agestra 4.14.2 → 4.14.5

package/commands/qa.md

@@ -8,7 +8,7 @@ You are executing the `/agestra qa` command.
 **Target:** $ARGUMENTS
 
 Plain review/QA/check requests without `/agestra` or explicit multi-AI/provider wording stay with the current host; they are not Agestra natural-language auto-triggers.
-Agestra natural-language routing requires explicit multi-AI/provider wording such as "multiple AIs", "all AIs", "other AI", "multi-AI", "Codex and Gemini", "provider comparison", or "프로바이더 비교". Explicit `/agestra ...` commands remain supported.
+Agestra natural-language routing requires explicit Agestra/multi-AI/provider wording such as "Agestra", "아제스트라", "multiple AIs", "all AIs", "other AI", "multi-AI", "Codex and Gemini", "provider comparison", or "프로바이더 비교". Explicit `/agestra ...` commands remain supported.
 
 Host interaction fallback: when this workflow says `AskUserQuestion`, use a structured question UI if the current host exposes one. If it is unavailable (for example, in Codex), ask the same question plainly in chat, present the same options, and wait for the user's answer.
 
@@ -19,7 +19,7 @@ Before anything else, call `setup_status`. If it reports `Setup required: yes` o
 1. Invoke the `agestra:setup` skill (or run `/agestra setup` inline) — provider detection, selection, locale, `setup_apply`.
 2. After the config is written, resume this `/agestra qa` command **from Step 1**, preserving `$ARGUMENTS`. Do not ask the user to retype.
 
-Before any provider fan-out, run the shared workspace trust preflight for the exact current project root. If supported providers are blocked, ask once whether to register only this project folder, then call `provider_trust_apply_all` after approval.
+Before any provider fan-out, run the shared workspace trust preflight for the exact current project root. If supported providers are blocked, ask once whether to register only this project folder. This is a security approval gate, not a clarifying question; "keep going" / no-questions instructions are not approval. After approval, call `provider_trust_apply` once per blocked provider. Use `provider_trust_apply_all` only when the host permission model explicitly allows batch trust changes. If approval cannot be obtained, skip blocked providers or fall back to Host-only QA.
 
 ## Step 1: Determine QA target
 
@@ -32,7 +32,21 @@ If no target is provided:
 - If no design document exists, explain that QA needs a design contract and suggest `/agestra design` first.
 Use `AskUserQuestion` when available, or a plain numbered prompt as fallback. Do not proceed to QA depth or provider routing until the QA target/source-of-truth is explicit.
 
-## Step 2: Choose QA depth
+## Step 2: Choose QA execution mode
+
+Ask the user once:
+
+> Which QA execution mode should I use?
+
+| Option | Description |
+|--------|-------------|
+| **Host-only QA (Recommended)** | Fastest path. The current host collects evidence, runs `qa_run`, writes the QA report, and does not call external providers. |
+| **QA Brigade** | The host collects evidence first, then enabled providers cross-check the prepared findings through a short consensus round. Takes longer. |
+| **Decide automatically** | Use Host-only QA unless the target is broad/high-risk, the user explicitly asked for multiple AIs/providers, or the design has disputed evidence. |
+
+Use `AskUserQuestion` when available, or a plain numbered prompt as fallback. This is a cost/permission gate, not a clarifying question. Do not infer provider-backed QA merely because `/agestra qa` was invoked or providers are configured. Only skip this question when the user already explicitly requested current-host-only QA, named provider-backed/multi-AI QA, or chose a mode in the same request. If a host-level no-questions directive prevents asking, choose Host-only QA and report that provider fan-out was skipped.
+
+## Step 3: Choose QA depth
 
 Ask the user once:
 
@@ -44,7 +58,7 @@ Ask the user once:
 | **Full QA with E2E** | Standard QA plus existing E2E tests, temporary browser automation, screenshots when useful, and core real-user flows |
 | **Decide automatically** | Include E2E when UI flow, auth, file operations, public release, destructive actions, or complex state transitions are central |
 
-Use `AskUserQuestion` when available, or a plain numbered prompt as fallback. Do not infer QA depth unless the user chose `Decide automatically` or the request already explicitly asked for Standard QA or Full QA/E2E.
+Use `AskUserQuestion` when available, or a plain numbered prompt as fallback. This is a cost/permission gate, not a clarifying question. Do not infer QA depth unless the user chose `Decide automatically` or the request already explicitly asked for Standard QA or Full QA/E2E. If a host-level no-questions directive prevents asking, choose Standard QA and report that E2E was skipped unless the user explicitly requested it.
 
 If the user chooses Full QA and persistent E2E test files must be added or updated, QA must ask approval and route test-file work to `agestra-implementer` with `mode: e2e-test-authoring`. QA itself remains read-only for source code and persistent tests.
 
@@ -52,17 +66,28 @@ Even in multi-AI QA, E2E/runtime execution is host-owned. External providers may
 
 QA writes a Markdown report under `docs/reports/qa/` unless the user explicitly asks for chat-only output.
 
-Then ask host-led research notes before provider fan-out: spec-to-code mapping gaps, API/consumer data shape, route/link mapping, state transition completeness, command/result consistency, suspected regressions, integration/regression risk, edge/error states, test adequacy, safety hygiene, E2E artifact interpretation, or `skip`. Ask whether any provider or lens should receive a specific research assignment, or whether team-lead should choose.
+If QA Brigade was selected, then ask focused provider cross-check notes before provider fan-out: spec-to-code mapping gaps, API/consumer data shape, route/link mapping, state transition completeness, command/result consistency, suspected regressions, integration/regression risk, edge/error states, test adequacy, safety hygiene, E2E artifact interpretation, or `skip`. Ask whether any provider or host-native lens should receive a specific cross-check assignment, or whether team-lead should choose.
 
-## Step 3: Route execution
+## Step 4: Route execution
 
 Call `environment_check` and `provider_list`.
 
+**Host-only path:**
+Run the host-owned QA evidence pass directly:
+
+- Use `qa_run` for build/test verification where applicable.
+- Inspect the design/progress contract, implementation files, command output, and runtime/E2E artifacts according to the selected depth.
+- Use host-native `agestra-research` only as a bounded native helper assignment when the current host exposes native agents and the evidence question is narrow.
+- Write the QA report under `docs/reports/qa/`.
+- Do not call `agent_research_consensus_start`, `agent_consensus_start`, `ai_chat`, or external provider tools.
+
 **No-provider stop path:**
-Stop Agestra orchestration and tell the user to run `/agestra setup` to enable a provider, or ask the current host to verify directly outside Agestra.
+If QA Brigade was selected but no external provider is available, stop provider orchestration and offer Host-only QA or `/agestra setup`. Do not spawn a provider-backed consensus with zero providers.
+
+**Provider-backed path — QA Brigade selected and 1+ configured external providers available:**
+Before any provider fan-out, run workspace trust readiness for the exact target root. If supported providers are blocked, ask once whether to register only this project folder. This is a security approval gate, not a clarifying question; "keep going" / no-questions instructions are not approval. After approval, call `provider_trust_apply` once per blocked provider. Use `provider_trust_apply_all` only when the host permission model explicitly allows batch trust changes. If approval cannot be obtained, skip blocked providers or fall back to Host-only QA. Pass `workspace_base_dir` explicitly to provider readiness/trust and consensus calls whenever the host workspace root may be ambiguous.
 
-**Provider-backed path — 1+ configured external providers available (host research consensus + QA Brigade):**
-Hand off to `agestra:agestra-team-lead`. Provider-backed QA uses the host research consensus flow:
+Hand off to `agestra:agestra-team-lead`. Provider-backed QA uses the fast host-prepared consensus path by default:
 
 ```text
 호스트가 조사한다.
@@ -71,11 +96,11 @@ Hand off to `agestra:agestra-team-lead`. Provider-backed QA uses the host resear
 호스트가 문서화한다.
 ```
 
-External AI research and debate run in separate fresh sessions, even when the same provider participates in both phases. Build a self-contained handoff packet:
+The host must prepare QA evidence before provider fan-out. External providers cross-check the prepared evidence; they do not run the initial research phase. Build a self-contained handoff packet:
 
 - **Domain:** `qa`
 - **Submode:** `qa-only`
-- **Mode:** `multi-ai`
+- **Mode:** `qa-brigade` (selected by the user; do not re-ask)
 - **QA formation:** QA Brigade
 - **QA target:** from Step 1
 - **QA depth:** Standard QA / Full QA with E2E / Decide automatically
@@ -84,23 +109,28 @@ External AI research and debate run in separate fresh sessions, even when the sa
 - **Report artifact path expectation:** `docs/reports/qa/YYYY-MM-DD-qa-[target].md`
 - **Consensus domain:** `qa`
 - **Connection / Boundary Checks:** API/consumer data shape, route/link mapping, state transition completeness, command/result consistency, and E2E artifact interpretation when E2E ran
-- **Research notes:** what the host-led investigation should look for (spec-to-code gaps, boundary mismatches, regressions, integration risk, edge/error states, test adequacy, safety hygiene)
-- **Research assignments:** optional participant/lens rows for `research_assignments`
+- **Research notes:** what the host-owned evidence pass should look for (spec-to-code gaps, boundary mismatches, regressions, integration risk, edge/error states, test adequacy, safety hygiene)
+- **Cross-check assignments:** optional provider/lens rows for the short consensus round, or "team-lead choose"
+- **Host-native route:** run active-host `agestra-research` for bounded QA evidence lenses before provider cross-check when useful; route any host debate participant to `agestra-debate` with `participant_routes`; do not substitute the current host's external CLI provider for this native role
 - **Available providers:** from `environment_check`; include configured providers when their detected model capability is suitable, using read-only QA/review tools so verification cannot modify source files
 - **Requested providers:** explicit names captured from user wording; otherwise "all configured and available review-capable providers"
-- **QA lens handoff:** when a host QA/review/security perspective is needed, team-lead assigns `agestra-research` focused lenses and includes that evidence in the host-led consolidation inputs. Do not create a bundled research participant.
+- **QA lens handoff:** when a host QA/review/security perspective is needed, team-lead assigns `agestra-research` focused native-agent lenses before provider fan-out and includes that evidence in the host-prepared `initial_aggregation`. Do not list `agestra-research` as an external provider participant.
 - **Brigade lenses:** host executable evidence, spec-to-code compliance, implementation progress truthfulness, integration/regression risk, edge/error states, test adequacy, basic safety hygiene, and E2E artifact review when E2E ran
 - **QA-only boundary:** QA-only mode does not modify product code; connection or boundary defects are findings until the user approves a separate implementation task
 - **JSON finding flow:** candidate findings become `ITEM-*` ledger items; participants use the existing `agree` / `disagree` / `opinion` / `revise` stance contract; only ledger-accepted items affect the final verdict
 - **Locale:** from `setup_status`
 - **Target workspace root:** absolute project folder if the user supplied or implied one; pass it to workspace/debate MCP calls as `workspace_base_dir`
+- **Progress contract:** surface concise phase updates every 30-60 seconds; poll `agent_debate_status`, `run_observable_events` with a cursor, or `cli_worker_status` when available; if trace is `cold-start`, report the current local phase and keep monitoring
 - **Original user request:** preserve verbatim
 
-Team-lead owns running the host-owned QA evidence pass, then calling `agent_research_consensus_start` with `domain: "qa"`, the QA `objective`, `participants`, optional `research_assignments`, optional `provider_order`, bounded `max_rounds`, and output document flags. Team-lead must ensure external AI research and debate use separate fresh sessions, must never create a bundled research pseudo-participant, and must never carry research bundles through `source_documents`. Inspect `aggregation_record.json`, `open_debate_items.json`, `round_packet.{round}.{provider}.json`, the aggregation document, and the leader-authored final decision document under `docs/agestra/`. This command must not call `agent_consensus_start` directly for provider-backed QA; the research consensus workflow prepares the aggregation first. Do not ask for a separate multi-AI confirmation in the provider-backed path; provider selection already came from setup. If the user asks for current-host-only verification, handle that outside Agestra.
+Team-lead owns running the host-owned QA evidence pass, then preparing `initial_aggregation.items` from concrete evidence and calling `agent_consensus_start` with `domain` represented only in metadata, exact provider participants, `participant_routes` for any host-native `agestra-debate` participant, `max_rounds: 1` for Standard QA, and a bounded participant timeout. Team-lead must poll `agent_debate_status` and `run_observable_events` when a locator is available, then surface concise progress at least every 30-60 seconds while provider work is running. When the status reports pending host turns, team-lead dispatches the native `agestra-debate` agent and submits the JSON with `agent_consensus_submit_turn`. If the current host cannot surface progress from a background team-lead, the caller must poll and relay progress, or choose Host-only QA for the current run.
+
+Do not call `agent_research_consensus_start` for the default QA Brigade path. That tool is reserved for an explicit deep provider-research mode; in that exception, External AI research and debate run in separate fresh sessions, even when the same provider participates in both phases. Default QA Brigade must avoid the extra external research round because QA already has host-owned executable evidence.
 
-## Step 4: Present the final result
+## Step 5: Present the final result
 
 When QA returns:
+- State QA execution mode
 - State QA depth and whether E2E was run
 - Link or name the design document used
 - Link the QA report artifact under `docs/reports/qa/`

package/commands/research.md

@@ -1,5 +1,5 @@
 ---
-description: "Run domain-specific research with council, host-seeded, or provider-seeded topology"
+description: "Run domain-specific research with Host-native first, council, or provider-seeded topology"
 argument-hint: "[domain] [topic or question]"
 ---
 
@@ -9,6 +9,7 @@ You are executing the `/agestra research` command.
 
 Use the user-facing term "조사 방식" when talking to the user.
 Provider-facing prompts stay English; user-facing summaries follow the configured locale.
+External provider research prompts must include `skills/references/lenses/research-provider-rules.md`.
 
 ## Step 0: Setup preflight
 
@@ -16,7 +17,7 @@ Call `setup_status` first. If setup is required, run the setup workflow, then re
 
 Then call `environment_check` and `provider_list` before proposing any multi-provider plan.
 
-Before any provider fan-out, run the shared workspace trust preflight for the exact current project root. If supported providers are blocked, ask once whether to register only this project folder, then call `provider_trust_apply_all` after approval.
+Before any provider fan-out, run the shared workspace trust preflight for the exact current project root. If supported providers are blocked, ask once whether to register only this project folder. This is a security approval gate, not a clarifying question; "keep going" / no-questions instructions are not approval. After approval, call `provider_trust_apply` once per blocked provider. Use `provider_trust_apply_all` only when the host permission model explicitly allows batch trust changes. If approval cannot be obtained, skip blocked providers.
 
 ## Step 1: Clarify research target domain and topic
 
@@ -59,14 +60,17 @@ Also capture:
 Available 조사 방식:
 
 - Council Research
-- Host-seeded Research
+- Host-native first (recorded internally as `host-seeded`)
 - Provider-seeded Research
 
 If the user already chose one, validate that it fits the domain and continue.
 If not, propose one recommendation with a short reason and ask for approval.
+This is a cost/latency gate, not a clarifying question. If a host-level
+no-questions directive prevents asking, choose Host-native first (`host-seeded`) and report
+that broader provider investigation was skipped.
 If no external providers are available, stop Agestra orchestration and tell the user to run setup or handle the research directly outside Agestra.
 
-Host-seeded Research means the active host creates the first seed/evidence document, persists it through workspace document tooling, and external participants challenge it through `domain: "research"`. It is provider-backed research, not a host-only multi-AI mode.
+Host-native first means the active host's native `agestra-research` agent creates the first seed/evidence document, persists it through workspace document tooling, and external participants challenge it through `domain: "research"`. Record it internally as `host-seeded`. It is provider-backed research, not a host-only multi-AI mode.
 
 Provider-seeded Research means the selected `seed_provider` creates the first seed/evidence artifact, then reviewer participants independently challenge that seed. The seed provider never commands reviewers; Agestra team-lead/moderator remains the orchestrator.
 
@@ -82,12 +86,17 @@ Before any provider fan-out, create a concise plan containing:
 - Markdown report target
 - validation step, including finding-validator when claims need confirmation
 
+External provider research prompts must be assembled from provider rules, the
+common research guide, the target-domain research card, the `ResearchSubmission`
+output contract, and the assignment task packet. Do not send the full
+`agestra-research` agent or skill document to providers.
+
 For Council Research, this proposal is mandatory. Ask the user to approve or modify it before running the council.
 Do not start provider fan-out until the user approves or modifies the plan.
 
-For Host-seeded Research, create the host seed/aggregation before provider fan-out. Normalize it into `initial_aggregation.items`; do not pass it through `source_documents`.
+For Host-native first (`host-seeded`), create the host seed/aggregation through the active host's native agent surface before provider fan-out. Normalize it into `initial_aggregation.items`; do not pass it through `source_documents`.
 
-Host-seeded Research requires at least one external reviewer participant outside the seed provider. If the user explicitly asks for host-only artifact capture, use `artifact_only_diagnostic: true` and clearly state that no multi-AI consensus was produced.
+Host-native first requires at least one external reviewer participant outside the seed provider. If the user explicitly asks for host-only artifact capture, use `artifact_only_diagnostic: true` and clearly state that no multi-AI consensus was produced.
 
 For Provider-seeded Research, choose or confirm one configured and available `seed_provider` before fan-out. Include it in `participants`, include at least one reviewer participant, and pass `reviewer_participants` when the reviewer set should be explicit. Use `seed_scope` when the seed artifact needs a narrower brief. Use `tool_broker_policy` only to record explicit host-brokered evidence expectations (`none`, `host-brokered-readonly`, or `host-brokered-evidence`); this does not grant direct host tool-use to the provider.
 
@@ -103,9 +112,11 @@ Hand off to `agestra:agestra-team-lead` with a self-contained packet:
 - Runtime lens/role assignment table
 - Available providers
 - Requested providers from user wording, or all available
+- Host-native route: for Host-native first (`host-seeded`), run active-host `agestra-research` before external provider fan-out; route any host debate participant to `agestra-debate` with `participant_routes`; do not substitute the current host's external CLI provider for this native role
 - Locale
 - Target workspace root
 - Required JSON artifacts
+- Progress contract: surface concise phase updates every 30-60 seconds; poll `agent_debate_status`, `run_observable_events` with a cursor, or `cli_worker_status` when available; if trace is `cold-start`, report the current local phase and keep monitoring
 - Original user request verbatim
 
 For Council Research, the team-lead must call `agent_consensus_start` only after approval and after preparing `initial_aggregation.items`:
@@ -121,7 +132,7 @@ For Council Research, the team-lead must call `agent_consensus_start` only after
 }
 ```
 
-For Host-seeded Research, the team-lead must first create the host aggregation, then call `agent_consensus_start` with:
+For Host-native first (`host-seeded`), the team-lead must first create the host aggregation, then call `agent_consensus_start` with:
 
 ```json
 {
@@ -164,7 +175,7 @@ Runtime boundary: native researcher/helper agents are created only by the active
 This command must not call `agent_consensus_start` directly when external providers are involved until host-owned research preprocessing has produced `initial_aggregation.items`.
 This command must not create a bundled research pseudo-participant or carry research bundles through `source_documents`.
 
-When host-owned investigation material is produced as evidence for a provider-backed research workflow, record it through `agent_research_record` before the council or host-seeded review consumes it. Include:
+When host-owned investigation material is produced as evidence for a provider-backed research workflow, record it through `agent_research_record` before the council or Host-native first (`host-seeded`) review consumes it. Include:
 
 - `research_target_domain`
 - selected `topology`

package/commands/review.md

@@ -8,7 +8,7 @@ You are executing the `/agestra review` command.
 **Target:** $ARGUMENTS
 
 Plain review/QA/check requests without `/agestra` or explicit multi-AI/provider wording stay with the current host; they are not Agestra natural-language auto-triggers.
-Agestra natural-language routing requires explicit multi-AI/provider wording such as "multiple AIs", "all AIs", "other AI", "multi-AI", "Codex and Gemini", "provider comparison", or "프로바이더 비교". Explicit `/agestra ...` commands remain supported.
+Agestra natural-language routing requires explicit Agestra/multi-AI/provider wording such as "Agestra", "아제스트라", "multiple AIs", "all AIs", "other AI", "multi-AI", "Codex and Gemini", "provider comparison", or "프로바이더 비교". Explicit `/agestra ...` commands remain supported.
 
 Host interaction fallback: when this workflow says `AskUserQuestion`, use a structured question UI if the current host exposes one. If it is unavailable (for example, in Codex), ask the same question plainly in chat, present the same options, and wait for the user's answer.
 
@@ -21,7 +21,7 @@ Before anything else, call `setup_status`. If it reports `Setup required: yes` o
 
 Agestra uses a single shared `providers.config.json` resolved through `AGESTRA_CONFIG_PATH` or `~/.agestra/providers.config.json` (existing legacy `$CLAUDE_PLUGIN_ROOT/providers.config.json` remains readable). No config -> no sanctioned provider set or locale -> interactive setup is the only correct starting point. Do not silently choose defaults or write config without the user's provider/language choices.
 
-Before any provider fan-out, run the shared workspace trust preflight for the exact current project root. If supported providers are blocked, ask once whether to register only this project folder, then call `provider_trust_apply_all` after approval.
+Before any provider fan-out, run the shared workspace trust preflight for the exact current project root. If supported providers are blocked, ask once whether to register only this project folder. This is a security approval gate, not a clarifying question; "keep going" / no-questions instructions are not approval. After approval, call `provider_trust_apply` once per blocked provider. Use `provider_trust_apply_all` only when the host permission model explicitly allows batch trust changes. If approval cannot be obtained, skip blocked providers.
 
 ## Step 1: Determine review scope
 
@@ -73,9 +73,22 @@ Optionally ask tone if useful:
 
 Use `AskUserQuestion` when available, or a plain numbered prompt as fallback. Do not infer review lens/depth/tone when the user has not provided enough signal; explicit defaults such as `Balanced review`, `Standard review`, or `skip tone` are acceptable.
 
-Then ask host-led research notes before provider fan-out: regression-prone areas, blast radius / downstream callers, prior incidents, dependency / supply-chain concerns, current-information needs, or `skip`. Ask whether any provider or lens should receive a specific research assignment, or whether team-lead should choose.
+Then ask research notes before provider fan-out: regression-prone areas, blast radius / downstream callers, prior incidents, dependency / supply-chain concerns, current-information needs, or `skip`. Ask whether any provider or lens should receive a specific research assignment, or whether team-lead should choose.
 
-## Step 3: Route execution
+## Step 3: Choose 조사 방식
+
+Before provider fan-out, ask once which investigation topology to use unless the user already specified it:
+
+| Option | Description |
+|--------|-------------|
+| **Host-native first (Recommended)** | The active host's native `agestra-research` agent prepares bounded review evidence first; providers challenge and debate the prepared findings. Record internally as `host-seeded`. |
+| **Council Research** | Host and providers independently inspect assigned review lenses before consolidation and debate. |
+| **Provider-seeded Research** | One selected provider creates the first review seed/evidence artifact; host and other providers challenge it. |
+| **Decide automatically** | Use Host-native first for scoped reviews, Council for whole-project/deep reviews, and Provider-seeded only when the user named a provider to lead. |
+
+Use `AskUserQuestion` when available, or a plain numbered prompt as fallback. This is a cost/latency gate, not a review clarification. If a host-level no-questions directive prevents asking, choose Host-native first (`host-seeded`) and report that broader provider investigation was skipped. If Provider-seeded Research is selected and the seed provider is not explicit, record the seed provider as pending; after provider availability is listed, ask which available provider should seed. Do not infer it.
+
+## Step 4: Route execution
 
 Call `environment_check` and `provider_list` to determine available providers.
 
@@ -83,7 +96,7 @@ Call `environment_check` and `provider_list` to determine available providers.
 Stop Agestra orchestration and tell the user to run `/agestra setup` to enable a provider, or ask the current host to review directly outside Agestra. Do not spawn a host specialist from this command.
 
 **Provider-backed path — 1+ external providers available (multi-AI):**
-Hand off to the `agestra:agestra-team-lead` agent with multi-AI mode **pre-selected**. Provider-backed review uses the host research consensus flow:
+Hand off to the `agestra:agestra-team-lead` agent with multi-AI mode **pre-selected**. Provider-backed review uses the selected research topology flow:
 
 ```text
 호스트가 조사한다.
@@ -102,19 +115,22 @@ External AI research and debate run in separate fresh sessions, even when the sa
 - **Boundary:** this is critique/evaluation, not QA PASS/FAIL and not a deep security audit
 - **Report artifact path expectation:** `docs/reports/review/YYYY-MM-DD-review-[target].md`
 - **Consensus domain:** `review`
-- **Research notes:** what the host-led investigation should look for (regression-prone areas, blast radius, prior incidents, dependency concerns, current-information needs)
+- **Research topology / 조사 방식:** selected in Step 3 (`host-seeded`, `council`, `provider-seeded`, or `automatic`)
+- **Host-native route:** for Host-native first (`host-seeded`), run active-host `agestra-research` before external provider fan-out; route any host debate participant to `agestra-debate` with `participant_routes`; do not substitute the current host's external CLI provider for this native role
+- **Research notes:** what the selected investigation should look for (regression-prone areas, blast radius, prior incidents, dependency concerns, current-information needs)
 - **Research assignments:** optional participant/lens rows for `research_assignments`
 - **Available providers:** from `environment_check`; include configured providers when their detected model capability is suitable, using read-only review tools for code/document critique
 - **Requested providers:** explicit names captured from user wording; otherwise "all available review-capable"
-- **Review lens handoff:** when a host review perspective is needed, team-lead assigns `agestra-research` a focused review lens and includes that evidence in the host-led consolidation inputs. Do not create a bundled research participant.
+- **Review lens handoff:** when a host review perspective is needed, team-lead assigns `agestra-research` a focused review lens and includes that evidence in the selected research/consolidation inputs. Do not create a bundled research participant.
 - **Scale controls:** normal scoped reviews inherit the 5-minute participant timeout. If the target is a whole project, a large directory, or deep review, instruct team-lead to create a bounded review packet before fan-out: changed files, key entry points, relevant docs/config, and explicit exclusions. Do not ask external CLI providers to explore an unbounded large repository from scratch. Use `participant_timeout_ms: 600000` (10 minutes) for large/deep reviews, and split the review into narrower area debates if providers still time out.
 - **Locale:** from `setup_status`
 - **Target workspace root:** absolute project folder if the user supplied or implied one; pass it to workspace/debate MCP calls as `workspace_base_dir`
+- **Progress contract:** surface concise phase updates every 30-60 seconds; poll `agent_debate_status`, `run_observable_events` with a cursor, or `cli_worker_status` when available; if trace is `cold-start`, report the current local phase and keep monitoring
 - **Original user request:** preserve verbatim
 
 Team-lead owns the rest:
 - Building the participant team from focused review lenses, explicit host-turn debate participants, and external providers
-- Calling `agent_research_consensus_start` with `domain: "review"`, the review `objective`, `participants`, optional `research_assignments`, optional `provider_order`, bounded `max_rounds`, and output document flags.
+- Resolving the selected research topology, then calling `agent_research_consensus_start` when investigation fan-out is required or `agent_consensus_start` with prepared `initial_aggregation.items` when seed/host evidence is already available.
 - Ensuring external AI research and debate use separate fresh sessions.
 - Never creating a bundled research pseudo-participant and never carrying research bundles through `source_documents`.
 - Inspecting `aggregation_record.json`, `open_debate_items.json`, `round_packet.{round}.{provider}.json`, the aggregation document, and the leader-authored final decision document under `docs/agestra/`.
@@ -127,7 +143,7 @@ Team-lead owns the rest:
 
 Direct execution from this command bypasses team-lead's task design, capability-based routing with optional trace-assisted signals (`trace_summary`), and consistency enforcement. Always go through team-lead in the provider-backed path.
 
-## Step 4: Present the final result
+## Step 5: Present the final result
 
 When team-lead returns:
 - Link the debate markdown, consensus JSON ledger, and synthesis document if created

package/commands/security.md

@@ -8,7 +8,7 @@ You are executing the `/agestra security` command.
 **Target:** $ARGUMENTS
 
 Plain review/QA/check requests without `/agestra` or explicit multi-AI/provider wording stay with the current host; they are not Agestra natural-language auto-triggers.
-Agestra natural-language routing requires explicit multi-AI/provider wording such as "multiple AIs", "all AIs", "other AI", "multi-AI", "Codex and Gemini", "provider comparison", or "프로바이더 비교". Explicit `/agestra ...` commands remain supported.
+Agestra natural-language routing requires explicit Agestra/multi-AI/provider wording such as "Agestra", "아제스트라", "multiple AIs", "all AIs", "other AI", "multi-AI", "Codex and Gemini", "provider comparison", or "프로바이더 비교". Explicit `/agestra ...` commands remain supported.
 
 Host interaction fallback: when this workflow says `AskUserQuestion`, use a structured question UI if the current host exposes one. If it is unavailable (for example, in Codex), ask the same question plainly in chat, present the same options, and wait for the user's answer.
 
@@ -19,7 +19,7 @@ Before anything else, call `setup_status`. If it reports `Setup required: yes` o
 1. Invoke the `agestra:setup` skill (or run `/agestra setup` inline) — provider detection, selection, locale, `setup_apply`.
 2. After the config is written, resume this `/agestra security` command **from Step 1**, preserving `$ARGUMENTS`. Do not ask the user to retype.
 
-Before any provider fan-out, run the shared workspace trust preflight for the exact current project root. If supported providers are blocked, ask once whether to register only this project folder, then call `provider_trust_apply_all` after approval.
+Before any provider fan-out, run the shared workspace trust preflight for the exact current project root. If supported providers are blocked, ask once whether to register only this project folder. This is a security approval gate, not a clarifying question; "keep going" / no-questions instructions are not approval. After approval, call `provider_trust_apply` once per blocked provider. Use `provider_trust_apply_all` only when the host permission model explicitly allows batch trust changes. If approval cannot be obtained, skip blocked providers.
 
 ## Step 1: Determine security scope
 
@@ -50,9 +50,22 @@ Use `AskUserQuestion` when available, or a plain numbered prompt as fallback. Do
 
 Ask separately before any tool-assisted scan that installs tools, contacts package registries, uses network access, or produces large logs. The user must approve the exact tool, command, scope, expected time, privacy/telemetry behavior, and artifact path. If the user declines, continue with manual/code-based review and list the skipped checks as residual risk.
 
-Then ask host-led research notes before provider fan-out: secrets / API key surfaces, auth / authz boundaries, file / command execution paths, network exposure, dependency / supply-chain concerns, unsafe defaults, or `skip`. Ask whether any provider or lens should receive a specific research assignment, or whether team-lead should choose.
+Then ask research notes before provider fan-out: secrets / API key surfaces, auth / authz boundaries, file / command execution paths, network exposure, dependency / supply-chain concerns, unsafe defaults, or `skip`. Ask whether any provider or lens should receive a specific research assignment, or whether team-lead should choose.
 
-## Step 3: Route execution
+## Step 3: Choose 조사 방식
+
+Before provider fan-out, ask once which investigation topology to use unless the user already specified it:
+
+| Option | Description |
+|--------|-------------|
+| **Host-native first (Recommended)** | The active host's native `agestra-research` agent prepares bounded security evidence first; providers challenge and debate the prepared findings. Record internally as `host-seeded`. |
+| **Council Research** | Host and providers independently inspect assigned security surfaces before consolidation and debate. |
+| **Provider-seeded Research** | One selected provider creates the first security seed/evidence artifact; host and other providers challenge it. |
+| **Decide automatically** | Use Host-native first for bounded audits, Council for broad/full security reviews, and Provider-seeded only when the user named a provider to lead. |
+
+Use `AskUserQuestion` when available, or a plain numbered prompt as fallback. This is a cost/latency gate, not a security clarification. If a host-level no-questions directive prevents asking, choose Host-native first (`host-seeded`) and report that broader provider investigation was skipped. If Provider-seeded Research is selected and the seed provider is not explicit, record the seed provider as pending; after provider availability is listed, ask which available provider should seed. Do not infer it.
+
+## Step 4: Route execution
 
 Call `environment_check` and `provider_list`.
 
@@ -60,7 +73,7 @@ Call `environment_check` and `provider_list`.
 Stop Agestra orchestration and tell the user to run `/agestra setup` to enable a provider, or ask the current host to run a security review directly outside Agestra. Do not spawn a host specialist from this command.
 
 **Provider-backed path — 1+ external providers available (multi-AI):**
-Hand off to `agestra:agestra-team-lead`. Provider-backed security uses the host research consensus flow:
+Hand off to `agestra:agestra-team-lead`. Provider-backed security uses the selected research topology flow:
 
 ```text
 호스트가 조사한다.
@@ -79,18 +92,21 @@ External AI research and debate run in separate fresh sessions, even when the sa
 - **Tool permission choices:** approved / declined / not asked, with exact approved commands if any
 - **Report artifact path expectation:** `docs/reports/security/YYYY-MM-DD-security-[target].md`
 - **Consensus domain:** `security`
-- **Research notes:** what the host-led investigation should look for (secrets/keys, auth/authz boundaries, file/command execution, network exposure, dependency concerns, unsafe defaults)
+- **Research topology / 조사 방식:** selected in Step 3 (`host-seeded`, `council`, `provider-seeded`, or `automatic`)
+- **Host-native route:** for Host-native first (`host-seeded`), run active-host `agestra-research` before external provider fan-out; route any host debate participant to `agestra-debate` with `participant_routes`; do not substitute the current host's external CLI provider for this native role
+- **Research notes:** what the selected investigation should look for (secrets/keys, auth/authz boundaries, file/command execution, network exposure, dependency concerns, unsafe defaults)
 - **Research assignments:** optional participant/lens rows for `research_assignments`
 - **Available providers:** from `environment_check`; include configured providers when their detected model capability is suitable, using read-only security-review tools unless the user explicitly approves a separate implementation task
 - **Requested providers:** explicit names captured from user wording; otherwise "all available security-capable"
-- **Specialist handoff (host-native security):** when a host-native security lens is needed, team-lead runs that specialist through the active host layer and includes the result in the host-led research/consolidation inputs. Do not use host-specialist handoff to create a bundled research participant.
+- **Specialist handoff (host-native security):** when a host-native security lens is needed, team-lead runs that specialist through the active host layer and includes the result in the selected research/consolidation inputs. Do not use host-specialist handoff to create a bundled research participant.
 - **Locale:** from `setup_status`
 - **Target workspace root:** absolute project folder if the user supplied or implied one; pass it to workspace/debate MCP calls as `workspace_base_dir`
+- **Progress contract:** surface concise phase updates every 30-60 seconds; poll `agent_debate_status`, `run_observable_events` with a cursor, or `cli_worker_status` when available; if trace is `cold-start`, report the current local phase and keep monitoring
 - **Original user request:** preserve verbatim
 
-Team-lead owns calling `agent_research_consensus_start` with `domain: "security"`, the security `objective`, `participants`, optional `research_assignments`, optional `provider_order`, bounded `max_rounds`, and output document flags. Team-lead must ensure external AI research and debate use separate fresh sessions, must never create a bundled research pseudo-participant, and must never carry research bundles through `source_documents`. Inspect `aggregation_record.json`, `open_debate_items.json`, `round_packet.{round}.{provider}.json`, the aggregation document, and the leader-authored final decision document under `docs/agestra/`. The brigade must not run destructive exploit tests and must not install tools or run heavyweight/networked scans without explicit user approval.
+Team-lead owns resolving the selected research topology, then calling `agent_research_consensus_start` when investigation fan-out is required or `agent_consensus_start` with prepared `initial_aggregation.items` when seed/host evidence is already available. Team-lead must ensure external AI research and debate use separate fresh sessions when a research phase is used, must never create a bundled research pseudo-participant, and must never carry research bundles through `source_documents`. Inspect `aggregation_record.json`, `open_debate_items.json`, `round_packet.{round}.{provider}.json`, the aggregation document, and the leader-authored final decision document under `docs/agestra/`. The brigade must not run destructive exploit tests and must not install tools or run heavyweight/networked scans without explicit user approval.
 
-## Step 4: Present the result
+## Step 5: Present the result
 
 When security review returns:
 - Show SECURITY PASS / PASS WITH HARDENING / SECURITY BLOCK

package/commands/setup.md

@@ -84,7 +84,7 @@ Ask the workspace trust policy question once. Default to `ask` unless the user e
 - `auto-exact`: automatically register only the exact current project root when discovery is clean
 - `never`: never modify provider trust stores
 
-Do not treat "등록하고 계속" / "Trust this project and continue" as consent to store `auto-exact`; that action only applies the current exact root through `provider_trust_apply_all`.
+Do not treat "등록하고 계속" / "Trust this project and continue" as consent to store `auto-exact`; that action only applies the current exact root through `provider_trust_apply` calls for the selected providers. Use `provider_trust_apply_all` only when the host permission model explicitly allows batch trust changes.
 
 Call `setup_apply` with:
 - `enabled_providers`: the selected provider IDs