@mediadatafusion/pi-workflow-suite 0.0.9 → 0.0.11

package/config/prompts/mission-review-prompt.md

@@ -0,0 +1,42 @@
+CRITICAL: Call workflow_review_result as your FIRST action in this turn. Do not output any text, analysis, or diagrams before the tool call. After the tool executes and returns, include a workflow_diagram to visualize your review findings (architecture concerns, risk flow, or recommendation path) with concise prose. Place the diagram inline -- not batched at the end.
+
+---
+description: Review the mission milestone plan before approval and execution
+---
+
+You are in PI MISSION MODE REVIEWER MODE.
+
+Use read-only tools only. Do not edit, write, or run bash. Review the Mission milestone plan before Mission approval and execution. Reviewer is not validation. Reviewer checks whether the mission plan is safe, complete, properly scoped, and has validation-ready milestones before executor work begins.
+
+Review checklist:
+- Milestones are parser-safe, ordered, and scoped to the mission goal.
+- Each milestone has clear objective, steps, acceptance criteria, required evidence, and risks.
+- The mission plan does not authorize destructive, secret, auth/session/log/runtime-state, database, deployment, push, or out-of-scope work without explicit approval.
+- Validation strategy is strong enough for per-milestone validation and optional final comprehensive validation.
+- Autonomy and pause/continue behavior are safe for the mission scope.
+- Any repair recommendation must revise the mission plan only; do not execute.
+
+Output exactly:
+# Review Report
+## Verdict
+PASS — plan is complete, safe, scoped correctly, and ready for approval.
+NOTES — plan is acceptable but has non-blocking observations for the executor.
+NEEDS REPAIR — plan has concrete gaps that should be repaired before approval (missing requirements, unclear milestones, insufficient validation).
+FAIL — plan has serious issues that block safe execution (missing safety constraints, out-of-scope work, broken dependencies).
+BLOCKED — plan cannot proceed without external resolution (missing credentials, unavailable services, blocked dependencies).
+
+Verdict criteria:
+- PASS only when: no repairable issues remain and the plan is ready for approval.
+- NOTES when: plan is sound but has minor observations the executor should consider.
+- NEEDS REPAIR when: milestones lack acceptance criteria, validation plan is weak, scope is unclear, or concrete missing requirements are identified.
+- FAIL when: plan authorizes destructive/secret/auth/database/deploy/push work without explicit approval, or safety constraints are absent.
+- BLOCKED when: plan requires unavailable resources or external dependencies that cannot be resolved by repair.
+## Reason
+## Mission Plan Coverage
+## Milestone Quality
+## Validation Plan Review
+## Safety And Scope Review
+## Missing Requirements
+## Repairable Plan Issues
+## Regression Risks
+## Recommended Next Action

package/config/prompts/validate-approved-plan.md

@@ -13,9 +13,10 @@ Use validation sub-agents aggressively for independent checks, regression review
 
 Verdict rules:
 - PASS only when the approved plan is fully satisfied with no blocking unresolved risk.
-- PARTIAL PASS when implementation appears plan-compliant but manual/visual/browser verification remains or evidence is incomplete without a concrete code defect.
-- FAIL only for concrete missing requirements, unexpected changes, regressions, broken checks, or unsafe/out-of-scope work that needs repair.
-- Manual visual-verification caveats alone are not repairable code failures; recommend manual QA/revalidation instead of repair.
+- FAIL when concrete missing requirements, unexpected changes, regressions, broken checks, unsafe/out-of-scope work, or concrete code/content/citation/source/file/metadata/artifact fixes remain.
+- PARTIAL PASS is only for manual/visual/browser verification caveats or evidence gaps without a concrete repairable issue.
+- Manual visual-verification caveats alone are not repairable failures; recommend manual QA/revalidation instead of repair.
+- If concrete repairable issues remain in code, content, citations, sources, generated files, indexes, metadata, artifacts, or validation artifacts, mark Concrete Repairable Issue: yes, list them clearly under Missing Requirements or Recommended Next Action, and prefer FAIL over PARTIAL PASS.
 - Evidence gaps are not repairable defects unless a concrete missing requirement or artifact is identified.
 
 Mermaid diagrams are rendered by Workflow Suite in a uniform dark-mode visual style. For user-facing workflows, export/share paths, request lifecycles, architecture, data flow, multi-step sequences, state transitions, dependencies, validation flow, or implementation phases, prefer a meaningful Mermaid diagram plus concise prose. Use concise labels and the right diagram type; do not hardcode random style/classDef/light-theme overrides unless the user explicitly asks. Skip diagrams for trivial responses.

package/config/prompts/workflow-reviewer-prompt.md

@@ -0,0 +1,44 @@
+CRITICAL: Call workflow_review_result as your FIRST action in this turn. Do not output any text, analysis, or diagrams before the tool call. After the tool executes and returns, include a workflow_diagram to visualize your review findings (architecture concerns, risk flow, or recommendation path) with concise prose. Place the diagram inline -- not batched at the end.
+
+---
+description: Review the approved plan before execution
+---
+
+You are in PI WORKFLOW REVIEWER MODE.
+
+Use read-only tools only. Do not edit, write, or run bash. Review the approved plan before execution for scope, risk, missing requirements, and files that should remain untouched.
+
+Reviewer is not validation. Reviewer checks whether the plan or implementation approach is safe, complete, and aligned before execution. Validation checks whether work passes after or during implementation.
+
+Review checklist:
+- Plan scope is clear, bounded, and aligned with the user's request.
+- Implementation steps are ordered correctly with no circular dependencies.
+- Required files are identified and files to avoid are listed.
+- Validation strategy covers all deliverables with concrete acceptance criteria.
+- Risk assessment covers security, data loss, breaking changes, and deployment concerns.
+- The plan does not authorize destructive, secret, auth/session/log/runtime-state, database, deployment, push, or out-of-scope work without explicit approval.
+- Test and build verification is included where applicable.
+
+Output exactly:
+# Reviewer Report
+## Verdict
+PASS — plan is complete, safe, properly scoped, and ready for execution.
+NOTES — plan is sound with non-blocking observations for the executor.
+NEEDS REPAIR — plan has concrete gaps (missing steps, unclear files, weak validation, scope creep, risks not addressed).
+FAIL — plan has serious blockers (safety violations, missing security constraints, broken dependencies, impossible steps).
+BLOCKED — plan cannot proceed without external resolution.
+
+Do not write APPROVED, APPROVE, OK, or PROCEED as the verdict label.
+
+Verdict criteria:
+- PASS only when: all checklist items are satisfied and no repairable issues remain.
+- NOTES when: minor observations exist (suggested file order, additional test ideas, optional improvements).
+- NEEDS REPAIR when: concrete missing requirements, unclear scope boundaries, insufficient validation, or unaddressed risks.
+- FAIL when: safety/security violations, circular dependencies, impossible steps, or work that exceeds approved scope without authorization.
+- BLOCKED when: plan requires unavailable resources or external dependencies that cannot be resolved by repair.
+## Reason
+## Scope Risks
+## Missing Information
+## Files To Be Careful With
+## Required Plan Revisions
+## Recommended Execution Notes

package/extensions/subagent/index.ts

@@ -15,7 +15,7 @@
  * Uses JSON mode to capture structured output from subagents.
  */
 
-import { spawn } from "node:child_process";
+import { execFileSync, spawn } from "node:child_process";
 import { createRequire } from "node:module";
 import * as fs from "node:fs";
 import * as os from "node:os";
@@ -109,6 +109,42 @@ class SafeContainer {
 const MAX_PARALLEL_TASKS = 8;
 const MAX_CONCURRENCY = 4;
 const COLLAPSED_ITEM_COUNT = 10;
+const REPOLOCK_GUARD_EXTENSION = path.join(path.dirname(new URL(import.meta.url).pathname), "repolock-guard.ts");
+
+function safeRealpath(candidate: string): string {
+	try {
+		return fs.realpathSync(candidate);
+	} catch {
+		return candidate;
+	}
+}
+
+function pathInsideRoot(candidate: string, root: string): boolean {
+	return candidate === root || candidate.startsWith(`${root}${path.sep}`);
+}
+
+function resolveSubagentCwd(candidate: string | undefined, defaultCwd: string): string {
+	return safeRealpath(path.resolve(defaultCwd, candidate || "."));
+}
+
+function repoRootForCwd(cwd: string): string {
+	try {
+		const root = execFileSync("git", ["rev-parse", "--show-toplevel"], { cwd, encoding: "utf8", stdio: ["ignore", "pipe", "ignore"] }).trim();
+		return safeRealpath(root || cwd);
+	} catch {
+		return safeRealpath(cwd);
+	}
+}
+
+function repoLockRootForSubagent(defaultCwd: string, settings: ReturnType<typeof loadWorkflowSettings>): string | undefined {
+	if (process.env.PI_WORKFLOW_REPO_LOCK_ENABLED === "1" && process.env.PI_WORKFLOW_REPO_LOCK_ROOT) return safeRealpath(process.env.PI_WORKFLOW_REPO_LOCK_ROOT);
+	return settings.safety.repoLockEnabled === true ? repoRootForCwd(defaultCwd) : undefined;
+}
+
+function repoLockCwdError(candidate: string | undefined, defaultCwd: string, root: string): string | undefined {
+	const resolved = resolveSubagentCwd(candidate, defaultCwd);
+	return pathInsideRoot(resolved, root) ? undefined : `Repo Lock blocked sub-agent cwd outside current repository: ${resolved} (repo root: ${root})`;
+}
 
 function formatTokens(count: number): string {
 	if (count < 1000) return count.toString();
@@ -345,7 +381,23 @@ async function runSingleAgent(
 		};
 	}
 
-	const args: string[] = ["--no-extensions", "--mode", "json", "-p", "--no-session"];
+	const settings = loadWorkflowSettings(defaultCwd);
+	const lockRoot = repoLockRootForSubagent(defaultCwd, settings);
+	const effectiveCwd = resolveSubagentCwd(cwd, defaultCwd);
+	if (lockRoot && !pathInsideRoot(effectiveCwd, lockRoot)) {
+		return {
+			agent: agentName,
+			agentSource: agent.source,
+			task,
+			exitCode: 1,
+			messages: [],
+			stderr: `Repo Lock blocked sub-agent cwd outside current repository: ${effectiveCwd} (repo root: ${lockRoot})`,
+			usage: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0, cost: 0, contextTokens: 0, turns: 0 },
+			step,
+		};
+	}
+
+	const args: string[] = ["--no-extensions", "--extension", REPOLOCK_GUARD_EXTENSION, "--mode", "json", "-p", "--no-session"];
 	if (agent.model) args.push("--model", agent.model);
 	if (agent.tools && agent.tools.length > 0) args.push("--tools", agent.tools.join(","));
 
@@ -390,13 +442,14 @@ async function runSingleAgent(
 		const exitCode = await new Promise<number>((resolve) => {
 			const invocation = getPiInvocation(args);
 			const proc = spawn(invocation.command, invocation.args, {
-				cwd: cwd ?? defaultCwd,
+				cwd: effectiveCwd,
 				shell: false,
 				stdio: ["ignore", "pipe", "pipe"],
 				env: {
 					...process.env,
 					PI_SUBAGENT_WORKER: "1",
 					PI_SUBAGENT_NAME: agent.name,
+					...(lockRoot ? { PI_WORKFLOW_REPO_LOCK_ENABLED: "1", PI_WORKFLOW_REPO_LOCK_ROOT: lockRoot } : {}),
 				},
 			});
 			let buffer = "";
@@ -562,6 +615,19 @@ export default function (pi: ExtensionAPI) {
 
 		async execute(_toolCallId, params, signal, onUpdate, ctx) {
 			const settings = loadWorkflowSettings(ctx.cwd);
+			const lockRoot = repoLockRootForSubagent(ctx.cwd, settings);
+			if (lockRoot) {
+				const cwdErrors = [params.cwd, ...(params.tasks ?? []).map((task) => task.cwd), ...(params.chain ?? []).map((step) => step.cwd)]
+					.map((cwdValue) => repoLockCwdError(cwdValue, ctx.cwd, lockRoot))
+					.filter((error): error is string => Boolean(error));
+				if (cwdErrors.length) {
+					return {
+						content: [{ type: "text", text: cwdErrors[0] }],
+						details: { mode: "single", agentScope: params.agentScope ?? "user", projectAgentsDir: null, results: [] },
+						isError: true,
+					};
+				}
+			}
 			const subagentLimits = { timeoutMinutes: settings.subagents.subagentTimeoutMinutes, staleMinutes: settings.subagents.subagentStaleMinutes };
 			if (settings.subagents.requireApprovalBeforeRun === true) {
 				const requested = params.tasks?.length

package/extensions/subagent/repolock-guard.ts

@@ -0,0 +1,111 @@
+import { existsSync, realpathSync } from "node:fs";
+import { isAbsolute, resolve } from "node:path";
+import { getAgentDir, type ExtensionAPI } from "@earendil-works/pi-coding-agent";
+
+const PATH_SCOPED_TOOLS = new Set(["read", "grep", "find", "ls", "edit", "write"]);
+
+function safeRealpath(path: string): string {
+  try {
+    return realpathSync(path);
+  } catch {
+    return path;
+  }
+}
+
+function resolveCandidatePath(pathValue: string, cwd: string): string {
+  const expanded = pathValue === "~" || pathValue.startsWith("~/") ? resolve(process.env.HOME || cwd, pathValue.slice(2)) : pathValue;
+  const resolved = isAbsolute(expanded) ? resolve(expanded) : resolve(cwd, expanded || ".");
+  if (existsSync(resolved)) return safeRealpath(resolved);
+  const existingParent = safeRealpath(resolve(resolved, ".."));
+  return resolve(existingParent, resolved.split(/[\\/]/).pop() || "");
+}
+
+function pathInsideRoot(candidate: string, root: string): boolean {
+  return candidate === root || candidate.startsWith(`${root}/`);
+}
+
+function protectedRepoPath(candidate: string, root: string): boolean {
+  const rel = candidate === root ? "" : candidate.slice(root.length + 1);
+  return rel === ".pi" || rel.startsWith(".pi/");
+}
+
+function piRuntimeInstructionPath(candidate: string): boolean {
+  const root = safeRealpath(getAgentDir());
+  if (!pathInsideRoot(candidate, root)) return false;
+  const rel = candidate === root ? "" : candidate.slice(root.length + 1);
+  return rel === "skills" || rel.startsWith("skills/")
+    || rel === "agents" || rel.startsWith("agents/")
+    || rel === "config/prompts" || rel.startsWith("config/prompts/")
+    || rel === "prompts" || rel.startsWith("prompts/")
+    || rel === "themes" || rel.startsWith("themes/");
+}
+
+function repoLockPathBlock(pathValue: unknown, cwd: string, tool: string): string | undefined {
+  if (process.env.PI_WORKFLOW_REPO_LOCK_ENABLED !== "1") return undefined;
+  const root = safeRealpath(process.env.PI_WORKFLOW_REPO_LOCK_ROOT || cwd);
+  const candidate = resolveCandidatePath(typeof pathValue === "string" && pathValue.trim() ? pathValue.trim() : ".", cwd);
+  if (!pathInsideRoot(candidate, root)) {
+    if ((tool === "read" || tool === "grep" || tool === "find" || tool === "ls") && piRuntimeInstructionPath(candidate)) return undefined;
+    return `Repo Lock blocked sub-agent path outside current repository: ${candidate} (repo root: ${root})`;
+  }
+  if ((tool === "edit" || tool === "write") && protectedRepoPath(candidate, root)) return `Repo Lock blocked sub-agent ${tool} for protected project control path: ${candidate}`;
+  return undefined;
+}
+
+function stripHereDocBodies(command: string): string {
+  const lines = command.split("\n");
+  const kept: string[] = [];
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    kept.push(line);
+    const match = line.match(/<<[-]?\s*['\"]?([A-Za-z_][A-Za-z0-9_]*)['\"]?/);
+    if (!match) continue;
+    const marker = match[1];
+    i++;
+    while (i < lines.length && lines[i].trim() !== marker) i++;
+  }
+  return kept.join("\n");
+}
+
+function stripUriTokens(command: string): string {
+  return command.replace(/\b[A-Za-z][A-Za-z0-9+.-]*:\/\/[^\s'"`;&|)]*/g, " ");
+}
+
+function bashPathCandidates(command: string): string[] {
+  const trimmed = stripUriTokens(stripHereDocBodies(command)).trim();
+  if (!trimmed) return [];
+  return Array.from(trimmed.matchAll(/(?:^|[\s=:'"`])((?:\.{1,2}|~|\/)[^\s'"`;&|)]*)/g)).map((match) => match[1]).filter(Boolean);
+}
+
+function repoLockBashBlock(command: string, cwd: string): string | undefined {
+  if (process.env.PI_WORKFLOW_REPO_LOCK_ENABLED !== "1") return undefined;
+  const root = safeRealpath(process.env.PI_WORKFLOW_REPO_LOCK_ROOT || cwd);
+  const candidates = bashPathCandidates(command);
+  for (const raw of candidates) {
+    if (raw === "." || raw === "./" || raw === "/") continue;
+    const cleaned = raw.replace(/[),]+$/, "");
+    if (!cleaned || cleaned.startsWith("./node_modules/.bin")) continue;
+    const candidate = resolveCandidatePath(cleaned, cwd);
+    if (!pathInsideRoot(candidate, root)) return `Repo Lock blocked sub-agent bash path outside current repository: ${cleaned} -> ${candidate} (repo root: ${root})`;
+  }
+  return undefined;
+}
+
+export default function repoLockSubagentGuard(pi: ExtensionAPI): void {
+  pi.on("tool_call", (event, ctx) => {
+    if (PATH_SCOPED_TOOLS.has(event.toolName)) {
+      const reason = repoLockPathBlock((event.input as { path?: unknown; file_path?: unknown }).path ?? (event.input as { file_path?: unknown }).file_path, ctx.cwd, event.toolName);
+      if (reason) return { block: true, reason };
+    }
+    if (event.toolName === "bash") {
+      const command = String((event.input as { command?: unknown }).command ?? "");
+      const reason = repoLockBashBlock(command, ctx.cwd);
+      if (reason) return { block: true, reason };
+    }
+  });
+
+  pi.on("user_bash", (event, ctx) => {
+    const reason = repoLockBashBlock(event.command, ctx.cwd);
+    if (reason) return { result: { output: reason, exitCode: 1, cancelled: false, truncated: false } };
+  });
+}

package/extensions/subagent/runner.ts

@@ -5,12 +5,13 @@
  * sub-agent policy before the main planner/executor/reviewer/validator turn.
  */
 
-import { spawn } from "node:child_process";
+import { execFileSync, spawn } from "node:child_process";
 import * as fs from "node:fs";
 import * as os from "node:os";
 import * as path from "node:path";
 import type { Message } from "@earendil-works/pi-ai";
 import { withFileMutationQueue } from "@earendil-works/pi-coding-agent";
+import { loadWorkflowSettings } from "../workflow-model-router.js";
 import { type AgentConfig, type AgentScope, type AgentSource, discoverAgents } from "./agents.js";
 
 export interface WorkflowSubagentTask {
@@ -60,6 +61,37 @@ export interface WorkflowSubagentRunOptions {
 }
 
 const MAX_CONCURRENCY = 4;
+const REPOLOCK_GUARD_EXTENSION = path.join(path.dirname(new URL(import.meta.url).pathname), "repolock-guard.ts");
+
+function safeRealpath(candidate: string): string {
+  try {
+    return fs.realpathSync(candidate);
+  } catch {
+    return candidate;
+  }
+}
+
+function pathInsideRoot(candidate: string, root: string): boolean {
+  return candidate === root || candidate.startsWith(`${root}${path.sep}`);
+}
+
+function resolveSubagentCwd(candidate: string | undefined, defaultCwd: string): string {
+  return safeRealpath(path.resolve(defaultCwd, candidate || "."));
+}
+
+function repoRootForCwd(cwd: string): string {
+  try {
+    const root = execFileSync("git", ["rev-parse", "--show-toplevel"], { cwd, encoding: "utf8", stdio: ["ignore", "pipe", "ignore"] }).trim();
+    return safeRealpath(root || cwd);
+  } catch {
+    return safeRealpath(cwd);
+  }
+}
+
+function repoLockRootForSubagent(defaultCwd: string): string | undefined {
+  if (process.env.PI_WORKFLOW_REPO_LOCK_ENABLED === "1" && process.env.PI_WORKFLOW_REPO_LOCK_ROOT) return safeRealpath(process.env.PI_WORKFLOW_REPO_LOCK_ROOT);
+  return loadWorkflowSettings(defaultCwd).safety.repoLockEnabled === true ? repoRootForCwd(defaultCwd) : undefined;
+}
 
 function finalOutput(messages: Message[]): string {
   for (let i = messages.length - 1; i >= 0; i--) {
@@ -132,7 +164,22 @@ async function runSingleWorkflowSubagent(
     };
   }
 
-  const args: string[] = ["--no-extensions", "--mode", "json", "-p", "--no-session"];
+  const lockRoot = repoLockRootForSubagent(defaultCwd);
+  const effectiveCwd = resolveSubagentCwd(task.cwd, defaultCwd);
+  if (lockRoot && !pathInsideRoot(effectiveCwd, lockRoot)) {
+    return {
+      agent: task.agent,
+      agentSource: agent.source,
+      agentTools: agent.tools,
+      task: task.task,
+      exitCode: 1,
+      output: "",
+      stderr: `Repo Lock blocked sub-agent cwd outside current repository: ${effectiveCwd} (repo root: ${lockRoot})`,
+      usage: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0, cost: 0, contextTokens: 0, turns: 0 },
+    };
+  }
+
+  const args: string[] = ["--no-extensions", "--extension", REPOLOCK_GUARD_EXTENSION, "--mode", "json", "-p", "--no-session"];
   if (agent.model) args.push("--model", agent.model);
   if (agent.tools && agent.tools.length > 0) args.push("--tools", agent.tools.join(","));
 
@@ -162,13 +209,14 @@ async function runSingleWorkflowSubagent(
     const exitCode = await new Promise<number>((resolve) => {
       const invocation = getPiInvocation(args);
       const proc = spawn(invocation.command, invocation.args, {
-        cwd: task.cwd ?? defaultCwd,
+        cwd: effectiveCwd,
         shell: false,
         stdio: ["ignore", "pipe", "pipe"],
         env: {
           ...process.env,
           PI_SUBAGENT_WORKER: "1",
           PI_SUBAGENT_NAME: agent.name,
+          ...(lockRoot ? { PI_WORKFLOW_REPO_LOCK_ENABLED: "1", PI_WORKFLOW_REPO_LOCK_ROOT: lockRoot } : {}),
         },
       });
       let buffer = "";

package/extensions/workflow-model-router.ts

@@ -106,6 +106,8 @@ export interface WorkflowSettings {
     clarificationQualityGate?: boolean;
     allowClarificationWithoutAnalysis?: boolean;
     useSubagentsBeforeClarification?: boolean;
+    maxTokens?: number;
+    maxRuntimeHours?: number;
   };
   workflow: {
     requirePlanApprovalBeforeExecute: boolean;
@@ -138,6 +140,7 @@ export interface WorkflowSettings {
     planHistoryLimit?: number;
     planProgressEnabled?: boolean;
     planRuntimeEnabled?: boolean;
+    planShowProgressBar?: boolean;
   };
   standard: {
     enabled: boolean;
@@ -160,11 +163,13 @@ export interface WorkflowSettings {
     useStandardSpecificModels?: boolean;
     modelRole?: StandardModelRole;
     models?: Record<WorkflowRole, RoleModelSettings>;
+    maxTokens?: number;
   };
   missions: {
     enabled: boolean;
     defaultAutonomy: MissionAutonomy;
     maxRuntimeHours: number;
+    maxTokens?: number;
     checkpointIntervalMinutes: number;
     requireApprovalForDestructiveActions: boolean;
     requireValidationPerMilestone: boolean;
@@ -214,6 +219,7 @@ export interface WorkflowSettings {
     disableBashInPlanMode: boolean;
     disableBashInValidatorMode: boolean;
     blockDestructiveCommands: boolean;
+    allowPackageInstallInExecution: boolean;
   };
   ui: {
     showWorkflowStatus: boolean;
@@ -242,6 +248,7 @@ export interface WorkflowSettings {
     customBrandEnabled?: boolean;
     customBrandText?: string;
     customBrandBaseVisual?: CustomBrandBaseVisual;
+    debugPlanStepTracking?: boolean;
   };
   subagents: WorkflowSubagentSettings;
   context: {
@@ -365,6 +372,7 @@ const BUILTIN_DEFAULT_WORKFLOW_SETTINGS = {
     "planHistoryLimit": 50,
     "planProgressEnabled": true,
     "planRuntimeEnabled": true,
+    "planShowProgressBar": true,
     "requireApprovalBeforeExecution": true,
     "requireApprovalPerStep": false,
     "validateAfterEachStep": false,
@@ -415,7 +423,8 @@ const BUILTIN_DEFAULT_WORKFLOW_SETTINGS = {
         "model": null,
         "thinkingLevel": "xhigh"
       }
-    }
+    },
+    "maxTokens": 0
   },
   "missions": {
     "enabled": true,
@@ -429,9 +438,9 @@ const BUILTIN_DEFAULT_WORKFLOW_SETTINGS = {
     "autoRunAfterApproval": true,
     "offerReviewerBeforeApprove": false,
     "autoRunReviewerBeforeApprove": false,
-    "autoRepairReviewFailures": false,
-    "reviewRetryMode": "off",
-    "maxReviewRetriesPerMission": 0,
+    "autoRepairReviewFailures": true,
+    "reviewRetryMode": "safe_only",
+    "maxReviewRetriesPerMission": 2,
     "continueAcrossMilestones": true,
     "pauseBetweenMilestones": false,
     "progressWidgetEnabled": true,
@@ -488,13 +497,15 @@ const BUILTIN_DEFAULT_WORKFLOW_SETTINGS = {
     "clarificationTiming": "after_initial_analysis",
     "clarificationQualityGate": true,
     "allowClarificationWithoutAnalysis": false,
-    "useSubagentsBeforeClarification": true
+    "useSubagentsBeforeClarification": true,
+    "maxTokens": 0
   },
   "safety": {
-    "repoLockEnabled": false,
-    "disableBashInPlanMode": true,
+    "repoLockEnabled": true,
+    "disableBashInPlanMode": false,
     "disableBashInValidatorMode": true,
-    "blockDestructiveCommands": true
+    "blockDestructiveCommands": true,
+    "allowPackageInstallInExecution": true
   },
   "ui": {
     "showWorkflowStatus": true,
@@ -522,7 +533,8 @@ const BUILTIN_DEFAULT_WORKFLOW_SETTINGS = {
     "startupVisualOnSessionStart": true,
     "customBrandEnabled": false,
     "customBrandText": "",
-    "customBrandBaseVisual": "mission_control"
+    "customBrandBaseVisual": "mission_control",
+    "debugPlanStepTracking": false
   },
   "shortcuts": {
     "planMode": null
@@ -572,7 +584,9 @@ const BUILTIN_DEFAULT_WORKFLOW_SETTINGS = {
     "clarificationTiming": "after_initial_analysis",
     "clarificationQualityGate": true,
     "allowClarificationWithoutAnalysis": false,
-    "useSubagentsBeforeClarification": true
+    "useSubagentsBeforeClarification": true,
+    "maxTokens": 0,
+    "maxRuntimeHours": 0
   },
   "context": {
     "compactionMode": "pi_default",
@@ -869,7 +883,7 @@ export function builtInWorkflowPresets(): Record<string, WorkflowPresetBundle> {
       displayName: "Simple",
       description: "Fast end-to-end Plan/Mission/Standard workflow with minimal ceremony, automatic validation when work runs, low safe repair retries, and one-worker sub-agent support.",
       planning: { depth: "fast", clarificationMode: "auto", maxClarificationQuestions: 2, interactiveClarificationEnabled: true, clarificationQualityGate: false, useSubagentsBeforeClarification: true },
-      workflow: { offerReviewerBeforeExecute: false, autoRunReviewerBeforeExecute: false, offerValidationAfterExecute: true, autoRunValidationAfterExecute: true, validateAfterExecution: true, requirePlanApprovalBeforeExecute: false, requireApprovalBeforeExecution: false, autoRepairReviewFailures: false, autoRepairValidationFailures: true, reviewRetryMode: "off", validationRetryMode: "safe_only", maxReviewRetriesPerPlan: 0, maxReviewRetriesPerWorkflow: 0, maxValidationRetriesPerPlan: 1, maxValidationRetriesPerWorkflow: 2, pauseAfterReviewFailure: true, pauseAfterValidationFailure: false, planProgressEnabled: true, planRuntimeEnabled: true },
+      workflow: { offerReviewerBeforeExecute: false, autoRunReviewerBeforeExecute: false, offerValidationAfterExecute: true, autoRunValidationAfterExecute: true, validateAfterExecution: true, requirePlanApprovalBeforeExecute: false, requireApprovalBeforeExecution: false, autoRepairReviewFailures: false, autoRepairValidationFailures: true, reviewRetryMode: "off", validationRetryMode: "safe_only", maxReviewRetriesPerPlan: 0, maxReviewRetriesPerWorkflow: 0, maxValidationRetriesPerPlan: 1, maxValidationRetriesPerWorkflow: 2, pauseAfterReviewFailure: true, pauseAfterValidationFailure: false, planProgressEnabled: true, planRuntimeEnabled: true, planShowProgressBar: true },
       standard: { enabled: true, autoTodoEnabled: true, todoProgressVisible: true, todoTriggerMode: "auto", clarificationEnabled: true, clarificationMode: "auto", maxClarificationQuestions: 1, interactiveClarificationEnabled: true, clarificationTiming: "after_initial_analysis", clarificationQualityGate: false, allowClarificationWithoutAnalysis: false, useSubagentsBeforeClarification: false, allowSubagents: true, subagentScope: "user", subagents: { planningPolicy: "forced", executionPolicy: "forced", repairPolicy: "forced", reviewPolicy: "auto", validationPolicy: "forced", autoUseDuringPlanning: true, autoUseDuringExecution: true, autoUseDuringRepair: true, autoUseDuringReview: true, autoUseDuringValidation: true, minPlanningWorkersForDeep: 1, minPlanningWorkersForMaximum: 1, minExecutionWorkersForDeep: 1, minExecutionWorkersForMaximum: 1, minRepairWorkersForDeep: 1, minRepairWorkersForMaximum: 1, minReviewWorkersForDeep: 1, minReviewWorkersForMaximum: 1, minValidationWorkersForDeep: 1, minValidationWorkersForMaximum: 1 }, statusWidgetVisible: true, useSharedExecutorModel: true, useStandardSpecificModels: false, modelRole: "executor" },
       missions: { defaultAutonomy: "approval_gated", requireValidationPerMilestone: true, autoRunAfterApproval: true, continueAcrossMilestones: true, pauseBetweenMilestones: false, clarificationMode: "auto", maxClarificationQuestions: 2, planningDepth: "fast", useSubagentsBeforeClarification: true, autoRepairValidationFailures: true, validationRetryMode: "safe_only", maxValidationRetriesPerMilestone: 1, maxValidationRetriesPerMission: 2, finalValidationEnabled: false, autoRepairFinalValidationFailures: false, maxFinalValidationRetries: 0, subagentPolicy: "forced", minWorkersForDeep: 1, minWorkersForMaximum: 1 },
       subagents: { planningPolicy: "forced", executionPolicy: "forced", repairPolicy: "forced", reviewPolicy: "auto", validationPolicy: "forced", autoUseDuringPlanning: true, autoUseDuringExecution: true, autoUseDuringRepair: true, autoUseDuringReview: true, autoUseDuringValidation: true, minPlanningWorkersForDeep: 1, minPlanningWorkersForMaximum: 1, minExecutionWorkersForDeep: 1, minExecutionWorkersForMaximum: 1, minRepairWorkersForDeep: 1, minRepairWorkersForMaximum: 1, minReviewWorkersForDeep: 1, minReviewWorkersForMaximum: 1, minValidationWorkersForDeep: 1, minValidationWorkersForMaximum: 1 },
@@ -878,7 +892,7 @@ export function builtInWorkflowPresets(): Record<string, WorkflowPresetBundle> {
       displayName: "Standard",
       description: "Default end-to-end workflow with useful clarification, automatic execution/validation after approval, safe repair retries, and balanced worker support.",
       planning: { depth: "standard", clarificationMode: "auto", maxClarificationQuestions: 3, interactiveClarificationEnabled: true, clarificationQualityGate: true, useSubagentsBeforeClarification: true },
-      workflow: { offerReviewerBeforeExecute: false, autoRunReviewerBeforeExecute: false, offerValidationAfterExecute: true, autoRunValidationAfterExecute: true, validateAfterExecution: true, requirePlanApprovalBeforeExecute: false, requireApprovalBeforeExecution: false, autoRepairReviewFailures: true, autoRepairValidationFailures: true, reviewRetryMode: "safe_only", validationRetryMode: "safe_only", maxReviewRetriesPerPlan: 2, maxReviewRetriesPerWorkflow: 4, maxValidationRetriesPerPlan: 2, maxValidationRetriesPerWorkflow: 4, pauseAfterReviewFailure: false, pauseAfterValidationFailure: false, planProgressEnabled: true, planRuntimeEnabled: true },
+      workflow: { offerReviewerBeforeExecute: false, autoRunReviewerBeforeExecute: false, offerValidationAfterExecute: true, autoRunValidationAfterExecute: true, validateAfterExecution: true, requirePlanApprovalBeforeExecute: false, requireApprovalBeforeExecution: false, autoRepairReviewFailures: true, autoRepairValidationFailures: true, reviewRetryMode: "safe_only", validationRetryMode: "safe_only", maxReviewRetriesPerPlan: 2, maxReviewRetriesPerWorkflow: 4, maxValidationRetriesPerPlan: 2, maxValidationRetriesPerWorkflow: 4, pauseAfterReviewFailure: false, pauseAfterValidationFailure: false, planProgressEnabled: true, planRuntimeEnabled: true, planShowProgressBar: true },
       standard: { enabled: true, autoTodoEnabled: true, todoProgressVisible: true, todoTriggerMode: "auto", clarificationEnabled: true, clarificationMode: "auto", maxClarificationQuestions: 1, interactiveClarificationEnabled: true, clarificationTiming: "after_initial_analysis", clarificationQualityGate: true, allowClarificationWithoutAnalysis: false, useSubagentsBeforeClarification: false, allowSubagents: true, subagentScope: "user", subagents: { planningPolicy: "forced", executionPolicy: "forced", repairPolicy: "forced", reviewPolicy: "forced", validationPolicy: "forced", autoUseDuringPlanning: true, autoUseDuringExecution: true, autoUseDuringRepair: true, autoUseDuringReview: true, autoUseDuringValidation: true, minPlanningWorkersForDeep: 1, minPlanningWorkersForMaximum: 1, minExecutionWorkersForDeep: 2, minExecutionWorkersForMaximum: 2, minRepairWorkersForDeep: 2, minRepairWorkersForMaximum: 2, minReviewWorkersForDeep: 2, minReviewWorkersForMaximum: 2, minValidationWorkersForDeep: 2, minValidationWorkersForMaximum: 2 }, statusWidgetVisible: true, useSharedExecutorModel: true, useStandardSpecificModels: false, modelRole: "executor" },
       missions: { defaultAutonomy: "approval_gated", requireValidationPerMilestone: true, autoRunAfterApproval: true, continueAcrossMilestones: true, pauseBetweenMilestones: false, clarificationMode: "auto", maxClarificationQuestions: 3, planningDepth: "standard", useSubagentsBeforeClarification: true, autoRepairValidationFailures: true, validationRetryMode: "safe_only", maxValidationRetriesPerMilestone: 2, maxValidationRetriesPerMission: 6, finalValidationEnabled: false, autoRepairFinalValidationFailures: false, maxFinalValidationRetries: 1, subagentPolicy: "forced", minWorkersForDeep: 1, minWorkersForMaximum: 1 },
       subagents: { planningPolicy: "forced", executionPolicy: "forced", repairPolicy: "forced", reviewPolicy: "forced", validationPolicy: "forced", autoUseDuringPlanning: true, autoUseDuringExecution: true, autoUseDuringRepair: true, autoUseDuringReview: true, autoUseDuringValidation: true, minPlanningWorkersForDeep: 1, minPlanningWorkersForMaximum: 1, minExecutionWorkersForDeep: 2, minExecutionWorkersForMaximum: 2, minRepairWorkersForDeep: 2, minRepairWorkersForMaximum: 2, minReviewWorkersForDeep: 2, minReviewWorkersForMaximum: 2, minValidationWorkersForDeep: 2, minValidationWorkersForMaximum: 2 },
@@ -887,7 +901,7 @@ export function builtInWorkflowPresets(): Record<string, WorkflowPresetBundle> {
       displayName: "Deep",
       description: "Careful end-to-end workflow for risky or codebase-heavy work with stronger clarification, automatic review/validation, final mission validation, and larger worker teams.",
       planning: { depth: "deep", clarificationMode: "always_for_nontrivial", maxClarificationQuestions: 5, interactiveClarificationEnabled: true, clarificationQualityGate: true, useSubagentsBeforeClarification: true },
-      workflow: { offerReviewerBeforeExecute: false, autoRunReviewerBeforeExecute: true, offerValidationAfterExecute: true, autoRunValidationAfterExecute: true, validateAfterExecution: true, requirePlanApprovalBeforeExecute: false, requireApprovalBeforeExecution: false, autoRepairReviewFailures: true, autoRepairValidationFailures: true, reviewRetryMode: "safe_only", validationRetryMode: "safe_only", maxReviewRetriesPerPlan: 3, maxReviewRetriesPerWorkflow: 6, maxValidationRetriesPerPlan: 3, maxValidationRetriesPerWorkflow: 6, pauseAfterReviewFailure: false, pauseAfterValidationFailure: false, planProgressEnabled: true, planRuntimeEnabled: true },
+      workflow: { offerReviewerBeforeExecute: false, autoRunReviewerBeforeExecute: true, offerValidationAfterExecute: true, autoRunValidationAfterExecute: true, validateAfterExecution: true, requirePlanApprovalBeforeExecute: false, requireApprovalBeforeExecution: false, autoRepairReviewFailures: true, autoRepairValidationFailures: true, reviewRetryMode: "safe_only", validationRetryMode: "safe_only", maxReviewRetriesPerPlan: 3, maxReviewRetriesPerWorkflow: 6, maxValidationRetriesPerPlan: 3, maxValidationRetriesPerWorkflow: 6, pauseAfterReviewFailure: false, pauseAfterValidationFailure: false, planProgressEnabled: true, planRuntimeEnabled: true, planShowProgressBar: true },
       standard: { enabled: true, autoTodoEnabled: true, todoProgressVisible: true, todoTriggerMode: "required", clarificationEnabled: true, clarificationMode: "always_for_nontrivial", maxClarificationQuestions: 2, interactiveClarificationEnabled: true, clarificationTiming: "after_initial_analysis", clarificationQualityGate: true, allowClarificationWithoutAnalysis: false, useSubagentsBeforeClarification: true, allowSubagents: true, subagentScope: "user", subagents: { planningPolicy: "forced", executionPolicy: "forced", repairPolicy: "forced", reviewPolicy: "forced", validationPolicy: "forced", autoUseDuringPlanning: true, autoUseDuringExecution: true, autoUseDuringRepair: true, autoUseDuringReview: true, autoUseDuringValidation: true, minPlanningWorkersForDeep: 2, minPlanningWorkersForMaximum: 2, minExecutionWorkersForDeep: 3, minExecutionWorkersForMaximum: 3, minRepairWorkersForDeep: 2, minRepairWorkersForMaximum: 2, minReviewWorkersForDeep: 3, minReviewWorkersForMaximum: 3, minValidationWorkersForDeep: 3, minValidationWorkersForMaximum: 3 }, statusWidgetVisible: true, useSharedExecutorModel: true, useStandardSpecificModels: false, modelRole: "executor" },
       missions: { defaultAutonomy: "approval_gated", requireValidationPerMilestone: true, autoRunAfterApproval: true, continueAcrossMilestones: true, pauseBetweenMilestones: false, clarificationMode: "always_for_nontrivial", maxClarificationQuestions: 5, planningDepth: "deep", useSubagentsBeforeClarification: true, autoRepairValidationFailures: true, validationRetryMode: "safe_only", maxValidationRetriesPerMilestone: 3, maxValidationRetriesPerMission: 8, finalValidationEnabled: true, autoRepairFinalValidationFailures: true, maxFinalValidationRetries: 2, subagentPolicy: "forced", minWorkersForDeep: 3, minWorkersForMaximum: 3 },
       subagents: { planningPolicy: "forced", executionPolicy: "forced", repairPolicy: "forced", reviewPolicy: "forced", validationPolicy: "forced", autoUseDuringPlanning: true, autoUseDuringExecution: true, autoUseDuringRepair: true, autoUseDuringReview: true, autoUseDuringValidation: true, minPlanningWorkersForDeep: 3, minPlanningWorkersForMaximum: 3, minExecutionWorkersForDeep: 3, minExecutionWorkersForMaximum: 3, minRepairWorkersForDeep: 2, minRepairWorkersForMaximum: 2, minReviewWorkersForDeep: 3, minReviewWorkersForMaximum: 3, minValidationWorkersForDeep: 3, minValidationWorkersForMaximum: 3 },
@@ -896,7 +910,7 @@ export function builtInWorkflowPresets(): Record<string, WorkflowPresetBundle> {
       displayName: "Maximum",
       description: "Highest-rigor end-to-end workflow with strongest clarification, automatic review/validation, final mission validation, aggressive in-scope repair, and maximum worker teams.",
       planning: { depth: "maximum", clarificationMode: "always_for_nontrivial", maxClarificationQuestions: 5, interactiveClarificationEnabled: true, clarificationQualityGate: true, useSubagentsBeforeClarification: true },
-      workflow: { offerReviewerBeforeExecute: false, autoRunReviewerBeforeExecute: true, offerValidationAfterExecute: true, autoRunValidationAfterExecute: true, validateAfterExecution: true, requirePlanApprovalBeforeExecute: false, requireApprovalBeforeExecution: false, autoRepairReviewFailures: true, autoRepairValidationFailures: true, reviewRetryMode: "aggressive_within_scope", validationRetryMode: "aggressive_within_scope", maxReviewRetriesPerPlan: 5, maxReviewRetriesPerWorkflow: 8, maxValidationRetriesPerPlan: 5, maxValidationRetriesPerWorkflow: 8, pauseAfterReviewFailure: false, pauseAfterValidationFailure: false, planProgressEnabled: true, planRuntimeEnabled: true },
+      workflow: { offerReviewerBeforeExecute: false, autoRunReviewerBeforeExecute: true, offerValidationAfterExecute: true, autoRunValidationAfterExecute: true, validateAfterExecution: true, requirePlanApprovalBeforeExecute: false, requireApprovalBeforeExecution: false, autoRepairReviewFailures: true, autoRepairValidationFailures: true, reviewRetryMode: "aggressive_within_scope", validationRetryMode: "aggressive_within_scope", maxReviewRetriesPerPlan: 5, maxReviewRetriesPerWorkflow: 8, maxValidationRetriesPerPlan: 5, maxValidationRetriesPerWorkflow: 8, pauseAfterReviewFailure: false, pauseAfterValidationFailure: false, planProgressEnabled: true, planRuntimeEnabled: true, planShowProgressBar: true },
       standard: { enabled: true, autoTodoEnabled: true, todoProgressVisible: true, todoTriggerMode: "required", clarificationEnabled: true, clarificationMode: "always_for_nontrivial", maxClarificationQuestions: 2, interactiveClarificationEnabled: true, clarificationTiming: "after_initial_analysis", clarificationQualityGate: true, allowClarificationWithoutAnalysis: false, useSubagentsBeforeClarification: true, allowSubagents: true, subagentScope: "user", subagents: { planningPolicy: "forced", executionPolicy: "forced", repairPolicy: "forced", reviewPolicy: "forced", validationPolicy: "forced", autoUseDuringPlanning: true, autoUseDuringExecution: true, autoUseDuringRepair: true, autoUseDuringReview: true, autoUseDuringValidation: true, minPlanningWorkersForDeep: 3, minPlanningWorkersForMaximum: 3, minExecutionWorkersForDeep: 4, minExecutionWorkersForMaximum: 4, minRepairWorkersForDeep: 3, minRepairWorkersForMaximum: 3, minReviewWorkersForDeep: 4, minReviewWorkersForMaximum: 4, minValidationWorkersForDeep: 4, minValidationWorkersForMaximum: 4 }, statusWidgetVisible: true, useSharedExecutorModel: true, useStandardSpecificModels: false, modelRole: "executor" },
       missions: { defaultAutonomy: "supervised_auto", requireValidationPerMilestone: true, autoRunAfterApproval: true, continueAcrossMilestones: true, pauseBetweenMilestones: false, clarificationMode: "always_for_nontrivial", maxClarificationQuestions: 6, planningDepth: "maximum", useSubagentsBeforeClarification: true, autoRepairValidationFailures: true, validationRetryMode: "aggressive_within_scope", maxValidationRetriesPerMilestone: 4, maxValidationRetriesPerMission: 12, finalValidationEnabled: true, autoRepairFinalValidationFailures: true, maxFinalValidationRetries: 4, subagentPolicy: "forced", minWorkersForDeep: 4, minWorkersForMaximum: 4 },
       subagents: { planningPolicy: "forced", executionPolicy: "forced", repairPolicy: "forced", reviewPolicy: "forced", validationPolicy: "forced", autoUseDuringPlanning: true, autoUseDuringExecution: true, autoUseDuringRepair: true, autoUseDuringReview: true, autoUseDuringValidation: true, minPlanningWorkersForDeep: 4, minPlanningWorkersForMaximum: 4, minExecutionWorkersForDeep: 4, minExecutionWorkersForMaximum: 4, minRepairWorkersForDeep: 3, minRepairWorkersForMaximum: 3, minReviewWorkersForDeep: 4, minReviewWorkersForMaximum: 4, minValidationWorkersForDeep: 4, minValidationWorkersForMaximum: 4 },