mimetic-cli 0.1.2 → 0.1.3

package/dist/run.js

@@ -1,6 +1,9 @@
 import { createHash, randomUUID } from "node:crypto";
+import { spawn } from "node:child_process";
 import { mkdir, readdir, readFile, stat, writeFile } from "node:fs/promises";
+import os from "node:os";
 import path from "node:path";
+import { buildObserverData } from "./observer-data.js";
 export const RUN_BUNDLE_SCHEMA = "mimetic.run-bundle.v1";
 export const REVIEW_SCHEMA = "mimetic.review.v1";
 export const VERIFY_SCHEMA = "mimetic.verify-result.v1";
@@ -11,6 +14,9 @@ const sensitivePatterns = [
     /gho_[a-z0-9_]{12,}/i,
     /BEGIN (RSA|OPENSSH|PRIVATE) KEY/i
 ];
+const LOCAL_CODEX_TUI_DEFAULT_TIMEOUT_MS = 240_000;
+const LOCAL_CODEX_TUI_MAX_TIMEOUT_MS = 600_000;
+const LOCAL_ACTOR_TRANSCRIPT_MAX_CHARS = 80_000;
 const builtinPersona = {
     id: "builtin-synthetic-new-user",
     name: "Built-in Synthetic New User",
@@ -37,15 +43,15 @@ export async function runDryRun(options) {
             error: cwdError
         };
     }
-    if (!options.dryRun) {
+    if (options.actor !== undefined && !isLocalCodexActor(options.actor)) {
         return {
             schema: "mimetic.run-result.v1",
             ok: false,
             cwd,
             warnings,
             error: {
-                code: "MIMETIC_LIVE_RUN_UNIMPLEMENTED",
-                message: "Only run --dry-run is implemented in this open-source-safe slice."
+                code: "MIMETIC_UNSUPPORTED_ACTOR",
+                message: `Unsupported actor: ${options.actor}`
             }
         };
     }
@@ -62,6 +68,25 @@ export async function runDryRun(options) {
             }
         };
     }
+    if (!options.dryRun) {
+        const actor = resolveRequestedLocalCodexActor(options.actor);
+        if (actor === "codex-tui") {
+            return runLocalCodexTui({ ...options, actor, cwd, simCount });
+        }
+        if (actor === "codex-exec") {
+            return runLocalCodexExec({ ...options, actor, cwd, simCount });
+        }
+        return {
+            schema: "mimetic.run-result.v1",
+            ok: false,
+            cwd,
+            warnings,
+            error: {
+                code: "MIMETIC_LIVE_RUN_UNIMPLEMENTED",
+                message: "Only run --dry-run is implemented unless --actor codex-tui, --actor codex-exec, or the matching MIMETIC_ENABLE_LOCAL_CODEX_* env var is set."
+            }
+        };
+    }
     const now = new Date();
     const createdAt = now.toISOString();
     const runId = options.runId ?? `dryrun-${createdAt.replace(/[:.]/g, "-")}-${randomUUID().slice(0, 8)}`;
@@ -162,14 +187,714 @@ export async function runDryRun(options) {
         warnings
     };
 }
+function isLocalCodexActor(value) {
+    return value === "codex-tui" || value === "codex-exec";
+}
+function resolveRequestedLocalCodexActor(actor) {
+    if (actor && isLocalCodexActor(actor)) {
+        return actor;
+    }
+    if (process.env.MIMETIC_ENABLE_LOCAL_CODEX_TUI === "1") {
+        return "codex-tui";
+    }
+    if (process.env.MIMETIC_ENABLE_LOCAL_CODEX_EXEC === "1") {
+        return "codex-exec";
+    }
+    return undefined;
+}
+async function runLocalCodexTui(options) {
+    const warnings = [];
+    if (options.simCount !== 1) {
+        return {
+            schema: "mimetic.run-result.v1",
+            ok: false,
+            cwd: options.cwd,
+            warnings,
+            error: {
+                code: "MIMETIC_ACTOR_FANOUT_UNIMPLEMENTED",
+                message: "Local Codex TUI actor support is intentionally limited to --sims 1 in this slice. Split 4x fanout after the 1x lifecycle is deterministic."
+            }
+        };
+    }
+    const timeoutMs = normalizeActorTimeout(options.timeoutMs ?? readEnvInteger("MIMETIC_CODEX_ACTOR_TIMEOUT_MS") ?? LOCAL_CODEX_TUI_DEFAULT_TIMEOUT_MS);
+    if (timeoutMs === null) {
+        return {
+            schema: "mimetic.run-result.v1",
+            ok: false,
+            cwd: options.cwd,
+            warnings,
+            error: {
+                code: "MIMETIC_INVALID_TIMEOUT",
+                message: `--timeout-ms must be an integer between 1 and ${LOCAL_CODEX_TUI_MAX_TIMEOUT_MS}.`
+            }
+        };
+    }
+    const now = new Date();
+    const createdAt = now.toISOString();
+    const runId = options.runId ?? `codex-tui-${createdAt.replace(/[:.]/g, "-")}-${randomUUID().slice(0, 8)}`;
+    const artifactRoot = path.join(".mimetic", "runs", runId);
+    const absoluteArtifactRoot = path.join(options.cwd, artifactRoot);
+    const transcriptPath = path.join(absoluteArtifactRoot, "transcripts", "codex-tui-sanitized.txt");
+    const actorTracePath = path.join(absoluteArtifactRoot, "actor.json");
+    const eventsPath = path.join(absoluteArtifactRoot, "events.ndjson");
+    const packageName = await readPackageName(options.cwd);
+    const mimeticSource = await directoryExists(path.join(options.cwd, "mimetic")) ? "present" : "missing";
+    const selection = await loadDryRunSelection(options.cwd, mimeticSource);
+    if (mimeticSource === "missing") {
+        warnings.push("Committed mimetic/ source was not found; using built-in synthetic local actor defaults.");
+    }
+    warnings.push(...selection.warnings);
+    const verdictNonce = randomUUID().slice(0, 12);
+    const prompt = buildLocalCodexTuiPrompt(selection, verdictNonce);
+    const promptDigest = digestText(prompt);
+    const command = resolveLocalCodexTuiCommand(options.cwd, prompt, options.actorCommand);
+    const usesDefaultCodexCommand = options.actorCommand === undefined && process.env.MIMETIC_CODEX_ACTOR_COMMAND === undefined;
+    const simId = "sim-01";
+    const streamId = "sim-01-codex-tui";
+    const events = [];
+    const appendEvent = async (type, message, level = "info") => {
+        events.push({
+            id: `event-${String(events.length + 1).padStart(3, "0")}`,
+            at: new Date().toISOString(),
+            level,
+            type,
+            message,
+            simId,
+            streamId
+        });
+        await writeFile(eventsPath, `${events.map((event) => JSON.stringify(event)).join("\n")}\n`, "utf8");
+    };
+    await mkdir(path.dirname(transcriptPath), { recursive: true });
+    let actor;
+    const trustPreflight = usesDefaultCodexCommand ? await checkCodexWorkspaceTrust(options.cwd) : { ok: true };
+    if (!trustPreflight.ok) {
+        actor = {
+            durationMs: 0,
+            reason: trustPreflight.message,
+            status: "blocked",
+            transcript: `${trustPreflight.message}\nRecovery: ${trustPreflight.recoveryCommand}\n`,
+            transcriptBytes: Buffer.byteLength(trustPreflight.message)
+        };
+        await appendEvent("actor.preflight.blocked", trustPreflight.message, "warn");
+    }
+    else {
+        await appendEvent("actor.spawned", `Spawned local Codex TUI actor command ${command.name} in explicit opt-in mode.`);
+        await appendEvent("actor.prompt.submitted", `Submitted bounded public-safe dogfood prompt digest ${promptDigest}; raw prompt omitted from event log.`);
+        await appendEvent("actor.running", "Published local Codex TUI running snapshot for Observer polling.");
+        const runningAt = new Date().toISOString();
+        const runningBundle = {
+            schema: RUN_BUNDLE_SCHEMA,
+            runId,
+            mode: "live",
+            simCount: 1,
+            createdAt,
+            cwd: options.cwd,
+            artifactRoot,
+            source: {
+                packageName,
+                mimeticSource,
+                git: {
+                    status: "not_captured",
+                    note: "Source git state capture is planned for the core primitives slice."
+                }
+            },
+            persona: selection.persona,
+            scenario: selection.scenario,
+            lifecycle: [
+                {
+                    at: createdAt,
+                    event: "run.created",
+                    message: "Live local Codex TUI run created with one explicit opt-in actor."
+                },
+                {
+                    at: createdAt,
+                    event: "actor.selected",
+                    message: "Selected local codex-tui actor."
+                },
+                {
+                    at: runningAt,
+                    event: "actor.running",
+                    message: "Local Codex TUI actor is running; Observer data will refresh with sanitized evidence after completion."
+                }
+            ],
+            simulations: [
+                {
+                    id: simId,
+                    index: 1,
+                    personaId: selection.persona.id,
+                    scenarioId: selection.scenario.id,
+                    status: "running",
+                    streamKind: "tui",
+                    mode: "tui-sim",
+                    progress: 35,
+                    currentStep: "Local Codex TUI actor running",
+                    summary: "Local Codex TUI actor is running.",
+                    streamIds: [streamId],
+                    startedAt: createdAt,
+                    updatedAt: runningAt
+                }
+            ],
+            streams: [
+                {
+                    id: streamId,
+                    simId,
+                    kind: "tui",
+                    label: "Local Codex TUI actor",
+                    status: "running",
+                    transport: "pty",
+                    updatedAt: runningAt,
+                    embed: {
+                        kind: "terminal",
+                        title: "Local Codex TUI actor"
+                    },
+                    terminal: {
+                        title: "Local Codex TUI actor",
+                        format: "ansi",
+                        stdin: "sent",
+                        tail: "Codex TUI actor is running; sanitized transcript evidence will be linked after completion."
+                    },
+                    completion: {
+                        checkedAt: runningAt,
+                        reason: "actor process is still running",
+                        status: "running"
+                    },
+                    artifacts: [
+                        { label: "run bundle", path: "run.json", kind: "bundle" },
+                        { label: "review", path: "review.md", kind: "review" },
+                        { label: "event log", path: "events.ndjson", kind: "events" }
+                    ]
+                }
+            ],
+            events,
+            redaction: {
+                status: "passed",
+                notes: "Running TUI bundle contains no raw transcript yet; final actor output will be redacted before persistence."
+            },
+            artifacts: {
+                run: "run.json",
+                reviewJson: "review.json",
+                reviewMarkdown: "review.md",
+                observerData: "observer/observer-data.json",
+                events: "events.ndjson"
+            },
+            review: createLocalActorRunningReviewSummary("Codex TUI"),
+            feedbackCandidates: []
+        };
+        await writeRunBundleArtifacts(absoluteArtifactRoot, runningBundle);
+        await writeJson(path.join(options.cwd, ".mimetic", "runs", "latest.json"), {
+            schema: "mimetic.latest-run.v1",
+            runId,
+            path: artifactRoot,
+            updatedAt: runningAt
+        });
+        actor = await executeLocalActorCommand(command, {
+            cwd: options.cwd,
+            timeoutMs,
+            verdictNonce
+        });
+    }
+    const completedAt = new Date().toISOString();
+    const redactedTranscript = redactSensitiveText(actor.transcript);
+    const tail = tailText(redactedTranscript, 6_000);
+    const status = actor.status;
+    const verdictReason = actor.reason;
+    await writeFile(transcriptPath, redactedTranscript.length > 0 ? redactedTranscript : "No transcript output captured.\n", "utf8");
+    await writeJson(actorTracePath, {
+        schema: "mimetic.local-codex-tui-actor.v1",
+        actor: "codex-tui",
+        commandName: command.name,
+        promptDigest,
+        verdictNonce,
+        startedAt: createdAt,
+        completedAt,
+        durationMs: actor.durationMs,
+        exitCode: actor.exitCode,
+        signal: actor.signal,
+        status,
+        timeoutMs,
+        transcriptBytes: actor.transcriptBytes,
+        transcriptPath: "transcripts/codex-tui-sanitized.txt",
+        redaction: "passed"
+    });
+    await appendEvent("actor.observation", `Captured ${actor.transcriptBytes} output byte${actor.transcriptBytes === 1 ? "" : "s"}; sanitized transcript tail recorded with redaction=passed.`);
+    await appendEvent("actor.artifact", "Wrote sanitized Codex TUI transcript and actor trace artifacts under the ignored run directory.");
+    await appendEvent("actor.verdict", `Local Codex TUI actor verdict ${status}: ${verdictReason}`, status === "passed" ? "info" : status === "timed_out" ? "warn" : "error");
+    await appendEvent(status === "timed_out" ? "actor.timeout" : status === "blocked" && !trustPreflight.ok ? "actor.blocked" : "actor.exited", status === "timed_out"
+        ? `Actor timed out after ${timeoutMs}ms; last safe observation retained.`
+        : status === "blocked" && !trustPreflight.ok
+            ? "Actor launch was blocked by preflight before spawn."
+            : `Actor exited with code ${actor.exitCode ?? "null"}${actor.signal ? ` and signal ${actor.signal}` : ""}.`, status === "passed" ? "info" : "warn");
+    const bundle = {
+        schema: RUN_BUNDLE_SCHEMA,
+        runId,
+        mode: "live",
+        simCount: 1,
+        createdAt,
+        cwd: options.cwd,
+        artifactRoot,
+        source: {
+            packageName,
+            mimeticSource,
+            git: {
+                status: "not_captured",
+                note: "Source git state capture is planned for the core primitives slice."
+            }
+        },
+        persona: selection.persona,
+        scenario: selection.scenario,
+        lifecycle: [
+            {
+                at: createdAt,
+                event: "run.created",
+                message: "Live local Codex TUI run created with one explicit opt-in actor."
+            },
+            {
+                at: createdAt,
+                event: "actor.selected",
+                message: "Selected local codex-tui actor."
+            },
+            {
+                at: completedAt,
+                event: "review.skeleton.created",
+                message: "Created review skeleton from sanitized actor lifecycle evidence."
+            }
+        ],
+        simulations: [
+            {
+                id: simId,
+                index: 1,
+                personaId: selection.persona.id,
+                scenarioId: selection.scenario.id,
+                status,
+                streamKind: "tui",
+                mode: "tui-sim",
+                progress: 100,
+                currentStep: status === "passed" ? "Local Codex TUI actor completed" : "Local Codex TUI actor needs review",
+                summary: `Local Codex TUI actor ${status}: ${verdictReason}`,
+                streamIds: [streamId],
+                startedAt: createdAt,
+                updatedAt: completedAt
+            }
+        ],
+        streams: [
+            {
+                id: streamId,
+                simId,
+                kind: "tui",
+                label: "Local Codex TUI actor",
+                status,
+                transport: "pty",
+                updatedAt: completedAt,
+                embed: {
+                    kind: "terminal",
+                    title: "Local Codex TUI actor"
+                },
+                terminal: {
+                    title: "Local Codex TUI actor",
+                    format: "ansi",
+                    stdin: "sent",
+                    tail
+                },
+                completion: {
+                    checkedAt: completedAt,
+                    ...(actor.exitCode === undefined ? {} : { exitCode: actor.exitCode }),
+                    logTail: tail,
+                    reason: verdictReason,
+                    status
+                },
+                artifacts: [
+                    { label: "run bundle", path: "run.json", kind: "bundle" },
+                    { label: "review", path: "review.md", kind: "review" },
+                    { label: "event log", path: "events.ndjson", kind: "events" },
+                    { label: "sanitized transcript", path: "transcripts/codex-tui-sanitized.txt", kind: "log" },
+                    { label: "actor trace", path: "actor.json", kind: "trace" }
+                ]
+            }
+        ],
+        events,
+        redaction: {
+            status: "passed",
+            notes: "Actor output was redacted before transcript and bundle persistence; raw prompt is omitted from event log."
+        },
+        artifacts: {
+            run: "run.json",
+            reviewJson: "review.json",
+            reviewMarkdown: "review.md",
+            observerData: "observer/observer-data.json",
+            events: "events.ndjson"
+        },
+        review: createLocalActorReviewSummary("Codex TUI", status, verdictReason),
+        feedbackCandidates: []
+    };
+    await writeRunBundleArtifacts(absoluteArtifactRoot, bundle);
+    await writeJson(path.join(options.cwd, ".mimetic", "runs", "latest.json"), {
+        schema: "mimetic.latest-run.v1",
+        runId,
+        path: artifactRoot,
+        updatedAt: completedAt
+    });
+    return {
+        schema: "mimetic.run-result.v1",
+        ok: status === "passed",
+        runId,
+        mode: "live",
+        simCount: 1,
+        cwd: options.cwd,
+        artifactRoot,
+        bundlePath: path.join(artifactRoot, "run.json"),
+        reviewPath: path.join(artifactRoot, "review.md"),
+        latestPath: path.join(".mimetic", "runs", "latest.json"),
+        warnings,
+        ...(status === "passed"
+            ? {}
+            : {
+                error: {
+                    code: "MIMETIC_LOCAL_CODEX_TUI_FAILED",
+                    message: `Local Codex TUI actor ${status}: ${verdictReason}`
+                }
+            })
+    };
+}
+function buildLocalCodexExecBundle(args) {
+    return {
+        schema: RUN_BUNDLE_SCHEMA,
+        runId: args.runId,
+        mode: "live",
+        simCount: args.simCount,
+        createdAt: args.createdAt,
+        cwd: args.cwd,
+        artifactRoot: args.artifactRoot,
+        source: {
+            packageName: args.packageName,
+            mimeticSource: args.mimeticSource,
+            git: {
+                status: "not_captured",
+                note: "Source git state capture is planned for the core primitives slice."
+            }
+        },
+        persona: args.persona,
+        scenario: args.scenario,
+        lifecycle: args.lifecycle,
+        simulations: args.lanes.map((lane, index) => ({
+            id: lane.simId,
+            index: index + 1,
+            personaId: `codex-exec-${lane.focus.id}`,
+            scenarioId: args.scenario.id,
+            status: lane.status,
+            streamKind: "terminal",
+            mode: "cli-sim",
+            progress: lane.progress,
+            currentStep: lane.currentStep,
+            summary: lane.summary,
+            streamIds: [lane.streamId],
+            startedAt: args.createdAt,
+            updatedAt: lane.updatedAt
+        })),
+        streams: args.lanes.map((lane) => {
+            const artifacts = [
+                { label: "run bundle", path: "run.json", kind: "bundle" },
+                { label: "review", path: "review.md", kind: "review" },
+                { label: "event log", path: "events.ndjson", kind: "events" },
+                ...(lane.transcriptPath ? [{ label: "sanitized transcript", path: lane.transcriptPath, kind: "log" }] : []),
+                ...(lane.tracePath ? [{ label: "actor trace", path: lane.tracePath, kind: "trace" }] : [])
+            ];
+            return {
+                id: lane.streamId,
+                simId: lane.simId,
+                kind: "terminal",
+                label: `Local Codex exec - ${lane.focus.label}`,
+                status: lane.status,
+                transport: "snapshot",
+                updatedAt: lane.updatedAt,
+                embed: {
+                    kind: "terminal",
+                    title: `Local Codex exec - ${lane.focus.label}`
+                },
+                terminal: {
+                    title: `Local Codex exec - ${lane.focus.label}`,
+                    format: "plain",
+                    stdin: "sent",
+                    tail: lane.terminalTail
+                },
+                ...(lane.completion ? { completion: lane.completion } : {}),
+                artifacts
+            };
+        }),
+        events: args.events,
+        redaction: {
+            status: "passed",
+            notes: "Actor output was redacted before transcript and bundle persistence; raw prompt is omitted from event log."
+        },
+        artifacts: {
+            run: "run.json",
+            reviewJson: "review.json",
+            reviewMarkdown: "review.md",
+            observerData: "observer/observer-data.json",
+            events: "events.ndjson"
+        },
+        review: args.review,
+        feedbackCandidates: []
+    };
+}
+async function runLocalCodexExec(options) {
+    const warnings = [];
+    if (options.simCount > 4) {
+        return {
+            schema: "mimetic.run-result.v1",
+            ok: false,
+            cwd: options.cwd,
+            warnings,
+            error: {
+                code: "MIMETIC_ACTOR_FANOUT_UNIMPLEMENTED",
+                message: "Local Codex exec actor fanout is intentionally limited to --sims 4 in this slice."
+            }
+        };
+    }
+    const timeoutMs = normalizeActorTimeout(options.timeoutMs ?? readEnvInteger("MIMETIC_CODEX_ACTOR_TIMEOUT_MS") ?? LOCAL_CODEX_TUI_DEFAULT_TIMEOUT_MS);
+    if (timeoutMs === null) {
+        return {
+            schema: "mimetic.run-result.v1",
+            ok: false,
+            cwd: options.cwd,
+            warnings,
+            error: {
+                code: "MIMETIC_INVALID_TIMEOUT",
+                message: `--timeout-ms must be an integer between 1 and ${LOCAL_CODEX_TUI_MAX_TIMEOUT_MS}.`
+            }
+        };
+    }
+    const now = new Date();
+    const createdAt = now.toISOString();
+    const runId = options.runId ?? `codex-exec-${createdAt.replace(/[:.]/g, "-")}-${randomUUID().slice(0, 8)}`;
+    const artifactRoot = path.join(".mimetic", "runs", runId);
+    const absoluteArtifactRoot = path.join(options.cwd, artifactRoot);
+    const eventsPath = path.join(absoluteArtifactRoot, "events.ndjson");
+    const packageName = await readPackageName(options.cwd);
+    const mimeticSource = await directoryExists(path.join(options.cwd, "mimetic")) ? "present" : "missing";
+    const selection = await loadDryRunSelection(options.cwd, mimeticSource);
+    if (mimeticSource === "missing") {
+        warnings.push("Committed mimetic/ source was not found; using built-in synthetic local actor defaults.");
+    }
+    warnings.push(...selection.warnings);
+    const events = [];
+    const pushEvent = (type, message, level = "info", simId, streamId) => {
+        events.push({
+            id: `event-${String(events.length + 1).padStart(3, "0")}`,
+            at: new Date().toISOString(),
+            level,
+            type,
+            message,
+            ...(simId === undefined ? {} : { simId }),
+            ...(streamId === undefined ? {} : { streamId })
+        });
+    };
+    await mkdir(path.join(absoluteArtifactRoot, "transcripts"), { recursive: true });
+    await mkdir(path.join(absoluteArtifactRoot, "actors"), { recursive: true });
+    await mkdir(path.join(absoluteArtifactRoot, "observer"), { recursive: true });
+    await writeJson(path.join(options.cwd, ".mimetic", "runs", "latest.json"), {
+        schema: "mimetic.latest-run.v1",
+        runId,
+        path: artifactRoot,
+        updatedAt: createdAt
+    });
+    const lanes = Array.from({ length: options.simCount }, (_, index) => {
+        const focus = localCodexExecFocus(index);
+        const simId = `sim-${String(index + 1).padStart(2, "0")}`;
+        const streamId = `${simId}-codex-exec`;
+        const prompt = buildLocalCodexExecPrompt(selection, {
+            focus,
+            index: index + 1,
+            total: options.simCount
+        });
+        const promptDigest = digestText(prompt);
+        const command = resolveLocalCodexExecCommand(options.cwd, prompt, options.actorCommand);
+        pushEvent("actor.spawned", `Spawned local Codex exec actor lane ${index + 1}/${options.simCount} (${focus.label}) command ${command.name} in explicit opt-in mode.`, "info", simId, streamId);
+        pushEvent("actor.prompt.submitted", `Submitted bounded public-safe dogfood prompt digest ${promptDigest}; raw prompt omitted from event log.`, "info", simId, streamId);
+        return { command, focus, promptDigest, simId, streamId };
+    });
+    for (const lane of lanes) {
+        pushEvent("actor.running", "Published local Codex exec running snapshot for Observer polling.", "info", lane.simId, lane.streamId);
+    }
+    await writeFile(eventsPath, `${events.map((event) => JSON.stringify(event)).join("\n")}\n`, "utf8");
+    const baseLifecycle = [
+        {
+            at: createdAt,
+            event: "run.created",
+            message: `Live local Codex exec run created with ${options.simCount} explicit opt-in actor${options.simCount === 1 ? "" : "s"}.`
+        },
+        {
+            at: createdAt,
+            event: "actor.selected",
+            message: "Selected local codex-exec actor."
+        }
+    ];
+    const runningAt = new Date().toISOString();
+    const runningBundle = buildLocalCodexExecBundle({
+        runId,
+        simCount: options.simCount,
+        createdAt,
+        cwd: options.cwd,
+        artifactRoot,
+        packageName,
+        mimeticSource,
+        persona: selection.persona,
+        scenario: selection.scenario,
+        lifecycle: [
+            ...baseLifecycle,
+            {
+                at: runningAt,
+                event: "actor.running",
+                message: "Local Codex exec actor lanes are running; Observer data will refresh as sanitized evidence arrives."
+            }
+        ],
+        lanes: lanes.map((lane) => ({
+            focus: lane.focus,
+            simId: lane.simId,
+            streamId: lane.streamId,
+            status: "running",
+            progress: 35,
+            currentStep: "Local Codex exec actor running",
+            summary: `Local Codex exec actor ${lane.focus.label} is running.`,
+            terminalTail: "Codex exec actor is running; sanitized transcript evidence will be linked after completion.",
+            updatedAt: runningAt,
+            completion: {
+                checkedAt: runningAt,
+                reason: "actor process is still running",
+                status: "running"
+            }
+        })),
+        events,
+        review: createLocalActorRunningReviewSummary(options.simCount === 1 ? "Codex exec" : "Codex exec fanout")
+    });
+    await writeRunBundleArtifacts(absoluteArtifactRoot, runningBundle);
+    const laneResults = await Promise.all(lanes.map(async (lane) => {
+        const actor = await executeLocalActorCommand(lane.command, {
+            cwd: options.cwd,
+            timeoutMs
+        });
+        const redactedTranscript = redactSensitiveText(actor.transcript);
+        const tail = tailText(redactedTranscript, 6_000);
+        const transcriptPath = options.simCount === 1
+            ? "transcripts/codex-exec-sanitized.jsonl"
+            : `transcripts/${lane.streamId}-sanitized.jsonl`;
+        const tracePath = options.simCount === 1 ? "actor.json" : `actors/${lane.streamId}.json`;
+        await writeFile(path.join(absoluteArtifactRoot, transcriptPath), redactedTranscript.length > 0 ? redactedTranscript : "No transcript output captured.\n", "utf8");
+        await writeJson(path.join(absoluteArtifactRoot, tracePath), {
+            schema: "mimetic.local-codex-exec-actor.v1",
+            actor: "codex-exec",
+            commandName: lane.command.name,
+            focusId: lane.focus.id,
+            promptDigest: lane.promptDigest,
+            startedAt: createdAt,
+            completedAt: new Date().toISOString(),
+            durationMs: actor.durationMs,
+            exitCode: actor.exitCode,
+            signal: actor.signal,
+            status: actor.status,
+            timeoutMs,
+            transcriptBytes: actor.transcriptBytes,
+            transcriptPath,
+            redaction: "passed"
+        });
+        return {
+            actor,
+            command: lane.command,
+            focus: lane.focus,
+            promptDigest: lane.promptDigest,
+            simId: lane.simId,
+            streamId: lane.streamId,
+            tail,
+            tracePath,
+            transcriptPath
+        };
+    }));
+    const completedAt = new Date().toISOString();
+    const laneStatuses = laneResults.map((result) => result.actor.status);
+    const status = aggregateActorStatus(laneStatuses);
+    const verdictReason = options.simCount === 1
+        ? laneResults[0]?.actor.reason ?? "actor did not return a result"
+        : summarizeExecFanout(laneStatuses);
+    for (const result of laneResults) {
+        pushEvent("actor.observation", `Captured ${result.actor.transcriptBytes} output byte${result.actor.transcriptBytes === 1 ? "" : "s"}; sanitized transcript tail recorded with redaction=passed.`, "info", result.simId, result.streamId);
+        pushEvent("actor.artifact", "Wrote sanitized Codex exec transcript and actor trace artifacts under the ignored run directory.", "info", result.simId, result.streamId);
+        pushEvent("actor.verdict", `Local Codex exec actor lane ${result.focus.label} verdict ${result.actor.status}: ${result.actor.reason}`, result.actor.status === "passed" ? "info" : result.actor.status === "timed_out" ? "warn" : "error", result.simId, result.streamId);
+        pushEvent(result.actor.status === "timed_out" ? "actor.timeout" : "actor.exited", result.actor.status === "timed_out"
+            ? `Actor timed out after ${timeoutMs}ms; last safe observation retained.`
+            : `Actor exited with code ${result.actor.exitCode ?? "null"}${result.actor.signal ? ` and signal ${result.actor.signal}` : ""}.`, result.actor.status === "passed" ? "info" : "warn", result.simId, result.streamId);
+    }
+    await writeFile(eventsPath, `${events.map((event) => JSON.stringify(event)).join("\n")}\n`, "utf8");
+    const bundle = buildLocalCodexExecBundle({
+        runId,
+        simCount: options.simCount,
+        createdAt,
+        cwd: options.cwd,
+        artifactRoot,
+        packageName,
+        mimeticSource,
+        persona: selection.persona,
+        scenario: selection.scenario,
+        lifecycle: [
+            ...baseLifecycle,
+            {
+                at: completedAt,
+                event: "review.skeleton.created",
+                message: "Created review skeleton from sanitized actor lifecycle evidence."
+            }
+        ],
+        lanes: laneResults.map((result) => ({
+            focus: result.focus,
+            simId: result.simId,
+            streamId: result.streamId,
+            status: result.actor.status,
+            progress: 100,
+            currentStep: result.actor.status === "passed" ? "Local Codex exec actor completed" : "Local Codex exec actor needs review",
+            summary: `Local Codex exec actor ${result.focus.label} ${result.actor.status}: ${result.actor.reason}`,
+            terminalTail: result.tail,
+            updatedAt: completedAt,
+            transcriptPath: result.transcriptPath,
+            tracePath: result.tracePath,
+            completion: {
+                checkedAt: completedAt,
+                ...(result.actor.exitCode === undefined ? {} : { exitCode: result.actor.exitCode }),
+                logTail: result.tail,
+                reason: result.actor.reason,
+                status: result.actor.status
+            }
+        })),
+        events,
+        review: createLocalActorReviewSummary(options.simCount === 1 ? "Codex exec" : "Codex exec fanout", status, verdictReason)
+    });
+    await writeRunBundleArtifacts(absoluteArtifactRoot, bundle);
+    return {
+        schema: "mimetic.run-result.v1",
+        ok: status === "passed",
+        runId,
+        mode: "live",
+        simCount: options.simCount,
+        cwd: options.cwd,
+        artifactRoot,
+        bundlePath: path.join(artifactRoot, "run.json"),
+        reviewPath: path.join(artifactRoot, "review.md"),
+        latestPath: path.join(".mimetic", "runs", "latest.json"),
+        warnings,
+        ...(status === "passed"
+            ? {}
+            : {
+                error: {
+                    code: "MIMETIC_LOCAL_CODEX_EXEC_FAILED",
+                    message: `Local Codex exec actor ${status}: ${verdictReason}`
+                }
+            })
+    };
+}
 function buildSyntheticObserverFixtures(args) {
     const templates = [
         {
             kind: "ui",
-            mode: "ui-sim",
+            mode: "browser-sim",
             label: "UI journey",
             currentStep: "Route and viewport contract captured",
-            summary: "UI sim lane reserved for browser/VNC playback, screenshots, route state, and interaction trace.",
+            summary: "Browser lane reserved for VNC playback, screenshots, route state, and interaction trace.",
             tail: "open target app\nresolve first-run route\ncapture viewport state\nrecord interaction trace",
             viewport: { width: 1440, height: 960, deviceScaleFactor: 1 }
         },
@@ -193,7 +918,7 @@ function buildSyntheticObserverFixtures(args) {
         },
         {
             kind: "codex-ui",
-            mode: "codex-ui-sim",
+            mode: "codex-app-sim",
             label: "Codex UI",
             currentStep: "App-server embed contract captured",
             summary: "Codex UI lane reserved for app-server sessions that can be watched beside terminal evidence.",
@@ -307,6 +1032,481 @@ function streamTransport(kind) {
         return "polling";
     return "snapshot";
 }
+function resolveLocalCodexTuiCommand(cwd, prompt, overrideCommand) {
+    const envCommand = process.env.MIMETIC_CODEX_ACTOR_COMMAND;
+    const commandParts = overrideCommand && overrideCommand.length > 0
+        ? overrideCommand
+        : envCommand
+            ? parseCommandLine(envCommand)
+            : defaultLocalCodexTuiCommand(cwd, prompt);
+    const [command, ...args] = commandParts;
+    if (!command) {
+        const [fallbackCommand, ...fallbackArgs] = defaultLocalCodexTuiCommand(cwd, prompt);
+        return {
+            command: fallbackCommand ?? "codex",
+            args: fallbackArgs,
+            name: fallbackCommand ? path.basename(fallbackCommand) : "codex"
+        };
+    }
+    return {
+        command,
+        args,
+        name: path.basename(command)
+    };
+}
+function defaultLocalCodexTuiCommand(cwd, prompt) {
+    const codexParts = [
+        "codex",
+        "--no-alt-screen",
+        "-C",
+        cwd,
+        "--sandbox",
+        "read-only",
+        "--ask-for-approval",
+        "never",
+        prompt
+    ];
+    if (process.platform === "linux") {
+        return ["script", "-qfec", shellJoin(codexParts), "/dev/null"];
+    }
+    return codexParts;
+}
+function resolveLocalCodexExecCommand(cwd, prompt, overrideCommand) {
+    const envCommand = process.env.MIMETIC_CODEX_ACTOR_COMMAND;
+    const commandParts = overrideCommand && overrideCommand.length > 0
+        ? overrideCommand
+        : envCommand
+            ? parseCommandLine(envCommand)
+            : defaultLocalCodexExecCommand(cwd, prompt);
+    const [command, ...args] = commandParts;
+    if (!command) {
+        const [fallbackCommand, ...fallbackArgs] = defaultLocalCodexExecCommand(cwd, prompt);
+        return {
+            command: fallbackCommand ?? "codex",
+            args: fallbackArgs,
+            name: fallbackCommand ? path.basename(fallbackCommand) : "codex"
+        };
+    }
+    return {
+        command,
+        args,
+        name: path.basename(command)
+    };
+}
+function defaultLocalCodexExecCommand(cwd, prompt) {
+    return [
+        "codex",
+        "exec",
+        "--skip-git-repo-check",
+        "--ignore-rules",
+        "--ephemeral",
+        "-C",
+        cwd,
+        "--sandbox",
+        "read-only",
+        "--json",
+        prompt
+    ];
+}
+function executeLocalActorCommand(command, options) {
+    const startedAt = Date.now();
+    let transcript = "";
+    let transcriptBytes = 0;
+    let terminalQueryBuffer = "";
+    let observedMarkerStatus = null;
+    let stoppingAfterMarker = false;
+    let timedOut = false;
+    let settled = false;
+    let timer;
+    let markerKillTimer;
+    return new Promise((resolve) => {
+        const finish = (result) => {
+            if (settled) {
+                return;
+            }
+            settled = true;
+            clearTimeout(timer);
+            clearTimeout(markerKillTimer);
+            const normalizedTranscript = normalizeLocalActorTranscript(transcript);
+            resolve({
+                ...result,
+                durationMs: Date.now() - startedAt,
+                transcript: redactSensitiveText(normalizedTranscript),
+                transcriptBytes
+            });
+        };
+        const child = spawn(command.command, command.args, {
+            cwd: options.cwd,
+            env: {
+                ...process.env,
+                TERM: process.env.TERM ?? "xterm-256color",
+                COLUMNS: process.env.COLUMNS ?? "120",
+                LINES: process.env.LINES ?? "40",
+                ...(options.verdictNonce ? { MIMETIC_ACTOR_VERDICT_NONCE: options.verdictNonce } : {})
+            },
+            stdio: ["pipe", "pipe", "pipe"]
+        });
+        timer = setTimeout(() => {
+            timedOut = true;
+            child.kill("SIGTERM");
+            setTimeout(() => {
+                if (timedOut) {
+                    child.kill("SIGKILL");
+                }
+            }, 2_000).unref();
+        }, options.timeoutMs);
+        timer.unref();
+        const capture = (chunk) => {
+            transcriptBytes += chunk.byteLength;
+            transcript = limitTranscript(transcript + chunk.toString("utf8"));
+            terminalQueryBuffer = respondToTerminalQueries(terminalQueryBuffer, chunk, child.stdin);
+            const markerStatus = observedMarkerStatus ?? extractLocalActorVerdict(normalizeLocalActorTranscript(transcript), options.verdictNonce);
+            if (markerStatus && !observedMarkerStatus) {
+                observedMarkerStatus = markerStatus;
+                stoppingAfterMarker = true;
+                child.kill("SIGTERM");
+                markerKillTimer = setTimeout(() => {
+                    child.kill("SIGKILL");
+                }, 2_000);
+                markerKillTimer.unref();
+            }
+        };
+        child.stdout?.on("data", capture);
+        child.stderr?.on("data", capture);
+        child.once("error", (error) => {
+            finish({
+                status: "blocked",
+                reason: `actor command could not start: ${error.message}`
+            });
+        });
+        child.once("close", (code, signal) => {
+            if (timedOut || (Date.now() - startedAt >= options.timeoutMs && code === null)) {
+                timedOut = false;
+                finish({
+                    status: "timed_out",
+                    reason: `actor exceeded ${options.timeoutMs}ms timeout`,
+                    ...(signal === null ? {} : { signal })
+                });
+                return;
+            }
+            const markerStatus = observedMarkerStatus ?? extractLocalActorVerdict(normalizeLocalActorTranscript(transcript), options.verdictNonce);
+            const processFailed = code !== 0 && !(stoppingAfterMarker && markerStatus);
+            const status = processFailed
+                ? markerStatus === "blocked" ? "blocked" : "failed"
+                : markerStatus ?? "passed";
+            finish({
+                status,
+                reason: processFailed
+                    ? markerStatus === "blocked"
+                        ? `actor reported blocked verdict marker and exited with code ${code ?? "null"}`
+                        : `actor process exited with code ${code ?? "null"}`
+                    : markerStatus
+                        ? `actor reported ${markerStatus} verdict marker`
+                        : "actor process exited successfully",
+                ...(code === null ? {} : { exitCode: code }),
+                ...(signal === null ? {} : { signal })
+            });
+        });
+    });
+}
+function respondToTerminalQueries(currentBuffer, chunk, stdin) {
+    if (!stdin || !stdin.writable) {
+        return "";
+    }
+    let buffer = `${currentBuffer}${chunk.toString("latin1")}`;
+    while (true) {
+        const cprIndex = buffer.indexOf("\x1b[6n");
+        const oscMatch = /\x1b\](10|11|12);\?(?:\x07|\x1b\\)/.exec(buffer);
+        const oscIndex = oscMatch?.index ?? -1;
+        if (cprIndex === -1 && oscIndex === -1) {
+            break;
+        }
+        if (cprIndex !== -1 && (oscIndex === -1 || cprIndex < oscIndex)) {
+            stdin.write("\x1b[24;120R");
+            buffer = buffer.slice(cprIndex + "\x1b[6n".length);
+            continue;
+        }
+        const colorSlot = oscMatch?.[1] ?? "10";
+        stdin.write(terminalColorResponse(colorSlot));
+        buffer = buffer.slice((oscIndex === -1 ? 0 : oscIndex) + (oscMatch?.[0].length ?? 0));
+    }
+    return buffer.slice(-128);
+}
+function terminalColorResponse(slot) {
+    if (slot === "11") {
+        return "\x1b]11;rgb:0000/0000/0000\x07";
+    }
+    return `\x1b]${slot};rgb:ffff/ffff/ffff\x07`;
+}
+function normalizeLocalActorTranscript(transcript) {
+    return transcript
+        .replace(/\x1b\][^\x07]*(?:\x07|\x1b\\)/g, "")
+        .replace(/\x1b\[[0-?]*[ -/]*[@-~]/g, "")
+        .replace(/\x1b[78=>]/g, "")
+        .replace(/\r\n/g, "\n")
+        .replace(/\r/g, "\n")
+        .replace(/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/g, "");
+}
+function extractLocalActorVerdict(transcript, verdictNonce) {
+    const compactTranscript = transcript.replace(/\s+/g, "");
+    const match = verdictNonce
+        ? new RegExp(`MIMETIC_ACTOR_VERDICT=(passed|blocked|failed)MIMETIC_ACTOR_NONCE=${escapeRegExp(verdictNonce)}`, "i").exec(compactTranscript)
+        : /MIMETIC_ACTOR_VERDICT=(passed|blocked|failed)/i.exec(compactTranscript);
+    if (!match) {
+        return null;
+    }
+    return match[1]?.toLowerCase();
+}
+async function checkCodexWorkspaceTrust(cwd) {
+    if (process.env.MIMETIC_SKIP_CODEX_TRUST_PREFLIGHT === "1") {
+        return { ok: true };
+    }
+    const trustRoot = await detectCodexTrustRoot(cwd);
+    if (!trustRoot) {
+        return { ok: true };
+    }
+    const configPath = path.join(process.env.CODEX_HOME ?? path.join(os.homedir(), ".codex"), "config.toml");
+    const configText = await readTextIfExists(configPath);
+    if (configText && codexConfigTrustsProject(configText, trustRoot)) {
+        return { ok: true };
+    }
+    return {
+        ok: false,
+        trustRoot,
+        message: `Codex workspace trust preflight blocked local TUI launch; trust root is not explicitly trusted as an exact Codex project root: ${trustRoot}`,
+        recoveryCommand: `codex --no-alt-screen -C ${shellQuote(trustRoot)}`
+    };
+}
+async function detectCodexTrustRoot(cwd) {
+    const worktreeRoot = await findGitWorktreeRoot(cwd);
+    if (!worktreeRoot) {
+        return null;
+    }
+    const dotGitPath = path.join(worktreeRoot, ".git");
+    if (await directoryExists(dotGitPath)) {
+        return worktreeRoot;
+    }
+    const gitFile = await readTextIfExists(dotGitPath);
+    if (!gitFile?.startsWith("gitdir:")) {
+        return worktreeRoot;
+    }
+    const gitDir = gitFile.slice("gitdir:".length).trim();
+    const absoluteGitDir = path.isAbsolute(gitDir) ? gitDir : path.resolve(worktreeRoot, gitDir);
+    const commonDirText = await readTextIfExists(path.join(absoluteGitDir, "commondir"));
+    if (!commonDirText) {
+        return worktreeRoot;
+    }
+    const commonDir = commonDirText.trim();
+    const absoluteCommonDir = path.resolve(absoluteGitDir, commonDir);
+    return path.basename(absoluteCommonDir) === ".git" ? path.dirname(absoluteCommonDir) : worktreeRoot;
+}
+async function findGitWorktreeRoot(cwd) {
+    let current = path.resolve(cwd);
+    while (true) {
+        if (await fileExists(path.join(current, ".git")) || await directoryExists(path.join(current, ".git"))) {
+            return current;
+        }
+        const parent = path.dirname(current);
+        if (parent === current) {
+            return null;
+        }
+        current = parent;
+    }
+}
+function codexConfigTrustsProject(configText, trustRoot) {
+    const sectionPattern = /^\[projects\."((?:\\.|[^"\\])*)"\]\s*$/gm;
+    let sectionMatch;
+    while ((sectionMatch = sectionPattern.exec(configText)) !== null) {
+        const projectPath = unescapeTomlString(sectionMatch[1] ?? "");
+        const afterSection = configText.slice(sectionMatch.index + sectionMatch[0].length);
+        const nextSectionIndex = afterSection.search(/^\[/m);
+        const sectionBody = nextSectionIndex === -1 ? afterSection : afterSection.slice(0, nextSectionIndex);
+        if (/^trust_level\s*=\s*"trusted"\s*$/m.test(sectionBody) && isSamePath(projectPath, trustRoot)) {
+            return true;
+        }
+    }
+    return false;
+}
+function unescapeTomlString(value) {
+    return value.replace(/\\(["\\])/g, "$1");
+}
+function isSamePath(candidatePath, targetPath) {
+    const candidate = path.resolve(candidatePath);
+    const target = path.resolve(targetPath);
+    return candidate === target;
+}
+function normalizeActorTimeout(value) {
+    if (!Number.isInteger(value) || value === undefined || value < 1 || value > LOCAL_CODEX_TUI_MAX_TIMEOUT_MS) {
+        return null;
+    }
+    return value;
+}
+function readEnvInteger(name) {
+    const value = process.env[name];
+    if (value === undefined || value.trim() === "") {
+        return undefined;
+    }
+    return /^\d+$/.test(value) ? Number.parseInt(value, 10) : Number.NaN;
+}
+function buildLocalCodexTuiPrompt(selection, verdictNonce) {
+    return [
+        "You are a Mimetic local Codex TUI dogfood actor.",
+        `Persona: ${selection.persona.name}.`,
+        `Scenario: ${selection.scenario.title}.`,
+        "Inspect this public repository's Mimetic setup, run evidence, and Observer affordances.",
+        "Run at most two read-only inspection commands; prefer file reads, `node dist/cli.js --help`, or `pnpm typecheck` when available.",
+        "Do not run commands that write runtime artifacts or temp config, including `pnpm mimetic`, `mimetic watch`, `mimetic feedback`, `mimetic init`, tests, builds, installs, or commands that write `.mimetic/`.",
+        "If the strongest proof would require writes in this read-only sandbox, inspect existing artifacts instead and name the write-required proof as a follow-up.",
+        "Use passed when read-only inspection confirms the committed harness and existing evidence contract; write-required follow-ups alone are not blockers.",
+        "Do not print secrets, do not commit, do not push, do not open GitHub issues, and do not use private data.",
+        "Finish by summarizing one public-safe harness improvement.",
+        `Then print exactly one final machine-readable line in this format: MIMETIC_ACTOR_VERDICT=<status> MIMETIC_ACTOR_NONCE=${verdictNonce}.`,
+        "Replace <status> with exactly one lowercase word: passed, blocked, or failed."
+    ].join(" ");
+}
+function localCodexExecFocus(index) {
+    const focuses = [
+        {
+            id: "install-readability",
+            label: "install/readability",
+            instruction: "audit whether a new user can understand the committed Mimetic dogfood setup quickly",
+            suggestedCommands: [
+                "test -r mimetic/README.md && sed -n '1,40p' mimetic/README.md",
+                "test -r mimetic/config.ts && wc -l mimetic/config.ts"
+            ]
+        },
+        {
+            id: "public-safety-trust",
+            label: "public-safety/trust",
+            instruction: "check the local actor boundaries, public-safety claims, and trust-bootstrap language",
+            suggestedCommands: [
+                "test -r mimetic/coverage-map.md && sed -n '1,80p' mimetic/coverage-map.md",
+                "test -r docs/architecture/local-codex-tui-actor.md && sed -n '1,80p' docs/architecture/local-codex-tui-actor.md"
+            ]
+        },
+        {
+            id: "observer-evidence",
+            label: "Observer/evidence",
+            instruction: "inspect whether run evidence and Observer expectations are easy to verify",
+            suggestedCommands: [
+                "test -r mimetic/coverage-matrix.md && sed -n '1,80p' mimetic/coverage-matrix.md",
+                "test -r mimetic/scenarios/onboarding-regression.yaml && sed -n '1,120p' mimetic/scenarios/onboarding-regression.yaml"
+            ]
+        },
+        {
+            id: "verification-release",
+            label: "verification/release",
+            instruction: "inspect the verification and release-gate promises exposed to local dogfood actors",
+            suggestedCommands: [
+                "test -r package.json && node -e \"const p=require('./package.json'); console.log(p.scripts.check); console.log(p.scripts['public-surface:scan']);\"",
+                "test -r mimetic/README.md && sed -n '1,80p' mimetic/README.md"
+            ]
+        }
+    ];
+    return focuses[index % focuses.length] ?? focuses[0];
+}
+function aggregateActorStatus(statuses) {
+    if (statuses.includes("failed"))
+        return "failed";
+    if (statuses.includes("timed_out"))
+        return "timed_out";
+    if (statuses.includes("blocked"))
+        return "blocked";
+    return statuses.length > 0 && statuses.every((status) => status === "passed") ? "passed" : "failed";
+}
+function summarizeExecFanout(statuses) {
+    if (statuses.length === 1) {
+        return statuses[0] === "passed" ? "actor process exited successfully" : `actor lane ${statuses[0]}`;
+    }
+    const counts = statuses.reduce((current, status) => ({ ...current, [status]: current[status] + 1 }), { passed: 0, failed: 0, blocked: 0, timed_out: 0 });
+    const summary = Object.keys(counts)
+        .filter((status) => counts[status] > 0)
+        .map((status) => `${counts[status]} ${status}`)
+        .join(", ");
+    return statuses.every((status) => status === "passed")
+        ? `all ${statuses.length} Codex exec lanes passed`
+        : `${statuses.length} Codex exec lanes completed with ${summary}`;
+}
+function buildLocalCodexExecPrompt(selection, lane) {
+    const suggestedCommands = lane?.focus.suggestedCommands ?? [
+        "test -r mimetic/config.ts && wc -l mimetic/config.ts",
+        "test -r mimetic/README.md && sed -n '1,40p' mimetic/README.md"
+    ];
+    return [
+        "You are a Mimetic local Codex exec dogfood actor running noninteractively.",
+        `Persona: ${selection.persona.name}.`,
+        `Scenario: ${selection.scenario.title}.`,
+        ...(lane ? [`Fanout lane ${lane.index}/${lane.total}. Focus: ${lane.focus.instruction}.`] : []),
+        "Run at most two read-only local inspection commands.",
+        `Suggested commands: \`${suggestedCommands[0]}\` and \`${suggestedCommands[1]}\`.`,
+        "Do not edit files, do not run network commands, do not commit, do not push, do not open GitHub issues, and do not print secrets.",
+        "Do not inspect additional files unless one suggested command fails.",
+        "Finish within three sentences with exactly one public-safe verdict line using passed, blocked, or failed."
+    ].join(" ");
+}
+function parseCommandLine(input) {
+    const tokens = [];
+    let current = "";
+    let quote = null;
+    let escaping = false;
+    for (const char of input.trim()) {
+        if (escaping) {
+            current += char;
+            escaping = false;
+            continue;
+        }
+        if (char === "\\" && quote !== "'") {
+            escaping = true;
+            continue;
+        }
+        if (quote) {
+            if (char === quote) {
+                quote = null;
+            }
+            else {
+                current += char;
+            }
+            continue;
+        }
+        if (char === "\"" || char === "'") {
+            quote = char;
+            continue;
+        }
+        if (/\s/.test(char)) {
+            if (current !== "") {
+                tokens.push(current);
+                current = "";
+            }
+            continue;
+        }
+        current += char;
+    }
+    if (current !== "") {
+        tokens.push(current);
+    }
+    return quote ? [] : tokens;
+}
+function shellJoin(parts) {
+    return parts.map(shellQuote).join(" ");
+}
+function shellQuote(value) {
+    if (/^[A-Za-z0-9_/:=.,@%+-]+$/.test(value)) {
+        return value;
+    }
+    return `'${value.replace(/'/g, "'\\''")}'`;
+}
+function limitTranscript(value) {
+    if (value.length <= LOCAL_ACTOR_TRANSCRIPT_MAX_CHARS) {
+        return value;
+    }
+    return `[...sanitized transcript truncated to last ${LOCAL_ACTOR_TRANSCRIPT_MAX_CHARS} characters...]\n${value.slice(-LOCAL_ACTOR_TRANSCRIPT_MAX_CHARS)}`;
+}
+function tailText(value, maxChars) {
+    if (value.length <= maxChars) {
+        return value;
+    }
+    return value.slice(-maxChars);
+}
 function normalizeSimCount(value) {
     if (value === undefined) {
         return 1;
@@ -490,6 +1690,41 @@ function createReviewSummary() {
         ]
     };
 }
+function createLocalActorRunningReviewSummary(actorLabel) {
+    return {
+        schema: REVIEW_SCHEMA,
+        verdict: "contract_proof_only",
+        summary: `Live local ${actorLabel} actor is running. This is an in-progress Observer snapshot; final verdict will be written after sanitized actor evidence is captured.`,
+        gaps: [
+            "Final actor verdict and transcript artifacts are not available until the run completes.",
+            "Live Observer follow depends on polling observer/observer-data.json while this run is active.",
+            "No GitHub mutation, target OSS mutation, E2B substrate, or production data is used by this local actor contract."
+        ]
+    };
+}
+function createLocalActorReviewSummary(actorLabel, status, reason) {
+    const verdict = status === "passed"
+        ? "pass"
+        : status === "timed_out"
+            ? "timed_out"
+            : status === "blocked"
+                ? "blocked"
+                : "fail";
+    const isTui = actorLabel.toLowerCase().includes("tui");
+    const isFanout = actorLabel.toLowerCase().includes("fanout");
+    return {
+        schema: REVIEW_SCHEMA,
+        verdict,
+        summary: `Live local ${actorLabel} actor ${status}: ${reason}. This proves the local actor lifecycle and sanitized evidence path${isFanout ? " across requested fanout lanes" : ""}, not target product behavior.`,
+        gaps: [
+            isTui
+                ? "Only one local Codex TUI actor is supported in this slice."
+                : "Codex TUI trust bootstrap, PTY rendering, and keyboard-focus proof remain separate from the noninteractive exec actor.",
+            "Live follow uses polling Observer snapshots; raw interactive terminal streaming remains a follow-up hardening step.",
+            "No GitHub mutation, target OSS mutation, E2B substrate, or production data was used by this local actor contract."
+        ]
+    };
+}
 async function loadDryRunSelection(cwd, mimeticSource) {
     const warnings = [];
     if (mimeticSource === "missing") {
@@ -531,10 +1766,12 @@ async function loadDryRunSelection(cwd, mimeticSource) {
     };
 }
 function renderReviewMarkdown(bundle) {
-    return `# Mimetic Dry-Run Review
+    return `# Mimetic Run Review
 
 Run: ${bundle.runId}
 
+Mode: ${bundle.mode}
+
 Verdict: ${bundle.review.verdict}
 
 ${bundle.review.summary}
@@ -607,6 +1844,13 @@ async function readTextIfExists(filePath) {
 async function writeJson(filePath, value) {
     await writeFile(filePath, `${JSON.stringify(value, null, 2)}\n`, "utf8");
 }
+async function writeRunBundleArtifacts(absoluteArtifactRoot, bundle) {
+    await writeJson(path.join(absoluteArtifactRoot, "run.json"), bundle);
+    await writeJson(path.join(absoluteArtifactRoot, "review.json"), bundle.review);
+    await writeFile(path.join(absoluteArtifactRoot, "review.md"), renderReviewMarkdown(bundle), "utf8");
+    await mkdir(path.join(absoluteArtifactRoot, "observer"), { recursive: true });
+    await writeJson(path.join(absoluteArtifactRoot, "observer", "observer-data.json"), buildObserverData(bundle));
+}
 async function validateCwd(cwd) {
     try {
         const stats = await stat(cwd);
@@ -653,11 +1897,17 @@ async function fileExists(filePath) {
 function containsSensitivePattern(text) {
     return sensitivePatterns.some((pattern) => pattern.test(text));
 }
+function redactSensitiveText(text) {
+    return sensitivePatterns.reduce((current, pattern) => {
+        const flags = pattern.flags.includes("g") ? pattern.flags : `${pattern.flags}g`;
+        return current.replace(new RegExp(pattern.source, flags), "[REDACTED_SECRET]");
+    }, text);
+}
 function isRunBundle(value) {
     return isRecord(value)
         && value.schema === RUN_BUNDLE_SCHEMA
         && typeof value.runId === "string"
-        && value.mode === "dry-run"
+        && (value.mode === "dry-run" || value.mode === "live")
         && typeof value.createdAt === "string"
         && isRecord(value.review)
         && isReviewSummary(value.review)
@@ -667,7 +1917,11 @@ function isRunBundle(value) {
 function isReviewSummary(value) {
     return isRecord(value)
         && value.schema === REVIEW_SCHEMA
-        && value.verdict === "contract_proof_only"
+        && (value.verdict === "contract_proof_only"
+            || value.verdict === "pass"
+            || value.verdict === "fail"
+            || value.verdict === "blocked"
+            || value.verdict === "timed_out")
         && typeof value.summary === "string"
         && Array.isArray(value.gaps)
         && value.gaps.every((gap) => typeof gap === "string");