@useorgx/openclaw-plugin 0.4.0 → 0.4.3

package/dist/http-handler.js

@@ -30,6 +30,7 @@ import { getAgentRun, markAgentRunStopped, readAgentRuns, upsertAgentRun, } from
 import { readByokKeys, writeByokKeys } from "./byok-store.js";
 import { computeMilestoneRollup, computeWorkstreamRollup, } from "./reporting/rollups.js";
 import { listRuntimeInstances, resolveRuntimeHookToken, upsertRuntimeInstanceFromHook, } from "./runtime-instance-store.js";
+import { readOpenClawSettingsSnapshot, resolvePreferredOpenClawProvider, } from "./openclaw-settings.js";
 // =============================================================================
 // Helpers
 // =============================================================================
@@ -203,48 +204,60 @@ async function setOpenClawAgentModel(input) {
     }
 }
 async function listOpenClawProviderModels(input) {
-    const result = await runCommandCollect({
-        command: "openclaw",
-        args: [
-            "models",
-            "--agent",
-            input.agentId,
-            "list",
-            "--provider",
-            input.provider,
-            "--json",
-        ],
-        timeoutMs: 10_000,
-        env: resolveByokEnvOverrides(),
-    });
-    if (result.exitCode !== 0) {
-        throw new Error(result.stderr.trim() || "openclaw models list failed");
-    }
-    const parsed = parseJsonSafe(result.stdout);
-    if (!parsed || typeof parsed !== "object") {
-        const trimmed = result.stdout.trim();
-        if (!trimmed || /no models found/i.test(trimmed)) {
-            return [];
-        }
-        throw new Error("openclaw models list returned invalid JSON");
-    }
-    const modelsRaw = "models" in parsed && Array.isArray(parsed.models)
-        ? parsed.models
-        : [];
-    return modelsRaw
-        .map((entry) => {
-        if (!entry || typeof entry !== "object")
-            return null;
-        const row = entry;
-        const key = typeof row.key === "string" ? row.key.trim() : "";
-        const tags = Array.isArray(row.tags)
-            ? row.tags.filter((t) => typeof t === "string")
+    const providerArgs = input.provider === "openai" ? ["openai-codex", "openai"] : [input.provider];
+    let lastError = null;
+    for (const providerArg of providerArgs) {
+        const result = await runCommandCollect({
+            command: "openclaw",
+            args: [
+                "models",
+                "--agent",
+                input.agentId,
+                "list",
+                "--provider",
+                providerArg,
+                "--json",
+            ],
+            timeoutMs: 10_000,
+            env: resolveByokEnvOverrides(),
+        });
+        if (result.exitCode !== 0) {
+            lastError = new Error(result.stderr.trim() || "openclaw models list failed");
+            continue;
+        }
+        const parsed = parseJsonSafe(result.stdout);
+        if (!parsed || typeof parsed !== "object") {
+            const trimmed = result.stdout.trim();
+            if (!trimmed || /no models found/i.test(trimmed)) {
+                if (providerArg === providerArgs[providerArgs.length - 1])
+                    return [];
+                continue;
+            }
+            lastError = new Error("openclaw models list returned invalid JSON");
+            continue;
+        }
+        const modelsRaw = "models" in parsed && Array.isArray(parsed.models)
+            ? parsed.models
             : [];
-        if (!key)
-            return null;
-        return { key, tags };
-    })
-        .filter((entry) => Boolean(entry));
+        const models = modelsRaw
+            .map((entry) => {
+            if (!entry || typeof entry !== "object")
+                return null;
+            const row = entry;
+            const key = typeof row.key === "string" ? row.key.trim() : "";
+            const tags = Array.isArray(row.tags)
+                ? row.tags.filter((t) => typeof t === "string")
+                : [];
+            if (!key)
+                return null;
+            return { key, tags };
+        })
+            .filter((entry) => Boolean(entry));
+        if (models.length > 0 || providerArg === providerArgs[providerArgs.length - 1]) {
+            return models;
+        }
+    }
+    throw lastError ?? new Error("openclaw models list failed");
 }
 function pickPreferredModel(models) {
     if (models.length === 0)
@@ -256,7 +269,7 @@ async function configureOpenClawProviderRouting(input) {
     const requestedModel = (input.requestedModel ?? "").trim() || null;
     // Fast path: use known aliases where possible.
     const aliasByProvider = {
-        anthropic: "opus",
+        anthropic: "sonnet",
         openrouter: "sonnet",
         openai: null,
     };
@@ -281,6 +294,18 @@ async function configureOpenClawProviderRouting(input) {
     await setOpenClawAgentModel({ agentId: input.agentId, model: selected });
     return { provider: input.provider, model: selected };
 }
+function resolveAutoOpenClawProvider() {
+    try {
+        const settings = readOpenClawSettingsSnapshot();
+        const provider = resolvePreferredOpenClawProvider(settings.raw);
+        if (!provider)
+            return null;
+        return provider;
+    }
+    catch {
+        return null;
+    }
+}
 function isPidAlive(pid) {
     if (!Number.isFinite(pid) || pid <= 0)
         return false;
@@ -808,11 +833,30 @@ const CORS_HEADERS = {
     "Access-Control-Allow-Headers": "Content-Type, Authorization, X-OrgX-Api-Key, X-API-Key, X-OrgX-User-Id, X-OrgX-Hook-Token, X-Hook-Token",
     Vary: "Origin",
 };
+const CONTENT_SECURITY_POLICY = [
+    "default-src 'self'",
+    "base-uri 'self'",
+    "frame-ancestors 'none'",
+    "form-action 'self'",
+    "object-src 'none'",
+    "script-src 'self'",
+    "style-src 'self' 'unsafe-inline'",
+    "img-src 'self' data: blob:",
+    "font-src 'self' data:",
+    "media-src 'self'",
+    "connect-src 'self' https://*.useorgx.com https://*.openclaw.ai http://127.0.0.1:* http://localhost:*",
+].join("; ");
 const SECURITY_HEADERS = {
     "X-Content-Type-Options": "nosniff",
     "X-Frame-Options": "DENY",
     "Referrer-Policy": "same-origin",
+    "X-Robots-Tag": "noindex, nofollow, noarchive, nosnippet, noimageindex",
+    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=(), usb=(), midi=(), magnetometer=(), gyroscope=()",
+    "Cross-Origin-Opener-Policy": "same-origin",
     "Cross-Origin-Resource-Policy": "same-origin",
+    "Origin-Agent-Cluster": "?1",
+    "X-Permitted-Cross-Domain-Policies": "none",
+    "Content-Security-Policy": CONTENT_SECURITY_POLICY,
 };
 function normalizeHost(value) {
     return value.trim().toLowerCase().replace(/^\[|\]$/g, "");
@@ -1215,6 +1259,86 @@ function idempotencyKey(parts) {
     const suffix = stableHash(raw).slice(0, 20);
     return `${cleaned}:${suffix}`.slice(0, 120);
 }
+const ORGX_SKILL_BY_DOMAIN = {
+    engineering: "orgx-engineering-agent",
+    product: "orgx-product-agent",
+    marketing: "orgx-marketing-agent",
+    sales: "orgx-sales-agent",
+    operations: "orgx-operations-agent",
+    design: "orgx-design-agent",
+    orchestration: "orgx-orchestrator-agent",
+};
+function normalizeExecutionDomain(value) {
+    const raw = (value ?? "").trim().toLowerCase();
+    if (!raw)
+        return null;
+    if (raw === "orchestrator")
+        return "orchestration";
+    if (raw === "ops")
+        return "operations";
+    return Object.prototype.hasOwnProperty.call(ORGX_SKILL_BY_DOMAIN, raw)
+        ? raw
+        : null;
+}
+function inferExecutionDomainFromText(...values) {
+    const text = values
+        .map((value) => (value ?? "").trim().toLowerCase())
+        .filter((value) => value.length > 0)
+        .join(" ");
+    if (!text)
+        return "engineering";
+    if (/\b(marketing|campaign|copy|ad|content)\b/.test(text))
+        return "marketing";
+    if (/\b(sales|meddic|pipeline|deal|outreach)\b/.test(text))
+        return "sales";
+    if (/\b(design|ui|ux|brand|wcag)\b/.test(text))
+        return "design";
+    if (/\b(product|prd|roadmap|prioritization)\b/.test(text))
+        return "product";
+    if (/\b(ops|operations|incident|reliability|oncall|slo)\b/.test(text))
+        return "operations";
+    if (/\b(orchestration|dispatch|handoff)\b/.test(text))
+        return "orchestration";
+    return "engineering";
+}
+function deriveExecutionPolicy(taskNode, workstreamNode) {
+    const domainCandidate = taskNode.assignedAgents
+        .map((agent) => normalizeExecutionDomain(agent.domain))
+        .find((domain) => Boolean(domain)) ??
+        (workstreamNode
+            ? workstreamNode.assignedAgents
+                .map((agent) => normalizeExecutionDomain(agent.domain))
+                .find((domain) => Boolean(domain))
+            : null) ??
+        inferExecutionDomainFromText(taskNode.title, workstreamNode?.title ?? null);
+    const domain = normalizeExecutionDomain(domainCandidate) ?? "engineering";
+    const requiredSkill = ORGX_SKILL_BY_DOMAIN[domain] ?? ORGX_SKILL_BY_DOMAIN.engineering;
+    return { domain, requiredSkills: [requiredSkill] };
+}
+function spawnGuardIsRateLimited(result) {
+    if (!result || typeof result !== "object")
+        return false;
+    const record = result;
+    const checks = record.checks;
+    if (!checks || typeof checks !== "object")
+        return false;
+    const rateLimit = checks.rateLimit;
+    if (!rateLimit || typeof rateLimit !== "object")
+        return false;
+    return rateLimit.passed === false;
+}
+function summarizeSpawnGuardBlockReason(result) {
+    if (!result || typeof result !== "object")
+        return "Spawn guard denied dispatch.";
+    const record = result;
+    const blockedReason = pickString(record, ["blockedReason", "blocked_reason"]);
+    if (blockedReason)
+        return blockedReason;
+    if (spawnGuardIsRateLimited(result)) {
+        return "Spawn guard rate limit reached.";
+    }
+    return "Spawn guard denied dispatch.";
+}
 const DEFAULT_DURATION_HOURS = {
     initiative: 40,
     workstream: 16,
@@ -2106,6 +2230,263 @@ export function createHttpHandler(config, client, getSnapshot, onboarding, diagn
             }
         }
     }
+    async function requestDecisionSafe(input) {
+        const initiativeId = input.initiativeId?.trim() ?? "";
+        const title = input.title.trim();
+        if (!initiativeId || !title)
+            return;
+        try {
+            await client.applyChangeset({
+                initiative_id: initiativeId,
+                correlation_id: input.correlationId?.trim() || undefined,
+                source_client: "openclaw",
+                idempotency_key: idempotencyKey([
+                    "openclaw",
+                    "decision",
+                    initiativeId,
+                    title,
+                    input.correlationId ?? null,
+                ]),
+                operations: [
+                    {
+                        op: "decision.create",
+                        title,
+                        summary: input.summary ?? undefined,
+                        urgency: input.urgency ?? "high",
+                        options: input.options ?? [],
+                        blocking: input.blocking ?? true,
+                    },
+                ],
+            });
+        }
+        catch {
+            // best effort
+        }
+    }
+    async function checkSpawnGuardSafe(input) {
+        const scopedClient = client;
+        if (typeof scopedClient.checkSpawnGuard !== "function") {
+            return null;
+        }
+        const taskId = input.taskId?.trim() ?? "";
+        const targetLabel = input.targetLabel?.trim() ||
+            (taskId ? `task ${taskId}` : "dispatch target");
+        try {
+            return await scopedClient.checkSpawnGuard(input.domain, taskId || undefined);
+        }
+        catch (err) {
+            await emitActivitySafe({
+                initiativeId: input.initiativeId,
+                correlationId: input.correlationId,
+                phase: "blocked",
+                level: "warn",
+                message: `Spawn guard check degraded for ${targetLabel}; continuing with local policy.`,
+                metadata: {
+                    event: "spawn_guard_degraded",
+                    task_id: taskId || null,
+                    domain: input.domain,
+                    error: safeErrorMessage(err),
+                },
+            });
+            return null;
+        }
+    }
+    function extractSpawnGuardModelTier(result) {
+        if (!result || typeof result !== "object")
+            return null;
+        return (pickString(result, ["modelTier", "model_tier"]) ??
+            null);
+    }
+    function formatRequiredSkills(requiredSkills) {
+        const normalized = requiredSkills
+            .map((entry) => entry.trim())
+            .filter((entry) => entry.length > 0)
+            .map((entry) => (entry.startsWith("$") ? entry : `$${entry}`));
+        return normalized.length > 0
+            ? normalized.join(", ")
+            : "$orgx-engineering-agent";
+    }
+    function buildPolicyEnforcedMessage(input) {
+        const modelTier = extractSpawnGuardModelTier(input.spawnGuardResult ?? null);
+        return [
+            `Execution policy: ${input.executionPolicy.domain}`,
+            `Required skills: ${formatRequiredSkills(input.executionPolicy.requiredSkills)}`,
+            modelTier ? `Spawn guard model tier: ${modelTier}` : null,
+            "",
+            input.baseMessage,
+        ]
+            .filter((entry) => Boolean(entry))
+            .join("\n");
+    }
+    async function resolveDispatchExecutionPolicy(input) {
+        const initiativeId = input.initiativeId?.trim() ?? "";
+        const taskId = input.taskId?.trim() ?? "";
+        const workstreamId = input.workstreamId?.trim() ?? "";
+        let resolvedTaskTitle = input.taskTitle?.trim() || null;
+        let resolvedWorkstreamTitle = input.workstreamTitle?.trim() || null;
+        if (initiativeId && (taskId || workstreamId)) {
+            try {
+                const graph = await buildMissionControlGraph(client, initiativeId);
+                const nodeById = new Map(graph.nodes.map((node) => [node.id, node]));
+                const taskNode = taskId ? nodeById.get(taskId) ?? null : null;
+                const workstreamNode = workstreamId ? nodeById.get(workstreamId) ?? null : null;
+                if (taskNode && taskNode.type === "task") {
+                    resolvedTaskTitle = resolvedTaskTitle ?? taskNode.title;
+                    const relatedWorkstream = (taskNode.workstreamId ? nodeById.get(taskNode.workstreamId) ?? null : null) ??
+                        workstreamNode;
+                    const normalizedWorkstream = relatedWorkstream && relatedWorkstream.type === "workstream"
+                        ? relatedWorkstream
+                        : null;
+                    resolvedWorkstreamTitle =
+                        resolvedWorkstreamTitle ?? normalizedWorkstream?.title ?? null;
+                    return {
+                        executionPolicy: deriveExecutionPolicy(taskNode, normalizedWorkstream),
+                        taskTitle: resolvedTaskTitle,
+                        workstreamTitle: resolvedWorkstreamTitle,
+                    };
+                }
+                if (workstreamNode && workstreamNode.type === "workstream") {
+                    resolvedWorkstreamTitle = resolvedWorkstreamTitle ?? workstreamNode.title;
+                    const assignedDomain = workstreamNode.assignedAgents
+                        .map((agent) => normalizeExecutionDomain(agent.domain))
+                        .find((entry) => Boolean(entry));
+                    const domain = assignedDomain ??
+                        inferExecutionDomainFromText(workstreamNode.title, input.initiativeTitle, input.message);
+                    const normalizedDomain = normalizeExecutionDomain(domain) ?? "engineering";
+                    return {
+                        executionPolicy: {
+                            domain: normalizedDomain,
+                            requiredSkills: [
+                                ORGX_SKILL_BY_DOMAIN[normalizedDomain] ??
+                                    ORGX_SKILL_BY_DOMAIN.engineering,
+                            ],
+                        },
+                        taskTitle: resolvedTaskTitle,
+                        workstreamTitle: resolvedWorkstreamTitle,
+                    };
+                }
+            }
+            catch {
+                // best effort
+            }
+        }
+        const inferredDomain = normalizeExecutionDomain(inferExecutionDomainFromText(resolvedTaskTitle, resolvedWorkstreamTitle, input.initiativeTitle, input.message)) ?? "engineering";
+        return {
+            executionPolicy: {
+                domain: inferredDomain,
+                requiredSkills: [
+                    ORGX_SKILL_BY_DOMAIN[inferredDomain] ?? ORGX_SKILL_BY_DOMAIN.engineering,
+                ],
+            },
+            taskTitle: resolvedTaskTitle,
+            workstreamTitle: resolvedWorkstreamTitle,
+        };
+    }
+    async function enforceSpawnGuardForDispatch(input) {
+        const taskId = input.taskId?.trim() ?? "";
+        const workstreamId = input.workstreamId?.trim() ?? "";
+        const taskTitle = input.taskTitle?.trim() || null;
+        const workstreamTitle = input.workstreamTitle?.trim() || null;
+        const targetLabel = taskId
+            ? `task ${taskTitle ?? taskId}`
+            : workstreamId
+                ? `workstream ${workstreamTitle ?? workstreamId}`
+                : "dispatch target";
+        const spawnGuardResult = await checkSpawnGuardSafe({
+            domain: input.executionPolicy.domain,
+            taskId: taskId || workstreamId || null,
+            initiativeId: input.initiativeId,
+            correlationId: input.correlationId,
+            targetLabel,
+        });
+        if (!spawnGuardResult || typeof spawnGuardResult !== "object") {
+            return {
+                allowed: true,
+                retryable: false,
+                blockedReason: null,
+                spawnGuardResult,
+            };
+        }
+        const allowed = spawnGuardResult.allowed;
+        if (allowed !== false) {
+            return {
+                allowed: true,
+                retryable: false,
+                blockedReason: null,
+                spawnGuardResult,
+            };
+        }
+        const blockedReason = summarizeSpawnGuardBlockReason(spawnGuardResult);
+        const retryable = spawnGuardIsRateLimited(spawnGuardResult);
+        const blockedEvent = retryable
+            ? `${input.sourceEventPrefix}_spawn_guard_rate_limited`
+            : `${input.sourceEventPrefix}_spawn_guard_blocked`;
+        await emitActivitySafe({
+            initiativeId: input.initiativeId,
+            correlationId: input.correlationId,
+            phase: "blocked",
+            level: retryable ? "warn" : "error",
+            message: retryable
+                ? `Spawn guard rate-limited ${targetLabel}; deferring launch.`
+                : `Spawn guard blocked ${targetLabel}.`,
+            metadata: {
+                event: blockedEvent,
+                agent_id: input.agentId ?? null,
+                task_id: taskId || null,
+                task_title: taskTitle,
+                workstream_id: workstreamId || null,
+                workstream_title: workstreamTitle,
+                domain: input.executionPolicy.domain,
+                required_skills: input.executionPolicy.requiredSkills,
+                blocked_reason: blockedReason,
+                spawn_guard: spawnGuardResult,
+            },
+            nextStep: retryable
+                ? "Retry dispatch when spawn rate limits recover."
+                : "Review decision and unblock guard checks before retry.",
+        });
+        if (!retryable && input.initiativeId && taskId) {
+            try {
+                await client.updateEntity("task", taskId, { status: "blocked" });
+            }
+            catch {
+                // best effort
+            }
+            await syncParentRollupsForTask({
+                initiativeId: input.initiativeId,
+                taskId,
+                workstreamId: workstreamId || null,
+                milestoneId: input.milestoneId ?? null,
+                correlationId: input.correlationId,
+            });
+        }
+        if (!retryable) {
+            await requestDecisionSafe({
+                initiativeId: input.initiativeId,
+                correlationId: input.correlationId,
+                title: `Unblock ${targetLabel}`,
+                summary: [
+                    `${targetLabel} failed spawn guard checks.`,
+                    `Reason: ${blockedReason}`,
+                    `Domain: ${input.executionPolicy.domain}`,
+                    `Required skills: ${input.executionPolicy.requiredSkills.join(", ")}`,
+                ].join(" "),
+                urgency: "high",
+                options: [
+                    "Approve exception and continue",
+                    "Reassign task/domain",
+                    "Pause and investigate quality gate",
+                ],
+                blocking: true,
+            });
+        }
+        return {
+            allowed: false,
+            retryable,
+            blockedReason,
+            spawnGuardResult,
+        };
+    }
     async function syncParentRollupsForTask(input) {
         const initiativeId = input.initiativeId?.trim() ?? "";
         const taskId = input.taskId?.trim() ?? "";
@@ -2445,25 +2826,61 @@ export function createHttpHandler(config, client, getSnapshot, onboarding, diagn
     async function dispatchFallbackWorkstreamTurn(input) {
         const now = new Date().toISOString();
         const sessionId = randomUUID();
-        const message = [
+        const policyResolution = await resolveDispatchExecutionPolicy({
+            initiativeId: input.initiativeId,
+            initiativeTitle: input.initiativeTitle,
+            workstreamId: input.workstreamId,
+            workstreamTitle: input.workstreamTitle,
+            message: "Continue this workstream from the latest context. Identify and execute the next concrete task.",
+        });
+        const executionPolicy = policyResolution.executionPolicy;
+        const resolvedWorkstreamTitle = policyResolution.workstreamTitle ?? input.workstreamTitle;
+        const guard = await enforceSpawnGuardForDispatch({
+            sourceEventPrefix: "next_up_fallback",
+            initiativeId: input.initiativeId,
+            correlationId: sessionId,
+            executionPolicy,
+            agentId: input.agentId,
+            workstreamId: input.workstreamId,
+            workstreamTitle: resolvedWorkstreamTitle,
+        });
+        if (!guard.allowed) {
+            return {
+                sessionId: null,
+                pid: null,
+                blockedReason: guard.blockedReason,
+                retryable: guard.retryable,
+                executionPolicy,
+                spawnGuardResult: guard.spawnGuardResult,
+            };
+        }
+        const baseMessage = [
             `Initiative: ${input.initiativeTitle}`,
-            `Workstream: ${input.workstreamTitle}`,
+            `Workstream: ${resolvedWorkstreamTitle}`,
             "",
             "Continue this workstream from the latest context.",
             "Identify and execute the next concrete task, then provide a concise progress summary.",
         ].join("\n");
+        const message = buildPolicyEnforcedMessage({
+            baseMessage,
+            executionPolicy,
+            spawnGuardResult: guard.spawnGuardResult,
+        });
         await emitActivitySafe({
             initiativeId: input.initiativeId,
             correlationId: sessionId,
             phase: "execution",
             level: "info",
-            message: `Next Up dispatched ${input.workstreamTitle}.`,
+            message: `Next Up dispatched ${resolvedWorkstreamTitle}.`,
             metadata: {
                 event: "next_up_manual_dispatch_started",
                 agent_id: input.agentId,
                 session_id: sessionId,
                 workstream_id: input.workstreamId,
-                workstream_title: input.workstreamTitle,
+                workstream_title: resolvedWorkstreamTitle,
+                domain: executionPolicy.domain,
+                required_skills: executionPolicy.requiredSkills,
+                spawn_guard_model_tier: extractSpawnGuardModelTier(guard.spawnGuardResult),
                 fallback: true,
             },
         });
@@ -2493,7 +2910,14 @@ export function createHttpHandler(config, client, getSnapshot, onboarding, diagn
             startedAt: now,
             status: "running",
         });
-        return { sessionId, pid: spawned.pid };
+        return {
+            sessionId,
+            pid: spawned.pid,
+            blockedReason: null,
+            retryable: false,
+            executionPolicy,
+            spawnGuardResult: guard.spawnGuardResult,
+        };
     }
     async function tickAutoContinueRun(run) {
         if (run.status !== "running" && run.status !== "stopping")
@@ -2560,6 +2984,27 @@ export function createHttpHandler(config, client, getSnapshot, onboarding, diagn
                         error_message: summary.errorMessage,
                     },
                 });
+                if (summary.hadError && record.taskId) {
+                    await requestDecisionSafe({
+                        initiativeId: run.initiativeId,
+                        correlationId: record.runId,
+                        title: `Unblock auto-continue task ${record.taskId}`,
+                        summary: [
+                            `Task ${record.taskId} finished with runtime error in session ${record.runId}.`,
+                            summary.errorMessage ? `Error: ${summary.errorMessage}` : null,
+                            `Workstream: ${record.workstreamId ?? "unknown"}.`,
+                        ]
+                            .filter((line) => Boolean(line))
+                            .join(" "),
+                        urgency: "high",
+                        options: [
+                            "Retry task in auto-continue",
+                            "Assign manual recovery owner",
+                            "Pause initiative until fixed",
+                        ],
+                        blocking: true,
+                    });
+                }
                 run.lastRunId = record.runId;
                 run.lastTaskId = record.taskId ?? run.lastTaskId;
                 run.activeRunId = null;
@@ -2682,30 +3127,120 @@ export function createHttpHandler(config, client, getSnapshot, onboarding, diagn
         const milestoneTitle = nextTaskNode.milestoneId
             ? nodeById.get(nextTaskNode.milestoneId)?.title ?? null
             : null;
+        const workstreamNode = nextTaskNode.workstreamId
+            ? nodeById.get(nextTaskNode.workstreamId) ?? null
+            : null;
+        const executionPolicy = deriveExecutionPolicy(nextTaskNode, workstreamNode);
+        const spawnGuardResult = await checkSpawnGuardSafe({
+            domain: executionPolicy.domain,
+            taskId: nextTaskNode.id,
+            initiativeId: run.initiativeId,
+            correlationId: sessionId,
+        });
+        if (spawnGuardResult && typeof spawnGuardResult === "object") {
+            const allowed = spawnGuardResult.allowed;
+            if (allowed === false) {
+                const blockedReason = summarizeSpawnGuardBlockReason(spawnGuardResult);
+                if (spawnGuardIsRateLimited(spawnGuardResult)) {
+                    run.lastError = blockedReason;
+                    run.updatedAt = now;
+                    await emitActivitySafe({
+                        initiativeId: run.initiativeId,
+                        correlationId: sessionId,
+                        phase: "blocked",
+                        level: "warn",
+                        message: `Spawn guard rate-limited task ${nextTaskNode.id}; waiting to retry.`,
+                        metadata: {
+                            event: "auto_continue_spawn_guard_rate_limited",
+                            task_id: nextTaskNode.id,
+                            task_title: nextTaskNode.title,
+                            domain: executionPolicy.domain,
+                            required_skills: executionPolicy.requiredSkills,
+                            spawn_guard: spawnGuardResult,
+                        },
+                    });
+                    return;
+                }
+                try {
+                    await client.updateEntity("task", nextTaskNode.id, {
+                        status: "blocked",
+                    });
+                }
+                catch {
+                    // best effort
+                }
+                await syncParentRollupsForTask({
+                    initiativeId: run.initiativeId,
+                    taskId: nextTaskNode.id,
+                    workstreamId: nextTaskNode.workstreamId,
+                    milestoneId: nextTaskNode.milestoneId,
+                    correlationId: sessionId,
+                });
+                await emitActivitySafe({
+                    initiativeId: run.initiativeId,
+                    correlationId: sessionId,
+                    phase: "blocked",
+                    level: "error",
+                    message: `Auto-continue blocked by spawn guard on task ${nextTaskNode.id}.`,
+                    metadata: {
+                        event: "auto_continue_spawn_guard_blocked",
+                        task_id: nextTaskNode.id,
+                        task_title: nextTaskNode.title,
+                        domain: executionPolicy.domain,
+                        required_skills: executionPolicy.requiredSkills,
+                        blocked_reason: blockedReason,
+                        spawn_guard: spawnGuardResult,
+                    },
+                });
+                await requestDecisionSafe({
+                    initiativeId: run.initiativeId,
+                    correlationId: sessionId,
+                    title: `Unblock auto-continue task ${nextTaskNode.title}`,
+                    summary: [
+                        `Task ${nextTaskNode.id} failed spawn guard checks.`,
+                        `Reason: ${blockedReason}`,
+                        `Domain: ${executionPolicy.domain}`,
+                        `Required skills: ${executionPolicy.requiredSkills.join(", ")}`,
+                    ].join(" "),
+                    urgency: "high",
+                    options: [
+                        "Approve exception and continue",
+                        "Reassign task/domain",
+                        "Pause and investigate quality gate",
+                    ],
+                    blocking: true,
+                });
+                await stopAutoContinueRun({
+                    run,
+                    reason: "blocked",
+                    error: blockedReason,
+                });
+                return;
+            }
+        }
         const message = [
             initiativeNode ? `Initiative: ${initiativeNode.title}` : null,
             workstreamTitle ? `Workstream: ${workstreamTitle}` : null,
             milestoneTitle ? `Milestone: ${milestoneTitle}` : null,
             "",
             `Task: ${nextTaskNode.title}`,
+            `Execution policy: ${executionPolicy.domain}`,
+            `Required skills: ${executionPolicy.requiredSkills.map((skill) => `$${skill}`).join(", ")}`,
             "",
             "Execute this task. When finished, provide a concise completion summary and any relevant commands/notes.",
         ]
             .filter((line) => typeof line === "string")
             .join("\n");
-        if (nextTaskNode.workstreamId) {
-            const workstreamNode = nodeById.get(nextTaskNode.workstreamId);
-            if (workstreamNode &&
-                !isInProgressStatus(workstreamNode.status) &&
-                isDispatchableWorkstreamStatus(workstreamNode.status)) {
-                try {
-                    await client.updateEntity("workstream", workstreamNode.id, {
-                        status: "active",
-                    });
-                }
-                catch {
-                    // best effort
-                }
+        if (workstreamNode &&
+            !isInProgressStatus(workstreamNode.status) &&
+            isDispatchableWorkstreamStatus(workstreamNode.status)) {
+            try {
+                await client.updateEntity("workstream", workstreamNode.id, {
+                    status: "active",
+                });
+            }
+            catch {
+                // best effort
             }
         }
         try {
@@ -2744,6 +3279,11 @@ export function createHttpHandler(config, client, getSnapshot, onboarding, diagn
                 workstream_title: workstreamTitle,
                 milestone_id: nextTaskNode.milestoneId,
                 milestone_title: milestoneTitle,
+                domain: executionPolicy.domain,
+                required_skills: executionPolicy.requiredSkills,
+                spawn_guard_model_tier: spawnGuardResult && typeof spawnGuardResult === "object"
+                    ? pickString(spawnGuardResult, ["modelTier", "model_tier"]) ?? null
+                    : null,
             },
         });
         upsertAgentContext({
@@ -3561,6 +4101,7 @@ export function createHttpHandler(config, client, getSnapshot, onboarding, diagn
                         searchParams.get("model_id") ??
                         "")
                         .trim() || null;
+                    const routingProvider = provider ?? (!provider && !requestedModel ? resolveAutoOpenClawProvider() : null);
                     const dryRunRaw = payload.dryRun ??
                         payload.dry_run ??
                         searchParams.get("dryRun") ??
@@ -3569,7 +4110,7 @@ export function createHttpHandler(config, client, getSnapshot, onboarding, diagn
                     const dryRun = typeof dryRunRaw === "boolean"
                         ? dryRunRaw
                         : parseBooleanQuery(typeof dryRunRaw === "string" ? dryRunRaw : null);
-                    let requiresPremiumLaunch = Boolean(provider) || modelImpliesByok(requestedModel);
+                    let requiresPremiumLaunch = Boolean(routingProvider) || modelImpliesByok(requestedModel);
                     if (!requiresPremiumLaunch) {
                         try {
                             const agents = await listAgents();
@@ -3609,12 +4150,23 @@ export function createHttpHandler(config, client, getSnapshot, onboarding, diagn
                         searchParams.get("text") ??
                         "")
                         .trim();
-                    const message = messageInput ||
+                    const baseMessage = messageInput ||
                         (initiativeTitle
                             ? `Kick off: ${initiativeTitle}`
                             : initiativeId
                                 ? `Kick off initiative ${initiativeId}`
                                 : `Kick off agent ${agentId}`);
+                    const policyResolution = await resolveDispatchExecutionPolicy({
+                        initiativeId,
+                        initiativeTitle,
+                        workstreamId,
+                        taskId,
+                        message: baseMessage,
+                    });
+                    const executionPolicy = policyResolution.executionPolicy;
+                    const resolvedTaskTitle = policyResolution.taskTitle;
+                    const resolvedWorkstreamTitle = policyResolution.workstreamTitle ??
+                        (workstreamId ? `Workstream ${workstreamId}` : null);
                     if (dryRun) {
                         sendJson(res, 200, {
                             ok: true,
@@ -3624,11 +4176,48 @@ export function createHttpHandler(config, client, getSnapshot, onboarding, diagn
                             workstreamId,
                             taskId,
                             requiresPremiumLaunch,
+                            provider: routingProvider,
+                            model: requestedModel,
                             startedAt: new Date().toISOString(),
-                            message,
+                            message: baseMessage,
+                            domain: executionPolicy.domain,
+                            requiredSkills: executionPolicy.requiredSkills,
+                        });
+                        return true;
+                    }
+                    const guard = await enforceSpawnGuardForDispatch({
+                        sourceEventPrefix: "agent_launch",
+                        initiativeId,
+                        correlationId: sessionId,
+                        executionPolicy,
+                        agentId,
+                        taskId,
+                        taskTitle: resolvedTaskTitle,
+                        workstreamId,
+                        workstreamTitle: resolvedWorkstreamTitle,
+                    });
+                    if (!guard.allowed) {
+                        sendJson(res, guard.retryable ? 429 : 409, {
+                            ok: false,
+                            code: guard.retryable
+                                ? "spawn_guard_rate_limited"
+                                : "spawn_guard_blocked",
+                            error: guard.blockedReason ??
+                                "Spawn guard denied this agent launch.",
+                            retryable: guard.retryable,
+                            initiativeId,
+                            workstreamId,
+                            taskId,
+                            domain: executionPolicy.domain,
+                            requiredSkills: executionPolicy.requiredSkills,
                         });
                         return true;
                     }
+                    const message = buildPolicyEnforcedMessage({
+                        baseMessage,
+                        executionPolicy,
+                        spawnGuardResult: guard.spawnGuardResult,
+                    });
                     if (initiativeId) {
                         try {
                             await client.updateEntity("initiative", initiativeId, { status: "active" });
@@ -3665,16 +4254,19 @@ export function createHttpHandler(config, client, getSnapshot, onboarding, diagn
                             session_id: sessionId,
                             workstream_id: workstreamId,
                             task_id: taskId,
-                            provider,
+                            provider: routingProvider,
                             model: requestedModel,
+                            domain: executionPolicy.domain,
+                            required_skills: executionPolicy.requiredSkills,
+                            spawn_guard_model_tier: extractSpawnGuardModelTier(guard.spawnGuardResult),
                         },
                     });
                     let routedProvider = null;
                     let routedModel = null;
-                    if (provider) {
+                    if (routingProvider) {
                         const routed = await configureOpenClawProviderRouting({
                             agentId,
-                            provider,
+                            provider: routingProvider,
                             requestedModel,
                         });
                         routedProvider = routed.provider;
@@ -3718,6 +4310,8 @@ export function createHttpHandler(config, client, getSnapshot, onboarding, diagn
                         workstreamId,
                         taskId,
                         startedAt: new Date().toISOString(),
+                        domain: executionPolicy.domain,
+                        requiredSkills: executionPolicy.requiredSkills,
                     });
                 }
                 catch (err) {
@@ -3806,7 +4400,9 @@ export function createHttpHandler(config, client, getSnapshot, onboarding, diagn
                         record.model ??
                         "")
                         .trim() || null;
-                    let requiresPremiumRestart = Boolean(providerOverride) ||
+                    const routingProvider = providerOverride ??
+                        (!providerOverride && !requestedModel ? resolveAutoOpenClawProvider() : null);
+                    let requiresPremiumRestart = Boolean(routingProvider) ||
                         modelImpliesByok(requestedModel) ||
                         modelImpliesByok(record.model ?? null);
                     if (!requiresPremiumRestart) {
@@ -3842,13 +4438,52 @@ export function createHttpHandler(config, client, getSnapshot, onboarding, diagn
                         }
                     }
                     const sessionId = randomUUID();
-                    const message = messageOverride ?? record.message ?? `Restart agent ${record.agentId}`;
-                    let routedProvider = providerOverride ?? null;
+                    const baseMessage = messageOverride ?? record.message ?? `Restart agent ${record.agentId}`;
+                    const policyResolution = await resolveDispatchExecutionPolicy({
+                        initiativeId: record.initiativeId,
+                        initiativeTitle: record.initiativeTitle,
+                        workstreamId: record.workstreamId,
+                        taskId: record.taskId,
+                        message: baseMessage,
+                    });
+                    const executionPolicy = policyResolution.executionPolicy;
+                    const guard = await enforceSpawnGuardForDispatch({
+                        sourceEventPrefix: "agent_restart",
+                        initiativeId: record.initiativeId,
+                        correlationId: sessionId,
+                        executionPolicy,
+                        agentId: record.agentId,
+                        taskId: record.taskId,
+                        taskTitle: policyResolution.taskTitle,
+                        workstreamId: record.workstreamId,
+                        workstreamTitle: policyResolution.workstreamTitle,
+                    });
+                    if (!guard.allowed) {
+                        sendJson(res, guard.retryable ? 429 : 409, {
+                            ok: false,
+                            code: guard.retryable
+                                ? "spawn_guard_rate_limited"
+                                : "spawn_guard_blocked",
+                            error: guard.blockedReason ??
+                                "Spawn guard denied this restart.",
+                            retryable: guard.retryable,
+                            previousRunId,
+                            domain: executionPolicy.domain,
+                            requiredSkills: executionPolicy.requiredSkills,
+                        });
+                        return true;
+                    }
+                    const message = buildPolicyEnforcedMessage({
+                        baseMessage,
+                        executionPolicy,
+                        spawnGuardResult: guard.spawnGuardResult,
+                    });
+                    let routedProvider = routingProvider ?? null;
                     let routedModel = requestedModel ?? null;
-                    if (providerOverride) {
+                    if (routingProvider) {
                         const routed = await configureOpenClawProviderRouting({
                             agentId: record.agentId,
-                            provider: providerOverride,
+                            provider: routingProvider,
                             requestedModel,
                         });
                         routedProvider = routed.provider;
@@ -3888,6 +4523,8 @@ export function createHttpHandler(config, client, getSnapshot, onboarding, diagn
                         pid: spawned.pid,
                         provider: routedProvider,
                         model: routedModel,
+                        domain: executionPolicy.domain,
+                        requiredSkills: executionPolicy.requiredSkills,
                     });
                 }
                 catch (err) {
@@ -3988,24 +4625,33 @@ export function createHttpHandler(config, client, getSnapshot, onboarding, diagn
                             agentId,
                         });
                     }
+                    const fallbackStarted = Boolean(fallbackDispatch?.sessionId);
                     const dispatchMode = run.activeRunId
                         ? "task"
-                        : fallbackDispatch
+                        : fallbackStarted
                             ? "fallback"
                             : "none";
                     if (dispatchMode === "none") {
-                        const reason = run.stopReason === "blocked"
-                            ? "No dispatchable task is ready for this workstream yet."
-                            : run.stopReason === "completed"
-                                ? "No queued task is available for this workstream."
-                                : "Unable to dispatch this workstream right now.";
-                        sendJson(res, 409, {
+                        const fallbackBlockedReason = fallbackDispatch?.blockedReason ?? null;
+                        const reason = fallbackBlockedReason ??
+                            (run.stopReason === "blocked"
+                                ? "No dispatchable task is ready for this workstream yet."
+                                : run.stopReason === "completed"
+                                    ? "No queued task is available for this workstream."
+                                    : "Unable to dispatch this workstream right now.");
+                        sendJson(res, fallbackDispatch?.retryable ? 429 : 409, {
                             ok: false,
+                            code: fallbackBlockedReason
+                                ? fallbackDispatch?.retryable
+                                    ? "spawn_guard_rate_limited"
+                                    : "spawn_guard_blocked"
+                                : undefined,
                             error: reason,
                             run,
                             initiativeId,
                             workstreamId,
                             agentId,
+                            fallbackDispatch,
                         });
                         return true;
                     }
@@ -5932,6 +6578,11 @@ export function createHttpHandler(config, client, getSnapshot, onboarding, diagn
         // Requests under /orgx/live
         if (url === "/orgx/live" || url.startsWith("/orgx/live/")) {
             const subPath = url.replace(/^\/orgx\/live\/?/, "");
+            // Never expose source maps in shipped plugin dashboards.
+            if (/\.map$/i.test(subPath)) {
+                send404(res);
+                return true;
+            }
             // Static assets: /orgx/live/assets/* → dashboard/dist/assets/*
             // Hashed filenames get long-lived cache
             if (subPath.startsWith("assets/")) {
@@ -5977,4 +6628,3 @@ export function createHttpHandler(config, client, getSnapshot, onboarding, diagn
         return true;
     };
 }
-//# sourceMappingURL=http-handler.js.map