npm - @kody-ade/kody-engine - Versions diffs - 0.4.173 → 0.4.176 - Mend

@kody-ade/kody-engine 0.4.173 → 0.4.176

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/README.md +73 -2
package/dist/bin/kody.js +914 -186
package/dist/executables/job-tick/prompts/locked.md +48 -0
package/dist/executables/preview-build/profile.json +61 -0
package/dist/scripts/preview-build-templates/default-Dockerfile.preview.dev +43 -0
package/dist/scripts/preview-build-templates/default-Dockerfile.preview.prod +40 -0
package/package.json +1 -1

package/dist/bin/kody.js CHANGED Viewed

@@ -358,141 +358,6 @@ var init_submitMcp = __esm({
   }
 });
-// src/repoWorkspace.ts
-import { spawn as spawn2, spawnSync } from "child_process";
-import * as fs6 from "fs";
-import * as path6 from "path";
-async function resolveAndClone(reposRoot, repo, repoToken, cloneRepo) {
-  const name = repo?.trim();
-  if (!name || !REPO_RE.test(name)) return null;
-  const root = path6.resolve(reposRoot);
-  const dir = path6.resolve(root, name);
-  if (dir !== root && !dir.startsWith(root + path6.sep)) return null;
-  if (fs6.existsSync(path6.join(dir, ".git"))) return dir;
-  const inflight = repoClones.get(dir);
-  if (inflight) {
-    await inflight;
-    return dir;
-  }
-  const p = cloneRepo(name, repoToken, dir).finally(() => {
-    if (repoClones.get(dir) === p) repoClones.delete(dir);
-  });
-  repoClones.set(dir, p);
-  await p;
-  return dir;
-}
-async function ensureRepoCwd(opts) {
-  const dir = await resolveAndClone(
-    opts.reposRoot,
-    opts.repo,
-    opts.repoToken,
-    opts.cloneRepo
-  );
-  return dir ?? opts.baseCwd;
-}
-async function fetchRepo(opts) {
-  const dir = await resolveAndClone(
-    opts.reposRoot,
-    opts.repo,
-    opts.repoToken,
-    opts.cloneRepo ?? defaultCloneRepo
-  );
-  if (!dir) {
-    throw new Error(
-      `invalid repo "${opts.repo}" \u2014 expected "owner/name" with no path escapes`
-    );
-  }
-  return dir;
-}
-var REPO_RE, repoClones, defaultCloneRepo;
-var init_repoWorkspace = __esm({
-  "src/repoWorkspace.ts"() {
-    "use strict";
-    REPO_RE = /^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+$/;
-    repoClones = /* @__PURE__ */ new Map();
-    defaultCloneRepo = (repo, token, dir) => {
-      fs6.mkdirSync(path6.dirname(dir), { recursive: true });
-      const authUrl = token ? `https://x-access-token:${token}@github.com/${repo}.git` : `https://github.com/${repo}.git`;
-      return new Promise((resolve6, reject) => {
-        const child = spawn2("git", ["clone", "--depth=1", authUrl, dir], {
-          stdio: "inherit"
-        });
-        child.on("exit", (code) => {
-          if (code !== 0) {
-            reject(new Error(`git clone ${repo} failed (exit ${code})`));
-            return;
-          }
-          try {
-            const name = process.env.GIT_AUTHOR_NAME ?? "Kody Bot";
-            const email = process.env.GIT_AUTHOR_EMAIL ?? "kody-bot@users.noreply.github.com";
-            spawnSync("git", ["-C", dir, "config", "user.name", name]);
-            spawnSync("git", ["-C", dir, "config", "user.email", email]);
-          } catch {
-          }
-          resolve6();
-        });
-        child.on("error", reject);
-      });
-    };
-  }
-});
-// src/fetchRepoMcp.ts
-var fetchRepoMcp_exports = {};
-__export(fetchRepoMcp_exports, {
-  buildFetchRepoMcpServer: () => buildFetchRepoMcpServer
-});
-import {
-  createSdkMcpServer as createSdkMcpServer3,
-  tool as tool3
-} from "@anthropic-ai/claude-agent-sdk";
-import { z as z3 } from "zod";
-function buildFetchRepoMcpServer(opts) {
-  const fetchTool = tool3(
-    "fetch_repo",
-    'Clone another GitHub repository into your workspace so you can read and work on it. Pass `repo` as "owner/name" (e.g. "A-Guy-educ/A-Guy"). Returns the absolute path of the clone \u2014 then use your Read/Grep/Glob/Bash tools at that path to inspect it. Already-fetched repos are reused instantly. Use this whenever the user asks about a repository other than your current one \u2014 you are NOT limited to a single repo.',
-    {
-      repo: z3.string().describe('GitHub repository as "owner/name", e.g. "A-Guy-educ/A-Guy".')
-    },
-    async (args) => {
-      const repo = String(args.repo ?? "").trim();
-      try {
-        const dir = await fetchRepo({
-          reposRoot: opts.reposRoot,
-          repo,
-          repoToken: opts.repoToken
-        });
-        return {
-          content: [
-            {
-              type: "text",
-              text: `Cloned ${repo} \u2192 ${dir}
-Use Read/Grep/Glob/Bash at that absolute path to explore it. It now lives in your workspace alongside any other repos you've fetched.`
-            }
-          ]
-        };
-      } catch (err) {
-        const msg = err instanceof Error ? err.message : String(err);
-        return {
-          content: [{ type: "text", text: `Could not fetch ${repo}: ${msg}` }],
-          isError: true
-        };
-      }
-    }
-  );
-  return createSdkMcpServer3({
-    name: "kody-fetch-repo",
-    version: "0.1.0",
-    tools: [fetchTool]
-  });
-}
-var init_fetchRepoMcp = __esm({
-  "src/fetchRepoMcp.ts"() {
-    "use strict";
-    init_repoWorkspace();
-  }
-});
 // src/issue.ts
 import { execFileSync } from "child_process";
 function ghToken() {
@@ -676,6 +541,362 @@ var init_issue = __esm({
   }
 });
+// src/dutyMcp.ts
+var dutyMcp_exports = {};
+__export(dutyMcp_exports, {
+  DUTY_MCP_TOOL_NAMES: () => DUTY_MCP_TOOL_NAMES,
+  buildDutyMcpServer: () => buildDutyMcpServer
+});
+import { createSdkMcpServer as createSdkMcpServer3, tool as tool3 } from "@anthropic-ai/claude-agent-sdk";
+import { z as z3 } from "zod";
+function summarizeCiStatus(rollup) {
+  if (!Array.isArray(rollup) || rollup.length === 0) return "UNKNOWN";
+  let hasRunning = false;
+  for (const check of rollup) {
+    const status = String(check.status ?? "").toUpperCase();
+    const conclusion = String(check.conclusion ?? "").toUpperCase();
+    if (FAIL_CONCLUSIONS.has(conclusion)) return "FAILING";
+    if (!conclusion && RUNNING_STATUSES.has(status)) hasRunning = true;
+  }
+  return hasRunning ? "RUNNING" : "PASSING";
+}
+function computeBehindBy(repoSlug, base, head) {
+  try {
+    const raw = gh(["api", `repos/${repoSlug}/compare/${base}...${head}`, "--jq", ".behind_by"]);
+    const n = Number(raw.trim());
+    return Number.isFinite(n) ? n : -1;
+  } catch {
+    return -1;
+  }
+}
+function listRepairCandidates(repoSlug) {
+  const raw = gh([
+    "pr",
+    "list",
+    "--state",
+    "open",
+    "--limit",
+    "100",
+    "--json",
+    "number,title,headRefName,headRefOid,baseRefName,isDraft,mergeable,statusCheckRollup,updatedAt"
+  ]);
+  const prs = JSON.parse(raw);
+  return prs.filter((p) => !p.isDraft).map((p) => {
+    const ciStatus = summarizeCiStatus(p.statusCheckRollup);
+    const mergeable = String(p.mergeable ?? "UNKNOWN").toUpperCase();
+    const behindBy = mergeable === "CONFLICTING" || ciStatus === "FAILING" ? 0 : computeBehindBy(repoSlug, p.baseRefName, p.headRefName);
+    return {
+      number: p.number,
+      title: p.title,
+      headSha: p.headRefOid,
+      baseRef: p.baseRefName,
+      isDraft: false,
+      mergeable,
+      ciStatus,
+      behindBy,
+      updatedAt: p.updatedAt
+    };
+  });
+}
+function dispatchVerb(workflowFile, executable, prNumber) {
+  try {
+    gh([
+      "workflow",
+      "run",
+      workflowFile,
+      "-f",
+      `executable=${executable}`,
+      "-f",
+      `issue_number=${prNumber}`
+    ]);
+    return { ok: true };
+  } catch (err) {
+    return { ok: false, error: err instanceof Error ? err.message : String(err) };
+  }
+}
+function postRecommendation(prNumber, mention, message) {
+  const body = mention ? `${mention} ${message}` : message;
+  try {
+    gh(["pr", "comment", String(prNumber), "--body", body]);
+    return { ok: true };
+  } catch (err) {
+    return { ok: false, error: err instanceof Error ? err.message : String(err) };
+  }
+}
+function readLedger(label) {
+  const startTag = `<!-- ${label}:start -->`;
+  const endTag = `<!-- ${label}:end -->`;
+  try {
+    const raw = gh([
+      "issue",
+      "list",
+      "--state",
+      "open",
+      "--label",
+      label,
+      "--limit",
+      "5",
+      "--json",
+      "number,body"
+    ]);
+    const issues = JSON.parse(raw);
+    if (issues.length === 0) return { found: false, payload: null };
+    const issue = issues.sort((a, b) => a.number - b.number)[0];
+    const body = issue?.body ?? "";
+    const startIdx = body.indexOf(startTag);
+    const endIdx = body.indexOf(endTag);
+    if (startIdx === -1 || endIdx === -1 || endIdx <= startIdx) {
+      return { found: true, issueNumber: issue?.number, payload: null };
+    }
+    const between = body.slice(startIdx + startTag.length, endIdx);
+    const fenceMatch = between.match(/```json\s*([\s\S]*?)```/);
+    if (!fenceMatch) return { found: true, issueNumber: issue?.number, payload: null };
+    try {
+      return { found: true, issueNumber: issue?.number, payload: JSON.parse(fenceMatch[1]) };
+    } catch {
+      return { found: true, issueNumber: issue?.number, payload: null };
+    }
+  } catch (err) {
+    return { found: false, payload: { error: err instanceof Error ? err.message : String(err) } };
+  }
+}
+function buildDutyMcpServer(opts) {
+  const workflowFile = opts.workflowFile ?? "kody.yml";
+  const listTool = tool3(
+    "list_prs_to_repair",
+    "Return open non-draft PRs with the signals you need to pick a repair: number, title, headSha, baseRef, mergeable (CONFLICTING/MERGEABLE/UNKNOWN), ciStatus (PASSING/FAILING/RUNNING/UNKNOWN), behindBy (commits behind base; 0 for PRs that already match conflicts or CI-failure rules), updatedAt. Drafts are excluded. One call returns everything \u2014 do not iterate or paginate.",
+    {},
+    async () => {
+      const candidates = listRepairCandidates(opts.repoSlug);
+      return {
+        content: [
+          {
+            type: "text",
+            text: JSON.stringify({ prs: candidates }, null, 2)
+          }
+        ]
+      };
+    }
+  );
+  const makeDispatch = (verb, describe) => tool3(
+    `${verb.replace("-", "_")}_pr`,
+    describe,
+    {
+      pr: z3.number().int().positive().describe("PR number to repair.")
+    },
+    async (args) => {
+      const result = dispatchVerb(workflowFile, verb, args.pr);
+      const text = result.ok ? `Dispatched \`${verb}\` on PR #${args.pr}. The repair runs in its own workflow_dispatch \u2014 wait for the next tick to see the new headSha.` : `Dispatch failed for \`${verb}\` on PR #${args.pr}: ${result.error}`;
+      return {
+        content: [{ type: "text", text }]
+      };
+    }
+  );
+  const syncTool = makeDispatch(
+    "sync",
+    "Bring a stale PR up to date with its base branch (merges base \u2192 head + pushes). Use when behindBy > 10 AND mergeable !== CONFLICTING AND ciStatus !== FAILING. Returns immediately \u2014 the actual merge runs in a separate workflow."
+  );
+  const fixCiTool = makeDispatch(
+    "fix-ci",
+    "Repair a PR whose CI is failing. Use when ciStatus === FAILING. The repair runs in a separate workflow."
+  );
+  const resolveTool = makeDispatch(
+    "resolve",
+    "Resolve merge conflicts on a PR. Use when mergeable === CONFLICTING. The repair runs in a separate workflow."
+  );
+  const recommendTool = tool3(
+    "recommend_to_operator",
+    "Post ONE comment on a PR with the operator @-mention prepended. Use this when a verb is NOT graduated in the trust ledger and you want the operator to confirm via the dashboard inbox. The mention handle is substituted from kody.config.json `github.operators` \u2014 do not type it yourself.",
+    {
+      pr: z3.number().int().positive().describe("PR number to comment on."),
+      body: z3.string().min(1).describe("Comment body (markdown). Do not include the operator mention \u2014 the engine prepends it.")
+    },
+    async (args) => {
+      const result = postRecommendation(args.pr, opts.operatorMention, args.body);
+      const text = result.ok ? `Recommendation posted on PR #${args.pr}.` : `Recommendation failed on PR #${args.pr}: ${result.error}`;
+      return {
+        content: [{ type: "text", text }]
+      };
+    }
+  );
+  const ledgerTool = tool3(
+    "read_ledger",
+    "Read the trust ledger (or any sentinel-fenced JSON manifest stored on a labeled issue). Returns `{found, issueNumber, payload}` where payload is the parsed JSON between `<!-- <label>:start -->` and `<!-- <label>:end -->` sentinels. Use `read_ledger({label: 'kody:cto-decisions'})` to look up per-verb graduation modes for the trust gate.",
+    {
+      label: z3.string().min(1).describe("GitHub issue label that identifies the manifest issue (e.g. 'kody:cto-decisions').")
+    },
+    async (args) => {
+      const result = readLedger(args.label);
+      return {
+        content: [
+          {
+            type: "text",
+            text: JSON.stringify(result, null, 2)
+          }
+        ]
+      };
+    }
+  );
+  const server = createSdkMcpServer3({
+    name: "kody-duty",
+    version: "0.1.0",
+    tools: [listTool, syncTool, fixCiTool, resolveTool, recommendTool, ledgerTool]
+  });
+  return { server };
+}
+var FAIL_CONCLUSIONS, RUNNING_STATUSES, DUTY_MCP_TOOL_NAMES;
+var init_dutyMcp = __esm({
+  "src/dutyMcp.ts"() {
+    "use strict";
+    init_issue();
+    FAIL_CONCLUSIONS = /* @__PURE__ */ new Set(["FAILURE", "TIMED_OUT", "ACTION_REQUIRED", "STARTUP_FAILURE", "CANCELLED"]);
+    RUNNING_STATUSES = /* @__PURE__ */ new Set(["IN_PROGRESS", "QUEUED", "PENDING", "WAITING", "REQUESTED"]);
+    DUTY_MCP_TOOL_NAMES = [
+      "list_prs_to_repair",
+      "sync_pr",
+      "fix_ci_pr",
+      "resolve_pr",
+      "recommend_to_operator",
+      "read_ledger"
+    ];
+  }
+});
+// src/repoWorkspace.ts
+import { spawn as spawn2, spawnSync } from "child_process";
+import * as fs6 from "fs";
+import * as path6 from "path";
+async function resolveAndClone(reposRoot, repo, repoToken, cloneRepo) {
+  const name = repo?.trim();
+  if (!name || !REPO_RE.test(name)) return null;
+  const root = path6.resolve(reposRoot);
+  const dir = path6.resolve(root, name);
+  if (dir !== root && !dir.startsWith(root + path6.sep)) return null;
+  if (fs6.existsSync(path6.join(dir, ".git"))) return dir;
+  const inflight = repoClones.get(dir);
+  if (inflight) {
+    await inflight;
+    return dir;
+  }
+  const p = cloneRepo(name, repoToken, dir).finally(() => {
+    if (repoClones.get(dir) === p) repoClones.delete(dir);
+  });
+  repoClones.set(dir, p);
+  await p;
+  return dir;
+}
+async function ensureRepoCwd(opts) {
+  const dir = await resolveAndClone(
+    opts.reposRoot,
+    opts.repo,
+    opts.repoToken,
+    opts.cloneRepo
+  );
+  return dir ?? opts.baseCwd;
+}
+async function fetchRepo(opts) {
+  const dir = await resolveAndClone(
+    opts.reposRoot,
+    opts.repo,
+    opts.repoToken,
+    opts.cloneRepo ?? defaultCloneRepo
+  );
+  if (!dir) {
+    throw new Error(
+      `invalid repo "${opts.repo}" \u2014 expected "owner/name" with no path escapes`
+    );
+  }
+  return dir;
+}
+var REPO_RE, repoClones, defaultCloneRepo;
+var init_repoWorkspace = __esm({
+  "src/repoWorkspace.ts"() {
+    "use strict";
+    REPO_RE = /^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+$/;
+    repoClones = /* @__PURE__ */ new Map();
+    defaultCloneRepo = (repo, token, dir) => {
+      fs6.mkdirSync(path6.dirname(dir), { recursive: true });
+      const authUrl = token ? `https://x-access-token:${token}@github.com/${repo}.git` : `https://github.com/${repo}.git`;
+      return new Promise((resolve6, reject) => {
+        const child = spawn2("git", ["clone", "--depth=1", authUrl, dir], {
+          stdio: "inherit"
+        });
+        child.on("exit", (code) => {
+          if (code !== 0) {
+            reject(new Error(`git clone ${repo} failed (exit ${code})`));
+            return;
+          }
+          try {
+            const name = process.env.GIT_AUTHOR_NAME ?? "Kody Bot";
+            const email = process.env.GIT_AUTHOR_EMAIL ?? "kody-bot@users.noreply.github.com";
+            spawnSync("git", ["-C", dir, "config", "user.name", name]);
+            spawnSync("git", ["-C", dir, "config", "user.email", email]);
+          } catch {
+          }
+          resolve6();
+        });
+        child.on("error", reject);
+      });
+    };
+  }
+});
+// src/fetchRepoMcp.ts
+var fetchRepoMcp_exports = {};
+__export(fetchRepoMcp_exports, {
+  buildFetchRepoMcpServer: () => buildFetchRepoMcpServer
+});
+import {
+  createSdkMcpServer as createSdkMcpServer4,
+  tool as tool4
+} from "@anthropic-ai/claude-agent-sdk";
+import { z as z4 } from "zod";
+function buildFetchRepoMcpServer(opts) {
+  const fetchTool = tool4(
+    "fetch_repo",
+    'Clone another GitHub repository into your workspace so you can read and work on it. Pass `repo` as "owner/name" (e.g. "A-Guy-educ/A-Guy"). Returns the absolute path of the clone \u2014 then use your Read/Grep/Glob/Bash tools at that path to inspect it. Already-fetched repos are reused instantly. Use this whenever the user asks about a repository other than your current one \u2014 you are NOT limited to a single repo.',
+    {
+      repo: z4.string().describe('GitHub repository as "owner/name", e.g. "A-Guy-educ/A-Guy".')
+    },
+    async (args) => {
+      const repo = String(args.repo ?? "").trim();
+      try {
+        const dir = await fetchRepo({
+          reposRoot: opts.reposRoot,
+          repo,
+          repoToken: opts.repoToken
+        });
+        return {
+          content: [
+            {
+              type: "text",
+              text: `Cloned ${repo} \u2192 ${dir}
+Use Read/Grep/Glob/Bash at that absolute path to explore it. It now lives in your workspace alongside any other repos you've fetched.`
+            }
+          ]
+        };
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        return {
+          content: [{ type: "text", text: `Could not fetch ${repo}: ${msg}` }],
+          isError: true
+        };
+      }
+    }
+  );
+  return createSdkMcpServer4({
+    name: "kody-fetch-repo",
+    version: "0.1.0",
+    tools: [fetchTool]
+  });
+}
+var init_fetchRepoMcp = __esm({
+  "src/fetchRepoMcp.ts"() {
+    "use strict";
+    init_repoWorkspace();
+  }
+});
 // src/prompt.ts
 import * as fs21 from "fs";
 import * as path20 from "path";
@@ -1088,7 +1309,7 @@ var init_loadPriorArt = __esm({
 // package.json
 var package_default = {
   name: "@kody-ade/kody-engine",
-  version: "0.4.173",
+  version: "0.4.176",
   description: "kody \u2014 autonomous development engine. Single-session Claude Code agent behind a generic executor + declarative executable profiles.",
   license: "MIT",
   type: "module",
@@ -1146,7 +1367,7 @@ var package_default = {
 // src/chat-cli.ts
 import { execFileSync as execFileSync29 } from "child_process";
 import * as fs43 from "fs";
-import * as path39 from "path";
+import * as path40 from "path";
 // src/chat/events.ts
 import * as fs from "fs";
@@ -1702,7 +1923,6 @@ var BASH_WRITE_VERB = /\b(git\s+(commit|push|merge|rebase|tag|reset|cherry-pick)
 function toolMayMutate(name, input) {
   if (!name) return false;
   if (MUTATING_FILE_TOOLS.has(name)) return true;
-  if (name.startsWith("mcp__kody-submit__")) return true;
   if (name === "Bash") return BASH_WRITE_VERB.test(String(input?.command ?? ""));
   return false;
 }
@@ -1783,6 +2003,19 @@ async function runAgent(opts) {
         getSubmitted = submitHandle.getSubmitted;
         mcpEntries.push(["kody-submit", submitHandle.server]);
       }
+      if (opts.enableDutyTool) {
+        const { buildDutyMcpServer: buildDutyMcpServer2 } = await Promise.resolve().then(() => (init_dutyMcp(), dutyMcp_exports));
+        if (!opts.dutyRepoSlug) {
+          throw new Error(
+            "enableDutyTool requires dutyRepoSlug (owner/name) \u2014 set kody.config.json github.{owner,repo} or GITHUB_REPOSITORY env var"
+          );
+        }
+        const dutyHandle = buildDutyMcpServer2({
+          repoSlug: opts.dutyRepoSlug,
+          operatorMention: opts.dutyOperatorMention ?? ""
+        });
+        mcpEntries.push(["kody-duty", dutyHandle.server]);
+      }
       if (opts.enableFetchRepoTool && opts.reposRoot) {
         const { buildFetchRepoMcpServer: buildFetchRepoMcpServer2 } = await Promise.resolve().then(() => (init_fetchRepoMcp(), fetchRepoMcp_exports));
         const fetchServer = buildFetchRepoMcpServer2({
@@ -2848,7 +3081,7 @@ async function emit2(sink, type, sessionId, suffix, payload) {
 // src/kody-cli.ts
 import { execFileSync as execFileSync28 } from "child_process";
 import * as fs42 from "fs";
-import * as path38 from "path";
+import * as path39 from "path";
 // src/app-auth.ts
 import { createSign } from "crypto";
@@ -2998,6 +3231,12 @@ var POLITE_WORDS = /* @__PURE__ */ new Set([
   "pls",
   "yo"
 ]);
+function primaryNumericInputName(executable) {
+  const inputs = getProfileInputs(executable);
+  if (!inputs) return null;
+  const intInput = inputs.find((i) => i.type === "int" && i.required);
+  return intInput?.name ?? null;
+}
 function autoDispatch(opts) {
   const explicit = opts?.explicit;
   if (explicit?.issueNumber && explicit.issueNumber > 0) {
@@ -3017,7 +3256,8 @@ function autoDispatch(opts) {
     if (!Number.isNaN(n) && n > 0) {
       const exe = String(event.inputs?.executable ?? "").trim() || "run";
       const base = String(event.inputs?.base ?? "").trim();
-      const cliArgs = { issue: n };
+      const targetKey = primaryNumericInputName(exe) ?? "issue";
+      const cliArgs = { [targetKey]: n };
       if (base) cliArgs.base = base;
       return { executable: exe, cliArgs, target: n };
     }
@@ -3258,9 +3498,9 @@ function coerceBare(spec, value) {
 }
 // src/executor.ts
-import { execFileSync as execFileSync27, spawn as spawn9 } from "child_process";
+import { execFileSync as execFileSync27, spawn as spawn10 } from "child_process";
 import * as fs41 from "fs";
-import * as path37 from "path";
+import * as path38 from "path";
 // src/discipline.ts
 var DISCIPLINE = `# Working discipline (applies to this entire task)
@@ -5495,10 +5735,10 @@ import * as fs23 from "fs";
 import * as path22 from "path";
 var VALID_STATES = /* @__PURE__ */ new Set(["active", "abandoned", "closed", "awaiting-merge", "done"]);
 var GoalStateError = class extends Error {
-  constructor(path40, message) {
-    super(`Invalid goal state at ${path40}:
+  constructor(path41, message) {
+    super(`Invalid goal state at ${path41}:
   ${message}`);
-    this.path = path40;
+    this.path = path41;
     this.name = "GoalStateError";
   }
   path;
@@ -7117,6 +7357,9 @@ function parseFlatYaml(text) {
     } else if (key === "mentions") {
       const logins = value.split(",").map((s) => s.trim().replace(/^@/, "")).filter(Boolean);
       if (logins.length > 0) out.mentions = logins;
+    } else if (key === "tools") {
+      const names = value.split(",").map((s) => s.trim()).filter(Boolean);
+      if (names.length > 0) out.tools = names;
     }
   }
   return out;
@@ -9077,9 +9320,11 @@ var loadIssueStateComment = async (ctx, _profile, args) => {
 };
 // src/scripts/loadJobFromFile.ts
+init_dutyMcp();
 import * as fs32 from "fs";
 import * as path30 from "path";
-var loadJobFromFile = async (ctx, _profile, args) => {
+var DUTY_TOOL_PALETTE = new Set(DUTY_MCP_TOOL_NAMES);
+var loadJobFromFile = async (ctx, profile, args) => {
   const jobsDir = String(args?.jobsDir ?? ".kody/duties");
   const workersDir = String(args?.workersDir ?? ".kody/staff");
   const slugArg = String(args?.slugArg ?? "job");
@@ -9121,6 +9366,21 @@ var loadJobFromFile = async (ctx, _profile, args) => {
   ctx.data.workerTitle = workerTitle;
   ctx.data.workerPersona = workerPersona;
   ctx.data.mentions = mentions;
+  const declaredTools = frontmatter.tools ?? [];
+  if (declaredTools.length > 0) {
+    const unknown = declaredTools.filter((name) => !DUTY_TOOL_PALETTE.has(name));
+    if (unknown.length > 0) {
+      throw new Error(
+        `loadJobFromFile: duty '${slug}' declared tools not in the kody-duty palette: ${unknown.join(", ")}. Available: ${[...DUTY_MCP_TOOL_NAMES].join(", ")}`
+      );
+    }
+    const mcpToolNames = declaredTools.map((name) => `mcp__kody-duty__${name}`);
+    profile.claudeCode.tools = [...mcpToolNames, "mcp__kody-submit__submit_state"];
+    ctx.data.dutyTools = declaredTools;
+    ctx.data.dutyOperatorMention = mentions;
+    ctx.data.promptTemplate = "prompts/locked.md";
+    ctx.data.dutyToolsList = declaredTools.map((name) => `- \`${name}\``).join("\n");
+  }
 };
 function parseJobFile(raw, slug) {
   let stripped = raw;
@@ -10054,8 +10314,8 @@ var FlyClient = class {
   get fetch() {
     return this.opts.fetchImpl ?? fetch;
   }
-  async call(path40, init = {}) {
-    const res = await this.fetch(`${FLY_API_BASE}${path40}`, {
+  async call(path41, init = {}) {
+    const res = await this.fetch(`${FLY_API_BASE}${path41}`, {
       method: init.method ?? "GET",
       headers: {
         Authorization: `Bearer ${this.opts.token}`,
@@ -10066,7 +10326,7 @@ var FlyClient = class {
     if (res.status === 404 && init.allow404) return null;
     if (!res.ok) {
       const text = await res.text().catch(() => "");
-      throw new Error(`Fly API ${res.status} on ${path40}: ${text.slice(0, 200) || res.statusText}`);
+      throw new Error(`Fly API ${res.status} on ${path41}: ${text.slice(0, 200) || res.statusText}`);
     }
     if (res.status === 204) return null;
     const raw = await res.text();
@@ -11963,10 +12223,467 @@ var runnerServe = async (ctx) => {
   });
 };
+// src/scripts/runPreviewBuild.ts
+import { copyFile, writeFile } from "fs/promises";
+import * as path36 from "path";
+import { fileURLToPath } from "url";
+// src/scripts/previewBuildHelpers.ts
+import { createDecipheriv as createDecipheriv2, createHash } from "crypto";
+var NEVER_PASS_TO_BUILD = /* @__PURE__ */ new Set([
+  "FLY_API_TOKEN",
+  "FLY_ORG_SLUG",
+  "FLY_DEFAULT_REGION",
+  "KODY_MASTER_KEY",
+  // Preview-config knob; consumed by the dispatcher before spawn.
+  "KODY_PREVIEW_BUILD_MODE"
+]);
+function shortHash(s) {
+  return createHash("sha256").update(s).digest("hex").slice(0, 6);
+}
+function previewAppName(repo, pr) {
+  const [owner, name] = repo.split("/");
+  if (!owner || !name) {
+    throw new Error(`invalid repo "${repo}", expected "owner/name"`);
+  }
+  return `kp-${shortHash(owner)}-${shortHash(name)}-pr-${pr}`;
+}
+function basePreviewAppName(repo) {
+  const [owner, name] = repo.split("/");
+  if (!owner || !name) {
+    throw new Error(`invalid repo "${repo}", expected "owner/name"`);
+  }
+  return `kp-${shortHash(owner)}-${shortHash(name)}-base`;
+}
+function decryptVaultPayload(payload, keyRaw) {
+  const parts = payload.split(":");
+  if (parts.length !== 4 || parts[0] !== "v1") {
+    throw new Error("invalid vault payload format");
+  }
+  const [, ivB64, ctB64, tagB64] = parts;
+  const key = /^[0-9a-fA-F]{64}$/.test(keyRaw) ? Buffer.from(keyRaw, "hex") : Buffer.from(keyRaw, "base64");
+  if (key.length !== 32) {
+    throw new Error("KODY_MASTER_KEY must decode to 32 bytes");
+  }
+  const iv = Buffer.from(ivB64, "base64");
+  const ct = Buffer.from(ctB64, "base64");
+  const tag = Buffer.from(tagB64, "base64");
+  const decipher = createDecipheriv2("aes-256-gcm", key, iv);
+  decipher.setAuthTag(tag);
+  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
+}
+function buildEnvFromVault(doc) {
+  const buildEnv = {};
+  for (const [name, entry] of Object.entries(doc.secrets ?? {})) {
+    if (!entry?.value) continue;
+    if (NEVER_PASS_TO_BUILD.has(name)) continue;
+    buildEnv[name] = entry.value;
+  }
+  const raw = doc.secrets?.KODY_PREVIEW_BUILD_MODE?.value;
+  const buildMode = raw?.toLowerCase().trim() === "dev" ? "dev" : "prod";
+  return { buildEnv, buildMode };
+}
+function formatPreviewComment(args) {
+  const url = `https://${args.appName}.fly.dev`;
+  return [
+    "<!-- kody-fly-preview -->",
+    `\u2705 **Preview ready:** ${url}`,
+    "",
+    `<sub>App: \`${args.appName}\` \xB7 Commit: \`${args.ref.slice(0, 7)}\` \xB7 Updated: ${args.nowIso}</sub>`
+  ].join("\n");
+}
+function defaultImageTag(repo, ref) {
+  return createHash("sha256").update(`${repo}@${ref}`).digest("hex").slice(0, 12);
+}
+// src/scripts/previewBuildRun.ts
+import { spawn as spawn6 } from "child_process";
+async function runCmd(cmd, args, opts = {}) {
+  await new Promise((resolve6, reject) => {
+    const child = spawn6(cmd, args, {
+      cwd: opts.cwd,
+      env: { ...process.env, ...opts.env ?? {} },
+      stdio: opts.input ? ["pipe", "inherit", "inherit"] : "inherit"
+    });
+    if (opts.input && child.stdin) {
+      child.stdin.write(opts.input);
+      child.stdin.end();
+    }
+    child.on("error", reject);
+    child.on("close", (code) => {
+      if (code === 0) resolve6();
+      else reject(new Error(`${cmd} ${args.join(" ")} exited ${code}`));
+    });
+  });
+}
+// src/scripts/runPreviewBuild.ts
+var FLY_MACHINES = "https://api.machines.dev/v1";
+var FLY_GRAPHQL = "https://api.fly.io/graphql";
+var REQ_TIMEOUT_MS = 3e4;
+function bundledDockerfilePath(mode) {
+  const here = path36.dirname(fileURLToPath(import.meta.url));
+  const file = mode === "dev" ? "default-Dockerfile.preview.dev" : "default-Dockerfile.preview.prod";
+  return path36.join(here, "preview-build-templates", file);
+}
+function required(name) {
+  const v = (process.env[name] ?? "").trim();
+  if (!v) throw new Error(`${name} is required`);
+  return v;
+}
+function flyHeaders(token) {
+  return {
+    Authorization: `Bearer ${token}`,
+    "Content-Type": "application/json"
+  };
+}
+async function ghJSON(url, token) {
+  const res = await fetch(url, {
+    headers: {
+      Authorization: `Bearer ${token}`,
+      Accept: "application/vnd.github+json",
+      "X-GitHub-Api-Version": "2022-11-28"
+    },
+    signal: AbortSignal.timeout(REQ_TIMEOUT_MS)
+  });
+  if (!res.ok) {
+    throw new Error(`GitHub ${url}: ${res.status} ${res.statusText}`);
+  }
+  return await res.json();
+}
+async function fetchVaultDoc(repo, ghToken4, masterKey) {
+  const meta = await ghJSON(
+    `https://api.github.com/repos/${repo}/contents/.kody/secrets.enc`,
+    ghToken4
+  );
+  const payload = Buffer.from(meta.content, "base64").toString("utf8");
+  const plaintext = decryptVaultPayload(payload, masterKey);
+  return JSON.parse(plaintext);
+}
+async function flyAppExists(name, token) {
+  const res = await fetch(`${FLY_MACHINES}/apps/${encodeURIComponent(name)}`, {
+    headers: flyHeaders(token),
+    signal: AbortSignal.timeout(REQ_TIMEOUT_MS)
+  });
+  if (res.status === 404) return false;
+  if (!res.ok) {
+    throw new Error(`appExists ${name}: ${res.status} ${res.statusText}`);
+  }
+  return true;
+}
+async function flyCreateApp(name, orgSlug, token) {
+  const res = await fetch(`${FLY_MACHINES}/apps`, {
+    method: "POST",
+    headers: flyHeaders(token),
+    body: JSON.stringify({ app_name: name, org_slug: orgSlug }),
+    signal: AbortSignal.timeout(REQ_TIMEOUT_MS)
+  });
+  if (res.status === 422) return;
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    throw new Error(`createApp ${name}: ${res.status} ${text.slice(0, 200)}`);
+  }
+}
+async function flyAllocateSharedIps(appName, token) {
+  const mutation = `
+    mutation AllocateIps($appId: ID!) {
+      v4: allocateIpAddress(input: { appId: $appId, type: shared_v4 }) { ipAddress { address } }
+      v6: allocateIpAddress(input: { appId: $appId, type: v6 }) { ipAddress { address } }
+    }
+  `;
+  const res = await fetch(FLY_GRAPHQL, {
+    method: "POST",
+    headers: flyHeaders(token),
+    body: JSON.stringify({ query: mutation, variables: { appId: appName } }),
+    signal: AbortSignal.timeout(REQ_TIMEOUT_MS)
+  });
+  if (!res.ok) {
+    throw new Error(`allocateSharedIps ${appName}: ${res.status}`);
+  }
+  const data = await res.json();
+  if (data.errors?.length) {
+    const msgs = data.errors.map((e) => e.message).join("; ");
+    if (!/already|exists/i.test(msgs)) {
+      throw new Error(`allocateSharedIps: ${msgs}`);
+    }
+  }
+}
+async function flyListMachines(appName, token) {
+  const res = await fetch(
+    `${FLY_MACHINES}/apps/${encodeURIComponent(appName)}/machines`,
+    {
+      headers: flyHeaders(token),
+      signal: AbortSignal.timeout(REQ_TIMEOUT_MS)
+    }
+  );
+  if (res.status === 404) return [];
+  if (!res.ok) {
+    throw new Error(`listMachines ${appName}: ${res.status}`);
+  }
+  const data = await res.json();
+  return data.map((m) => ({ id: m.id, state: m.state }));
+}
+async function flyDestroyMachine(appName, machineId, token) {
+  await fetch(
+    `${FLY_MACHINES}/apps/${encodeURIComponent(appName)}/machines/${encodeURIComponent(machineId)}/stop`,
+    {
+      method: "POST",
+      headers: flyHeaders(token),
+      signal: AbortSignal.timeout(REQ_TIMEOUT_MS)
+    }
+  ).catch(() => void 0);
+  const res = await fetch(
+    `${FLY_MACHINES}/apps/${encodeURIComponent(appName)}/machines/${encodeURIComponent(machineId)}?force=true`,
+    {
+      method: "DELETE",
+      headers: flyHeaders(token),
+      signal: AbortSignal.timeout(REQ_TIMEOUT_MS)
+    }
+  );
+  if (res.status === 404) return;
+  if (!res.ok) {
+    throw new Error(`destroyMachine ${machineId}: ${res.status}`);
+  }
+}
+async function flyCreatePreviewMachine(args, token) {
+  const body = {
+    region: args.region,
+    config: {
+      image: args.image,
+      env: args.env,
+      auto_destroy: false,
+      restart: { policy: "always" },
+      // 4 GB / 2 CPU is the floor that compiles A-Guy-class pages
+      // without OOM when something forces a runtime recompile.
+      guest: { cpu_kind: "shared", cpus: 2, memory_mb: 4096 },
+      services: [
+        {
+          ports: [
+            { port: 443, handlers: ["tls", "http"], force_https: false },
+            { port: 80, handlers: ["http"] }
+          ],
+          protocol: "tcp",
+          internal_port: 8080,
+          auto_stop_machines: "suspend",
+          auto_start_machines: true,
+          min_machines_running: 0
+        }
+      ],
+      checks: {
+        httpget: {
+          type: "http",
+          port: 8080,
+          method: "GET",
+          path: "/",
+          interval: "15s",
+          timeout: "10s",
+          grace_period: "30s"
+        }
+      }
+    }
+  };
+  let lastErr = null;
+  for (let attempt = 0; attempt < 6; attempt++) {
+    const res = await fetch(
+      `${FLY_MACHINES}/apps/${encodeURIComponent(args.appName)}/machines`,
+      {
+        method: "POST",
+        headers: flyHeaders(token),
+        body: JSON.stringify(body),
+        signal: AbortSignal.timeout(REQ_TIMEOUT_MS)
+      }
+    );
+    if (res.ok) {
+      const { id } = await res.json();
+      return id;
+    }
+    const text = await res.text().catch(() => "");
+    lastErr = new Error(
+      `createPreviewMachine ${res.status}: ${text.slice(0, 300)}`
+    );
+    if (!/MANIFEST_UNKNOWN|manifest unknown/i.test(text)) break;
+    await new Promise((r) => setTimeout(r, 2e3 * (attempt + 1)));
+  }
+  throw lastErr ?? new Error("createPreviewMachine failed (unknown)");
+}
+async function postOrUpdatePreviewComment(args) {
+  const MARKER = "<!-- kody-fly-preview -->";
+  const base = `https://api.github.com/repos/${args.repo}/issues/${args.pr}/comments`;
+  const headers = {
+    Authorization: `Bearer ${args.token}`,
+    Accept: "application/vnd.github+json",
+    "X-GitHub-Api-Version": "2022-11-28",
+    "Content-Type": "application/json"
+  };
+  const listRes = await fetch(`${base}?per_page=100`, {
+    headers,
+    signal: AbortSignal.timeout(REQ_TIMEOUT_MS)
+  }).catch(() => null);
+  let existingId = null;
+  if (listRes && listRes.ok) {
+    const comments = await listRes.json().catch(() => []);
+    const hit = comments.find((c) => (c.body ?? "").includes(MARKER));
+    if (hit) existingId = hit.id;
+  }
+  if (existingId) {
+    await fetch(
+      `https://api.github.com/repos/${args.repo}/issues/comments/${existingId}`,
+      {
+        method: "PATCH",
+        headers,
+        body: JSON.stringify({ body: args.body }),
+        signal: AbortSignal.timeout(REQ_TIMEOUT_MS)
+      }
+    );
+    return;
+  }
+  await fetch(base, {
+    method: "POST",
+    headers,
+    body: JSON.stringify({ body: args.body }),
+    signal: AbortSignal.timeout(REQ_TIMEOUT_MS)
+  });
+}
+var runPreviewBuild = async (ctx, _profile, _args) => {
+  ctx.skipAgent = true;
+  const pr = Number(ctx.args.pr);
+  if (!Number.isFinite(pr) || pr <= 0) {
+    ctx.output.exitCode = 99;
+    ctx.output.reason = `runPreviewBuild: invalid pr arg "${ctx.args.pr}"`;
+    return;
+  }
+  let repo;
+  let ref;
+  let flyToken;
+  let masterKey;
+  let ghToken4;
+  try {
+    repo = required("GITHUB_REPOSITORY");
+    ref = required("GITHUB_SHA");
+    flyToken = required("FLY_API_TOKEN");
+    masterKey = required("KODY_MASTER_KEY");
+    ghToken4 = required("GITHUB_TOKEN");
+  } catch (err) {
+    ctx.output.exitCode = 99;
+    ctx.output.reason = `runPreviewBuild: ${err instanceof Error ? err.message : String(err)}`;
+    return;
+  }
+  const orgSlug = (process.env.FLY_ORG_SLUG ?? "personal").trim();
+  const region = (process.env.FLY_REGION ?? "fra").trim();
+  const ghcrOwner = process.env.KODY_PREVIEW_GHCR_OWNER?.trim() || "";
+  const appName = previewAppName(repo, pr);
+  const tag = defaultImageTag(repo, ref);
+  try {
+    const doc = await fetchVaultDoc(repo, ghToken4, masterKey);
+    const { buildEnv, buildMode } = buildEnvFromVault(doc);
+    console.log(
+      `[preview-build] vault: ${Object.keys(buildEnv).length} secrets, mode=${buildMode}`
+    );
+    if (Object.keys(buildEnv).length > 0) {
+      const lines = Object.entries(buildEnv).map(
+        ([k, v]) => `${k}=${JSON.stringify(v)}`
+      );
+      await writeFile(
+        path36.join(ctx.cwd, ".env.production.local"),
+        lines.join("\n") + "\n",
+        "utf8"
+      );
+    }
+    const consumerDockerfile = path36.join(ctx.cwd, "Dockerfile.preview");
+    try {
+      await copyFile(bundledDockerfilePath(buildMode), consumerDockerfile);
+      console.log(`[preview-build] using bundled Dockerfile.preview.${buildMode}`);
+    } catch (err) {
+      console.warn(
+        `[preview-build] failed to drop bundled Dockerfile: ${err instanceof Error ? err.message : err}`
+      );
+    }
+    let baseImage = null;
+    if (ghcrOwner) {
+      const baseRef = `${ghcrOwner.toLowerCase()}/${basePreviewAppName(repo)}`;
+      const tok = await fetch(
+        `https://ghcr.io/token?scope=repository:${baseRef}:pull&service=ghcr.io`,
+        { signal: AbortSignal.timeout(15e3) }
+      ).catch(() => null);
+      if (tok?.ok) {
+        const { token: bearer } = await tok.json();
+        const probe = await fetch(`https://ghcr.io/v2/${baseRef}/manifests/latest`, {
+          method: "HEAD",
+          headers: {
+            Authorization: `Bearer ${bearer}`,
+            Accept: "application/vnd.oci.image.manifest.v1+json, application/vnd.docker.distribution.manifest.v2+json"
+          },
+          signal: AbortSignal.timeout(15e3)
+        }).catch(() => null);
+        if (probe?.status === 200) {
+          baseImage = `ghcr.io/${baseRef}:latest`;
+          console.log(`[preview-build] inheriting from base ${baseImage}`);
+        }
+      }
+    }
+    if (!await flyAppExists(appName, flyToken)) {
+      await flyCreateApp(appName, orgSlug, flyToken);
+    }
+    await flyAllocateSharedIps(appName, flyToken);
+    await runCmd(
+      "docker",
+      ["login", "registry.fly.io", "-u", "x", "--password-stdin"],
+      { input: flyToken, cwd: ctx.cwd }
+    );
+    const buildArgs = [
+      "build",
+      "-f",
+      "Dockerfile.preview",
+      "-t",
+      `registry.fly.io/${appName}:${tag}`
+    ];
+    if (baseImage) buildArgs.push("--build-arg", `BASE_IMAGE=${baseImage}`);
+    buildArgs.push(".");
+    await runCmd("docker", buildArgs, {
+      cwd: ctx.cwd,
+      env: { DOCKER_BUILDKIT: "1" }
+    });
+    await runCmd("docker", ["push", `registry.fly.io/${appName}:${tag}`], {
+      cwd: ctx.cwd
+    });
+    const stale = await flyListMachines(appName, flyToken);
+    for (const m of stale) {
+      await flyDestroyMachine(appName, m.id, flyToken).catch(() => void 0);
+    }
+    const machineId = await flyCreatePreviewMachine(
+      {
+        appName,
+        region,
+        image: `registry.fly.io/${appName}:${tag}`,
+        env: buildEnv
+      },
+      flyToken
+    );
+    console.log(
+      `[preview-build] done \u2014 machine ${machineId} at https://${appName}.fly.dev`
+    );
+    await postOrUpdatePreviewComment({
+      repo,
+      pr,
+      body: formatPreviewComment({
+        appName,
+        ref,
+        nowIso: (/* @__PURE__ */ new Date()).toISOString()
+      }),
+      token: ghToken4
+    });
+  } catch (err) {
+    ctx.output.exitCode = 1;
+    ctx.output.reason = `runPreviewBuild: ${err instanceof Error ? err.message : String(err)}`;
+    console.error("[preview-build] failed:", err);
+    return;
+  }
+};
 // src/scripts/runTickScript.ts
 import { spawnSync as spawnSync2 } from "child_process";
 import * as fs39 from "fs";
-import * as path36 from "path";
+import * as path37 from "path";
 var runTickScript = async (ctx, _profile, args) => {
   ctx.skipAgent = true;
   const jobsDir = String(args?.jobsDir ?? ".kody/duties");
@@ -11978,7 +12695,7 @@ var runTickScript = async (ctx, _profile, args) => {
     ctx.output.reason = `runTickScript: ctx.args.${slugArg} must be a non-empty slug`;
     return;
   }
-  const jobPath = path36.join(ctx.cwd, jobsDir, `${slug}.md`);
+  const jobPath = path37.join(ctx.cwd, jobsDir, `${slug}.md`);
   if (!fs39.existsSync(jobPath)) {
     ctx.output.exitCode = 99;
     ctx.output.reason = `runTickScript: job file not found: ${jobPath}`;
@@ -11992,7 +12709,7 @@ var runTickScript = async (ctx, _profile, args) => {
     ctx.output.reason = `runTickScript: job ${slug} has no \`tickScript:\` frontmatter \u2014 route via job-tick instead`;
     return;
   }
-  const scriptPath = path36.isAbsolute(tickScript) ? tickScript : path36.join(ctx.cwd, tickScript);
+  const scriptPath = path37.isAbsolute(tickScript) ? tickScript : path37.join(ctx.cwd, tickScript);
   if (!fs39.existsSync(scriptPath)) {
     ctx.output.exitCode = 99;
     ctx.output.reason = `runTickScript: tickScript not found: ${scriptPath}`;
@@ -12144,7 +12861,7 @@ function synthesizeAction(ctx) {
 }
 // src/scripts/serveFlow.ts
-import { spawn as spawn6 } from "child_process";
+import { spawn as spawn7 } from "child_process";
 function parseTarget(positional) {
   if (!Array.isArray(positional) || positional.length === 0) return "none";
   const first = String(positional[0]).toLowerCase();
@@ -12193,7 +12910,7 @@ var serveFlow = async (ctx) => {
     if (usesProxy) process.stdout.write(`  ANTHROPIC_BASE_URL=${url}
 `);
     const args = ["--dangerously-skip-permissions", "--model", model.model];
-    const child = spawn6("claude", args, { stdio: "inherit", env: editorEnv, cwd: ctx.cwd });
+    const child = spawn7("claude", args, { stdio: "inherit", env: editorEnv, cwd: ctx.cwd });
     const exitCode = await new Promise((resolve6) => {
       child.on("exit", (code) => resolve6(code ?? 0));
       child.on("error", (err) => {
@@ -12214,7 +12931,7 @@ var serveFlow = async (ctx) => {
     if (usesProxy) process.stdout.write(`  ANTHROPIC_BASE_URL=${url}
 `);
     try {
-      const code = spawn6("code", [ctx.cwd], { stdio: "inherit", env: editorEnv, detached: true });
+      const code = spawn7("code", [ctx.cwd], { stdio: "inherit", env: editorEnv, detached: true });
       code.on("error", (err) => {
         process.stderr.write(`[kody serve] failed to launch VS Code: ${err.message}
 `);
@@ -12469,7 +13186,7 @@ var verify = async (ctx) => {
 };
 // src/scripts/verifyReproFails.ts
-import { spawn as spawn7 } from "child_process";
+import { spawn as spawn8 } from "child_process";
 var TEST_TIMEOUT_MS = 10 * 60 * 1e3;
 var TAIL_CHARS2 = 8e3;
 var ANSI_RE2 = /\x1B\[[0-?]*[ -/]*[@-~]/g;
@@ -12538,7 +13255,7 @@ function stripAnsi2(s) {
 }
 function runCommand2(command, cwd) {
   return new Promise((resolve6) => {
-    const child = spawn7(command, {
+    const child = spawn8(command, {
       cwd,
       shell: true,
       env: { ...process.env, HUSKY: "0", SKIP_HOOKS: "1", CI: process.env.CI ?? "1" },
@@ -12869,7 +13586,7 @@ var appendCompanyActivity = async (ctx, _profile, agentResult) => {
 };
 // src/scripts/warmupMcp.ts
-import { spawn as spawn8 } from "child_process";
+import { spawn as spawn9 } from "child_process";
 var PER_SERVER_TIMEOUT_MS = 6e4;
 var PER_REQUEST_TIMEOUT_MS = 2e4;
 var warmupMcp = async (_ctx, profile) => {
@@ -12891,7 +13608,7 @@ var warmupMcp = async (_ctx, profile) => {
   }
 };
 async function warmupOne(command, args, env) {
-  const child = spawn8(command, args, {
+  const child = spawn9(command, args, {
     stdio: ["pipe", "pipe", "pipe"],
     env: env ? { ...process.env, ...env } : process.env
   });
@@ -13171,6 +13888,7 @@ var preflightScripts = {
   dispatchJobTicks,
   dispatchJobFileTicks,
   runTickScript,
+  runPreviewBuild,
   serveFlow,
   brainServe,
   runnerServe,
@@ -13246,24 +13964,24 @@ function firstRequiredFailure(results, tools) {
   }
   return null;
 }
-function verifyOne(tool4, cwd) {
-  const result = { name: tool4.name, present: false, verified: false };
-  const checkRes = runShell(tool4.install.checkCommand, cwd);
+function verifyOne(tool5, cwd) {
+  const result = { name: tool5.name, present: false, verified: false };
+  const checkRes = runShell(tool5.install.checkCommand, cwd);
   let present = checkRes.ok;
-  if (!present && tool4.install.installCommand) {
-    runShell(tool4.install.installCommand, cwd, 12e4);
-    present = runShell(tool4.install.checkCommand, cwd).ok;
+  if (!present && tool5.install.installCommand) {
+    runShell(tool5.install.installCommand, cwd, 12e4);
+    present = runShell(tool5.install.checkCommand, cwd).ok;
   }
   result.present = present;
   if (!present) {
-    result.error = `tool "${tool4.name}" not on PATH (check: ${tool4.install.checkCommand})`;
+    result.error = `tool "${tool5.name}" not on PATH (check: ${tool5.install.checkCommand})`;
     return result;
   }
-  const verifyRes = runShell(tool4.verify, cwd);
+  const verifyRes = runShell(tool5.verify, cwd);
   result.verified = verifyRes.ok;
   if (!verifyRes.ok) {
     const tail = formatStderrTail(verifyRes.stderr, verifyRes.stdout);
-    result.error = `tool "${tool4.name}" failed verify: ${tool4.verify}${tail ? ` \u2014 ${tail}` : ""}`;
+    result.error = `tool "${tool5.name}" failed verify: ${tool5.verify}${tail ? ` \u2014 ${tail}` : ""}`;
   }
   return result;
 }
@@ -13395,9 +14113,9 @@ async function runExecutable(profileName, input) {
       })
     };
   })() : null;
-  const ndjsonDir = path37.join(input.cwd, ".kody");
+  const ndjsonDir = path38.join(input.cwd, ".kody");
   const invokeAgent = async (prompt) => {
-    const externalPlugins = (profile.claudeCode.plugins ?? []).map((p) => path37.isAbsolute(p) ? p : path37.resolve(profile.dir, p)).filter((p) => p.length > 0);
+    const externalPlugins = (profile.claudeCode.plugins ?? []).map((p) => path38.isAbsolute(p) ? p : path38.resolve(profile.dir, p)).filter((p) => p.length > 0);
     const syntheticPath = ctx.data.syntheticPluginPath;
     const pluginPaths = [...externalPlugins, ...syntheticPath ? [syntheticPath] : []];
     const agents = loadSubagents(profile);
@@ -13427,6 +14145,16 @@ async function runExecutable(profileName, input) {
       cacheable: profile.claudeCode.cacheable,
       enableVerifyTool: profile.claudeCode.enableVerifyTool,
       enableSubmitTool: profile.claudeCode.enableSubmitTool,
+      // Locked-toolbox duty mode: `loadJobFromFile` flips `ctx.data.dutyTools`
+      // when a duty declares `tools:` frontmatter. The executor doesn't need
+      // to know the palette — it just forwards the flag so agent.ts can spin
+      // up the in-process `kody-duty` MCP server with the right context.
+      enableDutyTool: Array.isArray(ctx.data.dutyTools) && ctx.data.dutyTools.length > 0,
+      dutyOperatorMention: typeof ctx.data.dutyOperatorMention === "string" ? ctx.data.dutyOperatorMention : void 0,
+      // owner/repo from kody.config.json; envelope falls back to GITHUB_REPOSITORY
+      // for tester repos that don't set config.github (the file isn't always
+      // checked in). Either way, dutyMcp needs "owner/name" to hit the compare API.
+      dutyRepoSlug: config.github?.owner && config.github?.repo ? `${config.github.owner}/${config.github.repo}` : process.env.GITHUB_REPOSITORY?.trim() || void 0,
       verifyToolMaxAttempts: profile.claudeCode.verifyAttempts ?? null,
       verifyConfig: profile.claudeCode.enableVerifyTool ? config : void 0,
       executableName: profileName,
@@ -13639,13 +14367,13 @@ function getProfileInputsForChild(profileName, _cwd) {
 function resolveProfilePath(profileName) {
   const found = resolveExecutable(profileName);
   if (found) return found;
-  const here = path37.dirname(new URL(import.meta.url).pathname);
+  const here = path38.dirname(new URL(import.meta.url).pathname);
   const candidates = [
-    path37.join(here, "executables", profileName, "profile.json"),
+    path38.join(here, "executables", profileName, "profile.json"),
     // same-dir sibling (dev)
-    path37.join(here, "..", "executables", profileName, "profile.json"),
+    path38.join(here, "..", "executables", profileName, "profile.json"),
     // up one (prod: dist/bin → dist/executables)
-    path37.join(here, "..", "src", "executables", profileName, "profile.json")
+    path38.join(here, "..", "src", "executables", profileName, "profile.json")
     // fallback
   ];
   for (const c of candidates) {
@@ -13749,7 +14477,7 @@ function resolveShellTimeoutMs(entry) {
 var SIGKILL_GRACE_MS = 5e3;
 async function runShellEntry(entry, ctx, profile) {
   const shellName = entry.shell;
-  const shellPath = path37.join(profile.dir, shellName);
+  const shellPath = path38.join(profile.dir, shellName);
   if (!fs41.existsSync(shellPath)) {
     ctx.skipAgent = true;
     ctx.output.exitCode = 99;
@@ -13766,7 +14494,7 @@ async function runShellEntry(entry, ctx, profile) {
     env[`KODY_CFG_${k}`] = v;
   }
   const timeoutMs = resolveShellTimeoutMs(entry);
-  const child = spawn9("bash", [shellPath, ...positional], {
+  const child = spawn10("bash", [shellPath, ...positional], {
     cwd: ctx.cwd,
     env,
     stdio: ["pipe", "pipe", "pipe"],
@@ -14256,9 +14984,9 @@ async function resolveAuthToken(env = process.env) {
   return void 0;
 }
 function detectPackageManager2(cwd) {
-  if (fs42.existsSync(path38.join(cwd, "pnpm-lock.yaml"))) return "pnpm";
-  if (fs42.existsSync(path38.join(cwd, "yarn.lock"))) return "yarn";
-  if (fs42.existsSync(path38.join(cwd, "bun.lockb"))) return "bun";
+  if (fs42.existsSync(path39.join(cwd, "pnpm-lock.yaml"))) return "pnpm";
+  if (fs42.existsSync(path39.join(cwd, "yarn.lock"))) return "yarn";
+  if (fs42.existsSync(path39.join(cwd, "bun.lockb"))) return "bun";
   return "npm";
 }
 function shellOut(cmd, args, cwd, stream = true) {
@@ -14345,7 +15073,7 @@ function configureGitIdentity(cwd) {
 }
 function postFailureTail(issueNumber, cwd, reason) {
   if (!issueNumber) return;
-  const logPath = path38.join(cwd, ".kody", "last-run.jsonl");
+  const logPath = path39.join(cwd, ".kody", "last-run.jsonl");
   let tail = "";
   try {
     if (fs42.existsSync(logPath)) {
@@ -14374,7 +15102,7 @@ async function runCi(argv) {
     return 0;
   }
   const args = parseCiArgs(argv);
-  const cwd = args.cwd ? path38.resolve(args.cwd) : process.cwd();
+  const cwd = args.cwd ? path39.resolve(args.cwd) : process.cwd();
   let earlyConfig;
   try {
     earlyConfig = loadConfig(cwd);
@@ -14647,12 +15375,12 @@ function parseChatArgs(argv, env = process.env) {
   return result;
 }
 function commitChatFiles(cwd, sessionId, verbose) {
-  const sessionFile = path39.relative(cwd, sessionFilePath(cwd, sessionId));
-  const eventsFile = path39.relative(cwd, eventsFilePath(cwd, sessionId));
+  const sessionFile = path40.relative(cwd, sessionFilePath(cwd, sessionId));
+  const eventsFile = path40.relative(cwd, eventsFilePath(cwd, sessionId));
   const safeSession = sessionId.replace(/[^a-zA-Z0-9._-]/g, "_");
-  const tasksDir = path39.join(".kody", "tasks", safeSession);
+  const tasksDir = path40.join(".kody", "tasks", safeSession);
   const candidatePaths = [sessionFile, eventsFile, tasksDir];
-  const paths = candidatePaths.filter((p) => fs43.existsSync(path39.join(cwd, p)));
+  const paths = candidatePaths.filter((p) => fs43.existsSync(path40.join(cwd, p)));
   if (paths.length === 0) return;
   const opts = { cwd, stdio: verbose ? "inherit" : "pipe" };
   try {
@@ -14696,7 +15424,7 @@ async function runChat(argv) {
 ${CHAT_HELP}`);
     return 64;
   }
-  const cwd = args.cwd ? path39.resolve(args.cwd) : process.cwd();
+  const cwd = args.cwd ? path40.resolve(args.cwd) : process.cwd();
   const sessionId = args.sessionId;
   const unpackedSecrets = unpackAllSecrets();
   if (unpackedSecrets > 0) {