@bradheitmann/odin-sentinel 0.4.4 → 0.4.6

package/protocol/bootstrap-skill.md

@@ -7,19 +7,24 @@ updated: 2026-05-11
 
 # Sentinel Coordination Protocol
 
+SCP_PUBLIC_VERSION: 0.4.6
+MIN_COMPATIBLE_CHILD_MCP: 0.4.5
+
+Public install readiness: configure the ODIN MCP server, install native skill context where supported or use full prompt fallback, keep governed team roles in CMUX, verify auth/account readiness without printing secrets, smoke-test local inference if used, and validate role compatibility before launch. Private local skill copies may differ intentionally; public release checks compare repo-internal public artifacts only.
+
 Use this skill for SCP policy introduction, repo landing, adoption-gate proof, controlled dissemination, active multi-agent control loops, and automated team lifecycle management. SCP is a governance layer for multi-team agent operation; it complements other coordination layers and `AGENTS.md` files where present. It sits above them after activation.
 
 ## Source Of Truth
 
 Master editable source:
 
-- the active canonical SCP skill directory for the local installation, normally `~/.agents/skills/sentinel-coordination-protocol/`.
+- the repository-distributed SCP protocol bundle, or an operator-declared canonical SCP skill source outside this public package.
 
-All other installed copies are synchronized runtime snapshots, not independent policy forks. Any agent modifying this skill must edit the master first, then propagate the full skill directory to the installed harness targets and verify matching hashes.
+All installed copies are synchronized runtime snapshots, not independent policy forks. Any agent modifying SCP policy must edit the declared source first, then propagate the full skill/protocol bundle to the installed harness targets and verify matching hashes.
 
-Use `scripts/sync-installations.sh` from the master directory after edits. Do not hand-edit a runtime copy under `~/.codex`, `~/.claude`, `~/.config/goose`, `~/.config/opencode`, `~/.opencode`, `~/.crush`, `~/.cursor`, `~/.kilocode`, `~/.openhands`, `~/.pi`, or `~/.zed` except as a temporary emergency patch that is immediately backported to the master and resynced.
+Use the operator-declared sync procedure after edits. Do not hand-edit generated runtime copies except as a temporary emergency patch that is immediately backported to the declared source and resynced.
 
-Portable curated skill/session records may live under the skill directory, for example `decisions/YYYY-MM-DD-<slug>.md` and optionally `CHANGELOG.md`. Raw evidence belongs under `.odin/local/audit/<session-id>/` or the declared `evidence_path`. Do not create empty folders just to satisfy policy; create `decisions/` only when writing the first curated decision record.
+Portable curated skill/session records may live under the declared source, for example `decisions/YYYY-MM-DD-<slug>.md` and optionally `CHANGELOG.md`. Raw audit evidence belongs under `.odin/audit/<session-id>/` or the declared `evidence_path`. Do not create empty folders just to satisfy policy; create `decisions/` only when writing the first curated decision record.
 
 ## Non-Negotiables
 
@@ -267,7 +272,7 @@ Team PMs and team ODINs may coordinate laterally when needed, but lateral messag
 
 ODINs must establish a lateral ODIN mesh at bootstrap. `A/EXEC-ODIN` and each `TEAM ODIN` must exchange a short introduction containing role, team, reports-to/coordinates-with chain, team composition, active agent occupants, model/harness/cost tier, known blockers, and next poll time. This is a meta-communication layer, not command authority.
 
-During active execution, `A/EXEC-ODIN` should run an ODIN round-robin health pass on a declared cadence, default 10 minutes unless the user or `EXEC PM` sets another cadence. The executive ODIN starts with its own executive-office health note, sends it to the first team ODIN, and instructs each team ODIN to append its short team composition/status/health note and forward to the next ODIN. The final team ODIN returns the appended packet to `A/EXEC-ODIN`. `A/EXEC-ODIN` compiles the packet, may ask `EXEC DISPATCH` / `SWITCHBOARD` for outstanding communication or waiting-agent notes, then sends a concise status report to `EXEC PM`.
+During active execution, `A/EXEC-ODIN` should run an ODIN round-robin health pass on a declared cadence, default 30 seconds unless the user or `EXEC PM` sets another cadence. The executive ODIN starts with its own executive-office health note, sends it to the first team ODIN, and instructs each team ODIN to append its short team composition/status/health note and forward to the next ODIN. The final team ODIN returns the appended packet to `A/EXEC-ODIN`. `A/EXEC-ODIN` compiles the packet, may ask `EXEC DISPATCH` / `SWITCHBOARD` for outstanding communication or waiting-agent notes, then sends a concise status report to `EXEC PM`.
 
 ODIN mesh reports must stay short by default and include: team, active occupants, provider/model/harness mix, blocked agents, permission waits, plan-mode/quota/provider failures, role breaches, delivery failures, outstanding relays, and recommended intervention. ODINs may request temporary secondment of another control-plane agent through `EXEC PM` when a PM/ODIN lane fails, but they must not directly reassign agents or expand topology without authorization.
 
@@ -660,7 +665,7 @@ If a control-plane pane begins product/source/test implementation, authors worke
 
 Editing canonical skills, adapters, runtime skill copies, sync scripts, lifecycle ledgers, branch state, or policy text is a control-plane governance mutation and requires `[SCP-CONTROL-PLANE-MUTATION]` before or with the mutation. ODIN/control-plane roles must not self-accept governance mutations they authored. Acceptance requires independent QA, user ratification, or explicitly named `EXEC PM` ratification after evidence review. An authorized control-plane mutation may be reported as implemented and validation complete, but remains pending ratification until the named ratifier accepts the evidence.
 
-Canonical SCP audit, research, ODIN, and control-plane outputs must be written under a durable governance path such as `.odin/local/audit/<audit-id>/` or another declared `evidence_path`. `/tmp` may be used for intermediate captures, cache, delivery-proof repair, or mirrors only. Before `[SCP-FINISH]`, any `/tmp` artifact used for a claim must be copied, summarized, hashed, or explicitly declared non-canonical in the durable audit ledger.
+Canonical SCP audit, research, ODIN, and control-plane outputs must be written under a durable governance path such as `.odin/audit/<audit-id>/` or another declared `evidence_path`. `/tmp` may be used for intermediate captures, cache, delivery-proof repair, or mirrors only. Before `[SCP-FINISH]`, any `/tmp` artifact used for a claim must be copied, summarized, hashed, or explicitly declared non-canonical in the durable audit ledger.
 
 `repo_clean` must not be used as shorthand for `governance_clean`. Governance-surface mutations outside the active repository require separate reporting: `external_skill_paths_touched`, `runtime_targets`, `hash_before_after_or_current_hash`, `sync_log_path`, `validation_command`, and `unsynced_or_dirty_runtime_paths`. A clean git worktree proves only the repository checkout state. It does not prove canonical skill, Codex skill, Claude skill, adapter, CMUX runtime, or `/tmp` artifact state.
 
@@ -694,7 +699,7 @@ Continuing past a HALT without remediation is itself a protocol breach. ODIN mus
 
 ### Health Escalation
 
-The ODIN mesh runs round-robin health checks per `odin_mesh.health_round_robin_minutes` (default 10). Per-agent escalation ladder:
+The ODIN mesh runs round-robin health checks per `odin_mesh.health_round_robin_seconds` (default 30). Per-agent escalation ladder:
 
 - **1 missed heartbeat** — warn the affected agent.
 - **2 missed heartbeats** — escalate to `A/EXEC-ODIN` via the mesh aggregator.
@@ -1410,7 +1415,7 @@ git diff --cached --name-status
 
 If upstream is not the declared branch authority, stop before mutation. If `HEAD` and `@{u}` differ for a branch-visible closure claim, stop before mutation.
 
-If excluded or out-of-scope debris appears, especially `project/planning/story-reviews/**`, runtime logs, holdout paths, design artifacts, external memory paths, or non-branchable paths, stop and require `EXEC PM` classification before lifecycle mutation or evidence verdict.
+If excluded or out-of-scope debris appears, especially private story-review planning paths, runtime logs, holdout paths, design artifacts, external memory paths, or non-branchable paths, stop and require `EXEC PM` classification before lifecycle mutation or evidence verdict.
 
 Before any `status: Done`, `PHASE: VERIFIED`, `VERDICT: PASS`, active-to-done move, commit, or push, run the slice/evidence validators required by the dispatch. At minimum for slice/evidence work:
 
@@ -1432,14 +1437,14 @@ If a closure/evidence hook fails after a lifecycle move or verdict attempt, mark
   - Read `00-SCP-protocol.md`, especially sections 0, 6, 7, 8, 10, 18, and 20.
 
 2. Land the package, but do not activate it.
-  - Canonical package path: `project/planning/org/agentic-executive-mgmt/`.
+  - Canonical package path: the operator-declared governance planning package path.
   - Package landing branch: use a deterministic ops branch unless the user supplies another branch.
   - Ledger branch: `ops/ledger` for `ledger.yaml`.
   - If branch topology is ambiguous or conflicts with current repo state, stop and ask the user.
 
 3. Create adoption-gate scaffolding.
-  - `project/planning/org/agentic-executive-mgmt/artifacts/adoption/adoption-gate.md`
-  - `project/planning/org/agentic-executive-mgmt/ledger.yaml`
+  - governance adoption gate artifact
+  - governance ledger artifact
   - `tools/agentic-executive-mgmt/audit/banned-phrases.txt`
   - `tools/agentic-executive-mgmt/qa-review/RUBRIC.md`
   - Other artifact directories required by the SCP package.

package/protocol/closeout.yaml

@@ -1,4 +1,10 @@
-version: 0.2.1
+version: 0.4.6
+active_watch_terminal_states:
+  - RELEASED_BY_OPERATOR
+  - HANDED_OFF
+  - PARKED_IDLE
+  - FAILED
+  - WATCH_UNSUPPORTED
 modes:
   PARK_FOR_CONTINUITY:
     description: Keep role slots open, park occupants, save handoffs, and preserve continuity.

package/protocol/delegation.yaml

@@ -1,4 +1,4 @@
-version: 0.3.0
+version: 0.4.6
 delegation_contract:
   required_fields:
     - receipt_type

package/protocol/model-profiles.yaml

@@ -1,7 +1,61 @@
-version: 0.2.1
+version: 0.4.6
 policy:
   semantics: Recommended starter profiles, not bundled dependencies or availability guarantees.
   runtime_requirement: Users must install and configure their own harnesses. Launchers must verify local harness/model availability before dispatch and apply fallbacks when unavailable.
+  governed_launch_probe_required: true
+  visible_output_timeout_seconds_default: 60
+  provisioning_prompt: Are all intended harnesses provisioned with accounts, plans, API keys, or local inference credentials so they will not malfunction when spun up?
+  zero_secret_output: true
+  secret_provider_status_only:
+    - Doppler
+    - 1Password CLI (op)
+    - environment variable names
+    - direnv
+    - mise
+    - dotenv-style file presence
+    - GitHub auth
+    - local provider config files
+  model_responsiveness_statuses:
+    - MODEL_READY
+    - MODEL_SLOW
+    - MODEL_STALLED
+    - MODEL_REASONING_ONLY
+    - STREAMING_PROTOCOL_MISMATCH
+    - MODEL_UNREACHABLE
+harness_capabilities:
+  Codex:
+    can_hydrate_deferred_mcp_tools_at_boot: true
+    native_skill_invocation: true
+    scp_skill_recommended: true
+  Claude Code:
+    can_hydrate_deferred_mcp_tools_at_boot: true
+    native_skill_invocation: true
+    scp_skill_recommended: true
+  Droid:
+    can_hydrate_deferred_mcp_tools_at_boot: true
+    native_skill_invocation: false
+    scp_skill_recommended: false
+  Goose:
+    local_inference_smoke_test_required: true
+    visible_content_required_within_seconds: 60
+    reasoning_content_only_class: MODEL_REASONING_ONLY
+    streaming_mismatch_class: STREAMING_PROTOCOL_MISMATCH
+  Crush:
+    permission_prompt_class: BLOCKED_BY_PERMISSION
+  OpenHands:
+    missing_inference_credentials_class: BLOCKED_BY_API_KEY
+    provider_config_blocker_class: AUTH_PROVIDER_BLOCKED
+  KiloCode:
+    login_commands:
+      - kilo auth login
+      - /connect
+    login_blocker_class: BLOCKED_BY_LOGIN
+  Pi:
+    role_compatibility_failure_class: ROLE_COMPATIBILITY_FAILED
+  Aider:
+    auth_probe_required: true
+  NanoCoder:
+    auth_probe_required: true
 profiles:
   A/EXEC-PM:
     model: GPT-5.5-class frontier reasoning model

package/protocol/receipts/boot-receipt.yaml

@@ -13,6 +13,42 @@ required_fields:
   - write_scope
   - evidence_path
   - current_task
+receipt_types:
+  - SCP_BOOT_RECEIPT
+  - SCP_MIN_BOOT_RECEIPT
+minimum_compatible_mcp_version: 0.4.5
+field_types:
+  role: string
+  authority_layer: string
+  team: string
+  terminal_locator: string
+  branch: string
+  cwd: string
+  model_harness: string
+  permission_mode: string
+  may_implement: boolean
+  may_qa_accept: boolean
+  reports_to: string
+  write_scope: string_array
+  evidence_path: string
+  current_task: string
+write_scope_policy:
+  empty_array_valid_for:
+    - no current write assignment
+    - may_implement false roles
+    - DEV roles in BOOTSTRAPPED_IDLE before assignment
+  null_policy: invalid; use [] for unassigned scope
+allowed_lifecycle_states:
+  - SURFACE_PROVISIONED
+  - BOOTSTRAPPED_IDLE
+  - ACTIVE_WATCH
+  - VACANT_ROLE_SLOT
+  - AGENT_SUBSTITUTION_REQUIRED
+  - RELEASED_BY_OPERATOR
+  - HANDED_OFF
+  - PARKED_IDLE
+  - FAILED
+  - WATCH_UNSUPPORTED
 recommended_fields:
   - upstream
   - head_sha
@@ -25,6 +61,12 @@ recommended_fields:
   - parent_surface_ref
   - column_index
   - team_letter
+  - lifecycle_state
+  - mcp_version
+  - scp_context_source
+receipt_type_policy:
+  SCP_BOOT_RECEIPT: full governed occupant receipt after role/context/readiness are known
+  SCP_MIN_BOOT_RECEIPT: minimal bootstrap-only receipt for orientation or pre-dispatch identity proof
 staffing_audit:
   description: >-
     For any role outside the executive office (team != "A"), the boot receipt

package/protocol/receipts/team-manifest.yaml

@@ -7,3 +7,44 @@ required_fields:
   - model_profile
   - handoff_sources
   - startup_objectives
+role_slot_schema:
+  required_fields:
+    - role_slot
+    - harness
+    - readiness_status
+    - layout_locator
+    - scp_context_source
+  layout_locator_fields:
+    - workspace
+    - pane
+    - surface
+  readiness_statuses:
+    - PASS
+    - FAIL
+    - WAIVED_BY_EXEC_PM
+    - SUBSTITUTION_APPROVED_BY_EXEC_PM
+    - NON_GOVERNED_ONE_SHOT_ONLY
+    - VACANT_ROLE_SLOT
+watcher_assignments:
+  A/EXEC-ODIN:
+    watches:
+      - executive_office
+      - team_odins
+      - cross_team_drift
+      - missing_receipts
+      - stale_proof
+  TEAM_ODIN:
+    watches:
+      - own_team_pm
+      - own_dev_slots
+      - own_qa_slots
+      - own_shadow_slots
+  A/EXEC-ASST:
+    may_maintain:
+      - delivery_proof_ledger
+      - heartbeat_ledger
+minimum_compatible_mcp_version: 0.4.5
+scp_context_sources:
+  - native sentinel-coordination-protocol skill
+  - odin-sentinel MCP at or above minimum version
+  - full injected SCP protocol text

package/protocol/roles.yaml

@@ -1,10 +1,13 @@
-version: 0.3.0
+version: 0.4.6
 roles:
   EXEC_PM:
     title: EXEC PM
     layer: executive
     may_implement_default: false
     may_qa_accept_default: false
+    must_actively_watch: false
+    may_intervene: false
+    authority_layer: executive
     purpose: Intent, priority, authorization, escalation, and claim framing.
     authority:
       sole_staffing_authority:
@@ -38,6 +41,28 @@ roles:
     layer: meta_control
     may_implement_default: false
     may_qa_accept_default: false
+    must_actively_watch: true
+    may_intervene: true
+    authority_layer: meta_control
+    normal_successor_state_after_receipt: ACTIVE_WATCH
+    watch_contract:
+      default_poll_interval_seconds: 30
+      watch_warn_after_seconds: 300
+      stalled_after_seconds: 600
+      watches:
+        - executive_office_health
+        - team_odin_health
+        - cross_team_drift
+        - stale_proof
+        - blocked_panes
+        - context_exhaustion
+        - missing_receipts
+      may_inject_corrective_prompts: true
+      forbidden:
+        - implement product work
+        - QA-accept work
+        - route business priorities
+        - override EXEC PM launch/activation authority
     purpose: Governance health, polling, delivery proof, role boundaries, and closeout hygiene.
     authority:
       intervention_authority:
@@ -80,24 +105,36 @@ roles:
     layer: executive_support
     may_implement_default: false
     may_qa_accept_default: false
+    must_actively_watch: false
+    may_intervene: false
+    authority_layer: executive_support
     purpose: Ledger, reminders, pane inventory, artifact index, and delivery checks.
   EXEC_RSCH:
     title: EXEC RSCH
     layer: research
     may_implement_default: false
     may_qa_accept_default: false
+    must_actively_watch: false
+    may_intervene: false
+    authority_layer: research
     purpose: Read-only strategy, alternatives, context recovery, and risk analysis.
   EXEC_QA:
     title: EXEC QA
     layer: quality
     may_implement_default: false
     may_qa_accept_default: true
+    must_actively_watch: false
+    may_intervene: false
+    authority_layer: quality
     purpose: Independent adversarial audit of process, evidence, closure language, and drift.
   TEAM_PM:
     title: TEAM PM
     layer: pod_control
     may_implement_default: false
     may_qa_accept_default: false
+    must_actively_watch: false
+    may_intervene: false
+    authority_layer: pod_control
     purpose: Pod task routing, worker activation, and reporting.
     forbidden_actions:
       - spawn agents on own pod or any other pod
@@ -118,6 +155,28 @@ roles:
     layer: meta_control
     may_implement_default: false
     may_qa_accept_default: false
+    must_actively_watch: true
+    may_intervene: true
+    authority_layer: meta_control
+    normal_successor_state_after_receipt: ACTIVE_WATCH
+    watch_contract:
+      default_poll_interval_seconds: 30
+      watch_warn_after_seconds: 300
+      stalled_after_seconds: 600
+      watches:
+        - own_team_pm
+        - own_dev_slots
+        - own_qa_slots
+        - own_shadow_slots
+      reports_to:
+        - own TEAM PM
+        - A/EXEC-ODIN
+      may_inject_corrective_prompts: true
+      forbidden:
+        - implement product work
+        - QA-accept work
+        - route business priorities
+        - override EXEC PM launch/activation authority
     purpose: Pod health monitoring, polling, blockers, freezes, and lateral ODIN mesh awareness.
     authority:
       intervention_authority:
@@ -152,16 +211,25 @@ roles:
     layer: implementation
     may_implement_default: true
     may_qa_accept_default: false
+    must_actively_watch: false
+    may_intervene: false
+    authority_layer: implementation
     purpose: Bounded implementation inside exact write scope with evidence.
   QA_WORKER:
     title: QA WORKER
     layer: quality
     may_implement_default: false
     may_qa_accept_default: true
+    must_actively_watch: false
+    may_intervene: false
+    authority_layer: quality
     purpose: Independent verification of worker evidence and acceptance criteria.
   SHADOW_REVIEWER:
     title: SHADOW REVIEWER
     layer: review
     may_implement_default: false
     may_qa_accept_default: false
+    must_actively_watch: false
+    may_intervene: false
+    authority_layer: review
     purpose: Independent critique, risk surfacing, and second-pass review.

package/protocol/topology.yaml

@@ -1,4 +1,4 @@
-version: 0.3.0
+version: 0.4.6
 default_topology:
   executive_office:
     team: A
@@ -18,39 +18,81 @@ default_topology:
   fresh_repo_default_pods: 1
   odin_mesh:
     bootstrap_identity_exchange: true
-    health_round_robin_minutes: 10
+    health_round_robin_seconds: 30
     aggregator: A/EXEC-ODIN
-surface_layout:
-  description: >-
-    Canonical CMUX surface layout rule for EXEC PM. Teams arrive as letters
-    (Team A is executive; Team B onward are development pods). Columns are
-    equal width. Surfaces stack vertically inside a column with at most two
-    surfaces per column. Team A always occupies column 0. When the team count
-    is odd and at least 3, column 0 holds only Team A (the "tall column").
-  rules:
-    max_surfaces_per_column: 2
-    column_widths: equal
-    exec_team_column: 0
-    tall_column_when_odd_team: A
-  custodianship:
-    sole_custodian: A/EXEC-PM
-    includes:
-      - cmux new-split
-      - cmux new-surface
-      - cmux move-surface
-      - cmux close-surface
-  pre_staffing_gate: >-
-    Before adding any agent beyond A/EXEC, EXEC PM must (1) call
-    odin.compute_surface_layout for teamCount=N+1, (2) execute the splits
-    required to reach that layout via cmux, (3) confirm each new surface
-    is empty and addressable via cmux list-pane-surfaces, and only then
-    (4) dispatch the spawn to the newly created surface.
-  reference_layouts:
-    teams_1: "[A]"
-    teams_2: "[A] [B]"
-    teams_3: "[A] [B/C]"
-    teams_4: "[A/D] [B/C]"
-    teams_5: "[A] [B/C] [D/E]"
-    teams_6: "[A/F] [B/C] [D/E]"
-    teams_7: "[A] [B/C] [D/E] [F/G]"
-    teams_8: "[A/H] [B/C] [D/E] [F/G]"
+  launch_phases:
+    - SURFACE_PROVISIONED
+    - OCCUPANT_READINESS
+    - OCCUPANT_LAUNCH
+    - BOOT_RECEIPT_VALIDATION
+    - TEAM_ACTIVATION
+    - ACTIVE_WATCH
+  readiness_gate:
+    minimum_mcp_version: 0.4.5
+    cmux_required_for_governed_team: true
+    occupant_launch_allowed_when:
+      - PASS
+      - WAIVED_BY_EXEC_PM
+      - SUBSTITUTION_APPROVED_BY_EXEC_PM
+    team_activation_allowed_states:
+      - BOOTSTRAPPED_IDLE
+      - ACTIVE_WATCH
+      - VACANT_ROLE_SLOT
+      - AGENT_SUBSTITUTION_REQUIRED
+    safe_auth_failure_outcomes:
+      - choose a different harness
+      - receive setup guidance without pasting secrets
+      - mark slot VACANT_ROLE_SLOT
+      - request EXEC PM-approved substitution
+  surface_layout:
+    description: >-
+      Canonical CMUX surface layout rule for EXEC PM. Governed team bootstrap
+      uses human_cmux_quad by default: one CMUX workspace with four panes/regions
+      (executive office, Team B pod, Team C pod, blockers/status/intake).
+      Legacy columns remain available for compatibility but tab-only layout is
+      degraded unless explicitly approved.
+    canonical_profile: human_cmux_quad
+    human_cmux_quad:
+      workspace_policy: A/EXEC-PM remains in the same CMUX workspace as all governed teams
+      quadrants:
+        A: executive office
+        B: Team B pod
+        C: Team C pod
+        D: blockers/status/intake or overflow
+      empty_role_slots_before_launch: true
+      reject_tab_only_unless_degraded_mode_approved: true
+      reject_split_workspace_without_routing_proof: true
+      no_cmux_governed_status: NOT_GOVERNED_NO_CMUX
+    legacy_columns:
+      description: >-
+        Teams arrive as letters (Team A is executive; Team B onward are
+        development pods). Columns are equal width. Surfaces stack vertically
+        inside a column with at most two surfaces per column. Team A always
+        occupies column 0.
+    rules:
+      max_surfaces_per_column: 2
+      column_widths: equal
+      exec_team_column: 0
+      tall_column_when_odd_team: A
+    custodianship:
+      sole_custodian: A/EXEC-PM
+      includes:
+        - cmux new-split
+        - cmux new-surface
+        - cmux move-surface
+        - cmux close-surface
+    pre_staffing_gate: >-
+      Before adding any agent beyond A/EXEC, EXEC PM must (1) call
+      odin.compute_surface_layout for teamCount=N+1, (2) execute the splits
+      required to reach that layout via cmux, (3) confirm each new surface
+      is empty and addressable via cmux list-pane-surfaces, and only then
+      (4) dispatch the spawn to the newly created surface.
+    reference_layouts:
+      teams_1: "[A]"
+      teams_2: "[A] [B]"
+      teams_3: "[A] [B/C]"
+      teams_4: "[A/D] [B/C]"
+      teams_5: "[A] [B/C] [D/E]"
+      teams_6: "[A/F] [B/C] [D/E]"
+      teams_7: "[A] [B/C] [D/E] [F/G]"
+      teams_8: "[A/H] [B/C] [D/E] [F/G]"

package/scripts/audit/public-surface.mjs

@@ -1,6 +1,22 @@
 import { execFileSync } from "node:child_process";
 import { readdirSync, readFileSync, statSync } from "node:fs";
 import { join } from "node:path";
+import { pathToFileURL } from "node:url";
+
+const PUBLIC_ROOTS = [
+  "README.md",
+  "AGENTS.md",
+  "CLAUDE.md",
+  "LICENSE",
+  "package.json",
+  "docs/",
+  "protocol/",
+  "templates/",
+  "plugins/",
+  "scripts/audit/"
+];
+
+const EXCLUDED_PREFIXES = [".git/", "dist/", "node_modules/", "project/" + "planning" + "/", "." + "edge-" + "agentic" + "/local/", "tests/"];
 
 function walk(dir) {
   return readdirSync(dir).flatMap((entry) => {
@@ -11,6 +27,11 @@ function walk(dir) {
   });
 }
 
+export function isPublicAuditFile(file) {
+  if (EXCLUDED_PREFIXES.some((prefix) => file.startsWith(prefix))) return false;
+  return PUBLIC_ROOTS.some((root) => file === root || file.startsWith(root));
+}
+
 function filesToAudit() {
   try {
     const tracked = execFileSync("git", ["ls-files"], {
@@ -25,19 +46,16 @@ function filesToAudit() {
     return `${tracked}\n${untracked}`
       .split("\n")
       .filter(Boolean)
-      .filter((file) => !file.startsWith("pnpm-lock.yaml"));
+      .filter((file) => file !== "pnpm-lock.yaml")
+      .filter(isPublicAuditFile);
   } catch {
-    return walk(".");
+    return walk(".").filter(isPublicAuditFile);
   }
 }
 
-const publicFiles = filesToAudit();
-
-// Install and protocol documentation legitimately references agent harness
-// config directories and tilde home paths. The path-style rules below skip
-// these files; the rest of the rules still apply.
 const BUNDLED_DOC = new Set([
   "README.md",
+  "docs/guides/quickstart-prompts.md",
   "protocol/bootstrap-" + "sk" + "ill.md",
   "plugins/sentinel-coordination-protocol/" + "sk" + "ills/sentinel-coordination-protocol/SK" + "ILL.md"
 ]);
@@ -46,7 +64,9 @@ const forbidden = [
   { name: "macOS home path", pattern: new RegExp(`/${"Users"}/[A-Za-z0-9._-]+/`) },
   { name: "Linux home path", pattern: /\/home\/[A-Za-z0-9._-]+\// },
   { name: "tilde home path", pattern: /~\//, exemptFiles: BUNDLED_DOC },
-  { name: "local agent config path", pattern: new RegExp(`\\.${"codex"}|\\.${"claude"}|\\.${"agents"}`, "i"), exemptFiles: BUNDLED_DOC },
+  { name: "local agent config path", pattern: new RegExp(`\\.(?:${"codex"}|${"claude"}|${"agents"})(?:/|$)`, "i"), exemptFiles: BUNDLED_DOC },
+  { name: "local evidence path", pattern: new RegExp(`\\.${"edge-" + "agentic"}/local`, "i") },
+  { name: "private planning path", pattern: new RegExp(`project/${"planning"}/`, "i") },
   {
     name: "private project or account marker",
     pattern: new RegExp(
@@ -57,20 +77,29 @@ const forbidden = [
   { name: "secret-looking assignment", pattern: /(api[_-]?key|secret|token|password)\s*[:=]\s*["'][^"']+["']/i }
 ];
 
-const findings = [];
-
-for (const file of publicFiles) {
-  const text = readFileSync(file, "utf8");
-  for (const rule of forbidden) {
-    if (rule.exemptFiles?.has(file)) continue;
-    if (rule.pattern.test(text)) {
-      findings.push(`${file}: ${rule.name}`);
+export function auditPublicSurface(fileTextByPath) {
+  const findings = [];
+  for (const [file, text] of Object.entries(fileTextByPath)) {
+    if (!isPublicAuditFile(file)) continue;
+    for (const rule of forbidden) {
+      if (rule.exemptFiles?.has(file)) continue;
+      if (rule.pattern.test(text)) findings.push(`${file}: ${rule.name}`);
     }
   }
+  return findings;
 }
 
-if (findings.length > 0) {
-  throw new Error(`Public surface audit failed:\n${findings.join("\n")}`);
+export function main() {
+  const publicFiles = filesToAudit();
+  const findings = auditPublicSurface(Object.fromEntries(publicFiles.map((file) => [file, readFileSync(file, "utf8")])));
+
+  if (findings.length > 0) {
+    throw new Error(`Public surface audit failed:\n${findings.join("\n")}`);
+  }
+
+  console.log(`Public surface audit PASS: ${publicFiles.length} files checked`);
 }
 
-console.log(`Public surface audit PASS: ${publicFiles.length} files checked`);
+if (process.argv[1] && import.meta.url === pathToFileURL(process.argv[1]).href) {
+  main();
+}