openhermes 4.3.0 → 4.9.2

package/CONTEXT.md

@@ -8,6 +8,15 @@
 **Instruction** — Markdown loaded through `AGENTS.md` or `opencode.json` instructions.
 **Bootstrap** — The first-message context injected by the OpenHermes plugin.
 
+### Confidence Gate Terms
+**Confidence Gate** — Phase 0.5 protocol in the autopilot loop that evaluates signal strength before routing. Bounded to 1 conversational exchange max.
+**Confidence Level** — One of HIGH, MEDIUM, LOW, derived from signal axis evaluation.
+**Transparent Gate** — HIGH confidence behavior: zero conversational overhead, proceed directly to Auto-Classify.
+**Echo Gate** — MEDIUM confidence behavior: one-liner echo to confirm understanding, then classify.
+**Question Gate** — LOW confidence behavior: one targeted question, then classify. Fallback to oh-planner on no answer.
+**1 Exchange** — One user response to one orchestrator prompt. The gate is bounded to exactly 0 (HIGH) or 1 (MEDIUM/LOW) exchanges.
+**Signal** — Evidence in user input used to evaluate confidence across 6 axes (domain vocabulary, deliverable clarity, scope, ambiguity, file reference, domain count).
+
 ## Relationships
 - OpenHermes contains many Skills, Commands, Agents, and Instructions.
 - Skills are invoked on demand.

package/README.md

@@ -1,7 +1,7 @@
 <p align="center">
   <h1 align="center">⟳ OpenHermes</h1>
-  <p align="center"><b>Closed loop. Zero permission.</b><br>
-  <i>The AI orchestrator that never asks "should I continue?" — it just routes.</i></p>
+  <p align="center"><b>Pragmatic. Task-focused. Concise.</b><br>
+  <i>The AI orchestrator that never stalls — it classifies, delegates, and routes.</i></p>
 </p>
 
 <p align="center">
@@ -17,7 +17,7 @@
 
 OpenHermes doesn't.
 
-Drop it into OpenCode. Get a self-driving pipeline: auto-classify every request, delegate to specialists, route results automatically. No "can I?", no "shall I?", no "what next?" — just execution until the job is done.
+Drop it into OpenCode. Get a closed-loop pipeline: auto-classify every request, delegate to specialists, route results automatically. No "can I?", no "shall I?", no "what next?" — just concise execution until the job is done.
 
 ```json
 { "plugin": ["openhermes@git+https://github.com/nathwn12/openhermes.git"] }
@@ -55,12 +55,20 @@ One sentence. Nine automated steps. Each skill loaded on demand, executed in iso
 
 ---
 
-### Three safety layers
+### Four safety layers
 
 The loop runs unsupervised because these never turn off:
 
-- **🔁 Loop Guard** — stops if the same skill fires 3+ times or 5+ hops produce no progress
+- **🔁 Loop Guard** — stops if the same skill fires 5+ times or 8+ hops produce no progress
 - **❓ Question Gate** — never routes into uncertainty; surfaces if input is missing
+- **💬 Confidence Gate** — calibrates whether to skip, echo, or ask before classifying
+
+```
+  HIGH  ──→ classify silently (transparent gate)
+  MEDIUM ──→ echo + confirm, then classify
+  LOW   ──→ ask + classify (defaults to oh-planner)
+```
+
 - **📋 Auto-Handoff** — writes a structured session artifact before context switches
 
 ---
@@ -69,15 +77,16 @@ The loop runs unsupervised because these never turn off:
 
 | Capability | Why it matters |
 |---|---|
-| **Self-driving loop** | Type once. OpenHermes classifies, delegates, and routes — no pauses, no asking permission. |
-| **29 specialist skills** | Planning → building → testing → security → review → shipping → retro. Every dev cycle phase. |
+| **Self-driving loop** | Type once. OpenHermes classifies, delegates, and routes — no pauses, no asking permission, no verbosity. |
+| **31 specialist skills** | Planning → building → testing → browser → security → review → shipping → retro. Every dev cycle phase. |
 | **Auto-detected user skills** | Drop a skill in `~/.agents/skills/`. OpenHermes finds it. Same name as a built-in? Your version wins. Survives `npm update`. |
 | **`/oh-doctor`** | Verify plugin load, skill discovery, command registration, config safety. |
 | **`/oh-log`** | Session log — routing hops, skill loads, compaction events. |
-| **Shared operating model** | CONSTITUTION + RUNTIME + CONTEXT + ETHOS injected every session. Every interaction grounded in the same rules. |
+| **Shared operating model** | CHARTER + AUTOPILOT + CONTEXT + ETHOS injected every session. Every interaction grounded in the same rules. |
+| **CORE/DEEP skill format** | Every skill is a two-file system: CORE (SKILL.md) handles 80% of passes in one read. DEEP.md loads on demand for hard cases. |
 | **Plan file storage** | `~/.local/share/opencode/openhermes/plans/`. Survives `npm update`. |
 
-## 29 skills — three tiers
+## 31 skills — three tiers
 
 ### Tier 4 — Pipeline orchestrators
 Full multi-phase workflows:
@@ -95,20 +104,23 @@ Span multiple phases and coordinate other skills:
 
 | Skill | Purpose |
 |---|---|
-| **oh-planner** | Brainstorm, architect, autoplan, decision pipeline |
+| **oh-browser** | Browser automation via agent-browser CLI. Navigate pages, fill forms, take screenshots, scrape data, test web apps. |
 | **oh-grill** | Stress-test plans through relentless Socratic questioning |
 | **oh-plan-review** | Multi-lens review: Engineering, Design, DX, Strategy |
+| **oh-planner** | Brainstorm, architect, autoplan, decision pipeline |
 | **oh-security** | Audit: secrets, supply chain, CI/CD, OWASP, LLM security |
 | **oh-refactor** | Surgical behavior-preserving refactoring |
 | **oh-review** | Two-axis review (Standards + Spec) in parallel sub-agents |
 | **oh-fusion** | Skill ingestion pipeline: discover → analyze → adapt → fuse → integrate |
 | **oh-retro** | Weekly retrospective — analyze commit history and patterns |
+| **oh-worktree** | Workspace isolation via git worktrees. Detect existing isolation, create isolated workspaces, run project setup, verify clean baseline. |
 
 ### Tier 2 — Focused skills
 Single-purpose, one thing well:
 
 | Skill | Purpose |
 |---|---|
+| **oh-ascii** | Complete ASCII diagramming: design patterns, generation, structural validation |
 | **oh-expert** | AI self-diagnosis: sycophancy, hallucination, attention dynamics |
 | **oh-full-output** | Override truncation, ban placeholders, enforce complete generation |
 | **oh-health** | Code quality dashboard: tools, composite score, trend |
@@ -119,7 +131,6 @@ Single-purpose, one thing well:
 | **oh-triage** | Issue triage state machine — classify, prioritise, assign |
 | **oh-issue** | Break a plan/spec/PRD into independently-grabbable issues |
 | **oh-prd** | Conversation → PRD → GitHub issue |
-| **oh-caveman** | Ultra-compressed mode — cut token usage ~75% |
 | **oh-freeze** | Restrict file edits to a specific directory |
 | **oh-learn** | Extract, evolve, promote session learnings as instincts |
 | **oh-guard** | Safety confirmation — warn before destructive operations |
@@ -137,13 +148,13 @@ openhermes-pkg/
 ├── ETHOS.md               # Operating principles
 ├── bootstrap.ts           # Plugin entry — registers everything
 ├── index.ts               # Package entrypoint
-├── lib/                   # harness-resolver.ts, logger.ts
+├── lib/                   # harness-resolver.ts
 ├── harness/
 │   ├── agents/            # Agent manifests (OpenHermes primary)
-│   ├── codex/             # CONSTITUTION, AUTOPILOT, ROUTING
+│   ├── codex/             # CHARTER, AUTOPILOT
 │   ├── commands/          # Slash commands (/oh-doctor, /oh-log)
-│   ├── instructions/      # RUNTIME.md
-│   └── skills/            # 29 skill SKILL.md files
+│   ├── instructions/      # SHELL.md
+│   └── skills/            # 31 skill SKILL.md files (CORE/DEEP format)
 └── test/
 ```
 

package/bootstrap.ts

@@ -1,17 +1,18 @@
 import path from "node:path"
 import fs from "node:fs"
 import os from "node:os"
-import { fileURLToPath } from "node:url"
 import type { Plugin } from "@opencode-ai/plugin"
-import { createLogger } from "./lib/logger.ts"
 import { getHarnessDir, setHarnessRootForTest, resolveHarnessRoot } from "./lib/harness-resolver.ts"
 
-const log = createLogger("bootstrap")
-const sessionLog = createLogger("session")
-const __dirname = path.dirname(fileURLToPath(import.meta.url))
-const BOOTSTRAP_MARKER = "OPENHERMES_BOOTSTRAP"
 const OPENHERMES_AGENT = "OpenHermes"
 
+// User skill directories — auto-discovered on every session, survive npm updates
+const USER_SKILL_DIRS: ReadonlyArray<string> = [
+  path.join(os.homedir(), ".agents", "skills"),
+  path.join(os.homedir(), ".config", "opencode", "skills"),
+  path.join(os.homedir(), ".claude", "skills"),      // Claude Code backward compat
+]
+
 // Canonical storage under OpenCode's data directory — survives npm updates
 let _planStorageOverride: string | undefined
 export function setPlanStorageDirForTest(dir: string | undefined): void { _planStorageOverride = dir }
@@ -23,13 +24,8 @@ function getProjectName(projectDir: string): string {
   return path.basename(projectDir)
 }
 
-// User skill directories — auto-scanned on every session, survive npm updates
-const USER_SKILL_DIRS: ReadonlyArray<string> = [
-  path.join(os.homedir(), ".agents", "skills"),
-  path.join(os.homedir(), ".config", "opencode", "skills"),
-]
 
-export { resolveHarnessRoot, setHarnessRootForTest, getHarnessDir }
+export { resolveHarnessRoot, setHarnessRootForTest, getHarnessDir, ensurePlanFile }
 
 function parseFrontmatter(raw: string | undefined): Record<string, string> {
   const frontmatter: Record<string, string> = {}
@@ -128,9 +124,6 @@ function uniqueStrings(existing: string[] = [], additions: string[] = []): strin
   return merged
 }
 
-function readText(filePath: string): string {
-  return fs.existsSync(filePath) ? fs.readFileSync(filePath, "utf8") : ""
-}
 
 function regexEscape(s: string): string {
   return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")
@@ -182,15 +175,58 @@ function ensureDir(dir: string): void {
   }
 }
 
-function countSkills(dir: string): number {
-  try {
-    return fs.readdirSync(dir).filter(e => {
-      const full = path.join(dir, e)
-      return fs.statSync(full).isDirectory() && fs.existsSync(path.join(full, "SKILL.md"))
-    }).length
-  } catch {
-    return 0
+/**
+ * Ensure a plan file exists for the project.
+ * Creates a skeleton plan if none exists or if the latest is complete/abandoned.
+ * Reuses an existing active or in-progress plan.
+ * Returns the path to the plan file.
+ */
+function ensurePlanFile(projectDir: string): string {
+  const projectName = getProjectName(projectDir)
+  const storage = planStorageDir()
+  ensureDir(storage)
+
+  // Reuse active or in-progress plan
+  const latest = findLatestPlanFile(projectDir)
+  if (latest) {
+    const content = fs.readFileSync(latest, "utf8")
+    const status = content.match(/^Status:\s*(.+)$/m)?.[1]?.trim()
+    if (status === "active" || status === "in-progress") {
+      return latest
+    }
   }
+
+  // Determine next sequence number
+  let nextSeq = 1
+  if (latest) {
+    const m = path.basename(latest).match(/-plan-(\d{3})\.md$/)
+    if (m) nextSeq = parseInt(m[1], 10) + 1
+  }
+
+  const planId = `${projectName}-plan-${String(nextSeq).padStart(3, "0")}`
+  const planPath = path.join(storage, `${planId}.md`)
+  const now = new Date().toISOString().replace("T", " ").slice(0, 16)
+
+  const content = [
+    `# PLAN: ${projectName}`,
+    "",
+    `Plan ID: ${planId}`,
+    `Project: ${projectName}`,
+    `Status: active`,
+    `Created: ${now}`,
+    `Updated: ${now}`,
+    `Project Path: ${projectDir}`,
+    `Plan Path: ${planPath}`,
+    `Objective: (pending classification)`,
+    "",
+    "## Tasks",
+    "",
+    "- [ ] (discoverable — pending classification)",
+    "",
+  ].join("\n")
+
+  fs.writeFileSync(planPath, content, "utf8")
+  return planPath
 }
 
 export function buildCompactionContext(projectDir: string): string[] {
@@ -232,83 +268,8 @@ export function formatSessionEvent(event: SessionLifecycleEvent): { level: "info
   }
 }
 
-function parseRouteYaml(raw: string): { pass: string; fail: string; blocker: string } {
-  const def: { pass: string; fail: string; blocker: string } = { pass: "surface", fail: "surface", blocker: "surface" }
-  const m = raw.match(/route:\n((?:  [^\n]*\n?)*)/)
-  if (!m) return def
-  const block = m[1]
-
-  const kv = (key: string): string | undefined => {
-    // Single-line:  pass: oh-builder  (horizontal whitespace only, no newlines)
-    const s = block.match(new RegExp(`  ${key}:[ \\t]*(\\S.*)`))
-    if (s) return s[1].trim()
-    // Multi-line array:  pass:\n    - oh-builder\n    - oh-gauntlet
-    const a = block.match(new RegExp(`  ${key}:\\n((?:    - .+\\n?)*)`))
-    if (a) {
-      const items = a[1].match(/    - (.+)/g)?.map(i => i.replace(/    - /, "").trim()) ?? []
-      return items.length > 0 ? `[${items.join(", ")}]` : undefined
-    }
-    return undefined
-  }
-
-  const p = kv("pass")
-  const f = kv("fail")
-  const b = kv("blocker")
-  if (p) def.pass = p
-  if (f) def.fail = f
-  if (b) def.blocker = b
-  return def
-}
-
-function buildRoutingInventory(skillDirs: string[]): string {
-  const rows: string[] = []
-  for (const dir of skillDirs) {
-    let entries: string[] = []
-    try { entries = fs.readdirSync(dir).filter(e => fs.statSync(path.join(dir, e)).isDirectory()) } catch { continue }
-    for (const name of entries.sort()) {
-      const skPath = path.join(dir, name, "SKILL.md")
-      if (!fs.existsSync(skPath)) continue
-      const raw = fs.readFileSync(skPath, "utf8").replace(/\r\n/g, "\n")
-      const fm = raw.match(/^---\n([\s\S]*?)\n---/)
-      if (!fm) continue
-      const route = parseRouteYaml(fm[1])
-      rows.push(`| **${name}** | ${route.pass} | ${route.fail} | ${route.blocker} |`)
-    }
-  }
-  if (rows.length === 0) return ""
-  const header = "## Dynamic Routing Inventory\n\nAll skills and their routes:\n\n| Skill | pass | fail | blocker |\n|---|---|---|---|\n"
-  return header + rows.join("\n")
-}
-
-function buildBootstrapContent(hDir: string, extraDirs: string[] = []): string {
-  const parts = [
-    `<${BOOTSTRAP_MARKER}>`,
-    `You are OpenHermes.`,
-    `OpenHermes is OpenCode-native: load skills on demand, always delegate, never execute tasks directly, and keep the surface small.`,
-    `Durable state is removed for now. Do not invent a persistence layer unless the user explicitly asks for one later.`,
-  ]
-
-  const autopilot = readText(path.join(hDir, "codex", "AUTOPILOT.md"))
-  const constitution = readText(path.join(hDir, "codex", "CONSTITUTION.md"))
-  const runtime = readText(path.join(hDir, "instructions", "RUNTIME.md"))
-  const context = readText(path.join(__dirname, "CONTEXT.md"))
-  const ethos = readText(path.join(__dirname, "ETHOS.md"))
 
-  if (autopilot) parts.push(`<AUTOPILOT>\n${autopilot}\n</AUTOPILOT>`)
-  if (constitution) parts.push(`<CONSTITUTION>\n${constitution}\n</CONSTITUTION>`)
-  if (runtime) parts.push(`<RUNTIME>\n${runtime}\n</RUNTIME>`)
-  if (context) parts.push(`<CONTEXT>\n${context}\n</CONTEXT>`)
-  if (ethos) parts.push(`<ETHOS>\n${ethos}\n</ETHOS>`)
 
-  // Dynamic routing inventory: built-in skills + user skills
-  const allSkillDirs = [path.join(hDir, "skills"), ...extraDirs.filter(Boolean)]
-  const inventory = buildRoutingInventory(allSkillDirs)
-  if (inventory) parts.push(inventory)
-
-  parts.push(`</${BOOTSTRAP_MARKER}>`)
-
-  return parts.join("\n\n")
-}
 
 interface OpenHermesConfig {
   skills?: { paths?: string[] }
@@ -323,23 +284,26 @@ export const BootstrapPlugin: Plugin = async (ctx) => {
   const skillsDir = path.join(hDir, "skills")
   const commandsDir = path.join(hDir, "commands")
   const agentsDir = path.join(hDir, "agents")
+  const client = ctx.client  // SDK client for structured logging
+
+  // Safe logging — uses OpenCode SDK when available, falls back to stdout for tests
+  async function logToOC(level: "info" | "warn" | "error" | "debug", message: string): Promise<void> {
+    if (client?.app?.log) {
+      await client.app.log({ body: { service: "openhermes", level, message } })
+    } else {
+      console.log(`[openhermes] [${level.toUpperCase()}] ${message}`)
+    }
+  }
+
   // Auto-detect and wire user skills from ~/.agents/skills and ~/.config/opencode/skills
-  // (Must happen before bootstrapContent is built so routing inventory includes user skills)
   const userSkillPaths: string[] = []
   for (const userDir of USER_SKILL_DIRS) {
     ensureDir(userDir)
-    const count = countSkills(userDir)
-    if (count > 0) {
-      userSkillPaths.push(userDir)
-      log.info(`found ${count} user skill(s) in ${userDir}`)
-    }
+    userSkillPaths.push(userDir)
+    await logToOC("info", `wired user skills from ${userDir}`)
   }
 
-  const bootstrapContent = buildBootstrapContent(hDir, userSkillPaths)
   const compactionContext = buildCompactionContext(ctx.directory)
-  const builtInCount = countSkills(skillsDir)
-  const userCount = userSkillPaths.reduce((sum, d) => sum + countSkills(d), 0)
-
   // Ensure plan storage exists
   ensureDir(planStorageDir())
 
@@ -350,7 +314,13 @@ export const BootstrapPlugin: Plugin = async (ctx) => {
       const allPaths = [skillsDir, ...userSkillPaths]
       config.skills.paths = uniqueStrings(config.skills.paths || [], allPaths)
 
-      log.info(`skills: ${builtInCount} built-in + ${userCount} user (${allPaths.length} path(s))`)
+      await logToOC("info", `skills: ${allPaths.length} path(s)`)
+
+      // Register harness docs as native OpenCode instructions — no prompt-embedding needed
+      config.instructions = uniqueStrings(config.instructions ?? [], [
+        path.join(hDir, "codex"),
+        path.join(hDir, "instructions"),
+      ])
 
       config.command = { ...(config.command ?? {}), ...commandDefinitions(commandsDir) }
 
@@ -361,18 +331,63 @@ export const BootstrapPlugin: Plugin = async (ctx) => {
         prompt: "You are OpenHermes.",
       }
 
+      // Subagent permissions — tier-4 and tier-3 get execution access but cannot spawn orchestrators
+      const SUBAGENT_PERMISSIONS: Record<string, Record<string, unknown>> = {
+        "oh-builder": { bash: { "*": "allow" }, edit: "allow", read: "allow", glob: "allow", grep: "allow", task: { "oh-*": "deny" } },
+        "oh-browser": { bash: { "*": "allow" }, edit: "allow", read: "allow", glob: "allow", grep: "allow", task: { "oh-*": "deny" } },
+        "oh-facade": { bash: { "*": "allow" }, edit: "allow", read: "allow", glob: "allow", grep: "allow", task: { "oh-*": "deny" } },
+        "oh-gauntlet": { bash: { "*": "allow" }, edit: "allow", read: "allow", glob: "allow", grep: "allow", task: { "oh-*": "deny" } },
+        "oh-manifest": { bash: { "*": "allow" }, edit: "allow", read: "allow", glob: "allow", grep: "allow", task: { "oh-*": "deny" } },
+        "oh-ship": { bash: { "*": "allow" }, edit: "allow", read: "allow", glob: "allow", grep: "allow", task: { "oh-*": "deny" } },
+        "oh-planner": { bash: { "*": "allow" }, edit: "allow", read: "allow", glob: "allow", grep: "allow", task: { "oh-*": "deny" } },
+        "oh-grill": { bash: { "*": "allow" }, edit: "allow", read: "allow", glob: "allow", grep: "allow", task: { "oh-*": "deny" } },
+        "oh-investigate": { bash: { "*": "allow" }, edit: "allow", read: "allow", glob: "allow", grep: "allow", task: { "oh-*": "deny" } },
+        "oh-plan-review": { bash: { "*": "allow" }, edit: "allow", read: "allow", glob: "allow", grep: "allow", task: { "oh-*": "deny" } },
+        "oh-security": { bash: { "*": "allow" }, edit: "allow", read: "allow", glob: "allow", grep: "allow", task: { "oh-*": "deny" } },
+        "oh-refactor": { bash: { "*": "allow" }, edit: "allow", read: "allow", glob: "allow", grep: "allow", task: { "oh-*": "deny" } },
+        "oh-review": { bash: { "*": "allow" }, edit: "allow", read: "allow", glob: "allow", grep: "allow", task: { "oh-*": "deny" } },
+        "oh-fusion": { bash: { "*": "allow" }, edit: "allow", read: "allow", glob: "allow", grep: "allow", task: { "oh-*": "deny" } },
+        "oh-retro": { bash: { "*": "allow" }, edit: "allow", read: "allow", glob: "allow", grep: "allow", task: { "oh-*": "deny" } },
+        "oh-skill-craft": { bash: { "*": "allow" }, edit: "allow", read: "allow", glob: "allow", grep: "allow", task: { "oh-*": "deny" } },
+      }
+
       config.agent = {
         ...(config.agent ?? {}),
         ...loadedAgents,
+        // Apply permissions + hidden flag to subagents
+        ...Object.fromEntries(
+          Object.entries(loadedAgents)
+            .filter(([name]) => name !== OPENHERMES_AGENT)
+            .map(([name, agentDef]) => [
+              name,
+              {
+                ...agentDef,
+                permission: SUBAGENT_PERMISSIONS[name] ?? { bash: { "*": "deny" }, edit: "deny", read: "allow" },
+                // Hide routing-internal subagents from @-menu
+                // Only agents with existing .md files can be hidden — names without files are no-ops
+                ...(["oh-planner", "oh-grill", "oh-skill-craft"].includes(name) ? { hidden: true } : {}),
+              },
+            ])
+        ),
         [OPENHERMES_AGENT]: {
           ...openHermesAgent,
           description: openHermesAgent.description || "OpenHermes primary orchestrator",
           mode: "primary",
+          steps: 15,                     // Max agentic iterations — prevents runaway loops
           permission: {
-            bash: { "*": "allow" },
-            edit: "allow",
-            read: "allow",
-            task: { "*": "allow" },
+            bash: { "*": "deny" },       // CANNOT execute commands
+            edit: "deny",                // CANNOT write/edit files
+            read: "allow",               // CAN read for classification
+            glob: "allow",               // CAN search for files
+            grep: "allow",               // CAN search content
+            task: { "*": "allow" },      // MUST delegate via subagents
+            skill: "allow",              // CAN load skill instructions
+            webfetch: "allow",           // CAN fetch docs for context
+            question: "allow",           // CAN ask user questions
+            websearch: "allow",          // CAN search web for research context
+            external_directory: {         // CAN read/write plan files outside worktree
+              "~/.local/share/opencode/openhermes/**": "allow",
+            },
           },
         },
       }
@@ -381,25 +396,47 @@ export const BootstrapPlugin: Plugin = async (ctx) => {
     },
 
     event: async ({ event }) => {
-      const record = formatSessionEvent(event as SessionLifecycleEvent)
+      const typed = event as SessionLifecycleEvent
+      const record = formatSessionEvent(typed)
       if (!record) return
-      sessionLog[record.level](record.message)
+      await logToOC(record.level, record.message)
+
+      // NOTE: Plan files are NOT auto-created here. The LLM agent
+      // creates plans on demand (see Task Flow step 1 in agent prompt).
+      // Auto-creation produced ghost skeletons like plan-004.
+
+      // Reset delegation depth on session start/error
+      if (typed.type === "session.created" || typed.type === "session.error") {
+        delegationDepths.delete(`delegation:${ctx.directory}`)
+      }
     },
 
     "experimental.session.compacting": async (_input, output) => {
       output.context.push(...compactionContext)
     },
 
-    "experimental.chat.messages.transform": async (_input: unknown, output: { messages?: Array<{ info?: { role?: string }; parts?: Array<{ text?: string; type?: string }> }> }) => {
-      try {
-        if (!output.messages?.length) return
-        const firstUser = output.messages.find(m => m?.info?.role === "user")
-        if (!firstUser?.parts?.length) return
-        if (firstUser.parts.some(p => p.text?.includes(BOOTSTRAP_MARKER))) return
-        firstUser.parts.unshift({ type: "text", text: bootstrapContent })
-      } catch (err: unknown) {
-        log.error("transform error:", (err as Error)?.message)
+    // Mechanical delegation loop guard — prevents runaway agent nesting
+    "tool.execute.before": async (input, output) => {
+      if (input.tool === "task") {
+        // Track delegation depth per project (one session per project at a time)
+        const depthKey = `delegation:${ctx.directory}`
+        const currentDepth = (delegationDepths.get(depthKey) ?? 0) + 1
+        delegationDepths.set(depthKey, currentDepth)
+
+        if (currentDepth >= 10) {
+          const errOutput = output as { args: unknown; isError?: boolean; content?: unknown[] }
+          errOutput.isError = true
+          errOutput.content = [{
+            type: "text",
+            text: "LOOP GUARD: Delegation depth exceeded (max 10). " +
+                  "Surface to orchestrator with findings and stop delegating."
+          }]
+        }
       }
     },
+
   }
 }
+
+// Module-level delegation depth tracker — reset per project session
+const delegationDepths = new Map<string, number>()

package/harness/agents/oh-browser.md

@@ -0,0 +1,97 @@
+---
+name: oh-browser
+description: "Browser automation via agent-browser CLI. Navigate pages, fill forms, click buttons, take screenshots, extract data, test web apps. Use when the user needs to interact with websites, automate browser tasks, scrape data, or test web applications."
+mode: subagent
+---
+
+## Shell Pre-flight (Windows)
+
+You are on Windows. Before ANY command execution, detect your shell:
+- `$PSVersionTable` exists → PowerShell (`powershell` or `pwsh`)
+- `%CMDCMDLINE%` is set → CMD  
+- `$0` or `$BASH` → Bash (Git Bash)
+
+Operation → required shell:
+- File ops (`Remove-Item`, `New-Item`), scoop, `.ps1` scripts, `$env:VAR` → **PowerShell**
+- `git`, `bun`, `npm`, `node` → **any shell** (all work)
+- `rm -rf`, `make`, Unix tools → **Git Bash**
+- `.bat`/`.cmd` files → **CMD**
+
+Wrong shell? Switch:
+- → PowerShell: `powershell.exe -NoProfile -Command "..."`
+- → Git Bash: `& "C:\Program Files\Git\bin\bash.exe" -c "..."`
+- → CMD: `cmd.exe /c "..."`
+
+Always know before you go.
+
+# oh-browser
+
+Browser automation via agent-browser CLI. Fast native Rust CLI wrapping Chrome/Chromium via CDP.
+
+## Prerequisites
+
+- agent-browser installed globally: `npm install -g agent-browser && agent-browser install`
+- Chrome/Chromium (auto-downloaded by `agent-browser install`)
+- State files contain session tokens — add to `.gitignore`, never commit
+
+## Workflow
+
+1. **Launch browser** — `agent-browser open <url>` or `agent-browser open` (blank page then navigate)
+2. **Snapshot page state** — `agent-browser snapshot` returns accessibility tree with `@eN` refs
+3. **Interact** — use `@eN` refs from snapshot:
+   - `agent-browser click @eN`
+   - `agent-browser fill @eN "value"`
+   - `agent-browser select @eN "option"`
+   - `agent-browser hover @eN`
+4. **Extract data** — `agent-browser get text @eN`, `agent-browser get html @eN`, `agent-browser screenshot`
+5. **Close** — `agent-browser close`
+
+## Common Patterns
+
+- **Annotated screenshots**: `agent-browser screenshot --annotate` — overlays numbered labels matching `@eN` refs.
+- **Batch execution**: `agent-browser batch "open url" "snapshot" "click @e1"` — avoids per-command startup overhead.
+- **Session persistence**: `--session-name <name>` — auto-saves/restores cookies and localStorage.
+- **Auth vault**: `agent-browser auth save <name> --url <url> --username <user>` — encrypted credentials.
+- **Diff**: `agent-browser diff snapshot` for change detection. `agent-browser diff screenshot --baseline before.png` for visual diff.
+- **Chrome profile reuse**: `--profile Default` — use existing Chrome login state.
+- **Tab labeling**: `agent-browser tab new --label docs <url>` — memorable labels.
+- **Parallel scrape**: Use `batch --json` with piped command arrays.
+
+## Common Commands Reference
+
+| Task | Command |
+|---|---|
+| Open URL | `agent-browser open <url>` |
+| Get page state | `agent-browser snapshot -i` |
+| Click | `agent-browser click @eN` or `agent-browser click "css-selector"` |
+| Type text | `agent-browser fill @eN "text"` |
+| Screenshot | `agent-browser screenshot --annotate` |
+| Extract text | `agent-browser get text @eN` |
+| Run JS | `agent-browser eval "document.title"` |
+| Wait for element | `agent-browser wait ".selector"` |
+| Scroll | `agent-browser scroll down 200` |
+| Multi-step | `agent-browser batch "cmd1" "cmd2" "cmd3"` |
+
+## Anti-patterns
+
+- Forgetting `agent-browser install` first
+- Not closing browser sessions (daemon processes leak)
+- Using CSS selectors when `@eN` refs are faster
+- Running individual commands instead of batch for multi-step
+- Passing credentials in prompts instead of auth vault
+- Committing state files with session tokens
+
+## Security
+
+- Use `--allowed-domains` to restrict navigation
+- Use auth vault instead of passing credentials in prompts
+- Session state files contain tokens — keep in `.gitignore`
+- `--content-boundaries` wraps page output in delimiters
+
+## Routing
+
+| Outcome | Route |
+|---------|-------|
+| pass | → surface (results to user) |
+| fail | → oh-browser (retry with corrected approach) |
+| blocker | → surface with error details |