fix(hooks): deleting or breaking DONE.md mid-session no longer bypasses the gate

[alexandertomana]

The problem

The stop hook had two fail-open holes, each one command away from disarming the gate mid-session:

1. rm DONE.md was a total bypass. The hook short-circuits with exit 0 when findDonefile() comes up empty — before any guard can run. The no_done_edits guard's documented "or deleted" finding was unreachable through the hook path, because the hook needs the donefile to load before guards exist. One rm and the agent stops freely.

2. Corrupting DONE.md was also a bypass. loadConfig() throws → warn on stderr → allow. Reasonable for a human's config typo; exploitable as a one-edit off switch for the exact file the agent is incentivized to break.

Both contradict the README's stated guarantee (no_done_edits ... "DONE.md modified or deleted mid-session → fail") and the FAQ ("Won't the agent just edit DONE.md?").

The fix

The session baseline (.donegate/baseline.json) already records donefile_path + donefile_sha — it just wasn't consulted on these paths. Now:

• Missing donefile + orphaned baseline → the hook walks up looking for a .donegate/baseline.json whose recorded donefile has vanished, and bounces the stop with restore instructions ({"decision":"block", ...} / followup_message).
• Unparseable donefile whose hash no longer matches the baseline → same treatment, with the parse error in the report.

Verified end-to-end through the built CLI:

$ donegate baseline --quiet && rm DONE.md
$ echo '{"session_id":"s1", ...}' | donegate hook claude
{"decision":"block","reason":"donegate: NOT DONE — DONE.md was deleted mid-session (attempt 1/3). ..."}

What deliberately did NOT change

• No-trap guarantees hold. Both new paths share the per-session bounce budget (the default 3 — the donefile that would configure gate.max_bounces is exactly what's missing/unreadable), then give up loudly. Cursor aborted/ctrl-c turns are never gated. Repos that never opted in (no donefile, no baseline) remain silent no-ops.
• Pre-existing breakage still fails open. A donefile that was already broken when the session started (no baseline, or hash unchanged) warns and allows, as before — a config typo must never trap an agent that didn't cause it.
• The give-up paths tell humans the legitimate off switch: delete .donegate/ too when removing donegate for real.

Also in this PR

• docs/threat-model.md — an honest map: what the gate catches outright, what it deliberately can't (semantic cheats like weakened assertions, command indirection through package.json, attacks on donegate's own state from inside the sandbox), and why donegate install ci + branch protection is the actual security boundary.
• README: guards framed as a "ratchet, not a sandbox" with a pointer to the threat model; FAQ updated to cover delete/corrupt; hooks docs explain the new behavior.
• Refactor: the three blocking paths share one bounceOrGiveUp() helper instead of triplicating the protocol JSON + bounce-state logic.

Tests

Three new cases in test/hooks.test.ts (79 total, all passing): deletion bounces ×3 then gives up then recovers on restore; corruption bounces then recovers on repair; cursor aborted turns stay ungated even with the donefile gone. node dist/cli.js check (the repo's own gate) is clean, all six guards green.

🤖 Generated with Claude Code