helloagents 3.0.7 → 3.0.8-beta.1

package/scripts/cli-doctor.mjs

@@ -140,8 +140,8 @@ function inspectClaudeDoctor(settings) {
     issues.push(buildDoctorIssue('tracked-mode-mismatch', '记录模式与检测模式不一致', 'Tracked mode does not match detected mode'))
   }
   if (detectedMode === 'standby') {
-    if (!checks.carrierMarker) issues.push(buildDoctorIssue('standby-carrier-missing', 'standby 载体缺少 HELLOAGENTS 标记', 'Standby carrier is missing the HELLOAGENTS marker'))
-    if (checks.carrierMarker && !checks.carrierContentMatch) issues.push(buildDoctorIssue('standby-carrier-drift', 'standby 载体内容与当前 bootstrap-lite.md 不一致', 'Standby carrier content differs from the current bootstrap-lite.md'))
+    if (!checks.carrierMarker) issues.push(buildDoctorIssue('standby-carrier-missing', 'standby 规则文件缺少 HELLOAGENTS 标记', 'Standby carrier is missing the HELLOAGENTS marker'))
+    if (checks.carrierMarker && !checks.carrierContentMatch) issues.push(buildDoctorIssue('standby-carrier-drift', 'standby 规则文件内容与当前 bootstrap-lite.md 不一致', 'Standby carrier content differs from the current bootstrap-lite.md'))
     if (!checks.homeLink) issues.push(buildDoctorIssue('standby-link-missing', 'standby home 链接缺失或未指向当前包根目录', 'Standby home link is missing or points to a different package root'))
     if (!checks.settingsHooks) issues.push(buildDoctorIssue('standby-hooks-missing', 'standby settings hooks 缺失', 'Standby settings hooks are missing'))
     if (checks.settingsHooks && !checks.settingsHooksMatch) issues.push(buildDoctorIssue('standby-hooks-drift', 'standby settings hooks 与当前 hooks 配置不一致', 'Standby settings hooks differ from the current hook configuration'))
@@ -160,7 +160,7 @@ function inspectClaudeDoctor(settings) {
     issues.push(buildDoctorIssue('untracked-managed-state', '检测到受管状态，但配置中未记录该 CLI 模式', 'Managed state detected but this CLI mode is not tracked in config'))
   }
   if (trackedMode !== 'none' && detectedMode === 'none' && trackedMode !== 'global') {
-    issues.push(buildDoctorIssue('tracked-state-missing', '配置记录该 CLI 已安装，但未检测到对应受管痕迹', 'Config says this CLI is installed, but no managed artifacts were detected'))
+    issues.push(buildDoctorIssue('tracked-state-missing', '配置记录该 CLI 已安装，但未检测到对应的受管文件或配置', 'Config says this CLI is installed, but no managed artifacts were detected'))
   }
 
   const status = summarizeDoctorStatus(issues, { host, trackedMode, detectedMode })
@@ -188,8 +188,8 @@ function inspectGeminiDoctor(settings) {
     issues.push(buildDoctorIssue('tracked-mode-mismatch', '记录模式与检测模式不一致', 'Tracked mode does not match detected mode'))
   }
   if (detectedMode === 'standby') {
-    if (!checks.carrierMarker) issues.push(buildDoctorIssue('standby-carrier-missing', 'standby 载体缺少 HELLOAGENTS 标记', 'Standby carrier is missing the HELLOAGENTS marker'))
-    if (checks.carrierMarker && !checks.carrierContentMatch) issues.push(buildDoctorIssue('standby-carrier-drift', 'standby 载体内容与当前 bootstrap-lite.md 不一致', 'Standby carrier content differs from the current bootstrap-lite.md'))
+    if (!checks.carrierMarker) issues.push(buildDoctorIssue('standby-carrier-missing', 'standby 规则文件缺少 HELLOAGENTS 标记', 'Standby carrier is missing the HELLOAGENTS marker'))
+    if (checks.carrierMarker && !checks.carrierContentMatch) issues.push(buildDoctorIssue('standby-carrier-drift', 'standby 规则文件内容与当前 bootstrap-lite.md 不一致', 'Standby carrier content differs from the current bootstrap-lite.md'))
     if (!checks.homeLink) issues.push(buildDoctorIssue('standby-link-missing', 'standby home 链接缺失或未指向当前包根目录', 'Standby home link is missing or points to a different package root'))
     if (!checks.settingsHooks) issues.push(buildDoctorIssue('standby-hooks-missing', 'standby settings hooks 缺失', 'Standby settings hooks are missing'))
     if (checks.settingsHooks && !checks.settingsHooksMatch) issues.push(buildDoctorIssue('standby-hooks-drift', 'standby settings hooks 与当前 hooks 配置不一致', 'Standby settings hooks differ from the current hook configuration'))
@@ -207,7 +207,7 @@ function inspectGeminiDoctor(settings) {
     issues.push(buildDoctorIssue('untracked-managed-state', '检测到受管状态，但配置中未记录该 CLI 模式', 'Managed state detected but this CLI mode is not tracked in config'))
   }
   if (trackedMode !== 'none' && detectedMode === 'none' && trackedMode !== 'global') {
-    issues.push(buildDoctorIssue('tracked-state-missing', '配置记录该 CLI 已安装，但未检测到对应受管痕迹', 'Config says this CLI is installed, but no managed artifacts were detected'))
+    issues.push(buildDoctorIssue('tracked-state-missing', '配置记录该 CLI 已安装，但未检测到对应的受管文件或配置', 'Config says this CLI is installed, but no managed artifacts were detected'))
   }
 
   const status = summarizeDoctorStatus(issues, { host, trackedMode, detectedMode })
@@ -215,20 +215,20 @@ function inspectGeminiDoctor(settings) {
 }
 
 function appendCodexStandbyIssues(issues, checks) {
-  if (!checks.carrierMarker) issues.push(buildDoctorIssue('standby-carrier-missing', 'standby 载体缺少 HELLOAGENTS 标记', 'Standby carrier is missing the HELLOAGENTS marker'))
-  if (checks.carrierMarker && !checks.carrierContentMatch) issues.push(buildDoctorIssue('standby-carrier-drift', 'standby 载体内容与当前 bootstrap-lite.md 不一致', 'Standby carrier content differs from the current bootstrap-lite.md'))
+  if (!checks.carrierMarker) issues.push(buildDoctorIssue('standby-carrier-missing', 'standby 规则文件缺少 HELLOAGENTS 标记', 'Standby carrier is missing the HELLOAGENTS marker'))
+  if (checks.carrierMarker && !checks.carrierContentMatch) issues.push(buildDoctorIssue('standby-carrier-drift', 'standby 规则文件内容与当前 bootstrap-lite.md 不一致', 'Standby carrier content differs from the current bootstrap-lite.md'))
   if (!checks.homeLink) issues.push(buildDoctorIssue('standby-link-missing', 'standby home 链接缺失或未指向当前包根目录', 'Standby home link is missing or points to a different package root'))
-  if (checks.modelInstructionsFile) issues.push(buildDoctorIssue('standby-model-instructions-shadow', 'standby config 中仍存在 model_instructions_file，可能覆盖 HelloAGENTS 载体', 'Standby config still contains model_instructions_file, which can shadow the HelloAGENTS carrier'))
+  if (!checks.modelInstructionsFile) issues.push(buildDoctorIssue('standby-model-instructions-missing', 'standby config 缺少受管 model_instructions_file', 'Standby config is missing the managed model_instructions_file'))
+  if (checks.modelInstructionsFile && !checks.modelInstructionsPathMatch) issues.push(buildDoctorIssue('standby-model-instructions-drift', 'standby model_instructions_file 未指向受管 `~/.codex/AGENTS.md`', 'Standby model_instructions_file does not point to the managed `~/.codex/AGENTS.md`'))
   if (!checks.codexNotify) issues.push(buildDoctorIssue('standby-notify-missing', 'standby notify 配置缺失', 'Standby notify configuration is missing'))
   if (checks.codexNotify && !checks.notifyPathMatch) issues.push(buildDoctorIssue('standby-notify-drift', 'standby notify 路径未指向当前包根目录', 'Standby notify path does not point to the current package root'))
-  if (!checks.developerInstructions) issues.push(buildDoctorIssue('standby-developer-instructions-missing', 'standby developer_instructions 缺失', 'Standby developer_instructions block is missing'))
   if (checks.pluginRoot || checks.pluginCache || checks.marketplaceEntry || checks.pluginEnabled || checks.globalNotifyPath) {
-    issues.push(buildDoctorIssue('standby-global-residue', 'standby 模式下仍残留 global 插件链路', 'Global plugin artifacts still remain while Codex is in standby mode'))
+    issues.push(buildDoctorIssue('standby-global-residue', 'standby 模式下仍残留 global 插件文件或配置', 'Global plugin artifacts still remain while Codex is in standby mode'))
   }
 }
 
 function appendCodexGlobalIssues(issues, checks, pluginVersion, cacheVersion) {
-  if (!checks.carrierMarker) issues.push(buildDoctorIssue('global-home-carrier-missing', 'global `~/.codex/AGENTS.md` 缺少 HelloAGENTS 载体', 'Global `~/.codex/AGENTS.md` is missing the HelloAGENTS carrier'))
+  if (!checks.carrierMarker) issues.push(buildDoctorIssue('global-home-carrier-missing', 'global `~/.codex/AGENTS.md` 缺少 HelloAGENTS 规则内容', 'Global `~/.codex/AGENTS.md` is missing the HelloAGENTS carrier'))
   if (checks.carrierMarker && !checks.carrierContentMatch) issues.push(buildDoctorIssue('global-home-carrier-drift', 'global `~/.codex/AGENTS.md` 与当前 bootstrap.md 不一致', 'Global `~/.codex/AGENTS.md` differs from the current bootstrap.md'))
   if (!checks.pluginRoot) issues.push(buildDoctorIssue('global-plugin-root-missing', 'global 插件根目录缺失', 'Global plugin root is missing'))
   if (!checks.pluginCache) issues.push(buildDoctorIssue('global-plugin-cache-missing', 'global 插件缓存目录缺失', 'Global plugin cache directory is missing'))
@@ -236,10 +236,10 @@ function appendCodexGlobalIssues(issues, checks, pluginVersion, cacheVersion) {
   if (checks.pluginCache && !checks.pluginCacheCarrierMatch) issues.push(buildDoctorIssue('global-plugin-cache-carrier-drift', 'global 插件缓存中的 AGENTS.md 与当前 bootstrap.md 不一致', 'Global plugin cache AGENTS.md differs from the current bootstrap.md'))
   if (!checks.marketplaceEntry) issues.push(buildDoctorIssue('global-marketplace-missing', 'global marketplace 条目缺失', 'Global marketplace entry is missing'))
   if (!checks.pluginEnabled) issues.push(buildDoctorIssue('global-plugin-disabled', 'global config 中缺少插件启用段', 'Global plugin enablement block is missing from config'))
-  if (checks.modelInstructionsFile) issues.push(buildDoctorIssue('global-model-instructions-shadow', 'global config 中仍存在 model_instructions_file，可能覆盖 HelloAGENTS 载体', 'Global config still contains model_instructions_file, which can shadow the HelloAGENTS carrier'))
+  if (!checks.modelInstructionsFile) issues.push(buildDoctorIssue('global-model-instructions-missing', 'global config 缺少受管 model_instructions_file', 'Global config is missing the managed model_instructions_file'))
+  if (checks.modelInstructionsFile && !checks.modelInstructionsPathMatch) issues.push(buildDoctorIssue('global-model-instructions-drift', 'global model_instructions_file 未指向受管 `~/.codex/AGENTS.md`', 'Global model_instructions_file does not point to the managed `~/.codex/AGENTS.md`'))
   if (!checks.globalNotifyPath) issues.push(buildDoctorIssue('global-notify-missing', 'global notify 路径缺失', 'Global notify path is missing'))
   if (checks.globalNotifyPath && !checks.globalNotifyPathMatch) issues.push(buildDoctorIssue('global-notify-drift', 'global notify 路径未指向当前插件根目录', 'Global notify path does not point to the current plugin root'))
-  if (!checks.developerInstructions) issues.push(buildDoctorIssue('global-developer-instructions-missing', 'global developer_instructions 缺失', 'Global developer_instructions block is missing'))
   if (pluginVersion && !checks.pluginVersionMatch) issues.push(buildDoctorIssue('global-plugin-version-drift', 'global 插件根目录版本与当前包版本不一致', 'Global plugin root version does not match the current package version'))
   if (cacheVersion && !checks.pluginCacheVersionMatch) issues.push(buildDoctorIssue('global-plugin-cache-version-drift', 'global 插件缓存版本与当前包版本不一致', 'Global plugin cache version does not match the current package version'))
   if (checks.homeLink) {
@@ -260,6 +260,8 @@ function inspectCodexDoctor(settings) {
   const cacheVersion = safeJson(join(pluginCacheRoot, 'package.json'))?.version || ''
   const standbyNotifyPath = normalizePath(join(runtime.pkgRoot, 'scripts', 'notify.mjs'))
   const globalNotifyPath = normalizePath(join(pluginRoot, 'scripts', 'notify.mjs'))
+  const managedHomeCarrierPath = normalizePath(join(codexDir, 'AGENTS.md'))
+  const modelInstructionsLine = readTopLevelTomlLine(codexConfig, 'model_instructions_file')
   const expectedHomeCarrier = (detectedMode === 'global' || (detectedMode === 'none' && trackedMode === 'global'))
     ? 'bootstrap.md'
     : 'bootstrap-lite.md'
@@ -267,10 +269,11 @@ function inspectCodexDoctor(settings) {
     carrierMarker: (safeRead(join(codexDir, 'AGENTS.md')) || '').includes('HELLOAGENTS_START'),
     carrierContentMatch: extractManagedCarrierContent(join(codexDir, 'AGENTS.md')) === readBootstrapContent(expectedHomeCarrier),
     homeLink: safeRealTarget(join(codexDir, 'helloagents')) === runtime.pkgRoot,
-    modelInstructionsFile: !!readTopLevelTomlLine(codexConfig, 'model_instructions_file'),
+    modelInstructionsFile: !!modelInstructionsLine,
+    modelInstructionsPathMatch: !!modelInstructionsLine
+      && normalizePath(modelInstructionsLine).includes(`"${managedHomeCarrierPath}"`),
     codexNotify: codexConfig.includes('codex-notify'),
     notifyPathMatch: codexConfig.includes(standbyNotifyPath),
-    developerInstructions: codexConfig.includes('HelloAGENTS'),
     pluginRoot: existsSync(pluginRoot),
     pluginCache: existsSync(pluginCacheRoot),
     pluginCarrierMatch: normalizeText(safeRead(join(pluginRoot, 'AGENTS.md')) || '') === readBootstrapContent('bootstrap.md'),
@@ -298,7 +301,7 @@ function inspectCodexDoctor(settings) {
     issues.push(buildDoctorIssue('untracked-managed-state', '检测到受管状态，但配置中未记录该 CLI 模式', 'Managed state detected but this CLI mode is not tracked in config'))
   }
   if (trackedMode !== 'none' && detectedMode === 'none') {
-    issues.push(buildDoctorIssue('tracked-state-missing', '配置记录该 CLI 已安装，但未检测到对应受管痕迹', 'Config says this CLI is installed, but no managed artifacts were detected'))
+    issues.push(buildDoctorIssue('tracked-state-missing', '配置记录该 CLI 已安装，但未检测到对应的受管文件或配置', 'Config says this CLI is installed, but no managed artifacts were detected'))
   }
   if (!checks.pluginVersionMatch && !pluginVersion && detectedMode === 'global') {
     notes.push(runtime.msg('未读到 global 插件根目录版本信息', 'Global plugin root version was not readable'))

package/scripts/cli-messages.mjs

@@ -92,7 +92,7 @@ ${msg('单 CLI 管理', 'Scoped CLI management')}:
 ${msg('诊断', 'Diagnostics')}:
   helloagents doctor
   helloagents doctor codex --json
-  ${msg('检查 carrier、链接、hooks、配置注入、Codex 插件链路、model_instructions_file 遮蔽风险与版本漂移', 'Checks carriers, links, hooks, config injections, the Codex plugin chain, model_instructions_file shadowing risks, and version drift')}
+  ${msg('检查 carrier、链接、hooks、配置注入、Codex 插件链路、受管 model_instructions_file 指向与版本漂移', 'Checks carriers, links, hooks, config injections, the Codex plugin chain, managed model_instructions_file targeting, and version drift')}
 
 ${msg('卸载', 'Uninstall')}:
   helloagents cleanup      ${msg('（推荐先执行，显式清理所有 CLI 注入/链接）', '(recommended first, explicitly cleans CLI injections/links)')}

package/scripts/cli-toml.mjs

@@ -33,6 +33,15 @@ function findFirstTomlSectionIndex(text) {
   return normalized.length;
 }
 
+function splitTopLevelToml(text) {
+  const normalized = String(text || '').replace(/\r\n/g, '\n');
+  const topLevelEnd = findFirstTomlSectionIndex(normalized);
+  return {
+    topLevel: normalized.slice(0, topLevelEnd),
+    sections: normalized.slice(topLevelEnd),
+  };
+}
+
 function findTopLevelTomlBlock(text, key) {
   const normalized = String(text || '').replace(/\r\n/g, '\n');
   const topLevelEnd = findFirstTomlSectionIndex(normalized);
@@ -93,6 +102,27 @@ export function removeTopLevelTomlBlock(text, key) {
   return normalizeToml(`${normalized.slice(0, existing.start)}${normalized.slice(existing.end)}`);
 }
 
+export function prependTopLevelTomlBlocks(text, blocks) {
+  const normalizedBlocks = blocks
+    .map((block) => String(block || '').trim())
+    .filter(Boolean);
+
+  const { topLevel, sections } = splitTopLevelToml(text);
+  const normalizedTopLevel = topLevel.replace(/^\n+/, '').trimEnd();
+  const normalizedSections = sections.replace(/^\n+/, '').trimEnd();
+  const remainder = normalizedTopLevel && normalizedSections
+    ? `${normalizedTopLevel}\n\n${normalizedSections}`
+    : normalizedTopLevel || normalizedSections;
+  if (!normalizedBlocks.length) return normalizeToml(remainder);
+  const managedPrelude = normalizedBlocks.join('\n');
+
+  return normalizeToml(
+    remainder
+      ? `${managedPrelude}\n\n${remainder}`
+      : managedPrelude,
+  );
+}
+
 export function upsertTopLevelTomlKey(text, key, value) {
   const re = new RegExp(`^${key}\\s*=.*$`, 'm');
   const next = re.test(text)

package/scripts/guard-rules.mjs

@@ -6,10 +6,12 @@ export const DANGEROUS_PATTERNS = [
   { pattern: /(sudo\s+)?rm\s+(-[a-zA-Z]*r[a-zA-Z]*\s+)?(-[a-zA-Z]*f[a-zA-Z]*\s+)?(\/|~|\*)/, reason: 'Recursive delete of critical path' },
   { pattern: /(sudo\s+)?rm\s+--recursive/, reason: 'Recursive delete (long option)' },
   { pattern: /(sudo\s+)?rm\s+-[a-zA-Z]*r[a-zA-Z]*\s+\.\.?(\s|$)/, reason: 'Recursive delete of current/parent directory' },
+  { pattern: /\bcmd(?:\.exe)?\s*\/c\b/i, reason: 'Nested cmd invocation bypasses PowerShell safety rules' },
+  { pattern: /\bStart-Process\s+cmd(?:\.exe)?\b/i, reason: 'Nested cmd invocation bypasses PowerShell safety rules' },
   { pattern: /git\s+push\s+(-f|--force)/, reason: 'Force push (specify branch explicitly)' },
   { pattern: /git\s+reset\s+--hard/, reason: 'Hard reset (destructive operation)' },
   { pattern: /DROP\s+(DATABASE|TABLE|SCHEMA)/i, reason: 'Database destruction command' },
-  { pattern: /TRUNCATE\s+TABLE/i, reason: 'Table truncation' },
+  { pattern: /\bTRUNCATE(?:\s+TABLE)?\b/i, reason: 'Table truncation' },
   { pattern: /chmod\s+777/, reason: 'World-writable permissions' },
   { pattern: /mkfs\b/, reason: 'Filesystem format command' },
   { pattern: /dd\s+.*of=\/dev\//, reason: 'Direct device write' },
@@ -68,6 +70,29 @@ export function scanHighRiskCommands(command) {
   return warnings
 }
 
+export function scanShellSafetyWarnings(command = '') {
+  const warnings = []
+  const normalized = String(command || '')
+
+  if (/\bpowershell(?:\.exe)?\b/i.test(normalized) && /\s-Command\b/i.test(normalized)) {
+    const inlineScript = normalized.split(/\s-Command\b/i).slice(1).join(' ').trim()
+    const logicalLines = inlineScript
+      .split(/[;\r\n]+/)
+      .map((entry) => entry.trim())
+      .filter(Boolean)
+    if (logicalLines.length > 3) {
+      warnings.push('PowerShell inline script exceeds 3 logical lines; prefer a temporary .ps1 file')
+    }
+  }
+
+  const fileOps = normalized.match(/\b(remove-item|move-item|copy-item|new-item|set-content|add-content|out-file|mkdir|md|touch|cp|copy|mv|move|ren|rename|del|erase|rm|rmdir)\b/ig) || []
+  if (fileOps.length > 1 && /[;\r\n]/.test(normalized)) {
+    warnings.push('Multiple file operations are chained in one shell command; split them into separate commands')
+  }
+
+  return warnings
+}
+
 export function scanUnrequestedFiles(filePath, toolName) {
   if (!filePath || toolName?.toLowerCase() !== 'write') return []
   const basename = filePath.split(/[/\\]/).pop() || ''

package/scripts/guard.mjs

@@ -18,6 +18,7 @@ import {
   scanEnvCoverage,
   scanForSecrets,
   scanHighRiskCommands,
+  scanShellSafetyWarnings,
   scanUnrequestedFiles,
 } from './guard-rules.mjs'
 
@@ -122,7 +123,7 @@ function buildPostWriteWarnings(data) {
   const filePath = data.tool_input?.file_path || ''
   return [
     ...(detectIdeaBoundaryContext(data)?.zeroSideEffect
-      ? ['~idea 当前轮要求只读探索；检测到写入工具落地，请回退到探索输出或升级到 ~plan / ~build / ~prd / ~auto 后再修改文件']
+      ? ['~idea 本轮要求只读探索；检测到写入工具落地，请回退到探索输出或升级到 ~plan / ~build / ~prd / ~auto 后再修改文件']
       : []),
     ...scanUnrequestedFiles(filePath, data.tool_name),
     ...(content ? [...scanForSecrets(content), ...scanDangerousPackages(content, filePath)] : []),
@@ -168,7 +169,7 @@ function handleDangerousCommand(data, command) {
 
 function handleHighRiskCommand(data, command) {
   const warnings = scanHighRiskCommands(command)
-  if (warnings.length === 0) return
+  if (warnings.length === 0) return []
 
   const cwd = data.cwd || process.cwd()
   const gate = buildHighRiskGate(warnings, cwd)
@@ -185,20 +186,43 @@ function handleHighRiskCommand(data, command) {
       guardType: 'high-risk-gate',
       matches: warnings.map((warning) => warning.reason),
     })
-    return
+    return null
+  }
+  return warnings.map((warning) => warning.reason)
+}
+
+function emitShellWarnings(data, command, highRiskWarnings, shellSafetyWarnings) {
+  const sections = []
+  if (highRiskWarnings.length > 0) {
+    sections.push(`⚠️ [HelloAGENTS 高风险链路提醒] 检测到高风险命令:\n${highRiskWarnings.map((warning) => `  - ${warning}`).join('\n')}\n请确认已完成相应规划/审查并获得必要授权。`)
+  }
+  if (shellSafetyWarnings.length > 0) {
+    sections.push(`⚠️ [HelloAGENTS Shell 安全提醒] 检测到建议调整的命令写法:\n${shellSafetyWarnings.map((warning) => `  - ${warning}`).join('\n')}\n当前仅提示，不中断执行。`)
   }
+  if (sections.length === 0) return
 
   emitHookPayload({
     hookSpecificOutput: {
       hookEventName: HOOK_EVENT,
-      additionalContext: `⚠️ [HelloAGENTS 高风险链路提醒] 检测到高风险命令:\n${warnings.map((warning) => `  - ${warning.reason}`).join('\n')}\n请确认已完成相应规划/审查并获得必要授权。`,
+      additionalContext: sections.join('\n\n'),
     },
   })
-  emitGuardEvent(cwd, 'guard_warning', 'command', '', {
-    guardType: 'high-risk-warning',
-    command: command.slice(0, 200),
-    warnings: warnings.map((warning) => warning.reason),
-  })
+
+  const cwd = data.cwd || process.cwd()
+  if (highRiskWarnings.length > 0) {
+    emitGuardEvent(cwd, 'guard_warning', 'command', '', {
+      guardType: 'high-risk-warning',
+      command: command.slice(0, 200),
+      warnings: highRiskWarnings,
+    })
+  }
+  if (shellSafetyWarnings.length > 0) {
+    emitGuardEvent(cwd, 'guard_warning', 'command', '', {
+      guardType: 'shell-safety-warning',
+      command: command.slice(0, 200),
+      warnings: shellSafetyWarnings,
+    })
+  }
 }
 
 function handleShellCommand(data) {
@@ -217,7 +241,11 @@ function handleShellCommand(data) {
   }
 
   if (handleDangerousCommand(data, command)) return
-  handleHighRiskCommand(data, command)
+  const highRiskWarnings = handleHighRiskCommand(data, command)
+  if (highRiskWarnings === null) return
+
+  const shellSafetyWarnings = scanShellSafetyWarnings(command)
+  emitShellWarnings(data, command, highRiskWarnings, shellSafetyWarnings)
 }
 
 async function main() {

package/scripts/notify-context.mjs

@@ -31,11 +31,6 @@ function resolveStandbyHostRoot(host) {
 }
 
 function resolveReadRoot({ cwd, pkgRoot, host, settings }) {
-  const projectRoot = join(cwd, 'skills', 'helloagents');
-  if (existsSync(projectRoot)) {
-    return { source: 'project', root: projectRoot };
-  }
-
   if (settings.install_mode === 'standby') {
     const standbyRoot = resolveStandbyHostRoot(host);
     if (standbyRoot && existsSync(standbyRoot)) {
@@ -48,7 +43,7 @@ function resolveReadRoot({ cwd, pkgRoot, host, settings }) {
 
 function buildReadRootBlock(readRoot) {
   if (!readRoot?.root) return '';
-  return `## 当前 HelloAGENTS 读取根目录\n\`\`\`json\n${JSON.stringify(readRoot, null, 2)}\n\`\`\``;
+  return `## 本轮 HelloAGENTS 读取根目录\n\`\`\`json\n${JSON.stringify(readRoot, null, 2)}\n\`\`\``;
 }
 
 export function resolveCanonicalCommandSkill(skillName) {
@@ -172,7 +167,7 @@ export function buildSemanticRouteInstruction(cwd) {
     '当前消息未使用 ~command。',
     '请根据用户请求的真实意图选路，不依赖关键词表。',
     'Delivery Tier: T0=探索/比较；T1=低风险小改动或显式验证；T2=多文件功能/新项目/需要结构化产物；T3=高风险或不可逆链路。',
-    '路由映射：~idea=只读探索，不创建文件；~build=明确实现；~verify=审查/验证；~plan=结构化规划；~prd=重型规格；~auto=自动选路。',
+    '路由映射：~idea=只读探索，不创建文件；~build=明确实现；~verify=审查/验证；~plan=结构化规划；~prd=重型规格；~auto=自动编排并自动衔接后续阶段。',
     '若判定为 T3，默认先走 ~plan / ~prd；纯审查/验证请求才优先 ~verify。',
     `涉及 UI 任务时，设计决策优先级：当前活跃 plan / PRD → ${describeProjectStoreFile(cwd, 'DESIGN.md')} → 通用 UI 规则。`,
     projectStorageHint,

package/scripts/notify.mjs

@@ -10,11 +10,12 @@ import { homedir } from 'node:os';
 import { playSound as _playSound, desktopNotify as _desktopNotify } from './notify-ui.mjs';
 import { resolveNotificationSource } from './notify-source.mjs';
 import { buildCompactionContext, buildInjectContext, buildRouteInstruction, buildSemanticRouteInstruction, resolveCanonicalCommandSkill } from './notify-context.mjs';
-import { claimsTaskComplete, shouldIgnoreCodexNotifyClient, shouldIgnoreFormattedSubagent } from './notify-events.mjs';
+import { claimsTaskComplete, shouldIgnoreCodexNotifyClient } from './notify-events.mjs';
 import { handleRouteCommand, resolveBootstrapFile } from './notify-route.mjs';
 import { readSettings, readStdinJson, output, suppressedOutput, emptySuppress } from './notify-shared.mjs';
 import { clearRouteContext, writeRouteContext } from './runtime-context.mjs';
 import { appendReplayEvent, startReplaySession } from './replay-state.mjs';
+import { clearTurnState, readTurnState } from './turn-state.mjs';
 import { getWorkflowRecommendation } from './workflow-state.mjs';
 
 const __filename = fileURLToPath(import.meta.url);
@@ -114,6 +115,14 @@ function readCompletionText(payload = {}) {
     || '';
 }
 
+function shouldRunDeliveryGate(cwd, lastMsg) {
+  const turnState = readTurnState(cwd);
+  if (turnState?.role === 'main') {
+    return turnState.kind === 'complete';
+  }
+  return claimsTaskComplete(lastMsg);
+}
+
 function cmdPreCompact() {
   const payload = readStdinJson();
   const cwd = payload.cwd || process.cwd();
@@ -140,6 +149,7 @@ function cmdPreCompact() {
 
 function cmdRoute() {
   const payload = readStdinJson();
+  clearTurnState(payload.cwd || process.cwd());
   handleRouteCommand({
     payload,
     host: HOST,
@@ -194,6 +204,7 @@ function cmdInject() {
     cwd,
   });
   clearRouteContext();
+  clearTurnState(cwd);
   suppressedOutput(EVENT_NAME.SessionStart, context || undefined);
 }
 
@@ -207,7 +218,7 @@ function cmdStop() {
     desktopNotify('warning', buildNotifyExtra(payload));
     return;
   }
-  if (claimsTaskComplete(lastMsg) && runDeliveryGate(payload)) {
+  if (shouldRunDeliveryGate(cwd, lastMsg) && runDeliveryGate(payload)) {
     playSound('warning');
     desktopNotify('warning', buildNotifyExtra(payload));
     return;
@@ -243,17 +254,17 @@ function cmdCodexNotify() {
   }
   if (type !== 'agent-turn-complete') return;
 
-  const lastMsg = data['last-assistant-message'] || '';
-  const settings = getSettings();
-  if (shouldIgnoreFormattedSubagent(lastMsg, settings.output_format !== false)) return;
-
   const cwd = data.cwd || process.cwd();
-  if (claimsTaskComplete(lastMsg) && runRalphLoop({ cwd })) {
+  const turnState = readTurnState(cwd);
+  if (!turnState || turnState.role !== 'main') return;
+
+  const settings = getSettings();
+  if (turnState.kind === 'complete' && runRalphLoop({ cwd })) {
     playSound('warning');
     desktopNotify('warning', buildNotifyExtra(data));
     return;
   }
-  if (claimsTaskComplete(lastMsg) && runDeliveryGate({ cwd })) {
+  if (turnState.kind === 'complete' && runDeliveryGate({ cwd })) {
     playSound('warning');
     desktopNotify('warning', buildNotifyExtra(data));
     return;

package/scripts/turn-state.mjs

@@ -0,0 +1,173 @@
+import { mkdirSync, readFileSync, rmSync, writeFileSync } from 'node:fs'
+import { dirname, join, normalize, resolve } from 'node:path'
+import { homedir } from 'node:os'
+import { fileURLToPath } from 'node:url'
+
+import { appendReplayEvent } from './replay-state.mjs'
+
+const TURN_STATE_PATH = join(homedir(), '.helloagents', 'runtime', 'turn-state.json')
+const TURN_STATE_TTL_MS = 30 * 60 * 1000
+const VALID_KINDS = new Set(['complete', 'waiting', 'blocked', 'progress'])
+const VALID_ROLES = new Set(['main', 'subagent'])
+
+function normalizePath(filePath = '') {
+  return filePath ? normalize(resolve(filePath)) : ''
+}
+
+function ensureRuntimeDir() {
+  mkdirSync(dirname(TURN_STATE_PATH), { recursive: true })
+}
+
+function readStore() {
+  try {
+    return JSON.parse(readFileSync(TURN_STATE_PATH, 'utf-8'))
+  } catch {
+    return {}
+  }
+}
+
+function writeStore(store) {
+  const keys = Object.keys(store)
+  if (keys.length === 0) {
+    rmSync(TURN_STATE_PATH, { force: true })
+    return
+  }
+
+  ensureRuntimeDir()
+  writeFileSync(TURN_STATE_PATH, `${JSON.stringify(store, null, 2)}\n`, 'utf-8')
+}
+
+function getTurnStateKey(cwd = process.cwd()) {
+  return normalizePath(cwd)
+}
+
+function normalizeTurnState(input = {}) {
+  const kind = typeof input.kind === 'string' ? input.kind.trim().toLowerCase() : ''
+  const role = typeof input.role === 'string' ? input.role.trim().toLowerCase() : 'main'
+
+  return {
+    kind: VALID_KINDS.has(kind) ? kind : '',
+    role: VALID_ROLES.has(role) ? role : 'main',
+    phase: typeof input.phase === 'string' ? input.phase.trim().toLowerCase() : '',
+    source: typeof input.source === 'string' && input.source.trim() ? input.source.trim() : 'manual',
+    requiresDeliveryGate: Boolean(input.requiresDeliveryGate),
+  }
+}
+
+function pruneInvalidEntry(store, key) {
+  delete store[key]
+  writeStore(store)
+}
+
+export function clearTurnState(cwd = process.cwd()) {
+  const key = getTurnStateKey(cwd)
+  if (!key) return false
+  const store = readStore()
+  if (!(key in store)) return false
+  delete store[key]
+  writeStore(store)
+  return true
+}
+
+export function readTurnState(cwd = process.cwd(), { now = Date.now() } = {}) {
+  const key = getTurnStateKey(cwd)
+  if (!key) return null
+
+  const store = readStore()
+  const entry = store[key]
+  if (!entry?.cwd || !entry?.kind || !entry?.updatedAt) {
+    if (entry) pruneInvalidEntry(store, key)
+    return null
+  }
+
+  const updatedAt = Date.parse(entry.updatedAt)
+  if (!Number.isFinite(updatedAt) || (now - updatedAt > TURN_STATE_TTL_MS)) {
+    pruneInvalidEntry(store, key)
+    return null
+  }
+
+  const normalized = normalizeTurnState(entry)
+  if (!normalized.kind) {
+    pruneInvalidEntry(store, key)
+    return null
+  }
+
+  return {
+    cwd: normalizePath(entry.cwd),
+    updatedAt: entry.updatedAt,
+    ...normalized,
+  }
+}
+
+export function writeTurnState(cwd = process.cwd(), input = {}) {
+  const key = getTurnStateKey(cwd)
+  const normalized = normalizeTurnState(input)
+  if (!key || !normalized.kind) {
+    throw new Error('turn-state requires cwd and a valid kind')
+  }
+
+  const store = readStore()
+  const payload = {
+    cwd: key,
+    updatedAt: new Date().toISOString(),
+    ...normalized,
+  }
+  store[key] = payload
+  writeStore(store)
+
+  appendReplayEvent(cwd, {
+    event: 'turn_state_written',
+    source: normalized.source,
+    details: {
+      kind: normalized.kind,
+      role: normalized.role,
+      phase: normalized.phase,
+      requiresDeliveryGate: normalized.requiresDeliveryGate,
+    },
+  })
+
+  return payload
+}
+
+function readStdinJson() {
+  try {
+    return JSON.parse(readFileSync(0, 'utf-8'))
+  } catch {
+    return {}
+  }
+}
+
+function main() {
+  const command = process.argv[2] || ''
+  const input = readStdinJson()
+  const cwd = input.cwd || process.cwd()
+
+  if (command === 'write') {
+    const payload = writeTurnState(cwd, input)
+    process.stdout.write(JSON.stringify({
+      suppressOutput: true,
+      path: TURN_STATE_PATH,
+      payload,
+    }))
+    return
+  }
+
+  if (command === 'clear') {
+    process.stdout.write(JSON.stringify({
+      suppressOutput: true,
+      cleared: clearTurnState(cwd),
+    }))
+    return
+  }
+
+  if (command === 'read') {
+    process.stdout.write(JSON.stringify({
+      suppressOutput: true,
+      state: readTurnState(cwd),
+    }))
+  }
+}
+
+if (process.argv[1] && fileURLToPath(import.meta.url) === process.argv[1]) {
+  main()
+}

package/scripts/workflow-core.mjs

@@ -63,7 +63,7 @@ export function determineVerifyMode(plan) {
   if (plan.contractIssues.length > 0) {
     return {
       mode: 'metadata-first',
-      reason: '方案包缺少可信的结构化 contract',
+      reason: '方案包缺少可信的结构化契约',
       guidance: '验证分流：当前还不适合直接进入 reviewer / tester；先回到 ~plan / ~prd 补齐 `contract.json`，明确 `verifyMode`、`reviewerFocus` 和 `testerFocus`。',
     }
   }
@@ -73,7 +73,7 @@ export function determineVerifyMode(plan) {
     const testerFocus = plan.contract.testerFocus.join('；')
     return {
       mode: 'review-first',
-      reason: '方案 contract 已明确要求审查优先',
+      reason: '方案契约已明确要求审查优先',
       guidance: `验证分流：当前更适合审查优先；先执行 reviewer / hello-review 范围审查，再交给 tester / hello-verify 跑完整验证。${reviewerFocus ? ` reviewer 重点：${reviewerFocus}。` : ''}${testerFocus ? ` tester 重点：${testerFocus}。` : ''}`.trim(),
     }
   }
@@ -88,7 +88,7 @@ export function determineVerifyMode(plan) {
 
   return {
     mode: 'test-first',
-    reason: '方案 contract 已明确验证主路径，且任务 contract 已完整',
+    reason: '方案契约已明确验证主路径，且任务契约已完整',
     guidance: `验证分流：当前更适合测试优先；先执行 tester / hello-verify 跑完整验证，再针对失败点或关键边界补充 hello-review。${plan.contract?.testerFocus?.length ? ` tester 重点：${plan.contract.testerFocus.join('；')}。` : ''}`.trim(),
   }
 }
@@ -137,7 +137,7 @@ export function buildStateSyncHintFromSnapshot(snapshot) {
 
 export function buildStateRoleHintFromSnapshot(snapshot) {
   if (!snapshot.state.exists || snapshot.plans.length > 0) return ''
-  return '恢复约束：当前仅检测到 `.helloagents/STATE.md`；先以当前用户消息、显式命令和代码事实确认主线，STATE.md 只用于找回上次停在哪，不是当前任务的自动授权或唯一事实源。'
+  return '恢复约束：当前仅检测到 `.helloagents/STATE.md`；先以当前用户消息、显式命令和代码事实确认主线，STATE.md 只用于找回上次停在哪，不是当前任务的自动授权或唯一判断依据。'
 }
 
 export function buildUiContractHint(cwd, snapshot) {
@@ -154,10 +154,10 @@ export function buildUiContractHint(cwd, snapshot) {
 
   const extraHints = []
   if (styleAdvisorRequired) {
-    extraHints.push('若当前 UI contract 要求 style advisor，收尾前需复用 `.helloagents/.ralph-advisor.json` 留下独立复查证据')
+    extraHints.push('若当前 UI 契约要求 style advisor，收尾前需复用 `.helloagents/.ralph-advisor.json` 留下独立复查证据')
   }
   if (visualValidationRequired) {
-    extraHints.push('若当前 UI contract 要求视觉验收，收尾前需写 `.helloagents/.ralph-visual.json` 记录关键视口、状态与结论')
+    extraHints.push('若当前 UI 契约要求视觉验收，收尾前需写 `.helloagents/.ralph-visual.json` 记录关键视口、状态与结论')
   }
   return `UI 约束提示：如本次属于视觉/交互链路，设计决策优先级固定为：当前活跃 plan.md / prd/03-ui-design.md → ${describeProjectStoreFile(cwd, 'DESIGN.md')} → hello-ui。${extraHints.length > 0 ? ` ${extraHints.join('；')}。` : ''}`
 }