@kody-ade/kody-engine 0.2.58 → 0.2.60

package/dist/bin/kody2.js

@@ -3,7 +3,7 @@
 // package.json
 var package_default = {
   name: "@kody-ade/kody-engine",
-  version: "0.2.58",
+  version: "0.2.60",
   description: "kody2 \u2014 autonomous development engine. Single-session Claude Code agent behind a generic executor + declarative executable profiles.",
   license: "MIT",
   type: "module",
@@ -50,7 +50,7 @@ var package_default = {
 };
 
 // src/chat-cli.ts
-import { execFileSync as execFileSync22 } from "child_process";
+import { execFileSync as execFileSync23 } from "child_process";
 import * as fs22 from "fs";
 import * as path19 from "path";
 
@@ -543,7 +543,7 @@ async function emit(sink, type, sessionId, suffix, payload) {
 }
 
 // src/kody2-cli.ts
-import { execFileSync as execFileSync21 } from "child_process";
+import { execFileSync as execFileSync22 } from "child_process";
 import * as fs21 from "fs";
 import * as path18 from "path";
 
@@ -581,6 +581,9 @@ function autoDispatch(opts) {
   if (!targetNum) return null;
   const afterTag = extractAfterTag(body);
   if (isPr) {
+    if (/\bapprove\b/.test(afterTag)) {
+      return { executable: "approve", cliArgs: { pr: targetNum }, target: targetNum };
+    }
     if (/\bfix-ci\b/.test(afterTag)) {
       return { executable: "fix-ci", cliArgs: { pr: targetNum }, target: targetNum };
     }
@@ -754,6 +757,7 @@ import * as path6 from "path";
 var VALID_INPUT_TYPES = /* @__PURE__ */ new Set(["int", "string", "bool", "enum"]);
 var VALID_PERMISSION_MODES = /* @__PURE__ */ new Set(["default", "acceptEdits", "plan", "bypassPermissions"]);
 var VALID_ROLES = /* @__PURE__ */ new Set(["primitive", "orchestrator", "watch", "utility"]);
+var VALID_PHASES = /* @__PURE__ */ new Set(["research", "planning", "implementing", "reviewing", "shipped", "failed", "idle"]);
 var ProfileError = class extends Error {
   constructor(profilePath, message) {
     super(`Invalid profile at ${profilePath}:
@@ -788,12 +792,20 @@ function loadProfile(profilePath) {
     );
   }
   const role = r.role;
+  let phase;
+  if (r.phase !== void 0) {
+    if (typeof r.phase !== "string" || !VALID_PHASES.has(r.phase)) {
+      throw new ProfileError(profilePath, `"phase" must be one of: ${[...VALID_PHASES].join(" | ")}`);
+    }
+    phase = r.phase;
+  }
   const profile = {
     name: requireString(profilePath, r, "name"),
     describe: typeof r.describe === "string" ? r.describe : "",
     role,
     kind,
     schedule: typeof r.schedule === "string" ? r.schedule : void 0,
+    phase,
     inputs: parseInputs(profilePath, r.inputs),
     claudeCode: parseClaudeCode(profilePath, r.claudeCode),
     cliTools: parseCliTools(profilePath, r.cliTools),
@@ -1060,7 +1072,7 @@ function parseStateComment(body) {
     return emptyState();
   }
 }
-function reduce(state, executable, action) {
+function reduce(state, executable, action, phase) {
   if (!action) return state;
   const newAttempts = { ...state.core.attempts, [executable]: (state.core.attempts[executable] ?? 0) + 1 };
   const newExecutables = {
@@ -1079,7 +1091,7 @@ function reduce(state, executable, action) {
       lastOutcome: action,
       currentExecutable: executable,
       status: statusFromAction(action),
-      phase: phaseFromAction(executable, action)
+      phase: phaseFromAction(action, phase)
     },
     executables: newExecutables,
     artifacts: { ...state.artifacts ?? {} },
@@ -1092,12 +1104,9 @@ function statusFromAction(action) {
   if (/COMPLETED$|SHIPPED$|MERGED$|SUCCESS$/i.test(action.type)) return "succeeded";
   return "running";
 }
-function phaseFromAction(executable, action) {
+function phaseFromAction(action, phase) {
   if (/FAILED$|ERROR$|REJECTED$/i.test(action.type)) return "failed";
-  if (executable === "build") return statusFromAction(action) === "succeeded" ? "implementing" : "implementing";
-  if (executable === "review") return "reviewing";
-  if (executable === "release") return "shipped";
-  return "idle";
+  return phase ?? "idle";
 }
 function noteFromAction(action) {
   const p = action.payload;
@@ -1206,7 +1215,7 @@ var advanceFlow = async (ctx, profile) => {
     try {
       const issueState = readTaskState("issue", flow.issueNumber, ctx.cwd);
       issueState.flow = flow;
-      const next = reduce(issueState, profile.name, action);
+      const next = reduce(issueState, profile.name, action, profile.phase);
       if (state?.core.prUrl && !next.core.prUrl) next.core.prUrl = state.core.prUrl;
       next.flow = flow;
       writeTaskState("issue", flow.issueNumber, next, ctx.cwd);
@@ -1232,6 +1241,265 @@ var advanceFlow = async (ctx, profile) => {
   }
 };
 
+// src/scripts/applyApprovals.ts
+import { execFileSync as execFileSync5 } from "child_process";
+
+// src/issue.ts
+import { execFileSync as execFileSync4 } from "child_process";
+var API_TIMEOUT_MS3 = 3e4;
+function ghToken2() {
+  return process.env.GH_PAT?.trim() || process.env.GH_TOKEN;
+}
+function gh2(args, options) {
+  const token = ghToken2();
+  const env = token ? { ...process.env, GH_TOKEN: token } : { ...process.env };
+  return execFileSync4("gh", args, {
+    encoding: "utf-8",
+    timeout: API_TIMEOUT_MS3,
+    cwd: options?.cwd,
+    env,
+    input: options?.input,
+    stdio: options?.input ? ["pipe", "pipe", "pipe"] : ["inherit", "pipe", "pipe"]
+  }).trim();
+}
+function getIssue(issueNumber, cwd) {
+  const output = gh2(["issue", "view", String(issueNumber), "--json", "number,title,body,comments,labels"], { cwd });
+  const parsed = JSON.parse(output);
+  if (typeof parsed?.title !== "string") {
+    throw new Error(`Issue #${issueNumber}: unexpected response shape`);
+  }
+  return {
+    number: parsed.number ?? issueNumber,
+    title: parsed.title,
+    body: parsed.body ?? "",
+    comments: (parsed.comments ?? []).map((c) => ({
+      body: c.body ?? "",
+      author: c.author?.login ?? "unknown",
+      createdAt: c.createdAt ?? ""
+    })),
+    labels: Array.isArray(parsed.labels) ? parsed.labels.map((l) => l.name ?? "").filter((n) => n.length > 0) : []
+  };
+}
+function stripKody2Mentions(body) {
+  return body.replace(/(@)(kody2)/gi, "$1\u200B$2");
+}
+function postIssueComment(issueNumber, body, cwd) {
+  try {
+    gh2(["issue", "comment", String(issueNumber), "--body-file", "-"], { input: stripKody2Mentions(body), cwd });
+  } catch (err) {
+    process.stderr.write(
+      `[kody2] failed to post comment on #${issueNumber}: ${err instanceof Error ? err.message : String(err)}
+`
+    );
+  }
+}
+function truncate2(s, maxBytes) {
+  if (s.length <= maxBytes) return s;
+  return `${s.slice(0, maxBytes)}\u2026 (+${s.length - maxBytes} chars)`;
+}
+function getPr(prNumber, cwd) {
+  const output = gh2(["pr", "view", String(prNumber), "--json", "number,title,body,headRefName,baseRefName,state"], {
+    cwd
+  });
+  const parsed = JSON.parse(output);
+  if (typeof parsed?.title !== "string") {
+    throw new Error(`PR #${prNumber}: unexpected response shape`);
+  }
+  return {
+    number: parsed.number ?? prNumber,
+    title: parsed.title,
+    body: parsed.body ?? "",
+    headRefName: String(parsed.headRefName ?? ""),
+    baseRefName: String(parsed.baseRefName ?? ""),
+    state: String(parsed.state ?? "")
+  };
+}
+function getPrDiff(prNumber, cwd) {
+  try {
+    return gh2(["pr", "diff", String(prNumber)], { cwd });
+  } catch (err) {
+    process.stderr.write(
+      `[kody2] failed to fetch diff for PR #${prNumber}: ${err instanceof Error ? err.message : String(err)}
+`
+    );
+    return "";
+  }
+}
+function getPrReviews(prNumber, cwd) {
+  try {
+    const output = gh2(["pr", "view", String(prNumber), "--json", "reviews"], { cwd });
+    const parsed = JSON.parse(output);
+    if (!Array.isArray(parsed?.reviews)) return [];
+    return parsed.reviews.map(
+      (r) => ({
+        body: r.body ?? "",
+        state: r.state ?? "",
+        author: r.author?.login ?? "unknown",
+        submittedAt: r.submittedAt ?? ""
+      })
+    );
+  } catch {
+    return [];
+  }
+}
+function getPrComments(prNumber, cwd) {
+  try {
+    const output = gh2(["pr", "view", String(prNumber), "--json", "comments"], { cwd });
+    const parsed = JSON.parse(output);
+    if (!Array.isArray(parsed?.comments)) return [];
+    return parsed.comments.map((c) => ({
+      body: c.body ?? "",
+      author: c.author?.login ?? "unknown",
+      createdAt: c.createdAt ?? ""
+    })).filter((c) => c.body.trim().length > 0);
+  } catch {
+    return [];
+  }
+}
+var VERDICT_HEADING = /(^|\n)\s*#{1,6}\s*Verdict\s*:/i;
+function isReviewShaped(body) {
+  return VERDICT_HEADING.test(body);
+}
+function getPrLatestReviewBody(prNumber, cwd) {
+  const reviews = getPrReviews(prNumber, cwd).filter((r) => r.body.trim().length > 0).map((r) => ({ body: r.body, at: r.submittedAt }));
+  const comments = getPrComments(prNumber, cwd).filter((c) => isReviewShaped(c.body)).map((c) => ({ body: c.body, at: c.createdAt }));
+  const all = [...reviews, ...comments].sort((a, b) => (b.at || "").localeCompare(a.at || ""));
+  if (all.length > 0) return all[0].body;
+  const pr = getPr(prNumber, cwd);
+  return pr.body;
+}
+function postPrReviewComment(prNumber, body, cwd) {
+  try {
+    gh2(["pr", "comment", String(prNumber), "--body-file", "-"], { input: stripKody2Mentions(body), cwd });
+  } catch (err) {
+    process.stderr.write(
+      `[kody2] failed to post review comment on PR #${prNumber}: ${err instanceof Error ? err.message : String(err)}
+`
+    );
+  }
+}
+
+// src/scripts/applyApprovals.ts
+var API_TIMEOUT_MS4 = 3e4;
+var ALL_APPROVE_LABELS = [
+  { label: "kody-approve:all", description: "kody2: approve all soft risk gates" },
+  { label: "kody-approve:secrets", description: "kody2: approve the secrets risk gate and resume the flow" },
+  { label: "kody-approve:workflow-edit", description: "kody2: approve the workflow-edit risk gate and resume the flow" },
+  { label: "kody-approve:large-diff", description: "kody2: approve the large-diff risk gate and resume the flow" },
+  { label: "kody-approve:dep-change", description: "kody2: approve the dep-change risk gate and resume the flow" },
+  { label: "kody-approve:test-deletion", description: "kody2: approve the test-deletion risk gate and resume the flow" }
+];
+var applyApprovals = async (ctx) => {
+  const issueArg = typeof ctx.args.issue === "number" ? ctx.args.issue : null;
+  const prArg = typeof ctx.args.pr === "number" ? ctx.args.pr : null;
+  const currentTarget = issueArg ? { type: "issue", number: issueArg } : prArg ? { type: "pr", number: prArg } : null;
+  if (!currentTarget) {
+    ctx.output.exitCode = 64;
+    ctx.output.reason = "approve: must be invoked with --issue or --pr";
+    return;
+  }
+  let state = null;
+  try {
+    state = readTaskState(currentTarget.type, currentTarget.number, ctx.cwd);
+  } catch {
+    state = null;
+  }
+  const issueNumber = currentTarget.type === "issue" ? currentTarget.number : state?.flow?.issueNumber ?? null;
+  const prNumber = currentTarget.type === "pr" ? currentTarget.number : parsePrNumber(state?.core?.prUrl);
+  const targets = uniquePairs(
+    [
+      { type: "issue", number: issueNumber },
+      { type: "pr", number: prNumber }
+    ].filter((t) => typeof t.number === "number" && t.number > 0)
+  );
+  for (const spec of ALL_APPROVE_LABELS) {
+    ensureLabel(spec, ctx.cwd);
+  }
+  for (const t of targets) {
+    for (const spec of ALL_APPROVE_LABELS) {
+      addLabel(t.number, spec.label, ctx.cwd);
+    }
+  }
+  const confirmation = formatConfirmation(currentTarget, targets, state);
+  try {
+    if (currentTarget.type === "issue") postIssueComment(currentTarget.number, confirmation, ctx.cwd);
+    else postPrReviewComment(currentTarget.number, confirmation, ctx.cwd);
+  } catch {
+  }
+  const flowName = state?.flow?.name;
+  if (issueNumber && typeof flowName === "string" && flowName.length > 0) {
+    try {
+      execFileSync5("gh", ["issue", "comment", String(issueNumber), "--body", `@kody2 ${flowName}`], {
+        timeout: API_TIMEOUT_MS4,
+        cwd: ctx.cwd,
+        stdio: ["ignore", "pipe", "pipe"]
+      });
+    } catch (err) {
+      process.stderr.write(
+        `[kody2 approve] failed to re-trigger flow on issue #${issueNumber}: ${err instanceof Error ? err.message : String(err)}
+`
+      );
+    }
+  }
+  ctx.output.exitCode = 0;
+};
+function parsePrNumber(url) {
+  if (!url) return null;
+  const m = url.match(/\/pull\/(\d+)(?:[/?#]|$)/);
+  if (!m) return null;
+  const n = parseInt(m[1], 10);
+  return Number.isFinite(n) ? n : null;
+}
+function uniquePairs(pairs) {
+  const seen = /* @__PURE__ */ new Set();
+  const out = [];
+  for (const p of pairs) {
+    const key = `${p.type}:${p.number}`;
+    if (seen.has(key)) continue;
+    seen.add(key);
+    out.push(p);
+  }
+  return out;
+}
+function ensureLabel(spec, cwd) {
+  try {
+    gh2(
+      ["label", "create", spec.label, "--force", "--color", "0e8a16", "--description", spec.description],
+      { cwd }
+    );
+  } catch {
+  }
+}
+function addLabel(number, label, cwd) {
+  try {
+    gh2(["issue", "edit", String(number), "--add-label", label], { cwd });
+  } catch {
+  }
+}
+function formatConfirmation(current, targets, state) {
+  const other = targets.find((t) => t.type !== current.type);
+  const lines = [];
+  lines.push("\u2705 **kody2 risk gates approved.**");
+  lines.push("");
+  lines.push(
+    `Applied \`kody-approve:*\` labels on ${targets.map((t) => `${t.type} #${t.number}`).join(" and ")}.`
+  );
+  if (other && current.type === "pr") {
+    lines.push(`Mirrored to the originating issue (#${other.number}) so the orchestrator also sees the approval.`);
+  } else if (other && current.type === "issue") {
+    lines.push(`Mirrored to PR #${other.number} so a pending \`fix\` primitive also passes the gate.`);
+  }
+  const flowName = state?.flow?.name;
+  if (flowName) {
+    lines.push("");
+    lines.push(`Re-triggering the \`${flowName}\` flow now \u2014 it will resume from the existing branch/PR checkpoint.`);
+  } else {
+    lines.push("");
+    lines.push("No active flow found in task state. Post `@kody2 <command>` to resume manually.");
+  }
+  return lines.join("\n");
+}
+
 // src/scripts/buildSyntheticPlugin.ts
 import * as fs8 from "fs";
 import * as os2 from "os";
@@ -1326,7 +1594,7 @@ function copyDir(src, dst) {
 }
 
 // src/coverage.ts
-import { execFileSync as execFileSync4 } from "child_process";
+import { execFileSync as execFileSync6 } from "child_process";
 function patternToRegex(pattern) {
   let s = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
   s = s.replace(/\*\*\//g, "\xA7S").replace(/\*\*/g, "\xA7A").replace(/\*/g, "[^/]*");
@@ -1344,7 +1612,7 @@ function renderSiblingPath(file, requireSibling) {
 }
 function safeGit(args, cwd) {
   try {
-    return execFileSync4("git", args, { encoding: "utf-8", cwd, env: { ...process.env, HUSKY: "0" } }).trim();
+    return execFileSync6("git", args, { encoding: "utf-8", cwd, env: { ...process.env, HUSKY: "0" } }).trim();
   } catch {
     return "";
   }
@@ -1550,10 +1818,10 @@ function defaultLabelMap() {
 }
 
 // src/scripts/commitAndPush.ts
-import { execFileSync as execFileSync6 } from "child_process";
+import { execFileSync as execFileSync8 } from "child_process";
 
 // src/commit.ts
-import { execFileSync as execFileSync5 } from "child_process";
+import { execFileSync as execFileSync7 } from "child_process";
 import * as fs10 from "fs";
 import * as path9 from "path";
 var FORBIDDEN_PATH_PREFIXES = [
@@ -1583,7 +1851,7 @@ var CONVENTIONAL_PREFIXES = [
 ];
 function git(args, cwd) {
   try {
-    return execFileSync5("git", args, {
+    return execFileSync7("git", args, {
       encoding: "utf-8",
       timeout: 12e4,
       cwd,
@@ -1641,7 +1909,7 @@ function isForbiddenPath(p) {
   return false;
 }
 function listChangedFiles(cwd) {
-  const raw = execFileSync5("git", ["status", "--porcelain=v1", "-z"], {
+  const raw = execFileSync7("git", ["status", "--porcelain=v1", "-z"], {
     encoding: "utf-8",
     cwd,
     env: { ...process.env, HUSKY: "0", SKIP_HOOKS: "1" },
@@ -1653,7 +1921,7 @@ function listChangedFiles(cwd) {
 }
 function listFilesInCommit(ref = "HEAD", cwd) {
   try {
-    const raw = execFileSync5("git", ["show", "--name-only", "--pretty=format:", "-z", ref], {
+    const raw = execFileSync7("git", ["show", "--name-only", "--pretty=format:", "-z", ref], {
       encoding: "utf-8",
       cwd,
       env: { ...process.env, HUSKY: "0", SKIP_HOOKS: "1" },
@@ -1733,7 +2001,7 @@ var commitAndPush2 = async (ctx, profile) => {
   const kind = profile.name;
   if (kind === "resolve") {
     try {
-      execFileSync6("git", ["add", "-A"], { cwd: ctx.cwd, env: { ...process.env, HUSKY: "0" }, stdio: "pipe" });
+      execFileSync8("git", ["add", "-A"], { cwd: ctx.cwd, env: { ...process.env, HUSKY: "0" }, stdio: "pipe" });
     } catch {
     }
   } else {
@@ -2355,8 +2623,8 @@ var discoverQaContext = async (ctx) => {
 };
 
 // src/scripts/dispatch.ts
-import { execFileSync as execFileSync7 } from "child_process";
-var API_TIMEOUT_MS3 = 3e4;
+import { execFileSync as execFileSync9 } from "child_process";
+var API_TIMEOUT_MS5 = 3e4;
 var dispatch = async (ctx, _profile, _agentResult, args) => {
   const next = args?.next;
   if (!next) {
@@ -2378,8 +2646,8 @@ var dispatch = async (ctx, _profile, _agentResult, args) => {
   const sub = usePr ? "pr" : "issue";
   const body = `@kody2 ${next}`;
   try {
-    execFileSync7("gh", [sub, "comment", String(targetNumber), "--body", body], {
-      timeout: API_TIMEOUT_MS3,
+    execFileSync9("gh", [sub, "comment", String(targetNumber), "--body", body], {
+      timeout: API_TIMEOUT_MS5,
       cwd: ctx.cwd,
       stdio: ["ignore", "pipe", "pipe"]
     });
@@ -2397,141 +2665,6 @@ function parsePr(url) {
   return Number.isFinite(n) ? n : null;
 }
 
-// src/issue.ts
-import { execFileSync as execFileSync8 } from "child_process";
-var API_TIMEOUT_MS4 = 3e4;
-function ghToken2() {
-  return process.env.GH_PAT?.trim() || process.env.GH_TOKEN;
-}
-function gh2(args, options) {
-  const token = ghToken2();
-  const env = token ? { ...process.env, GH_TOKEN: token } : { ...process.env };
-  return execFileSync8("gh", args, {
-    encoding: "utf-8",
-    timeout: API_TIMEOUT_MS4,
-    cwd: options?.cwd,
-    env,
-    input: options?.input,
-    stdio: options?.input ? ["pipe", "pipe", "pipe"] : ["inherit", "pipe", "pipe"]
-  }).trim();
-}
-function getIssue(issueNumber, cwd) {
-  const output = gh2(["issue", "view", String(issueNumber), "--json", "number,title,body,comments,labels"], { cwd });
-  const parsed = JSON.parse(output);
-  if (typeof parsed?.title !== "string") {
-    throw new Error(`Issue #${issueNumber}: unexpected response shape`);
-  }
-  return {
-    number: parsed.number ?? issueNumber,
-    title: parsed.title,
-    body: parsed.body ?? "",
-    comments: (parsed.comments ?? []).map((c) => ({
-      body: c.body ?? "",
-      author: c.author?.login ?? "unknown",
-      createdAt: c.createdAt ?? ""
-    })),
-    labels: Array.isArray(parsed.labels) ? parsed.labels.map((l) => l.name ?? "").filter((n) => n.length > 0) : []
-  };
-}
-function stripKody2Mentions(body) {
-  return body.replace(/(@)(kody2)/gi, "$1\u200B$2");
-}
-function postIssueComment(issueNumber, body, cwd) {
-  try {
-    gh2(["issue", "comment", String(issueNumber), "--body-file", "-"], { input: stripKody2Mentions(body), cwd });
-  } catch (err) {
-    process.stderr.write(
-      `[kody2] failed to post comment on #${issueNumber}: ${err instanceof Error ? err.message : String(err)}
-`
-    );
-  }
-}
-function truncate2(s, maxBytes) {
-  if (s.length <= maxBytes) return s;
-  return `${s.slice(0, maxBytes)}\u2026 (+${s.length - maxBytes} chars)`;
-}
-function getPr(prNumber, cwd) {
-  const output = gh2(["pr", "view", String(prNumber), "--json", "number,title,body,headRefName,baseRefName,state"], {
-    cwd
-  });
-  const parsed = JSON.parse(output);
-  if (typeof parsed?.title !== "string") {
-    throw new Error(`PR #${prNumber}: unexpected response shape`);
-  }
-  return {
-    number: parsed.number ?? prNumber,
-    title: parsed.title,
-    body: parsed.body ?? "",
-    headRefName: String(parsed.headRefName ?? ""),
-    baseRefName: String(parsed.baseRefName ?? ""),
-    state: String(parsed.state ?? "")
-  };
-}
-function getPrDiff(prNumber, cwd) {
-  try {
-    return gh2(["pr", "diff", String(prNumber)], { cwd });
-  } catch (err) {
-    process.stderr.write(
-      `[kody2] failed to fetch diff for PR #${prNumber}: ${err instanceof Error ? err.message : String(err)}
-`
-    );
-    return "";
-  }
-}
-function getPrReviews(prNumber, cwd) {
-  try {
-    const output = gh2(["pr", "view", String(prNumber), "--json", "reviews"], { cwd });
-    const parsed = JSON.parse(output);
-    if (!Array.isArray(parsed?.reviews)) return [];
-    return parsed.reviews.map(
-      (r) => ({
-        body: r.body ?? "",
-        state: r.state ?? "",
-        author: r.author?.login ?? "unknown",
-        submittedAt: r.submittedAt ?? ""
-      })
-    );
-  } catch {
-    return [];
-  }
-}
-function getPrComments(prNumber, cwd) {
-  try {
-    const output = gh2(["pr", "view", String(prNumber), "--json", "comments"], { cwd });
-    const parsed = JSON.parse(output);
-    if (!Array.isArray(parsed?.comments)) return [];
-    return parsed.comments.map((c) => ({
-      body: c.body ?? "",
-      author: c.author?.login ?? "unknown",
-      createdAt: c.createdAt ?? ""
-    })).filter((c) => c.body.trim().length > 0);
-  } catch {
-    return [];
-  }
-}
-var VERDICT_HEADING = /(^|\n)\s*#{1,6}\s*Verdict\s*:/i;
-function isReviewShaped(body) {
-  return VERDICT_HEADING.test(body);
-}
-function getPrLatestReviewBody(prNumber, cwd) {
-  const reviews = getPrReviews(prNumber, cwd).filter((r) => r.body.trim().length > 0).map((r) => ({ body: r.body, at: r.submittedAt }));
-  const comments = getPrComments(prNumber, cwd).filter((c) => isReviewShaped(c.body)).map((c) => ({ body: c.body, at: c.createdAt }));
-  const all = [...reviews, ...comments].sort((a, b) => (b.at || "").localeCompare(a.at || ""));
-  if (all.length > 0) return all[0].body;
-  const pr = getPr(prNumber, cwd);
-  return pr.body;
-}
-function postPrReviewComment(prNumber, body, cwd) {
-  try {
-    gh2(["pr", "comment", String(prNumber), "--body-file", "-"], { input: stripKody2Mentions(body), cwd });
-  } catch (err) {
-    process.stderr.write(
-      `[kody2] failed to post review comment on PR #${prNumber}: ${err instanceof Error ? err.message : String(err)}
-`
-    );
-  }
-}
-
 // src/pr.ts
 var TITLE_MAX = 72;
 function stripTitlePrefixes(raw) {
@@ -2697,7 +2830,7 @@ function computeFailureReason(ctx) {
 }
 
 // src/scripts/finishFlow.ts
-import { execFileSync as execFileSync9 } from "child_process";
+import { execFileSync as execFileSync10 } from "child_process";
 
 // src/registry.ts
 import * as fs14 from "fs";
@@ -2816,7 +2949,7 @@ function getIssueLabels(issueNumber, cwd) {
     return [];
   }
 }
-function addLabel(issueNumber, label, cwd) {
+function addLabel2(issueNumber, label, cwd) {
   gh2(["issue", "edit", String(issueNumber), "--add-label", label], { cwd });
 }
 function removeLabel(issueNumber, label, cwd) {
@@ -2848,12 +2981,12 @@ function setKodyLabel(issueNumber, spec, cwd) {
     }
   }
   try {
-    addLabel(issueNumber, target, cwd);
+    addLabel2(issueNumber, target, cwd);
   } catch (err) {
     if (looksLikeMissingLabel(err)) {
       try {
         createLabelInRepo(spec, cwd);
-        addLabel(issueNumber, target, cwd);
+        addLabel2(issueNumber, target, cwd);
         return;
       } catch (retryErr) {
         process.stderr.write(
@@ -2885,7 +3018,7 @@ function errMsg(err) {
 }
 
 // src/scripts/finishFlow.ts
-var API_TIMEOUT_MS5 = 3e4;
+var API_TIMEOUT_MS6 = 3e4;
 var STATUS_ICON = {
   "review-passed": "\u2705",
   "fix-applied": "\u2705",
@@ -2917,8 +3050,8 @@ var finishFlow = async (ctx, _profile, _agentResult, args) => {
 **PR:** ${state.core.prUrl}` : "";
   const body = `${icon} kody2 flow \`${flowName}\` finished \u2014 \`${reason}\`${prSuffix}`;
   try {
-    execFileSync9("gh", ["issue", "comment", String(issueNumber), "--body", body], {
-      timeout: API_TIMEOUT_MS5,
+    execFileSync10("gh", ["issue", "comment", String(issueNumber), "--body", body], {
+      timeout: API_TIMEOUT_MS6,
       cwd: ctx.cwd,
       stdio: ["ignore", "pipe", "pipe"]
     });
@@ -2931,7 +3064,7 @@ var finishFlow = async (ctx, _profile, _agentResult, args) => {
 };
 
 // src/branch.ts
-import { execFileSync as execFileSync10 } from "child_process";
+import { execFileSync as execFileSync11 } from "child_process";
 var UncommittedChangesError = class extends Error {
   constructor(branch) {
     super(`Uncommitted changes on branch '${branch}' \u2014 refusing to run to protect work in progress`);
@@ -2941,7 +3074,7 @@ var UncommittedChangesError = class extends Error {
   branch;
 };
 function git2(args, cwd) {
-  return execFileSync10("git", args, {
+  return execFileSync11("git", args, {
     encoding: "utf-8",
     timeout: 3e4,
     cwd,
@@ -2966,7 +3099,7 @@ function checkoutPrBranch(prNumber, cwd) {
     SKIP_HOOKS: "1",
     GH_TOKEN: process.env.GH_PAT?.trim() || process.env.GH_TOKEN || ""
   };
-  execFileSync10("gh", ["pr", "checkout", String(prNumber)], {
+  execFileSync11("gh", ["pr", "checkout", String(prNumber)], {
     cwd,
     env,
     stdio: ["ignore", "pipe", "pipe"],
@@ -3033,7 +3166,7 @@ function ensureFeatureBranch(issueNumber, title, defaultBranch, cwd) {
 }
 
 // src/gha.ts
-import { execFileSync as execFileSync11 } from "child_process";
+import { execFileSync as execFileSync12 } from "child_process";
 import * as fs15 from "fs";
 function getRunUrl() {
   const server = process.env.GITHUB_SERVER_URL;
@@ -3076,7 +3209,7 @@ function reactToTriggerComment(cwd) {
   for (let attempt = 0; attempt < 3; attempt++) {
     if (attempt > 0) sleepMs(attempt === 1 ? 500 : 1500);
     try {
-      execFileSync11("gh", args, opts);
+      execFileSync12("gh", args, opts);
       return;
     } catch (err) {
       lastErr = err;
@@ -3089,13 +3222,13 @@ function reactToTriggerComment(cwd) {
 }
 function sleepMs(ms) {
   try {
-    execFileSync11("sleep", [(ms / 1e3).toString()], { stdio: "ignore", timeout: ms + 1e3 });
+    execFileSync12("sleep", [(ms / 1e3).toString()], { stdio: "ignore", timeout: ms + 1e3 });
   } catch {
   }
 }
 
 // src/workflow.ts
-import { execFileSync as execFileSync12 } from "child_process";
+import { execFileSync as execFileSync13 } from "child_process";
 var GH_TIMEOUT_MS = 3e4;
 function ghToken3() {
   return process.env.GH_PAT?.trim() || process.env.GH_TOKEN;
@@ -3103,7 +3236,7 @@ function ghToken3() {
 function gh3(args, cwd) {
   const token = ghToken3();
   const env = token ? { ...process.env, GH_TOKEN: token } : { ...process.env };
-  return execFileSync12("gh", args, {
+  return execFileSync13("gh", args, {
     encoding: "utf-8",
     timeout: GH_TIMEOUT_MS,
     cwd,
@@ -3287,7 +3420,7 @@ function tryPostPr2(prNumber, body, cwd) {
 }
 
 // src/scripts/initFlow.ts
-import { execFileSync as execFileSync13 } from "child_process";
+import { execFileSync as execFileSync14 } from "child_process";
 import * as fs17 from "fs";
 import * as path15 from "path";
 
@@ -3328,7 +3461,7 @@ function qualityCommandsFor(pm) {
 function detectOwnerRepo(cwd) {
   let url;
   try {
-    url = execFileSync13("git", ["remote", "get-url", "origin"], {
+    url = execFileSync14("git", ["remote", "get-url", "origin"], {
       cwd,
       encoding: "utf-8",
       stdio: ["ignore", "pipe", "pipe"]
@@ -3412,7 +3545,7 @@ jobs:
 `;
 function defaultBranchFromGit(cwd) {
   try {
-    const ref = execFileSync13("git", ["symbolic-ref", "refs/remotes/origin/HEAD"], {
+    const ref = execFileSync14("git", ["symbolic-ref", "refs/remotes/origin/HEAD"], {
       cwd,
       encoding: "utf-8",
       stdio: ["ignore", "pipe", "pipe"]
@@ -3420,7 +3553,7 @@ function defaultBranchFromGit(cwd) {
     return ref.replace("refs/remotes/origin/", "");
   } catch {
     try {
-      return execFileSync13("git", ["branch", "--show-current"], {
+      return execFileSync14("git", ["branch", "--show-current"], {
         cwd,
         encoding: "utf-8",
         stdio: ["ignore", "pipe", "pipe"]
@@ -3610,7 +3743,7 @@ var mirrorStateToPr = async (ctx) => {
   if (!issueNumber || issueTarget !== "issue") return;
   const prUrl = ctx.output.prUrl ?? ctx.data.prResult?.url;
   if (!prUrl) return;
-  const prNumber = parsePrNumber(prUrl);
+  const prNumber = parsePrNumber2(prUrl);
   if (!prNumber) return;
   let state;
   try {
@@ -3628,7 +3761,7 @@ var mirrorStateToPr = async (ctx) => {
     );
   }
 };
-function parsePrNumber(prUrl) {
+function parsePrNumber2(prUrl) {
   const m = prUrl.match(/\/pull\/(\d+)(?:[/?#]|$)/);
   if (!m) return null;
   const n = parseInt(m[1], 10);
@@ -3713,8 +3846,8 @@ var persistFlowState = async (ctx) => {
 };
 
 // src/scripts/postClassification.ts
-import { execFileSync as execFileSync14 } from "child_process";
-var API_TIMEOUT_MS6 = 3e4;
+import { execFileSync as execFileSync15 } from "child_process";
+var API_TIMEOUT_MS7 = 3e4;
 var VALID_CLASSES2 = /* @__PURE__ */ new Set(["feature", "bug", "spec", "chore"]);
 var postClassification = async (ctx) => {
   const issueNumber = ctx.args.issue;
@@ -3743,9 +3876,9 @@ var postClassification = async (ctx) => {
     ctx.cwd
   );
   try {
-    execFileSync14("gh", ["issue", "comment", String(issueNumber), "--body", `@kody2 ${classification}`], {
+    execFileSync15("gh", ["issue", "comment", String(issueNumber), "--body", `@kody2 ${classification}`], {
       cwd: ctx.cwd,
-      timeout: API_TIMEOUT_MS6,
+      timeout: API_TIMEOUT_MS7,
       stdio: ["ignore", "pipe", "pipe"]
     });
   } catch (err) {
@@ -3777,9 +3910,9 @@ function parseClassification(prSummary) {
 }
 function tryAuditComment(issueNumber, body, cwd) {
   try {
-    execFileSync14("gh", ["issue", "comment", String(issueNumber), "--body", body], {
+    execFileSync15("gh", ["issue", "comment", String(issueNumber), "--body", body], {
       cwd,
-      timeout: API_TIMEOUT_MS6,
+      timeout: API_TIMEOUT_MS7,
       stdio: ["ignore", "pipe", "pipe"]
     });
   } catch {
@@ -3961,7 +4094,7 @@ REVIEW_POSTED=https://github.com/${ctx.config.github.owner}/${ctx.config.github.
 };
 
 // src/scripts/releaseFlow.ts
-import { execFileSync as execFileSync15, spawnSync } from "child_process";
+import { execFileSync as execFileSync16, spawnSync } from "child_process";
 import * as fs18 from "fs";
 import * as path16 from "path";
 function bumpVersion(current, bump) {
@@ -3991,7 +4124,7 @@ function generateChangelog(cwd, newVersion, lastTag) {
   const range = lastTag ? `${lastTag}..HEAD` : "HEAD";
   let log = "";
   try {
-    log = execFileSync15("git", ["log", range, "--pretty=format:%s||%h", "--no-merges"], {
+    log = execFileSync16("git", ["log", range, "--pretty=format:%s||%h", "--no-merges"], {
       cwd,
       encoding: "utf-8",
       stdio: ["ignore", "pipe", "pipe"]
@@ -4048,7 +4181,7 @@ ${entry}${prior.slice(idx + 1)}`);
   }
 }
 function git3(args, cwd, timeout = 6e4) {
-  return execFileSync15("git", args, {
+  return execFileSync16("git", args, {
     encoding: "utf-8",
     timeout,
     cwd,
@@ -4351,7 +4484,7 @@ var resolveArtifacts = async (ctx, profile) => {
 };
 
 // src/scripts/resolveFlow.ts
-import { execFileSync as execFileSync16 } from "child_process";
+import { execFileSync as execFileSync17 } from "child_process";
 var CONFLICT_DIFF_MAX_BYTES = 4e4;
 var resolveFlow = async (ctx) => {
   const prNumber = ctx.args.pr;
@@ -4403,7 +4536,7 @@ var resolveFlow = async (ctx) => {
 };
 function getConflictedFiles(cwd) {
   try {
-    const out = execFileSync16("git", ["diff", "--name-only", "--diff-filter=U"], {
+    const out = execFileSync17("git", ["diff", "--name-only", "--diff-filter=U"], {
       encoding: "utf-8",
       cwd,
       env: { ...process.env, HUSKY: "0" }
@@ -4418,7 +4551,7 @@ function getConflictMarkersPreview(files, cwd, maxBytes = CONFLICT_DIFF_MAX_BYTE
   let total = 0;
   for (const f of files) {
     try {
-      const content = execFileSync16("cat", [f], { encoding: "utf-8", cwd }).toString();
+      const content = execFileSync17("cat", [f], { encoding: "utf-8", cwd }).toString();
       const snippet = `### ${f}
 
 \`\`\`
@@ -4487,7 +4620,7 @@ function tryPostPr4(prNumber, body, cwd) {
 }
 
 // src/scripts/riskGate.ts
-import { execFileSync as execFileSync17 } from "child_process";
+import { execFileSync as execFileSync18 } from "child_process";
 var ALL_GATES = ["secrets", "workflow-edit", "large-diff", "dep-change", "test-deletion"];
 var HARD_GATES = /* @__PURE__ */ new Set(["secrets"]);
 var APPROVE_ALL = "kody-approve:all";
@@ -4504,7 +4637,7 @@ var riskGate = async (ctx, profile, _agent, args) => {
   }
   const targetType = ctx.data.commentTargetType;
   const targetNumber = Number(ctx.data.commentTargetNumber ?? 0);
-  const labels = targetNumber > 0 ? getIssueLabels(targetNumber, ctx.cwd) : [];
+  const labels = collectApprovalLabels(ctx, targetType, targetNumber);
   const approveAll = labels.includes(APPROVE_ALL);
   const pending = violations.filter((v) => !isApproved(v, labels, approveAll));
   ctx.data.riskGate = {
@@ -4528,7 +4661,8 @@ var riskGate = async (ctx, profile, _agent, args) => {
     );
   } catch {
   }
-  const body = formatAdvisory(pending);
+  const compareUrl = computeCompareUrl(ctx);
+  const body = formatAdvisory(pending, compareUrl);
   try {
     if (targetType === "issue") postIssueComment(targetNumber, body, ctx.cwd);
     else postPrReviewComment(targetNumber, body, ctx.cwd);
@@ -4602,6 +4736,20 @@ function evaluateGates(ctx, profileName, changedFiles, gatesToRun, args) {
   }
   return violations;
 }
+function collectApprovalLabels(ctx, targetType, targetNumber) {
+  const seen = /* @__PURE__ */ new Set();
+  if (targetNumber > 0) {
+    for (const l of getIssueLabels(targetNumber, ctx.cwd)) seen.add(l);
+  }
+  if (targetType === "pr") {
+    const state = ctx.data.taskState;
+    const issueNum = state?.flow?.issueNumber;
+    if (typeof issueNum === "number" && issueNum > 0 && issueNum !== targetNumber) {
+      for (const l of getIssueLabels(issueNum, ctx.cwd)) seen.add(l);
+    }
+  }
+  return [...seen];
+}
 function isApproved(v, labels, approveAll) {
   if (labels.includes(`kody-approve:${v.name}`)) return true;
   if (!HARD_GATES.has(v.name) && approveAll) return true;
@@ -4627,8 +4775,13 @@ var SECRET_PATTERNS = [
   /\.pem$/i,
   /\.key$/i,
   /(^|\/)(id_rsa|id_ed25519|id_ecdsa)(\.|$)/i,
-  /credentials?(\.|\/|$)/i,
-  /(^|\/)(private|secret)[^/]*\.json$/i,
+  // Match the keyword anywhere inside the filename, as a whole word (so e.g.
+  // `api-secrets.json`, `config/app.credentials.yaml`, `user-passwords.txt`
+  // all trip — while false friends like `secretary.md` do not).
+  /(^|\/)[^/]*\bsecrets?\b[^/]*$/i,
+  /(^|\/)[^/]*\bcredentials?\b[^/]*$/i,
+  /(^|\/)[^/]*\bpasswords?\b[^/]*$/i,
+  /(^|\/)[^/]*\bapi[-_]keys?\b[^/]*$/i,
   /(^|\/)\.netrc$/i,
   /(^|\/)\.npmrc$/i
 ];
@@ -4661,7 +4814,7 @@ function collectBranchChangedFiles(ctx) {
   const base = ctx.config.git.defaultBranch;
   for (const ref of [`origin/${base}...HEAD`, `${base}...HEAD`]) {
     try {
-      const out = execFileSync17("git", ["diff", "--name-only", ref], {
+      const out = execFileSync18("git", ["diff", "--name-only", ref], {
         cwd: ctx.cwd,
         encoding: "utf-8",
         stdio: ["pipe", "pipe", "pipe"]
@@ -4677,7 +4830,7 @@ function computeDiffStats(ctx) {
   const base = ctx.config.git.defaultBranch;
   for (const ref of [`origin/${base}...HEAD`, `${base}...HEAD`]) {
     try {
-      const out = execFileSync17("git", ["diff", "--shortstat", ref], {
+      const out = execFileSync18("git", ["diff", "--shortstat", ref], {
         cwd: ctx.cwd,
         encoding: "utf-8",
         stdio: ["pipe", "pipe", "pipe"]
@@ -4698,7 +4851,7 @@ function parseShortstat(s) {
 }
 function listDeletedFilesInHeadCommit(cwd) {
   try {
-    const out = execFileSync17("git", ["show", "--name-status", "--pretty=format:", "HEAD"], {
+    const out = execFileSync18("git", ["show", "--name-status", "--pretty=format:", "HEAD"], {
       cwd,
       encoding: "utf-8",
       stdio: ["pipe", "pipe", "pipe"]
@@ -4726,28 +4879,38 @@ function ensureApproveLabel(gate, cwd) {
   } catch {
   }
 }
-function formatAdvisory(pending) {
+function formatAdvisory(pending, compareUrl) {
   const lines = [];
   lines.push("\u23F8\uFE0F **kody2 risk gate halted the flow.**");
   lines.push("");
-  lines.push("The changes were committed and pushed, but the flow will **not progress** until a human approves:");
+  lines.push("The branch was pushed but **no PR was opened** \u2014 waiting for human approval:");
   lines.push("");
   for (const v of pending) {
     lines.push(`- **\`${v.name}\`** _(${v.severity})_ \u2014 ${v.reason}`);
   }
   lines.push("");
-  lines.push("**To approve and resume**, add one of these labels to this issue/PR:");
-  const perGate = pending.map((v) => `\`kody-approve:${v.name}\``).join(", ");
-  lines.push(`- ${perGate}`);
-  if (pending.some((v) => v.severity === "soft")) {
-    lines.push("- `kody-approve:all` \u2014 bypass **soft** gates at once (hard gates still require their specific label)");
+  if (compareUrl) {
+    lines.push(`\u{1F4CE} Review the branch diff: ${compareUrl}`);
+    lines.push("");
   }
+  lines.push("**To approve and resume**, post a comment:");
+  lines.push("");
+  lines.push("> `@kody2 approve`");
   lines.push("");
   lines.push(
-    "Then re-trigger kody2 (e.g. post a new `@kody2 \u2026` comment). The branch already holds the committed work, so the re-run resumes from the same point."
+    "kody2 will acknowledge all currently-pending gates (soft **and** hard), open the PR, and continue the flow from this checkpoint. No re-running the agent."
   );
   return lines.join("\n");
 }
+function computeCompareUrl(ctx) {
+  const branch = ctx.data.branch;
+  if (!branch) return null;
+  const owner = ctx.config.github?.owner;
+  const repo = ctx.config.github?.repo;
+  if (!owner || !repo) return null;
+  const base = ctx.config.git.defaultBranch;
+  return `https://github.com/${owner}/${repo}/compare/${base}...${branch}`;
+}
 
 // src/scripts/runFlow.ts
 var runFlow = async (ctx) => {
@@ -4790,7 +4953,7 @@ var saveTaskState = async (ctx, profile) => {
   const action = ctx.data.action ?? synthesizeAction(ctx);
   if (ctx.output.prUrl && !state.core.prUrl) state.core.prUrl = ctx.output.prUrl;
   if (typeof ctx.data.runUrl === "string") state.core.runUrl = ctx.data.runUrl;
-  const next = reduce(state, executable, action);
+  const next = reduce(state, executable, action, profile.phase);
   if (ctx.output.prUrl) next.core.prUrl = ctx.output.prUrl;
   if (typeof ctx.data.runUrl === "string") next.core.runUrl = ctx.data.runUrl;
   writeTaskState(target, number, next, ctx.cwd);
@@ -4845,8 +5008,8 @@ var skipAgent = async (ctx) => {
 };
 
 // src/scripts/startFlow.ts
-import { execFileSync as execFileSync18 } from "child_process";
-var API_TIMEOUT_MS7 = 3e4;
+import { execFileSync as execFileSync19 } from "child_process";
+var API_TIMEOUT_MS8 = 3e4;
 var startFlow = async (ctx, profile, _agentResult, args) => {
   const entry = args?.entry;
   if (!entry) {
@@ -4879,8 +5042,8 @@ function postKody2Comment(target, issueNumber, state, next, cwd) {
   const sub = target === "pr" && state?.core.prUrl ? "pr" : "issue";
   const body = `@kody2 ${next}`;
   try {
-    execFileSync18("gh", [sub, "comment", String(targetNumber), "--body", body], {
-      timeout: API_TIMEOUT_MS7,
+    execFileSync19("gh", [sub, "comment", String(targetNumber), "--body", body], {
+      timeout: API_TIMEOUT_MS8,
       cwd,
       stdio: ["ignore", "pipe", "pipe"]
     });
@@ -4899,7 +5062,7 @@ function parsePr2(url) {
 }
 
 // src/scripts/syncFlow.ts
-import { execFileSync as execFileSync19 } from "child_process";
+import { execFileSync as execFileSync20 } from "child_process";
 var syncFlow = async (ctx) => {
   ctx.skipAgent = true;
   const prNumber = ctx.args.pr;
@@ -4958,7 +5121,7 @@ function bail2(ctx, prNumber, reason) {
 }
 function revParseHead(cwd) {
   try {
-    return execFileSync19("git", ["rev-parse", "HEAD"], { cwd, encoding: "utf-8", stdio: ["ignore", "pipe", "pipe"] }).toString().trim();
+    return execFileSync20("git", ["rev-parse", "HEAD"], { cwd, encoding: "utf-8", stdio: ["ignore", "pipe", "pipe"] }).toString().trim();
   } catch {
     return "";
   }
@@ -4966,9 +5129,9 @@ function revParseHead(cwd) {
 function pushBranch(branch, cwd) {
   const env = { ...process.env, HUSKY: "0", SKIP_HOOKS: "1" };
   try {
-    execFileSync19("git", ["push", "-u", "origin", branch], { cwd, env, stdio: ["ignore", "pipe", "pipe"] });
+    execFileSync20("git", ["push", "-u", "origin", branch], { cwd, env, stdio: ["ignore", "pipe", "pipe"] });
   } catch {
-    execFileSync19("git", ["push", "--force-with-lease", "-u", "origin", branch], {
+    execFileSync20("git", ["push", "--force-with-lease", "-u", "origin", branch], {
       cwd,
       env,
       stdio: ["ignore", "pipe", "pipe"]
@@ -5211,7 +5374,8 @@ var postflightScripts = {
   advanceFlow,
   persistFlowState,
   postClassification,
-  riskGate
+  riskGate,
+  applyApprovals
 };
 var allScriptNames = /* @__PURE__ */ new Set([
   ...Object.keys(preflightScripts),
@@ -5219,7 +5383,7 @@ var allScriptNames = /* @__PURE__ */ new Set([
 ]);
 
 // src/tools.ts
-import { execFileSync as execFileSync20 } from "child_process";
+import { execFileSync as execFileSync21 } from "child_process";
 function verifyCliTools(tools, cwd) {
   const out = [];
   for (const t of tools) out.push(verifyOne(t, cwd));
@@ -5252,7 +5416,7 @@ function verifyOne(tool, cwd) {
 }
 function runShell2(cmd, cwd, timeoutMs = 3e4) {
   try {
-    execFileSync20("sh", ["-c", cmd], { cwd, stdio: "pipe", timeout: timeoutMs });
+    execFileSync21("sh", ["-c", cmd], { cwd, stdio: "pipe", timeout: timeoutMs });
     return true;
   } catch {
     return false;
@@ -5582,7 +5746,7 @@ function detectPackageManager2(cwd) {
 }
 function shellOut(cmd, args, cwd, stream = true) {
   try {
-    execFileSync21(cmd, args, {
+    execFileSync22(cmd, args, {
       cwd,
       stdio: stream ? "inherit" : "pipe",
       env: { ...process.env, HUSKY: "0", SKIP_HOOKS: "1", CI: process.env.CI ?? "1" }
@@ -5595,7 +5759,7 @@ function shellOut(cmd, args, cwd, stream = true) {
 }
 function isOnPath(bin) {
   try {
-    execFileSync21("which", [bin], { stdio: "pipe" });
+    execFileSync22("which", [bin], { stdio: "pipe" });
     return true;
   } catch {
     return false;
@@ -5629,7 +5793,7 @@ function installLitellmIfNeeded(cwd) {
   } catch {
   }
   try {
-    execFileSync21("python3", ["-c", "import litellm"], { stdio: "pipe" });
+    execFileSync22("python3", ["-c", "import litellm"], { stdio: "pipe" });
     process.stdout.write("\u2192 kody2: litellm already installed\n");
     return 0;
   } catch {
@@ -5639,16 +5803,16 @@ function installLitellmIfNeeded(cwd) {
 }
 function configureGitIdentity(cwd) {
   try {
-    const name = execFileSync21("git", ["config", "user.name"], { cwd, stdio: "pipe", encoding: "utf-8" }).trim();
+    const name = execFileSync22("git", ["config", "user.name"], { cwd, stdio: "pipe", encoding: "utf-8" }).trim();
     if (name) return;
   } catch {
   }
   try {
-    execFileSync21("git", ["config", "user.name", "github-actions[bot]"], { cwd, stdio: "pipe" });
+    execFileSync22("git", ["config", "user.name", "github-actions[bot]"], { cwd, stdio: "pipe" });
   } catch {
   }
   try {
-    execFileSync21("git", ["config", "user.email", "41898282+github-actions[bot]@users.noreply.github.com"], {
+    execFileSync22("git", ["config", "user.email", "41898282+github-actions[bot]@users.noreply.github.com"], {
       cwd,
       stdio: "pipe"
     });
@@ -5825,9 +5989,9 @@ function commitChatFiles(cwd, sessionId, verbose) {
   if (paths.length === 0) return;
   const opts = { cwd, stdio: verbose ? "inherit" : "pipe" };
   try {
-    execFileSync22("git", ["add", ...paths], opts);
-    execFileSync22("git", ["commit", "--quiet", "-m", `chat: reply for ${sessionId}`], opts);
-    execFileSync22("git", ["push", "--quiet", "origin", "HEAD"], opts);
+    execFileSync23("git", ["add", ...paths], opts);
+    execFileSync23("git", ["commit", "--quiet", "-m", `chat: reply for ${sessionId}`], opts);
+    execFileSync23("git", ["push", "--quiet", "origin", "HEAD"], opts);
   } catch (err) {
     const msg = err instanceof Error ? err.message : String(err);
     process.stderr.write(`[kody2:chat] commit/push skipped: ${msg}