@productbrain/cli 0.1.0-beta.15 → 0.1.0-beta.1522

package/dist/commands/handshake.js

@@ -1,19 +1,254 @@
 /**
  * pb handshake — generate context files for AI developer tools.
- * The fourth delivery surface: context export (GLO-63, DEC-161).
+ * Context export wiring (read-only filesystem bridge; GLO-63, DEC-161) — not a product surface.
  */
-import { mkdirSync, writeFileSync, existsSync, readFileSync } from 'fs';
-import { join } from 'path';
+import { mkdirSync, writeFileSync, existsSync, readFileSync, readdirSync, copyFileSync, appendFileSync, unlinkSync, statSync, renameSync, rmSync, realpathSync } from 'fs';
+import { join, dirname, resolve, basename, relative, sep, isAbsolute } from 'path';
 import { homedir } from 'os';
-import { createInterface } from 'readline';
+import { fileURLToPath } from 'url';
+import { createHash } from 'crypto';
+import { execSync } from 'child_process';
 import { getConfigOrGuide } from '../lib/config.js';
-import { mcpCall } from '../lib/client.js';
-import { detectRepo } from '../lib/repo-detect.js';
+import { select as promptSelect, confirm as promptConfirm } from '../lib/prompts.js';
+import { composeHooksFromIntents, getHookStatusForSurface } from '../lib/hook-intents.js';
+import { kernelCall, kernelCallWithSession } from '../lib/client.js';
+import { readSession } from '../lib/session.js';
+import { detectRepo, extractWorkspaceProfile } from '../lib/repo-detect.js';
 import { generateContextMd } from '../generators/context-md.js';
 import { generateBriefingMd } from '../generators/briefing-md.js';
-import { MARKER, generateClaudeMd, generateCursorMdc, generateCopilotMd } from '../generators/adapters.js';
-import { readCanonicalSkills, readCanonicalRules, generateCursorSkill, generateCursorRule, generateClaudeRule, generateClaudeSkillRouter, shouldEmitToTarget, filterByLevel, } from '../generators/portable-knowledge.js';
+import { MARKER, generateAgentsMd, generateClaudeMd, generateCursorMdc, generateCopilotMd } from '../generators/adapters.js';
+import { readCanonicalSkills, readCanonicalRules, readPersonalLayer, readPersonalSkillsLayer, generateCursorSkill, generateCursorRule, generateCodexSkill, generateCodexSkillIndex, generateClaudeRule, generateClaudeSkillRouter, shouldEmitToTarget, filterByLevel, validateCodexSkills, evaluateConditions, STAGE_TO_MAX_LEVEL, LEVEL_ORDER, } from '../generators/portable-knowledge.js';
+import { generateChainRules } from '../generators/chain-rules.js';
+import { saveHandshakeState, loadPreviousState, diffHandshakeState, formatDiff, buildCurrentState, } from '../generators/handshake-diff.js';
+import { resolveSurfaceProfile } from '../generators/surface-profiles.js';
 import { formatHandshakeReport } from '../formatters/handshake.js';
+import { classifyAdapterFile, detectEol, spliceAppend, spliceReplace } from '../generators/region.js';
+import { REGION_PROJECTIONS } from '../generators/region-projections.js';
+import { readManifest, readManifestStatus, filterByAdoptionState } from '../generators/manifest.js';
+import { generateBoundaryManifest, getBoundaryEnforcementMode } from '../generators/boundary-manifest.js';
+import { loadMethodRegistry } from '../lib/method-registry.js';
+import { CLIError, ErrorCode } from '../lib/errors.js';
+import { trackEvent } from '../lib/telemetry.js';
+import { replaceVocabTokens } from '../lib/canonicalRefs.js';
+// WP-436 S3: vocab projector — resolves {{vocab:...}} tokens before writing to disk.
+import { getOrFetchVocabCtx } from '../lib/workspaceVocabCache.js';
+import { normalizeMaterializedFilename } from '../lib/normalizeMaterializedFilename.js';
+import { parseSetupFrontmatter } from '../lib/frontmatter.js';
+import { sanitizeStartupResolutionSignals } from '../lib/startup-resolution-signals.js';
+import { assertSetupWritePath } from '../setup/perimeter.js';
+// WP-421 S3: SurfaceAdapter reverse-map for tampered prompts (DEC-952, doneWhen #34).
+import { canonicalPathForAnySurface, SURFACE_GOVERN_NO_SURFACES, SURFACE_REGISTRY, validateSurfacesForMode, } from '../surfaces/registry.js';
+import { getReverseMapFallbackMessage, reportReverseMapMissing } from '../surfaces/telemetry.js';
+const MAX_HANDSHAKE_WAIT_MS = 10_000; // 10 seconds
+const POLL_INTERVAL_MS = 500; // 500 ms per poll
+const MAX_POLLS = MAX_HANDSHAKE_WAIT_MS / POLL_INTERVAL_MS; // 20
+// ── WP-379 S4: Dormant marker ─────────────────────────────────────────────────
+/**
+ * DORMANT_MARKER — appended to previously-projected asset files when the asset's
+ * gate deactivates (e.g. workspace readiness exceeds the max threshold).
+ *
+ * Contract:
+ *   - The file is NOT deleted. It persists on disk so that history is preserved
+ *     and the agent surface remains inspectable.
+ *   - The marker is appended at the end of the file, idempotent — if it already
+ *     exists, no second append occurs.
+ *   - The marker does NOT trigger a drift TEN. Dormant files are intentionally
+ *     deactivated, not accidentally forked.
+ *   - The marker is never included in active file writes — only dormant writes.
+ *
+ * Used by: writeDormantMarker() (write) and hasDormantMarker() (idempotency check).
+ * Exported for use in tests.
+ *
+ * Chain: WP-379 S4.
+ */
+export const DORMANT_MARKER = '<!-- pb-status: dormant -->';
+/**
+ * hasDormantMarker — check whether a file on disk already has the dormant marker.
+ * Used for idempotency: if the marker is already present, skip the append.
+ */
+function hasDormantMarker(content) {
+    return content.includes(DORMANT_MARKER);
+}
+/**
+ * writeDormantMarker — append the dormant marker to a previously-projected file.
+ *
+ * Idempotent: if DORMANT_MARKER is already present, no-op.
+ * Only operates on files that have the auto-gen MARKER — we never touch
+ * manually-authored files.
+ *
+ * @param filePath  Absolute path to the file.
+ * @returns         'written' | 'already-dormant' | 'skipped' (no auto-gen marker)
+ */
+export function writeDormantMarkerToFile(filePath) {
+    if (!existsSync(filePath))
+        return 'skipped';
+    const content = readFileSync(filePath, 'utf8');
+    // Only mark files that were originally projected by pb handshake.
+    // Files without the auto-gen MARKER are manually authored — leave them alone.
+    if (!content.includes(MARKER))
+        return 'skipped';
+    if (hasDormantMarker(content))
+        return 'already-dormant';
+    // Append the marker on its own line. No trailing newline assumption —
+    // appendFileSync adds to whatever is already there.
+    appendFileSync(filePath, `\n${DORMANT_MARKER}\n`);
+    return 'written';
+}
+/**
+ * renameSurfaceForDormancy — rename a projected surface file to `<path>.dormant`
+ * so external scanners (which glob *.md / *.mdc) stop loading it. WP-426 E4.
+ * The HTML-comment marker is invisible to scanners; the extension change removes
+ * the file from their glob set. Only touches files carrying the auto-gen MARKER.
+ * Runs on an INDEPENDENT existence check (not gated on marker-write result) so
+ * legacy WP-379 marker-only files still rename. Idempotent.
+ * Codex P1: when a .dormant already exists, only replace it if its body matches the
+ * live file. A divergent .dormant (user edited it) is preserved and reported as 'drift'
+ * rather than force-deleted — no silent data loss.
+ * @returns 'renamed' | 'replaced' | 'already-dormant' | 'skipped' | 'drift'
+ */
+export function renameSurfaceForDormancy(filePath) {
+    const dormantPath = `${filePath}.dormant`;
+    if (!existsSync(filePath))
+        return existsSync(dormantPath) ? 'already-dormant' : 'skipped';
+    if (!readFileSync(filePath, 'utf8').includes(MARKER))
+        return 'skipped';
+    const replacing = existsSync(dormantPath);
+    if (replacing) {
+        // Codex P1: the existing .dormant may carry user edits (e.g. the user reactivated to
+        // the live path but kept an edited dormant sibling). Compare normalized bodies
+        // (DORMANT_MARKER + volatile auto-gen timestamp stripped from both); if they diverge,
+        // preserve the .dormant and signal drift instead of force-replacing it.
+        const strip = (s) => normalizeHandshakeContentForComparison(s.split(DORMANT_MARKER).join('')).trimEnd();
+        if (strip(readFileSync(filePath, 'utf8')) !== strip(readFileSync(dormantPath, 'utf8'))) {
+            return 'drift';
+        }
+        rmSync(dormantPath, { force: true });
+    }
+    renameSync(filePath, dormantPath);
+    return replacing ? 'replaced' : 'renamed';
+}
+/**
+ * restoreSurfaceFromDormant — clean the orphan `<path>.dormant` sibling after a
+ * raised (observe→project) asset has been re-projected fresh from the DB body by
+ * the normal write loop. WP-426 E4.
+ * Normalizes the volatile auto-gen timestamp (via normalizeHandshakeContentForComparison)
+ * before comparing, else the lowering-time timestamp would always force a false
+ * 'orphan-drift'. Identical body → remove. Differs (user edited) → preserve + drift.
+ * @returns 'restored' | 'orphan-drift' | 'skipped'
+ */
+export function restoreSurfaceFromDormant(filePath) {
+    const dormantPath = `${filePath}.dormant`;
+    if (!existsSync(dormantPath))
+        return 'skipped';
+    // WP-426 E4: no fresh live projection this run (surface filtered / user-owned / not written) →
+    // nothing to reconcile; absence of fresh is NOT evidence of a user edit. Leave the .dormant.
+    if (!existsSync(filePath))
+        return 'skipped';
+    const fresh = readFileSync(filePath, 'utf8');
+    // Codex P2: only reconcile against a PB-managed projection. A live file WITHOUT the auto-gen
+    // MARKER is a user-owned file (shouldWriteAdapter would have skipped reprojecting it),
+    // so it was NOT raised this run — comparing the .dormant against it would wrongly delete it or
+    // re-fire "edited while dormant" drift. Leave the .dormant untouched.
+    if (!fresh.includes(MARKER))
+        return 'skipped';
+    const dormant = readFileSync(dormantPath, 'utf8').split(DORMANT_MARKER).join('');
+    const norm = (s) => normalizeHandshakeContentForComparison(s).trimEnd();
+    if (norm(dormant) === norm(fresh)) {
+        rmSync(dormantPath, { force: true });
+        return 'restored';
+    }
+    return 'orphan-drift';
+}
+/**
+ * deriveDormantFilePaths — compute the set of on-disk file paths that would have
+ * been projected for a given dormant asset (by name and assetKind).
+ *
+ * Assets are projected to one or more surfaces (cursor/claude/codex) depending
+ * on shouldEmitToTarget. Since we don't re-run shouldEmitToTarget here, we
+ * speculatively probe all known surface paths and let writeDormantMarkerToFile
+ * decide whether each exists and has the auto-gen MARKER.
+ *
+ * @param asset  The dormant asset from the server.
+ * @param cwd    Current working directory (project root).
+ * @returns      Each candidate path paired with its owning surface, so callers can
+ *               filter by the run's allowedTargets (--surfaces) and the perimeter.
+ */
+function deriveDormantFilePaths(asset, cwd) {
+    // Defense-in-depth: even though `name` originates from platform-seeded DB
+    // entries (not user input), validate it against a strict charset before
+    // interpolating into a filesystem path. Reject anything that could traverse
+    // out of the expected directories. WP-379 S4 review finding.
+    if (!/^[A-Za-z0-9 ._-]+$/.test(asset.name)) {
+        return [];
+    }
+    const out = [];
+    const { name, assetKind } = asset;
+    if (assetKind === 'skill') {
+        out.push({ path: join(cwd, '.cursor', 'skills', name, 'SKILL.md'), surface: 'cursor' });
+        out.push({ path: join(cwd, '.codex', 'skills', `${name}.md`), surface: 'codex' });
+    }
+    else if (assetKind === 'rule' || assetKind === 'hook') {
+        out.push({ path: join(cwd, '.cursor', 'rules', `${name}.mdc`), surface: 'cursor' });
+        out.push({ path: join(cwd, '.claude', 'rules', `${name}.md`), surface: 'claude' });
+    }
+    return out;
+}
+/**
+ * Single-shot health probe — calls `workspace.health` and inspects
+ * `starterSetupSeeded`. Does NOT poll internally; polling is the caller's
+ * responsibility (connect-context.ts).
+ *
+ * Returns:
+ *  - `seeds-ready`   — health query succeeded AND starterSetupSeeded is true
+ *  - `seeds-pending` — health query succeeded but starterSetupSeeded is false
+ *  - `probe-failed`  — health query threw (network, auth, etc.)
+ */
+export async function probeStarterSetupSeeded() {
+    try {
+        const health = await kernelCall('workspace.health', {});
+        if (health.starterSetupSeeded) {
+            return { status: 'seeds-ready' };
+        }
+        const starterGaps = (health.gaps ?? []).filter((g) => g.kind === 'starter-setup-missing' || g.kind === 'platform-domains-missing');
+        return {
+            status: 'seeds-pending',
+            gaps: starterGaps.length > 0 ? starterGaps : [
+                {
+                    kind: 'starter-setup-missing',
+                    severity: 'warn',
+                    message: 'Starter setup seeds are still running.',
+                },
+            ],
+        };
+    }
+    catch (err) {
+        return {
+            status: 'probe-failed',
+            error: err instanceof Error ? err.message : String(err),
+        };
+    }
+}
+/**
+ * Poll `probeStarterSetupSeeded` up to MAX_POLLS times (10s at 500ms intervals).
+ * Returns the final probe result — caller decides how to render the outcome.
+ *
+ * Exported so connect-context.ts can use it without re-implementing the loop.
+ */
+export async function pollUntilSeedsReady() {
+    for (let poll = 0; poll < MAX_POLLS; poll++) {
+        const result = await probeStarterSetupSeeded();
+        if (result.status === 'seeds-ready')
+            return result;
+        if (result.status === 'probe-failed')
+            return result; // don't retry on auth/network errors
+        // seeds-pending — wait before next poll
+        if (poll < MAX_POLLS - 1) {
+            await new Promise((res) => setTimeout(res, POLL_INTERVAL_MS));
+        }
+    }
+    // Final probe after exhausting waits — return whatever state we have
+    return probeStarterSetupSeeded();
+}
 const LEVELS = {
     guide: {
         label: 'Guide me',
@@ -45,9 +280,6 @@ const LEVEL_KEYS = ['guide', 'work', 'silent', 'full-trust'];
 // Hook failure contract (TEN-712): all hook commands MUST end with '2>/dev/null || true'
 // so Claude Code always starts even if pb is unavailable. Never remove this suffix.
 const INIT_PERMISSION = 'Bash(pb:*)';
-const INIT_SESSION_START_CMD = 'pb session start 2>/dev/null || true';
-const INIT_SESSION_CLOSE_CMD = 'pb session close 2>/dev/null || true';
-const INIT_PRECOMPACT_CMD = 'pb session id > /dev/null 2>&1 && echo \'{"systemMessage": "pb session active — capture decisions/tensions before compacting: pb capture \\"DEC: ...\\""}\'  || true';
 function readSettings(filePath) {
     if (!existsSync(filePath))
         return {};
@@ -59,9 +291,6 @@ function readSettings(filePath) {
         return {};
     }
 }
-function hasCommand(groups, cmd) {
-    return (groups ?? []).some((g) => g.hooks?.some((h) => h.command === cmd));
-}
 // Team write: hooks + Bash(pb:*) → .claude/settings.json (safe to commit)
 function writeTeamSettings(cwd, dryRun) {
     const claudeDir = join(cwd, '.claude');
@@ -77,26 +306,10 @@ function writeTeamSettings(cwd, dryRun) {
     }
     settings.permissions = permissions;
     const hooks = (settings.hooks ?? {});
-    if (!hasCommand(hooks.SessionStart, INIT_SESSION_START_CMD)) {
-        hooks.SessionStart = [
-            ...(hooks.SessionStart ?? []),
-            { hooks: [{ type: 'command', command: INIT_SESSION_START_CMD, statusMessage: 'Opening pb session...' }] },
-        ];
-        added.push('SessionStart → pb session start');
-    }
-    if (!hasCommand(hooks.Stop, INIT_SESSION_CLOSE_CMD)) {
-        hooks.Stop = [
-            ...(hooks.Stop ?? []),
-            { hooks: [{ type: 'command', command: INIT_SESSION_CLOSE_CMD, statusMessage: 'Closing pb session...' }] },
-        ];
-        added.push('Stop → pb session close');
-    }
-    if (!hasCommand(hooks.PreCompact, INIT_PRECOMPACT_CMD)) {
-        hooks.PreCompact = [
-            ...(hooks.PreCompact ?? []),
-            { hooks: [{ type: 'command', command: INIT_PRECOMPACT_CMD }] },
-        ];
-        added.push('PreCompact → decision capture reminder');
+    const hookAdditions = composeHooksFromIntents(['session-start', 'session-close', 'pre-compact'], hooks);
+    for (const addition of hookAdditions) {
+        hooks[addition.event] = [...(hooks[addition.event] ?? []), addition.entry];
+        added.push(addition.label);
     }
     settings.hooks = hooks;
     if (!dryRun) {
@@ -133,31 +346,26 @@ function writePersonalSettings(levelKey, dryRun) {
     return added;
 }
 async function promptLevel() {
-    const rl = createInterface({ input: process.stdin, output: process.stdout });
-    console.log('\nHow much should Claude explain before acting?\n');
-    LEVEL_KEYS.forEach((key, i) => {
-        const l = LEVELS[key];
-        console.log(`  ${i + 1}. ${l.label.padEnd(12)} — ${l.description}`);
-    });
-    console.log('');
-    return new Promise((resolve) => {
-        rl.question('> ', (answer) => {
-            rl.close();
-            const n = parseInt(answer.trim(), 10);
-            if (!(n >= 1 && n <= LEVEL_KEYS.length)) {
-                console.log('  (Invalid choice — defaulting to "Just work")');
-            }
-            resolve(n >= 1 && n <= LEVEL_KEYS.length ? LEVEL_KEYS[n - 1] : 'work');
-        });
+    const result = await promptSelect({
+        message: 'How much should Claude explain before acting?',
+        options: LEVEL_KEYS.map((key) => ({
+            value: key,
+            label: LEVELS[key].label,
+            hint: LEVELS[key].description,
+        })),
     });
+    return result;
 }
 export async function runHandshakeInit(options = {}) {
     const cwd = process.cwd();
     const dryRun = options.dryRun ?? false;
     const suffix = dryRun ? ' (dry run)' : '';
     if (options.level && !LEVEL_KEYS.includes(options.level)) {
-        console.error(`Unknown level "${options.level}". Valid: ${LEVEL_KEYS.join(', ')}`);
-        process.exit(1);
+        throw new CLIError(`Unknown level "${options.level}".`, {
+            code: ErrorCode.VALIDATION_FAILED,
+            category: 'validation',
+            guidance: `Valid levels: ${LEVEL_KEYS.join(', ')}`,
+        });
     }
     console.log('Setting up Claude Code integration...\n');
     // Step 1: Team config — always, no prompt
@@ -172,7 +380,7 @@ export async function runHandshakeInit(options = {}) {
             console.log(`    + ${item}`);
     }
     // Step 2: Personal config — wizard or --level flag
-    // Cast is safe: LEVEL_KEYS.includes() validated above; invalid level already called process.exit(1).
+    // Cast is safe: LEVEL_KEYS.includes() validated above; invalid level already threw CLIError.
     const levelKey = options.level ? options.level : await promptLevel();
     const level = LEVELS[levelKey];
     const personalAdded = writePersonalSettings(levelKey, dryRun);
@@ -194,6 +402,319 @@ export async function runHandshakeInit(options = {}) {
     if (!dryRun)
         console.log('Reload /hooks in Claude Code (or restart) to activate.');
     console.log('Run `pb handshake --init --level <guide|work|silent|full-trust>` to change level.');
+    // Step 2b: Report multi-surface hook opt-in status (WP-310 E3b)
+    // Reads manifest.hooks.{cursor,copilot} and prints an informational note for
+    // each opted-in surface. Silence = no manifest or no hooks flags set.
+    // DEC-536: Claude-native default is already wired above; this block only fires
+    // when the user has explicitly opted in via manifest.
+    const pbDirForManifest = join(cwd, '.productbrain');
+    const initManifest = readManifest(pbDirForManifest);
+    const multiSurfaceOptIns = [];
+    if (initManifest?.hooks?.cursor)
+        multiSurfaceOptIns.push('cursor');
+    if (initManifest?.hooks?.copilot)
+        multiSurfaceOptIns.push('copilot');
+    if (multiSurfaceOptIns.length > 0) {
+        console.log('');
+        for (const surface of multiSurfaceOptIns) {
+            const status = getHookStatusForSurface(surface);
+            if (status.writable) {
+                // Future-proofing path: surface has hook events, would write files.
+                console.log(`ℹ ${surface} hooks: opted in — hooks will be written`);
+            }
+            else {
+                console.log(`ℹ ${surface} hooks: opted in — no auto-hooks (${surface} has no session events; run \`pb session start\` manually)`);
+            }
+        }
+    }
+    // Step 3: Scaffold starter templates if .productbrain/rules/ is empty
+    const rulesDir = join(cwd, '.productbrain', 'rules');
+    const hasExistingRules = existsSync(rulesDir) && readdirSync(rulesDir).filter((f) => f.endsWith('.md')).length > 0;
+    if (!hasExistingRules) {
+        // Detect stack from repo to pick template set
+        const repo = detectRepo(cwd);
+        const stack = repo.detectedStack.map((s) => s.toLowerCase());
+        let templateSet;
+        if (stack.some((s) => ['typescript', 'sveltekit', 'nextjs', 'react'].includes(s))) {
+            templateSet = 'node-ts';
+        }
+        else if (stack.includes('python')) {
+            templateSet = 'python';
+        }
+        else {
+            templateSet = 'general';
+        }
+        // Resolve templates directory relative to this file
+        const __filename = fileURLToPath(import.meta.url);
+        const __dirname = dirname(__filename);
+        // From dist/commands/handshake.js → ../../templates/
+        const templatesRoot = resolve(__dirname, '..', '..', 'templates');
+        const templateDir = join(templatesRoot, templateSet);
+        if (existsSync(templateDir)) {
+            const templateFiles = readdirSync(templateDir).filter((f) => f.endsWith('.md'));
+            if (templateFiles.length > 0) {
+                console.log('');
+                console.log(`Scaffolding starter rules from ${templateSet} template...`);
+                if (!dryRun) {
+                    mkdirSync(rulesDir, { recursive: true });
+                    for (const file of templateFiles) {
+                        const src = join(templateDir, file);
+                        const dest = join(rulesDir, file);
+                        copyFileSync(src, dest);
+                        console.log(`  + .productbrain/rules/${file}`);
+                    }
+                    console.log('');
+                    console.log('Run `pb handshake` to sync the scaffolded rules to your AI tools.');
+                }
+                else {
+                    for (const file of templateFiles) {
+                        console.log(`  + .productbrain/rules/${file} (dry run)`);
+                    }
+                }
+            }
+        }
+    }
+}
+const LOCAL_REF_REGEX = /\b(?:WP|TEN|DEC|BET|FEAT|INS|STD|PRI|ARCH)[-\s#]*\d+\b|\bPR\s*#?\s*\d+\b/gi;
+const STARTUP_RESOLUTION_RESOLVER_VERSION = 'startup-resolution-v1';
+// Global cap on collected refs (spec "Contract: StartupResolutionSignals" — arrays are capped).
+const LOCAL_REF_GLOBAL_CAP = 25;
+// Per-source cap so a broad source (context.md) cannot starve the task-specific
+// briefing.md refs (Codex@677). With the global cap at 25, a single source capped
+// at 18 always leaves slots for at least one other source's distinct refs.
+const LOCAL_REF_PER_SOURCE_CAP = 18;
+// PR-ref diff dereference is time-boxed so an unauthed/slow `gh` cannot stall
+// session-start (F4 — guard: time-box + skip gracefully on failure).
+const PR_DIFF_TIMEOUT_MS = 4_000;
+// Cap on how many PR refs we dereference per handshake — bounds the worst-case
+// number of `gh` subprocess invocations.
+const PR_DIFF_MAX_REFS = 5;
+function runGitText(cwd, command) {
+    try {
+        const value = execSync(command, {
+            cwd,
+            encoding: 'utf8',
+            stdio: ['ignore', 'pipe', 'ignore'],
+        }).trim();
+        return value.length > 0 ? value : undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
+/**
+ * Dereference a "PR #N" ref to its changed paths via `gh pr diff <N> --name-only`.
+ * F4 (spec "PR refs must dereference to diff paths when available"): the server
+ * resolver has no git/gh access, so PR-domain evidence can only be produced
+ * here in the CLI. Guarded: `gh` may be absent/unauthed or the PR may not exist,
+ * so failures are swallowed (returns []) and the call is time-boxed.
+ *
+ * Injectable via `run` so tests can drive the dereference without a real `gh`.
+ */
+export function dereferencePrRefToPaths(cwd, prNumber, run = runGitTextTimeboxed) {
+    if (!Number.isInteger(prNumber) || prNumber <= 0)
+        return [];
+    const raw = run(cwd, `gh pr diff ${prNumber} --name-only`, PR_DIFF_TIMEOUT_MS);
+    if (!raw)
+        return [];
+    return raw.split(/\r?\n/).map((line) => line.trim()).filter(Boolean);
+}
+/** Time-boxed variant of runGitText for the PR-diff dereference (F4). */
+function runGitTextTimeboxed(cwd, command, timeoutMs) {
+    try {
+        const value = execSync(command, {
+            cwd,
+            encoding: 'utf8',
+            stdio: ['ignore', 'pipe', 'ignore'],
+            timeout: timeoutMs,
+        }).trim();
+        return value.length > 0 ? value : undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
+function readOptionalLocalText(cwd, path) {
+    const fullPath = join(cwd, path);
+    if (!existsSync(fullPath))
+        return undefined;
+    try {
+        return readFileSync(fullPath, 'utf8');
+    }
+    catch {
+        return undefined;
+    }
+}
+function normalizeLocalRef(ref) {
+    const trimmed = ref.trim().replace(/\s+/g, ' ');
+    const pr = trimmed.match(/^PR\s*#?\s*(\d+)$/i);
+    if (pr)
+        return `PR #${pr[1]}`;
+    const entry = trimmed.match(/^([A-Z]+)[-\s#]*(\d+)$/i);
+    if (entry)
+        return `${entry[1].toUpperCase()}-${entry[2]}`;
+    return trimmed;
+}
+/**
+ * Collect normalized local refs across several text sources, deduped.
+ *
+ * Codex@677: a per-source cap (LOCAL_REF_PER_SOURCE_CAP) is applied in addition
+ * to the global cap so a broad source (e.g. a context.md carrying 25+ IDs) cannot
+ * consume the whole budget before a later, task-specific source (briefing.md) is
+ * even read. Each source contributes at most its quota; refs already collected by
+ * an earlier source still dedupe across sources (and do not count against the
+ * later source's quota, since they are skipped before the per-source counter).
+ */
+function collectLocalRefs(texts) {
+    const refs = [];
+    const seen = new Set();
+    for (const text of texts) {
+        if (!text)
+            continue;
+        let fromThisSource = 0;
+        for (const match of text.matchAll(LOCAL_REF_REGEX)) {
+            const ref = normalizeLocalRef(match[0]);
+            const key = ref.toLowerCase();
+            if (seen.has(key))
+                continue;
+            if (fromThisSource >= LOCAL_REF_PER_SOURCE_CAP)
+                break;
+            seen.add(key);
+            refs.push(ref);
+            fromThisSource++;
+            if (refs.length >= LOCAL_REF_GLOBAL_CAP)
+                return refs;
+        }
+    }
+    return refs;
+}
+function deriveHandshakeStartupTask(refs, changedPaths, callerTask) {
+    if (callerTask && callerTask.trim())
+        return callerTask.trim();
+    const parts = [];
+    if (refs.length > 0)
+        parts.push(refs.join(' '));
+    if (changedPaths.length > 0)
+        parts.push(`changed paths ${changedPaths.slice(0, 5).join(' ')}`);
+    return parts.length > 0 ? parts.join(' ') : undefined;
+}
+const DEFAULT_HANDSHAKE_SIGNAL_DEPS = {
+    runGit: runGitText,
+    prDiff: (cwd, prNumber) => dereferencePrRefToPaths(cwd, prNumber),
+};
+/** Extract the PR number from a normalized "PR #N" ref, else null. */
+function prNumberFromRef(ref) {
+    const m = ref.match(/^PR\s*#?\s*(\d+)$/i);
+    if (!m)
+        return null;
+    const n = Number(m[1]);
+    return Number.isInteger(n) && n > 0 ? n : null;
+}
+export function deriveHandshakeStartupSignals(cwd, callerSignals = {}, deps = DEFAULT_HANDSHAKE_SIGNAL_DEPS) {
+    const { runGit, prDiff } = deps;
+    const branchName = runGit(cwd, 'git branch --show-current');
+    const commitSha = runGit(cwd, 'git rev-parse --short HEAD');
+    // Changed paths come from THREE sources, unioned + deduped:
+    //   1. Dirty worktree (`git diff --name-only HEAD`) — existing behavior.
+    //   2. Committed branch delta vs the merge-base with origin/main (Codex@665):
+    //      after the branch is committed and the worktree is clean, source #1 is
+    //      empty and the branch delta would be invisible without this.
+    //   3. PR-ref dereference (F4) — appended later, once refs are collected.
+    const dirtyChangedPaths = runGit(cwd, 'git diff --name-only HEAD')?.split(/\r?\n/).filter(Boolean) ?? [];
+    const mergeBase = runGit(cwd, 'git merge-base HEAD origin/main');
+    const branchChangedPaths = mergeBase
+        ? (runGit(cwd, `git diff --name-only ${mergeBase} HEAD`)?.split(/\r?\n/).filter(Boolean) ?? [])
+        : [];
+    const worktreeName = basename(cwd);
+    const contextText = readOptionalLocalText(cwd, '.productbrain/context.md');
+    const briefingText = readOptionalLocalText(cwd, '.productbrain/briefing.md');
+    const callerRefs = Array.isArray(callerSignals.reviewedArtifactRefs) ? callerSignals.reviewedArtifactRefs.join('\n') : undefined;
+    // Codex@677: briefing.md (task-specific) is read BEFORE context.md (broad) so
+    // its refs are collected first; combined with the per-source cap in
+    // collectLocalRefs, a context.md with 25+ IDs can no longer starve the briefing.
+    const refs = collectLocalRefs([
+        callerSignals.taskText ?? undefined,
+        callerSignals.explicitScope ?? undefined,
+        callerRefs,
+        branchName,
+        worktreeName,
+        briefingText,
+        contextText,
+    ]);
+    // F4: dereference any "PR #N" ref to its diff paths and fold them into the
+    // changedPaths evidence so PR refs contribute real path-domain signal. The
+    // server resolver records PR refs as dereferenced:false (no git access), so
+    // this is the only place the dereference can happen. Time-boxed + try/catch
+    // inside prDiff → absent/unauthed gh is a graceful no-op.
+    const prDiffPaths = [];
+    if (callerSignals.changedPaths === undefined) {
+        let derefed = 0;
+        for (const ref of refs) {
+            const prNumber = prNumberFromRef(ref);
+            if (prNumber === null)
+                continue;
+            if (derefed >= PR_DIFF_MAX_REFS)
+                break;
+            derefed++;
+            try {
+                for (const p of prDiff(cwd, prNumber))
+                    prDiffPaths.push(p);
+            }
+            catch {
+                // gh absent / unauthed / PR missing — skip gracefully, leave existing behavior.
+            }
+        }
+    }
+    // Caller-supplied changedPaths win (backward compat); otherwise union the
+    // three local sources, deduped, order-stable.
+    const unionedChangedPaths = callerSignals.changedPaths ??
+        Array.from(new Set([...dirtyChangedPaths, ...branchChangedPaths, ...prDiffPaths]));
+    const baseSignals = sanitizeStartupResolutionSignals({
+        ...callerSignals,
+        sourceSurface: callerSignals.sourceSurface ?? 'cli',
+        resolverVersion: callerSignals.resolverVersion ?? STARTUP_RESOLUTION_RESOLVER_VERSION,
+        branchName: callerSignals.branchName ?? branchName,
+        worktreeName: callerSignals.worktreeName ?? worktreeName,
+        changedPaths: unionedChangedPaths,
+        reviewedArtifactRefs: callerSignals.reviewedArtifactRefs ?? refs,
+        commitSha: callerSignals.commitSha ?? commitSha,
+    });
+    const taskText = deriveHandshakeStartupTask(baseSignals.reviewedArtifactRefs ?? [], baseSignals.changedPaths ?? [], baseSignals.taskText);
+    const sanitized = sanitizeStartupResolutionSignals({
+        ...baseSignals,
+        taskText,
+    });
+    const hasMeaningfulEvidence = Boolean(sanitized.taskText) ||
+        (sanitized.changedPaths?.length ?? 0) > 0 ||
+        (sanitized.reviewedArtifactRefs?.length ?? 0) > 0 ||
+        Boolean(sanitized.explicitScope);
+    if (hasMeaningfulEvidence)
+        return sanitized;
+    // Codex@704: even with no task/path/ref/scope evidence, still emit a minimal
+    // envelope carrying the attribution fields (resolverVersion, commitSha,
+    // branchName). Returning {} here would drop the whole startup block at the
+    // caller, losing attribution AND the loud domain-unresolved signal exactly in
+    // the low-evidence case the resolver is meant to make queryable
+    // (spec "Loud Unresolved State"; AC #4). The envelope has no evidence fields,
+    // so the resolver sees no domain and emits domain-unresolved.
+    return sanitizeStartupResolutionSignals({
+        sourceSurface: sanitized.sourceSurface ?? 'cli',
+        resolverVersion: sanitized.resolverVersion ?? STARTUP_RESOLUTION_RESOLVER_VERSION,
+        branchName: sanitized.branchName,
+        worktreeName: sanitized.worktreeName,
+        commitSha: sanitized.commitSha,
+        changeId: sanitized.changeId,
+    });
+}
+/**
+ * Normalize volatile handshake-only timestamps before comparing generated files.
+ * This keeps the visible timestamps in generated artifacts while avoiding
+ * meaningless rewrites when semantic content is unchanged.
+ */
+export function normalizeHandshakeContentForComparison(content) {
+    return content
+        .replace(/<!-- auto-generated by pb handshake — [0-9]{4}-[0-9]{2}-[0-9]{2}T[^>]+ -->/g, '<!-- auto-generated by pb handshake — <TIMESTAMP> -->')
+        .replace(/^_Generated: [0-9]{4}-[0-9]{2}-[0-9]{2}T.*_$/gm, '_Generated: <TIMESTAMP>_');
 }
 function shouldWriteAdapter(filePath, force) {
     if (force)
@@ -203,6 +724,227 @@ function shouldWriteAdapter(filePath, force) {
     const content = readFileSync(filePath, 'utf8');
     return content.includes(MARKER);
 }
+function normalizeSurfaceName(surface) {
+    const stripped = surface.startsWith('.') ? surface.slice(1) : surface;
+    const normalized = stripped === 'github' ? 'copilot' : stripped;
+    return normalized in SURFACE_REGISTRY ? normalized : null;
+}
+function surfacePerimeterRoots(surface) {
+    if (surface === 'codex')
+        return ['.codex', SURFACE_REGISTRY.codex.hookFilePath];
+    if (surface === 'copilot')
+        return ['.github', SURFACE_REGISTRY.copilot.hookFilePath];
+    if (surface === 'claude')
+        return ['.claude', 'CLAUDE.md'];
+    return [`.${surface}`];
+}
+function modeRank(mode) {
+    return { off: 0, observe: 1, project: 2, govern: 3 }[mode];
+}
+function normalizeSetupAuthoringBody(body) {
+    return body.replace(/\r\n/g, '\n').replace(/\r/g, '\n').trimEnd();
+}
+function setupAuthoringAssetHash(asset) {
+    const canonical = {
+        entryId: asset.entryId,
+        name: asset.name,
+        description: asset.description ?? '',
+        assetKind: asset.assetKind,
+        triggers: asset.triggers ?? [],
+        semanticRefs: asset.semanticRefs ?? [],
+        body: normalizeSetupAuthoringBody(asset.body),
+    };
+    return `sha256:${createHash('sha256').update(JSON.stringify(canonical), 'utf8').digest('hex')}`;
+}
+function parseSetupAuthoringFrontmatter(raw) {
+    // Shared parser (lib/frontmatter.ts) — array-item quotes are stripped exactly
+    // as this function always did; the shared copy makes that behavior canonical
+    // for migrate-setup and setup-ingest too. `assetKind` from the union shape is
+    // ignored here (handshake derives kind from the directory).
+    const parsed = parseSetupFrontmatter(raw);
+    return {
+        frontmatterId: parsed.frontmatterId,
+        name: parsed.name,
+        description: parsed.description,
+        body: parsed.body,
+        triggers: parsed.triggers,
+        semanticRefs: parsed.semanticRefs,
+    };
+}
+function deriveSetupAuthoringEntryId(filename, kind) {
+    const base = basename(filename, '.md');
+    const snakeCase = base.toUpperCase().replace(/[^A-Z0-9]+/g, '_');
+    return `SETUP-${kind.toUpperCase()}-${snakeCase}`;
+}
+function scanSetupAuthoringFiles(productbrainDir) {
+    const dirs = [
+        { dir: 'skills', kind: 'skill' },
+        { dir: 'rules', kind: 'rule' },
+        { dir: 'hooks', kind: 'hook' },
+    ];
+    const items = [];
+    for (const { dir, kind } of dirs) {
+        const absDir = join(productbrainDir, dir);
+        if (!existsSync(absDir))
+            continue;
+        for (const file of readdirSync(absDir).filter((f) => f.endsWith('.md'))) {
+            const filePath = join(absDir, file);
+            const parsed = parseSetupAuthoringFrontmatter(readFileSync(filePath, 'utf8'));
+            const fallbackName = basename(file, '.md');
+            items.push({
+                filePath,
+                derivedEntryId: deriveSetupAuthoringEntryId(file, kind),
+                frontmatterId: parsed.frontmatterId,
+                name: parsed.name || fallbackName,
+                description: parsed.description,
+                body: parsed.body,
+                assetKind: kind,
+                triggers: parsed.triggers,
+                semanticRefs: parsed.semanticRefs,
+            });
+        }
+    }
+    return items.sort((a, b) => a.filePath.localeCompare(b.filePath));
+}
+function setupAuthoringDirForKind(kind) {
+    if (kind === 'skill')
+        return 'skills';
+    if (kind === 'rule')
+        return 'rules';
+    if (kind === 'hook')
+        return 'hooks';
+    return null;
+}
+function setupAuthoringFilename(name, entryId) {
+    const base = (name || entryId)
+        .replace(/[\/\\:*?"<>|]/g, '-')
+        .replace(/\s+/g, ' ')
+        .trim();
+    return `${base || entryId}.md`;
+}
+function setupAuthoringPath(cwd, asset) {
+    const dir = setupAuthoringDirForKind(asset.assetKind);
+    if (!dir)
+        return null;
+    // WP-426 E3: recorded authoring source path wins so reprojection lands where the
+    // user authored — no duplicate (TEN-1920). Stored relative to .productbrain/.
+    if (asset.authoringPath && asset.authoringPath.trim()) {
+        // Codex P1/P2: authoringPath comes from the DB and is untrusted at projection
+        // time. It is probed via existsSync/readFileSync (and later writeFileSync) in the
+        // writeback loop BEFORE any assertSetupWritePath guard runs. Containment alone is
+        // not enough — a bad DB row could still point at a directory (e.g. "skills") or an
+        // internal PB file (".authoring-sync.json", "manifest.yaml"), which the loop would
+        // mis-handle as markdown (throw on a directory read, or overwrite PB state).
+        // Constrain to a kind-appropriate markdown file (<dir>/**/*.md); otherwise fall
+        // back to the safe name-derived path.
+        const pbDir = join(cwd, '.productbrain');
+        const candidate = resolve(pbDir, asset.authoringPath);
+        const within = relative(pbDir, candidate);
+        const withinPosix = within.split(sep).join('/');
+        if (!within.startsWith('..') &&
+            !isAbsolute(within) &&
+            withinPosix.startsWith(`${dir}/`) &&
+            withinPosix.toLowerCase().endsWith('.md')) {
+            return candidate;
+        }
+    }
+    return join(cwd, '.productbrain', dir, setupAuthoringFilename(asset.name, asset.entryId));
+}
+function renderSetupAuthoringFile(asset) {
+    const lines = [
+        '---',
+        `id: ${asset.entryId}`,
+        `name: ${JSON.stringify(asset.name)}`,
+        `description: ${JSON.stringify(asset.description ?? '')}`,
+        `assetKind: ${asset.assetKind}`,
+    ];
+    const pushArray = (key, values) => {
+        if (!values || values.length === 0)
+            return;
+        lines.push(`${key}:`);
+        for (const value of values)
+            lines.push(`  - ${JSON.stringify(value)}`);
+    };
+    pushArray('triggers', asset.triggers);
+    pushArray('semanticRefs', asset.semanticRefs);
+    lines.push('---', normalizeSetupAuthoringBody(asset.body), '');
+    return lines.join('\n');
+}
+function loadAuthoringSyncState(productbrainDir) {
+    const statePath = join(productbrainDir, '.authoring-sync.json');
+    if (!existsSync(statePath))
+        return { version: 1, assets: {} };
+    try {
+        const parsed = JSON.parse(readFileSync(statePath, 'utf8'));
+        if (parsed.version !== 1 || !parsed.assets || typeof parsed.assets !== 'object') {
+            return { version: 1, assets: {} };
+        }
+        // Codex P2: the dormant registries are consumed via .includes() in the dormant loop
+        // BEFORE its per-file try/catch, so a malformed .authoring-sync.json (a field set to
+        // an object/number instead of an array) would throw a TypeError and abort the whole
+        // handshake. Coerce to a string[] (mirrors the assets validation above) to fail open.
+        const toStringArray = (v) => Array.isArray(v) ? v.filter((x) => typeof x === 'string') : [];
+        return {
+            version: 1,
+            assets: parsed.assets,
+            dormantRenamed: toStringArray(parsed.dormantRenamed),
+            dormantReactivated: toStringArray(parsed.dormantReactivated),
+        };
+    }
+    catch {
+        return { version: 1, assets: {} };
+    }
+}
+function saveAuthoringSyncState(productbrainDir, state) {
+    const statePath = join(productbrainDir, '.authoring-sync.json');
+    assertSetupWritePath(statePath, { surfaces: [] });
+    mkdirSync(productbrainDir, { recursive: true });
+    writeFileSync(statePath, JSON.stringify(state, null, 2) + '\n');
+}
+const DRIFT_HASH_TRAILER_REGEX = /^<!--\s*pb-hash:\s*sha256:([0-9a-f]+)\s*-->\s*$/m;
+const DRIFT_HASH_TRAILER_STRIP = /^<!--\s*pb-hash:.*-->\s*$/gm;
+const DRIFT_TIMESTAMP_STRIP = /^<!--\s*pb-generated-at:.*-->\s*$/gm;
+/**
+ * Classify a single projection-target file into one of the three drift buckets.
+ *
+ * Returns `null` when `filePath` does not exist (first-run / unprojected) — the
+ * write loop treats that as "would-write" and the file is not part of any bucket.
+ *
+ * @param filePath  Absolute path to the projection file on disk.
+ * @returns         { bucket, expectedHash, actualHash } when the file exists.
+ *                  `expectedHash`/`actualHash` are populated only for the
+ *                  tampered bucket so the headless refusal payload can include
+ *                  them verbatim. For clean / user-owned, both are `''`.
+ */
+export function classifyDriftBucket(filePath) {
+    if (!existsSync(filePath))
+        return null;
+    const content = readFileSync(filePath, 'utf8');
+    // No auto-gen MARKER → user-owned. Never touch.
+    if (!content.includes(MARKER)) {
+        return { bucket: 'user-owned', expectedHash: '', actualHash: '' };
+    }
+    // Marker present but no hash trailer → legacy / pre-S0c projection: treat as
+    // clean (the hash trailer was added in WP-345 S0c). The user-owned-vs-clean
+    // semantic falls back to existing shouldWriteAdapter behavior.
+    const trailerMatch = content.match(DRIFT_HASH_TRAILER_REGEX);
+    if (!trailerMatch) {
+        return { bucket: 'pb-managed-clean', expectedHash: '', actualHash: '' };
+    }
+    const expectedHash = `sha256:${trailerMatch[1]}`;
+    // Recompute the actual hash from the body (strip trailer + timestamp, LF, trim).
+    const normalized = content
+        .replace(DRIFT_HASH_TRAILER_STRIP, '')
+        .replace(DRIFT_TIMESTAMP_STRIP, '')
+        .replace(/\r\n/g, '\n')
+        .replace(/\r/g, '\n')
+        .trimEnd();
+    const actualHash = `sha256:${createHash('sha256').update(normalized, 'utf8').digest('hex')}`;
+    if (actualHash === expectedHash) {
+        return { bucket: 'pb-managed-clean', expectedHash, actualHash };
+    }
+    return { bucket: 'pb-managed-tampered', expectedHash, actualHash };
+}
 function deduplicateEntries(entries) {
     const seen = new Set();
     const result = [];
@@ -215,15 +957,178 @@ function deduplicateEntries(entries) {
     }
     return result;
 }
+/**
+ * resolveProjectionCollision — WP-379 S5b
+ *
+ * Marker-scoped orphan unlink: enumerates target dirs (.cursor/rules/,
+ * .claude/rules/, .claude/skills/, .codex/skills/); for each file that has
+ * the auto-gen MARKER whose lowercase-normalized filename does NOT match any
+ * current active-asset materializedFilename, the file is unlinked.
+ *
+ * User-owned files (no MARKER) are never touched, regardless of name.
+ *
+ * Linux case-collision disambiguation:
+ *   1. Exact match (lowercase name == any canonical name): survives.
+ *   2. Case-variant with MARKER (marker file, no exact canonical match): unlinked.
+ *   3. Ambiguous (zero exact, multiple case-variants with MARKER):
+ *      newest mtime wins; all others are unlinked; a collision TEN is
+ *      appended to the session capture queue (not fired inline).
+ *
+ * Returns a list of unlink results so the caller can log/report them.
+ *
+ * @param cwd         Project root (absolute path).
+ * @param assetNames  The current set of canonical asset names from the server
+ *                    (e.g. ["Setup-ProductBrain", "chain-rules"]).
+ * @param log         Progress log function.
+ * @param logErr      Error log function.
+ */
+export function resolveProjectionCollision(cwd, assetNames, log, logErr) {
+    // Target directories by extension suffix.
+    const TARGET_DIRS_BY_EXT = [
+        { dir: join(cwd, '.cursor', 'rules'), ext: '.mdc' },
+        { dir: join(cwd, '.claude', 'rules'), ext: '.md' },
+        { dir: join(cwd, '.claude', 'skills'), ext: '.md' },
+        { dir: join(cwd, '.codex', 'skills'), ext: '.md' },
+    ];
+    // Build a set of normalized canonical names (without extension) for fast lookup.
+    // We normalize all asset names to detect case-variant collisions.
+    // For each asset name we derive the normalized basename (the part before the ext).
+    // canonicalNormalizedNames: Set<normalized-stem> (lowercase + slug).
+    const canonicalNormalizedStems = new Set(assetNames.map((n) => normalizeMaterializedFilename(n)));
+    const results = [];
+    const collisionTens = [];
+    for (const { dir, ext } of TARGET_DIRS_BY_EXT) {
+        if (!existsSync(dir))
+            continue;
+        let files;
+        try {
+            files = readdirSync(dir);
+        }
+        catch {
+            continue; // unreadable dir — skip
+        }
+        // Group files by their normalized stem.
+        // normalizedStem → [ { filename, fullPath } ]
+        const groups = new Map();
+        for (const filename of files) {
+            if (!filename.endsWith(ext))
+                continue;
+            const fullPath = join(dir, filename);
+            // Only operate on files that have the auto-gen MARKER.
+            let content;
+            try {
+                content = readFileSync(fullPath, 'utf8');
+            }
+            catch {
+                continue; // unreadable file — skip
+            }
+            if (!content.includes(MARKER))
+                continue; // user-owned — never touch
+            const stem = basename(filename, ext);
+            const normalizedStem = normalizeMaterializedFilename(stem);
+            const group = groups.get(normalizedStem) ?? [];
+            group.push({ filename, fullPath });
+            groups.set(normalizedStem, group);
+        }
+        // Evaluate each normalized stem group.
+        for (const [normalizedStem, members] of groups) {
+            const isKnownCanonical = canonicalNormalizedStems.has(normalizedStem);
+            if (!isKnownCanonical) {
+                // All members of this group are orphans (no canonical asset with this stem).
+                // Unlink them all — they're stale projections of an asset no longer in the server.
+                for (const { filename, fullPath } of members) {
+                    try {
+                        unlinkSync(fullPath);
+                        log(`Orphan unlinked: ${fullPath}`);
+                        results.push({ action: 'unlinked', filePath: fullPath, reason: 'orphan-no-canonical-match' });
+                    }
+                    catch (err) {
+                        logErr(`Warning: could not unlink orphan ${fullPath} — ${err instanceof Error ? err.message : String(err)}`);
+                        results.push({ action: 'kept', filePath: fullPath, reason: 'unlink-failed' });
+                    }
+                }
+                continue;
+            }
+            // The stem IS known canonical. Check for case-collision.
+            if (members.length === 1) {
+                // Single file — no collision.
+                results.push({ action: 'kept', filePath: members[0].fullPath, reason: 'canonical-exact' });
+                continue;
+            }
+            // Multiple files with the same normalized stem → case-collision.
+            // Rule: exact match (filename stem === normalized stem, i.e. already lowercase) wins.
+            const exactMatches = members.filter(({ filename }) => {
+                const stem = basename(filename, ext);
+                return stem === normalizedStem; // lowercase-equal means already normalized
+            });
+            if (exactMatches.length === 1) {
+                // Rule 1: exactly one exact match → keep it, unlink all case-variants.
+                const keeper = exactMatches[0];
+                results.push({ action: 'kept', filePath: keeper.fullPath, reason: 'case-exact-match-wins' });
+                for (const member of members) {
+                    if (member.fullPath === keeper.fullPath)
+                        continue;
+                    try {
+                        unlinkSync(member.fullPath);
+                        log(`Case-variant unlinked: ${member.fullPath} (kept: ${keeper.filename})`);
+                        results.push({ action: 'unlinked', filePath: member.fullPath, reason: 'case-variant-unlinked' });
+                    }
+                    catch (err) {
+                        logErr(`Warning: could not unlink case-variant ${member.fullPath} — ${err instanceof Error ? err.message : String(err)}`);
+                        results.push({ action: 'kept', filePath: member.fullPath, reason: 'unlink-failed' });
+                    }
+                }
+                continue;
+            }
+            // Rule 3: ambiguous — zero exact matches (or multiple exact matches, which
+            // can't happen on a case-sensitive FS). Newest mtime wins.
+            // Sort by mtime descending: highest mtime = newest = winner.
+            const withStats = members.map(({ filename, fullPath }) => {
+                try {
+                    const { mtimeMs } = statSync(fullPath);
+                    return { filename, fullPath, mtimeMs };
+                }
+                catch {
+                    return { filename, fullPath, mtimeMs: 0 };
+                }
+            });
+            withStats.sort((a, b) => b.mtimeMs - a.mtimeMs);
+            const winner = withStats[0];
+            log(`Case-collision ambiguous for ${normalizedStem}${ext}: newest mtime wins (${winner.filename})`);
+            results.push({ action: 'collision-ten', filePath: winner.fullPath, reason: 'ambiguous-newest-mtime-wins' });
+            const tenMsg = `Handshake case-collision: ambiguous filename for stem "${normalizedStem}${ext}" ` +
+                `(${members.map((m) => m.filename).join(', ')}). ` +
+                `Kept newest: ${winner.filename}. Consider renaming to ${normalizedStem}${ext}.`;
+            collisionTens.push(tenMsg);
+            for (const member of withStats.slice(1)) {
+                try {
+                    unlinkSync(member.fullPath);
+                    log(`Case-variant (ambiguous) unlinked: ${member.fullPath}`);
+                    results.push({ action: 'unlinked', filePath: member.fullPath, reason: 'ambiguous-case-variant-unlinked' });
+                }
+                catch (err) {
+                    logErr(`Warning: could not unlink ambiguous case-variant ${member.fullPath} — ${err instanceof Error ? err.message : String(err)}`);
+                    results.push({ action: 'kept', filePath: member.fullPath, reason: 'unlink-failed' });
+                }
+            }
+        }
+    }
+    return { results, collisionTens };
+}
 export async function runHandshake(options = {}) {
-    const config = await getConfigOrGuide(() => runHandshake(options));
+    const config = await getConfigOrGuide(async () => { await runHandshake(options); });
     if (!config)
-        return;
+        return undefined;
     const cwd = process.cwd();
     const force = options.force ?? false;
     const dryRun = options.dryRun ?? false;
+    // Preview mode: default when neither --apply nor --dry-run is passed.
+    // --dry-run is kept as a backward-compat alias for preview (same behavior).
+    const preview = !options.apply && !dryRun;
+    const applyMode = options.apply === true && !dryRun;
     const level = options.level;
     const quiet = options.quiet ?? false;
+    const generate = options.generate ?? false;
     const timestamp = new Date().toISOString();
     // Helper: emit progress line only when not quiet (used when handshake is a sub-step)
     const log = (msg) => { if (!quiet)
@@ -233,8 +1138,11 @@ export async function runHandshake(options = {}) {
     // Validate --level if provided (for handshake content filtering, not --init trust level)
     const VALID_HANDSHAKE_LEVELS = ['beginner', 'intermediate', 'expert'];
     if (level && !VALID_HANDSHAKE_LEVELS.includes(level)) {
-        process.stderr.write(`Unknown level "${level}". Valid levels: ${VALID_HANDSHAKE_LEVELS.join(', ')}\n`);
-        process.exit(1);
+        throw new CLIError(`Unknown level "${level}".`, {
+            code: ErrorCode.VALIDATION_FAILED,
+            category: 'validation',
+            guidance: `Valid levels: ${VALID_HANDSHAKE_LEVELS.join(', ')}`,
+        });
     }
     // 1. Detect repo
     const repo = detectRepo(cwd);
@@ -242,16 +1150,39 @@ export async function runHandshake(options = {}) {
     if (repo.detectedStack.length > 0) {
         log(`Stack: ${repo.detectedStack.join(', ')}`);
     }
-    // 2. Fetch orient view
+    const startupSignals = deriveHandshakeStartupSignals(cwd, options.startupSignals ?? {});
+    const orientArgs = { tier: 'standard' };
+    if (options.invocationPath)
+        orientArgs.invocationPath = options.invocationPath;
+    if (Object.keys(startupSignals).length > 0) {
+        orientArgs.startupSignals = startupSignals;
+        if (startupSignals.taskText)
+            orientArgs.task = startupSignals.taskText;
+    }
+    // 2. Fetch orient view + workspace readiness in parallel (budget max +200ms added latency)
     log('Fetching workspace context...');
     let orientView = null;
+    let workspaceProfile = null;
     try {
-        orientView = await mcpCall('chain.getOrientView', {});
+        const workspaceReadinessPromise = kernelCall('chain.workspaceReadiness', {}).catch(() => null);
+        const [orientResult, readinessRaw] = await Promise.all([
+            kernelCall('chain.getOrientView', orientArgs).catch((err) => {
+                logErr(`Warning: could not fetch workspace context — ${err instanceof Error ? err.message : err}`);
+                logErr('Continuing with limited context (Chain search + portable knowledge only).');
+                return null;
+            }),
+            workspaceReadinessPromise,
+        ]);
+        orientView = orientResult;
+        workspaceProfile = extractWorkspaceProfile(readinessRaw);
     }
     catch (err) {
         logErr(`Warning: could not fetch workspace context — ${err instanceof Error ? err.message : err}`);
         logErr('Continuing with limited context (Chain search + portable knowledge only).');
     }
+    if (workspaceProfile) {
+        log(`Workspace profile: stage=${workspaceProfile.stage}, entries=${workspaceProfile.totalEntries}, governance=${workspaceProfile.governanceMode}`);
+    }
     // 3. Build search queries from repo context
     const searchQueries = [];
     if (repo.name && repo.name.length >= 2)
@@ -269,76 +1200,718 @@ export async function runHandshake(options = {}) {
     let matchedEntries = [];
     if (uniqueQueries.length > 0) {
         log(`Searching Chain for: ${uniqueQueries.join(', ')}...`);
-        const searchResults = await Promise.all(uniqueQueries.map((q) => mcpCall('chain.searchEntries', { query: q }).catch(() => [])));
+        const searchResults = await Promise.all(uniqueQueries.map((q) => kernelCall('chain.searchEntries', { query: q }).catch(() => [])));
         matchedEntries = deduplicateEntries(searchResults.flat());
     }
-    // 5. Read canonical skills & rules from .productbrain/
+    // 5. Read canonical skills & rules — DB-first (WP-345 S0c, TEN-1459), FS fallback.
+    // Primary: query setup.listAssetsForUser from DB (workspace SSOT).
+    // Fallback: read from .productbrain/ filesystem (legacy — used when DB is empty or unavailable).
     const pbDir = join(cwd, '.productbrain');
-    const allSkills = readCanonicalSkills(pbDir);
-    const allRules = readCanonicalRules(pbDir);
-    // Apply level filtering (after read, before target filtering in write loop)
-    const canonicalSkills = filterByLevel(allSkills, level);
-    const canonicalRules = filterByLevel(allRules, level);
+    const manifestStatus = readManifestStatus(pbDir);
+    const manifest = manifestStatus.manifest;
+    const surfaceValidation = validateSurfacesForMode(manifestStatus.mode, manifestStatus.surfaces);
+    if (applyMode && surfaceValidation.error === SURFACE_GOVERN_NO_SURFACES) {
+        throw new CLIError('materialize: govern requires at least one registered manifest surface.', {
+            code: ErrorCode.VALIDATION_FAILED,
+            category: 'validation',
+            guidance: 'Add surfaces such as `.cursor` or `.claude` to .productbrain/manifest.yaml.',
+        });
+    }
+    for (const surface of surfaceValidation.unregisteredSurfaces) {
+        logErr(`Warning: manifest surface "${surface}" is not registered; skipping it.`);
+    }
+    const manifestTargets = new Set(surfaceValidation.registeredSurfaces);
+    const cliTargets = new Set();
+    const ignoredCliSurfaces = [];
+    for (const surface of options.surfaces ?? []) {
+        const normalized = normalizeSurfaceName(surface);
+        if (normalized && manifestTargets.has(normalized)) {
+            cliTargets.add(normalized);
+        }
+        else {
+            ignoredCliSurfaces.push(surface);
+        }
+    }
+    if (ignoredCliSurfaces.length > 0) {
+        logErr(`Warning: --surfaces ignored outside manifest.surfaces: ${ignoredCliSurfaces.join(', ')}`);
+    }
+    const allowedTargets = options.surfaces && options.surfaces.length > 0
+        ? cliTargets
+        : manifestTargets;
+    const perimeterManifest = {
+        surfaces: [...manifestTargets].flatMap(surfacePerimeterRoots),
+    };
+    const authorityCanWrite = manifestStatus.mode === 'project' || manifestStatus.mode === 'govern';
+    const authorityPreviewOnly = applyMode && !authorityCanWrite;
+    const writeMode = applyMode && authorityCanWrite;
+    let dbSkills = [];
+    let dbRules = [];
+    let usedDbSource = false;
+    let dbAssetRows = [];
+    // WP-379 S4: dormant assets (gate-failed) — their on-disk files get the dormant marker.
+    let dormantDbAssetRows = [];
+    // WP-428 S2 (Finding #5): tracks entryIds whose body fetch from storage failed.
+    // Hoisted here (same scope as dbAssetRows) so both the skills/rules projection loop
+    // AND the authoring-file projection loop can skip failed assets.
+    const bodyFetchFailedEntryIds = new Set();
+    const dbProjectionHashes = new Map();
+    const syncDriftTensToFire = [];
+    const deferredAuthoringBaselineEntryIds = new Set();
+    if (writeMode) {
+        const authoringItems = scanSetupAuthoringFiles(pbDir);
+        if (authoringItems.length > 0) {
+            // WP-428 S2 (Critical #1): ingestSetupAssetsBatch is an internalMutation — it cannot
+            // call ctx.storage.store(). We now call ingestSetupAssetWithBody (action) per-asset so
+            // each asset gets bodyStorageId written. This loses intra-batch collision detection;
+            // canonical-id collision check is now client-side before dispatch.
+            //
+            // Client-side collision detection (replaces server-side DEC-954 check in the batch mutation):
+            const idToPaths = new Map();
+            for (const item of authoringItems) {
+                const canonicalId = item.frontmatterId?.trim() || item.derivedEntryId;
+                const paths = idToPaths.get(canonicalId) ?? [];
+                paths.push(item.filePath);
+                idToPaths.set(canonicalId, paths);
+            }
+            const conflictingPaths = new Set();
+            for (const [, paths] of idToPaths) {
+                if (paths.length > 1) {
+                    for (const p of paths)
+                        conflictingPaths.add(p);
+                }
+            }
+            if (conflictingPaths.size > 0) {
+                logErr(`Setup authoring import partial: ${conflictingPaths.size} file(s) refused for duplicate setup id. ` +
+                    [...conflictingPaths].join(', '));
+            }
+            const itemsToIngest = authoringItems.filter((item) => !conflictingPaths.has(item.filePath));
+            if (itemsToIngest.length > 0) {
+                try {
+                    // Parallel uploads — concurrency limit 10 to avoid overwhelming the gateway.
+                    const CONCURRENCY = 10;
+                    const ingestResults = [];
+                    for (let i = 0; i < itemsToIngest.length; i += CONCURRENCY) {
+                        const batch = itemsToIngest.slice(i, i + CONCURRENCY);
+                        const settled = await Promise.allSettled(batch.map(async (item) => {
+                            const result = await kernelCall('setup.ingestSetupAssetWithBody', {
+                                entryId: item.derivedEntryId,
+                                frontmatterId: item.frontmatterId,
+                                name: item.name,
+                                description: item.description,
+                                body: item.body,
+                                assetKind: item.assetKind,
+                                triggers: item.triggers,
+                                semanticRefs: item.semanticRefs,
+                                authoringPath: relative(pbDir, item.filePath).split(sep).join('/'),
+                            });
+                            return { filePath: item.filePath, ...result };
+                        }));
+                        for (const r of settled) {
+                            if (r.status === 'fulfilled') {
+                                ingestResults.push(r.value);
+                                if (r.value.conflict === 'repo-wins') {
+                                    syncDriftTensToFire.push(`Repo authoring file won setup sync conflict for ${r.value.entryId} at ${r.value.filePath}.`);
+                                    logErr(`Warning: repo authoring file won sync conflict for ${r.value.entryId}; DB edit was overwritten.`);
+                                }
+                            }
+                            else {
+                                trackEvent('setup.authoring_import.item_failed', { error: r.reason instanceof Error ? r.reason.message : String(r.reason) });
+                                logErr(`Warning: setup authoring import failed for one asset — ${r.reason instanceof Error ? r.reason.message : String(r.reason)}`);
+                            }
+                        }
+                    }
+                    if (ingestResults.length > 0) {
+                        log(`Setup authoring import: ${ingestResults.length} file(s) checked (with bodyStorageId).`);
+                    }
+                }
+                catch (err) {
+                    trackEvent('setup.authoring_import.failed', { error: err instanceof Error ? err.message : String(err) });
+                    logErr(`Warning: setup authoring import failed — ${err instanceof Error ? err.message : String(err)}`);
+                }
+            }
+        }
+    }
+    try {
+        // WP-379 S4: listAssetsForUser now returns { activeAssets, dormantAssets }.
+        // Wire format changed from DbAsset[] to { activeAssets: DbAsset[], dormantAssets: DbAsset[] }.
+        // Fall back to empty arrays if the server returns the old flat-array shape (graceful degradation).
+        const rawResponse = await kernelCall('setup.listAssetsForUser', {}).catch(() => null);
+        let dbAssets = [];
+        if (rawResponse !== null) {
+            if (Array.isArray(rawResponse)) {
+                // Pre-S4 server — treat entire response as active assets with no dormant list.
+                dbAssets = rawResponse;
+                dormantDbAssetRows = [];
+            }
+            else {
+                dbAssets = rawResponse.activeAssets ?? [];
+                dormantDbAssetRows = rawResponse.dormantAssets ?? [];
+            }
+        }
+        if (dbAssets.length > 0) {
+            dbAssetRows = dbAssets;
+            // WP-428 S2: body is no longer inline — fetch from storage per-asset when bodyStorageId is set.
+            // Projectable assets: non-disabled skill/rule/hook entries. Fetch bodies in parallel (bounded).
+            const projectableAssets = dbAssets.filter((a) => !a.disabledByOwner && (a.assetKind === 'skill' || a.assetKind === 'rule' || a.assetKind === 'hook'));
+            const assetsNeedingBodyFetch = projectableAssets.filter((a) => a.bodyStorageId);
+            const bodyFetchMap = new Map(); // entryId → body
+            // WP-428 S2 (Finding #5/#12): track fetch-failed assets so we can skip their projection.
+            // Failed entryIds are excluded from dbSkills/dbRules — no empty body written, no lastProjectedHash update.
+            // bodyFetchFailedEntryIds is declared at outer scope (also used by authoring-file projection loop).
+            if (assetsNeedingBodyFetch.length > 0) {
+                log(`Fetching ${assetsNeedingBodyFetch.length} asset body(s) from storage...`);
+                const bodyFetchResults = await Promise.allSettled(assetsNeedingBodyFetch.map(async (asset) => {
+                    const result = await kernelCall('setup.fetchAssetBody', { bodyStorageId: asset.bodyStorageId });
+                    return { entryId: asset.entryId, name: asset.name, body: result.body };
+                }));
+                for (let i = 0; i < bodyFetchResults.length; i++) {
+                    const result = bodyFetchResults[i];
+                    if (result.status === 'fulfilled') {
+                        bodyFetchMap.set(result.value.entryId, result.value.body);
+                    }
+                    else {
+                        // WP-428 S2 (Finding #12): include entryId and name in the warning (Finding #5: skip projection).
+                        const asset = assetsNeedingBodyFetch[i];
+                        logErr(`Warning: failed to fetch body for ${asset.entryId} (${asset.name}) — ${result.reason instanceof Error ? result.reason.message : String(result.reason)}`);
+                        bodyFetchFailedEntryIds.add(asset.entryId);
+                    }
+                }
+                if (bodyFetchFailedEntryIds.size > 0) {
+                    // WP-439 S4: strict-by-default. Any body-fetch failure is a hard
+                    // failure unless --lenient is passed. The strict path surfaces an
+                    // actionable pointer at the audit/repair command operators can run
+                    // to diagnose and fix orphaned setup-asset rows.
+                    const failedList = [...bodyFetchFailedEntryIds].join(', ');
+                    if (options.lenient) {
+                        logErr(`Warning: ${bodyFetchFailedEntryIds.size} asset(s) skipped due to body fetch failure (--lenient): ${failedList}`);
+                    }
+                    else {
+                        throw new CLIError(`${bodyFetchFailedEntryIds.size} asset(s) failed body fetch: ${failedList}. ` +
+                            `Run \`pb setup-audit\` to diagnose, then \`pb setup-audit --repair\` to reseed. ` +
+                            `Pass --lenient to suppress this and continue with affected entries skipped (legacy behaviour).`, { code: ErrorCode.INTERNAL, category: 'internal' });
+                    }
+                }
+            }
+            // Map DB assets to CanonicalSkill/CanonicalRule shapes
+            for (const asset of dbAssets) {
+                if (asset.disabledByOwner)
+                    continue;
+                // WP-428 S2 (Finding #5): skip projection for assets whose body fetch failed.
+                // Do NOT write empty body to disk and do NOT update lastProjectedHash.
+                if (bodyFetchFailedEntryIds.has(asset.entryId))
+                    continue;
+                // WP-428 S2: resolve body — prefer storage-fetched body, fall back to inline body (pre-S2 servers).
+                // Fallback: pre-S2 servers (no bodyStorageId) return inline body. Once all servers are S2+, this can be deleted.
+                const resolvedBody = bodyFetchMap.get(asset.entryId) ?? asset.body ?? '';
+                if (asset.assetKind === 'skill') {
+                    dbSkills.push({
+                        name: asset.name,
+                        description: asset.description,
+                        triggers: asset.triggers ?? [],
+                        body: resolvedBody,
+                        sourcePath: `db:${asset.entryId}`,
+                    });
+                }
+                else if (asset.assetKind === 'rule' || asset.assetKind === 'hook') {
+                    dbRules.push({
+                        name: asset.name,
+                        description: asset.description,
+                        autoApply: false,
+                        body: resolvedBody,
+                        sourcePath: `db:${asset.entryId}`,
+                    });
+                }
+            }
+            usedDbSource = true;
+            log(`Setup assets: ${dbSkills.length} skills, ${dbRules.length} rules/hooks from DB (WP-345 DB-first path)`);
+            if (dormantDbAssetRows.length > 0) {
+                log(`Setup assets: ${dormantDbAssetRows.length} dormant (gate-filtered) asset(s) will be marked on disk`);
+            }
+        }
+    }
+    catch {
+        // DB source unavailable — silently fall through to FS path
+    }
+    const allSkills = usedDbSource ? dbSkills : readCanonicalSkills(pbDir);
+    const manualRules = usedDbSource ? dbRules : readCanonicalRules(pbDir);
+    if (!usedDbSource) {
+        log('Setup assets: reading from filesystem (DB source unavailable or empty)');
+    }
+    // 5a-pre. E4: Resolve semantic refs in DB assets (WP-345, DEC-A, DEC-C, DEC-K)
+    // For each asset with semanticRefs[], resolve them via the Convex resolver and
+    // replace {{ref:key}} placeholders in the body. Runs in apply mode only (not preview).
+    // NG11: PostHog events fire from CLI side only (never inside Convex mutations).
+    if (usedDbSource && writeMode) {
+        const projectableDbAssets = dbAssetRows.filter((a) => !a.disabledByOwner && (a.assetKind === 'skill' || a.assetKind === 'rule' || a.assetKind === 'hook'));
+        const assetsWithRefs = projectableDbAssets.filter((a) => a.semanticRefs && a.semanticRefs.length > 0);
+        if (assetsWithRefs.length > 0) {
+            log(`Resolving semantic refs for ${assetsWithRefs.length} asset(s)...`);
+            // Collect unique ref keys across all assets
+            const allRefKeys = [...new Set(assetsWithRefs.flatMap((a) => a.semanticRefs))];
+            // Resolve all refs in a single batch call. Shape: SetupRefResolution[]
+            // (DEC-767 / WP-354 Build-Order #6 — kind + status discriminator).
+            let resolvedRefs = [];
+            try {
+                resolvedRefs = await kernelCall('setup.resolveSemanticRefs', { semanticRefs: allRefKeys });
+            }
+            catch (err) {
+                trackEvent('setup.refs.resolve_failed', { error: err instanceof Error ? err.message : String(err) });
+                logErr(`Warning: could not resolve semantic refs — ${err instanceof Error ? err.message : String(err)}`);
+            }
+            // Build resolved map: canonicalKey → display name. Only required refs
+            // count as unresolved warnings; seed/unknown refs are not gates.
+            const resolvedMap = new Map();
+            let unresolvedCount = 0;
+            for (const result of resolvedRefs) {
+                if (result.status === 'resolved' && result.localEntryId) {
+                    resolvedMap.set(result.ref, result.localEntryId);
+                    trackEvent('skill.ref.resolved', { ref: result.ref, kind: result.kind });
+                }
+                else if (result.status === 'unsupported-future') {
+                    // seed: refs are explicitly future scope per WP-354 Build-Order #6 — not a warning.
+                    trackEvent('skill.ref.future', { ref: result.ref, kind: result.kind });
+                }
+                else if (result.required) {
+                    unresolvedCount++;
+                    trackEvent('skill.ref.unresolved', { ref: result.ref, kind: result.kind, status: result.status });
+                }
+            }
+            if (unresolvedCount > 0) {
+                logErr(`Warning: ${unresolvedCount} required semantic ref(s) could not be resolved.`);
+            }
+            // Projection must preserve ref tokens as portable machine-readable refs.
+            // resolvedMap is only used for validation/telemetry here; generated setup
+            // artifacts keep {{ref:domain:...}} / {{ref:entry:...}} intact.
+        }
+        // Compute projection hash for each projected DB asset (DEC-K).
+        // The stored hash is sha256 of the normalized resolved asset body; DB persistence
+        // is deferred until the write loop confirms a matching file was emitted.
+        // Strip existing hash trailer and timestamp lines, normalize to LF, then hash.
+        const HASH_TRAILER_REGEX = /^<!--\s*pb-hash:.*-->\s*$/gm;
+        const TIMESTAMP_REGEX = /^<!--\s*pb-generated-at:.*-->\s*$/gm;
+        for (const rawAsset of projectableDbAssets) {
+            const resolvedAsset = [...dbSkills, ...dbRules].find((a) => a.sourcePath === `db:${rawAsset.entryId}`);
+            if (!resolvedAsset)
+                continue;
+            try {
+                // Build the projected body (what will be written to disk)
+                const projectedBody = resolvedAsset.body;
+                // Normalize: strip existing hash/timestamp trailers, convert to LF
+                const normalized = projectedBody
+                    .replace(HASH_TRAILER_REGEX, '')
+                    .replace(TIMESTAMP_REGEX, '')
+                    .replace(/\r\n/g, '\n')
+                    .replace(/\r/g, '\n')
+                    .trimEnd();
+                // Compute sha256 hash
+                const hash = createHash('sha256').update(normalized, 'utf8').digest('hex');
+                const hashTrailer = `<!-- pb-hash: sha256:${hash} -->`;
+                // Append hash trailer to the projected body
+                resolvedAsset.body = `${normalized}\n${hashTrailer}`;
+                dbProjectionHashes.set(rawAsset.entryId, {
+                    hash: `sha256:${hash}`,
+                    assetKind: rawAsset.assetKind,
+                });
+                // Drift detection: compare against last known hash
+                if (rawAsset.lastProjectedHash && rawAsset.lastProjectedHash !== `sha256:${hash}`) {
+                    trackEvent('skill.drift.detected', {
+                        entryId: rawAsset.entryId,
+                        assetKind: rawAsset.assetKind,
+                    });
+                    log(`Drift detected for asset ${rawAsset.entryId} — projecting updated version.`);
+                }
+                trackEvent('skill.projection.succeeded', {
+                    entryId: rawAsset.entryId,
+                    assetKind: rawAsset.assetKind,
+                });
+            }
+            catch (err) {
+                trackEvent('skill.projection.failed', {
+                    entryId: rawAsset.entryId,
+                    assetKind: rawAsset.assetKind,
+                });
+                logErr(`Warning: projection failed for ${rawAsset.entryId} — ${err instanceof Error ? err.message : String(err)}`);
+            }
+        }
+    }
+    // 5a. Optionally fetch and merge Chain-derived rules (--generate flag)
+    let chainRulesStats = null;
+    let chainGaps = [];
+    let allRules = manualRules;
+    if (generate) {
+        log('Generating Chain-derived rules...');
+        const chainResult = await generateChainRules(kernelCall, manualRules);
+        if (chainResult.sentinel) {
+            // MCP unavailable — inject sentinel rule and warn
+            allRules = [...manualRules, chainResult.sentinel];
+            logErr('Warning: Chain MCP unavailable — generated rules are disabled. Sentinel rule injected.');
+        }
+        else {
+            // Merge generated rules after manual rules (manual takes precedence on dedup)
+            allRules = [...manualRules, ...chainResult.rules];
+            chainRulesStats = chainResult.stats;
+            chainGaps = chainResult.gaps;
+            const { generatedRules, suppressedByManual, suppressedByZeroEntries } = chainResult.stats;
+            log(`Chain-derived rules: ${generatedRules} generated, ${suppressedByManual} suppressed by manual, ${suppressedByZeroEntries} gaps`);
+            if (chainGaps.length > 0) {
+                log(`Gaps (no matching governance entries): ${chainGaps.join(', ')}`);
+            }
+            // Diff: compare current state against previous run
+            const previousState = loadPreviousState(pbDir);
+            const currentState = buildCurrentState(chainResult.rules, chainResult.classified);
+            saveHandshakeState(pbDir, chainResult.rules, chainResult.classified);
+            const diff = diffHandshakeState(currentState, previousState);
+            const diffText = formatDiff(diff);
+            log(diffText);
+        }
+    }
+    // 5b. Read personal layer (WP-310 E2) — machine-local rules/skills from .productbrain/.local/
+    // Returns [] when the directory is absent. All returned entries have persist: 'local'.
+    const personalRules = readPersonalLayer(pbDir);
+    if (personalRules.length > 0) {
+        // Name collision detection — warn when a personal rule overrides a team rule
+        const teamRuleNames = new Set(allRules.map((r) => r.name));
+        for (const pr of personalRules) {
+            if (teamRuleNames.has(pr.name)) {
+                logErr(`Personal rule "${pr.name}" overrides team rule (local takes precedence).`);
+            }
+        }
+        // Merge: team rules first, personal rules appended (personal takes precedence via name collision above)
+        allRules = [...allRules, ...personalRules];
+    }
+    const personalSkills = readPersonalSkillsLayer(pbDir);
+    if (personalSkills.length > 0) {
+        const teamSkillNames = new Set(allSkills.map((s) => s.name));
+        for (const ps of personalSkills) {
+            if (teamSkillNames.has(ps.name)) {
+                logErr(`Personal skill "${ps.name}" overrides team skill (local takes precedence).`);
+            }
+        }
+        allSkills.push(...personalSkills);
+    }
+    // 5d. Load method registry (WP-310 E4) — only when manifest is present.
+    let registrySource;
+    let registryStale;
+    if (manifest) {
+        const registryResult = await loadMethodRegistry(manifest.method_source, kernelCall).catch(() => null);
+        if (registryResult) {
+            registrySource = registryResult.source;
+            registryStale = registryResult.stale;
+        }
+    }
+    const adoptionFilteredSkills = filterByAdoptionState(allSkills, manifest);
+    const adoptionFilteredRules = filterByAdoptionState(allRules, manifest);
+    // Compute adoption counts for report (only meaningful when manifest is present)
+    const adoptedRulesCount = manifest ? adoptionFilteredRules.length : undefined;
+    const rejectedRulesCount = manifest ? allRules.length - adoptionFilteredRules.length : undefined;
+    // Apply level filtering with stage-gating (after adoption filter, before target filtering in write loop)
+    // Stage caps the effective level: blank→beginner, seed→intermediate, grounded+→expert.
+    // If stage caps below the requested level, log it so the user knows why items were dropped.
+    const profileStage = workspaceProfile?.stage;
+    const levelFilteredSkills = filterByLevel(adoptionFilteredSkills, level, profileStage);
+    const levelFilteredRules = filterByLevel(adoptionFilteredRules, level, profileStage);
+    // Log when stage gating changes the effective level
+    if (profileStage) {
+        const stageCap = STAGE_TO_MAX_LEVEL[profileStage];
+        if (stageCap) {
+            const requestedIdx = level ? LEVEL_ORDER.indexOf(level) : LEVEL_ORDER.length - 1;
+            const capIdx = LEVEL_ORDER.indexOf(stageCap);
+            if (capIdx < requestedIdx) {
+                log(`Stage "${profileStage}" caps level from ${level || 'expert'} to ${stageCap}`);
+            }
+        }
+    }
+    // Apply when-condition filtering (stage-aware, workspace profile + repo context)
+    const canonicalSkills = levelFilteredSkills.filter((skill) => {
+        const result = evaluateConditions(skill.conditions ?? {}, workspaceProfile, repo);
+        if (dryRun && !result.included) {
+            log(`  EXCLUDED skill ${skill.name}: ${result.reasons.join(', ')}`);
+        }
+        return result.included;
+    });
+    const canonicalRules = levelFilteredRules.filter((rule) => {
+        const result = evaluateConditions(rule.conditions ?? {}, workspaceProfile, repo);
+        if (dryRun && !result.included) {
+            log(`  EXCLUDED rule ${rule.name}: ${result.reasons.join(', ')}`);
+        }
+        return result.included;
+    });
+    if (dryRun && canonicalSkills.length > 0) {
+        log(`  INCLUDED skills: ${canonicalSkills.map((s) => s.name).join(', ')}`);
+    }
+    if (dryRun && canonicalRules.length > 0) {
+        log(`  INCLUDED rules: ${canonicalRules.map((r) => r.name).join(', ')}`);
+    }
     if (canonicalSkills.length > 0 || canonicalRules.length > 0) {
         const levelSuffix = level ? ` (level: ${level})` : '';
-        log(`Portable knowledge: ${canonicalSkills.length} skill(s), ${canonicalRules.length} rule(s)${levelSuffix}`);
+        const stageSuffix = profileStage ? `, stage: ${profileStage}` : '';
+        const stackSuffix = repo.detectedStack.length > 0 ? `, stack: [${repo.detectedStack.join(', ')}]` : '';
+        const totalSkills = allSkills.length;
+        const totalRules = allRules.length;
+        log(`Portable knowledge: ${canonicalSkills.length}/${totalSkills} skills, ${canonicalRules.length}/${totalRules} rules${levelSuffix}${stageSuffix}${stackSuffix}`);
     }
     // 6. Generate file contents
-    const contextContent = orientView ? generateContextMd(orientView, repo, timestamp) : null;
+    // Build workspace context for AGENTS.md enrichment (stage, focus, governance, entry count)
+    const agentsWorkspaceContext = workspaceProfile
+        ? {
+            stage: workspaceProfile.stage,
+            focus: orientView?.strategicContext?.currentWorkPackage ?? undefined,
+            governanceMode: workspaceProfile.governanceMode,
+            totalEntries: workspaceProfile.totalEntries,
+        }
+        : undefined;
+    // Collect codex-targeted skills for AGENTS.md skill directory.
+    // persist: 'local' entries are included; all projections are now local-only.
+    const agentsCodexSkills = canonicalSkills
+        .filter((s) => shouldEmitToTarget(s, 'codex'))
+        .map((s) => ({
+        name: s.name,
+        description: s.description,
+        triggers: s.triggers,
+    }));
+    // Collect copilot-targeted skills for copilot-instructions.md skill summaries
+    const copilotSkills = canonicalSkills
+        .filter((s) => shouldEmitToTarget(s, 'copilot'))
+        .map((s) => ({
+        name: s.name,
+        description: s.description,
+        triggers: s.triggers,
+    }));
+    // Collect copilot-targeted rules for copilot-instructions.md rule summaries
+    const copilotRules = canonicalRules
+        .filter((r) => shouldEmitToTarget(r, 'copilot'))
+        .map((r) => ({
+        name: r.name,
+        description: r.description,
+    }));
+    const copilotProfile = resolveSurfaceProfile('copilot');
+    const copilotOptions = {
+        profile: copilotProfile,
+        workspaceContext: agentsWorkspaceContext,
+        skills: copilotSkills.length > 0 ? copilotSkills : undefined,
+        rules: copilotRules.length > 0 ? copilotRules : undefined,
+    };
+    const contextContent = orientView ? generateContextMd(orientView, repo, timestamp, workspaceProfile?.stage) : null;
     const briefingContent = generateBriefingMd(matchedEntries, repo, uniqueQueries, timestamp);
+    const agentsContent = generateAgentsMd(timestamp, {
+        workspaceContext: agentsWorkspaceContext,
+        skills: agentsCodexSkills.length > 0 ? agentsCodexSkills : undefined,
+    });
     const claudeContent = generateClaudeMd(timestamp);
     const cursorContent = generateCursorMdc(timestamp);
-    const copilotContent = generateCopilotMd(timestamp);
+    const copilotContent = generateCopilotMd(timestamp, copilotOptions);
+    const boundaryEnforcementMode = getBoundaryEnforcementMode(manifest);
+    const boundaryManifestContent = boundaryEnforcementMode === 'advisory'
+        ? null
+        : generateBoundaryManifest(pbDir);
     // 7. Write files
     const filesWritten = [];
     const filesSkipped = [];
+    const previewPlan = [];
+    if (writeMode && usedDbSource) {
+        const authoringSyncState = loadAuthoringSyncState(pbDir);
+        let authoringSyncStateChanged = false;
+        const personalAssets = dbAssetRows.filter((asset) => asset.scope === 'personal' &&
+            !asset.disabledByOwner &&
+            (asset.assetKind === 'skill' || asset.assetKind === 'rule' || asset.assetKind === 'hook'));
+        for (const asset of personalAssets) {
+            // WP-428 S2 (Finding #5): skip projection for assets whose body fetch failed.
+            // Do NOT write the authoring file with empty body, do NOT update lastProjectedHash.
+            if (bodyFetchFailedEntryIds.has(asset.entryId))
+                continue;
+            const authoringPath = setupAuthoringPath(cwd, asset);
+            if (!authoringPath)
+                continue;
+            // Review: use relative() for correct cross-platform path computation (string-replace
+            // mis-fires when cwd uses a non-'/' separator), matching the dormant passes below.
+            const relativeAuthoringPath = relative(cwd, authoringPath);
+            const bodyHash = setupAuthoringAssetHash(asset);
+            const authoringExists = existsSync(authoringPath);
+            const tracked = authoringSyncState.assets[asset.entryId];
+            const trackedHere = tracked?.path === relativeAuthoringPath;
+            const trackedMatchesServer = Boolean(trackedHere && asset.lastProjectedHash && tracked?.hash === asset.lastProjectedHash);
+            if (!authoringExists && asset.lastProjectedHash && trackedHere && trackedMatchesServer) {
+                try {
+                    const dormantResult = await kernelCall('setup.markPersonalSetupAssetDormantFromSync', { entryId: asset.entryId, expectedLastProjectedHash: tracked.hash });
+                    if (dormantResult.action === 'conflict') {
+                        syncDriftTensToFire.push(`Repo authoring deletion skipped for ${asset.entryId}; server baseline changed during sync, so writeback was deferred until the next DB read.`);
+                        logErr(`Warning: authoring deletion for ${asset.entryId} was not applied because the DB baseline changed during sync.`);
+                        deferredAuthoringBaselineEntryIds.add(asset.entryId);
+                        continue;
+                    }
+                    else {
+                        syncDriftTensToFire.push(`Repo authoring file was deleted for ${asset.entryId}; caller-owned personal setup asset marked dormant.`);
+                        log(`Setup authoring deletion: ${asset.entryId} marked dormant.`);
+                        delete authoringSyncState.assets[asset.entryId];
+                        authoringSyncStateChanged = true;
+                        continue;
+                    }
+                }
+                catch (err) {
+                    logErr(`Warning: could not mark ${asset.entryId} dormant after authoring deletion — ${err instanceof Error ? err.message : String(err)}`);
+                    continue;
+                }
+            }
+            else if (!authoringExists && asset.lastProjectedHash && trackedHere) {
+                syncDriftTensToFire.push(`Repo authoring deletion skipped for ${asset.entryId}; local sync baseline is stale, so DB writeback wins.`);
+                logErr(`Warning: authoring deletion for ${asset.entryId} was not applied because the DB baseline changed.`);
+            }
+            const nextAuthoringContent = renderSetupAuthoringFile(asset);
+            if (authoringExists) {
+                const parsed = parseSetupAuthoringFrontmatter(readFileSync(authoringPath, 'utf8'));
+                const fileHash = setupAuthoringAssetHash({
+                    entryId: parsed.frontmatterId?.trim() || asset.entryId,
+                    name: parsed.name || asset.name,
+                    description: parsed.description,
+                    body: parsed.body,
+                    assetKind: asset.assetKind,
+                    triggers: parsed.triggers,
+                    semanticRefs: parsed.semanticRefs,
+                });
+                if (fileHash === bodyHash) {
+                    if (asset.lastProjectedHash !== bodyHash) {
+                        await kernelCall('setup.updateLastProjectedHash', {
+                            entryId: asset.entryId,
+                            hash: bodyHash,
+                        }).catch(() => null);
+                    }
+                    authoringSyncState.assets[asset.entryId] = { path: relativeAuthoringPath, hash: bodyHash };
+                    authoringSyncStateChanged = true;
+                    continue;
+                }
+                if (!asset.lastProjectedHash) {
+                    syncDriftTensToFire.push(`Repo authoring file differs from DB for ${asset.entryId} at ${authoringPath} with no shared baseline; DB writeback skipped.`);
+                    logErr(`Warning: setup authoring drift for ${asset.entryId}; DB writeback skipped because no shared baseline exists.`);
+                    continue;
+                }
+                if (fileHash !== asset.lastProjectedHash &&
+                    bodyHash !== asset.lastProjectedHash) {
+                    syncDriftTensToFire.push(`Repo authoring file won setup sync conflict for ${asset.entryId} at ${authoringPath}.`);
+                    logErr(`Warning: repo authoring file won sync conflict for ${asset.entryId}; DB writeback skipped.`);
+                    continue;
+                }
+                if (fileHash !== asset.lastProjectedHash) {
+                    syncDriftTensToFire.push(`Repo authoring file differs from DB baseline for ${asset.entryId} at ${authoringPath}; DB writeback skipped.`);
+                    logErr(`Warning: setup authoring drift for ${asset.entryId}; DB writeback skipped.`);
+                    continue;
+                }
+            }
+            try {
+                assertSetupWritePath(authoringPath, perimeterManifest);
+                mkdirSync(dirname(authoringPath), { recursive: true });
+                writeFileSync(authoringPath, nextAuthoringContent);
+                filesWritten.push(relativeAuthoringPath);
+                await kernelCall('setup.updateLastProjectedHash', {
+                    entryId: asset.entryId,
+                    hash: bodyHash,
+                }).catch(() => null);
+                authoringSyncState.assets[asset.entryId] = { path: relativeAuthoringPath, hash: bodyHash };
+                authoringSyncStateChanged = true;
+            }
+            catch (err) {
+                logErr(`Warning: could not write setup authoring file for ${asset.entryId} — ${err instanceof Error ? err.message : String(err)}`);
+            }
+        }
+        if (authoringSyncStateChanged) {
+            try {
+                saveAuthoringSyncState(pbDir, authoringSyncState);
+            }
+            catch (err) {
+                logErr(`Warning: could not persist setup authoring sync state — ${err instanceof Error ? err.message : String(err)}`);
+            }
+        }
+    }
     const writes = [
         ...(contextContent ? [{ path: join(cwd, '.productbrain', 'context.md'), relative: '.productbrain/context.md', content: contextContent, dirs: join(cwd, '.productbrain'), isAdapter: false }] : []),
         { path: join(cwd, '.productbrain', 'briefing.md'), relative: '.productbrain/briefing.md', content: briefingContent, isAdapter: false },
-        { path: join(cwd, 'CLAUDE.md'), relative: 'CLAUDE.md', content: claudeContent, isAdapter: true },
-        { path: join(cwd, '.cursor', 'rules', 'chain.mdc'), relative: '.cursor/rules/chain.mdc', content: cursorContent, dirs: join(cwd, '.cursor', 'rules'), isAdapter: true },
-        { path: join(cwd, '.github', 'copilot-instructions.md'), relative: '.github/copilot-instructions.md', content: copilotContent, dirs: join(cwd, '.github'), isAdapter: true },
+        { path: join(cwd, 'AGENTS.md'), relative: 'AGENTS.md', content: agentsContent, isAdapter: true, target: 'codex', augmentTarget: true },
+        { path: join(cwd, 'CLAUDE.md'), relative: 'CLAUDE.md', content: claudeContent, isAdapter: true, target: 'claude', augmentTarget: true },
+        { path: join(cwd, '.cursor', 'rules', 'chain.mdc'), relative: '.cursor/rules/chain.mdc', content: cursorContent, dirs: join(cwd, '.cursor', 'rules'), isAdapter: true, target: 'cursor' },
+        { path: join(cwd, '.github', 'copilot-instructions.md'), relative: '.github/copilot-instructions.md', content: copilotContent, dirs: join(cwd, '.github'), isAdapter: true, target: 'copilot' },
+        ...(boundaryManifestContent ? [{
+                path: join(cwd, '.productbrain', 'generated', 'boundaries.json'),
+                relative: '.productbrain/generated/boundaries.json',
+                content: boundaryManifestContent,
+                dirs: join(cwd, '.productbrain', 'generated'),
+                isAdapter: false,
+            }] : []),
     ];
     // Add Cursor skill copies (filtered by target)
+    const cursorProfile = resolveSurfaceProfile('cursor');
     for (const skill of canonicalSkills) {
         if (!shouldEmitToTarget(skill, 'cursor'))
             continue;
+        const dbAssetEntryId = skill.sourcePath.startsWith('db:') ? skill.sourcePath.slice(3) : undefined;
         const skillDir = join(cwd, '.cursor', 'skills', skill.name);
         writes.push({
             path: join(skillDir, 'SKILL.md'),
             relative: `.cursor/skills/${skill.name}/SKILL.md`,
-            content: generateCursorSkill(skill),
+            content: generateCursorSkill(skill, cursorProfile),
             dirs: skillDir,
             isAdapter: true,
+            target: 'cursor',
+            dbAssetEntryId,
         });
     }
+    // Add Codex skill copies (projected markdown + index)
+    const codexProfile = resolveSurfaceProfile('codex');
+    const codexSkills = canonicalSkills.filter((s) => shouldEmitToTarget(s, 'codex'));
+    for (const skill of codexSkills) {
+        const dbAssetEntryId = skill.sourcePath.startsWith('db:') ? skill.sourcePath.slice(3) : undefined;
+        writes.push({
+            path: join(cwd, '.codex', 'skills', `${skill.name}.md`),
+            relative: `.codex/skills/${skill.name}.md`,
+            content: generateCodexSkill(skill, codexProfile),
+            dirs: join(cwd, '.codex', 'skills'),
+            isAdapter: true,
+            target: 'codex',
+            dbAssetEntryId,
+        });
+    }
+    writes.push({
+        path: join(cwd, '.codex', 'skills', 'README.md'),
+        relative: '.codex/skills/README.md',
+        content: generateCodexSkillIndex(codexSkills),
+        dirs: join(cwd, '.codex', 'skills'),
+        isAdapter: true,
+        target: 'codex',
+    });
+    // Validate Codex-projected skills for dead references
+    const codexWarnings = validateCodexSkills(codexSkills);
     // Add Cursor rule copies (filtered by target)
     for (const rule of canonicalRules) {
         if (!shouldEmitToTarget(rule, 'cursor'))
             continue;
+        const dbAssetEntryId = rule.sourcePath.startsWith('db:') ? rule.sourcePath.slice(3) : undefined;
         writes.push({
             path: join(cwd, '.cursor', 'rules', `${rule.name}.mdc`),
             relative: `.cursor/rules/${rule.name}.mdc`,
-            content: generateCursorRule(rule),
+            content: generateCursorRule(rule, cursorProfile),
             dirs: join(cwd, '.cursor', 'rules'),
             isAdapter: true,
+            target: 'cursor',
+            dbAssetEntryId,
         });
     }
     // Add Claude Code rule copies (filtered by target)
+    const claudeProfile = resolveSurfaceProfile('claude');
     for (const rule of canonicalRules) {
         if (!shouldEmitToTarget(rule, 'claude'))
             continue;
+        const dbAssetEntryId = rule.sourcePath.startsWith('db:') ? rule.sourcePath.slice(3) : undefined;
         writes.push({
             path: join(cwd, '.claude', 'rules', `${rule.name}.md`),
             relative: `.claude/rules/${rule.name}.md`,
-            content: generateClaudeRule(rule),
+            content: generateClaudeRule(rule, claudeProfile),
             dirs: join(cwd, '.claude', 'rules'),
             isAdapter: true,
+            target: 'claude',
+            dbAssetEntryId,
         });
     }
     // Add Claude Code skill router (filtered by target)
     const claudeSkills = canonicalSkills.filter((s) => shouldEmitToTarget(s, 'claude'));
-    const skillRouterContent = generateClaudeSkillRouter(claudeSkills);
+    const skillRouterContent = generateClaudeSkillRouter(claudeSkills, claudeProfile);
     if (skillRouterContent) {
         writes.push({
             path: join(cwd, '.claude', 'rules', 'skill-router.md'),
@@ -346,33 +1919,717 @@ export async function runHandshake(options = {}) {
             content: skillRouterContent,
             dirs: join(cwd, '.claude', 'rules'),
             isAdapter: true,
+            target: 'claude',
         });
     }
+    // 7a. WP-379 S5b: Resolve projection collisions before writing.
+    // In apply mode, enumerate target dirs and unlink any auto-generated files
+    // whose normalized name no longer matches any active asset from the server.
+    // This prevents case-variant orphans from accumulating across handshakes.
+    // Runs only when we have a DB asset list (usedDbSource) — without a DB source,
+    // we can't determine which files are canonical vs. orphan.
+    const collisionTensToFire = [];
+    if (writeMode && usedDbSource) {
+        const activeAssetNames = dbAssetRows
+            .filter((a) => !a.disabledByOwner)
+            .map((a) => a.name);
+        const { collisionTens } = resolveProjectionCollision(cwd, activeAssetNames, log, logErr);
+        collisionTensToFire.push(...collisionTens);
+    }
+    // ── WP-436 S3: Vocab projector — fetch workspace vocab context once per handshake ──
+    // Source-side (.productbrain/skills/*.md + rules/*.md) stays tokenized.
+    // The projector resolves {{vocab:...}} tokens before writing adapter output to disk
+    // (.cursor/rules/, .claude/rules/, CLAUDE.md, AGENTS.md, .github/copilot-instructions.md).
+    // Fail-open: if vocab fetch fails, skip resolution and write raw token (no breakage).
+    const handshakeVocabCtx = await getOrFetchVocabCtx(config.apiKey, async () => {
+        try {
+            const vocab = await kernelCall('chain.getVocabulary', {});
+            if (vocab?.collectionLabels || vocab?.collectionDefaults) {
+                return {
+                    ...(vocab.collectionLabels ? { collectionLabels: vocab.collectionLabels } : {}),
+                    ...(vocab.collectionDefaults ? { collectionDefaults: vocab.collectionDefaults } : {}),
+                };
+            }
+            return null;
+        }
+        catch {
+            return null; // fail-open
+        }
+    });
+    const userOwnedSkipped = [];
+    const projectedHashUpdates = new Map();
+    const cleanBucketPaths = [];
+    const tamperedBucket = [];
+    const recordProjectedHash = (entryId) => {
+        if (!applyMode || !entryId)
+            return;
+        if (deferredAuthoringBaselineEntryIds.has(entryId))
+            return;
+        const projection = dbProjectionHashes.get(entryId);
+        if (projection)
+            projectedHashUpdates.set(entryId, projection.hash);
+    };
+    // TEN-2155: region augmentation context + symlink dedupe.
+    // codexActive gates the AGENTS.md skills-index pointer (region-projections.ts).
+    const regionCtx = { codexActive: allowedTargets.has('codex') };
+    const malformedRegionPaths = [];
+    // If two augment targets resolve to the same inode (e.g. CLAUDE.md symlinked to AGENTS.md),
+    // augment only the first-seen (AGENTS.md precedes CLAUDE.md in `writes`) to avoid double-injection.
+    const seenAugmentRealpaths = new Set();
+    const augmentTargetSkip = new Set();
     for (const w of writes) {
+        if (!w.augmentTarget || !w.target || !allowedTargets.has(w.target) || !existsSync(w.path))
+            continue;
+        let real;
+        try {
+            real = realpathSync(w.path);
+        }
+        catch {
+            real = w.path;
+        }
+        if (seenAugmentRealpaths.has(real))
+            augmentTargetSkip.add(w.path);
+        else
+            seenAugmentRealpaths.add(real);
+    }
+    for (const w of writes) {
+        // Surface filtering: skip adapter writes for targets not in the allowed set
+        if (w.target && !allowedTargets.has(w.target)) {
+            filesSkipped.push({ path: w.relative, reason: `filtered (surface: ${w.target})` });
+            if (preview)
+                previewPlan.push({ path: w.relative, status: 'filtered' });
+            continue;
+        }
+        // ── TEN-2155: augment user-owned CLAUDE.md / AGENTS.md with a marked PB region ──
+        // Runs ahead of the legacy MARKER-keyed gates. Only existing augmentable/region-present
+        // files are spliced here; absent + legacy-pb-managed fall through to the legacy path.
+        if (w.augmentTarget) {
+            const projection = REGION_PROJECTIONS[w.target];
+            if (projection && existsSync(w.path)) {
+                if (augmentTargetSkip.has(w.path)) {
+                    filesSkipped.push({ path: w.relative, reason: 'symlinked to another augment target — augmented once' });
+                    continue;
+                }
+                const disk = readFileSync(w.path, 'utf8');
+                const cls = classifyAdapterFile(disk);
+                if (cls === 'augmentable' || cls === 'region-present') {
+                    const eol = detectEol(disk);
+                    const region = replaceVocabTokens(projection.build(regionCtx, eol), handshakeVocabCtx);
+                    // Defense-in-depth: the composed region (post vocab-token resolution) must itself be a
+                    // single well-formed region. v1 content has no vocab tokens so this is a no-op, but it
+                    // guards the documented future override/vocab seam from injecting a stray sentinel/MARKER.
+                    if (classifyAdapterFile(region) !== 'region-present') {
+                        filesSkipped.push({ path: w.relative, reason: 'internal: composed PB region malformed — skipped to protect your file' });
+                        if (preview)
+                            previewPlan.push({ path: w.relative, status: 'needs-attention' });
+                        continue;
+                    }
+                    const candidate = cls === 'augmentable' ? spliceAppend(disk, region, eol) : spliceReplace(disk, region);
+                    if (candidate === disk) {
+                        filesSkipped.push({ path: w.relative, reason: 'unchanged' });
+                        if (preview)
+                            previewPlan.push({ path: w.relative, status: 'unchanged' });
+                        continue;
+                    }
+                    if (preview || dryRun) {
+                        filesWritten.push(w.relative + (dryRun ? ' (dry run)' : ''));
+                        if (preview)
+                            previewPlan.push({ path: w.relative, status: 'would-augment' });
+                        continue;
+                    }
+                    if (authorityPreviewOnly) {
+                        // apply + materialize observe/off: honor authority — do NOT write; mirror the legacy
+                        // preview-only skip so the report does not falsely list it as written.
+                        filesSkipped.push({ path: w.relative, reason: `preview-only (materialize: ${manifestStatus.mode})` });
+                        continue;
+                    }
+                    assertSetupWritePath(w.path, perimeterManifest);
+                    writeFileSync(w.path, candidate);
+                    filesWritten.push(w.relative);
+                    continue;
+                }
+                if (cls === 'malformed') {
+                    filesSkipped.push({ path: w.relative, reason: 'malformed PB region — left untouched; fix the pb:region sentinels' });
+                    if (preview)
+                        previewPlan.push({ path: w.relative, status: 'needs-attention' });
+                    malformedRegionPaths.push(w.relative);
+                    continue;
+                }
+                // cls 'pb-managed' → fall through to the legacy whole-file re-projection path below.
+                // cls 'opt-out' (file carries the pb:no-augment sentinel — e.g. this repo's committed
+                // constitution) → fall through too, landing on the legacy user-owned skip: left untouched,
+                // never spliced. This is how a file declines augmentation without losing its user-owned status.
+            }
+            // absent file → fall through to legacy whole-file CREATE.
+        }
         if (w.isAdapter && !shouldWriteAdapter(w.path, force)) {
-            filesSkipped.push({ path: w.relative, reason: 'exists without auto-generated marker (use --force to overwrite)' });
+            // User-owned: a file at an adapter path without our auto-gen MARKER is the
+            // user's own file. Leave it untouched — never overwrite, never treat as drift
+            // or log a TEN (TEN-2150). Relayed to the connect screen via userOwnedSkipped.
+            filesSkipped.push({ path: w.relative, reason: 'user-owned — left untouched (pb won\'t overwrite your file)' });
+            if (preview) {
+                previewPlan.push({ path: w.relative, status: 'user-owned' });
+            }
+            else {
+                userOwnedSkipped.push(w.relative);
+            }
             continue;
         }
-        if (dryRun) {
-            filesWritten.push(w.relative + ' (dry run)');
+        if (authorityPreviewOnly) {
+            filesSkipped.push({
+                path: w.relative,
+                reason: `preview-only (materialize: ${manifestStatus.mode})`,
+            });
             continue;
         }
+        if (preview || dryRun) {
+            // In preview/dry-run mode: check content to distinguish new/update/unchanged
+            if (existsSync(w.path)) {
+                const current = readFileSync(w.path, 'utf8');
+                const nextNormalized = normalizeHandshakeContentForComparison(w.content);
+                const currentNormalized = normalizeHandshakeContentForComparison(current);
+                if (nextNormalized === currentNormalized) {
+                    filesSkipped.push({ path: w.relative, reason: 'unchanged' });
+                    if (preview)
+                        previewPlan.push({ path: w.relative, status: 'unchanged' });
+                }
+                else {
+                    filesWritten.push(w.relative + (dryRun ? ' (dry run)' : ''));
+                    if (preview)
+                        previewPlan.push({ path: w.relative, status: 'would-update' });
+                }
+            }
+            else {
+                filesWritten.push(w.relative + (dryRun ? ' (dry run)' : ''));
+                if (preview)
+                    previewPlan.push({ path: w.relative, status: 'would-write' });
+            }
+            continue;
+        }
+        // ── WP-421 S3: defer tampered adapter writes (doneWhen #17) ──────────────
+        // For adapter projections that already exist on disk, classify into
+        // pb-managed-clean / pb-managed-tampered. Tampered = MARKER present +
+        // hash trailer mismatches body. Defer (do NOT overwrite); post-loop
+        // resolution handles them. --force bypasses the tampered defer (legacy
+        // semantic: explicit user opt-in to overwrite).
+        if (w.isAdapter && !force) {
+            const drift = classifyDriftBucket(w.path);
+            if (drift && drift.bucket === 'pb-managed-tampered') {
+                tamperedBucket.push({
+                    path: w.path,
+                    relative: w.relative,
+                    content: w.content,
+                    expectedHash: drift.expectedHash,
+                    actualHash: drift.actualHash,
+                    dirs: w.dirs,
+                    dbAssetEntryId: w.dbAssetEntryId,
+                });
+                // Do NOT write — defer until prompt/refusal resolves the file.
+                continue;
+            }
+            if (drift && drift.bucket === 'pb-managed-clean') {
+                cleanBucketPaths.push(w.relative);
+            }
+        }
+        assertSetupWritePath(w.path, perimeterManifest);
         if (w.dirs)
             mkdirSync(w.dirs, { recursive: true });
-        writeFileSync(w.path, w.content);
+        // WP-436 S3: resolve {{vocab:...}} tokens before writing projected adapter files.
+        // Source-side (.productbrain/skills/*.md, rules/*.md) stays tokenized.
+        // Only adapter projections (cursor/rules, claude/rules, CLAUDE.md, AGENTS.md, etc.) get resolved.
+        // Fail-open: if vocabCtx is undefined, replaceVocabTokens falls back to canonicalKey literals.
+        const resolvedContent = w.isAdapter
+            ? replaceVocabTokens(w.content, handshakeVocabCtx)
+            : w.content;
+        if (existsSync(w.path)) {
+            const current = readFileSync(w.path, 'utf8');
+            const nextNormalized = normalizeHandshakeContentForComparison(resolvedContent);
+            const currentNormalized = normalizeHandshakeContentForComparison(current);
+            if (nextNormalized === currentNormalized) {
+                filesSkipped.push({ path: w.relative, reason: 'unchanged' });
+                recordProjectedHash(w.dbAssetEntryId);
+                continue;
+            }
+        }
+        writeFileSync(w.path, resolvedContent);
         filesWritten.push(w.relative);
+        recordProjectedHash(w.dbAssetEntryId);
+    }
+    if (projectedHashUpdates.size > 0) {
+        const updates = [...projectedHashUpdates];
+        const results = await Promise.allSettled(updates.map(([entryId, hash]) => kernelCall('setup.updateLastProjectedHash', { entryId, hash })));
+        results.forEach((result, index) => {
+            if (result.status === 'rejected') {
+                const [entryId] = updates[index];
+                trackEvent('skill.projection.failed', {
+                    entryId,
+                    reason: result.reason instanceof Error ? result.reason.message : String(result.reason),
+                });
+            }
+        });
+    }
+    // Ordering note: this refusal runs AFTER the projected-hash flush so that files legitimately
+    // written THIS run still record their hashes; malformed files were never written (no hash to record).
+    // TEN-2155: in non-interactive apply, a malformed PB region is a refusal, not a silent skip.
+    // Gated on applyMode (NOT writeMode): a malformed region is a user-file INTEGRITY fault, so the
+    // refusal fires on any headless `--apply` regardless of materialize authority (STD-263 invariant vi —
+    // "headless → non-zero refusal", unqualified). writeMode would suppress it under observe/off, where
+    // the malformed file still gets enumerated but the corruption signal would be silently dropped.
+    if (applyMode && malformedRegionPaths.length > 0 && (options.noPrompt || !process.stdout.isTTY)) {
+        throw new CLIError(`Malformed PB region in: ${malformedRegionPaths.join(', ')}`, {
+            code: ErrorCode.VALIDATION_FAILED,
+            category: 'validation',
+            guidance: 'Fix the `<!-- pb:region:start -->` / `<!-- pb:region:end -->` sentinels (one balanced pair), then re-run `pb handshake`.',
+        });
+    }
+    // ── WP-421 S3: tampered-bucket resolution (doneWhen #17) ────────────────────
+    // Apply mode only. Tampered files were DEFERRED in the write loop above;
+    // here we either prompt the user (interactive TTY) or refuse (headless).
+    //
+    // Headless = `--no-prompt` flag OR `process.stdout.isTTY === false`. When
+    // headless: enumerate each tampered file to stderr, write a setup_receipt
+    // row with kind='transition' (DEC-962) capturing `refusedTamperedFiles[]`,
+    // then exit non-zero. NEVER auto-resolve. (#17 + exclusions: edits to
+    // projection dirs are detected, NOT silently overwritten.)
+    //
+    // Interactive: for each tampered file, present adopt-or-revert. Adopt =
+    // create a personal-scoped setup_asset draft from the tampered content
+    // (see helper below). Revert = re-project canonical content over the
+    // tampered file (write w.content to w.path).
+    const adoptedTamperedPaths = [];
+    const revertedTamperedPaths = [];
+    if (writeMode && tamperedBucket.length > 0) {
+        const headless = options.noPrompt === true || !process.stdout.isTTY;
+        if (headless) {
+            // ── Headless refusal path (doneWhen #17) ────────────────────────────────
+            logErr('');
+            logErr(`pb handshake: ${tamperedBucket.length} PB-managed projection file(s) were edited downstream of the auto-gen marker.`);
+            logErr('Headless mode (--no-prompt or no TTY) cannot resolve adopt-or-revert — refusing.');
+            logErr('');
+            const refusedTamperedFiles = tamperedBucket.map((t) => ({
+                path: t.relative,
+                expectedHash: t.expectedHash,
+                actualHash: t.actualHash,
+            }));
+            for (const refused of refusedTamperedFiles) {
+                // Per #17: stderr enumerates each tampered file as
+                // {path, expectedHash, actualHash, bucket}.
+                logErr(`  ${JSON.stringify({ ...refused, bucket: 'pb-managed-tampered' })}`);
+            }
+            logErr('');
+            logErr('Re-run interactively to resolve, or use --force to overwrite (data loss).');
+            // Write the kind='transition' setup_receipt row. Fail-open on the
+            // network/auth side: if the row cannot be written, we still exit non-zero
+            // (the audit trail is best-effort; refusal is mandatory).
+            try {
+                const manifestStatus = readManifestStatus(pbDir);
+                await kernelCall('setup.recordTamperRefusal', {
+                    mode: manifestStatus.mode,
+                    refusedTamperedFiles,
+                });
+                trackEvent('setup.transition.refused', {
+                    fileCount: refusedTamperedFiles.length,
+                    mode: manifestStatus.mode,
+                });
+            }
+            catch (err) {
+                trackEvent('setup.transition.refused.write_failed', {
+                    error: err instanceof Error ? err.message : String(err),
+                });
+                logErr(`Warning: could not record transition receipt — ${err instanceof Error ? err.message : String(err)}`);
+            }
+            // Surface the report counts before exit (visibility for CI logs).
+            if (!quiet) {
+                process.stdout.write('\n');
+                process.stdout.write(formatHandshakeReport({
+                    filesWritten,
+                    filesSkipped,
+                    matchedEntries,
+                    searchQueries: uniqueQueries,
+                    repo,
+                    codexWarnings: codexWarnings.length > 0 ? codexWarnings : undefined,
+                    chainRulesStats: chainRulesStats ?? undefined,
+                    chainGaps: chainGaps.length > 0 ? chainGaps : undefined,
+                    adoptedCount: adoptedRulesCount,
+                    rejectedCount: rejectedRulesCount,
+                    personalRuleCount: personalRules.length > 0 ? personalRules.length : undefined,
+                    personalSkillCount: personalSkills.length > 0 ? personalSkills.length : undefined,
+                    registrySource,
+                    registryStale,
+                    userOwnedSkipped: userOwnedSkipped.length > 0 ? userOwnedSkipped : undefined,
+                    managedCleanCount: cleanBucketPaths.length || undefined,
+                    tamperedFiles: refusedTamperedFiles,
+                }) + '\n');
+            }
+            // Exit non-zero per #17.
+            process.exit(1);
+        }
+        // ── Interactive path: prompt adopt-or-revert per file ──────────────────────
+        log('');
+        log(`pb handshake: ${tamperedBucket.length} PB-managed projection file(s) were edited downstream of the auto-gen marker.`);
+        log('You can ADOPT (capture your edits as a personal-scoped draft) or REVERT (overwrite with canonical content).');
+        // Batch yes-to-all / no-to-all when the user has many tampered files.
+        // Threshold: 5 (arbitrary; mirrors the typical handshake projection set).
+        let batchChoice = null;
+        if (tamperedBucket.length >= 5) {
+            const useBatch = await promptConfirm({
+                message: `Apply the same choice to all ${tamperedBucket.length} tampered files?`,
+                initialValue: false,
+            });
+            if (useBatch) {
+                const choice = await promptSelect({
+                    message: 'Apply to all:',
+                    options: [
+                        { value: 'adopt', label: 'Adopt all — capture each as a personal-scoped draft' },
+                        { value: 'revert', label: 'Revert all — overwrite with canonical content' },
+                    ],
+                });
+                batchChoice = choice === 'adopt' ? 'adopt-all' : 'revert-all';
+            }
+        }
+        for (const tamper of tamperedBucket) {
+            // Reverse-map the projection path back to the canonical authoring path.
+            const reverse = canonicalPathForAnySurface(tamper.relative);
+            const canonicalHint = reverse
+                ? `Canonical authoring path: ${reverse.canonicalPath}`
+                : (() => {
+                    // Telemetry + fallback message per surfaces/telemetry.ts.
+                    reportReverseMapMissing({ surface: 'unknown', projectionPath: tamper.relative }, logErr);
+                    return `Canonical authoring path: ${getReverseMapFallbackMessage()}`;
+                })();
+            log('');
+            log(`Tampered: ${tamper.relative}`);
+            log(`  expected: ${tamper.expectedHash}`);
+            log(`  actual:   ${tamper.actualHash}`);
+            log(`  ${canonicalHint}`);
+            let action;
+            if (batchChoice === 'adopt-all')
+                action = 'adopt';
+            else if (batchChoice === 'revert-all')
+                action = 'revert';
+            else {
+                action = await promptSelect({
+                    message: 'Adopt or revert?',
+                    options: [
+                        { value: 'adopt', label: 'Adopt — capture this as a personal-scoped setup_asset draft' },
+                        { value: 'revert', label: 'Revert — overwrite with canonical content' },
+                    ],
+                });
+            }
+            if (action === 'revert') {
+                // Re-project canonical content over the tampered file.
+                // WP-436 S3: resolve vocab tokens before writing (all tampered files are adapters).
+                if (tamper.dirs)
+                    mkdirSync(tamper.dirs, { recursive: true });
+                assertSetupWritePath(tamper.path, perimeterManifest);
+                writeFileSync(tamper.path, replaceVocabTokens(tamper.content, handshakeVocabCtx));
+                revertedTamperedPaths.push(tamper.relative);
+                recordProjectedHash(tamper.dbAssetEntryId);
+                trackEvent('setup.tampered.reverted', { path: tamper.relative });
+            }
+            else {
+                // Adopt: capture the tampered content as a personal-scoped draft.
+                // Per DEC-953 sync rules: personal scope = push (no fork required).
+                // The mutation is best-effort — if the adopt write fails, the file is
+                // kept on disk untouched and a warning is logged. Adopt does NOT
+                // revert; it preserves the user's edits AND records them as a draft.
+                const draftName = basename(tamper.relative).replace(/\.(md|mdc)$/, '') + ' (adopted)';
+                try {
+                    const tamperedContent = readFileSync(tamper.path, 'utf8');
+                    const session = readSession();
+                    const caller = session ? kernelCallWithSession : kernelCall;
+                    await caller('setup.ingestSetupAsset', {
+                        entryId: `SETUP-ADOPTED-${Date.now()}-${draftName.replace(/\s+/g, '-')}`,
+                        name: draftName,
+                        // WP-421 S3
+                        description: `Adopted from tampered projection at ${tamper.relative}.`,
+                        body: tamperedContent,
+                        assetKind: tamper.relative.includes('/skills/') ? 'skill' : 'rule',
+                        triggers: [],
+                        semanticRefs: [],
+                    });
+                    adoptedTamperedPaths.push(tamper.relative);
+                    trackEvent('setup.tampered.adopted', { path: tamper.relative });
+                }
+                catch (err) {
+                    logErr(`Warning: could not adopt ${tamper.relative} as draft — ${err instanceof Error ? err.message : String(err)}`);
+                    trackEvent('setup.tampered.adopt_failed', {
+                        path: tamper.relative,
+                        error: err instanceof Error ? err.message : String(err),
+                    });
+                }
+            }
+        }
+    }
+    // 8a. Dormant marker + .dormant rename (WP-379 S4 + WP-426 E4) — apply mode only.
+    const dormantMarkedPaths = [];
+    if (writeMode && dormantDbAssetRows.length > 0) {
+        const dormantState = loadAuthoringSyncState(pbDir);
+        let dormantStateChanged = false;
+        for (const dormantAsset of dormantDbAssetRows) {
+            for (const { path: filePath, surface } of deriveDormantFilePaths(dormantAsset, cwd)) {
+                // Codex P2: deriveDormantFilePaths emits every known surface path. Honor the run's
+                // target set (allowedTargets = the --surfaces selection, else all manifest surfaces)
+                // so a `--surfaces cursor` run never renames .claude/.codex to .dormant, and surfaces
+                // outside the manifest are skipped silently (no false "could not dormant-mark" warning).
+                if (!allowedTargets.has(surface))
+                    continue;
+                // FIX 4: use relative() instead of string-replace for correct cross-platform behaviour.
+                const rel = relative(cwd, filePath);
+                const alreadyReactivated = dormantState.dormantReactivated?.includes(rel) ?? false;
+                const previouslyRenamed = dormantState.dormantRenamed?.includes(rel) ?? false;
+                try {
+                    assertSetupWritePath(filePath, perimeterManifest);
+                    // WP-426 E4: BUG 1 fix — hands-off set.
+                    //
+                    // Step 1: permanently hands-off — user already reactivated this path on a
+                    //   prior run. Skip silently every time until they re-lower or raise in PB.
+                    //   (Task 7 raise-cleanup must later also prune dormantReactivated for raised
+                    //   assets — see the `dormantReactivated` comment on AuthoringSyncState.)
+                    if (alreadyReactivated) {
+                        continue; // leave file untouched; no TEN (already fired on first detection)
+                    }
+                    // Step 2: FIRST detection of manual reactivation — we previously renamed
+                    //   this to .dormant but the user renamed it back to a live file. Push the
+                    //   drift TEN exactly once, add to the permanent hands-off set, remove from
+                    //   dormantRenamed, leave file untouched.
+                    if (previouslyRenamed && existsSync(filePath) && !existsSync(`${filePath}.dormant`)) {
+                        syncDriftTensToFire.push(`Dormant asset ${dormantAsset.entryId} was manually reactivated at ${rel}; left untouched. Re-lower or raise it in PB to resync.`);
+                        logErr(`Warning: ${rel} was manually un-dormanted; leaving it in place (drift).`);
+                        dormantState.dormantReactivated = [...(dormantState.dormantReactivated ?? []), rel];
+                        dormantState.dormantRenamed = (dormantState.dormantRenamed ?? []).filter((p) => p !== rel);
+                        dormantStateChanged = true;
+                        continue;
+                    }
+                    // Step 3: normal lowering — write dormant marker + rename to .dormant.
+                    // WP-426 E4 spec: every rename TARGET must also pass the perimeter guard.
+                    // Check the post-rename .dormant path BEFORE any FS mutation, so a guard
+                    // failure can't leave a half-dormant file (marker appended but not renamed).
+                    assertSetupWritePath(`${filePath}.dormant`, perimeterManifest);
+                    const markerResult = writeDormantMarkerToFile(filePath);
+                    if (markerResult === 'written')
+                        log(`Dormant marker written: ${filePath}`);
+                    const renameResult = renameSurfaceForDormancy(filePath);
+                    if (renameResult === 'renamed' || renameResult === 'replaced') {
+                        // dormantMarkedPaths holds post-rename .dormant paths (not the original surface paths).
+                        dormantMarkedPaths.push(`${filePath}.dormant`);
+                        if (!dormantState.dormantRenamed?.includes(rel)) {
+                            dormantState.dormantRenamed = [...(dormantState.dormantRenamed ?? []), rel];
+                            dormantStateChanged = true;
+                        }
+                        log(`Dormant rename: ${filePath} → ${filePath}.dormant`);
+                    }
+                    else if (renameResult === 'drift') {
+                        // Codex P1: an edited .dormant already exists alongside the live file. Preserve
+                        // both and flag, rather than overwriting the user's edited dormant copy.
+                        syncDriftTensToFire.push(`Edited dormant copy ${rel}.dormant diverges from the live surface for ${dormantAsset.entryId}; left both in place. Resolve manually.`);
+                        logErr(`Warning: ${rel}.dormant diverges from the live file; not replacing (possible manual edit).`);
+                    }
+                }
+                catch (err) {
+                    logErr(`Warning: could not dormant-mark ${filePath} — ${err instanceof Error ? err.message : String(err)}`);
+                }
+            }
+        }
+        if (dormantMarkedPaths.length > 0) {
+            log('Run `pb setup observe --purge` to remove these instead of dormant-renaming.');
+        }
+        if (dormantStateChanged) {
+            try {
+                saveAuthoringSyncState(pbDir, dormantState);
+            }
+            catch (err) {
+                logErr(`Warning: could not persist dormancy state — ${err instanceof Error ? err.message : String(err)}`);
+            }
+        }
+    }
+    // 8b. Raise-cleanup (WP-426 E4): for assets active this run, drop any orphan
+    // <surface>.dormant left by a prior lowering (active surface was re-projected
+    // fresh above). User-edited dormant copies are preserved + flagged. Fail-open.
+    if (writeMode) {
+        const raiseState = loadAuthoringSyncState(pbDir);
+        let raiseStateChanged = false;
+        const dormantIds = new Set(dormantDbAssetRows.map((a) => a.entryId));
+        const activeRows = dbAssetRows.filter((a) => !dormantIds.has(a.entryId) &&
+            (a.assetKind === 'skill' || a.assetKind === 'rule' || a.assetKind === 'hook'));
+        for (const asset of activeRows) {
+            // Codex P2: if this asset's body fetch failed, the write loop did NOT reproject its
+            // surfaces this run (same skip the authoring loop applies), so there's no fresh surface
+            // to reconcile against — skip raise-cleanup to avoid acting on stale content.
+            if (bodyFetchFailedEntryIds.has(asset.entryId))
+                continue;
+            for (const { path: filePath, surface } of deriveDormantFilePaths(asset, cwd)) {
+                // Codex P2: honor the run's target set (parity with the dormant pass) — a
+                // `--surfaces cursor` run must not touch .claude/.codex .dormant files, and surfaces
+                // outside the manifest are skipped silently (no false "raise-cleanup failed" warning).
+                if (!allowedTargets.has(surface))
+                    continue;
+                const rel = relative(cwd, filePath);
+                try {
+                    assertSetupWritePath(filePath, perimeterManifest); // WP-426 E4: perimeter before any FS mutation (parity with the dormant pass)
+                    // E4 spec parity (review): restoreSurfaceFromDormant deletes the .dormant
+                    // sibling, so guard that delete TARGET too — exactly as the lowering pass
+                    // guards both filePath and ${filePath}.dormant.
+                    assertSetupWritePath(`${filePath}.dormant`, perimeterManifest);
+                    const r = restoreSurfaceFromDormant(filePath);
+                    if (r === 'restored') {
+                        log(`Raised: removed superseded ${filePath}.dormant`);
+                    }
+                    else if (r === 'orphan-drift') {
+                        syncDriftTensToFire.push(`Dormant copy ${rel}.dormant was edited while dormant for ${asset.entryId}; preserved on raise. Resolve manually.`);
+                        logErr(`Warning: ${rel}.dormant differs from the freshly raised projection; left in place.`);
+                    }
+                    // Prune the registry only when no .dormant sibling remains for this surface:
+                    //   • 'restored' removed it, or
+                    //   • it was already gone (manual .dormant→live reactivation; 'skipped', no .dormant).
+                    // Carry-over obligation (Phase 3) + Codex P1: the manual-reactivation case must
+                    // leave the hands-off set so a future lowering can re-evaluate the surface.
+                    // Codex P2: but if a .dormant STILL exists (surface-filtered 'skipped' with no
+                    // fresh live file, or a preserved 'orphan-drift'), KEEP the registry evidence —
+                    // otherwise a later manual .dormant→live reactivation would not be recognized as
+                    // previouslyRenamed and would be silently re-dormanted on the next lowering.
+                    if (!existsSync(`${filePath}.dormant`)) {
+                        if (raiseState.dormantRenamed?.includes(rel)) {
+                            raiseState.dormantRenamed = raiseState.dormantRenamed.filter((p) => p !== rel);
+                            raiseStateChanged = true;
+                        }
+                        if (raiseState.dormantReactivated?.includes(rel)) {
+                            raiseState.dormantReactivated = raiseState.dormantReactivated.filter((p) => p !== rel);
+                            raiseStateChanged = true;
+                        }
+                    }
+                }
+                catch (err) {
+                    logErr(`Warning: raise-cleanup failed for ${filePath} — ${err instanceof Error ? err.message : String(err)}`);
+                }
+            }
+        }
+        if (raiseStateChanged) {
+            try {
+                saveAuthoringSyncState(pbDir, raiseState);
+            }
+            catch { /* fail-open */ }
+        }
+    }
+    // 8. User-owned files left untouched are NOT drift (TEN-2150).
+    // A marker-less file at an adapter path is the user's own file: handshake never
+    // wrote it, so there is nothing to "sync" and no draft TEN is logged. These files
+    // are surfaced benignly under "Skipped:" and relayed to the connect screen via
+    // report.userOwnedSkipped. (The legitimate "tampered" and authoring-sync drift
+    // signals below are unaffected.)
+    if (syncDriftTensToFire.length > 0) {
+        const session = readSession();
+        if (session) {
+            for (const driftDescription of syncDriftTensToFire) {
+                kernelCallWithSession('chain.createEntry', {
+                    collectionSlug: 'tensions',
+                    name: 'TEN: setup authoring sync drift — repo wins',
+                    status: 'draft',
+                    data: {
+                        kind: 'drift',
+                        description: driftDescription,
+                    },
+                    sessionId: session.sessionId,
+                    createdBy: `agent:${session.sessionId}`,
+                }).catch(() => { });
+            }
+        }
+    }
+    // 8. Case-collision TENs (WP-379 S5b).
+    // These are distinct from drift TENs: they record ambiguous filename collisions
+    // where the "newest mtime wins" heuristic was applied. They always fire on a
+    // detected collision (collision is a data quality issue, not a drift issue).
+    if (collisionTensToFire.length > 0) {
+        const session = readSession();
+        if (session) {
+            for (const tenDescription of collisionTensToFire) {
+                kernelCallWithSession('chain.createEntry', {
+                    collectionSlug: 'tensions',
+                    name: `TEN: handshake case-collision — ambiguous filename resolved by mtime`,
+                    // Collision audit TENs intentionally stay draft — they need explicit human review,
+                    // not auto-commit, even in Open mode (mirrors smart-capture.ts recordCommitFailure).
+                    status: 'draft',
+                    data: { description: tenDescription },
+                    sessionId: session.sessionId,
+                    createdBy: `agent:${session.sessionId}`,
+                }).catch(() => { });
+            }
+        }
+    }
+    // 8b. Setup receipt — record which assets were materialized (apply mode only)
+    // Fail-open: receipt write is advisory, never blocks the handshake.
+    if (applyMode) {
+        const session = readSession();
+        const caller = session ? kernelCallWithSession : kernelCall;
+        try {
+            const currentState = await caller('setup.getCurrentSetupState', {});
+            const fromMode = currentState?.effectiveMode ?? 'observe';
+            if (fromMode !== manifestStatus.mode) {
+                await caller('setup.recordTransition', {
+                    fromMode,
+                    toMode: manifestStatus.mode,
+                    parseStatus: manifestStatus.parseStatus,
+                    surfaces: manifestStatus.surfaces,
+                    lock: manifestStatus.lock,
+                });
+                if (modeRank(manifestStatus.mode) < modeRank(fromMode)) {
+                    trackEvent('setup.transition.lowered', { fromMode, toMode: manifestStatus.mode });
+                }
+            }
+        }
+        catch (err) {
+            trackEvent('setup.transition.write_failed', { error: err instanceof Error ? err.message : String(err) });
+            logErr(`Warning: could not record setup transition — ${err instanceof Error ? err.message : String(err)}`);
+        }
+    }
+    if (writeMode) {
+        const session = readSession();
+        const caller = session ? kernelCallWithSession : kernelCall;
+        try {
+            const receiptResult = await caller('setup.materializeSetup', {});
+            if (receiptResult?.assetCount > 0) {
+                log(`Setup receipt: ${receiptResult.assetCount} asset(s) recorded.`);
+            }
+        }
+        catch (err) {
+            trackEvent('setup.receipt.write_failed', { error: err instanceof Error ? err.message : String(err) });
+            logErr(`Warning: could not write setup receipt — ${err instanceof Error ? err.message : String(err)}`);
+        }
     }
-    // 8. Report
+    // 9. Report
     const report = {
         filesWritten,
         filesSkipped,
         matchedEntries,
         searchQueries: uniqueQueries,
         repo,
+        codexWarnings: codexWarnings.length > 0 ? codexWarnings : undefined,
+        chainRulesStats: chainRulesStats ?? undefined,
+        chainGaps: chainGaps.length > 0 ? chainGaps : undefined,
+        adoptedCount: adoptedRulesCount,
+        rejectedCount: rejectedRulesCount,
+        personalRuleCount: personalRules.length > 0 ? personalRules.length : undefined,
+        personalSkillCount: personalSkills.length > 0 ? personalSkills.length : undefined,
+        registrySource,
+        registryStale,
+        preview: preview ? true : undefined,
+        previewPlan: preview && previewPlan.length > 0 ? previewPlan : undefined,
+        userOwnedSkipped: userOwnedSkipped.length > 0 ? userOwnedSkipped : undefined,
+        // WP-421 S3: three-bucket drift report (doneWhen #17). PB-managed-clean is
+        // the count of files whose marker + hash matched. Tampered files were
+        // resolved (adopted/reverted) above and are reported separately.
+        managedCleanCount: cleanBucketPaths.length > 0 ? cleanBucketPaths.length : undefined,
+        adoptedTamperedPaths: adoptedTamperedPaths.length > 0 ? adoptedTamperedPaths : undefined,
+        revertedTamperedPaths: revertedTamperedPaths.length > 0 ? revertedTamperedPaths : undefined,
     };
     if (!quiet) {
         process.stdout.write('\n');
         process.stdout.write(formatHandshakeReport(report) + '\n');
     }
+    // Return the report so non-UI callers (e.g. prepareConnectContext) can surface
+    // skipped/user-owned files without re-deriving the skip logic (TEN-2107).
+    return report;
 }
+// WP-426 E3/E4: exported test-only surface (not part of the public CLI API).
+export const __test = { setupAuthoringPath, renameSurfaceForDormancy, restoreSurfaceFromDormant, loadAuthoringSyncState, MARKER };
 //# sourceMappingURL=handshake.js.map