bosun 0.42.4 → 0.42.6

package/.env.example

@@ -1,3 +1,6 @@
+# Max characters of matched built-in/local skills injected into an agent task prompt.
+# Skills are only injected when task title/description/labels match skill tags.
+BOSUN_SKILLS_MAX_CHARS=4000
 # ─── Bosun — Environment Configuration ───────────────────────────────
 # Copy this file to .env and fill in your values.
 # Or run: bosun --setup
@@ -88,6 +91,8 @@ TELEGRAM_MINIAPP_ENABLED=false
 # BOSUN_UI_BROWSER_OPEN_MODE=manual
 # Legacy auto-open toggle for UI server (requires BOSUN_UI_BROWSER_OPEN_MODE=auto)
 # BOSUN_UI_AUTO_OPEN_BROWSER=false
+# Daemon startup keeps browser auto-open disabled unless this is explicitly true.
+# BOSUN_UI_AUTO_OPEN_ON_DAEMON=false
 # Show full /?token=... browser URL in logs (default: false; token is hidden)
 # BOSUN_UI_LOG_TOKENIZED_BROWSER_URL=false
 # Setup wizard browser auto-open (default: true when mode=auto)
@@ -350,12 +355,8 @@ VOICE_DELEGATE_EXECUTOR=codex-sdk
 # FAILOVER_DISABLE_AFTER=3
 
 # ─── Internal Executor ───────────────────────────────────────────────────────
-# Controls whether tasks are executed locally via agent-pool instead of
-# (or alongside) VK's cloud executor. Modes:
-#   "vk"       — all tasks via VK executor (default, existing behavior)
-#   "internal"  — all tasks via local agent-pool (bypass wrapper orchestrator script)
-#   "hybrid"    — both VK and internal run simultaneously for overflow
-# EXECUTOR_MODE=vk
+# Controls whether tasks are executed locally via agent-pool.
+# EXECUTOR_MODE=internal
 # Max concurrent agent slots for internal executor (default: 3)
 # INTERNAL_EXECUTOR_PARALLEL=3
 # INTERNAL_EXECUTOR_BASE_BRANCH_PARALLEL=0
@@ -495,7 +496,6 @@ VOICE_DELEGATE_EXECUTOR=codex-sdk
 # ─── Kanban Backend ──────────────────────────────────────────────────────────
 # Task-board backend:
 #   internal - local task-store source of truth (recommended primary)
-#   vk      - Vibe-Kanban (secondary adapter)
 #   github  - GitHub Issues
 #   jira    - Jira Issues
 # KANBAN_BACKEND=internal
@@ -661,37 +661,6 @@ VOICE_DELEGATE_EXECUTOR=codex-sdk
 # Stop auto-restarts after this many instant failures in a row (default: 3)
 # BOSUN_DAEMON_MAX_INSTANT_RESTARTS=3
 
-# ─── Vibe-Kanban ──────────────────────────────────────────────────────────────
-# Base URL for the Vibe-Kanban API (default: http://127.0.0.1:54089)
-VK_BASE_URL=http://127.0.0.1:54089
-# Alternate endpoint URL for VK (overrides VK_BASE_URL if set)
-# VK_ENDPOINT_URL=http://127.0.0.1:54089
-# Port for vibe-kanban API (default: 54089)
-VK_RECOVERY_PORT=54089
-# Host for VK recovery (default: 0.0.0.0)
-# VK_RECOVERY_HOST=0.0.0.0
-# VK_HOST=0.0.0.0
-# Public URL shown in Telegram links (optional)
-# VK_PUBLIC_URL=https://kanban.yoursite.com
-# VK_WEB_URL=https://kanban.yoursite.com
-# VK HTTP timeout/retry controls (used by ve-kanban.ps1)
-# VK_HTTP_TIMEOUT_SEC=45
-# VK_HTTP_RETRIES=2
-# VK_HTTP_RETRY_DELAY_MS=1500
-# Set to true to prevent the monitor from spawning vibe-kanban automatically
-# VK_NO_SPAWN=false
-# Cooldown minutes between VK recovery attempts (default: 10)
-# VK_RECOVERY_COOLDOWN_MIN=10
-# VK health check interval in ms (default: 60000)
-# VK_ENSURE_INTERVAL=60000
-# VK project name (auto-detected)
-# VK_PROJECT_NAME=my-project
-# Explicit VK project/repo IDs (auto-detected if empty)
-# VK_PROJECT_ID=
-# VK_REPO_ID=
-# Override task URL template (optional)
-# VK_TASK_URL_TEMPLATE=https://kanban.yoursite.com/projects/{projectId}/tasks/{taskId}
-
 # ─── Shared Workspace Registry ───────────────────────────────────────────────
 # Optional registry path for shared workspace leasing
 # VE_SHARED_WORKSPACE_REGISTRY=.cache/bosun/shared-workspaces.json
@@ -713,13 +682,8 @@ VK_RECOVERY_PORT=54089
 # GITHUB_TOKEN=
 # GH_TOKEN=
 # GITHUB_PAT=
-# Owner/repo for gh CLI in ve-kanban
-# GH_OWNER=virtengine
-# GH_REPO=virtengine
 # Target branch for PR checks/merge (default: origin/main)
-# VK_TARGET_BRANCH=origin/main
-# Default upstream/base branch for bosun tasks (overrides VK_TARGET_BRANCH)
-# BOSUN_TASK_UPSTREAM=origin/ve/bosun-generic
+# BOSUN_TASK_UPSTREAM=origin/main
 
 # ─── Codex / AI Provider ─────────────────────────────────────────────────────
 # The Codex SDK uses OpenAI-compatible configuration that has been setup in ~/.codex/config.toml -
@@ -1024,7 +988,7 @@ COPILOT_CLOUD_DISABLED=true
 
 # ─── Task Planner ─────────────────────────────────────────────────────────────
 # How to plan new tasks when backlog is empty:
-#   "kanban"   - (default) create a VK planning task for an agent to refine
+#   "kanban"   - (default) create a planning task for an agent to refine
 #   "codex-sdk" - run Codex SDK directly to generate tasks
 #   "disabled"  - do nothing, wait for manual task creation
 # TASK_PLANNER_MODE=kanban
@@ -1056,6 +1020,17 @@ COPILOT_CLOUD_DISABLED=true
 # WORKFLOW_RECOVERY_BACKOFF_MAX_MS=60000
 # Random jitter ratio (0.0-0.9) applied to backoff to prevent retry storms.
 # WORKFLOW_RECOVERY_BACKOFF_JITTER_RATIO=0.2
+# Delay startup workflow recovery actions so the daemon can settle before
+# resuming interrupted runs or firing schedule/task-poll recovery.
+# WORKFLOW_RECOVERY_STARTUP_GRACE_MS=30000
+# Additional delay inserted between each startup recovery action.
+# WORKFLOW_RECOVERY_STARTUP_STEP_DELAY_MS=15000
+
+# Bosun MCP policy: by default Bosun-launched agents only receive validated
+# library-managed MCP servers, with required auth pulled from environment.
+# BOSUN_MCP_REQUIRE_AUTH=true
+# BOSUN_MCP_ALLOW_EXTERNAL_SOURCES=false
+# BOSUN_MCP_ALLOW_DEFAULT_SERVERS=false
 
 # ─── GitHub Issue Reconciler ─────────────────────────────────────────────────
 # Periodically reconciles open GitHub issues against open/merged PRs.
@@ -1135,12 +1110,12 @@ COPILOT_CLOUD_DISABLED=true
 # Repository root (auto-detected from git; setup writes this)
 # REPO_ROOT=/path/to/repo
 # Watch path to trigger restarts (default: script path)
-# WATCH_PATH=/path/to/ve-orchestrator.sh
+# WATCH_PATH=/path/to/orchestrator.sh
 # Monitor source hot-reload watcher. Default: enabled in devmode, disabled otherwise.
 # Set to true to force-enable monitor source hot-restart, false to force-disable.
 # SELF_RESTART_WATCH_ENABLED=true
-# Status file path (default: .cache/ve-orchestrator-status.json)
-# STATUS_FILE=.cache/ve-orchestrator-status.json
+# Status file path (default: .cache/orchestrator-status.json)
+# STATUS_FILE=.cache/orchestrator-status.json
 # Log directory (default: ./logs)
 # LOG_DIR=./logs
 # Max total log folder size in MB. Oldest logs are deleted when exceeded. 0 = unlimited.
@@ -1161,8 +1136,6 @@ COPILOT_CLOUD_DISABLED=true
 # AGENT_WORK_LOGGING_ENABLED=true
 # Enable/disable live stream analyzer (default: true)
 # AGENT_WORK_ANALYZER_ENABLED=true
-# Enrich missing task metadata from VK for agent work logs (default: true)
-# AGENT_WORK_LOGGING_ENRICH_VK=true
 # Task metadata cache (auto-managed): .cache/agent-work-logs/task-metadata.json
 # Log directory (default: .cache/agent-work-logs)
 # AGENT_WORK_LOG_DIR=.cache/agent-work-logs
@@ -1184,3 +1157,4 @@ COPILOT_CLOUD_DISABLED=true
 # OpenTelemetry tracing (optional)
 # BOSUN_OTEL_ENDPOINT=http://localhost:4318/v1/traces
 
+

package/README.md

@@ -108,7 +108,7 @@ Fallback admin auth (secondary path) is available and stores only Argon2id hash
 - Persists workflow runs to disk and auto-resumes on restart
 - Monitors runs and recovers from stalled or broken states
 - Provides Telegram control and a Mini App dashboard
-- Integrates with GitHub, Jira, and Vibe-Kanban boards
+- Integrates with GitHub and Jira boards
 
 ## Autonomous Engineer Workflow Capabilities
 
@@ -144,6 +144,16 @@ Set `primaryAgent` in `.bosun/bosun.config.json` or choose an executor preset du
 - `bosun --daemon --sentinel` starts daemon + sentinel together (recommended for unattended operation).
 - `bosun --terminate` is the clean reset command when you suspect stale/ghost processes.
 
+## VS Code debugging
+
+Bosun now includes workspace debug entries in `.vscode/launch.json` and helper tasks in `.vscode/tasks.json`.
+
+- `Debug Bosun CLI` launches `cli.mjs` with the repo-local `.bosun` config and attaches the debugger to the real CLI entry path.
+- `Debug Bosun Monitor Direct` launches `infra/monitor.mjs` directly when you want to debug monitor logic without stepping through the CLI worker bootstrap.
+- `Debug Bosun Daemon Child (foreground)` runs the daemon-child path without detaching, which is useful for restart-loop and daemon-specific behavior.
+- `Attach to Bosun CLI Startup (9229)` and `Attach to Bosun Monitor Startup (9230)` start Bosun under `--inspect-brk` so you can catch startup failures before normal breakpoints would bind.
+- `Bosun: Terminate Runtime` is the cleanup task to use if a stale monitor/daemon is holding the lock before a debug session.
+
 Telegram operators can pull the weekly agent work summary with `/weekly [days]` or `/report weekly [days]`. To post it automatically once per week, set `TELEGRAM_WEEKLY_REPORT_ENABLED=true` together with `TELEGRAM_WEEKLY_REPORT_DAY`, `TELEGRAM_WEEKLY_REPORT_HOUR`, and optional `TELEGRAM_WEEKLY_REPORT_DAYS`.
 
 ## Documentation
@@ -162,6 +172,20 @@ Key places to start:
 - `docs/agent-logging-quickstart.md` - agent work logging quickstart
 - `docs/agent-work-logging-design.md` - logging design and event model
 
+## Troubleshooting
+
+### Preflight warns about an interactive git editor
+
+If preflight reports an interactive git editor such as `code --wait`, `vim`, or `nano`, Bosun can deadlock while Git waits for an editor session to close.
+
+Run this from the repo root to switch the local repo config to a non-interactive editor:
+
+```bash
+node git-editor-fix.mjs
+```
+
+Preflight checks both `GIT_EDITOR` and `git config --get core.editor`. No warning is shown when `core.editor` is already non-interactive, for example `:`.
+
 ---
 
 ## CI/CD and quality gates
@@ -228,7 +252,7 @@ npm run hooks:install
 - `server/` — setup server, Mini App backend, and API endpoints
 - `ui/` — Mini App frontend assets and operator dashboard modules
 - `telegram/` — Telegram bot, sentinel, and channel integrations
-- `github/` and `kanban/` — GitHub auth/webhooks and Vibe-Kanban adapters
+- `github/` and `kanban/` — GitHub auth/webhooks and kanban adapters
 - `workspace/` — shared workspace registry, context indexing, and worktree lifecycle
 - `shell/` and `agent/` — executor integrations, prompts, hooks, and fleet coordination
 - `site/` — marketing site and generated docs website assets
@@ -251,3 +275,5 @@ If you find this project useful or would like to stay up to date with new releas
 ## License
 
 Apache-2.0
+
+

package/agent/agent-custom-tools.mjs

@@ -47,7 +47,7 @@ import {
   rmSync,
   writeFileSync,
 } from "node:fs";
-import { copyFile, writeFile } from "node:fs/promises";
+import { copyFile } from "node:fs/promises";
 import { homedir } from "node:os";
 import { basename, dirname, extname, resolve } from "node:path";
 import { fileURLToPath } from "node:url";
@@ -212,7 +212,10 @@ function safeReadIndex(storeDir) {
   if (!existsSync(idx)) return [];
   try {
     const parsed = JSON.parse(readFileSync(idx, "utf8"));
-    return Array.isArray(parsed) ? parsed : [];
+    if (!Array.isArray(parsed)) return [];
+    return parsed
+      .map((entry) => sanitizeIndexEntry(entry))
+      .filter(Boolean);
   } catch {
     return [];
   }
@@ -243,6 +246,77 @@ function scriptPath(storeDir, id, lang) {
   return resolve(storeDir, `${id}.${lang}`);
 }
 
+function isPlainObject(value) {
+  return value != null && typeof value === "object" && !Array.isArray(value);
+}
+
+function normalizeStringList(values, { lowercase = true } = {}) {
+  if (!Array.isArray(values)) return [];
+  const normalized = values
+    .map((value) => String(value ?? "").trim())
+    .filter(Boolean)
+    .map((value) => (lowercase ? value.toLowerCase() : value));
+  return Array.from(new Set(normalized));
+}
+
+function normalizeUsageCount(value) {
+  const numeric = Number(value);
+  return Number.isFinite(numeric) && numeric >= 0 ? numeric : 0;
+}
+
+function normalizeToolId(toolId) {
+  if (typeof toolId !== "string") return null;
+  const trimmed = toolId.trim();
+  if (!trimmed) return null;
+  if (!/^[A-Za-z0-9][A-Za-z0-9_-]{0,59}$/.test(trimmed)) return null;
+  return trimmed;
+}
+
+function sanitizeIndexEntry(raw) {
+  if (!isPlainObject(raw)) return null;
+
+  const id = normalizeToolId(raw.id);
+  const lang = VALID_LANGS.includes(raw.lang) ? raw.lang : null;
+  if (!id || !lang) return null;
+
+  const category = TOOL_CATEGORIES.includes(raw.category)
+    ? raw.category
+    : "utility";
+  const skills = normalizeStringList(raw.skills, { lowercase: false });
+  const agents = normalizeStringList(raw.agents, { lowercase: false });
+  const templates = normalizeStringList(raw.templates, { lowercase: false });
+
+  return {
+    ...raw,
+    id,
+    title: typeof raw.title === "string" && raw.title.trim() ? raw.title : id,
+    description: typeof raw.description === "string" ? raw.description : "",
+    tags: normalizeStringList(raw.tags),
+    category,
+    lang,
+    createdBy: typeof raw.createdBy === "string" && raw.createdBy.trim()
+      ? raw.createdBy
+      : "agent",
+    createdAt: typeof raw.createdAt === "string" && raw.createdAt.trim()
+      ? raw.createdAt
+      : nowISO(),
+    updatedAt: typeof raw.updatedAt === "string" && raw.updatedAt.trim()
+      ? raw.updatedAt
+      : nowISO(),
+    usageCount: normalizeUsageCount(raw.usageCount),
+    ...(typeof raw.lastUsed === "string" && raw.lastUsed.trim()
+      ? { lastUsed: raw.lastUsed }
+      : {}),
+    ...(skills.length > 0 ? { skills } : {}),
+    ...(agents.length > 0 ? { agents } : {}),
+    ...(templates.length > 0 ? { templates } : {}),
+    ...(raw.autoInject ? { autoInject: true } : {}),
+    ...(typeof raw.version === "string" && raw.version.trim()
+      ? { version: raw.version }
+      : {}),
+  };
+}
+
 // ── Types ─────────────────────────────────────────────────────────────────────
 
 /**
@@ -302,6 +376,9 @@ export function listCustomTools(rootDir, opts = {}) {
     includeBuiltins = true,
   } = opts;
 
+  const requestedTags = normalizeStringList(tags);
+  const searchQuery = typeof search === "string" ? search.trim().toLowerCase() : "";
+
   let entries = [];
 
   // Workspace tools
@@ -339,23 +416,24 @@ export function listCustomTools(rootDir, opts = {}) {
   if (category) {
     entries = entries.filter((e) => e.category === category);
   }
-  if (tags.length > 0) {
+  if (requestedTags.length > 0) {
     entries = entries.filter((e) =>
-      tags.some((t) => (e.tags || []).includes(t)),
+      requestedTags.some((t) => (e.tags || []).includes(t)),
     );
   }
-  if (search) {
-    const q = search.toLowerCase();
+  if (searchQuery) {
     entries = entries.filter(
       (e) =>
-        e.id.includes(q) ||
-        e.title.toLowerCase().includes(q) ||
-        e.description.toLowerCase().includes(q) ||
-        (e.tags || []).some((t) => t.includes(q)),
+        e.id.toLowerCase().includes(searchQuery) ||
+        e.title.toLowerCase().includes(searchQuery) ||
+        e.description.toLowerCase().includes(searchQuery) ||
+        (e.tags || []).some((t) => t.toLowerCase().includes(searchQuery)),
     );
   }
 
-  return entries.sort((a, b) => b.usageCount - a.usageCount);
+  return entries.sort(
+    (a, b) => normalizeUsageCount(b.usageCount) - normalizeUsageCount(a.usageCount),
+  );
 }
 
 /**
@@ -366,11 +444,14 @@ export function listCustomTools(rootDir, opts = {}) {
  * @returns {{ entry: CustomToolEntry, script: string }|null}
  */
 export function getCustomTool(rootDir, toolId) {
+  const normalizedToolId = normalizeToolId(toolId);
+  if (!normalizedToolId) return null;
+
   // Workspace-scoped takes precedence, then global, then builtin
   for (const isGlobal of [false, true]) {
     const storeDir = getToolStore(rootDir, { global: isGlobal });
     const index = safeReadIndex(storeDir);
-    const entry = index.find((e) => e.id === toolId);
+    const entry = index.find((e) => e.id === normalizedToolId);
     if (!entry) continue;
 
     const sPath = scriptPath(storeDir, entry.id, entry.lang);
@@ -383,7 +464,7 @@ export function getCustomTool(rootDir, toolId) {
   }
 
   // Fall back to built-in tools shipped with bosun
-  const builtinDef = BUILTIN_TOOLS.find((b) => b.id === toolId);
+  const builtinDef = BUILTIN_TOOLS.find((b) => b.id === normalizedToolId);
   if (builtinDef) {
     const sPath = resolve(BUILTIN_TOOLS_DIR, `${builtinDef.id}.${builtinDef.lang}`);
     if (existsSync(sPath)) {
@@ -414,6 +495,10 @@ export function getCustomTool(rootDir, toolId) {
  * @returns {CustomToolEntry}
  */
 export function registerCustomTool(rootDir, def) {
+  if (!isPlainObject(def)) {
+    throw new TypeError("registerCustomTool: definition object is required");
+  }
+
   const {
     title,
     description,
@@ -449,19 +534,29 @@ export function registerCustomTool(rootDir, def) {
     );
   }
 
+  const explicitId = def.id == null ? null : normalizeToolId(def.id);
+  if (def.id != null && !explicitId) {
+    throw new TypeError(
+      "registerCustomTool: id must match /^[A-Za-z0-9][A-Za-z0-9_-]{0,59}$/ and must not contain path separators",
+    );
+  }
+
   const storeDir = getToolStore(rootDir, { global: isGlobal });
   const index = safeReadIndex(storeDir);
 
-  const id = def.id || slugify(title) || `tool-${Date.now()}`;
+  const id = explicitId || slugify(title) || `tool-${Date.now()}`;
   const existingIdx = index.findIndex((e) => e.id === id);
   const now = nowISO();
+  const normalizedSkills = normalizeStringList(skills, { lowercase: false });
+  const normalizedAgents = normalizeStringList(agents, { lowercase: false });
+  const normalizedTemplates = normalizeStringList(templates, { lowercase: false });
 
   /** @type {CustomToolEntry} */
   const entry = {
     id,
     title,
     description: description || "",
-    tags: Array.from(new Set(tags.map((t) => String(t).toLowerCase()))),
+    tags: normalizeStringList(tags),
     category,
     lang,
     createdBy,
@@ -474,9 +569,9 @@ export function registerCustomTool(rootDir, def) {
       : {}),
     scope: isGlobal ? "global" : "workspace",
     // Affinity metadata (persisted for future skill/agent matching)
-    ...(skills.length > 0 ? { skills } : {}),
-    ...(agents.length > 0 ? { agents } : {}),
-    ...(templates.length > 0 ? { templates } : {}),
+    ...(normalizedSkills.length > 0 ? { skills: normalizedSkills } : {}),
+    ...(normalizedAgents.length > 0 ? { agents: normalizedAgents } : {}),
+    ...(normalizedTemplates.length > 0 ? { templates: normalizedTemplates } : {}),
     ...(autoInject ? { autoInject } : {}),
     ...(version ? { version } : {}),
   };
@@ -518,6 +613,10 @@ export async function invokeCustomTool(rootDir, toolId, args = [], opts = {}) {
     throw new Error(`invokeCustomTool: tool "${toolId}" not found`);
   }
 
+  const cliArgs = Array.isArray(args)
+    ? args.map((arg) => String(arg))
+    : [String(args)];
+
   const { entry } = result;
   let sPath;
   if (entry.scope === "builtin") {
@@ -536,15 +635,15 @@ export async function invokeCustomTool(rootDir, toolId, args = [], opts = {}) {
   switch (entry.lang) {
     case "mjs":
       cmd = process.execPath; // use same node binary
-      cmdArgs = [sPath, ...args];
+      cmdArgs = [sPath, ...cliArgs];
       break;
     case "sh":
       cmd = process.platform === "win32" ? "bash" : "/bin/sh";
-      cmdArgs = [sPath, ...args];
+      cmdArgs = [sPath, ...cliArgs];
       break;
     case "py":
-      cmd = "python3";
-      cmdArgs = [sPath, ...args];
+      cmd = process.platform === "win32" ? "python" : "python3";
+      cmdArgs = [sPath, ...cliArgs];
       break;
     default:
       throw new Error(`invokeCustomTool: unsupported lang "${entry.lang}"`);
@@ -601,10 +700,13 @@ export async function invokeCustomTool(rootDir, toolId, args = [], opts = {}) {
  * @returns {Promise<void>}
  */
 export async function recordToolUsage(rootDir, toolId) {
+  const normalizedToolId = normalizeToolId(toolId);
+  if (!normalizedToolId) return;
+
   for (const isGlobal of [false, true]) {
     const storeDir = getToolStore(rootDir, { global: isGlobal });
     const index = safeReadIndex(storeDir);
-    const idx = index.findIndex((e) => e.id === toolId);
+    const idx = index.findIndex((e) => e.id === normalizedToolId);
     if (idx < 0) continue;
     index[idx].usageCount = (index[idx].usageCount ?? 0) + 1;
     index[idx].lastUsed = nowISO();
@@ -622,9 +724,12 @@ export async function recordToolUsage(rootDir, toolId) {
  * @returns {boolean} true if the tool was found and removed
  */
 export function deleteCustomTool(rootDir, toolId, { global: isGlobal = false } = {}) {
+  const normalizedToolId = normalizeToolId(toolId);
+  if (!normalizedToolId) return false;
+
   const storeDir = getToolStore(rootDir, { global: isGlobal });
   const index = safeReadIndex(storeDir);
-  const idx = index.findIndex((e) => e.id === toolId);
+  const idx = index.findIndex((e) => e.id === normalizedToolId);
   if (idx < 0) return false;
 
   const entry = index[idx];
@@ -651,9 +756,14 @@ export function deleteCustomTool(rootDir, toolId, { global: isGlobal = false } =
  * @returns {Promise<CustomToolEntry>} the entry as it now exists in global scope
  */
 export async function promoteToGlobal(rootDir, toolId) {
+  const normalizedToolId = normalizeToolId(toolId);
+  if (!normalizedToolId) {
+    throw new Error(`promoteToGlobal: workspace tool "${toolId}" not found`);
+  }
+
   const wsStore = getToolStore(rootDir, { global: false });
   const wsIndex = safeReadIndex(wsStore);
-  const wsEntry = wsIndex.find((e) => e.id === toolId);
+  const wsEntry = wsIndex.find((e) => e.id === normalizedToolId);
   if (!wsEntry) {
     throw new Error(
       `promoteToGlobal: workspace tool "${toolId}" not found`,
@@ -676,7 +786,7 @@ export async function promoteToGlobal(rootDir, toolId) {
 
   // Upsert in global index
   const globalEntry = { ...wsEntry, scope: "global", updatedAt: nowISO() };
-  const existingIdx = globalIndex.findIndex((e) => e.id === toolId);
+  const existingIdx = globalIndex.findIndex((e) => e.id === normalizedToolId);
   if (existingIdx >= 0) {
     globalIndex[existingIdx] = globalEntry;
   } else {
@@ -722,6 +832,8 @@ export function getToolsPromptBlock(rootDir, opts = {}) {
       template,
       limit,
       includeBuiltins,
+      category,
+      tags,
     });
     const affinityIds = new Set(affinityTools.map((t) => t.id));
     const remaining = listCustomTools(rootDir, { category, tags, includeBuiltins })
@@ -746,12 +858,12 @@ export function getToolsPromptBlock(rootDir, opts = {}) {
     "## Custom Tools Library",
     "",
     discoveryMode
-      ? "Only eagerly-loaded tools are listed below. Use the MCP discovery tools to find the rest at runtime."
-      : "The following reusable helper scripts are available. Run them via",
+      ? "- Eager tools only below. Discover the rest at runtime."
+      : "- Run tools via `node <tool>.mjs`, `bash <tool>.sh`, or `python3 <tool>.py`.",
     discoveryMode
-      ? "Use `search`, then `get_schema`, then `execute` for tools not listed here. Use `call_discovered_tool` only for simple direct calls."
-      : "`node <tool>.mjs`, `bash <tool>.sh`, or `python3 <tool>.py`.",
-    "Built-in tools live in `bosun/tools/`; workspace tools in `.bosun/tools/`.",
+      ? "- Use `search`, then `get_schema`, then `execute` for tools not listed here."
+      : "- Check this library before writing new helper code.",
+    "- Built-in tools: `bosun/tools/`; workspace tools: `.bosun/tools/`.",
     "",
   ];
 
@@ -791,16 +903,13 @@ export function getToolsPromptBlock(rootDir, opts = {}) {
     lines.push(
       "---",
       "",
-      "**Reflect:** Before writing repetitive inline code, check if an existing",
-      "custom tool covers the need. If you encounter a pattern that future agents",
-      "(or yourself on retry) would benefit from having as a persistent script,",
-      "save it to `.bosun/tools/` and register it via the Bosun SDK so the whole",
-      "team benefits. Good candidates: analysis helpers, test generators, codemods,",
-      "build/lint wrappers that differ from what `npm run *` provides.",
+      "Reflect:",
+      "- Check existing tools before writing new helpers.",
+      "- Promote repeated analysis, test, build, transform, or search logic into `.bosun/tools/`.",
+      "- Skip one-off scripts.",
       "",
     );
   }
-
   return lines.join("\n");
 }
 
@@ -931,3 +1040,4 @@ export function getAffinityTools(rootDir, opts = {}) {
     .slice(0, limit)
     .map((s) => s.tool);
 }
+

package/agent/agent-endpoint.mjs

@@ -201,8 +201,7 @@ function isLikelyBosunCommandLine(commandLine) {
     normalized.includes("/bosun/") &&
     (normalized.includes("monitor.mjs") ||
       normalized.includes("cli.mjs") ||
-      normalized.includes("agent-endpoint.mjs") ||
-      normalized.includes("ve-orchestrator"))
+      normalized.includes("agent-endpoint.mjs"))
   ) {
     return true;
   }

package/agent/agent-hooks.mjs

@@ -51,6 +51,9 @@ const MAX_OUTPUT_BYTES = 64 * 1024;
 /** Whether we're running on Windows */
 const IS_WINDOWS = process.platform === "win32";
 
+/** Preferred Windows shell for hook execution. */
+const WINDOWS_SHELL = process.env.ComSpec || "cmd.exe";
+
 /** Default max retries for retryable hooks */
 const DEFAULT_MAX_RETRIES = 2;
 
@@ -643,7 +646,7 @@ export function registerBuiltinHooks(options = {}) {
 
   // ── PrePush: agent preflight quality gate ──
   if (!skipPrePush) {
-    const preflightScript = "node preflight.mjs";
+    const preflightScript = "node infra/preflight.mjs";
 
     registerHook("PrePush", {
       id: "builtin-prepush-preflight",
@@ -841,6 +844,42 @@ function _buildEnv(ctx) {
   return env;
 }
 
+function _getSpawnCommand(command) {
+  const trimmed = String(command ?? "").trim();
+
+  if (IS_WINDOWS) {
+    const lower = trimmed.toLowerCase();
+    if (lower.startsWith("powershell ") || lower.startsWith("powershell.exe ")) {
+      const inlineCommand = trimmed
+        .replace(/^powershell(?:\.exe)?\s+-NoProfile\s+-Command\s+/i, "")
+        .replace(/^powershell(?:\.exe)?\s+-Command\s+/i, "")
+        .replace(/^"|"$/g, "");
+      return {
+        file: "powershell.exe",
+        args: ["-NoProfile", "-Command", inlineCommand],
+      };
+    }
+    if (lower.startsWith("cmd ") || lower.startsWith("cmd.exe ")) {
+      const inlineCommand = trimmed
+        .replace(/^cmd(?:\.exe)?\s+\/d\s+\/s\s+\/c\s+/i, "")
+        .replace(/^cmd(?:\.exe)?\s+\/c\s+/i, "");
+      return {
+        file: WINDOWS_SHELL,
+        args: ["/d", "/s", "/c", inlineCommand],
+      };
+    }
+    return {
+      file: WINDOWS_SHELL,
+      args: ["/d", "/s", "/c", trimmed],
+    };
+  }
+
+  return {
+    file: "/bin/sh",
+    args: ["-c", trimmed],
+  };
+}
+
 // ── Internal: Synchronous Hook Execution ────────────────────────────────────
 
 /**
@@ -892,12 +931,13 @@ function _executeHookSync(hook, ctx, env) {
     };
 
     try {
-      const result = spawnSync(hook.command, {
+      const spawnTarget = _getSpawnCommand(hook.command);
+      const result = spawnSync(spawnTarget.file, spawnTarget.args, {
         cwd,
         env: hookEnv,
         encoding: "utf8",
         timeout,
-        shell: true,
+        shell: false,
         windowsHide: true,
         maxBuffer: MAX_OUTPUT_BYTES,
       });
@@ -999,10 +1039,11 @@ function _executeHookAsyncOnce(hook, ctx, env, attempt) {
 
     let child;
     try {
-      child = spawn(hook.command, {
+      const spawnTarget = _getSpawnCommand(hook.command);
+      child = spawn(spawnTarget.file, spawnTarget.args, {
         cwd,
         env: hookEnv,
-        shell: true,
+        shell: false,
         windowsHide: true,
         stdio: ["ignore", "pipe", "pipe"],
       });
@@ -1253,3 +1294,10 @@ export function registerLibraryHooks(hooksByEvent) {
   }
   return { registered, skipped };
 }
+
+
+
+
+
+
+