@gajae-code/coding-agent 0.6.4 → 0.7.0

package/src/prompts/agents/init.md

@@ -5,7 +5,7 @@ thinking-level: medium
 hide: true
 ---
 
-Generate AGENTS.md by launching multiple `explore` agents in parallel (via `task` tool) scanning different areas (core src, tests, configs/build, scripts/docs), then synthesize findings into a single file.
+Generate AGENTS.md by launching multiple canonical role agents in parallel (via `task` tool, usually `planner` or `architect`) scanning different areas (core src, tests, configs/build, scripts/docs), then synthesize findings into a single file.
 
 <structure>
 - **Project Overview**: Brief description of project purpose

package/src/prompts/system/plan-mode-active.md

@@ -82,7 +82,7 @@ The plan MUST be scannable yet detailed enough to execute.
 
 <procedure>
 ### Phase 1: Understand
-You MUST focus on the request and associated code. You SHOULD launch parallel explore agents when scope spans multiple areas.
+You MUST focus on the request and associated code. You SHOULD launch parallel canonical role agents (`planner` or `architect`) when scope spans multiple areas.
 
 ### Phase 2: Design
 You MUST draft an approach based on exploration. You MUST consider trade-offs briefly, then choose.

package/src/prompts/tools/ast-grep.md

@@ -38,5 +38,5 @@ Performs structural code search using AST matching via native ast-grep.
 <critical>
 - Avoid repo-root scans — narrow `paths` first
 - Parse issues are query failure, not evidence of absence: repair the pattern or tighten `paths` before concluding "no matches"
-- For broad/open-ended exploration across subsystems, use Task tool with explore subagent first
+- For broad/open-ended inspection across subsystems, delegate a bounded fact-finding task to an appropriate canonical role agent (`planner` or `architect`) first
 </critical>

package/src/prompts/tools/search.md

@@ -21,5 +21,5 @@ Searches files using powerful regex matching.
 - You MUST use the built-in `search` tool for any content search. NEVER shell out to `grep`, `rg`, `ripgrep`, `ag`, `ack`, `git grep`, `awk`, `sed`-for-search, or any other CLI search via Bash — even for a single match, even "just to check quickly", even piped through other commands.
 - Bash `grep`/`rg` loses `.gitignore` semantics, bypasses result limits, and wastes tokens. The `search` tool is faster, structured, and already wired into the workspace — there is no scenario where Bash search is preferable.
 - If you catch yourself typing `grep`, `rg`, or `| grep` in a Bash command, stop and re-issue the lookup through the `search` tool instead.
-- If the search is open-ended, requiring multiple rounds, you MUST use the Task tool with the explore subagent instead of chaining `search` calls yourself.
+- If the search is open-ended and requires multiple rounds across subsystems, delegate a bounded fact-finding task to an appropriate canonical role agent (`planner` for sequencing/context maps or `architect` for read-only architecture assessment) instead of chaining broad `search` calls yourself.
 </critical>

package/src/prompts/tools/task.md

@@ -28,13 +28,12 @@ Subagents have no conversation history. Every fact, file path, and direction the
 {{/if}}
 {{#if independentMode}}- `.inheritContext`: independent mode cannot inherit parent conversation. Omit it or set `"none"`; any non-`none` value is rejected before scheduling.{{/if}}
 {{#if customSchemaEnabled}}- `schema`: JTD schema for expected structured output (do not put format rules in assignments){{/if}}
-- `spawnPlan` (optional): required before any batch with more than 4 tasks, and before a reviewer agent spawns `explore`; include whyParallel, whyNotLocal, independence, expectedReceiptShape, and maxInlineTokens.
+- `spawnPlan` (optional): required before any batch with more than 4 tasks; include whyParallel, whyNotLocal, independence, expectedReceiptShape, and maxInlineTokens.
 {{#if isolationEnabled}}- `isolated`: run in isolated env; use when tasks edit overlapping files{{/if}}
 </parameters>
 
 <rules>
 - HARD runtime gate: calls with more than 4 tasks are rejected before any child launches unless `spawnPlan` is complete.
-- Reviewer->explore gate: a `reviewer` spawning `explore` is rejected before launch unless `spawnPlan` is complete, even for a single task.
 - NEVER assign tasks to run project-wide build/test/lint. Caller verifies after the batch.
 - **Subagents do not verify, lint, or format.** Every assignment MUST instruct the subagent to skip all gates and formatters. You run them once at the end across the union of changed files — avoids redundant runs and racing formatter passes.
 {{#if ircEnabled}}

package/src/research-plan/index.ts

@@ -0,0 +1 @@
+export * from "./ledger";

package/src/research-plan/ledger.ts

@@ -0,0 +1,177 @@
+export type ResearchPlanConfidence = "low" | "medium" | "high";
+
+export type ResearchEvidenceVerdict = "support" | "contradict" | "uncertain";
+
+export interface ResearchPlanItem {
+	claim: string;
+	confidence: ResearchPlanConfidence;
+	unknowns: string[];
+	evidenceNeeded: string[];
+	counterexampleQueries: string[];
+	sourceConflictPolicy: string;
+	dropCondition: string;
+	verifierChecks: string[];
+}
+
+export interface ResearchEvidenceEntry {
+	claim: string;
+	source: string;
+	confidence: ResearchPlanConfidence;
+	verdict: ResearchEvidenceVerdict;
+	notes?: string;
+}
+
+export interface ResearchLedgerVerdict {
+	claim: string;
+	finalVerdict: "accepted" | "rejected" | "uncertain";
+	survivingSources: ResearchEvidenceEntry[];
+	rejectReason?: string;
+	unresolvedUnknowns: string[];
+}
+
+export interface ResearchPlanValidationResult {
+	valid: boolean;
+	errors: string[];
+}
+
+const CONFIDENCE_VALUES = new Set<ResearchPlanConfidence>(["low", "medium", "high"]);
+const EVIDENCE_VERDICTS = new Set<ResearchEvidenceVerdict>(["support", "contradict", "uncertain"]);
+
+function isNonEmptyString(value: unknown): value is string {
+	return typeof value === "string" && value.trim().length > 0;
+}
+
+function validateStringArray(value: unknown, field: string, minLength = 1): string[] {
+	if (!Array.isArray(value)) return [`${field} must be an array`];
+	if (value.length < minLength) return [`${field} must contain at least ${minLength} item(s)`];
+	return value.flatMap((item, index) =>
+		isNonEmptyString(item) ? [] : [`${field}[${index}] must be a non-empty string`],
+	);
+}
+
+export function validateResearchPlanItem(item: Partial<ResearchPlanItem>): ResearchPlanValidationResult {
+	const errors: string[] = [];
+	if (!isNonEmptyString(item.claim)) errors.push("claim must be a non-empty string");
+	if (!item.confidence || !CONFIDENCE_VALUES.has(item.confidence)) {
+		errors.push("confidence must be one of: low, medium, high");
+	}
+	errors.push(...validateStringArray(item.unknowns, "unknowns", 0));
+	errors.push(...validateStringArray(item.evidenceNeeded, "evidenceNeeded"));
+	errors.push(...validateStringArray(item.counterexampleQueries, "counterexampleQueries"));
+	if (!isNonEmptyString(item.sourceConflictPolicy)) errors.push("sourceConflictPolicy must be a non-empty string");
+	if (!isNonEmptyString(item.dropCondition)) errors.push("dropCondition must be a non-empty string");
+	errors.push(...validateStringArray(item.verifierChecks, "verifierChecks"));
+	return { valid: errors.length === 0, errors };
+}
+
+export function validateResearchEvidenceEntry(entry: Partial<ResearchEvidenceEntry>): ResearchPlanValidationResult {
+	const errors: string[] = [];
+	if (!isNonEmptyString(entry.claim)) errors.push("claim must be a non-empty string");
+	if (!isNonEmptyString(entry.source)) errors.push("source must be a non-empty string");
+	if (!entry.confidence || !CONFIDENCE_VALUES.has(entry.confidence)) {
+		errors.push("confidence must be one of: low, medium, high");
+	}
+	if (!entry.verdict || !EVIDENCE_VERDICTS.has(entry.verdict)) {
+		errors.push("verdict must be one of: support, contradict, uncertain");
+	}
+	return { valid: errors.length === 0, errors };
+}
+
+function lower(value: string): string {
+	return value.toLowerCase();
+}
+
+function matchesDropCondition(item: ResearchPlanItem, evidence: ResearchEvidenceEntry[]): string | undefined {
+	const condition = lower(item.dropCondition);
+	const contradiction = evidence.find(entry => entry.verdict === "contradict");
+	if (contradiction && /(counterexample|contradict|conflict|falsif)/.test(condition)) {
+		return `dropCondition matched by contradictory source: ${contradiction.source}`;
+	}
+	const unresolved = evidence.find(entry => entry.verdict === "uncertain");
+	if (unresolved && /(unknown|unresolved|uncertain)/.test(condition)) {
+		return `dropCondition matched by unresolved evidence: ${unresolved.source}`;
+	}
+	return undefined;
+}
+
+function sourceConflictReason(item: ResearchPlanItem, evidence: ResearchEvidenceEntry[]): string | undefined {
+	const supporting = evidence.filter(entry => entry.verdict === "support");
+	const contradicting = evidence.filter(entry => entry.verdict === "contradict");
+	if (supporting.length === 0 || contradicting.length === 0) return undefined;
+	const policy = lower(item.sourceConflictPolicy);
+	if (/(reject|drop|do not accept|prefer contradiction|requires resolution)/.test(policy)) {
+		return `sourceConflictPolicy rejected mixed support/contradiction (${supporting.length} support, ${contradicting.length} contradict)`;
+	}
+	return "source conflict remains unresolved";
+}
+
+export function evaluateResearchLedger(
+	item: ResearchPlanItem,
+	evidence: readonly ResearchEvidenceEntry[],
+): ResearchLedgerVerdict {
+	const relevantEvidence = evidence.filter(entry => entry.claim === item.claim);
+	const invalidItem = validateResearchPlanItem(item);
+	if (!invalidItem.valid) {
+		return {
+			claim: item.claim,
+			finalVerdict: "rejected",
+			survivingSources: [],
+			rejectReason: `invalid research plan item: ${invalidItem.errors.join("; ")}`,
+			unresolvedUnknowns: item.unknowns,
+		};
+	}
+	const invalidEvidence = relevantEvidence.flatMap(entry => validateResearchEvidenceEntry(entry).errors);
+	if (invalidEvidence.length > 0) {
+		return {
+			claim: item.claim,
+			finalVerdict: "rejected",
+			survivingSources: [],
+			rejectReason: `invalid evidence entry: ${invalidEvidence.join("; ")}`,
+			unresolvedUnknowns: item.unknowns,
+		};
+	}
+	if (relevantEvidence.length === 0) {
+		return {
+			claim: item.claim,
+			finalVerdict: "uncertain",
+			survivingSources: [],
+			rejectReason: "no evidence collected for claim",
+			unresolvedUnknowns: item.unknowns,
+		};
+	}
+	const supporting = relevantEvidence.filter(entry => entry.verdict === "support");
+	const firstContradiction = relevantEvidence.find(entry => entry.verdict === "contradict");
+	let dropReason = matchesDropCondition(item, relevantEvidence) ?? sourceConflictReason(item, relevantEvidence);
+	// A counterexample with no surviving support falsifies the claim regardless of how the
+	// dropCondition / sourceConflictPolicy prose is worded. Without this, a purely contradicted
+	// claim would slip through as "uncertain" and reopen the hallucination survival path the
+	// evidence ledger exists to close (a contested claim already rejects via sourceConflictReason).
+	if (!dropReason && firstContradiction && supporting.length === 0) {
+		dropReason = `claim contradicted by counterexample with no supporting evidence: ${firstContradiction.source}`;
+	}
+	if (dropReason) {
+		return {
+			claim: item.claim,
+			finalVerdict: "rejected",
+			survivingSources: supporting,
+			rejectReason: dropReason,
+			unresolvedUnknowns: item.unknowns,
+		};
+	}
+	const uncertain = relevantEvidence.some(entry => entry.verdict === "uncertain");
+	if (uncertain || supporting.length === 0) {
+		return {
+			claim: item.claim,
+			finalVerdict: "uncertain",
+			survivingSources: supporting,
+			rejectReason: uncertain ? "unresolved uncertainty remains" : "no supporting evidence survived verification",
+			unresolvedUnknowns: item.unknowns,
+		};
+	}
+	return {
+		claim: item.claim,
+		finalVerdict: "accepted",
+		survivingSources: supporting,
+		unresolvedUnknowns: [],
+	};
+}

package/src/rlm/artifacts.ts

@@ -1,12 +1,17 @@
 /**
- * RLM session artifact layout under <cwd>/.gjc/rlm/<sessionId>/.
+ * RLM session artifact layout under <cwd>/.gjc/_session-{gjcSessionId}/rlm/<rlmSessionId>/.
+ *
+ * The GJC session id (process boundary) scopes the directory; the RLM session id
+ * names the individual research run within it. The two ids are kept distinct.
  */
 import * as fs from "node:fs/promises";
 import * as path from "node:path";
 import { readNotebookDocument } from "../edit/notebook";
+import { rlmArtifactRoot } from "../gjc-runtime/session-layout";
+import { resolveGjcSessionForWrite } from "../gjc-runtime/session-resolution";
 import type { RlmArtifactPaths } from "./types";
 
-export const RLM_DIR_SEGMENT = path.join(".gjc", "rlm");
+export const RLM_DIR_SEGMENT = "rlm";
 
 const SESSION_ID_RE = /^[A-Za-z0-9_-]+$/;
 
@@ -25,7 +30,11 @@ export function resolveRlmArtifactPaths(cwd: string, sessionId: string): RlmArti
 	if (!isValidRlmSessionId(sessionId)) {
 		throw new Error(`Invalid RLM session id: ${JSON.stringify(sessionId)}`);
 	}
-	const dir = path.join(cwd, RLM_DIR_SEGMENT, sessionId);
+	const dir = rlmArtifactRoot(
+		cwd,
+		resolveGjcSessionForWrite(cwd, { envSessionId: process.env.GJC_SESSION_ID }).gjcSessionId,
+		sessionId,
+	);
 	return {
 		dir,
 		notebookPath: path.join(dir, "notebook.ipynb"),

package/src/rlm/index.ts

@@ -11,6 +11,7 @@ import { getProjectDir } from "@gajae-code/utils";
 import { type Args, parseArgs } from "../cli/args";
 import { disposeKernelSessionsByOwner } from "../eval/py/executor";
 import type { CustomTool } from "../extensibility/custom-tools/types";
+import { resolveSessionIdFromSources, writeSessionActivityMarker } from "../gjc-runtime/session-resolution";
 import { type RlmPreset, runRootCommand } from "../main";
 import rlmReportCommandPrompt from "../prompts/system/rlm-report-command.md" with { type: "text" };
 import type { CreateAgentSessionOptions } from "../sdk";
@@ -231,10 +232,35 @@ async function writeRlmMetadata(input: {
 		successfulRuns: input.successfulRuns,
 	};
 	await Bun.write(input.paths.metadataPath, `${JSON.stringify(metadata, null, 2)}\n`);
+	// Best-effort: update the per-session activity marker so latest-session auto-detect
+	// accounts for RLM-only generated output (AC2). Never let marker failure break RLM.
+	const gjcSessionId = resolveSessionIdFromSources({ envSessionId: process.env.GJC_SESSION_ID })?.gjcSessionId;
+	if (gjcSessionId) {
+		await writeSessionActivityMarker(input.cwd, gjcSessionId, { writer: "rlm" }).catch(() => {});
+	}
 }
 
+/**
+ * RLM artifacts are scoped under a GJC session directory and resolving their
+ * paths is a *write* (it must pick a concrete session). When `gjc rlm` runs
+ * standalone — no parent agent, no `GJC_SESSION_ID` in the environment — there is
+ * no session to resolve and `resolveGjcSessionForWrite` throws
+ * `missing_for_write`. Establish a dedicated GJC session id in that case and pin
+ * it into the environment so artifact-path resolution, the per-session activity
+ * marker, and the child agent's workflow state all share one writable session.
+ *
+ * Returns the resolved (existing or freshly generated) GJC session id.
+ */
+export function ensureRlmGjcSessionId(): string {
+	const existing = resolveSessionIdFromSources({ envSessionId: process.env.GJC_SESSION_ID })?.gjcSessionId;
+	if (existing) return existing;
+	const generated = `rlm-${generateRlmSessionId()}`;
+	process.env.GJC_SESSION_ID = generated;
+	return generated;
+}
 export async function runRlmCommand(argv: string[]): Promise<void> {
 	const cwd = getProjectDir();
+	ensureRlmGjcSessionId();
 	const { dataPath, resumeSessionId, minSuccessfulRuns, rest } = extractRlmFlags(argv);
 	const dataContext = await loadRlmDataContext(cwd, dataPath);
 

package/src/runtime-mcp/config-writer.ts

@@ -149,6 +149,52 @@ export async function updateMCPServer(filePath: string, name: string, config: MC
 	await writeMCPConfigFile(filePath, updated);
 }
 
+/**
+ * Result of an {@link upsertMCPServer} call.
+ * - `added`: server did not exist and was written.
+ * - `updated`: server existed and was overwritten because `force` was set.
+ * - `skipped`: server existed and `force` was not set, so nothing was written.
+ */
+export type UpsertMCPServerResult =
+	| { status: "added" }
+	| { status: "updated" }
+	| { status: "skipped"; reason: "exists" };
+
+/**
+ * Add an MCP server, or overwrite an existing one only when `force` is set.
+ *
+ * Collision-aware wrapper over {@link addMCPServer} / {@link updateMCPServer} used by
+ * `gjc migrate`. Never connects to the server. Reuses the underlying writers so the
+ * rest of the config file (including `disabledServers`) is preserved on update.
+ *
+ * @throws Error if the server name or config is invalid (validated before any write).
+ */
+export async function upsertMCPServer(
+	filePath: string,
+	name: string,
+	config: MCPServerConfig,
+	options: { force?: boolean } = {},
+): Promise<UpsertMCPServerResult> {
+	// Validate name up front so an invalid name fails regardless of collision state.
+	const nameError = validateServerName(name);
+	if (nameError) {
+		throw new Error(nameError);
+	}
+
+	const existing = await getMCPServer(filePath, name);
+	if (existing) {
+		if (!options.force) {
+			return { status: "skipped", reason: "exists" };
+		}
+		// updateMCPServer preserves the rest of MCPConfigFile, incl. disabledServers.
+		await updateMCPServer(filePath, name, config);
+		return { status: "updated" };
+	}
+
+	await addMCPServer(filePath, name, config);
+	return { status: "added" };
+}
+
 /**
  * Remove an MCP server from a config file.
  *

package/src/sdk.ts

@@ -79,6 +79,12 @@ import type { HindsightSessionState } from "./hindsight/state";
 import { LocalProtocolHandler, type LocalProtocolOptions } from "./internal-urls";
 import { LSP_STARTUP_EVENT_CHANNEL, type LspStartupEvent } from "./lsp/startup-events";
 import { resolveMemoryBackend } from "./memory-backend";
+import { createNotificationsExtension } from "./notifications";
+import {
+	getNotificationConfig,
+	type NotificationConfig,
+	shouldRegisterNotificationsExtension,
+} from "./notifications/config";
 import asyncResultTemplate from "./prompts/tools/async-result.md" with { type: "text" };
 import { AgentRegistry, MAIN_AGENT_ID } from "./registry/agent-registry";
 import { MCPManager } from "./runtime-mcp";
@@ -1238,6 +1244,7 @@ export async function createAgentSession(options: CreateAgentSessionOptions = {}
 			getPlanModeState: () => session?.getPlanModeState(),
 			getGoalModeState: () => session?.getGoalModeState(),
 			getWorkflowGateEmitter: () => session?.getWorkflowGateEmitter(),
+			getAskAnswerSource: () => session?.getAskAnswerSource(),
 			getGoalRuntime: () => session?.goalRuntime,
 			getClientBridge: () => session?.clientBridge,
 			getCompactContext: () => session.formatCompactContext(),
@@ -1386,6 +1393,15 @@ export async function createAgentSession(options: CreateAgentSessionOptions = {}
 		if (customTools.length > 0) {
 			inlineExtensions.push(createCustomToolsExtension(customTools));
 		}
+		let notificationCfg: NotificationConfig | undefined;
+		try {
+			notificationCfg = getNotificationConfig(Settings.instance);
+		} catch {
+			notificationCfg = undefined;
+		}
+		if (shouldRegisterNotificationsExtension({ env: process.env, cfg: notificationCfg })) {
+			inlineExtensions.push(createNotificationsExtension);
+		}
 
 		// Extension/module discovery is quarantined; retain only the private
 		// runtime needed for bundled product extensions, explicitly supplied SDK

package/src/session/agent-session.ts

@@ -183,6 +183,11 @@ import type { HookCommandContext } from "../extensibility/hooks/types";
 import type { Skill, SkillWarning } from "../extensibility/skills";
 import { expandSlashCommand, type FileSlashCommand } from "../extensibility/slash-commands";
 import { buildGjcRuntimeSessionEnv, consumePendingGoalModeRequest } from "../gjc-runtime/goal-mode-request";
+import {
+	assertNonEmptyGjcSessionId,
+	modeStatePath as sessionModeStatePath,
+	sessionStateDir,
+} from "../gjc-runtime/session-layout";
 import { persistCoordinatorRuntimeStateFromEvent } from "../gjc-runtime/session-state-sidecar";
 import { writeArtifact } from "../gjc-runtime/state-writer";
 import { requestGjcWorkerIntegrationAttempt } from "../gjc-runtime/team-runtime";
@@ -233,8 +238,9 @@ import {
 	type DiscoverableTool,
 	type DiscoverableToolSearchIndex,
 } from "../tool-discovery/tool-index";
-import type { ToolSession } from "../tools";
+import type { AskAnswerSource, ToolSession } from "../tools";
 import { AskTool } from "../tools/ask";
+import { getAskAnswerSource as getAskAnswerSourceFromRegistry } from "../tools/ask-answer-registry";
 import { assertEditableFile } from "../tools/auto-generated-guard";
 import { releaseTabsForOwner } from "../tools/browser/tab-supervisor";
 import type { CheckpointState } from "../tools/checkpoint";
@@ -308,17 +314,11 @@ export type AgentSessionEvent =
 	| { type: "todo_reminder"; todos: TodoItem[]; attempt: number; maxAttempts: number }
 	| { type: "todo_auto_clear" }
 	| { type: "irc_message"; message: CustomMessage }
+	| { type: "subagent_steer_message"; message: CustomMessage }
 	| { type: "notice"; level: "info" | "warning" | "error"; message: string; source?: string }
 	| { type: "thinking_level_changed"; thinkingLevel: ThinkingLevel | undefined }
 	| { type: "goal_updated"; goal: Goal | null; state?: GoalModeState };
 
-/**
- * Safe path component pattern used to validate session-id segments before
- * joining them into `.gjc/state` paths. Mirrors the regex used by the
- * `gjc state` runtime selector resolver.
- */
-const SAFE_PATH_COMPONENT = /^[A-Za-z0-9_-][A-Za-z0-9._-]{0,63}$/;
-
 function isUnderProjectGjc(cwd: string, targetPath: string): boolean {
 	const relative = path.relative(path.join(path.resolve(cwd), ".gjc"), path.resolve(targetPath));
 	return relative === "" || (!relative.startsWith("..") && !path.isAbsolute(relative));
@@ -1370,21 +1370,17 @@ export class AgentSession {
 	getActiveSkillPhase(): string | undefined {
 		const active = this.#activeSkillState;
 		if (!active) return undefined;
-		// Path safety: refuse to read mode-state files when the skill or
-		// session-id are not safe path components. The `skill` tool
-		// interprets undefined as a non-terminal phase, so chaining is
-		// refused — there is no risk of bypassing the guard via a custom
-		// skill name with `..` or a session-id with separators.
 		if (!isCanonicalGjcWorkflowSkill(active.skill)) return undefined;
-		if (active.sessionId !== undefined && !SAFE_PATH_COMPONENT.test(active.sessionId)) {
-			return undefined;
-		}
+		const sessionId = active.sessionId ?? this.sessionManager.getSessionId();
 		try {
-			const stateDir = path.join(this.sessionManager.getCwd(), ".gjc", "state");
-			const segments = active.sessionId
-				? [stateDir, "sessions", encodeURIComponent(active.sessionId).replaceAll(".", "%2E")]
-				: [stateDir];
-			const filePath = path.join(...segments, `${active.skill}-state.json`);
+			assertNonEmptyGjcSessionId(sessionId, "AgentSession.getActiveSkillPhase");
+			// Keep the session-state-dir construction explicit here so the chain guard
+			// refuses to fall back to a legacy root `.gjc/state` read.
+			const stateDir = sessionStateDir(this.sessionManager.getCwd(), sessionId);
+			const filePath = path.join(
+				stateDir,
+				path.basename(sessionModeStatePath(this.sessionManager.getCwd(), sessionId, active.skill)),
+			);
 			const raw = fs.readFileSync(filePath, "utf-8");
 			const parsed = JSON.parse(raw) as { current_phase?: unknown };
 			return typeof parsed.current_phase === "string" ? parsed.current_phase : undefined;
@@ -3763,7 +3759,7 @@ export class AgentSession {
 	 * prompts or tool execution can run.
 	 */
 	#wrapToolForDeepInterviewMutationGuard<T extends AgentTool>(tool: T): T {
-		if (!["edit", "write", "ast_edit", "bash"].includes(tool.name)) return tool;
+		if (!["edit", "write", "ast_edit"].includes(tool.name)) return tool;
 		return new Proxy(tool, {
 			get: (target, prop) => {
 				if (prop !== "execute") return Reflect.get(target, prop, target);
@@ -4391,6 +4387,10 @@ export class AgentSession {
 		return this.#workflowGateEmitter;
 	}
 
+	getAskAnswerSource(): AskAnswerSource | undefined {
+		return getAskAnswerSourceFromRegistry(this.sessionId);
+	}
+
 	setWorkflowGateEmitter(emitter: WorkflowGateEmitter | undefined): void {
 		this.#workflowGateEmitter = emitter;
 		if (emitter) {
@@ -5459,6 +5459,16 @@ export class AgentSession {
 			return;
 		}
 
+		// No explicit delivery mode: only a live stream makes prompt() throw
+		// AgentBusyError, so queue the message as steering while streaming.
+		// Compaction is intentionally NOT diverted here: prompt() handles an
+		// in-flight compaction internally, and #queueSteer would otherwise park
+		// the message in the steering queue with no turn to consume it.
+		if (this.isStreaming) {
+			await this.#queueSteer(text, images);
+			return;
+		}
+
 		// Use prompt() with expandPromptTemplates: false to skip command handling and template expansion
 		await this.prompt(text, {
 			expandPromptTemplates: false,
@@ -5862,12 +5872,46 @@ export class AgentSession {
 		return this.#activeModelProfile;
 	}
 
+	/**
+	 * The model selector ("provider/id") that resume restores as the session
+	 * default — the latest session-log `model_change` with role="default".
+	 * Model-profile activation snapshots this before mutating the session so a
+	 * failed-activation rollback can restore the pre-activation resume default
+	 * instead of promoting a transient runtime model to the resume default.
+	 */
+	getSessionDefaultModelSelector(): string | undefined {
+		return this.sessionManager.buildSessionContext().models.default;
+	}
+
+	/**
+	 * Re-assert the session resume default ("provider/id") in the session log
+	 * WITHOUT touching the live runtime model. Appends a `model_change` with
+	 * role="default"; never writes to global settings (apply-for-this-session
+	 * semantics). Used by model-profile activation rollback to neutralize the
+	 * profile main model the failed activation already recorded as the default.
+	 */
+	recordResumeDefaultModel(selector: string): void {
+		this.sessionManager.appendModelChange(selector, "default");
+	}
+
 	/**
 	 * Set model temporarily (for this session only).
 	 * Validates API key, saves to session log but NOT to settings.
+	 *
+	 * The change is recorded in the session log as `role: "temporary"` by
+	 * default, which means it is NOT restored as the session default on resume —
+	 * transient retry/fallback/context-promotion/plan switches must not clobber
+	 * the user's explicit pick (issue #849). Model-profile activation passes
+	 * `persistAsSessionDefault: true` so the profile's main model becomes the
+	 * session default and survives resume, while still not being written to
+	 * global settings (new sessions keep the global default).
 	 * @throws Error if no API key available for the model
 	 */
-	async setModelTemporary(model: Model, thinkingLevel?: ThinkingLevel): Promise<void> {
+	async setModelTemporary(
+		model: Model,
+		thinkingLevel?: ThinkingLevel,
+		options?: { persistAsSessionDefault?: boolean },
+	): Promise<void> {
 		const previousEditMode = this.#resolveActiveEditMode();
 		const apiKey = await this.#modelRegistry.getApiKey(model, this.sessionId);
 		if (!apiKey) {
@@ -5876,7 +5920,10 @@ export class AgentSession {
 
 		this.#clearActiveRetryFallback();
 		this.#setModelWithProviderSessionReset(model);
-		this.sessionManager.appendModelChange(`${model.provider}/${model.id}`, "temporary");
+		this.sessionManager.appendModelChange(
+			`${model.provider}/${model.id}`,
+			options?.persistAsSessionDefault ? "default" : "temporary",
+		);
 		this.settings.getStorage()?.recordModelUsage(`${model.provider}/${model.id}`);
 
 		// Apply explicit thinking level if given; otherwise prefer the model's
@@ -9095,6 +9142,63 @@ export class AgentSession {
 		void this.#emitSessionEvent({ type: "irc_message", message: record });
 	}
 
+	emitSubagentSteerObservation(args: { from: string; to: string; body: string; timestamp?: number }): void {
+		const timestamp = args.timestamp ?? Date.now();
+		const observationId = crypto.randomUUID();
+		const message: CustomMessage = {
+			role: "custom",
+			customType: "subagent:steer",
+			content: `[Steer \`${args.from}\` ⇨ \`${args.to}\` (queued)]\n\n${args.body}`,
+			display: true,
+			details: { observationId, from: args.from, to: args.to, body: args.body, state: "queued" },
+			attribution: "agent",
+			timestamp,
+		};
+		void this.#emitSessionEvent({ type: "subagent_steer_message", message });
+		this.#forwardSubagentSteerRelayToMain({
+			from: args.from,
+			to: args.to,
+			body: args.body,
+			observationId,
+			timestamp,
+		});
+	}
+
+	#forwardSubagentSteerRelayToMain(args: {
+		from: string;
+		to: string;
+		body: string;
+		observationId: string;
+		timestamp: number;
+	}): void {
+		const registry = this.#agentRegistry;
+		if (!registry) return;
+		if (this.#agentId === MAIN_AGENT_ID) return;
+		const mainRef = registry.get(MAIN_AGENT_ID);
+		const mainSession = mainRef?.session;
+		if (!mainSession || mainSession === this) return;
+		const record: CustomMessage = {
+			role: "custom",
+			customType: "subagent:steer:relay",
+			content: `[Steer \`${args.from}\` ⇨ \`${args.to}\` (queued)]\n\n${args.body}`,
+			display: true,
+			details: {
+				observationId: args.observationId,
+				from: args.from,
+				to: args.to,
+				body: args.body,
+				state: "queued",
+			},
+			attribution: "agent",
+			timestamp: args.timestamp,
+		};
+		mainSession.emitSubagentSteerRelayObservation(record);
+	}
+
+	emitSubagentSteerRelayObservation(record: CustomMessage): void {
+		void this.#emitSessionEvent({ type: "subagent_steer_message", message: record });
+	}
+
 	/**
 	 * Run a single ephemeral side-channel turn against this session's current
 	 * model + system prompt + history.  No tools are used; the side request

package/src/session/auth-storage.ts

@@ -7,6 +7,9 @@ export type {
 	ApiKeyCredential,
 	AuthCredential,
 	AuthCredentialEntry,
+	AuthCredentialIfAbsentReason,
+	AuthCredentialIfAbsentResult,
+	AuthCredentialIfAbsentSnapshotResult,
 	AuthCredentialStore,
 	AuthStorageData,
 	AuthStorageOptions,