npm - @pushpalsdev/cli - Versions diffs - 1.0.84 → 1.0.86 - Mend

@pushpalsdev/cli 1.0.84 → 1.0.86

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/runtime/sandbox/apps/workerpals/src/execute_job.ts CHANGED Viewed

@@ -3,8 +3,7 @@
  * Used by both the host Worker (direct mode) and the Docker job runner.
  */
-import { existsSync, mkdirSync, readFileSync, rmSync, unlinkSync } from "fs";
-import { tmpdir } from "os";
+import { existsSync, readFileSync, rmSync, unlinkSync } from "fs";
 import { resolve } from "path";
 import {
   deriveAutonomyComponentArea,
@@ -32,6 +31,7 @@ import {
   truncate,
   type OutputCompactionPolicy,
 } from "./common/execution_utils.js";
+import { buildWorkerSandboxWritableEnv } from "./common/sandbox_env.js";
 // Re-export shared utilities for backward compatibility with external consumers.
 export { compactJobOutput, truncate, streamLines } from "./common/execution_utils.js";
 export { extractClarificationQuestionFromOutput } from "./backends/openhands_task_execute.js";
@@ -65,7 +65,7 @@ export interface TaskExecutePlanning {
   finalizationBudgetMs: number;
 }
-interface ValidationExecutionResult {
+export interface ValidationExecutionResult {
   step: string;
   command: string;
   ok: boolean;
@@ -75,7 +75,7 @@ interface ValidationExecutionResult {
   elapsedMs: number;
 }
-interface ValidationBlocker {
+export interface ValidationBlocker {
   category: "repo" | "environment";
   detail: string;
 }
@@ -84,11 +84,14 @@ interface DeterministicQualityResult {
   ok: boolean;
   skipped: boolean;
   issues: string[];
+  scopeIssues: string[];
+  validationIssues: string[];
   changedPaths: string[];
   changedTestPaths: string[];
   validationRuns: ValidationExecutionResult[];
   requiredValidationFailures: string[];
   blocker: ValidationBlocker | null;
+  validationFailureScope: "none" | "task_scope" | "outside_task_scope";
 }
 interface CriticReview {
@@ -112,6 +115,11 @@ export interface ReviewFixContext {
 export interface QualityGatePolicy {
   mode: "default" | "review_fix" | "merge_conflict";
   maxAutoRevisions: number;
+  validationMaxAutoRevisions: number;
+  scopeGateEnabled: boolean;
+  validationGateEnabled: boolean;
+  criticGateEnabled: boolean;
+  publishGateEnabled: boolean;
   softPassOnExhausted: boolean;
   criticMinScore: number;
 }
@@ -125,6 +133,35 @@ function shouldSoftPassValidationBlocker(
   return policy.mode === "review_fix" || policy.mode === "merge_conflict";
 }
+export function shouldReviseRequiredValidationBlocker(opts: {
+  requiredValidationFailures: string[];
+  blocker: ValidationBlocker | null;
+  revisionAttempt: number;
+  maxAutoRevisions: number;
+  outsideTaskScope?: boolean;
+}): boolean {
+  if (opts.requiredValidationFailures.length === 0) return false;
+  if (!opts.blocker) return false;
+  if (opts.outsideTaskScope) return false;
+  if (opts.blocker.category !== "repo") return false;
+  return opts.revisionAttempt < opts.maxAutoRevisions;
+}
+export function revisionLimitForQualityGateFailures(opts: {
+  policy: Pick<QualityGatePolicy, "maxAutoRevisions" | "validationMaxAutoRevisions">;
+  qualityIssues: string[];
+  requiredValidationFailures: string[];
+  blocker: ValidationBlocker | null;
+}): number {
+  const hasValidationGateFailure =
+    opts.requiredValidationFailures.length > 0 ||
+    opts.blocker !== null ||
+    opts.qualityIssues.some((issue) => issue.startsWith("ValidationGate:"));
+  return hasValidationGateFailure
+    ? opts.policy.validationMaxAutoRevisions
+    : opts.policy.maxAutoRevisions;
+}
 // ─── Utilities ───────────────────────────────────────────────────────────────
 export function shouldCommit(
@@ -228,6 +265,13 @@ export function buildQualityGateRevisionIssues(
 const TEST_ASSERTION_BALANCE_ISSUE =
   "Changed test files do not show both positive and negative assertion coverage (expected both).";
+function isAssertionBalanceIssue(issue: string): boolean {
+  return (
+    issue === TEST_ASSERTION_BALANCE_ISSUE ||
+    issue.includes("positive and negative assertion coverage")
+  );
+}
 export function relaxAdvisoryQualityIssues(
   qualityIssues: string[],
   validationRuns: Array<{ ok: boolean }>,
@@ -245,7 +289,7 @@ export function relaxAdvisoryQualityIssues(
     return normalizedQualityIssues;
   }
-  const relaxed = normalizedQualityIssues.filter((issue) => issue !== TEST_ASSERTION_BALANCE_ISSUE);
+  const relaxed = normalizedQualityIssues.filter((issue) => !isAssertionBalanceIssue(issue));
   return relaxed;
 }
@@ -362,13 +406,40 @@ export function deriveQualityGatePolicy(
       10,
       Number.isFinite(Number(runtimeConfig.workerpals.qualityMaxAutoRevisions))
         ? Math.floor(Number(runtimeConfig.workerpals.qualityMaxAutoRevisions))
-        : 4,
+        : 3,
+    ),
+  );
+  const baseValidationMaxAutoRevisions = Math.max(
+    0,
+    Math.min(
+      10,
+      Number.isFinite(Number(runtimeConfig.workerpals.qualityValidationMaxAutoRevisions))
+        ? Math.floor(Number(runtimeConfig.workerpals.qualityValidationMaxAutoRevisions))
+        : 3,
     ),
   );
   const baseSoftPassOnExhausted =
     typeof runtimeConfig.workerpals.qualitySoftPassOnExhausted === "boolean"
       ? runtimeConfig.workerpals.qualitySoftPassOnExhausted
       : true;
+  const gateSwitches = {
+    scopeGateEnabled:
+      typeof runtimeConfig.workerpals.qualityScopeGateEnabled === "boolean"
+        ? runtimeConfig.workerpals.qualityScopeGateEnabled
+        : true,
+    validationGateEnabled:
+      typeof runtimeConfig.workerpals.qualityValidationGateEnabled === "boolean"
+        ? runtimeConfig.workerpals.qualityValidationGateEnabled
+        : true,
+    criticGateEnabled:
+      typeof runtimeConfig.workerpals.qualityCriticGateEnabled === "boolean"
+        ? runtimeConfig.workerpals.qualityCriticGateEnabled
+        : true,
+    publishGateEnabled:
+      typeof runtimeConfig.workerpals.qualityPublishGateEnabled === "boolean"
+        ? runtimeConfig.workerpals.qualityPublishGateEnabled
+        : true,
+  };
   const baseCriticMinScore = (() => {
     const value = Number(runtimeConfig.workerpals.qualityCriticMinScore);
     if (!Number.isFinite(value)) return 8;
@@ -379,19 +450,23 @@ export function deriveQualityGatePolicy(
     const mergeConflict = extractMergeConflictReviewContext(params);
     if (mergeConflict) {
       return {
-        mode: "merge_conflict",
-        maxAutoRevisions: baseMaxAutoRevisions,
-        softPassOnExhausted: baseSoftPassOnExhausted,
-        criticMinScore: baseCriticMinScore,
-      };
-    }
-    return {
-      mode: "default",
+      mode: "merge_conflict",
       maxAutoRevisions: baseMaxAutoRevisions,
+      validationMaxAutoRevisions: baseValidationMaxAutoRevisions,
+      ...gateSwitches,
       softPassOnExhausted: baseSoftPassOnExhausted,
       criticMinScore: baseCriticMinScore,
     };
   }
+  return {
+    mode: "default",
+    maxAutoRevisions: baseMaxAutoRevisions,
+    validationMaxAutoRevisions: baseValidationMaxAutoRevisions,
+    ...gateSwitches,
+    softPassOnExhausted: baseSoftPassOnExhausted,
+    criticMinScore: baseCriticMinScore,
+  };
+  }
   const tightenedCriticMinScore =
     reviewFix.reviewThreshold != null
       ? Math.max(baseCriticMinScore, Math.max(0, Math.min(10, reviewFix.reviewThreshold - 0.2)))
@@ -399,6 +474,8 @@ export function deriveQualityGatePolicy(
   return {
     mode: "review_fix",
     maxAutoRevisions: Math.max(baseMaxAutoRevisions, 2),
+    validationMaxAutoRevisions: baseValidationMaxAutoRevisions,
+    ...gateSwitches,
     softPassOnExhausted: baseSoftPassOnExhausted,
     criticMinScore: tightenedCriticMinScore,
   };
@@ -541,7 +618,8 @@ async function runValidationCommand(
   timeoutMs: number,
   outputPolicy: Partial<OutputCompactionPolicy>,
 ): Promise<ValidationExecutionResult> {
-  const argv = tokenizeValidationCommandArgv(command);
+  const env = buildWorkerSandboxWritableEnv(repo);
+  const argv = prepareValidationCommandArgv(command, env);
   if (!argv) {
     return {
       step: command,
@@ -557,7 +635,7 @@ async function runValidationCommand(
   const startedAt = Date.now();
   const proc = Bun.spawn(argv, {
     cwd: repo,
-    env: buildValidationCommandEnv(repo),
+    env,
     stdout: "pipe",
     stderr: "pipe",
   });
@@ -587,41 +665,68 @@ async function runValidationCommand(
     ok: !timedOut && exitCode === 0,
     exitCode: timedOut ? 124 : exitCode,
     stdout: compactJobOutput(stdout.trim(), outputPolicy),
-    stderr: compactJobOutput(stderr.trim(), outputPolicy),
+    stderr: compactJobOutput(
+      [
+        stderr.trim(),
+        timedOut
+          ? `Validation command timed out after ${Math.max(1_000, timeoutMs)}ms. Captured output is the process output emitted before PushPals terminated the command.`
+          : "",
+      ]
+        .filter(Boolean)
+        .join("\n"),
+      outputPolicy,
+    ),
     elapsedMs: Math.max(1, Date.now() - startedAt),
   };
 }
-function buildValidationCommandEnv(repo: string): Record<string, string> {
-  const homeDir = resolve(tmpdir(), "pushpals-validation-home");
-  const cacheDir = resolve(tmpdir(), "pushpals-validation-cache");
-  const expoDir = resolve(tmpdir(), "pushpals-validation-expo");
-  for (const dir of [homeDir, cacheDir, expoDir]) {
-    try {
-      mkdirSync(dir, { recursive: true });
-    } catch {
-      // Keep validation best-effort; the command output will expose any real env blocker.
-    }
-  }
-  const env: Record<string, string> = {};
-  for (const [key, value] of Object.entries(process.env)) {
-    if (typeof value === "string") env[key] = value;
-  }
-  return {
-    ...env,
-    HOME: homeDir,
-    USERPROFILE: homeDir,
-    XDG_CACHE_HOME: cacheDir,
-    npm_config_cache: resolve(cacheDir, "npm"),
-    EXPO_HOME: expoDir,
-    EXPO_NO_TELEMETRY: process.env.EXPO_NO_TELEMETRY ?? "1",
-    EXPO_NO_INTERACTIVE: process.env.EXPO_NO_INTERACTIVE ?? "1",
-    CI: process.env.CI ?? "1",
-    BROWSER: process.env.BROWSER ?? "none",
-    EXPO_DEV_SERVER_PORT: process.env.EXPO_DEV_SERVER_PORT ?? "19006",
-    RCT_METRO_PORT: process.env.RCT_METRO_PORT ?? "19006",
-    PUSHPALS_VALIDATION_REPO: repo,
-  };
+export function isLongRunningBrowserValidationCommand(command: string): boolean {
+  const normalized = validationCommandKey(command);
+  if (!normalized) return false;
+  const tokens = tokenizeValidationCommandArgv(command)?.map((token) => token.toLowerCase()) ?? [];
+  const joined = tokens.join(" ");
+  return (
+    /\b(web:e2e|e2e:web|browser:e2e|smoke:web|web:smoke|browser:smoke)\b/.test(normalized) ||
+    /\b(playwright|cypress)\b/.test(joined) ||
+    (/\bexpo\b/.test(joined) && /\b(web|start)\b/.test(joined))
+  );
+}
+export function resolveValidationCommandTimeoutMs(command: string, baseTimeoutMs: number): number {
+  const normalizedBase = Number.isFinite(Number(baseTimeoutMs))
+    ? Math.max(1_000, Math.min(7_200_000, Math.floor(Number(baseTimeoutMs))))
+    : 180_000;
+  if (!isLongRunningBrowserValidationCommand(command)) return normalizedBase;
+  return Math.max(normalizedBase, 600_000);
+}
+function commandHasPortArg(argv: string[]): boolean {
+  return argv.some((token) => token === "--port" || token.startsWith("--port="));
+}
+function shouldInjectBrowserValidationPort(command: string, argv: string[]): boolean {
+  if (commandHasPortArg(argv)) return false;
+  if (!isLongRunningBrowserValidationCommand(command)) return false;
+  return /\b(web:e2e|e2e:web|browser:e2e|smoke:web|web:smoke|browser:smoke)\b/.test(
+    validationCommandKey(command),
+  );
+}
+export function prepareValidationCommandArgv(
+  command: string,
+  env: Record<string, string>,
+): string[] | null {
+  const argv = tokenizeValidationCommandArgv(command);
+  if (!argv) return null;
+  const port = String(env.EXPO_DEV_SERVER_PORT ?? "").trim();
+  if (!port || !shouldInjectBrowserValidationPort(command, argv)) return argv;
+  return [...argv, "--", "--port", port];
+}
+function isBrowserValidationInfrastructureDigest(digest: string): boolean {
+  return /\b(ERR_SOCKET_BAD_PORT|EADDRINUSE|ECONNREFUSED|ECONNRESET|ETIMEDOUT|timed out|timeout|port|browser runtime|playwright install|executable doesn't exist)\b/i.test(
+    digest,
+  );
 }
 interface ToolAvailabilityResult {
@@ -730,6 +835,96 @@ function extractPreparedMergeConflictPaths(params: Record<string, unknown>): str
     .filter(Boolean);
 }
+function normalizeValidationPathToken(value: string): string | null {
+  const normalized = value
+    .trim()
+    .replace(/^['"`(<[]+/, "")
+    .replace(/[>'"`)\],.;:]+$/, "")
+    .replace(/\\/g, "/")
+    .replace(/^\.\/+/, "")
+    .replace(/\/+/g, "/");
+  if (!normalized || normalized.startsWith("../") || normalized.includes("/../")) return null;
+  if (!/[./]/.test(normalized)) return null;
+  if (/^(https?|file):/i.test(normalized)) return null;
+  return normalized;
+}
+function extractPathTokensFromValidationOutput(value: string): string[] {
+  const seen = new Set<string>();
+  const out: string[] = [];
+  const add = (raw: string | undefined) => {
+    if (!raw) return;
+    const normalized = normalizeValidationPathToken(raw);
+    if (!normalized || seen.has(normalized)) return;
+    seen.add(normalized);
+    out.push(normalized);
+  };
+  const normalized = stripAnsiControlSequences(value);
+  for (const match of normalized.matchAll(/[A-Za-z0-9_.@-]+(?:\/[A-Za-z0-9_.@-]+)+(?:\.[A-Za-z0-9_.-]+)?/g)) {
+    add(match[0]);
+  }
+  for (const match of normalized.matchAll(/(?:from|in|at)\s+['"`]?([^'"`\s]+\/[^'"`\s]+)['"`]?/gi)) {
+    add(match[1]);
+  }
+  return out;
+}
+function literalScopePrefix(value: string): string | null {
+  const normalized = normalizeValidationPathToken(value.replace(/\*\*?.*$/, "").replace(/\/+$/, ""));
+  if (!normalized || normalized === ".") return null;
+  return normalized;
+}
+function pathMatchesScopeHint(path: string, hint: string): boolean {
+  const normalizedPath = normalizeValidationPathToken(path);
+  const normalizedHint = hint.trim().replace(/\\/g, "/").replace(/^\.\/+/, "");
+  if (!normalizedPath || !normalizedHint) return false;
+  if (matchesGlob(normalizedPath, normalizedHint)) return true;
+  const prefix = literalScopePrefix(normalizedHint);
+  if (!prefix) return false;
+  return normalizedPath === prefix || normalizedPath.startsWith(`${prefix}/`);
+}
+export function classifyValidationFailureScope(
+  runs: ValidationExecutionResult[],
+  planning: TaskExecutePlanning,
+  changedPaths: string[],
+  targetPath?: string,
+): "none" | "task_scope" | "outside_task_scope" {
+  const failedRuns = runs.filter((run) => !run.ok && run.exitCode !== 127);
+  if (failedRuns.length === 0) return "none";
+  const scopeHints = [
+    targetPath ?? "",
+    ...changedPaths,
+    ...(planning.targetPaths ?? []),
+    ...(planning.scope.writeGlobs ?? []),
+  ]
+    .map((entry) => entry.trim().replace(/\\/g, "/"))
+    .filter(Boolean);
+  if (scopeHints.length === 0) return "none";
+  const combined = failedRuns
+    .flatMap((run) => [run.stdout, run.stderr])
+    .filter(Boolean)
+    .join("\n");
+  const lowerCombined = combined.toLowerCase().replace(/\\/g, "/");
+  for (const hint of scopeHints) {
+    const normalized = literalScopePrefix(hint);
+    if (normalized && normalized.length >= 4 && lowerCombined.includes(normalized.toLowerCase())) {
+      return "task_scope";
+    }
+  }
+  const pathTokens = extractPathTokensFromValidationOutput(combined).filter(
+    (token) => !/^(node_modules|\.bun|bun|npm|pnpm|yarn)\//i.test(token),
+  );
+  if (pathTokens.length === 0) return "none";
+  if (pathTokens.some((token) => scopeHints.some((hint) => pathMatchesScopeHint(token, hint)))) {
+    return "task_scope";
+  }
+  return "outside_task_scope";
+}
 function detectValidationBlocker(runs: ValidationExecutionResult[]): ValidationBlocker | null {
   const combined = runs
     .flatMap((run) => [run.stdout, run.stderr])
@@ -910,7 +1105,51 @@ function extractRunnableValidationCommand(step: string): string | null {
 }
 function validationCommandKey(command: string): string {
-  return command.trim().replace(/\s+/g, " ").toLowerCase();
+  const argv = tokenizeValidationCommandArgv(command);
+  if (argv && argv.length > 0) {
+    const normalized = argv.map((entry) => entry.trim()).filter(Boolean);
+    if (normalized[0]?.toLowerCase() === "bunx") {
+      normalized.splice(0, 1, "bun", "x");
+    }
+    return normalized.join(" ").replace(/\s+/g, " ").toLowerCase();
+  }
+  return command
+    .trim()
+    .replace(/\s+/g, " ")
+    .replace(/^bunx\b/i, "bun x")
+    .toLowerCase();
+}
+export function extractValidationFailureDigest(run: {
+  exitCode?: number;
+  stdout?: string;
+  stderr?: string;
+  elapsedMs?: number;
+}): string {
+  const combined = stripAnsiControlSequences([run.stderr, run.stdout].filter(Boolean).join("\n"));
+  const patterns = [
+    /\bCannot find module\s+['"`][^'"`\r\n]+['"`][^\r\n]*/i,
+    /\bFailed to resolve import\s+['"`][^'"`\r\n]+['"`][^\r\n]*/i,
+    /\bCould not resolve\s+['"`]?[^'"`\r\n]+['"`]?[^\r\n]*/i,
+    /\bModule not found[^\r\n]*/i,
+    /\bERR_SOCKET_BAD_PORT[^\r\n]*/i,
+    /\berror TS\d+:[^\r\n]*/i,
+    /\bError:\s+[^\r\n]*/i,
+  ];
+  for (const pattern of patterns) {
+    const match = combined.match(pattern);
+    if (match?.[0]) return toSingleLine(match[0], 180);
+  }
+  const firstMeaningfulLine = combined
+    .split(/\r?\n/)
+    .map((line) => line.trim())
+    .find((line) => /\b(error|failed|cannot|could not|timeout|timed out)\b/i.test(line));
+  if (firstMeaningfulLine) return toSingleLine(firstMeaningfulLine, 180);
+  if (Number(run.exitCode) === 124) {
+    const elapsed = Number.isFinite(Number(run.elapsedMs)) ? ` after ${Number(run.elapsedMs)}ms` : "";
+    return `timed out${elapsed}`;
+  }
+  return "";
 }
 export function collectRequiredValidationFailures(
@@ -923,7 +1162,8 @@ export function collectRequiredValidationFailures(
     .filter((run) => requiredKeys.has(validationCommandKey(run.command)) && !run.ok)
     .map((run) => {
       const exitCode = Number.isFinite(Number(run.exitCode)) ? Number(run.exitCode) : "unknown";
-      return `${run.command} exited ${exitCode}`;
+      const digest = extractValidationFailureDigest(run);
+      return `${run.command} exited ${exitCode}${digest ? ` (${digest})` : ""}`;
     });
 }
@@ -983,7 +1223,7 @@ function dedupeValidationCommands(...groups: string[][]): string[] {
     for (const command of group) {
       const trimmed = command.trim();
       if (!trimmed) continue;
-      const key = trimmed.toLowerCase();
+      const key = validationCommandKey(trimmed);
       if (seen.has(key)) continue;
       seen.add(key);
       out.push(trimmed);
@@ -1088,14 +1328,19 @@ export function inferFallbackValidationCommandsForTestTask(
   return candidates.slice(0, 4);
 }
-function isTestFocusedTask(
+export function isTestFocusedTask(
   instruction: string,
   planning: TaskExecutePlanning,
   targetPath?: string,
 ): boolean {
   const lowerInstruction = instruction.toLowerCase();
   if (
-    /\b(test|tests|coverage|unit test|integration test|unittest|pytest)\b/.test(lowerInstruction)
+    /\b(add|write|create|update|extend|expand|harden|improve|refactor|move|extract|fix)\b.{0,80}\b(test|tests|coverage|unit test|integration test|unittest|pytest)\b/.test(
+      lowerInstruction,
+    ) ||
+    /\b(test|tests|coverage|unit test|integration test|unittest|pytest)\b.{0,80}\b(add|write|create|update|extend|expand|harden|improve|refactor|move|extract|fix)\b/.test(
+      lowerInstruction,
+    )
   ) {
     return true;
   }
@@ -1107,7 +1352,9 @@ function isTestFocusedTask(
   if (pathHints.some((entry) => isLikelyTestPath(entry))) return true;
   if (
     planning.acceptanceCriteria.some((entry) =>
-      /\b(test|tests|coverage|unit|integration|negative|invalid|valid)\b/i.test(entry),
+      /\b(add|write|create|update|extend|expand|harden|improve|refactor|move|extract|fix)\b.{0,80}\b(test|tests|coverage|unit test|integration test|unittest|pytest)\b/i.test(
+        entry,
+      ),
     )
   ) {
     return true;
@@ -1143,7 +1390,12 @@ async function runDeterministicQualityGate(
   repo: string,
   params: Record<string, unknown>,
   runtimeConfig: WorkerpalsRuntimeConfig,
+  qualityGatePolicy: QualityGatePolicy,
   onLog?: (stream: "stdout" | "stderr", line: string) => void,
+  validationRetryState?: {
+    previousFailureDigests?: Map<string, string>;
+    revisionAttempt?: number;
+  },
 ): Promise<DeterministicQualityResult> {
   const instruction = String(params.instruction ?? "");
   const targetPath = String(params.targetPath ?? params.path ?? "").trim() || undefined;
@@ -1154,16 +1406,25 @@ async function runDeterministicQualityGate(
   }
   const isTestTask = isTestFocusedTask(instruction, planning, targetPath);
   const hasRequiredValidationCriteria = requiredValidationSteps.length > 0;
-  if (!isTestTask && !hasRequiredValidationCriteria) {
+  if (
+    !qualityGatePolicy.scopeGateEnabled &&
+    !qualityGatePolicy.validationGateEnabled &&
+    !qualityGatePolicy.criticGateEnabled &&
+    !isTestTask &&
+    !hasRequiredValidationCriteria
+  ) {
     return {
       ok: true,
       skipped: true,
       issues: [],
+      scopeIssues: [],
+      validationIssues: [],
       changedPaths: [],
       changedTestPaths: [],
       validationRuns: [],
       requiredValidationFailures: [],
       blocker: null,
+      validationFailureScope: "none",
     };
   }
@@ -1176,15 +1437,47 @@ async function runDeterministicQualityGate(
     ),
   );
   const issues: string[] = [];
-  if (changedTestPaths.length === 0) {
-    issues.push("No relevant test file was modified for this test-focused task.");
+  const scopeIssues: string[] = [];
+  const validationIssues: string[] = [];
+  const addScopeIssue = (issue: string): void => {
+    scopeIssues.push(issue);
+    issues.push(`ScopeGate: ${issue}`);
+  };
+  const addValidationIssue = (issue: string): void => {
+    validationIssues.push(issue);
+    issues.push(`ValidationGate: ${issue}`);
+  };
+  if (qualityGatePolicy.scopeGateEnabled) {
+    if (!statusResult.ok) {
+      addScopeIssue("could not evaluate changed paths from git status.");
+    }
+    for (const issue of collectWriteScopeIssuesFromChangedPaths(changedPaths, planning)) {
+      addScopeIssue(issue);
+    }
+    if (isTestTask && changedTestPaths.length === 0) {
+      addScopeIssue("found no relevant test file modified for this test-focused task.");
+    }
+    if (
+      isTestTask &&
+      changedTestPaths.length > 0 &&
+      !hasBalancedPositiveNegativeAssertions(changedTestPaths, repo)
+    ) {
+      addScopeIssue(
+        "found changed test files without both positive and negative assertion coverage (expected both).",
+      );
+    }
+    for (const issue of scopeIssues) {
+      onLog?.("stderr", `[ScopeGate] ${issue}`);
+    }
+  } else {
+    onLog?.("stdout", "[ScopeGate] Disabled by workerpals.quality_scope_gate_enabled=false.");
   }
-  if (
-    changedTestPaths.length > 0 &&
-    !hasBalancedPositiveNegativeAssertions(changedTestPaths, repo)
-  ) {
-    issues.push(
-      "Changed test files do not show both positive and negative assertion coverage (expected both).",
+  if (!qualityGatePolicy.validationGateEnabled) {
+    onLog?.(
+      "stdout",
+      "[ValidationGate] Disabled by workerpals.quality_validation_gate_enabled=false.",
     );
   }
@@ -1207,28 +1500,30 @@ async function runDeterministicQualityGate(
     if (!Number.isFinite(value)) return 180_000;
     return Math.max(1_000, Math.min(7_200_000, Math.floor(value)));
   })();
+  let requiredValidationFailures: string[] = [];
+  if (qualityGatePolicy.validationGateEnabled) {
   if (hasRequiredValidationCriteria && requiredRunnableSteps.length === 0) {
-    issues.push(
-      "vision.md testing criteria were provided, but none contained a runnable validation command.",
+    addValidationIssue(
+      "found vision.md testing criteria, but none contained a runnable validation command.",
     );
   }
   if (commandsToRun.length === 0) {
-    issues.push(
+    addValidationIssue(
       hasRequiredValidationCriteria
-        ? "No runnable validation command was available from vision.md testing criteria or planning.validationSteps."
-        : "No runnable validation command was provided in planning.validationSteps (expected at least one test command).",
+        ? "found no runnable validation command from vision.md testing criteria or planning.validationSteps."
+        : "found no runnable validation command in planning.validationSteps (expected at least one test command).",
     );
   } else {
     if (requiredRunnableSteps.length > 0) {
       onLog?.(
         "stdout",
-        `[QualityGate] Running required vision.md testing criteria: ${requiredRunnableSteps.join(" | ")}`,
+        `[ValidationGate] Running required vision.md testing criteria: ${requiredRunnableSteps.join(" | ")}`,
       );
     }
     if (isTestTask && plannerRunnableSteps.length === 0 && fallbackValidationSteps.length > 0) {
       onLog?.(
         "stdout",
-        `[QualityGate] No runnable planning.validationSteps found; using fallback validation command(s): ${commandsToRun.join(" | ")}`,
+        `[ValidationGate] No runnable planning.validationSteps found; using fallback validation command(s): ${commandsToRun.join(" | ")}`,
       );
     }
     const toolchainPlan = buildToolchainPlan({
@@ -1238,7 +1533,7 @@ async function runDeterministicQualityGate(
     if (toolchainPlan.requirements.length > 0) {
       onLog?.(
         "stdout",
-        `[QualityGate] Toolchain preflight: source=${toolchainPlan.environmentSource}, required=${toolchainPlan.requirements
+        `[ValidationGate] Toolchain preflight: source=${toolchainPlan.environmentSource}, required=${toolchainPlan.requirements
           .map((requirement) => requirement.tool)
           .join(", ")}`,
       );
@@ -1250,7 +1545,7 @@ async function runDeterministicQualityGate(
     if (missingToolRequirements.length > 0) {
       onLog?.(
         "stderr",
-        `[QualityGate] Toolchain preflight blocked dependent validation command(s): ${formatMissingToolRequirements(
+        `[ValidationGate] Toolchain preflight blocked dependent validation command(s): ${formatMissingToolRequirements(
           missingToolRequirements,
         )}`,
       );
@@ -1275,19 +1570,47 @@ async function runDeterministicQualityGate(
         });
         onLog?.(
           "stderr",
-          `[QualityGate] Quality gate validation skipped (missing toolchain): ${command}`,
+          `[ValidationGate] Validation skipped (missing toolchain): ${command}`,
         );
         continue;
       }
-      onLog?.("stdout", `[QualityGate] Quality gate validation: running "${command}"`);
+      const previousDigest = validationRetryState?.previousFailureDigests?.get(
+        validationCommandKey(command),
+      );
+      if (
+        previousDigest &&
+        Number(validationRetryState?.revisionAttempt ?? 0) > 0 &&
+        isLongRunningBrowserValidationCommand(command) &&
+        isBrowserValidationInfrastructureDigest(previousDigest)
+      ) {
+        const stderr =
+          `Skipped repeated browser validation after the same command failed in an earlier revision: ${previousDigest}. ` +
+          "Run it once after the underlying blocker changes.";
+        validationRuns.push({
+          step: command,
+          command,
+          ok: false,
+          exitCode: 124,
+          stdout: "",
+          stderr,
+          elapsedMs: 1,
+        });
+        onLog?.(
+          "stderr",
+          `[ValidationGate] Skipped repeated long browser validation: ${command} (${previousDigest})`,
+        );
+        continue;
+      }
+      onLog?.("stdout", `[ValidationGate] Running "${command}"`);
       const run = await runValidationCommand(
         repo,
         command,
-        qualityValidationStepTimeoutMs,
+        resolveValidationCommandTimeoutMs(command, qualityValidationStepTimeoutMs),
         outputPolicy,
       );
       validationRuns.push(run);
-      const runSummary = `[QualityGate] Quality gate validation ${run.ok ? "passed" : "failed"} (${run.elapsedMs}ms, exit ${run.exitCode}): ${command}`;
+      const digest = run.ok ? "" : extractValidationFailureDigest(run);
+      const runSummary = `[ValidationGate] ${run.ok ? "Passed" : "Failed"} (${run.elapsedMs}ms, exit ${run.exitCode}): ${command}${digest ? ` - ${digest}` : ""}`;
       onLog?.(run.ok ? "stdout" : "stderr", runSummary);
     }
     // exit 127 = command not found: separate tool-availability issues from real test failures.
@@ -1297,43 +1620,58 @@ async function runDeterministicQualityGate(
       const cmds = notFoundRuns.map((run) => run.command).join(", ");
       onLog?.(
         "stderr",
-        `[QualityGate] Some validation commands not found (exit 127 — wrong tool?): ${cmds}. This project uses Bun: prefer "bun test".`,
+        `[ValidationGate] Some validation commands not found (exit 127 - wrong tool?): ${cmds}. This project uses Bun: prefer "bun test".`,
       );
     }
     if (executedRuns.length > 0 && executedRuns.every((run) => !run.ok)) {
-      issues.push("Validation commands were executed but none passed.");
+      addValidationIssue("executed validation commands, but none passed.");
     } else if (executedRuns.length === 0 && notFoundRuns.length > 0) {
-      issues.push(
-        'No validation command could be run (command not found). Use "bun test" or another available test runner.',
+      addValidationIssue(
+        'could not run any validation command (command not found). Use "bun test" or another available test runner.',
       );
     }
     if (
       isTestTask &&
       !validationRuns.some((run) => /\b(test|pytest|coverage|vitest|jest)\b/i.test(run.command))
     ) {
-      issues.push("Validation steps did not execute a recognizable test command.");
+      addValidationIssue("did not execute a recognizable test command.");
     }
   }
-  const requiredValidationFailures = collectRequiredValidationFailures(
+  requiredValidationFailures = collectRequiredValidationFailures(
     requiredRunnableSteps,
     validationRuns,
   );
   if (requiredValidationFailures.length > 0) {
-    issues.push(
+    addValidationIssue(
       `Required vision.md validation failed: ${requiredValidationFailures.join("; ")}`,
     );
   }
-  const blocker = detectValidationBlocker(validationRuns);
+  }
+  const blocker = qualityGatePolicy.validationGateEnabled
+    ? detectValidationBlocker(validationRuns)
+    : null;
+  const scopedValidationFailure = qualityGatePolicy.validationGateEnabled
+    ? classifyValidationFailureScope(validationRuns, planning, changedPaths, targetPath)
+    : "none";
+  if (scopedValidationFailure === "outside_task_scope") {
+    onLog?.(
+      "stderr",
+      "[ValidationGate] Required validation failures appear outside the task write scope; treating them as publish blockers, not repair instructions.",
+    );
+  }
   return {
     ok: issues.length === 0 && blocker === null,
     skipped: false,
     issues,
+    scopeIssues,
+    validationIssues,
     changedPaths,
     changedTestPaths,
     validationRuns,
     requiredValidationFailures,
     blocker,
+    validationFailureScope: scopedValidationFailure,
   };
 }
@@ -1456,7 +1794,7 @@ async function runTaskCriticReview(
       if (lowered.includes("response_format")) {
         onLog?.(
           "stdout",
-          "[QualityGate] Critic fallback: response_format json_object unsupported; retrying without strict response_format.",
+          "[CriticGate] fallback: response_format json_object unsupported; retrying without strict response_format.",
         );
         request = await runCriticRequest(null);
       }
@@ -1464,7 +1802,7 @@ async function runTaskCriticReview(
     if (!request.response.ok) {
       onLog?.(
         "stderr",
-        `[QualityGate] Critic review request failed (${request.response.status}): ${toSingleLine(request.text, 240)}`,
+        `[CriticGate] review request failed (${request.response.status}): ${toSingleLine(request.text, 240)}`,
       );
       return null;
     }
@@ -1480,7 +1818,7 @@ async function runTaskCriticReview(
     if (!reviewObj) {
       onLog?.(
         "stderr",
-        `[QualityGate] Critic produced non-JSON content; skipping critic gate. Raw: ${toSingleLine(
+        `[CriticGate] produced non-JSON content; skipping critic gate. Raw: ${toSingleLine(
           content,
           220,
         )}`,
@@ -1509,7 +1847,7 @@ async function runTaskCriticReview(
   } catch (err) {
     onLog?.(
       "stderr",
-      `[QualityGate] Critic review unavailable: ${toSingleLine(err, 220)} (continuing without critic gate).`,
+      `[CriticGate] review unavailable: ${toSingleLine(err, 220)} (continuing without critic gate).`,
     );
     return null;
   }
@@ -1520,6 +1858,8 @@ export function buildQualityRevisionHint(
   critic: CriticReview | null,
   planning: TaskExecutePlanning,
   reviewFixContext?: ReviewFixContext | null,
+  validationRuns: ValidationExecutionResult[] = [],
+  validationBlocker: ValidationBlocker | null = null,
 ): string {
   const lines: string[] = [];
   lines.push("Quality revision required before completion.");
@@ -1552,6 +1892,26 @@ export function buildQualityRevisionHint(
     lines.push("Deterministic quality issues:");
     for (const issue of issues) lines.push(`- ${issue}`);
   }
+  if (validationBlocker) {
+    lines.push(
+      `Validation blocker: ${validationBlocker.category} - ${toSingleLine(
+        validationBlocker.detail,
+        300,
+      )}`,
+    );
+  }
+  const failedValidationRuns = validationRuns.filter((run) => !run.ok);
+  if (failedValidationRuns.length > 0) {
+    lines.push("Validation failure diagnostics:");
+    for (const run of failedValidationRuns.slice(0, 5)) {
+      lines.push(`- ${run.command} failed with exit ${run.exitCode} after ${run.elapsedMs}ms.`);
+      const output = toSingleLine(
+        stripAnsiControlSequences([run.stderr, run.stdout].filter(Boolean).join("\n")),
+        700,
+      );
+      if (output) lines.push(`  Output: ${output}`);
+    }
+  }
   if (critic) {
     lines.push(`Critic score: ${critic.score.toFixed(1)} / 10`);
     if (critic.mustFix.length > 0) {
@@ -3318,9 +3678,10 @@ async function generateCommitMessageFromDiffViaCodex(
   repo: string,
   runtimeConfig: WorkerpalsRuntimeConfig,
 ): Promise<string | null> {
+  const model = runtimeConfig.workerpals.llm.model.trim();
+  if (!model) return null;
   const codexPrefix = await resolveCodexCommandPrefix(repo, runtimeConfig.workerpals.llm.codexBin);
   if (!codexPrefix) return null;
-  const model = runtimeConfig.workerpals.llm.model.trim();
   const timeoutMs = (() => {
     const value = Number(runtimeConfig.workerpals.llm.codexTimeoutMs);
     if (!Number.isFinite(value)) return 120_000;
@@ -3355,6 +3716,7 @@ async function generateCommitMessageFromDiffViaCodex(
     const stdinText = `${prompt.systemPrompt}\n\n${prompt.userMessage}`;
     const proc = Bun.spawn(cmd, {
       cwd: repo,
+      env: buildWorkerSandboxWritableEnv(repo),
       stdout: "pipe",
       stderr: "pipe",
       stdin: new Blob([stdinText]),
@@ -3587,40 +3949,33 @@ function taskExecuteOrigin(params: Record<string, unknown>): "autonomy" | "user"
   return "user";
 }
-async function collectWriteScopeWarnings(
-  repo: string,
+function collectWriteScopeIssuesFromChangedPaths(
+  changedPaths: string[],
   planning: TaskExecutePlanning,
-): Promise<{ warnings: string[] }> {
+): string[] {
   const writeGlobs = toStringArray(planning.scope.writeGlobs ?? []);
-  if (writeGlobs.length === 0) return { warnings: [] };
-  const statusResult = await git(repo, ["status", "--porcelain"]);
-  if (!statusResult.ok) {
-    return { warnings: ["Unable to evaluate changed paths for scope suggestion check."] };
-  }
+  if (writeGlobs.length === 0) return [];
-  const changedPaths = parseChangedPathsFromStatus(statusResult.stdout)
+  const normalizedChangedPaths = changedPaths
     .map((entry) => normalizeStagePath(entry))
     .filter((entry): entry is string => Boolean(entry) && entry !== ".");
-  if (changedPaths.length === 0) return { warnings: [] };
+  if (normalizedChangedPaths.length === 0) return [];
   const forbidden = toStringArray(planning.scope.forbiddenGlobs ?? []);
-  const warnings: string[] = [];
-  const outOfScope = changedPaths.filter(
+  const issues: string[] = [];
+  const outOfScope = normalizedChangedPaths.filter(
     (path) => !writeGlobs.some((glob) => matchesGlob(path, glob)),
   );
   if (outOfScope.length > 0) {
-    warnings.push(`Scope suggestion: modified paths outside writeGlobs: ${outOfScope.join(", ")}`);
+    issues.push(`modified paths outside writeGlobs: ${outOfScope.join(", ")}`);
   }
-  const forbiddenTouched = changedPaths.filter((path) =>
+  const forbiddenTouched = normalizedChangedPaths.filter((path) =>
     forbidden.some((glob) => matchesGlob(path, glob)),
   );
   if (forbiddenTouched.length > 0) {
-    warnings.push(
-      `Scope suggestion: modified paths matching forbiddenGlobs: ${forbiddenTouched.join(", ")}`,
-    );
+    issues.push(`modified paths matching forbiddenGlobs: ${forbiddenTouched.join(", ")}`);
   }
-  return { warnings };
+  return issues;
 }
 function sanitizeTaskExecutePlanningPathHints(value: unknown): unknown {
@@ -3945,7 +4300,7 @@ async function runCodexCriticReview(
   if (!codexPrefix) {
     onLog?.(
       "stderr",
-      "[QualityGate] Codex critic: unable to resolve Codex CLI command (workerpals.llm.codex_bin/PATH); skipping.",
+      "[CriticGate] Codex: unable to resolve Codex CLI command (workerpals.llm.codex_bin/PATH); skipping.",
     );
     return null;
   }
@@ -4026,6 +4381,7 @@ async function runCodexCriticReview(
   try {
     const proc = Bun.spawn(cmd, {
       cwd: repo,
+      env: buildWorkerSandboxWritableEnv(repo),
       stdout: "pipe",
       stderr: "pipe",
       stdin: new Blob([criticInstruction]),
@@ -4045,14 +4401,14 @@ async function runCodexCriticReview(
     clearTimeout(timer);
     if (timedOut) {
-      onLog?.("stderr", "[QualityGate] Codex critic timed out; skipping.");
+      onLog?.("stderr", "[CriticGate] Codex timed out; skipping.");
       return null;
     }
     if (exitCode !== 0) {
       const stderrText = await new Response(proc.stderr).text();
       onLog?.(
         "stderr",
-        `[QualityGate] Codex critic exited ${exitCode}: ${toSingleLine(stderrText, 220)}`,
+        `[CriticGate] Codex exited ${exitCode}: ${toSingleLine(stderrText, 220)}`,
       );
       return null;
     }
@@ -4070,7 +4426,7 @@ async function runCodexCriticReview(
     }
     if (!lastMessage) {
-      onLog?.("stderr", "[QualityGate] Codex critic: no output message captured; skipping.");
+      onLog?.("stderr", "[CriticGate] Codex: no output message captured; skipping.");
       return null;
     }
@@ -4078,7 +4434,7 @@ async function runCodexCriticReview(
     if (!reviewObj) {
       onLog?.(
         "stderr",
-        `[QualityGate] Codex critic returned non-JSON: ${toSingleLine(lastMessage, 220)}`,
+        `[CriticGate] Codex returned non-JSON: ${toSingleLine(lastMessage, 220)}`,
       );
       return null;
     }
@@ -4094,7 +4450,7 @@ async function runCodexCriticReview(
     const revisionGuidance = String(reviewObj.revision_guidance ?? "")
       .trim()
       .slice(0, 2000);
-    onLog?.("stdout", `[QualityGate] Codex critic score: ${score}/10`);
+    onLog?.("stdout", `[CriticGate] Codex score: ${score}/10`);
     return {
       score,
       findings,
@@ -4103,7 +4459,7 @@ async function runCodexCriticReview(
       raw: compactJobOutput(lastMessage, outputPolicyForRuntime(runtimeConfig)),
     };
   } catch (err) {
-    onLog?.("stderr", `[QualityGate] Codex critic error: ${toSingleLine(err, 220)} (skipping).`);
+    onLog?.("stderr", `[CriticGate] Codex error: ${toSingleLine(err, 220)} (skipping).`);
     return null;
   }
 }
@@ -4189,12 +4545,25 @@ export async function executeJob(
   const reviewFixContext = extractReviewFixContext(normalizedParams);
   const qualityGatePolicy = deriveQualityGatePolicy(normalizedParams, runtimeConfig);
   const qualityMaxAutoRevisions = qualityGatePolicy.maxAutoRevisions;
+  const qualityValidationMaxAutoRevisions = qualityGatePolicy.validationMaxAutoRevisions;
+  const qualityRevisionLoopMax = Math.max(
+    qualityMaxAutoRevisions,
+    qualityValidationMaxAutoRevisions,
+  );
   const qualitySoftPassOnExhausted = qualityGatePolicy.softPassOnExhausted;
   const qualityCriticMinScore = qualityGatePolicy.criticMinScore;
   onLog?.(
     "stdout",
-    `[QualityGate] Policy: max_auto_revisions=${qualityMaxAutoRevisions}, soft_pass_on_exhausted=${qualitySoftPassOnExhausted ? "true" : "false"}, critic_min_score=${qualityCriticMinScore}`,
+    `[QualityGate] Policy: max_auto_revisions=${qualityMaxAutoRevisions}, validation_max_auto_revisions=${qualityValidationMaxAutoRevisions}, soft_pass_on_exhausted=${qualitySoftPassOnExhausted ? "true" : "false"}, critic_min_score=${qualityCriticMinScore}`,
+  );
+  onLog?.(
+    "stdout",
+    `[QualityGate] Gates: scope=${qualityGatePolicy.scopeGateEnabled ? "on" : "off"}, validation=${
+      qualityGatePolicy.validationGateEnabled ? "on" : "off"
+    }, critic=${qualityGatePolicy.criticGateEnabled ? "on" : "off"}, publish=${
+      qualityGatePolicy.publishGateEnabled ? "on" : "off"
+    }`,
   );
   if (qualityGatePolicy.mode === "review_fix") {
     const priorScore =
@@ -4218,7 +4587,8 @@ export async function executeJob(
   let revisionAttempt = 0;
   let revisionHint = "";
-  while (revisionAttempt <= qualityMaxAutoRevisions) {
+  const previousValidationFailureDigests = new Map<string, string>();
+  while (revisionAttempt <= qualityRevisionLoopMax) {
     const attemptParams: Record<string, unknown> = { ...normalizedParams };
     if (revisionHint) {
       attemptParams.qualityRevisionHint = revisionHint;
@@ -4306,50 +4676,154 @@ export async function executeJob(
       };
     }
-    const scopeCheck = await collectWriteScopeWarnings(repo, planning);
-    for (const warning of scopeCheck.warnings) {
-      onLog?.("stdout", `[TaskExecute] ${warning}`);
+    const quality = await runDeterministicQualityGate(
+      repo,
+      attemptParams,
+      runtimeConfig,
+      qualityGatePolicy,
+      onLog,
+      {
+        previousFailureDigests: previousValidationFailureDigests,
+        revisionAttempt,
+      },
+    );
+    for (const run of quality.validationRuns) {
+      if (run.ok) continue;
+      const digest = extractValidationFailureDigest(run);
+      if (digest) previousValidationFailureDigests.set(validationCommandKey(run.command), digest);
     }
-    const quality = await runDeterministicQualityGate(repo, attemptParams, runtimeConfig, onLog);
-    const critic = quality.skipped
-      ? null
-      : executor === "openai_codex"
-        ? await runCodexCriticReview(repo, attemptParams, quality, runtimeConfig, onLog)
-        : await runTaskCriticReview(repo, attemptParams, quality, runtimeConfig, onLog);
-    const effectiveQualityIssues = relaxAdvisoryQualityIssues(
+    const validationOutsideTaskScope =
+      quality.validationFailureScope === "outside_task_scope";
+    const qualityForCritic: DeterministicQualityResult = validationOutsideTaskScope
+      ? {
+          ...quality,
+          issues: quality.issues.filter((issue) => !issue.startsWith("ValidationGate:")),
+          validationIssues: [],
+          validationRuns: [],
+          blocker: null,
+        }
+      : quality;
+    const critic =
+      quality.skipped || !qualityGatePolicy.criticGateEnabled
+        ? null
+        : executor === "openai_codex"
+          ? await runCodexCriticReview(repo, attemptParams, qualityForCritic, runtimeConfig, onLog)
+          : await runTaskCriticReview(repo, attemptParams, qualityForCritic, runtimeConfig, onLog);
+    if (!qualityGatePolicy.criticGateEnabled) {
+      onLog?.("stdout", "[CriticGate] Disabled by workerpals.quality_critic_gate_enabled=false.");
+    }
+    const advisoryRelaxedQualityIssues = relaxAdvisoryQualityIssues(
       quality.issues,
       quality.validationRuns,
       critic,
       qualityCriticMinScore,
     );
-    if (effectiveQualityIssues.length !== quality.issues.length) {
+    let effectiveQualityIssues = advisoryRelaxedQualityIssues;
+    if (validationOutsideTaskScope) {
+      effectiveQualityIssues = effectiveQualityIssues.filter(
+        (issue) => !issue.startsWith("ValidationGate:"),
+      );
+      if (effectiveQualityIssues.length !== quality.issues.length) {
+        onLog?.(
+          "stderr",
+          "[ValidationGate] Validation failures are outside the task scope; they will block publishing but will not drive another code revision.",
+        );
+      }
+    }
+    if (
+      !validationOutsideTaskScope &&
+      advisoryRelaxedQualityIssues.length !== quality.issues.length
+    ) {
       onLog?.(
         "stdout",
         "[QualityGate] Assertion-balance heuristic downgraded to advisory because validation passed and critic score met threshold.",
       );
     }
     const deterministicRequiresRevision =
-      effectiveQualityIssues.length > 0 || quality.blocker !== null;
+      effectiveQualityIssues.length > 0 ||
+      (quality.blocker !== null && !validationOutsideTaskScope);
     const criticRequiresRevision = Boolean(critic && critic.score < qualityCriticMinScore);
+    if (
+      !qualityGatePolicy.publishGateEnabled &&
+      (deterministicRequiresRevision || criticRequiresRevision)
+    ) {
+      onLog?.(
+        "stderr",
+        "[PublishGate] Disabled by workerpals.quality_publish_gate_enabled=false; returning worker result despite gate failures.",
+      );
+      return {
+        ...result,
+        summary: `${result.summary} (publish gate disabled; quality gate findings were advisory)`,
+        stderr: truncate(
+          [
+            result.stderr ?? "",
+            ...quality.validationRuns.flatMap((run) => [run.stdout, run.stderr]).filter(Boolean),
+            critic ? `Critic raw: ${critic.raw}` : "",
+          ]
+            .filter(Boolean)
+            .join("\n"),
+          outputPolicyForRuntime(runtimeConfig),
+        ),
+        exitCode: typeof result.exitCode === "number" ? result.exitCode : 0,
+      };
+    }
     if (!deterministicRequiresRevision && !criticRequiresRevision) {
+      if (quality.requiredValidationFailures.length > 0) {
+        const requiredSummary = `Required vision.md validation blocked publishing: ${quality.requiredValidationFailures.join("; ")}`;
+        const diagnostics = truncate(
+          [
+            result.stderr ?? "",
+            validationOutsideTaskScope
+              ? "Validation failures appear outside the task write scope and are treated as pre-existing repo blockers."
+              : "",
+            ...quality.validationRuns.flatMap((run) => [run.stdout, run.stderr]).filter(Boolean),
+          ]
+            .filter(Boolean)
+            .join("\n"),
+          outputPolicyForRuntime(runtimeConfig),
+        );
+        onLog?.("stderr", `[QualityGate] ${requiredSummary}`);
+        return {
+          ok: false,
+          summary: requiredSummary,
+          stdout: result.stdout,
+          stderr: diagnostics,
+          exitCode: 4,
+        };
+      }
       if (critic) {
         onLog?.(
           "stdout",
-          `[QualityGate] Critic review score ${critic.score.toFixed(1)}/10 (threshold ${qualityCriticMinScore}).`,
+          `[CriticGate] review score ${critic.score.toFixed(1)}/10 (threshold ${qualityCriticMinScore}).`,
         );
       }
       return result;
     }
+    const blockerIssue = quality.blocker
+      ? [
+          `Validation blocker (${quality.blocker.category}): ${toSingleLine(
+            quality.blocker.detail,
+            240,
+          )}`,
+        ]
+      : [];
     const issues = buildQualityGateRevisionIssues(
-      effectiveQualityIssues,
+      [...effectiveQualityIssues, ...blockerIssue],
       critic,
       qualityCriticMinScore,
     );
+    const activeMaxAutoRevisions = revisionLimitForQualityGateFailures({
+      policy: qualityGatePolicy,
+      qualityIssues: effectiveQualityIssues,
+      requiredValidationFailures: validationOutsideTaskScope
+        ? []
+        : quality.requiredValidationFailures,
+      blocker: validationOutsideTaskScope ? null : quality.blocker,
+    });
     const issueSummary = issues.map((entry) => toSingleLine(entry, 180)).join(" | ");
-    if (quality.blocker) {
+    if (quality.blocker && !validationOutsideTaskScope) {
       const blockerSummary = `Quality gate blocked by ${quality.blocker.category} issue: ${quality.blocker.detail}`;
       const blockerDiagnostics = truncate(
         [
@@ -4358,7 +4832,23 @@ export async function executeJob(
         ].join("\n"),
         outputPolicyForRuntime(runtimeConfig),
       );
-      if (quality.requiredValidationFailures.length > 0) {
+      const requiredValidationCanRevise = shouldReviseRequiredValidationBlocker({
+        requiredValidationFailures: quality.requiredValidationFailures,
+        blocker: quality.blocker,
+        revisionAttempt,
+        maxAutoRevisions: qualityValidationMaxAutoRevisions,
+        outsideTaskScope: validationOutsideTaskScope,
+      });
+      if (requiredValidationCanRevise) {
+        onLog?.(
+          "stderr",
+          `[QualityGate] Required vision.md validation hit a repo blocker; requesting revision ${
+            revisionAttempt + 1
+          }/${qualityValidationMaxAutoRevisions} instead of failing immediately: ${quality.requiredValidationFailures.join(
+            "; ",
+          )}`,
+        );
+      } else if (quality.requiredValidationFailures.length > 0) {
         const requiredSummary = `Required vision.md validation blocked publishing: ${quality.requiredValidationFailures.join("; ")}`;
         onLog?.("stderr", `[QualityGate] ${requiredSummary}`);
         return {
@@ -4368,8 +4858,7 @@ export async function executeJob(
           stderr: blockerDiagnostics,
           exitCode: 4,
         };
-      }
-      if (shouldSoftPassValidationBlocker(qualityGatePolicy, quality.blocker)) {
+      } else if (shouldSoftPassValidationBlocker(qualityGatePolicy, quality.blocker)) {
         onLog?.(
           "stderr",
           `[QualityGate] Soft-pass on ${quality.blocker.category} blocker for publishable ${qualityGatePolicy.mode} job: ${toSingleLine(
@@ -4385,17 +4874,18 @@ export async function executeJob(
           stderr: blockerDiagnostics,
           exitCode: typeof result.exitCode === "number" ? result.exitCode : 0,
         };
+      } else {
+        onLog?.("stderr", `[QualityGate] ${blockerSummary}`);
+        return {
+          ok: false,
+          summary: blockerSummary,
+          stdout: result.stdout,
+          stderr: blockerDiagnostics,
+          exitCode: 4,
+        };
       }
-      onLog?.("stderr", `[QualityGate] ${blockerSummary}`);
-      return {
-        ok: false,
-        summary: blockerSummary,
-        stdout: result.stdout,
-        stderr: blockerDiagnostics,
-        exitCode: 4,
-      };
     }
-    if (revisionAttempt >= qualityMaxAutoRevisions) {
+    if (revisionAttempt >= activeMaxAutoRevisions) {
       if (quality.requiredValidationFailures.length > 0) {
         const diagnostics = truncate(
           [
@@ -4456,10 +4946,17 @@ export async function executeJob(
     }
     revisionAttempt += 1;
-    revisionHint = buildQualityRevisionHint(issues, critic, planning, reviewFixContext);
+    revisionHint = buildQualityRevisionHint(
+      issues,
+      critic,
+      planning,
+      reviewFixContext,
+      validationOutsideTaskScope ? [] : quality.validationRuns,
+      validationOutsideTaskScope ? null : quality.blocker,
+    );
     onLog?.(
       "stderr",
-      `[QualityGate] Quality gate requested revision ${revisionAttempt}/${qualityMaxAutoRevisions}: ${toSingleLine(
+      `[QualityGate] Quality gate requested revision ${revisionAttempt}/${activeMaxAutoRevisions}: ${toSingleLine(
         issueSummary,
         260,
       )}`,