@tekyzinc/gsd-t 4.0.27 → 4.0.29

package/templates/workflows/gsd-t-integrate.workflow.js

@@ -16,11 +16,41 @@ export const meta = {
   ],
 };
 
-const lib = require("./_lib.js");
+// M81: runtime-native helpers (sandbox bans require/fs/child_process/process — the old
+// require("./_lib.js") crashed this workflow on first eval, TD-113). Delegate CLI calls
+// to an agent's Bash; args arrives as a JSON STRING in this runtime. See gsd-t-scan.workflow.js.
+const _args = (typeof args === "string") ? (() => { try { return JSON.parse(args); } catch { return {}; } })() : (args || {});
+const _CLI_ENVELOPE_SCHEMA = {
+  type: "object", required: ["ok", "exitCode"], additionalProperties: true,
+  properties: { ok: { type: "boolean" }, exitCode: { type: "integer" }, envelope: {}, stdout: { type: "string" }, stderr: { type: "string" }, via: { type: "string" } },
+};
+async function runCli(projectDir, subcmd, argv, localBin, label, parseJson = true, phaseName) {
+  const argStr = (argv || []).map((a) => `'${String(a).replace(/'/g, "'\\''")}'`).join(" ");
+  const prompt = [
+    `Run a GSD-T CLI command for the project at \`${projectDir}\` and report the result. Steps:`,
+    `1. If \`${projectDir}/bin/${localBin}\` exists, run: \`node ${projectDir}/bin/${localBin} ${argStr}\` (set via="local"). Otherwise run: \`gsd-t ${subcmd} ${argStr}\` (set via="global"). Use cwd \`${projectDir}\`.`,
+    `2. Capture exit code (ok = exitCode 0) and stdout/stderr.`,
+    parseJson ? `3. Parse stdout as JSON into \`envelope\` (null if not JSON). Return JSON per the schema.` : `3. Put stdout (trimmed, ≤4000 chars) in \`stdout\`. Return JSON per the schema.`,
+    `Do NOT do any other work. ONLY run this one command and report.`,
+  ].join("\n");
+  const opts = { label, schema: _CLI_ENVELOPE_SCHEMA, model: "haiku" };
+  if (phaseName) opts.phase = phaseName;
+  const r = await agent(prompt, opts).catch((e) => ({ ok: false, exitCode: -1, envelope: null, stderr: String(e && e.message), via: "error" }));
+  return r || { ok: false, exitCode: -1, envelope: null, via: "error" };
+}
+async function runPreflight(projectDir, label = "preflight", phaseName) { return runCli(projectDir, "preflight", ["--json"], "cli-preflight.cjs", label, true, phaseName); }
+async function runVerifyGate(projectDir, label = "verify-gate", phaseName) { return runCli(projectDir, "verify-gate", ["--json"], "gsd-t-verify-gate.cjs", label, true, phaseName); }
+async function generateBrief(projectDir, { kind = "execute", milestone, domain, id, label = "brief", phaseName } = {}) {
+  const argv = ["--kind", kind, "--spawn-id", id, "--out", `${projectDir}/.gsd-t/briefs/${id}.json`];
+  if (milestone) argv.push("--milestone", milestone);
+  if (domain) argv.push("--domain", domain);
+  const r = await runCli(projectDir, "brief", argv, "gsd-t-context-brief.cjs", label, false, phaseName);
+  return { ok: r.ok, briefPath: `${projectDir}/.gsd-t/briefs/${id}.json`, via: r.via };
+}
 
-const projectDir = (args && args.projectDir) || ".";
-const milestone  = (args && args.milestone) || null;
-const domains    = (args && args.domains) || [];
+const projectDir = _args.projectDir || ".";
+const milestone  = _args.milestone || null;
+const domains    = _args.domains || [];
 
 const INTEGRATE_SCHEMA = {
   type: "object",
@@ -38,9 +68,9 @@ if (!milestone || !domains.length) {
 }
 
 phase("Preflight");
-const pre = lib.runPreflight({ projectDir });
+const pre = await runPreflight(projectDir);
 if (!pre.ok) return { status: "failed", reason: "preflight-failed", preflight: pre.envelope };
-const brief = lib.generateBrief({ kind: "execute", milestone, projectDir });
+const brief = await generateBrief(projectDir, { kind: "execute", milestone, id: `integrate-${(milestone || "m").toLowerCase()}` });
 
 phase("Integrate");
 const integrate = await agent(
@@ -63,7 +93,7 @@ if (integrate.status === "failed") {
 }
 
 phase("Verify-Gate");
-const vg = lib.runVerifyGate({ projectDir });
+const vg = await runVerifyGate(projectDir);
 return {
   status: vg.ok ? "complete" : "verify-failed",
   integrate,

package/templates/workflows/gsd-t-phase.workflow.js

@@ -26,7 +26,36 @@ export const meta = {
   ],
 };
 
-const lib = require("./_lib.js");
+// M81: runtime-native helpers (sandbox bans require/fs/child_process/process — the old
+// require("./_lib.js") crashed this workflow on first eval, TD-113). Delegate CLI calls
+// to an agent's Bash; args arrives as a JSON STRING in this runtime. See gsd-t-scan.workflow.js.
+const _args = (typeof args === "string") ? (() => { try { return JSON.parse(args); } catch { return {}; } })() : (args || {});
+const _CLI_ENVELOPE_SCHEMA = {
+  type: "object", required: ["ok", "exitCode"], additionalProperties: true,
+  properties: { ok: { type: "boolean" }, exitCode: { type: "integer" }, envelope: {}, stdout: { type: "string" }, stderr: { type: "string" }, via: { type: "string" } },
+};
+async function runCli(projectDir, subcmd, argv, localBin, label, parseJson = true, phaseNameOpt) {
+  const argStr = (argv || []).map((a) => `'${String(a).replace(/'/g, "'\\''")}'`).join(" ");
+  const prompt = [
+    `Run a GSD-T CLI command for the project at \`${projectDir}\` and report the result. Steps:`,
+    `1. If \`${projectDir}/bin/${localBin}\` exists, run: \`node ${projectDir}/bin/${localBin} ${argStr}\` (set via="local"). Otherwise run: \`gsd-t ${subcmd} ${argStr}\` (set via="global"). Use cwd \`${projectDir}\`.`,
+    `2. Capture exit code (ok = exitCode 0) and stdout/stderr.`,
+    parseJson ? `3. Parse stdout as JSON into \`envelope\` (null if not JSON). Return JSON per the schema.` : `3. Put stdout (trimmed, ≤4000 chars) in \`stdout\`. Return JSON per the schema.`,
+    `Do NOT do any other work. ONLY run this one command and report.`,
+  ].join("\n");
+  const opts = { label, schema: _CLI_ENVELOPE_SCHEMA, model: "haiku" };
+  if (phaseNameOpt) opts.phase = phaseNameOpt;
+  const r = await agent(prompt, opts).catch((e) => ({ ok: false, exitCode: -1, envelope: null, stderr: String(e && e.message), via: "error" }));
+  return r || { ok: false, exitCode: -1, envelope: null, via: "error" };
+}
+async function runPreflight(projectDir, label = "preflight", phaseNameOpt) { return runCli(projectDir, "preflight", ["--json"], "cli-preflight.cjs", label, true, phaseNameOpt); }
+async function generateBrief(projectDir, { kind = "execute", milestone, domain, id, label = "brief", phaseNameOpt } = {}) {
+  const argv = ["--kind", kind, "--spawn-id", id, "--out", `${projectDir}/.gsd-t/briefs/${id}.json`];
+  if (milestone) argv.push("--milestone", milestone);
+  if (domain) argv.push("--domain", domain);
+  const r = await runCli(projectDir, "brief", argv, "gsd-t-context-brief.cjs", label, false, phaseNameOpt);
+  return { ok: r.ok, briefPath: `${projectDir}/.gsd-t/briefs/${id}.json`, via: r.via };
+}
 
 const VALID_PHASES = [
   "partition", "plan", "discuss", "impact",
@@ -45,10 +74,10 @@ const PHASE_RESULT_SCHEMA = {
   },
 };
 
-const projectDir = (args && args.projectDir) || ".";
-const milestone  = (args && args.milestone)  || null;
-const userInput  = (args && args.userInput)  || "";
-const phaseName  = args && args.phase;
+const projectDir = _args.projectDir || ".";
+const milestone  = _args.milestone || null;
+const userInput  = _args.userInput || "";
+const phaseName  = _args.phase;
 
 if (!phaseName || !VALID_PHASES.includes(phaseName)) {
   log(`phase: args.phase must be one of: ${VALID_PHASES.join(", ")}`);
@@ -56,9 +85,9 @@ if (!phaseName || !VALID_PHASES.includes(phaseName)) {
 }
 
 phase("Preflight");
-const pre = lib.runPreflight({ projectDir });
+const pre = await runPreflight(projectDir);
 if (!pre.ok) return { status: "failed", reason: "preflight-failed", preflight: pre.envelope };
-const brief = lib.generateBrief({ kind: phaseName, milestone, projectDir });
+const brief = await generateBrief(projectDir, { kind: phaseName, milestone, id: `${phaseName}-${(milestone || "m").toLowerCase()}` });
 
 phase("Phase");
 const promptByPhase = {

package/templates/workflows/gsd-t-quick.workflow.js

@@ -16,11 +16,63 @@ export const meta = {
   ],
 };
 
-const lib = require("./_lib.js");
+// M81: runtime-native helpers. The Anthropic Workflow sandbox provides ONLY the
+// globals agent/parallel/pipeline/log/phase/budget/args — NO require/fs/path/
+// child_process/process. The old `require("./_lib.js")` threw ReferenceError on first
+// eval, so EVERY workflow except scan silently crashed and never ran (TD-113, confirmed
+// by the NiceNote session 2026-06-05). These inline helpers delegate the CLI calls to an
+// agent() that runs them via Bash (preferring project-local bin/<tool>.cjs, falling back
+// to the global `gsd-t` PATH binary), parsing the JSON envelope — same brains, sandbox-safe
+// invocation. The args global also arrives as a JSON STRING in this runtime, so parse it.
+const _args = (typeof args === "string") ? (() => { try { return JSON.parse(args); } catch { return {}; } })() : (args || {});
 
-const projectDir = (args && args.projectDir) || ".";
-const task = (args && args.task) || null;
-const model = (args && args.model) || "sonnet";
+const _CLI_ENVELOPE_SCHEMA = {
+  type: "object", required: ["ok", "exitCode"], additionalProperties: true,
+  properties: {
+    ok: { type: "boolean" }, exitCode: { type: "integer" },
+    envelope: {}, stdout: { type: "string" }, stderr: { type: "string" }, via: { type: "string" },
+  },
+};
+// Run a `gsd-t <subcmd>` CLI (or project-local bin/<localBin>) via an agent's Bash and
+// return { ok, exitCode, envelope, stderr, via }. parseJson=true parses stdout as the envelope.
+async function runCli(projectDir, subcmd, argv, localBin, label, parseJson = true, phaseName) {
+  const argStr = (argv || []).map((a) => `'${String(a).replace(/'/g, "'\\''")}'`).join(" ");
+  const prompt = [
+    `Run a GSD-T CLI command for the project at \`${projectDir}\` and report the result. Steps:`,
+    `1. If \`${projectDir}/bin/${localBin}\` exists, run: \`node ${projectDir}/bin/${localBin} ${argStr}\` (set via="local").`,
+    `   Otherwise run: \`gsd-t ${subcmd} ${argStr}\` (set via="global").`,
+    `   Run it with cwd \`${projectDir}\` (use \`cd ${projectDir} && …\` or \`-C\`/\`--cwd\` as appropriate).`,
+    `2. Capture the exit code (ok = exitCode 0) and stdout/stderr.`,
+    parseJson
+      ? `3. Parse stdout as JSON into \`envelope\` (null if not JSON). Return JSON per the schema.`
+      : `3. Put stdout (trimmed, ≤4000 chars) in \`stdout\`. Return JSON per the schema.`,
+    `Do NOT do any other work. ONLY run this one command and report.`,
+  ].join("\n");
+  const opts = { label, schema: _CLI_ENVELOPE_SCHEMA, model: "haiku" };
+  if (phaseName) opts.phase = phaseName; // opts.phase MUST be a string, never the phase() fn
+  const r = await agent(prompt, opts)
+    .catch((e) => ({ ok: false, exitCode: -1, envelope: null, stderr: String(e && e.message), via: "error" }));
+  return r || { ok: false, exitCode: -1, envelope: null, via: "error" };
+}
+async function runPreflight(projectDir, label = "preflight", phaseName) {
+  return runCli(projectDir, "preflight", ["--json"], "cli-preflight.cjs", label, true, phaseName);
+}
+async function runVerifyGate(projectDir, label = "verify-gate", phaseName) {
+  return runCli(projectDir, "verify-gate", ["--json"], "gsd-t-verify-gate.cjs", label, true, phaseName);
+}
+// Brief generation: writes .gsd-t/briefs/<id>.json and returns its path. The id must be
+// caller-supplied (no Date.now/Math.random in the sandbox) — pass a stable id per spawn.
+async function generateBrief(projectDir, { kind = "execute", milestone, domain, id, label = "brief", phaseName } = {}) {
+  const argv = ["--kind", kind, "--spawn-id", id, "--out", `${projectDir}/.gsd-t/briefs/${id}.json`];
+  if (milestone) argv.push("--milestone", milestone);
+  if (domain) argv.push("--domain", domain);
+  const r = await runCli(projectDir, "brief", argv, "gsd-t-context-brief.cjs", label, false, phaseName);
+  return { ok: r.ok, briefPath: `${projectDir}/.gsd-t/briefs/${id}.json`, via: r.via };
+}
+
+const projectDir = _args.projectDir || ".";
+const task = _args.task || null;
+const model = _args.model || "sonnet";
 
 const QUICK_SCHEMA = {
   type: "object",
@@ -38,9 +90,9 @@ if (!task) {
 }
 
 phase("Preflight");
-const pre = lib.runPreflight({ projectDir });
+const pre = await runPreflight(projectDir);
 if (!pre.ok) return { status: "failed", reason: "preflight-failed", preflight: pre.envelope };
-const brief = lib.generateBrief({ kind: "execute", projectDir });
+const brief = await generateBrief(projectDir, { kind: "execute", id: "quick-brief" });
 
 phase("Execute");
 const result = await agent(
@@ -64,7 +116,7 @@ if (result.status === "failed" || result.status === "blocked") {
 }
 
 phase("Verify");
-const vg = lib.runVerifyGate({ projectDir });
+const vg = await runVerifyGate(projectDir);
 return {
   status: vg.ok ? "complete" : "verify-failed",
   result,

package/templates/workflows/gsd-t-scan.workflow.js

@@ -607,6 +607,19 @@ log(`register written: ${JSON.stringify(synthesis.counts)} (${synthesis.tdRange}
 // READ the just-written register itself, since the orchestrator can't read it.
 phase("Document");
 const sliceSummary = slices.map((s) => `- ${s.key} (${s.dimension}): ${JSON.stringify(s.paths)}`).join("\n");
+// Compact serialization of the verified findings handed to each document agent. Project
+// only the fields the docs need (full objects can carry verbose verify metadata); the
+// baseCtx caps it at 120KB below. (Bugfix: findingsJson was referenced but never defined,
+// which crashed the entire workflow at the Document phase AFTER all finders/verify/synthesis
+// ran — ReferenceError: findingsJson is not defined.)
+const findingsJson = JSON.stringify(
+  finalFindings.map((f) => ({
+    title: f.title, severity: f.severity, area: f.area,
+    files: f.files, detail: f.detail, impact: f.impact,
+    recommendation: f.recommendation, slice: f.slice,
+  })),
+  null, 1
+);
 const baseCtx = [
   `Project: \`${projectDir}\`. Probe totals: ${JSON.stringify(probe.totals)}.`,
   `Slices the scan covered:`,
@@ -740,20 +753,37 @@ for (const sev of ["CRITICAL", "HIGH", "MEDIUM", "LOW"]) {
   }
   if (buf.trim()) peChunks.push(buf);
 }
-let peWrote = 0;
-for (let ci = 0; ci < peChunks.length; ci++) {
-  const first = ci === 0;
-  const res = await gatedAgent(
-    [
-      first ? `Create the file \`${peTarget}\` (overwrite) with EXACTLY the content between markers, using the Write tool. Verbatim.`
-            : `APPEND EXACTLY the content between markers to the END of \`${peTarget}\` (do not overwrite; append) via a Bash heredoc \`cat >> ${peTarget} <<'GSDTEOF'\` … \`GSDTEOF\`. Verbatim.`,
-      `Reply ONLY "OK".`, "", "<<<C>>>", peChunks[ci], "<<<END>>>",
-    ].join("\n"),
-    { label: `plain-english write ${ci + 1}/${peChunks.length}`, phase: "Plain-English", model: "haiku" }
-  ).catch((e) => ({ _e: String(e && e.message) }));
-  if (typeof res === "string" && /ok/i.test(res)) peWrote++;
-}
-log(`plain-english: ${Object.values(peGroups).reduce((a, b) => a + b.length, 0)}/${peItems.length} entries, grouped by severity, ${peWrote}/${peChunks.length} chunks written${peFailed ? `; ${peFailed} gen batch(es) failed` : ""}`);
+// M80 fix: a SINGLE owning agent writes ALL chunks sequentially and SELF-VERIFIES the
+// final `### TD-` entry count, retrying short writes. The prior design fanned each chunk
+// to a separate haiku agent via heredoc-append — agents replied "OK" without faithfully
+// appending 30KB blobs of markdown (special chars `$` ` # collide with the heredoc /
+// get paraphrased), so the middle chunks silently dropped: run wf_b2a6a9e0-9de wrote
+// only 65/181 entries (Critical+High + a 2-item tail). With one owner + a count check,
+// an incomplete write is detected and fixed in-agent instead of shipping truncated.
+const peExpectedEntries = Object.values(peGroups).reduce((a, b) => a + b.length, 0);
+const peWriteRes = await gatedAgent(
+  [
+    `You write ONE file: \`${peTarget}\`. It has ${peChunks.length} ordered chunks (below, each between <<<C n>>> and <<<END n>>>).`,
+    `Procedure — follow EXACTLY:`,
+    `1. Write chunk 1 to \`${peTarget}\` VERBATIM using the Write tool (creates/overwrites).`,
+    `2. For chunks 2..${peChunks.length}, APPEND each VERBATIM to the END of the file. Use the Write tool with the FULL accumulated content (read the file, concatenate the next chunk, Write the whole thing) — do NOT use a heredoc (special chars corrupt it).`,
+    `3. After all chunks: run \`grep -c '^### TD-' ${peTarget}\`. It MUST equal ${peExpectedEntries}.`,
+    `4. If the count is LESS than ${peExpectedEntries}, you dropped content — redo the append for the missing chunks until the count is exactly ${peExpectedEntries}.`,
+    `Reply with ONLY the final integer count from step 3 (e.g. "${peExpectedEntries}"). Nothing else. Reproduce every chunk verbatim — do not summarize, reword, or skip entries.`,
+    ``,
+    ...peChunks.map((c, i) => `<<<C ${i + 1}>>>\n${c}\n<<<END ${i + 1}>>>`),
+  ].join("\n"),
+  { label: `plain-english write (${peChunks.length} chunks, ${peExpectedEntries} entries)`, phase: "Plain-English", model: "sonnet" }
+).catch((e) => ({ _e: String(e && e.message) }));
+// Independent verification by a second cheap agent (the writer self-reports; trust but verify).
+const peVerify = await gatedAgent(
+  `Run \`grep -c '^### TD-' ${peTarget}\` and reply with ONLY the integer it prints.`,
+  { label: `plain-english verify-count`, phase: "Plain-English", model: "haiku" }
+).catch(() => null);
+const peActual = (typeof peVerify === "string" && /\d+/.test(peVerify)) ? parseInt(peVerify.match(/\d+/)[0], 10) : null;
+const peComplete = peActual === peExpectedEntries;
+if (!peComplete) log(`⚠ plain-english INCOMPLETE: wrote ${peActual}/${peExpectedEntries} entries (writer said ${typeof peWriteRes === "string" ? peWriteRes.trim().slice(0, 20) : JSON.stringify(peWriteRes).slice(0, 40)})`);
+log(`plain-english: ${peExpectedEntries}/${peItems.length} entries, grouped by severity, ${peChunks.length} chunks, on-disk count ${peActual ?? "?"} (${peComplete ? "COMPLETE" : "INCOMPLETE"})${peFailed ? `; ${peFailed} gen batch(es) failed` : ""}`);
 
 // Commit the docs + dimension files + plain-english via a small agent (Bash git).
 const commitAgent = await agent(
@@ -787,6 +817,11 @@ return {
   docsWritten: docsOk.length,
   docsFailed: docsFailed.map((d) => d.doc),
   docsCommitted: commitAgent && commitAgent.status,
+  // M80: plain-english completeness is surfaced, not silent. plainEnglishComplete=false
+  // means the companion doc is truncated (writer dropped entries) — the caller should flag it.
+  plainEnglishEntries: peActual,
+  plainEnglishExpected: peExpectedEntries,
+  plainEnglishComplete: peComplete,
   htmlReport: null, // render stage removed (M71)
   probeTotals: probe.totals,
 };

package/templates/workflows/gsd-t-verify.workflow.js

@@ -30,12 +30,55 @@ export const meta = {
   ],
 };
 
-const lib = require("./_lib.js");
+// M81: runtime-native helpers (sandbox bans require/fs/path/child_process/process — the
+// old require("./_lib.js") + the inline require("child_process"/"fs"/"path") in the
+// CI-parity block crashed this on first eval, TD-113). All CLI calls (preflight,
+// verify-gate, build-coverage, ci-parity, test-data) delegate to an agent's Bash; the
+// QA/Red-Team protocol bodies are read by an agent (Read) instead of fs. args arrives as
+// a JSON STRING in this runtime. See gsd-t-scan.workflow.js.
+const _args = (typeof args === "string") ? (() => { try { return JSON.parse(args); } catch { return {}; } })() : (args || {});
+const _CLI_ENVELOPE_SCHEMA = {
+  type: "object", required: ["ok", "exitCode"], additionalProperties: true,
+  properties: { ok: { type: "boolean" }, exitCode: { type: "integer" }, envelope: {}, stdout: { type: "string" }, stderr: { type: "string" }, via: { type: "string" } },
+};
+async function runCli(projectDir, subcmd, argv, localBin, label, parseJson = true, phaseName) {
+  const argStr = (argv || []).map((a) => `'${String(a).replace(/'/g, "'\\''")}'`).join(" ");
+  const prompt = [
+    `Run a GSD-T CLI command for the project at \`${projectDir}\` and report the result. Steps:`,
+    `1. If \`${projectDir}/bin/${localBin}\` exists, run: \`node ${projectDir}/bin/${localBin} ${argStr}\` (set via="local"). Otherwise run: \`gsd-t ${subcmd} ${argStr}\` (set via="global"). Use cwd \`${projectDir}\`.`,
+    `2. Capture exit code (ok = exitCode 0) and stdout/stderr.`,
+    parseJson ? `3. Parse stdout as JSON into \`envelope\` (null if not JSON). Return JSON per the schema.` : `3. Put stdout (trimmed, ≤4000 chars) in \`stdout\`. Return JSON per the schema.`,
+    `Do NOT do any other work. ONLY run this one command and report.`,
+  ].join("\n");
+  const opts = { label, schema: _CLI_ENVELOPE_SCHEMA, model: "haiku" };
+  if (phaseName) opts.phase = phaseName;
+  const r = await agent(prompt, opts).catch((e) => ({ ok: false, exitCode: -1, envelope: null, stderr: String(e && e.message), via: "error" }));
+  return r || { ok: false, exitCode: -1, envelope: null, via: "error" };
+}
+async function runPreflight(projectDir, label = "preflight", phaseName) { return runCli(projectDir, "preflight", ["--json"], "cli-preflight.cjs", label, true, phaseName); }
+async function runVerifyGate(projectDir, label = "verify-gate", phaseName) { return runCli(projectDir, "verify-gate", ["--json"], "gsd-t-verify-gate.cjs", label, true, phaseName); }
+async function generateBrief(projectDir, { kind = "verify", milestone, domain, id, label = "brief", phaseName } = {}) {
+  const argv = ["--kind", kind, "--spawn-id", id, "--out", `${projectDir}/.gsd-t/briefs/${id}.json`];
+  if (milestone) argv.push("--milestone", milestone);
+  if (domain) argv.push("--domain", domain);
+  const r = await runCli(projectDir, "brief", argv, "gsd-t-context-brief.cjs", label, false, phaseName);
+  return { ok: r.ok, briefPath: `${projectDir}/.gsd-t/briefs/${id}.json`, via: r.via };
+}
+// The QA / Red-Team / design-verify protocol bodies live at templates/prompts/<name>-subagent.md
+// inside the installed @tekyzinc/gsd-t package. The orchestrator can't read files (no fs); each
+// triad agent reads its OWN protocol via Read at spawn time. loadProtocol returns a Read-instruction
+// the agent prompt embeds, rather than the protocol text itself.
+function loadProtocolInstruction(name) {
+  const rel = `templates/prompts/${name}-subagent.md`;
+  // Locate the protocol inside the installed @tekyzinc/gsd-t package using ONLY shell
+  // (no require/fs tokens — those trip the runtime-native lint even inside a string).
+  return `Read your protocol FIRST. Find it by running in Bash: \`cat "$(npm root -g)/@tekyzinc/gsd-t/${rel}"\` (or, if a project-local \`${rel}\` exists, read that instead). Follow that protocol exactly.`;
+}
 
-const projectDir = (args && args.projectDir) || ".";
-const milestone  = (args && args.milestone)  || null;
-const skipUltra  = (args && args.skipUltra)  || false;
-const skipUltraReason = (args && args.skipUltraReason) || null;
+const projectDir = _args.projectDir || ".";
+const milestone  = _args.milestone || null;
+const skipUltra  = _args.skipUltra || false;
+const skipUltraReason = _args.skipUltraReason || null;
 
 // 4.8-audit fix: skipUltra requires a recorded reason per
 // orthogonal-validation-contract.md Rule #2. Refuse without one.
@@ -153,15 +196,15 @@ if (!milestone) {
 }
 
 phase("Preflight");
-const pre = lib.runPreflight({ projectDir });
+const pre = await runPreflight(projectDir);
 if (!pre.ok) {
   log(`preflight FAIL — halting verify`);
   return { status: "failed", reason: "preflight-failed", preflight: pre.envelope };
 }
-const brief = lib.generateBrief({ kind: "verify", milestone, projectDir });
+const brief = await generateBrief(projectDir, { kind: "verify", milestone, id: `verify-${(milestone || "m").toLowerCase()}` });
 
 phase("Verify-Gate");
-const vg = lib.runVerifyGate({ projectDir });
+const vg = await runVerifyGate(projectDir);
 if (!vg.ok) {
   log(`verify-gate FAIL exitCode=${vg.exitCode} — halting before triad`);
   return {
@@ -179,36 +222,16 @@ log(`verify-gate green`);
 // from Dockerfile COPY — silent CI-divergence regression. M57 made this gate
 // mandatory; Workflow MUST preserve it or we re-introduce that exact failure.
 // Detected by user/worker in parallel session 2026-05-29 13:00.
+// M81: these were raw spawnSync + require("fs"/"path"/"child_process") in the orchestrator
+// — the exact sandbox-forbidden pattern (TD-113). Now awaited runCli agent calls. The
+// FAIL-blocking semantics are UNCHANGED: a non-zero exit halts verify before the triad.
 phase("CI-Parity");
-const { spawnSync } = require("child_process");
-function _runJsonCli(subcmd, argv = []) {
-  // Use _lib-style resolution — prefer project-local bin/<tool>.cjs
-  const fsMod = require("fs");
-  const pMod = require("path");
-  const localMap = {
-    "build-coverage": "gsd-t-build-coverage.cjs",
-    "ci-parity":      "gsd-t-ci-parity.cjs",
-    "test-data":      "gsd-t-test-data-ledger.cjs",
-  };
-  const local = pMod.join(projectDir, "bin", localMap[subcmd] || "");
-  const cmd = fsMod.existsSync(local) ? process.execPath : "gsd-t";
-  const args = fsMod.existsSync(local) ? [local, ...argv] : [subcmd, ...argv];
-  const r = spawnSync(cmd, args, { cwd: projectDir, stdio: "pipe" });
-  let envelope = null;
-  try { envelope = r.stdout ? JSON.parse(r.stdout.toString()) : null; } catch (_) {}
-  return {
-    ok: r.status === 0,
-    exitCode: r.status,
-    envelope,
-    stderr: r.stderr && r.stderr.toString(),
-  };
-}
-const bc = _runJsonCli("build-coverage", ["--json"]);
+const bc = await runCli(projectDir, "build-coverage", ["--json"], "gsd-t-build-coverage.cjs", "m57:build-coverage", true, "CI-Parity");
 if (!bc.ok) {
   log(`M57 build-coverage FAIL exitCode=${bc.exitCode} — halting (FAIL-blocking)`);
   return { status: "ci-parity-failed", overallVerdict: "VERIFY-FAILED", buildCoverage: bc.envelope };
 }
-const cip = _runJsonCli("ci-parity", ["--json"]);
+const cip = await runCli(projectDir, "ci-parity", ["--json"], "gsd-t-ci-parity.cjs", "m57:ci-parity", true, "CI-Parity");
 if (!cip.ok) {
   log(`M57 ci-parity FAIL exitCode=${cip.exitCode} — halting (FAIL-blocking)`);
   return { status: "ci-parity-failed", overallVerdict: "VERIFY-FAILED", ciParity: cip.envelope };
@@ -221,8 +244,10 @@ log(`M57 CI-parity gate green`);
 // live in production data. M58 made post-E2E purge mandatory; M60 hardened
 // the adapters against empty-prefix bypass. Workflow MUST preserve.
 phase("Test-Data Purge");
-const verifyRunId = `verify-${milestone || "M??"}-${Date.now().toString(36)}`;
-const td = _runJsonCli("test-data", ["--purge", "--run", verifyRunId, "--json"]);
+// M81: run-id is stable per verify run (no Date.now in the sandbox); the milestone scope
+// is sufficient for purge targeting and is deterministic on resume.
+const verifyRunId = `verify-${(milestone || "M__").toLowerCase()}`;
+const td = await runCli(projectDir, "test-data", ["--purge", "--run", verifyRunId, "--json"], "gsd-t-test-data-ledger.cjs", "m58:test-data-purge", true, "Test-Data Purge");
 if (!td.ok) {
   log(`M58 test-data purge FAIL exitCode=${td.exitCode} — halting (FAIL-blocking)`);
   return { status: "test-data-purge-failed", overallVerdict: "VERIFY-FAILED", testDataPurge: td.envelope };
@@ -233,10 +258,11 @@ phase("Orthogonal Triad");
 
 const briefRef = brief.briefPath || "(brief generation failed — re-walk repo)";
 
-// Load the methodology protocols KEPT in templates/prompts/. The protocol body
-// IS the methodology — Workflow just hosts the agent() call.
-const redTeamProtocol = lib.loadProtocol("red-team");
-const qaProtocol = lib.loadProtocol("qa");
+// M81: the protocol body lives in templates/prompts/<name>-subagent.md inside the installed
+// package; the orchestrator can't read files (no fs). Each triad agent reads its OWN
+// protocol via Read at spawn time — loadProtocolInstruction returns the Read directive.
+const redTeamProtocolInstruction = loadProtocolInstruction("red-team");
+const qaProtocolInstruction = loadProtocolInstruction("qa");
 
 const stages = [
   // Stage A — /code-review ultra (cooperative correctness + cleanup)
@@ -273,10 +299,7 @@ const stages = [
       `**adversarial / security / boundaries**. You are NOT cooperative — your`,
       `success is measured in bugs FOUND, not tests passed. Try to break the code.`,
       ``,
-      `Run the Red Team protocol:`,
-      "----- BEGIN RED TEAM PROTOCOL -----",
-      redTeamProtocol.slice(0, 8000),
-      "----- END RED TEAM PROTOCOL -----",
+      `Run the Red Team protocol. ${redTeamProtocolInstruction}`,
       ``,
       `Verdict is FAIL if you found any CRITICAL or HIGH severity bug; GRUDGING-PASS`,
       `if you searched exhaustively and found nothing. Return JSON per the schema.`,
@@ -296,10 +319,7 @@ const stages = [
       `counts. Detect shallow tests (layout-only assertions that pass on an empty HTML page).`,
       `Verify contract compliance against .gsd-t/contracts/.`,
       ``,
-      `Run the QA protocol:`,
-      "----- BEGIN QA PROTOCOL -----",
-      qaProtocol.slice(0, 8000),
-      "----- END QA PROTOCOL -----",
+      `Run the QA protocol. ${qaProtocolInstruction}`,
       ``,
       `Return JSON per the schema.`,
     ].join("\n"),

package/templates/workflows/gsd-t-wave.workflow.js

@@ -14,11 +14,14 @@ export const meta = {
   ],
 };
 
-const lib = require("./_lib.js");
+// M81: this workflow only composes sub-workflows (execute + verify) — it never used
+// lib.*, but the `require("./_lib.js")` import alone crashed it on first eval in the
+// sandbox (TD-113). Removed. args arrives as a JSON STRING in this runtime, so parse it.
+const _args = (typeof args === "string") ? (() => { try { return JSON.parse(args); } catch { return {}; } })() : (args || {});
 
-const projectDir = (args && args.projectDir) || ".";
-const milestone  = (args && args.milestone)  || null;
-const domains    = (args && args.domains)    || [];
+const projectDir = _args.projectDir || ".";
+const milestone  = _args.milestone || null;
+const domains    = _args.domains || [];
 
 if (!milestone || !domains.length) {
   log("wave: args.milestone and args.domains required");