@mcrescenzo/opencode-workflows 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (71) hide show
  1. package/CHANGELOG.md +14 -0
  2. package/CODE_OF_CONDUCT.md +134 -0
  3. package/CONTRIBUTING.md +95 -0
  4. package/LICENSE +21 -0
  5. package/README.md +746 -0
  6. package/SECURITY.md +38 -0
  7. package/commands/repo-bughunt.md +94 -0
  8. package/commands/repo-review.md +148 -0
  9. package/commands/workflow-live-gates-release-check.md +143 -0
  10. package/docs/workflow-plugin.md +400 -0
  11. package/opencode-workflows.js +5 -0
  12. package/package.json +86 -0
  13. package/skills/opencode-workflow-authoring/SKILL.md +180 -0
  14. package/skills/repo-review-command-protocol/SKILL.md +56 -0
  15. package/skills/workflow-model-tiering/SKILL.md +57 -0
  16. package/skills/workflow-plan-review/SKILL.md +91 -0
  17. package/workflow-kernel/approval-hashing.js +39 -0
  18. package/workflow-kernel/async-util.js +33 -0
  19. package/workflow-kernel/audited-shell-policy.js +200 -0
  20. package/workflow-kernel/authority-policy.js +670 -0
  21. package/workflow-kernel/budget-accounting.js +142 -0
  22. package/workflow-kernel/capability-adapter.js +753 -0
  23. package/workflow-kernel/child-agent-runner.js +1264 -0
  24. package/workflow-kernel/constants.js +117 -0
  25. package/workflow-kernel/diagnostics.js +152 -0
  26. package/workflow-kernel/drain-runtime.js +421 -0
  27. package/workflow-kernel/errors.js +181 -0
  28. package/workflow-kernel/event-journal.js +487 -0
  29. package/workflow-kernel/extension-registry.js +144 -0
  30. package/workflow-kernel/free-text-redactor.js +91 -0
  31. package/workflow-kernel/gate-shapes.js +82 -0
  32. package/workflow-kernel/git-util.js +45 -0
  33. package/workflow-kernel/index.js +72 -0
  34. package/workflow-kernel/integration-mode.js +155 -0
  35. package/workflow-kernel/lane-effort-policy.js +134 -0
  36. package/workflow-kernel/lifecycle-control.js +608 -0
  37. package/workflow-kernel/live-gate-probes.js +916 -0
  38. package/workflow-kernel/notification-toast-cards.js +393 -0
  39. package/workflow-kernel/notification-toast-policy.js +179 -0
  40. package/workflow-kernel/notification-toast-scope.js +100 -0
  41. package/workflow-kernel/notification-toast.js +287 -0
  42. package/workflow-kernel/path-policy.js +219 -0
  43. package/workflow-kernel/result-readback.js +106 -0
  44. package/workflow-kernel/role-template-loading.js +606 -0
  45. package/workflow-kernel/run-context.js +139 -0
  46. package/workflow-kernel/run-observability.js +43 -0
  47. package/workflow-kernel/run-store-fs.js +231 -0
  48. package/workflow-kernel/run-store-locks.js +180 -0
  49. package/workflow-kernel/run-store-projections.js +421 -0
  50. package/workflow-kernel/run-store-rehydrate.js +68 -0
  51. package/workflow-kernel/run-store-state.js +147 -0
  52. package/workflow-kernel/run-store-status-format.js +1154 -0
  53. package/workflow-kernel/run-store-status.js +107 -0
  54. package/workflow-kernel/sandbox-executor.js +1131 -0
  55. package/workflow-kernel/session-access.js +56 -0
  56. package/workflow-kernel/structured-output.js +143 -0
  57. package/workflow-kernel/test-fix-drain-adapter.js +119 -0
  58. package/workflow-kernel/text-json.js +136 -0
  59. package/workflow-kernel/workflow-plugin.js +3017 -0
  60. package/workflow-kernel/workflow-source.js +444 -0
  61. package/workflow-kernel/worktree-adapter.js +256 -0
  62. package/workflow-kernel/worktree-git.js +147 -0
  63. package/workflows/repo-bughunt.js +362 -0
  64. package/workflows/repo-cleanup.js +383 -0
  65. package/workflows/repo-complexity.js +404 -0
  66. package/workflows/repo-deps.js +457 -0
  67. package/workflows/repo-modernize.js +395 -0
  68. package/workflows/repo-perf.js +394 -0
  69. package/workflows/repo-review.js +831 -0
  70. package/workflows/repo-security-audit.js +466 -0
  71. package/workflows/repo-test-gaps.js +377 -0
package/SECURITY.md ADDED
@@ -0,0 +1,38 @@
1
+ # Security Policy
2
+
3
+ ## Supported Versions
4
+
5
+ Security fixes are handled on the current `main` branch until the first public
6
+ release process defines versioned support windows. Treat unpublished snapshots
7
+ and local plugin checkouts as unsupported outside their owning checkout.
8
+
9
+ ## Reporting A Vulnerability
10
+
11
+ Report suspected sandbox escapes, authority bypasses, unsafe primary-tree writes,
12
+ secret disclosure, or child-process abuse privately through the
13
+ [GitHub Security Advisory flow](https://github.com/mcrescenzo/opencode-workflows/security/advisories/new)
14
+ for this repository. Include a minimal reproduction, affected commit or version,
15
+ and whether the issue needs a configured extension, a project workflow, or only
16
+ core plugin tools.
17
+
18
+ Please do not publish exploit details before there is a coordinated fix or a
19
+ mutual disclosure date. Do not open a public GitHub issue for an unpatched
20
+ vulnerability.
21
+
22
+ ## Trust Boundary
23
+
24
+ Workflow scripts are guest code and run inside the QuickJS sandbox with injected
25
+ workflow globals only. They do not receive Node `fs`, `child_process`, `require`,
26
+ or direct domain-store access.
27
+
28
+ Configured workflow extensions are different: they are trusted host modules.
29
+ Adding an extension path to opencode config imports and runs that module in the
30
+ plugin's Node process with normal local privileges before exported capabilities
31
+ are structurally validated. The core plugin does not currently enforce extension
32
+ signatures, hash pins, or a module allowlist.
33
+
34
+ The kernel's authority, path, approval, and live-gate checks protect core guest
35
+ and tool flows. They do not automatically sandbox extension-contributed tools,
36
+ drain adapters, or mutation finalizers. Extension code can call provided guard
37
+ helpers, but that is part of the extension's trusted implementation. Only load
38
+ extensions you trust as local code.
@@ -0,0 +1,94 @@
1
+ ---
2
+ description: Run the repo-bughunt read-only review workflow and persist a single-domain report
3
+ ---
4
+
5
+ Mode: read-only review. This command runs only the bundled `repo-bughunt` leaf
6
+ workflow, reads back its result, and persists one report artifact under
7
+ `.repo-review/runs/`. Use the `repo-review-command-protocol` skill for the
8
+ shared wrapper steps; this file supplies the bughunt-specific args, workflow
9
+ name, result fields, and report filename.
10
+ Canonical references: `workflow_list({ format: "json" })` is the
11
+ machine-readable workflow discovery surface; tool mutability and safe readback
12
+ are in `docs/workflow-plugin.md#workflow-tool-reference`; raw run artifact
13
+ handling is in the README source-of-truth section.
14
+
15
+ ## 1. Bughunt Args
16
+
17
+ Validate `$ARGUMENTS` before touching `workflow_run`.
18
+
19
+ - If `$ARGUMENTS` is empty, default to the engine's thorough read-only review:
20
+
21
+ ```json
22
+ {}
23
+ ```
24
+
25
+ - If `$ARGUMENTS` is non-empty, it MUST parse as valid JSON and resolve to a
26
+ plain object. If it fails to parse, or parses to a string, number, boolean,
27
+ array, or null, STOP before `workflow_run` and report the argument error.
28
+ - If present, `depth` MUST be one of `quick`, `normal`, or `thorough`.
29
+ - Optional recognized keys: `paths`, `exclude`, `categories`,
30
+ `maxReturnFindings`, `recon`. Pass through only what the user supplied.
31
+
32
+ Carry the validated object forward as `args`.
33
+
34
+ ## 2. Models
35
+
36
+ Follow the `workflow-model-tiering` skill before invoking `workflow_run`: call
37
+ `workflow_models`, map `fast` (recon + finders) and `deep` (skeptics) to concrete
38
+ models inside the invoking session family, and confirm with the user only when
39
+ the plan deviates from that family. Pass `modelTiers: { fast, deep }`.
40
+
41
+ ## 3. Run, Read, Persist
42
+
43
+ Invoke the bundled workflow by name only, never by file path:
44
+ `workflow_run({ name: "repo-bughunt", args, modelTiers, format: "json" })`.
45
+
46
+ ```json
47
+ {
48
+ "name": "repo-bughunt",
49
+ "args": "<the validated args object from step 1>",
50
+ "modelTiers": { "fast": "<fast model>", "deep": "<deep model>" },
51
+ "format": "json"
52
+ }
53
+ ```
54
+
55
+ Use `workflow_run` for launch. If it returns a preview, report `.approvalHash`,
56
+ `.authority.profile` (`read-only-review`), and `.modelPlan`, then re-run with
57
+ `approve: true` and the matching `approvalHash`. If configured autoApprove
58
+ launches immediately, report the `runId` and status from that first call.
59
+
60
+ After terminal status, read the redacted envelope with:
61
+
62
+ ```json
63
+ { "runId": "<the run id>", "detail": "result" }
64
+ ```
65
+
66
+ That is `workflow_status({ runId, detail: "result" })`. The leaf envelope is at
67
+ `.result.output`: `status`, `summary`, `counts`, `findings`,
68
+ `truncatedFindings`, and `reportMarkdown`.
69
+
70
+ Persist exactly one report:
71
+
72
+ - Directory: `mkdir -p .repo-review/runs`
73
+ - File: `.repo-review/runs/<run-id>-bughunt-report.md`
74
+ - Preferred: write `.result.output.reportMarkdown` when present.
75
+ - Fallback: when `reportMarkdown` is null or omitted for size, synthesize a short
76
+ fallback summary from returned `summary`, `counts`, and `findings` only. State
77
+ that full `reportMarkdown` was omitted for size / 256 KiB cap and do not invent
78
+ findings outside the returned subset.
79
+ - Footer: `Report-only - nothing applied.`
80
+
81
+ ## 4. Boundary
82
+
83
+ This command is report-only. Avoid `materialize`, `beads-drain`,
84
+ `workflow_apply`, any `git` write, and any `bd` create/update/close/claim. The
85
+ ONLY allowed workspace write is the local
86
+ `.repo-review/runs/<run-id>-bughunt-report.md` report artifact. `.repo-review/`
87
+ is gitignored; do not stage or commit it.
88
+
89
+ ## 5. Report Back
90
+
91
+ Report the validated args, model plan, `approvalHash` when a preview was shown,
92
+ `runId`, terminal status, envelope `status`/`summary`/`counts`, whether
93
+ `reportMarkdown` was present or the size-fallback summary was rendered,
94
+ `truncatedFindings`, and the absolute report path.
@@ -0,0 +1,148 @@
1
+ ---
2
+ description: Run the repo-review exhaustive read-only review workflow and persist the merged eight-domain report
3
+ ---
4
+
5
+ Mode: read-only review. This command runs the bundled `repo-review` META
6
+ workflow over the eight repo-* leaf domains, reads back the unified result, and
7
+ persists one merged report artifact under `.repo-review/runs/`. Use the
8
+ `repo-review-command-protocol` skill for the shared wrapper steps; this file
9
+ supplies the meta-specific args, no-fast-model policy, merged-result fields, and
10
+ materialization offer rule. It is distinct from `/repo-bughunt`, which runs only
11
+ the bughunt leaf.
12
+ Canonical references: `workflow_list({ format: "json" })` is the
13
+ machine-readable workflow discovery surface; tool mutability and safe readback
14
+ are in `docs/workflow-plugin.md#workflow-tool-reference`; raw run artifact
15
+ handling is in the README source-of-truth section.
16
+
17
+ ## 1. Meta Args
18
+
19
+ Validate `$ARGUMENTS` before touching `workflow_run`.
20
+
21
+ - If `$ARGUMENTS` is empty, default to an exhaustive full-suite review:
22
+
23
+ ```json
24
+ { "mode": "exhaustive" }
25
+ ```
26
+
27
+ - If `$ARGUMENTS` is non-empty, it MUST parse as valid JSON and resolve to a
28
+ plain object. If it fails to parse, or parses to a string, number, boolean,
29
+ array, or null, STOP before `workflow_run` and report the argument error.
30
+ - `mode` is `exhaustive` (default) or `bounded`. Exhaustive uses `depth:
31
+ "thorough"`, high `maxReturnFindings`, and the coverage auditor lane. Bounded
32
+ uses the legacy normal-depth pass.
33
+ - `depth` is `quick`, `normal`, or `thorough` when supplied.
34
+ - Optional recognized keys: `domains`, `paths`, `exclude`, `maxReturnFindings`,
35
+ `batchSize`, `recon`, `maxDirs`, `deepMode`.
36
+ - `deepMode` may select `audited-shell` when the caller explicitly wants the
37
+ command-scoped shell inspection mode and the required gates are verified.
38
+ - `domains` may name any subset of `bughunt`, `security`, `test-gaps`,
39
+ `cleanup`, `modernize`, `perf`, `complexity`, `deps`, or their `repo-*` leaf
40
+ names. Unknown domains are rejected rather than falling back to all domains.
41
+
42
+ Carry the validated object forward as `args`.
43
+
44
+ ## 2. Resolve Model Tiers - NO FAST MODELS
45
+
46
+ Follow `workflow-model-tiering` to enumerate available models, but this command
47
+ NEVER selects a fast model. The meta's `fast` and `deep` labels are lane intent
48
+ markers, not permission to pick a low-quality model. Resolve one high-quality
49
+ deep model inside the session family and map both tiers to the same deep model:
50
+
51
+ ```json
52
+ {
53
+ "modelTiers": {
54
+ "fast": "<the deep model>",
55
+ "deep": "<the deep model>"
56
+ }
57
+ }
58
+ ```
59
+
60
+ If the selected model deviates from the session family, confirm explicitly before
61
+ launch. Do NOT set `maxCost` or `maxTokens`; exhaustive mode spares no expense.
62
+
63
+ ## 3. Run, Read, Persist
64
+
65
+ Invoke the bundled workflow by name only, never by file path:
66
+ `workflow_run({ name: "repo-review", args, modelTiers, format: "json" })`.
67
+
68
+ ```json
69
+ {
70
+ "name": "repo-review",
71
+ "args": "<the validated args object from step 1>",
72
+ "modelTiers": { "fast": "<deep model>", "deep": "<deep model>" },
73
+ "format": "json"
74
+ }
75
+ ```
76
+
77
+ Use `workflow_run` for launch. If it returns a preview, report `.approvalHash`,
78
+ `.authority.profile` (`read-only-review`), and `.modelPlan`, then re-run with
79
+ `approve: true` and the matching `approvalHash`. If configured autoApprove
80
+ launches immediately, report the `runId` and status from that first call. The
81
+ meta never edits, commits, or writes files; nested leaves share the parent
82
+ `maxAgents:100000, concurrency:16` budget. Each leaf's OWN declared `maxAgents`
83
+ and `concurrency` are ignored at runtime under the meta run.
84
+
85
+ After terminal status, read the redacted envelope with:
86
+
87
+ ```json
88
+ { "runId": "<the run id>", "detail": "result" }
89
+ ```
90
+
91
+ That is `workflow_status({ runId, detail: "result" })`. The merged envelope is
92
+ at `.result.output` and includes `domain: "repo-review"`, `status`, `summary`,
93
+ `counts`, ranked `findings`, `truncatedFindings`, `reportMarkdown`,
94
+ `leafOutcomes`, `partialCoverage`, `artifactPaths.reportMarkdownPath`,
95
+ `materializationReady`, `materializationBlockers`, `coverageGrade`,
96
+ `coverageAdvisories`, `coverageAudit`, and `artifactPaths.findingsJson`.
97
+
98
+ Persist exactly one report:
99
+
100
+ - Directory: `mkdir -p .repo-review/runs`
101
+ - File: `.repo-review/runs/<run-id>-repo-review-report.md`
102
+ - Preferred: read `artifactPaths.reportMarkdownPath` and use that full ranked cross-domain markdown report.
103
+ - Fallback: if `reportMarkdown` is non-null, treat it as a bounded
104
+ preview/fallback body.
105
+ - Fallback: when `reportMarkdown` is null or omitted for size, synthesize a short
106
+ fallback summary from returned `summary`, `counts`, `leafOutcomes`, and
107
+ `findings` only. State that full `reportMarkdown` was omitted for size /
108
+ 256 KiB cap and do not invent findings outside the returned subset.
109
+ - Footer: `Report-only - nothing applied.`
110
+
111
+ ## 4. Coverage And Materialization
112
+
113
+ Report `leafOutcomes` and `partialCoverage` so the user sees which domains
114
+ completed or failed. Report materialization readiness separately:
115
+ `materializationReady`, `materializationBlockers`, `coverageGrade`,
116
+ `coverageAdvisories`, and `coverageAudit`.
117
+
118
+ If `materializationReady` is true and there is at least one finding, first
119
+ confirm the Beads extension has contributed `/review-materialize` in the command
120
+ registry. If that command is absent, report that the command is unavailable and
121
+ do not offer an unavailable action. If available, offer the user the option of
122
+ creating a duplicate-aware Beads epic via separately approved
123
+ `/review-materialize` with the completed review's `runId`. The materialization
124
+ tool validates `domain: "repo-review"`, consumes `artifactPaths.findingsJson`,
125
+ passes the full findings through its `findingsPath` handoff, and derives its
126
+ default program label from review-time provenance rather than current `HEAD`.
127
+
128
+ If `materializationReady` is false, list every blocker and state that
129
+ materialization is blocked. Do not proceed.
130
+
131
+ ## 5. Boundary
132
+
133
+ This command is report-only. It must never run `materialize`, `beads-drain`,
134
+ `workflow_apply`, any `git` write, or any `bd` create/update/close/claim. The
135
+ ONLY allowed workspace write is the local
136
+ `.repo-review/runs/<run-id>-repo-review-report.md` report artifact. The
137
+ materialization item above is a question to the user, not a mutation from this
138
+ command. `.repo-review/` is gitignored; do not stage or commit it.
139
+
140
+ ## 6. Report Back
141
+
142
+ Report the validated args including `mode`, model plan confirming both tiers
143
+ resolved to the same deep model - no fast model, `approvalHash` when a preview
144
+ was shown, `runId`, terminal status, envelope `status`/`summary`/`counts`,
145
+ `leafOutcomes`, `partialCoverage`, `materializationReady`,
146
+ `materializationBlockers`, `coverageGrade`, `coverageAudit`, whether the full
147
+ artifact, bounded `reportMarkdown` preview/fallback, or size-fallback summary
148
+ was used, `truncatedFindings`, and the absolute report path.
@@ -0,0 +1,143 @@
1
+ ---
2
+ description: Run the opt-in active-runtime workflow live-gate release check
3
+ ---
4
+
5
+ Run the active-runtime workflow live-gate release check only because the user explicitly invoked this command or otherwise approved token/worktree side effects.
6
+ Canonical references: live-gate behavior is summarized in the README live-gates
7
+ section, and `workflow_live_gates` mutability/approval requirements are listed in
8
+ `docs/workflow-plugin.md#workflow-tool-reference`.
9
+
10
+ Before running probes, state these side effects briefly:
11
+
12
+ - Session probes can spend model tokens.
13
+ - The concurrency-capacity probe launches `concurrencyProbeLimit` child prompts at once; keep the limit modest unless the user approved a larger burst.
14
+ - Worktree probes can create and remove throwaway worktrees.
15
+ - Background and notification probes can schedule asynchronous OpenCode work.
16
+ - Plugin or command changes require restarting OpenCode before this check reflects them.
17
+
18
+ Then call `workflow_live_gates` with every behavioral probe enabled and `format: "json"`:
19
+
20
+ ```json
21
+ {
22
+ "format": "json",
23
+ "approvalIntent": "probe",
24
+ "probePermissionEnforcement": true,
25
+ "probeDeniedBash": true,
26
+ "probeCommandScopedBash": true,
27
+ "probeSecretReadDeny": true,
28
+ "probeStructuredOutput": true,
29
+ "probeWorktreeApi": true,
30
+ "probeDirectoryRooting": true,
31
+ "probeWorktreeEditIsolation": true,
32
+ "probeIntegrationWorktreeIsolation": true,
33
+ "probeBackgroundContinuation": true,
34
+ "probeConcurrencyCapacity": true,
35
+ "concurrencyProbeLimit": 16,
36
+ "probeCancellation": true,
37
+ "probeWorkflowNotification": true
38
+ }
39
+ ```
40
+
41
+ Report the raw JSON evidence in the transcript or point to the exact saved evidence location if the output is too large.
42
+
43
+ Readiness is reported per capability tier, not as a single all-gates verdict,
44
+ because the non-dry `beads-drain` profile (`drain-autonomous-local`) uses
45
+ integration-worktree isolation and does not require the native edit-mode
46
+ worktree gates. Conflating the tiers overblocks valid Beads readiness.
47
+
48
+ ## Full / native edit-mode readiness
49
+
50
+ All gates verified. Required for `edit-plan-only` and any workflow that edits through the
51
+ native worktree API.
52
+
53
+ Pass criteria:
54
+
55
+ - `configured` is `true`.
56
+ - `verified` is `true`.
57
+ - Every entry in `gates` has `state: "verified"` and `verified: true`, including
58
+ `worktreeApi` and `worktreeEditIsolation`.
59
+
60
+ If any gate is `blocked`, `available-unverified`, or `failed-with-evidence`, do not claim
61
+ full/native edit-mode release readiness. Report `[release-gate:blocked]` with the tier
62
+ (`full-edit`), the non-verified gate names, and evidence.
63
+
64
+ ## Non-dry beads-drain readiness
65
+
66
+ Only the Beads-required gate subset must be verified. This subset mirrors
67
+ `NON_DRY_DRAIN_REQUIRED_GATES` in `workflow-kernel/authority-policy.js`:
68
+
69
+ - `permissionEnforcement`
70
+ - `commandScopedBash`
71
+ - `secretReadDeny`
72
+ - `structuredOutput`
73
+ - `directoryRooting`
74
+ - `integrationWorktreeIsolation`
75
+ - `cancellation`
76
+
77
+ The native worktree gates `worktreeApi` and `worktreeEditIsolation` are NOT required for
78
+ non-dry Beads readiness, because Beads profiles use integration-worktree isolation instead.
79
+ `backgroundContinuation` and `workflowNotification` are also not in the Beads subset.
80
+
81
+ Pass criteria for non-dry Beads readiness:
82
+
83
+ - `configured` is `true`.
84
+ - Every gate listed in the Beads subset above has `state: "verified"` and `verified: true`.
85
+
86
+ If a Beads-subset gate is `blocked`, `available-unverified`, or `failed-with-evidence`, do
87
+ not claim non-dry beads-drain release readiness. Report `[release-gate:blocked]` with the
88
+ tier (`beads-non-dry`), only the non-verified Beads-subset gate names, and evidence. Do not
89
+ include native worktree gates in the Beads blocked message.
90
+
91
+ A `[release-gate:blocked]` for `full-edit` does NOT imply Beads is blocked, and a
92
+ `[release-gate:blocked]` for `beads-non-dry` does NOT imply full/native edit is blocked.
93
+
94
+ ## Evidence-strength caveat (do not overclaim permission or rooting gates)
95
+
96
+ A verified gate is not always equivalent to directly-observed target behavior. Each
97
+ verified gate carries an `evidenceStrength` field:
98
+
99
+ - `observed` — the probe directly observed the target behavior (a denied tool part,
100
+ denial text, a thrown denial, a successful create/remove, a completed sentinel read,
101
+ etc.). Strong evidence.
102
+ - `no-attempt-fallback` — the probe observed no tool attempt at all (the denied tool
103
+ appears hidden/unavailable) and verified only that retained deny rules held and no
104
+ successful tool call occurred. This is a compatibility path for runtimes that hide
105
+ fully-denied tools, not behavioral enforcement proof. Used only by
106
+ `permissionEnforcement`.
107
+ - `model-text-only` — the probe observed only model-reported text matching the expected
108
+ value, without a deterministic tool result. Historically used by `directoryRooting` when
109
+ the child echoed the assigned directory but did not perform (or did not expose) the
110
+ sentinel read tool call. The model can echo a directory without being rooted there, so
111
+ this is not equivalent to an observed tool-anchored rooting proof. As of the R31 fix
112
+ (`directoryRooting`) and the integration-worktree rooting hardening
113
+ (`integrationWorktreeIsolation`), neither gate PRODUCES this strength anymore: a text-only
114
+ echo is reported as `available-unverified` (verified=false), so the required rooting
115
+ authority cannot be satisfied without a completed `read` tool part returning unique
116
+ on-disk sentinel content. The strength is retained for the down-ranker's scope lock.
117
+ - `in-process-smoke` — the probe verified only in-process event-loop yield and did not
118
+ exercise the OpenCode background subsystem. Used by `backgroundContinuation`. Restart
119
+ survival is not implied; production background continuation across OpenCode restart is
120
+ out of scope for this gate.
121
+
122
+ `commandScopedBash` and `secretReadDeny` stay strict: they do not use the
123
+ `no-attempt-fallback` and report `blocked` when no tool attempt is observable.
124
+
125
+ Before claiming non-dry readiness, inspect each verified gate's `evidenceStrength`:
126
+
127
+ - If every required gate is `observed`, the readiness verdict above holds as-is.
128
+ - If `permissionEnforcement` is `no-attempt-fallback`, do NOT claim equivalence to an
129
+ observed denial. Report `[release-gate:weak-evidence]` with the gate name and state
130
+ that the hidden/no-attempt fallback was accepted only if an explicit policy/operator
131
+ decision confirms this runtime hides fully-denied tools by design. Without that
132
+ explicit acceptance, treat the gate as not-yet-proven and do not advance to a non-dry
133
+ release verdict.
134
+ - If `directoryRooting` or `integrationWorktreeIsolation` is `available-unverified` with
135
+ "model-reported cwd text" evidence, do NOT claim deterministic runtime/tool rooting
136
+ evidence. The child echoed the target directory without a completed sentinel `read`, so
137
+ rooting is unproven. Report `[release-gate:weak-evidence]` and request a runtime/tool-
138
+ anchored sentinel read before advancing to a non-dry release verdict. (Pre-fix these
139
+ gates could return `verified` with `evidenceStrength:"model-text-only"`; both now
140
+ downgrade a text-only echo to `available-unverified`.)
141
+ - `backgroundContinuation` is always `in-process-smoke` in this build. Treat its
142
+ `verified` state as proof of in-process continuation only and never as restart
143
+ survival. Restart-surviving background execution is out of scope.