@wnlen/agent-execution-template 0.8.15 → 0.8.17

package/README.md

@@ -147,12 +147,37 @@ npx -y @wnlen/agent-execution-template strategy --lang en
 | Strategy amendment gate | New direction goes through `inbox/ideas/`, a proposal, human confirmation, then an explicit apply task. |
 | Protected project context | `update` refreshes `ai/template/**` without overwriting `ai/project/**`. |
 | Project context refresh | `refresh` backs up old `ai/project/**`, creates a fresh project context, and imports the old context into the inbox for reconciliation. |
-| Bounded task execution | Goals, scope, permissions, risk, and acceptance criteria live in one task file. |
+| Automatic continuous execution | The agent decomposes L1/L2/L3 before execution; 2+ L1 tasks automatically enable bounded continuous execution, and only Red risk stops for confirmation. |
 | Auditable results | Every run can leave human-readable output, machine-readable facts, and metrics. |
 | Token-efficient model policy | Cheap models handle bounded work; strong models are reserved for judgment points. |
 | Upgradeable template | Reuse protocol improvements without losing local project memory. |
 | Doctor checks | Validate required files and template version before running the agent. |
 
+## How Automatic Continuous Execution Works
+
+The user can still give a natural-language goal, for example:
+
+```text
+Build the settings page with profile editing, notification toggles, and export entrypoint
+```
+
+Before execution, the AI decomposes L1 tasks:
+
+```text
+- [ ] L1-1 Profile editing Green
+- [ ] L1-2 Notification toggles Green
+- [ ] L1-3 Export entrypoint Yellow
+```
+
+Because there are two or more L1 tasks, the protocol automatically uses bounded
+continuous execution. Before each L1, the AI plans naturally derived L2/L3 work.
+After completing an L1, it checks and strikes the item, then writes status back
+to `execution_policy.task_tree` in `ai/project/task.md`.
+
+Only Red risk stops for confirmation. Green continues automatically, and Yellow
+continues after local low-risk correction. Every checkpoint must include
+evidence: changed files, commands run, and verification results.
+
 ## Installed Layout
 
 ```text
@@ -162,6 +187,7 @@ ai/
   template/
     VERSION
     bootstrap.md
+    execution-policy.md
     prompt.md
     reconcile.md
     protocol.md
@@ -323,6 +349,8 @@ Reconcile the new material in ai/project/inbox/
 
 The agent must produce a reconciliation plan first, wait for confirmation, then merge long-lived facts into `project.md`, `runtime.md`, and `refs/*`.
 After reconciliation, processed material is moved to `ai/project/inbox/processed/` for traceability.
+By default, only `ai/project/inbox/*.md` and `ai/project/inbox/raw/*.md` are absorbed;
+`processed/**` is not reconciled again, and `ideas/**` goes through the direction amendment proposal flow.
 
 ## Project North Star
 

package/README.zh-CN.md

@@ -157,12 +157,35 @@ npx -y @wnlen/agent-execution-template strategy
 | 策略修订门禁 | 新方向先进入 `inbox/ideas/`，生成 proposal，人类确认后才合并进北极星、模块地图或路线图。 |
 | 保护项目现场 | `update` 刷新 `ai/template/**`，不会覆盖 `ai/project/**`。 |
 | 项目上下文重整 | `refresh` 备份旧 `ai/project/**`，生成新项目上下文，并把旧上下文放入 inbox 供 AI 整理。 |
-| 有边界的任务执行 | 目标、范围、权限、风险和验收标准集中在任务文件里。 |
+| 自动连续执行 | AI 执行前自动拆 L1/L2/L3 任务树；L1 两个以上自动启用边界内连续执行，只有 Red 风险停下来确认。 |
 | 可审计结果 | 每次执行都可以留下人类可读结果、机器可读事实和 metrics。 |
 | Token-efficient 模型策略 | 便宜模型处理边界清楚的工作，强模型只用于关键判断点。 |
 | 可升级模板 | 协议可以持续改进，不丢失项目本地记忆。 |
 | Doctor 检查 | 执行前检查必要文件和模板版本。 |
 
+## 自动连续执行怎么工作
+
+用户仍然只需要说自然语言目标，例如：
+
+```text
+实现设置页，包括资料编辑、通知开关和导出入口
+```
+
+AI 会在执行前先拆 L1 任务：
+
+```text
+- [ ] L1-1 资料编辑 Green
+- [ ] L1-2 通知开关 Green
+- [ ] L1-3 导出入口 Yellow
+```
+
+因为 L1 有两个以上，协议会自动使用边界内连续执行。执行每个 L1 前，AI 再规划
+自然衍生的 L2/L3；完成一个 L1 后，在清单中打勾并划掉，同时把状态写回
+`ai/project/task.md` 的 `execution_policy.task_tree`。
+
+只有 Red 风险会停下来让你确认。Green 自动继续，Yellow 只做局部低风险修正后继续。
+每个 Checkpoint 都必须带证据：改了哪些文件、跑了哪些命令、验证结果是什么。
+
 ## 安装后的结构
 
 ```text
@@ -172,6 +195,7 @@ ai/
   template/
     VERSION
     bootstrap.md
+    execution-policy.md
     prompt.md
     reconcile.md
     protocol.md
@@ -332,6 +356,8 @@ ai/project/inbox/
 
 AI 必须先输出整合计划，等待确认后，再把长期有效事实合并进 `project.md`、`runtime.md` 和 `refs/*`。
 整合完成后，已处理资料统一移动到 `ai/project/inbox/processed/`，保留用于追溯。
+默认只吸收 `ai/project/inbox/*.md` 和 `ai/project/inbox/raw/*.md`；
+`processed/**` 不会再次参与整合，`ideas/**` 走方向修订提案。
 
 ## 项目北极星
 

package/bin/agent-execution-template.js

@@ -13,6 +13,7 @@ const REQUIRED_FILES = [
   "ai/template/LANG",
   "ai/template/VERSION",
   "ai/template/bootstrap.md",
+  "ai/template/execution-policy.md",
   "ai/template/prompt.md",
   "ai/template/reconcile.md",
   "ai/template/protocol.md",
@@ -48,6 +49,13 @@ const TASK_HEALTH_PATTERNS = [
   /^type:\s*/m,
   /^priority:\s*/m,
   /^risk_level:\s*/m,
+  /^readiness:\s*/m,
+  /^execution_policy:/m,
+  /^\s+mode:\s*/m,
+  /^\s+activation_rule:\s*/m,
+  /^\s+task_tree:/m,
+  /^\s+risk_gate:/m,
+  /^\s+evidence_required:\s*/m,
   /^model_policy:/m,
   /^refs:/m,
   /^permission:/m
@@ -145,6 +153,7 @@ const TEXT = {
     nextTellAgent: "把这句话发给你的 AI coding 工具:",
     nextRunCommand: "运行这个命令:",
     nextReviewProposal: "已有方向修订提案。先审查提案；确认后对 AI 说:",
+    nextContinuePrompt: "继续推进这个项目。执行前先拆 L1 任务；若 L1 >= 2，自动启用边界内连续执行；只有 Red 风险停下来确认。",
     repairHint: "缺失的 project 推荐文件可通过重新运行 init 安全补齐；已有 ai/project/** 不会被覆盖。",
     permissionDenied: "无法写入目标路径",
     permissionHint: `请检查 ai/** 的归属和权限。常见修复:
@@ -249,6 +258,7 @@ Usage:
     nextTellAgent: "Send this to your AI coding tool:",
     nextRunCommand: "Run this command:",
     nextReviewProposal: "A direction amendment proposal exists. Review it first; after confirmation, tell the AI:",
+    nextContinuePrompt: "Continue this project. Before execution, decompose L1 tasks; if L1 >= 2, automatically use bounded continuous execution; only Red risk stops for confirmation.",
     repairHint: "Missing recommended project files can be safely added by running init again; existing ai/project/** files are not overwritten.",
     permissionDenied: "Cannot write target path",
     permissionHint: `Check ownership and permissions under ai/**. Common fix:
@@ -582,7 +592,7 @@ function next({ lang = readInstalledLang() } = {}) {
   }
 
   console.log(`${text.nextTellAgent}
-  ${lang === "zh" ? "继续推进这个项目" : "Continue this project"}
+  ${text.nextContinuePrompt}
 `);
 }
 

package/docs/SPEC.md

@@ -22,7 +22,7 @@ npx 安装协议 -> AI 整理项目上下文 -> 人类确认 -> AI 生成任务
 
 ```text
 Protocol: v0.8
-Package: @wnlen/agent-execution-template@0.8.15
+Package: @wnlen/agent-execution-template@0.8.17
 中文安装: npx -y @wnlen/agent-execution-template init
 英文安装: npx -y @wnlen/agent-execution-template init --lang en
 ```
@@ -181,6 +181,7 @@ ai/
   template/
     VERSION
     bootstrap.md
+    execution-policy.md
     prompt.md
     reconcile.md
     protocol.md
@@ -243,6 +244,7 @@ project 是现场。
 ```text
 ai/template/VERSION
 ai/template/bootstrap.md
+ai/template/execution-policy.md
 ai/template/prompt.md
 ai/template/reconcile.md
 ai/template/protocol.md
@@ -390,12 +392,13 @@ npx -y @wnlen/agent-execution-template doctor
 ```text
 Agent Execution Template 检查
 
-模板版本: 0.8.15
+模板版本: 0.8.17
 模板语言: zh
 
 [通过] ai/template/LANG
 [通过] ai/template/VERSION
 [通过] ai/template/bootstrap.md
+[通过] ai/template/execution-policy.md
 [通过] ai/template/prompt.md
 [通过] ai/template/reconcile.md
 [通过] ai/template/protocol.md
@@ -610,6 +613,7 @@ ai/project/refs/roadmap.md
 - 任务类型；
 - 优先级；
 - 风险等级；
+- 执行策略；
 - 模型分工策略；
 - refs 要求；
 - 修改权限；
@@ -645,7 +649,46 @@ apply_strategy_update
 权限不允许，不越界修改。
 ```
 
-## 14. 模型分工协议
+## 14. 执行授权策略
+
+执行策略入口写在：
+
+```text
+ai/project/task.md.execution_policy
+ai/template/execution-policy.md
+```
+
+默认模式是 `auto`。AI 每次执行前先做任务分解和风险判断，再决定使用
+`normal` 还是 `bounded_continuous`，不依赖用户口令。
+
+执行前规划：
+
+- AI 根据用户目标、项目上下文和仓库事实推断目标、范围、验收、权限和验证方式；
+- 先列 L1 任务清单，并给每个 L1 标注 Green / Yellow / Red；
+- L1 少于 2 个时使用 `normal`；
+- L1 为 2 个或更多时自动使用 `bounded_continuous`；
+- 任一 L1 为 Red 时停止等待人类确认；Green 和 Yellow 不阻塞启动。
+
+`bounded_continuous` 规则集中在 `ai/template/execution-policy.md`。核心要求：
+
+- 按 L1 -> L2 -> L3 执行，执行 L1 前规划 L2，执行 L2 前按需规划 L3；
+- 默认最多 3 层，只有当 L3 仍过大、不可验证或不可回退时才动态增加 L4；
+- 每个任务节点必须有风险评级、预期改动范围、验收方式和证据要求；
+- L1 清单必须用待办列表展示，每完成一个 L1 就打勾并划掉；
+- 执行前和执行中必须把任务树写回 `ai/project/task.md.execution_policy.task_tree`；
+- 默认按 `vertical_slice` 推进，每轮都要产生可检查增量；
+- 每个 Checkpoint 必须包含证据：已改文件、已运行命令、验证结果或无法验证原因；
+- Green 可自动继续；
+- Yellow 做局部低风险修正后继续；
+- Red 必须停止等待人类确认；
+- 目标、范围、验收和权限由 AI 推断，但不能越过项目规则、显式用户限制、
+  `permission.modify.denied`、安全边界或破坏性操作限制；
+- 需要扩大权限、运行未允许命令、访问网络、执行破坏性操作、改变产品方向或核心架构时，
+  当前节点必须标为 Red。
+
+它不适用于方向未定且无法推断、验收无法定义或高风险架构取舍任务；这些应直接评为 Red。
+
+## 15. 模型分工协议
 
 模型分工写在：
 
@@ -673,7 +716,7 @@ Default cheap. Escalate for judgment. Record why.
 - 写明需要的 strong model role；
 - 记录到 `ai/project/metrics.json`。
 
-## 15. 风险门禁
+## 16. 风险门禁
 
 任务涉及以下内容时必须谨慎：
 
@@ -687,7 +730,7 @@ Default cheap. Escalate for judgment. Record why.
 
 如果风险高且 `task.md` 未明确授权，AI 必须停止并写 blocked 结果。
 
-## 16. refs 延迟加载
+## 17. refs 延迟加载
 
 `ai/project/refs/` 存放按需读取的详细资料。
 
@@ -707,7 +750,7 @@ Default cheap. Escalate for judgment. Record why.
 
 每次读取 ref 都必须在 `result.json.refs_read` 中记录原因。
 
-## 16.1 inbox 待吸收资料
+## 17.1 inbox 待吸收资料
 
 `ai/project/inbox/` 存放尚未整合进项目上下文的新资料。
 已完成整合的资料统一移动到 `ai/project/inbox/processed/`，用于追溯并避免重复处理。
@@ -732,11 +775,13 @@ AI 必须先输出整合计划，等人类确认后，才更新 `project.md`、`
 应用整合完成后，AI 必须把本次已处理的 `ai/project/inbox/*.md`
 移动到 `ai/project/inbox/processed/`。`processed/` 中的资料默认不再触发
 `reconcile` 或 `next` 的待处理资料判断。
+即使用户口语上说“整合整个 inbox”，默认也只处理 `ai/project/inbox/*.md`
+和 `ai/project/inbox/raw/*.md`；`ai/project/inbox/ideas/**` 不参与上下文整合。
 
 如果新资料会改变 `final-shape.md`、`module-map.md` 或 `roadmap.md` 的方向性内容，
 上下文整合只能建议创建 `strategy_update` 提案，不能直接改这些文件。
 
-## 16.2 项目北极星与策略修订
+## 17.2 项目北极星与策略修订
 
 `ai/project/refs/final-shape.md` 是项目北极星说明书，也可以理解为
 Product Constitution / Final Shape Spec。它负责保存：
@@ -812,7 +857,7 @@ ai/project/refs/decisions.md
 ai/project/refs/constraints.md
 ```
 
-## 17. 输出结果
+## 18. 输出结果
 
 每次执行必须写：
 
@@ -822,7 +867,7 @@ ai/project/result.md
 ai/project/metrics.json
 ```
 
-### 17.1 `result.json`
+### 18.1 `result.json`
 
 机器可读结果，是当前最新权威执行记录。
 
@@ -840,7 +885,7 @@ ai/project/metrics.json
 - next；
 - runtime update proposal。
 
-### 17.2 `result.md`
+### 18.2 `result.md`
 
 人类可读摘要。
 
@@ -852,7 +897,7 @@ ai/project/metrics.json
 - 有什么问题；
 - 下一步。
 
-### 17.3 `metrics.json`
+### 18.3 `metrics.json`
 
 执行经济性和模型分工记录。
 
@@ -867,7 +912,7 @@ ai/project/metrics.json
 - human fix required；
 - reuse potential。
 
-## 18. 状态规则
+## 19. 状态规则
 
 允许状态：
 
@@ -885,7 +930,7 @@ blocked
 - 任务不可执行，使用 `blocked`；
 - 执行失败且无法完成，使用 `failed`。
 
-## 19. runtime 治理
+## 20. runtime 治理
 
 `ai/project/runtime.md` 只存当前仍然有效的执行上下文。
 
@@ -904,7 +949,7 @@ ai/project/result.json.runtime_update
 
 再由单独任务决定是否更新 runtime。
 
-## 20. 同步规则
+## 21. 同步规则
 
 从模板仓库导入真实项目：
 
@@ -922,7 +967,7 @@ ai/project/result.json.runtime_update
 
 这是整个项目的安全底线。
 
-## 21. npm 包结构
+## 22. npm 包结构
 
 模板仓库内部结构：
 
@@ -952,7 +997,7 @@ LICENSE
 - `bin/agent-execution-template.js` 是 CLI；
 - `test/selftest.js` 是本地自测。
 
-## 22. 自测与发布检查
+## 23. 自测与发布检查
 
 本地自测：
 
@@ -997,7 +1042,7 @@ diff 检查：
 git diff --check
 ```
 
-## 23. 当前能力边界
+## 24. 当前能力边界
 
 当前项目已经能做到：
 
@@ -1018,7 +1063,7 @@ git diff --check
 - IDE 插件；
 - 发布流水线。
 
-## 24. 最终判断
+## 25. 最终判断
 
 Agent Execution Template v0.8 已经从一个 prompt/template 原型，升级为：
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wnlen/agent-execution-template",
-  "version": "0.8.15",
+  "version": "0.8.17",
   "description": "Low-friction AI execution protocol template for coding agents.",
   "bin": {
     "agent-execution-template": "bin/agent-execution-template.js"

package/template/en/ai/README.md

@@ -11,6 +11,7 @@ project is the field workspace
 
 - `template/prompt.md`: AI startup prompt.
 - `template/bootstrap.md`: project discovery and context bootstrap prompt.
+- `template/execution-policy.md`: automatic continuous execution, task tree, risk rubric, and checkpoint rules.
 - `template/reconcile.md`: merge new authoritative material into existing project context.
 - `template/VERSION`: installed template version.
 - `template/protocol.md`: bootstrap flow, execution flow, model division, sync rules.
@@ -77,6 +78,10 @@ The workflow produces a reconciliation plan first and updates `project.md`,
 `runtime.md`, and `refs/*` only after confirmation. After reconciliation,
 processed material is moved to `ai/project/inbox/processed/`.
 
+By default, only `ai/project/inbox/*.md` and `ai/project/inbox/raw/*.md` are
+absorbed. `processed/**` is trace history and is not reconciled again;
+`ideas/**` goes through the direction amendment proposal flow.
+
 ## Direction Amendments
 
 The North Star, module map, and roadmap belong to the project direction layer:

package/template/en/ai/project/task.md

@@ -3,7 +3,43 @@ task_id: ""
 type: "bugfix | feature | refactor | docs | config | test | research | strategy_update | apply_strategy_update"
 priority: "P0 | P1 | P2 | P3"
 risk_level: "low | medium | high"
+readiness: "draft_for_confirmation | ready_to_execute | blocked"
 depends_on_previous_result: false
+execution_policy:
+  mode: "auto | normal | bounded_continuous"
+  activation_rule: "auto_enable_when_l1_count_gte_2"
+  max_depth: 3
+  allow_depth_4_when_needed: true
+  progress_unit: "vertical_slice"
+  task_tree:
+    - id: "L1-1"
+      title: ""
+      risk: "Green | Yellow | Red"
+      status: "pending | running | done | blocked"
+      scope:
+        allowed: []
+        denied: []
+      acceptance: []
+      evidence: []
+      children: []
+  checkpoint_budget:
+    l1: 0
+    l2: 0
+    l3: 0
+    l4: 0
+  checkpoint_triggers:
+    - before_crossing_boundary
+    - after_vertical_slice
+    - before_final_review
+  auto_continue:
+    green: true
+    yellow: "low_risk_only"
+    red: false
+  risk_gate:
+    green: "continue"
+    yellow: "continue_with_local_fix"
+    red: "stop_for_human"
+  evidence_required: true
 model_policy:
   default_tier: "cheap"
   allowed_tiers:
@@ -45,8 +81,11 @@ This file is the current execution contract. Prefer generating it in Bootstrap
 Mode from a short human goal plus repository context, then have a human review
 it before execution.
 
-Prefer safe assumptions over extra questions, but do not guess scope, risk,
-permissions, or acceptance.
+Prefer safe assumptions over extra questions. The AI should infer scope, risk,
+permissions, and acceptance from the human goal, project context, and repository
+facts. If inference would cross permission or safety boundaries, or acceptance
+cannot be defined, set `readiness` to `blocked` or mark the relevant task node
+`Red` and wait for human confirmation.
 
 ## Goal
 
@@ -86,6 +125,50 @@ The task is complete when:
 
 - 
 
+## Execution Policy
+
+Default to `auto`. The AI decides during pre-execution planning whether to use
+continuous execution; it does not wait for a human keyword. If planning finds
+fewer than 2 L1 tasks, use `normal`; if it finds 2 or more L1 tasks, use
+`bounded_continuous` automatically.
+
+`bounded_continuous` means bounded continuous execution:
+
+- The AI infers goal, scope, acceptance, permissions, and risk from the human
+  goal, project context, and repository facts; the human does not need to
+  provide each field upfront.
+- `readiness = ready_to_execute` means no Red preflight item exists and the task
+  may execute.
+- `readiness = draft_for_confirmation` means human confirmation is required
+  before execution.
+- `readiness = blocked` means the task cannot execute and must produce a
+  blocked result.
+- Before execution, write the L1 checklist to `execution_policy.task_tree`.
+- Before execution, list the L1 task checklist; mark each L1 complete with a
+  checked and struck-through item.
+- Before executing an L1, plan the naturally derived L2 tasks; if an L2 still
+  needs decomposition, plan L3 tasks.
+- Default to at most 3 levels; add L4 dynamically only when leaving it out
+  would make L3 too large or unverifiable.
+- The AI assigns Green / Yellow / Red risk to every task node.
+- Only Red stops for human confirmation; Green continues automatically, and
+  Yellow continues after local low-risk correction.
+- `progress_unit` defaults to `vertical_slice`: each work loop should produce
+  a reviewable increment.
+- `checkpoint_budget` is the maximum checkpoint budget, not a required count;
+  do not report just to spend the budget.
+- Emit a checkpoint only when `checkpoint_triggers` fire, risk rises, or final
+  review is about to start.
+- Every checkpoint must include evidence: changed files, commands run,
+  verification results, or why verification was not possible.
+- During execution, update `task_tree` node status: `pending`, `running`,
+  `done`, or `blocked`.
+- After completion, run one final review; only re-check Yellow, Red, failed
+  verification, or high-impact modules.
+- Continuous execution does not change model policy; escalate through
+  `model_policy` for judgment, architecture, failure review, or acceptance
+  disputes.
+
 ## Permission
 
 Modify files only under the allowlist in the YAML front matter.
@@ -108,3 +191,8 @@ Stop and write `ai/project/result.json`, `ai/project/result.md`, and `ai/project
 - Required refs are missing.
 - Required command cannot be run.
 - Risk level is high without explicit authorization.
+- A Red checkpoint appears during continuous execution.
+- The task would change product direction, core architecture, data structures,
+  security boundaries, payment, accounts, or permissions.
+- The task would delete many files, rewrite a core module, or require choosing
+  between multiple high-cost options.

package/template/en/ai/template/VERSION

@@ -1 +1 @@
-0.8.15
+0.8.17

package/template/en/ai/template/execution-policy.md

@@ -0,0 +1,109 @@
+# Execution Policy
+
+Do not summarize this file.
+During task execution, use this file to choose `normal` or `bounded_continuous`.
+
+## Default Policy
+
+The default execution policy is `auto`: before each execution, the AI first
+decomposes the task and judges risk, then chooses `normal` or
+`bounded_continuous`. Continuous execution does not depend on a human keyword.
+
+Pre-execution planning must:
+
+- Infer goal, scope, acceptance, permissions, and verification method from the
+  human goal, project context, and repository facts.
+- List the L1 task checklist and assign Green / Yellow / Red risk to each L1.
+- Use `normal` if there are fewer than 2 L1 tasks.
+- Automatically use `bounded_continuous` if there are 2 or more L1 tasks.
+- Stop for human confirmation first if any L1 is Red; Green and Yellow do not
+  block startup.
+- Write the task tree to `execution_policy.task_tree` in `ai/project/task.md`.
+
+## Task Tree
+
+Execute the task tree in L1 -> L2 -> L3 order.
+
+- Before executing an L1, plan its naturally derived L2 tasks.
+- Before executing an L2, plan L3 tasks if it still needs decomposition.
+- Default to at most 3 levels. Add L4 dynamically only when L3 would otherwise
+  be too large, unverifiable, or hard to revert.
+- Every L1/L2/L3/L4 node must have risk, expected edit scope, acceptance method,
+  and evidence requirements.
+- Show the L1 checklist as task items; when an L1 is complete, check it off and
+  strike it through.
+- During execution, update each `task_tree` node status: `pending`, `running`,
+  `done`, or `blocked`.
+
+Recommended node shape:
+
+```yaml
+id: "L1-1"
+title: ""
+risk: "Green | Yellow | Red"
+status: "pending | running | done | blocked"
+scope:
+  allowed: []
+  denied: []
+acceptance: []
+evidence: []
+children: []
+```
+
+## Risk Rubric
+
+Green:
+
+- Inside current task scope;
+- no new permission, command, network access, or destructive action is needed;
+- acceptance is clear;
+- no product direction, core architecture, data structure, security boundary,
+  payment, account, or permission change is needed.
+
+Yellow:
+
+- Still inside current task scope;
+- local uncertainty or local verification failure exists;
+- a low-risk local correction can continue the work;
+- no permission, scope, command, or acceptance expansion is needed.
+
+Red:
+
+- Permission expansion, unallowed command, network access, or destructive action
+  is needed;
+- product direction, core architecture, data structure, security boundary,
+  payment, account, or permission would change;
+- many files must be deleted, a core module must be rewritten, or multiple
+  high-cost options require judgment;
+- acceptance cannot be defined, or task goal materially conflicts with project direction.
+
+Only Red stops for human confirmation. Green continues automatically. Yellow
+continues after local low-risk correction.
+
+## Checkpoint
+
+Emit checkpoints only when risk rises, a boundary is about to change, a vertical
+slice is complete, or final review is about to start. Do not report just to
+spend checkpoint budget.
+
+Every checkpoint must include:
+
+```text
+## Checkpoint
+### Task Tree
+### Progress
+### Completed
+### Evidence
+### Drift Risk: Green / Yellow / Red
+### Recommended Next Step
+### Auto-Continue Decision
+```
+
+Evidence must include changed files, commands run, verification results, or why
+verification was not possible. A purely subjective Green is not valid.
+
+## Model Policy
+
+Continuous execution does not change `model_policy`. Still escalate through
+`model_policy` for planning, architecture, failure review, or acceptance
+disputes, and record the reason in `ai/project/metrics.json`.

package/template/en/ai/template/prompt.md

@@ -9,6 +9,7 @@ First read:
 
 1. `ai/template/protocol.md`
 2. `ai/template/rules/core.md`
+3. `ai/template/execution-policy.md`
 
 Then choose the mode:
 
@@ -36,7 +37,9 @@ Then choose the mode:
   `ai/template/reconcile.md` and stop or update according to its two-phase
   workflow; `ai/project/inbox/processed/` is already processed material and
   should not trigger reconciliation, while `ai/project/inbox/ideas/` should
-  route to `strategy_update` first.
+  route to `strategy_update` first. Even if the human says to reconcile the
+  whole inbox, default to only `ai/project/inbox/*.md` and
+  `ai/project/inbox/raw/*.md`.
 - If the user says "Start initializing this project", asks to initialize,
   organize, or generate project context, or if `ai/project/project.md` is
   empty, placeholder-only, or incomplete, follow `ai/template/bootstrap.md`
@@ -58,10 +61,21 @@ Then choose the mode:
 In Task Draft Mode:
 
 1. Read confirmed `ai/project/project.md` and relevant `ai/project/refs/*.md`.
-2. Draft `ai/project/task.md` from the user's current goal.
-3. Ask at most 3 questions only for scope, risk, permission, or acceptance
-   blockers.
-4. Stop for human confirmation. Do not modify source or business files.
+2. Infer goal, scope, acceptance, permissions, verification method, and initial
+   risk from the user's current goal, project context, and repository facts; do
+   not require the human to provide each field upfront.
+3. Draft `ai/project/task.md` and set `execution_policy.mode` to `auto`.
+4. Before execution, list the L1 checklist, mark each L1 Green / Yellow / Red,
+   and write it to `execution_policy.task_tree`. Use `normal` if there are
+   fewer than 2 L1 tasks; automatically use `bounded_continuous` if there are 2
+   or more L1 tasks.
+5. If no Red preflight item exists, set `readiness` to `ready_to_execute`; if
+   human confirmation is needed, set it to `draft_for_confirmation`; if the task
+   cannot execute, set it to `blocked`.
+6. Stop for human confirmation only when a Red preflight item appears. If the
+   human asked to execute or continue, and preflight contains only Green /
+   Yellow, proceed directly to Execution Mode.
+7. Do not modify source or business files in Task Draft Mode.
 
 End Task Draft Mode with:
 
@@ -112,7 +126,15 @@ In Execution Mode, read:
 2. `ai/project/runtime.md`
 3. `ai/project/task.md`
 
-Then execute the task and write results to:
+Then follow `ai/template/execution-policy.md` for pre-execution planning: list
+the L1 checklist, mark each L1 Green / Yellow / Red, and write it to
+`execution_policy.task_tree`. Automatically choose `normal` or
+`bounded_continuous` from the L1 count. Plan L2 before executing an L1, and
+plan L3 as needed before executing an L2; default to at most 3 levels, with L4
+allowed when needed. When an L1 is complete, check it off, strike it through,
+and update the `task_tree` node status. Only Red stops for human confirmation;
+Green continues automatically, and Yellow continues after local low-risk
+correction. Write results to:
 
 - `ai/project/result.json`
 - `ai/project/result.md`

package/template/en/ai/template/protocol.md

@@ -47,6 +47,19 @@ Project Bootstrap / Context Reconcile / Strategy Update -> Project Confirm -> Ta
 9. Execute only within the project task boundary.
 10. Write `ai/project/result.json`, `ai/project/result.md`, and `ai/project/metrics.json`.
 
+## Execution Authorization Modes
+
+Before task execution, read `ai/template/execution-policy.md`.
+
+The default execution policy is `auto`: the AI first decomposes L1 tasks and
+judges Green / Yellow / Red risk, then chooses `normal` or `bounded_continuous`.
+Use `normal` when there are fewer than 2 L1 tasks; automatically use
+`bounded_continuous` when there are 2 or more L1 tasks. Only Red stops for
+human confirmation.
+
+Task tree, risk rubric, checkpoint evidence, and `task_tree` status update
+rules are defined in `ai/template/execution-policy.md`.
+
 ## Bootstrap Mode
 
 Bootstrap Mode prepares stable project understanding:

package/template/en/ai/template/reconcile.md

@@ -22,6 +22,9 @@ New material should usually live in:
 absorbed. After reconciliation is confirmed, move processed material to
 `ai/project/inbox/processed/` for traceability and to avoid repeated
 reconciliation.
+Even when the human says to reconcile the whole inbox, default to only
+`ai/project/inbox/*.md` and `ai/project/inbox/raw/*.md`; do not recursively
+read `processed/**` or `ideas/**`.
 
 ## First Read
 
@@ -30,11 +33,12 @@ reconciliation.
 3. `ai/project/project.md`
 4. `ai/project/runtime.md`
 5. `ai/project/refs/*.md`
-6. The new material named by the human; if none is named, read `ai/project/inbox/*.md`
+6. The new material named by the human; if none is named, read only
+   `ai/project/inbox/*.md` and `ai/project/inbox/raw/*.md`
 
-Do not read `ai/project/inbox/processed/**`, `ai/project/archive/**`, source,
-tests, config, or dependency files by default unless the human explicitly asks
-you to use them for fact checking.
+Do not read `ai/project/inbox/processed/**`, `ai/project/inbox/ideas/**`,
+`ai/project/archive/**`, source, tests, config, or dependency files by default
+unless the human explicitly asks you to use them for fact checking.
 
 ## Reconciliation Principles
 

package/template/en/ai/template/rules/core.md

@@ -8,6 +8,7 @@ Before editing code, check that `ai/project/task.md` clearly defines:
 - Scope
 - Acceptance
 - Permission
+- Execution policy
 
 If readiness fails, do not edit code. Write blocked results to:
 
@@ -116,6 +117,28 @@ must not directly modify:
 Do not modify current task, results, metrics, archives, source, tests, config,
 or dependency files unless the human explicitly authorizes it.
 
+## Bounded Continuous Execution Gate
+
+Before every execution, the AI must read `ai/template/execution-policy.md`,
+decompose the task, and judge risk instead of waiting for the human to
+explicitly say "enable continuous execution".
+
+Hard gates:
+
+- `execution_policy.task_tree` must record the L1 checklist and execution state.
+- Every task node must have Green / Yellow / Red risk.
+- Every checkpoint must include evidence; a purely subjective Green is not valid.
+- Red must stop for human confirmation.
+- Any product direction, core architecture, data structure, security, payment,
+  account, permission, large deletion, core rewrite, or high-cost option choice
+  must stop.
+- Any need to expand scope, permission, commands, network access, or acceptance
+  must stop.
+
+The AI infers goal, scope, acceptance, and permissions, but must not cross
+project rules, explicit human limits, `permission.modify.denied`, security
+boundaries, or destructive-action limits.
+
 ## Strategy Update Gate
 
 If the user asks to update the North Star, final shape, product constitution,

package/template/zh/ai/README.md

@@ -11,6 +11,7 @@ project 是现场工作区
 
 - `template/prompt.md`：AI 启动提示。
 - `template/bootstrap.md`：项目发现和上下文引导提示。
+- `template/execution-policy.md`：自动连续执行、任务树、风险分级和 Checkpoint 规则。
 - `template/reconcile.md`：把新的权威资料合并进现有项目上下文。
 - `template/VERSION`：已安装模板版本。
 - `template/protocol.md`：引导流程、执行流程、模型分工、同步规则。
@@ -77,6 +78,9 @@ ai/project/inbox/
 `refs/*`。整合完成后，已处理资料统一移动到
 `ai/project/inbox/processed/`。
 
+默认只吸收 `ai/project/inbox/*.md` 和 `ai/project/inbox/raw/*.md`。
+`processed/**` 是追溯区，不会再次参与整合；`ideas/**` 走方向修订提案。
+
 ## 方向修订
 
 北极星、模块地图和路线图属于项目方向层：

package/template/zh/ai/project/task.md

@@ -3,7 +3,43 @@ task_id: ""
 type: "bugfix | feature | refactor | docs | config | test | research | strategy_update | apply_strategy_update"
 priority: "P0 | P1 | P2 | P3"
 risk_level: "low | medium | high"
+readiness: "draft_for_confirmation | ready_to_execute | blocked"
 depends_on_previous_result: false
+execution_policy:
+  mode: "auto | normal | bounded_continuous"
+  activation_rule: "auto_enable_when_l1_count_gte_2"
+  max_depth: 3
+  allow_depth_4_when_needed: true
+  progress_unit: "vertical_slice"
+  task_tree:
+    - id: "L1-1"
+      title: ""
+      risk: "Green | Yellow | Red"
+      status: "pending | running | done | blocked"
+      scope:
+        allowed: []
+        denied: []
+      acceptance: []
+      evidence: []
+      children: []
+  checkpoint_budget:
+    l1: 0
+    l2: 0
+    l3: 0
+    l4: 0
+  checkpoint_triggers:
+    - before_crossing_boundary
+    - after_vertical_slice
+    - before_final_review
+  auto_continue:
+    green: true
+    yellow: "low_risk_only"
+    red: false
+  risk_gate:
+    green: "continue"
+    yellow: "continue_with_local_fix"
+    red: "stop_for_human"
+  evidence_required: true
 model_policy:
   default_tier: "cheap"
   allowed_tiers:
@@ -44,7 +80,9 @@ permission:
 这个文件是当前执行契约。优先在引导模式中，根据简短人类目标和仓库上下文生成，
 然后由人类在执行前检查。
 
-优先使用安全假设，少问额外问题；但不要猜测范围、风险、权限或验收。
+优先使用安全假设，少问额外问题。AI 应基于用户目标、项目上下文和仓库事实推断
+范围、风险、权限和验收；如果推断会越过权限、安全边界或验收无法定义，将
+`readiness` 标为 `blocked` 或将相关任务节点标为 `Red`，等待人类确认。
 
 ## 目标
 
@@ -81,6 +119,33 @@ permission:
 
 -
 
+## 执行策略
+
+默认使用 `auto`，由 AI 在执行前规划时判定是否启用连续执行，而不是等待用户口令。
+如果执行前拆出的 L1 任务少于 2 个，使用 `normal`；如果 L1 任务为 2 个或更多，
+自动使用 `bounded_continuous`。
+
+`bounded_continuous` 表示边界内连续执行：
+
+- 目标、范围、验收、权限和风险评级由 AI 基于用户目标、项目上下文和仓库事实推断；
+  不要求用户预先逐项提供。
+- `readiness = ready_to_execute` 表示没有 Red 预检项，可以执行。
+- `readiness = draft_for_confirmation` 表示需要人类确认后才能执行。
+- `readiness = blocked` 表示当前任务不可执行，必须写 blocked 结果。
+- 执行前必须把 L1 任务清单写入 `execution_policy.task_tree`。
+- 执行前必须列出 L1 任务清单；每个 L1 用待办列表表示，完成后打勾并划掉。
+- 执行某个 L1 前，AI 先规划自然衍生出的 L2；如果 L2 仍需拆分，再规划 L3。
+- 默认最多 3 层；只有当不拆 L4 会导致 L3 过大或不可验证时，才允许动态增加 L4。
+- 每个任务节点都由 AI 自己生成 Green / Yellow / Red 风险评级。
+- 只有 Red 停下来让人类确认；Green 自动继续，Yellow 先做局部低风险修正后继续。
+- `progress_unit` 默认是 `vertical_slice`：每轮推进都应该产生可检查的工作增量。
+- `checkpoint_budget` 是最多可用检查点预算，不是必须用完的次数；不要为了消耗预算而汇报。
+- 只有在触发 `checkpoint_triggers`、风险升高或准备收尾时才输出 Checkpoint。
+- 每个 Checkpoint 必须包含证据：已改文件、已运行命令、验证结果或无法验证的原因。
+- 执行中必须更新 `task_tree` 节点状态：`pending`、`running`、`done` 或 `blocked`。
+- 完成后只做一次总复盘；只对 Yellow、Red、失败验证或高影响模块做二次抽检。
+- 连续执行不改变模型策略；涉及判断、架构、失败复盘或验收争议时仍按 `model_policy` 升级。
+
 ## 权限
 
 只修改 YAML front matter 允许列表中的文件。
@@ -104,3 +169,6 @@ permission:
 - 必需引用缺失。
 - 必需命令无法运行。
 - 风险等级高但没有明确授权。
+- 连续执行中出现 Red 检查点。
+- 需要改变产品方向、核心架构、数据结构、安全边界、支付、账号或权限。
+- 需要删除大量文件、重写核心模块，或在多个高成本方案之间取舍。

package/template/zh/ai/template/VERSION

@@ -1 +1 @@
-0.8.15
+0.8.17

package/template/zh/ai/template/execution-policy.md

@@ -0,0 +1,95 @@
+# 执行策略
+
+不要总结这个文件。
+任务执行时按本文件选择 `normal` 或 `bounded_continuous`。
+
+## 默认策略
+
+默认执行策略是 `auto`：AI 在每次执行前先做任务分解和风险判断，再决定使用
+`normal` 还是 `bounded_continuous`。启用连续执行不依赖用户说出特定口令。
+
+执行前规划必须：
+
+- 根据用户目标、项目上下文和仓库事实，推断目标、范围、验收、权限和验证方式。
+- 列出 L1 任务清单，并为每个 L1 生成 Green / Yellow / Red 风险评级。
+- 如果 L1 少于 2 个，使用 `normal`。
+- 如果 L1 为 2 个或更多，自动启用 `bounded_continuous`。
+- 如果任一 L1 为 Red，先停止并让人类确认；Green 和 Yellow 不阻塞启动。
+- 将任务树写入 `ai/project/task.md` 的 `execution_policy.task_tree`。
+
+## 任务树
+
+任务树按 L1 -> L2 -> L3 执行。
+
+- 执行某个 L1 前，先规划它自然衍生出的 L2。
+- 执行某个 L2 前，如果仍需拆分，再规划 L3。
+- 默认最多 3 层。只有当 L3 仍过大、不可验证或不可回退时，才动态增加 L4。
+- L1/L2/L3/L4 都必须有风险评级、预期改动范围、验收方式和证据要求。
+- L1 清单必须用待办列表展示；每完成一个 L1，就打勾并划掉。
+- 执行中必须更新 `task_tree` 节点状态：`pending`、`running`、`done` 或 `blocked`。
+
+推荐节点结构：
+
+```yaml
+id: "L1-1"
+title: ""
+risk: "Green | Yellow | Red"
+status: "pending | running | done | blocked"
+scope:
+  allowed: []
+  denied: []
+acceptance: []
+evidence: []
+children: []
+```
+
+## 风险分级
+
+Green：
+
+- 在当前任务范围内；
+- 不需要新增权限、命令、网络或破坏性操作；
+- 验收方式明确；
+- 不改变产品方向、核心架构、数据结构、安全边界、支付、账号或权限。
+
+Yellow：
+
+- 仍在当前任务范围内；
+- 存在局部不确定或局部验证失败；
+- 可以用低风险修正继续；
+- 不需要扩大权限、范围、命令或验收。
+
+Red：
+
+- 需要扩大权限、运行未允许命令、访问网络或执行破坏性操作；
+- 需要改变产品方向、核心架构、数据结构、安全边界、支付、账号或权限；
+- 需要删除大量文件、重写核心模块或在多个高成本方案之间取舍；
+- 验收不可定义，或任务目标和项目方向发生实质冲突。
+
+只有 Red 停止等待人类确认。Green 自动继续。Yellow 做局部低风险修正后继续。
+
+## Checkpoint
+
+Checkpoint 只在风险升高、边界即将变化、完成垂直切片或准备收尾时输出。
+不要为了消耗预算而汇报。
+
+每个 Checkpoint 必须包含：
+
+```text
+## Checkpoint
+### 任务树
+### 当前完成度
+### 已完成
+### 证据
+### 偏离风险：Green / Yellow / Red
+### 下一步建议
+### 是否自动继续
+```
+
+证据必须包含已改文件、已运行命令、验证结果，或无法验证的原因。
+不接受只有主观判断的 Green。
+
+## 模型策略
+
+连续执行不改变 `model_policy`。遇到规划、架构、失败复盘或验收争议，
+仍按 `model_policy` 升级，并在 `ai/project/metrics.json` 中记录原因。

package/template/zh/ai/template/prompt.md

@@ -9,6 +9,7 @@
 
 1. `ai/template/protocol.md`
 2. `ai/template/rules/core.md`
+3. `ai/template/execution-policy.md`
 
 然后选择模式：
 
@@ -29,7 +30,9 @@
   更新上下文/处理新资料，提到 `reconcile` 或 `ai/project/inbox/`，
   或 `ai/project/inbox/` 里存在 `.gitkeep` 之外的待吸收资料，执行 `ai/template/reconcile.md`，
   并按它的两阶段流程停止或更新；但 `ai/project/inbox/processed/` 是已处理资料，
-  不应触发整合，`ai/project/inbox/ideas/` 应优先走 `strategy_update`。
+  不应触发整合，`ai/project/inbox/ideas/` 应优先走 `strategy_update`。即使用户说
+  “整合整个 inbox”，默认也只处理 `ai/project/inbox/*.md` 和
+  `ai/project/inbox/raw/*.md`。
 - 如果用户说“开始初始化这个项目”、要求初始化/整理/生成项目上下文，
   或 `ai/project/project.md` 为空、只有占位内容、
   或不完整，执行 `ai/template/bootstrap.md`，并在项目上下文确认后停止。
@@ -46,9 +49,17 @@
 在任务草稿模式中：
 
 1. 读取已确认的 `ai/project/project.md` 和相关 `ai/project/refs/*.md`。
-2. 根据用户当前目标起草 `ai/project/task.md`。
-3. 只为范围、风险、权限或验收阻塞项最多问 3 个问题。
-4. 停止等待人类确认。不要修改源码或业务文件。
+2. 根据用户当前目标、项目上下文和仓库事实，推断目标、范围、验收、权限、
+   验证方式和初始风险；不要要求用户逐项提供。
+3. 起草 `ai/project/task.md`，并将 `execution_policy.mode` 设为 `auto`。
+4. 执行前列出 L1 任务清单并标注 Green / Yellow / Red，同时写入
+   `execution_policy.task_tree`。L1 少于 2 个时使用 `normal`；L1 为 2 个或更多时
+   自动使用 `bounded_continuous`。
+5. 如果没有 Red 预检项，将 `readiness` 设为 `ready_to_execute`；如果需要人类确认，
+   设为 `draft_for_confirmation`；如果不可执行，设为 `blocked`。
+6. 只有出现 Red 预检项时才停止等待人类确认。若用户要求的是执行或继续，且预检
+   只有 Green / Yellow，可以直接进入执行模式。
+7. 不要在任务草稿模式中修改源码或业务文件。
 
 任务草稿模式必须以下面结构结束：
 
@@ -97,7 +108,12 @@
 2. `ai/project/runtime.md`
 3. `ai/project/task.md`
 
-然后执行任务，并把结果写入：
+然后按 `ai/template/execution-policy.md` 做执行前规划：列出 L1 清单，给每个 L1
+标注 Green / Yellow / Red，并写入 `execution_policy.task_tree`。根据 L1 数量自动选择
+`normal` 或 `bounded_continuous`。执行 L1 前规划 L2，执行 L2 前按需规划 L3；
+默认最多 3 层，必要时允许 L4。每完成一个 L1，在清单中打勾并划掉，并更新
+`task_tree` 节点状态。只有 Red 停止等待人类确认；Green 自动继续，Yellow 做局部
+低风险修正后继续。最后把结果写入：
 
 - `ai/project/result.json`
 - `ai/project/result.md`

package/template/zh/ai/template/protocol.md

@@ -41,6 +41,17 @@ ai/project/task.md             = 当前执行契约
 9. 只在项目任务边界内执行。
 10. 写入 `ai/project/result.json`、`ai/project/result.md` 和 `ai/project/metrics.json`。
 
+## 执行授权模式
+
+任务执行前必须读取 `ai/template/execution-policy.md`。
+
+执行策略默认是 `auto`：AI 先拆 L1 任务并判断 Green / Yellow / Red，再决定使用
+`normal` 或 `bounded_continuous`。L1 少于 2 个使用 `normal`；L1 为 2 个或更多
+自动启用 `bounded_continuous`。只有 Red 停止等待人类确认。
+
+任务树、风险分级、Checkpoint 证据和 `task_tree` 状态更新规则由
+`ai/template/execution-policy.md` 定义。
+
 ## 引导模式
 
 引导模式准备稳定的项目理解：

package/template/zh/ai/template/reconcile.md

@@ -20,6 +20,8 @@
 
 `ai/project/inbox/` 是待吸收资料区。资料被整合确认后，统一移动到
 `ai/project/inbox/processed/`，用于追溯并避免后续重复整合。
+即使用户说“整合整个 inbox”，默认也只处理 `ai/project/inbox/*.md`
+和 `ai/project/inbox/raw/*.md`；不要递归读取 `processed/**` 或 `ideas/**`。
 
 ## 先读
 
@@ -28,10 +30,11 @@
 3. `ai/project/project.md`
 4. `ai/project/runtime.md`
 5. `ai/project/refs/*.md`
-6. 人类指定的新资料；未指定时，读取 `ai/project/inbox/*.md`
+6. 人类指定的新资料；未指定时，只读取 `ai/project/inbox/*.md`
+   和 `ai/project/inbox/raw/*.md`
 
-不要默认读取 `ai/project/inbox/processed/**`、`ai/project/archive/**`、源码、
-测试、配置或依赖文件，除非人类明确要求用它们核对事实。
+不要默认读取 `ai/project/inbox/processed/**`、`ai/project/inbox/ideas/**`、
+`ai/project/archive/**`、源码、测试、配置或依赖文件，除非人类明确要求用它们核对事实。
 
 ## 整合原则
 

package/template/zh/ai/template/rules/core.md

@@ -8,6 +8,7 @@
 - 范围
 - 验收
 - 权限
+- 执行策略
 
 如果未就绪，不要编辑代码。将阻塞结果写入：
 
@@ -100,6 +101,24 @@
 
 除非人类明确授权，不要修改当前任务、结果、指标、归档、源码、测试、配置或依赖文件。
 
+## 边界内连续执行门
+
+每次执行前，AI 必须读取 `ai/template/execution-policy.md`，先做任务分解和风险判断，
+而不是等待用户显式说“启用连续执行”。
+
+硬门禁：
+
+- `execution_policy.task_tree` 必须记录 L1 清单和执行状态。
+- 每个任务节点必须有 Green / Yellow / Red 风险评级。
+- 每个 Checkpoint 必须包含证据；不接受只有主观判断的 Green。
+- Red 必须停止等待人类确认。
+- 任何方向、核心架构、数据结构、安全、支付、账号、权限、大量删除、
+  核心重写或高成本方案取舍，都必须停止。
+- 需要扩大范围、权限、命令、网络或验收时，必须停止。
+
+目标、范围、验收和权限由 AI 推断，但不能越过项目规则、显式用户限制、
+`permission.modify.denied`、安全边界或破坏性操作限制。
+
 ## 策略修订门
 
 如果用户要求更新项目北极星、最终形态、产品宪法、模块地图、路线图或项目方向，

package/test/selftest.js

@@ -51,6 +51,7 @@ function testInitUpdateDoctor() {
   assert(read(cwd, "ai/template/LANG") === "zh\n", "init should default to zh template");
   assert(exists(cwd, "ai/template/VERSION"), "init should create template VERSION");
   assert(exists(cwd, "ai/template/bootstrap.md"), "init should create template bootstrap prompt");
+  assert(exists(cwd, "ai/template/execution-policy.md"), "init should create execution policy prompt");
   assert(exists(cwd, "ai/template/prompt.md"), "init should create template prompt");
   assert(exists(cwd, "ai/template/reconcile.md"), "init should create template reconcile prompt");
   assert(exists(cwd, "ai/project/inbox/.gitkeep"), "init should create inbox directory");
@@ -77,6 +78,22 @@ function testInitUpdateDoctor() {
   assert(read(cwd, "ai/template/bootstrap.md").includes("未吸收资料"), "bootstrap handoff should audit unabsorbed material");
   assert(read(cwd, "ai/template/bootstrap.md").includes("冲突处理"), "bootstrap handoff should audit conflict handling");
   assert(read(cwd, "ai/template/prompt.md").includes("任务草稿交接"), "execution prompt should include task handoff");
+  assert(read(cwd, "ai/template/prompt.md").includes("ai/template/execution-policy.md"), "execution prompt should read execution policy");
+  assert(read(cwd, "ai/template/execution-policy.md").includes("风险分级"), "execution policy should include risk rubric");
+  assert(read(cwd, "ai/template/execution-policy.md").includes("execution_policy.task_tree"), "execution policy should require task tree persistence");
+  assert(read(cwd, "ai/template/prompt.md").includes("默认也只处理 `ai/project/inbox/*.md`"), "execution prompt should narrow inbox reconciliation");
+  assert(read(cwd, "ai/template/protocol.md").includes("`bounded_continuous`"), "protocol should include bounded continuous execution");
+  assert(read(cwd, "ai/template/execution-policy.md").includes("垂直切片"), "protocol should require vertical-slice progress for continuous execution");
+  assert(read(cwd, "ai/template/execution-policy.md").includes("L1 为 2 个或更多，自动启用"), "protocol should auto-enable continuous execution from L1 count");
+  assert(read(cwd, "ai/template/execution-policy.md").includes("每个 Checkpoint 必须包含"), "protocol should require evidence-backed checkpoints");
+  assert(read(cwd, "ai/template/rules/core.md").includes("边界内连续执行门"), "core rules should include bounded continuous execution gate");
+  assert(read(cwd, "ai/template/rules/core.md").includes("需要扩大范围、权限、命令、网络或验收时"), "core rules should stop continuous execution before boundary expansion");
+  assert(read(cwd, "ai/project/task.md").includes("execution_policy:"), "task template should include execution policy");
+  assert(read(cwd, "ai/project/task.md").includes("readiness:"), "task template should include readiness state");
+  assert(read(cwd, "ai/project/task.md").includes("activation_rule: \"auto_enable_when_l1_count_gte_2\""), "task template should define automatic activation rule");
+  assert(read(cwd, "ai/project/task.md").includes("risk_gate:"), "task template should define risk gate");
+  assert(read(cwd, "ai/project/task.md").includes("status: \"pending | running | done | blocked\""), "task template should define task tree node status");
+  assert(read(cwd, "ai/project/task.md").includes("progress_unit: \"vertical_slice\""), "task template should define continuous progress unit");
   assert(read(cwd, "ai/template/prompt.md").includes("开始初始化这个项目"), "execution prompt should route natural bootstrap entry");
   assert(read(cwd, "ai/template/prompt.md").includes("开始初始化这个项目，并吸收 ai/project/inbox/ 里的资料"), "execution prompt should route bootstrap with inbox material");
   assert(read(cwd, "ai/template/prompt.md").includes("不要重新 bootstrap"), "execution prompt should reconcile inbox material when project context already exists");
@@ -85,6 +102,7 @@ function testInitUpdateDoctor() {
   assert(read(cwd, "ai/template/prompt.md").includes("strategy_update"), "execution prompt should route strategy updates");
   assert(read(cwd, "ai/template/reconcile.md").includes("上下文整合"), "init should install reconcile prompt");
   assert(read(cwd, "ai/template/reconcile.md").includes("整合计划"), "reconcile prompt should require a plan first");
+  assert(read(cwd, "ai/template/reconcile.md").includes("不要递归读取 `processed/**` 或 `ideas/**`"), "reconcile prompt should exclude processed and ideas recursively");
   assert(read(cwd, "ai/template/reconcile.md").includes("ai/project/inbox/processed/raw/file.md"), "reconcile prompt should archive absorbed raw inbox material");
   assert(read(cwd, "ai/template/reconcile.md").includes("未吸收资料"), "reconcile handoff should audit unabsorbed material");
   assert(read(cwd, "ai/template/reconcile.md").includes("冲突处理"), "reconcile handoff should audit conflict handling");
@@ -130,6 +148,7 @@ function testEnglishInitUpdateDoctor() {
 
   const initOutput = run(["init", "--lang", "en"], cwd);
   assert(read(cwd, "ai/template/LANG") === "en\n", "init --lang en should install English template");
+  assert(exists(cwd, "ai/template/execution-policy.md"), "English init should create execution policy prompt");
   assert(read(cwd, "ai/template/bootstrap.md").includes("Confirmation Dimensions"), "English init should install English bootstrap prompt");
   assert(read(cwd, "ai/template/bootstrap.md").includes("Do not summarize this file"), "English bootstrap prompt should prevent summary-only behavior");
   assert(read(cwd, "ai/template/bootstrap.md").includes("ai/project/refs/final-shape.md"), "English bootstrap prompt should initialize the North Star");
@@ -142,6 +161,22 @@ function testEnglishInitUpdateDoctor() {
   assert(read(cwd, "ai/template/bootstrap.md").includes("Unabsorbed material"), "English bootstrap handoff should audit unabsorbed material");
   assert(read(cwd, "ai/template/bootstrap.md").includes("Conflict handling"), "English bootstrap handoff should audit conflict handling");
   assert(read(cwd, "ai/template/prompt.md").includes("Start initializing this project"), "English execution prompt should route natural bootstrap entry");
+  assert(read(cwd, "ai/template/prompt.md").includes("ai/template/execution-policy.md"), "English execution prompt should read execution policy");
+  assert(read(cwd, "ai/template/execution-policy.md").includes("Risk Rubric"), "English execution policy should include risk rubric");
+  assert(read(cwd, "ai/template/execution-policy.md").includes("execution_policy.task_tree"), "English execution policy should require task tree persistence");
+  assert(read(cwd, "ai/template/prompt.md").includes("default to only `ai/project/inbox/*.md`"), "English execution prompt should narrow inbox reconciliation");
+  assert(read(cwd, "ai/template/protocol.md").includes("`bounded_continuous`"), "English protocol should include bounded continuous execution");
+  assert(read(cwd, "ai/template/execution-policy.md").includes("vertical"), "English protocol should require vertical-slice progress for continuous execution");
+  assert(read(cwd, "ai/template/execution-policy.md").includes("Automatically use `bounded_continuous`"), "English protocol should auto-enable continuous execution from L1 count");
+  assert(read(cwd, "ai/template/execution-policy.md").includes("Every checkpoint must include"), "English protocol should require evidence-backed checkpoints");
+  assert(read(cwd, "ai/template/rules/core.md").includes("Bounded Continuous Execution Gate"), "English core rules should include bounded continuous execution gate");
+  assert(read(cwd, "ai/template/rules/core.md").includes("expand scope, permission, commands, network access, or acceptance"), "English core rules should stop continuous execution before boundary expansion");
+  assert(read(cwd, "ai/project/task.md").includes("execution_policy:"), "English task template should include execution policy");
+  assert(read(cwd, "ai/project/task.md").includes("readiness:"), "English task template should include readiness state");
+  assert(read(cwd, "ai/project/task.md").includes("activation_rule: \"auto_enable_when_l1_count_gte_2\""), "English task template should define automatic activation rule");
+  assert(read(cwd, "ai/project/task.md").includes("risk_gate:"), "English task template should define risk gate");
+  assert(read(cwd, "ai/project/task.md").includes("status: \"pending | running | done | blocked\""), "English task template should define task tree node status");
+  assert(read(cwd, "ai/project/task.md").includes("progress_unit: \"vertical_slice\""), "English task template should define continuous progress unit");
   assert(read(cwd, "ai/template/prompt.md").includes("Start initializing this project and absorb the material in ai/project/inbox/"), "English execution prompt should route bootstrap with inbox material");
   assert(read(cwd, "ai/template/prompt.md").includes("instead of bootstrapping again"), "English execution prompt should reconcile inbox material when project context already exists");
   assert(read(cwd, "ai/template/prompt.md").includes("Reconcile the new material in ai/project/inbox/"), "English execution prompt should route natural reconcile entry");
@@ -155,6 +190,7 @@ function testEnglishInitUpdateDoctor() {
   assert(read(cwd, "ai/project/proposals/final-shape-updates/_template.md").includes("`accepted`"), "English proposal template should describe accepted status");
   assert(read(cwd, "ai/template/reconcile.md").includes("Context Reconcile"), "English init should install English reconcile prompt");
   assert(read(cwd, "ai/template/reconcile.md").includes("reconciliation plan"), "English reconcile prompt should require a plan first");
+  assert(read(cwd, "ai/template/reconcile.md").includes("do not recursively\nread `processed/**` or `ideas/**`"), "English reconcile prompt should exclude processed and ideas recursively");
   assert(read(cwd, "ai/template/reconcile.md").includes("ai/project/inbox/processed/raw/file.md"), "English reconcile prompt should archive absorbed raw inbox material");
   assert(read(cwd, "ai/template/reconcile.md").includes("Unabsorbed material"), "English reconcile handoff should audit unabsorbed material");
   assert(read(cwd, "ai/template/reconcile.md").includes("Conflict handling"), "English reconcile handoff should audit conflict handling");
@@ -212,6 +248,25 @@ function testDoctorFailureAndWarning() {
   write(taskWarnCwd, "ai/project/task.md", "# Task only\n");
   const taskWarnOutput = run(["doctor"], taskWarnCwd);
   assert(taskWarnOutput.includes("任务 front matter 缺少关键字段"), "doctor should warn incomplete task front matter");
+
+  const taskPolicyWarnCwd = createTempProject("agent-execution-template-task-policy");
+  run(["init"], taskPolicyWarnCwd);
+  write(taskPolicyWarnCwd, "ai/project/task.md", `---
+task_id: ""
+type: "feature"
+priority: "P2"
+risk_level: "low"
+readiness: "ready_to_execute"
+execution_policy:
+  mode: "auto"
+model_policy: {}
+refs: {}
+permission: {}
+---
+# Task
+`);
+  const taskPolicyWarnOutput = run(["doctor"], taskPolicyWarnCwd);
+  assert(taskPolicyWarnOutput.includes("任务 front matter 缺少关键字段"), "doctor should warn when execution policy fields are incomplete");
 }
 
 function testRefreshBacksUpAndImportsOldProject() {
@@ -247,14 +302,14 @@ function testNextCommandRoutesByProjectState() {
   assert(run(["next"], cwd).includes("开始初始化这个项目"), "next should bootstrap a freshly installed project");
 
   write(cwd, "ai/project/project.md", "USER PROJECT MARKER\n");
-  assert(run(["next"], cwd).includes("继续推进这个项目"), "next should continue when no intake is waiting");
+  assert(run(["next"], cwd).includes("执行前先拆 L1 任务"), "next should continue with automatic execution guidance when no intake is waiting");
 
   write(cwd, "ai/project/inbox/product.md", "# Product material\n");
   assert(run(["next"], cwd).includes("整合 ai/project/inbox/ 里的新资料"), "next should route material inbox to reconcile");
   fs.unlinkSync(path.join(cwd, "ai/project/inbox/product.md"));
 
   write(cwd, "ai/project/inbox/processed/product.md", "# Processed material\n");
-  assert(run(["next"], cwd).includes("继续推进这个项目"), "next should ignore processed inbox material");
+  assert(run(["next"], cwd).includes("执行前先拆 L1 任务"), "next should ignore processed inbox material");
   fs.unlinkSync(path.join(cwd, "ai/project/inbox/processed/product.md"));
 
   write(cwd, "ai/project/inbox/ideas/new-direction.md", "# Direction idea\n");
@@ -262,7 +317,7 @@ function testNextCommandRoutesByProjectState() {
   fs.unlinkSync(path.join(cwd, "ai/project/inbox/ideas/new-direction.md"));
 
   write(cwd, "ai/project/proposals/final-shape-updates/proposal.md", "---\nstatus: \"applied\"\n---\n");
-  assert(run(["next"], cwd).includes("继续推进这个项目"), "next should ignore already applied proposals");
+  assert(run(["next"], cwd).includes("执行前先拆 L1 任务"), "next should ignore already applied proposals");
 
   write(cwd, "ai/project/proposals/final-shape-updates/proposal.md", "---\nstatus: \"proposed\"\n---\n");
   assert(run(["next"], cwd).includes("已有方向修订提案"), "next should route existing proposals to human review");