@seanyao/roll 2026.512.8 → 2026.514.1

package/bin/roll

@@ -4,7 +4,7 @@ set -euo pipefail
 # Roll — AI Agent Convention Manager
 # Single source of truth for how all AI coding agents behave.
 
-VERSION="2026.512.8"
+VERSION="2026.514.1"
 ROLL_HOME="${ROLL_HOME:-${HOME}/.roll}"
 ROLL_CONFIG="${ROLL_HOME}/config.yaml"
 ROLL_GLOBAL="${ROLL_HOME}/conventions/global"
@@ -609,6 +609,36 @@ cmd_setup() {
 
   echo ""
   info "Next: run ${BOLD}roll init${NC} inside a project to initialize it.  下一步：在项目目录运行 roll init"
+
+  echo ""
+  _print_pr_pipeline_hint
+}
+
+# ─── PR pipeline hint ────────────────────────────────────────────────────────
+# US-AUTO-035: print the one-time branch-protection command that flips repo
+# from path A (CI gate only) to path C (CI + AI review double gate). Reading
+# this hint is opt-in; the command is destructive (changes branch protection)
+# so it is never run automatically.
+_print_pr_pipeline_hint() {
+  cat <<'HINT'
+
+  Optional — enable AI review as a hard merge gate (path C).
+  可选 —— 启用 AI 评审作为合并双门（路径 C）。
+
+  Run once per repo (requires admin token), then claude-code-review.yml
+  approvals become a required merge gate alongside CI:
+  每个仓库执行一次（需要管理员 token），之后 claude-code-review.yml 的
+  approve 将与 CI 一起成为合并必经的双门：
+
+      gh api -X PATCH repos/<owner>/<repo>/branches/main/protection \
+        -f required_pull_request_reviews.required_approving_review_count=1
+
+  Escape hatch: add [skip-ai-review] to a PR body, or include
+  SKIP_AI_REVIEW in any commit message, to bypass AI review for that PR.
+  紧急通道：在 PR body 加 [skip-ai-review]，或在任一 commit message
+  里包含 SKIP_AI_REVIEW，可对该 PR 绕过 AI 评审。
+
+HINT
 }
 
 # ═══════════════════════════════════════════════════════════════════════════════
@@ -1437,7 +1467,7 @@ _peer_auto_attach() {
   fi
   local launched=0
   if [[ "$terminal_pref" = "ghostty" || "$terminal_pref" = "Ghostty" ]]; then
-    open -na Ghostty.app --args -e "tmux attach -t $session" >/dev/null 2>&1 && launched=1 || true
+    open -na Ghostty.app --args -e tmux attach -t "$session" >/dev/null 2>&1 && launched=1 || true
   fi
   if [[ $launched -eq 0 ]] && { [[ "$terminal_pref" = "iTerm2" || "$terminal_pref" = "iTerm" ]] || [[ -d "/Applications/iTerm.app" ]]; }; then
     osascript \
@@ -1447,7 +1477,7 @@ _peer_auto_attach() {
       && launched=1 || true
   fi
   if [[ $launched -eq 0 ]] && [[ -d "/Applications/Ghostty.app" ]]; then
-    open -na Ghostty.app --args -e "tmux attach -t $session" >/dev/null 2>&1 && launched=1 || true
+    open -na Ghostty.app --args -e tmux attach -t "$session" >/dev/null 2>&1 && launched=1 || true
   fi
   if [[ $launched -eq 0 ]] && command -v osascript >/dev/null 2>&1; then
     osascript \
@@ -1666,6 +1696,8 @@ cmd_peer() {
     peer_session="roll-peer-${from_tool}-${to_tool}"
     if ! tmux has-session -t "$peer_session" 2>/dev/null; then
       tmux new-session -d -s "$peer_session" -x 200 -y 50
+    fi
+    if [ -z "$(tmux list-clients -t "$peer_session" 2>/dev/null)" ]; then
       _peer_auto_attach "$peer_session"
     fi
   fi
@@ -1707,7 +1739,7 @@ cmd_peer() {
 
   printf '%s\n' "$response" >> "$log_file"
 
-  local resolution
+  local resolution=""
   resolution="$(_peer_parse_resolution "$response")"
 
   if [[ -z "$resolution" ]]; then
@@ -1732,7 +1764,7 @@ cmd_peer() {
       if [[ "$round" -ge 3 ]]; then
         warn "Max rounds reached. Escalating to user.  达到最大轮数，升级给用户。"
       else
-        info "Peer requests $resolution. Continue to round $((round + 1)).  Peer 请求 $resolution，继续第 $((round + 1)) 轮。"
+        info "Peer requests ${resolution}. Continue to round $((round + 1)).  Peer 请求 ${resolution}，继续第 $((round + 1)) 轮。"
       fi
       ;;
     ESCALATE|UNKNOWN)
@@ -2046,17 +2078,67 @@ _write_loop_runner_script() {
   # Use stream-json + formatter: --verbose alone does nothing in -p mode;
   # stream-json enables realtime streaming; loop-fmt.py humanizes the events.
   local fmt_script="${ROLL_PKG_DIR}/lib/loop-fmt.py"
+  local roll_bin="${ROLL_PKG_DIR}/bin/roll"
   local cmd_verbose="${cmd/claude -p/claude -p --verbose --output-format stream-json}"
+  # US-AUTO-037: strip leading `cd "<path>" && ` (callers like
+  # _install_launchd_plists prepend it). The runner now manages cwd itself
+  # — pointing at the worktree when isolation succeeds, project_path otherwise.
+  local claude_cmd; claude_cmd="${cmd_verbose#cd \"*\" && }"
+  local slug; slug=$(_project_slug "$project_path")
   cat > "$inner_path" << INNER
 #!/bin/bash -l
 set -o pipefail
 export PATH="/opt/homebrew/bin:\$PATH"
+# FIX-031: inner-level LOCK (PID + start-ts) — outer runner.sh LOCK can be
+# bypassed (recovery / retry / direct invocation); this guards the actual
+# claude invocation so a second session can't run under the same project.
+INNER_LOCK="\$(dirname "\$0")/.INNER-LOCK-\$(basename "\$0" -inner.sh | sed 's/^run-//')"
+if [ -f "\$INNER_LOCK" ]; then
+  _prev_pid=""; _prev_ts=""
+  IFS=: read -r _prev_pid _prev_ts < "\$INNER_LOCK" 2>/dev/null || true
+  _now=\$(date -u +%s)
+  if [ -n "\$_prev_pid" ] && [ -n "\$_prev_ts" ] \\
+     && kill -0 "\$_prev_pid" 2>/dev/null \\
+     && [ "\$((_now - _prev_ts))" -lt 14400 ]; then
+    echo "[\$(date '+%Y-%m-%dT%H:%M:%S%z')] inner loop already running (PID \$_prev_pid), skipping"
+    exit 0
+  fi
+  rm -f "\$INNER_LOCK"
+fi
+printf '%s:%s\n' "\$\$" "\$(date -u +%s)" > "\$INNER_LOCK"
+trap 'rm -f "\$INNER_LOCK"' EXIT
+
+# US-AUTO-037: pull in worktree helpers (US-AUTO-036). Sourcing bin/roll is
+# safe — its main() only runs when invoked directly (BASH_SOURCE == \$0).
+# bin/roll's top-level \`set -euo pipefail\` infects us, so disable -e (the
+# retry loop relies on tolerating non-zero exits) while keeping pipefail.
+source "${roll_bin}"
+set +e
+
+# Pre-claude: try to create a per-cycle isolated worktree on origin/main.
+# On any failure (no remote, no main, etc.) fall back to running in the
+# project's main tree (degraded — no isolation, like pre-037 behavior).
+CYCLE_ID="\$(date -u +%Y%m%d-%H%M%S)-\$\$"
+WT="\$(_worktree_path "${slug}" "cycle-\${CYCLE_ID}")"
+BRANCH="loop/cycle-\${CYCLE_ID}"
+_USE_WORKTREE=0
+cd "${project_path}" 2>/dev/null || true
+if _worktree_fetch_origin main \\
+   && _worktree_create "\$WT" "\$BRANCH" "origin/main"; then
+  _USE_WORKTREE=1
+  _worktree_submodule_init "\$WT" 2>/dev/null || true
+  echo "[loop] cycle \${CYCLE_ID}: worktree \$WT on \$BRANCH"
+else
+  echo "[loop] cycle \${CYCLE_ID}: worktree setup failed; running in main tree (no isolation)"
+  WT="${project_path}"
+fi
+
 FMT="${fmt_script}"
 for _attempt in 1 2 3; do
   if [ -f "\$FMT" ]; then
-    ( cd "${project_path}" && ${cmd_verbose} ) | python3 "\$FMT"
+    ( cd "\$WT" && ${claude_cmd} ) | python3 "\$FMT"
   else
-    ( cd "${project_path}" && ${cmd_verbose} )
+    ( cd "\$WT" && ${claude_cmd} )
   fi
   _exit=\$?
   [ "\$_exit" -eq 0 ] && break
@@ -2065,10 +2147,41 @@ for _attempt in 1 2 3; do
     sleep 30
   fi
 done
+
+# Post-claude: publish cycle branch. Doc-only changes (BACKLOG/docs) merge
+# immediately via --admin; code changes use auto-merge (CI gate required).
+# When \`gh\` is unavailable, fall back to the legacy ff-merge path.
+if [ "\$_USE_WORKTREE" = "1" ]; then
+  if [ "\$_exit" -eq 0 ]; then
+    if ( cd "\$WT" && _loop_is_doc_only_change ); then
+      ( cd "\$WT" && _loop_publish_doc_pr "\$BRANCH" "doc: loop cycle \${CYCLE_ID}" )
+    else
+      ( cd "\$WT" && _loop_publish_pr "\$BRANCH" "loop cycle \${CYCLE_ID}" )
+    fi
+    _publish_status=\$?
+    if [ "\$_publish_status" -eq 0 ]; then
+      _worktree_cleanup "\$WT" "\$BRANCH"
+      echo "[loop] cycle \${CYCLE_ID}: published; worktree cleaned"
+    elif [ "\$_publish_status" -eq 2 ]; then
+      if ( cd "${project_path}" && _worktree_merge_back "\$BRANCH" ); then
+        _worktree_cleanup "\$WT" "\$BRANCH"
+        echo "[loop] cycle \${CYCLE_ID}: gh unavailable; merged via ff and cleaned up"
+      else
+        _worktree_alert "cycle \${CYCLE_ID}: gh unavailable AND merge_back failed; worktree preserved at \$WT"
+        echo "[loop] cycle \${CYCLE_ID}: gh+merge_back both failed; worktree preserved at \$WT"
+      fi
+    else
+      _worktree_alert "cycle \${CYCLE_ID}: PR publish failed; worktree preserved at \$WT (branch \$BRANCH)"
+      echo "[loop] cycle \${CYCLE_ID}: PR publish failed; worktree preserved at \$WT"
+    fi
+  else
+    _worktree_alert "cycle \${CYCLE_ID}: claude exited \$_exit; worktree preserved at \$WT (branch \$BRANCH)"
+    echo "[loop] cycle \${CYCLE_ID}: claude failed (exit \$_exit); worktree preserved at \$WT"
+  fi
+fi
 INNER
   chmod +x "$inner_path"
 
-  local slug; slug=$(_project_slug "$project_path")
   cat > "$script_path" << SCRIPT
 #!/bin/bash -l
 # Active-window check — skipped when ROLL_LOOP_FORCE is set (manual 'roll loop now')
@@ -2218,8 +2331,13 @@ _install_launchd_plists() {
     if [[ "$before" != "$after" ]]; then
       updated=$((updated + 1))
       if _launchd_is_loaded "$label"; then
-        launchctl unload "$plist" 2>/dev/null || true
-        launchctl load "$plist" 2>/dev/null || true
+        # FIX-027: use bootout/bootstrap so we don't disturb the label's
+        # enabled flag in the launchd overrides db (which legacy
+        # unload/load no-`-w` wipes on macOS Sonoma+, causing
+        # `roll loop status` to falsely report off after `roll update`).
+        local uid; uid=$(id -u)
+        launchctl bootout "gui/${uid}/${label}" 2>/dev/null || true
+        launchctl bootstrap "gui/${uid}" "$plist" 2>/dev/null || true
       fi
     fi
   done
@@ -2919,6 +3037,432 @@ EOF
   return 0
 }
 
+# FIX-032: dependency gate — parses BACKLOG inline tags so the loop SKILL
+# can enforce them at Step 2 (story pickup). Pure functions, no side effects.
+#
+# BACKLOG row format (relevant fragments):
+#   | [US-AUTO-033](...) | desc `depends-on:US-AUTO-037` `manual-only:true` | 📋 Todo |
+#   | FIX-100 | desc `depends-on:US-A,US-B` | 📋 Todo |
+#
+# Row matching is anchored on `^| [?<id>\b` so a story-id appearing in some
+# other row's depends-on list is not mistaken for the row that defines it.
+
+# _loop_check_depends_on <story-id> [backlog-path]
+#   Exit 0: all listed depends-on are ✅ Done, or no depends-on tag present.
+#   Exit 1: any dep not ✅ Done, story-id not found, or backlog missing.
+#   Stdout (on exit 1 due to unsatisfied deps): space-separated unsatisfied IDs.
+_loop_check_depends_on() {
+  local id="$1"
+  local backlog="${2:-BACKLOG.md}"
+  [ -n "$id" ] || return 1
+  [ -f "$backlog" ] || return 1
+
+  local row
+  row=$(grep -E "^\| \[?${id}[]| ]" "$backlog" | head -1)
+  [ -n "$row" ] || return 1
+
+  local deps
+  deps=$(echo "$row" | grep -oE 'depends-on:[A-Z][A-Z0-9,-]+' | head -1 | sed 's/depends-on://')
+  [ -n "$deps" ] || return 0
+
+  local unsatisfied=""
+  local dep
+  local IFS_save="$IFS"
+  IFS=','
+  for dep in $deps; do
+    local dep_row
+    dep_row=$(grep -E "^\| \[?${dep}[]| ]" "$backlog" | head -1)
+    if [ -z "$dep_row" ] || ! echo "$dep_row" | grep -qF '✅ Done'; then
+      unsatisfied="${unsatisfied:+$unsatisfied }${dep}"
+    fi
+  done
+  IFS="$IFS_save"
+
+  if [ -n "$unsatisfied" ]; then
+    echo "$unsatisfied"
+    return 1
+  fi
+  return 0
+}
+
+# _loop_is_manual_only <story-id> [backlog-path]
+#   Exit 0: story's own row carries `manual-only:true`.
+#   Exit 1: tag absent, story-id not found, or backlog missing.
+_loop_is_manual_only() {
+  local id="$1"
+  local backlog="${2:-BACKLOG.md}"
+  [ -n "$id" ] || return 1
+  [ -f "$backlog" ] || return 1
+
+  local row
+  row=$(grep -E "^\| \[?${id}[]| ]" "$backlog" | head -1)
+  [ -n "$row" ] || return 1
+
+  echo "$row" | grep -qE 'manual-only:true'
+}
+
+# US-CL-004: changelog 风格守门 Phase 1 — mechanical linter.
+#
+# _changelog_lint_bullet <bullet-text>
+#   Stdout: one violation tag per line; empty = bullet passes.
+#   Exit:   0 always (callers read the output stream, not the exit code).
+#
+# Violation tags:
+#   backtick-identifier  `…` contains `_` or `()`  (e.g. `_foo`, `bar()`)
+#   file-suffix          `.md`/`.sh`/`.yml`/`.ts`/`.bats` outside backticks
+#   internal-word        Phase N / Step N / Helper / Schema / Fixture / Refactor
+#   over-length          > 50 visible chars (UTF-8 codepoints; 中文按字符计)
+#   path-fragment        docs/ / bin/ / tests/ / scripts/ outside backticks
+#
+# Backticks are treated as the "user-quoted" zone — content there is assumed
+# to be a real user command (e.g. `roll edit notes.md`) and is excluded from
+# the file-suffix / path-fragment checks.
+_changelog_lint_bullet() {
+  local bullet="$1"
+  local stripped
+  stripped=$(printf '%s' "$bullet" | sed -E 's/`[^`]*`//g')
+
+  if printf '%s' "$bullet" | grep -qE '`[^`]*(_|\(\))[^`]*`'; then
+    echo "backtick-identifier"
+  fi
+  if printf '%s' "$stripped" | grep -qE '\.(md|sh|yml|ts|bats)([^A-Za-z0-9]|$)'; then
+    echo "file-suffix"
+  fi
+  if printf '%s' "$bullet" | grep -qE '(Phase|Step)[[:space:]]+[0-9]+|Helper|Schema|Fixture|Refactor'; then
+    echo "internal-word"
+  fi
+  local len
+  len=$(printf '%s' "$bullet" | LC_ALL=C.UTF-8 wc -m | tr -d ' ')
+  if [ "${len:-0}" -gt 50 ]; then
+    echo "over-length"
+  fi
+  if printf '%s' "$stripped" | grep -qE '(^|[^A-Za-z0-9_])(docs|bin|tests|scripts)/'; then
+    echo "path-fragment"
+  fi
+  return 0
+}
+
+# US-CL-004: changelog few-shot style anchors — extract bullets from the
+# most recent 3 published `## v...` sections of CHANGELOG.md (skipping
+# `## Unreleased`). Cap at ~1500 chars so the agent's context stays lean.
+#
+# _changelog_style_anchors [changelog-path]
+#   Stdout: concatenated bullet lines from the last 3 released versions.
+#   Exit:   0 (empty output when no CHANGELOG.md or no released sections).
+_changelog_style_anchors() {
+  local changelog="${1:-CHANGELOG.md}"
+  [ -f "$changelog" ] || return 0
+  awk '
+    /^## v/ { ver++; if (ver > 3) exit; printing = 1; next }
+    /^## /  { printing = 0 }
+    printing && /^- / { print }
+  ' "$changelog" | head -c 1500
+}
+
+# US-CL-005: changelog 风格守门 Phase 2 — self-audit gate.
+#
+# _changelog_audit_bullet <bullet>
+#   Stricter than _changelog_lint_bullet: 5 boolean rules, 30-char cap.
+#   Stdout: one failed-rule tag per line; empty = bullet passes.
+#   Exit:   0 always.
+#
+# Rules:
+#   over-length-30   visible chars > 30 AND no backtick (user-cmd escape hatch)
+#   internal-id      backtick content contains `_` or `()`
+#   path-or-suffix   .md/.sh/.yml/.ts/.bats or docs/bin/tests/scripts/ outside backticks
+#   phase-step       `Phase N` / `Step N` workflow vocabulary
+#   bad-shape        no `—` (em dash) AND no `不再` AND no `现在` keyword
+_changelog_audit_bullet() {
+  local bullet="$1"
+  local stripped
+  stripped=$(printf '%s' "$bullet" | sed -E 's/`[^`]*`//g')
+
+  # Rule 1: length cap 30 (user-command in backticks bypasses this rule).
+  if ! printf '%s' "$bullet" | grep -q '`'; then
+    local len
+    len=$(LC_ALL=en_US.UTF-8 printf '%s' "$bullet" | LC_ALL=en_US.UTF-8 wc -m | tr -d ' ')
+    if [ "${len:-0}" -gt 30 ]; then
+      echo "over-length-30"
+    fi
+  fi
+
+  # Rule 2: internal identifier inside backticks.
+  if printf '%s' "$bullet" | grep -qE '`[^`]*(_|\(\))[^`]*`'; then
+    echo "internal-id"
+  fi
+
+  # Rule 3: file suffix / path fragment outside backticks.
+  if printf '%s' "$stripped" | grep -qE '\.(md|sh|yml|ts|bats)([^A-Za-z0-9]|$)' \
+    || printf '%s' "$stripped" | grep -qE '(^|[^A-Za-z0-9_])(docs|bin|tests|scripts)/'; then
+    echo "path-or-suffix"
+  fi
+
+  # Rule 4: workflow vocabulary.
+  if printf '%s' "$bullet" | grep -qE '(Phase|Step)[[:space:]]+[0-9]+'; then
+    echo "phase-step"
+  fi
+
+  # Rule 5: required shape — em dash, 不再, or 现在.
+  if ! printf '%s' "$bullet" | grep -qE '—|不再|现在'; then
+    echo "bad-shape"
+  fi
+
+  return 0
+}
+
+# _changelog_audit_log <verdict> <round> <bullet> [<reason>...]
+#   Append a JSONL record to the audit log. Path overridable via
+#   ROLL_CHANGELOG_AUDIT_LOG (tests use this to stay out of $HOME).
+_changelog_audit_log() {
+  local verdict="$1" round="$2" bullet="$3"
+  shift 3
+  local log="${ROLL_CHANGELOG_AUDIT_LOG:-${_SHARED_ROOT}/loop/changelog-audit.jsonl}"
+  mkdir -p "$(dirname "$log")"
+  local ts; ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
+  local reasons_json='[]'
+  if [ "$#" -gt 0 ]; then
+    reasons_json=$(printf '%s\n' "$@" | jq -R . | jq -sc .)
+  fi
+  jq -nc \
+    --arg ts "$ts" \
+    --arg verdict "$verdict" \
+    --argjson round "$round" \
+    --arg bullet "$bullet" \
+    --argjson reasons "$reasons_json" \
+    '{ts:$ts, verdict:$verdict, round:$round, bullet:$bullet, reasons:$reasons}' \
+    >> "$log"
+}
+
+# _changelog_audit_gate <round1> [<round2> <round3>]
+#   Run up to 3 candidate bullets through _changelog_audit_bullet.
+#   First clean candidate wins: print bullet to stdout, exit 0.
+#   All 3 failed: print ⚠️-prefixed last candidate, append ALERT, exit 1.
+#   Each round writes a _changelog_audit_log record.
+_changelog_audit_gate() {
+  local i=0 last=""
+  for candidate in "$@"; do
+    i=$((i + 1))
+    last="$candidate"
+    local viols
+    # shellcheck disable=SC2207
+    viols=( $(_changelog_audit_bullet "$candidate") )
+    if [ "${#viols[@]}" -eq 0 ]; then
+      _changelog_audit_log pass "$i" "$candidate"
+      printf '%s\n' "$candidate"
+      return 0
+    fi
+    _changelog_audit_log fail "$i" "$candidate" "${viols[@]}"
+    [ "$i" -ge 3 ] && break
+  done
+  # All 3 rounds failed (or fewer if caller passed < 3).
+  mkdir -p "$(dirname "$_LOOP_ALERT")" 2>/dev/null
+  {
+    echo ""
+    echo "# ALERT — changelog audit failed after $i rounds"
+    echo "**Time**: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
+    echo "**Bullet**: $last"
+    echo "**Action**: kept under \`## Unreleased\` with ⚠️ prefix; human review recommended."
+  } >> "$_LOOP_ALERT"
+  printf '⚠️ %s\n' "$last"
+  return 1
+}
+
+# US-AUTO-036: worktree helpers (loop-safe pure additions).
+#
+# Phase 1 of worktree isolation — these helpers are NOT yet called by
+# runner.sh. US-AUTO-037 (manual-only) wires them into
+# _write_loop_runner_script. Do not delete or inline; they are unit-tested
+# in tests/unit/roll_worktree.bats.
+
+# _worktree_path <slug> <us-id>
+#   Echoes the canonical worktree directory for a (project, story) pair.
+_worktree_path() {
+  echo "${_SHARED_ROOT}/worktrees/${1}-${2}"
+}
+
+# _worktree_alert <msg>
+#   Append a timestamped line to $_LOOP_ALERT. Used by failure paths in
+#   _worktree_merge_back to surface stuck worktrees.
+_worktree_alert() {
+  mkdir -p "$(dirname "$_LOOP_ALERT")" 2>/dev/null
+  printf '[%s] worktree: %s\n' "$(date -u +%FT%TZ)" "$1" >> "$_LOOP_ALERT"
+}
+
+# _worktree_create <path> <branch> <base>
+#   Create a worktree at <path> on a new branch <branch> rooted at <base>.
+#   Idempotent: if <branch> already exists locally (from a prior failed
+#   run) it is deleted first so `git worktree add -b` does not error.
+_worktree_create() {
+  local path="$1" branch="$2" base="$3"
+  mkdir -p "$(dirname "$path")"
+  if [ -e "$path" ]; then
+    git worktree remove --force "$path" 2>/dev/null || true
+    rm -rf "$path" 2>/dev/null || true
+  fi
+  if git show-ref --verify --quiet "refs/heads/${branch}"; then
+    git branch -D "$branch" >/dev/null 2>&1 || true
+  fi
+  git worktree add "$path" -b "$branch" "$base"
+}
+
+# _worktree_cleanup <path> <branch>
+#   Remove the worktree at <path> and delete <branch>. Tolerant when
+#   either is already absent so retries / partial-failure rollback is safe.
+_worktree_cleanup() {
+  local path="$1" branch="$2"
+  git worktree remove --force "$path" 2>/dev/null || true
+  rm -rf "$path" 2>/dev/null || true
+  git branch -D "$branch" 2>/dev/null || true
+  return 0
+}
+
+# _worktree_fetch_origin <branch>
+#   `git fetch origin <branch>` quietly. Lenient on failure: a missing
+#   remote / network blip must not derail the loop, so we return 0 even
+#   when fetch fails (the loop's later ff-only check is the strict gate).
+_worktree_fetch_origin() {
+  local branch="$1"
+  if ! git fetch origin "$branch" --quiet 2>/dev/null; then
+    echo "[worktree] fetch origin ${branch} failed (lenient, continuing)" >&2
+  fi
+  return 0
+}
+
+# _worktree_submodule_init <path>
+#   Run `git submodule update --init --recursive` inside the worktree at
+#   <path> so its working tree is materially complete. Runs in a subshell
+#   (cd is local) so the caller's cwd and the parent worktree's submodule
+#   state are untouched. Returns submodule update's exit code.
+_worktree_submodule_init() {
+  local path="$1"
+  ( cd "$path" && git submodule update --init --recursive --quiet )
+}
+
+# _worktree_merge_back <branch>
+#   Caller must be in the main worktree (cwd = main). Steps:
+#     1. git pull --ff-only origin main   (sync local main with remote)
+#     2. git merge --ff-only <branch>     (linear merge of loop branch)
+#     3. git push origin main             (publish)
+#   Any failure → write to $_LOOP_ALERT and return 1 (worktree is left
+#   in place by the caller for human inspection, per US-AUTO-036 non-goal).
+_worktree_merge_back() {
+  local branch="$1"
+  if ! git pull --ff-only origin main --quiet 2>/dev/null; then
+    _worktree_alert "pull --ff-only origin main failed (remote diverged?)"
+    return 1
+  fi
+  if ! git merge --ff-only "$branch" --quiet 2>/dev/null; then
+    _worktree_alert "merge --ff-only ${branch} failed (not fast-forwardable from main)"
+    return 1
+  fi
+  if ! git push origin main --quiet 2>/dev/null; then
+    _worktree_alert "push origin main failed after merging ${branch}"
+    return 1
+  fi
+  return 0
+}
+
+# US-AUTO-033: publish a loop cycle branch as a GitHub PR with auto-merge.
+#
+# _loop_publish_pr <branch> [title]
+#   Caller's cwd: a tree where <branch> exists locally.
+#   Steps:
+#     1. git push origin <branch>
+#     2. gh pr view <branch>  → reuse if a PR is already open
+#     3. gh pr create --base main --head <branch> ...
+#     4. gh pr merge <branch> --auto --squash --delete-branch
+#   Stdout: PR URL (always, even on idempotent reuse).
+#   Exit 0 on success / idempotent reuse; non-zero on push or create failure.
+#   On auto-merge failure: still returns 0 (PR exists; human can take over).
+#   When `gh` is not installed: returns 2 — runner script's fallback path.
+_loop_publish_pr() {
+  local branch="$1"
+  local title="${2:-loop cycle ${branch#loop/}}"
+  if ! command -v gh >/dev/null 2>&1; then
+    _worktree_alert "_loop_publish_pr: gh not installed; cannot publish PR for ${branch}"
+    return 2
+  fi
+  local slug; slug=$(_gh_repo_slug 2>/dev/null) || slug=""
+  if [ -z "$slug" ]; then
+    _worktree_alert "_loop_publish_pr: origin remote is not a github repo; cannot publish PR for ${branch}"
+    return 2
+  fi
+  local _push_err
+  _push_err=$(git push origin "$branch" 2>&1) || {
+    _worktree_alert "_loop_publish_pr: push origin ${branch} failed: ${_push_err}"
+    return 1
+  }
+  local pr_url
+  pr_url=$(gh -R "$slug" pr view "$branch" --json url -q .url 2>/dev/null) || pr_url=""
+  if [ -z "$pr_url" ]; then
+    local body
+    body=$(printf 'Auto-opened by roll-loop cycle.\n\n- Branch: %s\n- TCR micro-commits: %s\n\nThis PR will auto-merge once required checks pass.' \
+      "$branch" "$(git rev-list --count origin/main.."$branch" 2>/dev/null || echo '?')")
+    pr_url=$(gh -R "$slug" pr create --base main --head "$branch" \
+      --title "$title" --body "$body" 2>/dev/null) || pr_url=""
+    if [ -z "$pr_url" ]; then
+      _worktree_alert "_loop_publish_pr: gh pr create failed for ${branch}"
+      return 1
+    fi
+  fi
+  gh -R "$slug" pr merge "$branch" --auto --squash --delete-branch >/dev/null 2>&1 \
+    || _worktree_alert "_loop_publish_pr: gh pr merge --auto failed for ${branch} (PR ${pr_url} left open)"
+  echo "$pr_url"
+  return 0
+}
+
+# _loop_is_doc_only_change
+#   Returns 0 if every file changed since origin/main is doc-only
+#   (BACKLOG.md, CHANGELOG.md, PROPOSALS.md, docs/, .claude/).
+#   Returns 1 if any code file changed or there are no changes.
+_loop_is_doc_only_change() {
+  local changed
+  changed=$(git diff --name-only origin/main HEAD 2>/dev/null) || return 1
+  [ -z "$changed" ] && return 1
+  echo "$changed" | grep -qvE '^(BACKLOG\.md|CHANGELOG\.md|PROPOSALS\.md|docs/|\.claude/)' && return 1
+  return 0
+}
+
+# _loop_publish_doc_pr <branch> [title]
+#   Like _loop_publish_pr but merges immediately with --admin (no CI wait).
+#   For doc-only changes where CI is not meaningful.
+_loop_publish_doc_pr() {
+  local branch="$1"
+  local title="${2:-doc update ${branch#loop/}}"
+  if ! command -v gh >/dev/null 2>&1; then
+    _worktree_alert "_loop_publish_doc_pr: gh not installed; cannot publish PR for ${branch}"
+    return 2
+  fi
+  local slug; slug=$(_gh_repo_slug 2>/dev/null) || slug=""
+  if [ -z "$slug" ]; then
+    _worktree_alert "_loop_publish_doc_pr: origin remote is not a github repo; cannot publish PR for ${branch}"
+    return 2
+  fi
+  if ! git push origin "$branch" --quiet 2>/dev/null; then
+    _worktree_alert "_loop_publish_doc_pr: push origin ${branch} failed"
+    return 1
+  fi
+  local pr_url
+  pr_url=$(gh -R "$slug" pr view "$branch" --json url -q .url 2>/dev/null) || pr_url=""
+  if [ -z "$pr_url" ]; then
+    local body
+    body=$(printf 'Doc-only update by roll-loop cycle.\n\n- Branch: %s\n- Files: BACKLOG / docs only\n\nMerging immediately — no CI gate needed for doc-only changes.' "$branch")
+    pr_url=$(gh -R "$slug" pr create --base main --head "$branch" \
+      --title "$title" --body "$body" 2>/dev/null) || pr_url=""
+    if [ -z "$pr_url" ]; then
+      _worktree_alert "_loop_publish_doc_pr: gh pr create failed for ${branch}"
+      return 1
+    fi
+  fi
+  if ! gh -R "$slug" pr merge "$branch" --admin --squash --delete-branch >/dev/null 2>&1; then
+    _worktree_alert "_loop_publish_doc_pr: gh pr merge --admin failed for ${branch} (PR ${pr_url} left open)"
+    echo "$pr_url"
+    return 1
+  fi
+  echo "$pr_url"
+  return 0
+}
+
 _loop_monitor() {
   local interval="${1:-3}"
   local project_path; project_path=$(pwd -P)
@@ -3416,83 +3960,378 @@ cmd_backlog() {
   fi
 }
 
+# ─────────────────────────────────────────────────────────────────────────────
+# DASHBOARD — 自治优先六块布局 (US-AUTO-029)
 # ─────────────────────────────────────────────────────────────────────────────
 
+# ① Identity — git working tree state.
+_dash_git_status() {
+  git rev-parse --is-inside-work-tree &>/dev/null || { echo "—"; return; }
+  if [[ -z "$(git status --porcelain 2>/dev/null)" ]]; then
+    echo "✓"
+  else
+    echo "dirty"
+  fi
+}
+
+# ② Loop layer: extract in-progress story id|title|feature-link from BACKLOG.md.
+# Output empty if no row's *status column* is 🔨 In Progress (substring matches
+# anywhere on the row would catch description text that mentions the emoji).
+_dash_in_progress_story() {
+  [[ -f "BACKLOG.md" ]] || return 0
+  local row
+  row=$(grep -F '| 🔨 In Progress |' BACKLOG.md | head -1) || return 0
+  [[ -z "$row" ]] && return 0
+  local id desc
+  id=$(echo "$row" | grep -oE '(US|FIX|REFACTOR)-[A-Z]*-?[0-9]+' | head -1)
+  desc=$(echo "$row" | awk -F'|' '{print $3}' | sed 's/^ *//;s/ *$//' | cut -c1-60)
+  local link
+  link=$(echo "$row" | grep -oE 'docs/features/[^)]+' | head -1 || true)
+  printf '%s|%s|%s' "$id" "$desc" "$link"
+}
+
+# ② Loop layer: minutes since last "tcr:" commit, or empty if none.
+_dash_last_tcr_minutes() {
+  git rev-parse --is-inside-work-tree &>/dev/null || return 0
+  local last_ts
+  last_ts=$(git log --grep='^tcr:' -1 --format=%ct 2>/dev/null)
+  [[ -z "$last_ts" ]] && return 0
+  local now; now=$(date +%s)
+  echo $(( (now - last_ts) / 60 ))
+}
+
+# ② Loop layer: tcr: commits since midnight today.
+_dash_tcr_today_count() {
+  git rev-parse --is-inside-work-tree &>/dev/null || { echo 0; return; }
+  local since; since=$(date '+%Y-%m-%d 00:00:00')
+  git log --since="$since" --grep='^tcr:' --oneline 2>/dev/null | grep -c '^' || echo 0
+}
+
+# ② Dream layer: hours since last dream log entry on disk.
+_dash_last_dream_hours() {
+  local dream_log="${HOME}/.shared/roll/dream/log.md"
+  [[ -f "$dream_log" ]] || return 0
+  local mod_time now
+  mod_time=$(stat -c %Y "$dream_log" 2>/dev/null || stat -f %m "$dream_log" 2>/dev/null || echo 0)
+  now=$(date +%s)
+  echo $(( (now - mod_time) / 3600 ))
+}
+
+# ② Dream layer: count of REFACTOR-XXX rows currently 📋 Todo in BACKLOG.
+_dash_refactor_pending() {
+  [[ -f "BACKLOG.md" ]] || { echo 0; return; }
+  grep -E '^\| REFACTOR-' BACKLOG.md 2>/dev/null | grep -F '| 📋 Todo |' | wc -l | tr -d ' '
+}
+
+# ② Peer layer: last result + days ago from peer log, empty if no log.
+_dash_last_peer() {
+  local peer_log_dir="${HOME}/.shared/roll/peer"
+  local latest
+  latest=$(ls "$peer_log_dir"/*.log 2>/dev/null | sort | tail -1 || true)
+  [[ -z "$latest" || ! -f "$latest" ]] && return 0
+  local result
+  result=$(grep -oE '(AGREE|REFINE|OBJECT|ESCALATE)' "$latest" 2>/dev/null | tail -1 || true)
+  local mod_time now days
+  mod_time=$(stat -c %Y "$latest" 2>/dev/null || stat -f %m "$latest" 2>/dev/null || echo 0)
+  now=$(date +%s)
+  days=$(( (now - mod_time) / 86400 ))
+  printf '%s|%s' "${result:-—}" "${days}"
+}
+
+# ③ Pipeline counts → Idea Backlog Build (Verify/Release reserved).
+_dash_pipeline_counts() {
+  [[ -f "BACKLOG.md" ]] || { echo "0 0 0 0 0"; return; }
+  local idea backlog build
+  idea=$(grep -E '^\| IDEA-' BACKLOG.md 2>/dev/null | grep -F '| 📋 Todo |' | wc -l | tr -d ' ')
+  backlog=$(grep -E '^\| (\[?US-|FIX-|REFACTOR-)' BACKLOG.md 2>/dev/null | grep -F '| 📋 Todo |' | wc -l | tr -d ' ')
+  build=$(grep -F '| 🔨 In Progress |' BACKLOG.md 2>/dev/null | wc -l | tr -d ' ')
+  printf '%s %s %s 0 0' "$idea" "$backlog" "$build"
+}
+
+# ④ DoD AC signal — read [x]/total checkboxes for a US section in feature doc.
+# Echoes "x/total"; "0/0" if no checkboxes found.
+_dash_ac_completion() {
+  local feature_link="$1"
+  [[ -z "$feature_link" ]] && { echo "0/0"; return; }
+  local path="${feature_link%%#*}"
+  local anchor="${feature_link##*#}"
+  [[ ! -f "$path" ]] && { echo "0/0"; return; }
+  # Extract the section from <a id="anchor"></a> or ## heading to next ## heading.
+  local section
+  section=$(awk -v anc="$anchor" '
+    BEGIN{in_sec=0}
+    /^<a id="/{
+      gsub(/<a id="|"><\/a>/, "")
+      if ($0 == anc) { in_sec=1; next }
+    }
+    in_sec && /^## /{ if(!started){ started=1; next } else { exit } }
+    in_sec && started { print }
+    in_sec { started_default=1 }
+  ' "$path" 2>/dev/null)
+  [[ -z "$section" ]] && {
+    # Fallback: match heading line containing the anchor pattern directly.
+    section=$(awk -v pat="$anchor" 'BEGIN{IGNORECASE=1}
+      tolower($0) ~ pat && /^## /{p=1;next}
+      p && /^## /{exit}
+      p{print}' "$path" 2>/dev/null)
+  }
+  local done total
+  done=$(echo "$section" | grep -cE '\[x\]' || echo 0)
+  total=$(echo "$section" | grep -cE '\[[ x]\]' || echo 0)
+  printf '%s/%s' "$done" "$total"
+}
+
+# ④ DoD CI signal — query gh for HEAD's most-recent run conclusion.
+# Returns: success | pending | failure | none
+_dash_ci_status() {
+  command -v gh &>/dev/null || { echo "none"; return; }
+  local commit; commit=$(git rev-parse HEAD 2>/dev/null) || { echo "none"; return; }
+  local slug; slug=$(_gh_repo_slug 2>/dev/null) || true
+  local out
+  if [[ -n "$slug" ]]; then
+    out=$(gh -R "$slug" run list --commit "$commit" --json status,conclusion 2>/dev/null) || { echo "none"; return; }
+  else
+    out=$(gh run list --commit "$commit" --json status,conclusion 2>/dev/null) || { echo "none"; return; }
+  fi
+  [[ -z "$out" || "$out" == "[]" ]] && { echo "none"; return; }
+  local concl status
+  concl=$(echo "$out" | jq -r '.[0].conclusion // ""' 2>/dev/null)
+  status=$(echo "$out" | jq -r '.[0].status // ""' 2>/dev/null)
+  if [[ "$status" == "in_progress" || "$status" == "queued" ]]; then
+    echo "pending"
+  elif [[ "$concl" == "success" ]]; then
+    echo "success"
+  elif [[ -n "$concl" ]]; then
+    echo "failure"
+  else
+    echo "pending"
+  fi
+}
+
+# ⑤ Active ALERT count (number of "# ALERT" headings in ALERT.md, 0 if absent).
+_dash_alert_count() {
+  [[ -f "$_LOOP_ALERT" ]] || { echo 0; return; }
+  grep '^# ALERT' "$_LOOP_ALERT" 2>/dev/null | wc -l | tr -d ' '
+}
+
+# ⑤ Pending proposal count — "## PROPOSAL:" entries in PROPOSALS.md.
+_dash_proposal_count() {
+  [[ -f "PROPOSALS.md" ]] || { echo 0; return; }
+  grep '^## PROPOSAL' PROPOSALS.md 2>/dev/null | wc -l | tr -d ' '
+}
+
+# ⑤ Release-ready signal — true iff there are releasable commits since the
+# latest tag AND the latest brief signals 可发版/Release ready. Releasable =
+# any commit since the latest tag whose subject does NOT start with the
+# release-irrelevant prefixes `docs:` or `chore:`. Prevents the flag from
+# sticking on after a release when only docs rewrites land on top of the tag
+# (FIX-033 symptom 2).
+_dash_release_ready() {
+  local latest_tag
+  latest_tag=$(git describe --tags --abbrev=0 2>/dev/null) || return 1
+  local commits_with_code
+  commits_with_code=$(git log "${latest_tag}..HEAD" --pretty=format:%s 2>/dev/null \
+    | grep -cvE '^(docs|chore)(\([^)]*\))?:[[:space:]]' 2>/dev/null \
+    || echo 0)
+  [[ "${commits_with_code:-0}" -gt 0 ]] || return 1
+  local latest
+  latest=$(ls docs/briefs/*.md 2>/dev/null | sort | tail -1 || true)
+  [[ -z "$latest" ]] && return 1
+  grep -qE '✅ 可发版|Release ready' "$latest" 2>/dev/null
+}
+
+# ⑥ Latest brief summary — first non-trivial line after frontmatter.
+_dash_brief_summary() {
+  local latest="$1"
+  [[ -z "$latest" || ! -f "$latest" ]] && return 0
+  awk '
+    NR==1 && /^#/ { next }       # skip H1 title
+    /^>/ { next }                # skip blockquote
+    /^---$/ { next }
+    /^$/ { next }
+    /^## /{ gsub(/^## */,""); print; exit }
+    /^[^[:space:]]/{ print; exit }
+  ' "$latest" 2>/dev/null | head -1 | cut -c1-60
+}
+
 _dashboard() {
   local project_path; project_path=$(pwd -P)
   local project_name; project_name=$(basename "$project_path")
   local agent; agent=$(_project_agent)
+  local git_state; git_state=$(_dash_git_status)
+  local is_darwin=false
+  [[ "$(uname)" == "Darwin" ]] && is_darwin=true
 
-  echo -e "\n  ${BOLD}${CYAN}${project_name}${NC}  ${YELLOW}v${VERSION}${NC}\n"
+  # ── ① Identity ─────────────────────────────────────────────────────────────
+  echo ""
+  printf "  ${BOLD}${CYAN}%s${NC}  ${YELLOW}v%s${NC}  ${BOLD}·${NC}  agent ${CYAN}%s${NC}  ${BOLD}·${NC}  git " \
+    "$project_name" "$VERSION" "$agent"
+  case "$git_state" in
+    ✓) printf "${GREEN}✓${NC}\n" ;;
+    dirty) printf "${YELLOW}dirty${NC}\n" ;;
+    *) printf "${YELLOW}%s${NC}\n" "$git_state" ;;
+  esac
+  echo ""
+
+  # ── ② AI 自治 — 三层 × 四道防线 (主视觉) ────────────────────────────────
+  echo -e "  ${BOLD}╔══ 🤖 AI 自治 — 三层 × 四道防线 ══════════════════════════╗${NC}"
 
+  # Loop layer
+  local loop_state="not-installed"
   local _dash_loop_paused=false
   [[ -f "$_LOOP_STATE" ]] && grep -q "^status: paused" "$_LOOP_STATE" 2>/dev/null && _dash_loop_paused=true
+  if $is_darwin; then
+    loop_state=$(_launchd_svc_state "loop" "$project_path")
+  else
+    crontab -l 2>/dev/null | grep -q "${_LOOP_TAG}:${project_path}" && loop_state="enabled"
+  fi
+  local active_start active_end loop_minute dream_hour dream_minute brief_hour brief_minute
+  active_start=$(_config_read_int "loop_active_start" "10")
+  active_end=$(_config_read_int "loop_active_end" "18")
+  loop_minute=$(_config_read_int "loop_minute" "$(_loop_derive_minute "$project_path" 0)")
+  dream_hour=$(_config_read_int "loop_dream_hour" "3")
+  dream_minute=$(_config_read_int "loop_dream_minute" "$(_loop_derive_minute "$project_path" 2)")
+  brief_hour=$(_config_read_int "loop_brief_hour" "9")
+  brief_minute=$(_config_read_int "loop_brief_minute" "$(_loop_derive_minute "$project_path" 4)")
 
-  local _dash_loop_enabled=false
-  if [[ "$(uname)" == "Darwin" ]]; then
-    _launchd_is_loaded "$(_launchd_label "loop" "$project_path")" && _dash_loop_enabled=true
+  local loop_badge loop_sched
+  loop_sched=$(printf "every :%02d  active %02d:00–%02d:00" "$loop_minute" "$active_start" "$active_end")
+  case "$loop_state" in
+    enabled)       loop_badge="${GREEN}● enabled${NC}" ;;
+    installed-off) loop_badge="${YELLOW}⚠ off${NC}" ;;
+    *)             loop_badge="${RED}○ missing${NC}" ;;
+  esac
+  $_dash_loop_paused && loop_badge="${YELLOW}⏸ paused${NC}"
+  printf "  Loop Layer    %b  %s\n" "$loop_badge" "$loop_sched"
+
+  # Loop "Now:" line — current in-progress story, if any.
+  local in_prog; in_prog=$(_dash_in_progress_story)
+  if [[ -n "$in_prog" ]]; then
+    local p_id p_desc
+    p_id=${in_prog%%|*}
+    p_desc=$(echo "$in_prog" | awk -F'|' '{print $2}')
+    printf "                Now: ${BOLD}🔨 %s${NC}  %s\n" "$p_id" "$p_desc"
   else
-    crontab -l 2>/dev/null | grep -q "${_LOOP_TAG}:${project_path}" && _dash_loop_enabled=true
+    printf "                Now: ${DIM:-}idle${NC}\n"
   fi
-  if $_dash_loop_paused; then
-    echo -e "  Loop  ${YELLOW}⏸ paused${NC}   run: roll loop resume"
-  elif $_dash_loop_enabled; then
-    echo -e "  Loop  ${GREEN}● on${NC}   Agent: ${CYAN}${agent}${NC}"
-    if [[ "$(uname)" == "Darwin" ]]; then
-      local active_start active_end loop_minute dream_hour dream_minute brief_hour brief_minute
-      active_start=$(_config_read_int "loop_active_start" "10")
-      active_end=$(_config_read_int "loop_active_end" "18")
-      loop_minute=$(_config_read_int "loop_minute" "$(_loop_derive_minute "$project_path" 0)")
-      dream_hour=$(_config_read_int "loop_dream_hour" "3")
-      dream_minute=$(_config_read_int "loop_dream_minute" "$(_loop_derive_minute "$project_path" 2)")
-      brief_hour=$(_config_read_int "loop_brief_hour" "9")
-      brief_minute=$(_config_read_int "loop_brief_minute" "$(_loop_derive_minute "$project_path" 4)")
-      local loop_sched dream_sched brief_sched
-      loop_sched=$(printf "every hour :%02d  active %02d:00–%02d:00" "$loop_minute" "$active_start" "$active_end")
-      dream_sched=$(printf "%02d:%02d" "$dream_hour" "$dream_minute")
-      brief_sched=$(printf "%02d:%02d" "$brief_hour" "$brief_minute")
-      local svcs=("loop" "dream" "brief")
-      local scheds=("$loop_sched" "$dream_sched" "$brief_sched")
-      for i in "${!svcs[@]}"; do
-        local svc="${svcs[$i]}" schedule="${scheds[$i]}"
-        local state; state=$(_launchd_svc_state "$svc" "$project_path")
-        case "$state" in
-          enabled)       printf "    ${GREEN}%-8s ● enabled${NC}  (%s)\n" "$svc" "$schedule" ;;
-          installed-off) printf "    ${YELLOW}%-8s ⚠ off${NC}       (%s)  run: roll loop on\n" "$svc" "$schedule" ;;
-          not-installed) printf "    ${RED}%-8s ○ missing${NC}  (%s)  run: roll setup\n" "$svc" "$schedule" ;;
-        esac
-      done
-    fi
+
+  # last TCR + today count
+  local last_tcr_min today_tcr
+  last_tcr_min=$(_dash_last_tcr_minutes)
+  today_tcr=$(_dash_tcr_today_count)
+  if [[ -n "$last_tcr_min" ]]; then
+    printf "                last TCR ${CYAN}%smin${NC} ago · ${CYAN}%s${NC} micro-commits today\n" "$last_tcr_min" "$today_tcr"
+  else
+    printf "                no tcr commits yet\n"
+  fi
+
+  # Dream layer
+  local dream_state="not-installed"
+  $is_darwin && dream_state=$(_launchd_svc_state "dream" "$project_path")
+  local dream_badge
+  case "$dream_state" in
+    enabled)       dream_badge="${GREEN}● enabled${NC}" ;;
+    installed-off) dream_badge="${YELLOW}⚠ off${NC}" ;;
+    *)             dream_badge="${RED}○ missing${NC}" ;;
+  esac
+  printf "  Dream Layer   %b  %02d:%02d\n" "$dream_badge" "$dream_hour" "$dream_minute"
+  local dream_hours refac_pending
+  dream_hours=$(_dash_last_dream_hours)
+  refac_pending=$(_dash_refactor_pending)
+  if [[ -n "$dream_hours" ]]; then
+    printf "                Last scan ${CYAN}%sh${NC} ago → ${CYAN}%s${NC} REFACTOR queued\n" "$dream_hours" "$refac_pending"
   else
-    echo -e "  Loop  ${YELLOW}○ off${NC}   run: roll loop on"
+    printf "                no scan yet → ${CYAN}%s${NC} REFACTOR queued\n" "$refac_pending"
+  fi
+
+  # Peer layer
+  local peer; peer=$(_dash_last_peer)
+  printf "  Peer Layer    ${GREEN}● ready${NC}    on complexity=large\n"
+  if [[ -n "$peer" ]]; then
+    local peer_res peer_days
+    peer_res=${peer%%|*}
+    peer_days=${peer##*|}
+    printf "                Last call ${CYAN}%sd${NC} ago · %s\n" "$peer_days" "$peer_res"
+  else
+    printf "                Last call —\n"
+  fi
+
+  # 四道防线
+  echo -e "  ${BOLD}─ 四道防线 ─${NC}"
+  local def_tcr="${RED}○${NC}" def_review="${GREEN}●${NC}" def_spar="${YELLOW}○${NC}" def_sentinel="${YELLOW}○ off${NC}"
+  if [[ -n "$last_tcr_min" ]]; then
+    def_tcr="${GREEN}● ${last_tcr_min}min${NC}"
   fi
-  [[ -f "$_LOOP_ALERT" ]] && echo -e "  ${RED}⚠ ALERT — run: roll alert${NC}"
+  printf "  TCR %b   Spar %b   Auto Review %b   Sentinel %b\n" \
+    "$def_tcr" "$def_spar" "$def_review" "$def_sentinel"
+  echo -e "  ${BOLD}╚══════════════════════════════════════════════════════════╝${NC}"
+  echo ""
+
+  # ── ③ Pipeline 全景 ────────────────────────────────────────────────────────
+  read -r pl_idea pl_backlog pl_build pl_verify pl_release <<< "$(_dash_pipeline_counts)"
+  local build_color="${DIM:-}"
+  (( pl_build > 0 )) && build_color="${BOLD}${YELLOW}"
+  printf "  ${BOLD}📦 Pipeline${NC}   Idea %s ▸ Backlog %s ▸ Build %b%s🔨${NC} ▸ Verify %s ▸ Release %s\n" \
+    "$pl_idea" "$pl_backlog" "$build_color" "$pl_build" "$pl_verify" "$pl_release"
+  echo ""
 
-  # Backlog summary
-  if [[ -f "BACKLOG.md" ]]; then
-    local pending_count
-    pending_count=$(grep -cF '| 📋 Todo |' "BACKLOG.md" 2>/dev/null) || pending_count=0
-    if (( pending_count > 0 )); then
-      echo -e "  Backlog  ${YELLOW}${pending_count} pending${NC}   run: roll backlog"
+  # ── ④ Current Focus · DoD (仅当 Build > 0) ──────────────────────────────
+  if [[ -n "$in_prog" && "$pl_build" -gt 0 ]]; then
+    local p_id p_desc p_link
+    p_id=${in_prog%%|*}
+    p_desc=$(echo "$in_prog" | awk -F'|' '{print $2}')
+    p_link=$(echo "$in_prog" | awk -F'|' '{print $3}')
+    local ac_ratio; ac_ratio=$(_dash_ac_completion "$p_link")
+    local ac_done="${ac_ratio%%/*}" ac_total="${ac_ratio##*/}"
+    local ac_badge ci_badge
+    if [[ "$ac_total" != "0" && "$ac_done" == "$ac_total" ]]; then
+      ac_badge="${GREEN}✓ AC${NC}"
     else
-      echo -e "  Backlog  ${GREEN}✓ clear${NC}"
+      ac_badge="${YELLOW}○ AC ${ac_done}/${ac_total}${NC}"
     fi
+    local ci_state; ci_state=$(_dash_ci_status)
+    case "$ci_state" in
+      success) ci_badge="${GREEN}✓ CI${NC}" ;;
+      pending) ci_badge="${YELLOW}… CI${NC}" ;;
+      failure) ci_badge="${RED}✗ CI${NC}" ;;
+      *)       ci_badge="${YELLOW}○ CI${NC}" ;;
+    esac
+    printf "  ${BOLD}📊 Current Focus · DoD${NC}\n"
+    printf "    🔨 ${BOLD}%s${NC}  %s\n" "$p_id" "$p_desc"
+    printf "    [%b]  [%b]\n" "$ac_badge" "$ci_badge"
+    printf "    ${YELLOW}其余 4 项 DoD 信号源待接入：see US-AUTO-030/031, IDEA-013/014${NC}\n"
+    echo ""
   fi
 
-  local briefs_dir="docs/briefs"
-  local latest; latest=$(ls "${briefs_dir}"/*.md 2>/dev/null | sort | tail -1 || true)
-  if [[ -n "$latest" ]]; then
-    local mod_time now age
-    mod_time=$(stat -c %Y "$latest" 2>/dev/null || stat -f %m "$latest" 2>/dev/null || echo 0)
-    now=$(date +%s); age=$(( (now - mod_time) / 3600 ))
-    local readiness; readiness=$(awk '/^## Release Readiness/{found=1;next} found && /[^[:space:]]/{gsub(/\*\*/,""); print; exit}' "$latest" 2>/dev/null || true)
-    local done_count; done_count=$(grep -c '| Story\|| Fix\|| Refactor' "$latest" 2>/dev/null) || done_count=0
-    echo -e "\n  Brief  (${age}h ago)  ${readiness:+${CYAN}${readiness}${NC}}"
-    [[ "$done_count" -gt 0 ]] && echo -e "  This cycle: ${done_count} items completed"
+  # ── ⑤ Human × AI 介入区 ───────────────────────────────────────────────────
+  local alerts proposals release_ready
+  alerts=$(_dash_alert_count); alerts=${alerts//[^0-9]/}; alerts=${alerts:-0}
+  proposals=$(_dash_proposal_count); proposals=${proposals//[^0-9]/}; proposals=${proposals:-0}
+  release_ready=false; _dash_release_ready && release_ready=true
+  printf "  ${BOLD}👤 需要你介入${NC}\n"
+  if (( alerts == 0 )) && (( proposals == 0 )) && ! $release_ready; then
+    printf "    ${GREEN}✓ AI 自驱中 — 无需介入${NC}\n"
   else
-    echo -e "\n  No brief yet — run: roll brief"
+    (( alerts > 0 )) && printf "    ${RED}⚠ %s ALERT${NC}          run: roll alert\n" "$alerts"
+    (( proposals > 0 )) && printf "    ${YELLOW}📋 %s PROPOSAL${NC}      see: PROPOSALS.md\n" "$proposals"
+    $release_ready && printf "    ${GREEN}✓ Release ready${NC}    run: roll release\n"
   fi
+  echo ""
 
+  # ── ⑥ Schedules & Last Brief ──────────────────────────────────────────────
+  printf "  ${BOLD}⏰ Schedules & Last Brief${NC}\n"
+  printf "    loop :%02d · dream %02d:%02d · brief %02d:%02d\n" \
+    "$loop_minute" "$dream_hour" "$dream_minute" "$brief_hour" "$brief_minute"
+  local latest_brief; latest_brief=$(ls docs/briefs/*.md 2>/dev/null | sort | tail -1 || true)
+  if [[ -n "$latest_brief" ]]; then
+    local mod_time now age summary
+    mod_time=$(stat -c %Y "$latest_brief" 2>/dev/null || stat -f %m "$latest_brief" 2>/dev/null || echo 0)
+    now=$(date +%s); age=$(( (now - mod_time) / 3600 ))
+    summary=$(_dash_brief_summary "$latest_brief")
+    printf "    Brief ${CYAN}%sh${NC} ago — %s\n" "$age" "${summary:-—}"
+  else
+    printf "    Brief: ${YELLOW}none yet${NC} — run: roll brief\n"
+  fi
   echo ""
 }