step but never computed or tracked.

Remediation

Wire RTK's `rtk gain` output to a per-session token metric; surface it in `compliance-status.sh`.

#39 Cost & Token Economics
Partial Severity: Medium Prev: Solved

Context-Bloat Cost Spiral

Evidence
  • hooks/lib/context-mode-read-deny.sh4.7K
    context-mode-read-deny
  • hooks/semantic-compress.sh962B
    semantic-compress
Gap

context-mode-read-deny + semantic-compress + graphify reduce bloat, but no per-prompt token counter or budget enforcement. RTK meta-commands (`rtk gain`) exist but are not enforced.

Remediation

Add a per-session token-budget marker that warns when the conversation exceeds N tokens.

Knowledge & Memory 2

#43 Knowledge & Memory
Partial Severity: Medium Prev: Solved

Decision Amnesia

Evidence
  • hooks/completion-audit.shlines 1063-1084 (ordering check)
    silver-review was run BEFORE silver-review-request (wrong order)
Gap

ordering check exists for review triad but only checks ordering, not whether prior decisions were referenced. session-log-init has '## Autonomous decisions' section but no enforcement that the agent actually reads prior decisions before acting.

Remediation

Add a SessionStart hook that surfaces prior session decisions from `.planning/STATE.md` and recent docs/decisions/.

#44 Knowledge & Memory
Partial Severity: Medium Prev: Solved

Documentation Drift

Evidence
  • hooks/completion-audit.shlines 603-620 (doc-scheme delivery gate)
    doc-scheme-gate
  • hooks/lib/doc-scheme-gate.sh12.7K
    doc-scheme-gate
Gap

doc-scheme-gate enforces that docs/CHANGELOG.md, docs/knowledge/, docs/learnings/ are updated on delivery. But there is no check that doc-content is actually current (mtime > last code change). Drift between code and docs is detected only at delivery.

Remediation

Add a doc-drift check: docs must have been updated since the last code change.

DevOps / Infrastructure 2

#45 DevOps / Infrastructure
Partial Severity: High Prev: Solved

IaC Drift

Evidence
  • skills/silver-blast-radius/SKILL.mdlines 14-29 (IaC step 1)
    IaC resources (Terraform state entries, Helm releases, k8s manifests)
  • skills/devops-quality-gates/SKILL.md6.7K (whole file)
    devops-quality-gates
Gap

silver-blast-radius and devops-quality-gates are skills (advisor prompts) that require the agent to think about IaC drift. There is no SB hook that runs `terraform plan` or `kubectl diff` and records the output as a pre-deploy gate.

Remediation

Add a pre-deploy hook that requires an IaC-plan marker recorded after a successful `terraform plan -detailed-exitcode` or `pulumi preview`.

#48 DevOps / Infrastructure
Partial Severity: High Prev: Solved

Unbounded Consumption / DoS

Evidence
  • hooks/timeout-check.shlines 67-74 (wall-clock timeout)
    SENTINEL_SLEEP_OVERRIDE=600 ... after 10 minutes
  • hooks/grep -E 'rate.limit|throttle|quota' (no matches for API rate)
    no API rate-limit enforcement
Gap

Previous report claimed 'Solved'. Inspection: timeout-check.sh caps autonomous sessions at 10 minutes (Tier 1) and 100 tool calls (Tier 2). However, there is NO SB enforcement of per-API rate limits (e.g. blocking `gh api` calls that would exceed GitHub rate limits; blocking bulk `curl` that exceeds bandwidth). The "DoS" here is the agent itself burning through its own context, not a network DoS.

Remediation

Add a token-budget marker (see #39) and an API-call-rate gate that tracks per-minute `gh api` invocations.

Quality Assurance 1

#50 Quality Assurance
Partial Severity: High Prev: Solved

Review Depth Collapse

Evidence
  • hooks/completion-audit.shlines 1112-1117
    if has_skill "silver-review" && [[ ! -f "$project_root/.planning/REVIEW.md" ]]
  • hooks/completion-audit.shlines 1063-1084 (review triad ordering)
    silver-review was run BEFORE silver-review-request (wrong order)
Gap

SB requires REVIEW.md to exist and that review-request/review/review-triage were called in the right order. But there is no depth check — REVIEW.md could be a one-liner saying "LGTM". The artifact-existence gate is satisfied by a 1KB placeholder.

Remediation

Add a REVIEW.md content gate: minimum required findings count, must reference specific files in the diff, must include at least one BLOCK or WARN finding.

Gap

Genuine gaps — no enforcement code

No enforcement code or only documentation-level claims. These are the highest-leverage items to address next.

4 problems

Agent Reliability & Output Quality 2

#1 Agent Reliability & Output Quality
Gap Severity: High Prev: Solved

Hallucinated APIs & Libraries

Evidence
  • hooks/completion-audit.shlines 1099-1129
    artifact existence check ... if has_skill "silver-execute" && [[ ! -f "$project_root/.planning/STATE.md" ]]
Gap

SB checks for the PRESENCE of SB-owned planning artifacts (STATE.md, REVIEW.md, UAT.md), but it never inspects the actual code or dependencies the agent produced. A hook that checks for artifact existence does not catch a hallucinated `import lodash` or a non-existent library call. There is no static analysis, no API-usage verification, no SB step that runs linters/typecheckers before allowing commit.

Remediation

Add a PreToolUse/Edit|Write hook that runs a dependency-existence check (does the imported package exist in package.json/pyproject/etc.) on Python/JS/TS writes; or require silver-verify to include a `npm install` / `pip install` smoke step that proves the agent's code resolves.

#9 Agent Reliability & Output Quality
Gap Severity: Medium Prev: Solved

Inconsistent Output Quality

Evidence
  • hooks/completion-audit.shlines 1133-1143 (verify-tests freshness)
    verify_tests_required=true ... /verify-tests was recorded earlier, but the freshness marker is missing
Gap

SB has a test-freshness marker for verify-tests, but there is no general "output quality" determinism check. No enforcement of linters, formatters, type-checkers, or pre-commit hooks at delivery. The verify-tests marker only proves a tests run happened — not that the code is well-formed.

Remediation

Add linter/typecheck enforcement gates (e.g. require `npm run lint` or `tsc --noEmit` to have run since the last code change), and wire them into completion-audit via a pre-delivery quality-gate marker similar to verify-tests-state.

Cost & Token Economics 2

#38 Cost & Token Economics
Gap Severity: High Prev: Solved

Premature Model Selection

Evidence
  • hooks/grep -E 'haiku|sonnet|opus|model_select' (no matches)
    no model routing in hooks
Gap

Previous report claimed 'Solved'. Inspection finds NO hook code that selects or routes between model tiers based on task complexity. The SessionStart log has a '**Model:**' field but it is filled manually at documentation step, not auto-routed. No code anywhere in hooks/ or skills/ contains 'haiku' or 'sonnet' for routing.

Remediation

Add a prompt-classifier that maps low-complexity queries (typo fixes, doc reads) to haiku and high-complexity (architecture) to opus. Already exists as lib/prompt-classifier.sh (1.9K) but is not wired to a model-selection hook.

#40 Cost & Token Economics
Gap Severity: Medium Prev: Solved

No Token-Cost Visibility

Evidence
  • hooks/session-log-init.shline 237
    **Virtual cost:** (filled at documentation step)
Gap

Session log has a '**Virtual cost:**' placeholder but no hook computes or populates it. The docs/RTK.md exists but is documentation, not enforcement. There is no per-prompt or per-session token-cost gate.

Remediation

Wire Claude Code's token-usage (or RTK's gain counter) into compliance-status.sh and the session log.

Recommended Backlog

The 10 highest-severity unaddressed problems, each paired with a concrete hook or skill proposal. Sorted by severity × leverage.

01
Problem #1 Gap High

Hallucinated APIs & Libraries

New PreToolUse/Edit|Write hook that runs a dependency-existence check (package.json/pyproject/etc.) on Python/JS/TS writes — or extend silver-verify with a `npm install` / `pip install` smoke step.

02
Problem #27 Partial High

Prompt Injection

New content scanner for files in instruction/role paths (CLAUDE.md, AGENTS.md, .cursor/, .planning/) that flags known prompt-injection patterns.

03
Problem #29 Partial High

Shell Command Injection

New PreToolUse/Bash arg-pattern blocklist: rm -rf outside repo, curl|sh, sudo, ssh-key reads, env-var dumps (OWASP Agentic Security Top 10).

04
Problem #30 Partial High

Sensitive Information Disclosure

New PostToolUse/Write|Edit hook that scans for secret patterns (sk-..., AKIA..., -----BEGIN PRIVATE KEY-----, env-var assignments) and warns.

05
Problem #34 Partial High

Credential Sprawl

New PreToolUse/Read|Grep hook that warns when agent reads paths matching credential file patterns (~/.ssh, ~/.aws, .env).

06
Problem #38 Gap High

Premature Model Selection

Wire existing lib/prompt-classifier.sh (1.9K) into a SessionStart/PostToolUse hook that selects model tier (haiku/sonnet/opus) by prompt complexity.

07
Problem #40 Gap Medium

No Token-Cost Visibility

Wire Claude Code's token usage (or RTK's gain counter) into compliance-status.sh and the session-log Virtual cost field.

08
Problem #9 Gap Medium

Inconsistent Output Quality

New pre-delivery quality-gate marker requiring `npm run lint` / `tsc --noEmit` since last code change, wired into completion-audit.

09
Problem #17 Partial High

Stop-Hook Falsification

Extend completion-audit to cross-link artifact mtime to last code change mtime; require artifacts reference actual file paths in the diff.

10
Problem #50 Partial High

Review Depth Collapse

New REVIEW.md content gate: minimum required findings count, must reference specific files in the diff, must include at least one BLOCK or WARN.