npm - @pushpalsdev/cli - Versions diffs - 1.0.86 → 1.0.93 - Mend

@pushpalsdev/cli 1.0.86 → 1.0.93

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (25) hide show

package/dist/pushpals-cli.js CHANGED Viewed

@@ -1071,7 +1071,7 @@ function loadPushPalsConfig(options = {}) {
           const parsed = Number.parseFloat(String(firstNonEmpty(process.env.REMOTEBUDDY_AUTONOMY_ALERT_AUTONOMY_FAILURE_RATE_THRESHOLD, asString(remoteAutonomyNode.alert_autonomy_failure_rate_threshold, "0.45"), "0.45")));
           return Number.isFinite(parsed) ? parsed : 0.45;
         })())),
-        allowReadAnywhere: parseBoolEnv("REMOTEBUDDY_AUTONOMY_ALLOW_READ_ANYWHERE") ?? asBoolean(remoteAutonomyNode.allow_read_anywhere, false),
+        allowReadAnywhere: parseBoolEnv("REMOTEBUDDY_AUTONOMY_ALLOW_READ_ANYWHERE") ?? asBoolean(remoteAutonomyNode.allow_read_anywhere, true),
         prFeedbackCommentRows: Math.max(1, Math.min(200, asInt(parseIntEnv("REMOTEBUDDY_AUTONOMY_PR_FEEDBACK_COMMENT_ROWS") ?? remoteAutonomyNode.pr_feedback_comment_rows, 16))),
         prFeedbackCommentChars: Math.max(32, Math.min(20000, asInt(parseIntEnv("REMOTEBUDDY_AUTONOMY_PR_FEEDBACK_COMMENT_CHARS") ?? remoteAutonomyNode.pr_feedback_comment_chars, 600))),
         prFeedbackSummaryChars: Math.max(32, Math.min(20000, asInt(parseIntEnv("REMOTEBUDDY_AUTONOMY_PR_FEEDBACK_SUMMARY_CHARS") ?? remoteAutonomyNode.pr_feedback_summary_chars, 600))),

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@pushpalsdev/cli",
-  "version": "1.0.86",
+  "version": "1.0.93",
   "description": "PushPals terminal CLI for LocalBuddy -> RemoteBuddy orchestration",
   "license": "MIT",
   "repository": {
@@ -12,7 +12,7 @@
     "url": "https://github.com/PushPalsDev/pushpals/issues"
   },
   "bin": {
-    "pushpals": "./bin/pushpals.cjs"
+    "pushpals": "bin/pushpals.cjs"
   },
   "files": [
     "bin",

package/runtime/prompts/remotebuddy/autonomy_ideation_system_prompt.md CHANGED Viewed

@@ -56,9 +56,10 @@ Constraints:
 - `objective_type` is a governance lane, not a fixed feature catalog. Feature ideas are free-form and should be expressed in `title`, `problem_statement`, and `feature_hypotheses`.
 - `feature_hypotheses` may contain any suitable product/engineering features; keep each item concise and actionable.
 - target_paths must be literal repo-relative paths.
-- write_globs must be repo-relative globs.
+- write_globs must be repo-relative globs used as starting-point/relevance hints, not hard write boundaries.
 - Choose target_paths that own the behavior being improved, not thin route wrappers, re-export files, or shell components, unless the requested change is explicitly at that wrapper boundary.
 - For UI/game/product-surface objectives, prefer files that render or compute the relevant state directly; use wrapper files only for navigation, mounting, or screen-level chrome work.
+- Workers have repo-wide sandbox write access and may expand from these hints to the behavior-owning files; the review agent will judge whether the final diff stays relevant.
 - do not invent evidence ids.
 - If all signals are low/noisy, it is valid to return zero candidates.
 - Treat a low `sig_queue_health` value as maintenance-window evidence for safe proactive work, not only incident response.

package/runtime/prompts/remotebuddy/autonomy_planning_system_prompt.md CHANGED Viewed

@@ -1,5 +1,5 @@
 Write objective instruction text for a worker.
 Return strict JSON:
 { "instruction": "..." }
-Keep it concise, executable, and scoped to target_paths and write_globs only.
+Keep it concise and executable. Treat target_paths and write_globs as starting-point/relevance hints, not hard write boundaries; the worker may edit other behavior-owning repo files when needed and the review agent will judge relevance.
 If you mention commands, use Bun/Bunx command forms (`bun ...`, `bunx ...`), never npm/npx/pnpm/yarn forms.

package/runtime/prompts/remotebuddy/remotebuddy_system_prompt.md CHANGED Viewed

@@ -11,7 +11,7 @@ Repository boundary policy:
 - Treat `{{repo_root}}` as the only allowed repository scope.
 - Never plan edits or checks outside this repository root.
-- Prefer explicit repo-relative targets; use broad `"."` scope only when the user explicitly requests whole-repo work.
+- Prefer explicit repo-relative targets as review/relevance hints. WorkerPals have repo-wide sandbox write access, so do not over-constrain write scope unless the user explicitly asks for a hard path limit.
 Intent taxonomy (choose the single best fit):
@@ -44,7 +44,7 @@ Execution policy:
 - Scope policy (for `requires_worker=true`):
   - `scope.read_anywhere` should default to `true` (do not set `false` unless user explicitly requested restrictive reading)
   - `scope.write_allowed` should default to `true`
-  - `scope.write_globs` should be included only when you need to constrain edits
+  - `scope.write_globs` should be included as starting-point/relevance hints, not as hard write boundaries
   - `scope.forbidden_globs` should be included only when specific paths must be blocked
   - `scope.max_files_to_edit` should be included only when a cap is needed

package/runtime/prompts/workerpals/miniswe_completion_requirement.md CHANGED Viewed

	@@ -1 +1 @@
1	- Completion requirement: ~~handle~~ ~~all~~ requested ~~edits~~ ~~across~~ ~~all~~ ~~explicit~~ ~~target~~ paths ~~before~~ ~~setting~~ ~~done=true~~.
1	+ Completion requirement: solve the requested task before setting done=true. Target paths are relevance hints; edit other behavior-owning files when needed and explain why.

package/runtime/prompts/workerpals/miniswe_explicit_targets_block.md CHANGED Viewed

@@ -1,2 +1,2 @@
-Explicit target paths:
+Target path hints:
 {{targets_block}}

package/runtime/prompts/workerpals/openai_codex_task_execute_system_prompt.md CHANGED Viewed

@@ -11,7 +11,10 @@ Non-negotiable runtime invariants:
 Execution rules:
-- Keep edits minimal, correct, and scoped to the requested task.
+- Keep edits minimal, correct, and relevant to the requested task.
+- You have repo-wide read/write access inside an isolated WorkerPal sandbox. Target paths and write globs are starting-point/relevance hints, not hard write boundaries.
+- If the hinted file is a thin wrapper or the behavior lives elsewhere, edit the behavior-owning file(s) needed to solve the task and explain the scope expansion in your final response.
+- Avoid irrelevant sprawl; the review agent will judge whether changed files are necessary for the requested outcome.
 - Read relevant files before editing, then run focused validation.
 - Use direct commands without shell wrappers. Prefer plain commands like `git diff -- path`, `git add <path>`, `git status --porcelain`, and `pwd`.
 - Do not wrap commands in `/bin/bash -lc`, `sh -lc`, `cmd /c`, or `powershell -Command`, and avoid pipelines, `awk`, heredocs, or multi-command shell snippets unless they are truly unavoidable.

package/runtime/prompts/workerpals/openhands_minimal_system_prompt.j2 CHANGED Viewed

@@ -1,10 +1,12 @@
 You are PushPals WorkerPal running inside OpenHands.
-Operate with strict scope:
+Operate with strict relevance:
 - Focus only on the current user task.
 - If the task is a question, answer directly and do not edit files.
 - If code/file changes are requested, implement them end-to-end.
 - Reuse existing repository conventions and avoid unrelated refactors/docs.
+- Treat target paths and write globs as starting-point/relevance hints, not hard write boundaries.
+- If the behavior lives outside the hinted files, edit the owning files and explain the scope expansion.
 Execution loop:
 - Prefer concrete execution over planning chatter.

package/runtime/prompts/workerpals/openhands_task_execute_system_prompt.md CHANGED Viewed

@@ -3,7 +3,8 @@ You are PushPals WorkerPal running inside OpenHands.
 Execution rules:
 - Focus only on the task below.
-- Keep changes minimal, correct, and scoped to the request.
+- Keep changes minimal, correct, and relevant to the request.
+- Target paths and write globs are starting-point/relevance hints, not hard write boundaries; if the behavior lives elsewhere, edit the owning files and explain why.
 - Read relevant files before editing.
 - Reuse existing project conventions and tooling.
 - If the task is a question/explanation, answer directly and do not edit files.

package/runtime/prompts/workerpals/workerpals_system_prompt.md CHANGED Viewed

@@ -6,7 +6,7 @@ Your mission:
 - Take the user (or RemoteBuddy) request and fully execute it end-to-end.
 - You are responsible for breaking the work down into concrete subtasks, completing them, validating, reviewing your own changes, and preparing a high-quality commit message when the work is ready.
-- You have full read/write access within the assigned repository only; do not access files outside that repository.
+- You have full read/write access within the assigned repository sandbox only; do not access files outside that repository. Target paths and write globs are starting-point/relevance hints, not hard write boundaries.
 Mindset:
@@ -64,7 +64,7 @@ Execution workflow (you MUST follow this):
      - Performance: no unnecessary work on UI thread, no extra network calls, no large bundles
      - Cross-platform: iOS/Android/Web differences guarded appropriately
      - Security: no secret leakage, safe networking defaults, no unsafe shell usage
-   - Make any final polish edits that improve clarity without changing scope.
+   - Make any final polish edits that improve clarity without drifting from the task.
 7. Prepare to commit (when appropriate)
    - When the work is ready, produce a detailed commit message (do NOT actually commit unless your system explicitly allows it).

package/runtime/sandbox/.pushpals-remotebuddy-fallback.js CHANGED Viewed

@@ -86,11 +86,13 @@ class CommunicationManager {
   sessionId;
   from;
   authToken;
+  fetchImpl;
   constructor(opts) {
     this.serverUrl = opts.serverUrl;
     this.sessionId = opts.sessionId;
     this.from = opts.from;
     this.authToken = opts.authToken ?? null;
+    this.fetchImpl = opts.fetchImpl ?? fetch;
   }
   headers() {
     const headers = { "Content-Type": "application/json" };
@@ -132,7 +134,7 @@ class CommunicationManager {
         body.turnId = meta.turnId;
       if (meta.parentId)
         body.parentId = meta.parentId;
-      const response = await fetch(this.commandUrl(sessionId), {
+      const response = await this.fetchImpl(this.commandUrl(sessionId), {
         method: "POST",
         headers: this.headers(),
         body: JSON.stringify(body)
@@ -588,7 +590,8 @@ function validateScopeInvariants(componentArea, targetPathsInput, writeGlobsInpu
   const scopeSeeds = collectScopeSeedPaths(targetPathsInput, writeGlobsInput);
   const normalizedComponentArea = normalizeAutonomyComponentArea(componentArea) ?? deriveAutonomyComponentArea(targetPathsInput, writeGlobsInput);
   const allowMultipleComponentRoots = options?.allowMultipleComponentRoots === true;
-  if (!normalizedComponentArea && scopeSeeds.length > 1 && !allowMultipleComponentRoots) {
+  const hintsOnly = options?.hintsOnly === true;
+  if (!hintsOnly && !normalizedComponentArea && scopeSeeds.length > 1 && !allowMultipleComponentRoots) {
     errors.push(`scope spans multiple component roots: ${scopeSeeds.slice(0, 6).join(", ")}`);
   }
   const rootPrefix = normalizedComponentArea ? componentRootPrefix(normalizedComponentArea) : "";
@@ -600,7 +603,7 @@ function validateScopeInvariants(componentArea, targetPathsInput, writeGlobsInpu
       errors.push(`invalid target_path: ${String(raw ?? "")}`);
       continue;
     }
-    if (rootPrefix && !underRoot(normalized, rootPrefix)) {
+    if (!hintsOnly && rootPrefix && !underRoot(normalized, rootPrefix)) {
       errors.push(`target_path outside component root: ${normalized}`);
       continue;
     }
@@ -621,20 +624,20 @@ function validateScopeInvariants(componentArea, targetPathsInput, writeGlobsInpu
       errors.push(`invalid write_glob: ${String(raw ?? "")}`);
       continue;
     }
-    if (hasForbiddenBroadGlob(normalized)) {
+    if (!hintsOnly && hasForbiddenBroadGlob(normalized)) {
       errors.push(`forbidden broad write_glob: ${normalized}`);
       continue;
     }
     const prefix = literalPrefix(normalized);
-    if (!prefix) {
+    if (!hintsOnly && !prefix) {
       errors.push(`write_glob literal prefix cannot be empty: ${normalized}`);
       continue;
     }
-    if (rootPrefix && !underRoot(prefix, rootPrefix)) {
+    if (!hintsOnly && rootPrefix && !underRoot(prefix, rootPrefix)) {
       errors.push(`write_glob outside component root: ${normalized}`);
       continue;
     }
-    if (!normalizedTargetPaths.some((targetPath) => targetPath === prefix || targetPath.startsWith(`${prefix}/`))) {
+    if (!hintsOnly && !normalizedTargetPaths.some((targetPath) => targetPath === prefix || targetPath.startsWith(`${prefix}/`))) {
       errors.push(`write_glob prefix does not align with target_paths: ${normalized}`);
       continue;
     }
@@ -647,14 +650,14 @@ function validateScopeInvariants(componentArea, targetPathsInput, writeGlobsInpu
   if ((options?.requireWriteGlobs ?? true) && normalizedWriteGlobs.length === 0) {
     errors.push("write_globs must be provided and non-empty");
   }
-  if (normalizedTargetPaths.length > 0 && normalizedWriteGlobs.length > 0) {
+  if (!hintsOnly && normalizedTargetPaths.length > 0 && normalizedWriteGlobs.length > 0) {
     for (const targetPath of normalizedTargetPaths) {
       const covered = normalizedWriteGlobs.some((glob) => matchesGlob(targetPath, glob));
       if (!covered)
         errors.push(`target_path not covered by write_globs: ${targetPath}`);
     }
   }
-  if (!normalizedComponentArea && !allowMultipleComponentRoots) {
+  if (!hintsOnly && !normalizedComponentArea && !allowMultipleComponentRoots) {
     errors.push("component_area could not be derived from scope");
   }
   const breadth = classifyGlobBreadth(normalizedWriteGlobs);
@@ -1357,7 +1360,7 @@ function loadPushPalsConfig(options = {}) {
           const parsed = Number.parseFloat(String(firstNonEmpty(process.env.REMOTEBUDDY_AUTONOMY_ALERT_AUTONOMY_FAILURE_RATE_THRESHOLD, asString(remoteAutonomyNode.alert_autonomy_failure_rate_threshold, "0.45"), "0.45")));
           return Number.isFinite(parsed) ? parsed : 0.45;
         })())),
-        allowReadAnywhere: parseBoolEnv("REMOTEBUDDY_AUTONOMY_ALLOW_READ_ANYWHERE") ?? asBoolean(remoteAutonomyNode.allow_read_anywhere, false),
+        allowReadAnywhere: parseBoolEnv("REMOTEBUDDY_AUTONOMY_ALLOW_READ_ANYWHERE") ?? asBoolean(remoteAutonomyNode.allow_read_anywhere, true),
         prFeedbackCommentRows: Math.max(1, Math.min(200, asInt(parseIntEnv("REMOTEBUDDY_AUTONOMY_PR_FEEDBACK_COMMENT_ROWS") ?? remoteAutonomyNode.pr_feedback_comment_rows, 16))),
         prFeedbackCommentChars: Math.max(32, Math.min(20000, asInt(parseIntEnv("REMOTEBUDDY_AUTONOMY_PR_FEEDBACK_COMMENT_CHARS") ?? remoteAutonomyNode.pr_feedback_comment_chars, 600))),
         prFeedbackSummaryChars: Math.max(32, Math.min(20000, asInt(parseIntEnv("REMOTEBUDDY_AUTONOMY_PR_FEEDBACK_SUMMARY_CHARS") ?? remoteAutonomyNode.pr_feedback_summary_chars, 600))),
@@ -4257,11 +4260,6 @@ var POLICY = {
   }
 };
 var RISK_ORDER = { low: 0, medium: 1, high: 2 };
-var BREADTH_ORDER = {
-  narrow: 0,
-  medium: 1,
-  broad: 2
-};
 var IDEATION_SYSTEM_PROMPT = loadPromptTemplate("remotebuddy/autonomy_ideation_system_prompt.md").trim();
 var SCORING_SYSTEM_PROMPT = loadPromptTemplate("remotebuddy/autonomy_scoring_system_prompt.md").trim();
 var PLANNING_SYSTEM_PROMPT = loadPromptTemplate("remotebuddy/autonomy_planning_system_prompt.md").trim();
@@ -4996,7 +4994,8 @@ function chooseRepoObjectiveTargetProfile(profiles, objective) {
 function adaptCandidateShapeToRepo(params) {
   const shape = params.shape;
   const scopeValidation = validateScopeInvariants(shape.component_area, shape.target_paths, shape.write_globs, {
-    requireWriteGlobs: true
+    requireWriteGlobs: true,
+    hintsOnly: true
   });
   const pathsExist = params.repoRoot && scopeValidation.ok ? findMissingRepoTargetPaths(params.repoRoot, scopeValidation.normalizedTargetPaths).length === 0 : scopeValidation.ok;
   if (scopeValidation.ok && pathsExist) {
@@ -5782,7 +5781,7 @@ ${pattern.tags.join(" ")}`.toLowerCase();
   const targetPaths = asStringArray2(metadataShape.target_paths ?? metadataShape.targetPaths ?? metadata.target_paths);
   const writeGlobs = asStringArray2(metadataShape.write_globs ?? metadataShape.writeGlobs ?? metadata.write_globs);
   const validationIdeas = asStringArray2(metadataShape.expected_validation ?? metadataShape.expectedValidation ?? metadata.expected_validation ?? pattern.validationIdeas);
-  const scopeCheck = validateScopeInvariants(componentArea, targetPaths.length > 0 ? targetPaths : defaults.target_paths, writeGlobs.length > 0 ? writeGlobs : defaults.write_globs, { requireWriteGlobs: true });
+  const scopeCheck = validateScopeInvariants(componentArea, targetPaths.length > 0 ? targetPaths : defaults.target_paths, writeGlobs.length > 0 ? writeGlobs : defaults.write_globs, { requireWriteGlobs: true, hintsOnly: true });
   return adaptCandidateShapeToRepo({
     shape: {
       objective_type: objectiveType,
@@ -6217,7 +6216,7 @@ function buildRepoVisionFallbackCandidates(params) {
       component_area: componentArea,
       target_paths: targetPaths,
       scope: {
-        read_anywhere: false,
+        read_anywhere: true,
         write_globs: writeGlobs
       },
       risk_level: "low",
@@ -6271,7 +6270,7 @@ function buildEngineFallbackCandidates(params) {
       component_area: candidateShape.component_area,
       target_paths: candidateShape.target_paths,
       scope: {
-        read_anywhere: false,
+        read_anywhere: true,
         write_globs: candidateShape.write_globs
       },
       risk_level: candidateShape.risk_level,
@@ -7367,15 +7366,11 @@ ${JSON.stringify(input.messages ?? [])}`),
             recordDropReason(`${source}_risk_exceeds_policy`);
             continue;
           }
-          const scopeValidation = validateScopeInvariants(candidate.component_area, candidate.target_paths, candidate.scope.write_globs, { requireWriteGlobs: true });
+          const scopeValidation = validateScopeInvariants(candidate.component_area, candidate.target_paths, candidate.scope.write_globs, { requireWriteGlobs: true, hintsOnly: true });
           if (!scopeValidation.ok) {
             recordDropReason(`${source}_scope_validation_failed`);
             continue;
           }
-          if (BREADTH_ORDER[scopeValidation.breadth] > BREADTH_ORDER[policy.maxBreadth]) {
-            recordDropReason(`${source}_scope_breadth_exceeds_policy`);
-            continue;
-          }
           if (candidate.scope.read_anywhere && !this.cfg.allowReadAnywhere) {
             recordDropReason(`${source}_read_anywhere_not_allowed`);
             continue;
@@ -8266,12 +8261,13 @@ function buildExecutionGuidance(plan, targetPaths, requiredValidationSteps = [])
   const lines = [];
   const targets = normalizePathHints(targetPaths.length > 0 ? targetPaths : plan.scope.write_globs ?? []);
   if (targets.length > 0) {
-    lines.push("Target paths:");
+    lines.push("Target paths / starting points:");
     for (const path of targets)
       lines.push(`- ${path}`);
     lines.push("Path handling:");
     lines.push("- Treat all target paths as repo-relative to the current working directory.");
     lines.push("- Do not prepend a leading slash to target paths.");
+    lines.push("- These paths are relevance hints, not hard write boundaries; edit the behavior-owning files needed for the task and explain any expansion.");
   }
   lines.push("Scope:");
   lines.push(`- read_anywhere: ${plan.scope.read_anywhere ? "true" : "false"}`);
@@ -8280,7 +8276,7 @@ function buildExecutionGuidance(plan, targetPaths, requiredValidationSteps = [])
     lines.push(`- max_files_to_edit: ${plan.scope.max_files_to_edit}`);
   }
   if (Array.isArray(plan.scope.write_globs) && plan.scope.write_globs.length > 0) {
-    lines.push("Write globs:");
+    lines.push("Write intent hints:");
     for (const glob of plan.scope.write_globs)
       lines.push(`- ${glob}`);
   }
@@ -8556,6 +8552,7 @@ class RemoteBuddyOrchestrator {
   server;
   sessionId;
   authToken;
+  fetchImpl;
   repo;
   jobsDbPath;
   workerOnlineTtlMs;
@@ -8624,6 +8621,7 @@ class RemoteBuddyOrchestrator {
     this.server = opts.server;
     this.sessionId = opts.sessionId;
     this.authToken = opts.authToken;
+    this.fetchImpl = opts.fetchImpl ?? fetch;
     this.brain = opts.brain;
     this.idempotency = opts.idempotency;
     this.persistentMemory = opts.persistentMemory;
@@ -8687,7 +8685,8 @@ class RemoteBuddyOrchestrator {
       serverUrl: this.server,
       sessionId: this.sessionId,
       authToken: this.authToken,
-      from: `agent:${this.agentId}`
+      from: `agent:${this.agentId}`,
+      fetchImpl: this.fetchImpl
     });
     this.autonomousEngine = new RemoteBuddyAutonomousEngine({
       server: this.server,
@@ -8749,7 +8748,7 @@ class RemoteBuddyOrchestrator {
   async ensureSessionWithRetry(sessionId = this.sessionId, maxRetries = 20, baseDelayMs = 500, maxDelayMs = 5000) {
     for (let attempt = 1;attempt <= maxRetries && !this.disposed; attempt++) {
       try {
-        const res = await fetch(`${this.server}/sessions`, {
+        const res = await this.fetchImpl(`${this.server}/sessions`, {
           method: "POST",
           headers: this.authHeaders(),
           body: JSON.stringify({ sessionId })
@@ -8796,7 +8795,7 @@ class RemoteBuddyOrchestrator {
   }
   async fetchJobLogs(jobId, limit = 80) {
     try {
-      const res = await fetch(`${this.server}/jobs/${jobId}/logs?limit=${Math.max(1, Math.min(500, limit))}`, {
+      const res = await this.fetchImpl(`${this.server}/jobs/${jobId}/logs?limit=${Math.max(1, Math.min(500, limit))}`, {
         method: "GET",
         headers: this.authHeaders()
       });
@@ -8812,7 +8811,7 @@ class RemoteBuddyOrchestrator {
   }
   async fetchJobToolRuns(jobId, limit = 20) {
     try {
-      const res = await fetch(`${this.server}/jobs/${jobId}/tool-runs?limit=${Math.max(1, Math.min(100, limit))}`, {
+      const res = await this.fetchImpl(`${this.server}/jobs/${jobId}/tool-runs?limit=${Math.max(1, Math.min(100, limit))}`, {
         method: "GET",
         headers: this.authHeaders()
       });
@@ -8868,7 +8867,7 @@ class RemoteBuddyOrchestrator {
     query.set("feedbackLimit", "3");
     const suffix = query.toString();
     try {
-      const res = await fetch(`${this.server}/autonomy/insights${suffix ? `?${suffix}` : ""}`, {
+      const res = await this.fetchImpl(`${this.server}/autonomy/insights${suffix ? `?${suffix}` : ""}`, {
         method: "GET",
         headers: this.authHeaders()
       });
@@ -9169,7 +9168,7 @@ Please reply with the missing details and I will enqueue a follow-up request.` :
         payload.dedupeKey = dedupeKey;
       if (targetWorkerId)
         payload.targetWorkerId = targetWorkerId;
-      const res = await fetch(`${this.server}/jobs/enqueue`, {
+      const res = await this.fetchImpl(`${this.server}/jobs/enqueue`, {
         method: "POST",
         headers: this.authHeaders(),
         body: JSON.stringify(payload)
@@ -9439,7 +9438,7 @@ Please reply with the missing details and I will enqueue a follow-up request.` :
   }
   async fetchWorkers() {
     try {
-      const res = await fetch(`${this.server}/workers?ttlMs=${this.workerOnlineTtlMs}`, {
+      const res = await this.fetchImpl(`${this.server}/workers?ttlMs=${this.workerOnlineTtlMs}`, {
         method: "GET",
         headers: this.authHeaders()
       });
@@ -9453,7 +9452,7 @@ Please reply with the missing details and I will enqueue a follow-up request.` :
   }
   async fetchWorkerAutoscaleSnapshot() {
     try {
-      const res = await fetch(`${this.server}/workers/autoscale?ttlMs=${this.workerOnlineTtlMs}`, {
+      const res = await this.fetchImpl(`${this.server}/workers/autoscale?ttlMs=${this.workerOnlineTtlMs}`, {
         method: "GET",
         headers: this.authHeaders()
       });
@@ -9715,7 +9714,7 @@ Please reply with the missing details and I will enqueue a follow-up request.` :
     const prompt = String(request.prompt ?? "").trim();
     if (!prompt) {
       console.warn(`[RemoteBuddy] Request ${requestId} missing prompt; marking failed`);
-      await fetch(`${this.server}/requests/${requestId}/fail`, {
+      await this.fetchImpl(`${this.server}/requests/${requestId}/fail`, {
         method: "POST",
         headers: this.authHeaders(),
         body: JSON.stringify({ message: "Request missing prompt" })
@@ -9749,7 +9748,7 @@ Please reply with the missing details and I will enqueue a follow-up request.` :
           plan.job_kind = "task.execute";
           plan.lane = "worker";
         }
-        plan.scope.read_anywhere = false;
+        plan.scope.read_anywhere = true;
         plan.scope.write_allowed = true;
         plan.scope.write_globs = [...autonomyMetadata.writeGlobs];
       }
@@ -9774,7 +9773,7 @@ Please reply with the missing details and I will enqueue a follow-up request.` :
         if (scopeCoverage.addedGlobs.length > 0) {
           console.warn(`[RemoteBuddy] Planner write_globs did not cover target paths. Added scope globs: ${scopeCoverage.addedGlobs.join(", ")}`);
         }
-        if (forceWorker) {
+        if (forceWorker && !autonomyMetadata) {
           const concreteTargetCount = targetPaths.filter((entry) => entry && entry !== ".").length;
           if (concreteTargetCount > 0) {
             const currentMax = Number.isFinite(Number(plan.scope.max_files_to_edit)) && Number(plan.scope.max_files_to_edit) > 0 ? Math.floor(Number(plan.scope.max_files_to_edit)) : 0;
@@ -9783,9 +9782,6 @@ Please reply with the missing details and I will enqueue a follow-up request.` :
             }
           }
         }
-        if (autonomyMetadata && (!plan.scope.write_globs || plan.scope.write_globs.length === 0)) {
-          throw new Error("Autonomy-origin request requires non-empty planning.scope.write_globs before task dispatch.");
-        }
         if (plan.acceptance_criteria.length === 0) {
           plan.acceptance_criteria = ["Produce a correct and helpful result for the user request."];
         }
@@ -9844,7 +9840,7 @@ Please reply with the missing details and I will enqueue a follow-up request.` :
             await this.assistantMessage(requestSessionId, "Should I have a WorkerPal implement this? Reply to confirm and I'll enqueue the work, or clarify what you'd like focused on.", { turnId, correlationId: requestId, from: eventFrom });
           }
         }
-        await fetch(`${this.server}/requests/${requestId}/complete`, {
+        await this.fetchImpl(`${this.server}/requests/${requestId}/complete`, {
           method: "POST",
           headers: this.authHeaders(),
           body: JSON.stringify({
@@ -9875,7 +9871,7 @@ Please reply with the missing details and I will enqueue a follow-up request.` :
             correlationId: requestId,
             from: eventFrom
           });
-          await fetch(`${this.server}/requests/${requestId}/fail`, {
+          await this.fetchImpl(`${this.server}/requests/${requestId}/fail`, {
             method: "POST",
             headers: this.authHeaders(),
             body: JSON.stringify({
@@ -10010,7 +10006,7 @@ Please reply with the missing details and I will enqueue a follow-up request.` :
         await this.assistantMessage(requestSessionId, "I could not queue this WorkerPal task. No task was started.", { turnId, correlationId: requestId, from: eventFrom });
         this.rememberPersistentMemory("job_enqueue_failed", `enqueue_failed lane=${lane} intent=${plan.intent}`, requestId, requestSessionId);
       }
-      await fetch(`${this.server}/requests/${requestId}/complete`, {
+      await this.fetchImpl(`${this.server}/requests/${requestId}/complete`, {
         method: "POST",
         headers: this.authHeaders(),
         body: JSON.stringify({
@@ -10041,7 +10037,7 @@ Please reply with the missing details and I will enqueue a follow-up request.` :
         correlationId: requestId,
         from: eventFrom
       });
-      await fetch(`${this.server}/requests/${requestId}/fail`, {
+      await this.fetchImpl(`${this.server}/requests/${requestId}/fail`, {
         method: "POST",
         headers: this.authHeaders(),
         body: JSON.stringify({
@@ -10056,7 +10052,7 @@ Please reply with the missing details and I will enqueue a follow-up request.` :
     while (!this.disposed) {
       try {
         await this.maybeAutoscaleWorkers();
-        const res = await fetch(`${this.server}/requests/claim`, {
+        const res = await this.fetchImpl(`${this.server}/requests/claim`, {
           method: "POST",
           headers: this.authHeaders(),
           body: JSON.stringify({ agentId: this.agentId })

package/runtime/sandbox/apps/workerpals/src/backends/miniswe/miniswe_executor.py CHANGED Viewed

@@ -465,25 +465,9 @@ def _extract_write_globs_from_payload(payload: Optional[Dict[str, Any]]) -> List
 def _assert_write_allowed(repo: str, path: str, write_globs: Optional[List[str]]) -> None:
-    if not write_globs:
-        return
-    normalized = _normalize_concrete_repo_path(repo, path)
-    if not normalized:
-        raise RuntimeError(f"Invalid write path for scope enforcement: {path!r}")
-    for glob in write_globs:
-        pattern = str(glob or "").strip()
-        if not pattern:
-            continue
-        if any(ch in pattern for ch in "*?[]"):
-            if fnmatch.fnmatchcase(normalized, pattern):
-                return
-            continue
-        if normalized == pattern or normalized.startswith(pattern + "/"):
-            return
-    raise RuntimeError(
-        "Scope violation: attempted write outside writeGlobs. "
-        f"path={normalized!r} write_globs={write_globs!r}"
-    )
+    # WorkerPal jobs run in isolated sandboxes. Scope hints are used for review
+    # relevance, not per-write filesystem enforcement.
+    return
 def _read_text_file(repo: str, path: str, max_chars: int = 60000) -> str:
@@ -1587,11 +1571,6 @@ def _broker_run(
     if expected_targets and changed_paths:
         changed_set = {str(p).strip().replace("\\", "/") for p in changed_paths}
         expected_set = {str(p).strip().replace("\\", "/") for p in expected_targets}
-        strict_target_match = bool(
-            explicit_target_set
-            and not any(t in {".", "/"} for t in explicit_target_set)
-            and not any(any(ch in t for ch in "*?[]") for t in explicit_target_set)
-        )
         matched = any(
             _target_hint_matches_changed_path(expected, changed)
             for expected in expected_set
@@ -1602,14 +1581,6 @@ def _broker_run(
                 "Expected one of target paths to change, but observed different files. "
                 f"expected={sorted(expected_set)} observed={sorted(changed_set)}"
             )
-            if strict_target_match:
-                return {
-                    "ok": False,
-                    "summary": "tool broker failed: changed files do not match explicit target paths",
-                    "stdout": stdout + "\n\nChanged files:\n" + "\n".join(f"- {p}" for p in changed_paths),
-                    "stderr": msg,
-                    "exitCode": 3,
-                }
             stdout += "\n\nTarget-path mismatch (heuristic, non-fatal):\n" + msg
     if edits_made and not shell_validation_ran:
         stdout += (
@@ -1786,10 +1757,10 @@ def _run_miniswe_task(
     agent = None
     agent_messages: List[Dict[str, Any]] = []
     broker_enabled = _tool_broker_enabled(base_url)
-    prefer_broker_for_scoped_writes = bool(explicit_write_globs)
+    prefer_broker_for_scoped_writes = False
     ran_primary_broker = False
     if prefer_broker_for_scoped_writes and broker_enabled:
-        log.info("Using tool broker shim for strict per-write scope enforcement.")
+        log.info("Using tool broker shim for task execution.")
         broker_result = _run_broker_with_recovery()
         if not bool(broker_result.get("ok")):
             return {

package/runtime/sandbox/apps/workerpals/src/backends/openhands/openhands_executor.py CHANGED Viewed

@@ -352,9 +352,10 @@ def _build_path_handling_message(target_paths: List[str], repo: str) -> str:
         "- Prefer the repo-relative paths for shell commands.\n"
         "- If FileEditor rejects a repo-relative path, retry with the matching absolute path.\n"
         "- Do not run broad filesystem scans when concrete target paths are listed.\n"
-        "Concrete target paths (repo-relative):\n"
+        "- These paths are starting points, not hard write boundaries; edit other behavior-owning files when needed and explain why.\n"
+        "Target path hints (repo-relative):\n"
         f"{listed_rel}\n"
-        "Concrete target paths (absolute):\n"
+        "Target path hints (absolute):\n"
         f"{listed_abs}"
     )

package/runtime/sandbox/apps/workerpals/src/execute_job.ts CHANGED Viewed

@@ -19,7 +19,6 @@ import {
   normalizeTargetPath,
   requirementsForValidationCommand,
   sanitizeSourceControlIdentityField,
-  validateScopeInvariants,
   type AutonomyComponentArea,
   type SourceControlCommitIdentity,
   type ToolRequirement,
@@ -2503,12 +2502,21 @@ function buildStageTargets(kind: string, params?: Record<string, unknown>): stri
   }
 }
-function buildStageCommand(kind: string, params?: Record<string, unknown>): string[] | null {
+export function buildStageCommand(kind: string, params?: Record<string, unknown>): string[] | null {
+  if (kind === "task.execute") {
+    return [
+      "add",
+      "-A",
+      "--",
+      ".",
+      ":(exclude)workspace/**",
+      ":(exclude)outputs/**",
+      ":(exclude).codex",
+      ":(exclude).codex/**",
+    ];
+  }
   const targets = buildStageTargets(kind, params);
   if (targets.length === 0) {
-    if (kind === "task.execute") {
-      return ["add", "-A", "--", ".", ":(exclude)workspace/**", ":(exclude)outputs/**"];
-    }
     return null;
   }
   return ["add", "-A", "--", ...targets];
@@ -3949,13 +3957,10 @@ function taskExecuteOrigin(params: Record<string, unknown>): "autonomy" | "user"
   return "user";
 }
-function collectWriteScopeIssuesFromChangedPaths(
+export function collectWriteScopeIssuesFromChangedPaths(
   changedPaths: string[],
   planning: TaskExecutePlanning,
 ): string[] {
-  const writeGlobs = toStringArray(planning.scope.writeGlobs ?? []);
-  if (writeGlobs.length === 0) return [];
   const normalizedChangedPaths = changedPaths
     .map((entry) => normalizeStagePath(entry))
     .filter((entry): entry is string => Boolean(entry) && entry !== ".");
@@ -3963,12 +3968,6 @@ function collectWriteScopeIssuesFromChangedPaths(
   const forbidden = toStringArray(planning.scope.forbiddenGlobs ?? []);
   const issues: string[] = [];
-  const outOfScope = normalizedChangedPaths.filter(
-    (path) => !writeGlobs.some((glob) => matchesGlob(path, glob)),
-  );
-  if (outOfScope.length > 0) {
-    issues.push(`modified paths outside writeGlobs: ${outOfScope.join(", ")}`);
-  }
   const forbiddenTouched = normalizedChangedPaths.filter((path) =>
     forbidden.some((glob) => matchesGlob(path, glob)),
   );
@@ -4105,41 +4104,17 @@ function validateTaskExecutePlanning(
       reviewAgentAllowsMultiRootScope(options?.reviewAgentResolutionType);
     if (origin === "autonomy") {
       const declaredComponentArea = asAutonomyComponentArea(options?.autonomyComponentArea);
-      const inferredComponentArea = allowMultiRootAutonomyScope
-        ? null
-        : deriveAutonomyComponentArea(normalizedTargetPaths, normalizedWriteGlobs);
-      const componentArea = allowMultiRootAutonomyScope
-        ? declaredComponentArea
-        : declaredComponentArea ?? inferredComponentArea;
-      if (!allowMultiRootAutonomyScope && !componentArea) {
-        return {
-          ok: false,
-          message:
-            "task.execute planning.targetPaths must resolve to a repo-relative componentArea",
-        };
-      }
-      if (
-        !allowMultiRootAutonomyScope &&
-        declaredComponentArea &&
-        inferredComponentArea &&
-        declaredComponentArea !== inferredComponentArea
-      ) {
-        return {
-          ok: false,
-          message: "task.execute planning.targetPaths do not match autonomy componentArea",
-        };
-      }
-      const validatedScope = validateScopeInvariants(
-        componentArea,
-        normalizedTargetPaths,
-        normalizedWriteGlobs,
-        { requireWriteGlobs: false, allowMultipleComponentRoots: allowMultiRootAutonomyScope },
-      );
-      if (!validatedScope.ok) {
-        return {
-          ok: false,
-          message: `task.execute scope invariants failed: ${validatedScope.errors.join("; ")}`,
-        };
+      if (!allowMultiRootAutonomyScope && declaredComponentArea) {
+        const inferredComponentArea = deriveAutonomyComponentArea(
+          normalizedTargetPaths,
+          normalizedWriteGlobs,
+        );
+        if (inferredComponentArea && declaredComponentArea !== inferredComponentArea) {
+          return {
+            ok: false,
+            message: "task.execute planning.targetPaths do not match autonomy componentArea",
+          };
+        }
       }
     } else if (normalizedWriteGlobs.length > 0) {
       const uncoveredPaths = normalizedTargetPaths.filter(

package/runtime/sandbox/apps/workerpals/src/workerpals_main.ts CHANGED Viewed

@@ -65,6 +65,8 @@ type WorkerJobResult = JobResult & {
 const DEFAULT_LLM_MODEL = "local-model";
 const CODEX_UNAVAILABLE_WORKER_EXIT_CODE = 86;
+const CODEX_UNAVAILABLE_DOCKER_SHUTDOWN_GRACE_MS = 5_000;
+const CODEX_UNAVAILABLE_WORKER_FORCE_EXIT_MS = 4_000;
 const CONFIG = loadPushPalsConfig();
 const LOG = new Logger("WorkerPals");
@@ -360,6 +362,36 @@ function shouldRecycleWorkerForCodexUnavailableFailure(
   ].some((needle) => text.includes(needle));
 }
+async function shutdownDockerExecutorBeforeCodexRecycle(
+  dockerExecutor: DockerExecutor | null,
+): Promise<void> {
+  if (!dockerExecutor) return;
+  let timeout: ReturnType<typeof setTimeout> | null = null;
+  let timedOut = false;
+  try {
+    await Promise.race([
+      dockerExecutor.shutdown(),
+      new Promise<void>((resolvePromise) => {
+        timeout = setTimeout(() => {
+          timedOut = true;
+          resolvePromise();
+        }, CODEX_UNAVAILABLE_DOCKER_SHUTDOWN_GRACE_MS);
+      }),
+    ]);
+  } catch (err) {
+    console.error(`[WorkerPals] Docker shutdown cleanup failed: ${String(err)}`);
+  } finally {
+    if (timeout) clearTimeout(timeout);
+  }
+  if (timedOut) {
+    console.warn(
+      `[WorkerPals] Docker shutdown cleanup exceeded ${CODEX_UNAVAILABLE_DOCKER_SHUTDOWN_GRACE_MS}ms; exiting worker for Codex recycle anyway.`,
+    );
+  }
+}
 function parseArgs(): {
   server: string;
   pollMs: number;
@@ -1667,21 +1699,46 @@ async function workerLoop(
             }
           } finally {
             clearInterval(busyHeartbeat);
-            if (
-              !recycleWorkerAfterJob &&
-              job.sessionId &&
-              result?.cooldownMs &&
-              result.cooldownMs > 0
-            ) {
-              await transport.queueSessionCommand(job.sessionId, {
-                type: "assistant_message",
-                payload: {
-                  text: `WorkerPal is cooling down for ${formatDurationMs(result.cooldownMs)} after transient infrastructure failures.`,
+            if (recycleWorkerAfterJob) {
+              runtimeState.shutdownRequested = true;
+              const forceExitTimer = setTimeout(() => {
+                console.warn(
+                  `[WorkerPals] Forcing worker recycle ${CODEX_UNAVAILABLE_WORKER_FORCE_EXIT_MS}ms after Codex backend failure.`,
+                );
+                process.exit(CODEX_UNAVAILABLE_WORKER_EXIT_CODE);
+              }, CODEX_UNAVAILABLE_WORKER_FORCE_EXIT_MS);
+              try {
+                await maybeHeartbeat("offline", null, true);
+                if (directWorktreePath) {
+                  await removeIsolatedWorktree(opts.repo, directWorktreePath).catch((err) => {
+                    console.error(
+                      `[WorkerPals] Failed to remove isolated worktree before Codex recycle: ${String(
+                        err,
+                      )}`,
+                    );
+                  });
+                  directWorktreePath = null;
+                }
+                await shutdownDockerExecutorBeforeCodexRecycle(dockerExecutor);
+              } finally {
+                clearTimeout(forceExitTimer);
+                process.exit(CODEX_UNAVAILABLE_WORKER_EXIT_CODE);
+              }
+            }
+            if (job.sessionId && result?.cooldownMs && result.cooldownMs > 0) {
+              await transport.queueSessionCommand(
+                job.sessionId,
+                {
+                  type: "assistant_message",
+                  payload: {
+                    text: `WorkerPal is cooling down for ${formatDurationMs(result.cooldownMs)} after transient infrastructure failures.`,
+                  },
+                  from: `worker:${opts.workerId}`,
                 },
-                from: `worker:${opts.workerId}`,
-              }, { priority: "high" });
+                { priority: "high" },
+              );
             }
-            if (!recycleWorkerAfterJob && result?.cooldownMs && result.cooldownMs > 0) {
+            if (result?.cooldownMs && result.cooldownMs > 0) {
               const cooldownMs = Math.max(0, Math.floor(result.cooldownMs));
               console.warn(
                 `[WorkerPals] Entering cooldown for ${formatDurationMs(cooldownMs)} after retry exhaustion.`,
@@ -1697,18 +1754,6 @@ async function workerLoop(
                 console.error(`[WorkerPals] Failed to remove isolated worktree: ${String(err)}`);
               });
             }
-            if (recycleWorkerAfterJob) {
-              runtimeState.shutdownRequested = true;
-              await maybeHeartbeat("offline", null, true);
-              if (dockerExecutor) {
-                try {
-                  await dockerExecutor.shutdown();
-                } catch (err) {
-                  console.error(`[WorkerPals] Docker shutdown cleanup failed: ${String(err)}`);
-                }
-              }
-              process.exit(CODEX_UNAVAILABLE_WORKER_EXIT_CODE);
-            }
           }
         }
       }

package/runtime/sandbox/packages/shared/src/autonomy_policy.ts CHANGED Viewed

@@ -319,7 +319,11 @@ export function validateScopeInvariants(
   componentArea: AutonomyComponentArea | null | undefined,
   targetPathsInput: unknown[],
   writeGlobsInput: unknown[],
-  options?: { requireWriteGlobs?: boolean; allowMultipleComponentRoots?: boolean },
+  options?: {
+    requireWriteGlobs?: boolean;
+    allowMultipleComponentRoots?: boolean;
+    hintsOnly?: boolean;
+  },
 ): ScopeValidationResult {
   const errors: string[] = [];
   const scopeSeeds = collectScopeSeedPaths(targetPathsInput, writeGlobsInput);
@@ -327,7 +331,8 @@ export function validateScopeInvariants(
     normalizeAutonomyComponentArea(componentArea) ??
     deriveAutonomyComponentArea(targetPathsInput, writeGlobsInput);
   const allowMultipleComponentRoots = options?.allowMultipleComponentRoots === true;
-  if (!normalizedComponentArea && scopeSeeds.length > 1 && !allowMultipleComponentRoots) {
+  const hintsOnly = options?.hintsOnly === true;
+  if (!hintsOnly && !normalizedComponentArea && scopeSeeds.length > 1 && !allowMultipleComponentRoots) {
     errors.push(
       `scope spans multiple component roots: ${scopeSeeds.slice(0, 6).join(", ")}`,
     );
@@ -341,7 +346,7 @@ export function validateScopeInvariants(
       errors.push(`invalid target_path: ${String(raw ?? "")}`);
       continue;
     }
-    if (rootPrefix && !underRoot(normalized, rootPrefix)) {
+    if (!hintsOnly && rootPrefix && !underRoot(normalized, rootPrefix)) {
       errors.push(`target_path outside component root: ${normalized}`);
       continue;
     }
@@ -362,20 +367,21 @@ export function validateScopeInvariants(
       errors.push(`invalid write_glob: ${String(raw ?? "")}`);
       continue;
     }
-    if (hasForbiddenBroadGlob(normalized)) {
+    if (!hintsOnly && hasForbiddenBroadGlob(normalized)) {
       errors.push(`forbidden broad write_glob: ${normalized}`);
       continue;
     }
     const prefix = literalPrefix(normalized);
-    if (!prefix) {
+    if (!hintsOnly && !prefix) {
       errors.push(`write_glob literal prefix cannot be empty: ${normalized}`);
       continue;
     }
-    if (rootPrefix && !underRoot(prefix, rootPrefix)) {
+    if (!hintsOnly && rootPrefix && !underRoot(prefix, rootPrefix)) {
       errors.push(`write_glob outside component root: ${normalized}`);
       continue;
     }
     if (
+      !hintsOnly &&
       !normalizedTargetPaths.some(
         (targetPath) => targetPath === prefix || targetPath.startsWith(`${prefix}/`),
       )
@@ -393,13 +399,13 @@ export function validateScopeInvariants(
     errors.push("write_globs must be provided and non-empty");
   }
-  if (normalizedTargetPaths.length > 0 && normalizedWriteGlobs.length > 0) {
+  if (!hintsOnly && normalizedTargetPaths.length > 0 && normalizedWriteGlobs.length > 0) {
     for (const targetPath of normalizedTargetPaths) {
       const covered = normalizedWriteGlobs.some((glob) => matchesGlob(targetPath, glob));
       if (!covered) errors.push(`target_path not covered by write_globs: ${targetPath}`);
     }
   }
-  if (!normalizedComponentArea && !allowMultipleComponentRoots) {
+  if (!hintsOnly && !normalizedComponentArea && !allowMultipleComponentRoots) {
     errors.push("component_area could not be derived from scope");
   }

package/runtime/sandbox/packages/shared/src/communication.ts CHANGED Viewed

@@ -53,6 +53,7 @@ export interface CommunicationManagerOptions {
   sessionId: string;
   from: string;
   authToken?: string | null;
+  fetchImpl?: typeof fetch;
 }
 export class CommunicationManager {
@@ -60,12 +61,14 @@ export class CommunicationManager {
   private readonly sessionId: string;
   private readonly from: string;
   private readonly authToken: string | null;
+  private readonly fetchImpl: typeof fetch;
   constructor(opts: CommunicationManagerOptions) {
     this.serverUrl = opts.serverUrl;
     this.sessionId = opts.sessionId;
     this.from = opts.from;
     this.authToken = opts.authToken ?? null;
+    this.fetchImpl = opts.fetchImpl ?? fetch;
   }
   private headers(): Record<string, string> {
@@ -121,7 +124,7 @@ export class CommunicationManager {
       if (meta.turnId) body.turnId = meta.turnId;
       if (meta.parentId) body.parentId = meta.parentId;
-      const response = await fetch(this.commandUrl(sessionId), {
+      const response = await this.fetchImpl(this.commandUrl(sessionId), {
         method: "POST",
         headers: this.headers(),
         body: JSON.stringify(body),

package/runtime/sandbox/packages/shared/src/config.ts CHANGED Viewed

@@ -1929,7 +1929,7 @@ export function loadPushPalsConfig(options: LoadOptions = {}): PushPalsConfig {
         ),
         allowReadAnywhere:
           parseBoolEnv("REMOTEBUDDY_AUTONOMY_ALLOW_READ_ANYWHERE") ??
-          asBoolean(remoteAutonomyNode.allow_read_anywhere, false),
+          asBoolean(remoteAutonomyNode.allow_read_anywhere, true),
         prFeedbackCommentRows: Math.max(
           1,
           Math.min(

package/runtime/sandbox/prompts/workerpals/miniswe_completion_requirement.md CHANGED Viewed

	@@ -1 +1 @@
1	- Completion requirement: ~~handle~~ ~~all~~ requested ~~edits~~ ~~across~~ ~~all~~ ~~explicit~~ ~~target~~ paths ~~before~~ ~~setting~~ ~~done=true~~.
1	+ Completion requirement: solve the requested task before setting done=true. Target paths are relevance hints; edit other behavior-owning files when needed and explain why.

package/runtime/sandbox/prompts/workerpals/miniswe_explicit_targets_block.md CHANGED Viewed

@@ -1,2 +1,2 @@
-Explicit target paths:
+Target path hints:
 {{targets_block}}

package/runtime/sandbox/prompts/workerpals/openai_codex_task_execute_system_prompt.md CHANGED Viewed

@@ -11,7 +11,10 @@ Non-negotiable runtime invariants:
 Execution rules:
-- Keep edits minimal, correct, and scoped to the requested task.
+- Keep edits minimal, correct, and relevant to the requested task.
+- You have repo-wide read/write access inside an isolated WorkerPal sandbox. Target paths and write globs are starting-point/relevance hints, not hard write boundaries.
+- If the hinted file is a thin wrapper or the behavior lives elsewhere, edit the behavior-owning file(s) needed to solve the task and explain the scope expansion in your final response.
+- Avoid irrelevant sprawl; the review agent will judge whether changed files are necessary for the requested outcome.
 - Read relevant files before editing, then run focused validation.
 - Use direct commands without shell wrappers. Prefer plain commands like `git diff -- path`, `git add <path>`, `git status --porcelain`, and `pwd`.
 - Do not wrap commands in `/bin/bash -lc`, `sh -lc`, `cmd /c`, or `powershell -Command`, and avoid pipelines, `awk`, heredocs, or multi-command shell snippets unless they are truly unavoidable.

package/runtime/sandbox/prompts/workerpals/openhands_minimal_system_prompt.j2 CHANGED Viewed

@@ -1,10 +1,12 @@
 You are PushPals WorkerPal running inside OpenHands.
-Operate with strict scope:
+Operate with strict relevance:
 - Focus only on the current user task.
 - If the task is a question, answer directly and do not edit files.
 - If code/file changes are requested, implement them end-to-end.
 - Reuse existing repository conventions and avoid unrelated refactors/docs.
+- Treat target paths and write globs as starting-point/relevance hints, not hard write boundaries.
+- If the behavior lives outside the hinted files, edit the owning files and explain the scope expansion.
 Execution loop:
 - Prefer concrete execution over planning chatter.

package/runtime/sandbox/prompts/workerpals/openhands_task_execute_system_prompt.md CHANGED Viewed

@@ -3,7 +3,8 @@ You are PushPals WorkerPal running inside OpenHands.
 Execution rules:
 - Focus only on the task below.
-- Keep changes minimal, correct, and scoped to the request.
+- Keep changes minimal, correct, and relevant to the request.
+- Target paths and write globs are starting-point/relevance hints, not hard write boundaries; if the behavior lives elsewhere, edit the owning files and explain why.
 - Read relevant files before editing.
 - Reuse existing project conventions and tooling.
 - If the task is a question/explanation, answer directly and do not edit files.

package/runtime/sandbox/prompts/workerpals/workerpals_system_prompt.md CHANGED Viewed

@@ -6,7 +6,7 @@ Your mission:
 - Take the user (or RemoteBuddy) request and fully execute it end-to-end.
 - You are responsible for breaking the work down into concrete subtasks, completing them, validating, reviewing your own changes, and preparing a high-quality commit message when the work is ready.
-- You have full read/write access within the assigned repository only; do not access files outside that repository.
+- You have full read/write access within the assigned repository sandbox only; do not access files outside that repository. Target paths and write globs are starting-point/relevance hints, not hard write boundaries.
 Mindset:
@@ -64,7 +64,7 @@ Execution workflow (you MUST follow this):
      - Performance: no unnecessary work on UI thread, no extra network calls, no large bundles
      - Cross-platform: iOS/Android/Web differences guarded appropriately
      - Security: no secret leakage, safe networking defaults, no unsafe shell usage
-   - Make any final polish edits that improve clarity without changing scope.
+   - Make any final polish edits that improve clarity without drifting from the task.
 7. Prepare to commit (when appropriate)
    - When the work is ready, produce a detailed commit message (do NOT actually commit unless your system explicitly allows it).