lithermes-ai 0.8.5 → 0.8.6

package/README.md

@@ -51,11 +51,16 @@ Restart any running Hermes CLI or Hermes gateway process. Then open Hermes and t
 - `/lit`: start an Litwork loop immediately.
 - `/lit-loop`: explicit alias for the same execution loop.
 - `/lit-plan`: create a durable implementation plan.
+- Natural routing: a standalone `lit` or `litwork` in normal prose activates Litwork;
+  `lit plan`, `lit review`, `lit research`, and `lit goal` route to the matching
+  Lithermes mode contract. Tokens inside code spans, fenced code, substrings,
+  compounds, paths, and real slash-command mentions are ignored.
 - `/litwork-loop` and `/litwork-plan`: longer aliases.
 - `/lit_loop` and `/lit_plan`: gateway-friendly aliases for Telegram dispatch.
 - Native `/goal` binding: Hermes has no model-facing goal tools, so `/lit`, `/lit-loop`, and `/lit-plan` bind the native standing `/goal` via the session goal manager (persists across turns; native evidence-judge decides completion). Criteria + evidence use the durable `goal_*` tools.
 - Interactive install spinner keeps terminal installs lively while redirected or scripted installs stay plain; use `npx lithermes-ai install --yes --no-spinner` for quiet terminal installs.
-- `start-work`: open or dry-run a LitHermes plan inside Hermes.
+- `/start-work`: execution-only for an approved plan. Natural-language `lit start work`
+  is `BLOCKED` because a hook cannot switch Hermes commands; invoke `/start-work <plan>` explicitly.
 - LitHermes workflow skill set: `ai-slop-remover`, `comment-checker`,
   `debugging`, `deep-interview`, `frontend-ui-ux`, `git-master`, `init-deep`,
   `lsp`, `programming`, `refactor`,
@@ -66,6 +71,33 @@ Restart any running Hermes CLI or Hermes gateway process. Then open Hermes and t
   so each release is reproducible and auditable. Repo-rule loading is handled by
   Hermes' native context-files feature, not a LitHermes hook.
 
+## Mode Contract
+
+- `lit` / `litwork`: execution discipline. Direct `lit <task>` creates run state
+  under `.hermes/lithermes/runs/`; indirect mentions only inject the Litwork loop.
+- `lit plan`: planning-only. It must inspect, interview if needed, and produce a
+  plan; it must not implement or call start-work.
+- `lit review`: review-work mode. It verifies goal/constraints, real-surface QA,
+  code quality, security/safety, and context/docs/package readiness. Missing
+  evidence, timeouts, or cleanup gaps block approval.
+- `lit research`: litresearch mode. Separate verified facts, hypotheses, sources,
+  and uncertainty; keep any journal under `.hermes/lithermes/litresearch/`.
+- `lit goal`: litgoal mode. Bind one objective plus checkable criteria through
+  `goal_set` / `goal_*` tools; state lives in `.hermes/lithermes/litgoal/`.
+- `lit start work`: `BLOCKED` unless the user invokes the native `/start-work`
+  command. `/start-work` is execution-only for approved plans.
+
+Natural routing ignores inline code spans like `` `lit plan` ``, fenced code, real
+slash-command mentions such as `/lit`, substrings like `split`, and compounds like
+`lit-review` or `lit_loop`. Path-like arguments such as `/tmp/repo` and
+`/api/v1/users` remain ordinary task text and do not suppress valid activation.
+
+Secret-bearing prompts are redacted before persistence or model-facing handoff
+(for example `Authorization: Bearer ...`, `api_key=...`, `token=...`, and common
+provider key shapes). Malformed input fails closed without partial run-state.
+Local state under `.hermes/lithermes/`, `plans/`, `runs/`, `evidence/`,
+`state.json`, `ledger.jsonl`, and `notepad.md` is not packaged into npm payloads.
+
 ## Requirements
 
 - Hermes Agent already installed on the machine.

package/README_Ko-KR.md

@@ -51,11 +51,14 @@ npx lithermes-ai install --yes
 - `/lit`: Litwork loop를 바로 시작합니다.
 - `/lit-loop`: 같은 실행 loop를 명시적으로 호출합니다.
 - `/lit-plan`: 구현 계획을 먼저 세웁니다.
+- natural routing: 일반 문장 속 standalone lit / litwork / lit plan / lit review /
+  lit research / lit goal을 Hermes-native mode로 라우팅합니다. code spans,
+  fenced code, substring, compound token, path 안의 lit, 실제 slash-command 언급은 무시합니다.
 - `/litwork-loop`, `/litwork-plan`: 긴 이름의 alias입니다.
 - `/lit_loop`, `/lit_plan`: Telegram dispatch에 맞춘 gateway alias입니다.
 - 네이티브 `/goal` 바인딩: Hermes에는 model-facing goal tool이 없으므로 `/lit`, `/lit-loop`, `/lit-plan`은 세션 goal manager를 통해 네이티브 standing `/goal`을 대신 설정합니다(턴을 넘어 유지되고 네이티브 evidence-judge가 완료를 판정). success criteria와 증거는 durable `goal_*` 도구로 추적합니다.
 - interactive install spinner가 terminal 설치는 더 생동감 있게 보여주고, redirect/script 설치는 기존처럼 plain output을 유지합니다. 조용한 terminal 설치가 필요하면 `npx lithermes-ai install --yes --no-spinner`를 사용합니다.
-- `start-work`: LitHermes plan을 Hermes 작업으로 엽니다.
+- `/start-work`: 승인된 plan만 실행하는 execution-only 명령입니다. 자연어 `lit start work`는 hook이 Hermes command 전환을 할 수 없으므로 `BLOCKED`되고, 사용자가 `/start-work <plan>`을 직접 호출해야 합니다.
 - LitHermes workflow skill set: `ai-slop-remover`, `comment-checker`,
   `debugging`, `deep-interview`, `frontend-ui-ux`, `git-master`, `init-deep`,
   `lsp`, `programming`, `refactor`,
@@ -65,6 +68,22 @@ npx lithermes-ai install --yes
   hook, 모든 skill, durable goal tooling — 이 설치 상태 그대로 번들에 들어가므로,
   각 릴리스는 재현 가능하고 감사할 수 있습니다.
 
+## Mode Contract
+
+- `lit` / `litwork`: 실행 discipline입니다. 직접 `lit <task>`는 `.hermes/lithermes/runs/`에 run state를 씁니다.
+- `lit plan`: planning-only입니다. 구현하거나 start-work를 호출하지 않고 plan을 만들고 승인 대기합니다.
+- `lit review`: review-work mode입니다. behavior, tests, docs/package readiness, security/safety, cleanup evidence를 5-lane으로 검증합니다.
+- `lit research`: verified facts, hypotheses, sources, uncertainty를 분리하고 journal은 `.hermes/lithermes/litresearch/`에 둡니다.
+- `lit goal`: one objective plus checkable criteria를 `.hermes/lithermes/litgoal/`에 `goal_*` 도구로 기록합니다.
+- `lit start work`: `BLOCKED`; 승인된 plan에 대해 native `/start-work <approved-plan>`을 직접 호출해야 합니다.
+
+Natural routing은 `code spans`, fenced code, `/lit` 같은 실제 slash-command mention,
+`split` 같은 substring, `lit-review` / `lit_loop` 같은 compound token을 무시합니다.
+반면 `/tmp/repo`, `/api/v1/users` 같은 path-like argument는 유효한 task text입니다.
+secret-bearing prompt는 durable persistence / model handoff 전에 redact되며,
+malformed input은 partial run-state 없이 실패합니다. `.hermes/lithermes`, `plans/`,
+`runs/`, `evidence/`, `state.json`, `ledger.jsonl`, `notepad.md` 같은 local state는 npm에 not packaged 됩니다.
+
 ## 요구 사항
 
 - Hermes Agent가 이미 설치되어 있어야 합니다.

package/assets/lithermes-plugin/README.md

@@ -7,11 +7,14 @@ first-class Hermes skills:
   goal bootstrap to the Hermes agent instead of stopping at plan creation.
 - `/lit-loop` and `/litwork-loop` create run state under
   `.hermes/lithermes/runs/` and dispatch the task back to the Hermes agent.
-- `/start-work` opens or dry-runs a plan against a workspace.
+- `/start-work` opens or dry-runs an approved plan against a workspace; it is
+  execution-only and never bootstraps a plan from a brief.
 - The `pre_llm_call` hook injects an Litwork directive when the user says
-  `lit` or `litwork`. Hermes has no model-facing goal tools, so a direct
-  `lit <task>` (and the /lit command) binds the native standing `/goal` via the
-  session goal manager; criteria + evidence use the durable `goal_*` tools.
+  a standalone `lit` or `litwork`. It also routes `lit plan`, `lit review`,
+  `lit research`, and `lit goal` to the matching `lithermes:*` skill contract.
+  Hermes has no model-facing goal tools, so a direct `lit <task>` (and the /lit
+  command) binds the native standing `/goal` via the session goal manager;
+  criteria + evidence use the durable `goal_*` tools.
 - Explicit skills are available as:
   `lithermes:ai-slop-remover`, `lithermes:comment-checker`,
   `lithermes:debugging`, `lithermes:deep-interview`,
@@ -25,6 +28,28 @@ first-class Hermes skills:
   run in parallel, the parent blocks for all); there is no named-agent registry
   and no per-child model selection.
 
+## Mode Contract
+
+- `lit` / `litwork`: Litwork execution discipline; direct `lit <task>` writes
+  `.hermes/lithermes/runs/<run>/` and forwards the task.
+- `lit plan`: planning-only. Do not implement or start work; create/refine an
+  approved plan first.
+- `lit review`: review-work verifies behavior, tests, docs/package readiness,
+  security/safety, and cleanup evidence through a 5-lane all-or-nothing gate.
+- `lit research`: separate verified facts, hypotheses, sources, and uncertainty;
+  journals live under `.hermes/lithermes/litresearch/<slug>/`.
+- `lit goal`: bind one objective plus checkable criteria in
+  `.hermes/lithermes/litgoal/`.
+- `lit start work`: `BLOCKED` in natural routing because `pre_llm_call` cannot
+  switch Hermes commands. The user must invoke `/start-work <approved-plan>`.
+
+Natural routing ignores code spans, fenced code, substrings, compounds, path-
+embedded tokens, and real slash-command mentions. `/tmp/repo` and
+`/api/v1/users` are path-like arguments, not suppressors. Secret-bearing prompt
+text is redacted before persistence or model-facing handoff; malformed input
+fails closed without partial run state. Local `.hermes/lithermes` state, plans,
+runs, evidence, `state.json`, `ledger.jsonl`, and `notepad.md` are not packaged.
+
 Enable with:
 
 ```yaml

package/assets/lithermes-plugin/core.py

@@ -10,6 +10,11 @@ from datetime import datetime, timezone
 from pathlib import Path
 from typing import Any, Iterable
 
+try:
+    from .redaction import redact_obj, redact_text
+except (ImportError, ModuleNotFoundError):  # standalone test import via PYTHONPATH
+    from redaction import redact_obj, redact_text  # type: ignore
+
 try:
     get_hermes_home = importlib.import_module("hermes_constants").get_hermes_home
 except Exception:
@@ -25,11 +30,12 @@ except Exception:
 LITGOAL_STATE_DIRNAME = "litgoal"
 
 # Fire on a standalone `lit`/`litwork` token delimited by whitespace, string
-# edge, or punctuation — but NOT inside a larger word ("split", "literally") and
-# NOT as a hyphen/underscore compound ("lit-review", "lit_loop"). This keeps
-# "…진행해줘 lit" (trailing token) firing while excluding command-like compounds.
-LIT_PATTERN = re.compile(r"(?<![\w-])(?:litwork|lit)(?![\w-])", re.IGNORECASE)
-DIRECT_LIT_PATTERN = re.compile(r"^\s*(?:lit|litwork)\b\s+(?P<task>.+?)\s*$", re.IGNORECASE | re.DOTALL)
+# edge, or punctuation — but NOT inside a larger word ("split", "literally"),
+# NOT as a hyphen/underscore compound ("lit-review", "lit_loop"), and NOT when
+# the token is path/slash-command embedded (`/lit`, `/tmp/lit.sock`). Path-like
+# slash tokens elsewhere in the prompt do not suppress a valid standalone token.
+LIT_PATTERN = re.compile(r"(?<![\w/-])(?:litwork|lit)(?![\w/-])", re.IGNORECASE)
+DIRECT_LIT_PATTERN = re.compile(r"^\s*(?:lit|litwork)(?![\w-])\s+(?P<task>.+?)\s*$", re.IGNORECASE | re.DOTALL)
 MAX_TASK_LEN = 4000
 _SLUG_PATTERN = re.compile(r"[^a-z0-9]+")
 
@@ -44,6 +50,12 @@ LITBURN_BANNER = "🔥 LITBURN IGNITED 🔥"
 # the banner onto that turn's response before the user sees it. Consumed once.
 _PENDING_IGNITE: set[str] = set()
 
+# Session ids whose current turn must be user-visible BLOCKED. This is used for
+# natural-language requests such as "lit start work": a pre-LLM hook can steer the
+# model, but it cannot switch Hermes modes/agents. The transform hook makes the
+# safe block visible instead of pretending a mode switch occurred.
+_PENDING_BLOCK: dict[str, str] = {}
+
 
 LIT_CONTEXT = "\n".join(
     [
@@ -90,6 +102,15 @@ class CommandArgs:
     options: dict[str, str | bool]
 
 
+@dataclass(frozen=True)
+class NaturalLitRoute:
+    mode: str
+    objective: str = ""
+    visible_message: str = ""
+    blocked: bool = False
+    block_message: str = ""
+
+
 def slugify(text: str, fallback: str = "lithermes-plan") -> str:
     lowered = text.strip().lower()
     slug = _SLUG_PATTERN.sub("-", lowered).strip("-")
@@ -159,6 +180,7 @@ def event_log_path() -> Path:
 
 
 def append_jsonl(path: Path, payload: dict[str, Any]) -> None:
+    payload = redact_obj(payload)
     path.parent.mkdir(parents=True, exist_ok=True)
     with path.open("a", encoding="utf-8") as handle:
         handle.write(json.dumps(payload, sort_keys=True) + "\n")
@@ -212,12 +234,142 @@ def _clamp_task(task: str) -> str:
     A pasted multi-thousand-char prompt would otherwise inflate the injected
     LIT_CONTEXT and the persisted run-state. Clamp to MAX_TASK_LEN chars.
     """
-    task = task.strip()
+    task = redact_text(task).strip()
     if len(task) > MAX_TASK_LEN:
         return task[:MAX_TASK_LEN].rstrip() + " […]"
     return task
 
 
+_FENCED_CODE_RE = re.compile(r"(^|\n)(`{3,}|~{3,})[^\n]*\n.*?(?:\n\2(?=\n|$)|$)", re.DOTALL)
+_INLINE_CODE_RE = re.compile(r"`[^`\n]*`")
+_INDENTED_CODE_LINE_RE = re.compile(r"(?m)^(?: {4,}|\t).*$")
+_MODE_LEAD_RE = re.compile(r"^[\s:;,\-—–]+")
+
+
+def strip_markdown_code(text: str) -> str:
+    """Remove markdown code spans/fences before natural trigger parsing."""
+    without_fences = _FENCED_CODE_RE.sub("\n", str(text or ""))
+    without_indented = _INDENTED_CODE_LINE_RE.sub("", without_fences)
+    return _INLINE_CODE_RE.sub(" ", without_indented)
+
+
+def _after_mode_word(text: str, word: str) -> str | None:
+    m = re.match(rf"^\s*{re.escape(word)}(?![\w-])(?P<rest>.*)$", text, re.IGNORECASE | re.DOTALL)
+    if not m:
+        return None
+    return m.group("rest").strip()
+
+
+def _after_start_work(text: str) -> str | None:
+    m = re.match(r"^\s*start\s+work(?![\w-])(?P<rest>.*)$", text, re.IGNORECASE | re.DOTALL)
+    if not m:
+        return None
+    return m.group("rest").strip()
+
+
+def detect_lit_mode(message: str) -> NaturalLitRoute | None:
+    """Route a natural-language LitHermes activation to a native mode.
+
+    The parser intentionally ignores code spans/fences and only treats standalone
+    `lit`/`litwork` tokens as activations. A token embedded in `/lit`,
+    `/tmp/lit.sock`, `split`, `lit-review`, or `lit_loop` is ignored; path-like
+    slash tokens elsewhere remain ordinary task text.
+    """
+    visible = strip_markdown_code(message)
+    for match in LIT_PATTERN.finditer(visible):
+        token = match.group(0).lower()
+        after = _MODE_LEAD_RE.sub(" ", visible[match.end():]).strip()
+        if token == "litwork":
+            return NaturalLitRoute(mode="litwork", objective=_clamp_task(after), visible_message=visible)
+
+        start_rest = _after_start_work(after)
+        if start_rest is not None:
+            block = (
+                "BLOCKED: natural-language `lit start work` cannot switch Hermes into the "
+                "native execution command. Invoke `/start-work <approved-plan>` explicitly "
+                "after `/lit-plan` has produced an approved plan. No run state was created."
+            )
+            return NaturalLitRoute(
+                mode="start-work",
+                objective=_clamp_task(start_rest),
+                visible_message=visible,
+                blocked=True,
+                block_message=block,
+            )
+
+        for word, mode in (
+            ("plan", "lit-plan"),
+            ("review", "review-work"),
+            ("research", "litresearch"),
+            ("goal", "litgoal"),
+        ):
+            rest = _after_mode_word(after, word)
+            if rest is not None:
+                return NaturalLitRoute(mode=mode, objective=_clamp_task(rest), visible_message=visible)
+        return NaturalLitRoute(mode="litwork", objective=_clamp_task(after), visible_message=visible)
+    return None
+
+
+def build_natural_mode_context(route: NaturalLitRoute) -> str:
+    objective = route.objective or "(no objective text supplied — ask for the missing objective if needed)"
+    if route.blocked:
+        return "\n".join(
+            [
+                "<lithermes-natural-route mode=\"start-work\">",
+                route.block_message,
+                "Do not execute, edit, or create run state from this natural phrase.",
+                "Safe fallback: ask the user to invoke the native command `/start-work <approved-plan>`.",
+                "</lithermes-natural-route>",
+            ]
+        )
+    if route.mode == "lit-plan":
+        return "\n".join(
+            [
+                "<lithermes-natural-route mode=\"lit-plan\">",
+                "Natural routing: standalone lit plan -> lithermes:lit-plan.",
+                f"Objective: {objective}",
+                "Mode Contract: planning-only. Do not implement, edit production code, run start-work, or claim execution is done.",
+                "Load lithermes:lit-plan, inspect first, create/fill a plan under plans/, and wait for explicit approval.",
+                "Durable state: use plans/ and .hermes/lithermes goal tools only; never foreign state roots.",
+                "</lithermes-natural-route>",
+            ]
+        )
+    if route.mode == "review-work":
+        return "\n".join(
+            [
+                "<lithermes-natural-route mode=\"review-work\">",
+                "Natural routing: standalone lit review -> lithermes:review-work.",
+                f"Review target: {objective}",
+                "Mode Contract: verify only. Run the 5-lane review: goal/constraints, real-surface QA, code quality, security/safety, and context/docs/package readiness.",
+                "All lanes must pass; timeout, missing evidence, inconclusive output, or cleanup gaps block approval.",
+                "</lithermes-natural-route>",
+            ]
+        )
+    if route.mode == "litresearch":
+        return "\n".join(
+            [
+                "<lithermes-natural-route mode=\"litresearch\">",
+                "Natural routing: standalone lit research -> lithermes:litresearch.",
+                f"Research demand: {objective}",
+                "Mode Contract: separate verified facts, hypotheses, sources, and uncertainty. Do not present uncited claims as facts.",
+                "Use Hermes-native delegate_task swarms when justified and keep any research journal under .hermes/lithermes/litresearch/<slug>/.",
+                "</lithermes-natural-route>",
+            ]
+        )
+    if route.mode == "litgoal":
+        return "\n".join(
+            [
+                "<lithermes-natural-route mode=\"litgoal\">",
+                "Natural routing: standalone lit goal -> lithermes:litgoal.",
+                f"Objective: {objective}",
+                "Mode Contract: bind one objective plus checkable criteria. Use goal_set with happy/edge/regression criteria before work proceeds.",
+                "Durable state: .hermes/lithermes/litgoal/ via goal_* tools or `hermes lithermes goal status`.",
+                "</lithermes-natural-route>",
+            ]
+        )
+    return LIT_CONTEXT
+
+
 def _extract_run_context_task(message: str) -> str:
     m = _RUN_CONTEXT_TASK_PATTERN.search(message)
     return _clamp_task(m.group("task")) if m else ""
@@ -240,7 +392,7 @@ def _extract_bind_goal(message: str) -> str:
 
 def bind_goal_marker(objective: str) -> str:
     """Render the bind-goal marker a command embeds so pre_llm_call binds /goal."""
-    objective = (objective or "").strip()
+    objective = _clamp_task(objective)
     return f"<lithermes-bind-goal>{objective}</lithermes-bind-goal>" if objective else ""
 
 
@@ -268,6 +420,7 @@ def pre_llm_call(**kwargs: Any) -> dict[str, str] | None:
     # leak the banner onto this turn's response. Re-added below only if THIS turn
     # is a keyword-lit turn — keeping the flag scoped to the current turn.
     _PENDING_IGNITE.discard(session_id)
+    _PENDING_BLOCK.pop(session_id, None)
     # /litgoal & /lit-plan declare an objective via the bind-goal marker. Bind it
     # (we have session_id here) and stop — those messages are self-contained.
     bind_obj = _extract_bind_goal(user_message)
@@ -281,12 +434,33 @@ def pre_llm_call(**kwargs: Any) -> dict[str, str] | None:
         if task:
             bind_native_goal(session_id, task)
         return None
-    if not LIT_PATTERN.search(user_message):
+    route = detect_lit_mode(user_message)
+    if route is None:
         return None
-    direct = DIRECT_LIT_PATTERN.match(user_message)
+
+    record_event(
+        "litwork_trigger",
+        session_id=session_id,
+        platform=str(kwargs.get("platform") or ""),
+        mode=route.mode,
+    )
+    if session_id:
+        _PENDING_IGNITE.add(session_id)
+
+    if route.blocked:
+        if session_id:
+            _PENDING_BLOCK[session_id] = route.block_message
+        return {"context": build_natural_mode_context(route)}
+
+    if route.mode != "litwork":
+        if route.mode in {"lit-plan", "litgoal"} and route.objective:
+            bind_native_goal(session_id, route.objective)
+        return {"context": build_natural_mode_context(route)}
+
+    direct = DIRECT_LIT_PATTERN.match(route.visible_message)
     run_context = ""
     if direct:
-        task = _clamp_task(direct.group("task"))
+        task = route.objective or _clamp_task(direct.group("task"))
         if task:
             bind_native_goal(session_id, task)
             workspace = Path.cwd().resolve()
@@ -296,15 +470,6 @@ def pre_llm_call(**kwargs: Any) -> dict[str, str] | None:
                 command="lit",
             )
             run_context = "\n\n" + build_run_agent_message(load_run_state(run_dir))
-    record_event(
-        "litwork_trigger",
-        session_id=session_id,
-        platform=str(kwargs.get("platform") or ""),
-    )
-    # Flag this turn so transform_llm_output forces the banner onto the response
-    # (the keyword path has no deterministic display channel like slash commands).
-    if session_id:
-        _PENDING_IGNITE.add(session_id)
     return {"context": LIT_CONTEXT + run_context}
 
 
@@ -317,6 +482,10 @@ def transform_llm_output(**kwargs: Any) -> str | None:
     a model that already opened with the banner is not double-bannered.
     """
     session_id = str(kwargs.get("session_id") or "")
+    block = _PENDING_BLOCK.pop(session_id, "")
+    if block:
+        _PENDING_IGNITE.discard(session_id)
+        return f"{LITBURN_BANNER}\n\n{block}" if not block.startswith(LITBURN_BANNER) else block
     if session_id not in _PENDING_IGNITE:
         return None
     _PENDING_IGNITE.discard(session_id)
@@ -348,7 +517,7 @@ def build_goal_instruction(
     plan: Path | None = None,
     workspace: Path | None = None,
 ) -> str:
-    objective = objective.strip() or "Complete the requested LitHermes task with evidence."
+    objective = _clamp_task(objective) or "Complete the requested LitHermes task with evidence."
     plan_line = f"Plan: {plan}" if plan else "Plan: none"
     workspace_line = f"Workspace: {workspace}" if workspace else "Workspace: current"
     return "\n".join(
@@ -372,7 +541,7 @@ def build_goal_instruction(
             "- goal_steer to redirect, goal_checkpoint to snapshot; inspect via `hermes lithermes goal status`;",
             "- goal_complete is REFUSED until every criterion has green + scenario evidence and no blocker is open.",
             "",
-            "Isolation: for risky/parallel edits use a worktree (EnterWorktree, or `claude --worktree <name> --tmux`).",
+            "Isolation: for risky/parallel edits use a git worktree or Hermes-native workspace isolation if available.",
             "",
             "Delegation model (you conduct, workers play):",
             "- Use delegate_task(tasks:[{goal, context}]) to fan out INDEPENDENT work in parallel;",
@@ -392,7 +561,7 @@ def build_goal_instruction(
 
 
 def create_plan(brief: str, workspace: Path | None = None) -> Path:
-    brief = brief.strip()
+    brief = _clamp_task(brief)
     if not brief:
         raise ValueError('usage: /lit-plan "what to build"')
 
@@ -483,7 +652,7 @@ def unchecked_items(markdown: str) -> list[str]:
     for line in markdown.splitlines():
         stripped = line.strip()
         if stripped.startswith("- [ ] "):
-            items.append(stripped[6:].strip())
+            items.append(_clamp_task(stripped[6:].strip()))
     return items
 
 
@@ -507,7 +676,7 @@ def extract_success_criteria(markdown: str) -> list[dict[str, str]]:
                 continue
             key, _, value = field.partition(":")
             key = key.strip().lower()
-            value = value.strip()
+            value = _clamp_task(value)
             if key == "channel":
                 crit["qa_channel"] = value
             elif key == "test":
@@ -520,7 +689,7 @@ def extract_success_criteria(markdown: str) -> list[dict[str, str]]:
 
 def build_notepad(task: str, criteria: list[dict[str, str]]) -> str:
     crit_lines = [
-        f"- {c['id']} [{c.get('qa_channel') or '?'}] {c.get('scenario') or ''} (test: {c.get('test_ref') or '?'})"
+        f"- {c['id']} [{_clamp_task(c.get('qa_channel') or '?')}] {_clamp_task(c.get('scenario') or '')} (test: {_clamp_task(c.get('test_ref') or '?')})"
         for c in criteria
     ] or ["- (define success criteria before claiming progress)"]
     return "\n".join(
@@ -598,6 +767,8 @@ def write_run_state(
     completion_promise: str = "",
     strategy: str = "continue",
 ) -> Path:
+    task = _clamp_task(task)
+    completion_promise = _clamp_task(completion_promise)
     rid = run_id("lithermes")
     run_dir = lithermes_dir(workspace) / "runs" / rid
     evidence_dir = run_dir / "evidence"
@@ -606,7 +777,7 @@ def write_run_state(
     criteria: list[dict[str, str]] = []
     if plan and plan.exists():
         try:
-            criteria = extract_success_criteria(plan.read_text(encoding="utf-8"))
+            criteria = redact_obj(extract_success_criteria(plan.read_text(encoding="utf-8")))
         except OSError:
             criteria = []
 
@@ -720,7 +891,7 @@ def build_plan_agent_message(brief: str, plan: Path, workspace: Path) -> str:
 def command_lit_plan(raw_args: str) -> dict[str, str]:
     args = parse_args(raw_args)
     workspace = workspace_from_option(args.options.get("worktree"))
-    brief = _join_positional(args.positional)
+    brief = _clamp_task(_join_positional(args.positional))
     path = create_plan(brief, workspace)
     return {
         "display": f"Created LitHermes plan: {path}\nForwarding goal bootstrap to Hermes agent now.",
@@ -732,10 +903,10 @@ def command_lit_plan(raw_args: str) -> dict[str, str]:
 def _command_lit_dispatch(raw_args: str, *, command: str) -> dict[str, str]:
     args = parse_args(raw_args)
     workspace = workspace_from_option(args.options.get("worktree"))
-    task = _join_positional(args.positional)
+    task = _clamp_task(_join_positional(args.positional))
     if not task:
         raise ValueError('usage: /lit-loop "task" [--completion-promise TEXT] [--strategy reset|continue]')
-    completion = str(args.options.get("completion-promise") or "")
+    completion = _clamp_task(str(args.options.get("completion-promise") or ""))
     strategy = str(args.options.get("strategy") or "continue")
     if strategy not in {"continue", "reset"}:
         raise ValueError("--strategy must be either 'continue' or 'reset'")
@@ -798,10 +969,10 @@ def detect_run_command(workspace: Path) -> str:
 
 REVIEW_LANES = [
     ("goal", "Goal & constraint verification — does the diff achieve the stated goal within every constraint; flag missed requirements, over-engineering, edge cases. Verdict PASS/FAIL + confidence."),
-    ("qa", "QA by execution — brainstorm 15+ scenarios (happy/boundary/error/regression), then actually run the app/surface and capture evidence. Verdict PASS/FAIL with per-scenario results."),
+    ("qa", "QA by execution — brainstorm 15+ scenarios (happy/boundary/error/regression), then actually run the app/surface and capture evidence; tests alone are insufficient. Verdict PASS/FAIL with per-scenario results."),
     ("code-quality", "Code quality — staff-engineer review across correctness, patterns, naming, error handling, types, perf, tests, API design. Severity CRITICAL/MAJOR/MINOR/NITPICK. Verdict PASS/FAIL."),
-    ("security", "Security (supplementary) — input validation, authz, secrets, data exposure, deps/CVEs, path/file ops. Severity CRITICAL/HIGH/MEDIUM/LOW. Verdict PASS/FAIL."),
-    ("context", "Context mining — git history, issues/PRs, related systems, developer TODO/warnings the diff may have missed. Verdict PASS/FAIL + discovered context."),
+    ("security", "Security/safety (supplementary) — input validation, authz, secrets, data exposure, deps/CVEs, path/file ops, destructive actions. Severity CRITICAL/HIGH/MEDIUM/LOW. Verdict PASS/FAIL."),
+    ("context", "Context/docs/package readiness — git history, issues/PRs, docs, changelog/release checklist, package dry-run/payload guard, cleanup receipts, TODO/warnings the diff may have missed. Verdict PASS/FAIL + discovered context."),
 ]
 
 
@@ -861,7 +1032,7 @@ def command_review_work(raw_args: str) -> dict[str, str]:
 def command_litgoal(raw_args: str) -> dict[str, str]:
     args = parse_args(raw_args)
     workspace = workspace_from_option(args.options.get("worktree"))
-    objective = _join_positional(args.positional)
+    objective = _clamp_task(_join_positional(args.positional))
     intro = (
         "Opened the LitHermes litgoal durable runtime."
         if objective
@@ -942,21 +1113,16 @@ def command_start_work(raw_args: str) -> str | dict[str, str]:
     dry_run = bool(args.options.get("dry-run"))
     plan = find_plan(plan_name, workspace)
 
-    # No-plan bootstrap: /start-work with a brief but no matching plan creates the
-    # plan first (treating start-work as approval to bootstrap), then proceeds.
-    bootstrapped = False
     if plan is None:
-        if not plan_name:
-            raise ValueError(
-                f"no plan found in {plan_dir(workspace)} and no brief given to bootstrap one"
-            )
+        target = plan_name or "(latest plan)"
+        msg = (
+            f"BLOCKED: /start-work is execution-only for approved plans. No plan named "
+            f"'{target}' was found in {plan_dir(workspace)}. Run /lit-plan first, approve "
+            "the plan, then invoke /start-work <plan-name>."
+        )
         if dry_run:
-            return (
-                f"LitHermes dry-run: no plan named '{plan_name}' found; "
-                f"would bootstrap a new plan from it in {plan_dir(workspace)}."
-            )
-        plan = create_plan(plan_name, workspace)
-        bootstrapped = True
+            return msg
+        raise ValueError(msg)
 
     text = plan.read_text(encoding="utf-8")
     open_items = unchecked_items(text)
@@ -972,8 +1138,7 @@ def command_start_work(raw_args: str) -> str | dict[str, str]:
     )
     first_items = "\n".join(f"- {item}" for item in open_items[:5]) or "- no unchecked items found"
     display = (
-        f"{'Bootstrapped a new plan and started' if bootstrapped else 'Started'} "
-        f"LitHermes work run: {run_dir}\n"
+        f"Started LitHermes work run from approved plan: {run_dir}\n"
         f"Plan: {plan}\n"
         f"Open items:\n{first_items}"
     )

package/assets/lithermes-plugin/litgoal/runtime.py

@@ -15,6 +15,15 @@ from typing import Any
 
 from . import model, store
 
+try:
+    from ..redaction import redact_text
+except (ImportError, ModuleNotFoundError):  # standalone import fallback
+    try:
+        from redaction import redact_text  # type: ignore
+    except (ImportError, ModuleNotFoundError):
+        def redact_text(value: str) -> str:  # type: ignore
+            return str(value or "")
+
 
 def _utc_now() -> str:
     return datetime.now(timezone.utc).isoformat()
@@ -37,7 +46,7 @@ def create_goal(
     title: str = "",
     criteria: list[dict[str, Any]] | None = None,
 ) -> model.Goal:
-    objective = (objective or "").strip()
+    objective = redact_text(objective).strip()
     if not objective:
         raise ValueError("objective must be non-empty")
     state = store.load_or_create(workspace)
@@ -47,9 +56,9 @@ def create_goal(
         goal.criteria.append(
             model.Criterion(
                 id=_next_id("C", [c.id for c in goal.criteria]),
-                scenario=str(spec.get("scenario", "")).strip(),
-                qa_channel=str(spec.get("qa_channel", "")).strip(),
-                test_ref=str(spec.get("test_ref", "")).strip(),
+                scenario=redact_text(str(spec.get("scenario", ""))).strip(),
+                qa_channel=redact_text(str(spec.get("qa_channel", ""))).strip(),
+                test_ref=redact_text(str(spec.get("test_ref", ""))).strip(),
             )
         )
     state.goals.append(goal)
@@ -83,9 +92,9 @@ def add_criterion(
     goal = _require_active(state)
     crit = model.Criterion(
         id=_next_id("C", [c.id for c in goal.criteria]),
-        scenario=scenario.strip(),
-        qa_channel=qa_channel.strip(),
-        test_ref=test_ref.strip(),
+        scenario=redact_text(scenario).strip(),
+        qa_channel=redact_text(qa_channel).strip(),
+        test_ref=redact_text(test_ref).strip(),
     )
     goal.criteria.append(crit)
     store.save(workspace, state)
@@ -123,12 +132,12 @@ def add_evidence(
     goal = _require_active(state)
     for crit in goal.criteria:
         if crit.id == criterion_id:
-            ev = model.Evidence(kind=kind, ref=ref, detail=detail, at=_utc_now())
+            ev = model.Evidence(kind=kind, ref=redact_text(ref), detail=redact_text(detail), at=_utc_now())
             crit.evidence.append(ev)
             store.save(workspace, state)
             store.append_ledger(
                 workspace,
-                {"kind": "evidence_added", "criterion_id": criterion_id, "evidence_kind": kind, "ref": ref},
+                {"kind": "evidence_added", "criterion_id": criterion_id, "evidence_kind": kind, "ref": redact_text(ref)},
             )
             return ev
     raise ValueError(f"criterion '{criterion_id}' not found")
@@ -142,7 +151,7 @@ def record_checkpoint(workspace: Path, summary: str, *, active_criterion: str =
     cp = model.Checkpoint(
         id=_next_id("K", [c.id for c in goal.checkpoints]),
         at=_utc_now(),
-        summary=summary.strip(),
+        summary=redact_text(summary).strip(),
         active_criterion=active_criterion.strip(),
     )
     goal.checkpoints.append(cp)
@@ -179,6 +188,7 @@ def _weakening_reason(directive: str) -> str | None:
 def record_steering(workspace: Path, directive: str, *, kind: str = "redirect") -> model.Steering:
     if kind not in model.STEERING_KINDS:
         raise ValueError(f"invalid steering kind '{kind}' (valid: {model.STEERING_KINDS})")
+    directive = redact_text(directive)
     reason = _weakening_reason(directive)
     if reason is not None:
         raise ValueError(
@@ -209,7 +219,7 @@ def add_review_blocker(workspace: Path, detail: str) -> model.ReviewBlocker:
     goal = _require_active(state)
     blocker = model.ReviewBlocker(
         id=_next_id("B", [b.id for b in goal.review_blockers]),
-        detail=detail.strip(),
+        detail=redact_text(detail).strip(),
     )
     goal.review_blockers.append(blocker)
     store.save(workspace, state)

package/assets/lithermes-plugin/litgoal/store.py

@@ -5,6 +5,7 @@ from __future__ import annotations
 import json
 import os
 import tempfile
+from json import JSONDecodeError
 from datetime import datetime, timezone
 from pathlib import Path
 from typing import Any
@@ -20,6 +21,15 @@ except (ImportError, ModuleNotFoundError):  # pragma: no cover - standalone impo
     except (ImportError, ModuleNotFoundError):
         LITGOAL_STATE_DIRNAME = "litgoal"
 
+try:
+    from ..redaction import redact_obj
+except (ImportError, ModuleNotFoundError):  # pragma: no cover - standalone import fallback
+    try:
+        from redaction import redact_obj  # type: ignore
+    except (ImportError, ModuleNotFoundError):
+        def redact_obj(value):  # type: ignore
+            return value
+
 
 def _utc_now() -> str:
     return datetime.now(timezone.utc).isoformat()
@@ -48,7 +58,10 @@ def brief_path(workspace: Path) -> Path:
 def load_or_create(workspace: Path) -> model.LitgoalState:
     path = goals_path(workspace)
     if path.exists():
-        data = json.loads(path.read_text(encoding="utf-8"))
+        try:
+            data = json.loads(path.read_text(encoding="utf-8"))
+        except JSONDecodeError as exc:
+            raise ValueError(f"malformed litgoal state at {path}: {exc}") from exc
         return model.LitgoalState.from_dict(data)
     return model.LitgoalState(created_at=_utc_now(), updated_at=_utc_now())
 
@@ -85,7 +98,7 @@ def save(workspace: Path, state: model.LitgoalState) -> None:
 def append_ledger(workspace: Path, event: dict[str, Any]) -> None:
     path = ledger_path(workspace)
     path.parent.mkdir(parents=True, exist_ok=True)
-    entry = {"at": _utc_now(), **event}
+    entry = redact_obj({"at": _utc_now(), **event})
     # NOTE: ledger appends are best-effort append-durable; no fsync here to keep
     # high-frequency event writes cheap. Data loss on crash is limited to the
     # last unflushed entry; goals.json (the source of truth) is fsync-durable.

package/assets/lithermes-plugin/payload-version.json

@@ -1,7 +1,7 @@
 {
-  "syncedAt": "2026-06-15T16:35:55.443Z",
+  "syncedAt": "2026-06-19T02:30:00.000Z",
   "source": "source-reference",
-  "sourceHash": "c93c37881e1f6f5730a1adc6c0e62e4dfab1ca44146eed900b8468448438fe8a",
+  "sourceHash": "0a2b29742e4410128d26429945f694c77d47dc5a0d3f80a6bda8b1cbbb21200f",
   "files": [
     {
       "path": "NOTICE.md",
@@ -9,7 +9,7 @@
     },
     {
       "path": "README.md",
-      "sha256": "29f9157e4aa5a667c0d4c2df30d803c4eaa8cc4b30937c84ac1a08b8257e1eca"
+      "sha256": "29a32fca9db9fd12a2a9e307e93f44ba2a8274fde19946011944958c1a1ebc6d"
     },
     {
       "path": "__init__.py",
@@ -17,7 +17,7 @@
     },
     {
       "path": "core.py",
-      "sha256": "70ddccfb4cc2fe1a923a5a61244e5cb36ef8ac0f94d34a76703fa6d82dbabf3f"
+      "sha256": "d0689b196a2721c99c3c83a5e82482869da0d80e57a52c07f54d9268989c31b0"
     },
     {
       "path": "litgoal/__init__.py",
@@ -37,11 +37,11 @@
     },
     {
       "path": "litgoal/runtime.py",
-      "sha256": "65738e1ab77ef0725c4a431886ea6d30f03abddacd968e544d9b212382900a52"
+      "sha256": "6876fa8fd59bb5da0378023a374fb7cdc0d68bf9814f87f47aa7415fc5437bb7"
     },
     {
       "path": "litgoal/store.py",
-      "sha256": "8f5f78fa78e7da2848c76ccc7e512d1a971b483b5de1c99cc79cc053354162b4"
+      "sha256": "bae3f5ab083a57ed433cbe27fa807e1ea703910836760a0ce0ed94563b656ca1"
     },
     {
       "path": "litgoal/tools.py",
@@ -49,7 +49,11 @@
     },
     {
       "path": "plugin.yaml",
-      "sha256": "7761c417acfcd614e8d434b3ca11c498f48422a72f5b70f817a59326aca51b60"
+      "sha256": "9d49a09370193484755d21941af9f6d977dfef780c7a8d6657c115ff643b0bbd"
+    },
+    {
+      "path": "redaction.py",
+      "sha256": "eae670460e8006d04c06bc4e4ad9127dfcaf303de3a00b7e5453e2589ea55531"
     },
     {
       "path": "skills/ai-slop-remover/SKILL.md",
@@ -153,7 +157,7 @@
     },
     {
       "path": "skills/lit-plan/SKILL.md",
-      "sha256": "1f09901f9bb8f19b92add59c3613231228c8b5b7adbefae1cb3eb5cf7c3c61dc"
+      "sha256": "5f00302bff604357c4448d43991af2daf800aa19b50ccbe74e46684e797b8fc3"
     },
     {
       "path": "skills/litgoal/.gitkeep",
@@ -165,7 +169,7 @@
     },
     {
       "path": "skills/litresearch/SKILL.md",
-      "sha256": "3ff390e7a5847aebfa8943fe593fa386f9aeab2716fb30f7b20feaa3990f311f"
+      "sha256": "363468a509f7743037b2f132171b7b1351d11c10680985a49cab1693855a0a20"
     },
     {
       "path": "skills/litwork/SKILL.md",
@@ -573,7 +577,7 @@
     },
     {
       "path": "skills/review-work/SKILL.md",
-      "sha256": "1e30211324dfc09406db4cd9913bc9fe8c3d4d29407dd3d8a37392ddaf8ff06d"
+      "sha256": "4af425ec7924f1cd3d5fac633351f84d587cbaa68498d46daad9faf066c937ec"
     },
     {
       "path": "skills/rules/SKILL.md",
@@ -581,7 +585,7 @@
     },
     {
       "path": "skills/start-work/SKILL.md",
-      "sha256": "194a1d719c00564959da99715c86424a5ecd76196a4db9ca60e64be062dc70b5"
+      "sha256": "9a5243b68236866943b59191fb378d848d6b4f480ace1457291db15c4c57e772"
     },
     {
       "path": "skills/visual-qa/SKILL.md",

package/assets/lithermes-plugin/plugin.yaml

@@ -1,5 +1,5 @@
 name: lithermes
-version: 0.8.5
+version: 0.8.6
 description: "Hermes-native workflow toolkit: litgoal durable runtime, 5-lane review orchestrator, Litwork commands, skills, and prompt steering."
 author: "Hermes Agent"
 kind: standalone

package/assets/lithermes-plugin/redaction.py

@@ -0,0 +1,72 @@
+from __future__ import annotations
+
+import re
+from typing import Any
+
+
+_KEY_VALUE_RE = re.compile(
+    r"(?i)(?<![A-Z0-9_.-])("
+    r"[\"']?[A-Z0-9_.-]*(?:api[_-]?key|access[_-]?token|secret[_-]?access[_-]?key|private[_-]?key|password|token|secret)[A-Z0-9_.-]*[\"']?"
+    r"\s*[=:]\s*[\"']?)([^\s,;\"'}]+)([\"']?)"
+)
+_SENSITIVE_KEY_FRAGMENTS = (
+    "apikey",
+    "accesstoken",
+    "secretaccesskey",
+    "privatekey",
+    "password",
+    "token",
+    "secret",
+)
+
+_SECRET_PATTERNS: tuple[tuple[re.Pattern[str], str], ...] = (
+    (
+        re.compile(r"(?i)\b(authorization\s*:\s*bearer\s+)([^\s,;]+)"),
+        r"\1[REDACTED_SECRET]",
+    ),
+    (
+        re.compile(r"\b(sk-[A-Za-z0-9_-]{8,})\b"),
+        "[REDACTED_SECRET]",
+    ),
+    (
+        re.compile(r"\b((?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{8,})\b"),
+        "[REDACTED_SECRET]",
+    ),
+    (
+        re.compile(r"\b(AKIA[0-9A-Z]{12,})\b"),
+        "[REDACTED_SECRET]",
+    ),
+)
+
+
+def _redact_key_value(match: re.Match[str]) -> str:
+    key = match.group(1)
+    normalized = re.sub(r"[^a-z0-9]", "", key.lower())
+    if any(fragment in normalized for fragment in _SENSITIVE_KEY_FRAGMENTS):
+        return f"{key}[REDACTED_SECRET]{match.group(3)}"
+    return match.group(0)
+
+
+def redact_text(value: str) -> str:
+    """Best-effort redaction before user text is persisted or re-injected.
+
+    This is intentionally conservative and local: it catches common bearer-token,
+    key/value, OpenAI-style, GitHub-style, and AWS-style secrets without trying to
+    classify every high-entropy string as a secret.
+    """
+    text = _KEY_VALUE_RE.sub(_redact_key_value, str(value or ""))
+    for pattern, replacement in _SECRET_PATTERNS:
+        text = pattern.sub(replacement, text)
+    return text
+
+
+def redact_obj(value: Any) -> Any:
+    if isinstance(value, str):
+        return redact_text(value)
+    if isinstance(value, list):
+        return [redact_obj(item) for item in value]
+    if isinstance(value, tuple):
+        return tuple(redact_obj(item) for item in value)
+    if isinstance(value, dict):
+        return {key: redact_obj(item) for key, item in value.items()}
+    return value

package/assets/lithermes-plugin/skills/lit-plan/SKILL.md

@@ -18,14 +18,14 @@ description: Hermes-native planning consultant for /lit-plan — explore-first g
 > `plans/<slug>.md` — this skill injects the consultant discipline that turns
 > that template into a genuinely reasoned artifact.
 
-This skill governs how Hermes behaves when `/lit-plan` is invoked. The plan is
-the **durable artifact** that the subsequent goal loop executes — treat producing
-it with the same rigour you would bring to execution.
+This skill governs how Hermes behaves when `/lit-plan` or natural-language
+`lit plan` is invoked. The plan is the **durable artifact** that a later
+`/start-work` execution run consumes — treat producing it with the same rigour
+you would bring to execution.
 
-LitHermes intentionally fuses planning with execution: `/lit-plan` bootstraps
-the goal and hands off to the execution loop. Do NOT impose a hard
-"planner never implements" rule here. The skill's job is to ensure that what
-gets handed off is grounded, complete, and approved.
+**Mode contract: planning-only.** Do not implement, edit production code, run
+`/start-work`, or claim execution is done in this mode. Stop after the grounded,
+reviewed plan is ready and wait for explicit approval to execute it.
 
 ---
 
@@ -168,11 +168,10 @@ Then close with a literal gate line:
 Ready to generate the plan. Please confirm (or steer) before I finalise.
 ```
 
-**Narrow exception**: if this planning turn was triggered by a `/lit-plan
---bootstrap` flag or an equivalent start-work invocation that is meant to get
-execution started immediately, you may proceed to Phase 4 without waiting — but
-only when the brief is unambiguous, Trivial tier, and exploration found no
-conflicts. Log the skip as `[APPROVAL_GATE_SKIPPED: bootstrap flag + Trivial + no conflicts]`.
+There is no bootstrap shortcut in planning mode. Even Trivial-tier plans must
+clear this gate before Phase 4. `/start-work` is a separate execution-only mode
+that consumes an already-approved plan; it must never be used to bypass planning
+approval.
 
 ---
 

package/assets/lithermes-plugin/skills/litresearch/SKILL.md

@@ -5,7 +5,7 @@ description: "Maximum-saturation LitHermes research orchestrator: decompose a re
 
 # litresearch — maximum-saturation research orchestrator
 
-The LitHermes maximum-saturation research orchestrator, built only on Hermes native surfaces. Decompose a research demand, fan out parallel retrieval swarms, recursively chase every lead until convergence, verify contested claims by running code or adversarial review, and synthesize a fully cited answer — journaling every wave to disk so the work survives compaction. Every mechanism maps to a real Hermes surface: the native `delegate_task` tool (a `tasks:[{goal, context, toolsets?, role?}]` batch for parallel fan-out, parent blocks until all children stop), web retrieval tools, a plain-text live lead tracker, and an on-disk `.lithermes/litresearch/<slug>/` session directory for the durable journal and cited synthesis.
+The LitHermes maximum-saturation research orchestrator, built only on Hermes native surfaces. Decompose a research demand, fan out parallel retrieval swarms, recursively chase every lead until convergence, verify contested claims by running code or adversarial review, and synthesize a fully cited answer — journaling every wave to disk so the work survives compaction. Every mechanism maps to a real Hermes surface: the native `delegate_task` tool (a `tasks:[{goal, context, toolsets?, role?}]` batch for parallel fan-out, parent blocks until all children stop), web retrieval tools, a plain-text live lead tracker, and an on-disk `.hermes/lithermes/litresearch/<slug>/` session directory for the durable journal and cited synthesis.
 
 ## Role
 
@@ -51,10 +51,10 @@ Pick the tier before Phase 1 and record it in the research journal. Never hardco
 4. Open a **durable on-disk session directory** alongside the plain-text tracker. The tracker is your fast live view; the on-disk files are your recovery point after compaction and the user's audit trail. Create a slug from the demand and make the directory:
 
    ```bash
-   mkdir -p .lithermes/litresearch/<slug>
+   mkdir -p .hermes/lithermes/litresearch/<slug>
    ```
 
-   `.lithermes/litresearch/<slug>/` is your `SESSION_DIR`. It is gitignore-friendly — keep it under `.lithermes/` so it stays out of commits. The parent (you) owns every file in it; research children are read-only and never write here. Maintain three kinds of file:
+   `.hermes/lithermes/litresearch/<slug>/` is your `SESSION_DIR`. It is repo-native and gitignore-friendly — keep it under `.hermes/lithermes/` so it stays out of commits and package payloads. The parent (you) owns every file in it; research children are read-only and never write here. Maintain three kinds of file:
 
    - `wave-<N>-<kind>-<axis>.md` — your digest of each child return: key findings, sources with file:line or URL+version, and the child's `## EXPAND` markers copied verbatim.
    - `expansion-log.md` — the lead ledger: per wave, the children spawned, the markers gained, and the leads opened and closed. This is the dedup memory so a closed lead never resurfaces.
@@ -211,7 +211,7 @@ Produce a standalone report only when the user requests one ("report", "document
 | Open-ended web breadth (Exhaustive) | extra librarian + web-search/web-fetch `delegate_task` lanes |
 | Adversarial verification | `delegate_task` child whose `goal` is to refute the claim |
 | Live lead tracker | plain-text tracker in-session, mirrored to `expansion-log.md` |
-| Durable journal / lead ledger / synthesis | on-disk `SESSION_DIR` = `.lithermes/litresearch/<slug>/` (`wave-*.md`, `expansion-log.md`, `verify-*.md`, `SYNTHESIS.md`) |
+| Durable journal / lead ledger / synthesis | on-disk `SESSION_DIR` = `.hermes/lithermes/litresearch/<slug>/` (`wave-*.md`, `expansion-log.md`, `verify-*.md`, `SYNTHESIS.md`) |
 
 ## Stop Rules
 

package/assets/lithermes-plugin/skills/review-work/SKILL.md

@@ -20,9 +20,11 @@ the five lane briefs plus the gate contract. Then:
 | `load_skills=[...]` | name the skills to load inside the child's `message` |
 
 Lane → child mapping (dispatch all five in the single batch):
-`goal` · `qa` · `code-quality` · `security` (supplementary) · `context`.
+`goal` · `qa` · `code-quality` · `security` (supplementary) · `context/docs/package`.
 
 Each child returns: `verdict` (PASS|FAIL), `confidence`, and findings with `file:line`.
+The review must cover behavior, tests, docs/package readiness, security/safety,
+and cleanup evidence; green tests without a real-surface probe are insufficient.
 Aggregate and dedupe across lanes, then apply the **all-or-nothing gate**: any lane FAIL
 ⇒ **REVIEW FAILED** (list blocking issues by severity); all five PASS ⇒ **REVIEW PASSED**
 (non-blocking suggestions only). Record the per-lane verdicts; the plugin's `subagent_stop`
@@ -559,4 +561,4 @@ Compile the final report in this format:
 
 If FAILED - be specific. The user should know exactly what to fix and in what order. No vague "consider improving X" - state the problem, the file, and the fix.
 
-If PASSED - keep it short. Highlight any non-blocking suggestions, but don't turn a passing review into a lecture.
+If PASSED - keep it short. Highlight any non-blocking suggestions, but don't turn a passing review into a lecture.

package/assets/lithermes-plugin/skills/start-work/SKILL.md

@@ -18,10 +18,11 @@ description: Hermes-native plan executor for /start-work — resume from durable
 > for a parallel batch, parent blocks until all children stop. No spawn_agent,
 > no named-agent registry, no per-child model selection.
 
-This skill governs all `/start-work` invocations in Hermes. It resolves a plan
-file (`plans/<slug>.md`), opens or resumes a durable run, and drives every
-top-level checkbox to completion through strict gates. The skill never re-plans
-from scratch mid-run; all recovery is from durable artifacts.
+This skill governs all `/start-work` invocations in Hermes. It resolves an
+approved plan file (`plans/<slug>.md`), opens or resumes a durable run, and drives
+every top-level checkbox to completion through strict gates. The skill never
+plans from scratch, bootstraps a plan from a brief, or weakens the approval gate;
+all recovery is from durable artifacts.
 
 ---
 
@@ -29,28 +30,20 @@ from scratch mid-run; all recovery is from durable artifacts.
 
 The trigger is any of:
 
-- `/start-work <slug>` — resolve `plans/<slug>.md`, open a new run.
+- `/start-work <slug>` — resolve an approved `plans/<slug>.md`, open a new run.
 - `/start-work <slug> --resume` — locate the most recent run for `<slug>` under
   `.hermes/lithermes/runs/` and resume from where `state.json` says.
-- `/start-work` with no slug but a one-liner brief supplied — bootstrap a plan
-  first (see §0 below), then open the run.
+- `/start-work` with no matching plan — **BLOCKED**. Run `/lit-plan` first, get
+  approval, then invoke `/start-work <plan>`.
 
 ---
 
-## §0 — No-plan bootstrap (only when no plan file exists)
+## §0 — Approved plan required
 
-If `/start-work` was given a brief but `plans/<slug>.md` does not yet exist:
-
-1. Derive a slug from the brief (kebab-case, ≤ 40 chars).
-2. Write `plans/<slug>.md` with:
-   - A one-line **Goal** heading.
-   - A **Tasks** section: one `- [ ] T-NNN | <imperative verb phrase>` line per
-     deliverable, ordered by dependency.
-   - A **Success Criteria** section: one machine-parseable row per criterion:
-     `- [ ] C-NNN | channel: <http|tmux|browser|computer> | test: <file::id> | scenario: <one-line>`
-3. Then proceed to §1 as if the plan existed from the start.
-
-The brief is the contract. Do not expand scope beyond it.
+If `/start-work` was given a brief or a slug that does not resolve to an existing
+plan, stop with `BLOCKED`. Do not create a plan here. Planning belongs to
+`/lit-plan` / natural `lit plan`; execution begins only after the user approves a
+real plan artifact.
 
 ---
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "lithermes-ai",
-  "version": "0.8.5",
+  "version": "0.8.6",
   "description": "npx/bunx installer for the LitHermes Hermes plugin",
   "license": "MIT",
   "repository": {
@@ -22,6 +22,7 @@
     "assets",
     "!assets/**/__pycache__/**",
     "!assets/**/*.pyc",
+    "!assets/**/.lit[o]pencode/**",
     "!assets/**/upstream/**",
     "README.md",
     "README_Ko-KR.md",