baldart 4.58.0 → 4.60.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (29) hide show
  1. package/CHANGELOG.md +39 -0
  2. package/README.md +1 -1
  3. package/VERSION +1 -1
  4. package/framework/.claude/agents/REGISTRY.md +2 -0
  5. package/framework/.claude/agents/codebase-architect.md +9 -0
  6. package/framework/.claude/agents/doc-reviewer.md +11 -0
  7. package/framework/.claude/agents/plan-auditor.md +11 -0
  8. package/framework/.claude/agents/senior-researcher.md +10 -0
  9. package/framework/.claude/skills/new/SKILL.md +63 -3
  10. package/framework/.claude/skills/new/references/codex-gate.md +2 -2
  11. package/framework/.claude/skills/new/references/commit.md +2 -2
  12. package/framework/.claude/skills/new/references/completeness.md +5 -3
  13. package/framework/.claude/skills/new/references/final-review.md +37 -7
  14. package/framework/.claude/skills/new/references/implement.md +2 -2
  15. package/framework/.claude/skills/new/references/merge-cleanup.md +18 -1
  16. package/framework/.claude/skills/new/references/production-readiness.md +17 -2
  17. package/framework/.claude/skills/new/references/review-cycle.md +20 -7
  18. package/framework/.claude/skills/new/references/setup.md +11 -5
  19. package/framework/.claude/skills/new/references/team-mode.md +9 -7
  20. package/framework/.claude/workflows/new-card-review.js +75 -18
  21. package/framework/.claude/workflows/new-final-review.js +212 -15
  22. package/framework/agents/index.md +2 -0
  23. package/framework/agents/return-contract-protocol.md +130 -0
  24. package/framework/templates/agent-return-contract.snippet.md +30 -0
  25. package/framework/templates/baldart.config.template.yml +11 -0
  26. package/package.json +1 -1
  27. package/src/commands/configure.js +13 -0
  28. package/src/commands/doctor.js +33 -0
  29. package/src/commands/update.js +3 -0
package/CHANGELOG.md CHANGED
@@ -5,6 +5,45 @@ All notable changes to BALDART will be documented in this file.
5
5
  The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
6
6
  and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
7
7
 
8
+ ## [4.60.0] - 2026-06-21
9
+
10
+ **`/new` cost + autonomy release — born from a forensic post-mortem of a real `-full` epic run** (224M orchestrator cache_read over 543 turns, context grown to ~670k, 9 improvised on-context fix agents, Codex completing only 2/7 reviews). The dominant cost is mechanical — turn-count × monotonically-growing context, confirmed against Anthropic's current prompt-caching docs — and the back half of the run was the expensive half because the final-review fix cascade and the deploy phase ran ON the orchestrator context at ~670k/turn. Two adversarial review passes shaped and verified the change set (several proposed items were refuted as already-shipped or redundant; four blockers found in pre-release review were fixed before tagging).
11
+
12
+ ### Added
13
+
14
+ - **`/new -auto` / `-auto-ship` — autonomous epic mode.** `/new <ID> -full -auto` runs the whole batch with ZERO `AskUserQuestion`: every decision gate resolves deterministically via the new **§ AUTONOMOUS RESOLUTION RULE** (SSOT in `SKILL.md`, cited by every gate site) — the recommended option where one exists, else a **no-drop follow-up card** (never a silent deferral, never a scope/AC reduction), with irreversible/outward actions governed by the **§ AUTONOMOUS SAFETY BOUNDARY**. Motivated by convenience AND cost: removing the human-gate idle waits keeps the prompt cache warm (the post-mortem run lost ~1.2–1.5M tokens re-warming a ~670k prefix across two idle gaps that exceeded the 1h subscription TTL). Reuses the deterministic-gate machinery already battle-tested in `new2`. `AUTONOMOUS` also activates from `BALDART_AUTONOMOUS`/`CI`/`GITHUB_ACTIONS` (unified codepath). Under `-auto`, team-mode is forced to sequential single-worktree (≈7× cheaper). **Safety:** bare `-auto` ships NOTHING outward (remote db:push / deploy / scheduled-functions / secret / DNS → deferred follow-up); `-auto-ship` + the new `git.auto_deploy` allowlist authorize ONLY the DoD-declared deploys, with `stack.schema_deploy_from_trunk_only` still a hard floor; force-push / reset-hard trunk and release/production merge are HARD-NEVER under any flag.
15
+ - **`git.auto_deploy`** config key — allowlist bounding what `-auto-ship` may auto-execute (default `[]` = nothing auto-deploys). Propagated end-to-end (template + configure prompt + update detector + doctor diagnostic).
16
+
17
+ ### Changed
18
+
19
+ - **`framework/.claude/workflows/new-final-review.js`** — off-context Fix phase (OPT-IN, default OFF). The final review now applies its VERIFIED findings INSIDE the workflow (sequential security-reviewer → coder → doc-reviewer, off the orchestrator context) when the caller passes `applyFixes:true` + `editableFiles`. This removes the post-final-review fix cascade the post-mortem showed running on the orchestrator at 460–670k/turn (the dominant late-run cost). The classic `/new` opts in (final-review.md §F.1/§F.5); `new2` and any non-opting caller get the byte-identical review-only return (no regression).
20
+ - **`framework/.claude/workflows/new-card-review.js` + `new-final-review.js`** — Codex prose path. When Codex finishes but emits prose instead of the sentinel JSON (≈5/7 of the post-mortem run), the seeded path now runs a CHEAP transcription-only converter (no duplicate full re-hunt); its findings are NON-preValidated AND confidence-clamped (<80) so the existing Verify phase still validates each over real code (`codexEngine: 'codex (prose-converted)'`). Recovers the wasted second review pass while preserving the trust model.
21
+ - **`framework/.claude/workflows/new-card-review.js`** (+ the final-review Fix phase) — collision-safe `finding_id` reconciliation. A writer that echoes only the human-readable id tail no longer drops applied fixes into residual (the empty-coder re-spawn bug): `resolveId` maps a returned token to its canonical prefixed id by exact or UNIQUE colon-tail match, logging any unmatched. Also a light-tier test gate: after the Fix phase at light tier (where qa-sentinel was skipped), a diff-scoped qa-sentinel pass now catches a fix-introduced test regression via the existing gateTable gate (graceful SKIP when no diff-scoped runner).
22
+ - **`framework/.claude/skills/new/` references** — autonomous gate coverage + turn economy. Every `AskUserQuestion`/HALT gate across SKILL.md + `implement.md`, `setup.md`, `review-cycle.md`, `team-mode.md`, `completeness.md`, `merge-cleanup.md`, `commit.md`, `codex-gate.md`, `final-review.md`, `production-readiness.md` cites the AUTONOMOUS rule (so none silently blocks under `-auto` and none auto-approves a deferral); a sequential-path coverage assertion (review-cycle.md) catches a silently-skipped test-only card review; one concrete batching example added to the turn-economy HARD RULE.
23
+
24
+ **MINOR** — additive: two new flags (`-auto`/`-auto-ship`) + an opt-in workflow Fix phase + one new `baldart.config.yml` key (`git.auto_deploy`, schema-change propagation applied) + reference-prose gate coverage. No new agent/skill/command/routine; no install/layout change. With the flags/args absent and `applyFixes` not opted in, every path is byte-identical to v4.59.0 (`new2` unaffected).
25
+
26
+ ## [4.59.0] - 2026-06-20
27
+
28
+ **Subagent return contracts — every orchestrator-facing agent now bounds its *final message* so a long body doesn't flood the spawning context.** Outcome of studying the [headroom](https://github.com/chopratejas/headroom) context-compression tool against BALDART's existing context-economy stack. The study's verdict: headroom is **not** adopted as a dependency — it is a heavyweight Python+Rust runtime (proxy/wrapper) that contradicts BALDART's "thin CLI + authored markdown, zero runtime" identity, is explicitly unsuitable for the ephemeral cloud sandboxes these sessions run in, and applies *lossy* compression to code/tool output (risky in a code-gen framework). Its techniques already have prompt-level analogues here: verbosity steering L0–L4 ≈ the Terse / Terse Ultra output styles, effort routing ≈ `effort-protocol`, AST/code compression ≈ the LSP + Graphify retrieval layers (which filter input *losslessly*).
29
+
30
+ The one real gap headroom surfaced is the **verbosity of subagent return messages**: when free-form analysts (`codebase-architect`, `doc-reviewer`, `plan-auditor`, `senior-researcher`) finish, their entire reasoning body lands verbatim in the orchestrator's context — and the orchestrator pays for it on *every* subsequent turn of a batch. A subagent's final message is the only text that costs the spawning context tokens (its intermediate reading/thinking is discarded), so the whole optimization reduces to one rule: **persist the long form, return the short form.** This is implemented natively — zero dependencies, portable across Claude + Codex, works inside sandboxes — as the input-side twin of the effort protocol: effort governs how *deeply* an agent reasons, the return contract governs how *compactly* it reports back.
31
+
32
+ The contract: COMPACT (default) = bounded headline/verdict + key points as `path:line` references (no reasoning dump, no pasted code) + `Report: <path>` when the long form is on disk; FULL narrative only when the user invoked the agent directly for prose. It reuses the existing pooled YAML findings schema (never a new one) and explicitly does **not** truncate substance — it cuts ceremony/narration/echo, not real findings. Agents already structured this way (`qa-sentinel` Return Protocol, `visual-fidelity-verifier` JSON, the verdict+pooled-YAML reviewers `code-reviewer` / `security-reviewer` / `api-perf-cost-auditor`) are the reference exemplars and were left untouched.
33
+
34
+ **MINOR** — adds a protocol module + a template snippet (additive capability); no new `baldart.config.yml` key, so the schema-change propagation rule does not apply (same class as `effort-protocol`). No install/layout change.
35
+
36
+ ### Added
37
+
38
+ - **`framework/agents/return-contract-protocol.md`** — new SSOT protocol module: COMPACT vs FULL return modes, the persist-then-summarize rule, findings-schema reuse, honest limits, and the canonical `## Return Contract` body block. Modeled on `effort-protocol.md`.
39
+ - **`framework/templates/agent-return-contract.snippet.md`** — copy-paste starter for the `## Return Contract` block (twin of `skill-effort.snippet.md`), with placement guidance and the "skip agents already structured" carve-out.
40
+
41
+ ### Changed
42
+
43
+ - **`framework/.claude/agents/{codebase-architect,doc-reviewer,plan-auditor,senior-researcher}.md`** — added an explicit `## Return Contract` block (tailored per agent: architect → file/symbol/pattern/risk map as `path:line`; doc-reviewer → condensed verdict + docs on disk; plan-auditor → verdict + pooled YAML, 10-section narrative is FULL-only; senior-researcher → §0–§11 report written to disk, return the Executive Summary + pointer).
44
+ - **`framework/agents/index.md`** — added the return-contract routing rule and a Modules-list entry.
45
+ - **`framework/.claude/agents/REGISTRY.md`** — added the return-contract convention note (exemplars + "paste the block for new analysis/audit/research agents").
46
+
8
47
  ## [4.58.0] - 2026-06-20
9
48
 
10
49
  **`simplify` gains a 4th Reuse class — "a new third-party dependency reimplements a native/stdlib/platform capability" — closing the one genuine residual from the (otherwise refuted) ponytail analysis.** Follow-up to a user observation that `simplify` relates to the ponytail learnings. The accurate picture is the reverse: ponytail was **refuted, never integrated** (zero mentions anywhere in `framework/`), because `simplify` already covered its concepts in superior form. That analysis left exactly **one** genuinely uncovered item (recorded as a ~1-line residual): the reuse lens did not flag *pulling in a dependency* for something the language/stdlib/runtime/platform already does (e.g. a date/util library for what `Intl` / `Temporal` / built-ins provide). The v4.57.0 coder reflex touched only the adjacent *inline-reimplementation* (hand-rolling) case, not the new-dependency case.
package/README.md CHANGED
@@ -82,7 +82,7 @@ No additional activation steps needed — once installed, Claude Code (and Codex
82
82
  ### Core Protocol
83
83
 
84
84
  - **AGENTS.md**: Mandatory coordination rules (MUST/SHOULD/OPTIONAL)
85
- - **agents/**: 24 domain modules (architecture, workflows, testing, security, card-schema, i18n-protocol, etc.)
85
+ - **agents/**: 25 domain modules (architecture, workflows, testing, security, card-schema, i18n-protocol, return-contract-protocol, etc.)
86
86
  - **Routing**: If you touch X, read Y - minimize context loading
87
87
 
88
88
  ### AI Agents (29 specialized agents)
package/VERSION CHANGED
@@ -1 +1 @@
1
- 4.58.0
1
+ 4.60.0
@@ -6,6 +6,8 @@ Quick-reference for all custom agents. Use this to route tasks to the right spec
6
6
 
7
7
  > **Machine-readable source of truth (since v3.20.0)**: the filesystem directory `framework/.claude/agents/` is authoritative for the list of BALDART agents. The `agent-discovery-gate.js` PreToolUse hook, the `agent-discovery-info.sh` SessionStart hook, and `baldart doctor` enumerate the directory directly (every `<name>.md` except this file is an agent — no manifest JSON is shipped). Adding a new agent means dropping `<name>.md` here; no other touchpoint.
8
8
 
9
+ > **Return contract (since v4.59.0)**: every orchestrator-facing subagent bounds its **final message** so a long body doesn't flood the spawning context — COMPACT return (headline/verdict + `path:line` findings + disk pointer), long form persisted to disk. Agents already structured this way are the exemplars (`qa-sentinel` Return Protocol, `visual-fidelity-verifier` JSON, the verdict+pooled-YAML reviewers — `code-reviewer` / `security-reviewer` / `api-perf-cost-auditor`); free-form analysts carry an explicit `## Return Contract` block (`codebase-architect`, `doc-reviewer`, `plan-auditor`, `senior-researcher`). When adding a new analysis/audit/research agent, paste the block from `framework/templates/agent-return-contract.snippet.md`. Protocol: `framework/agents/return-contract-protocol.md`.
10
+
9
11
  ## Agent Map
10
12
 
11
13
  | Agent | Category | When to Use | Specialization | Can Edit Code | Key Tools |
@@ -27,6 +27,15 @@ Per the project's AGENTS.md MUST rules, all agents must invoke you (codebase-arc
27
27
 
28
28
  4. **Pattern Recognition**: Identify and explain established patterns in the codebase, including coding standards, architectural decisions (from ADRs), and implementation conventions.
29
29
 
30
+ ## Return Contract
31
+
32
+ **Mode:** COMPACT (default). Your final message to the orchestrator is bounded —
33
+ a structured file / symbol / pattern / risk map as `path:line` references, NOT a
34
+ narrative essay. Lead with the headline answer; cite locations, don't paste code
35
+ or restate what you read. Return only what the spawning agent needs to plan. FULL
36
+ prose only when the user invoked you directly for an explanation. Mode definitions
37
+ and the persist-then-summarize rule: `framework/agents/return-contract-protocol.md`.
38
+
30
39
  **Project-Specific Context:**
31
40
 
32
41
  This codebase follows strict protocols defined in AGENTS.md. Key architectural references you should consult:
@@ -36,6 +36,17 @@ Notes: [one-liner if any]
36
36
 
37
37
  For cards exceeding 3 files or triggering invariants, use the full Required Deliverables format (sections A-H, summarized under "Required Deliverables" below). If `.claude/skills/doc-reviewer-support/references/deliverables-format.md` exists, read it for the detailed section spec; otherwise use the inline summary.
38
38
 
39
+ ## Return Contract
40
+
41
+ **Mode:** COMPACT (default). Your docs are written to disk; your final message to
42
+ the orchestrator is bounded — the condensed verdict line (Verdict / invariants /
43
+ docs written / SSOT updated) + violated rows + any `path:line` notes. Persist the
44
+ long form (the docs themselves), return the short form. Never paste full doc bodies
45
+ or the A–H narrative back into the orchestrator context. The Fast-Mode condensed
46
+ format above IS the COMPACT return; use it as the ceiling even for larger cards
47
+ (point to the docs on disk instead of inlining them). Mode definitions and the
48
+ persist-then-summarize rule: `framework/agents/return-contract-protocol.md`.
49
+
39
50
  ## Parallel Safety (MUST)
40
51
 
41
52
  When running in parallel with other agents (code-reviewer, security-reviewer):
@@ -22,6 +22,17 @@ You receive an existing implementation plan (created by another agent, a human,
22
22
 
23
23
  You review ANY development plan: frontend, backend, mobile, infra, data pipelines, AI/ML, integrations. Assume the plan may be incomplete or optimistic. You must expose gaps.
24
24
 
25
+ ## Return Contract
26
+
27
+ **Mode:** COMPACT (default, orchestrator-spawned). Your final message is bounded —
28
+ verdict line + the pooled YAML findings (the FINDINGS YAML SCHEMA below) + a
29
+ `path:line`-referenced one-liner per BLOCKER. The 10-section narrative (OUTPUT
30
+ FORMAT — FULL mode only) is **FULL mode**: emit it only when invoked directly by a
31
+ human for an interactive audit, and when it is large, persist it and return the
32
+ pointer. Don't paste the 10 sections back to an orchestrator that only needs the
33
+ findings. Mode definitions, findings-schema reuse, and persist-then-summarize:
34
+ `framework/agents/return-contract-protocol.md`.
35
+
25
36
  ## AUDIT MODE (read your invocation prompt FIRST)
26
37
 
27
38
  You operate in one of two declared modes. Detect which from your invocation prompt:
@@ -35,6 +35,16 @@ The report will be read by an AI model with finite context. Therefore:
35
35
  - Use consistent terminology and define aliases once (glossary).
36
36
  - Use citation-friendly formatting: `[Author Year]` consistently throughout.
37
37
 
38
+ ## Return Contract
39
+
40
+ **Mode:** COMPACT return, FULL deliverable-on-disk. The §0–§11 report below is your
41
+ deliverable — **write it to disk** (a research file under the project's docs/wiki
42
+ path). Your final message to the orchestrator is bounded: the Executive Summary
43
+ headline + the recommendation line + `Report: <path>`. Do NOT paste the full
44
+ §0–§11 body back into the orchestrator context — that is exactly the "finite
45
+ context" cost the CRITICAL CONSTRAINT above warns about. Persist the long form,
46
+ return the short form: `framework/agents/return-contract-protocol.md`.
47
+
38
48
  ## OUTPUT (DELIVERABLE)
39
49
  A detailed research report containing these sections in order:
40
50
 
@@ -11,9 +11,9 @@ description: >
11
11
 
12
12
  > **YOLO MODE**: All agents spawned via the Task tool MUST use `mode: "bypassPermissions"`. No exceptions.
13
13
 
14
- > **SCOPE CLOSURE DISCIPLINE (BLOCKING)**: This orchestrator NEVER unilaterally defers an acceptance criterion. Silent deferral via `implementation_notes`, commit message, or final recap is a protocol violation per `framework/agents/workflows.md § Scope Closure Discipline`. Under context-window pressure, time pressure, or unforeseen complexity, the correct action is to STOP and route the decision back to the user via `AskUserQuestion` — Auto Mode's "bias toward proceeding" applies to routine decisions, NOT to scope reduction. **Phase 2.5b (AC-Closure Gate)** enforces this at the per-card level before commit and is non-skippable.
14
+ > **SCOPE CLOSURE DISCIPLINE (BLOCKING)**: This orchestrator NEVER unilaterally defers an acceptance criterion. Silent deferral via `implementation_notes`, commit message, or final recap is a protocol violation per `framework/agents/workflows.md § Scope Closure Discipline`. Under context-window pressure, time pressure, or unforeseen complexity, the correct action is to STOP and route the decision back to the user via `AskUserQuestion` — Auto Mode's "bias toward proceeding" applies to routine decisions, NOT to scope reduction. **Phase 2.5b (AC-Closure Gate)** enforces this at the per-card level before commit and is non-skippable. **When AUTONOMOUS, apply § "AUTONOMOUS RESOLUTION RULE" (category=blocker / AC-Closure → materialize a follow-up card, never approve the deferral).**
15
15
 
16
- > **NO PHASE SKIP FOR PERCEIVED TIME, EVER (BLOCKING)**: MANDATORY phases are non-negotiable in BOTH sequential mode and team mode. The phrases `time budget`, `context budget`, `context pressure as override`, `for time`, `to save tokens`, `to save iterations`, or any model-invented constraint are NOT valid skip reasons. The only valid skip reasons are those explicitly enumerated in each phase's Gate table (e.g. `features.has_e2e_review: false`, backend-only diff, card type `docs`/`chore`/`config`, **the card's `review_profile`-driven review depth — see next paragraph — the `IS_TRIVIAL` fast-lane (`review_profile=skip` + non-source diff + 0 high-risk triggers), defined once in § "Trivial-card fast-lane", and the v4.7.0 Final-deferred reviews: plan-auditor grounding skipped on `/prd` holistic-audit provenance + no drift; per-card doc-review / qa-sentinel / api-perf-cost-auditor deferred to the unconditional Final FULL gate when their `review_profile`/provenance condition holds**). Documenting skipped phases at the end of a batch as `"saltati per time budget"` is a protocol violation per the FEAT-0006 incident — treat any such phrase in your own output as a self-correction trigger: stop, surface the situation via `AskUserQuestion`, and resume only after explicit user direction. Auto Mode does NOT override this. Team-mode orchestrators (L0/L1) propagate every MANDATORY phase per-card and never aggregate, reduce, or pre-filter the per-card pipeline **for any model-invented reason**.
16
+ > **NO PHASE SKIP FOR PERCEIVED TIME, EVER (BLOCKING)**: MANDATORY phases are non-negotiable in BOTH sequential mode and team mode. The phrases `time budget`, `context budget`, `context pressure as override`, `for time`, `to save tokens`, `to save iterations`, or any model-invented constraint are NOT valid skip reasons. The only valid skip reasons are those explicitly enumerated in each phase's Gate table (e.g. `features.has_e2e_review: false`, backend-only diff, card type `docs`/`chore`/`config`, **the card's `review_profile`-driven review depth — see next paragraph — the `IS_TRIVIAL` fast-lane (`review_profile=skip` + non-source diff + 0 high-risk triggers), defined once in § "Trivial-card fast-lane", and the v4.7.0 Final-deferred reviews: plan-auditor grounding skipped on `/prd` holistic-audit provenance + no drift; per-card doc-review / qa-sentinel / api-perf-cost-auditor deferred to the unconditional Final FULL gate when their `review_profile`/provenance condition holds**). Documenting skipped phases at the end of a batch as `"saltati per time budget"` is a protocol violation per the FEAT-0006 incident — treat any such phrase in your own output as a self-correction trigger: stop, surface the situation via `AskUserQuestion`, and resume only after explicit user direction. Auto Mode does NOT override this. **When AUTONOMOUS, apply § "AUTONOMOUS RESOLUTION RULE" (category=blocker; recommended=enumerated Gate-table reason if one applies, else materialize a follow-up card — NEVER a `time budget` skip).** Team-mode orchestrators (L0/L1) propagate every MANDATORY phase per-card and never aggregate, reduce, or pre-filter the per-card pipeline **for any model-invented reason**.
17
17
 
18
18
  > **REVIEW DEPTH SCALES WITH `review_profile` (deterministic — NOT a time/token skip)**: the review *depth* of a card MAY scale with its `review_profile` (the PRD-authored field, escalation-only via the Step-A detector — `light`→`full` never the reverse), exactly as the QA tier (D.4) and Codex `light`/`full` depth (D.4b / Phase 3.7 Step C) already do. This is an **enumerated, deterministic gate reason**, the polar opposite of a `time budget` skip: it is driven by a field a human authored at PRD time, not by the model's perception of how long the batch is taking. In **team mode** (since v4.18.0) every non-trivial card receives its per-card code review at the **D.4b `/codexreview`** pass: a `light` (0-trigger) card runs `/codexreview` at `profile: light` (**Codex finder + `code-reviewer` FP-gate**), a `full` card at `profile: full` (both finders). The D.2 group pass is now **doc-reviewer only** (the old D.2 group code-reviewer over light cards is removed — their code review moved to D.4b). `TRIVIAL_CARDS` (non-source diff) skip D.4b and rely on the doc-reviewer pass + the Final FULL gate. Every card still gets ≥1 per-card code review **plus** the cross-batch Final FULL gate. The **sequential** per-card pipeline is analogous (its Phase 3.7 `/codexreview` runs at `light`/`full` per the card profile). Skipping a gate WITHOUT an enumerated `review_profile`/Gate-table reason remains a protocol violation.
19
19
 
@@ -42,6 +42,8 @@ If no card IDs are provided, ask the user which cards to implement.
42
42
 
43
43
  **Opt-in session telemetry (`-stats` / `--stats`)**: strip `-stats` / `--stats` from the args list exactly like `-full` (it is NOT a card ID), and set an internal flag `STATS=true` for this run. When present, Phase 8 additionally measures REAL token + wall-clock cost per agent role (coder, code-reviewer, …) by post-processing the session transcripts — zero model-token overhead, runs in Bash after the work is done. When absent, Phase 8 behaves exactly as before. The flag is batch-scoped and composes with `-full` (`/new FEAT-005 -full -stats`).
44
44
 
45
+ **Autonomous run (`-auto` / `--auto`, `-auto-ship` / `--auto-ship`)**: strip these tokens from the args list exactly like `-full`/`-stats` (they are NOT card IDs). `-auto` / `--auto` sets `AUTONOMOUS=true`; `-auto-ship` / `--auto-ship` sets `AUTO_SHIP=true` AND implies `AUTONOMOUS=true`. When `AUTONOMOUS` is set the orchestrator runs the WHOLE batch without ever calling `AskUserQuestion` — every decision gate is resolved deterministically per § "AUTONOMOUS RESOLUTION RULE" below. The flags are **batch-scoped** and compose with `-full`/`-stats` (`/new FEAT-005 -full -auto`). `AUTONOMOUS` is ALSO set when the environment already signals an unattended run — env `BALDART_AUTONOMOUS`, `CI`, or `GITHUB_ACTIONS` (unify with that existing codepath: treat the env signal and the flag as the same `AUTONOMOUS` state; `AUTO_SHIP` is flag-only). **Record `AUTONOMOUS` / `AUTO_SHIP` in the Phase-0 tracker** (the recovery SSOT — write them once into `## Issues & Flags` or a dedicated tracker field; never re-derive them per turn, since a compaction would otherwise lose the run mode).
46
+
45
47
  ## Effort
46
48
 
47
49
  **Baseline:** `effort: medium` (frontmatter). **Inline override:** pass
@@ -51,6 +53,49 @@ before consuming user input. Level→behavior mapping, parsing contract, and
51
53
  precedence caveats: `framework/agents/effort-protocol.md`.
52
54
 
53
55
 
56
+ ---
57
+
58
+ ## AUTONOMOUS RESOLUTION RULE (since v4.59.0 — SSOT; gate sites CITE this, never redefine it)
59
+
60
+ > **§ AUTONOMOUS RESOLUTION RULE** — When `AUTONOMOUS` is set (flag `-auto`/`--auto`, the
61
+ > `AUTO_SHIP`-implied `-auto-ship`/`--auto-ship`, or env `BALDART_AUTONOMOUS`/`CI`/`GITHUB_ACTIONS`),
62
+ > the orchestrator **NEVER calls `AskUserQuestion`**. At every decision gate apply, in order:
63
+ > - **(a) clear RECOMMENDED/default option** → TAKE it and append one line to `## Issues & Flags`:
64
+ > `AUTO: <gate> → <chosen> (<evidence>)`.
65
+ > - **(b) blocker with no safe default** → materialize ONE follow-up card (no-drop: spawn
66
+ > `prd-card-writer` to write into `${paths.backlog_dir}` in the MAIN repo, re-verified on disk before
67
+ > the gate is treated as closed), log `AUTO: <gate> → follow-up <id>`. NEVER mark the original card
68
+ > closed/approved, NEVER fabricate a result.
69
+ > - **(c) IRREVERSIBLE / OUTWARD action** (remote `db push`, deploy, secret/DNS write, force-push or
70
+ > reset-hard on trunk, release-branch merge) → resolve per § "AUTONOMOUS SAFETY BOUNDARY" (default:
71
+ > defer to a follow-up; execute ONLY a DoD-declared deploy when BOTH `AUTO_SHIP` is set AND
72
+ > `git.auto_deploy` authorizes the target, with `stack.schema_deploy_from_trunk_only` still a hard
73
+ > floor; force-push/reset-hard on trunk and any merge into release/production are HARD-NEVER under any
74
+ > flag).
75
+ >
76
+ > Every auto-resolution is logged twice: in `## Issues & Flags` at the gate, and in the final result
77
+ > block ("auto-chosen vs became-follow-up"). Under `AUTONOMOUS`, **team-mode is FORCED to sequential
78
+ > single-worktree** (cost/predictability — see `references/team-mode.md`).
79
+ >
80
+ > **Per-gate semantics** (lifted from `new2.js`'s proven deterministic policies — apply the matching one
81
+ > at each gate instead of asking):
82
+ > - `depends_on` unmet → DAG-exclude the card + defer (follow-up).
83
+ > - unknown `owner_agent` → fall back to `coder` + WARN (per § "Agent Routing").
84
+ > - missing required fields → SKIP + report; NEVER fabricate values.
85
+ > - AC-Closure (Phase 2.5b) → materialize a follow-up card; NEVER approve a deferred AC.
86
+ > - simplify / doc regression → revert the offending change.
87
+ > - e2e error → retry once, then skip + follow-up.
88
+ > - e2e blocked → escalate to a follow-up; NEVER override the block.
89
+ > - Codex / QA BLOCKER or HIGH → route to the domain writer; if unresolved, follow-up; NEVER force-DONE.
90
+ > - final NEEDS_MANUAL_CONFIRMATION → treat as VERIFIED (never as a false positive).
91
+ > - team-mode empty result → classify via the subagent transcript (transient vs genuine empty).
92
+
93
+ > **§ AUTONOMOUS SAFETY BOUNDARY (pointer)** — the per-action dispositions (AUTO-RUN / PRE-AUTH /
94
+ > SKIP+FOLLOW-UP / HARD-NEVER) for irreversible-or-outward actions live in
95
+ > `references/production-readiness.md` and `references/merge-cleanup.md`. The hard floor:
96
+ > `stack.schema_deploy_from_trunk_only` is a BRANCH invariant, NOT a human authorization — `AUTO_SHIP`
97
+ > + `git.auto_deploy` layer the allowlist ON TOP of it, never replace it.
98
+
54
99
  ---
55
100
 
56
101
  ## Context Tracking (CRITICAL)
@@ -207,6 +252,21 @@ baselines. Keep that bulk on disk and pass **paths**, not bodies.
207
252
  > completion — end your turn after spawning; never `sleep N; echo "waiting…"` (already stated for
208
253
  > team mode in `references/team-mode.md` — it applies to every barrier in both modes).
209
254
  >
255
+ > **Concrete batching example.** At a card hand-off you typically need: (a) an `Edit` moving the card to
256
+ > `## Completed Cards` in the tracker, (b) an `Edit` claiming the NEXT card under `## Current Card`, and
257
+ > (c) the first real tool call of that next card (e.g. the `Read` of its backlog YAML, or the `Bash`
258
+ > capturing its diff to `/tmp/diff-<CARD-ID>.txt`). These have no data dependency on each other → emit
259
+ > **all three in ONE assistant message**, not three turns. Same for the pre-flight tracker writes
260
+ > (batch them into a single flush, per § "Context economy" rule 6) and for several independent `Read`s
261
+ > of phase modules / card YAMLs at a phase boundary.
262
+ >
263
+ > **Tracker flush batches EMISSIONS, never defers the write.** The tracker is the recovery SSOT — its
264
+ > on-disk state must stay current. "Batch" the tracker write means **co-emit the `Edit` to the on-disk
265
+ > tracker in the SAME message as the next real tool call** (so it costs no dedicated turn); it does NOT
266
+ > mean holding the transition in memory and writing it later. Never defer a tracker write past the turn
267
+ > the transition happens (a compaction between would lose it — § "Context recovery protocol" re-reads
268
+ > the tracker, not your memory).
269
+ >
210
270
 
211
271
  > **HARD RULE — orchestrator is near-silent / maximally cryptic (since v4.49.0).** `/new` is NOT
212
272
  > conversational: the user does not read its running narration and keeps the orchestrator attached ONLY so it
@@ -347,7 +407,7 @@ Specialization Rules`) and validated by the PRD validation phase
347
407
  | `visual-designer` | Fallback to `coder` + WARN | Standard coder briefing + same WARN format |
348
408
  | `motion-expert` | Fallback to `coder` + WARN | Standard coder briefing + same WARN format |
349
409
  | missing / `""` / `claude` (legacy placeholders only) | Fallback to `coder` + WARN | Standard coder briefing + log `"[ROUTER] card <ID> has no valid owner_agent (got '<raw>'); defaulting to coder"` |
350
- | any other unrecognized value (typo, unregistered agent) | **HALT + ask the user** | No briefing — the router stops and surfaces the literal value (see pseudocode step 6b) |
410
+ | any other unrecognized value (typo, unregistered agent) | **HALT + ask the user** (**AUTONOMOUS → fall back to `coder` + WARN, never HALT** — § "AUTONOMOUS RESOLUTION RULE") | No briefing — the router stops and surfaces the literal value (see pseudocode step 6b) |
351
411
 
352
412
  The three `plan` / `visual-designer` / `motion-expert` stubs exist so the
353
413
  router never blocks a card; specialized briefings are tracked as a follow-up.
@@ -129,7 +129,7 @@ For EVERY card (no conditional skip — the gate ALWAYS runs; only its DEPTH var
129
129
  4. **Apply fix sub-loop** (mirror of Phase 3.5 retry pattern):
130
130
  - If 0 BLOCKER and 0 HIGH → log `verdict: PASS — proceeding to Phase 4` in tracker. Done. (MEDIUM/LOW findings are advisory at this per-card gate; they are not silently lost — the post-batch **Final-review FULL gate** applies every VERIFIED finding ≥ MEDIUM. Log the MEDIUM count in the tracker so it is visible.)
131
131
  - If 1+ BLOCKER OR 1+ HIGH → spawn the **domain writer** with the report path + list of VERIFIED bugs (canonical writer map v4.26.1 — see SKILL.md § "Domain-Override Domains"): **`security`-domain findings** (touching `paths.high_risk_modules` or RLS-policy SQL — the same `security` match rule) → **`security-reviewer`** in write mode (it owns the security-invariant contract a coder lacks; never route a security fix to `coder`); **all other findings** (`correctness`/code/perf/`other`) → **`coder`**. Run security-reviewer first, then coder (skip either if its partition is empty). **At `full` profile** the report contains Codex-suggested inline patches: pass them and have the coder **apply the suggested patches** with the right system prompt (project conventions, naming, testing patterns) — it does NOT re-do the analysis or re-grep (since v3.28.3), BUT it MUST first confirm each patch still applies against the current file state (prior fix-loop iterations may have shifted line offsets); if a patch no longer applies cleanly, the coder re-locates the target by content and applies the equivalent edit rather than a stale-offset verbatim paste. **At `light` profile** (since v4.18.0) the findings come from **Codex** (the sole finder) — the report carries Codex's `minimal_fix_direction`; brief the coder to apply it (treat it like the `full`-profile Codex fix direction). **On the Codex-unavailable fallback** the `light` findings come from `code-reviewer` instead — brief the coder to apply the `code-reviewer` fix direction (no Codex patches to paste). After coder fixes, **re-write the lean contract `/tmp/codexreview-lean-<CARD-ID>.json` (it is consumed-once and deleted by `/codexreview`)** and re-invoke `/codexreview` via the Skill tool with `args: <CARD-ID>` (NOT a bare prose mention — the card ID MUST be passed so the retry reviews THIS card, not an inferred one). Repeat **max 2 times**.
132
- - If still BLOCKER/HIGH after 2 retries → log in `## Issues & Flags` and **ask the user** whether to proceed, escalate, or stop. The Phase 4 commit MUST NOT happen until the Pre-Merge Codex Review verdict is PASS or user explicitly overrides.
132
+ - If still BLOCKER/HIGH after 2 retries → log in `## Issues & Flags` and **ask the user** whether to proceed, escalate, or stop. The Phase 4 commit MUST NOT happen until the Pre-Merge Codex Review verdict is PASS or user explicitly overrides. **When AUTONOMOUS, apply § AUTONOMOUS RESOLUTION RULE (SKILL.md): category=blocker; recommended=route the residual BLOCKER/HIGH to the writer (security-reviewer/coder) and re-verify; if still unresolved → follow-up card (NEVER force the verdict to PASS / force-commit).**
133
133
  - **Telemetry** — for EVERY codex finding processed (verified BLOCKER, verified HIGH, or false-positive-filtered), append one row to `## Fix Application Log`: `3.7 | codex-<security|correctness|other> | est_lines=<n> | decision=<security-reviewer|coder|skipped> | applied_by=<security-reviewer|coder|-> | severity=<BLOCKER|HIGH|FALSE-POSITIVE> | retry=<n>`. (`security`-domain fixes are applied by `security-reviewer`, all others by `coder`.) Classify domain: `security` for findings touching RLS / auth / permissions / payments; `correctness` for logic / data integrity / race conditions; `other` for everything else.
134
134
 
135
135
  5. **Update tracker**: phase = `3.7-codexgate DONE` (the gate runs unconditionally for every card — the legacy `3.7-highrisk` name implied it only fired on high-risk cards, which is no longer true), log final verdict, retry count, list of fixed findings, and the report path.
@@ -140,4 +140,4 @@ For EVERY card (no conditional skip — the gate ALWAYS runs; only its DEPTH var
140
140
 
141
141
  The detector (Step A) is bash + grep — guaranteed to run, no LLM skip. The downstream pipeline (Step C) is the existing `/codexreview` skill — fully tested, includes Codex adversarial review and Step 3.5 cross-agent CoVe. This combination ensures the AGENTS.md "MUST run BEFORE merge" rule is enforced reliably.
142
142
 
143
- **Crash handling**: if `/codexreview` (or its fix-loop `coder`) crashes mid-phase, apply the "Sub-agent failure protocol" (below). Treat this gate as a **mandatory gate, NOT a non-domain-override fallback** — `/codexreview` covers the `security` domain (auth/payment/permission findings), so a crash that cannot be recovered by one retry STOPS the pipeline and routes to `AskUserQuestion`; do NOT rationalize it as "non-domain-override" and inline-bypass the merge gate.
143
+ **Crash handling**: if `/codexreview` (or its fix-loop `coder`) crashes mid-phase, apply the "Sub-agent failure protocol" (below). Treat this gate as a **mandatory gate, NOT a non-domain-override fallback** — `/codexreview` covers the `security` domain (auth/payment/permission findings), so a crash that cannot be recovered by one retry STOPS the pipeline and routes to `AskUserQuestion`; do NOT rationalize it as "non-domain-override" and inline-bypass the merge gate. **When AUTONOMOUS, apply § AUTONOMOUS RESOLUTION RULE (SKILL.md): category=blocker; recommended=none safe (an unrecoverable crash on the merge gate cannot be inline-bypassed) → materialize a follow-up card and do NOT commit that card (NEVER inline-bypass the merge gate).**
@@ -27,7 +27,7 @@
27
27
  rm -f <main-repo>/.git/worktrees/<worktree-name>/COMMIT_LOCK 2>/dev/null
28
28
  ```
29
29
  2. Re-stage the same files explicitly and retry. Never run `git commit` alone after a failure — the staging area may have been altered by lint-staged auto-fixes. If lint-staged removed an "unused" variable that IS used by code in a later card, check `git diff` to see what changed, restore the needed code (explicit file write — **never `git stash pop` in a worktree**), re-stage, and retry.
30
- 3. **Retry cap + escalation** — retry the commit at most **2 times**. If it still fails (e.g. a pre-commit / doc-freshness rule that cannot be satisfied without human input), log the failure in `## Issues & Flags` as `[COMMIT-BLOCKED] <error>` and invoke `AskUserQuestion`: (a) fix the blocking condition manually and let me retry, (b) hand off the worktree intact, (c) abandon this card and continue the batch. Do NOT loop indefinitely and do NOT silently proceed to step 28 with an uncommitted card.
30
+ 3. **Retry cap + escalation** — retry the commit at most **2 times**. If it still fails (e.g. a pre-commit / doc-freshness rule that cannot be satisfied without human input), log the failure in `## Issues & Flags` as `[COMMIT-BLOCKED] <error>` and invoke `AskUserQuestion`: (a) fix the blocking condition manually and let me retry, (b) hand off the worktree intact, (c) abandon this card and continue the batch. Do NOT loop indefinitely and do NOT silently proceed to step 28 with an uncommitted card. **When AUTONOMOUS, apply § AUTONOMOUS RESOLUTION RULE (SKILL.md): category=blocker; recommended=none safe (a hook rejection needs human input) → materialize a follow-up card carrying the blocking condition and leave the worktree intact (NEVER force-commit, NEVER mark the card DONE).**
31
31
  - The Claude Code pre-commit hook automatically skips for worktree commits (Husky handles checks natively in the worktree).
32
32
  28. **Mark card DONE (MANDATORY — do NOT skip)**:
33
33
  a. Edit the backlog YAML (`${paths.backlog_dir}/<CARD-ID>.yml`): set `status: DONE`, add `completed_date: <today>`.
@@ -43,7 +43,7 @@ If any sub-agent **crashes or errors** during any phase, follow this 4-step prot
43
43
 
44
44
  1. **Log the failure** in the tracker with the full error trace (under `## Issues & Flags`, prefix `[AGENT-CRASH]`).
45
45
  2. **Retry the same agent once**. Transient errors (network, rate-limit, race) are common; a single retry resolves most.
46
- 3. **If retry fails AND the fix is in a domain-override domain** (`doc`, `security`, `migration` — see "Domain-Override Domains" sub-section): **STOP the pipeline**, log in `## Issues & Flags`, and invoke `AskUserQuestion` with options (a) skip the finding, (b) hand off to user, (c) escalate to a different agent type. **NEVER** fall through to inline orchestrator apply for these domains. The whole point of delegation here is that the orchestrator does not have the right system prompt — bypassing on crash defeats the rule.
46
+ 3. **If retry fails AND the fix is in a domain-override domain** (`doc`, `security`, `migration` — see "Domain-Override Domains" sub-section): **STOP the pipeline**, log in `## Issues & Flags`, and invoke `AskUserQuestion` with options (a) skip the finding, (b) hand off to user, (c) escalate to a different agent type. **NEVER** fall through to inline orchestrator apply for these domains. The whole point of delegation here is that the orchestrator does not have the right system prompt — bypassing on crash defeats the rule. **When AUTONOMOUS, apply § AUTONOMOUS RESOLUTION RULE (SKILL.md): category=blocker; recommended=none safe (a domain-override fix needs the right system prompt) → materialize a follow-up card carrying the unfixed finding (NEVER inline-apply a doc/security/migration fix the orchestrator lacks the contract for).**
47
47
  4. **If retry fails AND the fix is non-domain-override**: orchestrator MAY apply inline, but MUST log a Fix Application Log row with `applied_by=orchestrator-fallback` + `reason=<agent>-crash-retry-failed` so the telemetry surfaces frequency. If this happens often for the same agent, that agent's reliability is the problem, not the protocol.
48
48
 
49
49
  Never block the pipeline indefinitely — recover and continue per the rules above. AskUserQuestion in step 3 is bounded by normal user response time.
@@ -127,7 +127,7 @@ Before triggering any review, you MUST verify that the coder agent implemented *
127
127
  - Re-verify each fixed item against the code — do NOT trust the agent's self-report.
128
128
  - Repeat this sub-loop up to **2 times** (per-item budget, shared with step 0 — see "Loop-counter scope"). After 2 loops, if items remain Partial or Missing:
129
129
  - Log in `## Issues & Flags`: list each unimplemented requirement.
130
- - Ask the user whether to proceed to review despite the gap or stop.
130
+ - Ask the user whether to proceed to review despite the gap or stop. **When AUTONOMOUS, apply § AUTONOMOUS RESOLUTION RULE (SKILL.md): category=blocker; recommended=none safe (an unimplemented AC must not be silently swallowed) → seed the residual ACs into the Phase 2.5b ledger as `deferred` (which, under AUTONOMOUS, materializes a follow-up card per Step 4's pointer) — NEVER mark them `implemented`.**
131
131
  - **Handoff to Phase 2.5b**: any AC that is still `Partial` or `Missing` at this point (whether the user said "proceed" or not) MUST be seeded into the Phase 2.5b AC Closure Ledger as a `deferred` row with `User-approved? pending` — the user's "proceed to review" answer here does NOT auto-approve the deferral; Phase 2.5b Step 4 still asks per-AC. Do NOT let "proceed" silently mark these ACs `implemented`.
132
132
 
133
133
  5b. **API contract check**:
@@ -197,7 +197,7 @@ For each `[ALIAS-MUTATION] BLOCKER`:
197
197
 
198
198
  - Spawn a targeted fix `coder` agent with the exact file:line and instruction: "Add identity guard `if (result !== input) { ... }` around the in-place reset, OR clone the input with `[...input]` before passing it to the helper. Add a regression test on the caller pattern, co-located with the helper's existing tests following this project's test convention (e.g. a `*-reference` negative-control test next to the helper's test file). Read `agents/coding-standards.md § Reference-Aliasing Mutation Patterns` before implementing."
199
199
  - Re-run the detector after the fix. The hit MUST classify as Guarded, Cloned, or helper-immutable. Repeat **max 2 times**.
200
- - If still un-guarded after 2 loops → log in `## Issues & Flags` and ask the user.
200
+ - If still un-guarded after 2 loops → log in `## Issues & Flags` and ask the user. **When AUTONOMOUS, apply § AUTONOMOUS RESOLUTION RULE (SKILL.md): category=blocker; recommended=none safe (an un-guarded alias-mutation is a correctness BLOCKER) → materialize a follow-up card with the file:line + captured pattern (NEVER proceed to commit with an un-guarded hit).**
201
201
 
202
202
  Rationale (reference-aliasing incident class): a helper that returns its same input reference on some code paths, combined with a call site that did `arr.length = 0; arr.push(...result)` without an identity guard, silently wiped the result. The helper passed unit tests in isolation; the bug only manifested end-to-end. This detector closes that detection gap. Full policy: `agents/coding-standards.md § Reference-Aliasing Mutation Patterns`.
203
203
 
@@ -251,6 +251,8 @@ This gate enforces `framework/agents/workflows.md § Scope Closure Discipline` a
251
251
 
252
252
  4. **User gate (BLOCKING `AskUserQuestion` — one per `deferred` AC that is not pre-approved)**:
253
253
 
254
+ > **When AUTONOMOUS, apply § AUTONOMOUS RESOLUTION RULE (SKILL.md): category=blocker; recommended=none safe (an AC deferral is a scope cut that belongs to the user) → for each `deferred` AC take option 3 "Sposta su follow-up card" (delegate to `prd-card-writer`, verify on disk), mark the row `User-approved? auto-followup (<new-card-id>)`. NEVER take option 2 "Approva il deferral" autonomously and NEVER mark a deferred AC `implemented`.** (This is per-gate semantics SC-4: AC-Closure → follow-up card, never approve.)
255
+
254
256
  For each `deferred` row whose `User-approved?` is `pending`, invoke `AskUserQuestion` with:
255
257
  - Question: `"AC-<N> of <CARD-ID> non implementata. Testo verbatim: '<AC text>'. Motivazione dell'implementer: '<reason or 'nessuna — silent skip'>'. Come procedo?"`
256
258
  - Options (max 4):
@@ -284,6 +286,6 @@ If at any point in Phases 2 / 2.5 / 2.5b you detect context-window pressure (you
284
286
 
285
287
  1. Stop the current card's pipeline.
286
288
  2. Write the current state to the tracker under `## Issues & Flags` with the prefix `[CONTEXT-PRESSURE]` (which Phase 2 finished, which ACs are open, which files are dirty).
287
- 3. Invoke `AskUserQuestion` with options: (a) finish remaining ACs in a fresh `/new` session that resumes from the tracker, (b) commit the complete ACs and route the rest through this gate's Step 4, (c) hand off the worktree intact to the user.
289
+ 3. Invoke `AskUserQuestion` with options: (a) finish remaining ACs in a fresh `/new` session that resumes from the tracker, (b) commit the complete ACs and route the rest through this gate's Step 4, (c) hand off the worktree intact to the user. **When AUTONOMOUS, do NOT bypass: take option (b) — commit only the complete ACs and route every incomplete AC through Step 4 (which under AUTONOMOUS materializes a follow-up card per Step 4's pointer). This is the no-drop path; NEVER mark an incomplete AC `implemented` to relieve context pressure.**
288
290
 
289
291
  Auto Mode does NOT override this rule. "Bias toward proceeding" applies to routine decisions ("should I rerun this check?", "should I confirm this safe rename?"), NEVER to scope reduction.
@@ -93,6 +93,8 @@ that is a **gate violation**: log it as
93
93
  singleCard: cardPaths.length === 1, // N=1 batch — enables the F-041 per-finder slim
94
94
  slimDoc: cardPaths.length === 1 && <doc-review ran INLINE at Phase 3 (post-E2E), NOT in the workflow's Doc stage, NOT deferred>,
95
95
  slimApi: false, // api-perf NEVER runs per-card in classic /new → final is its ONLY run; never slim it
96
+ applyFixes: true, // classic /new opts INTO the workflow's Fix phase (since v4.59.0) → it applies VERIFIED fixes by domain owner and returns `residual`. (Absent/false ⇒ today's review-only shape — new2 stays on that path.)
97
+ editableFiles: <union ownership map>, // the FULL union of files the batch's writers MAY edit (the File Ownership Map from the tracker) — bounds the Fix phase; the phase is a no-op when empty
96
98
  codexScriptPath // resolved ONCE per run (glob in team-mode.md § Step D); omit if empty → workflow self-resolves
97
99
  }})
98
100
  ```
@@ -111,7 +113,15 @@ that is a **gate violation**: log it as
111
113
  The workflow returns `{ codexEngine, findings, noActionFindings, gateTable, summary }` where
112
114
  `findings` are already consolidated and classified (`VERIFIED` /
113
115
  `NEEDS_MANUAL_CONFIRMATION`; `FALSE_POSITIVE` already dropped) and `gateTable`
114
- is the qa-sentinel PASS/FAIL/SKIP table. **Read the workflow's STRUCTURED RETURN
116
+ is the qa-sentinel PASS/FAIL/SKIP table. **Since `applyFixes: true` is passed (since v4.59.0),
117
+ the workflow ALSO ran its Fix phase** and returns the additive fields
118
+ `{ ...above, fixesApplied:[…1-line strings], docFixesApplied:[…1-line strings], residual:[…slim findings] }`:
119
+ it already applied every VERIFIED fix by domain owner (security-reviewer → coder → doc-reviewer, all
120
+ worktree-rooted), so `findings` STAYS the full classified actionable set (telemetry/compat) while
121
+ `residual` is the ONLY set the skill still has to act on — `fixesApplied`/`docFixesApplied` are already
122
+ on disk, do NOT re-route them. (When a caller does NOT opt in — `applyFixes` absent/false, e.g. new2 —
123
+ the workflow returns exactly today's review-only shape with no `residual`; that path is byte-unchanged.)
124
+ **Read the workflow's STRUCTURED RETURN
115
125
  VALUE directly** (the `Workflow` tool hands you the parsed object) — do NOT
116
126
  `grep`/`tail`/hand-parse the raw run-journal file: this is the **final-review**
117
127
  shape (`findings` + `noActionFindings` at top level), which is DIFFERENT from
@@ -120,10 +130,11 @@ that is a **gate violation**: log it as
120
130
  informational telemetry (`codex` / `code-reviewer (fallback)` / `code-reviewer
121
131
  (codex-seeded)`) — it NEVER gates F.5: always carry `findings` + `gateTable`
122
132
  forward regardless of which engine produced them. **Skip the inline F.2/F.3/F.4
123
- below** and carry those results straight into **Step F.5** (fix application +
124
- final build + the `AskUserQuestion` gates — which stay HERE, in the skill,
125
- because a workflow cannot prompt the user). Log `f.final: delegated to
126
- new-final-review workflow (engine: <codexEngine>)` in the tracker.
133
+ below AND the inline fix-application in F.5 step 11** (the workflow already applied them) and carry
134
+ these results straight into **Step F.5** (read `residual` + final build + the `AskUserQuestion` gates —
135
+ which stay HERE, in the skill, because a workflow cannot prompt the user). Log `f.final: delegated to
136
+ new-final-review workflow (engine: <codexEngine>, fixes: <fixesApplied.length>+<docFixesApplied.length>, residual: <residual.length>)`
137
+ in the tracker.
127
138
 
128
139
  - **ELSE** (no `Workflow` tool — older Claude Code, `disableWorkflows`, or a
129
140
  Codex install where workflows have no equivalent) → run the **inline F.2–F.4
@@ -267,12 +278,31 @@ that is a **gate violation**: log it as
267
278
  - **Each domain specialist OWNS its lane end-to-end** — it runs its OWN false-positive check in the finding pass (doc-reviewer for doc, api-perf-cost-auditor for api/perf/data, and the Codex/`code-reviewer`-fallback engine for code), so its surviving findings are **already validated**. Do **NOT** cross-validate a doc or api finding by spawning `code-reviewer` (that is the WRONG specialist judging another domain), and do **NOT** re-run the same specialist over its own findings (self-judge — no model diversity). Codex findings are likewise already FP-validated (Step F.3 protocol includes it).
268
279
  - **Residual only:** a finding the originating specialist explicitly leaves UNRESOLVED (`confidence < 80`) is routed to the finding's **domain specialist** (by `domain`: doc→doc-reviewer, api/perf→api-perf-cost-auditor, security/migration→security-reviewer, test→qa-sentinel, else code-reviewer) over the cited file:line. If that domain specialist **is** the originating finder (it already had its pass), classify `NEEDS_MANUAL_CONFIRMATION` instead of re-spawning it — never self-judge, never silently drop.
269
280
  - Classify: `VERIFIED` | `FALSE_POSITIVE` | `NEEDS_MANUAL_CONFIRMATION`.
270
- - `VERIFIED` findings proceed to fixes — **EXCEPT no-action ones** (`requires_action:false`, or a "no fix required" / "acceptable as-is" / "verified non-issue" direction; MEDIUM/LOW only). A no-action finding is TRUE but needs no change: record it (`decision=skipped | reason=no-action`) and do NOT route it to a writer. (The delegated `new-final-review` workflow returns these separately as `noActionFindings` + `summary.noAction`; the inline path classifies them here.) **`NEEDS_MANUAL_CONFIRMATION` findings are NOT discarded** — list them in `## Issues & Flags` and surface them to the user via `AskUserQuestion` (treat as VERIFIED, treat as FALSE_POSITIVE, or hand off) before merge. Only `FALSE_POSITIVE` are dropped.
281
+ - `VERIFIED` findings proceed to fixes — **EXCEPT no-action ones** (`requires_action:false`, or a "no fix required" / "acceptable as-is" / "verified non-issue" direction; MEDIUM/LOW only). A no-action finding is TRUE but needs no change: record it (`decision=skipped | reason=no-action`) and do NOT route it to a writer. (The delegated `new-final-review` workflow returns these separately as `noActionFindings` + `summary.noAction`; the inline path classifies them here.) **`NEEDS_MANUAL_CONFIRMATION` findings are NOT discarded** — list them in `## Issues & Flags` and surface them to the user via `AskUserQuestion` (treat as VERIFIED, treat as FALSE_POSITIVE, or hand off) before merge. **When AUTONOMOUS, apply § "AUTONOMOUS RESOLUTION RULE" (SKILL.md): category=blocker; recommended=treat NEEDS_MANUAL_CONFIRMATION as VERIFIED (never as a false positive), else materialize a follow-up card.** Only `FALSE_POSITIVE` are dropped.
271
282
 
272
283
  ### Step F.5 — Apply fixes and final build
273
284
 
274
285
  10. **Persist verified findings** to `/tmp/batch-final-review-<FIRST-CARD-ID>.md`.
275
- 11. **Merge-blocking gate (mirrors the per-card Phase 3.7 gate this final pass backstops):** if any VERIFIED **BLOCKER or HIGH** finding exists, it MUST be resolved before Phase 6 merge. Apply fixes by **domain owner** (since v3.40.0 — same Domain-Override routing as the per-card phases), then re-verify; if a BLOCKER/HIGH cannot be resolved in a single apply + one retry, log it in `## Issues & Flags` and invoke `AskUserQuestion` (override with reason / escalate to a follow-up card / halt) — do NOT proceed to Phase 6 with an unresolved BLOCKER or HIGH. VERIFIED findings of severity MEDIUM are also applied (advisory below that). Partition the verified findings — **excluding the no-action ones segregated in F.4** (`requires_action:false` / no-change direction, MED/LOW; they are recorded, never fixed) — by the **Domain-Override match rules** ("Domain-Override Domains"):
286
+
287
+ > **F.5 delegated-with-applyFixes path (since v4.59.0 — when F.1.5 delegated AND passed `applyFixes: true`).**
288
+ > The workflow already applied every VERIFIED fix by domain owner (returned in `fixesApplied` /
289
+ > `docFixesApplied`, already on disk), so the orchestrator does **NOT** re-run step 11's inline fix
290
+ > application. Instead it reads `residual` (the slim findings the Fix phase could NOT resolve) and acts
291
+ > ONLY on those:
292
+ > - any `NEEDS_MANUAL_CONFIRMATION` residual, OR a residual flagged needs-followup → surface via
293
+ > `AskUserQuestion` (treat as VERIFIED / treat as FALSE_POSITIVE / hand off) before merge. **When
294
+ > AUTONOMOUS, apply § "AUTONOMOUS RESOLUTION RULE" (SKILL.md): category=blocker; recommended=treat
295
+ > NEEDS_MANUAL_CONFIRMATION as VERIFIED, else materialize a follow-up card — NEVER force-DONE, NEVER
296
+ > drop.**
297
+ > - an UNRESOLVED **BLOCKER or HIGH** in `residual` MUST NOT be silently dropped: it blocks the merge
298
+ > exactly as in step 11 (route to its domain writer for one more apply + retry; if still unresolved,
299
+ > `AskUserQuestion` / under AUTONOMOUS → follow-up card per the rule above).
300
+ > - do NOT re-route anything already in `fixesApplied`/`docFixesApplied` — those are done.
301
+ > Then proceed to step 12 (final build). The inline step 11 below is the **no-Workflow / Codex fallback**
302
+ > (when the `Workflow` tool was unavailable at F.1.5, so the inline F.2–F.4 ran and produced
303
+ > `findings` that have NOT yet been applied).
304
+
305
+ 11. **Merge-blocking gate (mirrors the per-card Phase 3.7 gate this final pass backstops — inline / no-Workflow fallback path):** if any VERIFIED **BLOCKER or HIGH** finding exists, it MUST be resolved before Phase 6 merge. Apply fixes by **domain owner** (since v3.40.0 — same Domain-Override routing as the per-card phases), then re-verify; if a BLOCKER/HIGH cannot be resolved in a single apply + one retry, log it in `## Issues & Flags` and invoke `AskUserQuestion` (override with reason / escalate to a follow-up card / halt) — do NOT proceed to Phase 6 with an unresolved BLOCKER or HIGH. **When AUTONOMOUS, apply § "AUTONOMOUS RESOLUTION RULE" (SKILL.md): category=blocker; recommended=escalate to a follow-up card (NEVER force-DONE, NEVER auto-override a BLOCKER).** VERIFIED findings of severity MEDIUM are also applied (advisory below that). Partition the verified findings — **excluding the no-action ones segregated in F.4** (`requires_action:false` / no-change direction, MED/LOW; they are recorded, never fixed) — by the **Domain-Override match rules** ("Domain-Override Domains"):
276
306
  - **`doc`-domain findings** (file path matching the `doc` match rule — `*.md` under `${paths.references_dir}`/`${paths.prd_dir}`, `CHANGELOG.md`, `ssot-registry.md`) → invoke the **doc-reviewer** agent once in write mode to apply them. NEVER route doc fixes to coder.
277
307
  - **`security`-domain findings** (path in `paths.high_risk_modules`, or RLS-policy SQL) → route to **security-reviewer** in write mode (canonical writer map v4.26.1 — it owns the security-invariant contract a coder lacks; NEVER route security fixes to coder). **`migration`-domain findings** (SQL under the migrations dir) → route to **coder**. For both, apply the Sub-agent failure protocol's STOP-on-crash rule (never inline-fallback on a security/migration fix). These are NOT collapsed into a generic "everything else" bucket.
278
308
  - **All remaining findings** (other code, perf, test) → invoke the **coder** agent once to apply them in a single pass.
@@ -6,7 +6,7 @@
6
6
  1. **Update tracker**: set current card, phase = "1-claim".
7
7
  2. **`depends_on` gate (BEFORE claiming)** — read the card's `depends_on` field. For each listed card ID:
8
8
  - Read that card's backlog YAML and check its `status` field.
9
- - If NOT `DONE` → HALT: log in `## Issues & Flags` and ask the user: "Card <CARD-ID> depends on <DEP-ID> which is `<status>`. Proceed anyway, or wait?" Do not start implementation until the user responds explicitly. **The card status is NOT written until this gate passes** — so a HALT leaves the card untouched (no stale `IN_PROGRESS` for the next run to mis-read).
9
+ - If NOT `DONE` → HALT: log in `## Issues & Flags` and ask the user: "Card <CARD-ID> depends on <DEP-ID> which is `<status>`. Proceed anyway, or wait?" Do not start implementation until the user responds explicitly. **The card status is NOT written until this gate passes** — so a HALT leaves the card untouched (no stale `IN_PROGRESS` for the next run to mis-read). **When AUTONOMOUS (SKILL.md § "AUTONOMOUS RESOLUTION RULE"): do NOT HALT — DAG-exclude this card from the runnable set (defer it) and materialize ONE follow-up card (no-drop); NEVER proceed-anyway, NEVER mark DONE.**
10
10
  - If `DONE` (or the user chose "proceed anyway") → continue.
11
11
  2b. **Claim** — only now set the card status to `IN_PROGRESS` (in the backlog YAML / tracker) and assign yourself. This is a state write, not a visibility emission — do not also spend a TaskUpdate / Progress-Bar turn (§ "State surface — the tracker only").
12
12
  2c. **Trivial-card classification (BLOCKING gate for steps 3–4)** — evaluate `IS_TRIVIAL(card)` per § "Trivial-card fast-lane". Note: condition 3 (non-source diff) cannot be fully evaluated until the coder has produced the diff, so at this point compute the **provisional** trivial flag from conditions 1+2 only (`review_profile == skip` AND no Step-A trigger sourced from the card YAML text + `files_likely_touched` extensions — if EVERY path in `files_likely_touched` is non-source, condition 3 is provisionally satisfied). If provisionally trivial → **SKIP steps 3, 3a, and 4** (architecture grounding); log `trivial: architecture grounding skipped (review_profile=skip + non-source files_likely_touched + 0 triggers)` and jump to Phase 2. Re-confirm `IS_TRIVIAL` on the ACTUAL committed diff at the review gates (Phase 2.55/3.5/3.7); if the coder unexpectedly touched a source file, the guard flips the card back onto the normal review path there. If NOT provisionally trivial → run steps 3, 3a, 4 as normal.
@@ -69,7 +69,7 @@
69
69
  - "" | missing | "claude"
70
70
  → spawn = "coder", briefing = "coder"
71
71
  + log: "[ROUTER] card <ID> has no valid owner_agent (got '<raw>'); defaulting to coder"
72
- - anything else → HALT. Log: "[ROUTER] card <ID> has unknown owner_agent '<raw>' — not in {coder, ui-expert, plan, visual-designer, motion-expert}. Ask the user how to proceed."
72
+ - anything else → HALT. Log: "[ROUTER] card <ID> has unknown owner_agent '<raw>' — not in {coder, ui-expert, plan, visual-designer, motion-expert}. Ask the user how to proceed." (**When AUTONOMOUS — SKILL.md § "AUTONOMOUS RESOLUTION RULE" — do NOT HALT: fall back to `spawn = "coder"` + WARN `[ROUTER] AUTO: unknown owner_agent '<raw>' → coder`, never ask the user.**)
73
73
  ```
74
74
 
75
75
  Log the resolved `spawn` and `briefing` in the tracker (1 line: `"router: owner_agent=<raw> → spawn=<agent>, briefing=<variant>"`). This is the audit trail for which specialist actually handled the card.
@@ -117,7 +117,9 @@ The most common failure mode is leaving cards IN_PROGRESS after merge. This crea
117
117
 
118
118
  **Why this exists**: FEAT-0006 incident closed the batch leaving the main repo with an unpushed orphan commit (`c9d41f9`) and local `develop` diverged from `origin/develop` for a manual fix. This phase closes the loop opened by Phase 0: it verifies the main repo is clean and synchronized, parses the `[SYNC-DEFERRED]` marker emitted by `/mw` when HEAD ≠ `$TRUNK`, and restores any stash saved in Phase 0.
119
119
 
120
- **Auto Mode does NOT override this phase.** Every `AskUserQuestion` below is non-bypassable.
120
+ **Auto Mode does NOT override this phase.** Every `AskUserQuestion` below is non-bypassable in the interactive path.
121
+
122
+ > **When AUTONOMOUS** (per § AUTONOMOUS RESOLUTION RULE + § AUTONOMOUS SAFETY BOUNDARY, SKILL.md), the orchestrator still runs every assertion below — it does NOT skip Phase 6c — but resolves each gate by the per-action disposition instead of `AskUserQuestion`. The dispositions are AUTO-RUN (reversible/local: ff-pull, push genuine unpushed commits to `origin/$TRUNK`, stash with a labeled message, pop a clean stash), DEFER-to-follow-up (anything that needs human judgment: an unresolvable divergence, a foreign uncommitted file, a stash-pop conflict), and **HARD-NEVER under any flag** (`reset --hard $TRUNK`, force-push `$TRUNK`, merge into a release/production branch — see § AUTONOMOUS SAFETY BOUNDARY). Every auto-resolution is logged to `## Issues & Flags` as `AUTO: <gate> → <chosen> (<evidence>)`.
121
123
 
122
124
  **Steps:**
123
125
 
@@ -130,9 +132,11 @@ The most common failure mode is leaving cards IN_PROGRESS after merge. This crea
130
132
  - **`[SYNC-DEFERRED] main repo HEAD=<branch>`** (main repo HEAD ≠ `$TRUNK`) — surface via `AskUserQuestion`:
131
133
  - Question: `"Una o più merge worktree hanno deferito la sincronizzazione di local $TRUNK (main repo HEAD non era $TRUNK). Come riconcilio adesso?"`
132
134
  - Options: `[Ora HEAD è $TRUNK → ff-pull adesso]` / `[Lascia deferred (riconcilio io manualmente)]` / `[Mostra dettagli e fammi decidere]`.
135
+ - **When AUTONOMOUS, apply § AUTONOMOUS RESOLUTION RULE (SKILL.md): category=reversible; recommended=if `$MAIN` HEAD is now `$TRUNK` → ff-pull (AUTO-RUN); else leave deferred and log `AUTO: sync-deferred → left deferred (HEAD=<branch>)` (NEVER check out `$TRUNK` on the shared main repo).**
133
136
  - **`[SYNC-NEEDS-DECISION] …`** (HEAD was `$TRUNK` but the ff was blocked by a **foreign** uncommitted file, or by a divergence/rebase conflict `/mw` would not auto-commit) — this is NEVER a passive note. Surface via `AskUserQuestion`:
134
137
  - Question: `"Il $TRUNK locale non si è sincronizzato: <dettaglio dal marker>. Come chiudo?"`
135
138
  - Options: `[Committa tu adesso (descrivi cosa)]` / `[Lo gestisco io — chiudi senza sync locale]` / `[Mostrami il diff e decidiamo]`.
139
+ - **When AUTONOMOUS, apply § AUTONOMOUS RESOLUTION RULE (SKILL.md): category=blocker; recommended=none safe (a foreign uncommitted file / unresolved divergence needs human judgment) → leave the local `$TRUNK` unsynced and materialize a follow-up card describing the reconciliation; log `AUTO: sync-needs-decision → follow-up <id>` (NEVER commit a foreign file on the user's behalf).**
136
140
  - **No marker** — `/mw` fast-forwarded (or auto-reconciled the framework telemetry log); nothing to parse.
137
141
 
138
142
  3. **Clean-tree assertion (BLOCKING — same framework-managed partition as Phase 0 step 3)**:
@@ -147,6 +151,7 @@ The most common failure mode is leaving cards IN_PROGRESS after merge. This crea
147
151
  If `$POST_DIRTY` is non-empty AND no Phase 0 stash is pending → invoke `AskUserQuestion`:
148
152
  - Question: `"Main repo ha modifiche non committate dopo il batch (non c'era stash di Phase 0). Cosa faccio?"`
149
153
  - Options: `[Mostrami il diff e fammi decidere]` / `[Stash adesso con label baldart-post-batch-<timestamp>]` / `[Lascia così (lo gestisco io)]` / `[Halt]`.
154
+ - **When AUTONOMOUS, apply § AUTONOMOUS RESOLUTION RULE (SKILL.md): category=reversible; recommended=stash with label `baldart-post-batch-<timestamp>` (AUTO-RUN — reversible, nothing lost) and log `AUTO: post-batch-dirty → stashed (<label>)`.**
150
155
 
151
156
  4. **Divergence assertion (BLOCKING — this catches the FEAT-0006 orphan-commit pattern)**. `$MAIN` and `$TRUNK` are read from the tracker (`## Worktree` section); HALT if either is absent/empty.
152
157
  ```bash
@@ -158,12 +163,15 @@ The most common failure mode is leaving cards IN_PROGRESS after merge. This crea
158
163
  - Question: `"Local $TRUNK ha $GENUINE_AHEAD commit genuini non pushati su origin/$TRUNK al termine del batch (esclusi $FW_SKIPPED di gestione framework). Lista: <git show -s --oneline $GENUINE_LIST>. Cosa faccio?"`
159
164
  - Options: `[Push adesso (git push origin $TRUNK)]` / `[Cherry-pick selettivo su origin/$TRUNK]` / `[Reset --hard origin/$TRUNK (richiede conferma esplicita, DISTRUTTIVO)]` / `[Halt con stato preservato]`.
160
165
  - On `Reset --hard origin/$TRUNK` re-ask `AskUserQuestion` to confirm: `"Confermi reset --hard? I commit <list> verranno persi se non pushati altrove."` Solo dopo conferma esplicita esegui il reset.
166
+ - **When AUTONOMOUS, apply § AUTONOMOUS RESOLUTION RULE + § AUTONOMOUS SAFETY BOUNDARY (SKILL.md): category=reversible; recommended=push the genuine commits to `origin/$TRUNK` (AUTO-RUN — a fast-forward push of your own batch commits is reversible and outward-but-bounded) and log `AUTO: trunk-ahead → pushed ($GENUINE_AHEAD commits)`. `Reset --hard $TRUNK` is HARD-NEVER under any flag (it destroys local commits) — NEVER auto-select it.**
161
167
  - **Behind only (`BEHIND > 0`, `GENUINE_AHEAD=0`)** — invoke `AskUserQuestion`:
162
168
  - Question: `"Local $TRUNK è behind origin/$TRUNK di $BEHIND commit (qualcuno ha pushato durante il batch). Faccio ff-pull adesso?"`
163
169
  - Options: `[Fast-forward pull]` / `[Lascia behind (lo gestisco io)]`.
170
+ - **When AUTONOMOUS, apply § AUTONOMOUS RESOLUTION RULE (SKILL.md): category=reversible; recommended=fast-forward pull (AUTO-RUN — only when `$MAIN` HEAD == `$TRUNK`, else log deferred) and log `AUTO: trunk-behind → ff-pulled`.**
164
171
  - **Diverged both ways (`BEHIND > 0` and `GENUINE_AHEAD > 0`)** — invoke `AskUserQuestion`:
165
172
  - Question: `"Local $TRUNK è diverged ($BEHIND behind, $GENUINE_AHEAD genuine ahead). Servono entrambe le riconciliazioni. Come procedo?"`
166
173
  - Options: `[Rebase local $TRUNK su origin/$TRUNK]` / `[Mostrami i commit locali e decidiamo]` / `[Halt]`.
174
+ - **When AUTONOMOUS, apply § AUTONOMOUS RESOLUTION RULE (SKILL.md): category=blocker; recommended=none safe (a two-way divergence needs human judgment — an autonomous rebase could conflict) → leave `$TRUNK` diverged and materialize a follow-up card describing the reconciliation; log `AUTO: trunk-diverged → follow-up <id>` (NEVER `reset --hard` / force-push).**
167
175
 
168
176
  5. **Restore Phase 0 stash (if any)** — read the tracker for `## Workspace Snapshot: <message-label>`:
169
177
  - If the snapshot is `dirty-tree override` → skip restore, log "user retained dirty-tree responsibility".
@@ -176,6 +184,7 @@ The most common failure mode is leaving cards IN_PROGRESS after merge. This crea
176
184
  On conflict, do NOT silent-drop — invoke `AskUserQuestion`:
177
185
  - Question: `"Restore dello stash di Phase 0 ha generato conflitti. Lo stash è ancora presente (NON eliminato). Come procedo?"`
178
186
  - Options: `[Lascia lo stash + apri istruzioni per merge manuale]` / `[Mostrami il conflitto inline]` / `[Halt]`.
187
+ - **When AUTONOMOUS, apply § AUTONOMOUS RESOLUTION RULE (SKILL.md): category=blocker; recommended=none safe (a stash-pop conflict needs human merge) → leave the stash intact (NEVER drop it) and materialize a follow-up card with the restore instructions; log `AUTO: stash-restore-conflict → follow-up <id> (stash retained)`.**
179
188
 
180
189
  5b. **Process hygiene — reap orphaned Codex MCP servers (NON-BLOCKING)**. This
181
190
  batch's per-card / final-review Codex calls drive `codex app-server`, whose
@@ -214,4 +223,12 @@ The most common failure mode is leaving cards IN_PROGRESS after merge. This crea
214
223
  - Never remove a worktree before confirming the trunk is stable post-merge.
215
224
  - Stop execution immediately if any command fails.
216
225
 
226
+ #### AUTONOMOUS SAFETY BOUNDARY — merge/branch dispositions (per § AUTONOMOUS SAFETY BOUNDARY, SKILL.md)
227
+
228
+ These bound what the AUTONOMOUS path (`-auto`/`--auto`/`BALDART_AUTONOMOUS`/`CI`) may do here. They REINFORCE the fail-safe rules above — never relax them:
229
+
230
+ - **AUTO-RUN (reversible / local / fail-safe-bounded):** in-worktree commits; the integration-trunk merge via the configured `git.merge_strategy` (a `local-push` FF push to `origin/$TRUNK`, or a `pr` merge — exactly what `/mw` already does); post-verify branch delete; `--force-with-lease` on a **feature** branch after rebase; pushing the batch's own genuine unpushed commits to `origin/$TRUNK` (FF only).
231
+ - **DEFER to follow-up by default:** any divergence/conflict that needs human judgment (two-way trunk divergence, a foreign uncommitted file, a stash-pop conflict).
232
+ - **HARD-NEVER (any flag, including `-auto-ship`):** `git push --force`/`--force-with-lease` to `$TRUNK`; `git reset --hard $TRUNK`; merging into a **release / production** branch. These are destructive or outward-irreversible and are never auto-selected — the interactive path's explicit double-confirm is the ONLY route, so under AUTONOMOUS they degrade to a deferred follow-up card, never an execution.
233
+
217
234
  ---
@@ -70,14 +70,29 @@ adapt commands and tags to the project's resolved stack.
70
70
  - Environment variables must be set on the deployment platform BEFORE the deploy triggers
71
71
  ```
72
72
 
73
+ ### AUTONOMOUS SAFETY BOUNDARY — per-action dispositions (per § AUTONOMOUS SAFETY BOUNDARY, SKILL.md)
74
+
75
+ This table governs what the AUTONOMOUS path (`-auto`/`--auto`/`BALDART_AUTONOMOUS`/`CI`) may execute in this phase. It is the SSOT for the per-action dispositions the "Auto-execution" section below applies under AUTONOMOUS:
76
+
77
+ | Disposition | Actions | Under AUTONOMOUS |
78
+ |-------------|---------|------------------|
79
+ | **AUTO-RUN** (reversible / local / fail-safe-bounded) | local DB ops, in-worktree commits, integration-trunk merge (`git.merge_strategy`), post-verify branch delete, `--force-with-lease` on **feature** branches | run as today |
80
+ | **PRE-AUTH** (gated on `AUTO_SHIP` token **AND** `git.auto_deploy` allowlist; else DEFER) | ANY remote deploy to a shared/prod datastore OR runtime — i.e. EVERY `YES` row of the "Auto-executable items" table below that targets a shared/prod environment: remote schema deploy (`supabase db push` / `prisma migrate deploy` / `firebase deploy --only firestore:rules\|firestore:indexes\|storage` / `cdk deploy` / `terraform apply` of a table+GSI / a SQL migrator against the live DB), **scheduled/cloud functions deploy** (`firebase deploy --only functions` / equivalent), env / feature-flag writes | EXECUTE only when `AUTO_SHIP` is set **and** the deploy target/intent is listed in `git.auto_deploy` **and** `schema_deploy_from_trunk_only` still passes; otherwise DEFER to a `db-migration-deploy` follow-up residual |
81
+ | **SKIP + FOLLOW-UP** (by default) | DNS changes, secrets, auth-provider config, data backfills, prod app deploy | never auto-execute → report + follow-up |
82
+ | **HARD-NEVER** (any flag, incl. `-auto-ship`) | force-push trunk, `reset --hard` trunk, merge into release/production | never |
83
+
84
+ > **CRITICAL:** `schema_deploy_from_trunk_only` is a **branch invariant**, NOT human authorization. `AUTO_SHIP` + `git.auto_deploy` layer the authorization allowlist **ON TOP** of that floor — they never replace it. A remote schema deploy under `-auto-ship` must satisfy BOTH (on trunk AND allowlisted) to run.
85
+
73
86
  ### Auto-execution of agent-doable tasks
74
87
 
75
88
  Before presenting the checklist, **auto-execute** all items that can be performed by the agent
76
89
  without manual intervention. Do NOT ask the user for approval — just run them.
77
90
 
91
+ > **When AUTONOMOUS without `AUTO_SHIP` + `git.auto_deploy` authorization, EVERY remote/shared deploy in the "Auto-executable items" table is a PRE-AUTH action and MUST NOT auto-run** (see the SAFETY BOUNDARY table above). This covers ALL `YES` rows that target a shared/prod environment — database indexes, persistence/storage access rules, **scheduled/cloud functions**, and any schema/RLS/migration deploy — NOT just the schema rows. The table below auto-runs these today; under bare `-auto` they **DOWNGRADE to a deferred `db-migration-deploy` (or `remote-deploy`) follow-up residual** — report them as a `MANUAL`/deferred item with the note *"remote deploy deferred — AUTONOMOUS without AUTO_SHIP authorization"* and do NOT execute. This makes bare `-auto` ship NOTHING outward — strictly SAFER than today's interactive default (which auto-runs the deploy). They auto-run ONLY when `AUTO_SHIP` is set AND the target/intent is listed in `git.auto_deploy` AND (for schema mutations) the `schema_deploy_from_trunk_only` guard passes. Local-only DB ops (a synchronous migration on a local/dev DB) remain AUTO-RUN.
92
+
78
93
  **Auto-executable items** (run via Bash tool, no confirmation needed). Pick the
79
94
  command matching `stack.deployment` + `stack.database`. If the inferred command
80
- is wrong for the project, ask the user — never auto-execute a guess.
95
+ is wrong for the project, ask the user — never auto-execute a guess. **When AUTONOMOUS, apply § AUTONOMOUS RESOLUTION RULE (SKILL.md): category=outward; recommended=DEFER — when the deploy command cannot be confidently inferred, do NOT guess and do NOT execute; defer it as a `db-migration-deploy` (or equivalent) follow-up residual and log `AUTO: deploy-command-ambiguous → deferred`.**
81
96
 
82
97
  | Category | Command per `stack.deployment` | Auto-execute? |
83
98
  |----------|-------------------------------|--------------|
@@ -128,7 +143,7 @@ secret / feature-flag items are already manual-only and unaffected.
128
143
  **Auto-execution procedure:**
129
144
 
130
145
  1. For each auto-executable item detected, run the command immediately
131
- (subject to the Schema-deploy-from-trunk-only guard above when enabled).
146
+ (subject to the Schema-deploy-from-trunk-only guard above when enabled). **When AUTONOMOUS: EVERY remote/shared deploy in the table above (schema/RLS/index/migration AND scheduled/cloud functions AND access/storage rules) is PRE-AUTH — run it ONLY if `AUTO_SHIP` + `git.auto_deploy` authorize it AND (for schema mutations) it passes the trunk-only guard; otherwise DEFER it as a `db-migration-deploy`/`remote-deploy` residual (do NOT execute). Local-only DB ops still AUTO-RUN. See the AUTONOMOUS SAFETY BOUNDARY table above.**
132
147
  2. Log the result (success/failure) in the tracker under `## Production Readiness`.
133
148
  3. In the final checklist output, mark auto-executed items with their result:
134
149
  ```