job-forge 2.14.28 → 2.14.30

package/.cursor/rules/main.mdc

@@ -86,18 +86,24 @@ AI-powered job search pipeline: scans portals, evaluates offers, generates CVs v
 - [D16] Treat `templates/preflight.json` as the source of truth for multi-apply dispatch safety. After candidate facts and gates are materialized from authoritative files, run `npx job-forge preflight:plan --candidates <file>` or `npx job-forge preflight:check --candidates <file>` before task dispatch; follow the emitted rounds and pre/post steps. This does not replace H2 four-source grep until those facts are materialized into the candidate JSON.
   why: `iso-preflight` is not an MCP and adds no prompt/tool-schema tokens; it turns file-backed facts, duplicate/location gates, max-two rounds, and cleanup/merge/verify steps into an executable local plan instead of repeated prose
 
+- [D17] Treat `templates/postflight.json` as the source of truth for multi-apply dispatch settlement. Save the JSON preflight plan and per-round observed dispatch/outcome/artifact records, then run `npx job-forge postflight:status --plan <plan.json> --outcomes <outcomes.json>` after each round and `npx job-forge postflight:check ...` after merge/verify. Follow its next action instead of inferring completion from subagent prose.
+  why: `iso-postflight` is not an MCP and adds no prompt/tool-schema tokens; it makes "round complete", missing TSVs, failed candidates, replacements, merge, and verify an executable local gate instead of repeated orchestration prose
+
+- [D18] Treat `templates/redact.json` as the source of truth before exporting local traces, prompts, reports, or fixtures outside the project. Use `npx job-forge redact:scan --input <file>`, `redact:apply --input <file> --output .jobforge-redacted/<file>`, or `redact:verify --input <file>` instead of hand-redacting with prose. This complements H8; it does not make it acceptable to paste secrets into prompts.
+  why: `iso-redact` is not an MCP and adds no prompt/tool-schema tokens; it gives deterministic safe-export checks whose findings do not print matched secret values
+
 ## Procedure
 
 1. Check `cv.md`, `profile.yml`, and `portals.yml`; onboard if any file is missing.
 2. Pick and name the mode from **Routing** [D6]. No match → ask; do not guess.
-3. Read the active mode file [D3]. Use context bundle checks when changing context loads [D11]. Check cached artifacts before URL/JD refetches [D12]. Use artifact index lookups before broad file reads when they can answer the question [D13]. Use canonical identity keys for duplicate checks [D15]. Use migration checks for harness drift [D14]. Decide inline vs delegated work [D1].
+3. Read the active mode file [D3]. Use context bundle checks when changing context loads [D11]. Check cached artifacts before URL/JD refetches [D12]. Use artifact index lookups before broad file reads when they can answer the question [D13]. Use canonical identity keys for duplicate checks [D15]. Use migration checks for harness drift [D14]. Use redaction checks before exporting local artifacts [D18]. Decide inline vs delegated work [D1].
 4. Prepare Geometra dispatches: cleanup [H3], canon/index/ledger prefilter when useful [D8, D13, D15], dedupe [H2], location filter [D5], materialize candidate facts/gates and run preflight plan/check [D16], routing [D2, D10], proxy prompt hygiene [H8].
-5. Dispatch at most 2 tasks per round [H1]; wait for final outcomes, not just task ids [H5b].
+5. Dispatch at most 2 tasks per round [H1]; wait for final outcomes, not just task ids [H5b], then settle the round with postflight status [D17].
 6. Keep multi-job form-filling out of the orchestrator [H4].
 7. Cross-check subagent facts against authoritative files [H7].
 8. Apply score gate [D4].
 9. Merge contract-validated TSV outcomes [H6, D9].
-10. Verify tracker before ending [H6].
+10. Verify tracker and run postflight check before ending [H6, D17].
 
 ## Routing
 

package/.opencode/skills/job-forge.md

@@ -86,6 +86,10 @@ Preflight dispatch plans (terminal, outside opencode):
   npx job-forge preflight:plan --candidates batch/preflight-candidates.json
   npx job-forge preflight:check --candidates batch/preflight-candidates.json
 
+Postflight dispatch settlement (terminal, outside opencode):
+  npx job-forge postflight:status --plan batch/preflight-plan.json --outcomes batch/postflight-outcomes.json
+  npx job-forge postflight:check --plan batch/preflight-plan.json --outcomes batch/postflight-outcomes.json
+
 Consumer migrations (terminal, outside opencode):
   npx job-forge migrate:plan           # preview package.json/.gitignore drift
   npx job-forge migrate:apply          # apply safe harness upgrade migrations
@@ -205,7 +209,7 @@ Step 4  — Materialize and check the dispatch plan
     decision.
   - Run npx job-forge preflight:check --candidates <file> to fail on missing
     sources or blocked gates, then npx job-forge preflight:plan --candidates
-    <file> to get the bounded round list.
+    <file> --json > batch/preflight-plan.json to get the bounded round list.
   - Follow the emitted rounds. Do not dispatch blocked candidates, and do not
     replace H2's four-source grep with preflight unless those grep results are
     present in the candidate JSON.
@@ -224,18 +228,24 @@ Step 5  — Loop in rounds of 2 (Hard Limit #1)
     # A returned task/session id is only a launch receipt, not completion.
     # Do not create a "check task status" task; inspect tracker files or
     # iso-trace if the user asks for status later.
-    # Read their return values, log outcomes
+    # Read their return values, log outcomes in batch/postflight-outcomes.json
+    # with candidateId, status, and a tracker-tsv artifact path for every
+    # terminal outcome.
+    npx job-forge postflight:status --plan batch/preflight-plan.json --outcomes batch/postflight-outcomes.json
+    # Follow the emitted next action before dispatching the next round.
 
-Step 5  — Between rounds: clean sessions again
+Step 6  — Between rounds: clean sessions again
   - geometra_list_sessions()
   - geometra_disconnect({ closeBrowser: true })
 
-Step 6  — After all rounds: reconcile outcomes (Hard Limit #6)
+Step 7  — After all rounds: reconcile outcomes (Hard Limit #6)
   - bash: npx job-forge merge      # consumes batch/tracker-additions/*.tsv into the day file
   - bash: npx job-forge verify     # validates URL/status consistency
+  - Add merge/verify step observations to batch/postflight-outcomes.json
+  - bash: npx job-forge postflight:check --plan batch/preflight-plan.json --outcomes batch/postflight-outcomes.json
   - Review output; if verify-pipeline reports issues, fix them before ending.
 
-Step 7  — Aggregate and report
+Step 8  — Aggregate and report
   - Summarize: applied, skipped, failed
   - Do NOT re-dispatch failed jobs automatically. Report them to the user.
 ```

package/AGENTS.md

@@ -81,18 +81,24 @@ AI-powered job search pipeline: scans portals, evaluates offers, generates CVs v
 - [D16] Treat `templates/preflight.json` as the source of truth for multi-apply dispatch safety. After candidate facts and gates are materialized from authoritative files, run `npx job-forge preflight:plan --candidates <file>` or `npx job-forge preflight:check --candidates <file>` before task dispatch; follow the emitted rounds and pre/post steps. This does not replace H2 four-source grep until those facts are materialized into the candidate JSON.
   why: `iso-preflight` is not an MCP and adds no prompt/tool-schema tokens; it turns file-backed facts, duplicate/location gates, max-two rounds, and cleanup/merge/verify steps into an executable local plan instead of repeated prose
 
+- [D17] Treat `templates/postflight.json` as the source of truth for multi-apply dispatch settlement. Save the JSON preflight plan and per-round observed dispatch/outcome/artifact records, then run `npx job-forge postflight:status --plan <plan.json> --outcomes <outcomes.json>` after each round and `npx job-forge postflight:check ...` after merge/verify. Follow its next action instead of inferring completion from subagent prose.
+  why: `iso-postflight` is not an MCP and adds no prompt/tool-schema tokens; it makes "round complete", missing TSVs, failed candidates, replacements, merge, and verify an executable local gate instead of repeated orchestration prose
+
+- [D18] Treat `templates/redact.json` as the source of truth before exporting local traces, prompts, reports, or fixtures outside the project. Use `npx job-forge redact:scan --input <file>`, `redact:apply --input <file> --output .jobforge-redacted/<file>`, or `redact:verify --input <file>` instead of hand-redacting with prose. This complements H8; it does not make it acceptable to paste secrets into prompts.
+  why: `iso-redact` is not an MCP and adds no prompt/tool-schema tokens; it gives deterministic safe-export checks whose findings do not print matched secret values
+
 ## Procedure
 
 1. Check `cv.md`, `profile.yml`, and `portals.yml`; onboard if any file is missing.
 2. Pick and name the mode from **Routing** [D6]. No match → ask; do not guess.
-3. Read the active mode file [D3]. Use context bundle checks when changing context loads [D11]. Check cached artifacts before URL/JD refetches [D12]. Use artifact index lookups before broad file reads when they can answer the question [D13]. Use canonical identity keys for duplicate checks [D15]. Use migration checks for harness drift [D14]. Decide inline vs delegated work [D1].
+3. Read the active mode file [D3]. Use context bundle checks when changing context loads [D11]. Check cached artifacts before URL/JD refetches [D12]. Use artifact index lookups before broad file reads when they can answer the question [D13]. Use canonical identity keys for duplicate checks [D15]. Use migration checks for harness drift [D14]. Use redaction checks before exporting local artifacts [D18]. Decide inline vs delegated work [D1].
 4. Prepare Geometra dispatches: cleanup [H3], canon/index/ledger prefilter when useful [D8, D13, D15], dedupe [H2], location filter [D5], materialize candidate facts/gates and run preflight plan/check [D16], routing [D2, D10], proxy prompt hygiene [H8].
-5. Dispatch at most 2 tasks per round [H1]; wait for final outcomes, not just task ids [H5b].
+5. Dispatch at most 2 tasks per round [H1]; wait for final outcomes, not just task ids [H5b], then settle the round with postflight status [D17].
 6. Keep multi-job form-filling out of the orchestrator [H4].
 7. Cross-check subagent facts against authoritative files [H7].
 8. Apply score gate [D4].
 9. Merge contract-validated TSV outcomes [H6, D9].
-10. Verify tracker before ending [H6].
+10. Verify tracker and run postflight check before ending [H6, D17].
 
 ## Routing
 

package/CLAUDE.md

@@ -81,18 +81,24 @@ AI-powered job search pipeline: scans portals, evaluates offers, generates CVs v
 - [D16] Treat `templates/preflight.json` as the source of truth for multi-apply dispatch safety. After candidate facts and gates are materialized from authoritative files, run `npx job-forge preflight:plan --candidates <file>` or `npx job-forge preflight:check --candidates <file>` before task dispatch; follow the emitted rounds and pre/post steps. This does not replace H2 four-source grep until those facts are materialized into the candidate JSON.
   why: `iso-preflight` is not an MCP and adds no prompt/tool-schema tokens; it turns file-backed facts, duplicate/location gates, max-two rounds, and cleanup/merge/verify steps into an executable local plan instead of repeated prose
 
+- [D17] Treat `templates/postflight.json` as the source of truth for multi-apply dispatch settlement. Save the JSON preflight plan and per-round observed dispatch/outcome/artifact records, then run `npx job-forge postflight:status --plan <plan.json> --outcomes <outcomes.json>` after each round and `npx job-forge postflight:check ...` after merge/verify. Follow its next action instead of inferring completion from subagent prose.
+  why: `iso-postflight` is not an MCP and adds no prompt/tool-schema tokens; it makes "round complete", missing TSVs, failed candidates, replacements, merge, and verify an executable local gate instead of repeated orchestration prose
+
+- [D18] Treat `templates/redact.json` as the source of truth before exporting local traces, prompts, reports, or fixtures outside the project. Use `npx job-forge redact:scan --input <file>`, `redact:apply --input <file> --output .jobforge-redacted/<file>`, or `redact:verify --input <file>` instead of hand-redacting with prose. This complements H8; it does not make it acceptable to paste secrets into prompts.
+  why: `iso-redact` is not an MCP and adds no prompt/tool-schema tokens; it gives deterministic safe-export checks whose findings do not print matched secret values
+
 ## Procedure
 
 1. Check `cv.md`, `profile.yml`, and `portals.yml`; onboard if any file is missing.
 2. Pick and name the mode from **Routing** [D6]. No match → ask; do not guess.
-3. Read the active mode file [D3]. Use context bundle checks when changing context loads [D11]. Check cached artifacts before URL/JD refetches [D12]. Use artifact index lookups before broad file reads when they can answer the question [D13]. Use canonical identity keys for duplicate checks [D15]. Use migration checks for harness drift [D14]. Decide inline vs delegated work [D1].
+3. Read the active mode file [D3]. Use context bundle checks when changing context loads [D11]. Check cached artifacts before URL/JD refetches [D12]. Use artifact index lookups before broad file reads when they can answer the question [D13]. Use canonical identity keys for duplicate checks [D15]. Use migration checks for harness drift [D14]. Use redaction checks before exporting local artifacts [D18]. Decide inline vs delegated work [D1].
 4. Prepare Geometra dispatches: cleanup [H3], canon/index/ledger prefilter when useful [D8, D13, D15], dedupe [H2], location filter [D5], materialize candidate facts/gates and run preflight plan/check [D16], routing [D2, D10], proxy prompt hygiene [H8].
-5. Dispatch at most 2 tasks per round [H1]; wait for final outcomes, not just task ids [H5b].
+5. Dispatch at most 2 tasks per round [H1]; wait for final outcomes, not just task ids [H5b], then settle the round with postflight status [D17].
 6. Keep multi-job form-filling out of the orchestrator [H4].
 7. Cross-check subagent facts against authoritative files [H7].
 8. Apply score gate [D4].
 9. Merge contract-validated TSV outcomes [H6, D9].
-10. Verify tracker before ending [H6].
+10. Verify tracker and run postflight check before ending [H6, D17].
 
 ## Routing
 

package/README.md

@@ -31,7 +31,7 @@ The scaffolded `opencode.json` already has three MCPs wired up — they launch a
 - **Gmail** — reads replies from recruiters
 - **state-trace** — typed working memory for cross-session context (resumed batches, recent decisions, repeated portal quirks). Install once with `python3 -m pip install "state-trace[mcp]"`; the MCP command is `state-trace-mcp`.
 
-JobForge also keeps MCP-free local workflow state: `templates/canon.json` defines URL/company/role identity keys via `@razroo/iso-canon`, `templates/contracts.json` defines tracker/apply artifact shapes via `@razroo/iso-contract`, `templates/capabilities.json` defines role capability boundaries via `@razroo/iso-capabilities`, `templates/context.json` defines deterministic mode/reference bundles via `@razroo/iso-context`, `templates/preflight.json` defines safe dispatch rounds/gates via `@razroo/iso-preflight`, `templates/migrations.json` defines safe consumer-project upgrades via `@razroo/iso-migrate`, `.jobforge-ledger/events.jsonl` records duplicate/status events via `@razroo/iso-ledger`, `.jobforge-cache/` stores reusable JD/artifact content via `@razroo/iso-cache`, and `.jobforge-index.json` indexes artifact source pointers via `@razroo/iso-index`. None of these add always-on prompt or tool-schema tokens.
+JobForge also keeps MCP-free local workflow state: `templates/canon.json` defines URL/company/role identity keys via `@razroo/iso-canon`, `templates/contracts.json` defines tracker/apply artifact shapes via `@razroo/iso-contract`, `templates/capabilities.json` defines role capability boundaries via `@razroo/iso-capabilities`, `templates/context.json` defines deterministic mode/reference bundles via `@razroo/iso-context`, `templates/preflight.json` defines safe dispatch rounds/gates via `@razroo/iso-preflight`, `templates/postflight.json` defines safe dispatch settlement via `@razroo/iso-postflight`, `templates/redact.json` defines safe-export redaction rules via `@razroo/iso-redact`, `templates/migrations.json` defines safe consumer-project upgrades via `@razroo/iso-migrate`, `.jobforge-ledger/events.jsonl` records duplicate/status events via `@razroo/iso-ledger`, `.jobforge-cache/` stores reusable JD/artifact content via `@razroo/iso-cache`, and `.jobforge-index.json` indexes artifact source pointers via `@razroo/iso-index`. None of these add always-on prompt or tool-schema tokens.
 
 `npm install` also materializes symlinks for every supported agent harness — OpenCode, Cursor, Claude Code, and Codex — so you can run `opencode`, `cursor`, `claude`, or `codex` in the same project and each picks up the shared MCP config and instructions.
 
@@ -78,7 +78,7 @@ JobForge turns opencode into a full job search command center. Instead of manual
 | **Durable Batch Orchestration** | `batch-runner.sh` uses `@razroo/iso-orchestrator` for resumable bundle execution, bounded fan-out, mutexed state writes, and workflow records in `.jobforge-runs/`. |
 | **Pipeline Integrity** | Automated merge, dedup, status normalization, health checks |
 | **Cost-Aware Agent Routing** | Three subagents (`@general-free`, `@general-paid`, `@glm-minimal`) with per-task tool surfaces. On OpenCode, JobForge pins all tiers to `opencode-go/deepseek-v4-flash` so application runs avoid overloaded free-model pools. See [Subagent Routing in AGENTS.md](AGENTS.md) for the task-to-agent mapping. |
-| **Trace + Telemetry + Guard + Contract + Canon + Ledger + Capabilities + Context + Cache + Index + Preflight + Migrate** | `job-forge trace:*` exposes local OpenCode transcripts, `job-forge telemetry:*` summarizes runs, `job-forge guard:*` audits deterministic policy rules, `templates/contracts.json` enforces artifact shape with `iso-contract`, `job-forge canon:*` derives stable URL/company/role identity keys, `job-forge ledger:*` queries append-only workflow state, `job-forge capabilities:*` checks role boundaries, `job-forge context:*` plans mode/reference context bundles, `job-forge cache:*` reuses fetched JD/artifact content, `job-forge index:*` queries compact source pointers, `job-forge preflight:*` plans bounded apply dispatch rounds from file-backed candidate facts, and `job-forge migrate:*` applies safe consumer-project upgrades without MCP/tool-schema overhead. |
+| **Trace + Telemetry + Guard + Contract + Canon + Ledger + Capabilities + Context + Cache + Index + Preflight + Postflight + Redact + Migrate** | `job-forge trace:*` exposes local OpenCode transcripts, `job-forge telemetry:*` summarizes runs, `job-forge guard:*` audits deterministic policy rules, `templates/contracts.json` enforces artifact shape with `iso-contract`, `job-forge canon:*` derives stable URL/company/role identity keys, `job-forge ledger:*` queries append-only workflow state, `job-forge capabilities:*` checks role boundaries, `job-forge context:*` plans mode/reference context bundles, `job-forge cache:*` reuses fetched JD/artifact content, `job-forge index:*` queries compact source pointers, `job-forge preflight:*` plans bounded apply dispatch rounds from file-backed candidate facts, `job-forge postflight:*` settles dispatch outcomes/artifacts/post-steps, `job-forge redact:*` sanitizes local exports, and `job-forge migrate:*` applies safe consumer-project upgrades without MCP/tool-schema overhead. |
 | **Token Cost Visibility** | `job-forge tokens --days 1` for per-session breakdown; `job-forge session-report --since-minutes 60 --log` to flag sessions over budget and append history to `data/token-usage.tsv`. Auto-logged after every batch run. |
 
 ## Usage
@@ -148,6 +148,7 @@ my-search/
 ├── .jobforge-ledger/              # append-only local workflow events (personal, gitignored)
 ├── .jobforge-cache/               # content-addressed local JD/artifact cache (personal, gitignored)
 ├── .jobforge-index.json           # deterministic artifact lookup index (generated, gitignored)
+├── .jobforge-redacted/            # sanitized local exports (generated, gitignored)
 ├── reports/                      # generated evaluation reports (personal, gitignored)
 ├── batch/{batch-input,batch-state}.tsv, tracker-additions/, logs/   # personal
 ├── .jobforge-runs/                # durable batch workflow records (generated)
@@ -164,7 +165,7 @@ my-search/
 ├── .opencode/skills/job-forge.md # → skill router
 ├── .opencode/agents/             # → @general-free, @general-paid, @glm-minimal
 ├── modes/                        # → _shared.md + skill modes
-├── templates/                    # → states.yml, portals.example.yml, cv-template.html, canon.json, capabilities.json, context.json, index.json, preflight.json, migrations.json
+├── templates/                    # → states.yml, portals.example.yml, cv-template.html, canon.json, capabilities.json, context.json, index.json, preflight.json, postflight.json, redact.json, migrations.json
 ├── batch/batch-prompt.md         # → batch worker prompt
 ├── batch/batch-runner.sh         # → parallel orchestrator
 │
@@ -190,7 +191,7 @@ JobForge/
 │   ├── sync.mjs                  # postinstall: creates symlinks in consumer project
 │   └── create-job-forge.mjs      # scaffolder
 ├── modes/                        # _shared.md + 16 skill modes
-├── templates/                    # cv-template.html, portals.example.yml, states.yml, canon.json, capabilities.json, context.json, preflight.json, migrations.json
+├── templates/                    # cv-template.html, portals.example.yml, states.yml, canon.json, capabilities.json, context.json, preflight.json, postflight.json, redact.json, migrations.json
 ├── config/profile.example.yml    # template for consumer's profile.yml
 ├── batch/{batch-prompt.md,batch-runner.sh}   # batch orchestrator
 ├── scripts/
@@ -203,6 +204,8 @@ JobForge/
 │   ├── index.mjs                 # iso-index-backed artifact lookup CLI
 │   ├── canon.mjs                 # iso-canon-backed identity normalization CLI
 │   ├── preflight.mjs             # iso-preflight-backed dispatch planning CLI
+│   ├── postflight.mjs            # iso-postflight-backed dispatch settlement CLI
+│   ├── redact.mjs                # iso-redact-backed safe-export redaction CLI
 │   ├── migrate.mjs               # iso-migrate-backed consumer-project migrations
 │   ├── token-usage-report.mjs    # opencode cost analyzer
 │   └── release/check-source.mjs  # version gate for npm publish

package/bin/create-job-forge.mjs

@@ -154,6 +154,9 @@ const consumerPkg = {
     'preflight:plan': 'job-forge preflight:plan',
     'preflight:check': 'job-forge preflight:check',
     'preflight:explain': 'job-forge preflight:explain',
+    'postflight:status': 'job-forge postflight:status',
+    'postflight:check': 'job-forge postflight:check',
+    'postflight:explain': 'job-forge postflight:explain',
     'migrate:plan': 'job-forge migrate:plan',
     'migrate:apply': 'job-forge migrate:apply',
     'migrate:check': 'job-forge migrate:check',
@@ -261,6 +264,7 @@ Before doing any work, remember where things live in *this* project:
 | Local artifact index | \`.jobforge-index.json\` | Deterministic file/line lookup; use \`job-forge index:*\` |
 | Identity canonicalization | \`templates/canon.json\` | Stable URL/company/role keys; use \`job-forge canon:*\` |
 | Dispatch preflight policy | \`templates/preflight.json\` | Safe apply rounds/gates; use \`job-forge preflight:*\` |
+| Dispatch postflight policy | \`templates/postflight.json\` | Safe apply settlement; use \`job-forge postflight:*\` |
 | Consumer migrations | \`templates/migrations.json\` | Safe script/gitignore upgrades; use \`job-forge migrate:*\` |
 | Scanner config | \`portals.yml\` (project root) | Company configs |
 | Profile / identity | \`config/profile.yml\` | Candidate name, email, target roles |
@@ -273,7 +277,7 @@ Before doing any work, remember where things live in *this* project:
 | Batch input / state | \`batch/batch-input.tsv\`, \`batch/batch-state.tsv\` | Personal data |
 | Generated reports | \`reports/{###}-{company-slug}-{YYYY-MM-DD}.md\` | Gitignored |
 | Generated PDFs | \`output/\` | Gitignored |
-| Templates | \`templates/\` (symlink) | \`cv-template.html\`, \`portals.example.yml\`, \`states.yml\` |
+| Templates | \`templates/\` (symlink) | \`cv-template.html\`, \`portals.example.yml\`, \`states.yml\`, runtime policies |
 | Harness rules | \`AGENTS.harness.md\` (symlink) | Shared operational guide, loaded via \`opencode.json:instructions\` |
 | Harness source | \`node_modules/job-forge/\` | Read this for harness internals |
 
@@ -358,6 +362,9 @@ reports/
 batch/batch-state.tsv
 batch/batch-state.tsv.bak
 batch/batch-input.tsv
+batch/preflight-candidates.json
+batch/preflight-plan.json
+batch/postflight-outcomes.json
 batch/tracker-additions/
 !batch/tracker-additions/.gitkeep
 batch/logs/
@@ -413,6 +420,7 @@ job-forge ledger:status    # local deterministic workflow ledger status
 job-forge index:status     # local artifact index status
 job-forge canon:key company-role --company "Acme, Inc." --role "Senior SWE"
 job-forge preflight:plan --candidates batch/preflight-candidates.json
+job-forge postflight:status --plan batch/preflight-plan.json --outcomes batch/postflight-outcomes.json
 job-forge migrate:check    # verify consumer package scripts/gitignore are current
 job-forge pdf cv.md out.pdf
 job-forge tokens --days 1  # per-session opencode token usage

package/bin/job-forge.mjs

@@ -27,6 +27,8 @@
  *   index:*        Query local artifacts via iso-index
  *   canon:*        Compute deterministic identity keys via iso-canon
  *   preflight:*    Plan safe dispatch rounds via iso-preflight
+ *   postflight:*   Settle dispatch outcomes via iso-postflight
+ *   redact:*       Sanitize local exports via iso-redact
  *   migrate:*      Apply deterministic consumer-project migrations via iso-migrate
  *   sync           Re-run the harness symlink sync (bin/sync.mjs)
  *   help, --help   Show this message
@@ -145,6 +147,21 @@ const preflightAliases = {
   'preflight:path': 'path',
 };
 
+const postflightAliases = {
+  'postflight:status': 'status',
+  'postflight:check': 'check',
+  'postflight:explain': 'explain',
+  'postflight:path': 'path',
+};
+
+const redactAliases = {
+  'redact:scan': 'scan',
+  'redact:verify': 'verify',
+  'redact:apply': 'apply',
+  'redact:explain': 'explain',
+  'redact:path': 'path',
+};
+
 const migrateAliases = {
   'migrate:plan': 'plan',
   'migrate:apply': 'apply',
@@ -209,6 +226,13 @@ Commands:
   preflight:plan          Build bounded dispatch plan from candidate JSON
   preflight:check         Fail if preflight candidates are blocked
   preflight:explain       Show the active preflight workflow policy
+  postflight:status       Reconcile dispatch plan, outcomes, artifacts, and post-steps
+  postflight:check        Fail unless a dispatched workflow is fully settled
+  postflight:explain      Show the active postflight workflow policy
+  redact:scan             Scan local text for sensitive values before export
+  redact:verify           Fail if local text still contains sensitive values
+  redact:apply            Write a sanitized copy of local text
+  redact:explain          Show the active redaction policy
   migrate:plan            Preview deterministic consumer-project migrations
   migrate:apply           Apply deterministic consumer-project migrations
   migrate:check           Fail if migrations are pending
@@ -255,6 +279,10 @@ Pass --help after a command to see its own flags, e.g.:
   job-forge canon:compare company "OpenAI, Inc." "Open AI"
   job-forge preflight:plan --candidates batch/preflight-candidates.json
   job-forge preflight:check --candidates batch/preflight-candidates.json
+  job-forge postflight:status --plan batch/preflight-plan.json --outcomes batch/postflight-outcomes.json
+  job-forge postflight:check --plan batch/preflight-plan.json --outcomes batch/postflight-outcomes.json
+  job-forge redact:scan --input raw-session.jsonl
+  job-forge redact:apply --input raw-session.jsonl --output .jobforge-redacted/session.jsonl
   job-forge migrate:check
   job-forge migrate:apply
 
@@ -416,6 +444,36 @@ if (cmd === 'preflight' || preflightAliases[cmd]) {
   process.exit(result.status ?? 1);
 }
 
+if (cmd === 'postflight' || postflightAliases[cmd]) {
+  const postflightArgs = cmd === 'postflight'
+    ? (rest.length === 0 ? ['help'] : rest)
+    : [postflightAliases[cmd], ...rest];
+
+  const scriptPath = join(PKG_ROOT, 'scripts/postflight.mjs');
+  const result = spawnSync(process.execPath, [scriptPath, ...postflightArgs], {
+    stdio: 'inherit',
+    cwd: PROJECT_DIR,
+    env: process.env,
+  });
+
+  process.exit(result.status ?? 1);
+}
+
+if (cmd === 'redact' || redactAliases[cmd]) {
+  const redactArgs = cmd === 'redact'
+    ? (rest.length === 0 ? ['help'] : rest)
+    : [redactAliases[cmd], ...rest];
+
+  const scriptPath = join(PKG_ROOT, 'scripts/redact.mjs');
+  const result = spawnSync(process.execPath, [scriptPath, ...redactArgs], {
+    stdio: 'inherit',
+    cwd: PROJECT_DIR,
+    env: process.env,
+  });
+
+  process.exit(result.status ?? 1);
+}
+
 if (cmd === 'migrate' || migrateAliases[cmd]) {
   const migrateArgs = cmd === 'migrate'
     ? (rest.length === 0 ? ['help'] : rest)

package/docs/ARCHITECTURE.md

@@ -32,7 +32,7 @@ my-search/
 ├── .opencode/skills/job-forge.md     # → skill router
 ├── .opencode/agents/                 # → @general-free, @general-paid, @glm-minimal
 ├── modes/                            # → mode files
-├── templates/                        # → states.yml, portals.example.yml, cv-template.html, preflight.json
+├── templates/                        # → states.yml, portals.example.yml, cv-template.html, preflight.json, postflight.json
 ├── batch/batch-prompt.md             # → batch worker prompt
 ├── batch/batch-runner.sh             # → parallel orchestrator
 └── node_modules/job-forge/           # harness, installed from npm
@@ -167,6 +167,7 @@ templates/states.yml     →  Canonical status values
 templates/canon.json      →  Canonical URL/company/role identity keys
 templates/context.json    →  Deterministic mode/reference context bundle policy
 templates/preflight.json  →  Safe apply dispatch rounds/gates policy
+templates/postflight.json →  Safe apply dispatch settlement policy
 templates/migrations.json → Safe consumer-project upgrade policy
 templates/cv-template.html → PDF generation template
 examples/*.md            →  Fictional layouts only (not read by scripts; see examples/README.md)
@@ -183,6 +184,7 @@ Create `data/pipeline.md` when you start using the URL inbox (`/job-forge pipeli
 - Index: `.jobforge-index.json` (created on demand by `job-forge index:*`; gitignored local lookup state)
 - Canon: `templates/canon.json` (identity rules inspected with `job-forge canon:*`)
 - Preflight: `templates/preflight.json` (dispatch rounds/gates inspected with `job-forge preflight:*`)
+- Postflight: `templates/postflight.json` (dispatch outcomes/artifacts/post-steps inspected with `job-forge postflight:*`)
 - Migrations: `templates/migrations.json` (applied by `job-forge sync` and inspectable with `job-forge migrate:*`)
 - Capabilities: `templates/capabilities.json` (role boundary policy inspected with `job-forge capabilities:*`)
 - Context: `templates/context.json` (mode/reference file bundles inspected with `job-forge context:*`)
@@ -232,6 +234,8 @@ Scripts maintain data consistency. In a consumer project they're invoked via the
 | `scripts/canon.mjs` | `npx job-forge canon:normalize` / `canon:key` / `canon:compare` | Deterministic `@razroo/iso-canon` identity normalization for URLs, companies, roles, and company+role pairs |
 | `scripts/context.mjs` | `npx job-forge context:list` / `context:plan` / `context:check` / `context:render` | Deterministic `@razroo/iso-context` mode/reference context bundle planning and rendering |
 | `scripts/preflight.mjs` | `npx job-forge preflight:plan` / `preflight:check` / `preflight:explain` | Deterministic `@razroo/iso-preflight` dispatch planning for file-backed candidate facts and gates |
+| `scripts/postflight.mjs` | `npx job-forge postflight:status` / `postflight:check` / `postflight:explain` | Deterministic `@razroo/iso-postflight` settlement for dispatch outcomes, required tracker TSV artifacts, and merge/verify post-steps |
+| `scripts/redact.mjs` | `npx job-forge redact:scan` / `redact:apply` / `redact:verify` | Deterministic `@razroo/iso-redact` safe-export scanning and sanitization for traces, prompts, reports, and fixtures |
 | `scripts/migrate.mjs` | `npx job-forge migrate:plan` / `migrate:apply` / `migrate:check` | Deterministic `@razroo/iso-migrate` consumer-project upgrades for scripts and generated-artifact ignores |
 | `tracker-lib.mjs` | _(library)_ | Shared helpers for reading/writing day-based tracker files — imported by merge/dedup/verify/normalize |
 | `bin/sync.mjs` | `npx job-forge sync` | Creates the harness symlinks in a consumer project and applies safe migrations (also runs as `postinstall`) |

package/docs/CUSTOMIZATION.md

@@ -162,6 +162,14 @@ URL, company, role, and company+role identity rules live in `templates/canon.jso
 
 Application dispatch policy lives in `templates/preflight.json` and is planned locally by `@razroo/iso-preflight`. After candidate facts and gate results have been materialized into JSON, use `job-forge preflight:plan --candidates <file>` to get bounded rounds and required pre/post steps, or `job-forge preflight:check --candidates <file>` to fail on missing source facts or blocked gates. This is not an MCP and does not add prompt or tool-schema tokens; it consumes only the candidate JSON you deliberately pass to it.
 
+## JobForge postflight settlement
+
+Application settlement policy lives in `templates/postflight.json` and is checked locally by `@razroo/iso-postflight`. After each dispatch round, record observed candidate outcomes and tracker TSV artifact paths in `batch/postflight-outcomes.json`, then run `job-forge postflight:status --plan batch/preflight-plan.json --outcomes batch/postflight-outcomes.json` to get the next safe action. After `merge` and `verify`, add post-step observations and run `job-forge postflight:check ...` to fail unless the workflow is complete. This is not an MCP and does not add prompt or tool-schema tokens.
+
+## JobForge redaction policy
+
+Safe-export redaction rules live in `templates/redact.json` and are enforced locally by `@razroo/iso-redact`. Use `job-forge redact:scan --input <file>` before sharing traces, prompts, reports, or fixtures outside the project, `job-forge redact:apply --input <file> --output .jobforge-redacted/<file>` to write a sanitized copy, and `job-forge redact:verify --input <file>` to fail if secrets or configured PII remain. Findings never print matched values. This is not an MCP and does not add prompt or tool-schema tokens.
+
 ## JobForge consumer migrations
 
 Consumer-project migrations live in `templates/migrations.json` and are applied locally by `@razroo/iso-migrate`. `job-forge sync` applies safe migrations automatically after refreshing symlinks; use `JOB_FORGE_SKIP_MIGRATIONS=1` to opt out. Use `job-forge migrate:plan`, `job-forge migrate:apply`, and `job-forge migrate:check` to inspect or enforce script/gitignore drift explicitly. This is not an MCP and does not add prompt or tool-schema tokens.

package/docs/README.md

@@ -31,7 +31,7 @@ The harness exposes a single CLI (`job-forge`) installed as a `bin` entry. In a
 
 | What you need | Where to read |
 |---------------|---------------|
-| Full command list (`verify`, `merge`, `dedup`, `normalize`, `pdf`, `sync-check`, `tokens`, `trace`, `telemetry`, `guard`, `ledger`, `canon`, `context`, `preflight`, `sync`). | [SETUP.md — Tracker and scripts (terminal)](SETUP.md#tracker-and-scripts-terminal). |
+| Full command list (`verify`, `merge`, `dedup`, `normalize`, `pdf`, `sync-check`, `tokens`, `trace`, `telemetry`, `guard`, `ledger`, `canon`, `context`, `preflight`, `postflight`, `redact`, `sync`). | [SETUP.md — Tracker and scripts (terminal)](SETUP.md#tracker-and-scripts-terminal). |
 | What each harness `.mjs` script does. | [ARCHITECTURE.md — Pipeline integrity](ARCHITECTURE.md#pipeline-integrity) and the scripts table underneath. |
 | Batch runner, TSV layout, and `batch/tracker-additions/` merge flow. | [batch/README.md](../batch/README.md). |
 | PR gate for harness contributions (`npm run verify` + `npm run build:dashboard`). | [CONTRIBUTING.md — Development](../CONTRIBUTING.md#development). |

package/docs/SETUP.md

@@ -134,6 +134,10 @@ From your project root, these commands maintain the tracker and pipeline checks.
 | Inspect local artifact index | `npx job-forge index:status` | `npm run index:status` |
 | Plan safe application dispatch rounds | `npx job-forge preflight:plan --candidates batch/preflight-candidates.json` | `npm run preflight:plan -- --candidates ...` |
 | Fail on blocked preflight candidates | `npx job-forge preflight:check --candidates batch/preflight-candidates.json` | `npm run preflight:check -- --candidates ...` |
+| Settle dispatch outcomes after a round | `npx job-forge postflight:status --plan batch/preflight-plan.json --outcomes batch/postflight-outcomes.json` | `npm run postflight:status -- --plan ... --outcomes ...` |
+| Fail unless dispatch outcomes and post-steps are complete | `npx job-forge postflight:check --plan batch/preflight-plan.json --outcomes batch/postflight-outcomes.json` | `npm run postflight:check -- --plan ... --outcomes ...` |
+| Sanitize local text before exporting it | `npx job-forge redact:apply --input raw-session.jsonl --output .jobforge-redacted/session.jsonl` | `npm run redact:apply -- --input ... --output ...` |
+| Verify local text is safe to export | `npx job-forge redact:verify --input .jobforge-redacted/session.jsonl` | `npm run redact:verify -- --input ...` |
 | Inspect pending consumer migrations | `npx job-forge migrate:plan` | `npm run migrate:plan` |
 | Map status column to canonical labels | `npx job-forge normalize` | `npm run normalize` |
 | Merge duplicate company/role rows | `npx job-forge dedup` | `npm run dedup` |

package/iso/commands/job-forge.md

@@ -89,6 +89,10 @@ Preflight dispatch plans (terminal, outside opencode):
   npx job-forge preflight:plan --candidates batch/preflight-candidates.json
   npx job-forge preflight:check --candidates batch/preflight-candidates.json
 
+Postflight dispatch settlement (terminal, outside opencode):
+  npx job-forge postflight:status --plan batch/preflight-plan.json --outcomes batch/postflight-outcomes.json
+  npx job-forge postflight:check --plan batch/preflight-plan.json --outcomes batch/postflight-outcomes.json
+
 Consumer migrations (terminal, outside opencode):
   npx job-forge migrate:plan           # preview package.json/.gitignore drift
   npx job-forge migrate:apply          # apply safe harness upgrade migrations
@@ -208,7 +212,7 @@ Step 4  — Materialize and check the dispatch plan
     decision.
   - Run npx job-forge preflight:check --candidates <file> to fail on missing
     sources or blocked gates, then npx job-forge preflight:plan --candidates
-    <file> to get the bounded round list.
+    <file> --json > batch/preflight-plan.json to get the bounded round list.
   - Follow the emitted rounds. Do not dispatch blocked candidates, and do not
     replace H2's four-source grep with preflight unless those grep results are
     present in the candidate JSON.
@@ -227,18 +231,24 @@ Step 5  — Loop in rounds of 2 (Hard Limit #1)
     # A returned task/session id is only a launch receipt, not completion.
     # Do not create a "check task status" task; inspect tracker files or
     # iso-trace if the user asks for status later.
-    # Read their return values, log outcomes
+    # Read their return values, log outcomes in batch/postflight-outcomes.json
+    # with candidateId, status, and a tracker-tsv artifact path for every
+    # terminal outcome.
+    npx job-forge postflight:status --plan batch/preflight-plan.json --outcomes batch/postflight-outcomes.json
+    # Follow the emitted next action before dispatching the next round.
 
-Step 5  — Between rounds: clean sessions again
+Step 6  — Between rounds: clean sessions again
   - geometra_list_sessions()
   - geometra_disconnect({ closeBrowser: true })
 
-Step 6  — After all rounds: reconcile outcomes (Hard Limit #6)
+Step 7  — After all rounds: reconcile outcomes (Hard Limit #6)
   - bash: npx job-forge merge      # consumes batch/tracker-additions/*.tsv into the day file
   - bash: npx job-forge verify     # validates URL/status consistency
+  - Add merge/verify step observations to batch/postflight-outcomes.json
+  - bash: npx job-forge postflight:check --plan batch/preflight-plan.json --outcomes batch/postflight-outcomes.json
   - Review output; if verify-pipeline reports issues, fix them before ending.
 
-Step 7  — Aggregate and report
+Step 8  — Aggregate and report
   - Summarize: applied, skipped, failed
   - Do NOT re-dispatch failed jobs automatically. Report them to the user.
 ```

package/iso/instructions.md

@@ -81,18 +81,24 @@ AI-powered job search pipeline: scans portals, evaluates offers, generates CVs v
 - [D16] Treat `templates/preflight.json` as the source of truth for multi-apply dispatch safety. After candidate facts and gates are materialized from authoritative files, run `npx job-forge preflight:plan --candidates <file>` or `npx job-forge preflight:check --candidates <file>` before task dispatch; follow the emitted rounds and pre/post steps. This does not replace H2 four-source grep until those facts are materialized into the candidate JSON.
   why: `iso-preflight` is not an MCP and adds no prompt/tool-schema tokens; it turns file-backed facts, duplicate/location gates, max-two rounds, and cleanup/merge/verify steps into an executable local plan instead of repeated prose
 
+- [D17] Treat `templates/postflight.json` as the source of truth for multi-apply dispatch settlement. Save the JSON preflight plan and per-round observed dispatch/outcome/artifact records, then run `npx job-forge postflight:status --plan <plan.json> --outcomes <outcomes.json>` after each round and `npx job-forge postflight:check ...` after merge/verify. Follow its next action instead of inferring completion from subagent prose.
+  why: `iso-postflight` is not an MCP and adds no prompt/tool-schema tokens; it makes "round complete", missing TSVs, failed candidates, replacements, merge, and verify an executable local gate instead of repeated orchestration prose
+
+- [D18] Treat `templates/redact.json` as the source of truth before exporting local traces, prompts, reports, or fixtures outside the project. Use `npx job-forge redact:scan --input <file>`, `redact:apply --input <file> --output .jobforge-redacted/<file>`, or `redact:verify --input <file>` instead of hand-redacting with prose. This complements H8; it does not make it acceptable to paste secrets into prompts.
+  why: `iso-redact` is not an MCP and adds no prompt/tool-schema tokens; it gives deterministic safe-export checks whose findings do not print matched secret values
+
 ## Procedure
 
 1. Check `cv.md`, `profile.yml`, and `portals.yml`; onboard if any file is missing.
 2. Pick and name the mode from **Routing** [D6]. No match → ask; do not guess.
-3. Read the active mode file [D3]. Use context bundle checks when changing context loads [D11]. Check cached artifacts before URL/JD refetches [D12]. Use artifact index lookups before broad file reads when they can answer the question [D13]. Use canonical identity keys for duplicate checks [D15]. Use migration checks for harness drift [D14]. Decide inline vs delegated work [D1].
+3. Read the active mode file [D3]. Use context bundle checks when changing context loads [D11]. Check cached artifacts before URL/JD refetches [D12]. Use artifact index lookups before broad file reads when they can answer the question [D13]. Use canonical identity keys for duplicate checks [D15]. Use migration checks for harness drift [D14]. Use redaction checks before exporting local artifacts [D18]. Decide inline vs delegated work [D1].
 4. Prepare Geometra dispatches: cleanup [H3], canon/index/ledger prefilter when useful [D8, D13, D15], dedupe [H2], location filter [D5], materialize candidate facts/gates and run preflight plan/check [D16], routing [D2, D10], proxy prompt hygiene [H8].
-5. Dispatch at most 2 tasks per round [H1]; wait for final outcomes, not just task ids [H5b].
+5. Dispatch at most 2 tasks per round [H1]; wait for final outcomes, not just task ids [H5b], then settle the round with postflight status [D17].
 6. Keep multi-job form-filling out of the orchestrator [H4].
 7. Cross-check subagent facts against authoritative files [H7].
 8. Apply score gate [D4].
 9. Merge contract-validated TSV outcomes [H6, D9].
-10. Verify tracker before ending [H6].
+10. Verify tracker and run postflight check before ending [H6, D17].
 
 ## Routing
 

package/lib/jobforge-postflight.mjs

@@ -0,0 +1,29 @@
+import { readFileSync } from 'fs';
+import { join } from 'path';
+import {
+  loadPostflightConfig,
+  parseJson,
+  settlePostflight,
+} from '@razroo/iso-postflight';
+
+export const POSTFLIGHT_CONFIG_FILE = 'templates/postflight.json';
+export const POSTFLIGHT_WORKFLOW = 'jobforge.apply';
+
+export function resolveProjectDir(projectDir = process.env.JOB_FORGE_PROJECT || process.cwd()) {
+  return projectDir;
+}
+
+export function jobForgePostflightConfigPath(projectDir = resolveProjectDir()) {
+  return process.env.JOB_FORGE_POSTFLIGHT_CONFIG || join(projectDir, POSTFLIGHT_CONFIG_FILE);
+}
+
+export function readJobForgePostflightConfig(projectDir = resolveProjectDir()) {
+  const path = jobForgePostflightConfigPath(projectDir);
+  return loadPostflightConfig(parseJson(readFileSync(path, 'utf8'), path));
+}
+
+export function settleJobForgePostflight(planInput, observationsInput, options = {}, projectDir = resolveProjectDir()) {
+  return settlePostflight(readJobForgePostflightConfig(projectDir), planInput, observationsInput, {
+    workflow: options.workflow || POSTFLIGHT_WORKFLOW,
+  });
+}

package/lib/jobforge-redact.mjs

@@ -0,0 +1,25 @@
+import { existsSync, readFileSync } from 'fs';
+import { join } from 'path';
+import {
+  loadRedactConfig,
+  parseJson,
+} from '@razroo/iso-redact';
+
+export const REDACT_CONFIG_FILE = 'templates/redact.json';
+
+export function resolveProjectDir(projectDir = process.env.JOB_FORGE_PROJECT || process.cwd()) {
+  return projectDir;
+}
+
+export function jobForgeRedactConfigPath(projectDir = resolveProjectDir()) {
+  return process.env.JOB_FORGE_REDACT_CONFIG || join(projectDir, REDACT_CONFIG_FILE);
+}
+
+export function redactConfigExists(projectDir = resolveProjectDir()) {
+  return existsSync(jobForgeRedactConfigPath(projectDir));
+}
+
+export function readJobForgeRedactConfig(projectDir = resolveProjectDir()) {
+  const path = jobForgeRedactConfigPath(projectDir);
+  return loadRedactConfig(parseJson(readFileSync(path, 'utf8'), path));
+}

package/modes/apply.md

@@ -188,11 +188,18 @@ Step 4  — For round in ceil(N/2):
             task(apply to pair[1])  # only if pair has 2
             # WAIT for both final outcomes. A session id is not completion.
             # Do not dispatch round N+1 while round N is still in flight.
-Step 5  — Between rounds: geometra_list_sessions() + geometra_disconnect({closeBrowser: true})
-Step 6  — Reconcile outcomes (Hard Limit #6):
+Step 5  — After each round:
+            write/update batch/postflight-outcomes.json with candidateId, status,
+            and tracker-tsv artifact path for every terminal outcome.
+            bash: npx job-forge postflight:status --plan batch/preflight-plan.json --outcomes batch/postflight-outcomes.json
+            follow the emitted next action before the next dispatch.
+Step 6  — Between rounds: geometra_list_sessions() + geometra_disconnect({closeBrowser: true})
+Step 7  — Reconcile outcomes (Hard Limit #6):
             bash: npx job-forge merge       # TSVs → day file
             bash: npx job-forge verify      # validate
-Step 7  — Summarize outcomes; do NOT auto-retry failures.
+            add merge/verify step observations to batch/postflight-outcomes.json
+            bash: npx job-forge postflight:check --plan batch/preflight-plan.json --outcomes batch/postflight-outcomes.json
+Step 8  — Summarize outcomes; do NOT auto-retry failures.
 ```
 
 If a subagent fails, report it in the summary and let the user decide whether to retry. Never auto-retry — re-running a submit step risks duplicate applications. If a subagent returns SKIP because it discovered a duplicate, treat that as a missed preflight check: finish the current round, then choose a replacement candidate only after re-running dedupe against all four sources.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "job-forge",
-  "version": "2.14.28",
+  "version": "2.14.30",
   "description": "AI-powered job search pipeline built on opencode",
   "type": "module",
   "bin": {
@@ -62,6 +62,13 @@
     "preflight:plan": "node bin/job-forge.mjs preflight:plan",
     "preflight:check": "node bin/job-forge.mjs preflight:check",
     "preflight:explain": "node bin/job-forge.mjs preflight:explain",
+    "postflight:status": "node bin/job-forge.mjs postflight:status",
+    "postflight:check": "node bin/job-forge.mjs postflight:check",
+    "postflight:explain": "node bin/job-forge.mjs postflight:explain",
+    "redact:scan": "node bin/job-forge.mjs redact:scan",
+    "redact:verify": "node bin/job-forge.mjs redact:verify",
+    "redact:apply": "node bin/job-forge.mjs redact:apply",
+    "redact:explain": "node bin/job-forge.mjs redact:explain",
     "migrate:plan": "node bin/job-forge.mjs migrate:plan",
     "migrate:apply": "node bin/job-forge.mjs migrate:apply",
     "migrate:check": "node bin/job-forge.mjs migrate:check",
@@ -132,9 +139,9 @@
     "node": ">=20.6.0"
   },
   "dependencies": {
-    "@razroo/iso-capabilities": "^0.1.0",
     "@razroo/iso-cache": "^0.1.0",
     "@razroo/iso-canon": "^0.1.0",
+    "@razroo/iso-capabilities": "^0.1.0",
     "@razroo/iso-context": "^0.1.0",
     "@razroo/iso-contract": "^0.1.0",
     "@razroo/iso-guard": "^0.1.0",
@@ -142,7 +149,9 @@
     "@razroo/iso-ledger": "^0.1.0",
     "@razroo/iso-migrate": "^0.1.0",
     "@razroo/iso-orchestrator": "^0.1.0",
+    "@razroo/iso-postflight": "^0.1.0",
     "@razroo/iso-preflight": "^0.1.0",
+    "@razroo/iso-redact": "^0.1.0",
     "@razroo/iso-trace": "^0.4.0",
     "playwright": "^1.58.1"
   },

package/scripts/postflight.mjs

@@ -0,0 +1,151 @@
+#!/usr/bin/env node
+
+import { readFileSync } from 'fs';
+import { isAbsolute, relative, resolve } from 'path';
+import {
+  formatConfigSummary,
+  formatPostflightResult,
+  loadPostflightConfig,
+  parseJson,
+  settlePostflight,
+} from '@razroo/iso-postflight';
+import { PROJECT_DIR } from '../tracker-lib.mjs';
+import {
+  jobForgePostflightConfigPath,
+  readJobForgePostflightConfig,
+  settleJobForgePostflight,
+} from '../lib/jobforge-postflight.mjs';
+
+const USAGE = `job-forge postflight - deterministic dispatch settlement for JobForge
+
+Usage:
+  job-forge postflight:status --plan <file> --outcomes <file> [--workflow jobforge.apply] [--json]
+  job-forge postflight:check --plan <file> --outcomes <file> [--workflow jobforge.apply] [--json]
+  job-forge postflight:explain [--json]
+  job-forge postflight:path
+
+Plan files are JSON objects with rounds, such as the JSON output from
+job-forge preflight:plan. Outcome files are JSON objects with dispatches,
+outcomes, and post-step observations. The policy is templates/postflight.json.
+This is local project state, not an MCP and not prompt context.`;
+
+const [cmd = 'help', ...rawArgs] = process.argv.slice(2);
+const opts = parseArgs(rawArgs);
+
+if (opts.help || cmd === 'help' || cmd === '--help' || cmd === '-h') {
+  console.log(USAGE);
+  process.exit(0);
+}
+
+try {
+  if (cmd === 'path') {
+    console.log(configPath(opts));
+  } else if (cmd === 'status' || cmd === 'check') {
+    runSettlement(cmd, opts);
+  } else if (cmd === 'explain') {
+    explain(opts);
+  } else {
+    console.error(`unknown postflight command "${cmd}"\n`);
+    console.error(USAGE);
+    process.exit(2);
+  }
+} catch (error) {
+  console.error(error instanceof Error ? error.message : String(error));
+  process.exit(1);
+}
+
+function parseArgs(args) {
+  const opts = {
+    json: false,
+    help: false,
+  };
+
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i];
+    if (arg === '--json') {
+      opts.json = true;
+    } else if (arg === '--plan' || arg === '-p') {
+      opts.plan = valueAfter(args, ++i, arg);
+    } else if (arg.startsWith('--plan=')) {
+      opts.plan = arg.slice('--plan='.length);
+    } else if (arg === '--outcomes' || arg === '--observations' || arg === '-o') {
+      opts.outcomes = valueAfter(args, ++i, arg);
+    } else if (arg.startsWith('--outcomes=')) {
+      opts.outcomes = arg.slice('--outcomes='.length);
+    } else if (arg.startsWith('--observations=')) {
+      opts.outcomes = arg.slice('--observations='.length);
+    } else if (arg === '--workflow') {
+      opts.workflow = valueAfter(args, ++i, '--workflow');
+    } else if (arg.startsWith('--workflow=')) {
+      opts.workflow = arg.slice('--workflow='.length);
+    } else if (arg === '--config') {
+      opts.config = valueAfter(args, ++i, '--config');
+    } else if (arg.startsWith('--config=')) {
+      opts.config = arg.slice('--config='.length);
+    } else if (arg === '--help' || arg === '-h') {
+      opts.help = true;
+    } else {
+      throw new Error(`unknown flag "${arg}"`);
+    }
+  }
+
+  return opts;
+}
+
+function runSettlement(mode, opts) {
+  if (!opts.plan) throw new Error(`${mode} requires --plan <file>`);
+  if (!opts.outcomes) throw new Error(`${mode} requires --outcomes <file>`);
+  const plan = readJsonFile(resolveInputPath(opts.plan));
+  const observations = readJsonFile(resolveInputPath(opts.outcomes));
+  const result = opts.config
+    ? settlePostflight(readConfig(opts), plan, observations, { workflow: opts.workflow })
+    : settleJobForgePostflight(plan, observations, { workflow: opts.workflow }, PROJECT_DIR);
+
+  if (opts.json) {
+    console.log(JSON.stringify(result, null, 2));
+  } else {
+    console.log(formatPostflightResult(result, mode));
+  }
+
+  if (mode === 'check' && !result.ok) process.exit(1);
+}
+
+function explain(opts) {
+  const config = readConfig(opts);
+  if (opts.json) {
+    console.log(JSON.stringify(config, null, 2));
+    return;
+  }
+  console.log(`config: ${relativePath(configPath(opts))}`);
+  console.log(formatConfigSummary(config));
+}
+
+function readConfig(opts) {
+  if (opts.config) {
+    const path = resolveInputPath(opts.config);
+    return loadPostflightConfig(readJsonFile(path));
+  }
+  return readJobForgePostflightConfig(PROJECT_DIR);
+}
+
+function configPath(opts) {
+  return opts.config ? resolveInputPath(opts.config) : jobForgePostflightConfigPath(PROJECT_DIR);
+}
+
+function readJsonFile(path) {
+  return parseJson(readFileSync(path, 'utf8'), path);
+}
+
+function valueAfter(values, index, flag) {
+  const value = values[index];
+  if (!value || value.startsWith('--')) throw new Error(`${flag} requires a value`);
+  return value;
+}
+
+function resolveInputPath(path) {
+  return isAbsolute(path) ? path : resolve(PROJECT_DIR, path);
+}
+
+function relativePath(path) {
+  return relative(PROJECT_DIR, path) || '.';
+}

package/scripts/redact.mjs

@@ -0,0 +1,180 @@
+#!/usr/bin/env node
+
+import { mkdirSync, readFileSync, writeFileSync } from 'fs';
+import { dirname, isAbsolute, relative, resolve } from 'path';
+import {
+  formatConfigSummary,
+  formatScanResult,
+  loadRedactConfig,
+  parseJson,
+  redactText,
+  scanSources,
+} from '@razroo/iso-redact';
+import { PROJECT_DIR } from '../tracker-lib.mjs';
+import {
+  jobForgeRedactConfigPath,
+  readJobForgeRedactConfig,
+} from '../lib/jobforge-redact.mjs';
+
+const USAGE = `job-forge redact - deterministic local redaction for exports
+
+Usage:
+  job-forge redact:scan   [--input <file> ...] [--stdin] [--config <file>] [--json]
+  job-forge redact:verify [--input <file> ...] [--stdin] [--config <file>] [--json]
+  job-forge redact:apply  (--input <file> | --stdin) [--output <file>] [--config <file>] [--json]
+  job-forge redact:explain [--config <file>] [--json]
+  job-forge redact:path
+
+Default policy is templates/redact.json. Findings never print matched values;
+previews are redacted length markers. Use apply to write a sanitized copy
+before exporting traces, prompts, reports, or fixture text.`;
+
+const [cmd = 'help', ...rawArgs] = process.argv.slice(2);
+const opts = parseArgs(rawArgs);
+
+if (opts.help || cmd === 'help' || cmd === '--help' || cmd === '-h') {
+  console.log(USAGE);
+  process.exit(0);
+}
+
+try {
+  if (cmd === 'path') {
+    console.log(configPath(opts));
+  } else if (cmd === 'scan' || cmd === 'verify') {
+    scan(cmd, opts);
+  } else if (cmd === 'apply') {
+    apply(opts);
+  } else if (cmd === 'explain') {
+    explain(opts);
+  } else {
+    console.error(`unknown redact command "${cmd}"\n`);
+    console.error(USAGE);
+    process.exit(2);
+  }
+} catch (error) {
+  console.error(error instanceof Error ? error.message : String(error));
+  process.exit(1);
+}
+
+function parseArgs(args) {
+  const opts = {
+    inputs: [],
+    stdin: false,
+    json: false,
+    help: false,
+  };
+
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i];
+    if (arg === '--json') {
+      opts.json = true;
+    } else if (arg === '--input' || arg === '-i') {
+      opts.inputs.push(valueAfter(args, ++i, arg));
+    } else if (arg.startsWith('--input=')) {
+      opts.inputs.push(arg.slice('--input='.length));
+    } else if (arg === '--stdin') {
+      opts.stdin = true;
+    } else if (arg === '--output' || arg === '-o') {
+      opts.output = valueAfter(args, ++i, arg);
+    } else if (arg.startsWith('--output=')) {
+      opts.output = arg.slice('--output='.length);
+    } else if (arg === '--config' || arg === '-c') {
+      opts.config = valueAfter(args, ++i, arg);
+    } else if (arg.startsWith('--config=')) {
+      opts.config = arg.slice('--config='.length);
+    } else if (arg === '--help' || arg === '-h') {
+      opts.help = true;
+    } else if (arg.startsWith('--')) {
+      throw new Error(`unknown flag "${arg}"`);
+    } else {
+      opts.inputs.push(arg);
+    }
+  }
+
+  return opts;
+}
+
+function valueAfter(values, index, flag) {
+  const value = values[index];
+  if (!value || value.startsWith('--')) throw new Error(`${flag} requires a value`);
+  return value;
+}
+
+function scan(mode, opts) {
+  const sources = readSources(opts);
+  if (sources.length === 0) throw new Error(`${mode} requires at least one --input or --stdin source`);
+  const result = scanSources(readConfig(opts), sources);
+  if (opts.json) {
+    console.log(JSON.stringify(result, null, 2));
+  } else {
+    console.log(formatScanResult(result, mode));
+  }
+  if (mode === 'verify' && !result.ok) process.exit(1);
+}
+
+function apply(opts) {
+  const sources = readSources(opts);
+  if (sources.length !== 1) throw new Error('apply requires exactly one --input or --stdin source');
+  const source = sources[0];
+  const result = redactText(readConfig(opts), source.text, { source: source.name });
+  if (opts.output) {
+    const output = resolveOutputPath(opts.output);
+    mkdirSync(dirname(output), { recursive: true });
+    writeFileSync(output, result.text, 'utf8');
+    if (opts.json) {
+      console.log(JSON.stringify({ ...result, text: undefined, output }, null, 2));
+    } else {
+      console.log(`iso-redact: wrote ${relativePath(output)} (${result.findings.length} finding(s) redacted)`);
+    }
+  } else if (opts.json) {
+    console.log(JSON.stringify(result, null, 2));
+  } else {
+    process.stdout.write(result.text);
+  }
+}
+
+function explain(opts) {
+  const config = readConfig(opts);
+  if (opts.json) {
+    console.log(JSON.stringify(config, null, 2));
+    return;
+  }
+  console.log(`config: ${relativePath(configPath(opts))}`);
+  console.log(formatConfigSummary(config));
+}
+
+function readSources(opts) {
+  const sources = opts.inputs.map((input) => {
+    const path = resolveInputPath(input);
+    return {
+      name: relativePath(path),
+      text: readFileSync(path, 'utf8'),
+    };
+  });
+  if (opts.stdin) sources.push({ name: '<stdin>', text: readFileSync(0, 'utf8') });
+  return sources;
+}
+
+function readConfig(opts) {
+  if (opts.config) {
+    const path = resolveInputPath(opts.config);
+    return loadRedactConfig(parseJson(readFileSync(path, 'utf8'), path));
+  }
+  return readJobForgeRedactConfig(PROJECT_DIR);
+}
+
+function configPath(opts) {
+  return opts.config ? resolveInputPath(opts.config) : jobForgeRedactConfigPath(PROJECT_DIR);
+}
+
+function resolveInputPath(path) {
+  return isAbsolute(path) ? path : resolve(PROJECT_DIR, path);
+}
+
+function resolveOutputPath(path) {
+  return isAbsolute(path) ? path : resolve(PROJECT_DIR, path);
+}
+
+function relativePath(path) {
+  return relative(PROJECT_DIR, path) || '.';
+}

package/templates/migrations.json

@@ -40,6 +40,13 @@
             "preflight:plan": "job-forge preflight:plan",
             "preflight:check": "job-forge preflight:check",
             "preflight:explain": "job-forge preflight:explain",
+            "postflight:status": "job-forge postflight:status",
+            "postflight:check": "job-forge postflight:check",
+            "postflight:explain": "job-forge postflight:explain",
+            "redact:scan": "job-forge redact:scan",
+            "redact:verify": "job-forge redact:verify",
+            "redact:apply": "job-forge redact:apply",
+            "redact:explain": "job-forge redact:explain",
             "migrate:plan": "job-forge migrate:plan",
             "migrate:apply": "job-forge migrate:apply",
             "migrate:check": "job-forge migrate:check",
@@ -61,7 +68,11 @@
             ".jobforge-runs/",
             ".jobforge-ledger/",
             ".jobforge-cache/",
-            ".jobforge-index.json"
+            ".jobforge-index.json",
+            ".jobforge-redacted/",
+            "batch/preflight-candidates.json",
+            "batch/preflight-plan.json",
+            "batch/postflight-outcomes.json"
           ]
         }
       ]

package/templates/postflight.json

@@ -0,0 +1,79 @@
+{
+  "version": 1,
+  "workflows": [
+    {
+      "name": "jobforge.apply",
+      "description": "Settle JobForge application dispatch rounds after subagents return outcomes.",
+      "terminalStatuses": [
+        "APPLIED",
+        "Applied",
+        "APPLY FAILED",
+        "Apply Failed",
+        "FAILED",
+        "Failed",
+        "SKIP",
+        "Skip",
+        "Skipped",
+        "Discarded"
+      ],
+      "successStatuses": [
+        "APPLIED",
+        "Applied"
+      ],
+      "failureStatuses": [
+        "APPLY FAILED",
+        "Apply Failed",
+        "FAILED",
+        "Failed"
+      ],
+      "skipStatuses": [
+        "SKIP",
+        "Skip",
+        "Skipped",
+        "Discarded"
+      ],
+      "inFlightStatuses": [
+        "running",
+        "in-flight",
+        "started",
+        "pending"
+      ],
+      "replacementStatuses": [
+        "APPLY FAILED",
+        "Apply Failed",
+        "FAILED",
+        "Failed"
+      ],
+      "requiredArtifacts": [
+        {
+          "id": "tracker-tsv",
+          "label": "Tracker TSV outcome",
+          "statuses": [
+            "APPLIED",
+            "Applied",
+            "APPLY FAILED",
+            "Apply Failed",
+            "FAILED",
+            "Failed",
+            "SKIP",
+            "Skip",
+            "Skipped",
+            "Discarded"
+          ]
+        }
+      ],
+      "postSteps": [
+        {
+          "id": "merge",
+          "label": "Merge tracker TSV outcomes",
+          "command": "npx job-forge merge"
+        },
+        {
+          "id": "verify",
+          "label": "Verify tracker integrity",
+          "command": "npx job-forge verify"
+        }
+      ]
+    }
+  ]
+}

package/templates/redact.json

@@ -0,0 +1,77 @@
+{
+  "version": 1,
+  "defaults": {
+    "severity": "error",
+    "replacement": "[REDACTED:{id}]"
+  },
+  "builtins": [
+    {
+      "id": "email",
+      "severity": "warn"
+    },
+    {
+      "id": "phone",
+      "severity": "warn"
+    },
+    "openai-api-key",
+    "github-token",
+    "npm-token",
+    "aws-access-key-id",
+    "bearer-token",
+    "private-key",
+    "proxy-url-credentials"
+  ],
+  "fields": [
+    {
+      "id": "profile-contact",
+      "label": "Profile contact field",
+      "severity": "warn",
+      "names": [
+        "email",
+        "phone",
+        "address",
+        "street",
+        "city",
+        "postalCode",
+        "zip",
+        "linkedin"
+      ]
+    },
+    {
+      "id": "proxy-config",
+      "label": "Proxy configuration field",
+      "names": [
+        "proxy",
+        "proxyUrl",
+        "proxy_url",
+        "server",
+        "username",
+        "password",
+        "bypass"
+      ]
+    },
+    {
+      "id": "credential-field",
+      "label": "Credential field",
+      "names": [
+        "apiKey",
+        "api_key",
+        "access_token",
+        "refresh_token",
+        "client_secret",
+        "clientSecret",
+        "authorization",
+        "cookie",
+        "session",
+        "token"
+      ]
+    }
+  ],
+  "patterns": [
+    {
+      "id": "proxy-provider-account",
+      "label": "Proxy provider account identifier",
+      "pattern": "\\bbrd-customer-[A-Za-z0-9_.-]+\\b"
+    }
+  ]
+}