@kody-ade/kody-engine 0.2.54 → 0.2.56

package/dist/bin/kody2.js

@@ -3,7 +3,7 @@
 // package.json
 var package_default = {
   name: "@kody-ade/kody-engine",
-  version: "0.2.54",
+  version: "0.2.56",
   description: "kody2 \u2014 autonomous development engine. Single-session Claude Code agent behind a generic executor + declarative executable profiles.",
   license: "MIT",
   type: "module",
@@ -50,7 +50,7 @@ var package_default = {
 };
 
 // src/chat-cli.ts
-import { execFileSync as execFileSync20 } from "child_process";
+import { execFileSync as execFileSync22 } from "child_process";
 import * as fs22 from "fs";
 import * as path19 from "path";
 
@@ -182,9 +182,24 @@ function loadConfig(projectDir = process.cwd()) {
     issueContext: parseIssueContext(raw.issueContext),
     testRequirements: parseTestRequirements(raw.testRequirements),
     defaultExecutable: typeof raw.defaultExecutable === "string" && raw.defaultExecutable.length > 0 ? raw.defaultExecutable : void 0,
+    classify: parseClassifyConfig(raw.classify),
     release: parseReleaseConfig(raw.release)
   };
 }
+function parseClassifyConfig(raw) {
+  if (!raw || typeof raw !== "object") return void 0;
+  const r = raw;
+  const out = {};
+  if (r.labelMap && typeof r.labelMap === "object") {
+    const entries = Object.entries(r.labelMap).filter(
+      ([, v]) => typeof v === "string" && v.length > 0
+    );
+    if (entries.length > 0) {
+      out.labelMap = Object.fromEntries(entries.map(([k, v]) => [k.toLowerCase(), String(v)]));
+    }
+  }
+  return Object.keys(out).length > 0 ? out : void 0;
+}
 function parseReleaseConfig(raw) {
   if (!raw || typeof raw !== "object") return void 0;
   const r = raw;
@@ -528,7 +543,7 @@ async function emit(sink, type, sessionId, suffix, payload) {
 }
 
 // src/kody2-cli.ts
-import { execFileSync as execFileSync19 } from "child_process";
+import { execFileSync as execFileSync21 } from "child_process";
 import * as fs21 from "fs";
 import * as path18 from "path";
 
@@ -1499,6 +1514,41 @@ ${formatMissesForFeedback(misses)}`;
   ctx.data.coverageMisses = finalMisses;
 };
 
+// src/scripts/classifyByLabel.ts
+var VALID_CLASSES = /* @__PURE__ */ new Set(["feature", "bug", "spec", "chore"]);
+var classifyByLabel = async (ctx) => {
+  const issue = ctx.data.issue;
+  const labels = issue?.labels;
+  if (!labels || labels.length === 0) return;
+  const cfgMap = ctx.config.classify?.labelMap;
+  const map = cfgMap ?? defaultLabelMap();
+  for (const label of labels) {
+    const candidate = map[label.toLowerCase()];
+    if (candidate && VALID_CLASSES.has(candidate)) {
+      ctx.data.classification = candidate;
+      ctx.data.classificationSource = "label";
+      ctx.data.classificationReason = `label \`${label}\` \u2192 ${candidate}`;
+      ctx.skipAgent = true;
+      return;
+    }
+  }
+};
+function defaultLabelMap() {
+  return {
+    bug: "bug",
+    enhancement: "bug",
+    refactor: "feature",
+    feature: "feature",
+    performance: "feature",
+    rfc: "spec",
+    design: "spec",
+    spec: "spec",
+    docs: "chore",
+    chore: "chore",
+    dependencies: "chore"
+  };
+}
+
 // src/scripts/commitAndPush.ts
 import { execFileSync as execFileSync6 } from "child_process";
 
@@ -2366,7 +2416,7 @@ function gh2(args, options) {
   }).trim();
 }
 function getIssue(issueNumber, cwd) {
-  const output = gh2(["issue", "view", String(issueNumber), "--json", "number,title,body,comments"], { cwd });
+  const output = gh2(["issue", "view", String(issueNumber), "--json", "number,title,body,comments,labels"], { cwd });
   const parsed = JSON.parse(output);
   if (typeof parsed?.title !== "string") {
     throw new Error(`Issue #${issueNumber}: unexpected response shape`);
@@ -2379,7 +2429,8 @@ function getIssue(issueNumber, cwd) {
       body: c.body ?? "",
       author: c.author?.login ?? "unknown",
       createdAt: c.createdAt ?? ""
-    }))
+    })),
+    labels: Array.isArray(parsed.labels) ? parsed.labels.map((l) => l.name ?? "").filter((n) => n.length > 0) : []
   };
 }
 function stripKody2Mentions(body) {
@@ -3534,7 +3585,9 @@ var loadIssueContext = async (ctx) => {
   const kept = sorted.slice(0, limit);
   const commentsFormatted = kept.length === 0 ? "(no comments yet)" : kept.map((c) => `- **${c.author}** (${c.createdAt}):
   ${truncate2(c.body, maxBytes).replace(/\n/g, "\n  ")}`).join("\n\n");
-  ctx.data.issue = { ...issue, commentsFormatted };
+  const labels = issue.labels ?? [];
+  const labelsFormatted = labels.length === 0 ? "(no labels)" : labels.map((l) => `\`${l}\``).join(", ");
+  ctx.data.issue = { ...issue, commentsFormatted, labelsFormatted };
   ctx.data.commentTargetType = "issue";
   ctx.data.commentTargetNumber = issueNumber;
 };
@@ -3659,6 +3712,86 @@ var persistFlowState = async (ctx) => {
   }
 };
 
+// src/scripts/postClassification.ts
+import { execFileSync as execFileSync14 } from "child_process";
+var API_TIMEOUT_MS6 = 3e4;
+var VALID_CLASSES2 = /* @__PURE__ */ new Set(["feature", "bug", "spec", "chore"]);
+var postClassification = async (ctx) => {
+  const issueNumber = ctx.args.issue;
+  if (!issueNumber) return;
+  const presetClassification = ctx.data.classification;
+  let classification = null;
+  let reason = null;
+  if (presetClassification && VALID_CLASSES2.has(presetClassification)) {
+    classification = presetClassification;
+    reason = ctx.data.classificationReason ?? "label-based match";
+  } else {
+    const parsed = parseClassification(ctx.data.prSummary ?? "");
+    classification = parsed?.classification ?? null;
+    reason = parsed?.reason ?? null;
+  }
+  if (!classification) {
+    ctx.data.action = failedAction("classification missing or invalid");
+    tryAuditComment(issueNumber, "\u26A0\uFE0F kody2 classifier could not decide \u2014 please re-run with an explicit `@kody2 <type>`.", ctx.cwd);
+    ctx.output.exitCode = 1;
+    ctx.output.reason = "classify: no decision";
+    return;
+  }
+  tryAuditComment(
+    issueNumber,
+    `\u{1F50E} kody2 classified as \`${classification}\`${reason ? ` \u2014 ${reason}` : ""}`,
+    ctx.cwd
+  );
+  try {
+    execFileSync14("gh", ["issue", "comment", String(issueNumber), "--body", `@kody2 ${classification}`], {
+      cwd: ctx.cwd,
+      timeout: API_TIMEOUT_MS6,
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+  } catch (err) {
+    process.stderr.write(
+      `[kody2 postClassification] failed to dispatch @kody2 ${classification}: ${err instanceof Error ? err.message : String(err)}
+`
+    );
+    ctx.data.action = failedAction("dispatch post failed");
+    ctx.output.exitCode = 1;
+    ctx.output.reason = "classify: dispatch failed";
+    return;
+  }
+  ctx.data.action = makeAction2(`CLASSIFIED_AS_${classification.toUpperCase()}`, {
+    classification,
+    reason: reason ?? "",
+    source: ctx.data.classificationSource ?? "agent"
+  });
+  ctx.data.classification = classification;
+  ctx.data.classificationReason = reason ?? "";
+};
+function parseClassification(prSummary) {
+  if (!prSummary) return null;
+  const classMatch = prSummary.match(/classification:\s*(feature|bug|spec|chore)\b/i);
+  if (!classMatch) return null;
+  const classification = classMatch[1].toLowerCase();
+  const reasonMatch = prSummary.match(/reason:\s*(.+)$/im);
+  const reason = reasonMatch ? reasonMatch[1].trim() : "";
+  return { classification, reason };
+}
+function tryAuditComment(issueNumber, body, cwd) {
+  try {
+    execFileSync14("gh", ["issue", "comment", String(issueNumber), "--body", body], {
+      cwd,
+      timeout: API_TIMEOUT_MS6,
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+  } catch {
+  }
+}
+function makeAction2(type, payload) {
+  return { type, payload, timestamp: (/* @__PURE__ */ new Date()).toISOString() };
+}
+function failedAction(reason) {
+  return { type: "CLASSIFY_FAILED", payload: { reason }, timestamp: (/* @__PURE__ */ new Date()).toISOString() };
+}
+
 // src/scripts/postIssueComment.ts
 var postIssueComment2 = async (ctx) => {
   if (ctx.skipAgent && ctx.output.exitCode !== void 0) return;
@@ -3773,7 +3906,7 @@ function reviewAction(verdict, payload) {
   const type = verdict === "PASS" ? "REVIEW_PASS" : verdict === "CONCERNS" ? "REVIEW_CONCERNS" : verdict === "FAIL" ? "REVIEW_FAIL" : "REVIEW_COMPLETED";
   return { type, payload: { verdict, ...payload }, timestamp: (/* @__PURE__ */ new Date()).toISOString() };
 }
-function failedAction(reason) {
+function failedAction2(reason) {
   return { type: "REVIEW_FAILED", payload: { reason }, timestamp: (/* @__PURE__ */ new Date()).toISOString() };
 }
 var postReviewResult = async (ctx, _profile, agentResult) => {
@@ -3781,7 +3914,7 @@ var postReviewResult = async (ctx, _profile, agentResult) => {
   if (!prNumber) {
     ctx.output.exitCode = 99;
     ctx.output.reason = "review postflight: no PR number in context";
-    ctx.data.action = failedAction(ctx.output.reason);
+    ctx.data.action = failedAction2(ctx.output.reason);
     return;
   }
   if (!agentResult || agentResult.outcome !== "completed") {
@@ -3792,7 +3925,7 @@ var postReviewResult = async (ctx, _profile, agentResult) => {
     }
     ctx.output.exitCode = 1;
     ctx.output.reason = reason;
-    ctx.data.action = failedAction(reason);
+    ctx.data.action = failedAction2(reason);
     return;
   }
   const reviewBody = agentResult.finalText.trim();
@@ -3803,7 +3936,7 @@ var postReviewResult = async (ctx, _profile, agentResult) => {
     }
     ctx.output.exitCode = 1;
     ctx.output.reason = "empty review body";
-    ctx.data.action = failedAction("empty review body");
+    ctx.data.action = failedAction2("empty review body");
     return;
   }
   try {
@@ -3812,7 +3945,7 @@ var postReviewResult = async (ctx, _profile, agentResult) => {
     const msg = err instanceof Error ? err.message : String(err);
     ctx.output.exitCode = 4;
     ctx.output.reason = `failed to post review comment: ${msg}`;
-    ctx.data.action = failedAction(ctx.output.reason);
+    ctx.data.action = failedAction2(ctx.output.reason);
     return;
   }
   const verdict = detectVerdict(reviewBody);
@@ -3828,7 +3961,7 @@ REVIEW_POSTED=https://github.com/${ctx.config.github.owner}/${ctx.config.github.
 };
 
 // src/scripts/releaseFlow.ts
-import { execFileSync as execFileSync14, spawnSync } from "child_process";
+import { execFileSync as execFileSync15, spawnSync } from "child_process";
 import * as fs18 from "fs";
 import * as path16 from "path";
 function bumpVersion(current, bump) {
@@ -3858,7 +3991,7 @@ function generateChangelog(cwd, newVersion, lastTag) {
   const range = lastTag ? `${lastTag}..HEAD` : "HEAD";
   let log = "";
   try {
-    log = execFileSync14("git", ["log", range, "--pretty=format:%s||%h", "--no-merges"], {
+    log = execFileSync15("git", ["log", range, "--pretty=format:%s||%h", "--no-merges"], {
       cwd,
       encoding: "utf-8",
       stdio: ["ignore", "pipe", "pipe"]
@@ -3915,7 +4048,7 @@ ${entry}${prior.slice(idx + 1)}`);
   }
 }
 function git3(args, cwd, timeout = 6e4) {
-  return execFileSync14("git", args, {
+  return execFileSync15("git", args, {
     encoding: "utf-8",
     timeout,
     cwd,
@@ -4142,12 +4275,12 @@ function fail(ctx, profile, reason) {
   ctx.data.agentDone = false;
   ctx.data.agentFailureReason = reason;
   const modeSeg = profile.name.replace(/-/g, "_").toUpperCase();
-  const failedAction2 = {
+  const failedAction3 = {
     type: `${modeSeg}_FAILED`,
     payload: { reason },
     timestamp: (/* @__PURE__ */ new Date()).toISOString()
   };
-  ctx.data.action = failedAction2;
+  ctx.data.action = failedAction3;
 }
 function countActionItems(block) {
   if (!block.trim()) return 0;
@@ -4186,12 +4319,12 @@ function fail2(ctx, profile, reason) {
   ctx.data.agentDone = false;
   ctx.data.agentFailureReason = reason;
   const modeSeg = profile.name.replace(/-/g, "_").toUpperCase();
-  const failedAction2 = {
+  const failedAction3 = {
     type: `${modeSeg}_FAILED`,
     payload: { reason },
     timestamp: (/* @__PURE__ */ new Date()).toISOString()
   };
-  ctx.data.action = failedAction2;
+  ctx.data.action = failedAction3;
 }
 
 // src/scripts/resolveArtifacts.ts
@@ -4218,7 +4351,7 @@ var resolveArtifacts = async (ctx, profile) => {
 };
 
 // src/scripts/resolveFlow.ts
-import { execFileSync as execFileSync15 } from "child_process";
+import { execFileSync as execFileSync16 } from "child_process";
 var CONFLICT_DIFF_MAX_BYTES = 4e4;
 var resolveFlow = async (ctx) => {
   const prNumber = ctx.args.pr;
@@ -4270,7 +4403,7 @@ var resolveFlow = async (ctx) => {
 };
 function getConflictedFiles(cwd) {
   try {
-    const out = execFileSync15("git", ["diff", "--name-only", "--diff-filter=U"], {
+    const out = execFileSync16("git", ["diff", "--name-only", "--diff-filter=U"], {
       encoding: "utf-8",
       cwd,
       env: { ...process.env, HUSKY: "0" }
@@ -4285,7 +4418,7 @@ function getConflictMarkersPreview(files, cwd, maxBytes = CONFLICT_DIFF_MAX_BYTE
   let total = 0;
   for (const f of files) {
     try {
-      const content = execFileSync15("cat", [f], { encoding: "utf-8", cwd }).toString();
+      const content = execFileSync16("cat", [f], { encoding: "utf-8", cwd }).toString();
       const snippet = `### ${f}
 
 \`\`\`
@@ -4353,6 +4486,253 @@ function tryPostPr4(prNumber, body, cwd) {
   }
 }
 
+// src/scripts/riskGate.ts
+import { execFileSync as execFileSync17 } from "child_process";
+var ALL_GATES = ["secrets", "workflow-edit", "large-diff", "dep-change", "test-deletion"];
+var HARD_GATES = /* @__PURE__ */ new Set(["secrets"]);
+var APPROVE_ALL = "kody-approve:all";
+var GATED_LABEL = "kody:gated";
+var DEFAULT_MAX_FILES = 20;
+var DEFAULT_MAX_DELETIONS = 500;
+var riskGate = async (ctx, profile, _agent, args) => {
+  const changedFiles = ctx.data.changedFiles ?? [];
+  const gatesToRun = parseGates(args?.gates);
+  const violations = evaluateGates(ctx, profile.name, changedFiles, gatesToRun, args);
+  if (violations.length === 0) {
+    ctx.data.riskGate = { violations: [], pending: [], decision: "allow" };
+    return;
+  }
+  const targetType = ctx.data.commentTargetType;
+  const targetNumber = Number(ctx.data.commentTargetNumber ?? 0);
+  const labels = targetNumber > 0 ? getIssueLabels(targetNumber, ctx.cwd) : [];
+  const approveAll = labels.includes(APPROVE_ALL);
+  const pending = violations.filter((v) => !isApproved(v, labels, approveAll));
+  ctx.data.riskGate = {
+    violations,
+    pending,
+    decision: pending.length === 0 ? "allow" : "halt"
+  };
+  if (pending.length === 0 || !targetType || targetNumber <= 0) return;
+  for (const v of pending) {
+    ensureApproveLabel(v.name, ctx.cwd);
+  }
+  try {
+    setKodyLabel(
+      targetNumber,
+      {
+        label: GATED_LABEL,
+        color: "fbca04",
+        description: "kody2: awaiting human approval of risk gate(s)"
+      },
+      ctx.cwd
+    );
+  } catch {
+  }
+  const body = formatAdvisory(pending);
+  try {
+    if (targetType === "issue") postIssueComment(targetNumber, body, ctx.cwd);
+    else postPrReviewComment(targetNumber, body, ctx.cwd);
+  } catch {
+  }
+  if (!ctx.output.reason) {
+    ctx.output.reason = `risk gate halt: ${pending.map((p) => p.name).join(", ")}`;
+  }
+};
+function evaluateGates(ctx, profileName, changedFiles, gatesToRun, args) {
+  const violations = [];
+  if (gatesToRun.includes("secrets")) {
+    const hits = changedFiles.filter(isSecretPath);
+    if (hits.length > 0) {
+      violations.push({
+        name: "secrets",
+        severity: "hard",
+        reason: `secret/credential files touched: ${preview(hits)}`
+      });
+    }
+  }
+  if (gatesToRun.includes("workflow-edit")) {
+    const hits = changedFiles.filter((f) => f.startsWith(".github/workflows/"));
+    if (hits.length > 0) {
+      violations.push({
+        name: "workflow-edit",
+        severity: "soft",
+        reason: `CI workflow files modified: ${preview(hits)}`
+      });
+    }
+  }
+  if (gatesToRun.includes("large-diff")) {
+    const maxFiles = toPositiveInt(args?.maxFiles, DEFAULT_MAX_FILES);
+    const maxDeletions = toPositiveInt(args?.maxDeletions, DEFAULT_MAX_DELETIONS);
+    if (changedFiles.length > maxFiles) {
+      violations.push({
+        name: "large-diff",
+        severity: "soft",
+        reason: `${changedFiles.length} files changed (threshold: ${maxFiles})`
+      });
+    } else {
+      const stats = computeDiffStats(ctx);
+      if (stats && stats.deletions > maxDeletions) {
+        violations.push({
+          name: "large-diff",
+          severity: "soft",
+          reason: `${stats.deletions} lines deleted (threshold: ${maxDeletions})`
+        });
+      }
+    }
+  }
+  if (gatesToRun.includes("dep-change") && profileName !== "chore") {
+    const hits = changedFiles.filter(isDepFile);
+    if (hits.length > 0) {
+      violations.push({
+        name: "dep-change",
+        severity: "soft",
+        reason: `dependency/lockfile changes outside a chore flow: ${preview(hits)}`
+      });
+    }
+  }
+  if (gatesToRun.includes("test-deletion")) {
+    const deleted = listDeletedFilesInHeadCommit(ctx.cwd).filter(isTestFile);
+    if (deleted.length > 0) {
+      violations.push({
+        name: "test-deletion",
+        severity: "soft",
+        reason: `test files deleted: ${preview(deleted)}`
+      });
+    }
+  }
+  return violations;
+}
+function isApproved(v, labels, approveAll) {
+  if (labels.includes(`kody-approve:${v.name}`)) return true;
+  if (!HARD_GATES.has(v.name) && approveAll) return true;
+  return false;
+}
+function parseGates(spec) {
+  if (spec === void 0 || spec === null || spec === "") return ALL_GATES;
+  const list = String(spec).split(",").map((s) => s.trim()).filter(Boolean);
+  const valid = ALL_GATES;
+  const matched = list.filter((n) => valid.includes(n));
+  return matched.length > 0 ? matched : ALL_GATES;
+}
+function toPositiveInt(v, fallback) {
+  const n = typeof v === "number" ? v : parseInt(String(v ?? ""), 10);
+  return Number.isFinite(n) && n > 0 ? n : fallback;
+}
+function preview(list, max = 5) {
+  if (list.length <= max) return list.join(", ");
+  return `${list.slice(0, max).join(", ")} (+${list.length - max} more)`;
+}
+var SECRET_PATTERNS = [
+  /(^|\/)\.env(\.|$)/i,
+  /\.pem$/i,
+  /\.key$/i,
+  /(^|\/)(id_rsa|id_ed25519|id_ecdsa)(\.|$)/i,
+  /credentials?(\.|\/|$)/i,
+  /(^|\/)(private|secret)[^/]*\.json$/i,
+  /(^|\/)\.netrc$/i,
+  /(^|\/)\.npmrc$/i
+];
+function isSecretPath(p) {
+  return SECRET_PATTERNS.some((r) => r.test(p));
+}
+var DEP_FILES = /* @__PURE__ */ new Set([
+  "package.json",
+  "pnpm-lock.yaml",
+  "package-lock.json",
+  "yarn.lock",
+  "requirements.txt",
+  "Pipfile",
+  "Pipfile.lock",
+  "poetry.lock",
+  "go.mod",
+  "go.sum",
+  "Cargo.toml",
+  "Cargo.lock",
+  "Gemfile",
+  "Gemfile.lock"
+]);
+function isDepFile(p) {
+  return DEP_FILES.has(p.split("/").pop() ?? "");
+}
+function isTestFile(p) {
+  return /(^|\/)(tests?|__tests__|spec)\//i.test(p) || /\.(test|spec)\.[a-z0-9]+$/i.test(p);
+}
+function computeDiffStats(ctx) {
+  const base = ctx.config.git.defaultBranch;
+  for (const ref of [`origin/${base}...HEAD`, `${base}...HEAD`]) {
+    try {
+      const out = execFileSync17("git", ["diff", "--shortstat", ref], {
+        cwd: ctx.cwd,
+        encoding: "utf-8",
+        stdio: ["pipe", "pipe", "pipe"]
+      }).trim();
+      if (out) return parseShortstat(out);
+    } catch {
+    }
+  }
+  return null;
+}
+function parseShortstat(s) {
+  const ins = /(\d+)\s+insertions?/.exec(s);
+  const del = /(\d+)\s+deletions?/.exec(s);
+  return {
+    insertions: ins ? parseInt(ins[1], 10) : 0,
+    deletions: del ? parseInt(del[1], 10) : 0
+  };
+}
+function listDeletedFilesInHeadCommit(cwd) {
+  try {
+    const out = execFileSync17("git", ["show", "--name-status", "--pretty=format:", "HEAD"], {
+      cwd,
+      encoding: "utf-8",
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    return out.split("\n").map((l) => l.trim()).filter((l) => l.startsWith("D	")).map((l) => l.slice(2).trim()).filter(Boolean);
+  } catch {
+    return [];
+  }
+}
+function ensureApproveLabel(gate, cwd) {
+  try {
+    gh2(
+      [
+        "label",
+        "create",
+        `kody-approve:${gate}`,
+        "--force",
+        "--color",
+        "0e8a16",
+        "--description",
+        `kody2: approve the ${gate} risk gate and resume the flow`
+      ],
+      { cwd }
+    );
+  } catch {
+  }
+}
+function formatAdvisory(pending) {
+  const lines = [];
+  lines.push("\u23F8\uFE0F **kody2 risk gate halted the flow.**");
+  lines.push("");
+  lines.push("The changes were committed and pushed, but the flow will **not progress** until a human approves:");
+  lines.push("");
+  for (const v of pending) {
+    lines.push(`- **\`${v.name}\`** _(${v.severity})_ \u2014 ${v.reason}`);
+  }
+  lines.push("");
+  lines.push("**To approve and resume**, add one of these labels to this issue/PR:");
+  const perGate = pending.map((v) => `\`kody-approve:${v.name}\``).join(", ");
+  lines.push(`- ${perGate}`);
+  if (pending.some((v) => v.severity === "soft")) {
+    lines.push("- `kody-approve:all` \u2014 bypass **soft** gates at once (hard gates still require their specific label)");
+  }
+  lines.push("");
+  lines.push(
+    "Then re-trigger kody2 (e.g. post a new `@kody2 \u2026` comment). The branch already holds the committed work, so the re-run resumes from the same point."
+  );
+  return lines.join("\n");
+}
+
 // src/scripts/runFlow.ts
 var runFlow = async (ctx) => {
   const issueNumber = ctx.args.issue;
@@ -4449,8 +4829,8 @@ var skipAgent = async (ctx) => {
 };
 
 // src/scripts/startFlow.ts
-import { execFileSync as execFileSync16 } from "child_process";
-var API_TIMEOUT_MS6 = 3e4;
+import { execFileSync as execFileSync18 } from "child_process";
+var API_TIMEOUT_MS7 = 3e4;
 var startFlow = async (ctx, profile, _agentResult, args) => {
   const entry = args?.entry;
   if (!entry) {
@@ -4483,8 +4863,8 @@ function postKody2Comment(target, issueNumber, state, next, cwd) {
   const sub = target === "pr" && state?.core.prUrl ? "pr" : "issue";
   const body = `@kody2 ${next}`;
   try {
-    execFileSync16("gh", [sub, "comment", String(targetNumber), "--body", body], {
-      timeout: API_TIMEOUT_MS6,
+    execFileSync18("gh", [sub, "comment", String(targetNumber), "--body", body], {
+      timeout: API_TIMEOUT_MS7,
       cwd,
       stdio: ["ignore", "pipe", "pipe"]
     });
@@ -4503,7 +4883,7 @@ function parsePr2(url) {
 }
 
 // src/scripts/syncFlow.ts
-import { execFileSync as execFileSync17 } from "child_process";
+import { execFileSync as execFileSync19 } from "child_process";
 var syncFlow = async (ctx) => {
   ctx.skipAgent = true;
   const prNumber = ctx.args.pr;
@@ -4562,7 +4942,7 @@ function bail2(ctx, prNumber, reason) {
 }
 function revParseHead(cwd) {
   try {
-    return execFileSync17("git", ["rev-parse", "HEAD"], { cwd, encoding: "utf-8", stdio: ["ignore", "pipe", "pipe"] }).toString().trim();
+    return execFileSync19("git", ["rev-parse", "HEAD"], { cwd, encoding: "utf-8", stdio: ["ignore", "pipe", "pipe"] }).toString().trim();
   } catch {
     return "";
   }
@@ -4570,9 +4950,9 @@ function revParseHead(cwd) {
 function pushBranch(branch, cwd) {
   const env = { ...process.env, HUSKY: "0", SKIP_HOOKS: "1" };
   try {
-    execFileSync17("git", ["push", "-u", "origin", branch], { cwd, env, stdio: ["ignore", "pipe", "pipe"] });
+    execFileSync19("git", ["push", "-u", "origin", branch], { cwd, env, stdio: ["ignore", "pipe", "pipe"] });
   } catch {
-    execFileSync17("git", ["push", "--force-with-lease", "-u", "origin", branch], {
+    execFileSync19("git", ["push", "--force-with-lease", "-u", "origin", branch], {
       cwd,
       env,
       stdio: ["ignore", "pipe", "pipe"]
@@ -4790,7 +5170,8 @@ var preflightScripts = {
   resolvePreviewUrl,
   composePrompt,
   setLifecycleLabel,
-  skipAgent
+  skipAgent,
+  classifyByLabel
 };
 var postflightScripts = {
   parseAgentResult: parseAgentResult2,
@@ -4812,7 +5193,9 @@ var postflightScripts = {
   dispatch,
   finishFlow,
   advanceFlow,
-  persistFlowState
+  persistFlowState,
+  postClassification,
+  riskGate
 };
 var allScriptNames = /* @__PURE__ */ new Set([
   ...Object.keys(preflightScripts),
@@ -4820,7 +5203,7 @@ var allScriptNames = /* @__PURE__ */ new Set([
 ]);
 
 // src/tools.ts
-import { execFileSync as execFileSync18 } from "child_process";
+import { execFileSync as execFileSync20 } from "child_process";
 function verifyCliTools(tools, cwd) {
   const out = [];
   for (const t of tools) out.push(verifyOne(t, cwd));
@@ -4853,7 +5236,7 @@ function verifyOne(tool, cwd) {
 }
 function runShell2(cmd, cwd, timeoutMs = 3e4) {
   try {
-    execFileSync18("sh", ["-c", cmd], { cwd, stdio: "pipe", timeout: timeoutMs });
+    execFileSync20("sh", ["-c", cmd], { cwd, stdio: "pipe", timeout: timeoutMs });
     return true;
   } catch {
     return false;
@@ -5183,7 +5566,7 @@ function detectPackageManager2(cwd) {
 }
 function shellOut(cmd, args, cwd, stream = true) {
   try {
-    execFileSync19(cmd, args, {
+    execFileSync21(cmd, args, {
       cwd,
       stdio: stream ? "inherit" : "pipe",
       env: { ...process.env, HUSKY: "0", SKIP_HOOKS: "1", CI: process.env.CI ?? "1" }
@@ -5196,7 +5579,7 @@ function shellOut(cmd, args, cwd, stream = true) {
 }
 function isOnPath(bin) {
   try {
-    execFileSync19("which", [bin], { stdio: "pipe" });
+    execFileSync21("which", [bin], { stdio: "pipe" });
     return true;
   } catch {
     return false;
@@ -5230,7 +5613,7 @@ function installLitellmIfNeeded(cwd) {
   } catch {
   }
   try {
-    execFileSync19("python3", ["-c", "import litellm"], { stdio: "pipe" });
+    execFileSync21("python3", ["-c", "import litellm"], { stdio: "pipe" });
     process.stdout.write("\u2192 kody2: litellm already installed\n");
     return 0;
   } catch {
@@ -5240,16 +5623,16 @@ function installLitellmIfNeeded(cwd) {
 }
 function configureGitIdentity(cwd) {
   try {
-    const name = execFileSync19("git", ["config", "user.name"], { cwd, stdio: "pipe", encoding: "utf-8" }).trim();
+    const name = execFileSync21("git", ["config", "user.name"], { cwd, stdio: "pipe", encoding: "utf-8" }).trim();
     if (name) return;
   } catch {
   }
   try {
-    execFileSync19("git", ["config", "user.name", "github-actions[bot]"], { cwd, stdio: "pipe" });
+    execFileSync21("git", ["config", "user.name", "github-actions[bot]"], { cwd, stdio: "pipe" });
   } catch {
   }
   try {
-    execFileSync19("git", ["config", "user.email", "41898282+github-actions[bot]@users.noreply.github.com"], {
+    execFileSync21("git", ["config", "user.email", "41898282+github-actions[bot]@users.noreply.github.com"], {
       cwd,
       stdio: "pipe"
     });
@@ -5426,9 +5809,9 @@ function commitChatFiles(cwd, sessionId, verbose) {
   if (paths.length === 0) return;
   const opts = { cwd, stdio: verbose ? "inherit" : "pipe" };
   try {
-    execFileSync20("git", ["add", ...paths], opts);
-    execFileSync20("git", ["commit", "--quiet", "-m", `chat: reply for ${sessionId}`], opts);
-    execFileSync20("git", ["push", "--quiet", "origin", "HEAD"], opts);
+    execFileSync22("git", ["add", ...paths], opts);
+    execFileSync22("git", ["commit", "--quiet", "-m", `chat: reply for ${sessionId}`], opts);
+    execFileSync22("git", ["push", "--quiet", "origin", "HEAD"], opts);
   } catch (err) {
     const msg = err instanceof Error ? err.message : String(err);
     process.stderr.write(`[kody2:chat] commit/push skipped: ${msg}

package/dist/executables/classify/profile.json

@@ -0,0 +1,64 @@
+{
+  "name": "classify",
+  "role": "primitive",
+  "describe": "Classify an issue into one of {feature, bug, spec, chore} and dispatch the matching sub-orchestrator. Label-first fast path; LLM fallback when labels don't decide.",
+  "inputs": [
+    {
+      "name": "issue",
+      "flag": "--issue",
+      "type": "int",
+      "required": true,
+      "describe": "GitHub issue number to classify."
+    }
+  ],
+  "claudeCode": {
+    "model": "inherit",
+    "permissionMode": "default",
+    "maxTurns": null,
+    "maxThinkingTokens": null,
+    "systemPromptAppend": null,
+    "tools": [
+      "Read",
+      "Bash"
+    ],
+    "hooks": [],
+    "skills": [],
+    "commands": [],
+    "subagents": [],
+    "plugins": [],
+    "mcpServers": []
+  },
+  "cliTools": [],
+  "scripts": {
+    "preflight": [
+      {
+        "script": "setLifecycleLabel",
+        "with": {
+          "label": "kody:classifying",
+          "color": "0e8a16",
+          "description": "kody2: classifying the issue"
+        }
+      },
+      { "script": "loadIssueContext" },
+      { "script": "loadTaskState" },
+      { "script": "classifyByLabel" },
+      { "script": "loadConventions" },
+      { "script": "composePrompt" }
+    ],
+    "postflight": [
+      { "script": "parseAgentResult" },
+      { "script": "postClassification" },
+      { "script": "writeRunSummary" },
+      { "script": "saveTaskState" }
+    ]
+  },
+  "output": {
+    "actionTypes": [
+      "CLASSIFIED_AS_FEATURE",
+      "CLASSIFIED_AS_BUG",
+      "CLASSIFIED_AS_SPEC",
+      "CLASSIFIED_AS_CHORE",
+      "CLASSIFY_FAILED"
+    ]
+  }
+}

package/dist/executables/classify/prompt.md

@@ -0,0 +1,49 @@
+You are Kody's issue-triage classifier. Your only job: read the issue below and pick ONE of the four flow types.
+
+# Repo
+{{repoOwner}}/{{repoName}}, default branch `{{defaultBranch}}`
+
+# Issue #{{issue.number}}: {{issue.title}}
+
+Labels: {{issue.labelsFormatted}}
+
+{{issue.body}}
+
+Recent comments (most recent first, truncated):
+{{issue.commentsFormatted}}
+
+{{conventionsBlock}}
+
+---
+
+# Classification rubric
+
+Pick **exactly one** of:
+
+- **feature** — new user-facing capability, refactor, performance work, or anything where scope is not fully known up front. Multi-file change likely. Use when the issue opens a design space (even if small).
+- **bug** — fix broken behavior, enhancement to existing feature, or any targeted change where the scope is localized and well understood. Skip research; go straight to plan.
+- **spec** — produce a design doc, RFC, architecture proposal, or exploration artifact. No code changes. Terminates at the plan artifact.
+- **chore** — trivial maintenance: docs tweak, dep bump, lint fix, README update. No planning needed.
+
+**If the issue ASKS for an RFC / design doc / spec / analysis with no implementation → `spec`.** Beats everything else.
+**If the issue is plainly "fix X" or "add tiny Y to existing Z" with clear boundaries → `bug`.**
+**If the issue is "tweak config / bump dep / fix typo" with no real design choice → `chore`.**
+**Otherwise → `feature`.**
+
+# Required output
+
+Your FINAL message must be exactly this shape (no extra text before or after):
+
+```
+DONE
+COMMIT_MSG: classify: <classification>
+PR_SUMMARY:
+classification: <feature|bug|spec|chore>
+reason: <one sentence explaining the pick, grounded in the issue text>
+```
+
+# Rules
+
+- Read-only. Do NOT modify any file. Do NOT run git or gh.
+- Output `FAILED: <reason>` if the issue is incoherent or ambiguous beyond the rubric.
+- Do not over-think. This is triage, not analysis.

package/dist/executables/fix/profile.json

@@ -94,7 +94,11 @@
         "script": "saveTaskState"
       },
       {
-        "script": "advanceFlow"
+        "script": "riskGate"
+      },
+      {
+        "script": "advanceFlow",
+        "runWhen": { "data.riskGate.decision": "allow" }
       }
     ]
   },

package/dist/executables/run/profile.json

@@ -93,7 +93,11 @@
         "script": "mirrorStateToPr"
       },
       {
-        "script": "advanceFlow"
+        "script": "riskGate"
+      },
+      {
+        "script": "advanceFlow",
+        "runWhen": { "data.riskGate.decision": "allow" }
       }
     ]
   },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kody-ade/kody-engine",
-  "version": "0.2.54",
+  "version": "0.2.56",
   "description": "kody2 — autonomous development engine. Single-session Claude Code agent behind a generic executor + declarative executable profiles.",
   "license": "MIT",
   "type": "module",