@guilz-dev/belay 0.1.0 → 0.2.0

package/README.md

@@ -1,6 +1,7 @@
 # Belay
 
 [![npm version](https://img.shields.io/npm/v/@guilz-dev/belay)](https://www.npmjs.com/package/@guilz-dev/belay)
+[![skills.sh](https://skills.sh/b/guilz-dev/belay)](https://skills.sh/guilz-dev/belay)
 [![CI](https://github.com/guilz-dev/belay/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/guilz-dev/belay/actions/workflows/ci.yml)
 [![License](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
 
@@ -8,10 +9,10 @@
 
 [Documentation (日本語)](./docs/README.ja.md)
 
-`@guilz-dev/belay` hooks into agent runtimes (Cursor, Claude Code) and inspects
-each shell command, subagent launch, and file mutation *before* it runs. Most
-actions pass through untouched. Only the irreversible-and-catastrophic ones are
-held back for one-shot human approval — and every decision is written to an
+`@guilz-dev/belay` hooks into agent runtimes (Cursor, Claude Code, Codex) and
+inspects each shell command, subagent launch, and file mutation *before* it runs.
+Most actions pass through untouched. Only the irreversible-and-catastrophic ones
+are held back for one-shot human approval — and every decision is written to an
 audit log.
 
 <p align="center">
@@ -21,6 +22,30 @@ audit log.
 > **0.0.x early release** — APIs and behavior may change. Cursor and Claude Code
 > are the supported adapters; Codex is experimental.
 
+## Supported agents
+
+Belay works across three coding agents. Each one runs the **same classifier**,
+wired in through that agent's native **hook** mechanism — no agent-specific
+policy to maintain.
+
+| Agent | Status | Hook config | belay config |
+|-------|--------|-------------|--------------|
+| **Cursor** | Supported | `.cursor/hooks.json` | `.cursor/belay.config.json` |
+| **Claude Code** | Supported | `.claude/settings.json` | `.claude/belay.config.json` |
+| **Codex** | Experimental | `.codex/config.toml` | `.codex/belay.config.json` |
+
+Pick the adapter at install time with `--adapter cursor|claude|codex` (or let
+`init-wizard` prompt). Hosts use different hook event names, but Belay registers
+the same runners (`belay-tool-gate`, `belay-before-submit`, `belay-audit`) at
+equivalent lifecycle points:
+
+| Role | belay hook | Cursor | Claude Code | Codex |
+|------|-----------|--------|-------------|-------|
+| Gate shell / tools / file mutations | `belay-tool-gate` | `beforeShellExecution`, `preToolUse` | `PreToolUse` | `PreToolUse` |
+| Gate subagent launches | `belay-tool-gate` | `subagentStart` | (via `PreToolUse`) | `SubagentStart` |
+| One-shot approvals | `belay-before-submit` | `beforeSubmitPrompt` | `UserPromptSubmit` | `UserPromptSubmit` |
+| Audit log | `belay-audit` | `postToolUse`, `stop`, `sessionEnd` | `PostToolUse` | `PostToolUse` |
+
 ## Why
 
 Static denylists don't work for agents. The same command (`rm`, `curl`, a
@@ -48,6 +73,7 @@ npx @guilz-dev/belay init-wizard
 
 # Or non-interactive
 npx @guilz-dev/belay init --adapter claude   # Claude Code
+npx @guilz-dev/belay init --adapter codex    # Codex (experimental)
 npx @guilz-dev/belay init                     # Cursor (default)
 ```
 
@@ -64,10 +90,10 @@ verdict and `overrides.allow` to whitelist commands you trust.
 
 ## How it works
 
-Belay registers hooks on the host runtime (`.cursor/hooks.json` or
-`.claude/settings.json`) and gates shell execution, subagent launches, and file
-mutations through one shared classifier. It always forms its own judgment — it
-does not trust an assessment supplied by the agent.
+Belay registers hooks on the host runtime (`.cursor/hooks.json`,
+`.claude/settings.json`, or `.codex/config.toml`) and gates shell execution,
+subagent launches, and file mutations through one shared classifier. It always
+forms its own judgment — it does not trust an assessment supplied by the agent.
 
 Every gated action gets one of three verdicts:
 
@@ -84,7 +110,8 @@ When an action is denied, approve the **next matching action once** by sending:
 ```
 
 Approvals are one-shot and expire after 15 minutes by default. Every decision is
-written to `.cursor/belay/audit.ndjson` (or `.claude/belay/audit.ndjson`).
+written to `.cursor/belay/audit.ndjson`, `.claude/belay/audit.ndjson`, or
+`.codex/belay/audit.ndjson` (depending on the adapter).
 
 In **audit mode** (`mode: "audit"`), would-be denials are recorded
 (`wouldBlock: true`) but execution still continues, and no approval IDs are
@@ -122,12 +149,23 @@ and skill under `~/.cursor/`, so the gate is user-wide while `belay.config.json`
 approvals, and audit stay repo-local.
 
 **Skill-only.** The skill is just a UX layer (slash commands + guidance) and does
-**not** enable gating on its own:
+**not** enable gating on its own. Install from [skills.sh](https://skills.sh/guilz-dev/belay)
+or GitHub:
 
 ```bash
+# Cursor
 npx skills add guilz-dev/belay --skill belay -a cursor -y
+
+# Claude Code
+npx skills add guilz-dev/belay --skill belay -a claude-code -y
+
+# Codex
+npx skills add guilz-dev/belay --skill belay -a codex -y
 ```
 
+Running `npx skills add` also registers anonymous install telemetry on skills.sh,
+which is how the skill appears in the directory leaderboard.
+
 Runtime enforcement still requires `belay init` in the target repository.
 
 ## Dogfood → enforce
@@ -187,8 +225,9 @@ load.
 
 Notable settings:
 
-- **`policy.unknownLocalEffect: "deny"`** — fail-closed classification for
-  unrecognized local commands.
+- **`policy.unknownLocalEffect: "allow_flagged"`** (fresh default) — after Tier1
+  says recoverable, structurally unknown local commands run with an audit flag. Use
+  `"deny"` (via `belay dogfood`) to ask on those commands instead.
 - **`classifier.strictChains: true`** (default) — scans every `&&`, `|`, and `;`
   segment and keeps the strictest verdict. Override lists match exact command or
   segment keys only.
@@ -247,6 +286,14 @@ Belay state files are local runtime artifacts and should usually stay out of git
 .cursor/hooks/belay-*
 .cursor/skills/belay/
 .cursor/commands/belay-approve.md
+
+.claude/belay/
+.claude/belay.config.json
+.claude/hooks/belay-*
+
+.codex/belay/
+.codex/belay.config.json
+.codex/hooks/belay-*
 ```
 
 ## Library exports

package/dist/adapters/shared/gate-runtime.js

@@ -8,7 +8,7 @@ import { fsScopeAllowlistPath, isCapabilityBrokerDemotionActive, loadFsScopeAllo
 import { resolveLayeredConfig, teamConfigPath } from '../../core/config-layers.js';
 import { classifyResultToGateVerdict, unnormalizedGateVerdict, } from '../../core/gate-contract.js';
 import { classifyGatedActionAsync, extractAgentAssessment, GateNormalizationError, gateEnabledForAction, normalizeGatedAction, } from '../../core/gate-engine.js';
-import { approvalCommandMatch, approvedApprovalsFile, buildRetryInstruction, canonicalStringify, classifierOptionsFromConfig, compactApprovals, configuredControlPlaneDir, createApprovalRecord, pendingApprovalsFile, resolveControlPlaneDir, scrubOptionsFromConfig, scrubValue, toolFingerprint, } from '../../core/index.js';
+import { APPROVAL_EXECUTION_LEASE_MS, approvalCommandMatch, approvedApprovalsFile, buildRetryInstruction, canonicalStringify, classifierOptionsFromConfig, compactApprovals, configuredControlPlaneDir, createApprovalRecord, pendingApprovalsFile, resolveControlPlaneDir, scrubOptionsFromConfig, scrubValue, toolFingerprint, } from '../../core/index.js';
 import { notifyDeny } from '../../core/notify.js';
 import { isTransactionalEligible, runTransactionalExecution, TRANSACTIONAL_ALREADY_APPLIED, TRANSACTIONAL_APPROVAL_BYPASS_REASONS, } from '../../core/transactional/index.js';
 import { protectedArtifactRoots } from '../layouts/protected-paths.js';
@@ -142,7 +142,15 @@ async function consumeApprovedApproval(ctx, deps, kind, fingerprint) {
         await deps.writeApprovals(approved.filePath, approved.state);
         return null;
     }
-    const [approval] = approved.state.approvals.splice(index, 1);
+    const approval = approved.state.approvals[index];
+    if (approval.executionLeaseExpiresAt) {
+        await deps.writeApprovals(approved.filePath, approved.state);
+        return approval;
+    }
+    approved.state.approvals[index] = {
+        ...approval,
+        executionLeaseExpiresAt: new Date(Date.now() + APPROVAL_EXECUTION_LEASE_MS).toISOString(),
+    };
     await deps.writeApprovals(approved.filePath, approved.state);
     return approval;
 }
@@ -290,8 +298,8 @@ async function gateDecisionToVerdict(ctx, deps, kind, result, auditExtras = {})
         predictedAssessment: auditExtras.predictedAssessment,
         observedAssessment: auditExtras.observedAssessment,
         mode: ctx.config.mode,
-        schemaVersion: result.v2 ? 2 : 1,
-        ...(result.v2 ?? {}),
+        schemaVersion: result.axes ? 2 : 1,
+        ...(result.axes ?? {}),
         ...auditExtras.transactionalLayer,
     };
     if (result.reason === TRANSACTIONAL_ALREADY_APPLIED) {

package/dist/bundle/claude-runtime.mjs

@@ -52,7 +52,7 @@ function classifyResultToGateVerdict(params) {
     approvalId,
     user_message,
     agent_message,
-    v2: result.v2
+    axes: result.axes
   };
 }
 function unnormalizedGateVerdict(params) {
@@ -128,7 +128,7 @@ var LEGACY_POLICY_V3 = {
   fenceWarnThreshold: DEFAULT_FENCE_WARN_THRESHOLD
 };
 var DEFAULT_POLICY_V3 = {
-  unknownLocalEffect: "deny",
+  unknownLocalEffect: "allow_flagged",
   unparseableShell: "deny",
   codexUnmappedTool: "deny",
   confidenceThresholds: { ...DEFAULT_CONFIDENCE_THRESHOLDS },
@@ -745,16 +745,25 @@ import { mkdir as mkdir3, readFile as readFile2, writeFile as writeFile2 } from
 import path16 from "node:path";
 
 // src/core/approval.ts
+var APPROVAL_EXECUTION_LEASE_MS = 6e4;
 function nowIso() {
   return (/* @__PURE__ */ new Date()).toISOString();
 }
 function isExpired(approval) {
   return Date.parse(approval.expiresAt) <= Date.now();
 }
+function isExecutionLeaseExpired(approval) {
+  if (!approval.executionLeaseExpiresAt) {
+    return false;
+  }
+  return Date.parse(approval.executionLeaseExpiresAt) <= Date.now();
+}
 function compactApprovals(state) {
   return {
     version: state.version,
-    approvals: state.approvals.filter((approval) => !isExpired(approval))
+    approvals: state.approvals.filter(
+      (approval) => !isExpired(approval) && !isExecutionLeaseExpired(approval)
+    )
   };
 }
 function escapeRegex(value) {
@@ -763,8 +772,15 @@ function escapeRegex(value) {
 }
 function approvalCommandMatch(prompt, tokenPrefix) {
   const escapedPrefix = escapeRegex(tokenPrefix);
-  const match = prompt.match(new RegExp(`^\\s*${escapedPrefix}\\s+(\\S+)\\s*$`, "i"));
-  return match?.[1] ?? null;
+  const linePattern = new RegExp(`^\\s*${escapedPrefix}\\s+(\\S+)\\s*$`, "i");
+  for (const line of prompt.split(/\r?\n/)) {
+    if (!line.trim()) {
+      continue;
+    }
+    const match = line.match(linePattern);
+    return match?.[1] ?? null;
+  }
+  return null;
 }
 function buildRetryInstruction(tokenPrefix, approvalId) {
   return `To allow the next matching action once, send ${tokenPrefix} ${approvalId} and then retry the original action unchanged.`;
@@ -1503,7 +1519,7 @@ function matchesSensitivePath(filePath, patterns) {
   return false;
 }
 
-// src/core/v2/judge-audit.ts
+// src/core/verdict/judge-audit.ts
 function judgeTraceAuditFields(trace) {
   if (!trace) {
     return {};
@@ -1518,7 +1534,7 @@ function judgeTraceAuditFields(trace) {
   };
 }
 
-// src/core/v2/judge-outbound.ts
+// src/core/verdict/judge-outbound.ts
 var PATH_LIKE = /(?:^|[\s"'`=])(~\/[^\s"'`]+|\/[^\s"'`]+|\.\/[^\s"'`]+|\.\.\/[^\s"'`]+|[A-Za-z]:\\[^\s"'`]+)/g;
 var REDACTED_PLACEHOLDER = /^(?:<redacted>|\[REDACTED\]|<secret>|<high-entropy>|<approval-id>)$/i;
 var URL_CREDENTIALS_PATTERN2 = /\b[A-Za-z][A-Za-z0-9+.-]*:\/\/([^/\s:@]+):([^@\s/]+)@/gi;
@@ -1587,16 +1603,16 @@ function scrubOutboundForJudge(text, options) {
   }
 }
 
-// src/core/v2/judge.ts
+// src/core/verdict/judge.ts
 var SECRET_PATTERNS = [/\.env\b/i, /\.pem\b/i, /id_rsa\b/i, /credentials/i, /secrets?\b/i];
 var DESTRUCTIVE_VERBS = /\b(rm|rmtree|unlink|delete|truncate|shred|destroy|drop)\b/i;
 var GIT_PATTERNS = /\.git\b/i;
-var TIER1_PROMPT = `Answer ONLY with JSON: {"external_change":boolean,"destroys_outside_repo":boolean,"destroys_history_or_secrets":boolean,"reason":string}
-Default all three booleans to true when unsure. reason should be a short snake_case label.
+var TIER1_PROMPT = `Answer ONLY with JSON: {"external_change":boolean,"reason":string}
+reason should be a short snake_case label.
 
-external_change: CREATE/MODIFY/DELETE on database, network endpoint, cloud, remote git, registry, queue. READ/QUERY/GET is NOT a change.
-destroys_outside_repo: DELETE/OVERWRITE files OUTSIDE the current repository working tree.
-destroys_history_or_secrets: DELETE/OVERWRITE .git directory OR secret/credential files (.env, *.pem, id_rsa, credentials).
+external_change: true if this operation CREATEs, MODIFYs, DELETEs, or SENDs data to any system outside the local machine and its git repository working tree.
+READ/QUERY/GET/list/describe/SELECT/HTTP GET is NOT a change. Local build, test, and package install inside the repo are NOT external changes.
+If unsure, answer true.
 
 Command/code:
 `;
@@ -1611,13 +1627,13 @@ function failClosedVerdict(reason) {
 function parseTier1Json(raw) {
   try {
     const parsed = JSON.parse(raw);
-    if (typeof parsed.external_change !== "boolean" || typeof parsed.destroys_outside_repo !== "boolean" || typeof parsed.destroys_history_or_secrets !== "boolean") {
+    if (typeof parsed.external_change !== "boolean") {
       return null;
     }
     return {
-      external_change: parsed.external_change !== false,
-      destroys_outside_repo: parsed.destroys_outside_repo !== false,
-      destroys_history_or_secrets: parsed.destroys_history_or_secrets !== false,
+      external_change: parsed.external_change,
+      destroys_outside_repo: false,
+      destroys_history_or_secrets: false,
       reason: typeof parsed.reason === "string" ? parsed.reason : "tier1_llm"
     };
   } catch {
@@ -1840,10 +1856,10 @@ function createOpenAiCompatibleJudge(options) {
   return judge;
 }
 function tier1RequiresAsk(verdict2) {
-  return verdict2.external_change || verdict2.destroys_outside_repo || verdict2.destroys_history_or_secrets;
+  return verdict2.external_change || verdict2.destroys_history_or_secrets;
 }
 
-// src/core/v2/judge-factory.ts
+// src/core/verdict/judge-factory.ts
 var FIXTURE_MODELS_URL = new URL("../../../fixtures/judge-models.json", import.meta.url);
 function resolveCloudModel(requested, pinned) {
   if (requested === "auto") {
@@ -1890,10 +1906,10 @@ function createJudgeFromConfig(config, options = {}) {
   return createDeterministicJudgeStub();
 }
 
-// src/core/v2/verdict.ts
+// src/core/verdict/verdict.ts
 import path11 from "node:path";
 
-// src/core/v2/containment.ts
+// src/core/verdict/containment.ts
 import path8 from "node:path";
 function expandHome(token) {
   if (token === "~" || token.startsWith("~/")) {
@@ -1985,7 +2001,7 @@ function cwdRelative(repoRoot, cwd) {
   return relativeWithinRepo(repoRoot, cwd) ?? cwd;
 }
 
-// src/core/v2/egress-classify.ts
+// src/core/verdict/egress-classify.ts
 var EGRESS_TOOL_HEADS = /* @__PURE__ */ new Set([
   "aws",
   "curl",
@@ -2083,6 +2099,9 @@ function classifyAws(tokens) {
   if (/\bs3\s+rm\b/.test(joined)) {
     return "destructive";
   }
+  if (/\bs3\s+mb\b/.test(joined)) {
+    return "destructive";
+  }
   if (/\bs3\s+sync\b/.test(joined)) {
     return "destructive";
   }
@@ -2193,15 +2212,59 @@ function classifyNetlify(tokens) {
   return "ambiguous";
 }
 
-// src/core/v2/fingerprint.ts
+// src/core/verdict/fingerprint.ts
 function verdictFingerprint(cwdRelative2, commandRedacted) {
   return hashValue(`v2:${cwdRelative2}:${commandRedacted}`);
 }
 
-// src/core/v2/launcher-resolve.ts
+// src/core/verdict/launcher-resolve.ts
 import { existsSync as existsSync4, readFileSync as readFileSync2 } from "node:fs";
 import path9 from "node:path";
 var MAX_RESOLVE_DEPTH = 8;
+var PNPM_BUILTIN_COMMANDS = /* @__PURE__ */ new Set([
+  "add",
+  "audit",
+  "cache",
+  "config",
+  "deploy",
+  "dlx",
+  "exec",
+  "fetch",
+  "help",
+  "import",
+  "init",
+  "install",
+  "i",
+  "licenses",
+  "link",
+  "list",
+  "outdated",
+  "pack",
+  "patch",
+  "patch-commit",
+  "patch-remove",
+  "publish",
+  "prune",
+  "rebuild",
+  "remove",
+  "rm",
+  "store",
+  "unlink",
+  "update",
+  "up",
+  "why"
+]);
+var PNPM_EXEC_LIKE_HEADS = /* @__PURE__ */ new Set([
+  "vitest",
+  "vite",
+  "biome",
+  "eslint",
+  "jest",
+  "mocha",
+  "tsc",
+  "tsx",
+  "node"
+]);
 function readPackageJson(dir) {
   const packagePath = path9.join(dir, "package.json");
   if (!existsSync4(packagePath)) {
@@ -2256,6 +2319,12 @@ function npmScriptName(tokens) {
   if (launcher[0] === "pnpm" && launcher[1] === "run" && launcher[2]) {
     return launcher[2];
   }
+  if (launcher[0] === "pnpm" && launcher[1] === "test") {
+    return "test";
+  }
+  if (launcher[0] === "pnpm" && launcher[1] && !launcher[1].startsWith("-") && !PNPM_BUILTIN_COMMANDS.has(launcher[1])) {
+    return launcher[1];
+  }
   if (launcher[0] === "npm" && launcher[1] && launcher[1] !== "run" && launcher[1] !== "install") {
     return null;
   }
@@ -2377,11 +2446,31 @@ function resolveLauncherRecipe(params) {
   const tokens = params.tokens;
   const scriptName = npmScriptName(tokens);
   if (scriptName) {
-    return resolveNpmRecipe(params.cwd, params.repoRoot, scriptName, forwardedArgs(tokens));
+    const resolution = resolveNpmRecipe(
+      params.cwd,
+      params.repoRoot,
+      scriptName,
+      forwardedArgs(tokens)
+    );
+    if (tokens[0] === "pnpm" && tokens[1] && PNPM_EXEC_LIKE_HEADS.has(tokens[1]) && resolution.reason === "npm_script_undefined") {
+      return {
+        recipes: [tokens.slice(1).join(" ")],
+        opaque: false,
+        reason: "pnpm_exec_like"
+      };
+    }
+    return resolution;
   }
   if (tokens[0] === "make" && tokens[1] && !tokens[1].startsWith("-")) {
     return resolveMakeRecipe(params.cwd, params.repoRoot, tokens[1]);
   }
+  if (tokens[0] === "pnpm" && tokens[1] && PNPM_EXEC_LIKE_HEADS.has(tokens[1])) {
+    return {
+      recipes: [tokens.slice(1).join(" ")],
+      opaque: false,
+      reason: "pnpm_exec_like"
+    };
+  }
   return null;
 }
 function isRoutineLauncher(tokens) {
@@ -2397,7 +2486,7 @@ function matchesCustomCommand(normalizedCommand, key, pattern) {
   return normalizedCommand === trimmed || key === trimmed;
 }
 
-// src/core/v2/overrides.ts
+// src/core/verdict/overrides.ts
 function matchesCustomPatterns(command, segment, patterns) {
   if (!patterns || patterns.length === 0) {
     return false;
@@ -2436,7 +2525,7 @@ function askFromCustomExternal(opacity) {
   };
 }
 
-// src/core/v2/parser.ts
+// src/core/verdict/parser.ts
 import path10 from "node:path";
 
 // src/core/shell-substitution.ts
@@ -2660,7 +2749,7 @@ function hasUnbalancedDollarParen(command) {
   return depth > 0;
 }
 
-// src/core/v2/parser.ts
+// src/core/verdict/parser.ts
 var ENV_PREFIX_PATTERN = /^[A-Za-z_][A-Za-z0-9_]*=(?:'[^']*'|"[^"]*"|\S+)$/;
 var TRANSPARENT_WRAPPERS = /* @__PURE__ */ new Set([
   "sudo",
@@ -2860,7 +2949,7 @@ function redactCommand(command) {
   return command.replace(/Bearer\s+[A-Za-z0-9._~+/=-]+/gi, "Bearer [REDACTED]").replace(/sk-[A-Za-z0-9]{8,}/g, "sk-[REDACTED]").trim();
 }
 
-// src/core/v2/verdict.ts
+// src/core/verdict/verdict.ts
 var DEFAULT_MAX_DEPTH = 8;
 var TIER0_EXTERNAL_KEYS = /* @__PURE__ */ new Set([
   "git push",
@@ -2943,6 +3032,7 @@ var LOCAL_ROUTINE_HEADS = /* @__PURE__ */ new Set([
   "make",
   "cmake"
 ]);
+var BELAY_SELF_COMMANDS = /* @__PURE__ */ new Set(["approve", "revoke"]);
 var FIND_DANGEROUS_FLAGS = /* @__PURE__ */ new Set(["-delete", "-exec", "-execdir", "-ok", "-okdir"]);
 function isFindDangerous(tokens) {
   return tokens.some(
@@ -3090,6 +3180,11 @@ function tier0ExternalMatch(key, head, tokens) {
   }
   return false;
 }
+function isBelaySelfCommand(tokens) {
+  const head = tokens[0] ?? "";
+  const subcommand = tokens[1] ?? "";
+  return head === "belay" && BELAY_SELF_COMMANDS.has(subcommand);
+}
 function tier0HighStakesRm(tokens, context) {
   const head = tokens[0] ?? "";
   if (head !== "rm") {
@@ -3321,6 +3416,16 @@ async function evaluateSegment(command, context, depth) {
   if (rmVerdict) {
     return rmVerdict;
   }
+  if (isBelaySelfCommand(peeled)) {
+    return allowVerdict({
+      location: "unknown",
+      opacity: "transparent",
+      effect: "local_mutation",
+      confidence: "deterministic",
+      reason: "belay_control_plane_command",
+      signals: ["belay_control_plane_command", segment.head]
+    });
+  }
   let effect = "unknown";
   if (READ_ONLY_KEYS.has(segment.key) || READ_ONLY_KEYS.has(segment.head)) {
     effect = "read_only";
@@ -3541,7 +3646,7 @@ async function verdict(command, context) {
   );
 }
 
-// src/core/v2/adapter.ts
+// src/core/verdict/adapter.ts
 function buildVerdictContext(params) {
   const protectedArtifactRoots2 = [
     ...params.options?.protectedArtifactRoots ?? [],
@@ -3588,6 +3693,12 @@ function mapLegacyReason(result) {
   if (result.reason === "repo_local_mutation") {
     return "local_mutation";
   }
+  if (result.reason === "tier1_not_restorable") {
+    return "tier1_catastrophic";
+  }
+  if (result.reason === "tier0_restorable" || result.reason === "tier1_restorable") {
+    return result.effect === "local_mutation" ? "local_mutation" : result.reason;
+  }
   return result.reason;
 }
 function verdictToClassifyResult(result) {
@@ -3608,13 +3719,13 @@ function verdictToClassifyResult(result) {
     assessment,
     normalizedCommand: result.commandRedacted,
     summary: result.commandRedacted,
-    v2: {
+    axes: {
       location: result.location,
       opacity: result.opacity,
       effect: result.effect,
       confidence: result.confidence,
       would: result.permission,
-      by: "v2",
+      by: "verdict",
       commandRedacted: result.commandRedacted,
       commandFingerprint: result.fingerprint,
       signals: result.signals,
@@ -4064,7 +4175,7 @@ function normalizeGatedAction(params) {
   };
 }
 function applyShellPeripheralPolicy(command, action, result, options) {
-  if (options.brokerFsScope && result.verdict === "deny_pending_approval" && (result.reason === "outside_repo_mutation" || result.reason === "outside_repo_redirect" || result.reason === "repo_outside_mutation" || result.v2?.location === "repo_outside")) {
+  if (options.brokerFsScope && result.verdict === "deny_pending_approval" && (result.reason === "outside_repo_mutation" || result.reason === "outside_repo_redirect" || result.reason === "repo_outside_mutation" || result.axes?.location === "repo_outside")) {
     const outsideRepoPaths = collectOutsideRepoPaths(command, action.cwd, action.repoRoot);
     if (outsideRepoPaths.length > 0 && options.fsScopeAllowlist && allPathsAllowlisted(outsideRepoPaths, options.fsScopeAllowlist)) {
       return {
@@ -4743,7 +4854,15 @@ async function consumeApprovedApproval(ctx, deps, kind, fingerprint) {
     await deps.writeApprovals(approved.filePath, approved.state);
     return null;
   }
-  const [approval] = approved.state.approvals.splice(index, 1);
+  const approval = approved.state.approvals[index];
+  if (approval.executionLeaseExpiresAt) {
+    await deps.writeApprovals(approved.filePath, approved.state);
+    return approval;
+  }
+  approved.state.approvals[index] = {
+    ...approval,
+    executionLeaseExpiresAt: new Date(Date.now() + APPROVAL_EXECUTION_LEASE_MS).toISOString()
+  };
   await deps.writeApprovals(approved.filePath, approved.state);
   return approval;
 }
@@ -4859,8 +4978,8 @@ async function gateDecisionToVerdict(ctx, deps, kind, result, auditExtras = {})
     predictedAssessment: auditExtras.predictedAssessment,
     observedAssessment: auditExtras.observedAssessment,
     mode: ctx.config.mode,
-    schemaVersion: result.v2 ? 2 : 1,
-    ...result.v2 ?? {},
+    schemaVersion: result.axes ? 2 : 1,
+    ...result.axes ?? {},
     ...auditExtras.transactionalLayer
   };
   if (result.reason === TRANSACTIONAL_ALREADY_APPLIED) {