@hongmaple0820/scale-engine 0.40.1 → 0.43.0

package/scripts/workflow/provider-rehearsal.mjs

@@ -1,9 +1,16 @@
 #!/usr/bin/env node
 import { spawnSync } from 'node:child_process'
-import { existsSync, mkdirSync, readFileSync, rmSync, writeFileSync } from 'node:fs'
+import { cpSync, existsSync, mkdirSync, readFileSync, rmSync, writeFileSync } from 'node:fs'
 import { tmpdir } from 'node:os'
 import { dirname, extname, join, resolve } from 'node:path'
 import { fileURLToPath } from 'node:url'
+import {
+  ensureMirroredGbrainInvocation,
+  normalizeGbrainSpawnResult,
+  resolveDirectWindowsGbrainInvocation,
+  shouldRetryWithMirroredGbrain,
+} from './lib/gbrain-runtime.mjs'
+import { summarizeCommandOutput, summarizeCommandRecord } from './lib/report-output.mjs'
 
 const scriptDir = dirname(fileURLToPath(import.meta.url))
 const repoRoot = resolve(scriptDir, '..', '..')
@@ -12,6 +19,7 @@ const runId = `provider-rehearsal-${Date.now()}-${Math.random().toString(16).sli
 const workRoot = options.outDir ? resolve(options.outDir) : join(tmpdir(), runId)
 const results = []
 const RTK_BYPASS_COMMANDS = new Set(['gbrain'])
+const GRAPHIFY_ALLOWED_HIDDEN_TOP_LEVEL_DIRS = new Set(['.github', '.scale', '.storybook', '.vscode', '.cursor'])
 
 mkdirSync(workRoot, { recursive: true })
 
@@ -27,14 +35,34 @@ try {
 }
 
 function runGbrainReplay() {
-  const healthCheck = runCommand('gbrain-health', 'gbrain', ['list', '-n', '1'], { timeoutMs: 60_000 })
+  const init = runCommand('gbrain-init', 'gbrain', ['init', '--pglite', '--no-embedding'], {
+    timeoutMs: 120_000,
+    env: gbrainCommandEnv(),
+  })
+  if (init.exitCode !== 0) {
+    return capability('gbrain', options.requireGbrain ? 'failed' : 'blocked', {
+      reason: failureLine(`${init.stdout}\n${init.stderr}`) || 'gbrain init failed for the isolated smoke brain',
+      required: options.requireGbrain,
+      commands: [init],
+      nextCommands: [
+        'gbrain init --pglite --no-embedding',
+        'gbrain doctor --json',
+        'npm run smoke:gbrain',
+      ],
+    })
+  }
+
+  const healthCheck = runCommand('gbrain-health', 'gbrain', ['list', '-n', '1'], {
+    timeoutMs: 60_000,
+    env: gbrainCommandEnv(),
+  })
   const health = evaluateGbrainList(healthCheck)
   if (!health.available) {
     return capability('gbrain', options.requireGbrain ? 'failed' : 'blocked', {
       reason: health.reason || failureLine(`${healthCheck.stdout}\n${healthCheck.stderr}`) || 'gbrain health check failed',
       required: options.requireGbrain,
       health,
-      commands: [healthCheck],
+      commands: [init, healthCheck],
       nextCommands: [
         'gbrain init --pglite --no-embedding',
         'gbrain init --supabase',
@@ -50,22 +78,27 @@ function runGbrainReplay() {
   const sentinel = `scale-engine-gbrain-replay-${Date.now()}-${Math.random().toString(16).slice(2)}`
   const body = `# ${slug}. Sentinel: ${sentinel}. This page verifies that SCALE can write memory in one process and read/query it in later processes.`
 
-  const put = runCommand('gbrain-put', 'gbrain', ['put', slug, '--content', body], { timeoutMs: 60_000 })
-  const get = runCommand('gbrain-get', 'gbrain', ['get', slug], { timeoutMs: 8_000 })
-  const query = runCommand('gbrain-query', 'gbrain', ['query', sentinel], { timeoutMs: 8_000 })
+  const put = runCommand('gbrain-put', 'gbrain', ['put', slug, '--content', body], { timeoutMs: 60_000, env: gbrainCommandEnv() })
+  const get = runCommand('gbrain-get', 'gbrain', ['get', slug], { timeoutMs: 8_000, env: gbrainCommandEnv() })
+  const query = runCommand('gbrain-query', 'gbrain', ['query', sentinel], { timeoutMs: 8_000, env: gbrainCommandEnv() })
   const queryOutput = `${query.stdout}\n${query.stderr}`
   const search = query.exitCode === 0 && (queryOutput.includes(sentinel) || queryOutput.includes(slug))
     ? undefined
-    : runCommand('gbrain-search', 'gbrain', ['search', sentinel], { timeoutMs: 8_000 })
-  const cleanup = options.keepGbrainPage ? undefined : runCommand('gbrain-delete', 'gbrain', ['delete', slug], { timeoutMs: 60_000 })
+    : runCommand('gbrain-search', 'gbrain', ['search', sentinel], { timeoutMs: 8_000, env: gbrainCommandEnv() })
+  const cleanup = options.keepGbrainPage ? undefined : runCommand('gbrain-delete', 'gbrain', ['delete', slug], { timeoutMs: 60_000, env: gbrainCommandEnv() })
 
   const recallOutput = `${queryOutput}\n${search?.stdout ?? ''}\n${search?.stderr ?? ''}`
-  const getPassed = (get.exitCode === 0 || get.timedOut) && get.stdout.includes(sentinel)
-  const recallPassed = (query.exitCode === 0 || query.timedOut || search?.exitCode === 0 || search?.timedOut)
+  const getPassed = get.exitCode === 0 && get.stdout.includes(sentinel)
+  const recallPassed = (query.exitCode === 0 || search?.exitCode === 0)
     && (recallOutput.includes(sentinel) || recallOutput.includes(slug))
   const replayPassed = put.exitCode === 0
     && getPassed
     && recallPassed
+  const recoveredCommands = [get, query, search]
+    .filter(Boolean)
+    .filter(command => command.recoveredTimeout)
+    .map(command => command.name)
+  const recoveredTimeouts = replayPassed && recoveredCommands.length > 0
 
   return capability('gbrain', replayPassed ? 'passed' : 'failed', {
     reason: replayPassed
@@ -73,10 +106,17 @@ function runGbrainReplay() {
       : 'gbrain was configured, but write/get/query replay did not prove recall',
     required: options.requireGbrain,
     health,
+    degraded: false,
+    recoveredTimeouts,
+    recoveredCommands,
     sentinel,
     slug,
-    commands: [healthCheck, put, get, query, search, cleanup].filter(Boolean),
-    nextCommands: replayPassed ? [] : ['gbrain doctor --json', `gbrain get ${slug}`, `gbrain query ${sentinel}`],
+    commands: summarizeCommands([init, healthCheck, put, get, query, search, cleanup]),
+    notes: recoveredCommands.map(name => `${name} returned complete output after Bun shutdown recovery`),
+    warnings: [],
+    nextCommands: replayPassed
+      ? []
+      : ['gbrain doctor --json', `gbrain get ${slug}`, `gbrain query ${sentinel}`],
   })
 }
 
@@ -107,9 +147,9 @@ function runGraphifyRehearsal() {
     })
   }
 
-  const projectPath = resolve(options.largeProject)
-  const graphOut = options.semanticExtract ? resolve(workRoot, 'graphify-out') : join(projectPath, 'graphify-out')
-  if (options.semanticExtract) mkdirSync(graphOut, { recursive: true })
+  const sourceProjectPath = resolve(options.largeProject)
+  const projectPath = prepareGraphifyProject(sourceProjectPath)
+  const graphOut = join(projectPath, 'graphify-out')
   const extractCommand = options.semanticExtract ? 'extract' : 'update'
   const extractArgs = options.semanticExtract
     ? ['extract', projectPath, '--out', graphOut]
@@ -131,7 +171,7 @@ function runGraphifyRehearsal() {
       nextCommands: [
         'graphify install --platform codex',
         'graphify hook status',
-        `graphify update ${quoteArg(projectPath)} --no-cluster`,
+        `graphify update ${quoteArg(sourceProjectPath)} --no-cluster`,
         'Use --semantic-extract only when semantic LLM extraction is explicitly allowed.',
       ],
     })
@@ -171,11 +211,12 @@ function runGraphifyRehearsal() {
       ? `graphify ${extractCommand} built a real project graph and answered a graph query`
       : 'graphify generated an artifact but graph stats or query validation failed',
     required: options.requireGraphify,
-    project: projectPath,
+    project: sourceProjectPath,
+    analyzedProject: projectPath,
     mode: options.semanticExtract ? 'semantic-extract' : 'ast-update-no-llm',
     graphPath,
     stats,
-    commands: [help, extract, query, benchmark, globalAdd].filter(Boolean),
+    commands: summarizeCommands([help, extract, query, benchmark, globalAdd]),
     nextCommands: passed ? [] : [`graphify query ${quoteArg(options.graphifyQuestion)} --graph ${quoteArg(graphPath)}`],
   })
 }
@@ -250,6 +291,15 @@ function buildReport(capabilities) {
   }
 }
 
+function gbrainCommandEnv() {
+  return {
+    ...process.env,
+    GBRAIN_HOME: join(workRoot, 'gbrain-home'),
+    GBRAIN_AUDIT_DIR: join(workRoot, 'gbrain-audit'),
+    GBRAIN_NO_BANNER: '1',
+  }
+}
+
 function writeReport(report) {
   const target = options.reportFile
     ? resolve(options.reportFile)
@@ -259,6 +309,10 @@ function writeReport(report) {
   writeFileSync(target, `${JSON.stringify(report, null, 2)}\n`, 'utf8')
 }
 
+function summarizeCommands(commands) {
+  return commands.filter(Boolean).map(command => summarizeCommandRecord(command))
+}
+
 function runCommand(name, command, args, opts = {}) {
   const invocation = opts.wrapRtk === false
     ? { command, args, wrapped: false }
@@ -274,20 +328,21 @@ function runCommand(name, command, args, opts = {}) {
     timeout: opts.timeoutMs ?? options.timeoutMs,
     maxBuffer: 80 * 1024 * 1024,
   })
-  const stdout = String(result.stdout ?? '')
-  const stderr = String(result.stderr ?? '') + (result.error ? `\n${result.error.message}` : '')
-  const exitCode = typeof result.status === 'number' ? result.status : 1
-  const timedOut = /ETIMEDOUT/i.test(String(result.error?.message ?? ''))
+  const normalized = command === 'gbrain'
+    ? normalizeGbrainSpawnResult(args, result)
+    : normalizeSpawnResult(result)
+  const { stdout, stderr, exitCode, timedOut, recoveredTimeout } = normalized
   const entry = {
     name,
     command: commandLine,
     wrappedByRtk: invocation.wrapped,
     exitCode,
     timedOut,
+    recoveredTimeout,
     startedAt,
     endedAt: new Date().toISOString(),
-    stdoutTail: tail(stdout),
-    stderrTail: tail(stderr),
+    stdoutTail: summarizeCommandOutput(name, 'stdout', stdout),
+    stderrTail: summarizeCommandOutput(name, 'stderr', stderr),
   }
   results.push(entry)
   return { ...entry, stdout, stderr }
@@ -317,17 +372,65 @@ function removeGeneratedGraphJson(graphOut) {
   rmSync(join(outputDir, 'graph.json'), { force: true })
 }
 
+function prepareGraphifyProject(sourceProjectPath) {
+  const snapshotPath = join(workRoot, 'graphify-project')
+  rmSync(snapshotPath, { recursive: true, force: true })
+  cpSync(sourceProjectPath, snapshotPath, {
+    recursive: true,
+    force: true,
+    filter: sourcePath => shouldIncludeGraphifySnapshotPath(sourceProjectPath, sourcePath),
+  })
+  return snapshotPath
+}
+
+function shouldIncludeGraphifySnapshotPath(sourceProjectPath, sourcePath) {
+  const relativePath = sourcePath.slice(sourceProjectPath.length).replace(/^[\\/]+/, '')
+  if (!relativePath) return true
+  const segments = relativePath.split(/[\\/]+/)
+  if (segments[0].startsWith('.') && !GRAPHIFY_ALLOWED_HIDDEN_TOP_LEVEL_DIRS.has(segments[0])) return false
+  if (segments.some(segment => ['.git', '.codegraph', 'node_modules', '.tmp', 'graphify-out', 'dist', 'coverage'].includes(segment))) {
+    return false
+  }
+  for (let index = 0; index < segments.length - 1; index += 1) {
+    if (segments[index] === '.scale' && ['reports', 'ai-os', 'runtime', 'model-usage', 'cache', 'events'].includes(segments[index + 1])) {
+      return false
+    }
+  }
+  return true
+}
+
 function wrapWithRtk(command, args) {
   if (RTK_BYPASS_COMMANDS.has(command)) return { command, args, wrapped: false }
   if (!options.useRtk || command === 'rtk' || !commandExists('rtk')) return { command, args, wrapped: false }
   return { command: 'rtk', args: [command, ...args], wrapped: true }
 }
 
+function normalizeSpawnResult(result) {
+  const stdout = String(result.stdout ?? '')
+  const stderr = `${String(result.stderr ?? '')}${result.error ? `\n${result.error.message}` : ''}`.trim()
+  return {
+    stdout,
+    stderr,
+    exitCode: typeof result.status === 'number' ? result.status : 1,
+    timedOut: /ETIMEDOUT/i.test(String(result.error?.message ?? '')),
+    recoveredTimeout: false,
+  }
+}
+
 function spawnStructured(command, args, options) {
-  const direct = resolveDirectWindowsInvocation(command, args)
+  const direct = resolveDirectWindowsGbrainInvocation(command, args, resolveCommandPath)
   if (direct) {
-    return spawnSync(direct.command, direct.args, {
+    const result = spawnSync(direct.command, direct.args, {
       ...options,
+      cwd: options.cwd ?? direct.cwd,
+      shell: false,
+      windowsHide: true,
+    })
+    if (!shouldRetryWithMirroredGbrain(direct, result)) return result
+    const mirrored = ensureMirroredGbrainInvocation(direct)
+    return spawnSync(mirrored.command, mirrored.args, {
+      ...options,
+      cwd: options.cwd ?? mirrored.cwd,
       shell: false,
       windowsHide: true,
     })
@@ -348,24 +451,6 @@ function spawnStructured(command, args, options) {
   })
 }
 
-function resolveDirectWindowsInvocation(command, args) {
-  if (process.platform !== 'win32' || command !== 'gbrain') return null
-  const gbrainShim = resolveCommandPath('gbrain')
-  if (!gbrainShim || !/\.cmd$/i.test(gbrainShim) || !existsSync(gbrainShim)) return null
-  try {
-    const content = readFileSync(gbrainShim, 'utf8')
-    const cliPath = content.match(/"([^"]*gbrain[^"]*src[\\/]cli\.ts)"/i)?.[1]
-    const bunShim = resolveCommandPath('bun')
-    const bunExe = bunShim ? join(dirname(bunShim), 'node_modules', 'bun', 'bin', 'bun.exe') : ''
-    if (cliPath && bunExe && existsSync(bunExe)) {
-      return { command: bunExe, args: [cliPath, ...args] }
-    }
-  } catch {
-    return null
-  }
-  return null
-}
-
 function resolveWindowsCommandShim(command) {
   if (process.platform !== 'win32') return command
   if (!/[\\/]/.test(command) || extname(command)) return command
@@ -510,7 +595,3 @@ function quoteArg(value) {
 function powershellQuote(value) {
   return `'${String(value).replace(/'/g, "''")}'`
 }
-
-function tail(value, max = 4000) {
-  return value.length > max ? value.slice(-max) : value
-}

package/scripts/workflow/setup-smoke.mjs

@@ -1,9 +1,16 @@
 #!/usr/bin/env node
 import { spawnSync } from 'node:child_process'
-import { existsSync, mkdirSync, rmSync } from 'node:fs'
+import { existsSync, mkdirSync, rmSync, writeFileSync } from 'node:fs'
 import { tmpdir } from 'node:os'
 import { dirname, extname, join, resolve } from 'node:path'
 import { fileURLToPath } from 'node:url'
+import {
+  ensureMirroredGbrainInvocation,
+  normalizeGbrainSpawnResult,
+  resolveDirectWindowsGbrainInvocation,
+  shouldRetryWithMirroredGbrain,
+} from './lib/gbrain-runtime.mjs'
+import { summarizeCommandOutput } from './lib/report-output.mjs'
 
 const scriptDir = dirname(fileURLToPath(import.meta.url))
 const repoRoot = resolve(scriptDir, '..', '..')
@@ -13,12 +20,19 @@ const smokeRoot = options.tempDir
   : mkSmokeRoot()
 const projectDir = join(smokeRoot, 'project')
 const scaleDir = join(smokeRoot, '.scale')
+const homeDir = join(smokeRoot, 'home')
+const appDataDir = join(homeDir, 'AppData', 'Roaming')
+const localAppDataDir = join(homeDir, 'AppData', 'Local')
+const gbrainHomeDir = join(smokeRoot, 'gbrain-home')
+const gbrainAuditDir = join(smokeRoot, 'gbrain-audit')
 const scaleInvocation = parseCommandLine(options.scaleCommand ?? 'node --import tsx src/api/cli.ts')
 const scaleCommand = formatCommand(scaleInvocation.file, scaleInvocation.args)
 const results = []
 
 mkdirSync(projectDir, { recursive: true })
 mkdirSync(scaleDir, { recursive: true })
+mkdirSync(appDataDir, { recursive: true })
+mkdirSync(localAppDataDir, { recursive: true })
 
 try {
   runSetupSmoke()
@@ -33,10 +47,19 @@ try {
 function runSetupSmoke() {
   const baseEnv = {
     ...process.env,
+    HOME: homeDir,
+    USERPROFILE: homeDir,
+    APPDATA: appDataDir,
+    LOCALAPPDATA: localAppDataDir,
     SCALE_DIR: scaleDir,
     SCALE_PROJECT_DIR: projectDir,
     SCALE_LOG_LEVEL: '',
+    GBRAIN_HOME: gbrainHomeDir,
+    GBRAIN_AUDIT_DIR: gbrainAuditDir,
+    GBRAIN_NO_BANNER: '1',
   }
+  initProject(baseEnv)
+  initIsolatedGbrain(baseEnv)
 
   const zh = runCommand('bootstrap-ui-zh', ['bootstrap', 'deps', '--dir', projectDir, '--pack', 'ui', '--lang', 'zh'], baseEnv)
   assertIncludes(zh.stdout, 'SCALE 依赖安装计划', 'Chinese bootstrap output should use Chinese title')
@@ -64,6 +87,7 @@ function runSetupSmoke() {
   const envDoctor = runJson('doctor-env-json', ['doctor', 'env', '--json'], baseEnv)
   assert(envDoctor.ok === true, 'environment doctor should pass when required core commands are available')
   assertArrayContains(envDoctor.checks?.map(check => check.id), ['git', 'npm', 'npx', 'rtk', 'gbrain', 'graphify', 'codegraph'], 'environment doctor should report core and third-party commands')
+  assert(envDoctor.checks?.find(check => check.id === 'gbrain')?.status === 'ok', 'environment doctor should validate gbrain when an isolated brain is initialized')
 
   const localMemory = runJson('setup-memory-scale-local-json', [
     'setup',
@@ -97,11 +121,107 @@ function runSetupSmoke() {
   assert(gbrainMemory.memoryProviderSwitch?.mode === 'external-first', 'gbrain provider should support external-first mode')
   assert(gbrainMemory.memoryProviderSwitch?.nextOrder?.[0] === 'gbrain', 'gbrain should become the first provider')
 
+  const apply = runJson('setup-governed-apply-json', [
+    'setup',
+    '--dir',
+    projectDir,
+    '--pack',
+    'external-cli,memory,knowledge',
+    '--apply',
+    '--memory-provider',
+    'gbrain',
+    '--memory-mode',
+    'external-first',
+    '--json',
+  ], baseEnv)
+  assert(apply.final?.ok === true, 'setup apply should succeed for external-cli, memory, and knowledge packs')
+  assert(apply.final?.complete === true, 'setup apply should leave the selected packs fully installed')
+  assert(apply.final?.summary?.needsInit === 0, 'setup apply should not leave RTK, GBrain, Graphify, or CodeGraph uninitialized')
+  assert(apply.memoryProviderSwitch?.provider === 'gbrain', 'setup apply should keep gbrain as the selected provider')
+  assert(existsSync(join(projectDir, '.codegraph')), 'setup apply should initialize a CodeGraph index in the target project')
+  assert(existsSync(join(projectDir, 'graphify-out', 'graph.json')), 'setup apply should generate a Graphify graph artifact without LLM usage')
+  assert(existsSync(join(projectDir, '.git', 'hooks', 'post-commit')), 'setup apply should install the Graphify post-commit hook')
+  assert(existsSync(join(projectDir, '.git', 'hooks', 'post-checkout')), 'setup apply should install the Graphify post-checkout hook')
+  assert(
+    ['installed', 'installed-now'].includes(apply.final?.items?.find(item => item.id === 'rtk')?.status),
+    'setup apply should leave RTK in an installed state after Codex initialization',
+  )
+  assert(
+    ['installed', 'installed-now'].includes(apply.final?.items?.find(item => item.id === 'graphify')?.status),
+    'setup apply should leave Graphify in an installed state after hook and graph initialization',
+  )
+  assert((apply.final?.postCheckSummary?.warned ?? 0) === 0, 'setup apply should not leave memory/code post-checks in a warned state')
+
+  const verify = runJson('setup-governed-verify-json', [
+    'setup',
+    '--verify',
+    '--dir',
+    projectDir,
+    '--pack',
+    'external-cli,memory,knowledge',
+    '--json',
+  ], baseEnv)
+  assert(verify.ok === true, 'setup verify should pass after governed apply in the isolated home')
+  assert((verify.summary?.blockingIssues?.length ?? 0) === 0, 'setup verify should not report any blocking dependency issues after apply')
+
   const codegraph = runJson('codegraph-status-json', ['codegraph', 'status', '--dir', repoRoot, '--json'], baseEnv)
   assertArrayContains(codegraph.providers?.map(provider => provider.id), ['codegraph', 'graphify'], 'codegraph status should expose CodeGraph and Graphify providers')
   assert(typeof codegraph.projectIndexExists === 'boolean', 'codegraph status should report project index state')
 }
 
+function initProject(env) {
+  writeFileSync(join(projectDir, 'AGENTS.md'), '# Setup smoke project\n', 'utf-8')
+  writeFileSync(join(projectDir, 'smoke.ts'), 'export const setupSmoke = "ready"\n', 'utf-8')
+  const result = spawnStructured('git', ['init'], {
+    cwd: projectDir,
+    env,
+    encoding: 'utf8',
+    timeout: options.timeoutMs,
+    maxBuffer: 20 * 1024 * 1024,
+  })
+  const stdout = String(result.stdout ?? '')
+  const stderr = String(result.stderr ?? '')
+  results.push({
+    name: 'git-init-project',
+    command: 'git init',
+    exitCode: typeof result.status === 'number' ? result.status : 1,
+    startedAt: new Date().toISOString(),
+    endedAt: new Date().toISOString(),
+    stdoutTail: summarizeCommandOutput('git-init-project', 'stdout', stdout),
+    stderrTail: summarizeCommandOutput('git-init-project', 'stderr', stderr + (result.error ? `\n${result.error.message}` : '')),
+  })
+  if (result.status !== 0) {
+    throw new Error(`git-init-project failed with exit code ${result.status ?? 1}\n${stderr || stdout}`)
+  }
+}
+
+function initIsolatedGbrain(env) {
+  const startedAt = new Date().toISOString()
+  const result = spawnStructured('gbrain', ['init', '--pglite', '--no-embedding'], {
+    cwd: repoRoot,
+    env,
+    encoding: 'utf8',
+    timeout: options.timeoutMs,
+    maxBuffer: 20 * 1024 * 1024,
+  })
+  const normalized = normalizeGbrainSpawnResult(['init', '--pglite', '--no-embedding'], result)
+  const { stdout, stderr, exitCode, timedOut, recoveredTimeout } = normalized
+  results.push({
+    name: 'gbrain-init-isolated-home',
+    command: 'gbrain init --pglite --no-embedding',
+    exitCode,
+    timedOut,
+    recoveredTimeout,
+    startedAt,
+    endedAt: new Date().toISOString(),
+    stdoutTail: summarizeCommandOutput('gbrain-init-isolated-home', 'stdout', stdout),
+    stderrTail: summarizeCommandOutput('gbrain-init-isolated-home', 'stderr', stderr),
+  })
+  if (exitCode !== 0) {
+    throw new Error(`gbrain-init-isolated-home failed with exit code ${exitCode}\n${summarizeCommandOutput('gbrain-init-isolated-home', 'stderr', stderr) || summarizeCommandOutput('gbrain-init-isolated-home', 'stdout', stdout)}`)
+  }
+}
+
 function runJson(name, args, env) {
   const result = runCommand(name, args, env)
   try {
@@ -132,8 +252,8 @@ function runCommand(name, args, env) {
     exitCode,
     startedAt,
     endedAt: new Date().toISOString(),
-    stdoutTail: tail(stdout),
-    stderrTail: tail(stderr + (result.error ? `\n${result.error.message}` : '')),
+    stdoutTail: summarizeCommandOutput(name, 'stdout', stdout),
+    stderrTail: summarizeCommandOutput(name, 'stderr', stderr + (result.error ? `\n${result.error.message}` : '')),
   }
   results.push(entry)
   if (exitCode !== 0) {
@@ -143,6 +263,23 @@ function runCommand(name, args, env) {
 }
 
 function spawnStructured(command, args, options) {
+  const direct = resolveDirectWindowsGbrainInvocation(command, args, resolveCommandPath)
+  if (direct) {
+    const result = spawnSync(direct.command, direct.args, {
+      ...options,
+      cwd: options.cwd ?? direct.cwd,
+      shell: false,
+      windowsHide: true,
+    })
+    if (!shouldRetryWithMirroredGbrain(direct, result)) return result
+    const mirrored = ensureMirroredGbrainInvocation(direct)
+    return spawnSync(mirrored.command, mirrored.args, {
+      ...options,
+      cwd: options.cwd ?? mirrored.cwd,
+      shell: false,
+      windowsHide: true,
+    })
+  }
   const resolved = resolveWindowsCommandShim(resolveCommandPath(command) ?? command)
   if (process.platform === 'win32' && /\.(cmd|bat)$/i.test(resolved)) {
     const comspec = process.env.ComSpec || 'cmd.exe'
@@ -200,7 +337,7 @@ function parseArgs(args) {
     else if (arg === '--temp-dir') parsed.tempDir = args[++index]
     else if (arg === '--timeout-ms') parsed.timeoutMs = Number.parseInt(args[++index] ?? '', 10)
     else if (arg === '--help' || arg === '-h') {
-      process.stdout.write(`Usage: node scripts/workflow/setup-smoke.mjs [--scale-command "scale"] [--keep-temp] [--verbose]\n`)
+      process.stdout.write('Usage: node scripts/workflow/setup-smoke.mjs [--scale-command "scale"] [--keep-temp] [--verbose]\n')
       process.exit(0)
     } else {
       throw new Error(`Unknown argument: ${arg}`)
@@ -288,12 +425,9 @@ function writeSummary(status, error) {
     repoRoot,
     projectDir,
     scaleDir,
+    homeDir,
     results,
     error: error ? String(error.stack ?? error.message ?? error) : undefined,
   }
   process.stdout.write(`${JSON.stringify(report, null, 2)}\n`)
 }
-
-function tail(value, max = 4000) {
-  return value.length > max ? value.slice(-max) : value
-}

package/docs/ACTIVE_SECURITY_VISUAL_GATES.md

@@ -1,87 +0,0 @@
-# Active Security And Visual Gates
-
-SCALE V2 adds two optional verification layers for projects that can provide a runnable local target:
-
-- `ActiveRedTeam`: bounded dynamic security probes for configured HTTP targets.
-- `VisualGate`: structured visual review evidence for UI routes and UI specs.
-
-Both are conditional. A library or backend project with no runtime target should not pay the cost.
-
-## Active Security
-
-Active security is configured under `.scale/verification.json`:
-
-```json
-{
-  "security": {
-    "active": {
-      "enabled": true,
-      "baseUrl": "http://localhost:3000",
-      "startCommand": "npm run dev",
-      "targets": ["/api/login", "/api/users"],
-      "timeoutMs": 5000,
-      "maxRequests": 20
-    }
-  }
-}
-```
-
-Behavior:
-
-- missing or disabled config returns `SKIPPED`
-- invalid enabled config returns `FAILED` before sending probes
-- probes are capped by `maxRequests`
-- every request has a timeout
-- reflected probe payloads are `HIGH` findings and block
-- request errors and server errors are recorded as findings, but only configured blocker severity should fail the gate
-
-The first implementation exposes `runActiveRedTeam()` as a library API. It does not start a server by itself yet. CLI orchestration can wire `startCommand` later, but startup failure must become a `FAILED` result when that runner is added.
-
-## Visual Gate
-
-Visual verification is configured under `.scale/verification.json`:
-
-```json
-{
-  "visual": {
-    "enabled": true,
-    "baseUrl": "http://localhost:5173",
-    "specPath": "docs/ui/UI-SPEC.md",
-    "routes": ["/", "/settings"],
-    "reportPath": "docs/worklog/tasks/TASK-123/visual-report.json",
-    "blockingSeverities": ["critical", "high"]
-  }
-}
-```
-
-`VisualGate` consumes a structured report:
-
-```json
-{
-  "screenshots": [
-    { "route": "/", "path": "screenshots/home.png" }
-  ],
-  "findings": [
-    {
-      "severity": "high",
-      "route": "/",
-      "message": "Primary action overlaps the navigation bar.",
-      "evidence": "overlap ratio 0.42"
-    }
-  ]
-}
-```
-
-Behavior:
-
-- missing or disabled config passes with a `Visual gate skipped` evidence item
-- enabled config requires `baseUrl`, `specPath`, `routes`, and `reportPath`
-- missing or invalid visual report fails
-- default blockers are `critical` and `high`
-- VLM comments may be recorded in the report, but the gate blocks only on structured severity thresholds
-
-## Gate Numbering
-
-`VisualGate` uses `G9` when explicitly registered. It is not registered by default because meta governance also uses the G9-G15 range. Projects should register it only in UI verification profiles or dedicated task flows.
-
-Active security remains a security sub-check instead of a fractional gate number. It belongs under the broader G7 security lifecycle when wired into a concrete workflow.