Summary
/cchores preflight check 6 validates the source path of its coded security helpers, while every runtime invocation of those helpers uses the installed path. On a stale or partial install the two diverge, so preflight can pass while the run fails mid-pipeline (or, worse, the runtime path check and the preflight check disagree about whether the redactor exists).
Where
In skills/cchores/SKILL.md:
- Preflight (BND-002), check 6 names the redactor as scripts/redact-secrets.sh (and "its secret-pattern set") — a source-relative path.
- Every runtime invocation uses the installed path: INV-003 / INV-006 call bash .correctless/scripts/cchores-fence-issue.sh, INV-013 calls bash .correctless/scripts/cchores-emit.sh and .correctless/scripts/redact-secrets.sh, INV-008 calls .correctless/scripts/cchores-regression-oracle.sh, etc.
The preflight check and the code it is supposed to gate do not reference the same path.
Why it matters
- On a normal installed target project there is no top-level scripts/ dir at all — only .correctless/scripts/. So preflight check 6 as written (scripts/redact-secrets.sh) would not even find the redactor on a real install; the prose only "works" by being read loosely.
- On the correctless source repo, both exist: source scripts/ (complete) and installed .correctless/scripts/ (was stale this session, missing all the cchores helpers). Preflight check 6 against the source path would pass while the runtime invocation against .correctless/scripts/ would fail.
- Observed 2026-06-19: the .correctless/scripts/ install was missing redact-secrets.sh, cchores-emit.sh, cchores-fence-issue.sh, the oracle, the selector, and cauto-lock.sh, plus .correctless/config/secret-patterns.txt. The run correctly fail-closed only because I checked the installed path by hand — the SKILL's own preflight text would have checked the source path.
Fix
Preflight must check the exact path the runtime invokes — .correctless/scripts/<helper>.sh and .correctless/config/secret-patterns.txt (with the documented fallbacks) — not the source-relative scripts/<helper>.sh. Every preflight existence/executable check should be expressed against the installed path so "preflight green ⇒ the runtime invocation will resolve" actually holds.
This is the same shape as the pre-deliver-gate-must-match-post-deliver-gate class (PMB-018): a gate that validates a different artifact than the one the gated code uses provides false assurance.
Severity
Medium — fail-closed behavior means no data loss, but the preflight gives false assurance: it can pass against a path the run never uses, and on a real installed project the source-relative check can't find the helper at all.
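A sketch of the preflight the Fix section asks for, added here as an illustration and not taken from the correctless repository. The function names, the `CCHORES_HELPERS` list and the fixture are assumptions; the helper file names and the `.correctless/` paths are the ones named in this issue, and the "documented fallbacks" for the pattern file are not listed on this page, so they are not implemented.

```shell
#!/usr/bin/env bash
# Added example: preflight resolves every helper at the installed path the
# runtime invokes, never at the source-relative scripts/ directory.

# Helper names taken from the issue text; the selector script is omitted
# because its file name is not given there.
CCHORES_HELPERS="redact-secrets.sh cchores-emit.sh cchores-fence-issue.sh cchores-regression-oracle.sh cauto-lock.sh"

# preflight_installed ROOT
# Reports each missing artifact on stderr; returns non-zero if any is missing.
preflight_installed() {
    root=$1
    missing=0
    for helper in $CCHORES_HELPERS; do
        path="$root/.correctless/scripts/$helper"
        # Helpers are run as "bash <path>", so a readable regular file is enough.
        if [ ! -f "$path" ] || [ ! -r "$path" ]; then
            echo "preflight: missing $path" >&2
            missing=$((missing + 1))
        fi
    done
    patterns="$root/.correctless/config/secret-patterns.txt"
    # An empty pattern set would make the redactor a no-op, so require content.
    if [ ! -s "$patterns" ]; then
        echo "preflight: missing or empty $patterns" >&2
        missing=$((missing + 1))
    fi
    [ "$missing" -eq 0 ]
}

# Constructed fixture reproducing the reported state: source scripts/ is
# complete, the installed .correctless/ tree exists but is stale (empty).
make_stale_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/scripts" "$dir/.correctless/scripts" "$dir/.correctless/config"
    for helper in $CCHORES_HELPERS; do
        printf '#!/usr/bin/env bash\n' > "$dir/scripts/$helper"
    done
    echo "$dir"
}
```

Running `preflight_installed "$(make_stale_fixture)"` fails even though every helper exists under the fixture's `scripts/`, which is the divergence a source-relative check would miss.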