@cyanautomation/kaseki-agent 1.64.0 → 1.64.1

package/kaseki-agent.sh

@@ -470,143 +470,15 @@ validate_scouting_artifact_with_node() {
   local final_artifact="$2"
   local validation_error_file="$3"
 
-  # shellcheck disable=SC2016
-  node -e '
-const fs = require("node:fs");
-const input = process.argv[1];
-const output = process.argv[2];
-const errorLog = process.argv[3];
-const jsonlLog = "/results/scouting-validation-errors.jsonl";
-
-function actualType(value) {
-  if (value === null) return "null";
-  if (Array.isArray(value)) return "array";
-  return typeof value;
-}
-
-function appendValidationFailure(reasonCode, error) {
-  fs.appendFileSync(jsonlLog, JSON.stringify({
-    timestamp: new Date().toISOString(),
-    reason_code: reasonCode,
-    ...error,
-  }) + "\n");
-}
-
-function summarize(errors) {
-  const critical = errors.filter((error) => error.severity === "critical").length;
-  const warning = errors.filter((error) => error.severity === "warning").length;
-  const counts = [];
-  if (critical) counts.push(`${critical} critical`);
-  if (warning) counts.push(`${warning} warning`);
-  const fields = errors.slice(0, 2).map((error) => error.field).join(", ");
-  const suffix = errors.length > 2 ? `, +${errors.length - 2} more` : "";
-  return `${counts.join(", ")} scouting validation ${errors.length === 1 ? "error" : "errors"}: ${fields}${suffix}`;
-}
-
-let artifact;
-try {
-  artifact = JSON.parse(fs.readFileSync(input, "utf8"));
-} catch (err) {
-  const reasonCode = "malformed_json";
-  const error = {
-    field: "root",
-    expected: "exactly one valid JSON object",
-    actual: err && err.message ? String(err.message) : "JSON parse failed",
-    severity: "critical",
-    suggestion: "ensure exactly one valid JSON object is written to /results/scouting-candidate.json",
-  };
-  appendValidationFailure(reasonCode, error);
-  fs.writeFileSync(errorLog, JSON.stringify({
-    reason_code: reasonCode,
-    details: summarize([error]),
-    errors: [error],
-  }) + "\n");
-  process.exit(1);
+  node "$SCOUTING_ALLOWLIST_HELPER" validate \
+    "$candidate_artifact" \
+    "$final_artifact" \
+    "$validation_error_file" \
+    "/results/scouting-validation-errors.jsonl" \
+    >/dev/null \
+    2>> /results/scouting-stderr.log
 }
 
-const errors = [];
-const addError = (field, expected, actual, severity, suggestion) => {
-  errors.push({ field, expected, actual, severity, suggestion });
-};
-const arrayKeys = ["requirements", "relevant_files", "observations", "plan", "validation", "risks", "test_impact"];
-
-if (!artifact || Array.isArray(artifact) || typeof artifact !== "object") {
-  addError("root", "object", actualType(artifact), "critical", "Scouting artifact must be a JSON object, not an array/null/primitive");
-} else {
-  if (typeof artifact.task !== "string" || !artifact.task.trim()) {
-    addError("task", "non-empty string", typeof artifact.task === "string" ? "empty string" : actualType(artifact.task), "critical", "task must be a non-empty string describing the requested work");
-  }
-  for (const key of arrayKeys) {
-    if (!Array.isArray(artifact[key])) {
-      addError(key, "array", actualType(artifact[key]), "critical", `${key} must be an array in the scouting handoff`);
-    }
-  }
-  if (Array.isArray(artifact.relevant_files)) {
-    artifact.relevant_files.forEach((item, index) => {
-      if (!item || typeof item.path !== "string" || typeof item.reason !== "string") {
-        addError(`relevant_files[${index}]`, "object with string path and string reason", actualType(item), "warning", "Each relevant_files entry must include path and reason strings");
-      }
-    });
-  }
-  if (Array.isArray(artifact.test_impact)) {
-    artifact.test_impact.forEach((item, index) => {
-      if (!item || typeof item.path !== "string" || !item.path.trim() || typeof item.reason !== "string" || !item.reason.trim()) {
-        addError(`test_impact[${index}]`, "object with non-empty string path and non-empty string reason", actualType(item), "critical", "Each test_impact entry must include the impacted test path and expectation reason strings");
-      }
-      // Validate optional test_examples field
-      if (item.test_examples !== undefined) {
-        if (!Array.isArray(item.test_examples)) {
-          addError(`test_impact[${index}].test_examples`, "array of example objects or undefined", actualType(item.test_examples), "warning", "test_examples must be an array of objects with type, pattern, description, before, and after fields");
-        } else {
-          item.test_examples.forEach((example, exIdx) => {
-            if (!example || typeof example !== "object" || !["added_assertion", "modified_assertion", "added_test_case", "added_pattern"].includes(example.type)) {
-              addError(`test_impact[${index}].test_examples[${exIdx}].type`, "added_assertion|modified_assertion|added_test_case|added_pattern", actualType(example && example.type), "warning", "Each test_example must have a valid type");
-            }
-            if (!example || typeof example.pattern !== "string") {
-              addError(`test_impact[${index}].test_examples[${exIdx}].pattern`, "string", actualType(example && example.pattern), "warning", "Each test_example must have a pattern string");
-            }
-            if (!example || typeof example.before !== "string" || typeof example.after !== "string") {
-              addError(`test_impact[${index}].test_examples[${exIdx}]`, "before and after strings", "missing or invalid", "warning", "Each test_example must have before and after code snippets");
-            }
-          });
-        }
-      }
-    });
-  }
-
-  // Validate suggested_allowlist (optional but if present, must be valid)
-  if (artifact.suggested_allowlist) {
-    if (typeof artifact.suggested_allowlist !== "object" || Array.isArray(artifact.suggested_allowlist)) {
-      addError("suggested_allowlist", "object", actualType(artifact.suggested_allowlist), "warning", "suggested_allowlist must be an object with agent_patterns and validation_patterns arrays");
-    } else {
-      if (!Array.isArray(artifact.suggested_allowlist.agent_patterns)) {
-        addError("suggested_allowlist.agent_patterns", "array of strings", actualType(artifact.suggested_allowlist.agent_patterns), "warning", "agent_patterns must be an array of glob pattern strings");
-      } else if (!artifact.suggested_allowlist.agent_patterns.every((p) => typeof p === "string")) {
-        addError("suggested_allowlist.agent_patterns", "array of strings", "array with non-strings", "warning", "All agent_patterns entries must be strings");
-      }
-      if (!Array.isArray(artifact.suggested_allowlist.validation_patterns)) {
-        addError("suggested_allowlist.validation_patterns", "array of strings", actualType(artifact.suggested_allowlist.validation_patterns), "warning", "validation_patterns must be an array of glob pattern strings");
-      } else if (!artifact.suggested_allowlist.validation_patterns.every((p) => typeof p === "string")) {
-        addError("suggested_allowlist.validation_patterns", "array of strings", "array with non-strings", "warning", "All validation_patterns entries must be strings");
-      }
-    }
-  }
-}
-
-if (errors.length) {
-  const onlyTaskMissing = errors.length === 1 && errors[0].field === "task";
-  const reasonCode = onlyTaskMissing ? "missing_required_fields" : "schema_mismatch";
-  for (const error of errors) appendValidationFailure(reasonCode, error);
-  fs.writeFileSync(errorLog, JSON.stringify({
-    reason_code: reasonCode,
-    details: summarize(errors),
-    errors,
-  }) + "\n");
-  process.exit(1);
-}
-fs.writeFileSync(output, JSON.stringify(artifact, null, 2) + "\n");
-' "$candidate_artifact" "$final_artifact" "$validation_error_file" 2>> /results/scouting-stderr.log
-}
 # Validate scouting artifact and emit structured reason code
 validate_scouting_artifact() {
   local candidate_artifact="$1"
@@ -1258,52 +1130,58 @@ run_expectation_mismatch_detector() {
   fi
 }
 
+resolve_allowlist_helper() {
+  local script_dir="$1"
+  local script_relative_helper="$script_dir/scripts/allowlist-helper.sh"
+  local fallback_helper="${KASEKI_ALLOWLIST_HELPER_FALLBACK:-/app/scripts/allowlist-helper.sh}"
+
+  if [ -r "$script_relative_helper" ]; then
+    printf '%s\n' "$script_relative_helper"
+    return 0
+  fi
+
+  if [ -r "$fallback_helper" ]; then
+    printf '%s\n' "$fallback_helper"
+    return 0
+  fi
+
+  printf 'ERROR: Allowlist helper is not readable. Expected packaged helper at %s or fallback helper at %s. This worker image or mounted template is incomplete; rebuild the image or restore scripts/allowlist-helper.sh.\n' \
+    "$script_relative_helper" \
+    "$fallback_helper" >&2
+  return 66
+}
+
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-ALLOWLIST_HELPER="$SCRIPT_DIR/scripts/allowlist-helper.sh"
-if [ ! -r "$ALLOWLIST_HELPER" ] && [ -r /app/scripts/allowlist-helper.sh ]; then
-  ALLOWLIST_HELPER="/app/scripts/allowlist-helper.sh"
+ALLOWLIST_HELPER="$(resolve_allowlist_helper "$SCRIPT_DIR")"
+allowlist_helper_status=$?
+if [ "$allowlist_helper_status" -ne 0 ]; then
+  exit "$allowlist_helper_status"
+fi
+SCOUTING_ALLOWLIST_HELPER="$SCRIPT_DIR/scripts/scouting-allowlist.js"
+if [ ! -r "$SCOUTING_ALLOWLIST_HELPER" ] && [ -r /app/scripts/scouting-allowlist.js ]; then
+  SCOUTING_ALLOWLIST_HELPER="/app/scripts/scouting-allowlist.js"
 fi
 # shellcheck source=scripts/allowlist-helper.sh
 . "$ALLOWLIST_HELPER"
+if [ "${KASEKI_AGENT_HELPER_RESOLUTION_CHECK:-0}" = "1" ]; then
+  build_allowlist_regex "${KASEKI_CHANGED_FILES_ALLOWLIST:-}" >/dev/null
+  printf 'allowlist_helper=%s\n' "$ALLOWLIST_HELPER"
+  exit 0
+fi
 
 derive_allowlist_from_scouting() {
-  local scouting_artifact agent_patterns validation_patterns
+  local scouting_artifact
   scouting_artifact="${1:?missing scouting artifact path}"
-  
+
   if [ ! -f "$scouting_artifact" ]; then
     printf 'derive_allowlist_from_scouting: scouting artifact not found: %s\n' "$scouting_artifact" >&2
     return 1
   fi
-  
-  # Extract patterns from scouting.json
-  agent_patterns="$(node -e "
-    try {
-      const fs = require('node:fs');
-      const artifact = JSON.parse(fs.readFileSync(process.argv[1], 'utf8'));
-      if (artifact && artifact.suggested_allowlist && Array.isArray(artifact.suggested_allowlist.agent_patterns)) {
-        console.log(artifact.suggested_allowlist.agent_patterns.join(' '));
-      }
-    } catch (e) {
-      console.error('Error parsing scouting artifact:', e.message);
-    }
-  " "$scouting_artifact" 2>/dev/null)"
-  
-  validation_patterns="$(node -e "
-    try {
-      const fs = require('node:fs');
-      const artifact = JSON.parse(fs.readFileSync(process.argv[1], 'utf8'));
-      if (artifact && artifact.suggested_allowlist && Array.isArray(artifact.suggested_allowlist.validation_patterns)) {
-        console.log(artifact.suggested_allowlist.validation_patterns.join(' '));
-      }
-    } catch (e) {
-      console.error('Error parsing scouting artifact:', e.message);
-    }
-  " "$scouting_artifact" 2>/dev/null)"
-  
-  printf '%s\n' "$agent_patterns"
-  printf '%s\n' "$validation_patterns"
+
+  node "$SCOUTING_ALLOWLIST_HELPER" derive "$scouting_artifact"
 }
 
+
 validate_allowlist_patterns() {
   local patterns_str test_regex
   patterns_str="${1:-}"
@@ -4542,6 +4420,14 @@ Determine if the agent successfully met the requirements specified in the goal-s
 
 For each dimension, provide evidence by citing specific file locations, test names, or validation results.
 
+## Success Criteria Assessment Contract
+
+Use this contract when reading the goal-setting artifact:
+
+- GOAL_CHECK_CONTRACT_PER_CRITERION_SMART: Assess each success criterion or acceptance criterion independently against all five SMART dimensions (Specific, Measurable, Achievable, Relevant, Time-bound), not just the overall goal.
+- GOAL_CHECK_CONTRACT_EVIDENCE_REQUIRED: For every met or unmet criterion assessment, cite concrete evidence from the diff, changed files, tests, validation results, or other listed artifacts.
+- GOAL_CHECK_CONTRACT_MEASURABLE_ACCEPTANCE_CRITERIA: Treat measurable acceptance criteria as observable pass/fail conditions; flag vague goals or intent statements as insufficient unless the implementation evidence maps them to concrete, verifiable outcomes.
+
 ## Evidence Requirements
 
 Evidence must be SPECIFIC and VERIFIABLE. Reference concrete artifacts:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyanautomation/kaseki-agent",
-  "version": "1.64.0",
+  "version": "1.64.1",
   "description": "Admin/helper/doctor toolbox and local API client for Kaseki diagnostics, setup, and API-backed coding-agent task workflows",
   "type": "module",
   "license": "MIT",

package/scripts/collect-feedback.js

@@ -8,9 +8,10 @@
  *   node collect-feedback.js run-evaluation <instance_name> <run_evaluation_json> <metadata_json>
  */
 
-const fs = require('fs');
+import fs from 'node:fs';
+import { fileURLToPath } from 'node:url';
 
-function parseJson(filePath) {
+export function parseJson(filePath) {
   try {
     if (!filePath || !fs.existsSync(filePath)) {
       return {};
@@ -22,7 +23,7 @@ function parseJson(filePath) {
   }
 }
 
-function collectGoalCheckFeedback(instanceName, goalSettingPath, goalCheckPath, metadataPath) {
+export function collectGoalCheckFeedback(instanceName, goalSettingPath, goalCheckPath, metadataPath) {
   const goalSetting = parseJson(goalSettingPath);
   const goalCheck = parseJson(goalCheckPath);
   const metadata = parseJson(metadataPath);
@@ -67,7 +68,7 @@ function collectGoalCheckFeedback(instanceName, goalSettingPath, goalCheckPath,
   return feedback;
 }
 
-function collectRunEvaluationFeedback(instanceName, runEvaluationPath, metadataPath) {
+export function collectRunEvaluationFeedback(instanceName, runEvaluationPath, metadataPath) {
   const runEvaluation = parseJson(runEvaluationPath);
   const metadata = parseJson(metadataPath);
 
@@ -88,7 +89,7 @@ function collectRunEvaluationFeedback(instanceName, runEvaluationPath, metadataP
   return feedback;
 }
 
-function extractOutcomes(metadata) {
+export function extractOutcomes(metadata) {
   return {
     validation_passed: metadata.validation_passed === true,
     coding_attempts: metadata.coding_attempts || 1,
@@ -97,7 +98,7 @@ function extractOutcomes(metadata) {
   };
 }
 
-function computeCorrelationNotes(qualityScore, verdict, outcomes) {
+export function computeCorrelationNotes(qualityScore, verdict, outcomes) {
   const notes = [];
 
   if (qualityScore >= 85 && !verdict.met) {
@@ -116,14 +117,14 @@ function computeCorrelationNotes(qualityScore, verdict, outcomes) {
   return notes;
 }
 
-function parseStageValues(stageValues) {
+export function parseStageValues(stageValues) {
   return stageValues.map((s) => ({
     stage: s.stage || 'unknown',
     value: s.value || 'unknown',
   }));
 }
 
-function parseImprovements(improvements) {
+export function parseImprovements(improvements) {
   return improvements.map((imp) => ({
     category: imp.category || 'unknown',
     priority: imp.priority || 'medium',
@@ -164,4 +165,6 @@ function main() {
   console.log(JSON.stringify(feedback));
 }
 
-main();
+if (process.argv[1] && fileURLToPath(import.meta.url) === process.argv[1]) {
+  main();
+}

package/scripts/kaseki-setup-host.sh

@@ -256,29 +256,46 @@ run_checkout_freshness_probe() {
   # Phase 4: Use parallel privilege tool testing when running as root
   # Runs setpriv, runuser, and sudo in parallel; returns on first success
   # This reduces probe time from ~6 seconds (sequential 3×2s timeouts) to ~2 seconds (first success)
+  local probe_exit_status=0
   if [ "$(id -u)" -eq "$KASEKI_CONTAINER_UID" ] && [ "$(id -g)" -eq "$KASEKI_CONTAINER_GID" ]; then
-    "${probe_command[@]}" >/dev/null 2>"$stderr_file" || true
+    if "${probe_command[@]}" >/dev/null 2>"$stderr_file"; then
+      probe_exit_status=0
+    else
+      probe_exit_status=$?
+    fi
   elif [ "$(id -u)" -eq 0 ]; then
     # Phase 4: Parallel privilege tool testing
-    run_privilege_tools_parallel "$checkout_dir" "$stderr_file" "$resolved_user_name" "$resolved_group_name" "${probe_command[@]}" || true
+    if run_privilege_tools_parallel "$checkout_dir" "$stderr_file" "$resolved_user_name" "$resolved_group_name" "${probe_command[@]}"; then
+      probe_exit_status=0
+    else
+      probe_exit_status=$?
+    fi
   else
-    "${probe_command[@]}" >/dev/null 2>"$stderr_file" || true
+    if "${probe_command[@]}" >/dev/null 2>"$stderr_file"; then
+      probe_exit_status=0
+    else
+      probe_exit_status=$?
+    fi
   fi
 
-  if [ -s "$stderr_file" ]; then
+  if [ "$probe_exit_status" -eq 0 ]; then
+    probe_status="ok"
+    probe_detail="Checkout freshness probe passed for ${checkout_dir} as UID:GID ${KASEKI_CONTAINER_UID}:${KASEKI_CONTAINER_GID}."
+  else
     probe_status="failed"
     local stderr_tail
-    stderr_tail="$(tail -n 1 "$stderr_file" | tr -d '\r')"
-    if printf '%s' "$stderr_tail" | grep -Eiq 'unknown user|unknown group|no passwd entry|user .* does not exist|group .* does not exist|sudo: .*unknown|sudo: .*invalid|runuser: .*does not exist|runuser: user .* does not exist|runuser: group .* does not exist|unable to initialize policy plugin|unable to set user context|timed out'; then
-      probe_detail="Checkout freshness probe failed: probe could not impersonate UID:GID ${KASEKI_CONTAINER_UID}:${KASEKI_CONTAINER_GID} due to host user/group mapping, privilege-tool configuration issue, or timeout: ${stderr_tail}"
-      probe_remediation="Configure a valid host method to run commands as UID:GID ${KASEKI_CONTAINER_UID}:${KASEKI_CONTAINER_GID} (or ensure passwd/group mappings exist for that UID/GID), then rerun ./scripts/kaseki-setup-host.sh --fix. If the issue is timeout, try increasing KASEKI_PRIV_TOOL_TIMEOUT."
+    if [ -s "$stderr_file" ]; then
+      stderr_tail="$(tail -n 1 "$stderr_file" | tr -d '\r')"
+    else
+      stderr_tail="probe command exited with status ${probe_exit_status} without stderr output"
+    fi
+    if printf '%s' "$stderr_tail" | grep -Eiq 'unknown user|unknown group|no passwd entry|user .* does not exist|group .* does not exist|sudo: .*unknown|sudo: .*invalid|runuser: .*does not exist|runuser: user .* does not exist|runuser: group .* does not exist|unable to initialize policy plugin|error initializing audit plugin|sudoers_audit|unable to set user context|timed out|no usable privilege tool'; then
+      probe_detail="Checkout freshness probe failed: probe could not impersonate UID:GID ${KASEKI_CONTAINER_UID}:${KASEKI_CONTAINER_GID} due to host user/group mapping, host privilege-tool configuration (including sudo policy/audit plugins), or timeout: ${stderr_tail}"
+      probe_remediation="Fix host privilege-tool configuration for sudo/policy/audit plugins (for example sudoers_audit), or configure another valid host method to run commands as UID:GID ${KASEKI_CONTAINER_UID}:${KASEKI_CONTAINER_GID} (and ensure passwd/group mappings exist for that UID/GID), then rerun ./scripts/kaseki-setup-host.sh --fix. If the issue is timeout, try increasing KASEKI_PRIV_TOOL_TIMEOUT."
     else
       probe_detail="Checkout freshness probe failed when running git metadata access as UID:GID ${KASEKI_CONTAINER_UID}:${KASEKI_CONTAINER_GID}: ${stderr_tail}"
       probe_remediation="Fix ownership/permissions so ${checkout_dir} and ${checkout_dir}/.git are readable by UID:GID ${KASEKI_CONTAINER_UID}:${KASEKI_CONTAINER_GID}."
     fi
-  else
-    probe_status="ok"
-    probe_detail="Checkout freshness probe passed for ${checkout_dir} as UID:GID ${KASEKI_CONTAINER_UID}:${KASEKI_CONTAINER_GID}."
   fi
   cleanup_probe_stderr_file
 
@@ -352,71 +369,112 @@ run_privilege_tools_parallel() {
   local resolved_group_name="$4"
   shift 4
   local probe_command=("$@")
-  
+  : >"$stderr_file"
+
   local temp_dir
   temp_dir=$(mktemp -d)
-  export temp_dir  # Make accessible to trap handler in subshell contexts
   local success_marker="$temp_dir/success"
   local pids=()
-  
+  local failure_stderr_files=()
+  local setpriv_stderr="$temp_dir/setpriv.stderr"
+  local runuser_stderr="$temp_dir/runuser.stderr"
+  local sudo_stderr="$temp_dir/sudo.stderr"
+
   cleanup_parallel() {
-    # shellcheck disable=SC2317
-    rm -rf "$temp_dir"
+    rm -rf "${temp_dir:-}"
   }
-  trap cleanup_parallel EXIT
-  
+
+  stop_parallel_jobs() {
+    local pid
+    for pid in "${pids[@]}"; do
+      kill "$pid" 2>/dev/null || true
+    done
+    for pid in "${pids[@]}"; do
+      wait "$pid" 2>/dev/null || true
+    done
+  }
+
+  copy_selected_failure_stderr() {
+    local candidate
+    for candidate in "${failure_stderr_files[@]}"; do
+      if [ -s "$candidate" ]; then
+        cp "$candidate" "$stderr_file"
+        return 0
+      fi
+    done
+    printf 'no usable privilege tool succeeded for %s\n' "$checkout_dir" >"$stderr_file"
+  }
+
   # Test 1: setpriv (fastest, preferred)
   if [ "$(id -u)" -eq 0 ] && command -v setpriv >/dev/null 2>&1; then
+    failure_stderr_files+=("$setpriv_stderr")
     (
-      timeout "$KASEKI_PRIV_TOOL_TIMEOUT" setpriv --reuid "$KASEKI_CONTAINER_UID" --regid "$KASEKI_CONTAINER_GID" --clear-groups -- "${probe_command[@]}" >/dev/null 2>"$stderr_file" && touch "$success_marker"
+      if timeout "$KASEKI_PRIV_TOOL_TIMEOUT" setpriv --reuid "$KASEKI_CONTAINER_UID" --regid "$KASEKI_CONTAINER_GID" --clear-groups -- "${probe_command[@]}" >/dev/null 2>"$setpriv_stderr"; then
+        touch "$success_marker"
+      fi
     ) &
     pids+=("$!")
   fi
-  
+
   # Test 2: runuser (if resolved user/group available)
   if [ "$(id -u)" -eq 0 ] && command -v runuser >/dev/null 2>&1 && [ -n "$resolved_user_name" ] && [ -n "$resolved_group_name" ]; then
+    failure_stderr_files+=("$runuser_stderr")
     (
-      timeout "$KASEKI_PRIV_TOOL_TIMEOUT" runuser -u "$resolved_user_name" -g "$resolved_group_name" -- "${probe_command[@]}" >/dev/null 2>"$stderr_file" && touch "$success_marker"
+      if timeout "$KASEKI_PRIV_TOOL_TIMEOUT" runuser -u "$resolved_user_name" -g "$resolved_group_name" -- "${probe_command[@]}" >/dev/null 2>"$runuser_stderr"; then
+        touch "$success_marker"
+      fi
     ) &
     pids+=("$!")
   fi
-  
+
   # Test 3: sudo (fallback, slowest)
   if [ "$(id -u)" -eq 0 ] && command -v sudo >/dev/null 2>&1; then
+    failure_stderr_files+=("$sudo_stderr")
     (
       if [ -n "$resolved_user_name" ] && [ -n "$resolved_group_name" ]; then
-        timeout "$KASEKI_PRIV_TOOL_TIMEOUT" sudo -u "$resolved_user_name" -g "$resolved_group_name" -- "${probe_command[@]}" >/dev/null 2>"$stderr_file"
+        timeout "$KASEKI_PRIV_TOOL_TIMEOUT" sudo -u "$resolved_user_name" -g "$resolved_group_name" -- "${probe_command[@]}" >/dev/null 2>"$sudo_stderr"
       elif [ -n "$resolved_user_name" ]; then
-        timeout "$KASEKI_PRIV_TOOL_TIMEOUT" sudo -u "$resolved_user_name" -- "${probe_command[@]}" >/dev/null 2>"$stderr_file"
+        timeout "$KASEKI_PRIV_TOOL_TIMEOUT" sudo -u "$resolved_user_name" -- "${probe_command[@]}" >/dev/null 2>"$sudo_stderr"
       else
-        timeout "$KASEKI_PRIV_TOOL_TIMEOUT" sudo -u "#${KASEKI_CONTAINER_UID}" -g "${KASEKI_CONTAINER_GID}" -- "${probe_command[@]}" >/dev/null 2>"$stderr_file"
+        timeout "$KASEKI_PRIV_TOOL_TIMEOUT" sudo -u "#${KASEKI_CONTAINER_UID}" -g "${KASEKI_CONTAINER_GID}" -- "${probe_command[@]}" >/dev/null 2>"$sudo_stderr"
       fi && touch "$success_marker"
     ) &
     pids+=("$!")
   fi
-  
+
+  if [ "${#pids[@]}" -eq 0 ]; then
+    copy_selected_failure_stderr
+    cleanup_parallel
+    return 1
+  fi
+
   # Wait for any process to succeed (check success marker while processes run)
-  local timeout_elapsed=0
-  local max_wait=$((KASEKI_PRIV_TOOL_TIMEOUT + 1))
-  while [ $timeout_elapsed -lt $max_wait ]; do
+  local wait_attempt=0
+  local max_wait_attempts=$(( (KASEKI_PRIV_TOOL_TIMEOUT + 1) * 10 ))
+  while [ "$wait_attempt" -lt "$max_wait_attempts" ]; do
     if [ -f "$success_marker" ]; then
-      # Kill remaining background processes
-      for pid in "${pids[@]}"; do
-        kill "$pid" 2>/dev/null || true
-      done
+      stop_parallel_jobs
+      cleanup_parallel
       return 0
     fi
     sleep 0.1
-    timeout_elapsed=$(( timeout_elapsed + 1 ))
+    wait_attempt=$(( wait_attempt + 1 ))
   done
-  
+
   # Wait for all processes to complete
   for pid in "${pids[@]}"; do
     wait "$pid" 2>/dev/null || true
   done
-  
-  # Check if any succeeded
-  [ -f "$success_marker" ] && return 0
+
+  # Check if any succeeded. On success, leave the shared stderr empty so failed
+  # parallel attempts cannot turn a successful privilege probe into a failure.
+  if [ -f "$success_marker" ]; then
+    cleanup_parallel
+    return 0
+  fi
+
+  copy_selected_failure_stderr
+  cleanup_parallel
   return 1
 }
 

package/scripts/scouting-allowlist.js

@@ -0,0 +1,229 @@
+#!/usr/bin/env node
+import fs from 'node:fs';
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+export const DEFAULT_CHANGED_FILES_ALLOWLIST = 'src/lib/parser.ts tests/parser.validation.ts';
+export const DEFAULT_VALIDATION_ALLOWLIST = '';
+
+export function actualType(value) {
+  if (value === null) return 'null';
+  if (Array.isArray(value)) return 'array';
+  return typeof value;
+}
+
+function summarize(errors) {
+  const critical = errors.filter((error) => error.severity === 'critical').length;
+  const warning = errors.filter((error) => error.severity === 'warning').length;
+  const counts = [];
+  if (critical) counts.push(`${critical} critical`);
+  if (warning) counts.push(`${warning} warning`);
+  const fields = errors.slice(0, 2).map((error) => error.field).join(', ');
+  const suffix = errors.length > 2 ? `, +${errors.length - 2} more` : '';
+  return `${counts.join(', ')} scouting validation ${errors.length === 1 ? 'error' : 'errors'}: ${fields}${suffix}`;
+}
+
+function appendJsonl(file, value) {
+  fs.mkdirSync(path.dirname(file), { recursive: true });
+  fs.appendFileSync(file, JSON.stringify(value) + '\n');
+}
+
+function readArtifact(inputPath) {
+  return JSON.parse(fs.readFileSync(inputPath, 'utf8'));
+}
+
+export function validateScoutingArtifactObject(artifact) {
+  const errors = [];
+  const addError = (field, expected, actual, severity, suggestion) => {
+    errors.push({ field, expected, actual, severity, suggestion });
+  };
+  const arrayKeys = ['requirements', 'relevant_files', 'observations', 'plan', 'validation', 'risks', 'test_impact'];
+
+  if (!artifact || Array.isArray(artifact) || typeof artifact !== 'object') {
+    addError('root', 'object', actualType(artifact), 'critical', 'Scouting artifact must be a JSON object, not an array/null/primitive');
+  } else {
+    if (typeof artifact.task !== 'string' || !artifact.task.trim()) {
+      addError('task', 'non-empty string', typeof artifact.task === 'string' ? 'empty string' : actualType(artifact.task), 'critical', 'task must be a non-empty string describing the requested work');
+    }
+    for (const key of arrayKeys) {
+      if (!Array.isArray(artifact[key])) {
+        addError(key, 'array', actualType(artifact[key]), 'critical', `${key} must be an array in the scouting handoff`);
+      }
+    }
+    if (Array.isArray(artifact.relevant_files)) {
+      artifact.relevant_files.forEach((item, index) => {
+        if (!item || typeof item.path !== 'string' || typeof item.reason !== 'string') {
+          addError(`relevant_files[${index}]`, 'object with string path and string reason', actualType(item), 'warning', 'Each relevant_files entry must include path and reason strings');
+        }
+      });
+    }
+    if (Array.isArray(artifact.test_impact)) {
+      artifact.test_impact.forEach((item, index) => {
+        if (!item || typeof item.path !== 'string' || !item.path.trim() || typeof item.reason !== 'string' || !item.reason.trim()) {
+          addError(`test_impact[${index}]`, 'object with non-empty string path and non-empty string reason', actualType(item), 'critical', 'Each test_impact entry must include the impacted test path and expectation reason strings');
+        }
+        if (item && typeof item === 'object' && item.test_examples !== undefined) {
+          if (!Array.isArray(item.test_examples)) {
+            addError(`test_impact[${index}].test_examples`, 'array of example objects or undefined', actualType(item.test_examples), 'warning', 'test_examples must be an array of objects with type, pattern, description, before, and after fields');
+          } else {
+            item.test_examples.forEach((example, exIdx) => {
+              if (!example || typeof example !== 'object' || !['added_assertion', 'modified_assertion', 'added_test_case', 'added_pattern'].includes(example.type)) {
+                addError(`test_impact[${index}].test_examples[${exIdx}].type`, 'added_assertion|modified_assertion|added_test_case|added_pattern', actualType(example && example.type), 'warning', 'Each test_example must have a valid type');
+              }
+              if (!example || typeof example.pattern !== 'string') {
+                addError(`test_impact[${index}].test_examples[${exIdx}].pattern`, 'string', actualType(example && example.pattern), 'warning', 'Each test_example must have a pattern string');
+              }
+              if (!example || typeof example.before !== 'string' || typeof example.after !== 'string') {
+                addError(`test_impact[${index}].test_examples[${exIdx}]`, 'before and after strings', 'missing or invalid', 'warning', 'Each test_example must have before and after code snippets');
+              }
+            });
+          }
+        }
+      });
+    }
+
+    if (artifact.suggested_allowlist) {
+      if (typeof artifact.suggested_allowlist !== 'object' || Array.isArray(artifact.suggested_allowlist)) {
+        addError('suggested_allowlist', 'object', actualType(artifact.suggested_allowlist), 'warning', 'suggested_allowlist must be an object with agent_patterns and validation_patterns arrays');
+      } else {
+        if (!Array.isArray(artifact.suggested_allowlist.agent_patterns)) {
+          addError('suggested_allowlist.agent_patterns', 'array of strings', actualType(artifact.suggested_allowlist.agent_patterns), 'warning', 'agent_patterns must be an array of glob pattern strings');
+        } else if (!artifact.suggested_allowlist.agent_patterns.every((p) => typeof p === 'string')) {
+          addError('suggested_allowlist.agent_patterns', 'array of strings', 'array with non-strings', 'warning', 'All agent_patterns entries must be strings');
+        }
+        if (!Array.isArray(artifact.suggested_allowlist.validation_patterns)) {
+          addError('suggested_allowlist.validation_patterns', 'array of strings', actualType(artifact.suggested_allowlist.validation_patterns), 'warning', 'validation_patterns must be an array of glob pattern strings');
+        } else if (!artifact.suggested_allowlist.validation_patterns.every((p) => typeof p === 'string')) {
+          addError('suggested_allowlist.validation_patterns', 'array of strings', 'array with non-strings', 'warning', 'All validation_patterns entries must be strings');
+        }
+      }
+    }
+  }
+
+  if (errors.length) {
+    const onlyTaskMissing = errors.length === 1 && errors[0].field === 'task';
+    return {
+      status: 'rejected',
+      reason_code: onlyTaskMissing ? 'missing_required_fields' : 'schema_mismatch',
+      details: summarize(errors),
+      errors,
+    };
+  }
+
+  return { status: 'ok', reason_code: 'valid', details: 'artifact validation passed', errors: [] };
+}
+
+export function validateScoutingArtifact(inputPath, outputPath, options = {}) {
+  let artifact;
+  try {
+    artifact = readArtifact(inputPath);
+  } catch (err) {
+    const error = {
+      field: 'root',
+      expected: 'exactly one valid JSON object',
+      actual: err && err.message ? String(err.message) : 'JSON parse failed',
+      severity: 'critical',
+      suggestion: 'ensure exactly one valid JSON object is written to /results/scouting-candidate.json',
+    };
+    const result = { status: 'rejected', reason_code: 'malformed_json', details: summarize([error]), errors: [error] };
+    writeValidationArtifacts(result, options);
+    return result;
+  }
+
+  const result = validateScoutingArtifactObject(artifact);
+  if (result.status === 'ok' && outputPath) {
+    fs.writeFileSync(outputPath, JSON.stringify(artifact, null, 2) + '\n');
+  }
+  writeValidationArtifacts(result, options);
+  return result;
+}
+
+function writeValidationArtifacts(result, options) {
+  const { errorLog, jsonlLog } = options;
+  if (result.status === 'ok') return;
+  if (jsonlLog) {
+    for (const error of result.errors) {
+      appendJsonl(jsonlLog, { timestamp: new Date().toISOString(), reason_code: result.reason_code, ...error });
+    }
+  }
+  if (errorLog) {
+    fs.writeFileSync(errorLog, JSON.stringify({ reason_code: result.reason_code, details: result.details, errors: result.errors }) + '\n');
+  }
+}
+
+export function deriveAllowlistFromScoutingArtifact(artifact) {
+  return {
+    agentAllowlist: artifact && artifact.suggested_allowlist && Array.isArray(artifact.suggested_allowlist.agent_patterns)
+      ? artifact.suggested_allowlist.agent_patterns.join(' ')
+      : '',
+    validationAllowlist: artifact && artifact.suggested_allowlist && Array.isArray(artifact.suggested_allowlist.validation_patterns)
+      ? artifact.suggested_allowlist.validation_patterns.join(' ')
+      : '',
+  };
+}
+
+export function deriveAllowlistFromScouting(inputPath) {
+  return deriveAllowlistFromScoutingArtifact(readArtifact(inputPath));
+}
+
+export function mergeAllowlists(scoutingPatterns = '', userPatterns = '') {
+  if (scoutingPatterns && userPatterns) return `${scoutingPatterns} ${userPatterns}`;
+  return scoutingPatterns || userPatterns || '';
+}
+
+export function deriveScoutingAllowlistOrDefault(inputPath, options = {}) {
+  const defaultChangedFilesAllowlist = options.defaultChangedFilesAllowlist ?? DEFAULT_CHANGED_FILES_ALLOWLIST;
+  const defaultValidationAllowlist = options.defaultValidationAllowlist ?? DEFAULT_VALIDATION_ALLOWLIST;
+  const validation = validateScoutingArtifact(inputPath, undefined, options);
+
+  if (validation.status !== 'ok') {
+    return {
+      validation,
+      agentAllowlist: defaultChangedFilesAllowlist,
+      validationAllowlist: defaultValidationAllowlist,
+      source: 'default_after_rejection',
+    };
+  }
+
+  const derived = deriveAllowlistFromScouting(inputPath);
+  return {
+    validation,
+    agentAllowlist: mergeAllowlists(derived.agentAllowlist, defaultChangedFilesAllowlist),
+    validationAllowlist: mergeAllowlists(derived.validationAllowlist, defaultValidationAllowlist),
+    source: derived.agentAllowlist || derived.validationAllowlist ? 'merged_scouting' : 'default_after_absent_suggestion',
+  };
+}
+
+function printJson(value) {
+  process.stdout.write(JSON.stringify(value));
+}
+
+function main(argv) {
+  const [command, ...args] = argv;
+  if (command === 'validate') {
+    const [inputPath, outputPath, errorLog, jsonlLog] = args;
+    const result = validateScoutingArtifact(inputPath, outputPath, { errorLog, jsonlLog });
+    printJson(result);
+    process.exitCode = result.status === 'ok' ? 0 : 1;
+    return;
+  }
+  if (command === 'derive') {
+    const result = deriveAllowlistFromScouting(args[0]);
+    process.stdout.write(`${result.agentAllowlist}\n${result.validationAllowlist}\n`);
+    return;
+  }
+  if (command === 'orchestrate') {
+    printJson(deriveScoutingAllowlistOrDefault(args[0], {
+      defaultChangedFilesAllowlist: args[1] ?? DEFAULT_CHANGED_FILES_ALLOWLIST,
+      defaultValidationAllowlist: args[2] ?? DEFAULT_VALIDATION_ALLOWLIST,
+    }));
+    return;
+  }
+  process.stderr.write('usage: scouting-allowlist.js <validate|derive|orchestrate> ...\n');
+  process.exitCode = 64;
+}
+
+const thisFile = fileURLToPath(import.meta.url);
+if (process.argv[1] && path.resolve(process.argv[1]) === thisFile) {
+  main(process.argv.slice(2));
+}