@harness-engineering/orchestrator 0.4.6 → 0.6.0

package/dist/index.mjs

@@ -1144,7 +1144,7 @@ var ClaimManager = class {
     const claimResult = await this.tracker.claimIssue(issueId, this.orchestratorId);
     if (!claimResult.ok) return claimResult;
     if (this.verifyDelayMs > 0) {
-      await new Promise((resolve6) => setTimeout(resolve6, this.verifyDelayMs));
+      await new Promise((resolve7) => setTimeout(resolve7, this.verifyDelayMs));
     }
     const statesResult = await this.tracker.fetchIssueStatesByIds([issueId]);
     if (!statesResult.ok) return statesResult;
@@ -1870,11 +1870,11 @@ var BackendsMapSchema = z2.record(z2.string(), BackendDefSchema);
 function crossFieldRoutingIssues(backends, routing) {
   const issues = [];
   const names = new Set(Object.keys(backends));
-  const checkRef = (path17, name) => {
+  const checkRef = (path22, name) => {
     if (name !== void 0 && !names.has(name)) {
       issues.push({
-        path: path17,
-        message: `routing.${path17.join(".")} references unknown backend '${name}'. Defined: [${[...names].join(", ")}].`
+        path: path22,
+        message: `routing.${path22.join(".")} references unknown backend '${name}'. Defined: [${[...names].join(", ")}].`
       });
     }
   };
@@ -2544,7 +2544,7 @@ var WorkspaceHooks = class {
     if (!command) {
       return Ok7(void 0);
     }
-    return new Promise((resolve6) => {
+    return new Promise((resolve7) => {
       const filteredEnv = {};
       for (const [k, v] of Object.entries(process.env)) {
         if (v != null && !k.includes("SECRET") && !k.includes("TOKEN") && !k.includes("PASSWORD")) {
@@ -2557,19 +2557,19 @@ var WorkspaceHooks = class {
       });
       const timeout = setTimeout(() => {
         child.kill();
-        resolve6(Err5(new Error(`Hook ${hookName} timed out after ${this.config.timeoutMs}ms`)));
+        resolve7(Err5(new Error(`Hook ${hookName} timed out after ${this.config.timeoutMs}ms`)));
       }, this.config.timeoutMs);
       child.on("exit", (code) => {
         clearTimeout(timeout);
         if (code === 0) {
-          resolve6(Ok7(void 0));
+          resolve7(Ok7(void 0));
         } else {
-          resolve6(Err5(new Error(`Hook ${hookName} failed with exit code ${code}`)));
+          resolve7(Err5(new Error(`Hook ${hookName} failed with exit code ${code}`)));
         }
       });
       child.on("error", (error) => {
         clearTimeout(timeout);
-        resolve6(Err5(error));
+        resolve7(Err5(error));
       });
     });
   }
@@ -2609,7 +2609,7 @@ var MockBackend = class {
       content: "Thinking...",
       sessionId: session.sessionId
     };
-    await new Promise((resolve6) => setTimeout(resolve6, 100));
+    await new Promise((resolve7) => setTimeout(resolve7, 100));
     yield {
       type: "thought",
       timestamp: (/* @__PURE__ */ new Date()).toISOString(),
@@ -2661,7 +2661,7 @@ var PromptRenderer = class {
 
 // src/orchestrator.ts
 import { EventEmitter } from "events";
-import * as path16 from "path";
+import * as path19 from "path";
 import { randomUUID as randomUUID5 } from "crypto";
 import { writeTaint } from "@harness-engineering/core";
 
@@ -3635,11 +3635,11 @@ function detectLegacyFields(agent) {
 }
 function buildCase1Warnings(presentLegacy, suppressLocalGroup) {
   const warnings = [];
-  for (const path17 of presentLegacy) {
-    if (CASE1_ALWAYS_SUPPRESS.has(path17)) continue;
-    if (suppressLocalGroup && CASE1_LOCAL_GROUP.has(path17)) continue;
+  for (const path22 of presentLegacy) {
+    if (CASE1_ALWAYS_SUPPRESS.has(path22)) continue;
+    if (suppressLocalGroup && CASE1_LOCAL_GROUP.has(path22)) continue;
     warnings.push(
-      `Ignoring legacy field '${path17}': 'agent.backends' is set and takes precedence. See ${MIGRATION_GUIDE}.`
+      `Ignoring legacy field '${path22}': 'agent.backends' is set and takes precedence. See ${MIGRATION_GUIDE}.`
     );
   }
   return warnings;
@@ -3667,7 +3667,7 @@ function migrateAgentConfig(agent) {
   }
   const { backends, routing } = synthesizeBackendsAndRouting(agent);
   const warnings = presentLegacy.map(
-    (path17) => `Deprecated config field '${path17}' is in use. Migrate to 'agent.backends' / 'agent.routing'. See ${MIGRATION_GUIDE}.`
+    (path22) => `Deprecated config field '${path22}' is in use. Migrate to 'agent.backends' / 'agent.routing'. See ${MIGRATION_GUIDE}.`
   );
   return {
     config: { ...agent, backends, routing },
@@ -3756,6 +3756,10 @@ var BackendRouter = class {
         const intel = this.routing.intelligence;
         return intel?.[useCase.layer] ?? this.routing.default;
       }
+      case "isolation": {
+        const iso = this.routing.isolation;
+        return iso?.[useCase.tier] ?? this.routing.default;
+      }
       case "maintenance":
       case "chat":
         return this.routing.default;
@@ -3779,8 +3783,8 @@ var BackendRouter = class {
   validateReferences() {
     const known = new Set(Object.keys(this.backends));
     const missing = [];
-    const check = (path17, name) => {
-      if (name !== void 0 && !known.has(name)) missing.push({ path: path17, name });
+    const check = (path22, name) => {
+      if (name !== void 0 && !known.has(name)) missing.push({ path: path22, name });
     };
     check("default", this.routing.default);
     check("quick-fix", this.routing["quick-fix"]);
@@ -3789,8 +3793,11 @@ var BackendRouter = class {
     check("diagnostic", this.routing.diagnostic);
     check("intelligence.sel", this.routing.intelligence?.sel);
     check("intelligence.pesl", this.routing.intelligence?.pesl);
+    check("isolation.none", this.routing.isolation?.none);
+    check("isolation.container", this.routing.isolation?.container);
+    check("isolation.remote-sandbox", this.routing.isolation?.["remote-sandbox"]);
     if (missing.length > 0) {
-      const detail = missing.map(({ path: path17, name }) => `routing.${path17} -> '${name}'`).join("; ");
+      const detail = missing.map(({ path: path22, name }) => `routing.${path22} -> '${name}'`).join("; ");
       const known_ = [...known].join(", ") || "(none)";
       throw new Error(
         `BackendRouter: routing references unknown backend(s): ${detail}. Defined backends: [${known_}].`
@@ -3807,11 +3814,11 @@ import {
   Ok as Ok10,
   Err as Err7
 } from "@harness-engineering/types";
-function resolveExitCode(code, command, resolve6) {
+function resolveExitCode(code, command, resolve7) {
   if (code === 0) {
-    resolve6(Ok10(void 0));
+    resolve7(Ok10(void 0));
   } else {
-    resolve6(
+    resolve7(
       Err7({
         category: "agent_not_found",
         message: `Claude command '${command}' not found or failed`
@@ -3819,8 +3826,8 @@ function resolveExitCode(code, command, resolve6) {
     );
   }
 }
-function resolveSpawnError(command, resolve6) {
-  resolve6(Err7({ category: "agent_not_found", message: `Claude command '${command}' not found` }));
+function resolveSpawnError(command, resolve7) {
+  resolve7(Err7({ category: "agent_not_found", message: `Claude command '${command}' not found` }));
 }
 var JUST_PAST_GRACE_MS = 5 * 6e4;
 var PRIMARY_LIMIT_RE = /You[\u2019']ve hit your limit.*resets\s+(\d{1,2}(?::\d{2})?\s*(?:am|pm))\s*\(([^)]+)\)/i;
@@ -4133,10 +4140,10 @@ var ClaudeBackend = class {
       errRl.close();
     }
     if (exitCode === null) {
-      await new Promise((resolve6) => {
+      await new Promise((resolve7) => {
         child.on("exit", (code) => {
           exitCode = code;
-          resolve6(null);
+          resolve7(null);
         });
       });
     }
@@ -4158,10 +4165,10 @@ var ClaudeBackend = class {
     return Ok10(void 0);
   }
   async healthCheck() {
-    return new Promise((resolve6) => {
+    return new Promise((resolve7) => {
       const child = spawn2(this.command, ["--version"]);
-      child.on("exit", (code) => resolveExitCode(code, this.command, resolve6));
-      child.on("error", () => resolveSpawnError(this.command, resolve6));
+      child.on("exit", (code) => resolveExitCode(code, this.command, resolve7));
+      child.on("error", () => resolveSpawnError(this.command, resolve7));
     });
   }
 };
@@ -4784,7 +4791,7 @@ var PiBackend = class {
       } else {
         resolvedModelName = this.config.model;
       }
-      const piSdk = await import("@mariozechner/pi-coding-agent");
+      const piSdk = await import("@earendil-works/pi-coding-agent");
       const model = buildLocalModel({
         model: resolvedModelName,
         endpoint: this.config.endpoint,
@@ -4939,7 +4946,7 @@ var PiBackend = class {
   }
   async healthCheck() {
     try {
-      await import("@mariozechner/pi-coding-agent");
+      await import("@earendil-works/pi-coding-agent");
       return Ok15(void 0);
     } catch (err) {
       return Err12({
@@ -4950,6 +4957,547 @@ var PiBackend = class {
   }
 };
 
+// src/agent/backends/ssh.ts
+import { spawn as spawn3 } from "child_process";
+import {
+  Ok as Ok16,
+  Err as Err13
+} from "@harness-engineering/types";
+var DEFAULT_TIMEOUT_MS2 = 9e4;
+var FORBIDDEN_HOST_CHARS = /[;&|`$()\n\r<>]/;
+var SshBackend = class {
+  name = "ssh";
+  config;
+  spawnImpl;
+  constructor(config) {
+    if (!config.host || typeof config.host !== "string") {
+      throw new Error("SshBackend: `host` is required");
+    }
+    if (FORBIDDEN_HOST_CHARS.test(config.host) || config.host.startsWith("-")) {
+      throw new Error(
+        `SshBackend: invalid host '${config.host}' (contains shell metacharacters or starts with '-')`
+      );
+    }
+    if (!config.remoteCommand || typeof config.remoteCommand !== "string") {
+      throw new Error("SshBackend: `remoteCommand` is required");
+    }
+    if (config.user !== void 0 && /[\s;&|`$]/.test(config.user)) {
+      throw new Error(`SshBackend: invalid user '${config.user}'`);
+    }
+    this.config = {
+      host: config.host,
+      remoteCommand: config.remoteCommand,
+      sshBinary: config.sshBinary ?? "ssh",
+      sshOptions: config.sshOptions ?? [],
+      timeoutMs: config.timeoutMs ?? DEFAULT_TIMEOUT_MS2,
+      ...config.user !== void 0 ? { user: config.user } : {},
+      ...config.port !== void 0 ? { port: config.port } : {},
+      ...config.identityFile !== void 0 ? { identityFile: config.identityFile } : {}
+    };
+    this.spawnImpl = config.spawnImpl ?? spawn3;
+  }
+  /**
+   * Builds the argv passed to the `ssh` binary. Exported as a method on
+   * the class so tests can assert the exact shape without spawning.
+   *
+   * Layout: `[options..., target, '--', remoteCommand]`
+   */
+  buildSshArgs() {
+    const args = [];
+    if (this.config.identityFile) {
+      args.push("-i", this.config.identityFile);
+    }
+    if (this.config.port !== void 0) {
+      args.push("-p", String(this.config.port));
+    }
+    args.push("-o", "BatchMode=yes");
+    for (const opt of this.config.sshOptions) {
+      args.push("-o", opt);
+    }
+    const target = this.config.user ? `${this.config.user}@${this.config.host}` : this.config.host;
+    args.push(target);
+    args.push("--");
+    args.push(this.config.remoteCommand);
+    return args;
+  }
+  async startSession(params) {
+    const session = {
+      sessionId: `ssh-session-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
+      workspacePath: params.workspacePath,
+      backendName: this.name,
+      startedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      ...params.systemPrompt !== void 0 && { systemPrompt: params.systemPrompt }
+    };
+    return Ok16(session);
+  }
+  async *runTurn(session, params) {
+    const child = this.spawnImpl(this.config.sshBinary, this.buildSshArgs(), {
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    const payload = JSON.stringify({
+      kind: "turn",
+      prompt: params.prompt,
+      isContinuation: params.isContinuation,
+      systemPrompt: session.systemPrompt
+    });
+    try {
+      child.stdin.write(payload + "\n");
+      child.stdin.end();
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "failed to write to ssh stdin";
+      try {
+        child.kill("SIGTERM");
+      } catch {
+      }
+      return errResult(session.sessionId, message);
+    }
+    const timeout = setTimeout(() => {
+      try {
+        child.kill("SIGTERM");
+      } catch {
+      }
+    }, this.config.timeoutMs);
+    let finalUsage = { inputTokens: 0, outputTokens: 0, totalTokens: 0 };
+    let success = true;
+    let lastError;
+    try {
+      for await (const line of readLines(child.stdout)) {
+        let event;
+        try {
+          event = parseEvent(line, session.sessionId);
+        } catch (err) {
+          const message = err instanceof Error ? err.message : "unparseable ssh event";
+          success = false;
+          lastError = message;
+          break;
+        }
+        if (!event) continue;
+        if (event.usage) finalUsage = event.usage;
+        if (event.type === "error" && typeof event.content === "string") {
+          lastError = event.content;
+          success = false;
+        }
+        yield event;
+      }
+      const exitCode = await waitForExit(child);
+      if (exitCode !== 0 && exitCode !== null) {
+        success = false;
+        lastError = lastError ?? `ssh exited with code ${exitCode}`;
+      }
+    } finally {
+      clearTimeout(timeout);
+    }
+    return {
+      success,
+      sessionId: session.sessionId,
+      usage: finalUsage,
+      ...lastError !== void 0 ? { error: lastError } : {}
+    };
+  }
+  async stopSession(_session) {
+    return Ok16(void 0);
+  }
+  async healthCheck() {
+    const args = [...this.buildSshArgs()];
+    args[args.length - 1] = "true";
+    return new Promise((resolve7) => {
+      let child;
+      try {
+        child = this.spawnImpl(this.config.sshBinary, args, {
+          stdio: ["ignore", "ignore", "pipe"]
+        });
+      } catch (err) {
+        resolve7(
+          Err13({
+            category: "agent_not_found",
+            message: err instanceof Error ? err.message : "failed to spawn ssh"
+          })
+        );
+        return;
+      }
+      let stderr = "";
+      child.stderr?.on("data", (chunk) => {
+        stderr += chunk.toString();
+      });
+      const timer = setTimeout(() => {
+        try {
+          child.kill("SIGTERM");
+        } catch {
+        }
+      }, this.config.timeoutMs);
+      child.on("close", (code) => {
+        clearTimeout(timer);
+        if (code === 0) {
+          resolve7(Ok16(void 0));
+        } else {
+          resolve7(
+            Err13({
+              category: "agent_not_found",
+              message: `ssh health check failed (exit=${code ?? "null"}): ${stderr.slice(0, 500)}`
+            })
+          );
+        }
+      });
+      child.on("error", (err) => {
+        clearTimeout(timer);
+        resolve7(Err13({ category: "agent_not_found", message: err.message }));
+      });
+    });
+  }
+};
+function errResult(sessionId, message) {
+  return {
+    success: false,
+    sessionId,
+    usage: { inputTokens: 0, outputTokens: 0, totalTokens: 0 },
+    error: message
+  };
+}
+function parseEvent(line, sessionId) {
+  const trimmed = line.trim();
+  if (trimmed.length === 0) return null;
+  const raw = JSON.parse(trimmed);
+  if (typeof raw.type !== "string") {
+    throw new Error(`ssh event missing 'type': ${trimmed.slice(0, 200)}`);
+  }
+  const ev = {
+    type: raw.type,
+    timestamp: typeof raw.timestamp === "string" ? raw.timestamp : (/* @__PURE__ */ new Date()).toISOString(),
+    sessionId
+  };
+  if (typeof raw.subtype === "string") ev.subtype = raw.subtype;
+  if (raw.content !== void 0) ev.content = raw.content;
+  if (isUsage(raw.usage)) ev.usage = raw.usage;
+  return ev;
+}
+function isUsage(u) {
+  if (!u || typeof u !== "object") return false;
+  const o = u;
+  return typeof o.inputTokens === "number" && typeof o.outputTokens === "number" && typeof o.totalTokens === "number";
+}
+async function* readLines(stream) {
+  let buffer = "";
+  for await (const chunk of stream) {
+    buffer += typeof chunk === "string" ? chunk : chunk.toString("utf-8");
+    let idx;
+    while ((idx = buffer.indexOf("\n")) >= 0) {
+      yield buffer.slice(0, idx);
+      buffer = buffer.slice(idx + 1);
+    }
+  }
+  if (buffer.length > 0) yield buffer;
+}
+function waitForExit(child) {
+  return new Promise((resolve7) => {
+    if (child.exitCode !== null) {
+      resolve7(child.exitCode);
+      return;
+    }
+    child.once("close", (code) => resolve7(code));
+    child.once("error", () => resolve7(null));
+  });
+}
+
+// src/agent/backends/serverless.ts
+import { spawn as spawn4 } from "child_process";
+import {
+  Ok as Ok17,
+  Err as Err14
+} from "@harness-engineering/types";
+var ServerlessBackend = class {
+  handles = /* @__PURE__ */ new Map();
+  async startSession(params) {
+    const start = await this.coldStart(params);
+    if (!start.ok) return start;
+    const session = {
+      sessionId: `${this.name}-session-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
+      workspacePath: params.workspacePath,
+      backendName: this.name,
+      startedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    this.handles.set(session.sessionId, start.value);
+    return Ok17(session);
+  }
+  async *runTurn(session, params) {
+    const handle = this.handles.get(session.sessionId);
+    if (!handle) {
+      return {
+        success: false,
+        sessionId: session.sessionId,
+        usage: { inputTokens: 0, outputTokens: 0, totalTokens: 0 },
+        error: `no serverless handle for session ${session.sessionId}`
+      };
+    }
+    return yield* this.runOnHandle(handle, params, session);
+  }
+  async stopSession(session) {
+    const handle = this.handles.get(session.sessionId);
+    if (!handle) return Ok17(void 0);
+    this.handles.delete(session.sessionId);
+    return this.teardown(handle);
+  }
+};
+var FORBIDDEN_IMAGE_CHARS = /[;&|`$()\n\r<>]/;
+var BLOCKED_DOCKER_FLAGS = [
+  "--privileged",
+  "--cap-add",
+  "--security-opt",
+  "--pid",
+  "--ipc",
+  "--userns"
+];
+var DEFAULT_OCI_TIMEOUT_MS = 9e4;
+var OciServerlessBackend = class extends ServerlessBackend {
+  name = "serverless:oci";
+  config;
+  spawnImpl;
+  envSource;
+  constructor(config) {
+    super();
+    if (!config.image || typeof config.image !== "string") {
+      throw new Error("OciServerlessBackend: `image` is required");
+    }
+    if (FORBIDDEN_IMAGE_CHARS.test(config.image) || config.image.startsWith("-")) {
+      throw new Error(
+        `OciServerlessBackend: invalid image '${config.image}' (contains shell metacharacters or starts with '-')`
+      );
+    }
+    this.config = {
+      image: config.image,
+      pullPolicy: config.pullPolicy ?? "if-not-present",
+      runtime: config.runtime ?? "docker",
+      envPassthrough: config.envPassthrough ?? [],
+      timeoutMs: config.timeoutMs ?? DEFAULT_OCI_TIMEOUT_MS,
+      extraArgs: sanitizeExtraArgs(config.extraArgs),
+      ...config.registry !== void 0 ? { registry: config.registry } : {}
+    };
+    this.spawnImpl = config.spawnImpl ?? spawn4;
+    this.envSource = config.envSource ?? process.env;
+  }
+  /** Builds the argv for `docker run -d ...`. Exposed for tests. */
+  buildRunArgs() {
+    const env = this.collectEnv();
+    const args = ["run", "-d", "--rm"];
+    for (const [k, v] of Object.entries(env)) {
+      args.push("-e", `${k}=${v}`);
+    }
+    for (const ea of this.config.extraArgs) {
+      args.push(ea);
+    }
+    args.push("--");
+    args.push(this.config.image);
+    return args;
+  }
+  /** Builds the argv for `docker exec <id> -- agent`. Exposed for tests. */
+  buildExecArgs(handleId) {
+    return ["exec", "-i", handleId, "/agent"];
+  }
+  async coldStart(_params) {
+    if (this.config.pullPolicy === "always") {
+      const pull = await this.runOneShot(this.config.runtime, ["pull", this.config.image]);
+      if (!pull.ok) return pull;
+    }
+    const result = await this.runOneShot(this.config.runtime, this.buildRunArgs());
+    if (!result.ok) return result;
+    const id = result.value.trim().split(/\s+/)[0] ?? "";
+    if (!id) {
+      return Err14({
+        category: "response_error",
+        message: "OciServerlessBackend: empty container id from runtime"
+      });
+    }
+    return Ok17({ id, adapter: this.name });
+  }
+  async *runOnHandle(handle, params, session) {
+    const child = this.spawnImpl(this.config.runtime, this.buildExecArgs(handle.id), {
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    const payload = JSON.stringify({
+      kind: "turn",
+      prompt: params.prompt,
+      isContinuation: params.isContinuation
+    });
+    try {
+      child.stdin.write(payload + "\n");
+      child.stdin.end();
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "failed to write to docker stdin";
+      return turnFailure(session.sessionId, message);
+    }
+    const timeout = setTimeout(() => {
+      try {
+        child.kill("SIGTERM");
+      } catch {
+      }
+    }, this.config.timeoutMs);
+    let finalUsage = { inputTokens: 0, outputTokens: 0, totalTokens: 0 };
+    let success = true;
+    let lastError;
+    try {
+      for await (const line of readLines2(child.stdout)) {
+        const ev = tryParseEvent(line, session.sessionId);
+        if (!ev) continue;
+        if (ev.usage) finalUsage = ev.usage;
+        if (ev.type === "error" && typeof ev.content === "string") {
+          success = false;
+          lastError = ev.content;
+        }
+        yield ev;
+      }
+      const code = await waitForExit2(child);
+      if (code !== 0 && code !== null) {
+        success = false;
+        lastError = lastError ?? `runtime exec exited with code ${code}`;
+      }
+    } finally {
+      clearTimeout(timeout);
+    }
+    return {
+      success,
+      sessionId: session.sessionId,
+      usage: finalUsage,
+      ...lastError !== void 0 ? { error: lastError } : {}
+    };
+  }
+  async teardown(handle) {
+    if (handle.adapter !== this.name) {
+      return Err14({
+        category: "response_error",
+        message: `handle adapter mismatch: got '${handle.adapter}', expected '${this.name}'`
+      });
+    }
+    const stop = await this.runOneShot(this.config.runtime, ["stop", handle.id]);
+    if (!stop.ok) return stop;
+    return Ok17(void 0);
+  }
+  async healthCheck() {
+    return mapOk(
+      await this.runOneShot(this.config.runtime, ["version", "--format", "{{.Server.Version}}"])
+    );
+  }
+  collectEnv() {
+    const out = {};
+    for (const key of this.config.envPassthrough) {
+      const val = this.envSource[key];
+      if (typeof val === "string") out[key] = val;
+    }
+    return out;
+  }
+  runOneShot(binary, args) {
+    return new Promise((resolve7) => {
+      let child;
+      try {
+        child = this.spawnImpl(binary, args, {
+          stdio: ["ignore", "pipe", "pipe"]
+        });
+      } catch (err) {
+        resolve7(
+          Err14({
+            category: "agent_not_found",
+            message: err instanceof Error ? err.message : "failed to spawn runtime"
+          })
+        );
+        return;
+      }
+      let stdout = "";
+      let stderr = "";
+      child.stdout?.on("data", (chunk) => {
+        stdout += typeof chunk === "string" ? chunk : chunk.toString("utf-8");
+      });
+      child.stderr?.on("data", (chunk) => {
+        stderr += typeof chunk === "string" ? chunk : chunk.toString("utf-8");
+      });
+      const timer = setTimeout(() => {
+        try {
+          child.kill("SIGTERM");
+        } catch {
+        }
+      }, this.config.timeoutMs);
+      child.on("close", (code) => {
+        clearTimeout(timer);
+        if (code === 0) {
+          resolve7(Ok17(stdout));
+        } else {
+          resolve7(
+            Err14({
+              category: "response_error",
+              message: `runtime '${binary} ${args.join(" ")}' exited ${code ?? "null"}: ${stderr.slice(0, 500)}`
+            })
+          );
+        }
+      });
+      child.on("error", (err) => {
+        clearTimeout(timer);
+        resolve7(Err14({ category: "agent_not_found", message: err.message }));
+      });
+    });
+  }
+};
+function sanitizeExtraArgs(extraArgs) {
+  if (!extraArgs) return [];
+  return extraArgs.filter((arg) => !BLOCKED_DOCKER_FLAGS.some((flag) => arg.startsWith(flag)));
+}
+function mapOk(r) {
+  return r.ok ? Ok17(void 0) : r;
+}
+function turnFailure(sessionId, message) {
+  return {
+    success: false,
+    sessionId,
+    usage: { inputTokens: 0, outputTokens: 0, totalTokens: 0 },
+    error: message
+  };
+}
+function tryParseEvent(line, sessionId) {
+  const trimmed = line.trim();
+  if (!trimmed) return null;
+  let raw;
+  try {
+    raw = JSON.parse(trimmed);
+  } catch {
+    return null;
+  }
+  if (!raw || typeof raw !== "object") return null;
+  const o = raw;
+  if (typeof o.type !== "string") return null;
+  const ev = {
+    type: o.type,
+    timestamp: typeof o.timestamp === "string" ? o.timestamp : (/* @__PURE__ */ new Date()).toISOString(),
+    sessionId
+  };
+  if (typeof o.subtype === "string") ev.subtype = o.subtype;
+  if (o.content !== void 0) ev.content = o.content;
+  if (isUsage2(o.usage)) ev.usage = o.usage;
+  return ev;
+}
+function isUsage2(u) {
+  if (!u || typeof u !== "object") return false;
+  const o = u;
+  return typeof o.inputTokens === "number" && typeof o.outputTokens === "number" && typeof o.totalTokens === "number";
+}
+async function* readLines2(stream) {
+  let buffer = "";
+  for await (const chunk of stream) {
+    buffer += typeof chunk === "string" ? chunk : chunk.toString("utf-8");
+    let idx;
+    while ((idx = buffer.indexOf("\n")) >= 0) {
+      yield buffer.slice(0, idx);
+      buffer = buffer.slice(idx + 1);
+    }
+  }
+  if (buffer.length > 0) yield buffer;
+}
+function waitForExit2(child) {
+  return new Promise((resolve7) => {
+    if (child.exitCode !== null) {
+      resolve7(child.exitCode);
+      return;
+    }
+    child.once("close", (code) => resolve7(code));
+    child.once("error", () => resolve7(null));
+  });
+}
+
 // src/agent/backend-factory.ts
 function makeGetModel(model) {
   if (typeof model === "string") return () => model;
@@ -4999,6 +5547,35 @@ function createBackend(def, options = {}) {
         ...def.timeoutMs !== void 0 ? { timeoutMs: def.timeoutMs } : {}
       });
     }
+    case "ssh": {
+      return new SshBackend({
+        host: def.host,
+        remoteCommand: def.remoteCommand,
+        ...def.user !== void 0 ? { user: def.user } : {},
+        ...def.port !== void 0 ? { port: def.port } : {},
+        ...def.identityFile !== void 0 ? { identityFile: def.identityFile } : {},
+        ...def.sshOptions !== void 0 ? { sshOptions: def.sshOptions } : {},
+        ...def.sshBinary !== void 0 ? { sshBinary: def.sshBinary } : {}
+      });
+    }
+    case "serverless": {
+      switch (def.adapter) {
+        case "oci":
+          return new OciServerlessBackend({
+            image: def.image,
+            ...def.registry !== void 0 ? { registry: def.registry } : {},
+            ...def.pullPolicy !== void 0 ? { pullPolicy: def.pullPolicy } : {},
+            ...def.envPassthrough !== void 0 ? { envPassthrough: def.envPassthrough } : {},
+            ...def.runtime !== void 0 ? { runtime: def.runtime } : {}
+          });
+        default: {
+          const exhaustive = def.adapter;
+          throw new Error(
+            `createBackend: unknown serverless adapter ${JSON.stringify(exhaustive)}`
+          );
+        }
+      }
+    }
     default: {
       const exhaustive = def;
       throw new Error(`createBackend: unknown backend type ${JSON.stringify(exhaustive)}`);
@@ -5008,13 +5585,13 @@ function createBackend(def, options = {}) {
 
 // src/agent/backends/container.ts
 import {
-  Err as Err13
+  Err as Err15
 } from "@harness-engineering/types";
 function toAgentError(message, details) {
   return { category: "response_error", message, details };
 }
 var BLOCKED_FLAGS = ["--privileged", "--cap-add", "--security-opt", "--pid", "--ipc", "--userns"];
-function sanitizeExtraArgs(extraArgs) {
+function sanitizeExtraArgs2(extraArgs) {
   if (!extraArgs) return [];
   return extraArgs.filter((arg) => !BLOCKED_FLAGS.some((flag) => arg.startsWith(flag)));
 }
@@ -5040,7 +5617,7 @@ var ContainerBackend = class {
     }
     const result = await this.secretBackend.resolveSecrets(this.secretKeys);
     if (!result.ok) {
-      return Err13(toAgentError(`Secret resolution failed: ${result.error.message}`, result.error));
+      return Err15(toAgentError(`Secret resolution failed: ${result.error.message}`, result.error));
     }
     return { ok: true, value: result.value };
   }
@@ -5053,7 +5630,7 @@ var ContainerBackend = class {
       network: this.containerConfig.network ?? "none",
       env
     };
-    const sanitized = sanitizeExtraArgs(this.containerConfig.extraArgs);
+    const sanitized = sanitizeExtraArgs2(this.containerConfig.extraArgs);
     if (sanitized.length > 0) {
       opts.extraArgs = sanitized;
     }
@@ -5065,7 +5642,7 @@ var ContainerBackend = class {
     const createOpts = this.buildCreateOpts(params, envResult.value);
     const containerResult = await this.runtime.createContainer(createOpts);
     if (!containerResult.ok) {
-      return Err13(
+      return Err15(
         toAgentError(
           `Container creation failed: ${containerResult.error.message}`,
           containerResult.error
@@ -5090,7 +5667,7 @@ var ContainerBackend = class {
       this.containerHandles.delete(session.sessionId);
       const removeResult = await this.runtime.removeContainer(handle);
       if (!removeResult.ok) {
-        return Err13(
+        return Err15(
           toAgentError(
             `Container removal failed: ${removeResult.error.message}`,
             removeResult.error
@@ -5103,7 +5680,7 @@ var ContainerBackend = class {
   async healthCheck() {
     const runtimeResult = await this.runtime.healthCheck();
     if (!runtimeResult.ok) {
-      return Err13({
+      return Err15({
         category: "agent_not_found",
         message: `Container runtime unhealthy: ${runtimeResult.error.message}`,
         details: runtimeResult.error
@@ -5114,16 +5691,16 @@ var ContainerBackend = class {
 };
 
 // src/agent/runtime/docker.ts
-import { execFile as execFile3, spawn as spawn3 } from "child_process";
-import { Ok as Ok16, Err as Err14 } from "@harness-engineering/types";
+import { execFile as execFile3, spawn as spawn5 } from "child_process";
+import { Ok as Ok18, Err as Err16 } from "@harness-engineering/types";
 function dockerExec(args) {
-  return new Promise((resolve6, reject) => {
+  return new Promise((resolve7, reject) => {
     execFile3("docker", args, (error, stdout) => {
       if (error) {
         reject(error);
         return;
       }
-      resolve6(stdout.trim());
+      resolve7(stdout.trim());
     });
   });
 }
@@ -5148,9 +5725,9 @@ var DockerRuntime = class {
       args.push(opts.image);
       args.push("sleep", "infinity");
       const containerId = await dockerExec(args);
-      return Ok16({ containerId, runtime: this.name });
+      return Ok18({ containerId, runtime: this.name });
     } catch (error) {
-      return Err14({
+      return Err16({
         category: "container_create_failed",
         message: `Failed to create container: ${error instanceof Error ? error.message : String(error)}`,
         details: error
@@ -5172,7 +5749,7 @@ var DockerRuntime = class {
       }
     }
     execArgs.push(handle.containerId, ...cmd);
-    const child = spawn3("docker", execArgs);
+    const child = spawn5("docker", execArgs);
     const readline3 = await import("readline");
     const rl = readline3.createInterface({ input: child.stdout, terminal: false });
     try {
@@ -5182,11 +5759,11 @@ var DockerRuntime = class {
     } finally {
       rl.close();
     }
-    const exitCode = await new Promise((resolve6) => {
+    const exitCode = await new Promise((resolve7) => {
       if (child.exitCode !== null) {
-        resolve6(child.exitCode);
+        resolve7(child.exitCode);
       } else {
-        child.on("exit", (code) => resolve6(code ?? 1));
+        child.on("exit", (code) => resolve7(code ?? 1));
       }
     });
     return exitCode;
@@ -5194,9 +5771,9 @@ var DockerRuntime = class {
   async removeContainer(handle) {
     try {
       await dockerExec(["rm", "-f", handle.containerId]);
-      return Ok16(void 0);
+      return Ok18(void 0);
     } catch (error) {
-      return Err14({
+      return Err16({
         category: "container_remove_failed",
         message: `Failed to remove container: ${error instanceof Error ? error.message : String(error)}`,
         details: error
@@ -5206,9 +5783,9 @@ var DockerRuntime = class {
   async healthCheck() {
     try {
       await dockerExec(["info", "--format", "{{.ServerVersion}}"]);
-      return Ok16(void 0);
+      return Ok18(void 0);
     } catch (error) {
-      return Err14({
+      return Err16({
         category: "runtime_not_found",
         message: `Docker is not available: ${error instanceof Error ? error.message : String(error)}`,
         details: error
@@ -5218,7 +5795,7 @@ var DockerRuntime = class {
 };
 
 // src/agent/secrets/env.ts
-import { Ok as Ok17, Err as Err15 } from "@harness-engineering/types";
+import { Ok as Ok19, Err as Err17 } from "@harness-engineering/types";
 var EnvSecretBackend = class {
   name = "env";
   async resolveSecrets(keys) {
@@ -5226,7 +5803,7 @@ var EnvSecretBackend = class {
     for (const key of keys) {
       const value = process.env[key];
       if (value === void 0) {
-        return Err15({
+        return Err17({
           category: "secret_not_found",
           message: `Environment variable '${key}' is not set`,
           key
@@ -5234,24 +5811,24 @@ var EnvSecretBackend = class {
       }
       secrets[key] = value;
     }
-    return Ok17(secrets);
+    return Ok19(secrets);
   }
   async healthCheck() {
-    return Ok17(void 0);
+    return Ok19(void 0);
   }
 };
 
 // src/agent/secrets/onepassword.ts
 import { execFile as execFile4 } from "child_process";
-import { Ok as Ok18, Err as Err16 } from "@harness-engineering/types";
+import { Ok as Ok20, Err as Err18 } from "@harness-engineering/types";
 function opExec(args) {
-  return new Promise((resolve6, reject) => {
+  return new Promise((resolve7, reject) => {
     execFile4("op", args, (error, stdout) => {
       if (error) {
         reject(error);
         return;
       }
-      resolve6(stdout.trim());
+      resolve7(stdout.trim());
     });
   });
 }
@@ -5268,21 +5845,21 @@ var OnePasswordSecretBackend = class {
         const value = await opExec(["read", `op://${this.vault}/${key}/password`]);
         secrets[key] = value;
       } catch (error) {
-        return Err16({
+        return Err18({
           category: "access_denied",
           message: `Failed to read secret '${key}' from 1Password: ${error instanceof Error ? error.message : String(error)}`,
           key
         });
       }
     }
-    return Ok18(secrets);
+    return Ok20(secrets);
   }
   async healthCheck() {
     try {
       await opExec(["--version"]);
-      return Ok18(void 0);
+      return Ok20(void 0);
     } catch (error) {
-      return Err16({
+      return Err18({
         category: "provider_unavailable",
         message: `1Password CLI is not available: ${error instanceof Error ? error.message : String(error)}`
       });
@@ -5292,15 +5869,15 @@ var OnePasswordSecretBackend = class {
 
 // src/agent/secrets/vault.ts
 import { execFile as execFile5 } from "child_process";
-import { Ok as Ok19, Err as Err17 } from "@harness-engineering/types";
+import { Ok as Ok21, Err as Err19 } from "@harness-engineering/types";
 function vaultExec(args, env) {
-  return new Promise((resolve6, reject) => {
+  return new Promise((resolve7, reject) => {
     execFile5("vault", args, { env: { ...process.env, ...env } }, (error, stdout) => {
       if (error) {
         reject(error);
         return;
       }
-      resolve6(stdout.trim());
+      resolve7(stdout.trim());
     });
   });
 }
@@ -5323,11 +5900,11 @@ var VaultSecretBackend = class {
     } catch (error) {
       const msg = error instanceof Error ? error.message : String(error);
       const category = error instanceof SyntaxError ? "access_denied" : "access_denied";
-      return Err17({ category, message: `Failed to read from Vault: ${msg}` });
+      return Err19({ category, message: `Failed to read from Vault: ${msg}` });
     }
     const missing = keys.find((k) => !(k in data));
     if (missing) {
-      return Err17({
+      return Err19({
         category: "secret_not_found",
         message: `Secret key '${missing}' not found in Vault path '${this.path}'`,
         key: missing
@@ -5335,14 +5912,14 @@ var VaultSecretBackend = class {
     }
     const secrets = {};
     for (const key of keys) secrets[key] = data[key];
-    return Ok19(secrets);
+    return Ok21(secrets);
   }
   async healthCheck() {
     try {
       await vaultExec(["version"]);
-      return Ok19(void 0);
+      return Ok21(void 0);
     } catch (error) {
-      return Err17({
+      return Err19({
         category: "provider_unavailable",
         message: `Vault CLI is not available: ${error instanceof Error ? error.message : String(error)}`
       });
@@ -5488,6 +6065,8 @@ function buildAnalysisProvider(args) {
       return buildClaudeCliProvider(def, args, layerModel);
     case "mock":
     case "gemini":
+    case "ssh":
+    case "serverless":
       logger.warn(
         `Intelligence pipeline disabled for layer '${layer}': routed backend '${backendName}' has type '${def.type}' which has no AnalysisProvider implementation.`
       );
@@ -5670,7 +6249,7 @@ function buildExplicitProvider(provider, selModel, config) {
 
 // src/server/http.ts
 import * as http from "http";
-import * as path14 from "path";
+import * as path15 from "path";
 import { assertPortUsable } from "@harness-engineering/core";
 
 // src/server/websocket.ts
@@ -5733,7 +6312,7 @@ import { z as z3 } from "zod";
 // src/server/utils.ts
 var DEFAULT_MAX_BYTES = 1048576;
 function readBody(req, maxBytes = DEFAULT_MAX_BYTES) {
-  return new Promise((resolve6, reject) => {
+  return new Promise((resolve7, reject) => {
     let body = "";
     let bytes = 0;
     req.on("data", (chunk) => {
@@ -5745,7 +6324,7 @@ function readBody(req, maxBytes = DEFAULT_MAX_BYTES) {
       }
       body += String(chunk);
     });
-    req.on("end", () => resolve6(body));
+    req.on("end", () => resolve7(body));
     req.on("error", reject);
   });
 }
@@ -5911,7 +6490,7 @@ function handlePlansRoute(req, res, plansDir) {
 }
 
 // src/server/routes/chat-proxy.ts
-import { spawn as spawn4 } from "child_process";
+import { spawn as spawn6 } from "child_process";
 import { randomUUID as randomUUID4 } from "crypto";
 import * as readline2 from "readline";
 import { z as z6 } from "zod";
@@ -5997,7 +6576,7 @@ async function handleChatRequest(req, res, command) {
     });
     emit(res, { type: "session", sessionId });
     const args = buildArgs(parsed.prompt, sessionId, isFirstTurn, parsed.system);
-    child = spawn4(command, args, { env: buildChildEnv(), stdio: "pipe" });
+    child = spawn6(command, args, { env: buildChildEnv(), stdio: "pipe" });
     child.stdin?.end();
     let clientDisconnected = false;
     res.on("close", () => {
@@ -6881,36 +7460,577 @@ function handleV1TelemetryRoute(req, res, deps) {
   return false;
 }
 
-// src/server/routes/sessions.ts
-import * as fs11 from "fs/promises";
-import * as path11 from "path";
+// src/server/routes/v1/proposals.ts
 import { z as z13 } from "zod";
-var SessionCreateSchema = z13.object({
-  sessionId: z13.string().min(1)
-}).passthrough();
-var UUID_RE2 = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
-function isSafeId(id) {
-  return UUID_RE2.test(id) || path11.basename(id) === id && !id.includes("..");
-}
-function jsonResponse(res, status, data) {
-  res.writeHead(status, { "Content-Type": "application/json" });
-  res.end(JSON.stringify(data));
-}
-function extractSessionId(url) {
-  const segments = new URL(url, "http://localhost").pathname.split(path11.posix.sep);
-  const id = segments.pop();
-  return id && id !== "sessions" ? id : null;
-}
-async function handleList(res, sessionsDir) {
-  try {
-    const entries = await fs11.readdir(sessionsDir, { withFileTypes: true });
-    const sessions = [];
-    for (const entry of entries) {
-      if (!entry.isDirectory()) continue;
-      try {
-        const content = await fs11.readFile(
-          path11.join(sessionsDir, entry.name, "session.json"),
-          "utf-8"
+import {
+  getProposal as getProposal3,
+  listProposals,
+  updateProposal as updateProposal3,
+  ProposalNotFoundError as ProposalNotFoundError3
+} from "@harness-engineering/core";
+import {
+  EditProposalInputSchema
+} from "@harness-engineering/types";
+
+// src/proposals/gate.ts
+import { parse as parseYaml } from "yaml";
+import {
+  getProposal,
+  updateProposal,
+  ProposalNotFoundError
+} from "@harness-engineering/core";
+var GateRunError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "GateRunError";
+  }
+};
+var SKILL_NAME_RE = /^[a-z][a-z0-9-]*$/;
+function checkSkillYaml(yaml) {
+  const findings = [];
+  let doc;
+  try {
+    doc = parseYaml(yaml);
+  } catch (err) {
+    findings.push({
+      severity: "error",
+      title: "skill.yaml does not parse",
+      detail: err instanceof Error ? err.message : String(err)
+    });
+    return findings;
+  }
+  if (!doc || typeof doc !== "object") {
+    findings.push({
+      severity: "error",
+      title: "skill.yaml top-level is not a mapping",
+      detail: "Expected a YAML document with keys at the root (name, version, description, \u2026)."
+    });
+    return findings;
+  }
+  const obj = doc;
+  if (typeof obj["name"] !== "string") {
+    findings.push({
+      severity: "error",
+      title: "skill.yaml missing `name`",
+      detail: "Every skill must declare its kebab-case name."
+    });
+  }
+  if (typeof obj["version"] !== "string") {
+    findings.push({
+      severity: "error",
+      title: "skill.yaml missing `version`",
+      detail: "Every skill must declare a semver version string."
+    });
+  }
+  if (typeof obj["description"] !== "string") {
+    findings.push({
+      severity: "warning",
+      title: "skill.yaml missing `description`",
+      detail: "Description is strongly recommended for discoverability."
+    });
+  }
+  return findings;
+}
+function checkSkillMd(md) {
+  const findings = [];
+  if (md.trim().length < 40) {
+    findings.push({
+      severity: "error",
+      title: "SKILL.md is too short",
+      detail: "A skill needs a meaningful description (at least 40 non-whitespace characters)."
+    });
+  }
+  if (!/^#\s+\S/m.test(md)) {
+    findings.push({
+      severity: "warning",
+      title: "SKILL.md has no top-level heading",
+      detail: "Convention: open SKILL.md with `# <Skill Name>`."
+    });
+  }
+  return findings;
+}
+function checkName(name) {
+  if (SKILL_NAME_RE.test(name)) return [];
+  return [
+    {
+      severity: "error",
+      title: "skill name violates the kebab-case rule",
+      detail: `"${name}" must match /^[a-z][a-z0-9-]*$/. Use only lowercase letters, digits, and hyphens; start with a letter.`
+    }
+  ];
+}
+function checkDiff(diff) {
+  const findings = [];
+  if (!diff.includes("---") || !diff.includes("+++")) {
+    findings.push({
+      severity: "error",
+      title: "Refinement diff is not in unified-diff format",
+      detail: "Diffs must include both `---` and `+++` headers."
+    });
+  }
+  if (!/^@@\s/m.test(diff)) {
+    findings.push({
+      severity: "warning",
+      title: "Refinement diff has no hunk marker",
+      detail: "A unified diff typically contains at least one `@@` line."
+    });
+  }
+  return findings;
+}
+function deriveFindings(proposal) {
+  const findings = [];
+  findings.push(...checkName(proposal.content.name));
+  if (proposal.kind === "new-skill") {
+    findings.push(...checkSkillYaml(proposal.content.skillYaml ?? ""));
+    findings.push(...checkSkillMd(proposal.content.skillMd ?? ""));
+  } else if (proposal.kind === "refinement") {
+    findings.push(...checkDiff(proposal.content.diff ?? ""));
+  }
+  return findings;
+}
+async function runGate(projectPath, proposalId) {
+  const proposal = await getProposal(projectPath, proposalId);
+  if (!proposal) throw new ProposalNotFoundError(proposalId);
+  if (proposal.status === "approved" || proposal.status === "rejected") {
+    throw new GateRunError(
+      `proposal ${proposalId} is already ${proposal.status}; cannot re-run the gate`
+    );
+  }
+  const findings = deriveFindings(proposal);
+  const runAt = (/* @__PURE__ */ new Date()).toISOString();
+  const hasError = findings.some((f) => f.severity === "error");
+  const nextStatus = hasError ? "gate-failed" : "gate-running";
+  const updated = await updateProposal(projectPath, proposalId, {
+    status: nextStatus,
+    gate: { lastRunAt: runAt, findings }
+  });
+  return {
+    proposalId: updated.id,
+    status: updated.status,
+    findings,
+    runAt
+  };
+}
+
+// src/proposals/promote.ts
+import * as fs11 from "fs";
+import * as path11 from "path";
+import { parse as parseYaml2, stringify as stringifyYaml } from "yaml";
+import {
+  getProposal as getProposal2,
+  updateProposal as updateProposal2,
+  ProposalNotFoundError as ProposalNotFoundError2
+} from "@harness-engineering/core";
+var GateNotReadyError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "GateNotReadyError";
+  }
+};
+var PromotionError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "PromotionError";
+  }
+};
+var GATE_FRESHNESS_MS = 24 * 60 * 60 * 1e3;
+function skillDir(projectPath, name) {
+  return path11.join(projectPath, "agents", "skills", "claude-code", name);
+}
+function readIfExists(p) {
+  try {
+    return fs11.readFileSync(p, "utf-8");
+  } catch {
+    return null;
+  }
+}
+function injectProvenanceIntoYaml(yamlText, proposalId) {
+  let doc;
+  try {
+    doc = parseYaml2(yamlText);
+  } catch (err) {
+    throw new PromotionError(
+      `skill.yaml does not parse: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  if (!doc || typeof doc !== "object") {
+    throw new PromotionError("skill.yaml top-level is not a mapping");
+  }
+  const obj = doc;
+  obj["provenance"] = "agent-proposed";
+  obj["originatingProposalId"] = proposalId;
+  return stringifyYaml(obj);
+}
+function assertGateReady(proposal) {
+  if (proposal.status !== "gate-running") {
+    throw new GateNotReadyError(
+      `proposal ${proposal.id} is in status "${proposal.status}"; the gate must pass before promotion`
+    );
+  }
+  const findings = proposal.gate?.findings ?? [];
+  if (findings.some((f) => f.severity === "error")) {
+    throw new GateNotReadyError(
+      `proposal ${proposal.id} has unresolved gate errors; re-run the gate after edits`
+    );
+  }
+  if (!proposal.gate?.lastRunAt) {
+    throw new GateNotReadyError(`proposal ${proposal.id} has no gate run on record`);
+  }
+  const ageMs = Date.now() - Date.parse(proposal.gate.lastRunAt);
+  if (!Number.isFinite(ageMs) || ageMs > GATE_FRESHNESS_MS) {
+    throw new GateNotReadyError(
+      `proposal ${proposal.id} gate run is older than 24h; re-run before approving`
+    );
+  }
+}
+async function promoteNewSkill(projectPath, proposal) {
+  const target = skillDir(projectPath, proposal.content.name);
+  if (fs11.existsSync(target)) {
+    throw new PromotionError(
+      `a catalog skill already exists at ${target}; use a refinement proposal to update it`
+    );
+  }
+  fs11.mkdirSync(target, { recursive: true });
+  const yamlOut = injectProvenanceIntoYaml(proposal.content.skillYaml ?? "", proposal.id);
+  fs11.writeFileSync(path11.join(target, "skill.yaml"), yamlOut);
+  fs11.writeFileSync(path11.join(target, "SKILL.md"), proposal.content.skillMd ?? "");
+  return { skillPath: target };
+}
+async function promoteRefinement(projectPath, proposal) {
+  if (!proposal.targetSkill) {
+    throw new PromotionError("refinement proposal is missing targetSkill");
+  }
+  const target = skillDir(projectPath, proposal.targetSkill);
+  if (!fs11.existsSync(target)) {
+    throw new PromotionError(
+      `target skill ${proposal.targetSkill} does not exist at ${target}; cannot refine`
+    );
+  }
+  const yamlPath = path11.join(target, "skill.yaml");
+  const before = readIfExists(yamlPath) ?? "";
+  const after = injectProvenanceIntoYaml(before, proposal.id);
+  if (after === before) {
+    throw new PromotionError(
+      "no metadata changes detected; check that the reviewer applied the proposed diff before approving"
+    );
+  }
+  fs11.writeFileSync(yamlPath, after);
+  return { skillPath: target };
+}
+async function promote(projectPath, proposalId, decidedBy) {
+  const proposal = await getProposal2(projectPath, proposalId);
+  if (!proposal) throw new ProposalNotFoundError2(proposalId);
+  assertGateReady(proposal);
+  const out = proposal.kind === "new-skill" ? await promoteNewSkill(projectPath, proposal) : await promoteRefinement(projectPath, proposal);
+  await updateProposal2(projectPath, proposalId, {
+    status: "approved",
+    decision: {
+      decidedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      decidedBy,
+      action: "approved"
+    }
+  });
+  return {
+    proposalId,
+    skillPath: out.skillPath,
+    provenance: "agent-proposed"
+  };
+}
+
+// src/proposals/events.ts
+function emit3(bus, topic, data) {
+  bus.emit(topic, data);
+}
+function emitProposalCreated(bus, proposal) {
+  const data = {
+    id: proposal.id,
+    kind: proposal.kind,
+    name: proposal.content.name,
+    proposedBy: proposal.proposedBy,
+    justification: proposal.source.justification
+  };
+  if (proposal.targetSkill) data.targetSkill = proposal.targetSkill;
+  emit3(bus, "proposal.created", data);
+}
+function emitProposalApproved(bus, proposal) {
+  const data = {
+    id: proposal.id,
+    kind: proposal.kind,
+    name: proposal.content.name,
+    decidedBy: proposal.decision?.decidedBy ?? "(unknown)"
+  };
+  if (proposal.targetSkill) data.targetSkill = proposal.targetSkill;
+  emit3(bus, "proposal.approved", data);
+}
+function emitProposalRejected(bus, proposal) {
+  const data = {
+    id: proposal.id,
+    kind: proposal.kind,
+    name: proposal.content.name,
+    decidedBy: proposal.decision?.decidedBy ?? "(unknown)",
+    reason: proposal.decision?.reason ?? "(no reason given)"
+  };
+  emit3(bus, "proposal.rejected", data);
+}
+
+// src/server/routes/v1/proposals.ts
+var LIST_RE = /^\/api\/v1\/proposals(?:\?.*)?$/;
+var SINGLE_RE = /^\/api\/v1\/proposals\/([^/?]+)(?:\?.*)?$/;
+var RUN_GATE_RE = /^\/api\/v1\/proposals\/([^/?]+)\/run-gate(?:\?.*)?$/;
+var APPROVE_RE = /^\/api\/v1\/proposals\/([^/?]+)\/approve(?:\?.*)?$/;
+var REJECT_RE = /^\/api\/v1\/proposals\/([^/?]+)\/reject(?:\?.*)?$/;
+var ProposalStatusValues = [
+  "open",
+  "gate-running",
+  "gate-failed",
+  "approved",
+  "rejected"
+];
+var RejectBody = z13.object({
+  reason: z13.string().min(1).max(280)
+});
+function sendJSON8(res, status, body) {
+  res.writeHead(status, { "Content-Type": "application/json" });
+  res.end(JSON.stringify(body));
+}
+function getDecidedBy(req, deps) {
+  if (deps.decidedByResolver) return deps.decidedByResolver(req);
+  const token = req._authToken;
+  return token?.id ?? "unknown";
+}
+function parseStatusFromQuery(url) {
+  const queryIdx = url.indexOf("?");
+  if (queryIdx === -1) return void 0;
+  const params = new URLSearchParams(url.slice(queryIdx + 1));
+  const raw = params.get("status");
+  if (!raw) return void 0;
+  if (raw === "all") return "all";
+  if (ProposalStatusValues.includes(raw)) return raw;
+  return void 0;
+}
+async function handleList(req, res, deps) {
+  const url = req.url ?? "";
+  const status = parseStatusFromQuery(url);
+  const proposals = await listProposals(deps.projectPath, status ? { status } : {});
+  sendJSON8(res, 200, proposals);
+}
+async function handleGet(res, deps, id) {
+  const proposal = await getProposal3(deps.projectPath, id);
+  if (!proposal) {
+    sendJSON8(res, 404, { error: "Proposal not found" });
+    return;
+  }
+  sendJSON8(res, 200, proposal);
+}
+async function handleRunGate(res, deps, id) {
+  try {
+    const result = await runGate(deps.projectPath, id);
+    sendJSON8(res, 200, result);
+  } catch (err) {
+    if (err instanceof ProposalNotFoundError3) {
+      sendJSON8(res, 404, { error: err.message });
+      return;
+    }
+    if (err instanceof GateRunError) {
+      sendJSON8(res, 409, { error: err.message });
+      return;
+    }
+    sendJSON8(res, 500, {
+      error: "gate run failed",
+      detail: err instanceof Error ? err.message : "unknown"
+    });
+  }
+}
+async function handleApprove(req, res, deps, id) {
+  const decidedBy = getDecidedBy(req, deps);
+  try {
+    const result = await promote(deps.projectPath, id, decidedBy);
+    const proposal = await getProposal3(deps.projectPath, id);
+    if (proposal) emitProposalApproved(deps.bus, proposal);
+    sendJSON8(res, 200, { promotion: result, proposal });
+  } catch (err) {
+    if (err instanceof ProposalNotFoundError3) {
+      sendJSON8(res, 404, { error: err.message });
+      return;
+    }
+    if (err instanceof GateNotReadyError) {
+      sendJSON8(res, 409, { error: err.message });
+      return;
+    }
+    if (err instanceof PromotionError) {
+      sendJSON8(res, 422, { error: err.message });
+      return;
+    }
+    sendJSON8(res, 500, {
+      error: "approve failed",
+      detail: err instanceof Error ? err.message : "unknown"
+    });
+  }
+}
+async function handleReject(req, res, deps, id) {
+  let raw;
+  try {
+    raw = await readBody(req);
+  } catch (err) {
+    sendJSON8(res, 413, { error: err instanceof Error ? err.message : "Body too large" });
+    return;
+  }
+  let json;
+  try {
+    json = raw.length > 0 ? JSON.parse(raw) : {};
+  } catch {
+    sendJSON8(res, 400, { error: "Invalid JSON body" });
+    return;
+  }
+  const parsed = RejectBody.safeParse(json);
+  if (!parsed.success) {
+    sendJSON8(res, 400, { error: "Invalid body", issues: parsed.error.issues });
+    return;
+  }
+  const proposal = await getProposal3(deps.projectPath, id);
+  if (!proposal) {
+    sendJSON8(res, 404, { error: "Proposal not found" });
+    return;
+  }
+  if (proposal.status === "approved" || proposal.status === "rejected") {
+    sendJSON8(res, 409, {
+      error: `proposal already ${proposal.status}; cannot reject`
+    });
+    return;
+  }
+  const decidedBy = getDecidedBy(req, deps);
+  const updated = await updateProposal3(deps.projectPath, id, {
+    status: "rejected",
+    decision: {
+      decidedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      decidedBy,
+      action: "rejected",
+      reason: parsed.data.reason
+    }
+  });
+  emitProposalRejected(deps.bus, updated);
+  sendJSON8(res, 200, updated);
+}
+async function handleEdit(req, res, deps, id) {
+  let raw;
+  try {
+    raw = await readBody(req);
+  } catch (err) {
+    sendJSON8(res, 413, { error: err instanceof Error ? err.message : "Body too large" });
+    return;
+  }
+  let json;
+  try {
+    json = JSON.parse(raw);
+  } catch {
+    sendJSON8(res, 400, { error: "Invalid JSON body" });
+    return;
+  }
+  const parsed = EditProposalInputSchema.safeParse(json);
+  if (!parsed.success) {
+    sendJSON8(res, 400, { error: "Invalid body", issues: parsed.error.issues });
+    return;
+  }
+  const existing = await getProposal3(deps.projectPath, id);
+  if (!existing) {
+    sendJSON8(res, 404, { error: "Proposal not found" });
+    return;
+  }
+  if (existing.status === "approved" || existing.status === "rejected") {
+    sendJSON8(res, 409, {
+      error: `proposal already ${existing.status}; cannot edit`
+    });
+    return;
+  }
+  const mergedContent = {
+    ...existing.content,
+    ...parsed.data.content,
+    name: parsed.data.content.name ?? existing.content.name,
+    description: parsed.data.content.description ?? existing.content.description
+  };
+  try {
+    const updated = await updateProposal3(deps.projectPath, id, {
+      content: mergedContent,
+      status: "open",
+      gate: void 0
+    });
+    sendJSON8(res, 200, updated);
+  } catch (err) {
+    sendJSON8(res, 422, {
+      error: "edit failed",
+      detail: err instanceof Error ? err.message : "unknown"
+    });
+  }
+}
+function handleV1ProposalsRoute(req, res, deps) {
+  const url = req.url ?? "";
+  const method = req.method ?? "GET";
+  if (method === "GET" && LIST_RE.test(url)) {
+    void handleList(req, res, deps);
+    return true;
+  }
+  const runGateMatch = method === "POST" ? RUN_GATE_RE.exec(url) : null;
+  if (runGateMatch) {
+    void handleRunGate(res, deps, runGateMatch[1]);
+    return true;
+  }
+  const approveMatch = method === "POST" ? APPROVE_RE.exec(url) : null;
+  if (approveMatch) {
+    void handleApprove(req, res, deps, approveMatch[1]);
+    return true;
+  }
+  const rejectMatch = method === "POST" ? REJECT_RE.exec(url) : null;
+  if (rejectMatch) {
+    void handleReject(req, res, deps, rejectMatch[1]);
+    return true;
+  }
+  if (method === "PATCH") {
+    const m = SINGLE_RE.exec(url);
+    if (m) {
+      void handleEdit(req, res, deps, m[1]);
+      return true;
+    }
+  }
+  if (method === "GET") {
+    const m = SINGLE_RE.exec(url);
+    if (m) {
+      void handleGet(res, deps, m[1]);
+      return true;
+    }
+  }
+  return false;
+}
+
+// src/server/routes/sessions.ts
+import * as fs12 from "fs/promises";
+import * as path12 from "path";
+import { z as z14 } from "zod";
+var SessionCreateSchema = z14.object({
+  sessionId: z14.string().min(1)
+}).passthrough();
+var UUID_RE2 = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+function isSafeId(id) {
+  return UUID_RE2.test(id) || path12.basename(id) === id && !id.includes("..");
+}
+function jsonResponse(res, status, data) {
+  res.writeHead(status, { "Content-Type": "application/json" });
+  res.end(JSON.stringify(data));
+}
+function extractSessionId(url) {
+  const segments = new URL(url, "http://localhost").pathname.split(path12.posix.sep);
+  const id = segments.pop();
+  return id && id !== "sessions" ? id : null;
+}
+async function handleList2(res, sessionsDir) {
+  try {
+    const entries = await fs12.readdir(sessionsDir, { withFileTypes: true });
+    const sessions = [];
+    for (const entry of entries) {
+      if (!entry.isDirectory()) continue;
+      try {
+        const content = await fs12.readFile(
+          path12.join(sessionsDir, entry.name, "session.json"),
+          "utf-8"
         );
         sessions.push(JSON.parse(content));
       } catch {
@@ -6928,13 +8048,13 @@ async function handleList(res, sessionsDir) {
     jsonResponse(res, 500, { error: "Failed to list sessions" });
   }
 }
-async function handleGet(res, id, sessionsDir) {
+async function handleGet2(res, id, sessionsDir) {
   if (!isSafeId(id)) {
     jsonResponse(res, 400, { error: "Invalid sessionId" });
     return;
   }
   try {
-    const content = await fs11.readFile(path11.join(sessionsDir, id, "session.json"), "utf-8");
+    const content = await fs12.readFile(path12.join(sessionsDir, id, "session.json"), "utf-8");
     jsonResponse(res, 200, JSON.parse(content));
   } catch (err) {
     if (err.code === "ENOENT") {
@@ -6957,9 +8077,9 @@ async function handleCreate(req, res, sessionsDir) {
       jsonResponse(res, 400, { error: "Invalid sessionId" });
       return;
     }
-    const sessionDir = path11.join(sessionsDir, session.sessionId);
-    await fs11.mkdir(sessionDir, { recursive: true });
-    await fs11.writeFile(path11.join(sessionDir, "session.json"), JSON.stringify(session, null, 2));
+    const sessionDir = path12.join(sessionsDir, session.sessionId);
+    await fs12.mkdir(sessionDir, { recursive: true });
+    await fs12.writeFile(path12.join(sessionDir, "session.json"), JSON.stringify(session, null, 2));
     jsonResponse(res, 200, { ok: true });
   } catch {
     jsonResponse(res, 500, { error: "Failed to save session" });
@@ -6973,10 +8093,10 @@ async function handleUpdate(req, res, url, sessionsDir) {
       return;
     }
     const body = await readBody(req);
-    const updates = z13.record(z13.unknown()).parse(JSON.parse(body));
-    const sessionFilePath = path11.join(sessionsDir, id, "session.json");
-    const current = JSON.parse(await fs11.readFile(sessionFilePath, "utf-8"));
-    await fs11.writeFile(sessionFilePath, JSON.stringify({ ...current, ...updates }, null, 2));
+    const updates = z14.record(z14.unknown()).parse(JSON.parse(body));
+    const sessionFilePath = path12.join(sessionsDir, id, "session.json");
+    const current = JSON.parse(await fs12.readFile(sessionFilePath, "utf-8"));
+    await fs12.writeFile(sessionFilePath, JSON.stringify({ ...current, ...updates }, null, 2));
     jsonResponse(res, 200, { ok: true });
   } catch {
     jsonResponse(res, 500, { error: "Failed to update session" });
@@ -6989,7 +8109,7 @@ async function handleDelete(res, url, sessionsDir) {
       jsonResponse(res, 400, { error: "Missing or invalid sessionId" });
       return;
     }
-    await fs11.rm(path11.join(sessionsDir, id), { recursive: true, force: true });
+    await fs12.rm(path12.join(sessionsDir, id), { recursive: true, force: true });
     jsonResponse(res, 200, { ok: true });
   } catch {
     jsonResponse(res, 500, { error: "Failed to delete session" });
@@ -7002,8 +8122,8 @@ function handleSessionsRoute(req, res, sessionsDir) {
   switch (method) {
     case "GET": {
       const id = extractSessionId(url);
-      if (id) void handleGet(res, id, sessionsDir);
-      else void handleList(res, sessionsDir);
+      if (id) void handleGet2(res, id, sessionsDir);
+      else void handleList2(res, sessionsDir);
       return true;
     }
     case "POST":
@@ -7093,20 +8213,20 @@ function handleStreamsRoute(req, res, recorder) {
 }
 
 // src/server/routes/auth.ts
-import { z as z14 } from "zod";
+import { z as z15 } from "zod";
 import {
   TokenScopeSchema,
   BridgeKindSchema,
   AuthTokenPublicSchema
 } from "@harness-engineering/types";
-var CreateBodySchema = z14.object({
-  name: z14.string().min(1).max(100),
-  scopes: z14.array(TokenScopeSchema).min(1),
+var CreateBodySchema = z15.object({
+  name: z15.string().min(1).max(100),
+  scopes: z15.array(TokenScopeSchema).min(1),
   bridgeKind: BridgeKindSchema.optional(),
-  tenantId: z14.string().optional(),
-  expiresAt: z14.string().datetime().optional()
+  tenantId: z15.string().optional(),
+  expiresAt: z15.string().datetime().optional()
 });
-function sendJSON8(res, status, body) {
+function sendJSON9(res, status, body) {
   res.writeHead(status, { "Content-Type": "application/json" });
   res.end(JSON.stringify(body));
 }
@@ -7116,19 +8236,19 @@ async function handlePost(req, res, store) {
     raw = await readBody(req);
   } catch (err) {
     const msg = err instanceof Error ? err.message : "Failed to read body";
-    sendJSON8(res, 413, { error: msg });
+    sendJSON9(res, 413, { error: msg });
     return;
   }
   let json;
   try {
     json = JSON.parse(raw);
   } catch {
-    sendJSON8(res, 400, { error: "Invalid JSON body" });
+    sendJSON9(res, 400, { error: "Invalid JSON body" });
     return;
   }
   const parsed = CreateBodySchema.safeParse(json);
   if (!parsed.success) {
-    sendJSON8(res, 422, { error: "Invalid body", issues: parsed.error.issues });
+    sendJSON9(res, 422, { error: "Invalid body", issues: parsed.error.issues });
     return;
   }
   try {
@@ -7141,37 +8261,37 @@ async function handlePost(req, res, store) {
     if (parsed.data.expiresAt !== void 0) input.expiresAt = parsed.data.expiresAt;
     const result = await store.create(input);
     const publicRecord = AuthTokenPublicSchema.parse(result.record);
-    sendJSON8(res, 200, {
+    sendJSON9(res, 200, {
       ...publicRecord,
       token: result.token
     });
   } catch (err) {
     const msg = err instanceof Error ? err.message : "Failed to create token";
     if (msg.includes("already exists")) {
-      sendJSON8(res, 409, { error: msg });
+      sendJSON9(res, 409, { error: msg });
       return;
     }
-    sendJSON8(res, 500, { error: "Internal error creating token" });
+    sendJSON9(res, 500, { error: "Internal error creating token" });
   }
 }
-async function handleList2(res, store) {
+async function handleList3(res, store) {
   try {
     const list = await store.list();
-    sendJSON8(res, 200, list);
+    sendJSON9(res, 200, list);
   } catch {
-    sendJSON8(res, 500, { error: "Internal error listing tokens" });
+    sendJSON9(res, 500, { error: "Internal error listing tokens" });
   }
 }
 async function handleDelete2(res, store, id) {
   try {
     const ok = await store.revoke(id);
     if (!ok) {
-      sendJSON8(res, 404, { error: "Token not found" });
+      sendJSON9(res, 404, { error: "Token not found" });
       return;
     }
-    sendJSON8(res, 200, { deleted: true });
+    sendJSON9(res, 200, { deleted: true });
   } catch {
-    sendJSON8(res, 500, { error: "Internal error revoking token" });
+    sendJSON9(res, 500, { error: "Internal error revoking token" });
   }
 }
 var DELETE_PATH_RE2 = /^\/api\/v1\/auth\/tokens\/([^/?]+)(?:\?.*)?$/;
@@ -7185,7 +8305,7 @@ function handleAuthRoute(req, res, store) {
     return true;
   }
   if (method === "GET" && pathname === "/api/v1/auth/tokens") {
-    void handleList2(res, store);
+    void handleList3(res, store);
     return true;
   }
   if (method === "DELETE") {
@@ -7196,12 +8316,12 @@ function handleAuthRoute(req, res, store) {
       return true;
     }
   }
-  sendJSON8(res, 405, { error: "Method not allowed" });
+  sendJSON9(res, 405, { error: "Method not allowed" });
   return true;
 }
 
 // src/server/routes/local-model.ts
-function sendJSON9(res, status, body) {
+function sendJSON10(res, status, body) {
   res.writeHead(status, { "Content-Type": "application/json" });
   res.end(JSON.stringify(body));
 }
@@ -7209,36 +8329,36 @@ function handleLocalModelRoute(req, res, getStatus) {
   const { method, url } = req;
   if (url !== "/api/v1/local-model/status") return false;
   if (method !== "GET") {
-    sendJSON9(res, 405, { error: "Method not allowed" });
+    sendJSON10(res, 405, { error: "Method not allowed" });
     return true;
   }
   if (!getStatus) {
-    sendJSON9(res, 503, { error: "Local backend not configured" });
+    sendJSON10(res, 503, { error: "Local backend not configured" });
     return true;
   }
   const status = getStatus();
   if (!status) {
-    sendJSON9(res, 503, { error: "Local backend not configured" });
+    sendJSON10(res, 503, { error: "Local backend not configured" });
     return true;
   }
-  sendJSON9(res, 200, status);
+  sendJSON10(res, 200, status);
   return true;
 }
 function handleLocalModelsRoute(req, res, getStatuses) {
   const { method, url } = req;
   if (url !== "/api/v1/local-models/status") return false;
   if (method !== "GET") {
-    sendJSON9(res, 405, { error: "Method not allowed" });
+    sendJSON10(res, 405, { error: "Method not allowed" });
     return true;
   }
   const statuses = getStatuses ? getStatuses() : [];
-  sendJSON9(res, 200, statuses);
+  sendJSON10(res, 200, statuses);
   return true;
 }
 
 // src/server/static.ts
-import * as fs12 from "fs";
-import * as path12 from "path";
+import * as fs13 from "fs";
+import * as path13 from "path";
 var MIME_TYPES = {
   ".html": "text/html; charset=utf-8",
   ".js": "application/javascript; charset=utf-8",
@@ -7258,29 +8378,29 @@ var MIME_TYPES = {
 function handleStaticFile(req, res, dashboardDir) {
   const { method, url } = req;
   if (method !== "GET") return false;
-  const apiPrefix = path12.posix.join(path12.posix.sep, "api", path12.posix.sep);
-  const wsPath = path12.posix.join(path12.posix.sep, "ws");
+  const apiPrefix = path13.posix.join(path13.posix.sep, "api", path13.posix.sep);
+  const wsPath = path13.posix.join(path13.posix.sep, "ws");
   if (url?.startsWith(apiPrefix) || url === wsPath) return false;
   const urlPath = new URL(url ?? "/", "http://localhost").pathname;
-  const requestedPath = path12.join(dashboardDir, urlPath === "/" ? "index.html" : urlPath);
-  const resolved = path12.resolve(requestedPath);
-  if (!resolved.startsWith(path12.resolve(dashboardDir))) {
-    return serveFile(path12.join(dashboardDir, "index.html"), res);
+  const requestedPath = path13.join(dashboardDir, urlPath === "/" ? "index.html" : urlPath);
+  const resolved = path13.resolve(requestedPath);
+  if (!resolved.startsWith(path13.resolve(dashboardDir))) {
+    return serveFile(path13.join(dashboardDir, "index.html"), res);
   }
-  if (fs12.existsSync(resolved) && fs12.statSync(resolved).isFile()) {
+  if (fs13.existsSync(resolved) && fs13.statSync(resolved).isFile()) {
     return serveFile(resolved, res);
   }
-  const indexPath = path12.join(dashboardDir, "index.html");
-  if (fs12.existsSync(indexPath)) {
+  const indexPath = path13.join(dashboardDir, "index.html");
+  if (fs13.existsSync(indexPath)) {
     return serveFile(indexPath, res);
   }
   return false;
 }
 function serveFile(filePath, res) {
-  const ext = path12.extname(filePath).toLowerCase();
+  const ext = path13.extname(filePath).toLowerCase();
   const contentType = MIME_TYPES[ext] ?? "application/octet-stream";
   try {
-    const content = fs12.readFileSync(filePath);
+    const content = fs13.readFileSync(filePath);
     res.writeHead(200, { "Content-Type": contentType });
     res.end(content);
     return true;
@@ -7290,8 +8410,8 @@ function serveFile(filePath, res) {
 }
 
 // src/server/plan-watcher.ts
-import * as fs13 from "fs";
-import * as path13 from "path";
+import * as fs14 from "fs";
+import * as path14 from "path";
 var PlanWatcher = class {
   plansDir;
   queue;
@@ -7305,11 +8425,11 @@ var PlanWatcher = class {
    * Creates the directory if it does not exist.
    */
   start() {
-    fs13.mkdirSync(this.plansDir, { recursive: true });
-    this.watcher = fs13.watch(this.plansDir, (eventType, filename) => {
+    fs14.mkdirSync(this.plansDir, { recursive: true });
+    this.watcher = fs14.watch(this.plansDir, (eventType, filename) => {
       if (eventType === "rename" && filename && filename.endsWith(".md")) {
-        const filePath = path13.join(this.plansDir, filename);
-        if (fs13.existsSync(filePath)) {
+        const filePath = path14.join(this.plansDir, filename);
+        if (fs14.existsSync(filePath)) {
           void this.handleNewPlan(filename);
         }
       }
@@ -7362,8 +8482,8 @@ function parseToken(raw) {
   return { id: raw.slice(0, dot), secret: raw.slice(dot + 1) };
 }
 var TokenStore = class {
-  constructor(path17) {
-    this.path = path17;
+  constructor(path22) {
+    this.path = path22;
   }
   path;
   cache = null;
@@ -7470,8 +8590,8 @@ import { appendFile, mkdir as mkdir8 } from "fs/promises";
 import { dirname as dirname5 } from "path";
 import { AuthAuditEntrySchema } from "@harness-engineering/types";
 var AuditLogger = class {
-  constructor(path17, opts = {}) {
-    this.path = path17;
+  constructor(path22, opts = {}) {
+    this.path = path22;
     this.opts = opts;
   }
   path;
@@ -7555,6 +8675,43 @@ var V1_BRIDGE_ROUTES = [
     scope: "subscribe-webhook",
     description: "Webhook delivery queue depth + DLQ stats."
   },
+  // Hermes Phase 4 — skill proposal review queue.
+  {
+    method: "GET",
+    pattern: /^\/api\/v1\/proposals(?:\?.*)?$/,
+    scope: "read-status",
+    description: "List skill proposals (open + decided)."
+  },
+  {
+    method: "GET",
+    pattern: /^\/api\/v1\/proposals\/[^/]+(?:\?.*)?$/,
+    scope: "read-status",
+    description: "Get a single skill proposal."
+  },
+  {
+    method: "POST",
+    pattern: /^\/api\/v1\/proposals\/[^/]+\/run-gate(?:\?.*)?$/,
+    scope: "manage-proposals",
+    description: "Run the soundness-review gate against a proposal."
+  },
+  {
+    method: "POST",
+    pattern: /^\/api\/v1\/proposals\/[^/]+\/approve(?:\?.*)?$/,
+    scope: "manage-proposals",
+    description: "Approve a proposal \u2014 promotes the skill into the catalog."
+  },
+  {
+    method: "POST",
+    pattern: /^\/api\/v1\/proposals\/[^/]+\/reject(?:\?.*)?$/,
+    scope: "manage-proposals",
+    description: "Reject a proposal with a one-line reason."
+  },
+  {
+    method: "PATCH",
+    pattern: /^\/api\/v1\/proposals\/[^/]+(?:\?.*)?$/,
+    scope: "manage-proposals",
+    description: "Edit proposal content (resets gate to not-run)."
+  },
   // ── Phase 5 bridge primitives ──
   {
     method: "GET",
@@ -7566,9 +8723,9 @@ var V1_BRIDGE_ROUTES = [
 function isV1Bridge(method, url) {
   return V1_BRIDGE_ROUTES.some((r) => r.method === method && r.pattern.test(url));
 }
-function requiredBridgeScope(method, path17) {
+function requiredBridgeScope(method, path22) {
   for (const r of V1_BRIDGE_ROUTES) {
-    if (r.method === method && r.pattern.test(path17)) return r.scope;
+    if (r.method === method && r.pattern.test(path22)) return r.scope;
   }
   return null;
 }
@@ -7578,24 +8735,24 @@ function hasScope(held, required) {
   if (held.includes("admin")) return true;
   return held.includes(required);
 }
-function requiredScopeForRoute(method, path17) {
-  const bridgeScope = requiredBridgeScope(method, path17);
+function requiredScopeForRoute(method, path22) {
+  const bridgeScope = requiredBridgeScope(method, path22);
   if (bridgeScope) return bridgeScope;
-  if (path17 === "/api/v1/auth/token" && method === "POST") return "admin";
-  if (path17 === "/api/v1/auth/tokens" && method === "GET") return "admin";
-  if (/^\/api\/v1\/auth\/tokens\/[^/]+$/.test(path17) && method === "DELETE") return "admin";
-  if ((path17 === "/api/state" || path17 === "/api/v1/state") && method === "GET") return "read-status";
-  if (path17.startsWith("/api/interactions")) return "resolve-interaction";
-  if (path17.startsWith("/api/plans")) return "read-status";
-  if (path17.startsWith("/api/analyze") || path17.startsWith("/api/analyses")) return "read-status";
-  if (path17.startsWith("/api/roadmap-actions")) return "modify-roadmap";
-  if (path17.startsWith("/api/dispatch-actions")) return "trigger-job";
-  if (path17.startsWith("/api/local-model") || path17.startsWith("/api/local-models"))
+  if (path22 === "/api/v1/auth/token" && method === "POST") return "admin";
+  if (path22 === "/api/v1/auth/tokens" && method === "GET") return "admin";
+  if (/^\/api\/v1\/auth\/tokens\/[^/]+$/.test(path22) && method === "DELETE") return "admin";
+  if ((path22 === "/api/state" || path22 === "/api/v1/state") && method === "GET") return "read-status";
+  if (path22.startsWith("/api/interactions")) return "resolve-interaction";
+  if (path22.startsWith("/api/plans")) return "read-status";
+  if (path22.startsWith("/api/analyze") || path22.startsWith("/api/analyses")) return "read-status";
+  if (path22.startsWith("/api/roadmap-actions")) return "modify-roadmap";
+  if (path22.startsWith("/api/dispatch-actions")) return "trigger-job";
+  if (path22.startsWith("/api/local-model") || path22.startsWith("/api/local-models"))
     return "read-status";
-  if (path17.startsWith("/api/maintenance")) return "trigger-job";
-  if (path17.startsWith("/api/streams")) return "read-status";
-  if (path17.startsWith("/api/sessions")) return "read-status";
-  if (path17.startsWith("/api/chat-proxy")) return "trigger-job";
+  if (path22.startsWith("/api/maintenance")) return "trigger-job";
+  if (path22.startsWith("/api/streams")) return "read-status";
+  if (path22.startsWith("/api/sessions")) return "read-status";
+  if (path22.startsWith("/api/chat-proxy")) return "trigger-job";
   return null;
 }
 
@@ -7649,6 +8806,11 @@ var OrchestratorServer = class {
   roadmapPath;
   dispatchAdHoc;
   sessionsDir;
+  /**
+   * Project root used by file-backed routes (Phase 4 proposals at
+   * `.harness/proposals/`). Defaults to process.cwd().
+   */
+  projectPath;
   maintenanceDeps = null;
   getLocalModelStatus = null;
   getLocalModelStatuses = null;
@@ -7666,8 +8828,8 @@ var OrchestratorServer = class {
     this.orchestrator = orchestrator;
     this.port = port;
     this.initDependencies(deps);
-    const tokensPath = process.env["HARNESS_TOKENS_PATH"] ?? path14.resolve(".harness", "tokens.json");
-    const auditPath = process.env["HARNESS_AUDIT_PATH"] ?? path14.resolve(".harness", "audit.log");
+    const tokensPath = process.env["HARNESS_TOKENS_PATH"] ?? path15.resolve(".harness", "tokens.json");
+    const auditPath = process.env["HARNESS_AUDIT_PATH"] ?? path15.resolve(".harness", "audit.log");
     this.tokenStore = new TokenStore(tokensPath);
     this.auditLogger = new AuditLogger(auditPath);
     this.httpServer = http.createServer(this.handleRequest.bind(this));
@@ -7680,14 +8842,15 @@ var OrchestratorServer = class {
   }
   initDependencies(deps) {
     this.interactionQueue = deps?.interactionQueue;
-    this.plansDir = deps?.plansDir ?? path14.resolve("docs", "plans");
-    this.dashboardDir = deps?.dashboardDir ?? path14.resolve("packages", "dashboard", "dist", "client");
+    this.plansDir = deps?.plansDir ?? path15.resolve("docs", "plans");
+    this.dashboardDir = deps?.dashboardDir ?? path15.resolve("packages", "dashboard", "dist", "client");
     this.claudeCommand = deps?.claudeCommand ?? "claude";
     this.pipeline = deps?.pipeline ?? null;
     this.analysisArchive = deps?.analysisArchive;
     this.roadmapPath = deps?.roadmapPath ?? null;
     this.dispatchAdHoc = deps?.dispatchAdHoc ?? null;
-    this.sessionsDir = deps?.sessionsDir ?? path14.resolve(".harness", "sessions");
+    this.sessionsDir = deps?.sessionsDir ?? path15.resolve(".harness", "sessions");
+    this.projectPath = deps?.projectPath ?? process.cwd();
     this.maintenanceDeps = deps?.maintenanceDeps ?? null;
     this.getLocalModelStatus = deps?.getLocalModelStatus ?? null;
     this.getLocalModelStatuses = deps?.getLocalModelStatuses ?? null;
@@ -7858,6 +9021,15 @@ var OrchestratorServer = class {
       (req, res) => handleV1TelemetryRoute(req, res, {
         ...this.cacheMetrics ? { cacheMetrics: this.cacheMetrics } : {}
       }),
+      // Hermes Phase 4 — skill proposal review queue. Read scopes
+      // (`read-status`) and write scopes (`manage-proposals`) are enforced
+      // upstream by V1_BRIDGE_ROUTES; this dispatcher only handles
+      // business logic. `projectPath` defaults to process.cwd() — that is
+      // where `.harness/proposals/` lives in every deployment we ship.
+      (req, res) => handleV1ProposalsRoute(req, res, {
+        projectPath: this.projectPath,
+        bus: this.orchestrator
+      }),
       // Chat proxy route (spawns Claude Code CLI — no API key required)
       (req, res) => handleChatProxyRoute(req, res, this.claudeCommand)
     ];
@@ -7945,11 +9117,11 @@ var OrchestratorServer = class {
       this.planWatcher = new PlanWatcher(this.plansDir, this.interactionQueue);
       this.planWatcher.start();
     }
-    return new Promise((resolve6) => {
+    return new Promise((resolve7) => {
       const host = getBindHost();
       this.httpServer.listen(this.port, host, () => {
         console.log(`Orchestrator API listening on ${host}:${this.port}`);
-        resolve6();
+        resolve7();
       });
     });
   }
@@ -7999,8 +9171,8 @@ function genSecret2() {
   return randomBytes4(32).toString("base64url");
 }
 var WebhookStore = class {
-  constructor(path17) {
-    this.path = path17;
+  constructor(path22) {
+    this.path = path22;
   }
   path;
   cache = null;
@@ -8391,7 +9563,12 @@ var WEBHOOK_TOPICS = [
   "maintenance:completed",
   "maintenance:error",
   "webhook.subscription.created",
-  "webhook.subscription.deleted"
+  "webhook.subscription.deleted",
+  // Hermes Phase 4 — skill proposal lifecycle. Subscriptions can use the
+  // `proposal.*` glob pattern to receive all three.
+  "proposal.created",
+  "proposal.approved",
+  "proposal.rejected"
 ];
 function newEventId2() {
   return `evt_${randomBytes6(8).toString("hex")}`;
@@ -8586,13 +9763,373 @@ function wireTelemetryFanout(params) {
   };
 }
 
-// src/orchestrator.ts
-import { CacheMetricsRecorder, OTLPExporter } from "@harness-engineering/core";
-
-// src/logging/logger.ts
-var StructuredLogger = class {
-  debug(message, context) {
-    this.log("debug", message, context);
+// src/notifications/slack-sink.ts
+var SEVERITY_PREFIX = {
+  info: ":information_source:",
+  success: ":white_check_mark:",
+  warning: ":warning:",
+  error: ":x:"
+};
+var SlackSink = class {
+  kind = "slack";
+  id;
+  webhookUrl;
+  fetchImpl;
+  timeoutMs;
+  constructor(opts) {
+    this.id = opts.id;
+    this.webhookUrl = opts.webhookUrl;
+    this.fetchImpl = opts.fetchImpl ?? fetch;
+    this.timeoutMs = opts.timeoutMs ?? 5e3;
+  }
+  async deliver(input) {
+    const body = input.wrapped ? this.renderEnvelope(input.payload) : this.renderRawEvent(input.payload);
+    const ctrl = new AbortController();
+    const timer = setTimeout(() => ctrl.abort(), this.timeoutMs);
+    try {
+      const res = await this.fetchImpl(this.webhookUrl, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(body),
+        signal: ctrl.signal
+      });
+      if (res.ok) {
+        return { ok: true, deliveredAt: Date.now() };
+      }
+      return { ok: false, error: `HTTP ${res.status}`, httpStatus: res.status };
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      return { ok: false, error: ctrl.signal.aborted ? "timeout" : msg };
+    } finally {
+      clearTimeout(timer);
+    }
+  }
+  renderEnvelope(env) {
+    const prefix = SEVERITY_PREFIX[env.severity] ?? "";
+    const headline = `${prefix} ${env.title}`.trim();
+    const blocks = [
+      { type: "section", text: { type: "mrkdwn", text: `*${headline}*
+${env.summary}` } }
+    ];
+    if (env.actions && env.actions.length > 0) {
+      blocks.push({
+        type: "actions",
+        elements: env.actions.map((a) => ({
+          type: "button",
+          text: { type: "plain_text", text: a.label },
+          url: a.url
+        }))
+      });
+    }
+    if (env.permalink) {
+      blocks.push({
+        type: "section",
+        text: { type: "mrkdwn", text: `<${env.permalink}|View details>` }
+      });
+    }
+    return { text: headline, blocks };
+  }
+  renderRawEvent(event) {
+    const dump = (() => {
+      try {
+        return JSON.stringify(event.data, null, 2);
+      } catch {
+        return String(event.data);
+      }
+    })();
+    const text = `harness event: \`${event.type}\``;
+    return {
+      text,
+      blocks: [
+        { type: "section", text: { type: "mrkdwn", text: `*${text}*
+\`\`\`
+${dump}
+\`\`\`` } }
+      ]
+    };
+  }
+};
+
+// src/notifications/registry.ts
+var SinkConfigError = class extends Error {
+  constructor(sinkId, message) {
+    super(`[sink:${sinkId}] ${message}`);
+    this.sinkId = sinkId;
+    this.name = "SinkConfigError";
+  }
+  sinkId;
+};
+var SinkRegistry = class _SinkRegistry {
+  entries;
+  constructor(entries) {
+    this.entries = entries;
+  }
+  static fromConfig(config, options) {
+    const entries = [];
+    for (const sinkConfig of config.sinks) {
+      entries.push({
+        config: sinkConfig,
+        adapter: buildSink(sinkConfig, options)
+      });
+    }
+    return new _SinkRegistry(entries);
+  }
+  list() {
+    return this.entries;
+  }
+  get(id) {
+    return this.entries.find((e) => e.config.id === id) ?? null;
+  }
+  ids() {
+    return this.entries.map((e) => e.config.id);
+  }
+  async dispose() {
+    for (const entry of this.entries) {
+      if (entry.adapter.dispose) {
+        await entry.adapter.dispose();
+      }
+    }
+  }
+};
+function buildSink(config, options) {
+  const kind = config.kind;
+  switch (kind) {
+    case "slack":
+      return buildSlackSink(config, options);
+    default: {
+      const _exhaustive = kind;
+      throw new SinkConfigError(config.id, `unknown sink kind '${String(_exhaustive)}'`);
+    }
+  }
+}
+function buildSlackSink(config, options) {
+  const rawConfig = config.config;
+  const envKey = typeof rawConfig.webhookUrlEnv === "string" ? rawConfig.webhookUrlEnv : null;
+  const inlineUrl = typeof rawConfig.webhookUrl === "string" ? rawConfig.webhookUrl : null;
+  let url;
+  if (envKey) {
+    const v = options.env[envKey];
+    if (!v) {
+      throw new SinkConfigError(
+        config.id,
+        `Slack webhook env var '${envKey}' is not set in the environment`
+      );
+    }
+    url = v;
+  } else if (inlineUrl) {
+    url = inlineUrl;
+  } else {
+    throw new SinkConfigError(
+      config.id,
+      `Slack sink requires 'config.webhookUrlEnv' (preferred) or 'config.webhookUrl'`
+    );
+  }
+  if (!/^https:\/\/hooks\.slack\.com\//.test(url)) {
+    throw new SinkConfigError(
+      config.id,
+      `Slack webhook URL must be an https://hooks.slack.com/ URL`
+    );
+  }
+  const sinkOpts = {
+    id: config.id,
+    webhookUrl: url
+  };
+  if (options.fetchImpl) sinkOpts.fetchImpl = options.fetchImpl;
+  return new SlackSink(sinkOpts);
+}
+
+// src/notifications/events.ts
+import { randomBytes as randomBytes8 } from "crypto";
+
+// src/notifications/envelope.ts
+function asObj(data) {
+  return typeof data === "object" && data !== null ? data : {};
+}
+var ENVELOPE_DERIVERS = {
+  "maintenance.started": (event) => {
+    const data = asObj(event.data);
+    return {
+      title: `Maintenance started: ${data.taskId ?? "(unknown task)"}`,
+      summary: `Task \`${data.taskId ?? "(unknown)"}\` is running.`,
+      severity: "info"
+    };
+  },
+  "maintenance.completed": (event) => {
+    const data = asObj(event.data);
+    return {
+      title: `Maintenance done: ${data.taskId ?? "(unknown task)"}`,
+      summary: `Task \`${data.taskId ?? "(unknown)"}\` completed successfully.`,
+      severity: "success"
+    };
+  },
+  "maintenance.error": (event) => {
+    const data = asObj(event.data);
+    return {
+      title: `Maintenance failed: ${data.taskId ?? "(unknown task)"}`,
+      summary: data.error ?? "No error message provided.",
+      severity: "error"
+    };
+  },
+  "interaction.created": (event) => {
+    const data = asObj(event.data);
+    return {
+      title: `Action required: ${truncate(data.question ?? "pending interaction", 80)}`,
+      summary: data.question ?? "(no question text)",
+      severity: "warning"
+    };
+  },
+  "interaction.resolved": (event) => {
+    const data = asObj(event.data);
+    return {
+      title: `Interaction resolved`,
+      summary: data.resolution ?? "(no resolution text)",
+      severity: "info"
+    };
+  },
+  "notification.test": (event) => {
+    const data = asObj(event.data);
+    return {
+      title: "Test notification from harness",
+      summary: data.message ?? "If you see this, your notification sink is working.",
+      severity: "info"
+    };
+  },
+  // Hermes Phase 4 — skill proposal lifecycle events.
+  "proposal.created": (event) => {
+    const data = asObj(event.data);
+    const label = data.kind === "refinement" ? `refinement of ${data.targetSkill ?? "(unknown skill)"}` : data.name ?? "(new skill)";
+    return {
+      title: `New skill proposal: ${label}`,
+      summary: truncate(data.justification ?? "No justification provided.", 240),
+      severity: "info"
+    };
+  },
+  "proposal.approved": (event) => {
+    const data = asObj(event.data);
+    const label = data.name ?? data.targetSkill ?? "(unknown skill)";
+    return {
+      title: `Skill proposal approved: ${label}`,
+      summary: `Approved by ${data.decidedBy ?? "(unknown reviewer)"}.`,
+      severity: "success"
+    };
+  },
+  "proposal.rejected": (event) => {
+    const data = asObj(event.data);
+    return {
+      title: "Skill proposal rejected",
+      summary: truncate(data.reason ?? "No reason provided.", 240),
+      severity: "warning"
+    };
+  }
+};
+function truncate(s, max) {
+  return s.length <= max ? s : `${s.slice(0, max - 1)}\u2026`;
+}
+function fallbackTitle(event) {
+  return event.type;
+}
+function fallbackSummary(event) {
+  try {
+    return "```\n" + JSON.stringify(event.data, null, 2) + "\n```";
+  } catch {
+    return String(event.data);
+  }
+}
+function severityFromType(type) {
+  if (type.endsWith(".error") || type.endsWith(".failed")) return "error";
+  if (type.endsWith(".completed") || type.endsWith(".resolved")) return "success";
+  if (type.endsWith(".created") || type.startsWith("interaction.")) return "warning";
+  return "info";
+}
+function backfillEnvelope(event, partial) {
+  return {
+    title: truncate(partial.title ?? fallbackTitle(event), 280),
+    summary: partial.summary ?? fallbackSummary(event),
+    severity: partial.severity ?? severityFromType(event.type)
+  };
+}
+function wrapAsEnvelope(event) {
+  const deriver = ENVELOPE_DERIVERS[event.type];
+  const partial = deriver ? deriver(event) : {};
+  const envelope = backfillEnvelope(event, partial);
+  if (partial.actions) envelope.actions = partial.actions;
+  if (partial.permalink) envelope.permalink = partial.permalink;
+  if (event.correlationId) envelope.correlationId = event.correlationId;
+  return envelope;
+}
+
+// src/notifications/events.ts
+var NOTIFICATION_TOPICS = [
+  "interaction.created",
+  "interaction.resolved",
+  "maintenance:started",
+  "maintenance:completed",
+  "maintenance:error",
+  // Hermes Phase 4 — skill proposal lifecycle.
+  "proposal.created",
+  "proposal.approved",
+  "proposal.rejected"
+];
+function newEventId4() {
+  return `evt_${randomBytes8(8).toString("hex")}`;
+}
+function dispatchToEntry(bus, entry, event) {
+  const eventType = event.type;
+  const matches = entry.config.events.some((p) => eventMatches(p, eventType));
+  if (!matches) return;
+  const payload = entry.config.wrap_response ? wrapAsEnvelope(event) : event;
+  const summaryBase = {
+    sinkId: entry.adapter.id,
+    kind: entry.adapter.kind,
+    eventType,
+    eventId: event.id
+  };
+  void entry.adapter.deliver({ payload, wrapped: entry.config.wrap_response }).then((result) => {
+    bus.emit("notification.delivery.attempted", { ...summaryBase, ok: result.ok });
+    if (!result.ok) {
+      bus.emit("notification.delivery.failed", {
+        ...summaryBase,
+        ok: false,
+        error: result.error
+      });
+    }
+  }).catch((err) => {
+    const msg = err instanceof Error ? err.message : String(err);
+    bus.emit("notification.delivery.failed", { ...summaryBase, ok: false, error: msg });
+  });
+}
+function wireNotificationSinks({ bus, registry }) {
+  const handlers = [];
+  for (const topic of NOTIFICATION_TOPICS) {
+    const eventType = topic.replace(":", ".");
+    const fn = (data) => {
+      const entries = registry.list();
+      if (entries.length === 0) return;
+      const event = {
+        id: newEventId4(),
+        type: eventType,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        data
+      };
+      for (const entry of entries) {
+        dispatchToEntry(bus, entry, event);
+      }
+    };
+    bus.on(topic, fn);
+    handlers.push({ topic, fn });
+  }
+  return () => {
+    for (const { topic, fn } of handlers) bus.removeListener(topic, fn);
+  };
+}
+
+// src/orchestrator.ts
+import { CacheMetricsRecorder, OTLPExporter } from "@harness-engineering/core";
+
+// src/logging/logger.ts
+var StructuredLogger = class {
+  debug(message, context) {
+    this.log("debug", message, context);
   }
   info(message, context) {
     this.log("info", message, context);
@@ -8627,8 +10164,8 @@ var StructuredLogger = class {
 };
 
 // src/workspace/config-scanner.ts
-import { existsSync as existsSync4, readFileSync as readFileSync4 } from "fs";
-import { join as join13, relative } from "path";
+import { existsSync as existsSync5, readFileSync as readFileSync5 } from "fs";
+import { join as join14, relative } from "path";
 import {
   scanForInjection,
   SecurityScanner,
@@ -8652,10 +10189,10 @@ function adjustFindingSeverity(findings) {
   });
 }
 async function scanSingleFile(filePath, targetDir, scanner) {
-  if (!existsSync4(filePath)) return null;
+  if (!existsSync5(filePath)) return null;
   let content;
   try {
-    content = readFileSync4(filePath, "utf8");
+    content = readFileSync5(filePath, "utf8");
   } catch {
     return null;
   }
@@ -8674,7 +10211,7 @@ async function scanWorkspaceConfig(workspacePath) {
   const scanner = new SecurityScanner(parseSecurityConfig({}));
   const results = [];
   for (const configFile of CONFIG_FILES) {
-    const result = await scanSingleFile(join13(workspacePath, configFile), workspacePath, scanner);
+    const result = await scanSingleFile(join14(workspacePath, configFile), workspacePath, scanner);
     if (result) results.push(result);
   }
   return { exitCode: computeScanExitCode(results), results };
@@ -8860,6 +10397,19 @@ var BUILT_IN_TASKS = [
     schedule: "*/15 * * * *",
     branch: null,
     checkCommand: ["harness", "sync-main", "--json"]
+  },
+  // Hermes Phase 4 — one-shot backfill that stamps `provenance: user-authored`
+  // on every existing catalog skill. Schedule is Feb 31 (a date that never
+  // exists) so the cron loop never fires it automatically; operators trigger
+  // it once via the dashboard "Run now" button or `harness backfill-skill-
+  // provenance` after upgrading to Phase 4.
+  {
+    id: "proposal-provenance-backfill",
+    type: "housekeeping",
+    description: "Backfill provenance: user-authored on every existing skill (one-shot, idempotent)",
+    schedule: "0 0 31 2 *",
+    branch: null,
+    checkCommand: ["backfill-skill-provenance"]
   }
 ];
 
@@ -8952,24 +10502,49 @@ var MaintenanceScheduler = class {
     this.resolvedTasks = this.resolveTasks();
   }
   /**
-   * Merge built-in task definitions with config overrides.
-   * Tasks with `enabled: false` are filtered out.
-   * Schedule overrides replace the default cron expression.
+   * Merge built-in task definitions with config overrides, then append
+   * Hermes Phase 2 `customTasks` (also respecting `tasks.<id>.enabled`
+   * overrides). Tasks with `enabled: false` are filtered out. Schedule
+   * overrides replace the default cron expression.
    */
   resolveTasks() {
     const overrides = this.config.tasks ?? {};
-    return BUILT_IN_TASKS.filter((task) => {
-      const override = overrides[task.id];
-      if (override?.enabled === false) return false;
-      return true;
-    }).map((task) => {
+    const customs = this.config.customTasks ?? {};
+    const merged = [];
+    for (const task of BUILT_IN_TASKS) {
       const override = overrides[task.id];
-      if (!override) return { ...task };
-      return {
+      if (override?.enabled === false) continue;
+      merged.push({
         ...task,
-        ...override.schedule !== void 0 && { schedule: override.schedule }
-      };
-    });
+        ...override?.schedule !== void 0 && { schedule: override.schedule }
+      });
+    }
+    for (const [id, def] of Object.entries(customs)) {
+      const override = overrides[id];
+      if (override?.enabled === false) continue;
+      merged.push({
+        id,
+        type: def.type,
+        description: def.description,
+        schedule: override?.schedule ?? def.schedule,
+        branch: def.branch,
+        ...def.checkCommand !== void 0 && { checkCommand: def.checkCommand },
+        ...def.checkScript !== void 0 && { checkScript: def.checkScript },
+        ...def.fixSkill !== void 0 && { fixSkill: def.fixSkill },
+        ...def.inlineSkills !== void 0 && { inlineSkills: def.inlineSkills },
+        ...def.inlineSkillsBudgetTokens !== void 0 && {
+          inlineSkillsBudgetTokens: def.inlineSkillsBudgetTokens
+        },
+        ...def.contextFrom !== void 0 && { contextFrom: def.contextFrom },
+        ...def.contextFromMaxAgeMinutes !== void 0 && {
+          contextFromMaxAgeMinutes: def.contextFromMaxAgeMinutes
+        },
+        ...def.outputRetention !== void 0 && { outputRetention: def.outputRetention },
+        ...def.costCeiling !== void 0 && { costCeiling: def.costCeiling },
+        isCustom: true
+      });
+    }
+    return merged;
   }
   /** Returns the resolved (merged) task list. Useful for testing and dashboard. */
   getResolvedTasks() {
@@ -9142,27 +10717,27 @@ var MaintenanceScheduler = class {
 };
 
 // src/maintenance/leader-elector.ts
-import { Ok as Ok20 } from "@harness-engineering/types";
+import { Ok as Ok22 } from "@harness-engineering/types";
 var SingleProcessLeaderElector = class {
   async electLeader() {
-    return Ok20("claimed");
+    return Ok22("claimed");
   }
 };
 
 // src/maintenance/reporter.ts
-import * as fs14 from "fs";
-import * as path15 from "path";
-import { z as z15 } from "zod";
-var RunResultSchema = z15.object({
-  taskId: z15.string(),
-  startedAt: z15.string(),
-  completedAt: z15.string(),
-  status: z15.enum(["success", "failure", "skipped", "no-issues"]),
-  findings: z15.number(),
-  fixed: z15.number(),
-  prUrl: z15.string().nullable(),
-  prUpdated: z15.boolean(),
-  error: z15.string().optional()
+import * as fs15 from "fs";
+import * as path16 from "path";
+import { z as z16 } from "zod";
+var RunResultSchema = z16.object({
+  taskId: z16.string(),
+  startedAt: z16.string(),
+  completedAt: z16.string(),
+  status: z16.enum(["success", "failure", "skipped", "no-issues"]),
+  findings: z16.number(),
+  fixed: z16.number(),
+  prUrl: z16.string().nullable(),
+  prUpdated: z16.boolean(),
+  error: z16.string().optional()
 });
 var MAX_HISTORY = 500;
 var fallbackLogger = {
@@ -9186,10 +10761,10 @@ var MaintenanceReporter = class {
    */
   async load() {
     try {
-      await fs14.promises.mkdir(this.persistDir, { recursive: true });
-      const filePath = path15.join(this.persistDir, "history.json");
-      const data = await fs14.promises.readFile(filePath, "utf-8");
-      const parsed = z15.array(RunResultSchema).safeParse(JSON.parse(data));
+      await fs15.promises.mkdir(this.persistDir, { recursive: true });
+      const filePath = path16.join(this.persistDir, "history.json");
+      const data = await fs15.promises.readFile(filePath, "utf-8");
+      const parsed = z16.array(RunResultSchema).safeParse(JSON.parse(data));
       if (parsed.success) {
         this.history = parsed.data.slice(0, MAX_HISTORY);
       }
@@ -9222,9 +10797,9 @@ var MaintenanceReporter = class {
    */
   async persist() {
     try {
-      await fs14.promises.mkdir(this.persistDir, { recursive: true });
-      const filePath = path15.join(this.persistDir, "history.json");
-      await fs14.promises.writeFile(filePath, JSON.stringify(this.history, null, 2), "utf-8");
+      await fs15.promises.mkdir(this.persistDir, { recursive: true });
+      const filePath = path16.join(this.persistDir, "history.json");
+      await fs15.promises.writeFile(filePath, JSON.stringify(this.history, null, 2), "utf-8");
     } catch (err) {
       this.logger.error("MaintenanceReporter: failed to persist history", { error: String(err) });
     }
@@ -9240,6 +10815,9 @@ var TaskRunner = class {
   cwd;
   prManager;
   baseBranch;
+  checkScriptRunner;
+  contextResolver;
+  outputStore;
   constructor(options) {
     this.config = options.config;
     this.checkRunner = options.checkRunner;
@@ -9248,27 +10826,49 @@ var TaskRunner = class {
     this.cwd = options.cwd;
     this.prManager = options.prManager ?? null;
     this.baseBranch = options.baseBranch ?? "main";
+    this.checkScriptRunner = options.checkScriptRunner ?? null;
+    this.contextResolver = options.contextResolver ?? null;
+    this.outputStore = options.outputStore ?? null;
   }
   /**
    * Run a maintenance task and return the result.
    * Dispatches to the appropriate execution path based on task type.
    * Never throws -- errors are captured in the RunResult.
+   *
+   * @param task - Resolved task definition.
+   * @param origin - Hermes Phase 2 trigger-source tag; defaults to `'cron'`
+   *                 when called from the scheduler path.
    */
-  async run(task) {
+  async run(task, origin = "cron") {
     const startedAt = (/* @__PURE__ */ new Date()).toISOString();
+    let result;
+    let captured;
     try {
       switch (task.type) {
-        case "mechanical-ai":
-          return await this.runMechanicalAI(task, startedAt);
+        case "mechanical-ai": {
+          const out = await this.runMechanicalAI(task, startedAt);
+          result = out.result;
+          captured = out.captured;
+          break;
+        }
         case "pure-ai":
-          return await this.runPureAI(task, startedAt);
-        case "report-only":
-          return await this.runReportOnly(task, startedAt);
-        case "housekeeping":
-          return await this.runHousekeeping(task, startedAt);
+          result = await this.runPureAI(task, startedAt);
+          break;
+        case "report-only": {
+          const out = await this.runReportOnly(task, startedAt);
+          result = out.result;
+          captured = out.captured;
+          break;
+        }
+        case "housekeeping": {
+          const out = await this.runHousekeeping(task, startedAt);
+          result = out.result;
+          captured = out.captured;
+          break;
+        }
         default: {
           const _exhaustive = task.type;
-          return this.failureResult(
+          result = this.failureResult(
             task.id,
             startedAt,
             `Unknown task type: ${String(_exhaustive)}`
@@ -9276,69 +10876,174 @@ var TaskRunner = class {
         }
       }
     } catch (err) {
-      return this.failureResult(task.id, startedAt, String(err));
+      result = this.failureResult(task.id, startedAt, String(err));
+    }
+    result.origin = origin;
+    await this.persistOutput(task, result, captured, origin);
+    return result;
+  }
+  async persistOutput(task, result, captured, origin) {
+    if (!this.outputStore) return;
+    const entry = {
+      taskId: result.taskId,
+      startedAt: result.startedAt,
+      completedAt: result.completedAt,
+      status: result.status,
+      findings: result.findings,
+      fixed: result.fixed,
+      prUrl: result.prUrl,
+      prUpdated: result.prUpdated,
+      origin,
+      ...result.error !== void 0 && { error: result.error },
+      ...result.costUsd !== void 0 && { costUsd: result.costUsd },
+      ...captured?.stdout !== void 0 && { stdout: captured.stdout },
+      ...captured?.stderr !== void 0 && { stderr: captured.stderr },
+      ...captured?.structured !== void 0 && { structured: captured.structured },
+      ...captured?.context !== void 0 && { context: captured.context }
+    };
+    try {
+      await this.outputStore.write(task.id, entry, task.outputRetention);
+    } catch {
     }
   }
   /**
-   * Mechanical-AI: run check command, dispatch AI agent only if fixable findings exist.
+   * Run the check step using whichever runner the task asks for. Custom
+   * tasks that declare `checkScript` go through the Hermes Phase 2
+   * `CheckScriptRunner`; built-ins (and customs that use the legacy
+   * `checkCommand` shape) go through the original heuristic runner.
    */
-  async runMechanicalAI(task, startedAt) {
+  async runCheckStep(task) {
+    if (task.checkScript) {
+      if (!this.checkScriptRunner) {
+        throw new Error(
+          `task '${task.id}' declares checkScript but no CheckScriptRunner is configured`
+        );
+      }
+      const r2 = await this.checkScriptRunner.run(task.checkScript, this.cwd);
+      return {
+        passed: r2.passed,
+        findings: r2.findings,
+        stdout: r2.output,
+        stderr: r2.stderr,
+        structured: r2.structured ? r2.structured : null
+      };
+    }
     if (!task.checkCommand || task.checkCommand.length === 0) {
-      return this.failureResult(task.id, startedAt, "mechanical-ai task missing checkCommand");
+      throw new Error(`task '${task.id}' is missing checkCommand`);
     }
+    const r = await this.checkRunner.run(task.checkCommand, this.cwd);
+    return {
+      passed: r.passed,
+      findings: r.findings,
+      stdout: r.output,
+      stderr: "",
+      structured: null
+    };
+  }
+  /**
+   * Hermes Phase 2 — Compose the agent prompt-context block from inlined
+   * skills + upstream task outputs. Returns an empty string when nothing
+   * is configured (or when the resolver is absent), which is the safe
+   * no-op default.
+   */
+  async composePromptContext(task) {
+    if (!this.contextResolver) return "";
+    const skills = await this.contextResolver.resolveInlineSkills(
+      task.inlineSkills,
+      task.inlineSkillsBudgetTokens ?? 8e3
+    );
+    const upstream = await this.contextResolver.resolveContextFrom(task.contextFrom, {
+      maxAgeMinutes: task.contextFromMaxAgeMinutes ?? 1440
+    });
+    return [skills, upstream].filter(Boolean).join("\n");
+  }
+  /**
+   * Mechanical-AI: run check (legacy or Phase 2 script), dispatch AI agent
+   * only if fixable findings exist; persist captured stdout/stderr/context
+   * via the output store on the way out.
+   */
+  async runMechanicalAI(task, startedAt) {
     if (!task.fixSkill) {
-      return this.failureResult(task.id, startedAt, "mechanical-ai task missing fixSkill");
+      return wrap(this.failureResult(task.id, startedAt, "mechanical-ai task missing fixSkill"));
     }
     if (!task.branch) {
-      return this.failureResult(task.id, startedAt, "mechanical-ai task missing branch");
+      return wrap(this.failureResult(task.id, startedAt, "mechanical-ai task missing branch"));
     }
-    const checkResult = await this.checkRunner.run(task.checkCommand, this.cwd);
-    if (checkResult.findings === 0) {
+    if (!task.checkCommand && !task.checkScript) {
+      return wrap(
+        this.failureResult(
+          task.id,
+          startedAt,
+          "mechanical-ai task missing checkCommand or checkScript"
+        )
+      );
+    }
+    let check;
+    try {
+      check = await this.runCheckStep(task);
+    } catch (err) {
+      return wrap(this.failureResult(task.id, startedAt, String(err)));
+    }
+    const promptContext = await this.composePromptContext(task);
+    const baseCaptured = {
+      stdout: check.stdout,
+      stderr: check.stderr,
+      structured: check.structured,
+      ...promptContext ? { context: promptContext } : {}
+    };
+    const wakeAgentExplicitlyFalse = check.structured !== null && typeof check.structured === "object" && check.structured.wakeAgent === false;
+    if (check.findings === 0 || wakeAgentExplicitlyFalse) {
       return {
-        taskId: task.id,
-        startedAt,
-        completedAt: (/* @__PURE__ */ new Date()).toISOString(),
-        status: "no-issues",
-        findings: 0,
-        fixed: 0,
-        prUrl: null,
-        prUpdated: false
+        result: {
+          taskId: task.id,
+          startedAt,
+          completedAt: (/* @__PURE__ */ new Date()).toISOString(),
+          status: "no-issues",
+          findings: check.findings,
+          fixed: 0,
+          prUrl: null,
+          prUpdated: false
+        },
+        captured: baseCaptured
       };
     }
     if (this.prManager) {
       try {
         await this.prManager.ensureBranch(task.branch, this.baseBranch);
       } catch (err) {
-        return this.failureResult(task.id, startedAt, `ensureBranch failed: ${String(err)}`);
+        return wrap(
+          this.failureResult(task.id, startedAt, `ensureBranch failed: ${String(err)}`),
+          baseCaptured
+        );
       }
     }
     const backendName = this.resolveBackend(task.id);
     let agentResult;
     try {
-      agentResult = await this.agentDispatcher.dispatch(
-        task.fixSkill,
-        task.branch,
-        backendName,
-        this.cwd
-      );
+      agentResult = promptContext ? await this.agentDispatcher.dispatch(task.fixSkill, task.branch, backendName, this.cwd, {
+        promptContext
+      }) : await this.agentDispatcher.dispatch(task.fixSkill, task.branch, backendName, this.cwd);
     } catch (err) {
       return {
-        taskId: task.id,
-        startedAt,
-        completedAt: (/* @__PURE__ */ new Date()).toISOString(),
-        status: "failure",
-        findings: checkResult.findings,
-        fixed: 0,
-        prUrl: null,
-        prUpdated: false,
-        error: `Agent dispatch failed: ${String(err)}`
+        result: {
+          taskId: task.id,
+          startedAt,
+          completedAt: (/* @__PURE__ */ new Date()).toISOString(),
+          status: "failure",
+          findings: check.findings,
+          fixed: 0,
+          prUrl: null,
+          prUpdated: false,
+          error: `Agent dispatch failed: ${String(err)}`
+        },
+        captured: baseCaptured
       };
     }
     let prUrl = null;
     let prUpdated = false;
     if (this.prManager && agentResult.producedCommits) {
       try {
-        const summary = `Findings: ${checkResult.findings}, Fixed: ${agentResult.fixed}`;
+        const summary = `Findings: ${check.findings}, Fixed: ${agentResult.fixed}`;
         const prResult = await this.prManager.ensurePR(task, summary);
         prUrl = prResult.prUrl;
         prUpdated = prResult.prUpdated;
@@ -9347,14 +11052,17 @@ var TaskRunner = class {
       }
     }
     return {
-      taskId: task.id,
-      startedAt,
-      completedAt: (/* @__PURE__ */ new Date()).toISOString(),
-      status: "success",
-      findings: checkResult.findings,
-      fixed: agentResult.fixed,
-      prUrl,
-      prUpdated
+      result: {
+        taskId: task.id,
+        startedAt,
+        completedAt: (/* @__PURE__ */ new Date()).toISOString(),
+        status: "success",
+        findings: check.findings,
+        fixed: agentResult.fixed,
+        prUrl,
+        prUpdated
+      },
+      captured: baseCaptured
     };
   }
   /**
@@ -9374,15 +11082,13 @@ var TaskRunner = class {
         return this.failureResult(task.id, startedAt, `ensureBranch failed: ${String(err)}`);
       }
     }
+    const promptContext = await this.composePromptContext(task);
     const backendName = this.resolveBackend(task.id);
     let agentResult;
     try {
-      agentResult = await this.agentDispatcher.dispatch(
-        task.fixSkill,
-        task.branch,
-        backendName,
-        this.cwd
-      );
+      agentResult = promptContext ? await this.agentDispatcher.dispatch(task.fixSkill, task.branch, backendName, this.cwd, {
+        promptContext
+      }) : await this.agentDispatcher.dispatch(task.fixSkill, task.branch, backendName, this.cwd);
     } catch (err) {
       return this.failureResult(task.id, startedAt, `Agent dispatch failed: ${String(err)}`);
     }
@@ -9410,7 +11116,7 @@ var TaskRunner = class {
     };
   }
   /**
-   * Report-only: run check command, record metrics, no AI dispatch.
+   * Report-only: run check (legacy or Phase 2 script), record metrics, no AI dispatch.
    *
    * Honors the JSON status contract emitted by Phase 4/5 CLIs (`harness pulse run`
    * and `harness compound scan-candidates` in `--non-interactive` mode):
@@ -9420,122 +11126,715 @@ var TaskRunner = class {
    * Legacy report-only tasks emit free-form output and fall through to 'success'.
    */
   async runReportOnly(task, startedAt) {
-    if (!task.checkCommand || task.checkCommand.length === 0) {
-      return this.failureResult(task.id, startedAt, "report-only task missing checkCommand");
+    if (!task.checkCommand && !task.checkScript) {
+      return wrap(
+        this.failureResult(
+          task.id,
+          startedAt,
+          "report-only task missing checkCommand or checkScript"
+        )
+      );
+    }
+    let check;
+    try {
+      check = await this.runCheckStep(task);
+    } catch (err) {
+      return wrap(this.failureResult(task.id, startedAt, String(err)));
+    }
+    const parsed = parseStatusLine(check.stdout);
+    const status = parsed?.status ?? "success";
+    const findings = parsed === null ? check.findings : typeof parsed.candidatesFound === "number" ? parsed.candidatesFound : 0;
+    const result = {
+      taskId: task.id,
+      startedAt,
+      completedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      status,
+      findings,
+      fixed: 0,
+      prUrl: null,
+      prUpdated: false
+    };
+    if (parsed?.error) {
+      result.error = parsed.error;
+    }
+    return {
+      result,
+      captured: { stdout: check.stdout, stderr: check.stderr, structured: check.structured }
+    };
+  }
+  /**
+   * Housekeeping: run command directly, no AI, no PR.
+   *
+   * Captures stdout and parses a trailing JSON status line if present.
+   * Recognized contracts:
+   *   - Phase 4/5 status contract (e.g., harness pulse run): success/skipped/failure/no-issues
+   *   - sync-main contract: updated/no-op/skipped/error → mapped onto the run-result status
+   * Legacy housekeeping commands that emit no JSON keep the prior behavior:
+   *   status: 'success', findings: 0.
+   *
+   * Hermes Phase 2: a `checkScript` may replace `checkCommand` for housekeeping
+   * tasks; the runner falls through to the same JSON-status parsing path.
+   */
+  async runHousekeeping(task, startedAt) {
+    if (!task.checkCommand && !task.checkScript) {
+      return wrap(
+        this.failureResult(
+          task.id,
+          startedAt,
+          "housekeeping task missing checkCommand or checkScript"
+        )
+      );
+    }
+    let stdout;
+    let stderr = "";
+    let structured = null;
+    if (task.checkScript) {
+      try {
+        const r = await this.runCheckStep(task);
+        stdout = r.stdout;
+        stderr = r.stderr;
+        structured = r.structured;
+      } catch (err) {
+        return wrap(this.failureResult(task.id, startedAt, String(err)));
+      }
+    } else {
+      try {
+        const out = await this.commandExecutor.exec(task.checkCommand, this.cwd);
+        stdout = out.stdout ?? "";
+      } catch (err) {
+        return wrap(this.failureResult(task.id, startedAt, String(err)));
+      }
+    }
+    const parsed = parseStatusLine(stdout);
+    const status = parsed?.status ?? "success";
+    const result = {
+      taskId: task.id,
+      startedAt,
+      completedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      status,
+      findings: 0,
+      fixed: 0,
+      prUrl: null,
+      prUpdated: false
+    };
+    if (parsed?.error) result.error = parsed.error;
+    return { result, captured: { stdout, stderr, structured } };
+  }
+  /**
+   * Resolve which AI backend name to use for a given task.
+   * Priority: per-task override > global config > 'local' default.
+   */
+  resolveBackend(taskId) {
+    const taskOverride = this.config.tasks?.[taskId]?.aiBackend;
+    if (taskOverride) return taskOverride;
+    return this.config.aiBackend ?? "local";
+  }
+  failureResult(taskId, startedAt, error) {
+    return {
+      taskId,
+      startedAt,
+      completedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      status: "failure",
+      findings: 0,
+      fixed: 0,
+      prUrl: null,
+      prUpdated: false,
+      error
+    };
+  }
+};
+function wrap(result, captured) {
+  return captured ? { result, captured } : { result };
+}
+function parseStatusLine(output) {
+  const lines = output.split("\n").map((l) => l.trim()).filter(Boolean);
+  for (let i = lines.length - 1; i >= 0; i--) {
+    const line = lines[i];
+    if (!line || !line.startsWith("{") || !line.endsWith("}")) continue;
+    try {
+      const obj = JSON.parse(line);
+      const s = obj.status;
+      if (s === "success" || s === "skipped" || s === "failure" || s === "no-issues") {
+        const parsed = { status: s, rawStatus: s };
+        if (typeof obj.candidatesFound === "number") {
+          parsed.candidatesFound = obj.candidatesFound;
+        }
+        if (typeof obj.error === "string") {
+          parsed.error = obj.error;
+        }
+        if (typeof obj.reason === "string") {
+          parsed.reason = obj.reason;
+        }
+        if (typeof obj.detail === "string" && !parsed.error) {
+          parsed.error = `${parsed.reason ?? "skipped"}: ${obj.detail}`;
+        }
+        return parsed;
+      }
+      if (s === "updated" || s === "no-op") {
+        return { status: "success", rawStatus: s };
+      }
+      if (s === "error") {
+        const message = typeof obj.message === "string" ? obj.message : "unknown error";
+        return { status: "failure", error: message, rawStatus: "error" };
+      }
+    } catch {
+    }
+  }
+  return null;
+}
+
+// src/maintenance/check-script-runner.ts
+import { execFile as execFile6 } from "child_process";
+import { promisify as promisify3 } from "util";
+import * as path17 from "path";
+var execFileAsync = promisify3(execFile6);
+var CheckScriptRunner = class {
+  constructor(cwd) {
+    this.cwd = cwd;
+  }
+  cwd;
+  async run(spec, cwd) {
+    const projectRoot = cwd ?? this.cwd;
+    const captured = await captureScript(spec, projectRoot);
+    const parseJson = spec.parseStdoutJson !== false;
+    const structured = parseJson ? parseStatusEnvelope(captured.stdout) : null;
+    if (structured) {
+      return mapStructured(structured, captured.stdout, captured.stderr);
+    }
+    return heuristicResult(captured.stdout, captured.stderr, captured.exitedAbnormally);
+  }
+};
+async function captureScript(spec, projectRoot) {
+  const resolved = path17.isAbsolute(spec.path) ? spec.path : path17.resolve(projectRoot, spec.path);
+  const args = spec.args ?? [];
+  const timeoutMs = spec.timeoutMs ?? 12e4;
+  try {
+    const result = await execFileAsync(resolved, args, { cwd: projectRoot, timeout: timeoutMs });
+    return {
+      stdout: String(result.stdout ?? ""),
+      stderr: String(result.stderr ?? ""),
+      exitedAbnormally: false
+    };
+  } catch (err) {
+    const e = err;
+    return {
+      stdout: String(e.stdout ?? ""),
+      stderr: String(e.stderr ?? ""),
+      exitedAbnormally: true
+    };
+  }
+}
+function parseStatusEnvelope(stdout) {
+  const lines = stdout.split("\n").map((l) => l.trim()).filter(Boolean);
+  for (let i = lines.length - 1; i >= 0; i--) {
+    const env = classifyLine2(lines[i]);
+    if (env) return env;
+  }
+  return null;
+}
+var ENVELOPE_STATUSES = /* @__PURE__ */ new Set(["ok", "findings", "skip", "error"]);
+function classifyLine2(line) {
+  const obj = tryParseJsonObject(line);
+  if (!obj) return null;
+  const s = obj.status;
+  if (typeof s !== "string" || !ENVELOPE_STATUSES.has(s)) return null;
+  return buildEnvelope(s, obj);
+}
+function tryParseJsonObject(line) {
+  if (!line || !line.startsWith("{") || !line.endsWith("}")) return null;
+  try {
+    return JSON.parse(line);
+  } catch {
+    return null;
+  }
+}
+function buildEnvelope(status, obj) {
+  const env = { status };
+  if (typeof obj.findings === "number") env.findings = obj.findings;
+  if (typeof obj.wakeAgent === "boolean") env.wakeAgent = obj.wakeAgent;
+  if (typeof obj.message === "string") env.message = obj.message;
+  if (obj.outputs && typeof obj.outputs === "object") {
+    env.outputs = obj.outputs;
+  }
+  return env;
+}
+function mapStructured(env, stdout, stderr) {
+  const findings = env.findings ?? (env.status === "findings" ? 1 : 0);
+  switch (env.status) {
+    case "ok":
+      return { passed: true, findings: 0, output: stdout, stderr, structured: env };
+    case "findings": {
+      const wake = env.wakeAgent ?? findings > 0;
+      return { passed: !wake, findings, output: stdout, stderr, structured: env };
+    }
+    case "skip":
+      return { passed: true, findings: 0, output: stdout, stderr, structured: env };
+    case "error":
+      return {
+        passed: false,
+        findings: Math.max(findings, 1),
+        output: stdout,
+        stderr,
+        structured: env
+      };
+    default:
+      return { passed: true, findings: 0, output: stdout, stderr, structured: env };
+  }
+}
+function heuristicResult(stdout, stderr, exitedAbnormally) {
+  const combined = [stdout, stderr].filter(Boolean).join("\n");
+  const findingsMatch = combined.match(/(\d+)\s+(?:finding|issue|violation|error)/i);
+  const findings = findingsMatch ? parseInt(findingsMatch[1], 10) : exitedAbnormally ? 1 : 0;
+  return {
+    passed: findings === 0 && !exitedAbnormally,
+    findings,
+    output: stdout,
+    stderr,
+    structured: null
+  };
+}
+
+// src/maintenance/output-store.ts
+import * as fs16 from "fs";
+import * as path18 from "path";
+var DEFAULT_RETENTION = {
+  runs: 50,
+  maxAgeDays: 30
+};
+var fallbackLogger2 = {
+  info: () => {
+  },
+  warn: (m, c) => console.warn(m, c),
+  error: (m, c) => console.error(m, c)
+};
+var TaskOutputStore = class {
+  rootDir;
+  retentionDefaults;
+  logger;
+  constructor(options) {
+    this.rootDir = options.rootDir;
+    this.retentionDefaults = options.retentionDefaults ?? DEFAULT_RETENTION;
+    this.logger = options.logger ?? fallbackLogger2;
+  }
+  /**
+   * Reject task IDs that don't match the validator's kebab-case pattern —
+   * defends `dirFor()` against caller-supplied path-traversal segments
+   * (`'../foo'`) when the store is invoked from CLI surfaces that don't
+   * round-trip through `validateCustomTasks`.
+   */
+  ensureSafeTaskId(taskId) {
+    if (!/^[a-z0-9][a-z0-9-]*$/.test(taskId)) {
+      throw new Error(
+        `TaskOutputStore: invalid task id '${taskId}' (must match ^[a-z0-9][a-z0-9-]*$)`
+      );
+    }
+  }
+  /**
+   * Persist a single run entry. Retention is applied after the write so
+   * the latest record is durable even if pruning fails.
+   */
+  async write(taskId, entry, retention) {
+    this.ensureSafeTaskId(taskId);
+    const dir = this.dirFor(taskId);
+    await fs16.promises.mkdir(dir, { recursive: true });
+    const fileName = `${sanitizeIso(entry.completedAt || (/* @__PURE__ */ new Date()).toISOString())}.json`;
+    const filePath = path18.join(dir, fileName);
+    const tmpPath = `${filePath}.tmp`;
+    const payload = JSON.stringify(entry, null, 2);
+    await fs16.promises.writeFile(tmpPath, payload, "utf-8");
+    await fs16.promises.rename(tmpPath, filePath);
+    try {
+      await this.applyRetention(taskId, retention);
+    } catch (err) {
+      this.logger.warn("TaskOutputStore retention failed", { taskId, error: String(err) });
+    }
+  }
+  /**
+   * Return the most recent persisted entry for the task, or null if none.
+   */
+  async latest(taskId) {
+    const entries = await this.list(taskId, 1, 0);
+    return entries[0] ?? null;
+  }
+  /**
+   * List entries newest-first with offset+limit pagination.
+   */
+  async list(taskId, limit, offset) {
+    this.ensureSafeTaskId(taskId);
+    const dir = this.dirFor(taskId);
+    const fileNames = await listJsonFilesDescending(dir);
+    const slice = fileNames.slice(offset, offset + limit);
+    const out = [];
+    for (const name of slice) {
+      const entry = await this.readEntry(path18.join(dir, name));
+      if (entry) out.push(entry);
+    }
+    return out;
+  }
+  /**
+   * Lookup a specific run by its file name (without the `.json` suffix) or
+   * by its raw completion timestamp.
+   */
+  async get(taskId, runId) {
+    this.ensureSafeTaskId(taskId);
+    if (/[\\/]|\.\./.test(runId)) {
+      throw new Error(`TaskOutputStore: runId '${runId}' must not contain path separators or '..'`);
+    }
+    const dir = this.dirFor(taskId);
+    const fileName = runId.endsWith(".json") ? runId : `${sanitizeIso(runId)}.json`;
+    return this.readEntry(path18.join(dir, fileName));
+  }
+  /**
+   * The on-disk root for a given task. Exposed for tooling that needs to walk
+   * outputs from outside the store API.
+   */
+  dirFor(taskId) {
+    return path18.join(this.rootDir, taskId, "outputs");
+  }
+  async readEntry(filePath) {
+    try {
+      const buf = await fs16.promises.readFile(filePath, "utf-8");
+      const parsed = JSON.parse(buf);
+      return parsed;
+    } catch {
+      return null;
+    }
+  }
+  async applyRetention(taskId, retention) {
+    const runs = retention?.runs ?? this.retentionDefaults.runs;
+    const maxAgeDays = retention?.maxAgeDays ?? this.retentionDefaults.maxAgeDays;
+    const dir = this.dirFor(taskId);
+    const fileNames = await listJsonFilesDescending(dir);
+    const overflow = fileNames.slice(runs);
+    const cutoffMs = Date.now() - maxAgeDays * 24 * 60 * 60 * 1e3;
+    const aged = [];
+    for (const name of fileNames) {
+      const ts = parseIsoFromFileName(name);
+      if (ts !== null && ts < cutoffMs) aged.push(name);
+    }
+    const toRemove = /* @__PURE__ */ new Set([...overflow, ...aged]);
+    for (const name of toRemove) {
+      try {
+        await fs16.promises.unlink(path18.join(dir, name));
+      } catch {
+      }
+    }
+  }
+};
+async function listJsonFilesDescending(dir) {
+  let names;
+  try {
+    names = await fs16.promises.readdir(dir);
+  } catch {
+    return [];
+  }
+  return names.filter((n) => n.endsWith(".json")).sort().reverse();
+}
+function sanitizeIso(iso) {
+  return iso.replace(/:/g, "-");
+}
+function parseIsoFromFileName(fileName) {
+  const stem = fileName.replace(/\.json$/, "");
+  const restored = stem.replace(/T(\d{2})-(\d{2})-(\d{2})/, "T$1:$2:$3");
+  const ms = Date.parse(restored);
+  return Number.isFinite(ms) ? ms : null;
+}
+
+// src/maintenance/context-resolver.ts
+var ContextResolver = class {
+  outputStore;
+  skillReader;
+  logger;
+  perUpstreamMaxChars;
+  constructor(options) {
+    this.outputStore = options.outputStore;
+    this.skillReader = options.skillReader ?? null;
+    this.logger = options.logger ?? fallbackLogger3;
+    this.perUpstreamMaxChars = options.perUpstreamMaxChars ?? 2e3;
+  }
+  async resolveContextFrom(upstreamTaskIds, options = {}) {
+    if (!upstreamTaskIds || upstreamTaskIds.length === 0) return "";
+    const maxAgeMs = (options.maxAgeMinutes ?? 1440) * 60 * 1e3;
+    const now = Date.now();
+    const sections = [];
+    for (const id of upstreamTaskIds) {
+      const entry = await this.outputStore.latest(id);
+      sections.push(this.formatUpstream(id, entry, now, maxAgeMs));
+    }
+    return `## Upstream context
+
+${sections.join("\n\n")}
+`;
+  }
+  async resolveInlineSkills(skillNames, budgetTokens = 8e3) {
+    if (!skillNames || skillNames.length === 0) return "";
+    if (!this.skillReader) return "";
+    const charBudget = budgetTokens * 4;
+    let used = 0;
+    const sections = [];
+    let truncatedAt = -1;
+    for (let i = 0; i < skillNames.length; i++) {
+      const name = skillNames[i];
+      const body = await this.skillReader.read(name);
+      if (body === null) {
+        this.logger.warn("inlineSkills: skill not found in registry", { name });
+        continue;
+      }
+      const block = `### ${name}
+
+${body}`;
+      if (used + block.length > charBudget) {
+        truncatedAt = i;
+        break;
+      }
+      used += block.length;
+      sections.push(block);
+    }
+    if (truncatedAt >= 0) {
+      this.logger.warn(
+        `inlineSkillsBudgetTokens (${budgetTokens}) exhausted after ${sections.length} of ${skillNames.length} skills; truncated.`
+      );
+    }
+    if (sections.length === 0) return "";
+    return `## Reference skills
+
+${sections.join("\n\n")}
+`;
+  }
+  formatUpstream(id, entry, now, maxAgeMs) {
+    if (!entry) {
+      return `### ${id}
+
+_[no prior run]_`;
+    }
+    const completedMs = Date.parse(entry.completedAt);
+    if (Number.isFinite(completedMs) && now - completedMs > maxAgeMs) {
+      return `### ${id} (last run ${entry.completedAt}, stale)
+
+_[stale: omitted]_`;
+    }
+    const head = `### ${id} (last run ${entry.completedAt}, status=${entry.status}, findings=${entry.findings})`;
+    const body = (entry.stdout ?? "").trim();
+    const truncated = body.length > this.perUpstreamMaxChars ? `${body.slice(0, this.perUpstreamMaxChars)}
+
+_[truncated]_` : body;
+    return `${head}
+
+${truncated || "_[no stdout captured]_"}`;
+  }
+};
+var fallbackLogger3 = {
+  info: () => {
+  },
+  warn: () => {
+  },
+  error: () => {
+  }
+};
+
+// src/maintenance/custom-task-validator.ts
+import { Ok as Ok23, Err as Err20 } from "@harness-engineering/types";
+var ID_PATTERN = /^[a-z0-9][a-z0-9-]*$/;
+var REQUIRED_FIELDS_BY_TYPE = {
+  "mechanical-ai": ["branch", "fixSkill"],
+  "pure-ai": ["branch", "fixSkill"],
+  "report-only": [],
+  housekeeping: []
+};
+function validateCustomTasks(customTasks, builtIns, deps = {}) {
+  const errors = [];
+  if (!customTasks) return Ok23(void 0);
+  const builtInIds = new Set(builtIns.map((t) => t.id));
+  const customIds = Object.keys(customTasks);
+  const allIds = /* @__PURE__ */ new Set([...builtInIds, ...customIds]);
+  for (const id of customIds) {
+    const task = customTasks[id];
+    if (!task) continue;
+    validateOne(id, task, builtInIds, allIds, deps, errors);
+  }
+  detectCycles(customTasks, builtIns, errors);
+  return errors.length === 0 ? Ok23(void 0) : Err20(errors);
+}
+function validateOne(id, task, builtInIds, allIds, deps, errors) {
+  const prefix = `customTasks.${id}`;
+  if (!ID_PATTERN.test(id)) {
+    errors.push({
+      path: prefix,
+      message: `task ID '${id}' must match ^[a-z0-9][a-z0-9-]*$`
+    });
+  }
+  if (builtInIds.has(id)) {
+    errors.push({
+      path: prefix,
+      message: `task ID '${id}' collides with a built-in task; choose a different name`
+    });
+  }
+  if (!task.description || task.description.trim().length === 0) {
+    errors.push({ path: `${prefix}.description`, message: "description is required" });
+  }
+  if (!task.schedule || task.schedule.trim().length === 0) {
+    errors.push({ path: `${prefix}.schedule`, message: "schedule (cron expression) is required" });
+  }
+  validateCheckShape(prefix, task, errors);
+  validateRequiredByType(prefix, task, errors);
+  validateContextFrom(prefix, id, task, allIds, errors);
+  validateInlineSkills(prefix, task, deps, errors);
+  validateScriptPath(prefix, task, deps, errors);
+}
+function validateCheckShape(prefix, task, errors) {
+  const hasCommand = Array.isArray(task.checkCommand) && task.checkCommand.length > 0;
+  const hasScript = task.checkScript !== void 0;
+  if (hasCommand && hasScript) {
+    errors.push({
+      path: prefix,
+      message: "a task may declare checkCommand OR checkScript, not both"
+    });
+  }
+  const needsCheck = task.type === "mechanical-ai" || task.type === "report-only" || task.type === "housekeeping";
+  if (needsCheck && !hasCommand && !hasScript) {
+    errors.push({
+      path: prefix,
+      message: `${task.type} task must declare either checkCommand or checkScript`
+    });
+  }
+  if (hasScript) {
+    const path22 = task.checkScript?.path;
+    if (!path22 || path22.trim().length === 0) {
+      errors.push({ path: `${prefix}.checkScript.path`, message: "checkScript.path is required" });
     }
-    const checkResult = await this.checkRunner.run(task.checkCommand, this.cwd);
-    const parsed = parseStatusLine(checkResult.output);
-    const status = parsed?.status ?? "success";
-    const findings = parsed === null ? checkResult.findings : typeof parsed.candidatesFound === "number" ? parsed.candidatesFound : 0;
-    const result = {
-      taskId: task.id,
-      startedAt,
-      completedAt: (/* @__PURE__ */ new Date()).toISOString(),
-      status,
-      findings,
-      fixed: 0,
-      prUrl: null,
-      prUpdated: false
-    };
-    if (parsed?.error) {
-      result.error = parsed.error;
+    if (task.checkScript?.timeoutMs !== void 0 && task.checkScript.timeoutMs <= 0) {
+      errors.push({
+        path: `${prefix}.checkScript.timeoutMs`,
+        message: "timeoutMs must be a positive integer"
+      });
     }
-    return result;
   }
-  /**
-   * Housekeeping: run command directly, no AI, no PR.
-   *
-   * Captures stdout and parses a trailing JSON status line if present.
-   * Recognized contracts:
-   *   - Phase 4/5 status contract (e.g., harness pulse run): success/skipped/failure/no-issues
-   *   - sync-main contract: updated/no-op/skipped/error → mapped onto the run-result status
-   * Legacy housekeeping commands that emit no JSON keep the prior behavior:
-   *   status: 'success', findings: 0.
-   */
-  async runHousekeeping(task, startedAt) {
-    if (!task.checkCommand || task.checkCommand.length === 0) {
-      return this.failureResult(task.id, startedAt, "housekeeping task missing checkCommand");
-    }
-    let stdout;
-    try {
-      const out = await this.commandExecutor.exec(task.checkCommand, this.cwd);
-      stdout = out.stdout ?? "";
-    } catch (err) {
-      return this.failureResult(task.id, startedAt, String(err));
+}
+function validateRequiredByType(prefix, task, errors) {
+  const required = REQUIRED_FIELDS_BY_TYPE[task.type];
+  if (!required) {
+    errors.push({ path: `${prefix}.type`, message: `unknown task type '${String(task.type)}'` });
+    return;
+  }
+  for (const field of required) {
+    const value = task[field];
+    if (value === void 0 || value === null || typeof value === "string" && value.length === 0) {
+      errors.push({
+        path: `${prefix}.${String(field)}`,
+        message: `${task.type} task requires ${String(field)}`
+      });
     }
-    const parsed = parseStatusLine(stdout);
-    const status = parsed?.status ?? "success";
-    const result = {
-      taskId: task.id,
-      startedAt,
-      completedAt: (/* @__PURE__ */ new Date()).toISOString(),
-      status,
-      findings: 0,
-      fixed: 0,
-      prUrl: null,
-      prUpdated: false
-    };
-    if (parsed?.error) result.error = parsed.error;
-    return result;
   }
-  /**
-   * Resolve which AI backend name to use for a given task.
-   * Priority: per-task override > global config > 'local' default.
-   */
-  resolveBackend(taskId) {
-    const taskOverride = this.config.tasks?.[taskId]?.aiBackend;
-    if (taskOverride) return taskOverride;
-    return this.config.aiBackend ?? "local";
+  if ((task.type === "mechanical-ai" || task.type === "pure-ai") && task.branch === null) {
+    errors.push({
+      path: `${prefix}.branch`,
+      message: `${task.type} task requires a non-null branch`
+    });
   }
-  failureResult(taskId, startedAt, error) {
-    return {
-      taskId,
-      startedAt,
-      completedAt: (/* @__PURE__ */ new Date()).toISOString(),
-      status: "failure",
-      findings: 0,
-      fixed: 0,
-      prUrl: null,
-      prUpdated: false,
-      error
-    };
+}
+function validateContextFrom(prefix, selfId, task, allIds, errors) {
+  if (task.contextFromMaxAgeMinutes !== void 0 && task.contextFromMaxAgeMinutes <= 0) {
+    errors.push({
+      path: `${prefix}.contextFromMaxAgeMinutes`,
+      message: "contextFromMaxAgeMinutes must be a positive integer"
+    });
   }
-};
-function parseStatusLine(output) {
-  const lines = output.split("\n").map((l) => l.trim()).filter(Boolean);
-  for (let i = lines.length - 1; i >= 0; i--) {
-    const line = lines[i];
-    if (!line || !line.startsWith("{") || !line.endsWith("}")) continue;
-    try {
-      const obj = JSON.parse(line);
-      const s = obj.status;
-      if (s === "success" || s === "skipped" || s === "failure" || s === "no-issues") {
-        const parsed = { status: s, rawStatus: s };
-        if (typeof obj.candidatesFound === "number") {
-          parsed.candidatesFound = obj.candidatesFound;
-        }
-        if (typeof obj.error === "string") {
-          parsed.error = obj.error;
-        }
-        if (typeof obj.reason === "string") {
-          parsed.reason = obj.reason;
-        }
-        if (typeof obj.detail === "string" && !parsed.error) {
-          parsed.error = `${parsed.reason ?? "skipped"}: ${obj.detail}`;
-        }
-        return parsed;
-      }
-      if (s === "updated" || s === "no-op") {
-        return { status: "success", rawStatus: s };
-      }
-      if (s === "error") {
-        const message = typeof obj.message === "string" ? obj.message : "unknown error";
-        return { status: "failure", error: message, rawStatus: "error" };
-      }
-    } catch {
+  if (!task.contextFrom) return;
+  for (let i = 0; i < task.contextFrom.length; i++) {
+    const upstreamId = task.contextFrom[i];
+    if (!upstreamId) continue;
+    if (upstreamId === selfId) {
+      errors.push({
+        path: `${prefix}.contextFrom[${i}]`,
+        message: `task '${selfId}' cannot reference itself in contextFrom`
+      });
+    }
+    if (!allIds.has(upstreamId)) {
+      errors.push({
+        path: `${prefix}.contextFrom[${i}]`,
+        message: `references unknown task '${upstreamId}'`
+      });
     }
   }
-  return null;
+}
+function validateInlineSkills(prefix, task, deps, errors) {
+  if (!task.inlineSkills) return;
+  if (!deps.skillExists) return;
+  for (let i = 0; i < task.inlineSkills.length; i++) {
+    const name = task.inlineSkills[i];
+    if (!name) continue;
+    if (!deps.skillExists(name)) {
+      errors.push({
+        path: `${prefix}.inlineSkills[${i}]`,
+        message: `skill '${name}' not found in the registry`
+      });
+    }
+  }
+  if (task.inlineSkillsBudgetTokens !== void 0 && task.inlineSkillsBudgetTokens <= 0) {
+    errors.push({
+      path: `${prefix}.inlineSkillsBudgetTokens`,
+      message: "inlineSkillsBudgetTokens must be a positive integer"
+    });
+  }
+}
+function validateScriptPath(prefix, task, deps, errors) {
+  if (!task.checkScript?.path) return;
+  if (!deps.scriptExists) return;
+  if (!deps.scriptExists(task.checkScript.path)) {
+    errors.push({
+      path: `${prefix}.checkScript.path`,
+      message: `executable not found: ${task.checkScript.path}`
+    });
+  }
+}
+function detectCycles(customTasks, builtIns, errors) {
+  const adjacency = /* @__PURE__ */ new Map();
+  for (const t of builtIns) adjacency.set(t.id, []);
+  for (const [id, task] of Object.entries(customTasks)) {
+    adjacency.set(id, (task.contextFrom ?? []).slice());
+  }
+  const color = /* @__PURE__ */ new Map();
+  for (const id of adjacency.keys()) color.set(id, "white");
+  const reported = /* @__PURE__ */ new Set();
+  for (const id of Object.keys(customTasks)) {
+    if (color.get(id) === "white") visitFromRoot(id, adjacency, color, errors, reported);
+  }
+}
+function visitFromRoot(start, adjacency, color, errors, reported) {
+  const stack = [{ id: start, nextIdx: 0, path: [start] }];
+  color.set(start, "grey");
+  while (stack.length) {
+    const top = stack[stack.length - 1];
+    const neighbors = adjacency.get(top.id) ?? [];
+    if (top.nextIdx >= neighbors.length) {
+      color.set(top.id, "black");
+      stack.pop();
+      continue;
+    }
+    const next = neighbors[top.nextIdx++];
+    if (!next || !adjacency.has(next)) continue;
+    handleEdge(top, next, color, stack, errors, reported);
+  }
+}
+function handleEdge(top, next, color, stack, errors, reported) {
+  const nextColor = color.get(next);
+  if (nextColor === "grey") {
+    reportCycle(top.path, next, errors, reported);
+  } else if (nextColor === "white") {
+    color.set(next, "grey");
+    stack.push({ id: next, nextIdx: 0, path: [...top.path, next] });
+  }
+}
+function reportCycle(path22, next, errors, reported) {
+  const cycleStart = path22.indexOf(next);
+  const cyclePath = cycleStart >= 0 ? [...path22.slice(cycleStart), next] : [...path22, next];
+  const key = cyclePath.join("\u2192");
+  if (reported.has(key)) return;
+  reported.add(key);
+  errors.push({
+    path: `customTasks.${cyclePath[0]}.contextFrom`,
+    message: `contextFrom cycle detected: ${cyclePath.join(" \u2192 ")}`
+  });
 }
 
 // src/orchestrator.ts
@@ -9625,13 +11924,20 @@ var Orchestrator = class extends EventEmitter {
   cacheMetrics;
   otlpExporter;
   telemetryFanoutOff;
+  // Hermes Phase 3: in-process notification sinks subscribe to the same
+  // event bus (`this`) that webhook fanout uses, applying envelope
+  // formatting before delivering to Slack/etc. The registry + unwire
+  // handle are kept on the instance so stop() can detach listeners and
+  // call adapter dispose() in deterministic order.
+  notificationsRegistry;
+  notificationFanoutOff;
   orchestratorIdPromise;
   recorder;
   intelligenceRunner;
   completionHandler;
   /** Project root directory, derived from workspace root. */
   get projectRoot() {
-    return path16.resolve(this.config.workspace.root, "..", "..");
+    return path19.resolve(this.config.workspace.root, "..", "..");
   }
   enrichedSpecsByIssue = /* @__PURE__ */ new Map();
   /** Tracks recently-failed intelligence analysis to avoid re-requesting every tick */
@@ -9686,10 +11992,10 @@ var Orchestrator = class extends EventEmitter {
     this.renderer = new PromptRenderer();
     this.overrideBackend = overrides?.backend ?? null;
     this.interactionQueue = new InteractionQueue(
-      path16.join(config.workspace.root, "..", "interactions"),
+      path19.join(config.workspace.root, "..", "interactions"),
       this
     );
-    this.analysisArchive = new AnalysisArchive(path16.join(config.workspace.root, "..", "analyses"));
+    this.analysisArchive = new AnalysisArchive(path19.join(config.workspace.root, "..", "analyses"));
     const backendsMap = this.config.agent.backends ?? {};
     for (const [name, def] of Object.entries(backendsMap)) {
       if (def.type === "local" || def.type === "pi") {
@@ -9733,7 +12039,7 @@ var Orchestrator = class extends EventEmitter {
       ...overrides?.execFileFn ? { execFileFn: overrides.execFileFn } : {}
     });
     this.recorder = new StreamRecorder(
-      path16.resolve(config.workspace.root, "..", "streams"),
+      path19.resolve(config.workspace.root, "..", "streams"),
       this.logger
     );
     const self = this;
@@ -9764,10 +12070,10 @@ var Orchestrator = class extends EventEmitter {
     this.completionHandler = new CompletionHandler(ctx, this.postLifecycleComment.bind(this));
     if (config.server?.port) {
       const webhookStore = new WebhookStore(
-        path16.join(this.projectRoot, ".harness", "webhooks.json")
+        path19.join(this.projectRoot, ".harness", "webhooks.json")
       );
       this.webhookQueue = new WebhookQueue(
-        path16.join(this.projectRoot, ".harness", "webhook-queue.sqlite")
+        path19.join(this.projectRoot, ".harness", "webhook-queue.sqlite")
       );
       const webhookDelivery = new WebhookDelivery({
         queue: this.webhookQueue,
@@ -9780,6 +12086,7 @@ var Orchestrator = class extends EventEmitter {
         delivery: webhookDelivery
       });
       webhookDelivery.start();
+      this.setupNotifications(config.notifications);
       const otlpCfg = config.telemetry?.export?.otlp;
       if (otlpCfg) {
         this.otlpExporter = new OTLPExporter({
@@ -9804,7 +12111,7 @@ var Orchestrator = class extends EventEmitter {
           queue: this.webhookQueue
         },
         cacheMetrics: this.cacheMetrics,
-        plansDir: path16.resolve(config.workspace.root, "..", "docs", "plans"),
+        plansDir: path19.resolve(config.workspace.root, "..", "docs", "plans"),
         pipeline: this.pipeline,
         analysisArchive: this.analysisArchive,
         roadmapPath: config.tracker.filePath ?? null,
@@ -9860,13 +12167,13 @@ var Orchestrator = class extends EventEmitter {
     const logger = this.logger;
     const checkRunner = {
       run: async (command, cwd) => {
-        const { execFile: execFile6 } = await import("child_process");
-        const { promisify: promisify4 } = await import("util");
-        const execFileAsync = promisify4(execFile6);
+        const { execFile: execFile7 } = await import("child_process");
+        const { promisify: promisify5 } = await import("util");
+        const execFileAsync2 = promisify5(execFile7);
         const [cmd, ...args] = command;
         if (!cmd) return { passed: true, findings: 0, output: "" };
         try {
-          const { stdout } = await execFileAsync(cmd, args, { cwd, timeout: 12e4 });
+          const { stdout } = await execFileAsync2(cmd, args, { cwd, timeout: 12e4 });
           const findingsMatch = stdout.match(/(\d+)\s+(?:finding|issue|violation|error)/i);
           const findings = findingsMatch ? parseInt(findingsMatch[1], 10) : 0;
           return { passed: findings === 0, findings, output: stdout };
@@ -9895,13 +12202,13 @@ var Orchestrator = class extends EventEmitter {
     };
     const commandExecutor = {
       exec: async (command, cwd) => {
-        const { execFile: execFile6 } = await import("child_process");
-        const { promisify: promisify4 } = await import("util");
-        const execFileAsync = promisify4(execFile6);
+        const { execFile: execFile7 } = await import("child_process");
+        const { promisify: promisify5 } = await import("util");
+        const execFileAsync2 = promisify5(execFile7);
         const [cmd, ...args] = command;
         if (!cmd) return { stdout: "" };
         try {
-          const { stdout } = await execFileAsync(cmd, args, { cwd, timeout: 12e4 });
+          const { stdout } = await execFileAsync2(cmd, args, { cwd, timeout: 12e4 });
           return { stdout: String(stdout) };
         } catch (err) {
           logger.warn("Maintenance command execution failed", {
@@ -9913,12 +12220,31 @@ var Orchestrator = class extends EventEmitter {
         }
       }
     };
+    const outputStore = new TaskOutputStore({
+      rootDir: path19.join(this.projectRoot, ".harness", "maintenance"),
+      logger: this.logger
+    });
+    const checkScriptRunner = new CheckScriptRunner(this.projectRoot);
+    const skillReader = {
+      // The orchestrator does not own the skill registry; CLI-side skill
+      // resolution wires this in via direct injection. Default: skill not
+      // resolvable from the orchestrator boundary.
+      read: async () => null
+    };
+    const contextResolver = new ContextResolver({
+      outputStore,
+      skillReader,
+      logger: this.logger
+    });
     return new TaskRunner({
       config: maintenanceConfig,
       checkRunner,
       agentDispatcher,
       commandExecutor,
-      cwd: this.projectRoot
+      cwd: this.projectRoot,
+      checkScriptRunner,
+      contextResolver,
+      outputStore
     });
   }
   /**
@@ -9926,8 +12252,17 @@ var Orchestrator = class extends EventEmitter {
    * Extracted from start() to keep function length under threshold.
    */
   async initMaintenance(maintenanceConfig) {
+    const validation = validateCustomTasks(
+      maintenanceConfig.customTasks,
+      BUILT_IN_TASKS
+    );
+    if (!validation.ok) {
+      const messages = validation.error.map((e) => `  - ${e.path}: ${e.message}`).join("\n");
+      throw new Error(`Invalid maintenance.customTasks configuration:
+${messages}`);
+    }
     this.maintenanceReporter = new MaintenanceReporter({
-      persistDir: path16.join(this.projectRoot, ".harness", "maintenance"),
+      persistDir: path19.join(this.projectRoot, ".harness", "maintenance"),
       logger: this.logger
     });
     await this.maintenanceReporter.load();
@@ -10615,6 +12950,31 @@ var Orchestrator = class extends EventEmitter {
     );
     this.emit("state_change", this.getSnapshot());
   }
+  /**
+   * Hermes Phase 3: wire in-process notification sinks against the
+   * orchestrator's event bus (`this`). A misconfigured sink (unknown kind,
+   * missing env var) logs + skips rather than breaking startup — the
+   * hardened doctor (`harness doctor`) surfaces the gap. Sinks subscribe
+   * to the same topics as `wireWebhookFanout`; a slow Slack call cannot
+   * block webhook delivery because the two paths fan out independently.
+   */
+  setupNotifications(notifConfig) {
+    if (!notifConfig || !notifConfig.sinks || notifConfig.sinks.length === 0) return;
+    try {
+      this.notificationsRegistry = SinkRegistry.fromConfig(notifConfig, {
+        env: process.env
+      });
+      this.notificationFanoutOff = wireNotificationSinks({
+        bus: this,
+        registry: this.notificationsRegistry
+      });
+    } catch (err) {
+      this.logger.warn(
+        `notifications sink registry failed: ${err instanceof Error ? err.message : String(err)}; sinks disabled`
+      );
+      delete this.notificationsRegistry;
+    }
+  }
   /**
    * Stops execution for a specific issue.
    *
@@ -10782,6 +13142,14 @@ var Orchestrator = class extends EventEmitter {
       this.webhookFanoutOff();
       delete this.webhookFanoutOff;
     }
+    if (this.notificationFanoutOff) {
+      this.notificationFanoutOff();
+      delete this.notificationFanoutOff;
+    }
+    if (this.notificationsRegistry) {
+      await this.notificationsRegistry.dispose();
+      delete this.notificationsRegistry;
+    }
     if (this.telemetryFanoutOff) {
       this.telemetryFanoutOff();
       delete this.telemetryFanoutOff;
@@ -11071,10 +13439,10 @@ function launchTUI(orchestrator) {
 
 // src/maintenance/sync-main.ts
 import { execFile as nodeExecFile } from "child_process";
-import { promisify as promisify3 } from "util";
-var DEFAULT_TIMEOUT_MS2 = 6e4;
+import { promisify as promisify4 } from "util";
+var DEFAULT_TIMEOUT_MS3 = 6e4;
 async function git(execFileFn, args, cwd, timeoutMs) {
-  const exec = promisify3(execFileFn);
+  const exec = promisify4(execFileFn);
   const { stdout, stderr } = await exec("git", args, { cwd, timeout: timeoutMs });
   return { stdout: String(stdout), stderr: String(stderr) };
 }
@@ -11137,7 +13505,7 @@ async function isAncestor(execFileFn, a, b, cwd, timeoutMs) {
 }
 async function syncMain(repoRoot, opts = {}) {
   const execFileFn = opts.execFileFn ?? nodeExecFile;
-  const timeoutMs = opts.timeoutMs ?? DEFAULT_TIMEOUT_MS2;
+  const timeoutMs = opts.timeoutMs ?? DEFAULT_TIMEOUT_MS3;
   try {
     const originRef = await resolveOriginDefault(execFileFn, repoRoot, timeoutMs);
     if (!originRef) {
@@ -11212,10 +13580,472 @@ async function syncMain(repoRoot, opts = {}) {
     };
   }
 }
+
+// src/sessions/search-index.ts
+import * as fs17 from "fs";
+import * as path20 from "path";
+import Database2 from "better-sqlite3";
+import { INDEXED_FILE_KINDS } from "@harness-engineering/types";
+var SEARCH_INDEX_FILE = "search-index.sqlite";
+var SCHEMA_SQL2 = `
+  CREATE TABLE IF NOT EXISTS session_docs (
+    id           INTEGER PRIMARY KEY AUTOINCREMENT,
+    session_id   TEXT NOT NULL,
+    archived     INTEGER NOT NULL,
+    file_kind    TEXT NOT NULL,
+    path         TEXT NOT NULL,
+    mtime_ms     INTEGER NOT NULL,
+    body         TEXT NOT NULL,
+    UNIQUE (session_id, archived, file_kind)
+  );
+
+  CREATE VIRTUAL TABLE IF NOT EXISTS session_docs_fts USING fts5 (
+    body,
+    content='session_docs',
+    content_rowid='id',
+    tokenize='unicode61 remove_diacritics 2'
+  );
+
+  CREATE TRIGGER IF NOT EXISTS session_docs_ai
+    AFTER INSERT ON session_docs
+    BEGIN INSERT INTO session_docs_fts(rowid, body) VALUES (new.id, new.body); END;
+
+  CREATE TRIGGER IF NOT EXISTS session_docs_ad
+    AFTER DELETE ON session_docs
+    BEGIN INSERT INTO session_docs_fts(session_docs_fts, rowid, body) VALUES('delete', old.id, old.body); END;
+
+  CREATE TRIGGER IF NOT EXISTS session_docs_au
+    AFTER UPDATE ON session_docs
+    BEGIN
+      INSERT INTO session_docs_fts(session_docs_fts, rowid, body) VALUES('delete', old.id, old.body);
+      INSERT INTO session_docs_fts(rowid, body) VALUES (new.id, new.body);
+    END;
+`;
+var DEFAULT_LIMIT = 20;
+function normalizeFts5Query(query) {
+  const advancedSyntax = /["()*^+]|\bAND\b|\bOR\b|\bNOT\b|[A-Za-z_]+:/;
+  if (advancedSyntax.test(query)) return query;
+  return query.split(/\s+/).filter((tok) => tok.length > 0).map((tok) => `"${tok.replace(/"/g, '""')}"`).join(" ");
+}
+function searchIndexPath(projectPath) {
+  return path20.join(projectPath, ".harness", SEARCH_INDEX_FILE);
+}
+var FILE_KIND_TO_FILENAME = {
+  summary: "summary.md",
+  learnings: "learnings.md",
+  failures: "failures.md",
+  sections: "session-sections.md",
+  llm_summary: "llm-summary.md"
+};
+var SqliteSearchIndex = class {
+  db;
+  upsertStmt;
+  removeSessionStmt;
+  totalStmt;
+  constructor(dbPath) {
+    fs17.mkdirSync(path20.dirname(dbPath), { recursive: true });
+    this.db = new Database2(dbPath);
+    this.db.pragma("journal_mode = WAL");
+    this.db.pragma("synchronous = NORMAL");
+    this.db.exec(SCHEMA_SQL2);
+    this.upsertStmt = this.db.prepare(
+      `INSERT INTO session_docs (session_id, archived, file_kind, path, mtime_ms, body)
+       VALUES (@sessionId, @archived, @fileKind, @path, @mtimeMs, @body)
+       ON CONFLICT(session_id, archived, file_kind) DO UPDATE SET
+         path = excluded.path,
+         mtime_ms = excluded.mtime_ms,
+         body = excluded.body`
+    );
+    this.removeSessionStmt = this.db.prepare(`DELETE FROM session_docs WHERE session_id = ?`);
+    this.totalStmt = this.db.prepare(`SELECT COUNT(*) AS n FROM session_docs`);
+  }
+  upsertSessionDoc(doc) {
+    this.upsertStmt.run({
+      sessionId: doc.sessionId,
+      archived: doc.archived ? 1 : 0,
+      fileKind: doc.fileKind,
+      path: doc.path,
+      mtimeMs: Math.floor(doc.mtimeMs),
+      body: doc.body
+    });
+  }
+  removeSession(sessionId) {
+    const info = this.removeSessionStmt.run(sessionId);
+    return info.changes;
+  }
+  /**
+   * Drop all `archived=1` rows. Used by `reindexFromArchive` before a full
+   * re-walk. Live (archived=0) rows are preserved.
+   */
+  resetArchived() {
+    this.db.prepare(`DELETE FROM session_docs WHERE archived = 1`).run();
+  }
+  /** Total rows currently indexed (across both live and archived). */
+  totalIndexed() {
+    const row = this.totalStmt.get();
+    return row.n;
+  }
+  /**
+   * Ranked FTS5 query. Returns BM25-sorted matches. The `query` is passed to
+   * FTS5 as-is; FTS5 syntax (phrases with quotes, AND/OR/NOT, `column:term`)
+   * is therefore the user-facing language. Errors from malformed queries
+   * surface as thrown `SqliteError` so the CLI can catch + render them.
+   */
+  search(query, opts = {}) {
+    const limit = opts.limit ?? DEFAULT_LIMIT;
+    const filters = [];
+    const params = { q: normalizeFts5Query(query), limit };
+    if (opts.archivedOnly) {
+      filters.push("d.archived = 1");
+    }
+    const fileKinds = opts.fileKinds && opts.fileKinds.length > 0 ? opts.fileKinds : null;
+    if (fileKinds) {
+      const placeholders = fileKinds.map((_, i) => `@fk${i}`).join(", ");
+      filters.push(`d.file_kind IN (${placeholders})`);
+      fileKinds.forEach((k, i) => {
+        params[`fk${i}`] = k;
+      });
+    }
+    const whereClause = filters.length > 0 ? `AND ${filters.join(" AND ")}` : "";
+    const sql = `
+      SELECT
+        d.session_id   AS sessionId,
+        d.archived     AS archived,
+        d.file_kind    AS fileKind,
+        d.path         AS path,
+        bm25(session_docs_fts) AS bm25,
+        snippet(session_docs_fts, 0, '\u2026', '\u2026', '\u2026', 16) AS snippet
+      FROM session_docs_fts
+      JOIN session_docs d ON d.id = session_docs_fts.rowid
+      WHERE session_docs_fts MATCH @q
+        ${whereClause}
+      ORDER BY bm25 ASC
+      LIMIT @limit
+    `;
+    const start = Date.now();
+    const rows = this.db.prepare(sql).all(params);
+    const durationMs = Date.now() - start;
+    const matches = rows.map((r) => ({
+      sessionId: r.sessionId,
+      archived: r.archived === 1,
+      fileKind: r.fileKind,
+      path: r.path,
+      bm25: r.bm25,
+      snippet: r.snippet
+    }));
+    return { matches, durationMs, totalIndexed: this.totalIndexed() };
+  }
+  close() {
+    this.db.close();
+  }
+};
+function openSearchIndex(projectPath) {
+  return new SqliteSearchIndex(searchIndexPath(projectPath));
+}
+function indexSessionDirectory(idx, args) {
+  const kinds = args.fileKinds ?? [...INDEXED_FILE_KINDS];
+  const cap = args.maxBytesPerBody ?? 256 * 1024;
+  let docsWritten = 0;
+  for (const kind of kinds) {
+    const fileName = FILE_KIND_TO_FILENAME[kind];
+    const filePath = path20.join(args.sessionDir, fileName);
+    if (!fs17.existsSync(filePath)) continue;
+    let body = fs17.readFileSync(filePath, "utf8");
+    if (Buffer.byteLength(body, "utf8") > cap) {
+      body = body.slice(0, cap) + "\n\n[TRUNCATED]";
+    }
+    const stat = fs17.statSync(filePath);
+    const relPath = path20.relative(args.projectPath, filePath).replaceAll("\\", "/");
+    idx.upsertSessionDoc({
+      sessionId: args.sessionId,
+      archived: args.archived,
+      fileKind: kind,
+      path: relPath,
+      mtimeMs: stat.mtimeMs,
+      body
+    });
+    docsWritten++;
+  }
+  return { docsWritten };
+}
+function reindexFromArchive(projectPath, opts = {}) {
+  const start = Date.now();
+  const archiveBase = path20.join(projectPath, ".harness", "archive", "sessions");
+  const idx = openSearchIndex(projectPath);
+  try {
+    idx.resetArchived();
+    let sessionsIndexed = 0;
+    let docsWritten = 0;
+    if (fs17.existsSync(archiveBase)) {
+      const entries = fs17.readdirSync(archiveBase, { withFileTypes: true });
+      for (const entry of entries) {
+        if (!entry.isDirectory()) continue;
+        const sessionDir = path20.join(archiveBase, entry.name);
+        const result = indexSessionDirectory(idx, {
+          sessionId: entry.name,
+          sessionDir,
+          archived: true,
+          projectPath,
+          ...opts.fileKinds && { fileKinds: opts.fileKinds },
+          ...opts.maxBytesPerBody !== void 0 && { maxBytesPerBody: opts.maxBytesPerBody }
+        });
+        if (result.docsWritten > 0) sessionsIndexed++;
+        docsWritten += result.docsWritten;
+      }
+    }
+    return { sessionsIndexed, docsWritten, durationMs: Date.now() - start };
+  } finally {
+    idx.close();
+  }
+}
+
+// src/sessions/summarize.ts
+import * as fs18 from "fs";
+import * as path21 from "path";
+import {
+  SessionSummarySchema
+} from "@harness-engineering/types";
+import { Ok as Ok24, Err as Err21 } from "@harness-engineering/types";
+var LLM_SUMMARY_FILE = "llm-summary.md";
+var SUMMARY_INPUT_FILES = [
+  { filename: "summary.md", kind: "summary" },
+  { filename: "learnings.md", kind: "learnings" },
+  { filename: "failures.md", kind: "failures" },
+  { filename: "session-sections.md", kind: "sections" }
+];
+var DEFAULT_INPUT_BUDGET_TOKENS = 16e3;
+var DEFAULT_TIMEOUT_MS4 = 6e4;
+var CHARS_PER_TOKEN = 4;
+var SYSTEM_PROMPT = `You produce concise, structured retrospectives of completed harness-engineering sessions.
+
+Read the session's archived markdown files and emit a JSON object that conforms exactly to the provided schema. Be specific and grounded \u2014 quote artefacts (file names, skill names, error messages) verbatim when relevant. Do not invent. If a field has no content, return an empty array.`;
+var USER_PROMPT_PREAMBLE = `Below are the archived files for a single harness-engineering session. Produce a structured summary capturing:
+- headline: one-sentence retrospective (\u2264 120 chars)
+- keyOutcomes: concrete things that shipped / decisions made (\u2264 20 strings)
+- openQuestions: items still open (\u2264 20 strings)
+- relatedSessions: other session slugs referenced (may be empty)
+
+---
+
+`;
+function readInputCorpus(archiveDir) {
+  const parts = [];
+  for (const { filename, kind } of SUMMARY_INPUT_FILES) {
+    const p = path21.join(archiveDir, filename);
+    if (!fs18.existsSync(p)) continue;
+    try {
+      const content = fs18.readFileSync(p, "utf8");
+      if (content.trim().length === 0) continue;
+      parts.push(`## FILE: ${kind}
+
+${content.trim()}`);
+    } catch {
+    }
+  }
+  return parts.join("\n\n");
+}
+function truncateForBudget(text, inputBudgetTokens) {
+  const cap = Math.max(0, inputBudgetTokens * CHARS_PER_TOKEN);
+  if (text.length <= cap) return text;
+  return text.slice(0, cap) + "\n\n[TRUNCATED \u2014 input exceeded token budget]";
+}
+function renderLlmSummaryMarkdown(summary, meta) {
+  const lines = [
+    "---",
+    `generatedAt: ${meta.generatedAt}`,
+    `model: ${meta.model}`,
+    `inputTokens: ${meta.inputTokens}`,
+    `outputTokens: ${meta.outputTokens}`,
+    `schemaVersion: ${meta.schemaVersion}`,
+    "---",
+    "",
+    "## Headline",
+    summary.headline,
+    "",
+    "## Key outcomes"
+  ];
+  if (summary.keyOutcomes.length === 0) {
+    lines.push("_(none)_");
+  } else {
+    for (const item of summary.keyOutcomes) lines.push(`- ${item}`);
+  }
+  lines.push("", "## Open questions");
+  if (summary.openQuestions.length === 0) {
+    lines.push("_(none)_");
+  } else {
+    for (const item of summary.openQuestions) lines.push(`- ${item}`);
+  }
+  lines.push("", "## Related sessions");
+  if (summary.relatedSessions.length === 0) {
+    lines.push("_(none)_");
+  } else {
+    for (const item of summary.relatedSessions) lines.push(`- ${item}`);
+  }
+  lines.push("");
+  return lines.join("\n");
+}
+function writeStubMarkdown(archiveDir, reason) {
+  const filePath = path21.join(archiveDir, LLM_SUMMARY_FILE);
+  const body = `---
+generatedAt: ${(/* @__PURE__ */ new Date()).toISOString()}
+schemaVersion: 1
+status: failed
+---
+
+## Summary unavailable
+
+- reason: ${reason}
+`;
+  fs18.writeFileSync(filePath, body, "utf8");
+  return filePath;
+}
+async function summarizeArchivedSession(ctx) {
+  const writeStubOnError = ctx.writeStubOnError ?? true;
+  if (!fs18.existsSync(ctx.archiveDir)) {
+    return Err21(new Error(`archive directory not found: ${ctx.archiveDir}`));
+  }
+  const corpus = readInputCorpus(ctx.archiveDir);
+  if (corpus.trim().length === 0) {
+    return Err21(new Error(`no summary input files found in ${ctx.archiveDir}`));
+  }
+  const inputBudgetTokens = ctx.config?.inputBudgetTokens ?? DEFAULT_INPUT_BUDGET_TOKENS;
+  const truncated = truncateForBudget(corpus, inputBudgetTokens);
+  const prompt = USER_PROMPT_PREAMBLE + truncated;
+  const timeoutMs = ctx.config?.timeoutMs ?? DEFAULT_TIMEOUT_MS4;
+  const analyzeOpts = {
+    prompt,
+    systemPrompt: SYSTEM_PROMPT,
+    responseSchema: SessionSummarySchema,
+    ...ctx.config?.model && { model: ctx.config.model }
+  };
+  let response;
+  try {
+    response = await Promise.race([
+      ctx.provider.analyze(analyzeOpts),
+      new Promise(
+        (_, reject) => setTimeout(
+          () => reject(new Error(`provider call timed out after ${timeoutMs}ms`)),
+          timeoutMs
+        )
+      )
+    ]);
+  } catch (e) {
+    const reason = e instanceof Error ? e.message : String(e);
+    ctx.logger?.warn?.("session summary: provider call failed", { reason });
+    let stubPath;
+    if (writeStubOnError) {
+      try {
+        stubPath = writeStubMarkdown(ctx.archiveDir, reason);
+      } catch {
+      }
+    }
+    return Err21(
+      new Error(`session summary failed: ${reason}` + (stubPath ? ` (stub: ${stubPath})` : ""))
+    );
+  }
+  const parsed = SessionSummarySchema.safeParse(response.result);
+  if (!parsed.success) {
+    const reason = `schema validation failed: ${parsed.error.message}`;
+    ctx.logger?.warn?.("session summary: invalid provider payload", { reason });
+    if (writeStubOnError) {
+      try {
+        writeStubMarkdown(ctx.archiveDir, reason);
+      } catch {
+      }
+    }
+    return Err21(new Error(reason));
+  }
+  const meta = {
+    generatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    model: response.model,
+    inputTokens: response.tokenUsage.inputTokens,
+    outputTokens: response.tokenUsage.outputTokens,
+    schemaVersion: 1
+  };
+  const filePath = path21.join(ctx.archiveDir, LLM_SUMMARY_FILE);
+  const body = renderLlmSummaryMarkdown(parsed.data, meta);
+  fs18.writeFileSync(filePath, body, "utf8");
+  return Ok24({ summary: parsed.data, meta, filePath });
+}
+function isSummaryEnabled(config) {
+  if (!config) return false;
+  if (config.enabled === false) return false;
+  return true;
+}
+
+// src/sessions/archive-hooks.ts
+var defaultLogger = {
+  warn: (msg, meta) => console.warn(`[sessions] ${msg}`, meta)
+};
+async function runSummaryStep(opts, logger, sessionId, archiveDir) {
+  const enabled = isSummaryEnabled(opts.config?.summary) && opts.provider != null;
+  if (!enabled || !opts.provider) return;
+  const ctx = {
+    archiveDir,
+    provider: opts.provider,
+    ...opts.config?.summary && { config: opts.config.summary },
+    ...logger && { logger }
+  };
+  try {
+    const result = await summarizeArchivedSession(ctx);
+    if (!result.ok) {
+      logger.warn?.("session summary: failed", {
+        sessionId,
+        error: result.error.message
+      });
+    }
+  } catch (e) {
+    logger.warn?.("session summary: threw", {
+      sessionId,
+      error: e instanceof Error ? e.message : String(e)
+    });
+  }
+}
+function runIndexStep(opts, logger, sessionId, archiveDir) {
+  try {
+    const idx = openSearchIndex(opts.projectPath);
+    try {
+      const result = indexSessionDirectory(idx, {
+        sessionId,
+        sessionDir: archiveDir,
+        archived: true,
+        projectPath: opts.projectPath,
+        ...opts.config?.search?.indexedFileKinds && {
+          fileKinds: opts.config.search.indexedFileKinds
+        },
+        ...opts.config?.search?.maxIndexBytesPerFile !== void 0 && {
+          maxBytesPerBody: opts.config.search.maxIndexBytesPerFile
+        }
+      });
+      if (result.docsWritten === 0) {
+        logger.warn?.("session index: no docs written", { sessionId, archiveDir });
+      }
+    } finally {
+      idx.close();
+    }
+  } catch (e) {
+    logger.warn?.("session index: failed", {
+      sessionId,
+      error: e instanceof Error ? e.message : String(e)
+    });
+  }
+}
+function buildArchiveHooks(opts) {
+  const logger = opts.logger ?? defaultLogger;
+  return {
+    async onArchived({ sessionId, archiveDir }) {
+      await runSummaryStep(opts, logger, sessionId, archiveDir);
+      runIndexStep(opts, logger, sessionId, archiveDir);
+    }
+  };
+}
 export {
   AnalysisArchive,
+  BUILT_IN_TASKS,
   BackendRouter,
   ClaimManager,
+  GateNotReadyError,
+  GateRunError,
   InteractionQueue,
   LinearGraphQLStub,
   MAX_ATTEMPTS,
@@ -11224,10 +14054,16 @@ export {
   Orchestrator,
   OrchestratorBackendFactory,
   PRDetector,
+  PromotionError,
   PromptRenderer,
   RETRY_DELAYS_MS,
   RoadmapTrackerAdapter,
+  SinkConfigError,
+  SinkRegistry,
+  SlackSink,
+  SqliteSearchIndex,
   StreamRecorder,
+  TaskOutputStore,
   TokenStore,
   WebhookQueue,
   WorkflowLoader,
@@ -11235,31 +14071,49 @@ export {
   WorkspaceManager,
   applyEvent,
   artifactPresenceFromIssue,
+  buildArchiveHooks,
   calculateRetryDelay,
   canDispatch,
   computeRateLimitDelay,
   createBackend,
   createEmptyState,
   detectScopeTier,
+  emitProposalApproved,
+  emitProposalCreated,
+  emitProposalRejected,
   extractHighlights,
   extractTitlePrefix,
   getAvailableSlots,
   getDefaultConfig,
   getPerStateCount,
+  indexSessionDirectory,
   isEligible,
+  isSummaryEnabled,
   launchTUI,
   loadPublishedIndex,
   migrateAgentConfig,
+  normalizeFts5Query,
+  openSearchIndex,
+  promote,
   reconcile,
+  reindexFromArchive,
   renderAnalysisComment,
+  renderLlmSummaryMarkdown,
   renderPRComment,
   resolveEscalationConfig,
   resolveOrchestratorId,
   routeIssue,
+  runGate,
   savePublishedIndex,
+  searchIndexPath,
   selectCandidates,
   sortCandidates,
+  summarizeArchivedSession,
   syncMain,
   triageIssue,
-  validateWorkflowConfig
+  truncateForBudget,
+  validateCustomTasks,
+  validateWorkflowConfig,
+  wireNotificationSinks,
+  wrapAsEnvelope
 };