@pourkit/cli 0.0.0-next-20260614002607 → 0.0.0-next-20260614074434

package/dist/cli.js

@@ -58,20 +58,20 @@ function createLogger(name, filePath) {
       );
     },
     async close() {
-      await new Promise((resolve3) => {
+      await new Promise((resolve5) => {
         if (!fileStream) {
-          resolve3();
+          resolve5();
           return;
         }
         const timer = setTimeout(() => {
           if (!fileStream.destroyed) {
             fileStream.destroy();
           }
-          resolve3();
+          resolve5();
         }, 2e3);
         fileStream.end(() => {
           clearTimeout(timer);
-          resolve3();
+          resolve5();
         });
       });
     }
@@ -265,7 +265,7 @@ async function execJson(command, args, options = {}) {
   return JSON.parse(result.stdout);
 }
 function sleep(ms) {
-  return new Promise((resolve3) => setTimeout(resolve3, ms));
+  return new Promise((resolve5) => setTimeout(resolve5, ms));
 }
 async function execCaptureWithRetry(command, args, options = {}) {
   const retries = options.retries ?? 3;
@@ -335,175 +335,37 @@ import { pathToFileURL } from "url";
 import { Command, Option, CommanderError } from "commander";
 
 // shared/config.ts
-import { join } from "path";
-import { z } from "zod";
-var NonEmptyString = z.string().trim().min(1);
+import { readFileSync } from "fs";
+import { fileURLToPath } from "url";
+import { dirname, isAbsolute, join, normalize, sep, resolve } from "path";
+import Ajv from "ajv";
+var __filename = fileURLToPath(import.meta.url);
+var __dirname = dirname(__filename);
+var SCHEMA_PATH = resolve(__dirname, "../schema/pourkit.schema.json");
+var _schema = null;
+var _validate = null;
+var _ajvErrors = null;
+function getValidator() {
+  if (!_validate) {
+    const schema = _schema ?? JSON.parse(readFileSync(SCHEMA_PATH, "utf-8"));
+    _schema = schema;
+    const ajv = new Ajv({ strict: true });
+    ajv.addKeyword("x-pourkit-schema-version");
+    const validate = ajv.compile(schema);
+    _validate = (data) => {
+      _ajvErrors = null;
+      const valid2 = validate(data);
+      if (!valid2) _ajvErrors = validate.errors;
+      return valid2;
+    };
+  }
+  return _validate;
+}
 var DEFAULT_MISSING_OR_EMPTY_OUTPUT_RETRIES = 3;
-var OutputRetriesConfigSchema = z.object({
-  missingOrEmpty: z.number().int().nonnegative().default(DEFAULT_MISSING_OR_EMPTY_OUTPUT_RETRIES)
-}).strict();
+var DEFAULT_BRANCH_TEMPLATE = "pourkit/{{issue.number}}/{{issue.slug}}";
 function resolveMissingOrEmptyOutputRetries(config) {
   return config?.outputRetries?.missingOrEmpty ?? DEFAULT_MISSING_OR_EMPTY_OUTPUT_RETRIES;
 }
-var StageAgentConfigSchema = z.object({
-  agent: NonEmptyString,
-  model: NonEmptyString,
-  variant: NonEmptyString.optional(),
-  env: z.record(z.string(), z.string()).optional(),
-  promptTemplate: NonEmptyString,
-  outputRetries: OutputRetriesConfigSchema.optional()
-}).strict();
-var ReviewerConfigSchema = z.object({
-  agent: NonEmptyString,
-  model: NonEmptyString,
-  variant: NonEmptyString.optional(),
-  env: z.record(z.string(), z.string()).optional(),
-  promptTemplate: NonEmptyString,
-  outputRetries: OutputRetriesConfigSchema.optional(),
-  criteria: z.array(NonEmptyString),
-  includeReviewHistory: z.boolean().optional(),
-  passWithNotesRefactorAttempts: z.number().int().nonnegative().optional()
-}).strict();
-var VerificationCommandSchema = z.object({
-  command: z.string().nullable().optional(),
-  label: z.string().optional()
-}).strict().refine((d) => d.command && d.command.trim() !== "", {
-  message: "must have a non-empty command"
-}).transform((d) => ({
-  command: d.command,
-  label: d.label && d.label.trim() !== "" ? d.label : void 0
-}));
-var PrdRunModeSchema = z.enum(["github", "local"]);
-var QueueConfigSchema = z.object({
-  loop: z.boolean().optional()
-}).strict();
-var FailureResolutionConfigSchema = z.object({
-  agent: NonEmptyString,
-  model: NonEmptyString,
-  variant: NonEmptyString.optional(),
-  env: z.record(z.string(), z.string()).optional(),
-  promptTemplate: NonEmptyString,
-  outputRetries: OutputRetriesConfigSchema.optional(),
-  maxAttemptsPerFailure: z.number().int().positive(),
-  failureLimits: z.record(z.string(), z.number().int().positive()).optional()
-}).strict();
-var ReviewRefactorLoopStrategySchema = z.object({
-  type: z.literal("review-refactor-loop"),
-  implement: z.object({
-    builder: StageAgentConfigSchema
-  }).strict(),
-  conflictResolution: z.object({
-    agent: NonEmptyString,
-    model: NonEmptyString,
-    variant: NonEmptyString.optional(),
-    env: z.record(z.string(), z.string()).optional(),
-    promptTemplate: NonEmptyString,
-    maxAttempts: z.number().int().positive()
-  }).strict().optional(),
-  failureResolution: FailureResolutionConfigSchema,
-  review: z.object({
-    reviewer: ReviewerConfigSchema,
-    refactor: StageAgentConfigSchema,
-    maxIterations: z.number().int().positive(),
-    passWithNotesRefactorAttempts: z.number().int().nonnegative().default(2)
-  }).strict(),
-  verify: z.object({
-    commands: z.preprocess(
-      (v) => Array.isArray(v) ? v : [],
-      z.array(VerificationCommandSchema).refine((arr) => arr.length > 0, {
-        message: "must contain at least one command"
-      })
-    )
-  }).strict().optional(),
-  issueFinalReview: StageAgentConfigSchema.extend({
-    maxAttempts: z.number().int().positive()
-  }),
-  finalize: z.object({
-    prDescriptionAgent: StageAgentConfigSchema,
-    maxAttempts: z.number().int().positive()
-  }).strict(),
-  prdRun: z.object({
-    mode: PrdRunModeSchema.optional(),
-    // Uses promptTemplate (canonical StageAgentConfig field), not prompt as Issue contract may suggest
-    finalReview: StageAgentConfigSchema
-  }).strict().optional()
-}).strict();
-var TargetSerenaConfigSchema = z.object({
-  enabled: z.boolean().optional(),
-  required: z.boolean().optional()
-}).strict();
-var TargetSchema = z.object({
-  name: NonEmptyString,
-  baseBranch: z.preprocess(
-    (v) => typeof v === "string" && v.length > 0 ? v : void 0,
-    NonEmptyString.default("main")
-  ),
-  branchTemplate: z.string().default("pourkit/{{issue.number}}/{{issue.slug}}"),
-  setupCommands: z.preprocess(
-    (v) => Array.isArray(v) ? v : void 0,
-    z.array(VerificationCommandSchema).default([])
-  ),
-  autoMerge: z.preprocess(
-    (v) => typeof v === "boolean" ? v : void 0,
-    z.boolean().default(true)
-  ),
-  queue: QueueConfigSchema.optional(),
-  serena: TargetSerenaConfigSchema.optional(),
-  strategy: ReviewRefactorLoopStrategySchema
-}).strict();
-var LabelsSchema = z.object({
-  readyForAgent: NonEmptyString,
-  agentInProgress: NonEmptyString,
-  blocked: NonEmptyString,
-  prOpenAwaitingMerge: NonEmptyString,
-  readyForHuman: NonEmptyString,
-  needsTriage: NonEmptyString.optional().default("needs-triage")
-}).strict();
-var SandboxMountSchema = z.object({
-  hostPath: NonEmptyString,
-  sandboxPath: NonEmptyString,
-  readonly: z.boolean().default(false)
-}).strict();
-var SandboxSchema = z.object({
-  provider: NonEmptyString,
-  copyToWorktree: z.array(NonEmptyString).optional(),
-  mounts: z.array(SandboxMountSchema).optional(),
-  env: z.record(z.string()).optional(),
-  idleTimeoutSeconds: z.preprocess((v) => {
-    if (v === void 0) return void 0;
-    if (typeof v === "number" && Number.isFinite(v) && v > 0) return v;
-    return v;
-  }, z.number().int().positive().optional())
-}).strict();
-var ChecksSchema = z.object({
-  requiredLabels: z.array(NonEmptyString),
-  allowedAuthors: z.array(NonEmptyString),
-  checksFoundTimeoutSeconds: z.number().int().positive().optional(),
-  checksCompletionTimeoutSeconds: z.number().int().positive().optional(),
-  pollIntervalSeconds: z.number().int().positive().optional(),
-  issueListLimit: z.number().int().positive().optional()
-}).strict();
-var CleanupConfigSchema = z.object({
-  enabled: z.boolean().default(true),
-  worktreeRetentionDays: z.number().int().positive().default(14),
-  logRetentionDays: z.number().int().positive().default(30)
-}).strict();
-var SerenaConfigSchema = z.object({
-  enabled: z.boolean().default(false),
-  required: z.boolean().default(false),
-  mcpUrl: NonEmptyString.default("http://localhost:9121/mcp"),
-  sandboxMcpUrl: NonEmptyString.default("http://localhost:9121/mcp"),
-  dataDir: z.string().default(".pourkit/serena/"),
-  autoStart: z.boolean().default(false)
-}).strict();
-var PourkitConfigSchema = z.object({
-  targets: z.array(TargetSchema).min(1),
-  labels: LabelsSchema,
-  sandbox: SandboxSchema,
-  checks: ChecksSchema,
-  cleanup: CleanupConfigSchema.optional(),
-  serena: SerenaConfigSchema.default({})
-}).strict();
 var removedFieldReplacements = {
   "config.implementor": "targets[].strategy.implement.builder",
   "config.reviewer": "targets[].strategy.review.reviewer",
@@ -567,11 +429,12 @@ function checkRemovedFields(raw) {
     }
   }
 }
-function formatZodPath(path9) {
-  if (path9.length === 0) return "";
+function formatAjvPath(instancePath) {
+  if (!instancePath || instancePath === "/") return "";
+  const parts = instancePath.split("/").slice(1);
   let result = "";
-  for (const segment of path9) {
-    if (typeof segment === "number") {
+  for (const segment of parts) {
+    if (/^\d+$/.test(segment)) {
       result += `[${segment}]`;
     } else {
       result += result ? `.${segment}` : segment;
@@ -579,51 +442,172 @@ function formatZodPath(path9) {
   }
   return result;
 }
-function formatFirstZodError(err) {
-  const issue = err.issues[0];
-  const path9 = formatZodPath(issue.path);
-  if (path9 === "targets" && (issue.code === "too_small" || issue.code === "invalid_type")) {
-    return "Config must have at least one target";
+function formatFirstAjvError(errors) {
+  const error = errors[0];
+  const path9 = formatAjvPath(error.instancePath);
+  if (error.keyword === "required") {
+    const missingParam = error.params.missingProperty;
+    if (missingParam === "targets") {
+      return "Config must have at least one target";
+    }
+    if (path9 === "" && missingParam === "targets") {
+      return "Config must have at least one target";
+    }
+    if (path9) {
+      return `${path9} must have required property '${missingParam}'`;
+    }
+    return `${missingParam} must be an object`;
   }
-  if (issue.path.length >= 3 && issue.path[0] === "targets" && typeof issue.path[1] === "number" && issue.path[2] === "name" && issue.code === z.ZodIssueCode.too_small) {
-    return `Target[${issue.path[1]}] must have a non-empty name`;
+  if (error.keyword === "additionalProperties") {
+    const additionalProp = error.params.additionalProperty;
+    const keyPath = path9 ? `${path9}.${additionalProp}` : additionalProp;
+    return `${keyPath} is not supported`;
   }
-  switch (issue.code) {
-    case z.ZodIssueCode.invalid_type: {
-      if (issue.expected === "object") {
-        return path9 ? `${path9} must be an object` : "Config must be an object";
-      }
-      if (issue.expected === "integer") {
-        return `${path9} must be an integer`;
-      }
-      if (issue.expected === "string") {
-        return `${path9} must be a string`;
-      }
-      if (issue.expected === "number") {
-        return `${path9} must be a number`;
-      }
-      return issue.message;
+  if (error.keyword === "minLength") {
+    if (path9) {
+      return `${path9} must be a non-empty string`;
+    }
+    return "Config must be a non-empty string";
+  }
+  if (error.keyword === "const") {
+    const allowedValue = error.params.allowedValue;
+    return `${path9 || "Config"} must be ${JSON.stringify(allowedValue)}`;
+  }
+  if (error.keyword === "enum") {
+    const allowedValues = error.params.allowedValues;
+    return `${path9} must be one of: ${allowedValues.map((v) => JSON.stringify(v)).join(", ")}`;
+  }
+  if (error.keyword === "minimum" || error.keyword === "exclusiveMinimum") {
+    const limit = error.params.limit;
+    if (limit === 1) {
+      return `${path9} must be a positive number`;
+    }
+    return `${path9} must be at least ${limit}`;
+  }
+  if (error.keyword === "type") {
+    const expected = error.params.type;
+    if (path9 === "") {
+      return `Config must be an object`;
+    }
+    if (expected === "object") {
+      return `${path9} must be an object`;
+    }
+    if (expected === "integer") {
+      return `${path9} must be an integer`;
+    }
+    if (expected === "string") {
+      return `${path9} must be a string`;
+    }
+    if (expected === "number") {
+      return `${path9} must be a number`;
+    }
+    return `${path9} must be ${expected === "integer" ? "an integer" : `a ${expected}`}`;
+  }
+  if (error.keyword === "minItems") {
+    return `${path9} must contain at least one item`;
+  }
+  if (error.keyword === "pattern") {
+    return `${path9} has an invalid format`;
+  }
+  return `${path9 || "Config"} ${error.message || "is invalid"}`;
+}
+function applyOutputRetriesDefaults(retries) {
+  if (retries === void 0) return void 0;
+  return {
+    missingOrEmpty: retries.missingOrEmpty ?? DEFAULT_MISSING_OR_EMPTY_OUTPUT_RETRIES
+  };
+}
+function applyStageAgentDefaults(agent) {
+  return {
+    ...agent,
+    outputRetries: applyOutputRetriesDefaults(agent.outputRetries)
+  };
+}
+function assertRepoRelativePath(value, location) {
+  const normalized = normalize(value);
+  if (isAbsolute(value) || isAbsolute(normalized) || normalized === ".." || normalized.startsWith(`..${sep}`)) {
+    throw new Error(
+      `${location} must stay within the repository and be repo-relative; got "${value}"`
+    );
+  }
+}
+function assertBaseBranch(value, location) {
+  if (value.includes("/")) {
+    throw new Error(
+      `${location} must be a local branch name, not a remote-qualified, tag, ref, or path-like name; got "${value}"`
+    );
+  }
+  if (/^[0-9a-f]{7,40}$/i.test(value)) {
+    throw new Error(
+      `${location} must be a branch name, not a commit SHA; got "${value}"`
+    );
+  }
+}
+function assertStageAgentPath(agent, location) {
+  if (!agent) return;
+  const promptTemplate = agent.promptTemplate;
+  if (typeof promptTemplate === "string") {
+    assertRepoRelativePath(promptTemplate, `${location}.promptTemplate`);
+  }
+}
+function validateConfigSemantics(data) {
+  const sandbox = data.sandbox;
+  const copyToWorktree = sandbox?.copyToWorktree;
+  copyToWorktree?.forEach((entry, index) => {
+    assertRepoRelativePath(entry, `sandbox.copyToWorktree[${index}]`);
+  });
+  const targetNames = /* @__PURE__ */ new Set();
+  data.targets.forEach((target, targetIndex) => {
+    const name = target.name;
+    if (targetNames.has(name)) {
+      throw new Error(
+        `Duplicate target name "${name}"; target names must be unique`
+      );
+    }
+    targetNames.add(name);
+    assertBaseBranch(
+      target.baseBranch,
+      `targets[${targetIndex}].baseBranch`
+    );
+    const strategy = target.strategy;
+    const implement = strategy.implement;
+    const review = strategy.review;
+    const finalize = strategy.finalize;
+    assertStageAgentPath(
+      implement.builder,
+      `targets[${targetIndex}].strategy.implement.builder`
+    );
+    assertStageAgentPath(
+      strategy.conflictResolution,
+      `targets[${targetIndex}].strategy.conflictResolution`
+    );
+    assertStageAgentPath(
+      strategy.failureResolution,
+      `targets[${targetIndex}].strategy.failureResolution`
+    );
+    assertStageAgentPath(
+      review.reviewer,
+      `targets[${targetIndex}].strategy.review.reviewer`
+    );
+    assertStageAgentPath(
+      review.refactor,
+      `targets[${targetIndex}].strategy.review.refactor`
+    );
+    assertStageAgentPath(
+      strategy.issueFinalReview,
+      `targets[${targetIndex}].strategy.issueFinalReview`
+    );
+    assertStageAgentPath(
+      finalize.prDescriptionAgent,
+      `targets[${targetIndex}].strategy.finalize.prDescriptionAgent`
+    );
+  });
+}
+function assertKnownKeys(value, path9, knownKeys) {
+  for (const key of Object.keys(value)) {
+    if (!knownKeys.includes(key)) {
+      throw new Error(`${path9}.${key} is not supported`);
     }
-    case z.ZodIssueCode.too_small:
-      if (issue.type === "string" && issue.minimum === 1) {
-        return `${path9} must be a non-empty string`;
-      }
-      if (issue.type === "array" && issue.minimum === 1) {
-        return `${path9} must not be empty`;
-      }
-      if (issue.type === "number") {
-        return `${path9} must be a positive number`;
-      }
-      return issue.message;
-    case z.ZodIssueCode.invalid_literal:
-      return `${path9} must be ${issue.expected}`;
-    case z.ZodIssueCode.unrecognized_keys:
-      const keyPath = path9 ? `${path9}.${issue.keys[0]}` : issue.keys[0];
-      return `${keyPath} is not supported`;
-    case z.ZodIssueCode.custom:
-      return path9 ? `${path9} ${issue.message}` : issue.message;
-    default:
-      return issue.message;
   }
 }
 function parseConfig(raw) {
@@ -645,6 +629,7 @@ function parseConfig(raw) {
       "name",
       "baseBranch",
       "branchTemplate",
+      "prdRun",
       "setupCommands",
       "autoMerge",
       "queue",
@@ -660,9 +645,20 @@ function parseConfig(raw) {
         `targets[${i}].strategy.conflictResolution has been removed; use targets[${i}].strategy.failureResolution`
       );
     }
-    if (strategy && typeof strategy === "object" && strategy.prdRun && typeof strategy.prdRun === "object" && "reconciliation" in strategy.prdRun) {
+    if (strategy && typeof strategy === "object" && strategy.prdRun && typeof strategy.prdRun === "object") {
+      const prdRun = strategy.prdRun;
+      if ("reconciliation" in prdRun) {
+        throw new Error(
+          `targets[${i}].strategy.prdRun.reconciliation has been removed; PRD Run no longer invokes Architect reconciliation.`
+        );
+      }
+      if ("finalReview" in prdRun) {
+        throw new Error(
+          `targets[${i}].strategy.prdRun.finalReview has been removed; PRD-wide Final Review is no longer part of the PRD Run lifecycle. Use targets[${i}].strategy.issueFinalReview instead.`
+        );
+      }
       throw new Error(
-        `targets[${i}].strategy.prdRun.reconciliation has been removed; PRD Run no longer invokes Architect reconciliation.`
+        `targets[${i}].strategy.prdRun is not supported in the new config; use targets[${i}].prdRun instead.`
       );
     }
   }
@@ -672,67 +668,126 @@ function parseConfig(raw) {
       "copyToWorktree",
       "mounts",
       "env",
-      "idleTimeoutSeconds"
+      "idleTimeoutSeconds",
+      "forceRebuild"
     ]);
   }
-  const result = PourkitConfigSchema.safeParse(raw);
-  if (!result.success) {
-    throw new Error(formatFirstZodError(result.error));
-  }
-  const data = result.data;
-  const targets = data.targets.map((t) => {
-    const setupCommands = t.setupCommands?.map((cmd, i) => ({
-      command: cmd.command,
-      label: cmd.label ?? `check-${i}`
-    }));
-    const verifyCommands = t.strategy.verify?.commands?.map((cmd, i) => ({
-      command: cmd.command,
-      label: cmd.label ?? `check-${i}`
-    }));
-    return {
-      name: t.name,
-      baseBranch: t.baseBranch,
-      branchTemplate: t.branchTemplate,
-      setupCommands,
-      autoMerge: t.autoMerge,
-      queue: t.queue,
-      serena: t.serena,
-      strategy: {
-        type: "review-refactor-loop",
-        implement: { builder: t.strategy.implement.builder },
-        failureResolution: {
-          agent: t.strategy.failureResolution.agent,
-          model: t.strategy.failureResolution.model,
-          promptTemplate: t.strategy.failureResolution.promptTemplate,
-          outputRetries: t.strategy.failureResolution.outputRetries,
-          maxAttemptsPerFailure: t.strategy.failureResolution.maxAttemptsPerFailure,
-          failureLimits: t.strategy.failureResolution.failureLimits
-        },
-        review: {
-          reviewer: t.strategy.review.reviewer,
-          refactor: t.strategy.review.refactor,
-          maxIterations: t.strategy.review.maxIterations,
-          passWithNotesRefactorAttempts: t.strategy.review.passWithNotesRefactorAttempts
-        },
-        ...t.strategy.verify ? { verify: { commands: verifyCommands } } : {},
-        issueFinalReview: t.strategy.issueFinalReview,
-        finalize: {
-          prDescriptionAgent: t.strategy.finalize.prDescriptionAgent,
-          maxAttempts: t.strategy.finalize.maxAttempts
-        },
-        ...t.strategy.prdRun ? {
-          prdRun: {
-            ...t.strategy.prdRun.mode ? { mode: t.strategy.prdRun.mode } : {},
-            finalReview: t.strategy.prdRun.finalReview
+  const validate = getValidator();
+  if (!validate(raw)) {
+    throw new Error(
+      formatFirstAjvError(
+        _ajvErrors ?? [
+          {
+            instancePath: "",
+            message: "validation failed",
+            keyword: "error",
+            params: {}
           }
-        } : {}
-      }
-    };
-  });
+        ]
+      )
+    );
+  }
+  const data = config;
+  validateConfigSemantics(data);
+  const targets = data.targets.map(
+    (t) => {
+      const input = t;
+      const strategy = input.strategy;
+      const implement = strategy.implement;
+      const failureResolution = strategy.failureResolution;
+      const review = strategy.review;
+      const reviewReviewer = review.reviewer;
+      const reviewRefactor = review.refactor;
+      const finalize = strategy.finalize;
+      const issueFinalReview = strategy.issueFinalReview;
+      const setupCommands = input.setupCommands?.map((cmd, i) => ({
+        command: cmd.command,
+        label: cmd.label ?? `check-${i}`
+      }));
+      const verifyCommands = strategy.verify?.commands ? strategy.verify.commands : void 0;
+      const verifyLabeled = verifyCommands?.map((cmd, i) => ({
+        command: cmd.command,
+        label: cmd.label ?? `check-${i}`
+      }));
+      return {
+        name: input.name,
+        baseBranch: input.baseBranch,
+        branchTemplate: input.branchTemplate ?? DEFAULT_BRANCH_TEMPLATE,
+        prdRun: input.prdRun,
+        setupCommands,
+        autoMerge: input.autoMerge !== void 0 ? input.autoMerge : true,
+        queue: input.queue,
+        serena: input.serena,
+        strategy: {
+          type: "review-refactor-loop",
+          implement: {
+            builder: applyStageAgentDefaults(
+              implement.builder
+            )
+          },
+          failureResolution: {
+            agent: failureResolution.agent,
+            model: failureResolution.model,
+            variant: failureResolution.variant,
+            env: failureResolution.env,
+            promptTemplate: failureResolution.promptTemplate,
+            outputRetries: applyOutputRetriesDefaults(
+              failureResolution.outputRetries
+            ),
+            maxAttemptsPerFailure: failureResolution.maxAttemptsPerFailure,
+            failureLimits: failureResolution.failureLimits
+          },
+          review: {
+            reviewer: {
+              agent: reviewReviewer.agent,
+              model: reviewReviewer.model,
+              variant: reviewReviewer.variant,
+              env: reviewReviewer.env,
+              promptTemplate: reviewReviewer.promptTemplate,
+              outputRetries: applyOutputRetriesDefaults(
+                reviewReviewer.outputRetries
+              ),
+              criteria: reviewReviewer.criteria,
+              includeReviewHistory: reviewReviewer.includeReviewHistory,
+              passWithNotesRefactorAttempts: reviewReviewer.passWithNotesRefactorAttempts
+            },
+            refactor: applyStageAgentDefaults(
+              reviewRefactor
+            ),
+            maxIterations: review.maxIterations,
+            passWithNotesRefactorAttempts: review.passWithNotesRefactorAttempts ?? 2
+          },
+          ...verifyLabeled ? { verify: { commands: verifyLabeled } } : {},
+          issueFinalReview: {
+            ...issueFinalReview,
+            maxAttempts: issueFinalReview.maxAttempts,
+            outputRetries: applyOutputRetriesDefaults(
+              issueFinalReview.outputRetries
+            )
+          },
+          finalize: {
+            prDescriptionAgent: applyStageAgentDefaults(
+              finalize.prDescriptionAgent
+            ),
+            maxAttempts: finalize.maxAttempts
+          }
+        }
+      };
+    }
+  );
+  const serenaRaw = data.serena;
+  const serenaDefaults = {
+    mcpUrl: serenaRaw?.mcpUrl ?? "http://localhost:9121/mcp",
+    sandboxMcpUrl: serenaRaw?.sandboxMcpUrl ?? "http://localhost:9121/mcp",
+    dataDir: serenaRaw?.dataDir ?? ".pourkit/serena/"
+  };
   const serena = {
-    ...data.serena,
-    mcpUrl: process.env.POURKIT_SERENA_MCP_URL ?? data.serena.mcpUrl,
-    sandboxMcpUrl: process.env.POURKIT_SERENA_SANDBOX_MCP_URL ?? data.serena.sandboxMcpUrl
+    enabled: serenaRaw?.enabled ?? false,
+    required: serenaRaw?.required ?? false,
+    mcpUrl: process.env.POURKIT_SERENA_MCP_URL ?? serenaDefaults.mcpUrl,
+    sandboxMcpUrl: process.env.POURKIT_SERENA_SANDBOX_MCP_URL ?? serenaDefaults.sandboxMcpUrl,
+    dataDir: serenaDefaults.dataDir,
+    autoStart: serenaRaw?.autoStart ?? false
   };
   if (serena.mcpUrl.trim() === "") {
     throw new Error("POURKIT_SERENA_MCP_URL must be a non-empty string");
@@ -742,39 +797,48 @@ function parseConfig(raw) {
       "POURKIT_SERENA_SANDBOX_MCP_URL must be a non-empty string"
     );
   }
+  const checksRaw = data.checks;
+  const labelsRaw = data.labels;
+  const cleanupRaw = data.cleanup;
+  const sandboxRaw = data.sandbox;
   return {
     targets,
-    labels: data.labels,
+    labels: {
+      readyForAgent: labelsRaw?.readyForAgent ?? "ready-for-agent",
+      agentInProgress: labelsRaw?.agentInProgress ?? "agent-in-progress",
+      blocked: labelsRaw?.blocked ?? "blocked",
+      prOpenAwaitingMerge: labelsRaw?.prOpenAwaitingMerge ?? "pr-open-awaiting-merge",
+      readyForHuman: labelsRaw?.readyForHuman ?? "ready-for-human",
+      needsTriage: labelsRaw?.needsTriage ?? "needs-triage"
+    },
     sandbox: {
-      provider: data.sandbox.provider,
-      copyToWorktree: data.sandbox.copyToWorktree,
-      mounts: data.sandbox.mounts,
-      env: data.sandbox.env,
-      idleTimeoutSeconds: data.sandbox.idleTimeoutSeconds
+      provider: sandboxRaw?.provider ?? "docker",
+      copyToWorktree: sandboxRaw?.copyToWorktree,
+      mounts: sandboxRaw?.mounts ? sandboxRaw.mounts.map((m) => ({
+        hostPath: m.hostPath,
+        sandboxPath: m.sandboxPath,
+        readonly: m.readonly ?? false
+      })) : void 0,
+      env: sandboxRaw?.env,
+      idleTimeoutSeconds: sandboxRaw?.idleTimeoutSeconds,
+      forceRebuild: sandboxRaw?.forceRebuild
     },
     checks: {
-      requiredLabels: data.checks.requiredLabels,
-      allowedAuthors: data.checks.allowedAuthors,
-      checksFoundTimeoutSeconds: data.checks.checksFoundTimeoutSeconds ?? 60,
-      checksCompletionTimeoutSeconds: data.checks.checksCompletionTimeoutSeconds ?? 30 * 60,
-      pollIntervalSeconds: data.checks.pollIntervalSeconds ?? 15,
-      issueListLimit: data.checks.issueListLimit ?? 50
+      requiredLabels: checksRaw?.requiredLabels ?? [],
+      allowedAuthors: checksRaw?.allowedAuthors ?? [],
+      checksFoundTimeoutSeconds: checksRaw?.checksFoundTimeoutSeconds ?? 60,
+      checksCompletionTimeoutSeconds: checksRaw?.checksCompletionTimeoutSeconds ?? 30 * 60,
+      pollIntervalSeconds: checksRaw?.pollIntervalSeconds ?? 15,
+      issueListLimit: checksRaw?.issueListLimit ?? 50
     },
     serena,
     cleanup: {
-      enabled: data.cleanup?.enabled ?? true,
-      worktreeRetentionDays: data.cleanup?.worktreeRetentionDays ?? 14,
-      logRetentionDays: data.cleanup?.logRetentionDays ?? 30
+      enabled: cleanupRaw?.enabled ?? true,
+      worktreeRetentionDays: cleanupRaw?.worktreeRetentionDays ?? 14,
+      logRetentionDays: cleanupRaw?.logRetentionDays ?? 30
     }
   };
 }
-function assertKnownKeys(value, path9, knownKeys) {
-  for (const key of Object.keys(value)) {
-    if (!knownKeys.includes(key)) {
-      throw new Error(`${path9}.${key} is not supported`);
-    }
-  }
-}
 function getVerificationCommands(target) {
   return target.strategy.verify?.commands ?? [];
 }
@@ -782,7 +846,7 @@ function resolvePrdRunMode(target, opts) {
   if (opts?.localOverride === true) {
     return { mode: "local", source: "cli-override", targetName: target.name };
   }
-  const configMode = target.strategy.prdRun?.mode;
+  const configMode = target.prdRun?.mode;
   if (configMode) {
     return {
       mode: configMode,
@@ -792,48 +856,41 @@ function resolvePrdRunMode(target, opts) {
   }
   return { mode: "github", source: "default", targetName: target.name };
 }
-async function loadRepoConfig(repoRoot2, configFileName = "pourkit.config.ts") {
-  const { existsSync: existsSync19 } = await import("fs");
-  const { mkdir: mkdir6, writeFile: writeFile4, rm } = await import("fs/promises");
-  const { join: pjoin, basename } = await import("path");
-  const { pathToFileURL: pathToFileURL2 } = await import("url");
-  const { build } = await import("esbuild");
-  const configPath = pjoin(repoRoot2, configFileName);
-  if (!existsSync19(configPath)) {
+var OBSOLETE_CONFIG_PATHS = [
+  "pourkit.config.ts",
+  "pourkit.config.mjs",
+  "pourkit.config.js",
+  "pourkit.json"
+];
+var CANONICAL_CONFIG_PATH = ".pourkit/config.json";
+async function loadRepoConfig(repoRoot2, _configFileName) {
+  const { existsSync: existsSync20 } = await import("fs");
+  const { join: pjoin } = await import("path");
+  for (const obPath of OBSOLETE_CONFIG_PATHS) {
+    const fullPath = pjoin(repoRoot2, obPath);
+    if (existsSync20(fullPath)) {
+      const isRootJson = obPath === "pourkit.json";
+      throw new Error(
+        isRootJson ? `Found root ${obPath}, but Pourkit config now lives at ${CANONICAL_CONFIG_PATH}. Move the file and update "$schema" to "./schema/pourkit.schema.json".` : `Found ${obPath}, but executable config is no longer supported. Move configuration to ${CANONICAL_CONFIG_PATH} with "$schema": "./schema/pourkit.schema.json".`
+      );
+    }
+  }
+  const configPath = pjoin(repoRoot2, CANONICAL_CONFIG_PATH);
+  if (!existsSync20(configPath)) {
     throw new Error(
-      `No config file found at ${configPath}. Create a ${configFileName} that exports a default PourkitConfig.`
+      `No Pourkit config found at ${CANONICAL_CONFIG_PATH}. Run pourkit init or create ${CANONICAL_CONFIG_PATH} with "$schema": "./schema/pourkit.schema.json".`
     );
   }
-  const tmpDir = pjoin(repoRoot2, ".pourkit", ".tmp", "config");
-  await mkdir6(tmpDir, { recursive: true });
-  const tmpFile = pjoin(
-    tmpDir,
-    `pourkit-config-${Date.now()}-${Math.random().toString(36).slice(2, 8)}.mjs`
-  );
+  const { readFile: readFile7 } = await import("fs/promises");
+  const raw = await readFile7(configPath, "utf-8");
+  let parsed;
   try {
-    await build({
-      entryPoints: [configPath],
-      bundle: true,
-      write: false,
-      platform: "node",
-      format: "esm",
-      external: ["node:*"]
-    }).then(async (result) => {
-      const output = result.outputFiles[0].text;
-      await writeFile4(tmpFile, output, "utf-8");
-    });
-    const imported = await import(pathToFileURL2(tmpFile).href);
-    const raw = imported.default;
-    if (raw === void 0) {
-      throw new Error("pourkit.config.ts must have a default export");
-    }
-    return parseConfig(raw);
-  } finally {
-    try {
-      await rm(tmpFile, { force: true });
-    } catch {
-    }
+    parsed = JSON.parse(raw);
+  } catch (err) {
+    const message = err instanceof SyntaxError ? err.message : String(err);
+    throw new Error(`${CANONICAL_CONFIG_PATH}: Invalid JSON \u2014 ${message}`);
   }
+  return parseConfig(parsed);
 }
 function resolvePromptTemplatePath(repoRoot2, promptTemplate) {
   if (promptTemplate.includes("/")) {
@@ -872,8 +929,8 @@ function resolveTarget(config, explicitTarget) {
 init_common();
 
 // shared/worktree-run-state.ts
-import { existsSync, mkdirSync as mkdirSync2, readFileSync, writeFileSync } from "fs";
-import { dirname, join as join2 } from "path";
+import { existsSync, mkdirSync as mkdirSync2, readFileSync as readFileSync2, writeFileSync } from "fs";
+import { dirname as dirname2, join as join2 } from "path";
 var WORKTREE_RUN_STATE_PATH = ".pourkit/state.json";
 function readWorktreeRunState(worktreePath) {
   const statePath = join2(worktreePath, WORKTREE_RUN_STATE_PATH);
@@ -881,7 +938,7 @@ function readWorktreeRunState(worktreePath) {
     return null;
   }
   try {
-    const raw = JSON.parse(readFileSync(statePath, "utf-8"));
+    const raw = JSON.parse(readFileSync2(statePath, "utf-8"));
     if (isValidWorktreeRunState(raw)) {
       return raw;
     }
@@ -902,7 +959,7 @@ function isValidWorktreeRunState(raw) {
 }
 function writeWorktreeRunState(worktreePath, state) {
   const statePath = join2(worktreePath, WORKTREE_RUN_STATE_PATH);
-  mkdirSync2(dirname(statePath), { recursive: true });
+  mkdirSync2(dirname2(statePath), { recursive: true });
   writeFileSync(statePath, JSON.stringify(state, null, 2), "utf-8");
 }
 function updateWorktreeRunState(worktreePath, update) {
@@ -1049,8 +1106,8 @@ async function cleanupRepository(options) {
 // commands/artifact-validation.ts
 import { createHash } from "crypto";
 import { execSync } from "child_process";
-import { existsSync as existsSync7, readdirSync as readdirSync3, readFileSync as readFileSync7 } from "fs";
-import { isAbsolute as isAbsolute2, join as join7, resolve as resolve2 } from "path";
+import { existsSync as existsSync7, readdirSync as readdirSync3, readFileSync as readFileSync8 } from "fs";
+import { isAbsolute as isAbsolute3, join as join7, resolve as resolve3 } from "path";
 
 // pr/review-verdict.ts
 var ReviewVerdictProtocolError = class extends Error {
@@ -1085,15 +1142,15 @@ function parseReviewVerdict(output) {
 import {
   existsSync as existsSync5,
   mkdirSync as mkdirSync5,
-  readFileSync as readFileSync5,
+  readFileSync as readFileSync6,
   readdirSync as readdirSync2,
   writeFileSync as writeFileSync3
 } from "fs";
 import { join as join6 } from "path";
 
 // execution/agent-output-retry.ts
-import { existsSync as existsSync2, mkdirSync as mkdirSync3, readFileSync as readFileSync2, rmSync } from "fs";
-import { dirname as dirname2, join as join4 } from "path";
+import { existsSync as existsSync2, mkdirSync as mkdirSync3, readFileSync as readFileSync3, rmSync } from "fs";
+import { dirname as dirname3, join as join4 } from "path";
 async function executeWithMissingOrEmptyArtifactRetry({
   executionProvider,
   executionOptions,
@@ -1153,20 +1210,20 @@ function readArtifactOutput(artifactPath) {
   if (!existsSync2(artifactPath)) {
     return { _tag: "missing", path: artifactPath };
   }
-  const output = readFileSync2(artifactPath, "utf-8");
+  const output = readFileSync3(artifactPath, "utf-8");
   if (!output.trim()) {
     return { _tag: "empty", path: artifactPath };
   }
   return { _tag: "content", value: output, path: artifactPath };
 }
 function prepareArtifactPath(artifactPath) {
-  mkdirSync3(dirname2(artifactPath), { recursive: true });
+  mkdirSync3(dirname3(artifactPath), { recursive: true });
   rmSync(artifactPath, { recursive: true, force: true });
 }
 
 // shared/run-context.ts
-import { existsSync as existsSync3, readFileSync as readFileSync3, readdirSync } from "fs";
-import { isAbsolute, join as join5, relative, resolve } from "path";
+import { existsSync as existsSync3, readFileSync as readFileSync4, readdirSync } from "fs";
+import { isAbsolute as isAbsolute2, join as join5, relative, resolve as resolve2 } from "path";
 
 // commands/run-verification.ts
 init_common();
@@ -1372,11 +1429,17 @@ function buildRunContextMarkdown(options) {
     }
   }
   if (sections.includes("branch")) {
+    const canonicalBaseRef = `origin/${target.baseBranch}`;
     parts.push(
       "## Branch",
       "",
       `- Base: ${target.baseBranch}`,
+      `- Canonical Base Ref: ${canonicalBaseRef}`,
       `- Working Branch: ${branchName}`,
+      "",
+      "Use the canonical base ref for scope checks, commit ranges, and diffs. Do not use a bare PRD/base branch name such as `PRD-0063`; local branches with those names may be stale.",
+      "",
+      "Runner-owned Git operations: do not run destructive history/worktree commands such as `git reset --hard`, `git checkout .`, `git clean`, `git rebase`, `git merge`, or `git branch -f`. Edit files only; the runner owns branch/base movement.",
       ""
     );
   }
@@ -1439,7 +1502,7 @@ function renderPrdContext(issue, parentPrdIssue, repoRoot2) {
       `### Parent PRD Content: \`${relative(repoRoot2, parentPrdPath)}\``,
       "",
       "```markdown",
-      readFileSync3(parentPrdPath, "utf-8").trimEnd(),
+      readFileSync4(parentPrdPath, "utf-8").trimEnd(),
       "```",
       ""
     );
@@ -1466,7 +1529,7 @@ function renderPrdContext(issue, parentPrdIssue, repoRoot2) {
       `### Document Content: \`${documentPath}\``,
       "",
       "```markdown",
-      readFileSync3(absolutePath, "utf-8").trimEnd(),
+      readFileSync4(absolutePath, "utf-8").trimEnd(),
       "```",
       ""
     );
@@ -1491,10 +1554,10 @@ function extractRepoPaths(section) {
   return Array.from(paths);
 }
 function resolveRepoPath(repoRoot2, path9) {
-  if (isAbsolute(path9) || path9.includes("\0")) return null;
-  const resolved = resolve(repoRoot2, path9);
+  if (isAbsolute2(path9) || path9.includes("\0")) return null;
+  const resolved = resolve2(repoRoot2, path9);
   const repoRelative2 = relative(repoRoot2, resolved);
-  if (repoRelative2.startsWith("..") || isAbsolute(repoRelative2)) return null;
+  if (repoRelative2.startsWith("..") || isAbsolute2(repoRelative2)) return null;
   return resolved;
 }
 function findParentPrdPath(repoRoot2, parentRef) {
@@ -1538,17 +1601,19 @@ function renderCriteria(criteria) {
 
 // shared/prompt-guidance.ts
 var PROTECTED_WORK_RULE = "Do **not** revert, delete, or substantially strip already-landed protected sibling/base work unless the issue explicitly requires those files.";
+var RUNNER_OWNED_GIT_RULE = "Do **not** move Git history or reset the Worktree. Do not run `git reset --hard`, `git checkout .`, `git clean`, `git rebase`, `git merge`, `git branch -f`, or equivalent destructive history/worktree commands; branch/base changes are runner-owned.";
 function appendProtectedWorkGuidance(promptBody) {
   return `${promptBody}
 
 ## Hard Rule
 
-- ${PROTECTED_WORK_RULE}`;
+- ${PROTECTED_WORK_RULE}
+- ${RUNNER_OWNED_GIT_RULE}`;
 }
 
 // shared/effect-services.ts
 import { Context, Effect, Layer } from "effect";
-import { existsSync as existsSync4, mkdirSync as mkdirSync4, readFileSync as readFileSync4, writeFileSync as writeFileSync2, rmSync as rmSync2 } from "fs";
+import { existsSync as existsSync4, mkdirSync as mkdirSync4, readFileSync as readFileSync5, writeFileSync as writeFileSync2, rmSync as rmSync2 } from "fs";
 var GitExecutionError = class extends Error {
   _tag = "GitExecutionError";
   message;
@@ -1564,7 +1629,7 @@ var FileSystemDefault = Layer.succeed(
   FileSystem,
   FileSystem.of({
     readFile: (path9) => Effect.try({
-      try: () => readFileSync4(path9, "utf-8"),
+      try: () => readFileSync5(path9, "utf-8"),
       catch: (error) => new Error(
         `Failed to read file ${path9}: ${error instanceof Error ? error.message : String(error)}`
       )
@@ -1965,7 +2030,7 @@ function validateRefactorArtifact(artifactPath, findingIds) {
       `Refactor artifact missing at ${artifactPath}`
     );
   }
-  const content = readFileSync5(artifactPath, "utf-8");
+  const content = readFileSync6(artifactPath, "utf-8");
   if (!content.trim()) {
     throw new RefactorArtifactValidationError("Refactor artifact is empty");
   }
@@ -2290,12 +2355,29 @@ A prior review emitted \`NEEDS_HUMAN\` and stopped the agent loop. The issue has
 Before carrying forward old blockers, inspect newer issue comments and the current worktree. Treat prior Reviewer and Refactor Artifacts as historical context, not active findings unless they still apply.
 
 ` : "";
-    return `${renderedTemplate}
+    return appendProtectedWorkGuidance(`${renderedTemplate}
 
 ## Shared Run Context
 
 Read the selected issue requirements, PRD context, branch context, verification commands, and artifact paths from: ${RUN_CONTEXT_PATH_IN_WORKTREE}
 
+## Initial Verification Pass
+
+- First read ${RUN_CONTEXT_PATH_IN_WORKTREE} only far enough to identify the configured verification commands.
+- Before reviewing code, diffs, artifacts, or prior findings, run each configured verification command yourself from the Worktree.
+- Run the commands exactly as configured. Do not substitute narrower commands unless the configured command cannot run.
+- If a configured command fails, keep reviewing after recording the failure details; use the failure output as review evidence.
+- If a command cannot run because the environment is missing required setup, dependencies, or scripts outside agent control, treat it as a human handoff blocker.
+- If no verification commands are configured, note that and proceed with normal review.
+
+## Scope Evidence Rules
+
+- Use the Run Context's canonical base ref, for example \`origin/<base>\`, for scope diffs and commit ranges.
+- Do not use bare PRD/base branch names such as \`PRD-0063\`, \`main\`, or \`dev\` for scope decisions; local branches with those names may be stale.
+- Only call a file or commit out of scope when it is part of the working branch's delta from the canonical base ref.
+- Do not recommend reverting accepted sibling/base work. If a file is present or changed on the canonical base ref, it is not this Issue's scope overreach.
+- If scope evidence is ambiguous, use \`NEEDS_HUMAN\` or ask for a runner/base mismatch decision instead of telling Refactor to revert files.
+
 ${hasCriteriaPlaceholder ? "" : `## Review Criteria
 
 ${criteriaBlock}
@@ -2312,7 +2394,7 @@ End the file with exactly one wrapped verdict token: <verdict>PASS</verdict>, <v
 
 Findings must include an ID column with values in the format R${iteration}.F{findingNumber} (e.g., R${iteration}.F1, R${iteration}.F2) and a Supersedes column referencing the finding ID being superseded (or a hyphen for new findings).
 
-When verdict is NEEDS_HUMAN, include Human Handoff Summary and Human Handoff Reason sections before the final verdict token.`;
+When verdict is NEEDS_HUMAN, include Human Handoff Summary and Human Handoff Reason sections before the final verdict token.`);
   });
 }
 function renderReviewHistory(reviewHistory) {
@@ -2437,12 +2519,12 @@ function recoverReviewOutputFromLog(logPath) {
   if (!existsSync5(logPath)) {
     return null;
   }
-  const logContent = readFileSync5(logPath, "utf-8");
+  const logContent = readFileSync6(logPath, "utf-8");
   return recoverReviewOutputFromString(logContent);
 }
 function readReviewArtifact(artifactPath, logPath) {
   if (existsSync5(artifactPath)) {
-    const output = readFileSync5(artifactPath, "utf-8");
+    const output = readFileSync6(artifactPath, "utf-8");
     if (output.trim()) {
       return output;
     }
@@ -3092,7 +3174,7 @@ function parseConflictResolutionArtifact(output) {
 }
 
 // prd-run/final-review-validation.ts
-import { existsSync as existsSync6, readFileSync as readFileSync6 } from "fs";
+import { existsSync as existsSync6, readFileSync as readFileSync7 } from "fs";
 function parseFinalReviewArtifact(artifactPath) {
   if (!existsSync6(artifactPath)) {
     return {
@@ -3103,7 +3185,7 @@ function parseFinalReviewArtifact(artifactPath) {
   }
   let content;
   try {
-    content = readFileSync6(artifactPath, "utf-8");
+    content = readFileSync7(artifactPath, "utf-8");
   } catch (error) {
     return {
       ok: false,
@@ -3306,7 +3388,7 @@ function readArtifact(options) {
     };
   }
   try {
-    const content = readFileSync7(options.artifactPath, "utf-8");
+    const content = readFileSync8(options.artifactPath, "utf-8");
     if (!content.trim()) {
       return { ok: false, result: invalid(options, "Artifact is empty") };
     }
@@ -3376,7 +3458,7 @@ function validateIssueFinalReviewArtifact(parsed, options) {
   for (const p of parsed.changedPaths) {
     const normalized = p.replace(/\\/g, "/");
     const segments = normalized.split("/");
-    if (normalized.trim() === "" || normalized === "." || normalized === ".." || isAbsolute2(p) || normalized.startsWith("/") || segments.some((segment) => segment === "..")) {
+    if (normalized.trim() === "" || normalized === "." || normalized === ".." || isAbsolute3(p) || normalized.startsWith("/") || segments.some((segment) => segment === "..")) {
       return {
         ok: false,
         reason: `changedPaths must not contain absolute paths or path traversal: ${p}`,
@@ -3477,7 +3559,7 @@ function validateAgentArtifact(options) {
       case "refactor": {
         let findingIds = options.findingIds ?? [];
         if (findingIds.length === 0 && options.latestReviewArtifactPath) {
-          const latestReview = readFileSync7(
+          const latestReview = readFileSync8(
             options.latestReviewArtifactPath,
             "utf-8"
           );
@@ -3500,10 +3582,10 @@ function validateAgentArtifact(options) {
         if (options.checkConflictMarkers !== false && parsed.status === "resolved") {
           const base = options.worktreePath ?? process.cwd();
           const filesWithMarkers = parsed.files.filter((file) => {
-            const filePath = resolve2(base, file);
+            const filePath = resolve3(base, file);
             try {
               return CONFLICT_MARKER_PATTERN.test(
-                readFileSync7(filePath, "utf-8")
+                readFileSync8(filePath, "utf-8")
               );
             } catch {
               return false;
@@ -3608,8 +3690,8 @@ function validateAgentArtifact(options) {
   }
 }
 function runValidateArtifactCommand(options) {
-  const artifactPath = resolve2(options.repoRoot, options.artifactPath);
-  const latestReviewArtifactPath = options.latestReviewArtifactPath ? resolve2(options.repoRoot, options.latestReviewArtifactPath) : void 0;
+  const artifactPath = resolve3(options.repoRoot, options.artifactPath);
+  const latestReviewArtifactPath = options.latestReviewArtifactPath ? resolve3(options.repoRoot, options.latestReviewArtifactPath) : void 0;
   return validateAgentArtifact({
     ...options,
     artifactPath,
@@ -3618,9 +3700,9 @@ function runValidateArtifactCommand(options) {
   });
 }
 function runLocalValidateArtifactCommand(options) {
-  const resolvedPath = resolve2(options.repoRoot, options.artifactPath);
+  const resolvedPath = resolve3(options.repoRoot, options.artifactPath);
   const resolvedExtra = (options.extraArgs ?? []).map(
-    (p) => isAbsolute2(p) ? p : resolve2(options.repoRoot, p)
+    (p) => isAbsolute3(p) ? p : resolve3(options.repoRoot, p)
   );
   let localResult;
   switch (options.kind) {
@@ -3667,7 +3749,7 @@ function runLocalValidateArtifactCommand(options) {
 }
 function readLocalArtifact(path9, failureCode) {
   try {
-    const raw = readFileSync7(path9, "utf-8");
+    const raw = readFileSync8(path9, "utf-8");
     const parsed = JSON.parse(raw);
     if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
       return {
@@ -4366,8 +4448,8 @@ function validateLocalTriage(prdPath, issuePaths) {
 }
 
 // commands/issue-run.ts
-import { existsSync as existsSync12, readFileSync as readFileSync14 } from "fs";
-import { isAbsolute as isAbsolute3, join as join15 } from "path";
+import { existsSync as existsSync12, readFileSync as readFileSync15 } from "fs";
+import { isAbsolute as isAbsolute4, join as join15 } from "path";
 
 // pr/templates.ts
 init_common();
@@ -4502,12 +4584,12 @@ function runEffectAndMapExit(program) {
 }
 
 // shared/attempt-log.ts
-import { appendFileSync, existsSync as existsSync8, mkdirSync as mkdirSync6, readFileSync as readFileSync8 } from "fs";
-import { dirname as dirname3, join as join8 } from "path";
+import { appendFileSync, existsSync as existsSync8, mkdirSync as mkdirSync6, readFileSync as readFileSync9 } from "fs";
+import { dirname as dirname4, join as join8 } from "path";
 var ATTEMPT_LOG_PATH = ".pourkit/attempt-log.jsonl";
 function writeAttemptLog(worktreePath, entry) {
   const logPath = join8(worktreePath, ATTEMPT_LOG_PATH);
-  mkdirSync6(dirname3(logPath), { recursive: true });
+  mkdirSync6(dirname4(logPath), { recursive: true });
   appendFileSync(logPath, JSON.stringify(entry) + "\n", "utf-8");
 }
 function readAttemptLog(worktreePath) {
@@ -4515,7 +4597,7 @@ function readAttemptLog(worktreePath) {
   if (!existsSync8(logPath)) {
     return [];
   }
-  const raw = readFileSync8(logPath, "utf-8");
+  const raw = readFileSync9(logPath, "utf-8");
   const lines = raw.split("\n").filter((l) => l.length > 0);
   const entries = [];
   for (const line of lines) {
@@ -4634,7 +4716,7 @@ async function runBaseRefreshAttempt(options) {
 }
 
 // commands/conflict-resolution.ts
-import { existsSync as existsSync9, readFileSync as readFileSync9 } from "fs";
+import { existsSync as existsSync9, readFileSync as readFileSync10 } from "fs";
 import { join as join9 } from "path";
 init_common();
 var CONFLICT_MARKER_PATTERN2 = /<<<<<<<|=======|>>>>>>>/m;
@@ -4642,7 +4724,7 @@ async function hasUnresolvedConflictMarkers(worktreePath, files) {
   for (const file of files) {
     const filePath = join9(worktreePath, file);
     try {
-      const content = readFileSync9(filePath, "utf-8");
+      const content = readFileSync10(filePath, "utf-8");
       if (CONFLICT_MARKER_PATTERN2.test(content)) {
         return true;
       }
@@ -4922,7 +5004,7 @@ async function canReachMcp(url) {
       return true;
     } catch {
       if (attempt < 9) {
-        await new Promise((resolve3) => setTimeout(resolve3, 100));
+        await new Promise((resolve5) => setTimeout(resolve5, 100));
       }
     }
   }
@@ -4973,7 +5055,7 @@ async function prepareSerenaForTarget(options) {
 }
 
 // failure-resolution/failure-resolution-agent.ts
-import { readFileSync as readFileSync10 } from "fs";
+import { readFileSync as readFileSync11 } from "fs";
 import { join as join10 } from "path";
 
 // failure-resolution/recovery-policy.ts
@@ -5127,7 +5209,7 @@ async function runFailureResolutionAgent(options) {
   }
   let artifact;
   try {
-    const md = readFileSync10(fullArtifactPath, "utf-8");
+    const md = readFileSync11(fullArtifactPath, "utf-8");
     const validation2 = validateAgentArtifact({
       kind: "failure-resolution",
       artifactPath: fullArtifactPath,
@@ -5221,7 +5303,7 @@ async function writeRecoveryAttempt(worktreePath, outcome, fingerprint, summary,
 
 // commands/pr-description-agent.ts
 import { join as join12 } from "path";
-import { readFileSync as readFileSync11 } from "fs";
+import { readFileSync as readFileSync12 } from "fs";
 
 // pr/pr-description-context.ts
 init_common();
@@ -5415,7 +5497,7 @@ function runFinalizerAgent(options) {
       ],
       logger: options.logger
     });
-    const output = readFileSync11(artifactPath, "utf-8");
+    const output = readFileSync12(artifactPath, "utf-8");
     yield* persistGeneratedArtifactEffect(options.worktreePath, output, fs);
     return result;
   });
@@ -5543,7 +5625,7 @@ function persistGeneratedArtifactEffect(worktreePath, output, fs) {
 
 // prd-run/local-merge-coordinator.ts
 import { execFileSync as execFileSync2 } from "child_process";
-import { existsSync as existsSync10, mkdirSync as mkdirSync7, readFileSync as readFileSync12, writeFileSync as writeFileSync4 } from "fs";
+import { existsSync as existsSync10, mkdirSync as mkdirSync7, readFileSync as readFileSync13, writeFileSync as writeFileSync4 } from "fs";
 import { join as join13 } from "path";
 
 // prd-run/local-branches.ts
@@ -5646,7 +5728,7 @@ function readIssueBranchName(repoRoot2, prdId, issueId) {
   const issuePath = getIssueArtifactPath(repoRoot2, prdId, issueId);
   if (!existsSync10(issuePath)) return null;
   try {
-    const content = readFileSync12(issuePath, "utf-8");
+    const content = readFileSync13(issuePath, "utf-8");
     const parsed = JSON.parse(content);
     return typeof parsed.branchName === "string" && parsed.branchName ? parsed.branchName : null;
   } catch {
@@ -5658,7 +5740,7 @@ async function hasLocalIssueMergeReceipt(prdId, issueId, repoRoot2) {
   const receiptPath = getMergeReceiptPath(root, prdId, issueId);
   if (!existsSync10(receiptPath)) return null;
   try {
-    const content = readFileSync12(receiptPath, "utf-8");
+    const content = readFileSync13(receiptPath, "utf-8");
     const parsed = JSON.parse(content);
     if (typeof parsed.prdId === "string" && typeof parsed.issueId === "string" && typeof parsed.stage === "string" && typeof parsed.sourceBranch === "string" && typeof parsed.localPrdBranch === "string" && typeof parsed.mergeCommit === "string" && typeof parsed.completedAt === "string") {
       return parsed;
@@ -5674,7 +5756,7 @@ async function squashMergeLocalIssue(prdId, issueId, input, repoRoot2) {
   if (existsSync10(receiptPath)) {
     try {
       const existing = JSON.parse(
-        readFileSync12(receiptPath, "utf-8")
+        readFileSync13(receiptPath, "utf-8")
       );
       if (existing.prdId === prdId && existing.issueId === issueId && existing.mergeCommit) {
         return {
@@ -6083,7 +6165,7 @@ function runMergeCoordinator(options) {
 }
 
 // commands/issue-final-review-agent.ts
-import { existsSync as existsSync11, readFileSync as readFileSync13 } from "fs";
+import { existsSync as existsSync11, readFileSync as readFileSync14 } from "fs";
 import { join as join14 } from "path";
 var ISSUE_FINAL_REVIEW_ARTIFACT_PATH = join14(
   ".pourkit",
@@ -6197,12 +6279,21 @@ async function runIssueFinalReviewAgent(options) {
 }
 function loadIssueFinalReviewPrompt(repoRoot2, promptTemplate) {
   const promptPath = resolvePromptTemplatePath(repoRoot2, promptTemplate);
-  const promptBody = existsSync11(promptPath) ? readFileSync13(promptPath, "utf-8") : promptTemplate;
+  const promptBody = existsSync11(promptPath) ? readFileSync14(promptPath, "utf-8") : promptTemplate;
   return appendProtectedWorkGuidance(`${promptBody}
 
 ## Shared Run Context
 
-Read the selected issue requirements, PRD context, comments, branch context, verification commands, and artifact paths from: ${RUN_CONTEXT_PATH_IN_WORKTREE}`);
+Read the selected issue requirements, PRD context, comments, branch context, verification commands, and artifact paths from: ${RUN_CONTEXT_PATH_IN_WORKTREE}
+
+## Initial Verification Pass
+
+- First read ${RUN_CONTEXT_PATH_IN_WORKTREE} only far enough to identify the configured verification commands.
+- Before reviewing code, diffs, artifacts, or prior findings, run each configured verification command yourself from the Worktree.
+- Run the commands exactly as configured. Do not substitute narrower commands unless the configured command cannot run.
+- If a configured command fails, keep reviewing after recording the failure details; use the failure output as review evidence.
+- If a command cannot run because the environment is missing required setup, dependencies, or scripts outside agent control, treat it as a human handoff blocker.
+- If no verification commands are configured, note that and proceed with normal review.`);
 }
 
 // issues/issue-transitions.ts
@@ -6405,7 +6496,7 @@ async function advanceIssueFinalReview(options) {
         "Issue Final Review state is incomplete: missing artifactPath"
       );
     }
-    const artifactPath = isAbsolute3(ifrFromState.artifactPath) ? ifrFromState.artifactPath : join15(worktreePath, ifrFromState.artifactPath);
+    const artifactPath = isAbsolute4(ifrFromState.artifactPath) ? ifrFromState.artifactPath : join15(worktreePath, ifrFromState.artifactPath);
     const validation = validateAgentArtifact({
       kind: "issue-final-review",
       artifactPath,
@@ -6437,6 +6528,12 @@ async function advanceIssueFinalReview(options) {
     logger,
     reviewArtifactPath
   });
+  await assertCanonicalBaseAncestor({
+    worktreePath,
+    baseRef: `origin/${target.baseBranch}`,
+    stageName: "Issue Final Review",
+    logger
+  });
   if (result.verdict === "pass") {
     updateWorktreeRunState(worktreePath, {
       issueFinalReview: {
@@ -6661,6 +6758,14 @@ async function startIssueRun(options) {
     };
   }
   if (executionResult.worktreePath) {
+    if (shouldRunBuilder) {
+      await assertCanonicalBaseAncestor({
+        worktreePath: executionResult.worktreePath,
+        baseRef: `origin/${effectiveBaseBranch}`,
+        stageName: "Builder",
+        logger
+      });
+    }
     if (worktreeState) {
       updateWorktreeRunState(executionResult.worktreePath, {
         completedStages: { builder: true }
@@ -6722,6 +6827,12 @@ async function advanceIssueRunReview(options) {
       }
     })
   );
+  await assertCanonicalBaseAncestor({
+    worktreePath: options.worktreePath,
+    baseRef: `origin/${options.target.baseBranch}`,
+    stageName: "Review/Refactor",
+    logger: options.logger
+  });
   updateWorktreeRunState(options.worktreePath, {
     review: {
       lifetimeIterations: reviewResult.lifetimeIterations,
@@ -6790,7 +6901,7 @@ async function completeIssueRun(options) {
               message: `Finalizer artifact missing at ${finalizerFromState.artifactPath}`
             });
           }
-          const artifactContent = readFileSync14(
+          const artifactContent = readFileSync15(
             finalizerFromState.artifactPath,
             "utf-8"
           );
@@ -6848,6 +6959,14 @@ async function completeIssueRun(options) {
       }
       prTitle = finalizerResult.title;
       prBody = finalizerResult.body;
+      if (executionResult.worktreePath) {
+        await assertCanonicalBaseAncestor({
+          worktreePath: executionResult.worktreePath,
+          baseRef: `origin/${effectiveBaseBranch}`,
+          stageName: "Finalizer",
+          logger
+        });
+      }
     }
     prTitle = ensureConventionalPrTitle(
       prTitle,
@@ -7216,18 +7335,12 @@ function getRefactorArtifactDir(artifactPath) {
 }
 async function finalizeWorktreeCommit(options) {
   const { worktreePath, baseRef, title, body, logger } = options;
-  await syncRemoteBaseRef(worktreePath, baseRef, logger);
-  try {
-    await execCapture("git", ["merge-base", "--is-ancestor", baseRef, "HEAD"], {
-      cwd: worktreePath,
-      logger,
-      label: "git merge-base --is-ancestor"
-    });
-  } catch {
-    throw new Error(
-      `Cannot finalize stale worktree: ${baseRef} is not an ancestor of HEAD. Refresh the branch onto the latest target base before creating the final commit.`
-    );
-  }
+  await assertCanonicalBaseAncestor({
+    worktreePath,
+    baseRef,
+    stageName: "final commit",
+    logger
+  });
   await execCapture("git", ["reset", "--soft", baseRef], {
     cwd: worktreePath,
     logger,
@@ -7244,6 +7357,21 @@ async function finalizeWorktreeCommit(options) {
     label: "git commit"
   });
 }
+async function assertCanonicalBaseAncestor(options) {
+  const { worktreePath, baseRef, stageName, logger } = options;
+  await syncRemoteBaseRef(worktreePath, baseRef, logger);
+  try {
+    await execCapture("git", ["merge-base", "--is-ancestor", baseRef, "HEAD"], {
+      cwd: worktreePath,
+      logger,
+      label: "git merge-base --is-ancestor"
+    });
+  } catch {
+    throw new Error(
+      `Cannot continue after ${stageName}: ${baseRef} is not an ancestor of HEAD. An agent may have moved the issue branch behind the canonical base; refresh the branch onto the latest target base before continuing.`
+    );
+  }
+}
 async function syncRemoteBaseRef(worktreePath, baseRef, logger) {
   const remoteBase = parseRemoteBaseRef(baseRef);
   if (!remoteBase) {
@@ -7487,7 +7615,7 @@ async function syncTargetBranch(root, baseBranch, logger) {
 }
 function loadBuilderPrompt(repoRoot2, promptTemplate) {
   const promptPath = resolvePromptTemplatePath(repoRoot2, promptTemplate);
-  const promptBody = existsSync12(promptPath) ? readFileSync14(promptPath, "utf-8") : promptTemplate;
+  const promptBody = existsSync12(promptPath) ? readFileSync15(promptPath, "utf-8") : promptTemplate;
   return appendProtectedWorkGuidance(`${promptBody}
 
 ## Shared Run Context
@@ -7984,12 +8112,12 @@ import {
   lstatSync,
   mkdirSync as mkdirSync10,
   mkdtempSync,
-  readFileSync as readFileSync17,
+  readFileSync as readFileSync18,
   realpathSync,
   rmSync as rmSync3
 } from "fs";
 import { spawnSync as spawnSync3 } from "child_process";
-import { dirname as dirname4, join as join20, relative as relative2 } from "path";
+import { dirname as dirname5, join as join20, relative as relative2 } from "path";
 import { tmpdir } from "os";
 import { Match, pipe } from "effect";
 
@@ -7997,20 +8125,20 @@ import { Match, pipe } from "effect";
 import {
   existsSync as existsSync13,
   mkdirSync as mkdirSync8,
-  readFileSync as readFileSync15,
+  readFileSync as readFileSync16,
   readdirSync as readdirSync4,
   writeFileSync as writeFileSync5
 } from "fs";
 import { mkdir as mkdir4, readFile as readFile4, writeFile } from "fs/promises";
 import { join as join16 } from "path";
-import { z as z2 } from "zod";
+import { z } from "zod";
 var PRD_RUN_STATE_DIR = ".pourkit/prd-runs";
-var PrdRunRecordSchema = z2.object({
-  prdRef: z2.string().regex(
+var PrdRunRecordSchema = z.object({
+  prdRef: z.string().regex(
     /^PRD-\d{4}$/,
     "PRD ref must use four-digit format (e.g., PRD-0052)"
   ),
-  status: z2.enum([
+  status: z.enum([
     "blocked",
     "starting",
     "running",
@@ -8022,61 +8150,61 @@ var PrdRunRecordSchema = z2.object({
     "complete",
     "completed_local_branch"
   ]),
-  updatedAt: z2.string().min(1),
-  mode: z2.enum(["github", "local"]).optional(),
-  blockedGate: z2.enum(["receipt-check", "branch-state", "git", "queue", "final-review"]).optional(),
-  targetName: z2.string().min(1).optional(),
-  prdBranch: z2.string().min(1).optional(),
-  blockedReason: z2.string().min(1).optional(),
-  diagnostics: z2.array(z2.string()).optional(),
-  offendingPaths: z2.array(z2.string()).optional(),
-  start: z2.object({
-    status: z2.enum(["started", "succeeded", "adopted", "reused"]),
-    targetName: z2.string().min(1),
-    prdBranch: z2.string().min(1),
-    startBaseBranch: z2.string().min(1),
-    startBaseCommit: z2.string().min(1).optional(),
-    branchAction: z2.enum(["created", "reused", "adopted"]).optional(),
-    startedAt: z2.string().min(1).optional(),
-    queueStartedAt: z2.string().min(1).optional(),
-    queueDrainedAt: z2.string().min(1).optional(),
-    queueProcessedCount: z2.number().int().nonnegative().optional(),
-    queueCommand: z2.literal("queue-run").optional(),
-    refreshReceipts: z2.tuple([]).optional()
+  updatedAt: z.string().min(1),
+  mode: z.enum(["github", "local"]).optional(),
+  blockedGate: z.enum(["receipt-check", "branch-state", "git", "queue", "final-review"]).optional(),
+  targetName: z.string().min(1).optional(),
+  prdBranch: z.string().min(1).optional(),
+  blockedReason: z.string().min(1).optional(),
+  diagnostics: z.array(z.string()).optional(),
+  offendingPaths: z.array(z.string()).optional(),
+  start: z.object({
+    status: z.enum(["started", "succeeded", "adopted", "reused"]),
+    targetName: z.string().min(1),
+    prdBranch: z.string().min(1),
+    startBaseBranch: z.string().min(1),
+    startBaseCommit: z.string().min(1).optional(),
+    branchAction: z.enum(["created", "reused", "adopted"]).optional(),
+    startedAt: z.string().min(1).optional(),
+    queueStartedAt: z.string().min(1).optional(),
+    queueDrainedAt: z.string().min(1).optional(),
+    queueProcessedCount: z.number().int().nonnegative().optional(),
+    queueCommand: z.literal("queue-run").optional(),
+    refreshReceipts: z.tuple([]).optional()
   }).strict().optional(),
-  finalReview: z2.object({
-    status: z2.enum([
+  finalReview: z.object({
+    status: z.enum([
       "started",
       "succeeded",
       "blocked",
       "needs_human_review",
       "final_reviewed"
     ]),
-    targetName: z2.string().min(1),
-    prdBranch: z2.string().min(1),
-    mergeBase: z2.string().min(1).optional(),
-    verdict: z2.enum([
+    targetName: z.string().min(1),
+    prdBranch: z.string().min(1),
+    mergeBase: z.string().min(1).optional(),
+    verdict: z.enum([
       "pass_no_changes",
       "pass_with_retouch",
       "needs_human_review",
       "blocked"
     ]).optional(),
-    artifactPath: z2.string().min(1).optional(),
-    diagnostics: z2.array(z2.string()).optional(),
-    reviewedAt: z2.string().min(1).optional(),
-    retouchPrNumber: z2.number().int().positive().optional(),
-    retouchPrUrl: z2.string().url().optional(),
-    retouchMergeCommit: z2.string().min(1).optional(),
-    autoMerge: z2.boolean().optional(),
-    changedPaths: z2.array(z2.string()).optional()
+    artifactPath: z.string().min(1).optional(),
+    diagnostics: z.array(z.string()).optional(),
+    reviewedAt: z.string().min(1).optional(),
+    retouchPrNumber: z.number().int().positive().optional(),
+    retouchPrUrl: z.string().url().optional(),
+    retouchMergeCommit: z.string().min(1).optional(),
+    autoMerge: z.boolean().optional(),
+    changedPaths: z.array(z.string()).optional()
   }).strict().optional(),
-  scopeChanges: z2.array(
-    z2.object({
-      issueNumber: z2.number().int().positive(),
-      decision: z2.literal("accepted_scope_change"),
-      reason: z2.string().min(1),
-      acceptedBy: z2.string().min(1),
-      acceptedAt: z2.string().min(1)
+  scopeChanges: z.array(
+    z.object({
+      issueNumber: z.number().int().positive(),
+      decision: z.literal("accepted_scope_change"),
+      reason: z.string().min(1),
+      acceptedBy: z.string().min(1),
+      acceptedAt: z.string().min(1)
     }).strict()
   ).optional()
 }).strict();
@@ -8097,12 +8225,12 @@ function readPrdRun(repoRoot2, prdRef) {
     return { record: null, diagnostics: [] };
   }
   try {
-    const raw = JSON.parse(readFileSync15(recordPath, "utf-8"));
+    const raw = JSON.parse(readFileSync16(recordPath, "utf-8"));
     const parsed = normalizeLegacyPrdRunRecord(PrdRunRecordSchema.parse(raw));
     return { record: parsed, diagnostics: [] };
   } catch (error) {
     try {
-      const raw = JSON.parse(readFileSync15(recordPath, "utf-8"));
+      const raw = JSON.parse(readFileSync16(recordPath, "utf-8"));
       if (raw && typeof raw === "object" && raw.start && typeof raw.start === "object" && raw.start.startBaseBranch === void 0) {
         return {
           record: raw,
@@ -8136,7 +8264,7 @@ function listPrdRuns(repoRoot2) {
     const recordPath = join16(stateDir, entry.name);
     try {
       const record = normalizeLegacyPrdRunRecord(
-        PrdRunRecordSchema.parse(JSON.parse(readFileSync15(recordPath, "utf-8")))
+        PrdRunRecordSchema.parse(JSON.parse(readFileSync16(recordPath, "utf-8")))
       );
       records.push(record);
     } catch (error) {
@@ -8168,40 +8296,40 @@ function normalizeLegacyPrdRunRecord(record) {
     offendingPaths: void 0
   };
 }
-var LocalPrdRunRecordSchema = z2.object({
-  prdId: z2.string().regex(
+var LocalPrdRunRecordSchema = z.object({
+  prdId: z.string().regex(
     /^PRD-\d{4}$/,
     "PRD id must use four-digit format (e.g., PRD-0052)"
   ),
-  createdAt: z2.string().min(1),
-  receipts: z2.object({
-    start: z2.object({
-      startedAt: z2.string().min(1),
-      branch: z2.string().min(1),
-      baseCommit: z2.string().min(1)
+  createdAt: z.string().min(1),
+  receipts: z.object({
+    start: z.object({
+      startedAt: z.string().min(1),
+      branch: z.string().min(1),
+      baseCommit: z.string().min(1)
     }).strict().optional(),
-    queue: z2.object({ completedAt: z2.string().min(1) }).strict().optional(),
-    finalReview: z2.object({
-      completedAt: z2.string().min(1),
-      targetName: z2.string().optional(),
-      prdBranch: z2.string().optional(),
-      mergeBase: z2.string().optional(),
-      verdict: z2.enum([
+    queue: z.object({ completedAt: z.string().min(1) }).strict().optional(),
+    finalReview: z.object({
+      completedAt: z.string().min(1),
+      targetName: z.string().optional(),
+      prdBranch: z.string().optional(),
+      mergeBase: z.string().optional(),
+      verdict: z.enum([
         "pass_no_changes",
         "pass_with_retouch",
         "needs_human_review",
         "blocked"
       ]).optional(),
-      diagnostics: z2.array(z2.string()).optional(),
-      artifactPath: z2.string().optional()
+      diagnostics: z.array(z.string()).optional(),
+      artifactPath: z.string().optional()
     }).strict().optional(),
-    complete: z2.object({
-      completedAt: z2.string().min(1),
-      branch: z2.string().min(1),
-      stages: z2.array(z2.string())
+    complete: z.object({
+      completedAt: z.string().min(1),
+      branch: z.string().min(1),
+      stages: z.array(z.string())
     }).strict().optional()
   }).strict(),
-  metadata: z2.record(z2.unknown())
+  metadata: z.record(z.unknown())
 }).strict();
 function getRecordPath(repoRoot2, prdRef) {
   return join16(
@@ -8213,20 +8341,20 @@ function getRecordPath(repoRoot2, prdRef) {
 
 // prd-run/evidence-packet.ts
 import { createHash as createHash2 } from "crypto";
-import { z as z3 } from "zod";
+import { z as z2 } from "zod";
 var PRD_REF_REGEX2 = /^PRD-\d{3,4}$/;
-var StageSchema = z3.enum(["prdFinalReview", "prdReconciliation"]);
-var EvidencePacketSchema = z3.object({
-  prdRef: z3.string().regex(PRD_REF_REGEX2),
-  prdBranch: z3.string().min(1),
-  mergeBase: z3.string().min(6),
-  planningManifestPath: z3.string().min(1),
-  planningManifestFacts: z3.object({
-    parentPrdIssueUrl: z3.string().min(1),
-    childIssueCount: z3.number().int().nonnegative()
+var StageSchema = z2.enum(["prdFinalReview", "prdReconciliation"]);
+var EvidencePacketSchema = z2.object({
+  prdRef: z2.string().regex(PRD_REF_REGEX2),
+  prdBranch: z2.string().min(1),
+  mergeBase: z2.string().min(6),
+  planningManifestPath: z2.string().min(1),
+  planningManifestFacts: z2.object({
+    parentPrdIssueUrl: z2.string().min(1),
+    childIssueCount: z2.number().int().nonnegative()
   }),
   stage: StageSchema,
-  stageReceipts: z3.record(z3.string(), z3.unknown())
+  stageReceipts: z2.record(z2.string(), z2.unknown())
 }).strict();
 
 // commands/prd-run.ts
@@ -8437,7 +8565,7 @@ import { mkdirSync as mkdirSync9, writeFileSync as writeFileSync6 } from "fs";
 import { join as join18 } from "path";
 
 // prd-run/local-queue-loop.ts
-import { readFileSync as readFileSync16, writeFileSync as writeFileSync7 } from "fs";
+import { readFileSync as readFileSync17, writeFileSync as writeFileSync7 } from "fs";
 import { join as join19 } from "path";
 
 // prd-run/local-issue-run.ts
@@ -8574,7 +8702,7 @@ function getIssueArtifactPath2(repoRoot2, prdId, issueId) {
 }
 function readIssueArtifact(repoRoot2, prdId, issueId) {
   try {
-    const content = readFileSync16(
+    const content = readFileSync17(
       getIssueArtifactPath2(repoRoot2, prdId, issueId),
       "utf-8"
     );
@@ -9316,7 +9444,7 @@ function validateLocalStartStore(repoRoot2, prdRef) {
   if (existsSync16(localStoreDir)) {
     const localStorePath = join20(localStoreDir, "prd.json");
     try {
-      const content = JSON.parse(readFileSync17(localStorePath, "utf8"));
+      const content = JSON.parse(readFileSync18(localStorePath, "utf8"));
       localStoreReady = content?.id === prdRef && content?.kind === "prd";
     } catch {
       localStoreReady = false;
@@ -11115,135 +11243,120 @@ function inferVerificationCommands(scripts, pm) {
 }
 function generateConfigTemplate(options) {
   const {
-    sourceRoot,
-    targetRoot,
-    packageManager,
     baseBranch,
+    packageManager,
     verificationCommands,
     hasPackageJson = true,
     labels: maybeLabels
   } = options;
   const labels = maybeLabels ?? DEFAULT_RUNNER_LABELS;
-  const relPath = path5.relative(targetRoot, sourceRoot).replace(/\\/g, "/");
-  const importPath = relPath || ".";
   const setupCommand = `${packageManager} install`;
-  let setupSection;
-  if (hasPackageJson) {
-    setupSection = [
-      "      setupCommands: [",
-      `        { command: "${setupCommand}", label: "install" },`,
-      "      ],"
-    ].join("\n");
-  } else {
-    setupSection = "";
-  }
-  let verifySection;
-  if (verificationCommands.length > 0) {
-    const cmdLines = verificationCommands.map((vc) => `        { command: "${vc.command}", label: "${vc.label}" }`).join(",\n");
-    verifySection = [
-      "        verify: {",
-      "          commands: [",
-      cmdLines,
-      "          ],",
-      "        },"
-    ].join("\n");
-  } else {
-    verifySection = [
-      "        // verify: {",
-      "        //   commands: [",
-      "        //     No matching scripts found in package.json.",
-      "        //   ],",
-      "        // },"
-    ].join("\n");
-  }
-  return `import { definePourkitConfig } from "${importPath}/pourkit/shared/config";
-import type { PourkitConfig } from "${importPath}/pourkit/shared/config";
-
-export default definePourkitConfig({
-  targets: [
-    {
-      name: "default",
-      baseBranch: "${baseBranch}",
-      branchTemplate: "pourkit/{{issue.number}}/{{issue.slug}}",
-      autoMerge: false,
-${setupSection}
-      strategy: {
-        type: "review-refactor-loop",
-        implement: {
-          builder: {
-            agent: "pourkit-builder",
-            model: "opencode-go/deepseek-v4-flash",
-            promptTemplate: ".pourkit/prompts/builder.prompt.md",
-          },
-        },
-        review: {
-          reviewer: {
-            agent: "pourkit-reviewer",
-            model: "opencode-go/deepseek-v4-pro",
-            promptTemplate: ".pourkit/prompts/reviewer.prompt.md",
-            criteria: ["correctness", "scope", "tests", "quality"],
-          },
-          refactor: {
-            agent: "pourkit-refactor",
-            model: "opencode-go/qwen3.6-plus",
-            promptTemplate: ".pourkit/prompts/refactor.prompt.md",
-          },
-          maxIterations: 3,
-          passWithNotesRefactorAttempts: 2,
+  const target = {
+    name: "default",
+    baseBranch,
+    branchTemplate: "pourkit/{{issue.number}}/{{issue.slug}}",
+    autoMerge: false,
+    strategy: {
+      type: "review-refactor-loop",
+      implement: {
+        builder: {
+          agent: "pourkit-builder",
+          model: "opencode-go/deepseek-v4-flash",
+          promptTemplate: ".pourkit/prompts/builder.prompt.md"
+        }
+      },
+      failureResolution: {
+        agent: "pourkit-failure-resolution-agent",
+        model: "opencode-go/mimo-v2.5",
+        promptTemplate: ".pourkit/prompts/failure-resolution.prompt.md",
+        maxAttemptsPerFailure: 1
+      },
+      review: {
+        reviewer: {
+          agent: "pourkit-reviewer",
+          model: "opencode-go/deepseek-v4-pro",
+          promptTemplate: ".pourkit/prompts/reviewer.prompt.md",
+          criteria: ["correctness", "scope", "tests", "quality"]
         },
-${verifySection}
-        finalize: {
-          prDescriptionAgent: {
-            agent: "pourkit-pr-description",
-            model: "opencode-go/deepseek-v4-flash",
-            promptTemplate: ".pourkit/prompts/pr-description.prompt.md",
-          },
-          maxAttempts: 2,
+        refactor: {
+          agent: "pourkit-refactor",
+          model: "opencode-go/qwen3.6-plus",
+          promptTemplate: ".pourkit/prompts/refactor.prompt.md"
         },
+        maxIterations: 3,
+        passWithNotesRefactorAttempts: 2
       },
-    },
-  ],
-  labels: {
-    readyForAgent: ${JSON.stringify(labels.readyForAgent)},
-    agentInProgress: ${JSON.stringify(labels.agentInProgress)},
-    blocked: ${JSON.stringify(labels.blocked)},
-    prOpenAwaitingMerge: ${JSON.stringify(labels.prOpenAwaitingMerge)},
-    readyForHuman: ${JSON.stringify(labels.readyForHuman)},
-  },
-  sandbox: {
-    provider: "docker",
-    copyToWorktree: ["node_modules"],
-    mounts: [
-      {
-        hostPath: "~/.local/share/opencode",
-        sandboxPath: "/home/agent/.local/share/opencode",
-        readonly: false,
+      issueFinalReview: {
+        agent: "pourkit-reviewer",
+        model: "opencode-go/deepseek-v4-pro",
+        promptTemplate: ".pourkit/prompts/issue-final-review.prompt.md",
+        maxAttempts: 3
       },
-      {
-        hostPath: "~/.config/opencode",
-        sandboxPath: "/home/agent/.config/opencode",
-        readonly: true,
+      finalize: {
+        prDescriptionAgent: {
+          agent: "pourkit-pr-description",
+          model: "opencode-go/deepseek-v4-flash",
+          promptTemplate: ".pourkit/prompts/pr-description.prompt.md"
+        },
+        maxAttempts: 2
+      }
+    }
+  };
+  if (hasPackageJson) {
+    target.setupCommands = [
+      { command: setupCommand, label: "install" }
+    ];
+  }
+  if (verificationCommands.length > 0) {
+    target.strategy.verify = {
+      commands: verificationCommands
+    };
+  }
+  const config = {
+    $schema: "./schema/pourkit.schema.json",
+    schemaVersion: 1,
+    targets: [target],
+    labels: {
+      readyForAgent: labels.readyForAgent,
+      agentInProgress: labels.agentInProgress,
+      blocked: labels.blocked,
+      prOpenAwaitingMerge: labels.prOpenAwaitingMerge,
+      readyForHuman: labels.readyForHuman
+    },
+    sandbox: {
+      provider: "docker",
+      copyToWorktree: ["node_modules"],
+      mounts: [
+        {
+          hostPath: "~/.local/share/opencode",
+          sandboxPath: "/home/agent/.local/share/opencode",
+          readonly: false
+        },
+        {
+          hostPath: "~/.config/opencode",
+          sandboxPath: "/home/agent/.config/opencode",
+          readonly: true
+        }
+      ],
+      env: {
+        HOME: "/home/agent",
+        XDG_DATA_HOME: "/home/agent/.local/share",
+        XDG_CONFIG_HOME: "/home/agent/.config",
+        XDG_STATE_HOME: "/home/agent/.local/state",
+        XDG_CACHE_HOME: "/home/agent/.cache"
       },
-    ],
-    env: {
-      HOME: "/home/agent",
-      XDG_DATA_HOME: "/home/agent/.local/share",
-      XDG_CONFIG_HOME: "/home/agent/.config",
-      XDG_STATE_HOME: "/home/agent/.local/state",
-      XDG_CACHE_HOME: "/home/agent/.cache",
+      idleTimeoutSeconds: 300
     },
-    idleTimeoutSeconds: 300,
-  },
-  checks: {
-    requiredLabels: [],
-    allowedAuthors: [],
-    checksFoundTimeoutSeconds: 60,
-    checksCompletionTimeoutSeconds: 1800,
-    pollIntervalSeconds: 15,
-    issueListLimit: 50,
-  },
-});
-`;
+    checks: {
+      requiredLabels: [],
+      allowedAuthors: [],
+      checksFoundTimeoutSeconds: 60,
+      checksCompletionTimeoutSeconds: 1800,
+      pollIntervalSeconds: 15,
+      issueListLimit: 50
+    }
+  };
+  return JSON.stringify(config, null, 2) + "\n";
 }
 function generateOpenCodeConfig(existingConfig = {}) {
   const { $schema, ...rest } = existingConfig;
@@ -11976,15 +12089,13 @@ async function planInit(options) {
           checksum
         });
       }
-      const configTsPath = path5.join(targetRoot, "pourkit.config.ts");
-      if (!existsSync17(configTsPath)) {
+      const configJsonPath = path5.join(targetRoot, ".pourkit", "config.json");
+      if (!existsSync17(configJsonPath)) {
         const verifyCommands = inferVerificationCommands(
           packageScripts,
           pm || "npm"
         );
         const configContent = generateConfigTemplate({
-          targetRoot,
-          sourceRoot,
           packageManager: pm || "npm",
           baseBranch,
           verificationCommands: verifyCommands,
@@ -11993,9 +12104,9 @@ async function planInit(options) {
         });
         operations.push({
           kind: "create",
-          path: configTsPath,
+          path: configJsonPath,
           ownership: "managed",
-          reason: "Init pourkit.config.ts template",
+          reason: "Init .pourkit/config.json template",
           requiresConfirmation: false,
           destructive: false,
           content: configContent
@@ -12003,13 +12114,85 @@ async function planInit(options) {
       } else {
         operations.push({
           kind: "skip",
-          path: configTsPath,
+          path: configJsonPath,
           ownership: "project-owned",
-          reason: "Existing pourkit.config.ts (project-owned)",
+          reason: "Existing .pourkit/config.json (project-owned)",
           requiresConfirmation: false,
           destructive: false
         });
       }
+      const schemaJsonPath = path5.join(
+        targetRoot,
+        ".pourkit",
+        "schema",
+        "pourkit.schema.json"
+      );
+      const srcSchemaJson = path5.join(
+        sourceRoot,
+        "pourkit",
+        "schema",
+        "pourkit.schema.json"
+      );
+      if (existsSync17(srcSchemaJson)) {
+        const checksum = await computeFileChecksum(srcSchemaJson);
+        if (!existsSync17(schemaJsonPath)) {
+          operations.push({
+            kind: "copy",
+            sourcePath: srcSchemaJson,
+            path: schemaJsonPath,
+            ownership: "managed",
+            reason: "Copy schema: pourkit.schema.json",
+            requiresConfirmation: false,
+            destructive: false,
+            checksum
+          });
+        } else {
+          operations.push({
+            kind: "skip",
+            path: schemaJsonPath,
+            ownership: "project-owned",
+            reason: "Existing .pourkit/schema/pourkit.schema.json (project-owned)",
+            requiresConfirmation: false,
+            destructive: false
+          });
+        }
+      }
+      const schemaHashPath = path5.join(
+        targetRoot,
+        ".pourkit",
+        "schema",
+        "pourkit.schema.hash"
+      );
+      const srcSchemaHash = path5.join(
+        sourceRoot,
+        "pourkit",
+        "schema",
+        "pourkit.schema.hash"
+      );
+      if (existsSync17(srcSchemaHash)) {
+        const checksum = await computeFileChecksum(srcSchemaHash);
+        if (!existsSync17(schemaHashPath)) {
+          operations.push({
+            kind: "copy",
+            sourcePath: srcSchemaHash,
+            path: schemaHashPath,
+            ownership: "managed",
+            reason: "Copy schema hash: pourkit.schema.hash",
+            requiresConfirmation: false,
+            destructive: false,
+            checksum
+          });
+        } else {
+          operations.push({
+            kind: "skip",
+            path: schemaHashPath,
+            ownership: "project-owned",
+            reason: "Existing .pourkit/schema/pourkit.schema.hash (project-owned)",
+            requiresConfirmation: false,
+            destructive: false
+          });
+        }
+      }
       const agentFileMode = options.conflictPolicy?.agentFile ?? "both";
       const hasExistingAgents = operations.some(
         (op) => (op.kind === "skip" || op.kind === "update") && op.path?.endsWith("AGENTS.md")
@@ -12994,6 +13177,165 @@ async function runSerenaStatusCommand(options) {
   logSerenaSidecarStatus("Serena sidecar status", status);
 }
 
+// commands/config-schema.ts
+import { readFileSync as readFileSync19, existsSync as existsSync18 } from "fs";
+import { mkdir as mkdir6, readFile as readFile6, writeFile as writeFile3 } from "fs/promises";
+import { resolve as resolve4, dirname as dirname6 } from "path";
+import { fileURLToPath as fileURLToPath2 } from "url";
+import Ajv2 from "ajv";
+var __filename2 = fileURLToPath2(import.meta.url);
+var __dirname2 = dirname6(__filename2);
+var PACKAGED_SCHEMA_PATH = resolve4(
+  __dirname2,
+  "../schema/pourkit.schema.json"
+);
+var PACKAGED_HASH_PATH = resolve4(__dirname2, "../schema/pourkit.schema.hash");
+var _schemaValidator = null;
+var _schemaErrors = null;
+function getSchemaValidator() {
+  if (!_schemaValidator) {
+    const schema = JSON.parse(readFileSync19(PACKAGED_SCHEMA_PATH, "utf-8"));
+    const ajv = new Ajv2({ strict: true });
+    ajv.addKeyword("x-pourkit-schema-version");
+    const validate = ajv.compile(schema);
+    _schemaValidator = (data) => {
+      _schemaErrors = null;
+      const valid2 = validate(data);
+      if (!valid2) _schemaErrors = validate.errors;
+      return valid2;
+    };
+  }
+  return _schemaValidator;
+}
+function readPackagedHash() {
+  return readFileSync19(PACKAGED_HASH_PATH, "utf-8");
+}
+function localSchemaDir(repoRoot2) {
+  return resolve4(repoRoot2, ".pourkit/schema");
+}
+async function runDoctorCommand(options) {
+  const repoRootPath = options.cwd ?? process.cwd();
+  const schemaDir = localSchemaDir(repoRootPath);
+  const localSchemaPath = resolve4(schemaDir, "pourkit.schema.json");
+  const localHashPath = resolve4(schemaDir, "pourkit.schema.hash");
+  const localSchemaExists = existsSync18(localSchemaPath);
+  const localHashExists = existsSync18(localHashPath);
+  let packagedHash = null;
+  try {
+    packagedHash = readPackagedHash();
+  } catch {
+  }
+  let localHashContent = null;
+  if (localHashExists) {
+    try {
+      localHashContent = await readFile6(localHashPath, "utf-8");
+    } catch {
+    }
+  }
+  const schema = !localSchemaExists ? "missing" : !packagedHash || !localHashContent ? "missing" : localHashContent.trim() === packagedHash.trim() ? "fresh" : "stale";
+  const hash = !localHashExists ? "missing" : !packagedHash ? "missing" : localHashContent && localHashContent.trim() === packagedHash.trim() ? "fresh" : "stale";
+  const overall = schema === "fresh" && hash === "fresh" ? "fresh" : schema === "missing" || hash === "missing" ? "missing" : "stale";
+  const configPath = resolve4(repoRootPath, ".pourkit/config.json");
+  let configValidation;
+  if (existsSync18(configPath)) {
+    try {
+      const raw = JSON.parse(readFileSync19(configPath, "utf-8"));
+      const validate = getSchemaValidator();
+      const valid2 = validate(raw);
+      if (valid2) {
+        configValidation = { ok: true, errors: [] };
+      } else {
+        const errors = _schemaErrors;
+        configValidation = {
+          ok: false,
+          errors: (errors ?? []).map(
+            (e) => `${e.instancePath || "(root)"}: ${e.message ?? "validation failed"}`
+          )
+        };
+      }
+    } catch (err) {
+      const msg = err instanceof SyntaxError ? err.message : String(err);
+      configValidation = {
+        ok: false,
+        errors: [`.pourkit/config.json: ${msg}`]
+      };
+    }
+  } else {
+    configValidation = {
+      ok: false,
+      errors: [".pourkit/config.json not found"]
+    };
+  }
+  const obsoleteConfigs = [
+    "pourkit.config.ts",
+    "pourkit.config.mjs",
+    "pourkit.config.js",
+    "pourkit.json"
+  ].filter((p) => existsSync18(resolve4(repoRootPath, p)));
+  let recommendation = null;
+  if (!configValidation.ok || overall !== "fresh" || obsoleteConfigs.length > 0) {
+    const parts = [];
+    if (obsoleteConfigs.length > 0) {
+      parts.push(
+        `Found obsolete config files: ${obsoleteConfigs.join(", ")}. Move configuration to .pourkit/config.json with "$schema": "./schema/pourkit.schema.json".`
+      );
+    }
+    if (!configValidation.ok) {
+      parts.push(
+        "Config validation failed; fix errors in .pourkit/config.json."
+      );
+    }
+    if (overall !== "fresh") {
+      parts.push(
+        'Run "pourkit config sync-schema" to update local schema assets.'
+      );
+    }
+    recommendation = parts.join(" ");
+  }
+  return {
+    configValidation,
+    obsoleteConfigs,
+    schemaAssets: { schema, hash, overall },
+    recommendation
+  };
+}
+async function runConfigSyncSchemaCommand(options) {
+  const repoRootPath = options.cwd ?? process.cwd();
+  const schemaDir = localSchemaDir(repoRootPath);
+  await mkdir6(schemaDir, { recursive: true });
+  const packagedSchema = await readFile6(PACKAGED_SCHEMA_PATH, "utf-8");
+  const packagedHash = await readFile6(PACKAGED_HASH_PATH, "utf-8");
+  const localSchemaPath = resolve4(schemaDir, "pourkit.schema.json");
+  const localHashPath = resolve4(schemaDir, "pourkit.schema.hash");
+  let schemaWritten = false;
+  let hashWritten = false;
+  if (existsSync18(localSchemaPath)) {
+    const existing = await readFile6(localSchemaPath, "utf-8");
+    if (existing !== packagedSchema) {
+      await writeFile3(localSchemaPath, packagedSchema, "utf-8");
+      schemaWritten = true;
+    }
+  } else {
+    await writeFile3(localSchemaPath, packagedSchema, "utf-8");
+    schemaWritten = true;
+  }
+  if (existsSync18(localHashPath)) {
+    const existing = await readFile6(localHashPath, "utf-8");
+    if (existing !== packagedHash) {
+      await writeFile3(localHashPath, packagedHash, "utf-8");
+      hashWritten = true;
+    }
+  } else {
+    await writeFile3(localHashPath, packagedHash, "utf-8");
+    hashWritten = true;
+  }
+  return {
+    changed: schemaWritten || hashWritten,
+    schemaWritten,
+    hashWritten
+  };
+}
+
 // providers/github-provider.ts
 var GitHubIssueProvider = class {
   client;
@@ -13531,14 +13873,14 @@ import { docker } from "@ai-hero/sandcastle/sandboxes/docker";
 // execution/execution-provider.ts
 init_common();
 import { mkdtempSync as mkdtempSync2 } from "fs";
-import { writeFile as writeFile3 } from "fs/promises";
+import { writeFile as writeFile4 } from "fs/promises";
 import { tmpdir as tmpdir2 } from "os";
-import { dirname as dirname5, join as join21 } from "path";
+import { dirname as dirname7, join as join21 } from "path";
 async function writeExecutionArtifacts(worktreePath, artifacts) {
   for (const artifact of artifacts) {
     const filePath = join21(worktreePath, artifact.path);
-    await ensureDir(dirname5(filePath));
-    await writeFile3(filePath, artifact.content, "utf-8");
+    await ensureDir(dirname7(filePath));
+    await writeFile4(filePath, artifact.content, "utf-8");
   }
 }
 
@@ -13548,17 +13890,17 @@ import path7 from "path";
 
 // execution/sandbox-image.ts
 import { createHash as createHash4 } from "crypto";
-import { existsSync as existsSync18, readFileSync as readFileSync18 } from "fs";
+import { existsSync as existsSync19, readFileSync as readFileSync20 } from "fs";
 import path6 from "path";
 function sandboxImageName(repoRoot2) {
   const dirName = path6.basename(repoRoot2.replace(/[\\/]+$/, "")) || "local";
   const sanitized = dirName.toLowerCase().replace(/[^a-z0-9_.-]/g, "-");
   const baseName = sanitized || "local";
   const dockerfilePath = path6.join(repoRoot2, ".sandcastle", "Dockerfile");
-  if (!existsSync18(dockerfilePath)) {
+  if (!existsSync19(dockerfilePath)) {
     return `sandcastle:${baseName}`;
   }
-  const fingerprint = createHash4("sha256").update(readFileSync18(dockerfilePath)).digest("hex").slice(0, 8);
+  const fingerprint = createHash4("sha256").update(readFileSync20(dockerfilePath)).digest("hex").slice(0, 8);
   return `sandcastle:${baseName}-${fingerprint}`;
 }
 
@@ -14418,6 +14760,26 @@ function createCliProgram(version) {
       await runInitCommand(initOptions);
     }
   );
+  program.command("doctor").description("Report Config Schema drift without mutating files").option("--cwd <path>", "target repository directory").action(async (options) => {
+    const targetRepoRoot = options.cwd ? repoRoot(options.cwd) : repoRoot();
+    const report = await runDoctorCommand({ cwd: targetRepoRoot });
+    console.log(JSON.stringify(report, null, 2));
+    if (!report.configValidation.ok || report.obsoleteConfigs.length > 0 || report.schemaAssets.overall !== "fresh") {
+      process.exitCode = 1;
+    }
+  });
+  const configCommand = program.command("config").description("Config management commands");
+  configCommand.command("sync-schema").description("Copy packaged Config Schema assets to .pourkit/schema/").option("--cwd <path>", "target repository directory").action(async (options) => {
+    const targetRepoRoot = options.cwd ? repoRoot(options.cwd) : repoRoot();
+    const result = await runConfigSyncSchemaCommand({ cwd: targetRepoRoot });
+    if (result.changed) {
+      console.log(
+        `Schema assets updated (schema: ${result.schemaWritten ? "written" : "unchanged"}, hash: ${result.hashWritten ? "written" : "unchanged"}).`
+      );
+    } else {
+      console.log("Schema assets are up to date.");
+    }
+  });
   const serena = program.command("serena").description("Serena baseline and sidecar commands");
   serena.command("init").requiredOption("--target <name>", "target name").option("--cwd <path>", "target repository directory").action(async (options) => {
     await runSerenaInitCommand({
@@ -14543,11 +14905,11 @@ function createCliProgram(version) {
   return program;
 }
 async function resolveCliVersion() {
-  if (isPackageVersion("0.0.0-next-20260614002607")) {
-    return "0.0.0-next-20260614002607";
+  if (isPackageVersion("0.0.0-next-20260614074434")) {
+    return "0.0.0-next-20260614074434";
   }
-  if (isReleaseVersion("0.0.0-next-20260614002607")) {
-    return "0.0.0-next-20260614002607";
+  if (isReleaseVersion("0.0.0-next-20260614074434")) {
+    return "0.0.0-next-20260614074434";
   }
   try {
     const root = repoRoot();