@wnlen/agent-execution-template 0.8.15 → 0.8.16

package/README.md

@@ -147,7 +147,7 @@ npx -y @wnlen/agent-execution-template strategy --lang en
 | Strategy amendment gate | New direction goes through `inbox/ideas/`, a proposal, human confirmation, then an explicit apply task. |
 | Protected project context | `update` refreshes `ai/template/**` without overwriting `ai/project/**`. |
 | Project context refresh | `refresh` backs up old `ai/project/**`, creates a fresh project context, and imports the old context into the inbox for reconciliation. |
-| Bounded task execution | Goals, scope, permissions, risk, and acceptance criteria live in one task file. |
+| Automatic continuous execution | The agent decomposes L1/L2/L3 before execution; 2+ L1 tasks automatically enable bounded continuous execution, and only Red risk stops for confirmation. |
 | Auditable results | Every run can leave human-readable output, machine-readable facts, and metrics. |
 | Token-efficient model policy | Cheap models handle bounded work; strong models are reserved for judgment points. |
 | Upgradeable template | Reuse protocol improvements without losing local project memory. |
@@ -323,6 +323,8 @@ Reconcile the new material in ai/project/inbox/
 
 The agent must produce a reconciliation plan first, wait for confirmation, then merge long-lived facts into `project.md`, `runtime.md`, and `refs/*`.
 After reconciliation, processed material is moved to `ai/project/inbox/processed/` for traceability.
+By default, only `ai/project/inbox/*.md` and `ai/project/inbox/raw/*.md` are absorbed;
+`processed/**` is not reconciled again, and `ideas/**` goes through the direction amendment proposal flow.
 
 ## Project North Star
 

package/README.zh-CN.md

@@ -157,7 +157,7 @@ npx -y @wnlen/agent-execution-template strategy
 | 策略修订门禁 | 新方向先进入 `inbox/ideas/`，生成 proposal，人类确认后才合并进北极星、模块地图或路线图。 |
 | 保护项目现场 | `update` 刷新 `ai/template/**`，不会覆盖 `ai/project/**`。 |
 | 项目上下文重整 | `refresh` 备份旧 `ai/project/**`，生成新项目上下文，并把旧上下文放入 inbox 供 AI 整理。 |
-| 有边界的任务执行 | 目标、范围、权限、风险和验收标准集中在任务文件里。 |
+| 自动连续执行 | AI 执行前自动拆 L1/L2/L3 任务树；L1 两个以上自动启用边界内连续执行，只有 Red 风险停下来确认。 |
 | 可审计结果 | 每次执行都可以留下人类可读结果、机器可读事实和 metrics。 |
 | Token-efficient 模型策略 | 便宜模型处理边界清楚的工作，强模型只用于关键判断点。 |
 | 可升级模板 | 协议可以持续改进，不丢失项目本地记忆。 |
@@ -332,6 +332,8 @@ ai/project/inbox/
 
 AI 必须先输出整合计划，等待确认后，再把长期有效事实合并进 `project.md`、`runtime.md` 和 `refs/*`。
 整合完成后，已处理资料统一移动到 `ai/project/inbox/processed/`，保留用于追溯。
+默认只吸收 `ai/project/inbox/*.md` 和 `ai/project/inbox/raw/*.md`；
+`processed/**` 不会再次参与整合，`ideas/**` 走方向修订提案。
 
 ## 项目北极星
 

package/bin/agent-execution-template.js

@@ -48,6 +48,7 @@ const TASK_HEALTH_PATTERNS = [
   /^type:\s*/m,
   /^priority:\s*/m,
   /^risk_level:\s*/m,
+  /^execution_policy:/m,
   /^model_policy:/m,
   /^refs:/m,
   /^permission:/m

package/docs/SPEC.md

@@ -22,7 +22,7 @@ npx 安装协议 -> AI 整理项目上下文 -> 人类确认 -> AI 生成任务
 
 ```text
 Protocol: v0.8
-Package: @wnlen/agent-execution-template@0.8.15
+Package: @wnlen/agent-execution-template@0.8.16
 中文安装: npx -y @wnlen/agent-execution-template init
 英文安装: npx -y @wnlen/agent-execution-template init --lang en
 ```
@@ -390,7 +390,7 @@ npx -y @wnlen/agent-execution-template doctor
 ```text
 Agent Execution Template 检查
 
-模板版本: 0.8.15
+模板版本: 0.8.16
 模板语言: zh
 
 [通过] ai/template/LANG
@@ -610,6 +610,7 @@ ai/project/refs/roadmap.md
 - 任务类型；
 - 优先级；
 - 风险等级；
+- 执行策略；
 - 模型分工策略；
 - refs 要求；
 - 修改权限；
@@ -645,7 +646,44 @@ apply_strategy_update
 权限不允许，不越界修改。
 ```
 
-## 14. 模型分工协议
+## 14. 执行授权策略
+
+执行策略写在：
+
+```text
+ai/project/task.md.execution_policy
+```
+
+默认模式是 `auto`。AI 每次执行前先做任务分解和风险判断，再决定使用
+`normal` 还是 `bounded_continuous`，不依赖用户口令。
+
+执行前规划：
+
+- AI 根据用户目标、项目上下文和仓库事实推断目标、范围、验收、权限和验证方式；
+- 先列 L1 任务清单，并给每个 L1 标注 Green / Yellow / Red；
+- L1 少于 2 个时使用 `normal`；
+- L1 为 2 个或更多时自动使用 `bounded_continuous`；
+- 任一 L1 为 Red 时停止等待人类确认；Green 和 Yellow 不阻塞启动。
+
+`bounded_continuous` 规则：
+
+- 按 L1 -> L2 -> L3 执行，执行 L1 前规划 L2，执行 L2 前按需规划 L3；
+- 默认最多 3 层，只有当 L3 仍过大、不可验证或不可回退时才动态增加 L4；
+- 每个任务节点必须有风险评级、预期改动范围、验收方式和证据要求；
+- L1 清单必须用待办列表展示，每完成一个 L1 就打勾并划掉；
+- 默认按 `vertical_slice` 推进，每轮都要产生可检查增量；
+- 每个 Checkpoint 必须包含证据：已改文件、已运行命令、验证结果或无法验证原因；
+- Green 可自动继续；
+- Yellow 做局部低风险修正后继续；
+- Red 必须停止等待人类确认；
+- 目标、范围、验收和权限由 AI 推断，但不能越过项目规则、显式用户限制、
+  `permission.modify.denied`、安全边界或破坏性操作限制；
+- 需要扩大权限、运行未允许命令、访问网络、执行破坏性操作、改变产品方向或核心架构时，
+  当前节点必须标为 Red。
+
+它不适用于方向未定且无法推断、验收无法定义或高风险架构取舍任务；这些应直接评为 Red。
+
+## 15. 模型分工协议
 
 模型分工写在：
 
@@ -673,7 +711,7 @@ Default cheap. Escalate for judgment. Record why.
 - 写明需要的 strong model role；
 - 记录到 `ai/project/metrics.json`。
 
-## 15. 风险门禁
+## 16. 风险门禁
 
 任务涉及以下内容时必须谨慎：
 
@@ -687,7 +725,7 @@ Default cheap. Escalate for judgment. Record why.
 
 如果风险高且 `task.md` 未明确授权，AI 必须停止并写 blocked 结果。
 
-## 16. refs 延迟加载
+## 17. refs 延迟加载
 
 `ai/project/refs/` 存放按需读取的详细资料。
 
@@ -707,7 +745,7 @@ Default cheap. Escalate for judgment. Record why.
 
 每次读取 ref 都必须在 `result.json.refs_read` 中记录原因。
 
-## 16.1 inbox 待吸收资料
+## 17.1 inbox 待吸收资料
 
 `ai/project/inbox/` 存放尚未整合进项目上下文的新资料。
 已完成整合的资料统一移动到 `ai/project/inbox/processed/`，用于追溯并避免重复处理。
@@ -732,11 +770,13 @@ AI 必须先输出整合计划，等人类确认后，才更新 `project.md`、`
 应用整合完成后，AI 必须把本次已处理的 `ai/project/inbox/*.md`
 移动到 `ai/project/inbox/processed/`。`processed/` 中的资料默认不再触发
 `reconcile` 或 `next` 的待处理资料判断。
+即使用户口语上说“整合整个 inbox”，默认也只处理 `ai/project/inbox/*.md`
+和 `ai/project/inbox/raw/*.md`；`ai/project/inbox/ideas/**` 不参与上下文整合。
 
 如果新资料会改变 `final-shape.md`、`module-map.md` 或 `roadmap.md` 的方向性内容，
 上下文整合只能建议创建 `strategy_update` 提案，不能直接改这些文件。
 
-## 16.2 项目北极星与策略修订
+## 17.2 项目北极星与策略修订
 
 `ai/project/refs/final-shape.md` 是项目北极星说明书，也可以理解为
 Product Constitution / Final Shape Spec。它负责保存：
@@ -812,7 +852,7 @@ ai/project/refs/decisions.md
 ai/project/refs/constraints.md
 ```
 
-## 17. 输出结果
+## 18. 输出结果
 
 每次执行必须写：
 
@@ -822,7 +862,7 @@ ai/project/result.md
 ai/project/metrics.json
 ```
 
-### 17.1 `result.json`
+### 18.1 `result.json`
 
 机器可读结果，是当前最新权威执行记录。
 
@@ -840,7 +880,7 @@ ai/project/metrics.json
 - next；
 - runtime update proposal。
 
-### 17.2 `result.md`
+### 18.2 `result.md`
 
 人类可读摘要。
 
@@ -852,7 +892,7 @@ ai/project/metrics.json
 - 有什么问题；
 - 下一步。
 
-### 17.3 `metrics.json`
+### 18.3 `metrics.json`
 
 执行经济性和模型分工记录。
 
@@ -867,7 +907,7 @@ ai/project/metrics.json
 - human fix required；
 - reuse potential。
 
-## 18. 状态规则
+## 19. 状态规则
 
 允许状态：
 
@@ -885,7 +925,7 @@ blocked
 - 任务不可执行，使用 `blocked`；
 - 执行失败且无法完成，使用 `failed`。
 
-## 19. runtime 治理
+## 20. runtime 治理
 
 `ai/project/runtime.md` 只存当前仍然有效的执行上下文。
 
@@ -904,7 +944,7 @@ ai/project/result.json.runtime_update
 
 再由单独任务决定是否更新 runtime。
 
-## 20. 同步规则
+## 21. 同步规则
 
 从模板仓库导入真实项目：
 
@@ -922,7 +962,7 @@ ai/project/result.json.runtime_update
 
 这是整个项目的安全底线。
 
-## 21. npm 包结构
+## 22. npm 包结构
 
 模板仓库内部结构：
 
@@ -952,7 +992,7 @@ LICENSE
 - `bin/agent-execution-template.js` 是 CLI；
 - `test/selftest.js` 是本地自测。
 
-## 22. 自测与发布检查
+## 23. 自测与发布检查
 
 本地自测：
 
@@ -997,7 +1037,7 @@ diff 检查：
 git diff --check
 ```
 
-## 23. 当前能力边界
+## 24. 当前能力边界
 
 当前项目已经能做到：
 
@@ -1018,7 +1058,7 @@ git diff --check
 - IDE 插件；
 - 发布流水线。
 
-## 24. 最终判断
+## 25. 最终判断
 
 Agent Execution Template v0.8 已经从一个 prompt/template 原型，升级为：
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wnlen/agent-execution-template",
-  "version": "0.8.15",
+  "version": "0.8.16",
   "description": "Low-friction AI execution protocol template for coding agents.",
   "bin": {
     "agent-execution-template": "bin/agent-execution-template.js"

package/template/en/ai/README.md

@@ -77,6 +77,10 @@ The workflow produces a reconciliation plan first and updates `project.md`,
 `runtime.md`, and `refs/*` only after confirmation. After reconciliation,
 processed material is moved to `ai/project/inbox/processed/`.
 
+By default, only `ai/project/inbox/*.md` and `ai/project/inbox/raw/*.md` are
+absorbed. `processed/**` is trace history and is not reconciled again;
+`ideas/**` goes through the direction amendment proposal flow.
+
 ## Direction Amendments
 
 The North Star, module map, and roadmap belong to the project direction layer:

package/template/en/ai/project/task.md

@@ -4,6 +4,31 @@ type: "bugfix | feature | refactor | docs | config | test | research | strategy_
 priority: "P0 | P1 | P2 | P3"
 risk_level: "low | medium | high"
 depends_on_previous_result: false
+execution_policy:
+  mode: "auto | normal | bounded_continuous"
+  activation_rule: "auto_enable_when_l1_count_gte_2"
+  max_depth: 3
+  allow_depth_4_when_needed: true
+  progress_unit: "vertical_slice"
+  task_tree: []
+  checkpoint_budget:
+    l1: 0
+    l2: 0
+    l3: 0
+    l4: 0
+  checkpoint_triggers:
+    - before_crossing_boundary
+    - after_vertical_slice
+    - before_final_review
+  auto_continue:
+    green: true
+    yellow: "low_risk_only"
+    red: false
+  risk_gate:
+    green: "continue"
+    yellow: "continue_with_local_fix"
+    red: "stop_for_human"
+  evidence_required: true
 model_policy:
   default_tier: "cheap"
   allowed_tiers:
@@ -86,6 +111,41 @@ The task is complete when:
 
 - 
 
+## Execution Policy
+
+Default to `auto`. The AI decides during pre-execution planning whether to use
+continuous execution; it does not wait for a human keyword. If planning finds
+fewer than 2 L1 tasks, use `normal`; if it finds 2 or more L1 tasks, use
+`bounded_continuous` automatically.
+
+`bounded_continuous` means bounded continuous execution:
+
+- The AI infers goal, scope, acceptance, permissions, and risk from the human
+  goal, project context, and repository facts; the human does not need to
+  provide each field upfront.
+- Before execution, list the L1 task checklist; mark each L1 complete with a
+  checked and struck-through item.
+- Before executing an L1, plan the naturally derived L2 tasks; if an L2 still
+  needs decomposition, plan L3 tasks.
+- Default to at most 3 levels; add L4 dynamically only when leaving it out
+  would make L3 too large or unverifiable.
+- The AI assigns Green / Yellow / Red risk to every task node.
+- Only Red stops for human confirmation; Green continues automatically, and
+  Yellow continues after local low-risk correction.
+- `progress_unit` defaults to `vertical_slice`: each work loop should produce
+  a reviewable increment.
+- `checkpoint_budget` is the maximum checkpoint budget, not a required count;
+  do not report just to spend the budget.
+- Emit a checkpoint only when `checkpoint_triggers` fire, risk rises, or final
+  review is about to start.
+- Every checkpoint must include evidence: changed files, commands run,
+  verification results, or why verification was not possible.
+- After completion, run one final review; only re-check Yellow, Red, failed
+  verification, or high-impact modules.
+- Continuous execution does not change model policy; escalate through
+  `model_policy` for judgment, architecture, failure review, or acceptance
+  disputes.
+
 ## Permission
 
 Modify files only under the allowlist in the YAML front matter.
@@ -108,3 +168,8 @@ Stop and write `ai/project/result.json`, `ai/project/result.md`, and `ai/project
 - Required refs are missing.
 - Required command cannot be run.
 - Risk level is high without explicit authorization.
+- A Red checkpoint appears during continuous execution.
+- The task would change product direction, core architecture, data structures,
+  security boundaries, payment, accounts, or permissions.
+- The task would delete many files, rewrite a core module, or require choosing
+  between multiple high-cost options.

package/template/en/ai/template/VERSION

@@ -1 +1 @@
-0.8.15
+0.8.16

package/template/en/ai/template/prompt.md

@@ -36,7 +36,9 @@ Then choose the mode:
   `ai/template/reconcile.md` and stop or update according to its two-phase
   workflow; `ai/project/inbox/processed/` is already processed material and
   should not trigger reconciliation, while `ai/project/inbox/ideas/` should
-  route to `strategy_update` first.
+  route to `strategy_update` first. Even if the human says to reconcile the
+  whole inbox, default to only `ai/project/inbox/*.md` and
+  `ai/project/inbox/raw/*.md`.
 - If the user says "Start initializing this project", asks to initialize,
   organize, or generate project context, or if `ai/project/project.md` is
   empty, placeholder-only, or incomplete, follow `ai/template/bootstrap.md`
@@ -58,10 +60,17 @@ Then choose the mode:
 In Task Draft Mode:
 
 1. Read confirmed `ai/project/project.md` and relevant `ai/project/refs/*.md`.
-2. Draft `ai/project/task.md` from the user's current goal.
-3. Ask at most 3 questions only for scope, risk, permission, or acceptance
-   blockers.
-4. Stop for human confirmation. Do not modify source or business files.
+2. Infer goal, scope, acceptance, permissions, verification method, and initial
+   risk from the user's current goal, project context, and repository facts; do
+   not require the human to provide each field upfront.
+3. Draft `ai/project/task.md` and set `execution_policy.mode` to `auto`.
+4. Before execution, list the L1 checklist and mark each L1 Green / Yellow /
+   Red. Use `normal` if there are fewer than 2 L1 tasks; automatically use
+   `bounded_continuous` if there are 2 or more L1 tasks.
+5. Stop for human confirmation only when a Red preflight item appears. If the
+   human asked to execute or continue, and preflight contains only Green /
+   Yellow, proceed directly to Execution Mode.
+6. Do not modify source or business files in Task Draft Mode.
 
 End Task Draft Mode with:
 
@@ -112,7 +121,13 @@ In Execution Mode, read:
 2. `ai/project/runtime.md`
 3. `ai/project/task.md`
 
-Then execute the task and write results to:
+Then perform pre-execution planning: list the L1 checklist, mark each L1 Green
+/ Yellow / Red, and automatically choose `normal` or `bounded_continuous` from
+the L1 count. Plan L2 before executing an L1, and plan L3 as needed before
+executing an L2; default to at most 3 levels, with L4 allowed when needed. When
+an L1 is complete, check it off and strike it through. Only Red stops for human
+confirmation; Green continues automatically, and Yellow continues after local
+low-risk correction. Write results to:
 
 - `ai/project/result.json`
 - `ai/project/result.md`

package/template/en/ai/template/protocol.md

@@ -47,6 +47,74 @@ Project Bootstrap / Context Reconcile / Strategy Update -> Project Confirm -> Ta
 9. Execute only within the project task boundary.
 10. Write `ai/project/result.json`, `ai/project/result.md`, and `ai/project/metrics.json`.
 
+## Execution Authorization Modes
+
+The default execution policy is `auto`: before each execution, the AI first
+decomposes the task and judges risk, then chooses `normal` or
+`bounded_continuous`. Continuous execution does not depend on a human keyword.
+
+Pre-execution planning must:
+
+- Infer goal, scope, acceptance, permissions, and verification method from the
+  human goal, project context, and repository facts.
+- List the L1 task checklist and assign Green / Yellow / Red risk to each L1.
+- Use `normal` if there are fewer than 2 L1 tasks.
+- Automatically use `bounded_continuous` if there are 2 or more L1 tasks.
+- Stop for human confirmation first if any L1 is Red; Green and Yellow do not
+  block startup.
+
+Bounded continuous execution rules:
+
+- Execute the task tree in L1 -> L2 -> L3 order. Before executing an L1, plan
+  its naturally derived L2 tasks; before executing an L2, plan L3 tasks if it
+  still needs decomposition.
+- Default to at most 3 levels. Add L4 dynamically only when L3 would otherwise
+  be too large, unverifiable, or hard to revert.
+- Every L1/L2/L3/L4 node must have risk, expected edit scope, acceptance method,
+  and evidence requirements.
+- Show the L1 checklist as task items; when an L1 is complete, check it off and
+  strike it through.
+- Default to `vertical_slice` progress: each loop should produce a runnable,
+  reviewable, or reversible increment.
+- The AI infers goal, scope, acceptance, and permissions, but must not cross
+  project rules, explicit human limits, `permission.modify.denied`, security
+  boundaries, or destructive-action limits.
+- `Green` may continue automatically.
+- `Yellow` may continue after local low-risk correction.
+- `Red` must stop for human confirmation.
+- If permission must expand, an unallowed command must run, network access is
+  needed, a destructive action is needed, or product direction / core
+  architecture would change, the current node must be Red.
+- After all work is complete, run one final review; re-check only Yellow, Red,
+  failed verification, or high-impact modules.
+- Every checkpoint must include evidence; a purely subjective Green is not valid.
+- Continuous execution does not change model policy; still escalate through
+  `model_policy` for planning, architecture, failure review, or acceptance disputes.
+
+Must stop when:
+
+- The task would change product direction, core architecture, data structures,
+  security boundaries, payment, accounts, or permissions.
+- The task would delete many files or rewrite a core module.
+- The task outline, acceptance, or permission contains a material conflict.
+- The current implementation affects multiple later modules and the task
+  contract does not cover that impact.
+- Tests fail and cannot be fixed locally.
+- There are two or more high-cost options that need human judgment.
+
+Use this compact checkpoint format:
+
+```text
+## Checkpoint
+### Task Tree
+### Progress
+### Completed
+### Evidence
+### Drift Risk: Green / Yellow / Red
+### Recommended Next Step
+### Auto-Continue Decision
+```
+
 ## Bootstrap Mode
 
 Bootstrap Mode prepares stable project understanding:

package/template/en/ai/template/reconcile.md

@@ -22,6 +22,9 @@ New material should usually live in:
 absorbed. After reconciliation is confirmed, move processed material to
 `ai/project/inbox/processed/` for traceability and to avoid repeated
 reconciliation.
+Even when the human says to reconcile the whole inbox, default to only
+`ai/project/inbox/*.md` and `ai/project/inbox/raw/*.md`; do not recursively
+read `processed/**` or `ideas/**`.
 
 ## First Read
 
@@ -30,11 +33,12 @@ reconciliation.
 3. `ai/project/project.md`
 4. `ai/project/runtime.md`
 5. `ai/project/refs/*.md`
-6. The new material named by the human; if none is named, read `ai/project/inbox/*.md`
+6. The new material named by the human; if none is named, read only
+   `ai/project/inbox/*.md` and `ai/project/inbox/raw/*.md`
 
-Do not read `ai/project/inbox/processed/**`, `ai/project/archive/**`, source,
-tests, config, or dependency files by default unless the human explicitly asks
-you to use them for fact checking.
+Do not read `ai/project/inbox/processed/**`, `ai/project/inbox/ideas/**`,
+`ai/project/archive/**`, source, tests, config, or dependency files by default
+unless the human explicitly asks you to use them for fact checking.
 
 ## Reconciliation Principles
 

package/template/en/ai/template/rules/core.md

@@ -8,6 +8,7 @@ Before editing code, check that `ai/project/task.md` clearly defines:
 - Scope
 - Acceptance
 - Permission
+- Execution policy
 
 If readiness fails, do not edit code. Write blocked results to:
 
@@ -116,6 +117,45 @@ must not directly modify:
 Do not modify current task, results, metrics, archives, source, tests, config,
 or dependency files unless the human explicitly authorizes it.
 
+## Bounded Continuous Execution Gate
+
+Before every execution, the AI must decompose the task and judge risk instead
+of waiting for the human to explicitly say "enable continuous execution".
+
+Before execution:
+
+- Infer goal, scope, acceptance, permissions, and verification method from the
+  human goal, project context, and repository facts.
+- List the L1 task checklist and mark each L1 Green / Yellow / Red.
+- Use `normal` when there are fewer than 2 L1 tasks; automatically use
+  `bounded_continuous` when there are 2 or more L1 tasks.
+- Stop for human confirmation if any L1 is Red; Green and Yellow may continue.
+
+When enabled:
+
+- Execute in L1 -> L2 -> L3 order; plan L2 before executing an L1, and plan L3
+  as needed before executing an L2.
+- Default to at most 3 levels; add L4 dynamically only when L3 is still too
+  large, unverifiable, or hard to revert.
+- Show the L1 checklist as task items; when an L1 is complete, check it off and
+  strike it through.
+- Every task node must have risk, expected edit scope, acceptance method, and
+  evidence requirements.
+- The checkpoint budget is a maximum, not a required count.
+- Every checkpoint must include evidence.
+- `Green` may continue automatically.
+- `Yellow` continues after local low-risk correction.
+- `Red` must stop for human confirmation.
+- Any product direction, core architecture, data structure, security, payment,
+  account, permission, large deletion, core rewrite, or high-cost option choice
+  must stop.
+- Any need to expand scope, permission, commands, network access, or acceptance
+  must stop.
+
+The AI infers goal, scope, acceptance, and permissions, but must not cross
+project rules, explicit human limits, `permission.modify.denied`, security
+boundaries, or destructive-action limits.
+
 ## Strategy Update Gate
 
 If the user asks to update the North Star, final shape, product constitution,

package/template/zh/ai/README.md

@@ -77,6 +77,9 @@ ai/project/inbox/
 `refs/*`。整合完成后，已处理资料统一移动到
 `ai/project/inbox/processed/`。
 
+默认只吸收 `ai/project/inbox/*.md` 和 `ai/project/inbox/raw/*.md`。
+`processed/**` 是追溯区，不会再次参与整合；`ideas/**` 走方向修订提案。
+
 ## 方向修订
 
 北极星、模块地图和路线图属于项目方向层：

package/template/zh/ai/project/task.md

@@ -4,6 +4,31 @@ type: "bugfix | feature | refactor | docs | config | test | research | strategy_
 priority: "P0 | P1 | P2 | P3"
 risk_level: "low | medium | high"
 depends_on_previous_result: false
+execution_policy:
+  mode: "auto | normal | bounded_continuous"
+  activation_rule: "auto_enable_when_l1_count_gte_2"
+  max_depth: 3
+  allow_depth_4_when_needed: true
+  progress_unit: "vertical_slice"
+  task_tree: []
+  checkpoint_budget:
+    l1: 0
+    l2: 0
+    l3: 0
+    l4: 0
+  checkpoint_triggers:
+    - before_crossing_boundary
+    - after_vertical_slice
+    - before_final_review
+  auto_continue:
+    green: true
+    yellow: "low_risk_only"
+    red: false
+  risk_gate:
+    green: "continue"
+    yellow: "continue_with_local_fix"
+    red: "stop_for_human"
+  evidence_required: true
 model_policy:
   default_tier: "cheap"
   allowed_tiers:
@@ -81,6 +106,28 @@ permission:
 
 -
 
+## 执行策略
+
+默认使用 `auto`，由 AI 在执行前规划时判定是否启用连续执行，而不是等待用户口令。
+如果执行前拆出的 L1 任务少于 2 个，使用 `normal`；如果 L1 任务为 2 个或更多，
+自动使用 `bounded_continuous`。
+
+`bounded_continuous` 表示边界内连续执行：
+
+- 目标、范围、验收、权限和风险评级由 AI 基于用户目标、项目上下文和仓库事实推断；
+  不要求用户预先逐项提供。
+- 执行前必须列出 L1 任务清单；每个 L1 用待办列表表示，完成后打勾并划掉。
+- 执行某个 L1 前，AI 先规划自然衍生出的 L2；如果 L2 仍需拆分，再规划 L3。
+- 默认最多 3 层；只有当不拆 L4 会导致 L3 过大或不可验证时，才允许动态增加 L4。
+- 每个任务节点都由 AI 自己生成 Green / Yellow / Red 风险评级。
+- 只有 Red 停下来让人类确认；Green 自动继续，Yellow 先做局部低风险修正后继续。
+- `progress_unit` 默认是 `vertical_slice`：每轮推进都应该产生可检查的工作增量。
+- `checkpoint_budget` 是最多可用检查点预算，不是必须用完的次数；不要为了消耗预算而汇报。
+- 只有在触发 `checkpoint_triggers`、风险升高或准备收尾时才输出 Checkpoint。
+- 每个 Checkpoint 必须包含证据：已改文件、已运行命令、验证结果或无法验证的原因。
+- 完成后只做一次总复盘；只对 Yellow、Red、失败验证或高影响模块做二次抽检。
+- 连续执行不改变模型策略；涉及判断、架构、失败复盘或验收争议时仍按 `model_policy` 升级。
+
 ## 权限
 
 只修改 YAML front matter 允许列表中的文件。
@@ -104,3 +151,6 @@ permission:
 - 必需引用缺失。
 - 必需命令无法运行。
 - 风险等级高但没有明确授权。
+- 连续执行中出现 Red 检查点。
+- 需要改变产品方向、核心架构、数据结构、安全边界、支付、账号或权限。
+- 需要删除大量文件、重写核心模块，或在多个高成本方案之间取舍。

package/template/zh/ai/template/VERSION

@@ -1 +1 @@
-0.8.15
+0.8.16

package/template/zh/ai/template/prompt.md

@@ -29,7 +29,9 @@
   更新上下文/处理新资料，提到 `reconcile` 或 `ai/project/inbox/`，
   或 `ai/project/inbox/` 里存在 `.gitkeep` 之外的待吸收资料，执行 `ai/template/reconcile.md`，
   并按它的两阶段流程停止或更新；但 `ai/project/inbox/processed/` 是已处理资料，
-  不应触发整合，`ai/project/inbox/ideas/` 应优先走 `strategy_update`。
+  不应触发整合，`ai/project/inbox/ideas/` 应优先走 `strategy_update`。即使用户说
+  “整合整个 inbox”，默认也只处理 `ai/project/inbox/*.md` 和
+  `ai/project/inbox/raw/*.md`。
 - 如果用户说“开始初始化这个项目”、要求初始化/整理/生成项目上下文，
   或 `ai/project/project.md` 为空、只有占位内容、
   或不完整，执行 `ai/template/bootstrap.md`，并在项目上下文确认后停止。
@@ -46,9 +48,14 @@
 在任务草稿模式中：
 
 1. 读取已确认的 `ai/project/project.md` 和相关 `ai/project/refs/*.md`。
-2. 根据用户当前目标起草 `ai/project/task.md`。
-3. 只为范围、风险、权限或验收阻塞项最多问 3 个问题。
-4. 停止等待人类确认。不要修改源码或业务文件。
+2. 根据用户当前目标、项目上下文和仓库事实，推断目标、范围、验收、权限、
+   验证方式和初始风险；不要要求用户逐项提供。
+3. 起草 `ai/project/task.md`，并将 `execution_policy.mode` 设为 `auto`。
+4. 执行前列出 L1 任务清单并标注 Green / Yellow / Red。L1 少于 2 个时使用
+   `normal`；L1 为 2 个或更多时自动使用 `bounded_continuous`。
+5. 只有出现 Red 预检项时才停止等待人类确认。若用户要求的是执行或继续，且预检
+   只有 Green / Yellow，可以直接进入执行模式。
+6. 不要在任务草稿模式中修改源码或业务文件。
 
 任务草稿模式必须以下面结构结束：
 
@@ -97,7 +104,11 @@
 2. `ai/project/runtime.md`
 3. `ai/project/task.md`
 
-然后执行任务，并把结果写入：
+然后先做执行前规划：列出 L1 清单，给每个 L1 标注 Green / Yellow / Red，
+并根据 L1 数量自动选择 `normal` 或 `bounded_continuous`。执行 L1 前规划 L2，
+执行 L2 前按需规划 L3；默认最多 3 层，必要时允许 L4。每完成一个 L1，
+在清单中打勾并划掉。只有 Red 停止等待人类确认；Green 自动继续，Yellow 做局部
+低风险修正后继续。最后把结果写入：
 
 - `ai/project/result.json`
 - `ai/project/result.md`

package/template/zh/ai/template/protocol.md

@@ -41,6 +41,60 @@ ai/project/task.md             = 当前执行契约
 9. 只在项目任务边界内执行。
 10. 写入 `ai/project/result.json`、`ai/project/result.md` 和 `ai/project/metrics.json`。
 
+## 执行授权模式
+
+默认执行策略是 `auto`：AI 在每次执行前先做任务分解和风险判断，再决定使用
+`normal` 还是 `bounded_continuous`。启用连续执行不依赖用户说出特定口令。
+
+执行前规划必须：
+
+- 根据用户目标、项目上下文和仓库事实，推断目标、范围、验收、权限和验证方式。
+- 列出 L1 任务清单，并为每个 L1 生成 Green / Yellow / Red 风险评级。
+- 如果 L1 少于 2 个，使用 `normal`。
+- 如果 L1 为 2 个或更多，自动启用 `bounded_continuous`。
+- 如果任一 L1 为 Red，先停止并让人类确认；Green 和 Yellow 不阻塞启动。
+
+边界内连续执行规则：
+
+- 任务树按 L1 -> L2 -> L3 执行。执行某个 L1 前，先规划它自然衍生出的 L2；
+  执行某个 L2 前，如果仍需拆分，再规划 L3。
+- 默认最多 3 层。只有当 L3 仍过大、不可验证或不可回退时，才动态增加 L4。
+- L1/L2/L3/L4 都必须有风险评级、预期改动范围、验收方式和证据要求。
+- L1 清单必须用待办列表展示；每完成一个 L1，就打勾并划掉。
+- 默认按 `vertical_slice` 推进：每轮都产出可运行、可检查或可回退的增量。
+- 目标、范围、验收和权限由 AI 推断，但不能越过项目规则、显式用户限制、
+  `permission.modify.denied`、安全边界或破坏性操作限制。
+- `Green` 可以自动继续。
+- `Yellow` 可以在局部低风险修正后继续。
+- `Red` 必须停止等待人类确认。
+- 如果需要扩大权限、运行未允许命令、访问网络、执行破坏性操作、改变产品方向或核心架构，
+  当前节点必须标为 Red。
+- 全部完成后只做一次总复盘；只对 Yellow、Red、验证失败或高影响模块做二次抽检。
+- 每个 Checkpoint 必须给出证据，不接受只有主观判断的 Green。
+- 连续执行不改变模型策略；遇到规划、架构、失败复盘或验收争议，仍按 `model_policy` 升级。
+
+必须停止的情况：
+
+- 需要改变产品方向、核心架构、数据结构、安全边界、支付、账号或权限。
+- 需要删除大量文件或重写核心模块。
+- 发现任务大纲、验收或权限之间存在实质冲突。
+- 当前实现会影响多个后续模块，且任务契约没有覆盖该影响。
+- 测试失败且无法局部修复。
+- 出现两个以上高成本方案，需要人类裁决。
+
+检查点使用紧凑格式：
+
+```text
+## Checkpoint
+### 任务树
+### 当前完成度
+### 已完成
+### 证据
+### 偏离风险：Green / Yellow / Red
+### 下一步建议
+### 是否自动继续
+```
+
 ## 引导模式
 
 引导模式准备稳定的项目理解：

package/template/zh/ai/template/reconcile.md

@@ -20,6 +20,8 @@
 
 `ai/project/inbox/` 是待吸收资料区。资料被整合确认后，统一移动到
 `ai/project/inbox/processed/`，用于追溯并避免后续重复整合。
+即使用户说“整合整个 inbox”，默认也只处理 `ai/project/inbox/*.md`
+和 `ai/project/inbox/raw/*.md`；不要递归读取 `processed/**` 或 `ideas/**`。
 
 ## 先读
 
@@ -28,10 +30,11 @@
 3. `ai/project/project.md`
 4. `ai/project/runtime.md`
 5. `ai/project/refs/*.md`
-6. 人类指定的新资料；未指定时，读取 `ai/project/inbox/*.md`
+6. 人类指定的新资料；未指定时，只读取 `ai/project/inbox/*.md`
+   和 `ai/project/inbox/raw/*.md`
 
-不要默认读取 `ai/project/inbox/processed/**`、`ai/project/archive/**`、源码、
-测试、配置或依赖文件，除非人类明确要求用它们核对事实。
+不要默认读取 `ai/project/inbox/processed/**`、`ai/project/inbox/ideas/**`、
+`ai/project/archive/**`、源码、测试、配置或依赖文件，除非人类明确要求用它们核对事实。
 
 ## 整合原则
 

package/template/zh/ai/template/rules/core.md

@@ -8,6 +8,7 @@
 - 范围
 - 验收
 - 权限
+- 执行策略
 
 如果未就绪，不要编辑代码。将阻塞结果写入：
 
@@ -100,6 +101,35 @@
 
 除非人类明确授权，不要修改当前任务、结果、指标、归档、源码、测试、配置或依赖文件。
 
+## 边界内连续执行门
+
+每次执行前，AI 必须先做任务分解和风险判断，而不是等待用户显式说“启用连续执行”。
+
+执行前必须：
+
+- 根据用户目标、项目上下文和仓库事实，推断目标、范围、验收、权限和验证方式。
+- 列出 L1 任务清单，并给每个 L1 标注 Green / Yellow / Red。
+- L1 少于 2 个时使用 `normal`；L1 为 2 个或更多时自动使用 `bounded_continuous`。
+- 任一 L1 为 Red 时，停止等待人类确认；Green 和 Yellow 可继续。
+
+启用后：
+
+- 按 L1 -> L2 -> L3 执行；执行某个 L1 前规划 L2，执行某个 L2 前按需规划 L3。
+- 默认最多 3 层；只有当 L3 仍过大、不可验证或不可回退时，才动态增加 L4。
+- L1 清单必须用待办列表展示；每完成一个 L1，就打勾并划掉。
+- 每个任务节点必须有风险评级、预期改动范围、验收方式和证据要求。
+- 检查点预算是上限，不是必须用完的次数。
+- 每个 Checkpoint 必须包含证据。
+- `Green` 可自动继续。
+- `Yellow` 做局部低风险修正后继续。
+- `Red` 必须停止等待人类确认。
+- 任何方向、核心架构、数据结构、安全、支付、账号、权限、大量删除、
+  核心重写或高成本方案取舍，都必须停止。
+- 需要扩大范围、权限、命令、网络或验收时，必须停止。
+
+目标、范围、验收和权限由 AI 推断，但不能越过项目规则、显式用户限制、
+`permission.modify.denied`、安全边界或破坏性操作限制。
+
 ## 策略修订门
 
 如果用户要求更新项目北极星、最终形态、产品宪法、模块地图、路线图或项目方向，

package/test/selftest.js

@@ -77,6 +77,17 @@ function testInitUpdateDoctor() {
   assert(read(cwd, "ai/template/bootstrap.md").includes("未吸收资料"), "bootstrap handoff should audit unabsorbed material");
   assert(read(cwd, "ai/template/bootstrap.md").includes("冲突处理"), "bootstrap handoff should audit conflict handling");
   assert(read(cwd, "ai/template/prompt.md").includes("任务草稿交接"), "execution prompt should include task handoff");
+  assert(read(cwd, "ai/template/prompt.md").includes("默认也只处理 `ai/project/inbox/*.md`"), "execution prompt should narrow inbox reconciliation");
+  assert(read(cwd, "ai/template/protocol.md").includes("边界内连续执行"), "protocol should include bounded continuous execution");
+  assert(read(cwd, "ai/template/protocol.md").includes("`vertical_slice`"), "protocol should require vertical-slice progress for continuous execution");
+  assert(read(cwd, "ai/template/protocol.md").includes("L1 为 2 个或更多，自动启用"), "protocol should auto-enable continuous execution from L1 count");
+  assert(read(cwd, "ai/template/protocol.md").includes("每个 Checkpoint 必须给出证据"), "protocol should require evidence-backed checkpoints");
+  assert(read(cwd, "ai/template/rules/core.md").includes("边界内连续执行门"), "core rules should include bounded continuous execution gate");
+  assert(read(cwd, "ai/template/rules/core.md").includes("需要扩大范围、权限、命令、网络或验收时"), "core rules should stop continuous execution before boundary expansion");
+  assert(read(cwd, "ai/project/task.md").includes("execution_policy:"), "task template should include execution policy");
+  assert(read(cwd, "ai/project/task.md").includes("activation_rule: \"auto_enable_when_l1_count_gte_2\""), "task template should define automatic activation rule");
+  assert(read(cwd, "ai/project/task.md").includes("risk_gate:"), "task template should define risk gate");
+  assert(read(cwd, "ai/project/task.md").includes("progress_unit: \"vertical_slice\""), "task template should define continuous progress unit");
   assert(read(cwd, "ai/template/prompt.md").includes("开始初始化这个项目"), "execution prompt should route natural bootstrap entry");
   assert(read(cwd, "ai/template/prompt.md").includes("开始初始化这个项目，并吸收 ai/project/inbox/ 里的资料"), "execution prompt should route bootstrap with inbox material");
   assert(read(cwd, "ai/template/prompt.md").includes("不要重新 bootstrap"), "execution prompt should reconcile inbox material when project context already exists");
@@ -85,6 +96,7 @@ function testInitUpdateDoctor() {
   assert(read(cwd, "ai/template/prompt.md").includes("strategy_update"), "execution prompt should route strategy updates");
   assert(read(cwd, "ai/template/reconcile.md").includes("上下文整合"), "init should install reconcile prompt");
   assert(read(cwd, "ai/template/reconcile.md").includes("整合计划"), "reconcile prompt should require a plan first");
+  assert(read(cwd, "ai/template/reconcile.md").includes("不要递归读取 `processed/**` 或 `ideas/**`"), "reconcile prompt should exclude processed and ideas recursively");
   assert(read(cwd, "ai/template/reconcile.md").includes("ai/project/inbox/processed/raw/file.md"), "reconcile prompt should archive absorbed raw inbox material");
   assert(read(cwd, "ai/template/reconcile.md").includes("未吸收资料"), "reconcile handoff should audit unabsorbed material");
   assert(read(cwd, "ai/template/reconcile.md").includes("冲突处理"), "reconcile handoff should audit conflict handling");
@@ -142,6 +154,17 @@ function testEnglishInitUpdateDoctor() {
   assert(read(cwd, "ai/template/bootstrap.md").includes("Unabsorbed material"), "English bootstrap handoff should audit unabsorbed material");
   assert(read(cwd, "ai/template/bootstrap.md").includes("Conflict handling"), "English bootstrap handoff should audit conflict handling");
   assert(read(cwd, "ai/template/prompt.md").includes("Start initializing this project"), "English execution prompt should route natural bootstrap entry");
+  assert(read(cwd, "ai/template/prompt.md").includes("default to only `ai/project/inbox/*.md`"), "English execution prompt should narrow inbox reconciliation");
+  assert(read(cwd, "ai/template/protocol.md").includes("`bounded_continuous`"), "English protocol should include bounded continuous execution");
+  assert(read(cwd, "ai/template/protocol.md").includes("`vertical_slice`"), "English protocol should require vertical-slice progress for continuous execution");
+  assert(read(cwd, "ai/template/protocol.md").includes("Automatically use `bounded_continuous`"), "English protocol should auto-enable continuous execution from L1 count");
+  assert(read(cwd, "ai/template/protocol.md").includes("Every checkpoint must include evidence"), "English protocol should require evidence-backed checkpoints");
+  assert(read(cwd, "ai/template/rules/core.md").includes("Bounded Continuous Execution Gate"), "English core rules should include bounded continuous execution gate");
+  assert(read(cwd, "ai/template/rules/core.md").includes("expand scope, permission, commands, network access, or acceptance"), "English core rules should stop continuous execution before boundary expansion");
+  assert(read(cwd, "ai/project/task.md").includes("execution_policy:"), "English task template should include execution policy");
+  assert(read(cwd, "ai/project/task.md").includes("activation_rule: \"auto_enable_when_l1_count_gte_2\""), "English task template should define automatic activation rule");
+  assert(read(cwd, "ai/project/task.md").includes("risk_gate:"), "English task template should define risk gate");
+  assert(read(cwd, "ai/project/task.md").includes("progress_unit: \"vertical_slice\""), "English task template should define continuous progress unit");
   assert(read(cwd, "ai/template/prompt.md").includes("Start initializing this project and absorb the material in ai/project/inbox/"), "English execution prompt should route bootstrap with inbox material");
   assert(read(cwd, "ai/template/prompt.md").includes("instead of bootstrapping again"), "English execution prompt should reconcile inbox material when project context already exists");
   assert(read(cwd, "ai/template/prompt.md").includes("Reconcile the new material in ai/project/inbox/"), "English execution prompt should route natural reconcile entry");
@@ -155,6 +178,7 @@ function testEnglishInitUpdateDoctor() {
   assert(read(cwd, "ai/project/proposals/final-shape-updates/_template.md").includes("`accepted`"), "English proposal template should describe accepted status");
   assert(read(cwd, "ai/template/reconcile.md").includes("Context Reconcile"), "English init should install English reconcile prompt");
   assert(read(cwd, "ai/template/reconcile.md").includes("reconciliation plan"), "English reconcile prompt should require a plan first");
+  assert(read(cwd, "ai/template/reconcile.md").includes("do not recursively\nread `processed/**` or `ideas/**`"), "English reconcile prompt should exclude processed and ideas recursively");
   assert(read(cwd, "ai/template/reconcile.md").includes("ai/project/inbox/processed/raw/file.md"), "English reconcile prompt should archive absorbed raw inbox material");
   assert(read(cwd, "ai/template/reconcile.md").includes("Unabsorbed material"), "English reconcile handoff should audit unabsorbed material");
   assert(read(cwd, "ai/template/reconcile.md").includes("Conflict handling"), "English reconcile handoff should audit conflict handling");