npm - @hasna/loops - Versions diffs - 0.3.15 → 0.3.17 - Mend

@hasna/loops 0.3.15 → 0.3.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/dist/cli/index.js CHANGED Viewed

@@ -328,6 +328,17 @@ function optionalPositiveInteger(value, label) {
     throw new Error(`${label} must be a positive integer`);
   return value;
 }
+function optionalStringArray(value, label) {
+  if (value === undefined)
+    return;
+  if (!Array.isArray(value))
+    throw new Error(`${label} must be an array`);
+  const values = value.map((entry, index) => {
+    assertString(entry, `${label}[${index}]`);
+    return entry.trim();
+  }).filter(Boolean);
+  return values.length ? values : undefined;
+}
 function normalizeGoalSpec(value, label = "goal") {
   if (value === undefined)
     return;
@@ -399,6 +410,14 @@ function validateTarget(value, label) {
         throw new Error(`${label}.sandbox is currently supported only for provider codewith, codex, or cursor`);
       }
     }
+    if (value.allowlist !== undefined) {
+      assertObject(value.allowlist, `${label}.allowlist`);
+      optionalStringArray(value.allowlist.tools, `${label}.allowlist.tools`);
+      optionalStringArray(value.allowlist.commands, `${label}.allowlist.commands`);
+      if (value.allowlist.enforcement !== undefined && value.allowlist.enforcement !== "metadata_only") {
+        throw new Error(`${label}.allowlist.enforcement must be metadata_only`);
+      }
+    }
     return value;
   }
   throw new Error(`${label}.type must be command or agent`);
@@ -1033,6 +1052,30 @@ class Store {
       throw new Error(`loop not found after update: ${id}`);
     return after;
   }
+  renameLoop(id, name, opts = {}) {
+    const current = this.getLoop(id);
+    if (!current)
+      throw new Error(`loop not found: ${id}`);
+    const trimmed = name.trim();
+    if (!trimmed)
+      throw new Error("loop name must not be empty");
+    const updated = (opts.now ?? new Date).toISOString();
+    this.db.query(`UPDATE loops SET name=$name, updated_at=$updated
+         WHERE id=$id
+           AND ($daemonLeaseId IS NULL OR EXISTS (
+             SELECT 1 FROM daemon_lease WHERE id=$daemonLeaseId AND expires_at > $now
+           ))`).run({
+      $id: id,
+      $name: trimmed,
+      $updated: updated,
+      $daemonLeaseId: opts.daemonLeaseId ?? null,
+      $now: updated
+    });
+    const after = this.getLoop(id);
+    if (!after)
+      throw new Error(`loop not found after rename: ${id}`);
+    return after;
+  }
   archiveLoop(idOrName) {
     const loop = this.requireLoop(idOrName);
     if (loop.archivedAt)
@@ -2152,8 +2195,9 @@ class Store {
 }
 // src/cli/index.ts
-import { createHash } from "crypto";
+import { createHash as createHash2 } from "crypto";
 import { existsSync as existsSync3, readFileSync as readFileSync2 } from "fs";
+import { spawnSync as spawnSync5 } from "child_process";
 import { Command } from "commander";
 // src/lib/format.ts
@@ -2571,6 +2615,16 @@ function metadataEnv(metadata) {
     env.LOOPS_GOAL_NODE_KEY = metadata.goalNodeKey;
   return env;
 }
+function allowlistEnv(allowlist) {
+  const env = {};
+  if (allowlist?.tools?.length)
+    env.LOOPS_AGENT_ALLOWED_TOOLS = allowlist.tools.join(",");
+  if (allowlist?.commands?.length)
+    env.LOOPS_AGENT_ALLOWED_COMMANDS = allowlist.commands.join(",");
+  if (allowlist?.tools?.length || allowlist?.commands?.length)
+    env.LOOPS_AGENT_ALLOWLIST_ENFORCEMENT = "metadata_only";
+  return env;
+}
 function providerCommand(provider) {
   switch (provider) {
     case "claude":
@@ -2778,7 +2832,8 @@ function commandSpec(target) {
     account: agentTarget.account,
     accountTool: agentTarget.account?.tool ?? accountToolForProvider(agentTarget.provider),
     preflightAnyOf: agentTarget.provider === "cursor" ? ["cursor", "agent"] : undefined,
-    stdin: agentTarget.prompt
+    stdin: agentTarget.prompt,
+    allowlist: agentTarget.allowlist
   };
 }
 function executionEnv(spec, metadata, opts) {
@@ -2790,6 +2845,7 @@ function executionEnv(spec, metadata, opts) {
     Object.assign(env, accountEnv);
   }
   Object.assign(env, spec.env ?? {});
+  Object.assign(env, allowlistEnv(spec.allowlist));
   env.PATH = normalizeExecutionPath(env);
   Object.assign(env, metadataEnv(metadata));
   return env;
@@ -2828,6 +2884,9 @@ function remoteBootstrapLines(spec, metadata) {
       continue;
     lines.push(`export ${key}=${shellQuote(value)}`);
   }
+  for (const [key, value] of Object.entries(allowlistEnv(spec.allowlist))) {
+    lines.push(`export ${key}=${shellQuote(value)}`);
+  }
   return lines;
 }
 function remoteScript(spec, metadata) {
@@ -4577,10 +4636,434 @@ function runDoctor(store) {
     checks
   };
 }
+// src/lib/health.ts
+import { createHash } from "crypto";
+var EVIDENCE_CHARS = 2000;
+var CLASSIFICATIONS = [
+  "rate_limit",
+  "auth",
+  "model_not_found",
+  "context_length",
+  "schema_response_format",
+  "node_init",
+  "timeout",
+  "sigsegv",
+  "skipped_previous_active",
+  "unknown"
+];
+function bounded(value, limit = EVIDENCE_CHARS) {
+  if (!value)
+    return;
+  if (value.length <= limit)
+    return value;
+  return `${value.slice(0, limit)}
+[truncated ${value.length - limit} chars]`;
+}
+function searchableText(run) {
+  return [run.error, run.stderr, run.stdout].filter(Boolean).join(`
+`).toLowerCase();
+}
+function stableFingerprint(parts) {
+  return createHash("sha256").update(parts.join(`
+`)).digest("hex").slice(0, 16);
+}
+function healthRun(run) {
+  return {
+    ...run,
+    error: bounded(run.error),
+    stdout: bounded(run.stdout),
+    stderr: bounded(run.stderr)
+  };
+}
+function classifyRunFailure(run) {
+  if (run.status === "succeeded" || run.status === "running")
+    return;
+  const text = searchableText(run);
+  let classification = "unknown";
+  if (run.status === "timed_out")
+    classification = "timeout";
+  else if (run.status === "skipped" && /previous run still active/.test(text))
+    classification = "skipped_previous_active";
+  else if (/rate limit|too many requests|429\b|quota exceeded/.test(text))
+    classification = "rate_limit";
+  else if (/unauthorized|authentication|auth\b|api key|invalid token|permission denied|401\b|403\b/.test(text))
+    classification = "auth";
+  else if (/model .*not found|model_not_found|unknown model|invalid model|404.*model/.test(text))
+    classification = "model_not_found";
+  else if (/context length|context_length|context window|maximum context|token limit|too many tokens/.test(text))
+    classification = "context_length";
+  else if (/response_format|json schema|schema validation|invalid schema|structured output/.test(text))
+    classification = "schema_response_format";
+  else if (/cannot find module|module not found|node:internal|bun: command not found|node: command not found|npm err!|err_module_not_found/.test(text))
+    classification = "node_init";
+  else if (/sigsegv|segmentation fault|signal 11/.test(text))
+    classification = "sigsegv";
+  return {
+    classification,
+    fingerprint: stableFingerprint([
+      run.loopId,
+      run.loopName,
+      run.status,
+      classification,
+      String(run.exitCode ?? ""),
+      (run.error ?? run.stderr ?? run.stdout ?? "").slice(0, 500)
+    ]),
+    evidence: {
+      error: bounded(run.error),
+      stdout: bounded(run.stdout),
+      stderr: bounded(run.stderr),
+      exitCode: run.exitCode
+    }
+  };
+}
+function targetRoute(loop) {
+  if (loop.target.type === "agent") {
+    return {
+      source: "openloops",
+      kind: "loop_expectation",
+      loopId: loop.id,
+      loopName: loop.name,
+      cwd: loop.target.cwd,
+      provider: loop.target.provider
+    };
+  }
+  if (loop.target.type === "command") {
+    return {
+      source: "openloops",
+      kind: "loop_expectation",
+      loopId: loop.id,
+      loopName: loop.name,
+      cwd: loop.target.cwd
+    };
+  }
+  return {
+    source: "openloops",
+    kind: "loop_expectation",
+    loopId: loop.id,
+    loopName: loop.name
+  };
+}
+function recommendedTask(loop, run, failure, route) {
+  const title = `BUG: open-loops loop failure - ${loop.name}`;
+  const description = [
+    `OpenLoops expectation failed for loop ${loop.name} (${loop.id}).`,
+    `Run: ${run.id}`,
+    `Status: ${run.status}`,
+    `Classification: ${failure.classification}`,
+    `Fingerprint: ${failure.fingerprint}`,
+    route.cwd ? `Route cwd: ${route.cwd}` : undefined,
+    route.provider ? `Provider: ${route.provider}` : undefined,
+    failure.evidence.error ? `Error:
+${failure.evidence.error}` : undefined,
+    failure.evidence.stderr ? `Stderr:
+${failure.evidence.stderr}` : undefined
+  ].filter(Boolean).join(`
+`);
+  const dedupeKey = `openloops:${loop.id}:${failure.fingerprint}`;
+  const tags = ["bug", "openloops", "loop-health", failure.classification];
+  const priority = failure.classification === "auth" || failure.classification === "rate_limit" ? "high" : "medium";
+  return {
+    title,
+    description,
+    priority,
+    tags,
+    dedupeKey,
+    search: { query: dedupeKey },
+    compatibilityFallback: {
+      search: ["todos", "search", dedupeKey, "--json"],
+      add: ["todos", "add", title, "--description", description, "--tag", tags.join(","), "--priority", priority],
+      comment: ["todos", "comment", "<task-id>", description]
+    },
+    futureNativeUpsert: {
+      command: "todos upsert",
+      fields: {
+        title,
+        description,
+        priority,
+        tags,
+        dedupeKey,
+        routeSource: route.source,
+        routeKind: route.kind,
+        routeLoopId: route.loopId,
+        routeLoopName: route.loopName
+      }
+    }
+  };
+}
+function expectationForLoop(store, loop) {
+  const latestRun = store.listRuns({ loopId: loop.id, limit: 1 })[0];
+  const route = targetRoute(loop);
+  if (!latestRun) {
+    return {
+      loop: { id: loop.id, name: loop.name, status: loop.status, nextRunAt: loop.nextRunAt },
+      ok: true,
+      check: { id: "latest-run-succeeded", status: "warn", message: "loop has no recorded runs yet" },
+      route
+    };
+  }
+  if (latestRun.status === "succeeded") {
+    return {
+      loop: { id: loop.id, name: loop.name, status: loop.status, nextRunAt: loop.nextRunAt },
+      ok: true,
+      check: { id: "latest-run-succeeded", status: "pass", message: "latest run succeeded" },
+      latestRun: healthRun(latestRun),
+      route
+    };
+  }
+  const failure = classifyRunFailure(latestRun);
+  return {
+    loop: { id: loop.id, name: loop.name, status: loop.status, nextRunAt: loop.nextRunAt },
+    ok: false,
+    check: { id: "latest-run-succeeded", status: "fail", message: `latest run is ${latestRun.status}` },
+    latestRun: healthRun(latestRun),
+    failure,
+    route,
+    recommendedTask: failure ? recommendedTask(loop, latestRun, failure, route) : undefined
+  };
+}
+function buildHealthReport(store, opts = {}) {
+  const loops = store.listLoops({ includeArchived: opts.includeArchived, limit: opts.limit ?? 200 });
+  const expectations = loops.map((loop) => expectationForLoop(store, loop));
+  const classifications = Object.fromEntries(CLASSIFICATIONS.map((key) => [key, 0]));
+  for (const expectation of expectations) {
+    if (expectation.failure)
+      classifications[expectation.failure.classification] += 1;
+  }
+  const unhealthy = expectations.filter((expectation) => !expectation.ok).length;
+  const warnings = expectations.filter((expectation) => expectation.check.status === "warn").length;
+  return {
+    ok: unhealthy === 0,
+    generatedAt: new Date().toISOString(),
+    summary: {
+      loops: expectations.length,
+      healthy: expectations.length - unhealthy,
+      unhealthy,
+      warnings
+    },
+    classifications,
+    expectations
+  };
+}
+// src/lib/hygiene.ts
+import { basename } from "path";
+var PROVIDER_TOKENS = new Set([
+  "codewith",
+  "claude",
+  "command",
+  "tmux",
+  "codex",
+  "cursor",
+  "opencode",
+  "aicopilot",
+  "agent"
+]);
+var REPO_GENERIC_TOKENS = new Set(["repo", "repoops"]);
+function slugify(value) {
+  return value.normalize("NFKD").replace(/[^\w\s.-]/g, "-").replace(/[_\s.:/]+/g, "-").replace(/[^a-zA-Z0-9-]+/g, "-").replace(/-+/g, "-").replace(/^-|-$/g, "").toLowerCase();
+}
+function repoSlugFromCwd(cwd) {
+  if (!cwd || cwd === process.env.HOME || cwd === "/home/hasna")
+    return "";
+  if (cwd.includes("/.hasna/loops/"))
+    return "";
+  return slugify(basename(cwd));
+}
+function scopeForLoop(loop) {
+  const cwd = loop.target.type === "command" || loop.target.type === "agent" ? loop.target.cwd : undefined;
+  const repoSlug = repoSlugFromCwd(cwd);
+  if (repoSlug)
+    return { scope: "repo", prefix: `repo-${repoSlug}`, scopeSlug: repoSlug };
+  return { scope: "machine", prefix: "machine", scopeSlug: "machine" };
+}
+function taskSlug(loop, scope) {
+  const oldName = loop.name;
+  let nameForParsing = oldName;
+  if (!oldName.includes(":")) {
+    const slug = slugify(oldName);
+    if (scope.scope === "machine" && slug.startsWith("machine-"))
+      nameForParsing = slug.slice("machine-".length);
+    else if (scope.scope === "repo" && slug.startsWith(`repo-${scope.scopeSlug}-`)) {
+      nameForParsing = slug.slice(`repo-${scope.scopeSlug}-`.length);
+    } else
+      nameForParsing = slug;
+  }
+  const parts = [];
+  for (const rawPart of oldName.includes(":") ? oldName.split(":") : [nameForParsing]) {
+    const part = slugify(rawPart);
+    if (!part)
+      continue;
+    if (PROVIDER_TOKENS.has(part) || /^account\d+$/.test(part))
+      continue;
+    if (scope.scope === "repo" && REPO_GENERIC_TOKENS.has(part))
+      continue;
+    let normalized = part;
+    if (scope.scope === "repo" && normalized === scope.scopeSlug)
+      continue;
+    if (scope.scope === "repo" && normalized.startsWith(`${scope.scopeSlug}-`)) {
+      normalized = normalized.slice(scope.scopeSlug.length + 1);
+    }
+    if (normalized)
+      parts.push(normalized);
+  }
+  const deduped = [];
+  for (const token of parts.join("-").split("-").filter(Boolean)) {
+    if (deduped[deduped.length - 1] !== token)
+      deduped.push(token);
+  }
+  return deduped.join("-") || "loop";
+}
+function canonicalName(loop) {
+  const scope = scopeForLoop(loop);
+  let name = `${scope.prefix}-${taskSlug(loop, scope)}`.replace(/-+/g, "-").replace(/^-|-$/g, "");
+  if (name.length > 120)
+    name = `${name.slice(0, 111).replace(/-+$/g, "")}-${loop.id.slice(0, 8)}`;
+  return {
+    id: loop.id,
+    status: loop.status,
+    scope: scope.scope,
+    scopeSlug: scope.scopeSlug,
+    newName: name
+  };
+}
+function ensureUnique(changes) {
+  const used = new Set;
+  for (const change of changes) {
+    let candidate = change.newName;
+    if (!used.has(candidate)) {
+      used.add(candidate);
+      change.newName = candidate;
+      change.changed = change.oldName !== candidate;
+      continue;
+    }
+    const base = candidate.slice(0, 111).replace(/-+$/g, "");
+    candidate = `${base}-${change.id.slice(0, 8)}`;
+    let suffix = 2;
+    while (used.has(candidate)) {
+      const extra = `-${change.id.slice(0, 6)}-${suffix++}`;
+      candidate = `${base.slice(0, 120 - extra.length)}${extra}`;
+    }
+    used.add(candidate);
+    change.newName = candidate;
+    change.changed = change.oldName !== candidate;
+  }
+}
+function managedLoops(store, opts) {
+  const loops = store.listLoops({ includeArchived: Boolean(opts.includeInactive), limit: opts.limit ?? 1000 });
+  if (opts.includeInactive)
+    return loops;
+  if (opts.includeStopped)
+    return loops.filter((loop) => loop.status !== "expired");
+  return loops.filter((loop) => loop.status === "active" || loop.status === "paused");
+}
+function buildNameHygieneReport(store, opts = {}) {
+  const changes = managedLoops(store, opts).map((loop) => {
+    const canonical = canonicalName(loop);
+    return {
+      ...canonical,
+      oldName: loop.name,
+      changed: loop.name !== canonical.newName
+    };
+  });
+  ensureUnique(changes);
+  const changed = changes.filter((change) => change.changed);
+  if (opts.apply) {
+    for (const change of changed)
+      store.renameLoop(change.id, change.newName);
+  }
+  return {
+    ok: changed.length === 0,
+    generatedAt: new Date().toISOString(),
+    applied: Boolean(opts.apply),
+    checked: changes.length,
+    changed: changed.length,
+    changes
+  };
+}
+function baseName(name) {
+  return name.replace(/-(bounded|compact|native)?-?low(?:-\d+m)?$/g, "").replace(/-\d+[mhd]$/g, "").replace(/-(bounded|compact)$/g, "");
+}
+function scheduleKey(schedule) {
+  if (schedule.type === "cron")
+    return `cron:${schedule.expression}`;
+  if (schedule.type === "interval")
+    return `interval:${schedule.everyMs}`;
+  if (schedule.type === "once")
+    return `once:${schedule.at}`;
+  return `dynamic:${schedule.minIntervalMs ?? ""}`;
+}
+function targetCwd(loop) {
+  return loop.target.type === "command" || loop.target.type === "agent" ? loop.target.cwd ?? "" : "";
+}
+function buildDuplicateOverlapReport(store, opts = {}) {
+  const loops = managedLoops(store, { includeInactive: opts.includeInactive, includeStopped: true, limit: opts.limit });
+  const groups = new Map;
+  for (const loop of loops) {
+    const base = baseName(loop.name);
+    const cwd = targetCwd(loop) || undefined;
+    const schedule = scheduleKey(loop.schedule);
+    const key = `${base}|${cwd ?? ""}|${schedule}`;
+    const existing = groups.get(key) ?? { baseName: base, cwd, schedule, loops: [] };
+    existing.loops.push(loop);
+    groups.set(key, existing);
+  }
+  const duplicateGroups = [...groups.entries()].filter(([, group]) => group.loops.length > 1).map(([key, group]) => ({
+    key,
+    baseName: group.baseName,
+    cwd: group.cwd,
+    schedule: group.schedule,
+    loops: group.loops.map((loop) => ({
+      id: loop.id,
+      name: loop.name,
+      status: loop.status,
+      nextRunAt: loop.nextRunAt
+    }))
+  }));
+  return {
+    ok: duplicateGroups.length === 0,
+    generatedAt: new Date().toISOString(),
+    checked: loops.length,
+    groups: duplicateGroups
+  };
+}
+function commandText(loop) {
+  if (loop.target.type !== "command")
+    return "";
+  return [loop.target.command, ...loop.target.args ?? []].join(" ");
+}
+function buildScriptInventoryReport(store, opts = {}) {
+  const scriptsDir = opts.scriptsDir ?? `${process.env.HOME ?? "/home/hasna"}/.hasna/loops/scripts`;
+  const loops = managedLoops(store, { includeInactive: opts.includeInactive, includeStopped: true, limit: opts.limit });
+  const scriptBacked = loops.map((loop) => {
+    const text = commandText(loop);
+    if (!text)
+      return;
+    const matches = [scriptsDir, "/.hasna/loops/scripts/"].filter((needle) => text.includes(needle));
+    if (!matches.length)
+      return;
+    return {
+      id: loop.id,
+      name: loop.name,
+      status: loop.status,
+      cwd: targetCwd(loop) || undefined,
+      command: text.length > 500 ? `${text.slice(0, 500)}...` : text,
+      scriptMatches: [...new Set(matches)]
+    };
+  }).filter((value) => Boolean(value));
+  return {
+    ok: scriptBacked.length === 0,
+    generatedAt: new Date().toISOString(),
+    checked: loops.length,
+    scriptBacked: scriptBacked.length,
+    loops: scriptBacked
+  };
+}
 // package.json
 var package_default = {
   name: "@hasna/loops",
-  version: "0.3.15",
+  version: "0.3.17",
   description: "Persistent local loop and workflow runner for deterministic commands and headless AI coding agents",
   type: "module",
   main: "dist/index.js",
@@ -4671,6 +5154,7 @@ function packageVersion() {
 // src/lib/templates.ts
 var TODOS_TASK_WORKER_VERIFIER_TEMPLATE_ID = "todos-task-worker-verifier";
 var EVENT_WORKER_VERIFIER_TEMPLATE_ID = "event-worker-verifier";
+var BOUNDED_AGENT_WORKER_VERIFIER_TEMPLATE_ID = "bounded-agent-worker-verifier";
 var TEMPLATE_SUMMARIES = [
   {
     id: TODOS_TASK_WORKER_VERIFIER_TEMPLATE_ID,
@@ -4715,6 +5199,28 @@ var TEMPLATE_SUMMARIES = [
       { name: "permissionMode", default: "bypass", description: "Provider permission mode: default, plan, auto, or bypass." },
       { name: "sandbox", default: "danger-full-access", description: "Provider sandbox mode." }
     ]
+  },
+  {
+    id: BOUNDED_AGENT_WORKER_VERIFIER_TEMPLATE_ID,
+    name: "Bounded Agent Worker + Verifier",
+    description: "Create a bounded recurring-agent workflow: one agent performs a narrow objective, then a fresh verifier audits the result with separate account/profile selection.",
+    kind: "workflow",
+    variables: [
+      { name: "objective", required: true, description: "Narrow goal-mode objective for the worker." },
+      { name: "prompt", description: "Optional extra worker prompt details." },
+      { name: "projectPath", required: true, description: "Repository or project working directory." },
+      { name: "provider", default: "codewith", description: "Agent provider: codewith, claude, cursor, opencode, aicopilot, or codex." },
+      { name: "authProfile", description: "Provider-native auth profile, currently Codewith." },
+      { name: "authProfilePool", description: "Comma-separated provider-native auth profiles; worker/verifier are selected deterministically." },
+      { name: "workerAuthProfile", description: "Provider-native auth profile for the worker step." },
+      { name: "verifierAuthProfile", description: "Provider-native auth profile for the verifier step." },
+      { name: "accountPool", description: "Comma-separated OpenAccounts profiles; worker/verifier are selected deterministically." },
+      { name: "model", description: "Provider model." },
+      { name: "variant", description: "Provider reasoning/model effort variant." },
+      { name: "permissionMode", default: "bypass", description: "Provider permission mode: default, plan, auto, or bypass." },
+      { name: "sandbox", default: "danger-full-access", description: "Provider sandbox mode." },
+      { name: "timeoutMs", default: "2700000", description: "Step timeout in milliseconds." }
+    ]
   }
 ];
 function compactJson(value) {
@@ -4901,6 +5407,54 @@ function renderEventWorkerVerifierWorkflow(input) {
     ]
   };
 }
+function renderBoundedAgentWorkerVerifierWorkflow(input) {
+  if (!input.objective?.trim())
+    throw new Error("objective is required");
+  if (!input.projectPath?.trim())
+    throw new Error("projectPath is required");
+  const seed = `${input.projectPath}:${input.objective}`;
+  const timeoutMs = input.timeoutMs && Number.isFinite(input.timeoutMs) ? input.timeoutMs : 45 * 60000;
+  const workerPrompt = [
+    `/goal ${input.objective}`,
+    "",
+    "You are the worker step for a bounded OpenLoops agent workflow.",
+    "Investigate first. Keep scope narrow, use local project/task systems as the source of truth when relevant, preserve unrelated changes, run focused validation, and record concise evidence.",
+    "Do not dispatch or paste prompts into tmux panes. If additional work is required, create or update deduped todos tasks so task-created routing can start a fresh headless workflow.",
+    input.prompt ? "" : undefined,
+    input.prompt
+  ].filter(Boolean).join(`
+`);
+  const verifierPrompt = [
+    `/goal Adversarially verify: ${input.objective}`,
+    "",
+    "You are the verifier step for a bounded OpenLoops agent workflow.",
+    "Use fresh context. Review the worker result for correctness, regressions, missing tests, safety, runaway-agent risk, output bounds, and incomplete evidence.",
+    "If valid, record verification evidence. If invalid, create precise follow-up tasks or comments and leave the original work open. Do not make broad unrelated changes."
+  ].join(`
+`);
+  return {
+    name: input.name ?? `bounded-agent-${stableIndex(seed, 65535).toString(16)}-worker-verifier`,
+    description: `Bounded worker/verifier workflow for ${input.objective.slice(0, 180)}`,
+    version: 1,
+    steps: [
+      {
+        id: "worker",
+        name: "Worker",
+        description: "Execute the bounded objective and record evidence.",
+        target: agentTarget(input, workerPrompt, "worker", seed),
+        timeoutMs
+      },
+      {
+        id: "verifier",
+        name: "Verifier",
+        description: "Adversarially verify the bounded objective result.",
+        dependsOn: ["worker"],
+        target: agentTarget(input, verifierPrompt, "verifier", seed),
+        timeoutMs: Math.min(timeoutMs, 30 * 60000)
+      }
+    ]
+  };
+}
 function renderLoopTemplate(id, values) {
   if (id === TODOS_TASK_WORKER_VERIFIER_TEMPLATE_ID) {
     return renderTodosTaskWorkerVerifierWorkflow({
@@ -4947,6 +5501,27 @@ function renderLoopTemplate(id, values) {
       sandbox: values.sandbox
     });
   }
+  if (id === BOUNDED_AGENT_WORKER_VERIFIER_TEMPLATE_ID) {
+    return renderBoundedAgentWorkerVerifierWorkflow({
+      name: values.name,
+      objective: values.objective ?? "",
+      prompt: values.prompt,
+      projectPath: values.projectPath ?? values.cwd ?? process.cwd(),
+      provider: values.provider,
+      authProfile: values.authProfile,
+      authProfilePool: listVar(values.authProfilePool),
+      workerAuthProfile: values.workerAuthProfile,
+      verifierAuthProfile: values.verifierAuthProfile,
+      account: values.account ? { profile: values.account, tool: values.accountTool } : undefined,
+      accountPool: accountPoolVar(values.accountPool, values.accountTool),
+      model: values.model,
+      variant: values.variant,
+      agent: values.agent,
+      permissionMode: values.permissionMode,
+      sandbox: values.sandbox,
+      timeoutMs: values.timeoutMs ? Number(values.timeoutMs) : undefined
+    });
+  }
   throw new Error(`unknown template: ${id}`);
 }
 function listVar(value) {
@@ -5080,6 +5655,17 @@ function splitList(value) {
   const values = value?.split(",").map((entry) => entry.trim()).filter(Boolean);
   return values?.length ? values : undefined;
 }
+function allowlistFromOpts(opts) {
+  const tools = (opts.allowTool ?? []).flatMap((entry) => splitList(entry) ?? []);
+  const commands = (opts.allowCommand ?? []).flatMap((entry) => splitList(entry) ?? []);
+  if (!tools.length && !commands.length)
+    return;
+  return {
+    tools: tools.length ? tools : undefined,
+    commands: commands.length ? commands : undefined,
+    enforcement: "metadata_only"
+  };
+}
 function accountPoolFromOpts(opts) {
   return splitList(opts.accountPool)?.map((profile) => ({ profile, tool: opts.accountTool }));
 }
@@ -5100,6 +5686,36 @@ function collectValues(value, previous = []) {
   previous.push(value);
   return previous;
 }
+function defaultLoopsProject() {
+  return process.env.LOOPS_TASK_PROJECT || process.env.LOOPS_DATA_DIR || `${process.env.HOME ?? "/home/hasna"}/.hasna/loops`;
+}
+function runLocalCommand(command, args, opts = {}) {
+  const result = spawnSync5(command, args, {
+    input: opts.input,
+    encoding: "utf8",
+    timeout: opts.timeoutMs ?? 30000,
+    maxBuffer: 8 * 1024 * 1024,
+    env: process.env
+  });
+  return {
+    ok: result.status === 0,
+    status: result.status,
+    stdout: result.stdout || "",
+    stderr: result.stderr || "",
+    error: result.error ? String(result.error.message || result.error) : ""
+  };
+}
+function ensureTodosTaskList(project, slug, name, description) {
+  runLocalCommand("todos", ["--project", project, "task-lists", "--add", name, "--slug", slug, "-d", description]);
+  const list = runLocalCommand("todos", ["--project", project, "--json", "task-lists"]);
+  if (!list.ok)
+    throw new Error(list.stderr || list.error || "failed to list todos task lists");
+  const values = JSON.parse(list.stdout || "[]");
+  const found = values.find((entry) => entry.slug === slug);
+  if (!found)
+    throw new Error(`todos task list not found after ensure: ${slug}`);
+  return found.id;
+}
 function eventData(event) {
   const data = event.data;
   if (data && typeof data === "object" && !Array.isArray(data))
@@ -5119,7 +5735,7 @@ function slugSegment(value, fallback = "event") {
   return value.toLowerCase().replace(/[^a-z0-9._:-]+/g, "-").replace(/^-|-$/g, "").slice(0, 80) || fallback;
 }
 function stableSuffix(value) {
-  return createHash("sha256").update(value).digest("hex").slice(0, 12);
+  return createHash2("sha256").update(value).digest("hex").slice(0, 12);
 }
 function taskEventField(data, keys) {
   for (const key of keys) {
@@ -5145,6 +5761,85 @@ function taskEventField(data, keys) {
   }
   return;
 }
+function objectField(value) {
+  return value && typeof value === "object" && !Array.isArray(value) ? value : undefined;
+}
+function nestedObject(input, key) {
+  return objectField(input[key]);
+}
+function taskEventRecords(data, metadata) {
+  const records = [data];
+  const dataTask = nestedObject(data, "task");
+  if (dataTask)
+    records.push(dataTask);
+  const dataPayload = nestedObject(data, "payload");
+  if (dataPayload) {
+    records.push(dataPayload);
+    const payloadTask = nestedObject(dataPayload, "task");
+    if (payloadTask)
+      records.push(payloadTask);
+  }
+  const dataMetadata = nestedObject(data, "metadata");
+  if (dataMetadata)
+    records.push(dataMetadata);
+  records.push(metadata);
+  const metadataTask = nestedObject(metadata, "task");
+  if (metadataTask)
+    records.push(metadataTask);
+  const metadataAutomation = nestedObject(metadata, "automation");
+  if (metadataAutomation)
+    records.push(metadataAutomation);
+  return records;
+}
+function booleanLike(value) {
+  return value === true || value === "true" || value === "1" || value === 1;
+}
+function hasTruthyField(records, keys) {
+  return records.some((record) => keys.some((key) => booleanLike(record[key])));
+}
+function tagsFromValue(value) {
+  if (Array.isArray(value))
+    return value.map((entry) => String(entry).trim()).filter(Boolean);
+  if (typeof value === "string")
+    return value.split(",").map((entry) => entry.trim()).filter(Boolean);
+  return [];
+}
+function taskEventTags(records) {
+  const tags = new Set;
+  for (const record of records) {
+    for (const tag of tagsFromValue(record.tags ?? record.task_tags ?? record.taskTags))
+      tags.add(tag);
+  }
+  return [...tags];
+}
+function taskRouteEligibility(data, metadata) {
+  const records = taskEventRecords(data, metadata);
+  const tags = taskEventTags(records);
+  const hasRouteOptIn = tags.includes("auto:route") || hasTruthyField(records, ["route_enabled", "routeEnabled", "automation_allowed", "automationAllowed", "allowed"]);
+  if (!hasRouteOptIn)
+    return { eligible: false, reason: "missing explicit route opt-in", tags };
+  const status = taskEventField(data, ["status", "task_status", "taskStatus"])?.toLowerCase();
+  if (status && ["blocked", "completed", "done", "cancelled", "canceled", "failed", "archived"].includes(status)) {
+    return { eligible: false, reason: `task status is not routable: ${status}`, tags };
+  }
+  const disallowedTags = tags.filter((tag) => ["no-auto", "manual", "manual-required", "approval-required"].includes(tag));
+  if (disallowedTags.length)
+    return { eligible: false, reason: `task has disallowed tag: ${disallowedTags[0]}`, tags };
+  if (hasTruthyField(records, [
+    "no_auto",
+    "noAuto",
+    "manual",
+    "manual_required",
+    "manualRequired",
+    "requires_approval",
+    "requiresApproval",
+    "approval_required",
+    "approvalRequired"
+  ])) {
+    return { eligible: false, reason: "task metadata requires manual or approval-gated handling", tags };
+  }
+  return { eligible: true, tags };
+}
 async function readEventEnvelopeFromStdin() {
   const raw = process.env.HASNA_EVENT_JSON || await Bun.stdin.text();
   const event = JSON.parse(raw);
@@ -5217,7 +5912,7 @@ addGoalOptions(addAccountOptions(addMachineOptions(addScheduleOptions(create.com
     store.close();
   }
 });
-addGoalOptions(addAccountOptions(addMachineOptions(addScheduleOptions(create.command("agent <name>").description("create a headless coding-agent loop").requiredOption("--provider <provider>", "claude, cursor, codewith, aicopilot, opencode, or codex").requiredOption("--prompt <prompt>", "agent prompt").option("--cwd <dir>", "working directory").option("--model <model>", "model").option("--variant <variant>", "provider-specific model variant or reasoning effort").option("--agent <agent>", "provider-specific agent").option("--auth-profile <profile>", "provider-native auth profile; currently supported for codewith").option("--timeout <duration>", "run timeout").option("--permission-mode <mode>", "provider permission mode: default, plan, auto, or bypass").option("--sandbox <mode>", "provider sandbox: codewith/codex use read-only/workspace-write/danger-full-access; cursor uses enabled/disabled").option("--config-isolation <mode>", "safe or none", "safe"))))).action((name, opts) => {
+addGoalOptions(addAccountOptions(addMachineOptions(addScheduleOptions(create.command("agent <name>").description("create a headless coding-agent loop").requiredOption("--provider <provider>", "claude, cursor, codewith, aicopilot, opencode, or codex").requiredOption("--prompt <prompt>", "agent prompt").option("--cwd <dir>", "working directory").option("--model <model>", "model").option("--variant <variant>", "provider-specific model variant or reasoning effort").option("--agent <agent>", "provider-specific agent").option("--auth-profile <profile>", "provider-native auth profile; currently supported for codewith").option("--timeout <duration>", "run timeout").option("--permission-mode <mode>", "provider permission mode: default, plan, auto, or bypass").option("--sandbox <mode>", "provider sandbox: codewith/codex use read-only/workspace-write/danger-full-access; cursor uses enabled/disabled").option("--allow-tool <name>", "advisory per-session tool allowlist metadata; may be repeated or comma-separated", collectValues, []).option("--allow-command <name>", "advisory per-session command allowlist metadata; may be repeated or comma-separated", collectValues, []).option("--config-isolation <mode>", "safe or none", "safe"))))).action((name, opts) => {
   const provider = opts.provider;
   if (!["claude", "cursor", "codewith", "aicopilot", "opencode", "codex"].includes(provider)) {
     throw new Error("unsupported provider");
@@ -5240,6 +5935,7 @@ addGoalOptions(addAccountOptions(addMachineOptions(addScheduleOptions(create.com
       configIsolation: opts.configIsolation,
       permissionMode: permissionModeFromOpts(opts, provider),
       sandbox: sandboxFromOpts(opts, provider),
+      allowlist: allowlistFromOpts(opts),
       account: accountFromOpts(opts)
     };
     const loop = store.createLoop(baseCreateInput(name, opts, target));
@@ -5305,6 +6001,11 @@ eventsHandle.command("todos-task").description("create a one-shot worker/verifie
   const taskId = taskEventField(data, ["id", "task_id", "taskId"]);
   if (!taskId)
     throw new Error("todos task event is missing task id in data.id, data.task_id, data.task.id, or data.payload.id");
+  const eligibility = taskRouteEligibility(data, metadata);
+  if (!eligibility.eligible) {
+    print({ skipped: true, reason: eligibility.reason, event, taskId, eligibility }, `skipped task ${taskId}: ${eligibility.reason}`);
+    return;
+  }
   const taskTitle = taskEventField(data, ["title", "task_title", "taskTitle"]);
   const taskDescription = taskEventField(data, ["description", "body"]);
   const dataProjectPath = taskEventField(data, ["working_dir", "workingDir", "project_path", "projectPath", "cwd"]);
@@ -5729,6 +6430,172 @@ program.command("runs [idOrName]").option("--limit <n>", "limit", "50").option("
     store.close();
   }
 });
+program.command("expectations [idOrName]").description("evaluate deterministic loop expectations without mutating external task systems").option("--limit <n>", "maximum loops to inspect when no loop is specified", "200").option("--json", "print JSON").action((idOrName, opts) => {
+  const store = new Store;
+  try {
+    const loops = idOrName ? [store.requireLoop(idOrName)] : store.listLoops({ limit: Number(opts.limit) });
+    const values = loops.map((loop) => expectationForLoop(store, loop));
+    if (isJson() || opts.json)
+      console.log(JSON.stringify(idOrName ? values[0] : values, null, 2));
+    else {
+      for (const value of values) {
+        console.log(`${value.ok ? "ok" : "fail"}  ${value.loop.name}  ${value.check.message}`);
+        if (value.failure)
+          console.log(`  classification=${value.failure.classification} fingerprint=${value.failure.fingerprint}`);
+      }
+    }
+    if (values.some((value) => !value.ok))
+      process.exitCode = 1;
+  } finally {
+    store.close();
+  }
+});
+var health = program.command("health").description("summarize loop health and latest-run expectation status").option("--json", "print JSON").action((opts) => {
+  const store = new Store;
+  try {
+    const report = buildHealthReport(store);
+    if (isJson() || opts.json)
+      console.log(JSON.stringify(report, null, 2));
+    else {
+      console.log(`loops=${report.summary.loops} healthy=${report.summary.healthy} unhealthy=${report.summary.unhealthy} warnings=${report.summary.warnings}`);
+      for (const expectation of report.expectations.filter((entry) => !entry.ok)) {
+        console.log(`fail  ${expectation.loop.name}  ${expectation.failure?.classification ?? "unknown"}  ${expectation.failure?.fingerprint ?? "-"}`);
+      }
+    }
+    if (!report.ok)
+      process.exitCode = 1;
+  } finally {
+    store.close();
+  }
+});
+health.command("route-tasks").description("upsert deduped todos tasks for failed loop health expectations").option("--project <path>", "todos project path", defaultLoopsProject()).option("--task-list <slug>", "todos task-list slug", "loop-error-self-heal").option("--limit <n>", "maximum loops to inspect", "200").option("--max-actions <n>", "maximum todos tasks to upsert", "5").option("--dry-run", "print intended task upserts without mutating todos").option("--json", "print JSON").action((opts) => {
+  const store = new Store;
+  try {
+    const report = buildHealthReport(store, { limit: Number(opts.limit) });
+    const failures = report.expectations.filter((entry) => !entry.ok && entry.recommendedTask).slice(0, Number(opts.maxActions));
+    const listId = opts.dryRun ? undefined : ensureTodosTaskList(opts.project, opts.taskList, "Loop Error Self Heal", "Deduped OpenLoops health expectation failures routed by loops health route-tasks.");
+    const actions = failures.map((expectation) => {
+      const task = expectation.recommendedTask;
+      const metadata = {
+        source: "openloops.health.route-tasks",
+        loop_id: expectation.loop.id,
+        loop_name: expectation.loop.name,
+        run_id: expectation.latestRun?.id,
+        classification: expectation.failure?.classification,
+        fingerprint: task.dedupeKey,
+        no_tmux_dispatch: true
+      };
+      if (opts.dryRun) {
+        return { action: "would-upsert", title: task.title, fingerprint: task.dedupeKey, priority: task.priority, metadata };
+      }
+      const result = runLocalCommand("todos", [
+        "--project",
+        opts.project,
+        "--json",
+        "task",
+        "upsert",
+        "--fingerprint",
+        task.dedupeKey,
+        "--title",
+        task.title,
+        "-d",
+        task.description,
+        "--priority",
+        task.priority,
+        "--status",
+        "pending",
+        "--list",
+        listId,
+        "--tags",
+        task.tags.join(","),
+        "--metadata-json",
+        JSON.stringify(metadata)
+      ]);
+      if (!result.ok) {
+        return { action: "upsert-failed", fingerprint: task.dedupeKey, error: result.stderr || result.error || result.stdout };
+      }
+      return { action: "upserted", fingerprint: task.dedupeKey, task: JSON.parse(result.stdout || "{}") };
+    });
+    const routed = { ok: actions.every((action) => action.action !== "upsert-failed"), inspected: report.summary.loops, failures: failures.length, actions };
+    if (isJson() || opts.json)
+      console.log(JSON.stringify(routed, null, 2));
+    else {
+      console.log(`health_route_tasks inspected=${routed.inspected} failures=${routed.failures} actions=${actions.length}`);
+      for (const action of actions)
+        console.log(`${action.action} ${action.fingerprint}`);
+    }
+    if (!routed.ok)
+      process.exitCode = 1;
+  } finally {
+    store.close();
+  }
+});
+var hygiene = program.command("hygiene").description("deterministic OpenLoops hygiene checks and safe repairs");
+hygiene.command("names").description("check or apply canonical machine-/repo-prefixed loop names").option("--apply", "rename loops in-place").option("--include-stopped", "include stopped loops").option("--include-inactive", "include stopped, expired, and archived loops").option("--limit <n>", "maximum loops to inspect", "1000").option("--json", "print JSON").action((opts) => {
+  const store = new Store;
+  try {
+    const report = buildNameHygieneReport(store, {
+      apply: Boolean(opts.apply),
+      includeStopped: Boolean(opts.includeStopped),
+      includeInactive: Boolean(opts.includeInactive),
+      limit: Number(opts.limit)
+    });
+    if (isJson() || opts.json)
+      console.log(JSON.stringify(report, null, 2));
+    else {
+      console.log(`hygiene_names checked=${report.checked} changed=${report.changed} applied=${report.applied}`);
+      for (const change of report.changes.filter((entry) => entry.changed)) {
+        console.log(`${report.applied ? "renamed" : "would-rename"} ${change.id} ${change.oldName} -> ${change.newName}`);
+      }
+    }
+    if (!report.ok && !report.applied)
+      process.exitCode = 1;
+  } finally {
+    store.close();
+  }
+});
+hygiene.command("duplicates").description("detect duplicate/overlapping loops with the same canonical name, cwd, and schedule").option("--include-inactive", "include stopped, expired, and archived loops").option("--limit <n>", "maximum loops to inspect", "1000").option("--json", "print JSON").action((opts) => {
+  const store = new Store;
+  try {
+    const report = buildDuplicateOverlapReport(store, {
+      includeInactive: Boolean(opts.includeInactive),
+      limit: Number(opts.limit)
+    });
+    if (isJson() || opts.json)
+      console.log(JSON.stringify(report, null, 2));
+    else {
+      console.log(`hygiene_duplicates checked=${report.checked} groups=${report.groups.length}`);
+      for (const group of report.groups) {
+        console.log(`${group.key}	${group.loops.map((loop) => `${loop.id}:${loop.status}:${loop.name}`).join(",")}`);
+      }
+    }
+    if (!report.ok)
+      process.exitCode = 1;
+  } finally {
+    store.close();
+  }
+});
+hygiene.command("scripts").description("inventory loops still backed by local ~/.hasna/loops/scripts commands").option("--scripts-dir <path>", "script directory to detect").option("--include-inactive", "include stopped, expired, and archived loops").option("--limit <n>", "maximum loops to inspect", "1000").option("--json", "print JSON").action((opts) => {
+  const store = new Store;
+  try {
+    const report = buildScriptInventoryReport(store, {
+      scriptsDir: opts.scriptsDir,
+      includeInactive: Boolean(opts.includeInactive),
+      limit: Number(opts.limit)
+    });
+    if (isJson() || opts.json)
+      console.log(JSON.stringify(report, null, 2));
+    else {
+      console.log(`hygiene_scripts checked=${report.checked} script_backed=${report.scriptBacked}`);
+      for (const loop of report.loops)
+        console.log(`${loop.id}	${loop.status}	${loop.name}	${loop.command}`);
+    }
+    if (!report.ok)
+      process.exitCode = 1;
+  } finally {
+    store.close();
+  }
+});
 program.command("pause <idOrName>").action((idOrName) => updateStatus(idOrName, "paused"));
 program.command("resume <idOrName>").action((idOrName) => updateStatus(idOrName, "active"));
 program.command("stop <idOrName>").action((idOrName) => updateStatus(idOrName, "stopped"));