@hybridaione/hybridclaw 0.4.0 → 0.4.3

package/AGENTS.md

@@ -1,5 +1,84 @@
 # AGENTS.md
 
+## Scope
+
+This file is the canonical repo-level instruction set for coding agents working
+in HybridClaw.
+
+- Follow this file first.
+- If a deeper directory contains its own `AGENTS.md`, that file overrides this
+  one for its subtree.
+- Keep `CLAUDE.md` aligned with this file. `CLAUDE.md` should only carry
+  tool-specific deltas.
+
+## Project Map
+
+- `src/` core CLI, gateway, providers, auth, audit, scheduler, and runtime
+  wiring
+- `container/` sandboxed runtime, tool executor, provider adapters, and
+  container build inputs
+- `skills/` bundled `SKILL.md` skills plus any supporting scripts or reference
+  material
+- `templates/` runtime workspace bootstrap files seeded into agent workspaces
+- `tests/` Vitest suites across unit, integration, e2e, and live coverage
+- `docs/` static site assets and maintainer/development reference docs
+
+## Working Rules
+
+- Keep changes focused. Prefer targeted fixes over broad refactors unless the
+  task requires wider movement.
+- Match the existing TypeScript + ESM patterns already used in the touched area.
+- Update tests and docs when behavior, commands, or repo workflows change.
+- Treat existing uncommitted changes as user work unless you created them.
+- Do not rename or relocate files in `templates/` without updating
+  `src/workspace.ts` and the workspace bootstrap tests.
+
+## Setup And Commands
+
+Prerequisites:
+
+- Node.js 22 (matches CI)
+- npm
+- Docker when working on container-mode behavior or image builds
+
+Common commands:
+
+```bash
+npm install
+npm run setup
+npm run build
+npm run typecheck
+npm run lint
+npm run check
+npm run test:unit
+npm run test:integration
+npm run test:e2e
+npm run test:live
+npm run release:check
+npm --prefix container run lint
+npm --prefix container run release:check
+```
+
+## Testing Expectations
+
+- Docs-only changes: keep links and commands accurate; runtime tests are usually
+  unnecessary.
+- `src/` changes: run `npm run typecheck`, `npm run lint`, and the relevant
+  Vitest suites.
+- `container/` changes: run `npm --prefix container run lint`, `npm run build`,
+  and targeted tests that exercise the runtime boundary.
+- Release or packaging changes: run both release checks and verify versioned
+  docs stay aligned.
+- If you skip a relevant check, state that explicitly in your handoff.
+
+## Documentation Hierarchy
+
+- `README.md` is the end-user and product entry point.
+- `CONTRIBUTING.md` is the human contributor quickstart.
+- `docs/development/` holds deeper maintainer and runtime reference docs.
+- `templates/*.md` are product runtime workspace seed files, not repo
+  contributor onboarding docs.
+
 ## Bump Release
 
 When the user says "bump release":
@@ -10,10 +89,12 @@ When the user says "bump release":
    - `package-lock.json` (root `version` and `packages[""]`)
    - `container/package.json`
    - `container/package-lock.json` (root `version` and `packages[""]`)
-   - any user-facing version text (for example `src/tui.ts` banner).
-3. Move `CHANGELOG.md` release notes from `Unreleased` to the new version heading (or create one).
+   - any user-facing version text (for example `src/tui.ts` banner)
+3. Move `CHANGELOG.md` release notes from `Unreleased` to the new version
+   heading (or create one).
 4. Update `README.md` "latest tag" link/text if present.
 5. Commit with a release chore message (for example `chore: release vX.Y.Z`).
-6. Create annotated git tag `vX.Y.Z`.
-7. Push commit and tag.
-8. Always create/publish a GitHub Release entry for the tag (tags alone do not update the Releases list).
+6. Create an annotated git tag `vX.Y.Z`.
+7. Push the commit and tag.
+8. Always create or publish a GitHub Release entry for the tag. Tags alone do
+   not update the Releases list.

package/CHANGELOG.md

@@ -2,6 +2,55 @@
 
 ## [Unreleased]
 
+## [0.4.3](https://github.com/HybridAIOne/hybridclaw/tree/v0.4.3)
+
+### Added
+
+- **Manual session compaction command**: Added built-in `/compact` support across gateway, TUI, and Discord to archive older transcript history, summarize it into high-confidence session memory, and preserve a recent conversation tail for active context.
+- **Bundled PDF workflow support**: Added a built-in `pdf` skill plus Node-based PDF tooling for text extraction, page rendering, fillable form inspection/filling, and non-fillable overlay workflows, with current-turn PDF context injection for explicit file paths and Discord attachments.
+- **Skill installer commands**: Added `hybridclaw skill list` and `hybridclaw skill install <skill> [install-id]` so bundled skills can advertise optional dependency installers.
+- **Container bind path config**: Added `container.binds` support alongside validated host/container path aliasing so configured external directories can be used safely from sandboxed tools and PDF workflows.
+- **Published coverage badge**: CI now generates and publishes a coverage badge JSON artifact for the README badge and release-health visibility.
+
+### Changed
+
+- **Attachment and media routing**: Gateway/media prompt assembly now distinguishes image attachments from document attachments, prefers current-turn local files for PDFs, and limits native vision injection to actual image inputs.
+- **Contributor documentation structure**: Promoted `AGENTS.md` to the canonical repo-level agent guide, slimmed `CONTRIBUTING.md` into a contributor quickstart, and moved deeper maintainer/runtime references into `docs/development/`.
+- **Host runtime workspace setup**: Host-mode agent workspaces now link package `node_modules`, while runtime path handling and workspace globbing understand configured extra mounts and local scratch paths more reliably.
+- **Release metadata and docs alignment**: The published package now declares `Node 22.x`, README badges point at maintained badge sources, and the docs landing page tracks the current tagged release/version requirements.
+- **Regression coverage**: Added focused unit coverage for memory chunking, gateway startup/health flows, Discord delivery chunking, PDF context handling, and compaction paths.
+
+### Fixed
+
+- **Compaction archive path exposure**: `/compact` responses now show a safe archive reference instead of leaking absolute host filesystem paths in user-facing output.
+- **Workspace bootstrap lifecycle**: `BOOTSTRAP.md` is now removed once onboarding is effectively complete and is not recreated on subsequent starts.
+- **Codex device-code activation flow**: Device-code login now falls back to the default activation URL and tolerates nested pending/authorization error payloads from the auth service.
+- **Runtime-home migration false positive**: Launching HybridClaw from `~/.hybridclaw` no longer treats the runtime `data/` directory as a legacy current-working-directory migration target.
+- **Heartbeat proactive queue cleanup**: Local proactive delivery now drops orphaned heartbeat queue rows instead of trying to route them as real outbound messages.
+- **Coverage badge publishing permissions**: CI now has the repository permissions needed to update the published coverage badge without failing the main workflow.
+
+## [0.4.2](https://github.com/HybridAIOne/hybridclaw/tree/v0.4.2)
+
+### Added
+
+- **Gateway debug tracing**: Added `hybridclaw gateway start|restart --debug` to force debug logging and emit request-stage traces across Discord intake, gateway chat handling, container model calls, and Codex streaming transport.
+
+### Changed
+
+- **Unified configured model catalog**: Discord slash commands, gateway model commands, and TUI model selection now all consume the same deduplicated configured model list derived from runtime config.
+- **Startup path reliability**: TUI now attaches to a reachable gateway without redundant local runtime preflight, and the CLI resolves symlinked installs correctly so globally linked `hybridclaw` commands no longer exit silently.
+
+### Fixed
+
+- **Discord DM trigger suppression**: Greeting-only direct messages are no longer dropped by the guild-oriented auto-suppress filter before they reach the model pipeline.
+- **Container refresh fallback**: Gateway restart now keeps using an existing local image if a stale-image rebuild attempt fails, instead of aborting despite a usable runtime image.
+
+## [0.4.1](https://github.com/HybridAIOne/hybridclaw/tree/v0.4.1)
+
+### Added
+
+- **HybridAI auth commands**: Added `hybridclaw hybridai login`, `status`, and `logout` commands with browser-assisted, headless/manual, and env-import flows backed by the existing `~/.hybridclaw/credentials.json` secrets store.
+
 ## [0.4.0](https://github.com/HybridAIOne/hybridclaw/tree/v0.4.0)
 
 ### Added

package/README.md

@@ -1,5 +1,13 @@
 # HybridClaw
 
+[![CI](https://github.com/HybridAIOne/hybridclaw/actions/workflows/ci.yml/badge.svg)](https://github.com/HybridAIOne/hybridclaw/actions/workflows/ci.yml)
+[![coverage](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/HybridAIOne/hybridclaw/gh-pages/badge/coverage.json)](https://github.com/HybridAIOne/hybridclaw/actions/workflows/ci.yml)
+[![npm](https://img.shields.io/npm/v/@hybridaione/hybridclaw)](https://www.npmjs.com/package/@hybridaione/hybridclaw)
+[![Node](https://img.shields.io/badge/node-22.x-5FA04E?logo=node.js&logoColor=white)](https://nodejs.org/en/download)
+[![License](https://img.shields.io/github/license/HybridAIOne/hybridclaw)](https://github.com/HybridAIOne/hybridclaw/blob/main/LICENSE)
+[![Docs](https://img.shields.io/badge/docs-github%20pages-blue)](https://hybridaione.github.io/hybridclaw/)
+[![Powered by HybridAI](https://img.shields.io/badge/powered%20by-HybridAI-blueviolet)](https://hybridai.one)
+
 <img width="540" height="511" alt="image" src="docs/hero.png" />
 
 Personal AI assistant bot for Discord, powered by [HybridAI](https://hybridai.one).
@@ -11,7 +19,8 @@ npm install -g @hybridaione/hybridclaw
 hybridclaw onboarding
 ```
 
-Latest release: [v0.4.0](https://github.com/HybridAIOne/hybridclaw/releases/tag/v0.4.0)
+Prerequisites: Node.js 22. Docker is recommended when you want the default
+container sandbox.
 
 ## HybridAI Advantage
 
@@ -65,9 +74,24 @@ hybridclaw tui
 
 HybridClaw supports two auth paths:
 
-- `HybridAI API key` via `hybridclaw onboarding`
+- `HybridAI API key` via `hybridclaw hybridai ...` or `hybridclaw onboarding`
 - `OpenAI Codex OAuth` via `hybridclaw codex ...`
 
+HybridAI commands:
+
+```bash
+hybridclaw hybridai login
+hybridclaw hybridai login --device-code
+hybridclaw hybridai login --browser
+hybridclaw hybridai login --import
+hybridclaw hybridai status
+hybridclaw hybridai logout
+```
+
+- `hybridclaw hybridai login` auto-selects browser login on local GUI machines and a manual/headless API-key flow on SSH, CI, and container shells.
+- `hybridclaw hybridai login --import` copies the current `HYBRIDAI_API_KEY` from your shell into `~/.hybridclaw/credentials.json`.
+- HybridAI secrets are stored in `~/.hybridclaw/credentials.json`.
+
 Codex commands:
 
 ```bash
@@ -81,7 +105,6 @@ hybridclaw codex logout
 
 - `hybridclaw codex login` auto-selects browser PKCE on local GUI machines and device code on headless or remote shells.
 - Codex credentials are stored separately in `~/.hybridclaw/codex-auth.json`.
-- HybridAI secrets remain in `~/.hybridclaw/credentials.json`.
 
 ## Model Selection
 
@@ -117,11 +140,17 @@ HybridClaw creates `~/.hybridclaw/config.json` on first run and hot-reloads most
 - Start from `config.example.json` (reference).
 - Runtime state lives under `~/.hybridclaw/` (`config.json`, `credentials.json`, `data/hybridclaw.db`, audit/session files).
 - HybridClaw does not keep runtime state in the current working directory. If `./.env` exists, supported secrets are migrated once into `~/.hybridclaw/credentials.json`.
-- `container.*` controls execution isolation, including `sandboxMode`, `memory`, `memorySwap`, `cpus`, `network`, and additional mounts.
+- `container.*` controls execution isolation, including `sandboxMode`, `memory`, `memorySwap`, `cpus`, `network`, `binds`, and additional mounts.
+- Use `container.binds` for explicit host-to-container mounts in `host:container[:ro|rw]` format. Mounted paths appear inside the sandbox under `/workspace/extra/<container>`.
 - Keep HybridAI secrets in `~/.hybridclaw/credentials.json` (`HYBRIDAI_API_KEY` required for HybridAI models, `DISCORD_TOKEN` optional). Codex OAuth sessions are stored separately in `~/.hybridclaw/codex-auth.json`.
 - Trust-model acceptance is stored in `~/.hybridclaw/config.json` under `security.*` and is required before runtime starts.
 - See [TRUST_MODEL.md](./TRUST_MODEL.md) for onboarding acceptance policy and [SECURITY.md](./SECURITY.md) for technical security guidelines.
-- For advanced configuration, audit/observability details, skills internals, agent tools, and developer docs, see [CONTRIBUTING.md](./CONTRIBUTING.md).
+- For contributor workflow, see [CONTRIBUTING.md](./CONTRIBUTING.md). For deeper runtime, skills, release, and maintainer reference docs, see [docs/development/README.md](./docs/development/README.md).
+
+## Bundled Skills
+
+- `pdf` is bundled and supports text extraction, page rendering, fillable form inspection/filling, and non-fillable overlay workflows.
+- Use `hybridclaw skill list` to inspect available installers and `hybridclaw skill install pdf [install-id]` when a bundled skill advertises optional setup helpers.
 
 ## Commands
 
@@ -133,11 +162,17 @@ CLI runtime commands:
 - `hybridclaw gateway stop` — Stop managed gateway backend process
 - `hybridclaw gateway status` — Show lifecycle/API status
 - `hybridclaw gateway <command...>` — Send a command to a running gateway (for example `sessions`, `bot info`)
+- `hybridclaw gateway compact` — Archive older session history into semantic memory while preserving a recent active context tail
 - `hybridclaw tui` — Start terminal client connected to gateway
 - `hybridclaw onboarding` — Run HybridAI account/API key onboarding
+- `hybridclaw hybridai login [--device-code|--browser|--import]` — Store HybridAI API credentials via browser-assisted, headless/manual, or env-import flows
+- `hybridclaw hybridai status` — Show stored HybridAI auth state, token mask, and source
+- `hybridclaw hybridai logout` — Clear stored HybridAI credentials
 - `hybridclaw codex login [--device-code|--browser|--import]` — Authenticate OpenAI Codex via OAuth or one-time Codex CLI import
 - `hybridclaw codex status` — Show stored Codex auth state, token mask, expiry, and source
 - `hybridclaw codex logout` — Clear stored Codex credentials
+- `hybridclaw skill list` — Show skills and any declared installer options
+- `hybridclaw skill install <skill> [install-id]` — Run a declared skill dependency installer
 - `hybridclaw update [status|--check] [--yes]` — Check for updates and upgrade global npm installs (source checkouts get git-based update instructions)
 - `hybridclaw audit ...` — Verify and inspect structured audit trail (`recent`, `search`, `approvals`, `verify`, `instructions`)
 - `hybridclaw audit instructions [--sync]` — Compare runtime instruction copies under `~/.hybridclaw/instructions/` against installed sources and restore shipped defaults when needed
@@ -148,6 +183,7 @@ In Discord, use `!claw help` to see all commands. Key ones:
 - `!claw bot set <id>` — Set chatbot for this channel
 - `!claw model set <name>` — Set model for this channel
 - `!claw rag on/off` — Toggle RAG
+- `!claw compact` — Archive older history into session memory and keep a recent working tail
 - `!claw clear` — Clear conversation history
 - `!claw audit recent [n]` — Show recent structured audit events
 - `!claw audit verify [sessionId]` — Verify audit hash chain integrity
@@ -158,3 +194,5 @@ In Discord, use `!claw help` to see all commands. Key ones:
 - `!claw schedule add "<cron>" <prompt>` — Add cron scheduled task
 - `!claw schedule add at "<ISO time>" <prompt>` — Add one-shot task
 - `!claw schedule add every <ms> <prompt>` — Add interval task
+
+In the TUI, use `/compact` to trigger the same session compaction flow.

package/config.example.json

@@ -89,10 +89,21 @@
     "cpus": "1",
     "network": "bridge",
     "timeoutMs": 300000,
+    "binds": [],
     "additionalMounts": "",
     "maxOutputBytes": 10485760,
     "maxConcurrent": 5
   },
+  "web": {
+    "search": {
+      "provider": "auto",
+      "fallbackProviders": [],
+      "defaultCount": 5,
+      "cacheTtlMinutes": 5,
+      "searxngBaseUrl": "",
+      "tavilySearchDepth": "advanced"
+    }
+  },
   "heartbeat": {
     "enabled": true,
     "intervalMs": 1800000,

package/container/Dockerfile

@@ -1,10 +1,16 @@
 FROM node:20-slim
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    ripgrep git curl python3 python3-pip \
+    ripgrep git curl python3 python3-pip poppler-utils qpdf \
     && rm -rf /var/lib/apt/lists/*
 
-RUN python3 -m pip install --no-cache-dir --break-system-packages uv
+RUN python3 -m pip install --no-cache-dir --break-system-packages \
+    uv \
+    pypdf==5.4.0 \
+    pdfplumber==0.11.6 \
+    pdf2image==1.17.0 \
+    reportlab==4.4.4 \
+    pillow==11.3.0
 
 WORKDIR /app
 

package/container/dist/approval-policy.js

@@ -1,5 +1,6 @@
 import { createHash, randomUUID } from 'node:crypto';
 import fs from 'node:fs';
+import os from 'node:os';
 import path from 'node:path';
 import { URL } from 'node:url';
 const POLICY_PATH = path.posix.join('/workspace', '.hybridclaw', 'policy.yaml');
@@ -8,6 +9,12 @@ const YELLOW_IMPLICIT_DELAY_MS = 5_000;
 const YELLOW_IMPLICIT_DELAY_SECS = Math.max(1, Math.round(YELLOW_IMPLICIT_DELAY_MS / 1_000));
 const MAX_PROMPT_CHARS = 1_200;
 const MAX_COMMAND_PREVIEW_CHARS = 160;
+const WORKSPACE_ROOT_DISPLAY = '/workspace';
+const WORKSPACE_ROOT_ACTUAL = path.resolve(process.env.HYBRIDCLAW_AGENT_WORKSPACE_ROOT || WORKSPACE_ROOT_DISPLAY);
+const SCRATCH_ROOTS = Array.from(new Set(['/tmp', '/private/tmp', os.tmpdir()]
+    .map((value) => value.trim())
+    .filter(Boolean)
+    .map((value) => path.resolve(value))));
 const DEFAULT_POLICY = {
     pinnedRed: [
         { pattern: 'rm\\s+-rf\\s+/' },
@@ -29,6 +36,7 @@ const WRITE_INTENT_RE = /\b(mkdir|touch|mv|cp|chmod|chown|tee)\b|(^|[^>])>>?[^>]
 const INSTALL_RE = /\b(npm|pnpm|yarn|bun)\s+(install|add)\b/i;
 const GIT_WRITE_RE = /\bgit\s+(add|commit|checkout\s+-b|branch|merge|rebase|tag)\b/i;
 const UNKNOWN_SCRIPT_RE = /(^|\s)(\.[/\\][^\s]+|bash\s+[^\s]+\.sh|zsh\s+[^\s]+\.sh|sh\s+[^\s]+\.sh)(\s|$)/i;
+const READ_ONLY_PDF_SCRIPT_RE = /^\s*node\s+skills\/pdf\/scripts\/(?:extract_pdf_text|check_fillable_fields|extract_form_field_info|extract_form_structure)\.mjs\b/i;
 const READ_ONLY_BASH_RE = /^\s*(ls|pwd|cat|head|tail|wc|rg|grep|find|git\s+(status|log|diff|show)|npm\s+test|pnpm\s+test|yarn\s+test|vitest|pytest|phpunit|node\s+--version|npm\s+--version|pnpm\s+--version|yarn\s+--version)\b/i;
 const NETWORK_COMMAND_RE = /\b(curl|wget|http|https|ssh|scp)\b/i;
 const ABS_PATH_RE = /(^|\s)(\/[^\s"'`;,|&()<>]+)/g;
@@ -411,6 +419,104 @@ function extractAbsolutePaths(input) {
     }
     return [...paths];
 }
+function splitCommandSegments(command) {
+    const segments = [];
+    let current = '';
+    let quote = null;
+    for (let index = 0; index < command.length; index += 1) {
+        const char = command[index];
+        const next = command[index + 1];
+        if (char === "'" && quote !== '"') {
+            quote = quote === "'" ? null : "'";
+            current += char;
+            continue;
+        }
+        if (char === '"' && quote !== "'") {
+            quote = quote === '"' ? null : '"';
+            current += char;
+            continue;
+        }
+        if (!quote) {
+            if (char === ';') {
+                if (current.trim())
+                    segments.push(current.trim());
+                current = '';
+                continue;
+            }
+            if ((char === '&' || char === '|') && next === char) {
+                if (current.trim())
+                    segments.push(current.trim());
+                current = '';
+                index += 1;
+                continue;
+            }
+            if (char === '|') {
+                if (current.trim())
+                    segments.push(current.trim());
+                current = '';
+                continue;
+            }
+        }
+        current += char;
+    }
+    if (current.trim())
+        segments.push(current.trim());
+    return segments;
+}
+function unquotePathToken(rawValue) {
+    const trimmed = rawValue.trim();
+    if ((trimmed.startsWith('"') && trimmed.endsWith('"')) ||
+        (trimmed.startsWith("'") && trimmed.endsWith("'"))) {
+        return trimmed.slice(1, -1);
+    }
+    return trimmed;
+}
+function pushAbsolutePath(output, rawValue) {
+    const candidate = unquotePathToken(String(rawValue || ''));
+    if (!candidate.startsWith('/'))
+        return;
+    output.add(candidate);
+}
+function extractLikelyWritePaths(command) {
+    const paths = new Set();
+    const segments = splitCommandSegments(command);
+    for (const segment of segments) {
+        const segmentAbsPaths = extractAbsolutePaths(segment);
+        for (const match of segment.matchAll(/(?:^|\s)(?:--out|-o)\s+("[^"]+"|'[^']+'|\/[^\s"'`;,|&()<>]+)/g)) {
+            pushAbsolutePath(paths, match[1]);
+        }
+        for (const match of segment.matchAll(/(?:^|[^>])>>?\s*("[^"]+"|'[^']+'|\/[^\s"'`;,|&()<>]+)/g)) {
+            pushAbsolutePath(paths, match[1]);
+        }
+        for (const match of segment.matchAll(/(?:^|\s)tee(?:\s+-a)?\s+("[^"]+"|'[^']+'|\/[^\s"'`;,|&()<>]+)/g)) {
+            pushAbsolutePath(paths, match[1]);
+        }
+        if (/^\s*(mkdir|touch|chmod|chown)\b/i.test(segment)) {
+            for (const candidate of segmentAbsPaths) {
+                paths.add(candidate);
+            }
+        }
+        if (/^\s*(cp|mv)\b/i.test(segment)) {
+            const destination = segmentAbsPaths.at(-1);
+            if (destination)
+                paths.add(destination);
+        }
+    }
+    return [...paths];
+}
+function isWithinResolvedRoot(candidate, root) {
+    const resolvedCandidate = path.resolve(candidate);
+    const resolvedRoot = path.resolve(root);
+    return (resolvedCandidate === resolvedRoot ||
+        resolvedCandidate.startsWith(`${resolvedRoot}${path.sep}`));
+}
+function isWorkspacePath(rawPath) {
+    return (isWithinResolvedRoot(rawPath, WORKSPACE_ROOT_DISPLAY) ||
+        isWithinResolvedRoot(rawPath, WORKSPACE_ROOT_ACTUAL));
+}
+function isScratchPath(rawPath) {
+    return SCRATCH_ROOTS.some((root) => isWithinResolvedRoot(rawPath, root));
+}
 function primaryPathKey(rawPath) {
     const normalized = normalizePathValue(rawPath);
     if (!normalized)
@@ -664,7 +770,13 @@ export class TrustedCoworkerApprovalRuntime {
             : mode === 'agent'
                 ? 'agent trust'
                 : 'once';
-        const replayPrompt = normalizePrompt(target.originalPrompt);
+        const replayPrompt = normalizePrompt([
+            '[Approval already granted]',
+            `The action "${target.intent}" is approved (${modeSummary}). Continue with it now.`,
+            'Do not ask for approval again unless a new blocked action appears.',
+            '',
+            `Original user request: ${target.originalPrompt}`,
+        ].join('\n'));
         return {
             replayPrompt: replayPrompt || undefined,
             approvalMode: mode,
@@ -790,7 +902,9 @@ export class TrustedCoworkerApprovalRuntime {
             reason: classified.reason,
             commandPreview: classified.commandPreview,
             pinned: pinnedByPolicy,
-            implicitDelayMs: tier === 'yellow' ? YELLOW_IMPLICIT_DELAY_MS : undefined,
+            implicitDelayMs: tier === 'yellow' && decision === 'implicit'
+                ? YELLOW_IMPLICIT_DELAY_MS
+                : undefined,
             hostHints: classified.hostHints,
         };
     }
@@ -896,6 +1010,29 @@ export class TrustedCoworkerApprovalRuntime {
                 stickyYellow: false,
             };
         }
+        if (lowerTool === 'message') {
+            const action = normalizeText(args.action).toLowerCase();
+            const readonlyAction = action === 'read' ||
+                action === 'member-info' ||
+                action === 'channel-info';
+            return {
+                tier: readonlyAction ? 'green' : 'yellow',
+                actionKey: action ? `message:${action}` : 'message',
+                intent: `run message${action ? ` ${action}` : ''}`,
+                consequenceIfDenied: action === 'send'
+                    ? 'no message will be sent.'
+                    : 'I will continue without this message lookup.',
+                reason: readonlyAction
+                    ? 'this is a read-only channel operation'
+                    : 'this action may change channel state',
+                commandPreview: normalizePreview(JSON.stringify(args)),
+                pathHints: [],
+                hostHints: [],
+                writeIntent: action === 'send',
+                promotableRed: false,
+                stickyYellow: false,
+            };
+        }
         if (lowerTool === 'delete') {
             const rawPath = normalizeText(args.path);
             const key = rawPath
@@ -941,6 +1078,47 @@ export class TrustedCoworkerApprovalRuntime {
                 stickyYellow: false,
             };
         }
+        if (lowerTool === 'web_search') {
+            const provider = normalizeText(args.provider).toLowerCase();
+            const providerHosts = (() => {
+                switch (provider) {
+                    case 'brave':
+                        return ['api.search.brave.com'];
+                    case 'perplexity':
+                        return ['api.perplexity.ai'];
+                    case 'tavily':
+                        return ['api.tavily.com'];
+                    case 'duckduckgo':
+                        return ['html.duckduckgo.com'];
+                    case 'searxng':
+                        return extractHostScopes(extractHostsFromUrlLikeText(process.env.SEARXNG_BASE_URL || ''));
+                    default:
+                        return [
+                            'api.search.brave.com',
+                            'api.perplexity.ai',
+                            'api.tavily.com',
+                            'html.duckduckgo.com',
+                        ];
+                }
+            })();
+            const primaryHost = providerHosts[0] || 'web-search';
+            const unseen = providerHosts.filter((host) => !this.seenNetworkHosts.has(host));
+            return {
+                tier: unseen.length > 0 ? 'red' : 'yellow',
+                actionKey: `network:${primaryHost}`,
+                intent: `search the web via ${provider || 'configured providers'}`,
+                consequenceIfDenied: 'I will avoid external search providers and continue with local context only.',
+                reason: unseen.length > 0
+                    ? 'this would contact a new external host'
+                    : 'this is an external network action',
+                commandPreview: normalizePreview(JSON.stringify(args)),
+                pathHints: [],
+                hostHints: providerHosts,
+                writeIntent: false,
+                promotableRed: unseen.length > 0,
+                stickyYellow: true,
+            };
+        }
         if (lowerTool === 'web_fetch' || lowerTool === 'browser_navigate') {
             const rawUrl = normalizeText(args.url);
             const hostScopes = extractHostScopes(extractHostsFromUrlLikeText(rawUrl));
@@ -1002,6 +1180,7 @@ export class TrustedCoworkerApprovalRuntime {
         const hosts = extractHostsFromUrlLikeText(command);
         const unseenHosts = hosts.filter((host) => !this.seenNetworkHosts.has(host));
         const absPaths = extractAbsolutePaths(command);
+        const likelyWritePaths = extractLikelyWritePaths(command);
         const writeIntent = WRITE_INTENT_RE.test(command) ||
             DELETE_RE.test(command) ||
             INSTALL_RE.test(command) ||
@@ -1022,7 +1201,10 @@ export class TrustedCoworkerApprovalRuntime {
             };
         }
         if (this.loadedPolicy.workspaceFence && writeIntent) {
-            const outsideWorkspace = absPaths.find((entry) => !entry.startsWith('/workspace') && !entry.startsWith('/dev/null'));
+            const workspaceFencePaths = likelyWritePaths.length > 0 ? likelyWritePaths : absPaths;
+            const outsideWorkspace = workspaceFencePaths.find((entry) => !isWorkspacePath(entry) &&
+                !entry.startsWith('/dev/null') &&
+                !isScratchPath(entry));
             if (outsideWorkspace) {
                 return {
                     tier: 'red',
@@ -1130,6 +1312,21 @@ export class TrustedCoworkerApprovalRuntime {
                 stickyYellow: false,
             };
         }
+        if (READ_ONLY_PDF_SCRIPT_RE.test(command)) {
+            return {
+                tier: 'green',
+                actionKey: 'bash:pdf-read-only',
+                intent: `run read-only PDF command \`${normalizePreview(command)}\``,
+                consequenceIfDenied: 'I will continue without that PDF check.',
+                reason: 'this command only reads PDF content',
+                commandPreview: normalizePreview(command),
+                pathHints: absPaths,
+                hostHints: hosts,
+                writeIntent: false,
+                promotableRed: false,
+                stickyYellow: false,
+            };
+        }
         return {
             tier: 'yellow',
             actionKey: 'bash:other',