@tekyzinc/gsd-t 4.0.28 → 4.0.29

package/CHANGELOG.md

@@ -2,6 +2,21 @@
 
 All notable changes to GSD-T are documented here. Updated with each release.
 
+## [4.0.29] - 2026-06-05 (M81 Workflows Runtime-Native - patch)
+
+### Fixed - TD-113: 6 of 7 workflows (+ quick) crashed in the Workflow sandbox and had never run
+
+The GSD-T self-scan (Scan #12) and a live NiceNote session both confirmed it: every `*.workflow.js` except `gsd-t-scan` opened with `require("./_lib.js")`, which the Anthropic Workflow sandbox forbids (it provides only `agent/parallel/pipeline/log/phase/budget/args` — no `require`/`fs`/`path`/`child_process`/`process`). Each threw `ReferenceError` on first eval, so the entire orchestration layer — `execute`, `verify`, `wave`, `integrate`, `debug`, `phase`, `quick` — silently fell back to hand-driven runs and never actually executed as workflows.
+
+Ported all 7 to the runtime-native pattern proven on scan in M71/M80: inline `async` helpers that delegate each CLI call (preflight, verify-gate, brief, build-coverage, ci-parity, test-data, parallel/disjointness) to an `agent()`'s Bash — preferring project-local `bin/<tool>.cjs`, falling back to the global `gsd-t` PATH binary — and parse the JSON envelope. `args` is now `JSON.parse`d (it arrives stringified). File reads moved into the agents that have `Read` (worker reads its own scope.md/tasks.md; triad agents read their own protocol from `templates/prompts/`). `verify`'s raw `spawnSync`/`require` CI-parity block and `Date.now()` run-id were replaced; the M57/M58 FAIL-blocking semantics are unchanged.
+
+- `templates/workflows/gsd-t-{execute,verify,wave,integrate,debug,phase,quick}.workflow.js`: runtime-native port.
+- `test/m71-workflow-runtime-native-lint.test.js`: lint now covers all 8 workflows (was scan-only).
+- `test/m81-workflows-runtime-native.test.js`: structural invariants (no `_lib` require, args-string parse, no `spawnSync`/`Date.now`/`Math.random` in orchestrator, FAIL-blocking gates preserved).
+- `CLAUDE.md`, `~/.claude/CLAUDE.md` + `templates/CLAUDE-global.md`: documented the runtime-native invariant; retired `_lib.js` as a workflow dependency.
+
+Proven in the REAL sandbox: `quick` ran end-to-end (verify-gate PASS), `verify` evaluated through its CLI delegations returning a real verify-gate envelope, `execute` evaluated cleanly to its arg-guard — all with zero ReferenceError. Suite 1341/1341 pass.
+
 ## [4.0.28] - 2026-06-04 (M80 Scan Document-Phase Fixes - patch)
 
 ### Fixed - scan workflow crashed at the document phase, then shipped a truncated plain-English doc

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tekyzinc/gsd-t",
-  "version": "4.0.28",
+  "version": "4.0.29",
   "description": "GSD-T: Contract-Driven Development for Claude Code — 54 slash commands with headless-by-default workflow spawning, unattended supervisor relay with event stream, graph-powered code analysis, real-time agent dashboard, task telemetry, doc-ripple enforcement, backlog management, impact analysis, test sync, milestone archival, and PRD generation",
   "author": "Tekyz, Inc.",
   "license": "MIT",

package/templates/CLAUDE-global.md

@@ -331,7 +331,7 @@ Canonical scripts:
 - `gsd-t-phase.workflow.js` — generic upper-stage runner (partition / plan / discuss / impact / milestone / prd / design-decompose / doc-ripple)
 - `gsd-t-scan.workflow.js` — preflight → volume-probe → pipeline(per-slice deep finder → single verify) → synthesis → document → render (M66: fans out by codebase VOLUME, not a fixed 5-teammate dimension count; M67: deep document phase deterministically produces the full living-doc set + dimension files, per-doc fan-out)
 
-Shared helpers: `templates/workflows/_lib.js` — `runPreflight`, `generateBrief`, `proveFileDisjointness`, `runVerifyGate`, `loadProtocol`, `readDomainTasks`, `readScope`. Each prefers project-local `bin/<tool>.cjs` and falls back to global `gsd-t` PATH binary (preserves M55-D5 project-local-bin invariant).
+**Runtime-native invariant (M81 — v4.0.29+):** the Workflow sandbox provides ONLY `agent/parallel/pipeline/log/phase/budget/args` — NO `require`/`fs`/`path`/`child_process`/`process`, and `args` arrives as a JSON STRING. Each workflow is self-contained: it `JSON.parse`s `args` and delegates every CLI call (preflight, verify-gate, brief, build-coverage, ci-parity, test-data, disjointness) to inline `async` helpers that run the command via an `agent()`'s Bash (preferring project-local `bin/<tool>.cjs`, else the global `gsd-t` PATH binary) and parse the JSON envelope — preserving the M55-D5 project-local-bin invariant. The old `require("./_lib.js")` pattern threw `ReferenceError` on first eval and silently broke every workflow except scan (TD-113, fixed M81); `_lib.js` is retired as a workflow dependency.
 
 ## Preflight Gate (KEPT from M55)
 

package/templates/workflows/gsd-t-debug.workflow.js

@@ -16,10 +16,39 @@ export const meta = {
   ],
 };
 
-const lib = require("./_lib.js");
+// M81: runtime-native helpers (sandbox bans require/fs/child_process/process — the old
+// require("./_lib.js") crashed this workflow on first eval, TD-113). Delegate CLI calls
+// to an agent's Bash; args arrives as a JSON STRING in this runtime. See gsd-t-scan.workflow.js.
+const _args = (typeof args === "string") ? (() => { try { return JSON.parse(args); } catch { return {}; } })() : (args || {});
+const _CLI_ENVELOPE_SCHEMA = {
+  type: "object", required: ["ok", "exitCode"], additionalProperties: true,
+  properties: { ok: { type: "boolean" }, exitCode: { type: "integer" }, envelope: {}, stdout: { type: "string" }, stderr: { type: "string" }, via: { type: "string" } },
+};
+async function runCli(projectDir, subcmd, argv, localBin, label, parseJson = true, phaseName) {
+  const argStr = (argv || []).map((a) => `'${String(a).replace(/'/g, "'\\''")}'`).join(" ");
+  const prompt = [
+    `Run a GSD-T CLI command for the project at \`${projectDir}\` and report the result. Steps:`,
+    `1. If \`${projectDir}/bin/${localBin}\` exists, run: \`node ${projectDir}/bin/${localBin} ${argStr}\` (set via="local"). Otherwise run: \`gsd-t ${subcmd} ${argStr}\` (set via="global"). Use cwd \`${projectDir}\`.`,
+    `2. Capture exit code (ok = exitCode 0) and stdout/stderr.`,
+    parseJson ? `3. Parse stdout as JSON into \`envelope\` (null if not JSON). Return JSON per the schema.` : `3. Put stdout (trimmed, ≤4000 chars) in \`stdout\`. Return JSON per the schema.`,
+    `Do NOT do any other work. ONLY run this one command and report.`,
+  ].join("\n");
+  const opts = { label, schema: _CLI_ENVELOPE_SCHEMA, model: "haiku" };
+  if (phaseName) opts.phase = phaseName;
+  const r = await agent(prompt, opts).catch((e) => ({ ok: false, exitCode: -1, envelope: null, stderr: String(e && e.message), via: "error" }));
+  return r || { ok: false, exitCode: -1, envelope: null, via: "error" };
+}
+async function runPreflight(projectDir, label = "preflight", phaseName) { return runCli(projectDir, "preflight", ["--json"], "cli-preflight.cjs", label, true, phaseName); }
+async function generateBrief(projectDir, { kind = "execute", milestone, domain, id, label = "brief", phaseName } = {}) {
+  const argv = ["--kind", kind, "--spawn-id", id, "--out", `${projectDir}/.gsd-t/briefs/${id}.json`];
+  if (milestone) argv.push("--milestone", milestone);
+  if (domain) argv.push("--domain", domain);
+  const r = await runCli(projectDir, "brief", argv, "gsd-t-context-brief.cjs", label, false, phaseName);
+  return { ok: r.ok, briefPath: `${projectDir}/.gsd-t/briefs/${id}.json`, via: r.via };
+}
 
-const projectDir = (args && args.projectDir) || ".";
-const symptom = (args && args.symptom) || null;
+const projectDir = _args.projectDir || ".";
+const symptom = _args.symptom || null;
 
 const DEBUG_CYCLE_SCHEMA = {
   type: "object",
@@ -42,9 +71,9 @@ if (!symptom) {
 }
 
 phase("Preflight");
-const pre = lib.runPreflight({ projectDir });
+const pre = await runPreflight(projectDir);
 if (!pre.ok) return { status: "failed", reason: "preflight-failed", preflight: pre.envelope };
-const brief = lib.generateBrief({ kind: "execute", projectDir });
+const brief = await generateBrief(projectDir, { kind: "execute", id: "debug-brief" });
 
 let lastResult = null;
 for (let cycle = 1; cycle <= 2; cycle++) {

package/templates/workflows/gsd-t-execute.workflow.js

@@ -65,12 +65,47 @@ const INTEGRATE_RESULT_SCHEMA = {
 
 // ───── Script body ──────────────────────────────────────────────────────────
 
-const lib = require("./_lib.js");
-const path = require("path");
+// M81: runtime-native helpers (sandbox bans require/fs/path/child_process/process — the
+// old require("./_lib.js")+require("path") crashed this on first eval, TD-113). CLI calls
+// delegate to an agent's Bash; file reads (scope.md/tasks.md) move INTO the worker agent
+// (it has Read). args arrives as a JSON STRING in this runtime. See gsd-t-scan.workflow.js.
+const _args = (typeof args === "string") ? (() => { try { return JSON.parse(args); } catch { return {}; } })() : (args || {});
+const _CLI_ENVELOPE_SCHEMA = {
+  type: "object", required: ["ok", "exitCode"], additionalProperties: true,
+  properties: { ok: { type: "boolean" }, exitCode: { type: "integer" }, envelope: {}, stdout: { type: "string" }, stderr: { type: "string" }, via: { type: "string" } },
+};
+async function runCli(projectDir, subcmd, argv, localBin, label, parseJson = true, phaseName) {
+  const argStr = (argv || []).map((a) => `'${String(a).replace(/'/g, "'\\''")}'`).join(" ");
+  const prompt = [
+    `Run a GSD-T CLI command for the project at \`${projectDir}\` and report the result. Steps:`,
+    `1. If \`${projectDir}/bin/${localBin}\` exists, run: \`node ${projectDir}/bin/${localBin} ${argStr}\` (set via="local"). Otherwise run: \`gsd-t ${subcmd} ${argStr}\` (set via="global"). Use cwd \`${projectDir}\`.`,
+    `2. Capture exit code (ok = exitCode 0) and stdout/stderr.`,
+    parseJson ? `3. Parse stdout as JSON into \`envelope\` (null if not JSON). Return JSON per the schema.` : `3. Put stdout (trimmed, ≤4000 chars) in \`stdout\`. Return JSON per the schema.`,
+    `Do NOT do any other work. ONLY run this one command and report.`,
+  ].join("\n");
+  const opts = { label, schema: _CLI_ENVELOPE_SCHEMA, model: "haiku" };
+  if (phaseName) opts.phase = phaseName;
+  const r = await agent(prompt, opts).catch((e) => ({ ok: false, exitCode: -1, envelope: null, stderr: String(e && e.message), via: "error" }));
+  return r || { ok: false, exitCode: -1, envelope: null, via: "error" };
+}
+async function runPreflight(projectDir, label = "preflight", phaseName) { return runCli(projectDir, "preflight", ["--json"], "cli-preflight.cjs", label, true, phaseName); }
+async function runVerifyGate(projectDir, label = "verify-gate", phaseName) { return runCli(projectDir, "verify-gate", ["--json"], "gsd-t-verify-gate.cjs", label, true, phaseName); }
+async function proveFileDisjointness(projectDir, domains, label = "disjointness", phaseName) {
+  const argv = ["--dry-run"];
+  for (const d of (domains || [])) { argv.push("--domain", d); }
+  return runCli(projectDir, "parallel", argv, "gsd-t-parallel.cjs", label, false, phaseName);
+}
+async function generateBrief(projectDir, { kind = "execute", milestone, domain, id, label = "brief", phaseName } = {}) {
+  const argv = ["--kind", kind, "--spawn-id", id, "--out", `${projectDir}/.gsd-t/briefs/${id}.json`];
+  if (milestone) argv.push("--milestone", milestone);
+  if (domain) argv.push("--domain", domain);
+  const r = await runCli(projectDir, "brief", argv, "gsd-t-context-brief.cjs", label, false, phaseName);
+  return { ok: r.ok, briefPath: `${projectDir}/.gsd-t/briefs/${id}.json`, via: r.via };
+}
 
-const projectDir = (args && args.projectDir) || ".";
-const milestone  = (args && args.milestone)  || null;
-const domains    = (args && Array.isArray(args.domains) && args.domains) || [];
+const projectDir = _args.projectDir || ".";
+const milestone  = _args.milestone || null;
+const domains    = (Array.isArray(_args.domains) && _args.domains) || [];
 
 if (!milestone) {
   log("execute: no milestone provided — args.milestone is required");
@@ -83,7 +118,7 @@ if (!domains.length) {
 
 phase("Preflight");
 log(`execute: milestone=${milestone}, domains=${domains.length}`);
-const pre = lib.runPreflight({ projectDir });
+const pre = await runPreflight(projectDir);
 if (!pre.ok) {
   log(`preflight FAIL — exitCode=${pre.exitCode}: ${pre.stderr || "(no stderr)"}`);
   return { status: "failed", reason: "preflight-failed", preflight: pre.envelope };
@@ -93,7 +128,7 @@ log(`preflight OK`);
 phase("Disjointness");
 // 4.8-audit fix: scope disjointness to the requested domain set, not the whole project.
 // Without this, an unrelated DRAFT domain elsewhere in the project could flip the result.
-const disj = lib.proveFileDisjointness({ projectDir, domains });
+const disj = await proveFileDisjointness(projectDir, domains);
 if (!disj.ok) {
   log(`disjointness FAIL — exitCode=${disj.exitCode}: ${disj.stderr || disj.stdout}`);
   return { status: "failed", reason: "non-disjoint" };
@@ -105,32 +140,22 @@ const domainResults = await parallel(
   domains.map((domain) => async () => {
     // 4.8-audit fix: per-domain brief (M55-D2 brief-per-spawn semantic) — each worker
     // gets a brief scoped to its own domain so grep-the-brief is most effective.
-    const domBrief = lib.generateBrief({ kind: "execute", milestone, domain, projectDir });
-    const briefRef = domBrief.ok
-      ? domBrief.briefPath
-      : "(brief generation failed — re-walk repo)";
-
-    // 4.8-audit fix: do NOT truncate scope/tasks. The worker is being told to "execute
-    // every task" — silently dropping tail content is a correctness regression. Briefs
-    // are the compression layer; raw scope/tasks must pass whole.
-    const scope = lib.readScope({ projectDir, domain }) || "(scope.md missing)";
-    const tasks = lib.readDomainTasks({ projectDir, domain }) || "(tasks.md missing)";
+    // M81: generated via an awaited agent (sandbox-safe); the worker reads its own
+    // scope.md/tasks.md (it has Read) instead of the orchestrator pre-reading via fs.
+    const domBrief = await generateBrief(projectDir, { kind: "execute", milestone, domain, id: `execute-${(milestone || "m").toLowerCase()}-${domain}`, phaseName: "Domains", label: `brief:${domain}` });
+    const briefRef = domBrief.ok ? domBrief.briefPath : "(brief generation failed — re-walk repo)";
+    const scopePath = `${projectDir}/.gsd-t/domains/${domain}/scope.md`;
+    const tasksPath = `${projectDir}/.gsd-t/domains/${domain}/tasks.md`;
     const prompt = [
       `You are the worker agent for the GSD-T domain \`${domain}\` in milestone \`${milestone}\`.`,
       ``,
-      `Your job: execute every task listed under "## Tasks" in this domain's tasks.md, respecting the file ownership in scope.md.`,
+      `FIRST, read these two files in full (do NOT skip or truncate them):`,
+      `- Scope (your owned files): \`${scopePath}\``,
+      `- Tasks: \`${tasksPath}\``,
       ``,
-      `**Brief (REQUIRED READ):** ${briefRef} — if present, grep this JSON first instead of re-reading CLAUDE.md and contracts.`,
-      ``,
-      `**Scope (your owned files):**`,
-      "```",
-      scope,
-      "```",
+      `Your job: execute every task listed under "## Tasks" in tasks.md, respecting the file ownership in scope.md.`,
       ``,
-      `**Tasks:**`,
-      "```",
-      tasks,
-      "```",
+      `**Brief (REQUIRED READ):** ${briefRef} — if present, grep this JSON first instead of re-reading CLAUDE.md and contracts.`,
       ``,
       `Constraints:`,
       `- Touch only files in your scope's "Owned Files" list.`,
@@ -194,7 +219,7 @@ if (integrate.status === "failed") {
 }
 
 phase("Verify-Gate");
-const vg = lib.runVerifyGate({ projectDir });
+const vg = await runVerifyGate(projectDir);
 log(`verify-gate exitCode=${vg.exitCode} ok=${vg.ok}`);
 
 return {

package/templates/workflows/gsd-t-integrate.workflow.js

@@ -16,11 +16,41 @@ export const meta = {
   ],
 };
 
-const lib = require("./_lib.js");
+// M81: runtime-native helpers (sandbox bans require/fs/child_process/process — the old
+// require("./_lib.js") crashed this workflow on first eval, TD-113). Delegate CLI calls
+// to an agent's Bash; args arrives as a JSON STRING in this runtime. See gsd-t-scan.workflow.js.
+const _args = (typeof args === "string") ? (() => { try { return JSON.parse(args); } catch { return {}; } })() : (args || {});
+const _CLI_ENVELOPE_SCHEMA = {
+  type: "object", required: ["ok", "exitCode"], additionalProperties: true,
+  properties: { ok: { type: "boolean" }, exitCode: { type: "integer" }, envelope: {}, stdout: { type: "string" }, stderr: { type: "string" }, via: { type: "string" } },
+};
+async function runCli(projectDir, subcmd, argv, localBin, label, parseJson = true, phaseName) {
+  const argStr = (argv || []).map((a) => `'${String(a).replace(/'/g, "'\\''")}'`).join(" ");
+  const prompt = [
+    `Run a GSD-T CLI command for the project at \`${projectDir}\` and report the result. Steps:`,
+    `1. If \`${projectDir}/bin/${localBin}\` exists, run: \`node ${projectDir}/bin/${localBin} ${argStr}\` (set via="local"). Otherwise run: \`gsd-t ${subcmd} ${argStr}\` (set via="global"). Use cwd \`${projectDir}\`.`,
+    `2. Capture exit code (ok = exitCode 0) and stdout/stderr.`,
+    parseJson ? `3. Parse stdout as JSON into \`envelope\` (null if not JSON). Return JSON per the schema.` : `3. Put stdout (trimmed, ≤4000 chars) in \`stdout\`. Return JSON per the schema.`,
+    `Do NOT do any other work. ONLY run this one command and report.`,
+  ].join("\n");
+  const opts = { label, schema: _CLI_ENVELOPE_SCHEMA, model: "haiku" };
+  if (phaseName) opts.phase = phaseName;
+  const r = await agent(prompt, opts).catch((e) => ({ ok: false, exitCode: -1, envelope: null, stderr: String(e && e.message), via: "error" }));
+  return r || { ok: false, exitCode: -1, envelope: null, via: "error" };
+}
+async function runPreflight(projectDir, label = "preflight", phaseName) { return runCli(projectDir, "preflight", ["--json"], "cli-preflight.cjs", label, true, phaseName); }
+async function runVerifyGate(projectDir, label = "verify-gate", phaseName) { return runCli(projectDir, "verify-gate", ["--json"], "gsd-t-verify-gate.cjs", label, true, phaseName); }
+async function generateBrief(projectDir, { kind = "execute", milestone, domain, id, label = "brief", phaseName } = {}) {
+  const argv = ["--kind", kind, "--spawn-id", id, "--out", `${projectDir}/.gsd-t/briefs/${id}.json`];
+  if (milestone) argv.push("--milestone", milestone);
+  if (domain) argv.push("--domain", domain);
+  const r = await runCli(projectDir, "brief", argv, "gsd-t-context-brief.cjs", label, false, phaseName);
+  return { ok: r.ok, briefPath: `${projectDir}/.gsd-t/briefs/${id}.json`, via: r.via };
+}
 
-const projectDir = (args && args.projectDir) || ".";
-const milestone  = (args && args.milestone) || null;
-const domains    = (args && args.domains) || [];
+const projectDir = _args.projectDir || ".";
+const milestone  = _args.milestone || null;
+const domains    = _args.domains || [];
 
 const INTEGRATE_SCHEMA = {
   type: "object",
@@ -38,9 +68,9 @@ if (!milestone || !domains.length) {
 }
 
 phase("Preflight");
-const pre = lib.runPreflight({ projectDir });
+const pre = await runPreflight(projectDir);
 if (!pre.ok) return { status: "failed", reason: "preflight-failed", preflight: pre.envelope };
-const brief = lib.generateBrief({ kind: "execute", milestone, projectDir });
+const brief = await generateBrief(projectDir, { kind: "execute", milestone, id: `integrate-${(milestone || "m").toLowerCase()}` });
 
 phase("Integrate");
 const integrate = await agent(
@@ -63,7 +93,7 @@ if (integrate.status === "failed") {
 }
 
 phase("Verify-Gate");
-const vg = lib.runVerifyGate({ projectDir });
+const vg = await runVerifyGate(projectDir);
 return {
   status: vg.ok ? "complete" : "verify-failed",
   integrate,

package/templates/workflows/gsd-t-phase.workflow.js

@@ -26,7 +26,36 @@ export const meta = {
   ],
 };
 
-const lib = require("./_lib.js");
+// M81: runtime-native helpers (sandbox bans require/fs/child_process/process — the old
+// require("./_lib.js") crashed this workflow on first eval, TD-113). Delegate CLI calls
+// to an agent's Bash; args arrives as a JSON STRING in this runtime. See gsd-t-scan.workflow.js.
+const _args = (typeof args === "string") ? (() => { try { return JSON.parse(args); } catch { return {}; } })() : (args || {});
+const _CLI_ENVELOPE_SCHEMA = {
+  type: "object", required: ["ok", "exitCode"], additionalProperties: true,
+  properties: { ok: { type: "boolean" }, exitCode: { type: "integer" }, envelope: {}, stdout: { type: "string" }, stderr: { type: "string" }, via: { type: "string" } },
+};
+async function runCli(projectDir, subcmd, argv, localBin, label, parseJson = true, phaseNameOpt) {
+  const argStr = (argv || []).map((a) => `'${String(a).replace(/'/g, "'\\''")}'`).join(" ");
+  const prompt = [
+    `Run a GSD-T CLI command for the project at \`${projectDir}\` and report the result. Steps:`,
+    `1. If \`${projectDir}/bin/${localBin}\` exists, run: \`node ${projectDir}/bin/${localBin} ${argStr}\` (set via="local"). Otherwise run: \`gsd-t ${subcmd} ${argStr}\` (set via="global"). Use cwd \`${projectDir}\`.`,
+    `2. Capture exit code (ok = exitCode 0) and stdout/stderr.`,
+    parseJson ? `3. Parse stdout as JSON into \`envelope\` (null if not JSON). Return JSON per the schema.` : `3. Put stdout (trimmed, ≤4000 chars) in \`stdout\`. Return JSON per the schema.`,
+    `Do NOT do any other work. ONLY run this one command and report.`,
+  ].join("\n");
+  const opts = { label, schema: _CLI_ENVELOPE_SCHEMA, model: "haiku" };
+  if (phaseNameOpt) opts.phase = phaseNameOpt;
+  const r = await agent(prompt, opts).catch((e) => ({ ok: false, exitCode: -1, envelope: null, stderr: String(e && e.message), via: "error" }));
+  return r || { ok: false, exitCode: -1, envelope: null, via: "error" };
+}
+async function runPreflight(projectDir, label = "preflight", phaseNameOpt) { return runCli(projectDir, "preflight", ["--json"], "cli-preflight.cjs", label, true, phaseNameOpt); }
+async function generateBrief(projectDir, { kind = "execute", milestone, domain, id, label = "brief", phaseNameOpt } = {}) {
+  const argv = ["--kind", kind, "--spawn-id", id, "--out", `${projectDir}/.gsd-t/briefs/${id}.json`];
+  if (milestone) argv.push("--milestone", milestone);
+  if (domain) argv.push("--domain", domain);
+  const r = await runCli(projectDir, "brief", argv, "gsd-t-context-brief.cjs", label, false, phaseNameOpt);
+  return { ok: r.ok, briefPath: `${projectDir}/.gsd-t/briefs/${id}.json`, via: r.via };
+}
 
 const VALID_PHASES = [
   "partition", "plan", "discuss", "impact",
@@ -45,10 +74,10 @@ const PHASE_RESULT_SCHEMA = {
   },
 };
 
-const projectDir = (args && args.projectDir) || ".";
-const milestone  = (args && args.milestone)  || null;
-const userInput  = (args && args.userInput)  || "";
-const phaseName  = args && args.phase;
+const projectDir = _args.projectDir || ".";
+const milestone  = _args.milestone || null;
+const userInput  = _args.userInput || "";
+const phaseName  = _args.phase;
 
 if (!phaseName || !VALID_PHASES.includes(phaseName)) {
   log(`phase: args.phase must be one of: ${VALID_PHASES.join(", ")}`);
@@ -56,9 +85,9 @@ if (!phaseName || !VALID_PHASES.includes(phaseName)) {
 }
 
 phase("Preflight");
-const pre = lib.runPreflight({ projectDir });
+const pre = await runPreflight(projectDir);
 if (!pre.ok) return { status: "failed", reason: "preflight-failed", preflight: pre.envelope };
-const brief = lib.generateBrief({ kind: phaseName, milestone, projectDir });
+const brief = await generateBrief(projectDir, { kind: phaseName, milestone, id: `${phaseName}-${(milestone || "m").toLowerCase()}` });
 
 phase("Phase");
 const promptByPhase = {

package/templates/workflows/gsd-t-quick.workflow.js

@@ -16,11 +16,63 @@ export const meta = {
   ],
 };
 
-const lib = require("./_lib.js");
+// M81: runtime-native helpers. The Anthropic Workflow sandbox provides ONLY the
+// globals agent/parallel/pipeline/log/phase/budget/args — NO require/fs/path/
+// child_process/process. The old `require("./_lib.js")` threw ReferenceError on first
+// eval, so EVERY workflow except scan silently crashed and never ran (TD-113, confirmed
+// by the NiceNote session 2026-06-05). These inline helpers delegate the CLI calls to an
+// agent() that runs them via Bash (preferring project-local bin/<tool>.cjs, falling back
+// to the global `gsd-t` PATH binary), parsing the JSON envelope — same brains, sandbox-safe
+// invocation. The args global also arrives as a JSON STRING in this runtime, so parse it.
+const _args = (typeof args === "string") ? (() => { try { return JSON.parse(args); } catch { return {}; } })() : (args || {});
 
-const projectDir = (args && args.projectDir) || ".";
-const task = (args && args.task) || null;
-const model = (args && args.model) || "sonnet";
+const _CLI_ENVELOPE_SCHEMA = {
+  type: "object", required: ["ok", "exitCode"], additionalProperties: true,
+  properties: {
+    ok: { type: "boolean" }, exitCode: { type: "integer" },
+    envelope: {}, stdout: { type: "string" }, stderr: { type: "string" }, via: { type: "string" },
+  },
+};
+// Run a `gsd-t <subcmd>` CLI (or project-local bin/<localBin>) via an agent's Bash and
+// return { ok, exitCode, envelope, stderr, via }. parseJson=true parses stdout as the envelope.
+async function runCli(projectDir, subcmd, argv, localBin, label, parseJson = true, phaseName) {
+  const argStr = (argv || []).map((a) => `'${String(a).replace(/'/g, "'\\''")}'`).join(" ");
+  const prompt = [
+    `Run a GSD-T CLI command for the project at \`${projectDir}\` and report the result. Steps:`,
+    `1. If \`${projectDir}/bin/${localBin}\` exists, run: \`node ${projectDir}/bin/${localBin} ${argStr}\` (set via="local").`,
+    `   Otherwise run: \`gsd-t ${subcmd} ${argStr}\` (set via="global").`,
+    `   Run it with cwd \`${projectDir}\` (use \`cd ${projectDir} && …\` or \`-C\`/\`--cwd\` as appropriate).`,
+    `2. Capture the exit code (ok = exitCode 0) and stdout/stderr.`,
+    parseJson
+      ? `3. Parse stdout as JSON into \`envelope\` (null if not JSON). Return JSON per the schema.`
+      : `3. Put stdout (trimmed, ≤4000 chars) in \`stdout\`. Return JSON per the schema.`,
+    `Do NOT do any other work. ONLY run this one command and report.`,
+  ].join("\n");
+  const opts = { label, schema: _CLI_ENVELOPE_SCHEMA, model: "haiku" };
+  if (phaseName) opts.phase = phaseName; // opts.phase MUST be a string, never the phase() fn
+  const r = await agent(prompt, opts)
+    .catch((e) => ({ ok: false, exitCode: -1, envelope: null, stderr: String(e && e.message), via: "error" }));
+  return r || { ok: false, exitCode: -1, envelope: null, via: "error" };
+}
+async function runPreflight(projectDir, label = "preflight", phaseName) {
+  return runCli(projectDir, "preflight", ["--json"], "cli-preflight.cjs", label, true, phaseName);
+}
+async function runVerifyGate(projectDir, label = "verify-gate", phaseName) {
+  return runCli(projectDir, "verify-gate", ["--json"], "gsd-t-verify-gate.cjs", label, true, phaseName);
+}
+// Brief generation: writes .gsd-t/briefs/<id>.json and returns its path. The id must be
+// caller-supplied (no Date.now/Math.random in the sandbox) — pass a stable id per spawn.
+async function generateBrief(projectDir, { kind = "execute", milestone, domain, id, label = "brief", phaseName } = {}) {
+  const argv = ["--kind", kind, "--spawn-id", id, "--out", `${projectDir}/.gsd-t/briefs/${id}.json`];
+  if (milestone) argv.push("--milestone", milestone);
+  if (domain) argv.push("--domain", domain);
+  const r = await runCli(projectDir, "brief", argv, "gsd-t-context-brief.cjs", label, false, phaseName);
+  return { ok: r.ok, briefPath: `${projectDir}/.gsd-t/briefs/${id}.json`, via: r.via };
+}
+
+const projectDir = _args.projectDir || ".";
+const task = _args.task || null;
+const model = _args.model || "sonnet";
 
 const QUICK_SCHEMA = {
   type: "object",
@@ -38,9 +90,9 @@ if (!task) {
 }
 
 phase("Preflight");
-const pre = lib.runPreflight({ projectDir });
+const pre = await runPreflight(projectDir);
 if (!pre.ok) return { status: "failed", reason: "preflight-failed", preflight: pre.envelope };
-const brief = lib.generateBrief({ kind: "execute", projectDir });
+const brief = await generateBrief(projectDir, { kind: "execute", id: "quick-brief" });
 
 phase("Execute");
 const result = await agent(
@@ -64,7 +116,7 @@ if (result.status === "failed" || result.status === "blocked") {
 }
 
 phase("Verify");
-const vg = lib.runVerifyGate({ projectDir });
+const vg = await runVerifyGate(projectDir);
 return {
   status: vg.ok ? "complete" : "verify-failed",
   result,

package/templates/workflows/gsd-t-verify.workflow.js

@@ -30,12 +30,55 @@ export const meta = {
   ],
 };
 
-const lib = require("./_lib.js");
+// M81: runtime-native helpers (sandbox bans require/fs/path/child_process/process — the
+// old require("./_lib.js") + the inline require("child_process"/"fs"/"path") in the
+// CI-parity block crashed this on first eval, TD-113). All CLI calls (preflight,
+// verify-gate, build-coverage, ci-parity, test-data) delegate to an agent's Bash; the
+// QA/Red-Team protocol bodies are read by an agent (Read) instead of fs. args arrives as
+// a JSON STRING in this runtime. See gsd-t-scan.workflow.js.
+const _args = (typeof args === "string") ? (() => { try { return JSON.parse(args); } catch { return {}; } })() : (args || {});
+const _CLI_ENVELOPE_SCHEMA = {
+  type: "object", required: ["ok", "exitCode"], additionalProperties: true,
+  properties: { ok: { type: "boolean" }, exitCode: { type: "integer" }, envelope: {}, stdout: { type: "string" }, stderr: { type: "string" }, via: { type: "string" } },
+};
+async function runCli(projectDir, subcmd, argv, localBin, label, parseJson = true, phaseName) {
+  const argStr = (argv || []).map((a) => `'${String(a).replace(/'/g, "'\\''")}'`).join(" ");
+  const prompt = [
+    `Run a GSD-T CLI command for the project at \`${projectDir}\` and report the result. Steps:`,
+    `1. If \`${projectDir}/bin/${localBin}\` exists, run: \`node ${projectDir}/bin/${localBin} ${argStr}\` (set via="local"). Otherwise run: \`gsd-t ${subcmd} ${argStr}\` (set via="global"). Use cwd \`${projectDir}\`.`,
+    `2. Capture exit code (ok = exitCode 0) and stdout/stderr.`,
+    parseJson ? `3. Parse stdout as JSON into \`envelope\` (null if not JSON). Return JSON per the schema.` : `3. Put stdout (trimmed, ≤4000 chars) in \`stdout\`. Return JSON per the schema.`,
+    `Do NOT do any other work. ONLY run this one command and report.`,
+  ].join("\n");
+  const opts = { label, schema: _CLI_ENVELOPE_SCHEMA, model: "haiku" };
+  if (phaseName) opts.phase = phaseName;
+  const r = await agent(prompt, opts).catch((e) => ({ ok: false, exitCode: -1, envelope: null, stderr: String(e && e.message), via: "error" }));
+  return r || { ok: false, exitCode: -1, envelope: null, via: "error" };
+}
+async function runPreflight(projectDir, label = "preflight", phaseName) { return runCli(projectDir, "preflight", ["--json"], "cli-preflight.cjs", label, true, phaseName); }
+async function runVerifyGate(projectDir, label = "verify-gate", phaseName) { return runCli(projectDir, "verify-gate", ["--json"], "gsd-t-verify-gate.cjs", label, true, phaseName); }
+async function generateBrief(projectDir, { kind = "verify", milestone, domain, id, label = "brief", phaseName } = {}) {
+  const argv = ["--kind", kind, "--spawn-id", id, "--out", `${projectDir}/.gsd-t/briefs/${id}.json`];
+  if (milestone) argv.push("--milestone", milestone);
+  if (domain) argv.push("--domain", domain);
+  const r = await runCli(projectDir, "brief", argv, "gsd-t-context-brief.cjs", label, false, phaseName);
+  return { ok: r.ok, briefPath: `${projectDir}/.gsd-t/briefs/${id}.json`, via: r.via };
+}
+// The QA / Red-Team / design-verify protocol bodies live at templates/prompts/<name>-subagent.md
+// inside the installed @tekyzinc/gsd-t package. The orchestrator can't read files (no fs); each
+// triad agent reads its OWN protocol via Read at spawn time. loadProtocol returns a Read-instruction
+// the agent prompt embeds, rather than the protocol text itself.
+function loadProtocolInstruction(name) {
+  const rel = `templates/prompts/${name}-subagent.md`;
+  // Locate the protocol inside the installed @tekyzinc/gsd-t package using ONLY shell
+  // (no require/fs tokens — those trip the runtime-native lint even inside a string).
+  return `Read your protocol FIRST. Find it by running in Bash: \`cat "$(npm root -g)/@tekyzinc/gsd-t/${rel}"\` (or, if a project-local \`${rel}\` exists, read that instead). Follow that protocol exactly.`;
+}
 
-const projectDir = (args && args.projectDir) || ".";
-const milestone  = (args && args.milestone)  || null;
-const skipUltra  = (args && args.skipUltra)  || false;
-const skipUltraReason = (args && args.skipUltraReason) || null;
+const projectDir = _args.projectDir || ".";
+const milestone  = _args.milestone || null;
+const skipUltra  = _args.skipUltra || false;
+const skipUltraReason = _args.skipUltraReason || null;
 
 // 4.8-audit fix: skipUltra requires a recorded reason per
 // orthogonal-validation-contract.md Rule #2. Refuse without one.
@@ -153,15 +196,15 @@ if (!milestone) {
 }
 
 phase("Preflight");
-const pre = lib.runPreflight({ projectDir });
+const pre = await runPreflight(projectDir);
 if (!pre.ok) {
   log(`preflight FAIL — halting verify`);
   return { status: "failed", reason: "preflight-failed", preflight: pre.envelope };
 }
-const brief = lib.generateBrief({ kind: "verify", milestone, projectDir });
+const brief = await generateBrief(projectDir, { kind: "verify", milestone, id: `verify-${(milestone || "m").toLowerCase()}` });
 
 phase("Verify-Gate");
-const vg = lib.runVerifyGate({ projectDir });
+const vg = await runVerifyGate(projectDir);
 if (!vg.ok) {
   log(`verify-gate FAIL exitCode=${vg.exitCode} — halting before triad`);
   return {
@@ -179,36 +222,16 @@ log(`verify-gate green`);
 // from Dockerfile COPY — silent CI-divergence regression. M57 made this gate
 // mandatory; Workflow MUST preserve it or we re-introduce that exact failure.
 // Detected by user/worker in parallel session 2026-05-29 13:00.
+// M81: these were raw spawnSync + require("fs"/"path"/"child_process") in the orchestrator
+// — the exact sandbox-forbidden pattern (TD-113). Now awaited runCli agent calls. The
+// FAIL-blocking semantics are UNCHANGED: a non-zero exit halts verify before the triad.
 phase("CI-Parity");
-const { spawnSync } = require("child_process");
-function _runJsonCli(subcmd, argv = []) {
-  // Use _lib-style resolution — prefer project-local bin/<tool>.cjs
-  const fsMod = require("fs");
-  const pMod = require("path");
-  const localMap = {
-    "build-coverage": "gsd-t-build-coverage.cjs",
-    "ci-parity":      "gsd-t-ci-parity.cjs",
-    "test-data":      "gsd-t-test-data-ledger.cjs",
-  };
-  const local = pMod.join(projectDir, "bin", localMap[subcmd] || "");
-  const cmd = fsMod.existsSync(local) ? process.execPath : "gsd-t";
-  const args = fsMod.existsSync(local) ? [local, ...argv] : [subcmd, ...argv];
-  const r = spawnSync(cmd, args, { cwd: projectDir, stdio: "pipe" });
-  let envelope = null;
-  try { envelope = r.stdout ? JSON.parse(r.stdout.toString()) : null; } catch (_) {}
-  return {
-    ok: r.status === 0,
-    exitCode: r.status,
-    envelope,
-    stderr: r.stderr && r.stderr.toString(),
-  };
-}
-const bc = _runJsonCli("build-coverage", ["--json"]);
+const bc = await runCli(projectDir, "build-coverage", ["--json"], "gsd-t-build-coverage.cjs", "m57:build-coverage", true, "CI-Parity");
 if (!bc.ok) {
   log(`M57 build-coverage FAIL exitCode=${bc.exitCode} — halting (FAIL-blocking)`);
   return { status: "ci-parity-failed", overallVerdict: "VERIFY-FAILED", buildCoverage: bc.envelope };
 }
-const cip = _runJsonCli("ci-parity", ["--json"]);
+const cip = await runCli(projectDir, "ci-parity", ["--json"], "gsd-t-ci-parity.cjs", "m57:ci-parity", true, "CI-Parity");
 if (!cip.ok) {
   log(`M57 ci-parity FAIL exitCode=${cip.exitCode} — halting (FAIL-blocking)`);
   return { status: "ci-parity-failed", overallVerdict: "VERIFY-FAILED", ciParity: cip.envelope };
@@ -221,8 +244,10 @@ log(`M57 CI-parity gate green`);
 // live in production data. M58 made post-E2E purge mandatory; M60 hardened
 // the adapters against empty-prefix bypass. Workflow MUST preserve.
 phase("Test-Data Purge");
-const verifyRunId = `verify-${milestone || "M??"}-${Date.now().toString(36)}`;
-const td = _runJsonCli("test-data", ["--purge", "--run", verifyRunId, "--json"]);
+// M81: run-id is stable per verify run (no Date.now in the sandbox); the milestone scope
+// is sufficient for purge targeting and is deterministic on resume.
+const verifyRunId = `verify-${(milestone || "M__").toLowerCase()}`;
+const td = await runCli(projectDir, "test-data", ["--purge", "--run", verifyRunId, "--json"], "gsd-t-test-data-ledger.cjs", "m58:test-data-purge", true, "Test-Data Purge");
 if (!td.ok) {
   log(`M58 test-data purge FAIL exitCode=${td.exitCode} — halting (FAIL-blocking)`);
   return { status: "test-data-purge-failed", overallVerdict: "VERIFY-FAILED", testDataPurge: td.envelope };
@@ -233,10 +258,11 @@ phase("Orthogonal Triad");
 
 const briefRef = brief.briefPath || "(brief generation failed — re-walk repo)";
 
-// Load the methodology protocols KEPT in templates/prompts/. The protocol body
-// IS the methodology — Workflow just hosts the agent() call.
-const redTeamProtocol = lib.loadProtocol("red-team");
-const qaProtocol = lib.loadProtocol("qa");
+// M81: the protocol body lives in templates/prompts/<name>-subagent.md inside the installed
+// package; the orchestrator can't read files (no fs). Each triad agent reads its OWN
+// protocol via Read at spawn time — loadProtocolInstruction returns the Read directive.
+const redTeamProtocolInstruction = loadProtocolInstruction("red-team");
+const qaProtocolInstruction = loadProtocolInstruction("qa");
 
 const stages = [
   // Stage A — /code-review ultra (cooperative correctness + cleanup)
@@ -273,10 +299,7 @@ const stages = [
       `**adversarial / security / boundaries**. You are NOT cooperative — your`,
       `success is measured in bugs FOUND, not tests passed. Try to break the code.`,
       ``,
-      `Run the Red Team protocol:`,
-      "----- BEGIN RED TEAM PROTOCOL -----",
-      redTeamProtocol.slice(0, 8000),
-      "----- END RED TEAM PROTOCOL -----",
+      `Run the Red Team protocol. ${redTeamProtocolInstruction}`,
       ``,
       `Verdict is FAIL if you found any CRITICAL or HIGH severity bug; GRUDGING-PASS`,
       `if you searched exhaustively and found nothing. Return JSON per the schema.`,
@@ -296,10 +319,7 @@ const stages = [
       `counts. Detect shallow tests (layout-only assertions that pass on an empty HTML page).`,
       `Verify contract compliance against .gsd-t/contracts/.`,
       ``,
-      `Run the QA protocol:`,
-      "----- BEGIN QA PROTOCOL -----",
-      qaProtocol.slice(0, 8000),
-      "----- END QA PROTOCOL -----",
+      `Run the QA protocol. ${qaProtocolInstruction}`,
       ``,
       `Return JSON per the schema.`,
     ].join("\n"),

package/templates/workflows/gsd-t-wave.workflow.js

@@ -14,11 +14,14 @@ export const meta = {
   ],
 };
 
-const lib = require("./_lib.js");
+// M81: this workflow only composes sub-workflows (execute + verify) — it never used
+// lib.*, but the `require("./_lib.js")` import alone crashed it on first eval in the
+// sandbox (TD-113). Removed. args arrives as a JSON STRING in this runtime, so parse it.
+const _args = (typeof args === "string") ? (() => { try { return JSON.parse(args); } catch { return {}; } })() : (args || {});
 
-const projectDir = (args && args.projectDir) || ".";
-const milestone  = (args && args.milestone)  || null;
-const domains    = (args && args.domains)    || [];
+const projectDir = _args.projectDir || ".";
+const milestone  = _args.milestone || null;
+const domains    = _args.domains || [];
 
 if (!milestone || !domains.length) {
   log("wave: args.milestone and args.domains required");