@ironbee-ai/cli 0.26.0 → 0.28.0

package/dist/clients/codex/platforms/skill.android.md

@@ -33,6 +33,8 @@ If you see only `ios/`, `web/`, or no mobile directories — the project does NO
      - Read Logcat output for the tag(s) relevant to the changed code: `mcp__android-devtools__adt_o11y_log-read` or `mcp__android-devtools__adt_o11y_log-follow` (drain a follow with `mcp__android-devtools__adt_o11y_log-get-followed`, stop it with `mcp__android-devtools__adt_o11y_log-stop-follow`).
      - Confirm expected log lines appear AND no unexpected crashes (FATAL / E/ entries for the app package).
 
+**Batch (speed):** connect + launch-app run standalone first (prerequisites). On the device-evidence path, batch the UI interactions + the UI snapshot into one `mcp__android-devtools__adt_execute`; the snapshot captures the state after the batched interactions, so to assert an intermediate state take a snapshot at that point too. The device-evidence screenshot is usually pixel-judged (a visual change) — take THAT one standalone with `includeBase64: true` so you can see it; batch it only when it's purely gate evidence. Log-evidence reads batch together too.
+
 ### Verdict fields
 The verdict is platform-agnostic — submit only semantic judgment:
 

package/dist/clients/codex/platforms/skill.backend.md

@@ -13,6 +13,8 @@ The **backend protocol cycle** verifies backend changes by driving real protocol
 
 You can satisfy the cycle via **protocol-call evidence** (you drive the request yourself), **log evidence** (something else drives the request, you read the resulting logs), **DB evidence** (you inspect database state directly), or any combination. Pick whichever fits the task; one is enough.
 
+**Batch (speed):** group consecutive `bedt_*` steps into one `mcp__backend-devtools__bedt_execute` — e.g. a POST then a GET that reuses the created id (bind the first call's result: `const r = callTool('bedt_request_http', {…POST…}); callTool('bedt_request_http', { /* GET using an id from r */ })`), register-source + read, or db-connect + query. Keep a step standalone only when you must inspect its result to DECIDE what to do next, not just to pass a value along.
+
 ### Path A — Protocol-call evidence
 
 1. **Confirm a backend service is running** (the user's dev server, Docker compose, k8s port-forward, …). The agent itself does not start the service — ask the user if uncertain.

package/dist/clients/codex/platforms/skill.browser.md

@@ -14,6 +14,8 @@
 
 All four tools are MANDATORY (the Stop hook checks each). Functional interaction is expected for every verification.
 
+**Batch (speed):** navigate (step 1) is standalone — read the ARIA snapshot it returns to decide your interactions. Then run steps 2–5 in ONE `mcp__browser-devtools__bdt_execute` batch — `callTool('bdt_interaction_…', …)` for each interaction, `callTool('bdt_content_take-screenshot', …)`, `callTool('bdt_a11y_take-aria-snapshot', …)`, `callTool('bdt_o11y_get-console-messages', …)` — instead of four separate turns. Screenshot/aria/console capture the state AFTER the batched interactions, so batch interactions that lead to ONE state you want to assert; to assert an intermediate state (e.g. a modal that opens then closes) take a screenshot/snapshot at that point too — interleave it in the batch or split into two. The interaction is what makes the evidence meaningful: a batch of just the four evidence tools with no real interaction passes the tool-presence check but verifies nothing. If you must judge the screenshot's pixels, take that one standalone with `includeBase64: true`.
+
 ### Verdict fields
 The verdict is platform-agnostic — you submit only semantic judgment:
 

package/dist/clients/codex/platforms/skill.node.md

@@ -31,6 +31,8 @@ If you see `pom.xml`, `build.gradle`, `requirements.txt`, `pyproject.toml`, `go.
      - Read errors: `ndt_debug_get-logs` with the error-level filter.
 4. **Disconnect** (optional): `ndt_debug_disconnect`.
 
+**Batch (speed):** connect (step 2) is standalone discovery. Batch consecutive `ndt_*` calls in one `mcp__node-devtools__ndt_execute` — set several probes together, then later read snapshots/logs together. The exercise step is ALWAYS separate: whatever triggers the code path (a browser/backend call on another server, a CLI command, the user) can't share an `ndt_*` batch — so node runs as set probes (batch) → exercise (separate) → read snapshots (batch).
+
 ### Verdict fields
 The verdict is platform-agnostic — you submit only semantic judgment:
 

package/dist/clients/codex/rules/ironbee-verification.main.md

@@ -0,0 +1,39 @@
+You MUST verify all code changes before completing any task — by driving the IronBee verification tools yourself. This project runs IronBee in **main-agent** mode: the devtools tools (`mcp__browser-devtools__*` / `mcp__node-devtools__*` / `mcp__backend-devtools__*` / `mcp__android-devtools__*`) are wired into THIS session. There is no verifier sub-agent — you verify inline.
+
+Your **Session ID** is injected into your context by the SessionStart hook (a `Session ID: <sid>` line); author it in every `ironbee hook` command's JSON.
+
+After editing code (`apply_patch`), before reporting completion:
+
+1. **Start verification — run this ALONE first** (Codex runs shell and MCP tools in separate lanes, so the open must land before any devtools call):
+   ```
+   echo '{"session_id":"<your-session-id>"}' | ironbee hook verification-start
+   ```
+2. Build and start the app if it isn't already running (don't guess ports). Track what YOU started.
+3. **Drive every active cycle's tools** (browser / runtime / backend / android, as wired up for this project — see the platform sections below) to exercise what changed. Reading code is NOT verification.
+4. Tear down only what you started, then **submit one verdict**:
+   ```
+   echo '{"session_id":"...","status":"pass","checks":["..."]}' | ironbee hook submit-verdict
+   ```
+   On fail add `"issues":[...]`; on pass-after-fail add `"fixes":[...]`. Nothing to verify → N/A (`"status":"not_applicable","reason":[...]`, or per-platform `"not_applicable_cycles":[...]`).
+5. If verification FAILS: submit the fail verdict first, then fix the issues, then re-verify (back to step 1) until it passes.
+
+Every `apply_patch` clears the verdict, requiring re-verification. The Stop gate blocks completion until a valid verdict exists for your changes and the required tools were called for every active cycle.
+
+<!--IRONBEE:PLATFORM:browser-->
+<!--/IRONBEE:PLATFORM:browser-->
+
+<!--IRONBEE:PLATFORM:node-->
+<!--/IRONBEE:PLATFORM:node-->
+
+<!--IRONBEE:PLATFORM:backend-->
+<!--/IRONBEE:PLATFORM:backend-->
+
+<!--IRONBEE:PLATFORM:android-->
+<!--/IRONBEE:PLATFORM:android-->
+
+## BANNED
+
+- Reporting a task complete without verifying your changes through the real tools.
+- Submitting a verdict based on assumptions, code reading, or prior knowledge — verify through real tools.
+- Writing `verdict.json` directly (always use `ironbee hook submit-verdict`).
+- Submitting `pass` when your own evidence shows a legitimate, in-scope operation breaking — that is a FALSE pass; fail it.

package/dist/clients/codex/rules/ironbee-verification.md

@@ -1,33 +1,16 @@
-You MUST verify all code changes through real tools before completing any task — and on Codex you do this by **delegating to the `ironbee-verifier` custom agent**, not by verifying inline.
+You MUST verify all code changes before completing any task — by DELEGATING to the `ironbee-verifier` custom agent. You do not have the verification tools; the verifier does. Never verify inline.
 
-## Delegate verification (do not verify inline)
+After editing code, before reporting completion: spawn the `ironbee-verifier` custom agent — call `spawn_agent` with `agent_type="ironbee-verifier"` and `fork_turns="none"` (REQUIRED: the default `fork_turns="all"` silently drops the agent_type → a generic agent without the verification tools; not a generic "act as" agent either) with a prompt describing what to verify. It drives the verification tools, exercises every active cycle (browser / runtime / backend, as wired up for this project), and submits the single verdict in this shared session — then returns a summary. Relay it. **Wait for the verifier in the same turn — do NOT background it; if it is backgrounded your turn can end before its verdict is recorded, leaving your changes unverified.**
 
-After you edit code (or whenever asked to "verify"), **spawn the `ironbee-verifier` custom agent** to run the verification cycle. Spawn it as a custom agent **by its `agent_type`** (`ironbee-verifier`) — NOT by telling a generic agent to "act as" it (that loads a generic agent without the verification tools). The verifier:
+If verification FAILS: fix the issues the verifier reported, optionally record what you fixed (`echo '{"fixes":["what you repaired"]}' | ironbee hook record-fix`), then re-delegate until it passes. Every code edit (apply_patch) clears the verdict, requiring re-delegation.
 
-- drives the real devtools tools (browser / node / backend — it owns them; you do not),
-- judges the result and submits a single verdict via `ironbee hook submit-verdict`,
-- runs inside your session, so the Stop gate sees its work,
-- does NOT edit code — if it finds problems it returns them as `issues` for YOU to fix.
-
-You (the main agent) do **not** have the devtools tools and must not try to drive them. Your job is to edit code, spawn the verifier to verify, and — if it reports a fail — fix the issues and re-spawn it.
-
-**Wait for the verifier in the same turn — do NOT background it.** Let it run to completion and read its verdict before you respond; a backgrounded verifier can let your turn end (and the Stop gate fire) before its verdict is recorded, leaving your changes unverified.
-
-## After a fail → fix → record → re-verify
-
-1. The verifier returns a fail verdict with `issues`.
-2. Fix the issues in your code.
-3. Record what you fixed so the next pass verdict captures it (the verifier can't author this — it didn't make the edit):
-   ```
-   echo '{"fixes":["fixed null check in src/foo.ts"]}' | ironbee hook record-fix
-   ```
-4. Re-spawn the `ironbee-verifier` custom agent. Repeat until it passes.
+The Stop gate blocks completion until a verdict exists for your changes — delegation is the only path.
 
 ## BANNED
 
-- Verifying inline / driving devtools tools yourself — always delegate to the `ironbee-verifier` custom agent.
-- "Act as ironbee-verifier" free-text spawns — spawn the custom agent by `agent_type` so it loads its tools.
-- Backgrounding the verifier, or ending your turn before it returns its verdict — wait for it in the same turn.
-- Writing `verdict.json` directly, or completing a task with unverified code changes.
-
-The Stop gate blocks completion until the verifier has exercised every active cycle's tools and submitted a verdict with non-empty `checks`. Every code edit clears the prior verdict, requiring a fresh verification.
+- Running the verification tools (`bdt_*` / `ndt_*` / `bedt_*`) or `ironbee hook verification-start` / `submit-verdict` yourself — those are the verifier's job. Delegate. The verifier already submitted the single verdict in this shared session; you only RELAY it in text. Re-running `submit-verdict` yourself is REJECTED ("no active verification cycle" — the cycle already closed) and records nothing — a duplicate, not a verdict.
+- Using the generic `spawn_agent` tool / a plain fork to "be" the verifier — that spawns a DEFAULT agent without the devtools. Spawn the `ironbee-verifier` custom agent by its `agent_type`.
+- Reporting a task complete without delegating verification of your changes.
+- Submitting a verdict based on assumptions, code reading, or prior knowledge — the verifier verifies through real tools.
+- Writing `verdict.json` directly.
+- Backgrounding the verifier custom agent, or ending your turn before it returns its verdict — wait for it in the same turn.

package/dist/clients/codex/skills/ironbee-verification.main.md

@@ -0,0 +1,110 @@
+---
+name: ironbee-verification
+description: >
+  MANDATORY verification after code changes. Activates when implementing features, fixing
+  bugs, modifying UI components, API endpoints, styles, refactoring, or any task that changes
+  application behavior. After editing code you MUST verify the affected cycle(s) through real
+  tools and submit a single verdict (pass or fail) before reporting task completion. You drive
+  the verification tools yourself — they are wired into this session.
+---
+
+# IronBee Verification
+
+> **You verify INLINE.** This project runs IronBee in **main-agent** mode: the devtools tools
+> (`mcp__browser-devtools__*` / `mcp__node-devtools__*` / `mcp__backend-devtools__*` /
+> `mcp__android-devtools__*`) are wired into THIS session — you drive them yourself. There is no
+> verifier sub-agent to delegate to.
+
+## Rule
+No task is complete until your changes are verified through **real tools**, not by reading code or
+inferring behavior. After verifying, you MUST submit a verdict (pass or fail) before doing
+anything else. If verification fails, submit the fail verdict first, then fix and re-verify.
+
+## Session id
+IronBee's SessionStart hook injects your **Session ID** into your context at the top of the
+session (a line `Session ID: <sid>`). Author it in every `ironbee hook` command's JSON.
+
+## Cycles
+IronBee runs verification in **cycles**. A single Stop hook can drive multiple cycles in
+parallel — every active cycle must pass for your task to complete. You don't choose which cycle
+runs — the edited file's path decides (pattern match). **See the platform sections near the
+bottom of this file** for which cycles are active for this project, the tools they expose, and
+the per-cycle flow.
+
+## Universal flow
+
+1. Finish your code edits (`apply_patch`).
+2. **Start verification — run this ALONE first**, before any devtools call:
+   ```
+   echo '{"session_id":"<your-session-id>"}' | ironbee hook verification-start
+   ```
+   Devtools tools are blocked until this opens the cycle. **Codex runs shell commands and MCP
+   tools in separate lanes**, so a same-message ordering of this shell command before a devtools
+   call is NOT guaranteed — a devtools call that lands first is blocked. Once the cycle is open,
+   independent MCP calls can ride one message.
+3. Build and start the application **only if it isn't already running** (check `docker compose ps`
+   / process output / config — don't guess ports). Track whether YOU started it.
+4. **Run the per-cycle flows for every active cycle** (see the platform sections below). All
+   active cycles must be exercised within this one verification cycle.
+5. **Teardown** — stop ONLY what you started (the dev server / container you launched for this
+   verification); never stop a server that was already running. Honor any cycle-specific teardown
+   (e.g. stop an active screen recording) BEFORE the verdict.
+6. **Submit your verdict immediately** — do NOT edit any code first:
+   ```
+   echo '<verdict-json>' | ironbee hook submit-verdict
+   ```
+   - Platform-agnostic shape: `session_id`, `status`, `checks`, optionally `issues` / `fixes`.
+     One verdict regardless of how many cycles ran.
+   - Pass → `{ "session_id": "...", "status": "pass", "checks": [...] }`
+   - Fail → add `"issues": [...]` describing what failed.
+   - Pass after a previous fail → add `"fixes": [...]` describing what was repaired.
+   - **A FALSE failure is a FAIL — not "verified failure handling".** Separate an EXPECTED
+     negative test (you deliberately fed invalid input and it correctly failed → supports a
+     `pass`) from a FALSE failure (a VALID, in-scope operation that SHOULD succeed but errors out
+     → a DEFECT → `status: "fail"`).
+   - **Nothing to verify? Use N/A — never fake evidence.** When the change has no runtime surface
+     (type-only edit, behavior-neutral refactor, config/docs that still tripped a cycle): global
+     `{ "session_id": "...", "status": "not_applicable", "reason": ["why"] }` (no `checks`), or
+     per-platform on a pass/fail verdict `"not_applicable_cycles": ["browser"], "reason": ["..."]`
+     to exempt some cycles while verifying others. `reason` is REQUIRED. Strict mode rejects N/A.
+     Base "nothing to verify" on the FULL change set (the change is often already COMMITTED) —
+     check `git diff HEAD~1 HEAD --stat`, not just a clean `git status`.
+7. If failed → fix → rebuild → go back to step 2 → repeat until pass (up to the retry cap).
+
+## Speed — batch your tool calls (fewer LLM round-trips)
+
+Each tool call is a separate LLM round-trip, and that round-trip — not the tool's execution — is
+the dominant cost. Drive the tools in as few turns as you can:
+
+- **Batch a scope's work into ONE `*_execute` call.** Each cycle exposes a batch tool
+  (`mcp__browser-devtools__bdt_execute` / `mcp__node-devtools__ndt_execute` /
+  `mcp__backend-devtools__bedt_execute` / `mcp__android-devtools__adt_execute`) that runs many
+  steps in one turn — nest each as a `callTool('<tool>', { … })`. A batch nests only that cycle's
+  own tools. It's a JS sandbox, so a later step can reuse a value an earlier `callTool` returned;
+  `*_execute` STOPS at the first failing nested call. Authoring the batch is not the work — read
+  each result and confirm real evidence came back.
+- **Discovery stays standalone** — the step that reveals what to do (navigate / connect / snapshot)
+  runs first and on its own; THEN batch the actions it told you to take.
+
+<!--IRONBEE:PLATFORM:browser-->
+<!--/IRONBEE:PLATFORM:browser-->
+
+<!--IRONBEE:PLATFORM:node-->
+<!--/IRONBEE:PLATFORM:node-->
+
+<!--IRONBEE:PLATFORM:backend-->
+<!--/IRONBEE:PLATFORM:backend-->
+
+<!--IRONBEE:PLATFORM:android-->
+<!--/IRONBEE:PLATFORM:android-->
+
+## Important
+- **Always submit a verdict after every verification attempt** — both pass AND fail.
+- Submit verdicts via `ironbee hook submit-verdict`, never write `verdict.json` directly.
+- Every `apply_patch` edit automatically clears your session's verdict — re-verify after edits.
+- After the retry cap, you may complete but must report unresolved issues.
+
+## BANNED
+- Reporting a task complete without verifying your changes through the real tools.
+- Claiming verification passed based on code reading, assumptions, or prior knowledge.
+- Submitting `pass` when your own evidence shows a legitimate operation breaking.

package/dist/clients/codex/skills/ironbee-verification.md

@@ -2,82 +2,54 @@
 name: ironbee-verification
 description: >
   MANDATORY verification after code changes. Activates when implementing features, fixing
-  bugs, modifying UI components, API endpoints, styles, refactoring, or any task that
-  changes application behavior. Verification runs in cycles activated by file-pattern
-  match — which cycles are wired up for this project is shown in the platform sections
-  near the bottom of this file. After every code edit you MUST verify the affected
-  cycle(s) through real tools and submit a single verdict (pass or fail) before
-  reporting task completion. If verification fails, submit the fail verdict first,
-  then fix.
+  bugs, modifying UI components, API endpoints, styles, refactoring, or any task that changes
+  application behavior. After editing code you MUST verify the changes before reporting task
+  completion — and you verify by DELEGATING to the ironbee-verifier custom agent, never inline.
 ---
 
 # IronBee Verification
 
-## Rule
-No task is complete until changes are verified — through **real tools**, not by reading code or inferring behavior. After verification, you MUST submit a verdict (pass or fail) before doing anything else. If verification fails, submit the fail verdict first, then fix.
-
-## Cycles
-
-IronBee runs verification in **cycles**. A single Stop hook can drive multiple cycles in parallel — every active cycle must pass for your task to complete.
-
-You don't choose which cycle runs — the file pattern decides. A single edited file can match multiple cycles' patterns and activate them all. Cycles always run in parallel within a single Stop run. Each cycle has its own tools, flow steps, and verdict fields.
-
-**See the platform sections near the bottom of this file** for which cycles are active for this project, the tools they expose, and the per-cycle verdict fields you must include.
-
-## Application lifecycle (your responsibility)
-
-For every active cycle you manage the running application:
-- **Build** if needed (`npm run build`, `docker compose build`, …)
-- **Start** before navigating/connecting (`npm run dev`, `docker compose up -d`, …)
-- **Stop** when verification is complete
-
-If already running, skip start. If the build fails, fix it before proceeding.
+> **Delegate — do NOT verify inline.** You verify by spawning the **`ironbee-verifier` custom agent** via `spawn_agent` with `agent_type="ironbee-verifier"` **and `fork_turns="none"`** (the default `fork_turns="all"` silently drops the agent_type → a generic toolless agent; not a generic "act as" agent either) and relaying its verdict. The verifier owns the devtools tools; you (the main agent) don't have them.
 
-**Don't guess ports.** After starting, check the actual port via `docker compose ps`, process output, or config files.
-
-## Universal flow
-
-1. Implement your changes (write/edit code).
-2. **Start verification** (one cycle covers every active mode — every active cycle's flow runs within the same verification cycle):
-   ```
-   echo '{"session_id":"<your-session-id>"}' | ironbee hook verification-start
-   ```
-   Devtools tools are blocked without this.
-3. Build and start the application if not already running.
-4. **Run the per-cycle flows for every active cycle.** See the platform sections near the bottom of this file — each enabled cycle's section has its own flow steps and mandatory tools. All active cycles must be exercised within this one verification cycle.
-5. Stop the dev server when verification is complete (every cycle — including the final one).
-6. **Honor any cycle-specific teardown** noted in the platform sections (e.g. recording stop) BEFORE submitting your verdict.
-7. **Submit your verdict immediately** — do NOT edit any code first:
+## Rule
+No task is complete until your changes are verified through **real tools** — and you verify by
+**delegating to the `ironbee-verifier` custom agent**, never inline. You do not have the
+verification tools (browser / runtime / backend devtools); the verifier does. After delegating,
+relay its verdict; on fail, fix the reported issues and re-delegate until it passes.
+
+## How to verify — delegate
+1. Finish your code edits.
+2. Spawn the `ironbee-verifier` custom agent: call `spawn_agent` with `agent_type="ironbee-verifier"`
+   AND `fork_turns="none"` (REQUIRED — the default `fork_turns="all"` silently drops the agent_type,
+   giving a generic agent without the verification tools; not a generic "act as" agent either) with a
+   prompt like *"Verify the recent changes"* (optionally describe what changed, or pass a
+   scenario). It drives the verification tools, exercises every active cycle, and submits the
+   single verdict in this **shared session** — then returns a short summary.
+   **Wait for it in the same turn — do NOT background the verifier.** Let it run to completion
+   and read its verdict before you respond. If the verifier is backgrounded, your turn can end
+   (and the Stop gate fire) before its verdict is recorded, leaving your changes unverified.
+3. **Relay the verdict.** If it FAILED: fix the issues it reported. Optionally record what you
+   fixed so the next pass verdict can describe it:
    ```
-   echo '<verdict-json>' | ironbee hook submit-verdict
+   echo '{"fixes":["what you repaired"]}' | ironbee hook record-fix
    ```
-   - Verdict shape is platform-agnostic: `status`, `checks`, optionally `issues` / `fixes`. One verdict regardless of how many cycles ran.
-   - Pass → `{ "session_id": "...", "status": "pass", "checks": [...] }`
-   - Fail → add `"issues": [...]` describing what failed.
-   - Pass after a previous fail → add `"fixes": [...]` describing what was repaired.
-   - **The Stop hook enforces that you called the required tools for every active cycle and that the verdict carries non-empty `checks`.**
-8. If failed → fix → rebuild → go back to step 2 → repeat until pass.
-
-<!--IRONBEE:PLATFORM:browser-->
-<!--/IRONBEE:PLATFORM:browser-->
-
-<!--IRONBEE:PLATFORM:node-->
-<!--/IRONBEE:PLATFORM:node-->
-
-<!--IRONBEE:PLATFORM:backend-->
-<!--/IRONBEE:PLATFORM:backend-->
+   Then re-delegate. Repeat until it passes.
 
-<!--IRONBEE:PLATFORM:android-->
-<!--/IRONBEE:PLATFORM:android-->
+The Stop gate enforces this: it blocks completion until a verdict exists for your changes. Since
+you can't verify inline, delegation is the only path forward.
 
-## Important
-- **Always submit a verdict after every verification attempt** — both pass AND fail. Fail verdicts are tracked for analytics.
-- The Stop hook checks that the required tools were used for every active cycle and that the verdict carries non-empty `checks`.
-- Submit verdicts via `ironbee hook submit-verdict`, never write `verdict.json` directly.
-- Every code edit (Write/Edit) automatically clears your session's verdict.
-- After 3 failed verification attempts, you may complete but must report unresolved issues.
+## BANNED
+- Trying to run the verification tools yourself (`bdt_*` / `ndt_*` / `bedt_*`) or
+  `ironbee hook verification-start` / `submit-verdict` — those are the verifier's job. Delegate.
+- Using the generic `spawn_agent` tool / a plain fork to "be" the verifier — that spawns a
+  DEFAULT agent without the devtools. Spawn the `ironbee-verifier` custom agent via `spawn_agent` with `agent_type="ironbee-verifier"` and `fork_turns="none"`.
+- Reporting a task complete without delegating verification of your changes.
+- Claiming verification passed based on code reading, assumptions, or prior knowledge.
+- Backgrounding the verifier custom agent (or ending your turn before it returns its verdict) —
+  wait for it to finish in the same turn.
 
 ## Subagent teams
-- Subagents focus on implementation only — do NOT verify.
-- The main orchestrator agent verifies ALL changes after subagents complete.
-- Each session's verification is isolated via session-specific verdict files.
+- Implementation subagents write code; they do NOT verify.
+- Verification is ALWAYS delegated to the dedicated `ironbee-verifier` custom agent — it owns the
+  per-cycle browser/node/backend flows and the verification tools. Each session's verification
+  is isolated via session-specific verdict files.

package/dist/clients/codex/util.js

@@ -1,38 +1,48 @@
-"use strict";var y=Object.defineProperty;var I=Object.getOwnPropertyDescriptor;var E=Object.getOwnPropertyNames;var P=Object.prototype.hasOwnProperty;var o=(n,t)=>y(n,"name",{value:t,configurable:!0});var W=(n,t)=>{for(var e in t)y(n,e,{get:t[e],enumerable:!0})},J=(n,t,e,s)=>{if(t&&typeof t=="object"||typeof t=="function")for(let r of E(t))!P.call(n,r)&&r!==e&&y(n,r,{get:()=>t[r],enumerable:!(s=I(t,r))||s.enumerable});return n};var L=n=>J(y({},"__esModule",{value:!0}),n);var gn={};W(gn,{AGENTS_MD_END_MARKER:()=>h,AGENTS_MD_START_MARKER:()=>w,canonicalizeCodexServerName:()=>$,canonicalizeCodexToolName:()=>v,classifyCodexTool:()=>F,codexAgentTomlPath:()=>nn,codexConfigTomlPath:()=>R,codexHooksJsonPath:()=>cn,decodeJwtPayload:()=>A,ensureFeaturesHooksTrue:()=>Z,extractBashBinary:()=>j,extractCodexMcpServer:()=>S,extractCodexToolInput:()=>D,extractTomlTopLevelModel:()=>tn,findTomlSection:()=>k,normalizeCodexToolName:()=>T,parseCodexHookStdin:()=>M,readCodexConfigToml:()=>on,removeAgentsTable:()=>N,removeMcpServer:()=>Q,resolveCodexUsage:()=>V,stripAgentsMdBlock:()=>sn,tomlBodyFromRecord:()=>en,upsertAgentsMdBlock:()=>rn,upsertAgentsTable:()=>Y,upsertMcpServer:()=>q,userCodexAgentTomlPath:()=>an,userCodexConfigTomlPath:()=>dn,userCodexHooksJsonPath:()=>ln,writeCodexConfigToml:()=>un});module.exports=L(gn);var m=require("fs"),x=require("os"),p=require("path"),b=require("../../lib/logger");function M(n){try{return JSON.parse(n)}catch(t){return b.logger.debug(`failed to parse Codex hook stdin: ${t}`),{}}}o(M,"parseCodexHookStdin");const _="mcp__",B={browser_devtools:"browser-devtools",node_devtools:"node-devtools",backend_devtools:"backend-devtools",android_devtools:"android-devtools"},z=["bdt_","ndt_","bedt_","adt_"];function $(n){return B[n]??n}o($,"canonicalizeCodexServerName");function v(n){if(!z.some(e=>n.startsWith(e)))return n;const t=n.split("_");return t.length<=3?n:`${t[0]}_${t[1]}_${t.slice(2).join("-")}`}o(v,"canonicalizeCodexToolName");const H=[["bdt_","browser-devtools"],["ndt_","node-devtools"],["bedt_","backend-devtools"],["adt_","android-devtools"]];function S(n){if(!n)return null;if(n.startsWith(_)){const t=n.slice(_.length),e=t.indexOf("__");return e<0?null:$(t.slice(0,e))}for(const[t,e]of H)if(n.startsWith(t))return e;return null}o(S,"extractCodexMcpServer");function T(n){return n==="exec_command"?"Bash":n==="apply_patch"?"Edit":n==="update_plan"?"TodoWrite":n==="read_file"?"Read":n==="web_search"?"WebSearch":n==="web_fetch"?"WebFetch":n}o(T,"normalizeCodexToolName");function F(n){if(!n)return{tool_type:null,tool_name:"",mcp_server:null};if(n.startsWith(_)){const s=n.slice(_.length),r=s.indexOf("__");if(r>=0){const i=s.slice(0,r),c=$(i),u=s.slice(r+2);return{tool_type:"mcp",tool_name:v(u),mcp_server:c}}}const t=S(n);if(t!==null&&!n.startsWith(_))return{tool_type:"mcp",tool_name:v(n),mcp_server:t};const e=T(n);return n==="spawn_agent"||n==="wait_agent"||n==="close_agent"?{tool_type:"sub_agent",tool_name:e,mcp_server:null}:{tool_type:null,tool_name:e,mcp_server:null}}o(F,"classifyCodexTool");function D(n,t){if(!n||t===void 0)return;if(n==="apply_patch"){if(typeof t=="string")return{input_size:t.length};if(typeof t=="object"&&t!==null){const r=t,i=r.command??r.input;if(typeof i=="string")return{input_size:i.length}}return{input_size:void 0}}if(typeof t!="object"||t===null)return;const e=t;if(T(n)==="Bash"){const r=e.cmd??e.command,i=typeof r=="string"?j(r):void 0;return{workdir:e.workdir,binary:i}}if(n==="update_plan"){const r=e.explanation,i=e.plan;return{explanation:typeof r=="string"?r:void 0,plan_step_count:Array.isArray(i)?i.length:void 0}}if(n==="spawn_agent"){const r=e.agent_type,i=e.message,c=e.fork_context;return{agent_type:typeof r=="string"?r:void 0,message_size:typeof i=="string"?i.length:void 0,fork_context:typeof c=="boolean"?c:void 0}}if(n==="wait_agent"){const r=e.targets,i=e.timeout_ms;return{target_count:Array.isArray(r)?r.length:void 0,timeout_ms:typeof i=="number"?i:void 0}}if(n==="close_agent"){const r=e.target;return{target:typeof r=="string"?r:void 0}}if(n==="view_image"){const r=e.path,i=e.detail;return{path:typeof r=="string"?r:void 0,detail:typeof i=="string"?i:void 0}}if(n==="write_stdin"){const r=e.session_id,i=e.chars,c=e.yield_time_ms,u=e.max_output_tokens;return{session_id:typeof r=="number"?r:void 0,chars_size:typeof i=="string"?i.length:void 0,yield_time_ms:typeof c=="number"?c:void 0,max_output_tokens:typeof u=="number"?u:void 0}}if(n.startsWith(_)||S(n)!==null){if("_metadata"in e){const{_metadata:r,...i}=e;return i}return e}}o(D,"extractCodexToolInput");function j(n){const t=n.trim();if(!t)return;const e=t.split(/\s+/);for(const s of e)if(!/^[A-Za-z_][A-Za-z0-9_]*=/.test(s)&&s.length>0)return s.split(/[\\/]/).pop()??s}o(j,"extractBashBinary");function A(n){const t=n.split(".");if(t.length!==3)return null;try{const e=Buffer.from(t[1],"base64url").toString("utf-8"),s=JSON.parse(e);return typeof s!="object"||s===null?null:s}catch{return null}}o(A,"decodeJwtPayload");function K(n){if(typeof n=="string"){const t=A(n);return t?{email:t.email,planType:t["https://api.openai.com/auth"]?.chatgpt_plan_type}:{}}if(typeof n=="object"&&n!==null){const t=n;return{email:t.email,planType:t.chatgpt_plan_type}}return{}}o(K,"extractIdTokenFields");function V(n){const t=n??(0,p.join)((0,x.homedir)(),".codex","auth.json");if(!(0,m.existsSync)(t))return{};try{const e=JSON.parse((0,m.readFileSync)(t,"utf-8")),s=e.auth_mode==="chatgpt"||e.auth_mode==="swic"?"subscription":e.auth_mode==="api"?"api":void 0,{email:r,planType:i}=K(e.tokens?.id_token);return{usageType:s,usagePlan:i?.toLowerCase(),userEmail:r}}catch(e){return b.logger.debug(`failed to parse ${t}: ${e}`),{}}}o(V,"resolveCodexUsage");function U(n,t){return n.trim()===`[${t}]`}o(U,"tableHeaderLineExact");function X(n){const t=n.trim();return/^\[\[?[^\]]+\]\]?$/.test(t)}o(X,"isAnyTableHeader");function O(n){const e=n.trim().match(/^\[([^[\]]+)\]$/);return e===null?null:e[1]}o(O,"tableHeaderName");function k(n,t){let e=-1;for(let r=0;r<n.length;r+=1)if(U(n[r],t)){e=r;break}if(e<0)return null;let s=n.length;for(let r=e+1;r<n.length;r+=1)if(X(n[r])){s=r;break}return{startIdx:e,endIdx:s}}o(k,"findTomlSection");function G(n){const t=[...n];for(;t.length>0&&t[t.length-1].trim()==="";)t.pop();return t}o(G,"trimTrailingBlanks");function C(n,t){return n.length===0?t.join(`
+"use strict";var k=Object.defineProperty;var E=Object.getOwnPropertyDescriptor;var L=Object.getOwnPropertyNames;var W=Object.prototype.hasOwnProperty;var o=(n,t)=>k(n,"name",{value:t,configurable:!0});var M=(n,t)=>{for(var e in t)k(n,e,{get:t[e],enumerable:!0})},P=(n,t,e,s)=>{if(t&&typeof t=="object"||typeof t=="function")for(let r of L(t))!W.call(n,r)&&r!==e&&k(n,r,{get:()=>t[r],enumerable:!(s=E(t,r))||s.enumerable});return n};var J=n=>P(k({},"__esModule",{value:!0}),n);var pn={};M(pn,{AGENTS_MD_END_MARKER:()=>x,AGENTS_MD_START_MARKER:()=>v,canonicalizeCodexServerName:()=>C,canonicalizeCodexToolName:()=>$,classifyCodexTool:()=>V,codexAgentTomlPath:()=>en,codexConfigTomlPath:()=>T,codexHooksJsonPath:()=>ln,decodeJwtPayload:()=>A,ensureFeaturesHooksTrue:()=>Z,ensureMultiAgentV2SpawnMetadataExposed:()=>q,extractBashBinary:()=>j,extractCodexMcpServer:()=>I,extractCodexToolInput:()=>D,extractTomlTopLevelModel:()=>rn,findTomlSection:()=>h,normalizeCodexToolName:()=>S,parseCodexHookStdin:()=>B,readCodexConfigToml:()=>an,removeAgentsTable:()=>tn,removeMcpServer:()=>N,removeMultiAgentV2SpawnMetadata:()=>Q,resolveCodexUsage:()=>U,stripAgentsMdBlock:()=>un,tomlBodyFromRecord:()=>sn,upsertAgentsMdBlock:()=>on,upsertAgentsTable:()=>nn,upsertMcpServer:()=>Y,userCodexAgentTomlPath:()=>fn,userCodexConfigTomlPath:()=>cn,userCodexHooksJsonPath:()=>gn,writeCodexConfigToml:()=>dn});module.exports=J(pn);var m=require("fs"),b=require("os"),p=require("path"),y=require("../../lib/logger");function B(n){try{return JSON.parse(n)}catch(t){return y.logger.debug(`failed to parse Codex hook stdin: ${t}`),{}}}o(B,"parseCodexHookStdin");const _="mcp__",z={browser_devtools:"browser-devtools",node_devtools:"node-devtools",backend_devtools:"backend-devtools",android_devtools:"android-devtools"},H=["bdt_","ndt_","bedt_","adt_"];function C(n){return z[n]??n}o(C,"canonicalizeCodexServerName");function $(n){if(!H.some(e=>n.startsWith(e)))return n;const t=n.split("_");return t.length<=3?n:`${t[0]}_${t[1]}_${t.slice(2).join("-")}`}o($,"canonicalizeCodexToolName");const F=[["bdt_","browser-devtools"],["ndt_","node-devtools"],["bedt_","backend-devtools"],["adt_","android-devtools"]];function I(n){if(!n)return null;if(n.startsWith(_)){const t=n.slice(_.length),e=t.indexOf("__");return e<0?null:C(t.slice(0,e))}for(const[t,e]of F)if(n.startsWith(t))return e;return null}o(I,"extractCodexMcpServer");function S(n){return n==="exec_command"?"Bash":n==="apply_patch"?"Edit":n==="update_plan"?"TodoWrite":n==="read_file"?"Read":n==="web_search"?"WebSearch":n==="web_fetch"?"WebFetch":n}o(S,"normalizeCodexToolName");function V(n){if(!n)return{tool_type:null,tool_name:"",mcp_server:null};if(n.startsWith(_)){const s=n.slice(_.length),r=s.indexOf("__");if(r>=0){const i=s.slice(0,r),u=C(i),a=s.slice(r+2);return{tool_type:"mcp",tool_name:$(a),mcp_server:u}}}const t=I(n);if(t!==null&&!n.startsWith(_))return{tool_type:"mcp",tool_name:$(n),mcp_server:t};const e=S(n);return n==="spawn_agent"||n==="wait_agent"||n==="close_agent"?{tool_type:"sub_agent",tool_name:e,mcp_server:null}:{tool_type:null,tool_name:e,mcp_server:null}}o(V,"classifyCodexTool");function D(n,t){if(!n||t===void 0)return;if(n==="apply_patch"){if(typeof t=="string")return{input_size:t.length};if(typeof t=="object"&&t!==null){const r=t,i=r.command??r.input;if(typeof i=="string")return{input_size:i.length}}return{input_size:void 0}}if(typeof t!="object"||t===null)return;const e=t;if(S(n)==="Bash"){const r=e.cmd??e.command,i=typeof r=="string"?j(r):void 0;return{workdir:e.workdir,binary:i}}if(n==="update_plan"){const r=e.explanation,i=e.plan;return{explanation:typeof r=="string"?r:void 0,plan_step_count:Array.isArray(i)?i.length:void 0}}if(n==="spawn_agent"){const r=e.agent_type,i=e.message,u=e.fork_context;return{agent_type:typeof r=="string"?r:void 0,message_size:typeof i=="string"?i.length:void 0,fork_context:typeof u=="boolean"?u:void 0}}if(n==="wait_agent"){const r=e.targets,i=e.timeout_ms;return{target_count:Array.isArray(r)?r.length:void 0,timeout_ms:typeof i=="number"?i:void 0}}if(n==="close_agent"){const r=e.target;return{target:typeof r=="string"?r:void 0}}if(n==="view_image"){const r=e.path,i=e.detail;return{path:typeof r=="string"?r:void 0,detail:typeof i=="string"?i:void 0}}if(n==="write_stdin"){const r=e.session_id,i=e.chars,u=e.yield_time_ms,a=e.max_output_tokens;return{session_id:typeof r=="number"?r:void 0,chars_size:typeof i=="string"?i.length:void 0,yield_time_ms:typeof u=="number"?u:void 0,max_output_tokens:typeof a=="number"?a:void 0}}if(n.startsWith(_)||I(n)!==null){if("_metadata"in e){const{_metadata:r,...i}=e;return i}return e}}o(D,"extractCodexToolInput");function j(n){const t=n.trim();if(!t)return;const e=t.split(/\s+/);for(const s of e)if(!/^[A-Za-z_][A-Za-z0-9_]*=/.test(s)&&s.length>0)return s.split(/[\\/]/).pop()??s}o(j,"extractBashBinary");function A(n){const t=n.split(".");if(t.length!==3)return null;try{const e=Buffer.from(t[1],"base64url").toString("utf-8"),s=JSON.parse(e);return typeof s!="object"||s===null?null:s}catch{return null}}o(A,"decodeJwtPayload");function K(n){if(typeof n=="string"){const t=A(n);return t?{email:t.email,planType:t["https://api.openai.com/auth"]?.chatgpt_plan_type}:{}}if(typeof n=="object"&&n!==null){const t=n;return{email:t.email,planType:t.chatgpt_plan_type}}return{}}o(K,"extractIdTokenFields");function U(n){const t=n??(0,p.join)((0,b.homedir)(),".codex","auth.json");if(!(0,m.existsSync)(t))return{};try{const e=JSON.parse((0,m.readFileSync)(t,"utf-8")),s=e.auth_mode==="chatgpt"||e.auth_mode==="swic"?"subscription":e.auth_mode==="api"?"api":void 0,{email:r,planType:i}=K(e.tokens?.id_token);return{usageType:s,usagePlan:i?.toLowerCase(),userEmail:r}}catch(e){return y.logger.debug(`failed to parse ${t}: ${e}`),{}}}o(U,"resolveCodexUsage");function X(n,t){return n.trim()===`[${t}]`}o(X,"tableHeaderLineExact");function G(n){const t=n.trim();return/^\[\[?[^\]]+\]\]?$/.test(t)}o(G,"isAnyTableHeader");function R(n){const e=n.trim().match(/^\[([^[\]]+)\]$/);return e===null?null:e[1]}o(R,"tableHeaderName");function h(n,t){let e=-1;for(let r=0;r<n.length;r+=1)if(X(n[r],t)){e=r;break}if(e<0)return null;let s=n.length;for(let r=e+1;r<n.length;r+=1)if(G(n[r])){s=r;break}return{startIdx:e,endIdx:s}}o(h,"findTomlSection");function O(n){const t=[...n];for(;t.length>0&&t[t.length-1].trim()==="";)t.pop();return t}o(O,"trimTrailingBlanks");function w(n,t){return n.length===0?t.join(`
 `)+`
 `:n.replace(/\n+$/,"")+`
 
 `+t.join(`
 `)+`
-`}o(C,"appendBlockWithSeparator");function Z(n){const t=n.split(`
-`),e=k(t,"features");if(e===null)return C(n,["[features]","hooks = true"]);const s=t.slice(e.startIdx+1,e.endIdx),r=/^\s*hooks\s*=/;let i=!1;for(let l=0;l<s.length;l+=1)if(r.test(s[l])){s[l]="hooks = true",i=!0;break}i||s.unshift("hooks = true");const c=G(s),a=[...t.slice(0,e.startIdx),t[e.startIdx],...c,...e.endIdx<t.length?[""]:[],...t.slice(e.endIdx)].join(`
-`);return a.endsWith(`
-`)?a:a+`
-`}o(Z,"ensureFeaturesHooksTrue");function q(n,t,e){const s=`mcp_servers.${t}`,r=n.split(`
-`),i=k(r,s),u=[`[${s}]`,...e];if(i===null)return C(n,u);const a=r.slice(0,i.startIdx),l=r.slice(i.endIdx),d=[...a,...u,...l.length>0?[""]:[],...l].join(`
-`);return d.endsWith(`
-`)?d:d+`
-`}o(q,"upsertMcpServer");function Q(n,t){const e=`mcp_servers.${t}`,s=`${e}.`,r=n.split(`
-`),i=[];let c=!1,u=!1;for(const d of r){const g=O(d);if(g!==null&&(c=g===e||g.startsWith(s),c)){u=!0;continue}c||i.push(d)}if(!u)return n;const a=[];let l=!1;for(const d of i){const g=d.trim().length===0;g&&l||(a.push(d),l=g)}const f=a.join(`
+`}o(w,"appendBlockWithSeparator");function Z(n){const t=n.split(`
+`),e=h(t,"features");if(e===null)return w(n,["[features]","hooks = true"]);const s=t.slice(e.startIdx+1,e.endIdx),r=/^\s*hooks\s*=/;let i=!1;for(let d=0;d<s.length;d+=1)if(r.test(s[d])){s[d]="hooks = true",i=!0;break}i||s.unshift("hooks = true");const u=O(s),c=[...t.slice(0,e.startIdx),t[e.startIdx],...u,...e.endIdx<t.length?[""]:[],...t.slice(e.endIdx)].join(`
+`);return c.endsWith(`
+`)?c:c+`
+`}o(Z,"ensureFeaturesHooksTrue");function q(n){const t=n.split(`
+`),e=h(t,"features.multi_agent_v2");if(e===null)return w(n,["[features.multi_agent_v2]","hide_spawn_agent_metadata = false"]);const s=t.slice(e.startIdx+1,e.endIdx),r=/^\s*hide_spawn_agent_metadata\s*=/;let i=!1;for(let d=0;d<s.length;d+=1)if(r.test(s[d])){s[d]="hide_spawn_agent_metadata = false",i=!0;break}i||s.unshift("hide_spawn_agent_metadata = false");const u=O(s),c=[...t.slice(0,e.startIdx),t[e.startIdx],...u,...e.endIdx<t.length?[""]:[],...t.slice(e.endIdx)].join(`
+`);return c.endsWith(`
+`)?c:c+`
+`}o(q,"ensureMultiAgentV2SpawnMetadataExposed");function Q(n){const t=n.split(`
+`),e=h(t,"features.multi_agent_v2");if(e===null)return n;const s=t.slice(e.startIdx+1,e.endIdx).filter(a=>a.trim().length>0);if(!(s.length===1&&/^\s*hide_spawn_agent_metadata\s*=\s*false\s*$/.test(s[0])))return n;const u=[...t.slice(0,e.startIdx),...t.slice(e.endIdx)].join(`
+`).replace(/\n{3,}/g,`
+
+`);return u.endsWith(`
+`)?u:u+`
+`}o(Q,"removeMultiAgentV2SpawnMetadata");function Y(n,t,e){const s=`mcp_servers.${t}`,r=n.split(`
+`),i=h(r,s),a=[`[${s}]`,...e];if(i===null)return w(n,a);const c=r.slice(0,i.startIdx),d=r.slice(i.endIdx),l=[...c,...a,...d.length>0?[""]:[],...d].join(`
+`);return l.endsWith(`
+`)?l:l+`
+`}o(Y,"upsertMcpServer");function N(n,t){const e=`mcp_servers.${t}`,s=`${e}.`,r=n.split(`
+`),i=[];let u=!1,a=!1;for(const l of r){const g=R(l);if(g!==null&&(u=g===e||g.startsWith(s),u)){a=!0;continue}u||i.push(l)}if(!a)return n;const c=[];let d=!1;for(const l of i){const g=l.trim().length===0;g&&d||(c.push(l),d=g)}const f=c.join(`
 `);return f.endsWith(`
 `)||f.length===0?f:f+`
-`}o(Q,"removeMcpServer");function Y(n,t,e){const s=`agents.${t}`,r=n.split(`
-`),i=k(r,s),u=[`[${s}]`,...e];if(i===null)return C(n,u);const a=r.slice(0,i.startIdx),l=r.slice(i.endIdx),d=[...a,...u,...l.length>0?[""]:[],...l].join(`
-`);return d.endsWith(`
-`)?d:d+`
-`}o(Y,"upsertAgentsTable");function N(n,t){const e=`agents.${t}`,s=`${e}.`,r=n.split(`
-`),i=[];let c=!1,u=!1;for(const d of r){const g=O(d);if(g!==null&&(c=g===e||g.startsWith(s),c)){u=!0;continue}c||i.push(d)}if(!u)return n;const a=[];let l=!1;for(const d of i){const g=d.trim().length===0;g&&l||(a.push(d),l=g)}const f=a.join(`
+`}o(N,"removeMcpServer");function nn(n,t,e){const s=`agents.${t}`,r=n.split(`
+`),i=h(r,s),a=[`[${s}]`,...e];if(i===null)return w(n,a);const c=r.slice(0,i.startIdx),d=r.slice(i.endIdx),l=[...c,...a,...d.length>0?[""]:[],...d].join(`
+`);return l.endsWith(`
+`)?l:l+`
+`}o(nn,"upsertAgentsTable");function tn(n,t){const e=`agents.${t}`,s=`${e}.`,r=n.split(`
+`),i=[];let u=!1,a=!1;for(const l of r){const g=R(l);if(g!==null&&(u=g===e||g.startsWith(s),u)){a=!0;continue}u||i.push(l)}if(!a)return n;const c=[];let d=!1;for(const l of i){const g=l.trim().length===0;g&&d||(c.push(l),d=g)}const f=c.join(`
 `);return f.endsWith(`
 `)||f.length===0?f:f+`
-`}o(N,"removeAgentsTable");function nn(n,t){return(0,p.join)(n,".codex","agents",`${t}.toml`)}o(nn,"codexAgentTomlPath");function tn(n){for(const t of n.split(`
-`)){const e=t.trim();if(e.startsWith("["))break;const s=e.match(/^model\s*=\s*"([^"]*)"/);if(s&&s[1].length>0)return s[1]}return null}o(tn,"extractTomlTopLevelModel");function en(n){const t=[];for(const[e,s]of Object.entries(n))if(s!=null){if(typeof s=="string")t.push(`${e} = ${JSON.stringify(s)}`);else if(typeof s=="number"||typeof s=="boolean")t.push(`${e} = ${s}`);else if(Array.isArray(s)){const r=s.map(i=>typeof i=="string"?JSON.stringify(i):typeof i=="number"||typeof i=="boolean"?String(i):JSON.stringify(i));t.push(`${e} = [${r.join(", ")}]`)}else if(typeof s=="object"){const r=s,i=[];for(const[c,u]of Object.entries(r))u!=null&&(typeof u=="string"?i.push(`${c} = ${JSON.stringify(u)}`):typeof u=="number"||typeof u=="boolean"?i.push(`${c} = ${u}`):i.push(`${c} = ${JSON.stringify(u)}`));t.push(`${e} = { ${i.join(", ")} }`)}}return t}o(en,"tomlBodyFromRecord");const w="<!-- ironbee:start -->",h="<!-- ironbee:end -->";function rn(n,t){const e=`${w}
+`}o(tn,"removeAgentsTable");function en(n,t){return(0,p.join)(n,".codex","agents",`${t}.toml`)}o(en,"codexAgentTomlPath");function rn(n){for(const t of n.split(`
+`)){const e=t.trim();if(e.startsWith("["))break;const s=e.match(/^model\s*=\s*"([^"]*)"/);if(s&&s[1].length>0)return s[1]}return null}o(rn,"extractTomlTopLevelModel");function sn(n){const t=[];for(const[e,s]of Object.entries(n))if(s!=null){if(typeof s=="string")t.push(`${e} = ${JSON.stringify(s)}`);else if(typeof s=="number"||typeof s=="boolean")t.push(`${e} = ${s}`);else if(Array.isArray(s)){const r=s.map(i=>typeof i=="string"?JSON.stringify(i):typeof i=="number"||typeof i=="boolean"?String(i):JSON.stringify(i));t.push(`${e} = [${r.join(", ")}]`)}else if(typeof s=="object"){const r=s,i=[];for(const[u,a]of Object.entries(r))a!=null&&(typeof a=="string"?i.push(`${u} = ${JSON.stringify(a)}`):typeof a=="number"||typeof a=="boolean"?i.push(`${u} = ${a}`):i.push(`${u} = ${JSON.stringify(a)}`));t.push(`${e} = { ${i.join(", ")} }`)}}return t}o(sn,"tomlBodyFromRecord");const v="<!-- ironbee:start -->",x="<!-- ironbee:end -->";function on(n,t){const e=`${v}
 ${t.trimEnd()}
-${h}`,s=n.indexOf(w),r=n.indexOf(h);if(s>=0&&r>s){const i=n.slice(0,s),c=n.slice(r+h.length);return i+e+c}return n.trim().length===0?e+`
+${x}`,s=n.indexOf(v),r=n.indexOf(x);if(s>=0&&r>s){const i=n.slice(0,s),u=n.slice(r+x.length);return i+e+u}return n.trim().length===0?e+`
 `:n.trimEnd()+`
 
 `+e+`
-`}o(rn,"upsertAgentsMdBlock");function sn(n){const t=n.indexOf(w),e=n.indexOf(h);if(t<0||e<t)return n.trim().length===0?null:n;const s=n.slice(0,t).trimEnd(),r=n.slice(e+h.length).trimStart(),i=s+(s.length>0&&r.length>0?`
+`}o(on,"upsertAgentsMdBlock");function un(n){const t=n.indexOf(v),e=n.indexOf(x);if(t<0||e<t)return n.trim().length===0?null:n;const s=n.slice(0,t).trimEnd(),r=n.slice(e+x.length).trimStart(),i=s+(s.length>0&&r.length>0?`
 
 `:"")+r;return i.trim().length===0?null:i.endsWith(`
 `)?i:i+`
-`}o(sn,"stripAgentsMdBlock");function on(n){const t=R(n);if(!(0,m.existsSync)(t))return"";try{return(0,m.readFileSync)(t,"utf-8")}catch(e){return b.logger.debug(`failed to read ${t}: ${e}`),""}}o(on,"readCodexConfigToml");function un(n,t){const e=R(n);try{(0,m.writeFileSync)(e,t)}catch(s){b.logger.debug(`failed to write ${e}: ${s}`)}}o(un,"writeCodexConfigToml");function R(n){return(0,p.join)(n,".codex","config.toml")}o(R,"codexConfigTomlPath");function cn(n){return(0,p.join)(n,".codex","hooks.json")}o(cn,"codexHooksJsonPath");function dn(){return(0,p.join)((0,x.homedir)(),".codex","config.toml")}o(dn,"userCodexConfigTomlPath");function ln(){return(0,p.join)((0,x.homedir)(),".codex","hooks.json")}o(ln,"userCodexHooksJsonPath");function an(n){return(0,p.join)((0,x.homedir)(),".codex","agents",`${n}.toml`)}o(an,"userCodexAgentTomlPath");0&&(module.exports={AGENTS_MD_END_MARKER,AGENTS_MD_START_MARKER,canonicalizeCodexServerName,canonicalizeCodexToolName,classifyCodexTool,codexAgentTomlPath,codexConfigTomlPath,codexHooksJsonPath,decodeJwtPayload,ensureFeaturesHooksTrue,extractBashBinary,extractCodexMcpServer,extractCodexToolInput,extractTomlTopLevelModel,findTomlSection,normalizeCodexToolName,parseCodexHookStdin,readCodexConfigToml,removeAgentsTable,removeMcpServer,resolveCodexUsage,stripAgentsMdBlock,tomlBodyFromRecord,upsertAgentsMdBlock,upsertAgentsTable,upsertMcpServer,userCodexAgentTomlPath,userCodexConfigTomlPath,userCodexHooksJsonPath,writeCodexConfigToml});
+`}o(un,"stripAgentsMdBlock");function an(n){const t=T(n);if(!(0,m.existsSync)(t))return"";try{return(0,m.readFileSync)(t,"utf-8")}catch(e){return y.logger.debug(`failed to read ${t}: ${e}`),""}}o(an,"readCodexConfigToml");function dn(n,t){const e=T(n);try{(0,m.writeFileSync)(e,t)}catch(s){y.logger.debug(`failed to write ${e}: ${s}`)}}o(dn,"writeCodexConfigToml");function T(n){return(0,p.join)(n,".codex","config.toml")}o(T,"codexConfigTomlPath");function ln(n){return(0,p.join)(n,".codex","hooks.json")}o(ln,"codexHooksJsonPath");function cn(){return(0,p.join)((0,b.homedir)(),".codex","config.toml")}o(cn,"userCodexConfigTomlPath");function gn(){return(0,p.join)((0,b.homedir)(),".codex","hooks.json")}o(gn,"userCodexHooksJsonPath");function fn(n){return(0,p.join)((0,b.homedir)(),".codex","agents",`${n}.toml`)}o(fn,"userCodexAgentTomlPath");0&&(module.exports={AGENTS_MD_END_MARKER,AGENTS_MD_START_MARKER,canonicalizeCodexServerName,canonicalizeCodexToolName,classifyCodexTool,codexAgentTomlPath,codexConfigTomlPath,codexHooksJsonPath,decodeJwtPayload,ensureFeaturesHooksTrue,ensureMultiAgentV2SpawnMetadataExposed,extractBashBinary,extractCodexMcpServer,extractCodexToolInput,extractTomlTopLevelModel,findTomlSection,normalizeCodexToolName,parseCodexHookStdin,readCodexConfigToml,removeAgentsTable,removeMcpServer,removeMultiAgentV2SpawnMetadata,resolveCodexUsage,stripAgentsMdBlock,tomlBodyFromRecord,upsertAgentsMdBlock,upsertAgentsTable,upsertMcpServer,userCodexAgentTomlPath,userCodexConfigTomlPath,userCodexHooksJsonPath,writeCodexConfigToml});

package/dist/clients/codex/verifier.js

@@ -0,0 +1,2 @@
+"use strict";var d=Object.defineProperty;var x=Object.getOwnPropertyDescriptor;var y=Object.getOwnPropertyNames;var $=Object.prototype.hasOwnProperty;var g=(e,o)=>d(e,"name",{value:o,configurable:!0});var h=(e,o)=>{for(var l in o)d(e,l,{get:o[l],enumerable:!0})},w=(e,o,l,a)=>{if(o&&typeof o=="object"||typeof o=="function")for(let r of y(o))!$.call(e,r)&&r!==l&&d(e,r,{get:()=>o[r],enumerable:!(a=x(o,r))||a.enumerable});return e};var j=e=>w(d({},"__esModule",{value:!0}),e);var I={};h(I,{verifierCommand:()=>D});module.exports=j(I);var m=require("commander"),i=require("fs"),p=require("path"),s=require("../../lib/config"),b=require("../../lib/logger"),n=require("../../lib/output"),v=require("./index");function M(e){if(e.global===!0&&e.local===!0)throw new Error("Pass at most one of -g / --global, --local.");const o=e.projectDir??process.cwd();return e.global===!0?{target:"global",projectDir:o}:e.local===!0?{target:"local",projectDir:o}:{target:"project",projectDir:o}}g(M,"resolveTarget");function k(e){if(!(0,i.existsSync)(e))return{};try{return JSON.parse((0,i.readFileSync)(e,"utf-8"))}catch(o){throw new Error(`Config at ${e} is not valid JSON: ${o instanceof Error?o.message:o}`)}}g(k,"readConfigFile");function S(e,o){const l=(0,i.existsSync)(e)?(0,i.readFileSync)(e,"utf-8"):null,a=k(e),r={...a.codex??{}};return r.verifier={...r.verifier??{},mode:o},(0,i.mkdirSync)((0,p.join)(e,".."),{recursive:!0}),(0,i.writeFileSync)(e,JSON.stringify({...a,codex:r},null,2)+`
+`),l}g(S,"writeVerifierMode");const E=new m.Command("mode").description(`Set the Codex verifier delivery mode: "sub-agent" (default \u2014 delegate to the ironbee-verifier custom agent) or "main-agent" (the main agent drives the devtools tools directly; the fallback when Codex's sub-agent machinery breaks).`).argument("<mode>",'"sub-agent" or "main-agent"').option("-p, --project-dir <dir>","Project directory (default: cwd).").option("-g, --global","Write to the global config (~/.ironbee/config.json).").option("--local","Write to the gitignored project-local override (<project>/.ironbee/config.local.json).").action((e,o)=>{e!=="sub-agent"&&e!=="main-agent"&&(console.error(`${n.pc.red("\u2717")}  Invalid mode "${e}". Use ${n.pc.bold("sub-agent")} or ${n.pc.bold("main-agent")}.`),process.exit(1));const l=e;let a,r;try{({target:a,projectDir:r}=M(o))}catch(t){console.error(`${n.pc.red("\u2717")}  ${t instanceof Error?t.message:t}`),process.exit(1);return}const c=(0,s.getTargetConfigPath)(a,r);let f=null;try{f=S(c,l)}catch(t){console.error(`${n.pc.red("\u2717")}  ${t instanceof Error?t.message:t}`),process.exit(1);return}const u=new v.CodexClient;if(u.detect(r))try{u.install(r,(0,s.loadConfig)(r))}catch(t){if(f===null)try{(0,i.writeFileSync)(c,"")}catch{}else try{(0,i.writeFileSync)(c,f)}catch{}b.logger.debug(`verifier mode: rerender failed, rolled back ${c}: ${t}`),console.error(`${n.pc.red("\u2717")}  Failed to re-render Codex artifacts: ${t instanceof Error?t.message:t}`),process.exit(1);return}else console.log(`  ${n.pc.yellow("\u26A0")}  Codex is not installed in this project \u2014 setting saved, run ${n.pc.bold("ironbee install --client codex")} to apply.`);const C=(0,s.getCodexVerifierMode)((0,s.loadConfig)(r));console.log(`${n.pc.green("\u2713")}  Codex verifier mode set to ${n.pc.bold(l)} in ${a} config (${n.pc.dim(c)}).`),C!==l&&console.log(`  ${n.pc.yellow("\u26A0")}  Effective mode is ${n.pc.bold(C)} \u2014 a higher-priority config layer overrides this write.`),console.log(`  ${n.pc.dim("\u21BB")}  Restart any open Codex sessions to pick up the new config.`)}),D=new m.Command("verifier").description("Codex verifier settings. Subcommand: `mode <sub-agent|main-agent>` \u2014 how the verification cycle is driven (sub-agent delegation vs the main agent driving the tools directly).").addCommand(E);0&&(module.exports={verifierCommand});

package/dist/clients/cursor/platforms/skill.android.md

@@ -33,6 +33,8 @@ If you see only `ios/`, `web/`, or no mobile directories — the project does NO
      - Read Logcat output for the tag(s) relevant to the changed code: `MCP:adt_o11y_log-read` or `MCP:adt_o11y_log-follow` (drain a follow with `MCP:adt_o11y_log-get-followed`, stop it with `MCP:adt_o11y_log-stop-follow`).
      - Confirm expected log lines appear AND no unexpected crashes (FATAL / E/ entries for the app package).
 
+**Batch (speed):** connect + launch-app run standalone first (prerequisites). On the device-evidence path, batch the UI interactions + the UI snapshot into one `MCP:adt_execute`; the snapshot captures the state after the batched interactions, so to assert an intermediate state take a snapshot at that point too. The device-evidence screenshot is usually pixel-judged (a visual change) — take THAT one standalone with `includeBase64: true` so you can see it; batch it only when it's purely gate evidence. Log-evidence reads batch together too.
+
 ### Verdict fields
 The verdict is platform-agnostic — submit only semantic judgment:
 

package/dist/clients/cursor/platforms/skill.backend.md

@@ -13,6 +13,8 @@ The **backend protocol cycle** verifies backend changes by driving real protocol
 
 You can satisfy the cycle via **protocol-call evidence** (you drive the request yourself), **log evidence** (something else drives the request, you read the resulting logs), **DB evidence** (you inspect database state directly), or any combination. Pick whichever fits the task; one is enough.
 
+**Batch (speed):** group consecutive `bedt_*` steps into one `MCP:bedt_execute` — e.g. a POST then a GET that reuses the created id (bind the first call's result: `const r = callTool('bedt_request_http', {…POST…}); callTool('bedt_request_http', { /* GET using an id from r */ })`), register-source + read, or db-connect + query. Keep a step standalone only when you must inspect its result to DECIDE what to do next, not just to pass a value along.
+
 ### Path A — Protocol-call evidence
 
 1. **Confirm a backend service is running** (the user's dev server, Docker compose, k8s port-forward, …). The agent itself does not start the service — ask the user if uncertain.

package/dist/clients/cursor/platforms/skill.browser.md

@@ -14,6 +14,8 @@
 
 All four tools are MANDATORY (the stop hook checks each). Functional interaction is expected for every verification.
 
+**Batch (speed):** navigate (step 1) is standalone — read the ARIA snapshot it returns to decide your interactions. Then run steps 2–5 in ONE `MCP:bdt_execute` batch — `callTool('bdt_interaction_…', …)` for each interaction, `callTool('bdt_content_take-screenshot', …)`, `callTool('bdt_a11y_take-aria-snapshot', …)`, `callTool('bdt_o11y_get-console-messages', …)` — instead of four separate turns. Screenshot/aria/console capture the state AFTER the batched interactions, so batch interactions that lead to ONE state you want to assert; to assert an intermediate state (e.g. a modal that opens then closes) take a screenshot/snapshot at that point too — interleave it in the batch or split into two. The interaction is what makes the evidence meaningful: a batch of just the four evidence tools with no real interaction passes the tool-presence check but verifies nothing. If you must judge the screenshot's pixels, take that one standalone with `includeBase64: true`.
+
 ### Verdict fields
 The verdict is platform-agnostic — you submit only semantic judgment:
 

package/dist/clients/cursor/platforms/skill.node.md

@@ -31,6 +31,8 @@ If you see `pom.xml`, `build.gradle`, `requirements.txt`, `pyproject.toml`, `go.
      - Read errors: `MCP:ndt_debug_get-logs` with the error-level filter.
 4. **Disconnect** (optional): `MCP:ndt_debug_disconnect`.
 
+**Batch (speed):** connect (step 2) is standalone discovery. Batch consecutive `ndt_*` calls in one `MCP:ndt_execute` — set several probes together, then later read snapshots/logs together. The exercise step is ALWAYS separate: whatever triggers the code path (a browser/backend call on another server, a CLI command, the user) can't share an `ndt_*` batch — so node runs as set probes (batch) → exercise (separate) → read snapshots (batch).
+
 ### Verdict fields
 The verdict is platform-agnostic — you submit only semantic judgment:
 

package/dist/clients/cursor/skills/ironbee-verification.md

@@ -55,10 +55,31 @@ If already running, skip start. If the build fails, fix it before proceeding.
    - Pass → `{ "session_id": "...", "status": "pass", "checks": [...] }`
    - Fail → add `"issues": [...]` describing what failed.
    - Pass after a previous fail → add `"fixes": [...]` describing what was repaired.
+   - **A FALSE failure is a FAIL — not "verified failure handling".** When you exercise a negative path, separate an EXPECTED negative test (you deliberately fed invalid input — bad card, missing auth, malformed payload — and it correctly failed → supports a `pass`) from a FALSE failure (a VALID, in-scope operation that SHOULD succeed but errors out → a DEFECT). Report a false failure as `status: "fail"` (or at minimum non-empty `issues`), never as a passing "failure path verified". Passing a run whose own evidence shows a legitimate operation breaking is a false pass.
    - **Nothing to verify? Use N/A — never fake evidence.** When the change has no runtime surface (type-only edit, behavior-neutral refactor, config/docs that still tripped a cycle): global `{ "session_id": "...", "status": "not_applicable", "reason": ["why there's no runtime surface"] }` (no `checks`), or per-platform on a pass/fail verdict `"not_applicable_cycles": ["browser"], "reason": ["server-only change"]` to exempt some cycles while verifying others. `reason` is REQUIRED (recorded + observable); strict mode rejects N/A. Base "nothing to verify" on the FULL change set (the change is often already COMMITTED) — check `git diff HEAD~1 HEAD --stat`, not just a clean `git status`, before declaring N/A.
    - **The stop hook enforces that you called the required tools for every active (non-exempt) cycle and that a pass/fail verdict carries non-empty `checks`.**
 8. If failed → fix → rebuild → go back to step 2 → repeat until pass.
 
+## Speed — batch your tool calls (fewer LLM round-trips)
+
+Each tool call is a separate LLM round-trip, and that round-trip — not the tool's execution
+— is the dominant cost of a verification. Drive the tools in as few turns as you can:
+
+- **Batch a scope's work into ONE `MCP:*_execute` call.** Each cycle exposes a batch tool
+  (`MCP:bdt_execute` / `MCP:ndt_execute` / `MCP:bedt_execute` / `MCP:adt_execute`) that runs
+  many steps in one turn — nest each as a `callTool('<tool>', { … })`. A batch nests only
+  that cycle's own tools (you can't mix servers in one `*_execute`). It's a JS sandbox, so a later step
+  can reuse a value an earlier `callTool` returned
+  (`const r = callTool(…); callTool(…, { /* a field from r */ })`); and `*_execute` STOPS at
+  the first failing nested call, so the rest don't run. Nested calls are credited to the gate like
+  standalone calls — but authoring the batch is not the work: read each result and confirm
+  real evidence came back (a batch whose interaction failed has no screenshot/snapshot
+  behind it). See each platform section for that cycle's concrete batch shape, including any
+  cycle-specific screenshot or recording handling.
+- **Discovery stays standalone — you can't batch what you haven't seen.** The step that
+  reveals what to do (navigate / connect / snapshot) runs first and on its own; you read its
+  result, THEN batch the actions it told you to take.
+
 <!--IRONBEE:PLATFORM:browser-->
 <!--/IRONBEE:PLATFORM:browser-->