@fitlab-ai/agent-infra 0.6.2-alpha.1 → 0.6.3

package/lib/sandbox/credentials.ts

@@ -92,6 +92,11 @@ type ResolvedTool = {
   };
 };
 
+export type ClaudeCredentialOutcome =
+  | { status: 'OK' }
+  | { status: 'SKIPPED' }
+  | { status: 'NOT_APPLICABLE' };
+
 type CredentialPayload = {
   claudeAiOauth?: CredentialPayload;
   scopes?: unknown;
@@ -584,17 +589,17 @@ export function formatRemaining(expiresAt: unknown): string {
   return hours > 0 ? `${hours}h ${minutes}m` : `${minutes}m`;
 }
 
-export function assertClaudeCredentialsAvailable(
+export function prepareClaudeCredentials(
   home: string,
   project: string,
   resolvedTools: ResolvedTool[],
   extractFn: (home: string) => string | null = extractClaudeCredentialsBlob,
   writeFn: (home: string, project: string, blob: string) => void = writeClaudeCredentialsFile,
   inspectFn: (home: string) => CredentialInspection = inspectClaudeKeychainStatus
-): void {
+): ClaudeCredentialOutcome {
   const claudeCodeEntry = resolvedTools.find(({ tool }) => tool.id === 'claude-code');
   if (!claudeCodeEntry) {
-    return;
+    return { status: 'NOT_APPLICABLE' };
   }
 
   let blob: string | null = null;
@@ -602,33 +607,51 @@ export function assertClaudeCredentialsAvailable(
   const hasCustomExtractFn = extractFn !== extractClaudeCredentialsBlob;
   if (hasCustomInspectFn || !hasCustomExtractFn) {
     const inspection = inspectFn(home);
-    if (inspection.status === 'KEYCHAIN_LOCKED') {
-      throw new Error([
-        'Claude Code credentials are stored in the macOS keychain, but the keychain is locked.',
-        '',
-        buildLockedGuidance()
-      ].join('\n'));
+    switch (inspection.status) {
+      case 'OK':
+        blob = inspection.blob;
+        break;
+      case 'MISSING':
+        return { status: 'SKIPPED' };
+      case 'KEYCHAIN_LOCKED':
+        throw new Error([
+          'Claude Code credentials are stored in the macOS keychain, but the keychain is locked.',
+          '',
+          buildLockedGuidance()
+        ].join('\n'));
+      case 'STALE_ACCESS':
+        throw new Error([
+          'Claude Code credentials on host are invalid or expired.',
+          '',
+          'The sandbox needs valid Claude Code OAuth credentials so the container can use Claude Code.',
+          '',
+          'To fix:',
+          '  1. On the host, run "claude" once and complete the OAuth login flow.',
+          '  2. Verify with "claude /status" that you see your subscription.',
+          '  3. Re-run "ai sandbox create".'
+        ].join('\n'));
+      case 'KEYCHAIN_ERROR':
+        throw new Error([
+          'Claude Code credentials could not be read from the host keychain.',
+          '',
+          inspection.detail ? `Detail: ${inspection.detail}` : 'Detail: unknown keychain error',
+          '',
+          'To fix:',
+          '  1. Unlock or repair the host keychain, then re-run "ai sandbox create".',
+          '  2. For SSH / CI, set AGENT_INFRA_CLAUDE_CREDENTIALS_FILE to an absolute path containing a valid credentials blob.'
+        ].join('\n'));
+      default: {
+        const _exhaustive: never = inspection;
+        throw new Error(`Unhandled Claude Code credential inspection status: ${(_exhaustive as { status: string }).status}`);
+      }
     }
-    blob = inspection.status === 'OK' ? inspection.blob : null;
   } else {
     blob = extractFn(home);
-  }
-
-  if (!blob) {
-    throw new Error([
-      'Claude Code credentials not found on host.',
-      '',
-      'The sandbox needs your Claude Code OAuth credentials so the container can use Claude Code.',
-      '',
-      'To fix:',
-      '  1. On the host, run "claude" once and complete the OAuth login flow.',
-      '  2. Verify with "claude /status" that you see your subscription.',
-      '  3. Re-run "ai sandbox create".',
-      '',
-      'Alternatively, if you do not need Claude Code in this sandbox,',
-      'remove "claude-code" from the "sandbox.tools" array in .agents/.airc.json.'
-    ].join('\n'));
+    if (!blob) {
+      return { status: 'SKIPPED' };
+    }
   }
 
   writeFn(home, project, blob);
+  return { status: 'OK' };
 }

package/lib/sandbox/index.ts

@@ -6,6 +6,7 @@ Commands:
   refresh                      Sync host Claude Code credentials to all sandbox copies
   ls                           List sandboxes for the current project
   rm <branch> [--all]          Remove a sandbox or all sandboxes
+  prune [--dry-run]            Remove orphaned per-branch state dirs
   vm status|start|stop         Manage the sandbox VM (macOS) or check the backend (Windows)
   rebuild [--quiet]            Rebuild the sandbox image
 
@@ -33,7 +34,7 @@ export async function runSandbox(args: string[]): Promise<void> {
     }
     case 'exec': {
       const { enter } = await import('./commands/enter.ts');
-      const exitCode = enter(rest);
+      const exitCode = await enter(rest);
       if (typeof exitCode === 'number' && exitCode !== 0) {
         process.exitCode = exitCode;
       }
@@ -57,6 +58,11 @@ export async function runSandbox(args: string[]): Promise<void> {
       await rm(rest);
       break;
     }
+    case 'prune': {
+      const { prune } = await import('./commands/prune.ts');
+      await prune(rest);
+      break;
+    }
     case 'vm': {
       const { vm } = await import('./commands/vm.ts');
       await vm(rest);

package/lib/sandbox/managed-fs.ts

@@ -0,0 +1,27 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { run } from './shell.ts';
+
+export function assertManagedPath(root: string, target: string): void {
+  const resolvedRoot = path.resolve(root);
+  const resolvedTarget = path.resolve(target);
+  const relative = path.relative(resolvedRoot, resolvedTarget);
+  if (relative === '' || (!relative.startsWith('..') && !path.isAbsolute(relative))) {
+    return;
+  }
+
+  throw new Error(`Refusing to remove path outside managed sandbox root: ${target}`);
+}
+
+export function removeManagedDir(root: string, dir: string): void {
+  assertManagedPath(root, dir);
+  fs.rmSync(dir, { recursive: true, force: true });
+}
+
+export function removeWorktreeDir(repoRoot: string, worktreeBase: string, dir: string): void {
+  try {
+    run('git', ['-C', repoRoot, 'worktree', 'remove', dir, '--force']);
+  } catch {
+    removeManagedDir(worktreeBase, dir);
+  }
+}

package/lib/sandbox/tools.ts

@@ -28,7 +28,7 @@ function createBuiltinTools(home: string, project: string): Record<string, Sandb
     'claude-code': {
       id: 'claude-code',
       name: 'Claude Code',
-      npmPackage: '@anthropic-ai/claude-code',
+      npmPackage: '@anthropic-ai/claude-code@stable',
       sandboxBase: hostJoin(home, '.agent-infra', 'sandboxes', 'claude-code'),
       containerMount: '/home/devuser/.claude',
       versionCmd: 'claude --version',

package/lib/version.ts

@@ -1,8 +1,15 @@
-import { readFileSync } from 'node:fs';
+import { existsSync, readFileSync } from 'node:fs';
 
-const { version } = JSON.parse(
-  readFileSync(new URL('../package.json', import.meta.url), 'utf8')
-);
+const packageJsonUrl = [
+  new URL('../package.json', import.meta.url),
+  new URL('../../package.json', import.meta.url),
+].find((url) => existsSync(url));
+
+if (!packageJsonUrl) {
+  throw new Error('Unable to locate package.json for agent-infra version');
+}
+
+const { version } = JSON.parse(readFileSync(packageJsonUrl, 'utf8'));
 const VERSION = `v${version}`;
 
 export { VERSION };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fitlab-ai/agent-infra",
-  "version": "0.6.2-alpha.1",
+  "version": "0.6.3",
   "description": "Bootstrap tool for AI multi-tool collaboration infrastructure — works with Claude Code, Codex, Gemini CLI, and OpenCode",
   "license": "MIT",
   "type": "module",
@@ -57,6 +57,7 @@
     "test:smoke": "npm run build && node --experimental-strip-types --no-warnings --test tests/templates/*.test.ts tests/core/airc.test.ts tests/core/release.test.ts tests/core/metadata-sync-workflow.test.ts tests/core/pr-label-workflow.test.ts tests/core/status-label-workflow.test.ts tests/core/test-tier-coverage.test.ts tests/cli/lib.test.ts tests/cli/sync-templates.test.ts tests/scripts/sync-templates-platform-gating.test.ts",
     "test:core": "npm run build && node --experimental-strip-types --no-warnings --test tests/templates/*.test.ts tests/core/airc.test.ts tests/core/release.test.ts tests/core/metadata-sync-workflow.test.ts tests/core/pr-label-workflow.test.ts tests/core/status-label-workflow.test.ts tests/core/test-tier-coverage.test.ts tests/cli/lib.test.ts tests/cli/sync-templates.test.ts tests/scripts/sync-templates-platform-gating.test.ts tests/cli/cli.test.ts tests/cli/merge.test.ts tests/cli/sandbox.test.ts tests/core/custom-skills.test.ts tests/core/custom-tuis.test.ts tests/core/demo-regen.test.ts tests/scripts/find-existing-task.test.ts tests/scripts/platform-adapter-defaults.test.ts",
     "test": "npm run build && node --experimental-strip-types --no-warnings --test tests/cli/*.test.ts tests/templates/*.test.ts tests/core/*.test.ts tests/scripts/*.test.ts",
+    "test:coverage": "npm run build && node --experimental-strip-types --no-warnings --test --experimental-test-coverage --test-coverage-exclude='tests/**' --test-reporter=spec --test-reporter-destination=stdout --test-reporter=lcov --test-reporter-destination=coverage.lcov tests/cli/*.test.ts tests/templates/*.test.ts tests/core/*.test.ts tests/scripts/*.test.ts",
     "prepublishOnly": "npm run build && node --experimental-strip-types --no-warnings --test tests/cli/*.test.ts tests/templates/*.test.ts tests/core/*.test.ts tests/scripts/*.test.ts"
   },
   "devDependencies": {
@@ -64,5 +65,8 @@
     "@types/node": "^25.9.1",
     "@types/semver": "^7.7.1",
     "typescript": "~6.0"
+  },
+  "optionalDependencies": {
+    "@lydell/node-pty": "^1.2.0-beta.12"
   }
 }

package/templates/.agents/README.en.md

@@ -193,6 +193,23 @@ Each source should mirror the `.agents/skills/` layout and include `SKILL.md` at
 - Built-in skills are not overridable by custom sources; if a source skill name conflicts with a built-in skill, the source copy is skipped
 - Use `files.ejected` if the project must take ownership of a built-in skill or command
 
+## File Ownership and Sync Strategy
+
+The `files` field in `.agents/.airc.json` groups project files into three categories:
+
+| Category | When the template has the file | When the template does not have the file | Cleanup behavior |
+|----------|--------------------------------|------------------------------------------|------------------|
+| `managed` | Write from the template and overwrite | Treat as removed from the template | Delete the local project copy |
+| `merged` | Merge semantically by AI or humans | Do not write from the template | Keep the local project copy |
+| `ejected` | May be created from the template first; skip overwrite once it exists | Do not write from the template | Keep the local project copy |
+
+`ejected` has two common uses:
+
+1. **Taking over a built-in file**: the project needs full control over a rule, command, or config file that originally came from the template.
+2. **Declaring a project-only file**: the project owns a file under a managed directory wildcard, but the template does not contain that file; list it in `files.ejected` so sync does not treat it as a removed template file.
+
+`ejected` entries support literal paths or globs, using the same matching rules as `merged`.
+
 ## Custom TUI Configuration
 
 Use the top-level `.agents/.airc.json` `customTUIs` array when your team uses an AI TUI that is not one of the built-in command targets. This config lets agent-infra show the correct next-step commands and generate command files for project custom skills by learning from an existing command in the custom TUI directory.
@@ -257,6 +274,7 @@ When writing or updating `.agents/skills/*/SKILL.md` files and their templates,
 
 - Keep SKILL.md as concise as possible; move detailed rules, long templates, and large script blocks into a sibling `reference/` or `scripts/` directory.
 - Store declarative configuration in a sibling `config/` directory, for example `config/verify.json`.
+  When `required_sections` or `required_patterns` contain language-specific text, provide `config/verify.en.json` and `config/verify.zh-CN.json`; sync strips the selected language variant back to `config/verify.json`.
 - Use explicit navigation in the skeleton, such as: `Read reference/xxx.md before executing this step.`
 - Keep scripts in `scripts/` and execute them instead of inlining long bash blocks.
 
@@ -269,6 +287,7 @@ node .agents/scripts/validate-artifact.js gate <skill-name> <task-dir> [artifact
 ```
 
 - Each skill declares its own checks in `config/verify.json`; keep the file focused on what that skill must validate
+- For language-specific artifact headings or anchors, keep only `required_sections` and language-specific `required_patterns` different between `config/verify.en.json` and `config/verify.zh-CN.json`
 - If a skill also prints next-step guidance, run the gate first and only show those instructions after the gate passes
 - For user-facing final validation, prefer `--format text` so the reply contains a readable summary instead of raw JSON
 - Shared validation logic belongs in `.agents/scripts/validate-artifact.js`; do not move detailed rules back into SKILL.md

package/templates/.agents/README.zh-CN.md

@@ -193,6 +193,23 @@ args: "<task-id>"   # 可选
 - 自定义 source 不能覆盖内置 skill；如果与内置 skill 同名，会跳过该 source skill
 - 如果项目必须接管某个内置 skill 或命令，请使用 `files.ejected`
 
+## 文件归属与同步策略
+
+`.agents/.airc.json` 的 `files` 字段把项目文件分为三类：
+
+| 类别 | 模板中存在时 | 模板中不存在时 | 清理行为 |
+|------|--------------|----------------|----------|
+| `managed` | 从模板写入并覆盖 | 视为模板已下线 | 删除项目本地副本 |
+| `merged` | 由 AI 或人工语义合并 | 不从模板写入 | 保留项目本地副本 |
+| `ejected` | 首次可从模板创建，已存在时跳过覆盖 | 不从模板写入 | 保留项目本地副本 |
+
+`ejected` 有两种常见用法：
+
+1. **接管内置文件**：项目需要完全控制原本来自模板的规则、命令或配置文件，避免后续同步覆盖本地内容。
+2. **声明项目独占文件**：项目自己的文件落在 managed 目录通配下，但模板中没有同名文件；把它列入 `files.ejected`，避免同步时被当作模板已下线文件删除。
+
+`ejected` 条目支持字面路径或 glob，匹配规则与 `merged` 相同。
+
 ## 自定义 TUI 配置
 
 当团队使用的 AI TUI 不属于内置命令目标时，可以在 `.agents/.airc.json` 顶层配置 `customTUIs` 数组。该配置用于让 agent-infra 输出正确的下一步命令，并通过学习自定义 TUI 目录中的既有命令文件，为项目自定义 skill 生成同格式命令。
@@ -257,6 +274,7 @@ args: "<task-id>"   # 可选
 
 - SKILL.md 正文尽可能精简，把详细规则、长模板和大段脚本拆分到同级 `reference/` 或 `scripts/` 目录。
 - 声明式配置统一放在同级 `config/` 目录，例如 `config/verify.json`。
+  当 `required_sections` 或 `required_patterns` 包含语言相关文案时，提供 `config/verify.en.json` 和 `config/verify.zh-CN.json`；sync 会把选中的语言变体剥离为 `config/verify.json`。
 - 骨架中使用明确导航，例如：`执行此步骤前，先读取 reference/xxx.md。`
 - 长脚本继续放在 `scripts/` 目录，优先执行脚本而不是内联大段 bash。
 
@@ -269,6 +287,7 @@ node .agents/scripts/validate-artifact.js gate <skill-name> <task-dir> [artifact
 ```
 
 - 每个 skill 在自己的 `config/verify.json` 中声明需要检查的事项
+- 对语言相关的产物标题或锚点，`config/verify.en.json` 和 `config/verify.zh-CN.json` 之间只应让 `required_sections` 与语言相关的 `required_patterns` 不同
 - 如果 skill 还会展示“下一步”提示，必须先通过完成校验，再输出这些指引
 - 面向用户展示最终校验结果时，优先使用 `--format text` 输出可读摘要，而不是原始 JSON
 - 共享逻辑集中在 `.agents/scripts/validate-artifact.js`，不要把详细校验规则重新塞回 SKILL.md

package/templates/.agents/rules/create-issue.github.en.md

@@ -149,13 +149,13 @@ gh api "repos/$upstream_repo/issues/{issue-number}" -X PATCH \
 
 Failure is non-blocking.
 
-### 6.5 Set Issue Fields (Optional)
+### 7. Set Issue Fields (Optional)
 
 If `has_push=true`, read `.agents/rules/issue-fields.md` and follow Flow A to write any applicable non-empty `priority`, `effort`, `start_date`, and `target_date` values from `task.md`.
 
 Field write failures are non-blocking.
 
-### 7. Write Back task.md
+### 8. Write Back task.md
 
 Update task.md:
 
@@ -164,7 +164,7 @@ Update task.md:
 
 > Do NOT append an Activity Log entry here. The Issue creation event is already captured by the GitHub Issue itself and by the frontmatter `issue_number` field; the Activity Log only records the single `create-task` skill execution anchor (`Task Created`), written by the caller SKILL step 3.
 
-### 8. Return the Result
+### 9. Return the Result
 
 Hand the following back to the caller `create-task`:
 

package/templates/.agents/rules/create-issue.github.zh-CN.md

@@ -149,13 +149,13 @@ gh api "repos/$upstream_repo/issues/{issue-number}" -X PATCH \
 
 设置失败不阻断流程。
 
-### 6.5 设置 Issue 字段（可选）
+### 7. 设置 Issue 字段（可选）
 
 如果 `has_push=true`，读取 `.agents/rules/issue-fields.md`，按流程 A 写入 `task.md` 中适用且非空的 `priority`、`effort`、`start_date` 和 `target_date`。
 
 字段写入失败不阻断流程。
 
-### 7. 回写 task.md
+### 8. 回写 task.md
 
 更新 task.md：
 
@@ -164,7 +164,7 @@ gh api "repos/$upstream_repo/issues/{issue-number}" -X PATCH \
 
 > 不要在此追加 Activity Log 条目。Issue 创建事件已由 GitHub Issue 自身和 frontmatter `issue_number` 承载；Activity Log 仅记录 `create-task` skill 一次执行的整体锚点（`Task Created`），由调用方 SKILL 步骤 3 写入。
 
-### 8. 返回结果
+### 9. 返回结果
 
 把以下信息回传给调用方 `create-task`：
 

package/templates/.agents/skills/analyze-task/SKILL.en.md

@@ -13,6 +13,20 @@ description: "Analyze a task and produce a requirements document"
 
 Version stamp rule: when creating or updating `task.md` frontmatter, read `.agents/rules/version-stamp.md` first and write or refresh `agent_infra_version`.
 
+## Step 0: State Check (pre-execution hard gate)
+
+After loading workflow / skill / rules instructions, and before any task-state judgment or user-visible conclusion, run the state check first. Reading instruction files does not count as an external-state action or conclusion.
+
+Run these commands and paste the raw output into both the user-facing reply and this round's `## State Check` section:
+
+```bash
+git status -s
+ls -la .agents/workspace/active/{task-id}/
+tail .agents/workspace/active/{task-id}/task.md
+```
+
+Before the state check is complete, do not make external-state assertions such as "the code is unchanged", "tests passed", or "there are no other references", including in reasoning. This gate is only a structural floor; evidence pairing and authenticity still require the report template and review discipline.
+
 ## Steps
 
 ### 1. Verify Prerequisites
@@ -49,6 +63,8 @@ If `task.md` contains these source fields, also read the corresponding source in
 
 ### 4. Perform Requirements Analysis
 
+Before analysis begins: if `start_date` in the frontmatter is empty, write today's date immediately (command: `date +%F`, format `YYYY-MM-DD`); keep any existing value. Before writing, read `.agents/rules/version-stamp.md` and refresh `updated_at` / `agent_infra_version` at the same time.
+
 Follow the `analysis` step in `.agents/workflows/feature-development.yaml`:
 
 **Required tasks** (analysis only, no business code changes):
@@ -70,6 +86,10 @@ Create `.agents/workspace/active/{task-id}/{analysis-artifact}`.
 - **Analysis round**: Round {analysis-round}
 - **Artifact file**: `{analysis-artifact}`
 
+## State Check
+
+> Paste the raw Step 0 state-check command output; each command starts with `$ `.
+
 ## Requirement Source
 
 **Source type**: {User description / Issue / Code Scanning / Dependabot / Other}
@@ -116,6 +136,14 @@ Update `.agents/workspace/active/{task-id}/task.md`:
 - Record the analysis artifact for this round: `{analysis-artifact}` (Round `{analysis-round}`)
 - If the task template contains a `## Analysis` section, update it to link to `{analysis-artifact}`
 - Mark requirement-analysis as complete in workflow progress and include the actual round when the task template supports it
+- Before appending the workflow Activity Log entry, re-estimate `priority` based on the analysis findings (business impact, risks, dependencies, blockers). If the re-estimated value differs from the current value in `task.md`:
+  - Overwrite the `priority` field in frontmatter with the new value
+  - Prepend an Activity Log entry recording the transition (placed before the `Requirement Analysis (Round N)` entry):
+    ```
+    - {YYYY-MM-DD HH:mm:ss±HH:MM} — **Analysis Re-estimate** by {agent} — priority {old} → {new} (rationale: {short basis grounded in this analysis})
+    ```
+  Both entries may share the same timestamp; ordering is conveyed by list position only.
+  If the re-estimated value matches the current value, skip the Re-estimate entry. The Flow A sync that follows reads the possibly updated frontmatter and propagates the new value to the Issue automatically.
 - **Append** to `## Activity Log` (do NOT overwrite previous entries):
   ```
   - {YYYY-MM-DD HH:mm:ss±HH:MM} — **Requirement Analysis (Round {N})** by {agent} — Analysis completed → {analysis-artifact}
@@ -126,6 +154,7 @@ If task.md contains a valid `issue_number`, perform these sync actions (skip and
 - Set `status: pending-design-work` by following issue-sync.md
 - Create or update the task comment marker defined in `.agents/rules/issue-sync.md` (follow the task.md comment sync rule in issue-sync.md)
 - Publish the `{analysis-artifact}` comment
+- Read `.agents/rules/issue-fields.md` and follow Flow A to sync every non-empty Issue field (`priority`/`effort`/`start_date`/`target_date`) from `task.md` to the Issue (idempotent; skip without blocking when `has_push=false` or the fetch/write fails)
 
 ### 7. Verification Gate
 

package/templates/.agents/skills/analyze-task/SKILL.zh-CN.md

@@ -13,6 +13,20 @@ description: "分析任务并输出需求分析文档"
 
 版本戳规则：创建或更新 `task.md` frontmatter 时，先读取 `.agents/rules/version-stamp.md`，并写入或刷新 `agent_infra_version`。
 
+## 第 0 步：状态核对（执行前硬约束）
+
+在加载 workflow / skill / rules 指令之后、做任何任务状态判断或用户可见结论之前，必须先执行状态核对。指令类文件读取不算对外动作或结论。
+
+运行以下命令，并把原文粘贴到回复正文和本轮产物的 `## 状态核对` 段：
+
+```bash
+git status -s
+ls -la .agents/workspace/active/{task-id}/
+tail .agents/workspace/active/{task-id}/task.md
+```
+
+状态核对完成前，禁止任何关于外部状态的断言（例如“代码没变”“测试已通过”“没有其他引用”），包括思考阶段。本门禁只提供结构下限；逐条证据配对和真实性仍需按报告模板与审查要求核对。
+
 ## 执行步骤
 
 ### 1. 验证前置条件
@@ -49,6 +63,8 @@ description: "分析任务并输出需求分析文档"
 
 ### 4. 执行需求分析
 
+开始分析前：若 frontmatter 的 `start_date` 为空，立即写入当日日期（命令 `date +%F`，格式 `YYYY-MM-DD`）；已有值则保留。写入前先读取 `.agents/rules/version-stamp.md`，并同步刷新 `updated_at` / `agent_infra_version`。
+
 遵循 `.agents/workflows/feature-development.yaml` 中的 `analysis` 步骤：
 
 **必要任务**（仅分析，不编写业务代码）：
@@ -70,6 +86,10 @@ description: "分析任务并输出需求分析文档"
 - **分析轮次**：Round {analysis-round}
 - **产物文件**：`{analysis-artifact}`
 
+## 状态核对
+
+> 粘贴第 0 步状态核对命令原文；每条命令以 `$ ` 开头。
+
 ## 需求来源
 
 **来源类型**：{用户描述 / Issue / Code Scanning / Dependabot / 其他}
@@ -116,6 +136,14 @@ date "+%Y-%m-%d %H:%M:%S%:z"
 - 记录本轮分析产物：`{analysis-artifact}`（Round `{analysis-round}`）
 - 如任务模板包含 `## 分析` 段落，更新为指向 `{analysis-artifact}` 的链接
 - 在工作流进度中标记 requirement-analysis 为已完成，并注明实际轮次（如果任务模板支持）
+- 在追加工作流 Activity Log 条目之前，基于分析结果（业务影响、风险、依赖、阻塞条件）重估 `priority`。若重估值与 `task.md` 当前值不一致：
+  - 用新值覆盖 frontmatter 的 `priority` 字段
+  - 在 `Requirement Analysis (Round N)` 条目之前追加一条转移记录：
+    ```
+    - {YYYY-MM-DD HH:mm:ss±HH:MM} — **Analysis Re-estimate** by {agent} — priority {old} → {new} (rationale: {基于本轮分析的简短依据})
+    ```
+  两条条目可共用同一时间戳，顺序仅通过列表位置表达。
+  若重估值与当前值一致，跳过 Re-estimate 条目。后续 Flow A 同步会读取可能更新过的 frontmatter，并自动把新值同步到 Issue。
 - **追加**到 `## Activity Log`（不要覆盖之前的记录）：
   ```
   - {YYYY-MM-DD HH:mm:ss±HH:MM} — **Requirement Analysis (Round {N})** by {agent} — Analysis completed → {analysis-artifact}
@@ -126,6 +154,7 @@ date "+%Y-%m-%d %H:%M:%S%:z"
 - 按 issue-sync.md 设置 `status: pending-design-work`
 - 创建或更新 `.agents/rules/issue-sync.md` 中定义的 task 评论标记（按 issue-sync.md 的 task.md 评论同步规则）
 - 发布 `{analysis-artifact}` 评论
+- 读取 `.agents/rules/issue-fields.md`，按流程 A 把 `task.md` 中所有非空的 Issue 字段（`priority`/`effort`/`start_date`/`target_date`）同步到 Issue（幂等；`has_push=false` 或取数/写入失败时跳过，不阻断）
 
 ### 7. 完成校验
 

package/templates/.agents/skills/analyze-task/config/verify.en.json

@@ -0,0 +1,51 @@
+{
+  "skill": "analyze-task",
+  "checks": {
+    "task-meta": {
+      "required_fields": [
+        "id",
+        "type",
+        "workflow",
+        "status",
+        "created_at",
+        "updated_at",
+        "agent_infra_version",
+        "current_step",
+        "assigned_to"
+      ],
+      "expected_step": "requirement-analysis"
+    },
+    "artifact": {
+      "file_pattern": "analysis.md|analysis-r{N}.md",
+      "required_sections": [
+        "Requirement Source",
+        "Requirement Understanding",
+        "Related Files",
+        "Impact Assessment",
+        "Technical Risks",
+        "Effort and Complexity Assessment",
+        "State Check"
+      ],
+      "freshness_minutes": 30,
+      "required_patterns": [
+        "^\\$ "
+      ]
+    },
+    "activity-log": {
+      "expected_action_pattern": "Requirement Analysis \\(Round \\d+\\)",
+      "freshness_minutes": 30
+    },
+    "platform-sync": {
+      "when": "issue_number_exists",
+      "expected_status_label": "status: pending-design-work",
+      "expected_comment_marker": "<!-- sync-issue:{task-id}:{artifact-stem} -->",
+      "verify_comment_content": true,
+      "verify_task_comment_content": true,
+      "verify_issue_type": true,
+      "verify_issue_fields": false,
+      "verify_milestone": true,
+      "expected_status_label_key": "pendingDesignWork",
+      "expected_comment_marker_key": "artifact"
+    }
+  }
+}

package/templates/.agents/skills/analyze-task/config/{verify.json → verify.zh-CN.json}

@@ -23,9 +23,13 @@
         "相关文件",
         "影响评估",
         "技术风险",
-        "工作量和复杂度评估"
+        "工作量和复杂度评估",
+        "状态核对"
       ],
-      "freshness_minutes": 30
+      "freshness_minutes": 30,
+      "required_patterns": [
+        "^\\$ "
+      ]
     },
     "activity-log": {
       "expected_action_pattern": "Requirement Analysis \\(Round \\d+\\)",

package/templates/.agents/skills/complete-task/SKILL.en.md

@@ -12,6 +12,20 @@ description: "Mark a task as completed and archive it"
 
 Version stamp rule: when creating or updating `task.md` frontmatter, read `.agents/rules/version-stamp.md` first and write or refresh `agent_infra_version`.
 
+## Step 0: State Check (pre-execution hard gate)
+
+After loading workflow / skill / rules instructions, and before any task-state judgment or user-visible conclusion, run the state check first. Reading instruction files does not count as an external-state action or conclusion.
+
+Run these commands and paste the raw output into both the user-facing reply and this round's `## State Check` section:
+
+```bash
+git status -s
+ls -la .agents/workspace/active/{task-id}/
+tail .agents/workspace/active/{task-id}/task.md
+```
+
+Before the state check is complete, do not make external-state assertions such as "the code is unchanged", "tests passed", or "there are no other references", including in reasoning. This gate is only a structural floor; evidence pairing and authenticity still require the report template and review discipline.
+
 ## Steps
 
 ### 1. Verify Task Exists
@@ -64,6 +78,7 @@ Update `.agents/workspace/active/{task-id}/task.md`:
 - `completed_at`: {current timestamp}
 - `updated_at`: {current timestamp}
 - `agent_infra_version`: value from `.agents/rules/version-stamp.md`
+- Add or update the `## State Check` section with the raw Step 0 audit command output, including `$ ` prompt lines, before `## Activity Log`
 - Mark all workflow steps as complete
 - Verify and check off all items in `## Completion Checklist` (change `- [ ]` to `- [x]`)
 - **Append** to `## Activity Log` (do NOT overwrite previous entries):
@@ -98,6 +113,7 @@ If a valid `issue_number` exists:
 - Backfill checked `## Requirements` items to the Issue body by following the requirements-checkbox sync steps in issue-sync.md
 - Do not set any `status:` label — status labels are automatically cleared when the Issue is closed
 - Finally create or update the summary comment marked with the summary marker defined in `.agents/rules/issue-sync.md`
+- Read `.agents/rules/issue-fields.md` and follow Flow A to sync every non-empty Issue field (`priority`/`effort`/`start_date`/`target_date`) from `task.md` to the Issue (idempotent; skip without blocking when `has_push=false` or the fetch/write fails)
 
 ### 7. Verification Gate
 

package/templates/.agents/skills/complete-task/SKILL.zh-CN.md

@@ -12,6 +12,20 @@ description: "标记任务完成并归档"
 
 版本戳规则：创建或更新 `task.md` frontmatter 时，先读取 `.agents/rules/version-stamp.md`，并写入或刷新 `agent_infra_version`。
 
+## 第 0 步：状态核对（执行前硬约束）
+
+在加载 workflow / skill / rules 指令之后、做任何任务状态判断或用户可见结论之前，必须先执行状态核对。指令类文件读取不算对外动作或结论。
+
+运行以下命令，并把原文粘贴到回复正文和本轮产物的 `## 状态核对` 段：
+
+```bash
+git status -s
+ls -la .agents/workspace/active/{task-id}/
+tail .agents/workspace/active/{task-id}/task.md
+```
+
+状态核对完成前，禁止任何关于外部状态的断言（例如“代码没变”“测试已通过”“没有其他引用”），包括思考阶段。本门禁只提供结构下限；逐条证据配对和真实性仍需按报告模板与审查要求核对。
+
 ## 执行步骤
 
 ### 1. 验证任务存在
@@ -64,6 +78,7 @@ date "+%Y-%m-%d %H:%M:%S%:z"
 - `completed_at`：{当前时间戳}
 - `updated_at`：{当前时间戳}
 - `agent_infra_version`：按 `.agents/rules/version-stamp.md` 取值
+- 新增或更新 `## 状态核对` 段，粘贴第 0 步审计命令原文（含 `$ ` 前缀行），放在 `## 活动日志` 之前
 - 标记所有工作流步骤为已完成
 - 逐项验证并勾选 `## 完成检查清单` 中的所有条目（将 `- [ ]` 改为 `- [x]`）
 - **追加**到 `## Activity Log`（不要覆盖之前的记录）：
@@ -98,6 +113,7 @@ ls .agents/workspace/completed/{task-id}/task.md
 - 按 issue-sync.md 的需求复选框同步步骤，兜底同步 `## 需求` 中已勾选的条目到 Issue body
 - 不要设置 `status:` label — Issue 关闭后 status label 会被自动清除
 - 最后创建或更新 `.agents/rules/issue-sync.md` 中定义的 summary 评论标记对应的 summary 评论
+- 读取 `.agents/rules/issue-fields.md`，按流程 A 把 `task.md` 中所有非空的 Issue 字段（`priority`/`effort`/`start_date`/`target_date`）同步到 Issue（幂等；`has_push=false` 或取数/写入失败时跳过，不阻断）
 
 ### 7. 完成校验
 

package/templates/.agents/skills/complete-task/config/{verify.json → verify.en.json}

@@ -33,6 +33,16 @@
       "verify_issue_fields": false,
       "verify_milestone": true,
       "expected_comment_marker_key": "summary"
+    },
+    "artifact": {
+      "file_pattern": "task.md",
+      "required_sections": [
+        "State Check"
+      ],
+      "required_patterns": [
+        "^\\$ "
+      ],
+      "freshness_minutes": 30
     }
   }
 }