@pellux/goodvibes-agent 0.1.43 → 0.1.45

package/CHANGELOG.md

@@ -2,6 +2,14 @@
 
 All notable changes to GoodVibes Agent will be recorded here.
 
+## 0.1.45 - 2026-05-31
+
+- 0aa4b3e Add daemon route risk approval review
+
+## 0.1.44 - 2026-05-31
+
+- fdee09e Add daemon capability gap report
+
 ## 0.1.43 - 2026-05-31
 
 - 3afba9c Add daemon route risk coverage

package/README.md

@@ -17,6 +17,8 @@ goodvibes-agent --help
 goodvibes-agent status
 goodvibes-agent capabilities
 goodvibes-agent capabilities daemon
+goodvibes-agent capabilities daemon gaps
+goodvibes-agent capabilities daemon risk
 ```
 
 If Bun reports untrusted lifecycle dependencies, trust only the package and dependencies required by this package:
@@ -45,7 +47,7 @@ bun run publish:check
 
 Inside the Agent TUI, use `/agent`, `/home`, or `/operator` to open the operator workspace. It is the Agent-first fullscreen surface for setup, status, live daemon capability coverage, knowledge, local memory/skills, work-plan/approval review, automation observability, and explicit build delegation to GoodVibes TUI.
 
-Use `goodvibes-agent capabilities` or `/capabilities` to inspect the OpenClaw/Hermes benchmark, current Agent posture, configuration commands, usage paths, and remaining gaps. Use `goodvibes-agent capabilities daemon` or `/capabilities daemon` for a live read-only audit of the GoodVibes daemon method catalog, route risk posture, and isolated Agent Knowledge route coverage.
+Use `goodvibes-agent capabilities` or `/capabilities` to inspect the OpenClaw/Hermes benchmark, current Agent posture, configuration commands, usage paths, and remaining gaps. Use `goodvibes-agent capabilities daemon` or `/capabilities daemon` for a live read-only audit of the GoodVibes daemon method catalog, route risk posture, and isolated Agent Knowledge route coverage. Use `goodvibes-agent capabilities daemon gaps` or `/capabilities daemon gaps` to turn that live daemon audit into a prioritized gap plan that separates missing daemon routes from Agent UX work. Use `goodvibes-agent capabilities daemon risk` or `/approval risk` for route-risk-aware approval posture without mutating approval state.
 
 Inside the workspace, use `/agent-profile guide` to author custom profile starters without leaving the Agent TUI. The guided flow lists starters, exports starter JSON, imports edited local starters, and creates isolated runtime profiles from them.
 
@@ -87,9 +89,11 @@ To verify what the running daemon can expose for the Agent/OpenClaw/Hermes capab
 ```sh
 goodvibes-agent capabilities daemon
 goodvibes-agent capabilities daemon --json
+goodvibes-agent capabilities daemon gaps
+goodvibes-agent capabilities daemon risk
 ```
 
-This audit checks `/api/control-plane/methods` and `/api/goodvibes-agent/knowledge/status`. It does not query default Knowledge/Wiki or HomeGraph.
+This audit checks `/api/control-plane/methods` and `/api/goodvibes-agent/knowledge/status`. The gap plan and route-risk review are derived from the same read-only calls. None of these commands query default Knowledge/Wiki or HomeGraph.
 
 Agent intentionally blocks daemon lifecycle commands:
 

package/docs/operator-capability-benchmark.md

@@ -17,6 +17,8 @@ goodvibes-agent capabilities --json
 goodvibes-agent capabilities hermes
 goodvibes-agent capabilities daemon
 goodvibes-agent capabilities daemon --json
+goodvibes-agent capabilities daemon gaps
+goodvibes-agent capabilities daemon risk
 goodvibes-agent capabilities daemon knowledge
 ```
 
@@ -27,6 +29,8 @@ Inside the TUI:
 /capabilities openclaw
 /capabilities knowledge
 /capabilities daemon
+/capabilities daemon gaps
+/approval risk
 ```
 
 ## Research Baseline
@@ -56,7 +60,7 @@ The benchmark measures two different GoodVibes layers:
 
 If the daemon already has a route but Agent lacks a good setup/workspace/CLI surface, the gap is treated as an Agent product gap rather than a missing platform capability.
 
-Use `goodvibes-agent capabilities daemon` for the live read-only daemon audit. It checks the public control-plane method catalog, route risk posture, and the isolated Agent Knowledge status route. It intentionally does not call default `/api/knowledge/*`, HomeGraph, or Home Assistant routes.
+Use `goodvibes-agent capabilities daemon` for the live read-only daemon audit. It checks the public control-plane method catalog, route risk posture, and the isolated Agent Knowledge status route. Use `goodvibes-agent capabilities daemon gaps` to convert that daemon-measured audit into a prioritized gap plan with `version_mismatch`, `agent_route_missing`, `required_method_missing`, `route_risk_review`, and `agent_ux_gap` rows. Use `goodvibes-agent capabilities daemon risk` or `/approval risk` for a route-risk-aware approval-center view over read-only, mutating, dangerous, and authenticated route metadata. These commands intentionally avoid default `/api/knowledge/*`, HomeGraph, and Home Assistant routes.
 
 ## Capability Targets
 
@@ -78,7 +82,7 @@ Use `goodvibes-agent capabilities daemon` for the live read-only daemon audit. I
 
 GoodVibes Agent should exceed OpenClaw/Hermes by making these properties true from day one:
 
-- Capability surfaces are discoverable through `goodvibes-agent capabilities`, `goodvibes-agent capabilities daemon`, `/capabilities`, `/capabilities daemon`, onboarding, and the operator workspace.
+- Capability surfaces are discoverable through `goodvibes-agent capabilities`, `goodvibes-agent capabilities daemon`, `goodvibes-agent capabilities daemon gaps`, `goodvibes-agent capabilities daemon risk`, `/capabilities`, `/capabilities daemon`, `/approval risk`, onboarding, and the operator workspace.
 - Agent Knowledge isolation is a release gate, not a convention.
 - Routine-to-schedule promotion preserves Agent Knowledge isolation, uses only public external daemon schedule routes, supports explicit delivery targets, and stores redacted receipts.
 - Model-visible tools are policy-gated for serial, non-secret, non-destructive use.
@@ -94,5 +98,5 @@ GoodVibes Agent should exceed OpenClaw/Hermes by making these properties true fr
 - Artifact and multimodal Agent Knowledge ingestion when the isolated Agent route accepts artifact-backed media.
 - Deeper live run/delivery history and delivery error surfacing for promoted routines.
 - Delegation receipts and artifact review inside the operator workspace.
-- Approval center with route risk labels and saved policy presets.
+- Saved policy presets for the route-risk-aware approval center.
 - Intent-gated tool exposure so the model sees fewer irrelevant tools per turn while retaining broad capability coverage.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pellux/goodvibes-agent",
-  "version": "0.1.43",
+  "version": "0.1.45",
   "private": false,
   "description": "Near-fork GoodVibes operator assistant with the GoodVibes TUI shell, renderer, input, fullscreen workspace, and daemon-connected Agent product brain.",
   "type": "module",

package/src/cli/capabilities-command.ts

@@ -6,21 +6,39 @@ import {
   renderOperatorCapabilityBenchmark,
 } from '../operator/capability-benchmark.ts';
 import {
+  buildDaemonCapabilityGapReport,
+  buildDaemonCapabilityRouteRiskReport,
   fetchLiveDaemonCapabilityAudit,
   filterDaemonCapabilityAuditAreas,
+  filterDaemonCapabilityGaps,
+  filterDaemonCapabilityRouteRiskAreas,
   renderDaemonCapabilityAudit,
   renderDaemonCapabilityFailure,
+  renderDaemonCapabilityGaps,
+  renderDaemonCapabilityRouteRisk,
 } from '../operator/daemon-capability-audit.ts';
 import { resolveAgentDaemonConnection } from '../agent/routine-schedule-promotion.ts';
 
 interface CapabilityCommandArgs {
-  readonly mode: 'benchmark' | 'daemon';
+  readonly mode: 'benchmark' | 'daemon' | 'daemon-gaps' | 'daemon-risk';
   readonly query: string | undefined;
 }
 
 function readCapabilityArgs(args: readonly string[]): CapabilityCommandArgs {
   const values = args.filter((arg) => !arg.startsWith('--'));
+  if (values[0] === 'gaps') {
+    const query = values.slice(1).join(' ').trim();
+    return { mode: 'daemon-gaps', query: query.length > 0 ? query : undefined };
+  }
   if (values[0] === 'daemon') {
+    if (values[1] === 'gaps') {
+      const query = values.slice(2).join(' ').trim();
+      return { mode: 'daemon-gaps', query: query.length > 0 ? query : undefined };
+    }
+    if (values[1] === 'risk' || values[1] === 'route-risk') {
+      const query = values.slice(2).join(' ').trim();
+      return { mode: 'daemon-risk', query: query.length > 0 ? query : undefined };
+    }
     const query = values.slice(1).join(' ').trim();
     return { mode: 'daemon', query: query.length > 0 ? query : undefined };
   }
@@ -48,6 +66,46 @@ export async function handleCapabilitiesCommand(runtime: CliCommandRuntime): Pro
       exitCode: 0,
     };
   }
+  if (args.mode === 'daemon-gaps') {
+    const connection = resolveAgentDaemonConnection(runtime.configManager, runtime.homeDirectory);
+    const audit = await fetchLiveDaemonCapabilityAudit(connection);
+    if (!audit.ok) {
+      return {
+        output: runtime.cli.flags.outputFormat === 'json'
+          ? JSON.stringify(audit, null, 2)
+          : renderDaemonCapabilityFailure(audit),
+        exitCode: audit.kind === 'auth_required' || audit.kind === 'daemon_unavailable' ? 1 : 2,
+      };
+    }
+    const report = buildDaemonCapabilityGapReport(audit);
+    const gaps = filterDaemonCapabilityGaps(report.gaps, args.query);
+    return {
+      output: runtime.cli.flags.outputFormat === 'json'
+        ? JSON.stringify({ ...report, matchedGapCount: gaps.length, gaps }, null, 2)
+        : renderDaemonCapabilityGaps(report, gaps),
+      exitCode: 0,
+    };
+  }
+  if (args.mode === 'daemon-risk') {
+    const connection = resolveAgentDaemonConnection(runtime.configManager, runtime.homeDirectory);
+    const audit = await fetchLiveDaemonCapabilityAudit(connection);
+    if (!audit.ok) {
+      return {
+        output: runtime.cli.flags.outputFormat === 'json'
+          ? JSON.stringify(audit, null, 2)
+          : renderDaemonCapabilityFailure(audit),
+        exitCode: audit.kind === 'auth_required' || audit.kind === 'daemon_unavailable' ? 1 : 2,
+      };
+    }
+    const report = buildDaemonCapabilityRouteRiskReport(audit);
+    const areas = filterDaemonCapabilityRouteRiskAreas(report.areas, args.query);
+    return {
+      output: runtime.cli.flags.outputFormat === 'json'
+        ? JSON.stringify({ ...report, matchedAreaCount: areas.length, areas }, null, 2)
+        : renderDaemonCapabilityRouteRisk(report, areas),
+      exitCode: 0,
+    };
+  }
   const report = buildOperatorCapabilityBenchmarkReport();
   const capabilities = filterOperatorCapabilities(report.capabilities, args.query);
   if (runtime.cli.flags.outputFormat === 'json') {

package/src/cli/help.ts

@@ -103,6 +103,8 @@ export function renderGoodVibesHelp(binary = 'goodvibes-agent'): string {
     `  ${binary} compat`,
     `  ${binary} capabilities`,
     `  ${binary} capabilities daemon`,
+    `  ${binary} capabilities daemon gaps`,
+    `  ${binary} capabilities daemon risk`,
     `  ${binary} knowledge status`,
     `  ${binary} knowledge ask "What is GoodVibes Agent?"`,
     `  ${binary} ask "What is GoodVibes Agent?"`,
@@ -197,9 +199,9 @@ const COMMAND_HELP: Record<string, CommandHelp> = {
     examples: ['compat', 'compat --json'],
   },
   capabilities: {
-    usage: ['capabilities [openclaw|hermes|query]', 'capabilities daemon [query]', 'capabilities --json'],
-    summary: 'Show the OpenClaw/Hermes capability benchmark, Agent readiness, and live GoodVibes daemon method coverage.',
-    examples: ['capabilities', 'capabilities hermes', 'capabilities daemon', 'capabilities daemon knowledge --json'],
+    usage: ['capabilities [openclaw|hermes|query]', 'capabilities daemon [query]', 'capabilities daemon gaps [query]', 'capabilities daemon risk [query]', 'capabilities --json'],
+    summary: 'Show the OpenClaw/Hermes capability benchmark, Agent readiness, live GoodVibes daemon method coverage, and daemon-measured product gaps.',
+    examples: ['capabilities', 'capabilities hermes', 'capabilities daemon', 'capabilities daemon gaps', 'capabilities daemon risk --json', 'capabilities daemon knowledge --json'],
   },
   knowledge: {
     usage: [

package/src/input/agent-workspace.ts

@@ -489,6 +489,8 @@ export const AGENT_WORKSPACE_CATEGORIES: readonly AgentWorkspaceCategory[] = [
     actions: [
       { id: 'capabilities-benchmark', label: 'Benchmark report', detail: 'Show the OpenClaw/Hermes parity benchmark with Agent posture, setup commands, usage paths, and remaining product gaps.', command: '/capabilities', kind: 'command', safety: 'read-only' },
       { id: 'capabilities-daemon', label: 'Live daemon audit', detail: 'Inspect the public daemon method catalog plus isolated Agent Knowledge route coverage. Does not query default Knowledge/Wiki or HomeGraph.', command: '/capabilities daemon', kind: 'command', safety: 'read-only' },
+      { id: 'capabilities-daemon-gaps', label: 'Daemon gap plan', detail: 'Classify live daemon coverage into platform gaps, Agent route gaps, route-risk reviews, and Agent UX work without querying default Knowledge/Wiki or HomeGraph.', command: '/capabilities daemon gaps', kind: 'command', safety: 'read-only' },
+      { id: 'capabilities-daemon-risk', label: 'Route risk review', detail: 'Inspect daemon read-only, mutating, dangerous, and authenticated route metadata for approval-center planning.', command: '/capabilities daemon risk', kind: 'command', safety: 'read-only' },
       { id: 'capabilities-daemon-knowledge', label: 'Knowledge coverage', detail: 'Filter the live daemon audit to the isolated Agent Knowledge segment.', command: '/capabilities daemon knowledge', kind: 'command', safety: 'read-only' },
       { id: 'capabilities-daemon-channels', label: 'Channel coverage', detail: 'Filter the live daemon audit to channel and delivery gateway route coverage.', command: '/capabilities daemon channels', kind: 'command', safety: 'read-only' },
       { id: 'capabilities-daemon-automation', label: 'Automation coverage', detail: 'Filter the live daemon audit to automation, schedule, run, and capacity route coverage.', command: '/capabilities daemon automation', kind: 'command', safety: 'read-only' },
@@ -580,6 +582,7 @@ export const AGENT_WORKSPACE_CATEGORIES: readonly AgentWorkspaceCategory[] = [
       { id: 'workplan', label: 'Open work plan', detail: 'Open the workspace-scoped work plan panel.', command: '/workplan panel', kind: 'command', safety: 'read-only' },
       { id: 'workplan-list', label: 'List work plan', detail: 'Print a concise work plan summary.', command: '/workplan list', kind: 'command', safety: 'read-only' },
       { id: 'approvals', label: 'Review approvals', detail: 'Open/read approval posture. This workspace does not approve or deny requests.', command: '/approval open', kind: 'command', safety: 'read-only' },
+      { id: 'approval-risk', label: 'Route risk review', detail: 'Inspect daemon route risk and dangerous method metadata without approving, denying, or mutating requests.', command: '/approval risk', kind: 'command', safety: 'read-only' },
     ],
   },
   {

package/src/input/commands/capabilities-runtime.ts

@@ -5,10 +5,16 @@ import {
   OPERATOR_CAPABILITY_BENCHMARKS,
 } from '../../operator/capability-benchmark.ts';
 import {
+  buildDaemonCapabilityGapReport,
+  buildDaemonCapabilityRouteRiskReport,
   fetchLiveDaemonCapabilityAudit,
   filterDaemonCapabilityAuditAreas,
+  filterDaemonCapabilityGaps,
+  filterDaemonCapabilityRouteRiskAreas,
   renderDaemonCapabilityAudit,
   renderDaemonCapabilityFailure,
+  renderDaemonCapabilityGaps,
+  renderDaemonCapabilityRouteRisk,
 } from '../../operator/daemon-capability-audit.ts';
 import { resolveAgentDaemonConnection } from '../../agent/routine-schedule-promotion.ts';
 
@@ -17,7 +23,7 @@ export function registerCapabilitiesRuntimeCommands(registry: CommandRegistry):
     name: 'capabilities',
     aliases: ['caps', 'benchmark'],
     description: 'Show the OpenClaw/Hermes capability benchmark, Agent readiness, and live daemon coverage',
-    usage: '[daemon|openclaw|hermes|query]',
+    usage: '[daemon|gaps|openclaw|hermes|query]',
     async handler(args, ctx) {
       if (args[0] === 'daemon') {
         const homeDirectory = ctx.platform.configManager.getHomeDirectory() ?? process.cwd();
@@ -27,11 +33,39 @@ export function registerCapabilitiesRuntimeCommands(registry: CommandRegistry):
           ctx.print(renderDaemonCapabilityFailure(audit));
           return;
         }
+        if (args[1] === 'gaps') {
+          const report = buildDaemonCapabilityGapReport(audit);
+          const query = args.slice(2).join(' ').trim() || undefined;
+          const gaps = filterDaemonCapabilityGaps(report.gaps, query);
+          ctx.print(renderDaemonCapabilityGaps(report, gaps));
+          return;
+        }
+        if (args[1] === 'risk' || args[1] === 'route-risk') {
+          const report = buildDaemonCapabilityRouteRiskReport(audit);
+          const query = args.slice(2).join(' ').trim() || undefined;
+          const areas = filterDaemonCapabilityRouteRiskAreas(report.areas, query);
+          ctx.print(renderDaemonCapabilityRouteRisk(report, areas));
+          return;
+        }
         const query = args.slice(1).join(' ').trim() || undefined;
         const areas = filterDaemonCapabilityAuditAreas(audit.areas, query);
         ctx.print(renderDaemonCapabilityAudit(audit, areas));
         return;
       }
+      if (args[0] === 'gaps') {
+        const homeDirectory = ctx.platform.configManager.getHomeDirectory() ?? process.cwd();
+        const connection = resolveAgentDaemonConnection(ctx.platform.configManager, homeDirectory);
+        const audit = await fetchLiveDaemonCapabilityAudit(connection);
+        if (!audit.ok) {
+          ctx.print(renderDaemonCapabilityFailure(audit));
+          return;
+        }
+        const report = buildDaemonCapabilityGapReport(audit);
+        const query = args.slice(1).join(' ').trim() || undefined;
+        const gaps = filterDaemonCapabilityGaps(report.gaps, query);
+        ctx.print(renderDaemonCapabilityGaps(report, gaps));
+        return;
+      }
       const query = args.join(' ').trim() || undefined;
       const capabilities = filterOperatorCapabilities(OPERATOR_CAPABILITY_BENCHMARKS, query);
       ctx.print(renderOperatorCapabilityBenchmark(capabilities));

package/src/input/commands/experience-runtime.ts

@@ -3,6 +3,14 @@ import { dirname, resolve } from 'node:path';
 import type { CommandRegistry } from '../command-registry.ts';
 import { requirePanelManager, requireShellPaths } from './runtime-services.ts';
 import { requireYesFlag, stripYesFlag } from './confirmation.ts';
+import { resolveAgentDaemonConnection } from '../../agent/routine-schedule-promotion.ts';
+import {
+  buildDaemonCapabilityRouteRiskReport,
+  fetchLiveDaemonCapabilityAudit,
+  filterDaemonCapabilityRouteRiskAreas,
+  renderDaemonCapabilityFailure,
+  renderDaemonCapabilityRouteRisk,
+} from '../../operator/daemon-capability-audit.ts';
 
 interface VoiceBundle {
   readonly version: 1;
@@ -178,8 +186,8 @@ export function registerExperienceRuntimeCommands(registry: CommandRegistry): vo
     name: 'approval',
     aliases: ['approvals'],
     description: 'Review action-specific approval classes and the specialized security UX matrix',
-    usage: '[matrix|review <kind>]',
-    handler(args, ctx) {
+    usage: '[matrix|risk|review <kind>]',
+    async handler(args, ctx) {
       const sub = (args[0] ?? 'matrix').toLowerCase();
       if (sub === 'open' || sub === 'panel') {
         if (ctx.showPanel) ctx.showPanel('approval');
@@ -205,9 +213,25 @@ export function registerExperienceRuntimeCommands(registry: CommandRegistry): vo
         ctx.print([
           'Approval Matrix',
           ...matrix.map(([kind, summary]) => `  ${kind.padEnd(10)} ${summary}`),
+          '',
+          'Live daemon route risk: /approval risk',
         ].join('\n'));
         return;
       }
+      if (sub === 'risk' || sub === 'route-risk') {
+        const shellPaths = requireShellPaths(ctx);
+        const connection = resolveAgentDaemonConnection(ctx.platform.configManager, shellPaths.homeDirectory);
+        const audit = await fetchLiveDaemonCapabilityAudit(connection);
+        if (!audit.ok) {
+          ctx.print(renderDaemonCapabilityFailure(audit));
+          return;
+        }
+        const report = buildDaemonCapabilityRouteRiskReport(audit);
+        const query = args.slice(1).join(' ').trim() || undefined;
+        const areas = filterDaemonCapabilityRouteRiskAreas(report.areas, query);
+        ctx.print(renderDaemonCapabilityRouteRisk(report, areas));
+        return;
+      }
       if (sub === 'review') {
         const kind = (args[1] ?? '').toLowerCase();
         const entry = matrix.find(([id]) => id === kind);
@@ -222,7 +246,7 @@ export function registerExperienceRuntimeCommands(registry: CommandRegistry): vo
         ].join('\n'));
         return;
       }
-      ctx.print('Usage: /approval [open|matrix|review <kind>]');
+      ctx.print('Usage: /approval [open|matrix|risk|review <kind>]');
     },
   });
 

package/src/operator/daemon-capability-audit.ts

@@ -15,6 +15,13 @@ export type DaemonCapabilityAuditFailureKind =
 
 export type DaemonCapabilityCoverage = 'ready' | 'partial' | 'missing';
 export type DaemonCapabilityRouteCoverage = 'ready' | 'missing' | 'not_checked';
+export type DaemonCapabilityGapKind =
+  | 'version_mismatch'
+  | 'agent_route_missing'
+  | 'required_method_missing'
+  | 'route_risk_review'
+  | 'agent_ux_gap';
+export type DaemonCapabilityGapSeverity = 'blocker' | 'high' | 'medium' | 'low';
 
 export interface DaemonCapabilityRequirement {
   readonly id: string;
@@ -42,6 +49,9 @@ export interface DaemonCapabilityAuditArea {
     readonly coverage: DaemonCapabilityRouteCoverage;
   }[];
   readonly routeRisk: {
+    readonly readOnlyMethodIds: readonly string[];
+    readonly mutatingMethodIds: readonly string[];
+    readonly authenticatedMethodIds: readonly string[];
     readonly readOnlyMethodCount: number;
     readonly mutatingMethodCount: number;
     readonly authenticatedMethodCount: number;
@@ -67,6 +77,64 @@ export interface DaemonCapabilityAuditSuccess {
   readonly areas: readonly DaemonCapabilityAuditArea[];
 }
 
+export interface DaemonCapabilityGap {
+  readonly id: string;
+  readonly kind: DaemonCapabilityGapKind;
+  readonly severity: DaemonCapabilityGapSeverity;
+  readonly areaId?: string;
+  readonly title: string;
+  readonly detail: string;
+  readonly action: string;
+}
+
+export interface DaemonCapabilityGapReport {
+  readonly ok: true;
+  readonly kind: 'daemon.capabilities.gaps';
+  readonly baseUrl: string;
+  readonly daemonVersion: string;
+  readonly expectedSdkVersion: string;
+  readonly daemonCompatible: boolean;
+  readonly methodCatalogRoute: typeof DAEMON_METHOD_CATALOG_ROUTE;
+  readonly agentKnowledgeRoute: typeof AGENT_KNOWLEDGE_STATUS_ROUTE;
+  readonly agentKnowledgeRouteReady: boolean;
+  readonly defaultKnowledgeFallback: false;
+  readonly homeGraphFallback: false;
+  readonly gapCount: number;
+  readonly gaps: readonly DaemonCapabilityGap[];
+}
+
+export interface DaemonCapabilityRouteRiskArea {
+  readonly areaId: string;
+  readonly title: string;
+  readonly coverage: DaemonCapabilityCoverage;
+  readonly readOnlyMethodIds: readonly string[];
+  readonly mutatingMethodIds: readonly string[];
+  readonly authenticatedMethodIds: readonly string[];
+  readonly readOnlyMethodCount: number;
+  readonly mutatingMethodCount: number;
+  readonly authenticatedMethodCount: number;
+  readonly dangerousMethodIds: readonly string[];
+}
+
+export interface DaemonCapabilityRouteRiskReport {
+  readonly ok: true;
+  readonly kind: 'daemon.capabilities.route_risk';
+  readonly baseUrl: string;
+  readonly daemonVersion: string;
+  readonly expectedSdkVersion: string;
+  readonly daemonCompatible: boolean;
+  readonly methodCatalogRoute: typeof DAEMON_METHOD_CATALOG_ROUTE;
+  readonly agentKnowledgeRoute: typeof AGENT_KNOWLEDGE_STATUS_ROUTE;
+  readonly agentKnowledgeRouteReady: boolean;
+  readonly defaultKnowledgeFallback: false;
+  readonly homeGraphFallback: false;
+  readonly totalReadOnlyMethodCount: number;
+  readonly totalMutatingMethodCount: number;
+  readonly totalAuthenticatedMethodCount: number;
+  readonly totalDangerousMethodCount: number;
+  readonly areas: readonly DaemonCapabilityRouteRiskArea[];
+}
+
 export interface DaemonCapabilityAuditFailure {
   readonly ok: false;
   readonly kind: DaemonCapabilityAuditFailureKind;
@@ -419,15 +487,17 @@ export function buildDaemonCapabilityAuditAreas(
       const method = methodsById.get(methodId);
       return method ? [method] : [];
     });
-    const readOnlyMethodCount = areaMethods.filter((method) => {
+    const readOnlyMethodIds = areaMethods.filter((method) => {
       const verb = method.http?.method?.toUpperCase();
       return verb === 'GET' || verb === 'HEAD';
-    }).length;
-    const mutatingMethodCount = areaMethods.filter((method) => {
+    }).map((method) => method.id);
+    const mutatingMethodIds = areaMethods.filter((method) => {
       const verb = method.http?.method?.toUpperCase();
       return Boolean(verb) && verb !== 'GET' && verb !== 'HEAD';
-    }).length;
-    const authenticatedMethodCount = areaMethods.filter((method) => method.access === 'authenticated').length;
+    }).map((method) => method.id);
+    const authenticatedMethodIds = areaMethods
+      .filter((method) => method.access === 'authenticated')
+      .map((method) => method.id);
     const dangerousMethodIds = areaMethods
       .filter((method) => method.dangerous === true)
       .map((method) => method.id);
@@ -451,9 +521,12 @@ export function buildDaemonCapabilityAuditAreas(
       missingOptionalMethodIds,
       agentRoutes,
       routeRisk: {
-        readOnlyMethodCount,
-        mutatingMethodCount,
-        authenticatedMethodCount,
+        readOnlyMethodIds,
+        mutatingMethodIds,
+        authenticatedMethodIds,
+        readOnlyMethodCount: readOnlyMethodIds.length,
+        mutatingMethodCount: mutatingMethodIds.length,
+        authenticatedMethodCount: authenticatedMethodIds.length,
         dangerousMethodIds,
       },
       next: requirement.next,
@@ -531,6 +604,259 @@ export function filterDaemonCapabilityAuditAreas(
   });
 }
 
+function gapToken(value: string): string {
+  return value
+    .toLowerCase()
+    .replace(/[^a-z0-9]+/g, '-')
+    .replace(/^-+|-+$/g, '')
+    || 'gap';
+}
+
+function gapSeverityRank(severity: DaemonCapabilityGapSeverity): number {
+  if (severity === 'blocker') return 0;
+  if (severity === 'high') return 1;
+  if (severity === 'medium') return 2;
+  return 3;
+}
+
+function sortCapabilityGaps(gaps: readonly DaemonCapabilityGap[]): readonly DaemonCapabilityGap[] {
+  return [...gaps].sort((left, right) => {
+    const severityDelta = gapSeverityRank(left.severity) - gapSeverityRank(right.severity);
+    if (severityDelta !== 0) return severityDelta;
+    return left.id.localeCompare(right.id);
+  });
+}
+
+export function buildDaemonCapabilityGapReport(
+  audit: DaemonCapabilityAuditSuccess,
+  areas: readonly DaemonCapabilityAuditArea[] = audit.areas,
+): DaemonCapabilityGapReport {
+  const gaps: DaemonCapabilityGap[] = [];
+
+  if (!audit.daemonCompatible) {
+    gaps.push({
+      id: 'daemon-version-mismatch',
+      kind: 'version_mismatch',
+      severity: audit.agentKnowledgeRouteReady ? 'high' : 'blocker',
+      title: 'Daemon SDK version does not match Agent SDK pin',
+      detail: `Agent expects ${audit.expectedSdkVersion}; daemon reports ${audit.daemonVersion}.`,
+      action: 'Update/restart the externally owned GoodVibes daemon before release validation; Agent will not start it.',
+    });
+  }
+
+  for (const area of areas) {
+    if (area.missingRequiredMethodIds.length > 0) {
+      gaps.push({
+        id: `${area.id}-missing-required-methods`,
+        kind: 'required_method_missing',
+        severity: 'high',
+        areaId: area.id,
+        title: `${area.title} missing required daemon methods`,
+        detail: area.missingRequiredMethodIds.join(', '),
+        action: 'Keep the Agent surface read-only or blocked for this area until the public daemon route contract is present.',
+      });
+    }
+
+    for (const route of area.agentRoutes) {
+      if (route.coverage !== 'missing') continue;
+      gaps.push({
+        id: `${area.id}-missing-${gapToken(route.route)}`,
+        kind: 'agent_route_missing',
+        severity: route.route === AGENT_KNOWLEDGE_STATUS_ROUTE ? 'blocker' : 'high',
+        areaId: area.id,
+        title: `${area.title} missing Agent route`,
+        detail: route.route,
+        action: 'Fail closed for this product segment. Do not query default Knowledge/Wiki, HomeGraph, or Home Assistant routes.',
+      });
+    }
+
+    if (area.routeRisk.dangerousMethodIds.length > 0) {
+      gaps.push({
+        id: `${area.id}-dangerous-route-review`,
+        kind: 'route_risk_review',
+        severity: 'medium',
+        areaId: area.id,
+        title: `${area.title} has dangerous daemon routes`,
+        detail: area.routeRisk.dangerousMethodIds.join(', '),
+        action: 'Keep these routes behind exact commands, confirmation, and concise approval UX; never trigger them from ordinary chat.',
+      });
+    }
+
+    for (const next of area.next) {
+      gaps.push({
+        id: `${area.id}-agent-ux-${gapToken(next)}`,
+        kind: 'agent_ux_gap',
+        severity: area.coverage === 'ready' ? 'medium' : 'low',
+        areaId: area.id,
+        title: `${area.title} Agent UX gap`,
+        detail: next,
+        action: 'Build a first-class Agent workspace, command, or setup flow on top of the existing daemon capability.',
+      });
+    }
+  }
+
+  const sortedGaps = sortCapabilityGaps(gaps);
+  return {
+    ok: true,
+    kind: 'daemon.capabilities.gaps',
+    baseUrl: audit.baseUrl,
+    daemonVersion: audit.daemonVersion,
+    expectedSdkVersion: audit.expectedSdkVersion,
+    daemonCompatible: audit.daemonCompatible,
+    methodCatalogRoute: audit.methodCatalogRoute,
+    agentKnowledgeRoute: audit.agentKnowledgeRoute,
+    agentKnowledgeRouteReady: audit.agentKnowledgeRouteReady,
+    defaultKnowledgeFallback: false,
+    homeGraphFallback: false,
+    gapCount: sortedGaps.length,
+    gaps: sortedGaps,
+  };
+}
+
+export function filterDaemonCapabilityGaps(
+  gaps: readonly DaemonCapabilityGap[],
+  query: string | undefined,
+): readonly DaemonCapabilityGap[] {
+  const normalized = query?.trim().toLowerCase();
+  if (!normalized) return gaps;
+  return gaps.filter((gap) => {
+    return gap.id.includes(normalized)
+      || gap.kind.includes(normalized)
+      || gap.severity.includes(normalized)
+      || gap.title.toLowerCase().includes(normalized)
+      || gap.detail.toLowerCase().includes(normalized)
+      || gap.action.toLowerCase().includes(normalized)
+      || Boolean(gap.areaId?.includes(normalized));
+  });
+}
+
+export function renderDaemonCapabilityGaps(
+  report: DaemonCapabilityGapReport,
+  gaps: readonly DaemonCapabilityGap[] = report.gaps,
+): string {
+  const lines: string[] = [
+    'GoodVibes daemon capability gaps',
+    `  daemon: ${report.baseUrl}`,
+    `  SDK: Agent expects ${report.expectedSdkVersion}; daemon reports ${report.daemonVersion}`,
+    `  compatibility: ${report.daemonCompatible ? 'matched' : 'mismatch'}`,
+    `  Agent Knowledge: ${report.agentKnowledgeRouteReady ? 'ready' : 'missing'} ${report.agentKnowledgeRoute}`,
+    '  isolation: default Knowledge/Wiki fallback no; HomeGraph fallback no',
+    `  gaps: ${gaps.length}/${report.gapCount}`,
+    '',
+  ];
+
+  if (gaps.length === 0) {
+    lines.push('No daemon capability gaps matched this query.');
+    return lines.join('\n');
+  }
+
+  for (const gap of gaps) {
+    lines.push(`${gap.title} [${gap.severity}; ${gap.kind}]`);
+    if (gap.areaId) lines.push(`  area: ${gap.areaId}`);
+    lines.push(`  detail: ${gap.detail}`);
+    lines.push(`  action: ${gap.action}`);
+    lines.push('');
+  }
+
+  return lines.join('\n').trimEnd();
+}
+
+export function buildDaemonCapabilityRouteRiskReport(
+  audit: DaemonCapabilityAuditSuccess,
+  areas: readonly DaemonCapabilityAuditArea[] = audit.areas,
+): DaemonCapabilityRouteRiskReport {
+  const riskAreas = areas.map((area): DaemonCapabilityRouteRiskArea => ({
+    areaId: area.id,
+    title: area.title,
+    coverage: area.coverage,
+    readOnlyMethodIds: area.routeRisk.readOnlyMethodIds,
+    mutatingMethodIds: area.routeRisk.mutatingMethodIds,
+    authenticatedMethodIds: area.routeRisk.authenticatedMethodIds,
+    readOnlyMethodCount: area.routeRisk.readOnlyMethodCount,
+    mutatingMethodCount: area.routeRisk.mutatingMethodCount,
+    authenticatedMethodCount: area.routeRisk.authenticatedMethodCount,
+    dangerousMethodIds: area.routeRisk.dangerousMethodIds,
+  }));
+  const readOnlyMethodIds = new Set(riskAreas.flatMap((area) => area.readOnlyMethodIds));
+  const mutatingMethodIds = new Set(riskAreas.flatMap((area) => area.mutatingMethodIds));
+  const authenticatedMethodIds = new Set(riskAreas.flatMap((area) => area.authenticatedMethodIds));
+  const dangerousMethodIds = new Set(riskAreas.flatMap((area) => area.dangerousMethodIds));
+
+  return {
+    ok: true,
+    kind: 'daemon.capabilities.route_risk',
+    baseUrl: audit.baseUrl,
+    daemonVersion: audit.daemonVersion,
+    expectedSdkVersion: audit.expectedSdkVersion,
+    daemonCompatible: audit.daemonCompatible,
+    methodCatalogRoute: audit.methodCatalogRoute,
+    agentKnowledgeRoute: audit.agentKnowledgeRoute,
+    agentKnowledgeRouteReady: audit.agentKnowledgeRouteReady,
+    defaultKnowledgeFallback: false,
+    homeGraphFallback: false,
+    totalReadOnlyMethodCount: readOnlyMethodIds.size,
+    totalMutatingMethodCount: mutatingMethodIds.size,
+    totalAuthenticatedMethodCount: authenticatedMethodIds.size,
+    totalDangerousMethodCount: dangerousMethodIds.size,
+    areas: riskAreas,
+  };
+}
+
+export function filterDaemonCapabilityRouteRiskAreas(
+  areas: readonly DaemonCapabilityRouteRiskArea[],
+  query: string | undefined,
+): readonly DaemonCapabilityRouteRiskArea[] {
+  const normalized = query?.trim().toLowerCase();
+  if (!normalized) return areas;
+  return areas.filter((area) => {
+    return area.areaId.includes(normalized)
+      || area.title.toLowerCase().includes(normalized)
+      || area.coverage.includes(normalized)
+      || area.dangerousMethodIds.some((methodId) => methodId.includes(normalized));
+  });
+}
+
+export function renderDaemonCapabilityRouteRisk(
+  report: DaemonCapabilityRouteRiskReport,
+  areas: readonly DaemonCapabilityRouteRiskArea[] = report.areas,
+): string {
+  const lines: string[] = [
+    'GoodVibes daemon route risk review',
+    `  daemon: ${report.baseUrl}`,
+    `  SDK: Agent expects ${report.expectedSdkVersion}; daemon reports ${report.daemonVersion}`,
+    `  compatibility: ${report.daemonCompatible ? 'matched' : 'mismatch'}`,
+    `  method catalog: ${report.methodCatalogRoute}`,
+    `  Agent Knowledge: ${report.agentKnowledgeRouteReady ? 'ready' : 'missing'} ${report.agentKnowledgeRoute}`,
+    '  isolation: default Knowledge/Wiki fallback no; HomeGraph fallback no',
+    `  totals: ${report.totalReadOnlyMethodCount} read-only; ${report.totalMutatingMethodCount} mutating; ${report.totalDangerousMethodCount} dangerous; ${report.totalAuthenticatedMethodCount} authenticated`,
+    '  policy: exact command plus confirmation for side effects; ordinary chat never triggers mutating routes',
+    '',
+  ];
+
+  const visibleAreas = areas.filter((area) => {
+    return area.readOnlyMethodCount > 0
+      || area.mutatingMethodCount > 0
+      || area.authenticatedMethodCount > 0
+      || area.dangerousMethodIds.length > 0;
+  });
+  if (visibleAreas.length === 0) {
+    lines.push('No route risk metadata matched this query.');
+    return lines.join('\n');
+  }
+
+  for (const area of visibleAreas) {
+    lines.push(`${area.title} [${area.coverage}]`);
+    lines.push(`  methods: ${area.readOnlyMethodCount} read-only; ${area.mutatingMethodCount} mutating; ${area.dangerousMethodIds.length} dangerous; ${area.authenticatedMethodCount} authenticated`);
+    if (area.dangerousMethodIds.length > 0) {
+      lines.push(`  dangerous methods: ${area.dangerousMethodIds.join(', ')}`);
+    }
+    lines.push('  approval posture: read-only by default; exact command and confirmation required for side effects.');
+    lines.push('');
+  }
+
+  return lines.join('\n').trimEnd();
+}
+
 export function renderDaemonCapabilityAudit(
   audit: DaemonCapabilityAuditSuccess,
   areas: readonly DaemonCapabilityAuditArea[] = audit.areas,

package/src/version.ts

@@ -6,7 +6,7 @@ import { join } from 'node:path';
 // The prebuild script updates the fallback value before compilation.
 // Uses import.meta.dir (Bun) to locate package.json relative to this file,
 // which is correct regardless of the process working directory.
-let _version = '0.1.43';
+let _version = '0.1.45';
 let _sdkVersion = '0.33.35';
 try {
   const pkg = JSON.parse(readFileSync(join(import.meta.dir, '..', 'package.json'), 'utf-8')) as {