cyrus-edge-worker 0.2.39 → 0.2.41

package/dist/EdgeWorker.js

@@ -9,7 +9,7 @@ import { ConfigUpdater } from "cyrus-config-updater";
 import { CLIIssueTrackerService, CLIRPCServer, createLogger, DEFAULT_PROXY_URL, isAgentSessionCreatedWebhook, isAgentSessionPromptedWebhook, isContentUpdateMessage, isIssueAssignedWebhook, isIssueCommentMentionWebhook, isIssueDeletedWebhook, isIssueNewCommentWebhook, isIssueStateChangeMessage, isIssueStateChangeWebhook, isIssueTitleOrDescriptionUpdateWebhook, isIssueUnassignedWebhook, isSessionStartMessage, isStopSignalMessage, isUnassignMessage, isUserPromptMessage, PersistenceManager, requireLinearWorkspaceId, resolvePath, } from "cyrus-core";
 import { CursorRunner } from "cyrus-cursor-runner";
 import { GeminiRunner } from "cyrus-gemini-runner";
-import { extractCommentAuthor, extractCommentBody, extractCommentId, extractCommentUrl, extractPRBaseBranchRef, extractPRBranchRef, extractPRNumber, extractPRTitle, extractRepoFullName, extractRepoName, extractRepoOwner, extractSessionKey, GitHubCommentService, GitHubEventTransport, isCommentOnPullRequest, isIssueCommentPayload, isPullRequestReviewCommentPayload, isPullRequestReviewPayload, stripMention, } from "cyrus-github-event-transport";
+import { extractCommentAuthor, extractCommentBody, extractCommentId, extractCommentUrl, extractPRBaseBranchRef, extractPRBranchRef, extractPRNumber, extractPRTitle, extractRepoFullName, extractRepoName, extractRepoOwner, extractSessionKey, GitHubAppTokenProvider, GitHubCommentService, GitHubEventTransport, isCommentOnPullRequest, isIssueCommentPayload, isPullRequestReviewCommentPayload, isPullRequestReviewPayload, stripMention, } from "cyrus-github-event-transport";
 import { extractDiscussionId, extractSessionKey as extractGitLabSessionKey, extractMRBaseBranchRef, extractMRBranchRef, extractMRIid, extractMRTitle, extractNoteAuthor, extractNoteBody, extractNoteId, extractNoteUrl, extractProjectId, extractProjectPath, GitLabCommentService, GitLabEventTransport, isNoteOnMergeRequest, stripMention as stripGitLabMention, } from "cyrus-gitlab-event-transport";
 import { LinearEventTransport, LinearIssueTrackerService, } from "cyrus-linear-event-transport";
 import { createCyrusToolsServer, } from "cyrus-mcp-tools";
@@ -21,15 +21,16 @@ import { AskUserQuestionHandler } from "./AskUserQuestionHandler.js";
 import { AttachmentService } from "./AttachmentService.js";
 import { ChatSessionHandler } from "./ChatSessionHandler.js";
 import { ConfigManager } from "./ConfigManager.js";
+import { DefaultSkillsDeployer } from "./DefaultSkillsDeployer.js";
 import { GitService } from "./GitService.js";
 import { GlobalSessionRegistry } from "./GlobalSessionRegistry.js";
 import { McpConfigService } from "./McpConfigService.js";
 import { PromptBuilder } from "./PromptBuilder.js";
-import { applyPlatformSubroutines, ProcedureAnalyzer, } from "./procedures/index.js";
 import { RepositoryRouter, } from "./RepositoryRouter.js";
 import { RunnerConfigBuilder } from "./RunnerConfigBuilder.js";
 import { RunnerSelectionService } from "./RunnerSelectionService.js";
 import { SharedApplicationServer } from "./SharedApplicationServer.js";
+import { SkillsPluginResolver } from "./SkillsPluginResolver.js";
 import { SlackChatAdapter } from "./SlackChatAdapter.js";
 import { LinearActivitySink } from "./sinks/LinearActivitySink.js";
 import { ToolPermissionResolver } from "./ToolPermissionResolver.js";
@@ -49,6 +50,7 @@ export class EdgeWorker extends EventEmitter {
     issueTrackers = new Map(); // one issue tracker per Linear workspace (keyed by linearWorkspaceId)
     linearEventTransport = null; // Single event transport for webhook delivery
     gitHubEventTransport = null; // GitHub event transport for forwarded GitHub webhooks
+    gitHubAppTokenProvider = null; // Self-hosted GitHub App token minting
     gitLabEventTransport = null; // GitLab event transport for forwarded GitLab webhooks
     slackEventTransport = null;
     chatSessionHandler = null;
@@ -60,7 +62,6 @@ export class EdgeWorker extends EventEmitter {
     sharedApplicationServer;
     cyrusHome;
     globalSessionRegistry; // Centralized session storage across all repositories
-    procedureAnalyzer; // Intelligent workflow routing
     configPath; // Path to config.json file
     /** @internal - Exposed for testing only */
     repositoryRouter; // Repository routing and selection
@@ -80,6 +81,8 @@ export class EdgeWorker extends EventEmitter {
     activityPoster;
     configManager;
     promptBuilder;
+    defaultSkillsDeployer;
+    skillsPluginResolver;
     cyrusToolsMcpEndpoint = "/mcp/cyrus-tools";
     cyrusToolsMcpRegistered = false;
     cyrusToolsMcpRequestContext = new AsyncLocalStorage();
@@ -102,20 +105,6 @@ export class EdgeWorker extends EventEmitter {
         this.gitLabCommentService = new GitLabCommentService();
         // Initialize global session registry (centralized session storage)
         this.globalSessionRegistry = new GlobalSessionRegistry();
-        // Initialize procedure router for fast classification
-        // Use the configured default runner (or auto-detect from API keys)
-        const simpleRunnerType = this.resolveDefaultSimpleRunnerType();
-        const simpleRunnerModel = simpleRunnerType === "claude"
-            ? "haiku"
-            : simpleRunnerType === "gemini"
-                ? "gemini-2.5-flash-lite"
-                : "gpt-5";
-        this.procedureAnalyzer = new ProcedureAnalyzer({
-            cyrusHome: this.cyrusHome,
-            model: simpleRunnerModel,
-            timeoutMs: 100000,
-            runnerType: simpleRunnerType,
-        });
         // Initialize repository router with dependencies
         const repositoryRouterDeps = {
             fetchIssueLabels: async (issueId, linearWorkspaceId) => {
@@ -176,36 +165,6 @@ export class EdgeWorker extends EventEmitter {
                 return;
             }
             await this.handleResumeParentSession(parentSessionId, prompt, childSessionId, repo, this.agentSessionManager);
-        }, this.procedureAnalyzer, this.sharedApplicationServer);
-        // Subscribe to session events once on the single ASM
-        this.agentSessionManager.on("subroutineComplete", async ({ sessionId, session }) => {
-            const repoId = this.sessionRepositories.get(sessionId);
-            const repo = repoId ? this.repositories.get(repoId) : undefined;
-            if (!repo) {
-                this.logger.error(`No repository found for session ${sessionId} during subroutine transition`);
-                return;
-            }
-            await this.handleSubroutineTransition(sessionId, session, repo, this.agentSessionManager);
-        });
-        this.agentSessionManager.on("validationLoopIteration", async ({ sessionId, session, fixerPrompt, iteration, maxIterations }) => {
-            const repoId = this.sessionRepositories.get(sessionId);
-            const repo = repoId ? this.repositories.get(repoId) : undefined;
-            if (!repo) {
-                this.logger.error(`No repository found for session ${sessionId} during validation loop`);
-                return;
-            }
-            this.logger.info(`Validation loop iteration ${iteration}/${maxIterations}, running fixer`);
-            await this.handleValidationLoopFixer(sessionId, session, repo, this.agentSessionManager, fixerPrompt, iteration);
-        });
-        this.agentSessionManager.on("validationLoopRerun", async ({ sessionId, session, iteration }) => {
-            const repoId = this.sessionRepositories.get(sessionId);
-            const repo = repoId ? this.repositories.get(repoId) : undefined;
-            if (!repo) {
-                this.logger.error(`No repository found for session ${sessionId} during validation rerun`);
-                return;
-            }
-            this.logger.info(`Validation loop re-running verifications (iteration ${iteration})`);
-            await this.handleValidationLoopRerun(sessionId, session, repo, this.agentSessionManager);
         });
         // Initialize repositories with path resolution
         for (const repo of config.repositories) {
@@ -280,12 +239,18 @@ export class EdgeWorker extends EventEmitter {
             gitService: this.gitService,
             config: this.config,
         });
+        this.defaultSkillsDeployer = new DefaultSkillsDeployer(this.cyrusHome, this.logger);
+        this.skillsPluginResolver = new SkillsPluginResolver(this.cyrusHome, this.logger);
         // Components will be initialized and registered in start() method before server starts
     }
     /**
      * Start the edge worker
      */
     async start() {
+        // Deploy default skills to cyrusHome if not already present (one-time setup)
+        await this.defaultSkillsDeployer.ensureDeployed();
+        // Scaffold user skills plugin manifest if needed (one-time setup)
+        await this.skillsPluginResolver.ensureUserPluginScaffolded();
         // Load persisted state for each repository
         await this.loadPersistedState();
         // Start config file watcher via ConfigManager
@@ -295,28 +260,10 @@ export class EdgeWorker extends EventEmitter {
             await this.addNewRepositories(changes.added);
             // Detect and apply workspace token changes before overwriting config
             this.updateLinearWorkspaceTokens(changes.newConfig);
-            const prevDefaultRunner = this.config.defaultRunner;
             this.config = changes.newConfig;
             this.configManager.setConfig(changes.newConfig);
             this.runnerSelectionService.setConfig(changes.newConfig);
             this.toolPermissionResolver.setConfig(changes.newConfig);
-            // Reconstruct ProcedureAnalyzer if the default runner changed,
-            // since its internal SimpleRunner is baked in at construction time.
-            if (changes.newConfig.defaultRunner !== prevDefaultRunner) {
-                const simpleRunnerType = this.resolveDefaultSimpleRunnerType();
-                const simpleRunnerModel = simpleRunnerType === "claude"
-                    ? "haiku"
-                    : simpleRunnerType === "gemini"
-                        ? "gemini-2.5-flash-lite"
-                        : "gpt-5";
-                this.procedureAnalyzer = new ProcedureAnalyzer({
-                    cyrusHome: this.cyrusHome,
-                    model: simpleRunnerModel,
-                    timeoutMs: 100000,
-                    runnerType: simpleRunnerType,
-                });
-                this.logger.info(`🔄 ProcedureAnalyzer reconstructed with runner type: ${simpleRunnerType}`);
-            }
         });
         this.configManager.startConfigWatcher();
         // Initialize and register components BEFORE starting server (routes must be registered before listen())
@@ -479,6 +426,18 @@ export class EdgeWorker extends EventEmitter {
         });
         // Register the /github-webhook endpoint
         this.gitHubEventTransport.register();
+        // Initialize GitHub App token provider for self-hosted users
+        const appId = process.env.GITHUB_APP_ID;
+        const installationId = process.env.GITHUB_APP_INSTALLATION_ID;
+        if (appId && installationId) {
+            const pemPath = join(this.cyrusHome, "github-app.pem");
+            this.gitHubAppTokenProvider = new GitHubAppTokenProvider({
+                appId,
+                installationId,
+                privateKeyPath: pemPath,
+            });
+            this.logger.info("GitHub App token provider initialized (self-hosted mode)");
+        }
         this.logger.info(`GitHub event transport registered (${verificationMode} mode)`);
         this.logger.info("Webhook endpoint: POST /github-webhook");
     }
@@ -528,19 +487,16 @@ export class EdgeWorker extends EventEmitter {
         const chatRepositoryPaths = allRepos.map((repo) => repo.repositoryPath);
         const routingContext = this.promptBuilder.generateRoutingContextForAllWorkspaces();
         const slackAdapter = new SlackChatAdapter(chatRepositoryPaths, this.logger, { repositoryRoutingContext: routingContext });
-        // V1: Source MCP config from first available repo (all repos share the same MCPs today)
+        // V1: Source workspace/repo from first available (all repos share the same MCPs today)
         const firstLinearWorkspaceId = Object.keys(this.config.linearWorkspaces || {})[0];
         const firstRepo = allRepos[0];
-        const mcpConfig = firstLinearWorkspaceId && firstRepo
-            ? this.buildMcpConfig(firstRepo.id, firstLinearWorkspaceId)
-            : undefined;
         if (!firstLinearWorkspaceId || !firstRepo) {
             this.logger.warn("No repositories or workspaces configured — Slack sessions will not have access to MCP tools");
         }
         this.chatSessionHandler = new ChatSessionHandler(slackAdapter, {
             cyrusHome: this.cyrusHome,
             chatRepositoryPaths,
-            mcpConfig,
+            linearWorkspaceId: firstLinearWorkspaceId,
             repository: firstRepo,
             runnerConfigBuilder: this.runnerConfigBuilder,
             createRunner: (config) => {
@@ -598,6 +554,25 @@ export class EdgeWorker extends EventEmitter {
      * This creates a new session for the GitHub PR comment, checks out the PR branch
      * via git worktree, and processes the comment as a task prompt.
      */
+    /**
+     * Resolve a GitHub API token from (in priority order):
+     * 1. Forwarded installation token from CYHOST (cloud/proxy mode)
+     * 2. Self-minted installation token from GitHub App credentials (self-hosted)
+     * 3. Personal access token from GITHUB_TOKEN env var (fallback)
+     */
+    async resolveGitHubToken(event) {
+        if (event.installationToken)
+            return event.installationToken;
+        if (this.gitHubAppTokenProvider) {
+            try {
+                return await this.gitHubAppTokenProvider.getToken();
+            }
+            catch (error) {
+                this.logger.warn("Failed to mint GitHub App installation token, falling back to GITHUB_TOKEN", error instanceof Error ? error : new Error(String(error)));
+            }
+        }
+        return process.env.GITHUB_TOKEN;
+    }
     async handleGitHubWebhook(event) {
         this.activeWebhookCount++;
         try {
@@ -637,7 +612,7 @@ export class EdgeWorker extends EventEmitter {
             }
             this.logger.info(`Processing GitHub webhook: ${repoFullName}#${prNumber} by @${commentAuthor}${isPullRequestReview ? " (pull_request_review)" : ""}`);
             // Add "eyes" reaction to acknowledge receipt (not for pull_request_review — we post a comment instead)
-            const reactionToken = event.installationToken || process.env.GITHUB_TOKEN;
+            const reactionToken = await this.resolveGitHubToken(event);
             if (reactionToken && !isPullRequestReview) {
                 const commentId = extractCommentId(event);
                 if (commentId) {
@@ -758,7 +733,7 @@ export class EdgeWorker extends EventEmitter {
                 this.logger.error(`Failed to create session for GitHub webhook ${event.deliveryId}`);
                 return;
             }
-            // Initialize procedure metadata
+            // Initialize session metadata
             if (!session.metadata) {
                 session.metadata = {};
             }
@@ -774,12 +749,10 @@ export class EdgeWorker extends EventEmitter {
             const disallowedTools = this.buildDisallowedTools(repository);
             const allowedDirectories = [repository.repositoryPath];
             // Create agent runner using the standard config builder
-            const { config: runnerConfig, runnerType } = this.buildAgentRunnerConfig(session, repository, githubSessionId, systemPrompt, allowedTools, allowedDirectories, disallowedTools, undefined, // resumeSessionId
+            const { config: runnerConfig, runnerType } = await this.buildAgentRunnerConfig(session, repository, githubSessionId, systemPrompt, allowedTools, allowedDirectories, disallowedTools, undefined, // resumeSessionId
             undefined, // labels
             undefined, // issueDescription
             200, // maxTurns
-            false, // singleTurn
-            undefined, // disallowAllTools
             { excludeSlackMcp: true });
             const runner = this.createRunnerForType(runnerType, runnerConfig);
             // Store the runner in the session manager
@@ -844,8 +817,8 @@ export class EdgeWorker extends EventEmitter {
                 Accept: "application/vnd.github+json",
                 "X-GitHub-Api-Version": "2022-11-28",
             };
-            // Prefer forwarded installation token, fall back to GITHUB_TOKEN
-            const token = event.installationToken || process.env.GITHUB_TOKEN;
+            // Resolve GitHub token (installation token > App token > PAT)
+            const token = await this.resolveGitHubToken(event);
             if (token) {
                 headers.Authorization = `Bearer ${token}`;
             }
@@ -1007,9 +980,8 @@ ${taskSection}`;
                 this.logger.warn("Cannot post GitHub reply: no PR number");
                 return;
             }
-            // Prefer the forwarded installation token from CYHOST (1-hour expiry)
-            // Fall back to process.env.GITHUB_TOKEN if not provided
-            const token = event.installationToken || process.env.GITHUB_TOKEN;
+            // Resolve GitHub token (installation token > App token > PAT)
+            const token = await this.resolveGitHubToken(event);
             if (!token) {
                 this.logger.warn("Cannot post GitHub reply: no installation token or GITHUB_TOKEN configured");
                 this.logger.debug(`Would have posted reply to ${owner}/${repo}#${prNumber} (comment ${commentId}): ${summary}`);
@@ -1188,12 +1160,10 @@ ${taskSection}`;
             const disallowedTools = this.buildDisallowedTools(repository);
             const allowedDirectories = [repository.repositoryPath];
             // Create agent runner using the standard config builder
-            const { config: runnerConfig, runnerType } = this.buildAgentRunnerConfig(session, repository, gitlabSessionId, systemPrompt, allowedTools, allowedDirectories, disallowedTools, undefined, // resumeSessionId
+            const { config: runnerConfig, runnerType } = await this.buildAgentRunnerConfig(session, repository, gitlabSessionId, systemPrompt, allowedTools, allowedDirectories, disallowedTools, undefined, // resumeSessionId
             undefined, // labels
             undefined, // issueDescription
             200, // maxTurns
-            false, // singleTurn
-            undefined, // disallowAllTools
             { excludeSlackMcp: true });
             const runner = this.createRunnerForType(runnerType, runnerConfig);
             // Store the runner in the session manager
@@ -1538,96 +1508,6 @@ ${taskSection}`;
             log.error(`Error context - Parent issue: ${parentSession.issueId}, Repository: ${parentRepo.name}`);
         }
     }
-    /**
-     * Handle subroutine transition when a subroutine completes
-     * This is triggered by the AgentSessionManager's 'subroutineComplete' event
-     */
-    async handleSubroutineTransition(sessionId, session, repo, agentSessionManager) {
-        const log = this.logger.withContext({ sessionId });
-        log.info(`Handling subroutine completion for session ${sessionId}`);
-        // Get next subroutine (advancement already handled by AgentSessionManager)
-        const nextSubroutine = this.procedureAnalyzer.getCurrentSubroutine(session);
-        if (!nextSubroutine) {
-            log.info(`Procedure complete for session ${sessionId}`);
-            return;
-        }
-        log.info(`Next subroutine: ${nextSubroutine.name}`);
-        // Post a visually distinct status update to Linear so the user knows what's happening next
-        await agentSessionManager.createThoughtActivity(sessionId, `---\n**${nextSubroutine.description}...**`);
-        // Load subroutine prompt
-        let subroutinePrompt;
-        try {
-            subroutinePrompt = await this.loadSubroutinePrompt(nextSubroutine, this.getWorkspaceSlug(requireLinearWorkspaceId(repo)));
-            if (!subroutinePrompt) {
-                // Fallback if loadSubroutinePrompt returns null
-                subroutinePrompt = `Continue with: ${nextSubroutine.description}`;
-            }
-        }
-        catch (error) {
-            log.error(`Failed to load subroutine prompt:`, error);
-            // Fallback to simple prompt
-            subroutinePrompt = `Continue with: ${nextSubroutine.description}`;
-        }
-        // Resume Claude session with subroutine prompt
-        try {
-            await this.resumeAgentSession(session, repo, sessionId, agentSessionManager, subroutinePrompt, "", // No attachment manifest
-            false, // Not a new session
-            [], // No additional allowed directories
-            undefined, // linearWorkspaceId — will fall back to repo.linearWorkspaceId
-            nextSubroutine?.singleTurn ? 1 : undefined);
-            log.info(`Successfully resumed session for ${nextSubroutine.name} subroutine${nextSubroutine.singleTurn ? " (singleTurn)" : ""}`);
-        }
-        catch (error) {
-            log.error(`Failed to resume session for ${nextSubroutine.name} subroutine:`, error);
-        }
-    }
-    /**
-     * Handle validation loop fixer - run the fixer prompt
-     */
-    async handleValidationLoopFixer(sessionId, session, repo, agentSessionManager, fixerPrompt, iteration) {
-        this.logger.info(`Running fixer for session ${sessionId}, iteration ${iteration}`);
-        try {
-            await this.resumeAgentSession(session, repo, sessionId, agentSessionManager, fixerPrompt, "", // No attachment manifest
-            false, // Not a new session
-            [], // No additional allowed directories
-            undefined, // linearWorkspaceId — will fall back to repo.linearWorkspaceId
-            undefined);
-            this.logger.info(`Successfully started fixer for iteration ${iteration}`);
-        }
-        catch (error) {
-            this.logger.error(`Failed to run fixer for iteration ${iteration}:`, error);
-        }
-    }
-    /**
-     * Handle validation loop rerun - re-run the verifications subroutine
-     */
-    async handleValidationLoopRerun(sessionId, session, repo, agentSessionManager) {
-        this.logger.info(`Re-running verifications for session ${sessionId}`);
-        // Get the verifications subroutine definition
-        const verificationsSubroutine = this.procedureAnalyzer.getCurrentSubroutine(session);
-        if (!verificationsSubroutine ||
-            verificationsSubroutine.name !== "verifications") {
-            this.logger.error(`Expected verifications subroutine, got: ${verificationsSubroutine?.name}`);
-            return;
-        }
-        try {
-            // Load the verifications prompt
-            const subroutinePrompt = await this.loadSubroutinePrompt(verificationsSubroutine, this.getWorkspaceSlug(requireLinearWorkspaceId(repo)));
-            if (!subroutinePrompt) {
-                this.logger.error(`Failed to load verifications prompt`);
-                return;
-            }
-            await this.resumeAgentSession(session, repo, sessionId, agentSessionManager, subroutinePrompt, "", // No attachment manifest
-            false, // Not a new session
-            [], // No additional allowed directories
-            undefined, // linearWorkspaceId — will fall back to repo.linearWorkspaceId
-            undefined);
-            this.logger.info(`Successfully re-started verifications`);
-        }
-        catch (error) {
-            this.logger.error(`Failed to re-run verifications:`, error);
-        }
-    }
     /**
      * Detect workspace token changes and update all dependent services.
      *
@@ -2183,7 +2063,7 @@ ${taskSection}`;
         if ("attachments" in updatedFrom)
             changedFields.push("attachments");
         this.logger.info(`Handling issue content update: ${issueIdentifier} (changed: ${changedFields.join(", ")})`);
-        // Find session(s) for this issue (may be running or paused between subroutines)
+        // Find session(s) for this issue
         const sessions = this.agentSessionManager.getSessionsByIssueId(issueId);
         if (sessions.length === 0) {
             if (process.env.CYRUS_WEBHOOK_DEBUG === "true") {
@@ -2284,13 +2164,6 @@ ${taskSection}`;
         }
         return workspaceConfig.linearToken;
     }
-    /**
-     * Get the Linear workspace slug for a workspace from workspace-level config.
-     */
-    getWorkspaceSlug(linearWorkspaceId) {
-        return this.config.linearWorkspaces?.[linearWorkspaceId]
-            ?.linearWorkspaceSlug;
-    }
     /**
      * Create a new Cyrus agent session with all necessary setup
      * @param sessionId The Linear agent activity session ID
@@ -2535,92 +2408,9 @@ ${taskSection}`;
         const sessionData = await this.createCyrusAgentSession(sessionId, issue, repositories, agentSessionManager, linearWorkspaceId, baseBranchOverrides, routingMethod);
         // Destructure the session data (excluding allowedTools which we'll build with promptType)
         const { session, fullIssue, workspace: _workspace, attachmentResult, attachmentsDir: _attachmentsDir, allowedDirectories, } = sessionData;
-        // Initialize procedure metadata using intelligent routing
-        if (!session.metadata) {
-            session.metadata = {};
-        }
-        // Post ephemeral "Routing..." thought
-        await agentSessionManager.postAnalyzingThought(sessionId);
-        // Fetch labels early (needed for label override check)
+        // Fetch labels early (needed for system prompt and runner selection)
         const labels = await this.fetchIssueLabels(fullIssue);
-        // Lowercase labels for case-insensitive comparison
-        const lowercaseLabels = labels.map((label) => label.toLowerCase());
-        // Check for label overrides BEFORE AI routing (use primary repo for label config)
-        const debuggerConfig = primaryRepo.labelPrompts?.debugger;
-        const debuggerLabels = Array.isArray(debuggerConfig)
-            ? debuggerConfig
-            : debuggerConfig?.labels;
-        const hasDebuggerLabel = debuggerLabels?.some((label) => lowercaseLabels.includes(label.toLowerCase()));
-        // ALWAYS check for 'orchestrator' label (case-insensitive) regardless of EdgeConfig
-        // This is a hardcoded rule: any issue with 'orchestrator'/'Orchestrator' label
-        // goes to orchestrator procedure
-        const hasHardcodedOrchestratorLabel = lowercaseLabels.includes("orchestrator");
-        // Also check any additional orchestrator labels from config
-        const orchestratorConfig = primaryRepo.labelPrompts?.orchestrator;
-        const orchestratorLabels = Array.isArray(orchestratorConfig)
-            ? orchestratorConfig
-            : orchestratorConfig?.labels;
-        const hasConfiguredOrchestratorLabel = orchestratorLabels?.some((label) => lowercaseLabels.includes(label.toLowerCase())) ?? false;
-        const hasOrchestratorLabel = hasHardcodedOrchestratorLabel || hasConfiguredOrchestratorLabel;
-        // Check for graphite label (for graphite-orchestrator combination)
-        const graphiteConfig = primaryRepo.labelPrompts?.graphite;
-        const graphiteLabels = Array.isArray(graphiteConfig)
-            ? graphiteConfig
-            : (graphiteConfig?.labels ?? ["graphite"]);
-        const hasGraphiteLabel = graphiteLabels?.some((label) => lowercaseLabels.includes(label.toLowerCase()));
-        // Graphite-orchestrator requires BOTH graphite AND orchestrator labels
-        const hasGraphiteOrchestratorLabels = hasGraphiteLabel && hasOrchestratorLabel;
-        let finalProcedure;
-        let finalClassification;
-        // If labels indicate a specific procedure, use that instead of AI routing
-        if (hasDebuggerLabel) {
-            const debuggerProcedure = this.procedureAnalyzer.getProcedure("debugger-full");
-            if (!debuggerProcedure) {
-                throw new Error("debugger-full procedure not found in registry");
-            }
-            finalProcedure = debuggerProcedure;
-            finalClassification = "debugger";
-            log.info(`Using debugger-full procedure due to debugger label (skipping AI routing)`);
-        }
-        else if (hasGraphiteOrchestratorLabels) {
-            // Graphite-orchestrator takes precedence over regular orchestrator when both labels present
-            const orchestratorProcedure = this.procedureAnalyzer.getProcedure("orchestrator-full");
-            if (!orchestratorProcedure) {
-                throw new Error("orchestrator-full procedure not found in registry");
-            }
-            finalProcedure = orchestratorProcedure;
-            // Use orchestrator classification but the system prompt will be graphite-orchestrator
-            finalClassification = "orchestrator";
-            log.info(`Using orchestrator-full procedure with graphite-orchestrator prompt (graphite + orchestrator labels)`);
-        }
-        else if (hasOrchestratorLabel) {
-            const orchestratorProcedure = this.procedureAnalyzer.getProcedure("orchestrator-full");
-            if (!orchestratorProcedure) {
-                throw new Error("orchestrator-full procedure not found in registry");
-            }
-            finalProcedure = orchestratorProcedure;
-            finalClassification = "orchestrator";
-            log.info(`Using orchestrator-full procedure due to orchestrator label (skipping AI routing)`);
-        }
-        else {
-            // No label override - use AI routing
-            const issueDescription = `${issue.title}\n\n${fullIssue.description || ""}`.trim();
-            const routingDecision = await this.procedureAnalyzer.determineRoutine(issueDescription);
-            finalProcedure = routingDecision.procedure;
-            finalClassification = routingDecision.classification;
-            log.info(`AI routing: ${routingDecision.classification} → ${finalProcedure.name}`);
-        }
-        // Apply platform-specific subroutine substitution (e.g., gh-pr → glab-mr for GitLab repos)
-        const hostingPlatform = primaryRepo.gitlabUrl
-            ? "gitlab"
-            : primaryRepo.githubUrl
-                ? "github"
-                : undefined;
-        finalProcedure = applyPlatformSubroutines(finalProcedure, hostingPlatform);
-        // Initialize procedure metadata in session with final decision
-        this.procedureAnalyzer.initializeProcedureMetadata(session, finalProcedure);
-        // Post single procedure selection result (replaces ephemeral routing thought)
-        await agentSessionManager.postProcedureSelectionThought(sessionId, finalProcedure.name, finalClassification);
+        log.info(`Starting agent session for issue ${fullIssue.identifier}`);
         // Build and start Claude with initial prompt using full issue (streaming mode)
         log.info(`Building initial prompt for issue ${fullIssue.identifier}`);
         try {
@@ -2656,33 +2446,19 @@ ${taskSection}`;
                     await this.postSystemPromptSelectionThought(sessionId, labels, linearWorkspaceId, primaryRepo.id);
                 }
             }
-            // Get current subroutine to check for singleTurn mode and disallowAllTools
-            const currentSubroutine = this.procedureAnalyzer.getCurrentSubroutine(session);
             // Build allowed tools list with Linear MCP tools (now with prompt type context)
-            // If subroutine has disallowAllTools: true, use empty array to disable all tools
-            const allowedTools = currentSubroutine?.disallowAllTools
-                ? []
-                : this.buildAllowedTools(repositories, promptType);
-            const baseDisallowedTools = this.buildDisallowedTools(repositories, promptType);
-            // Merge subroutine-level disallowedTools if applicable
-            const disallowedTools = this.mergeSubroutineDisallowedTools(session, baseDisallowedTools, "EdgeWorker");
-            if (currentSubroutine?.disallowAllTools) {
-                log.debug(`All tools disabled for ${fullIssue.identifier} (subroutine: ${currentSubroutine.name})`);
-            }
-            else {
-                log.debug(`Configured allowed tools for ${fullIssue.identifier}:`, allowedTools);
-            }
+            const allowedTools = this.buildAllowedTools(repositories, promptType);
+            const disallowedTools = this.buildDisallowedTools(repositories, promptType);
+            log.debug(`Configured allowed tools for ${fullIssue.identifier}:`, allowedTools);
             if (disallowedTools.length > 0) {
                 log.debug(`Configured disallowed tools for ${fullIssue.identifier}:`, disallowedTools);
             }
             // Create agent runner with system prompt from assembly
             // buildAgentRunnerConfig now determines runner type from labels internally
-            const { config: runnerConfig, runnerType } = this.buildAgentRunnerConfig(session, primaryRepo, sessionId, assembly.systemPrompt, allowedTools, allowedDirectories, disallowedTools, undefined, // resumeSessionId
+            const { config: runnerConfig, runnerType } = await this.buildAgentRunnerConfig(session, primaryRepo, sessionId, assembly.systemPrompt, allowedTools, allowedDirectories, disallowedTools, undefined, // resumeSessionId
             labels, // Pass labels for runner selection and model override
             fullIssue.description || undefined, // Description tags can override label selectors
             undefined, // maxTurns
-            currentSubroutine?.singleTurn, // singleTurn flag
-            currentSubroutine?.disallowAllTools, // disallowAllTools flag - also disables MCP tools
             undefined, // mcpOptions
             linearWorkspaceId);
             log.debug(`Label-based runner selection for new session: ${runnerType} (session ${sessionId})`);
@@ -2885,7 +2661,7 @@ ${taskSection}`;
                 }
             }
         }
-        // Note: Routing and streaming check happens later in handlePromptWithStreamingCheck
+        // Note: Streaming check happens later in handlePromptWithStreamingCheck
         // after attachments are processed
         // Ensure session is not null after creation/retrieval
         if (!session) {
@@ -3464,19 +3240,12 @@ ${taskSection}`;
             : this.config.serverPort || this.config.webhookPort || 3456;
         return `http://127.0.0.1:${port}${this.cyrusToolsMcpEndpoint}`;
     }
-    /**
-     * Build MCP configuration — delegates to McpConfigService.
-     */
-    buildMcpConfig(repoId, linearWorkspaceId, parentSessionId, options) {
-        return this.mcpConfigService.buildMcpConfig(repoId, linearWorkspaceId, parentSessionId, options);
-    }
     /**
      * Build the complete prompt for a session - shows full prompt assembly in one place
      *
      * New session prompt structure:
      * 1. Issue context (from buildIssueContextPrompt)
-     * 2. Initial subroutine prompt (if procedure initialized)
-     * 3. User comment
+     * 2. User comment
      *
      * Existing session prompt structure:
      * 1. User comment
@@ -3545,7 +3314,7 @@ ${taskSection}`;
         };
     }
     /**
-     * Build prompt for new session - includes issue context, subroutine prompt, and user comment
+     * Build prompt for new session - includes issue context and user comment
      */
     async buildNewSessionPrompt(input) {
         const components = [];
@@ -3571,25 +3340,17 @@ ${taskSection}`;
             const sharedInstructions = await this.loadSharedInstructions();
             systemPrompt = sharedInstructions;
         }
-        // 3. Build issue context using appropriate builder
+        // 3. Append skills guidance — instruct the agent to use skills based on context
+        systemPrompt += await this.skillsPluginResolver.buildSkillsGuidance();
+        // 4. Append agent context — dynamic values for skills to reference
+        systemPrompt += this.buildAgentContextBlock();
+        // 5. Build issue context using appropriate builder
         // Use label-based prompt ONLY if we have a label-based system prompt
         const promptType = this.determinePromptType(input, !!labelBasedSystemPrompt);
         const issueContext = await this.buildIssueContextForPromptAssembly(input.fullIssue, repositories, promptType, input.attachmentManifest, input.guidance, input.agentSession, input.resolvedBaseBranches);
         parts.push(issueContext.prompt);
         components.push("issue-context");
-        // 4. Load and append initial subroutine prompt
-        const currentSubroutine = this.procedureAnalyzer.getCurrentSubroutine(input.session);
-        let subroutineName;
-        if (currentSubroutine) {
-            const resolvedWsId = input.linearWorkspaceId ?? requireLinearWorkspaceId(input.repository);
-            const subroutinePrompt = await this.loadSubroutinePrompt(currentSubroutine, this.getWorkspaceSlug(resolvedWsId));
-            if (subroutinePrompt) {
-                parts.push(subroutinePrompt);
-                components.push("subroutine-prompt");
-                subroutineName = currentSubroutine.name;
-            }
-        }
-        // 5. Add user comment (if present)
+        // 4. Add user comment (if present)
         // Skip for mention-triggered prompts since the comment is already in the mention block
         if (input.userComment.trim() && !input.isMentionTriggered) {
             // If we have author/timestamp metadata, include it for multi-player context
@@ -3619,13 +3380,34 @@ ${input.userComment}
             userPrompt: parts.join("\n\n"),
             metadata: {
                 components,
-                subroutineName,
                 promptType,
                 isNewSession: true,
                 isStreaming: false,
             },
         };
     }
+    /**
+     * Build an <agent_context> block with dynamic values that skills can reference.
+     *
+     * Provides bot usernames so skills (e.g. verify-and-ship) can refer to the
+     * correct bot account without hardcoding.
+     */
+    buildAgentContextBlock() {
+        const githubBot = process.env.GITHUB_BOT_USERNAME || "";
+        const gitlabBot = process.env.GITLAB_BOT_USERNAME || "";
+        if (!githubBot && !gitlabBot) {
+            return "";
+        }
+        const lines = ["\n\n<agent_context>"];
+        if (githubBot) {
+            lines.push(`  <github_bot_username>${githubBot}</github_bot_username>`);
+        }
+        if (gitlabBot) {
+            lines.push(`  <gitlab_bot_username>${gitlabBot}</gitlab_bot_username>`);
+        }
+        lines.push("</agent_context>");
+        return lines.join("\n");
+    }
     /**
      * Build prompt for existing session continuation - user comment and attachments only
      */
@@ -3674,13 +3456,6 @@ ${input.userComment}
         }
         return "fallback";
     }
-    /**
-     * Load a subroutine prompt file
-     * Extracted helper to make prompt assembly more readable
-     */
-    async loadSubroutinePrompt(subroutine, workspaceSlug) {
-        return this.promptBuilder.loadSubroutinePrompt(subroutine, workspaceSlug);
-    }
     /**
      * Load shared instructions that get appended to all system prompts
      */
@@ -3711,35 +3486,12 @@ ${input.userComment}
      * Uses config.defaultRunner if set, otherwise auto-detects from API keys,
      * falling back to "claude".
      */
-    resolveDefaultSimpleRunnerType() {
-        if (this.config.defaultRunner) {
-            this.logger.info(`🏃 SimpleRunner type resolved from config.defaultRunner: ${this.config.defaultRunner}`);
-            return this.config.defaultRunner;
-        }
-        // Auto-detect: if exactly one runner has API keys set, use it
-        const available = [];
-        if (process.env.CLAUDE_CODE_OAUTH_TOKEN || process.env.ANTHROPIC_API_KEY) {
-            available.push("claude");
-        }
-        if (process.env.GEMINI_API_KEY) {
-            available.push("gemini");
-        }
-        if (process.env.OPENAI_API_KEY) {
-            available.push("codex");
-        }
-        if (process.env.CURSOR_API_KEY) {
-            available.push("cursor");
-        }
-        const result = available.length === 1 && available[0] ? available[0] : "claude";
-        this.logger.info(`🏃 SimpleRunner type auto-detected: ${result} (available: ${available.join(", ") || "none"}, config.defaultRunner not set)`);
-        return result;
-    }
     /**
      * Build agent runner configuration with common settings.
      * Delegates to RunnerConfigBuilder for shared config assembly.
      * @returns Object containing the runner config and runner type to use
      */
-    buildAgentRunnerConfig(session, repository, sessionId, systemPrompt, allowedTools, allowedDirectories, disallowedTools, resumeSessionId, labels, issueDescription, maxTurns, singleTurn, disallowAllTools, mcpOptions, linearWorkspaceId) {
+    async buildAgentRunnerConfig(session, repository, sessionId, systemPrompt, allowedTools, allowedDirectories, disallowedTools, resumeSessionId, labels, issueDescription, maxTurns, mcpOptions, linearWorkspaceId) {
         const log = this.logger.withContext({
             sessionId,
             platform: session.issueContext?.trackerId,
@@ -3757,12 +3509,11 @@ ${input.userComment}
             labels,
             issueDescription,
             maxTurns,
-            singleTurn,
-            disallowAllTools,
             mcpOptions,
             linearWorkspaceId,
             cyrusHome: this.cyrusHome,
             logger: log,
+            plugins: await this.skillsPluginResolver.resolve(),
             onMessage: (message) => {
                 this.handleClaudeMessage(sessionId, message, repository.id);
             },
@@ -3793,16 +3544,6 @@ ${input.userComment}
     buildDisallowedTools(repositories, promptType) {
         return this.toolPermissionResolver.buildDisallowedTools(repositories, promptType);
     }
-    /**
-     * Merge subroutine-level disallowedTools with base disallowedTools
-     * @param session Current agent session
-     * @param baseDisallowedTools Base disallowed tools from repository/global config
-     * @param logContext Context string for logging (e.g., "EdgeWorker", "resumeClaudeSession")
-     * @returns Merged disallowed tools list
-     */
-    mergeSubroutineDisallowedTools(session, baseDisallowedTools, logContext) {
-        return this.toolPermissionResolver.mergeSubroutineDisallowedTools(session, baseDisallowedTools, logContext, this.procedureAnalyzer);
-    }
     /**
      * Build allowed tools list with Linear MCP tools automatically included.
      * Accepts single or multiple repositories (union for multi-repo).
@@ -3991,83 +3732,12 @@ ${input.userComment}
     async postRoutingActivity(sessionId, linearWorkspaceId, repoLines, routingMethod) {
         return this.activityPoster.postRoutingActivity(sessionId, linearWorkspaceId, repoLines, routingMethod);
     }
-    /**
-     * Re-route procedure for a session (used when resuming from child or give feedback)
-     * This ensures the currentSubroutine is reset to avoid suppression issues
-     */
-    async rerouteProcedureForSession(session, sessionId, agentSessionManager, promptBody, repository, linearWorkspaceId) {
-        // Initialize procedure metadata using intelligent routing
-        if (!session.metadata) {
-            session.metadata = {};
-        }
-        // Post ephemeral "Routing..." thought
-        await agentSessionManager.postAnalyzingThought(sessionId);
-        // Fetch full issue and labels to check for Orchestrator label override
-        const issueTracker = this.issueTrackers.get(linearWorkspaceId);
-        let hasOrchestratorLabel = false;
-        // Get issueId from issueContext (preferred) or deprecated issueId field
-        const issueId = session.issueContext?.issueId ?? session.issueId;
-        if (issueTracker && issueId) {
-            try {
-                const fullIssue = await issueTracker.fetchIssue(issueId);
-                const labels = await this.fetchIssueLabels(fullIssue);
-                // ALWAYS check for 'orchestrator' label (case-insensitive) regardless of EdgeConfig
-                // This is a hardcoded rule: any issue with 'orchestrator'/'Orchestrator' label
-                // goes to orchestrator procedure
-                const lowercaseLabels = labels.map((label) => label.toLowerCase());
-                const hasHardcodedOrchestratorLabel = lowercaseLabels.includes("orchestrator");
-                // Also check any additional orchestrator labels from config
-                const orchestratorConfig = repository.labelPrompts?.orchestrator;
-                const orchestratorLabels = Array.isArray(orchestratorConfig)
-                    ? orchestratorConfig
-                    : orchestratorConfig?.labels;
-                const hasConfiguredOrchestratorLabel = orchestratorLabels?.some((label) => lowercaseLabels.includes(label.toLowerCase())) ?? false;
-                hasOrchestratorLabel =
-                    hasHardcodedOrchestratorLabel || hasConfiguredOrchestratorLabel;
-            }
-            catch (error) {
-                this.logger.error(`Failed to fetch issue labels for routing:`, error);
-                // Continue with AI routing if label fetch fails
-            }
-        }
-        let selectedProcedure;
-        let finalClassification;
-        // If Orchestrator label is present, ALWAYS use orchestrator-full procedure
-        if (hasOrchestratorLabel) {
-            const orchestratorProcedure = this.procedureAnalyzer.getProcedure("orchestrator-full");
-            if (!orchestratorProcedure) {
-                throw new Error("orchestrator-full procedure not found in registry");
-            }
-            selectedProcedure = orchestratorProcedure;
-            finalClassification = "orchestrator";
-            this.logger.info(`Using orchestrator-full procedure due to Orchestrator label (skipping AI routing)`);
-        }
-        else {
-            // No Orchestrator label - use AI routing based on prompt content
-            const routingDecision = await this.procedureAnalyzer.determineRoutine(promptBody.trim());
-            selectedProcedure = routingDecision.procedure;
-            finalClassification = routingDecision.classification;
-            this.logger.info(`AI routing: ${routingDecision.classification} → ${selectedProcedure.name}`);
-        }
-        // Apply platform-specific subroutine substitution (e.g., gh-pr → glab-mr for GitLab repos)
-        const hostingPlatform = repository.gitlabUrl
-            ? "gitlab"
-            : repository.githubUrl
-                ? "github"
-                : undefined;
-        selectedProcedure = applyPlatformSubroutines(selectedProcedure, hostingPlatform);
-        // Initialize procedure metadata in session (resets currentSubroutine)
-        this.procedureAnalyzer.initializeProcedureMetadata(session, selectedProcedure);
-        // Post procedure selection result (replaces ephemeral routing thought)
-        await agentSessionManager.postProcedureSelectionThought(sessionId, selectedProcedure.name, finalClassification);
-    }
     /**
      * Handle prompt with streaming check - centralized logic for all input types
      *
      * This method implements the unified pattern for handling prompts:
      * 1. Check if runner is actively streaming
-     * 2. Route procedure if NOT streaming (resets currentSubroutine)
-     * 3. Add to stream if streaming, OR resume session if not
+     * 2. Add to stream if streaming, OR resume session if not
      *
      * @param session The Cyrus agent session
      * @param repository Repository configuration
@@ -4082,17 +3752,7 @@ ${input.userComment}
      */
     async handlePromptWithStreamingCheck(session, repository, sessionId, agentSessionManager, promptBody, attachmentManifest, isNewSession, additionalAllowedDirs, logContext, linearWorkspaceId, commentAuthor, commentTimestamp) {
         const log = this.logger.withContext({ sessionId });
-        // Check if runner is actively running before routing
         const existingRunner = session.agentRunner;
-        const isRunning = existingRunner?.isRunning() || false;
-        // Always route procedure for new input, UNLESS actively running
-        if (!isRunning) {
-            await this.rerouteProcedureForSession(session, sessionId, agentSessionManager, promptBody, repository, linearWorkspaceId);
-            log.debug(`Routed procedure for ${logContext}`);
-        }
-        else {
-            log.debug(`Skipping routing for ${sessionId} (${logContext}) - runner is actively running`);
-        }
         // Handle running case - add message to existing stream (if supported)
         if (existingRunner?.isRunning() &&
             existingRunner.supportsStreamingInput &&
@@ -4177,19 +3837,9 @@ ${input.userComment}
         const systemPromptResult = await this.determineSystemPromptFromLabels(labels, repository);
         const systemPrompt = systemPromptResult?.prompt;
         const promptType = systemPromptResult?.type;
-        // Get current subroutine to check for singleTurn mode and disallowAllTools
-        const currentSubroutine = this.procedureAnalyzer.getCurrentSubroutine(session);
-        // Build allowed tools list
-        // If subroutine has disallowAllTools: true, use empty array to disable all tools
-        const allowedTools = currentSubroutine?.disallowAllTools
-            ? []
-            : this.buildAllowedTools(repository, promptType);
-        const baseDisallowedTools = this.buildDisallowedTools(repository, promptType);
-        // Merge subroutine-level disallowedTools if applicable
-        const disallowedTools = this.mergeSubroutineDisallowedTools(session, baseDisallowedTools, "resumeClaudeSession");
-        if (currentSubroutine?.disallowAllTools) {
-            log.debug(`All tools disabled for subroutine: ${currentSubroutine.name}`);
-        }
+        // Build allowed and disallowed tools lists
+        const allowedTools = this.buildAllowedTools(repository, promptType);
+        const disallowedTools = this.buildDisallowedTools(repository, promptType);
         // Set up attachments directory
         const workspaceFolderName = basename(session.workspace.path);
         const attachmentsDir = join(this.cyrusHome, workspaceFolderName, "attachments");
@@ -4215,11 +3865,9 @@ ${input.userComment}
         // Create runner configuration
         // buildAgentRunnerConfig determines runner type from labels for new sessions
         // For existing sessions, we still need labels for model override but ignore runner type
-        const { config: runnerConfig, runnerType } = this.buildAgentRunnerConfig(session, repository, sessionId, systemPrompt, allowedTools, allowedDirectories, disallowedTools, resumeSessionId, labels, // Always pass labels to preserve model override
+        const { config: runnerConfig, runnerType } = await this.buildAgentRunnerConfig(session, repository, sessionId, systemPrompt, allowedTools, allowedDirectories, disallowedTools, resumeSessionId, labels, // Always pass labels to preserve model override
         fullIssue.description || undefined, // Description tags can override label selectors
         maxTurns, // Pass maxTurns if specified
-        currentSubroutine?.singleTurn, // singleTurn flag
-        currentSubroutine?.disallowAllTools, // disallowAllTools flag - also disables MCP tools
         undefined, // mcpOptions
         resolvedWorkspaceId);
         // Create the appropriate runner based on session state