@doingdev/opencode-claude-manager-plugin 0.1.52 → 0.1.54

package/README.md

@@ -81,7 +81,7 @@ If you are testing locally, point OpenCode at the local package or plugin file u
 
 - `approval_policy` — view the current tool approval policy.
 - `approval_decisions` — view recent tool approval decisions.
-- `approval_update` — add/remove rules, change default action, or enable/disable approval.
+- `approval_update` — add/remove rules, enable/disable approval, or clear decision history. Policy uses a **deny-list**: tools not matching any rule are **allowed**; use explicit **deny** rules to block. `defaultAction` is always `allow` (cannot be set to deny).
 
 ## Agent hierarchy
 

package/dist/claude/tool-approval-manager.js

@@ -3,6 +3,13 @@ import path from 'node:path';
 import { isFileNotFoundError, writeJsonAtomically } from '../util/fs-helpers.js';
 const DEFAULT_MAX_DECISIONS = 500;
 const INPUT_PREVIEW_MAX = 300;
+function normalizePolicy(policy) {
+    return {
+        ...policy,
+        rules: [...policy.rules],
+        defaultAction: 'allow',
+    };
+}
 function getDefaultRules() {
     return [
         // Safe read-only tools
@@ -125,12 +132,12 @@ export class ToolApprovalManager {
     maxDecisions;
     persistPath;
     constructor(policy, maxDecisions, persistPath) {
-        this.policy = {
+        this.policy = normalizePolicy({
             rules: policy?.rules ?? getDefaultRules(),
-            defaultAction: policy?.defaultAction ?? 'allow',
+            defaultAction: 'allow',
             defaultDenyMessage: policy?.defaultDenyMessage ?? 'Tool call denied by approval policy.',
             enabled: policy?.enabled ?? true,
-        };
+        });
         this.maxDecisions = maxDecisions ?? DEFAULT_MAX_DECISIONS;
         this.persistPath = persistPath ?? null;
     }
@@ -141,12 +148,12 @@ export class ToolApprovalManager {
         try {
             const content = await fs.readFile(this.persistPath, 'utf8');
             const loaded = JSON.parse(content);
-            this.policy = {
+            this.policy = normalizePolicy({
                 rules: loaded.rules ?? getDefaultRules(),
-                defaultAction: loaded.defaultAction ?? 'allow',
+                defaultAction: 'allow',
                 defaultDenyMessage: loaded.defaultDenyMessage ?? 'Tool call denied by approval policy.',
                 enabled: loaded.enabled ?? true,
-            };
+            });
         }
         catch (error) {
             if (!isFileNotFoundError(error)) {
@@ -167,7 +174,7 @@ export class ToolApprovalManager {
         }
         const inputJson = safeJsonStringify(input);
         const matchedRule = this.findMatchingRule(toolName, inputJson);
-        const action = matchedRule?.action ?? this.policy.defaultAction;
+        const action = matchedRule?.action ?? 'allow';
         const denyMessage = action === 'deny'
             ? (matchedRule?.denyMessage ?? this.policy.defaultDenyMessage ?? 'Denied by policy.')
             : undefined;
@@ -201,7 +208,7 @@ export class ToolApprovalManager {
         return { ...this.policy, rules: [...this.policy.rules] };
     }
     async setPolicy(policy) {
-        this.policy = { ...policy, rules: [...policy.rules] };
+        this.policy = normalizePolicy(policy);
         await this.persistPolicy();
     }
     async addRule(rule, position) {
@@ -223,7 +230,10 @@ export class ToolApprovalManager {
         return true;
     }
     async setDefaultAction(action) {
-        this.policy.defaultAction = action;
+        if (action === 'deny') {
+            throw new Error('defaultAction cannot be deny; unmatched tools are always allowed. Add explicit deny rules instead.');
+        }
+        this.policy = normalizePolicy(this.policy);
         await this.persistPolicy();
     }
     async setEnabled(enabled) {

package/dist/manager/team-orchestrator.d.ts

@@ -18,7 +18,8 @@ export declare class TeamOrchestrator {
     private readonly teamStore;
     private readonly transcriptStore;
     private readonly engineerSessionPrompt;
-    constructor(sessions: ClaudeSessionService, teamStore: TeamStateStore, transcriptStore: TranscriptStore, engineerSessionPrompt: string);
+    private readonly architectSystemPrompt;
+    constructor(sessions: ClaudeSessionService, teamStore: TeamStateStore, transcriptStore: TranscriptStore, engineerSessionPrompt: string, architectSystemPrompt: string);
     getOrCreateTeam(cwd: string, teamId: string): Promise<TeamRecord>;
     listTeams(cwd: string): Promise<TeamRecord[]>;
     recordWrapperSession(cwd: string, teamId: string, engineer: EngineerName, wrapperSessionId: string): Promise<void>;
@@ -44,6 +45,9 @@ export declare class TeamOrchestrator {
         challengerEngineer: EngineerName;
         model?: string;
         abortSignal?: AbortSignal;
+        onLeadEvent?: ClaudeSessionEventHandler;
+        onChallengerEvent?: ClaudeSessionEventHandler;
+        onSynthesisEvent?: ClaudeSessionEventHandler;
     }): Promise<SynthesizedPlanResult>;
     private updateEngineer;
     private reserveEngineer;

package/dist/manager/team-orchestrator.js

@@ -6,11 +6,13 @@ export class TeamOrchestrator {
     teamStore;
     transcriptStore;
     engineerSessionPrompt;
-    constructor(sessions, teamStore, transcriptStore, engineerSessionPrompt) {
+    architectSystemPrompt;
+    constructor(sessions, teamStore, transcriptStore, engineerSessionPrompt, architectSystemPrompt) {
         this.sessions = sessions;
         this.teamStore = teamStore;
         this.transcriptStore = transcriptStore;
         this.engineerSessionPrompt = engineerSessionPrompt;
+        this.architectSystemPrompt = architectSystemPrompt;
     }
     async getOrCreateTeam(cwd, teamId) {
         const existing = await this.teamStore.getTeam(cwd, teamId);
@@ -203,6 +205,7 @@ export class TeamOrchestrator {
                 message: buildPlanDraftRequest('lead', input.request),
                 model: input.model,
                 abortSignal: input.abortSignal,
+                onEvent: input.onLeadEvent,
             }),
             this.dispatchEngineer({
                 teamId: input.teamId,
@@ -212,6 +215,7 @@ export class TeamOrchestrator {
                 message: buildPlanDraftRequest('challenger', input.request),
                 model: input.model,
                 abortSignal: input.abortSignal,
+                onEvent: input.onChallengerEvent,
             }),
         ]);
         const drafts = [
@@ -221,7 +225,7 @@ export class TeamOrchestrator {
         const synthesisResult = await this.sessions.runTask({
             cwd: input.cwd,
             prompt: buildSynthesisPrompt(input.request, drafts),
-            systemPrompt: buildSynthesisSystemPrompt(),
+            systemPrompt: buildSynthesisSystemPrompt(this.architectSystemPrompt),
             persistSession: false,
             includePartialMessages: false,
             permissionMode: 'acceptEdits',
@@ -230,7 +234,7 @@ export class TeamOrchestrator {
             effort: 'high',
             settingSources: ['user', 'project', 'local'],
             abortSignal: input.abortSignal,
-        });
+        }, input.onSynthesisEvent);
         const parsedSynthesis = parseSynthesisResult(synthesisResult.finalText);
         return {
             teamId: input.teamId,
@@ -361,20 +365,8 @@ function buildPlanDraftRequest(perspective, request) {
         `User request: ${request}`,
     ].join('\n');
 }
-function buildSynthesisSystemPrompt() {
-    return [
-        'You are synthesizing two independent engineering plans into one stronger plan.',
-        'Compare them on clarity, feasibility, risk, and fit to the user request.',
-        'Prefer the simplest path that fully addresses the goal.',
-        'If the plans disagree on something only the user can decide, surface exactly one recommended question and one recommended answer.',
-        'Use this output format exactly:',
-        '## Synthesis',
-        '<combined plan>',
-        '## Recommended Question',
-        '<question or NONE>',
-        '## Recommended Answer',
-        '<answer or NONE>',
-    ].join('\n');
+function buildSynthesisSystemPrompt(architectSystemPrompt) {
+    return architectSystemPrompt;
 }
 function buildSynthesisPrompt(request, drafts) {
     return [

package/dist/plugin/agent-hierarchy.d.ts

@@ -1,5 +1,6 @@
 import type { EngineerName, ManagerPromptRegistry } from '../types/contracts.js';
 export declare const AGENT_CTO = "cto";
+export declare const AGENT_ARCHITECT = "architect";
 export declare const ENGINEER_AGENT_IDS: {
     readonly Tom: "tom";
     readonly John: "john";
@@ -41,5 +42,13 @@ export declare function buildEngineerAgentConfig(prompts: ManagerPromptRegistry,
     permission: AgentPermission;
     prompt: string;
 };
+export declare function buildArchitectAgentConfig(prompts: ManagerPromptRegistry): {
+    description: string;
+    mode: "subagent";
+    hidden: boolean;
+    color: string;
+    permission: AgentPermission;
+    prompt: string;
+};
 export declare function denyRestrictedToolsGlobally(permissions: Record<string, ToolPermission>): void;
 export {};

package/dist/plugin/agent-hierarchy.js

@@ -1,5 +1,6 @@
 import { TEAM_ENGINEERS } from '../team/roster.js';
 export const AGENT_CTO = 'cto';
+export const AGENT_ARCHITECT = 'architect';
 export const ENGINEER_AGENT_IDS = {
     Tom: 'tom',
     John: 'john',
@@ -10,7 +11,6 @@ export const ENGINEER_AGENT_IDS = {
 export const ENGINEER_AGENT_NAMES = TEAM_ENGINEERS;
 const CTO_ONLY_TOOL_IDS = [
     'team_status',
-    'plan_with_team',
     'reset_engineer',
     'list_transcripts',
     'list_history',
@@ -38,6 +38,27 @@ const CTO_READONLY_TOOLS = {
     todoread: 'allow',
     question: 'allow',
 };
+function buildArchitectPermissions() {
+    const denied = {};
+    for (const toolId of ALL_RESTRICTED_TOOL_IDS) {
+        denied[toolId] = 'deny';
+    }
+    return {
+        '*': 'deny',
+        read: 'allow',
+        grep: 'allow',
+        glob: 'allow',
+        list: 'allow',
+        codesearch: 'allow',
+        webfetch: 'deny',
+        websearch: 'deny',
+        lsp: 'deny',
+        todowrite: 'deny',
+        todoread: 'deny',
+        question: 'deny',
+        ...denied,
+    };
+}
 function buildCtoPermissions() {
     const denied = {};
     for (const toolId of ALL_RESTRICTED_TOOL_IDS) {
@@ -51,6 +72,7 @@ function buildCtoPermissions() {
     for (const engineer of ENGINEER_AGENT_NAMES) {
         taskPermissions[ENGINEER_AGENT_IDS[engineer]] = 'allow';
     }
+    taskPermissions[AGENT_ARCHITECT] = 'allow';
     return {
         '*': 'deny',
         ...CTO_READONLY_TOOLS,
@@ -89,6 +111,16 @@ export function buildEngineerAgentConfig(prompts, engineer) {
         prompt: `You are ${engineer}.\n\n${prompts.engineerAgentPrompt}`,
     };
 }
+export function buildArchitectAgentConfig(prompts) {
+    return {
+        description: 'Synthesizes two engineer plan drafts into one stronger, actionable plan.',
+        mode: 'subagent',
+        hidden: false,
+        color: '#D97757',
+        permission: buildArchitectPermissions(),
+        prompt: prompts.architectSystemPrompt,
+    };
+}
 export function denyRestrictedToolsGlobally(permissions) {
     for (const toolId of ALL_RESTRICTED_TOOL_IDS) {
         permissions[toolId] ??= 'deny';

package/dist/plugin/claude-manager.plugin.js

@@ -2,7 +2,7 @@ import { tool } from '@opencode-ai/plugin';
 import { managerPromptRegistry } from '../prompts/registry.js';
 import { isEngineerName } from '../team/roster.js';
 import { TeamOrchestrator } from '../manager/team-orchestrator.js';
-import { AGENT_CTO, ENGINEER_AGENT_IDS, ENGINEER_AGENT_NAMES, buildCtoAgentConfig, buildEngineerAgentConfig, denyRestrictedToolsGlobally, } from './agent-hierarchy.js';
+import { AGENT_CTO, AGENT_ARCHITECT, ENGINEER_AGENT_IDS, ENGINEER_AGENT_NAMES, buildCtoAgentConfig, buildEngineerAgentConfig, buildArchitectAgentConfig, denyRestrictedToolsGlobally, } from './agent-hierarchy.js';
 import { getActiveTeamSession, getOrCreatePluginServices, getPersistedActiveTeam, getWrapperSessionMapping, setActiveTeamSession, setPersistedActiveTeam, setWrapperSessionMapping, } from './service-factory.js';
 const MODEL_ENUM = ['claude-opus-4-6', 'claude-sonnet-4-6'];
 const MODE_ENUM = ['explore', 'implement', 'verify'];
@@ -15,6 +15,7 @@ export const ClaudeManagerPlugin = async ({ worktree }) => {
             config.permission ??= {};
             denyRestrictedToolsGlobally(config.permission);
             config.agent[AGENT_CTO] ??= buildCtoAgentConfig(managerPromptRegistry);
+            config.agent[AGENT_ARCHITECT] ??= buildArchitectAgentConfig(managerPromptRegistry);
             for (const engineer of ENGINEER_AGENT_NAMES) {
                 config.agent[ENGINEER_AGENT_IDS[engineer]] ??= buildEngineerAgentConfig(managerPromptRegistry, engineer);
             }
@@ -126,9 +127,12 @@ export const ClaudeManagerPlugin = async ({ worktree }) => {
                         challengerEngineer: args.challengerEngineer,
                         model: args.model,
                         abortSignal: context.abort,
+                        onLeadEvent: (event) => reportClaudeEvent(context, args.leadEngineer, event),
+                        onChallengerEvent: (event) => reportClaudeEvent(context, args.challengerEngineer, event),
+                        onSynthesisEvent: (event) => reportArchitectEvent(context, event),
                     });
                     context.metadata({
-                        title: '✅ Plan synthesis complete',
+                        title: '✅ Architect finished',
                         metadata: {
                             teamId: result.teamId,
                             lead: result.leadEngineer,
@@ -289,7 +293,7 @@ export const ClaudeManagerPlugin = async ({ worktree }) => {
                 },
             }),
             approval_update: tool({
-                description: 'Update the tool approval policy. Add or remove rules, change the default action, enable or disable approvals, or clear decision history.',
+                description: 'Update the tool approval policy. Add or remove rules, enable or disable approvals, or clear decision history. Unmatched tools are always allowed; block only with explicit deny rules (defaultAction cannot be set to deny).',
                 args: {
                     action: tool.schema.enum([
                         'addRule',
@@ -336,6 +340,11 @@ export const ClaudeManagerPlugin = async ({ worktree }) => {
                         if (!args.defaultAction) {
                             return JSON.stringify({ error: 'setDefault requires defaultAction' });
                         }
+                        if (args.defaultAction === 'deny') {
+                            return JSON.stringify({
+                                error: 'defaultAction cannot be deny; unmatched tools are always allowed. Add explicit deny rules instead.',
+                            });
+                        }
                         await services.approvalManager.setDefaultAction(args.defaultAction);
                     }
                     else if (args.action === 'setEnabled') {
@@ -553,6 +562,78 @@ function reportClaudeEvent(context, engineer, event) {
         });
     }
 }
+function reportArchitectEvent(context, event) {
+    if (event.type === 'error') {
+        context.metadata({
+            title: `❌ Architect hit an error`,
+            metadata: {
+                sessionId: event.sessionId,
+                error: event.text.slice(0, 200),
+            },
+        });
+        return;
+    }
+    if (event.type === 'init') {
+        context.metadata({
+            title: `⚡ Architect session ready`,
+            metadata: {
+                sessionId: event.sessionId,
+            },
+        });
+        return;
+    }
+    if (event.type === 'tool_call') {
+        let toolName;
+        let toolId;
+        let toolArgs;
+        try {
+            const parsed = JSON.parse(event.text);
+            toolName = parsed.name;
+            toolId = parsed.id;
+            if (typeof parsed.input === 'string') {
+                try {
+                    toolArgs = JSON.parse(parsed.input);
+                }
+                catch {
+                    toolArgs = parsed.input;
+                }
+            }
+            else {
+                toolArgs = parsed.input;
+            }
+        }
+        catch {
+            // event.text is not valid JSON — fall back to generic title
+        }
+        const toolDescription = formatToolDescription(toolName ?? '', toolArgs);
+        context.metadata({
+            title: toolDescription
+                ? `⚡ Architect → ${toolDescription}`
+                : toolName
+                    ? `⚡ Architect → ${toolName}`
+                    : `⚡ Architect is using Claude Code tools`,
+            metadata: {
+                sessionId: event.sessionId,
+                ...(toolName !== undefined && { toolName }),
+                ...(toolId !== undefined && { toolId }),
+                ...(toolArgs !== undefined && { toolArgs }),
+            },
+        });
+        return;
+    }
+    if (event.type === 'assistant' || event.type === 'partial') {
+        const isThinking = event.text.startsWith('<thinking>');
+        const stateLabel = event.type === 'partial' && isThinking ? 'is thinking' : 'is working';
+        context.metadata({
+            title: `⚡ Architect ${stateLabel}`,
+            metadata: {
+                sessionId: event.sessionId,
+                preview: event.text.slice(0, 160),
+                isThinking,
+            },
+        });
+    }
+}
 function annotateToolRun(context, title, metadata) {
     context.metadata({
         title,

package/dist/plugin/service-factory.js

@@ -24,7 +24,7 @@ export function getOrCreatePluginServices(worktree) {
     const teamStore = new TeamStateStore();
     const transcriptStore = new TranscriptStore();
     const manager = new PersistentManager(gitOps, transcriptStore);
-    const orchestrator = new TeamOrchestrator(sessionService, teamStore, transcriptStore, managerPromptRegistry.engineerSessionPrompt);
+    const orchestrator = new TeamOrchestrator(sessionService, teamStore, transcriptStore, managerPromptRegistry.engineerSessionPrompt, managerPromptRegistry.architectSystemPrompt);
     const services = {
         manager,
         sessions: sessionService,

package/dist/prompts/registry.js

@@ -27,7 +27,7 @@ export const managerPromptRegistry = {
         '',
         'Plan and decompose:',
         '- Break work into independent pieces that can run in parallel. Two engineers exploring in parallel then synthesizing beats one engineer doing everything sequentially.',
-        '- For medium or large tasks, dispatch two engineers with complementary perspectives (lead plan + challenger review), then synthesize.',
+        '- For medium or large tasks, delegate dual-engineer exploration to two engineers, then task the `architect` subagent to synthesize their independent plans into one stronger plan.',
         '- Define clear success criteria before delegating. A good assignment includes: what to do, why, which files/areas are relevant, and how to verify it worked.',
         '',
         'Delegate through the Task tool:',
@@ -76,6 +76,21 @@ export const managerPromptRegistry = {
         'Report blockers immediately with exact error output. Do not retry silently more than once.',
         'Do not run git commit, git push, git reset, git checkout, or git stash.',
     ].join('\n'),
+    architectSystemPrompt: [
+        'You are the Architect. Your role is to synthesize two independent engineering plans into one stronger, unified plan.',
+        'Compare the lead and challenger plans on clarity, feasibility, risk, and fit to the user request.',
+        'Prefer the simplest path that fully addresses the goal. Surface tradeoffs honestly.',
+        'If the plans disagree on something only the user can decide, surface exactly one recommended question and one recommended answer.',
+        'Do not editorialize or over-explain. Be direct and concise.',
+        '',
+        'Use this output format exactly:',
+        '## Synthesis',
+        '<combined plan>',
+        '## Recommended Question',
+        '<question or NONE>',
+        '## Recommended Answer',
+        '<answer or NONE>',
+    ].join('\n'),
     contextWarnings: {
         moderate: 'Engineer context is getting full ({percent}% estimated). Reuse is still fine, but keep the next prompt focused.',
         high: 'Engineer context is heavy ({percent}% estimated, {turns} turns, ${cost}). Prefer a narrowly scoped follow-up or internal compaction.',

package/dist/src/claude/tool-approval-manager.js

@@ -3,6 +3,13 @@ import path from 'node:path';
 import { isFileNotFoundError, writeJsonAtomically } from '../util/fs-helpers.js';
 const DEFAULT_MAX_DECISIONS = 500;
 const INPUT_PREVIEW_MAX = 300;
+function normalizePolicy(policy) {
+    return {
+        ...policy,
+        rules: [...policy.rules],
+        defaultAction: 'allow',
+    };
+}
 function getDefaultRules() {
     return [
         // Safe read-only tools
@@ -125,12 +132,12 @@ export class ToolApprovalManager {
     maxDecisions;
     persistPath;
     constructor(policy, maxDecisions, persistPath) {
-        this.policy = {
+        this.policy = normalizePolicy({
             rules: policy?.rules ?? getDefaultRules(),
-            defaultAction: policy?.defaultAction ?? 'allow',
+            defaultAction: 'allow',
             defaultDenyMessage: policy?.defaultDenyMessage ?? 'Tool call denied by approval policy.',
             enabled: policy?.enabled ?? true,
-        };
+        });
         this.maxDecisions = maxDecisions ?? DEFAULT_MAX_DECISIONS;
         this.persistPath = persistPath ?? null;
     }
@@ -141,12 +148,12 @@ export class ToolApprovalManager {
         try {
             const content = await fs.readFile(this.persistPath, 'utf8');
             const loaded = JSON.parse(content);
-            this.policy = {
+            this.policy = normalizePolicy({
                 rules: loaded.rules ?? getDefaultRules(),
-                defaultAction: loaded.defaultAction ?? 'allow',
+                defaultAction: 'allow',
                 defaultDenyMessage: loaded.defaultDenyMessage ?? 'Tool call denied by approval policy.',
                 enabled: loaded.enabled ?? true,
-            };
+            });
         }
         catch (error) {
             if (!isFileNotFoundError(error)) {
@@ -167,7 +174,7 @@ export class ToolApprovalManager {
         }
         const inputJson = safeJsonStringify(input);
         const matchedRule = this.findMatchingRule(toolName, inputJson);
-        const action = matchedRule?.action ?? this.policy.defaultAction;
+        const action = matchedRule?.action ?? 'allow';
         const denyMessage = action === 'deny'
             ? (matchedRule?.denyMessage ?? this.policy.defaultDenyMessage ?? 'Denied by policy.')
             : undefined;
@@ -201,7 +208,7 @@ export class ToolApprovalManager {
         return { ...this.policy, rules: [...this.policy.rules] };
     }
     async setPolicy(policy) {
-        this.policy = { ...policy, rules: [...policy.rules] };
+        this.policy = normalizePolicy(policy);
         await this.persistPolicy();
     }
     async addRule(rule, position) {
@@ -223,7 +230,10 @@ export class ToolApprovalManager {
         return true;
     }
     async setDefaultAction(action) {
-        this.policy.defaultAction = action;
+        if (action === 'deny') {
+            throw new Error('defaultAction cannot be deny; unmatched tools are always allowed. Add explicit deny rules instead.');
+        }
+        this.policy = normalizePolicy(this.policy);
         await this.persistPolicy();
     }
     async setEnabled(enabled) {

package/dist/src/manager/team-orchestrator.d.ts

@@ -18,7 +18,8 @@ export declare class TeamOrchestrator {
     private readonly teamStore;
     private readonly transcriptStore;
     private readonly engineerSessionPrompt;
-    constructor(sessions: ClaudeSessionService, teamStore: TeamStateStore, transcriptStore: TranscriptStore, engineerSessionPrompt: string);
+    private readonly architectSystemPrompt;
+    constructor(sessions: ClaudeSessionService, teamStore: TeamStateStore, transcriptStore: TranscriptStore, engineerSessionPrompt: string, architectSystemPrompt: string);
     getOrCreateTeam(cwd: string, teamId: string): Promise<TeamRecord>;
     listTeams(cwd: string): Promise<TeamRecord[]>;
     recordWrapperSession(cwd: string, teamId: string, engineer: EngineerName, wrapperSessionId: string): Promise<void>;
@@ -44,6 +45,9 @@ export declare class TeamOrchestrator {
         challengerEngineer: EngineerName;
         model?: string;
         abortSignal?: AbortSignal;
+        onLeadEvent?: ClaudeSessionEventHandler;
+        onChallengerEvent?: ClaudeSessionEventHandler;
+        onSynthesisEvent?: ClaudeSessionEventHandler;
     }): Promise<SynthesizedPlanResult>;
     private updateEngineer;
     private reserveEngineer;

package/dist/src/manager/team-orchestrator.js

@@ -6,11 +6,13 @@ export class TeamOrchestrator {
     teamStore;
     transcriptStore;
     engineerSessionPrompt;
-    constructor(sessions, teamStore, transcriptStore, engineerSessionPrompt) {
+    architectSystemPrompt;
+    constructor(sessions, teamStore, transcriptStore, engineerSessionPrompt, architectSystemPrompt) {
         this.sessions = sessions;
         this.teamStore = teamStore;
         this.transcriptStore = transcriptStore;
         this.engineerSessionPrompt = engineerSessionPrompt;
+        this.architectSystemPrompt = architectSystemPrompt;
     }
     async getOrCreateTeam(cwd, teamId) {
         const existing = await this.teamStore.getTeam(cwd, teamId);
@@ -203,6 +205,7 @@ export class TeamOrchestrator {
                 message: buildPlanDraftRequest('lead', input.request),
                 model: input.model,
                 abortSignal: input.abortSignal,
+                onEvent: input.onLeadEvent,
             }),
             this.dispatchEngineer({
                 teamId: input.teamId,
@@ -212,6 +215,7 @@ export class TeamOrchestrator {
                 message: buildPlanDraftRequest('challenger', input.request),
                 model: input.model,
                 abortSignal: input.abortSignal,
+                onEvent: input.onChallengerEvent,
             }),
         ]);
         const drafts = [
@@ -221,7 +225,7 @@ export class TeamOrchestrator {
         const synthesisResult = await this.sessions.runTask({
             cwd: input.cwd,
             prompt: buildSynthesisPrompt(input.request, drafts),
-            systemPrompt: buildSynthesisSystemPrompt(),
+            systemPrompt: buildSynthesisSystemPrompt(this.architectSystemPrompt),
             persistSession: false,
             includePartialMessages: false,
             permissionMode: 'acceptEdits',
@@ -230,7 +234,7 @@ export class TeamOrchestrator {
             effort: 'high',
             settingSources: ['user', 'project', 'local'],
             abortSignal: input.abortSignal,
-        });
+        }, input.onSynthesisEvent);
         const parsedSynthesis = parseSynthesisResult(synthesisResult.finalText);
         return {
             teamId: input.teamId,
@@ -361,20 +365,8 @@ function buildPlanDraftRequest(perspective, request) {
         `User request: ${request}`,
     ].join('\n');
 }
-function buildSynthesisSystemPrompt() {
-    return [
-        'You are synthesizing two independent engineering plans into one stronger plan.',
-        'Compare them on clarity, feasibility, risk, and fit to the user request.',
-        'Prefer the simplest path that fully addresses the goal.',
-        'If the plans disagree on something only the user can decide, surface exactly one recommended question and one recommended answer.',
-        'Use this output format exactly:',
-        '## Synthesis',
-        '<combined plan>',
-        '## Recommended Question',
-        '<question or NONE>',
-        '## Recommended Answer',
-        '<answer or NONE>',
-    ].join('\n');
+function buildSynthesisSystemPrompt(architectSystemPrompt) {
+    return architectSystemPrompt;
 }
 function buildSynthesisPrompt(request, drafts) {
     return [

package/dist/src/plugin/agent-hierarchy.d.ts

@@ -1,5 +1,6 @@
 import type { EngineerName, ManagerPromptRegistry } from '../types/contracts.js';
 export declare const AGENT_CTO = "cto";
+export declare const AGENT_ARCHITECT = "architect";
 export declare const ENGINEER_AGENT_IDS: {
     readonly Tom: "tom";
     readonly John: "john";
@@ -41,5 +42,13 @@ export declare function buildEngineerAgentConfig(prompts: ManagerPromptRegistry,
     permission: AgentPermission;
     prompt: string;
 };
+export declare function buildArchitectAgentConfig(prompts: ManagerPromptRegistry): {
+    description: string;
+    mode: "subagent";
+    hidden: boolean;
+    color: string;
+    permission: AgentPermission;
+    prompt: string;
+};
 export declare function denyRestrictedToolsGlobally(permissions: Record<string, ToolPermission>): void;
 export {};

package/dist/src/plugin/agent-hierarchy.js

@@ -1,5 +1,6 @@
 import { TEAM_ENGINEERS } from '../team/roster.js';
 export const AGENT_CTO = 'cto';
+export const AGENT_ARCHITECT = 'architect';
 export const ENGINEER_AGENT_IDS = {
     Tom: 'tom',
     John: 'john',
@@ -10,7 +11,6 @@ export const ENGINEER_AGENT_IDS = {
 export const ENGINEER_AGENT_NAMES = TEAM_ENGINEERS;
 const CTO_ONLY_TOOL_IDS = [
     'team_status',
-    'plan_with_team',
     'reset_engineer',
     'list_transcripts',
     'list_history',
@@ -38,6 +38,27 @@ const CTO_READONLY_TOOLS = {
     todoread: 'allow',
     question: 'allow',
 };
+function buildArchitectPermissions() {
+    const denied = {};
+    for (const toolId of ALL_RESTRICTED_TOOL_IDS) {
+        denied[toolId] = 'deny';
+    }
+    return {
+        '*': 'deny',
+        read: 'allow',
+        grep: 'allow',
+        glob: 'allow',
+        list: 'allow',
+        codesearch: 'allow',
+        webfetch: 'deny',
+        websearch: 'deny',
+        lsp: 'deny',
+        todowrite: 'deny',
+        todoread: 'deny',
+        question: 'deny',
+        ...denied,
+    };
+}
 function buildCtoPermissions() {
     const denied = {};
     for (const toolId of ALL_RESTRICTED_TOOL_IDS) {
@@ -51,6 +72,7 @@ function buildCtoPermissions() {
     for (const engineer of ENGINEER_AGENT_NAMES) {
         taskPermissions[ENGINEER_AGENT_IDS[engineer]] = 'allow';
     }
+    taskPermissions[AGENT_ARCHITECT] = 'allow';
     return {
         '*': 'deny',
         ...CTO_READONLY_TOOLS,
@@ -89,6 +111,16 @@ export function buildEngineerAgentConfig(prompts, engineer) {
         prompt: `You are ${engineer}.\n\n${prompts.engineerAgentPrompt}`,
     };
 }
+export function buildArchitectAgentConfig(prompts) {
+    return {
+        description: 'Synthesizes two engineer plan drafts into one stronger, actionable plan.',
+        mode: 'subagent',
+        hidden: false,
+        color: '#D97757',
+        permission: buildArchitectPermissions(),
+        prompt: prompts.architectSystemPrompt,
+    };
+}
 export function denyRestrictedToolsGlobally(permissions) {
     for (const toolId of ALL_RESTRICTED_TOOL_IDS) {
         permissions[toolId] ??= 'deny';

package/dist/src/plugin/claude-manager.plugin.js

@@ -2,7 +2,7 @@ import { tool } from '@opencode-ai/plugin';
 import { managerPromptRegistry } from '../prompts/registry.js';
 import { isEngineerName } from '../team/roster.js';
 import { TeamOrchestrator } from '../manager/team-orchestrator.js';
-import { AGENT_CTO, ENGINEER_AGENT_IDS, ENGINEER_AGENT_NAMES, buildCtoAgentConfig, buildEngineerAgentConfig, denyRestrictedToolsGlobally, } from './agent-hierarchy.js';
+import { AGENT_CTO, AGENT_ARCHITECT, ENGINEER_AGENT_IDS, ENGINEER_AGENT_NAMES, buildCtoAgentConfig, buildEngineerAgentConfig, buildArchitectAgentConfig, denyRestrictedToolsGlobally, } from './agent-hierarchy.js';
 import { getActiveTeamSession, getOrCreatePluginServices, getPersistedActiveTeam, getWrapperSessionMapping, setActiveTeamSession, setPersistedActiveTeam, setWrapperSessionMapping, } from './service-factory.js';
 const MODEL_ENUM = ['claude-opus-4-6', 'claude-sonnet-4-6'];
 const MODE_ENUM = ['explore', 'implement', 'verify'];
@@ -15,6 +15,7 @@ export const ClaudeManagerPlugin = async ({ worktree }) => {
             config.permission ??= {};
             denyRestrictedToolsGlobally(config.permission);
             config.agent[AGENT_CTO] ??= buildCtoAgentConfig(managerPromptRegistry);
+            config.agent[AGENT_ARCHITECT] ??= buildArchitectAgentConfig(managerPromptRegistry);
             for (const engineer of ENGINEER_AGENT_NAMES) {
                 config.agent[ENGINEER_AGENT_IDS[engineer]] ??= buildEngineerAgentConfig(managerPromptRegistry, engineer);
             }
@@ -126,9 +127,12 @@ export const ClaudeManagerPlugin = async ({ worktree }) => {
                         challengerEngineer: args.challengerEngineer,
                         model: args.model,
                         abortSignal: context.abort,
+                        onLeadEvent: (event) => reportClaudeEvent(context, args.leadEngineer, event),
+                        onChallengerEvent: (event) => reportClaudeEvent(context, args.challengerEngineer, event),
+                        onSynthesisEvent: (event) => reportArchitectEvent(context, event),
                     });
                     context.metadata({
-                        title: '✅ Plan synthesis complete',
+                        title: '✅ Architect finished',
                         metadata: {
                             teamId: result.teamId,
                             lead: result.leadEngineer,
@@ -289,7 +293,7 @@ export const ClaudeManagerPlugin = async ({ worktree }) => {
                 },
             }),
             approval_update: tool({
-                description: 'Update the tool approval policy. Add or remove rules, change the default action, enable or disable approvals, or clear decision history.',
+                description: 'Update the tool approval policy. Add or remove rules, enable or disable approvals, or clear decision history. Unmatched tools are always allowed; block only with explicit deny rules (defaultAction cannot be set to deny).',
                 args: {
                     action: tool.schema.enum([
                         'addRule',
@@ -336,6 +340,11 @@ export const ClaudeManagerPlugin = async ({ worktree }) => {
                         if (!args.defaultAction) {
                             return JSON.stringify({ error: 'setDefault requires defaultAction' });
                         }
+                        if (args.defaultAction === 'deny') {
+                            return JSON.stringify({
+                                error: 'defaultAction cannot be deny; unmatched tools are always allowed. Add explicit deny rules instead.',
+                            });
+                        }
                         await services.approvalManager.setDefaultAction(args.defaultAction);
                     }
                     else if (args.action === 'setEnabled') {
@@ -553,6 +562,78 @@ function reportClaudeEvent(context, engineer, event) {
         });
     }
 }
+function reportArchitectEvent(context, event) {
+    if (event.type === 'error') {
+        context.metadata({
+            title: `❌ Architect hit an error`,
+            metadata: {
+                sessionId: event.sessionId,
+                error: event.text.slice(0, 200),
+            },
+        });
+        return;
+    }
+    if (event.type === 'init') {
+        context.metadata({
+            title: `⚡ Architect session ready`,
+            metadata: {
+                sessionId: event.sessionId,
+            },
+        });
+        return;
+    }
+    if (event.type === 'tool_call') {
+        let toolName;
+        let toolId;
+        let toolArgs;
+        try {
+            const parsed = JSON.parse(event.text);
+            toolName = parsed.name;
+            toolId = parsed.id;
+            if (typeof parsed.input === 'string') {
+                try {
+                    toolArgs = JSON.parse(parsed.input);
+                }
+                catch {
+                    toolArgs = parsed.input;
+                }
+            }
+            else {
+                toolArgs = parsed.input;
+            }
+        }
+        catch {
+            // event.text is not valid JSON — fall back to generic title
+        }
+        const toolDescription = formatToolDescription(toolName ?? '', toolArgs);
+        context.metadata({
+            title: toolDescription
+                ? `⚡ Architect → ${toolDescription}`
+                : toolName
+                    ? `⚡ Architect → ${toolName}`
+                    : `⚡ Architect is using Claude Code tools`,
+            metadata: {
+                sessionId: event.sessionId,
+                ...(toolName !== undefined && { toolName }),
+                ...(toolId !== undefined && { toolId }),
+                ...(toolArgs !== undefined && { toolArgs }),
+            },
+        });
+        return;
+    }
+    if (event.type === 'assistant' || event.type === 'partial') {
+        const isThinking = event.text.startsWith('<thinking>');
+        const stateLabel = event.type === 'partial' && isThinking ? 'is thinking' : 'is working';
+        context.metadata({
+            title: `⚡ Architect ${stateLabel}`,
+            metadata: {
+                sessionId: event.sessionId,
+                preview: event.text.slice(0, 160),
+                isThinking,
+            },
+        });
+    }
+}
 function annotateToolRun(context, title, metadata) {
     context.metadata({
         title,

package/dist/src/plugin/service-factory.js

@@ -24,7 +24,7 @@ export function getOrCreatePluginServices(worktree) {
     const teamStore = new TeamStateStore();
     const transcriptStore = new TranscriptStore();
     const manager = new PersistentManager(gitOps, transcriptStore);
-    const orchestrator = new TeamOrchestrator(sessionService, teamStore, transcriptStore, managerPromptRegistry.engineerSessionPrompt);
+    const orchestrator = new TeamOrchestrator(sessionService, teamStore, transcriptStore, managerPromptRegistry.engineerSessionPrompt, managerPromptRegistry.architectSystemPrompt);
     const services = {
         manager,
         sessions: sessionService,

package/dist/src/prompts/registry.js

@@ -27,7 +27,7 @@ export const managerPromptRegistry = {
         '',
         'Plan and decompose:',
         '- Break work into independent pieces that can run in parallel. Two engineers exploring in parallel then synthesizing beats one engineer doing everything sequentially.',
-        '- For medium or large tasks, dispatch two engineers with complementary perspectives (lead plan + challenger review), then synthesize.',
+        '- For medium or large tasks, delegate dual-engineer exploration to two engineers, then task the `architect` subagent to synthesize their independent plans into one stronger plan.',
         '- Define clear success criteria before delegating. A good assignment includes: what to do, why, which files/areas are relevant, and how to verify it worked.',
         '',
         'Delegate through the Task tool:',
@@ -76,6 +76,21 @@ export const managerPromptRegistry = {
         'Report blockers immediately with exact error output. Do not retry silently more than once.',
         'Do not run git commit, git push, git reset, git checkout, or git stash.',
     ].join('\n'),
+    architectSystemPrompt: [
+        'You are the Architect. Your role is to synthesize two independent engineering plans into one stronger, unified plan.',
+        'Compare the lead and challenger plans on clarity, feasibility, risk, and fit to the user request.',
+        'Prefer the simplest path that fully addresses the goal. Surface tradeoffs honestly.',
+        'If the plans disagree on something only the user can decide, surface exactly one recommended question and one recommended answer.',
+        'Do not editorialize or over-explain. Be direct and concise.',
+        '',
+        'Use this output format exactly:',
+        '## Synthesis',
+        '<combined plan>',
+        '## Recommended Question',
+        '<question or NONE>',
+        '## Recommended Answer',
+        '<answer or NONE>',
+    ].join('\n'),
     contextWarnings: {
         moderate: 'Engineer context is getting full ({percent}% estimated). Reuse is still fine, but keep the next prompt focused.',
         high: 'Engineer context is heavy ({percent}% estimated, {turns} turns, ${cost}). Prefer a narrowly scoped follow-up or internal compaction.',

package/dist/src/types/contracts.d.ts

@@ -2,6 +2,7 @@ export interface ManagerPromptRegistry {
     ctoSystemPrompt: string;
     engineerAgentPrompt: string;
     engineerSessionPrompt: string;
+    architectSystemPrompt: string;
     contextWarnings: {
         moderate: string;
         high: string;
@@ -186,7 +187,11 @@ export interface ToolApprovalRule {
 }
 export interface ToolApprovalPolicy {
     rules: ToolApprovalRule[];
-    defaultAction: 'allow' | 'deny';
+    /**
+     * Always `allow`: tools that do not match any rule are allowed.
+     * Blocking is done only with explicit `deny` rules (deny-list contract).
+     */
+    defaultAction: 'allow';
     defaultDenyMessage?: string;
     enabled: boolean;
 }

package/dist/test/claude-manager.plugin.test.js

@@ -1,6 +1,6 @@
 import { describe, expect, it } from 'vitest';
 import { ClaudeManagerPlugin } from '../src/plugin/claude-manager.plugin.js';
-import { AGENT_CTO, ENGINEER_AGENT_IDS, ENGINEER_AGENT_NAMES, } from '../src/plugin/agent-hierarchy.js';
+import { AGENT_CTO, AGENT_ARCHITECT, ENGINEER_AGENT_IDS, ENGINEER_AGENT_NAMES, } from '../src/plugin/agent-hierarchy.js';
 describe('ClaudeManagerPlugin', () => {
     it('configures CTO with orchestration tools and question access', async () => {
         const plugin = await ClaudeManagerPlugin({
@@ -26,7 +26,6 @@ describe('ClaudeManagerPlugin', () => {
             todoread: 'allow',
             question: 'allow',
             team_status: 'allow',
-            plan_with_team: 'allow',
             reset_engineer: 'allow',
             git_diff: 'allow',
             git_commit: 'allow',
@@ -42,6 +41,7 @@ describe('ClaudeManagerPlugin', () => {
             maya: 'allow',
             sara: 'allow',
             alex: 'allow',
+            architect: 'allow',
         });
     });
     it('configures every named engineer with only the claude bridge tool', async () => {
@@ -63,13 +63,33 @@ describe('ClaudeManagerPlugin', () => {
                 claude: 'allow',
                 git_diff: 'deny',
                 git_commit: 'deny',
-                plan_with_team: 'deny',
                 reset_engineer: 'deny',
             });
             expect(agent.permission).not.toHaveProperty('read');
             expect(agent.permission).not.toHaveProperty('grep');
         }
     });
+    it('configures architect as a read-only subagent for plan synthesis', async () => {
+        const plugin = await ClaudeManagerPlugin({
+            worktree: '/tmp/project',
+        });
+        const config = {};
+        await plugin.config?.(config);
+        const agents = (config.agent ?? {});
+        const architect = agents[AGENT_ARCHITECT];
+        expect(architect).toBeDefined();
+        expect(architect.mode).toBe('subagent');
+        expect(architect.description.toLowerCase()).toContain('synthesiz');
+        expect(architect.permission).toMatchObject({
+            '*': 'deny',
+            read: 'allow',
+            grep: 'allow',
+            glob: 'allow',
+            list: 'allow',
+            codesearch: 'allow',
+            claude: 'deny',
+        });
+    });
     it('registers the named engineer bridge and team status tools', async () => {
         const plugin = await ClaudeManagerPlugin({
             worktree: '/tmp/project',

package/dist/test/prompt-registry.test.js

@@ -4,7 +4,8 @@ describe('managerPromptRegistry', () => {
     it('gives the CTO explicit orchestration guidance', () => {
         expect(managerPromptRegistry.ctoSystemPrompt).toContain('You are a principal engineer orchestrating a team of AI-powered engineers');
         expect(managerPromptRegistry.ctoSystemPrompt).toContain('Task tool');
-        expect(managerPromptRegistry.ctoSystemPrompt).toContain('dispatch two engineers with complementary perspectives');
+        expect(managerPromptRegistry.ctoSystemPrompt).toContain('dual-engineer');
+        expect(managerPromptRegistry.ctoSystemPrompt).toContain('architect');
         expect(managerPromptRegistry.ctoSystemPrompt).toContain('question');
         expect(managerPromptRegistry.ctoSystemPrompt).toContain('Tom, John, Maya, Sara, and Alex');
         expect(managerPromptRegistry.ctoSystemPrompt).not.toContain('clear_session');
@@ -28,4 +29,12 @@ describe('managerPromptRegistry', () => {
         expect(managerPromptRegistry.contextWarnings.high).toContain('{turns}');
         expect(managerPromptRegistry.contextWarnings.critical).toContain('near capacity');
     });
+    it('gives the architect synthesis guidance with complete output format', () => {
+        expect(managerPromptRegistry.architectSystemPrompt).toContain('Architect');
+        expect(managerPromptRegistry.architectSystemPrompt).toContain('synthesiz');
+        expect(managerPromptRegistry.architectSystemPrompt).toContain('two independent');
+        expect(managerPromptRegistry.architectSystemPrompt).toContain('## Synthesis');
+        expect(managerPromptRegistry.architectSystemPrompt).toContain('## Recommended Question');
+        expect(managerPromptRegistry.architectSystemPrompt).toContain('## Recommended Answer');
+    });
 });

package/dist/test/report-claude-event.test.js

@@ -180,7 +180,7 @@ describe('second invocation continuity', () => {
         // ── Phase 1: first task via orchestrator (no real SDK needed) ──────────
         const store = new TeamStateStore();
         await store.setActiveTeam(tempRoot, 'cto-1');
-        const orchestrator = new TeamOrchestrator({ runTask: vi.fn() }, store, { appendEvents: vi.fn(async () => undefined) }, 'Base prompt');
+        const orchestrator = new TeamOrchestrator({ runTask: vi.fn() }, store, { appendEvents: vi.fn(async () => undefined) }, 'Base prompt', 'Architect prompt');
         await orchestrator.recordWrapperSession(tempRoot, 'cto-1', 'Tom', 'wrapper-tom-1');
         await orchestrator.recordWrapperExchange(tempRoot, 'cto-1', 'Tom', 'wrapper-tom-1', 'explore', 'Investigate the auth flow', 'Found two race conditions in the token refresh path.');
         // ── Phase 2: process restart ───────────────────────────────────────────
@@ -206,7 +206,7 @@ describe('second invocation continuity', () => {
         // ── Phase 1: pre-seed Tom with a claudeSessionId ───────────────────────
         const store = new TeamStateStore();
         await store.setActiveTeam(tempRoot, 'cto-1');
-        const orchestrator = new TeamOrchestrator({ runTask: vi.fn() }, store, { appendEvents: vi.fn(async () => undefined) }, 'Base prompt');
+        const orchestrator = new TeamOrchestrator({ runTask: vi.fn() }, store, { appendEvents: vi.fn(async () => undefined) }, 'Base prompt', 'Architect prompt');
         await orchestrator.getOrCreateTeam(tempRoot, 'cto-1');
         await store.updateTeam(tempRoot, 'cto-1', (team) => ({
             ...team,

package/dist/test/team-orchestrator.test.js

@@ -35,7 +35,7 @@ describe('TeamOrchestrator', () => {
             outputTokens: 300,
             contextWindowSize: 200_000,
         });
-        const orchestrator = new TeamOrchestrator({ runTask }, new TeamStateStore('.state'), { appendEvents: vi.fn(async () => { }) }, 'Base engineer prompt');
+        const orchestrator = new TeamOrchestrator({ runTask }, new TeamStateStore('.state'), { appendEvents: vi.fn(async () => { }) }, 'Base engineer prompt', 'Architect prompt');
         const first = await orchestrator.dispatchEngineer({
             teamId: 'team-1',
             cwd: tempRoot,
@@ -74,7 +74,7 @@ describe('TeamOrchestrator', () => {
     it('rejects work when the same engineer is already busy', async () => {
         tempRoot = await mkdtemp(join(tmpdir(), 'team-orchestrator-'));
         const store = new TeamStateStore('.state');
-        const orchestrator = new TeamOrchestrator({ runTask: vi.fn() }, store, { appendEvents: vi.fn(async () => { }) }, 'Base engineer prompt');
+        const orchestrator = new TeamOrchestrator({ runTask: vi.fn() }, store, { appendEvents: vi.fn(async () => { }) }, 'Base engineer prompt', 'Architect prompt');
         const team = await orchestrator.getOrCreateTeam(tempRoot, 'team-1');
         await store.saveTeam({
             ...team,
@@ -112,7 +112,7 @@ describe('TeamOrchestrator', () => {
             events: [],
             finalText: '## Synthesis\nCombined plan\n## Recommended Question\nShould we migrate now?\n## Recommended Answer\nNo, defer it.',
         });
-        const orchestrator = new TeamOrchestrator({ runTask }, new TeamStateStore('.state'), { appendEvents: vi.fn(async () => { }) }, 'Base engineer prompt');
+        const orchestrator = new TeamOrchestrator({ runTask }, new TeamStateStore('.state'), { appendEvents: vi.fn(async () => { }) }, 'Base engineer prompt', 'Architect prompt');
         const result = await orchestrator.planWithTeam({
             teamId: 'team-1',
             cwd: tempRoot,
@@ -126,9 +126,58 @@ describe('TeamOrchestrator', () => {
         expect(result.recommendedAnswer).toBe('No, defer it.');
         expect(runTask).toHaveBeenCalledTimes(3);
     });
+    it('invokes lead, challenger, and synthesis event callbacks', async () => {
+        tempRoot = await mkdtemp(join(tmpdir(), 'team-orchestrator-'));
+        const runTask = vi.fn(async (input, onEvent) => {
+            // Simulate event callbacks being invoked by the session
+            if (onEvent) {
+                await Promise.resolve(onEvent({ type: 'init', text: 'initialized' }));
+            }
+            // Return appropriate result based on call count
+            const calls = runTask.mock.calls.length;
+            if (calls === 1) {
+                return {
+                    sessionId: 'ses_tom',
+                    events: [{ type: 'init', text: 'initialized', sessionId: 'ses_tom' }],
+                    finalText: 'Lead plan',
+                };
+            }
+            else if (calls === 2) {
+                return {
+                    sessionId: 'ses_maya',
+                    events: [{ type: 'init', text: 'initialized', sessionId: 'ses_maya' }],
+                    finalText: 'Challenger plan',
+                };
+            }
+            else {
+                return {
+                    sessionId: undefined,
+                    events: [{ type: 'init', text: 'initialized', sessionId: undefined }],
+                    finalText: '## Synthesis\nSynthesis\n## Recommended Question\nNONE\n## Recommended Answer\nNONE',
+                };
+            }
+        });
+        const orchestrator = new TeamOrchestrator({ runTask }, new TeamStateStore('.state'), { appendEvents: vi.fn(async () => { }) }, 'Base engineer prompt', 'Architect prompt');
+        const onLeadEvent = vi.fn();
+        const onChallengerEvent = vi.fn();
+        const onSynthesisEvent = vi.fn();
+        await orchestrator.planWithTeam({
+            teamId: 'team-1',
+            cwd: tempRoot,
+            request: 'Plan the refactor',
+            leadEngineer: 'Tom',
+            challengerEngineer: 'Maya',
+            onLeadEvent,
+            onChallengerEvent,
+            onSynthesisEvent,
+        });
+        expect(onLeadEvent).toHaveBeenCalled();
+        expect(onChallengerEvent).toHaveBeenCalled();
+        expect(onSynthesisEvent).toHaveBeenCalled();
+    });
     it('persists wrapper session memory for an engineer', async () => {
         tempRoot = await mkdtemp(join(tmpdir(), 'team-orchestrator-'));
-        const orchestrator = new TeamOrchestrator({ runTask: vi.fn() }, new TeamStateStore('.state'), { appendEvents: vi.fn(async () => { }) }, 'Base engineer prompt');
+        const orchestrator = new TeamOrchestrator({ runTask: vi.fn() }, new TeamStateStore('.state'), { appendEvents: vi.fn(async () => { }) }, 'Base engineer prompt', 'Architect prompt');
         await orchestrator.recordWrapperSession(tempRoot, 'team-1', 'Tom', 'wrapper-tom');
         await orchestrator.recordWrapperExchange(tempRoot, 'team-1', 'Tom', 'wrapper-tom', 'explore', 'Investigate the auth flow and compare approaches', 'The auth flow uses one shared validator and the cookie refresh path is the main risk.');
         const team = await orchestrator.getOrCreateTeam(tempRoot, 'team-1');

package/dist/test/tool-approval-manager.test.js

@@ -73,13 +73,12 @@ describe('ToolApprovalManager', () => {
             const result = manager.evaluate('Bash', { command: 'rm -rf /' });
             expect(result).toEqual({ behavior: 'allow' });
         });
-        it('uses default action when no rule matches', () => {
+        it('allows tools when no rule matches (deny-list contract)', () => {
             const manager = new ToolApprovalManager({
                 rules: [],
-                defaultAction: 'deny',
             });
             const result = manager.evaluate('SomeUnknownTool', {});
-            expect(result.behavior).toBe('deny');
+            expect(result.behavior).toBe('allow');
         });
         it('first matching rule wins', () => {
             const manager = new ToolApprovalManager({
@@ -175,24 +174,22 @@ describe('ToolApprovalManager', () => {
             const manager = new ToolApprovalManager();
             expect(await manager.removeRule('nonexistent')).toBe(false);
         });
-        it('setPolicy replaces entire policy', async () => {
+        it('setPolicy replaces entire policy and normalizes defaultAction to allow', async () => {
             const manager = new ToolApprovalManager();
             await manager.setPolicy({
                 rules: [{ id: 'only', toolPattern: '*', action: 'deny' }],
-                defaultAction: 'deny',
+                defaultAction: 'allow',
                 enabled: true,
             });
             expect(manager.getPolicy().rules).toHaveLength(1);
-            expect(manager.getPolicy().defaultAction).toBe('deny');
+            expect(manager.getPolicy().defaultAction).toBe('allow');
         });
-        it('setDefaultAction changes the fallback', async () => {
+        it('setDefaultAction rejects deny', async () => {
             const manager = new ToolApprovalManager({
                 rules: [],
                 enabled: true,
-                defaultAction: 'allow',
             });
-            await manager.setDefaultAction('deny');
-            expect(manager.evaluate('Unknown', {}).behavior).toBe('deny');
+            await expect(manager.setDefaultAction('deny')).rejects.toThrow(/defaultAction cannot be deny/);
         });
         it('setEnabled toggles the manager', async () => {
             const manager = new ToolApprovalManager({
@@ -205,7 +202,6 @@ describe('ToolApprovalManager', () => {
                     },
                 ],
                 enabled: true,
-                defaultAction: 'deny',
             });
             expect(manager.evaluate('Read', {}).behavior).toBe('deny');
             await manager.setEnabled(false);

package/dist/types/contracts.d.ts

@@ -2,6 +2,7 @@ export interface ManagerPromptRegistry {
     ctoSystemPrompt: string;
     engineerAgentPrompt: string;
     engineerSessionPrompt: string;
+    architectSystemPrompt: string;
     contextWarnings: {
         moderate: string;
         high: string;
@@ -186,7 +187,11 @@ export interface ToolApprovalRule {
 }
 export interface ToolApprovalPolicy {
     rules: ToolApprovalRule[];
-    defaultAction: 'allow' | 'deny';
+    /**
+     * Always `allow`: tools that do not match any rule are allowed.
+     * Blocking is done only with explicit `deny` rules (deny-list contract).
+     */
+    defaultAction: 'allow';
     defaultDenyMessage?: string;
     enabled: boolean;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@doingdev/opencode-claude-manager-plugin",
-  "version": "0.1.52",
+  "version": "0.1.54",
   "description": "OpenCode plugin that orchestrates Claude Code sessions.",
   "keywords": [
     "opencode",