pi-sage 0.2.3 → 0.2.5

package/.pi/extensions/sage/index.ts

@@ -39,6 +39,7 @@ const ROLE_HINT_ENV_KEYS = ["TASKPLANE_ROLE", "TASKPLANE_AGENT_ROLE", "PI_AGENT_
 
 const REASONING_LEVELS: ReasoningLevel[] = ["minimal", "low", "medium", "high", "xhigh"];
 const TOOL_PROFILES: ToolProfile[] = ["none", "read-only-lite", "git-review-readonly", "custom-read-only"];
+const MODEL_INHERIT_VALUE = "inherit";
 
 const SAGE_GUIDANCE = [
   "You may call `sage_consult` for high-complexity reasoning, ambiguous debugging, risky architectural decisions, or explicit second-opinion requests.",
@@ -335,6 +336,7 @@ function buildCallerContext(lastInputSource: InputSource | undefined, hasUI: boo
   const isRpcSource = lastInputSource === "rpc";
   const isSubagent = process.env.PI_SAGE_SUBAGENT === "1";
   const interactive = hasUI && lastInputSource === "interactive";
+  const isInteractiveSupervisor = interactive && roleHint === "supervisor";
 
   return {
     session: {
@@ -343,7 +345,7 @@ function buildCallerContext(lastInputSource: InputSource | undefined, hasUI: boo
     agent: {
       role: roleHint ?? "primary",
       isSubagent,
-      isRpcOrchestrated: isRpcSource || Boolean(roleHint && roleHint !== "primary")
+      isRpcOrchestrated: isRpcSource || Boolean(roleHint && roleHint !== "primary" && !isInteractiveSupervisor)
     },
     runtime: {
       mode: process.env.CI ? "ci" : hasUI ? (isRpcSource ? "rpc" : "interactive") : "non-interactive"
@@ -373,12 +375,15 @@ async function runSettingsWizard(ctx: ExtensionCommandContext): Promise<void> {
     const action = await ctx.ui.select("Sage settings", [
       `Enabled: ${onOff(draft.enabled)}`,
       `Autonomous mode: ${onOff(draft.autonomousEnabled)}`,
+      `Explicit requests bypass soft limits: ${onOff(draft.explicitRequestAlwaysAllowed)}`,
       `Model: ${draft.model}`,
       `Reasoning level: ${draft.reasoningLevel}`,
       `Timeout ms: ${draft.timeoutMs}`,
       `Max calls/turn: ${draft.maxCallsPerTurn}`,
       `Max calls/session: ${draft.maxCallsPerSession}`,
       `Cooldown turns: ${draft.cooldownTurnsBetweenAutoCalls}`,
+      `Max question chars: ${draft.maxQuestionChars}`,
+      `Max context chars: ${draft.maxContextChars}`,
       `Tool profile: ${draft.toolPolicy.profile}`,
       `Custom tools: ${(draft.toolPolicy.customAllowedTools ?? []).join(",") || "(none)"}`,
       `Max tool calls: ${draft.toolPolicy.maxToolCalls ?? 10}`,
@@ -418,8 +423,12 @@ async function runSettingsWizard(ctx: ExtensionCommandContext): Promise<void> {
       draft = { ...draft, autonomousEnabled: !draft.autonomousEnabled };
       continue;
     }
+    if (action.startsWith("Explicit requests bypass soft limits:")) {
+      draft = { ...draft, explicitRequestAlwaysAllowed: !draft.explicitRequestAlwaysAllowed };
+      continue;
+    }
     if (action.startsWith("Model:")) {
-      const selected = await pickModel(ctx);
+      const selected = await pickModel(ctx, draft.model);
       if (selected) draft = { ...draft, model: selected };
       continue;
     }
@@ -446,6 +455,14 @@ async function runSettingsWizard(ctx: ExtensionCommandContext): Promise<void> {
       draft = await setNumberSetting(ctx, draft, "cooldownTurnsBetweenAutoCalls", "Cooldown turns", 0);
       continue;
     }
+    if (action.startsWith("Max question chars:")) {
+      draft = await setNumberSetting(ctx, draft, "maxQuestionChars", "Max question chars", 256);
+      continue;
+    }
+    if (action.startsWith("Max context chars:")) {
+      draft = await setNumberSetting(ctx, draft, "maxContextChars", "Max context chars", 512);
+      continue;
+    }
     if (action.startsWith("Tool profile:")) {
       const selected = await ctx.ui.select("Tool profile", [...TOOL_PROFILES]);
       if (selected && TOOL_PROFILES.includes(selected as ToolProfile)) {
@@ -520,23 +537,63 @@ async function runSettingsWizard(ctx: ExtensionCommandContext): Promise<void> {
   }
 }
 
-async function pickModel(ctx: ExtensionContext): Promise<string | undefined> {
+async function pickModel(ctx: ExtensionContext, currentModel: string): Promise<string | undefined> {
   const available = ctx.modelRegistry.getAvailable();
   if (available.length === 0) {
     ctx.ui.notify("No available models found", "warning");
     return undefined;
   }
 
-  const sorted = [...available].sort((a, b) => {
-    const left = `${a.provider}/${a.id}`.toLowerCase();
-    const right = `${b.provider}/${b.id}`.toLowerCase();
-    return left.localeCompare(right);
-  });
+  const currentLower = currentModel.trim().toLowerCase();
+  const providers = [...new Set(available.map((model) => model.provider))].sort((a, b) => a.localeCompare(b));
+
+  while (true) {
+    const providerOptions = [
+      `${MODEL_INHERIT_VALUE} (use current session model)`,
+      ...providers.map((provider) => {
+        const count = available.filter((model) => model.provider === provider).length;
+        return `${provider} (${count})`;
+      })
+    ];
+
+    const providerChoice = await ctx.ui.select("Choose Sage model provider", providerOptions);
+    if (!providerChoice) return undefined;
+
+    if (providerChoice.startsWith(MODEL_INHERIT_VALUE)) {
+      return MODEL_INHERIT_VALUE;
+    }
+
+    const provider = providerChoice.replace(/\s*\(\d+\)$/, "");
+    const providerModels = available
+      .filter((model) => model.provider === provider)
+      .sort((a, b) => {
+        const aComposite = `${a.provider}/${a.id}`.toLowerCase();
+        const bComposite = `${b.provider}/${b.id}`.toLowerCase();
+        const aCurrent = aComposite === currentLower;
+        const bCurrent = bComposite === currentLower;
+        if (aCurrent && !bCurrent) return -1;
+        if (!aCurrent && bCurrent) return 1;
+        return a.id.localeCompare(b.id);
+      });
 
-  const options = sorted.slice(0, 200).map((model) => `${model.provider}/${model.id}${model.name ? ` — ${model.name}` : ""}`);
-  const selected = await ctx.ui.select("Choose Sage model", options);
-  if (!selected) return undefined;
-  return selected.split(" — ")[0];
+    const modelOptionMap = new Map<string, string>();
+    const modelOptions = ["← Back to providers"];
+
+    for (const model of providerModels) {
+      const composite = `${model.provider}/${model.id}`;
+      const isCurrent = composite.toLowerCase() === currentLower;
+      const option = `${model.id}${isCurrent ? "  ✓ current" : ""}`;
+      modelOptions.push(option);
+      modelOptionMap.set(option, composite);
+    }
+
+    const modelChoice = await ctx.ui.select(`Choose Sage model (${provider})`, modelOptions);
+    if (!modelChoice) return undefined;
+    if (modelChoice === "← Back to providers") continue;
+
+    const resolved = modelOptionMap.get(modelChoice);
+    if (resolved) return resolved;
+  }
 }
 
 function resolveModelSpec(
@@ -548,6 +605,22 @@ function resolveModelSpec(
     return { modelArg: undefined, reason: "no available models" };
   }
 
+  if (configuredModel.trim().toLowerCase() === MODEL_INHERIT_VALUE) {
+    if (currentModel) {
+      const present = availableModels.find(
+        (model) => model.provider === currentModel.provider && model.id === currentModel.id
+      );
+      if (present) {
+        return { modelArg: `${present.provider}/${present.id}`, reason: "inherit current model" };
+      }
+    }
+
+    const firstAvailable = availableModels.at(0);
+    return firstAvailable
+      ? { modelArg: `${firstAvailable.provider}/${firstAvailable.id}`, reason: "inherit fallback first available" }
+      : { modelArg: undefined, reason: "no available models" };
+  }
+
   const exactConfigured = availableModels.find((model) => `${model.provider}/${model.id}` === configuredModel);
   if (exactConfigured) {
     return { modelArg: `${exactConfigured.provider}/${exactConfigured.id}`, reason: "configured exact match" };
@@ -596,7 +669,13 @@ function onOff(value: boolean): string {
 async function setNumberSetting(
   ctx: ExtensionContext,
   settings: SageSettings,
-  key: "timeoutMs" | "maxCallsPerTurn" | "maxCallsPerSession" | "cooldownTurnsBetweenAutoCalls",
+  key:
+    | "timeoutMs"
+    | "maxCallsPerTurn"
+    | "maxCallsPerSession"
+    | "cooldownTurnsBetweenAutoCalls"
+    | "maxQuestionChars"
+    | "maxContextChars",
   title: string,
   min: number
 ): Promise<SageSettings> {

package/.pi/extensions/sage/policy.ts

@@ -22,11 +22,17 @@ export function isEligibleCaller(ctx: CallerContext | null | undefined): CallerD
     return { ok: false, blockCode: "subagent", reason: "Sage disabled for subagents" };
   }
 
-  if (ctx.agent.role !== "primary") {
+  const interactiveSupervisor =
+    ctx.agent.role === "supervisor" && ctx.session.interactive === true && ctx.runtime.mode === "interactive";
+
+  if (ctx.agent.role !== "primary" && !interactiveSupervisor) {
     return { ok: false, blockCode: "ineligible-caller", reason: "Only primary agent may invoke Sage" };
   }
 
-  return { ok: true, reason: "eligible" };
+  return {
+    ok: true,
+    reason: interactiveSupervisor ? "eligible (interactive supervisor)" : "eligible"
+  };
 }
 
 export function isHardCostCapExceeded(settings: SageSettings, budgetState: SageBudgetState): boolean {

package/.pi/extensions/sage/settings.ts

@@ -46,18 +46,18 @@ export const DEFAULT_SAGE_SETTINGS: SageSettings = {
   autonomousEnabled: true,
   explicitRequestAlwaysAllowed: true,
   invocationScope: "interactive-primary-only",
-  model: "anthropic/claude-opus-4-6",
+  model: "inherit",
   reasoningLevel: "high",
-  timeoutMs: 120000,
+  timeoutMs: 720000,
   maxCallsPerTurn: 1,
-  maxCallsPerSession: 6,
+  maxCallsPerSession: 100000,
   cooldownTurnsBetweenAutoCalls: 1,
-  maxQuestionChars: 6000,
-  maxContextChars: 20000,
+  maxQuestionChars: 12000,
+  maxContextChars: 64000,
   toolPolicy: {
-    profile: "read-only-lite",
-    maxToolCalls: 10,
-    maxFilesRead: 8,
+    profile: "git-review-readonly",
+    maxToolCalls: 250,
+    maxFilesRead: 100,
     maxBytesPerFile: 200 * 1024,
     maxTotalBytesRead: 1024 * 1024,
     sensitivePathDenylist: DEFAULT_DENYLIST
@@ -82,6 +82,14 @@ function normalizeNumber(value: unknown): number | undefined {
   return value;
 }
 
+function normalizeModelSetting(value: unknown): string | undefined {
+  if (typeof value !== "string") return undefined;
+  const trimmed = value.trim();
+  if (!trimmed) return undefined;
+  if (trimmed.toLowerCase() === "inherit-current") return "inherit";
+  return trimmed;
+}
+
 export function mergeSettings(override: Partial<SageSettings> | undefined): SageSettings {
   const merged: SageSettings = {
     ...DEFAULT_SAGE_SETTINGS,
@@ -92,6 +100,8 @@ export function mergeSettings(override: Partial<SageSettings> | undefined): Sage
     }
   };
 
+  merged.model = normalizeModelSetting(merged.model) ?? DEFAULT_SAGE_SETTINGS.model;
+
   merged.timeoutMs = Math.max(1000, Math.floor(merged.timeoutMs));
   merged.maxCallsPerTurn = Math.max(1, Math.floor(merged.maxCallsPerTurn));
   merged.maxCallsPerSession = Math.max(1, Math.floor(merged.maxCallsPerSession));
@@ -145,7 +155,7 @@ function parseSettingsRaw(content: string): Partial<SageSettings> | undefined {
         typeof parsed.explicitRequestAlwaysAllowed === "boolean" ? parsed.explicitRequestAlwaysAllowed : undefined,
       invocationScope:
         parsed.invocationScope === "interactive-primary-only" ? "interactive-primary-only" : undefined,
-      model: typeof parsed.model === "string" ? parsed.model : undefined,
+      model: normalizeModelSetting(parsed.model),
       reasoningLevel:
         parsed.reasoningLevel === "minimal" ||
         parsed.reasoningLevel === "low" ||
@@ -194,7 +204,15 @@ export function loadSettings(cwd: string): LoadedSettings {
 
 export function saveSettings(path: string, settings: SageSettings): void {
   mkdirSync(dirname(path), { recursive: true });
-  writeFileSync(path, `${JSON.stringify(settings, null, 2)}\n`, "utf8");
+
+  const persisted: Omit<SageSettings, "invocationScope"> & { invocationScope?: SageSettings["invocationScope"] } = {
+    ...settings
+  };
+
+  // invocationScope is currently fixed by policy and not user-configurable in UI.
+  delete persisted.invocationScope;
+
+  writeFileSync(path, `${JSON.stringify(persisted, null, 2)}\n`, "utf8");
 }
 
 export function getSettingsPathForScope(cwd: string, scope: SettingsScope): string {

package/AGENTS.md

@@ -11,7 +11,7 @@ Sage should improve decision quality for complex tasks while preserving strict s
 ## 2) Product Invariants (Do Not Violate)
 
 1. Sage invocation is restricted to **interactive top-level primary** sessions.
-2. RPC-orchestrated roles (`supervisor`, `worker`, `reviewer`, `merger`) cannot invoke Sage.
+2. RPC-orchestrated roles cannot invoke Sage. Exception: an interactive top-level `supervisor` context may invoke Sage when treated as the user-facing primary session.
 3. Sage is **single-shot** per call.
 4. Sage cannot recursively invoke Sage.
 5. Sage is **advisory-only** (analysis/recommendations, not implementation execution).

package/README.md

@@ -44,8 +44,8 @@ Then in Pi run:
 
 ## Tool profiles
 
-- `read-only-lite` (default): `ls, glob, grep, read`
-- `git-review-readonly`: adds restricted `bash` for allowlisted **read-only git** commands
+- `read-only-lite`: `ls, glob, grep, read`
+- `git-review-readonly` (default): adds restricted `bash` for allowlisted **read-only git** commands
 - `none`
 - `custom-read-only`
 

package/docs/SAGE_SPEC.md

@@ -72,7 +72,7 @@ This spec targets a **final architecture** (not MVP): Sage is implemented as a *
      - `pi --mode json -p --no-session --model <configured-model> ...`
    - Provides dedicated Sage system prompt.
    - Enforces **single-shot execution** per call (one request → one response).
-   - Enforces advisory tool policy (default `read-only-lite`: `ls,glob,grep,read`).
+   - Enforces advisory tool policy (default `git-review-readonly`: `ls,glob,grep,read,bash` with strict allowlisted read-only git commands).
    - Supports stricter `none` mode, optional `git-review-readonly` mode, and constrained custom read-only lists.
    - Explicitly disables `sage_consult` inside Sage subprocess context to prevent subagent recursion.
 
@@ -182,21 +182,21 @@ Primary agent guidance to append:
 - `autonomousEnabled: boolean` (applies only in eligible interactive primary sessions; default: true there)
 - `explicitRequestAlwaysAllowed: boolean` (default: true)
 - `invocationScope: "interactive-primary-only"` (default and recommended)
-- `sage_consult` is callable only from the top-level interactive primary agent session.
-- `sage_consult` is blocked for non-interactive/CI contexts and RPC-orchestrated agent roles (e.g., supervisor, worker, reviewer, merger).
+- `sage_consult` is callable only from top-level interactive user-facing sessions.
+- `sage_consult` is blocked for non-interactive/CI contexts and RPC-orchestrated roles. Exception: interactive top-level `supervisor` may be treated as primary.
 
 ## 8.2 Soft limits (defaults)
 Soft limits are policy/budget controls and are bypassable for explicit user requests (`force=true`).
 - `maxCallsPerTurn: 1`
-- `maxCallsPerSession: 6`
+- `maxCallsPerSession: 100000`
 - `cooldownTurnsBetweenAutoCalls: 1`
-- `maxQuestionChars: 6000`
-- `maxContextChars: 20000`
+- `maxQuestionChars: 12000`
+- `maxContextChars: 64000`
 
 ## 8.3 Hard safety limits (non-bypassable)
 - Disallowed caller context (not top-level interactive primary session).
 - Model unavailable or no API key.
-- Timeout exceeded (`timeoutMs`, default `120000`).
+- Timeout exceeded (`timeoutMs`, default `720000`).
 - Absolute cost cap exceeded (`maxEstimatedCostPerSession`, optional).
 
 ## 8.4 Explicit user request behavior
@@ -213,7 +213,7 @@ Implement a deterministic `isEligibleCaller(context)` check before any policy/bu
 
 Required conditions (all must be true):
 1. `context.session.interactive === true`
-2. `context.agent.role === "primary"`
+2. `context.agent.role === "primary"` OR (`context.agent.role === "supervisor"` in interactive top-level context)
 3. `context.agent.isSubagent !== true`
 4. `context.agent.isRpcOrchestrated !== true`
 5. `context.runtime.mode !== "ci"`
@@ -241,20 +241,23 @@ function isEligibleCaller(ctx: CallerContext): { ok: boolean; blockCode?: string
   if (ctx.agent.isSubagent === true) {
     return { ok: false, blockCode: "subagent", reason: "Sage disabled for subagents" };
   }
-  if (ctx.agent.role !== "primary") {
+  const interactiveSupervisor =
+    ctx.agent.role === "supervisor" && ctx.session.interactive === true && ctx.runtime.mode === "interactive";
+  if (ctx.agent.role !== "primary" && !interactiveSupervisor) {
     return { ok: false, blockCode: "ineligible-caller", reason: "Only primary agent may invoke Sage" };
   }
-  return { ok: true, reason: "eligible" };
+  return { ok: true, reason: interactiveSupervisor ? "eligible (interactive supervisor)" : "eligible" };
 }
 ```
 
 ## 8.7 RPC role mapping guidance (orchestration frameworks)
-For orchestrated multi-agent frameworks, map caller role metadata so these roles are always ineligible:
-- `supervisor`
+For orchestrated multi-agent frameworks, map caller role metadata so these roles are ineligible by default:
 - `worker`
 - `reviewer`
 - `merger`
 
+`supervisor` is ineligible unless it is the interactive top-level user-facing session.
+
 If runtime only provides a session name/string, derive role via conservative matching and deny on ambiguity.
 
 ---
@@ -291,11 +294,11 @@ Interactive command to configure Sage runtime behavior.
 8. **Cooldown between autonomous calls**
 9. **Tool profile for Sage subagent**:
    - none (strict advisor mode)
-   - read-only-lite (`ls,glob,grep,read`) **default**
-   - git-review-readonly (`ls,glob,grep,read,bash`) with strict allowlisted git read commands only
+   - read-only-lite (`ls,glob,grep,read`)
+   - git-review-readonly (`ls,glob,grep,read,bash`) with strict allowlisted git read commands only **default**
    - custom read-only list (must exclude mutating/execution tools)
-10. **Per-call max tool calls** (default: 10)
-11. **Per-call max files read** (default: 8)
+10. **Per-call max tool calls** (default: 250)
+11. **Per-call max files read** (default: 100)
 12. **Per-file max bytes** (default: 200KB)
 13. **Per-call max total bytes read** (default: 1MB)
 14. **Sensitive path denylist** (default on; configurable additions)
@@ -317,7 +320,7 @@ Interactive command to configure Sage runtime behavior.
 4. Never pass secrets intentionally unless present in existing prompt/context.
 
 ### 11.1 Tool-access policy (advisor model)
-1. Default Sage tool profile is `read-only-lite`: `ls,glob,grep,read`.
+1. Default Sage tool profile is `git-review-readonly`: `ls,glob,grep,read,bash` with strict read-only git command allowlist.
 2. Allow `none` profile for stricter environments.
 3. Custom profile must be read-only; mutating/execution tools are disallowed.
 4. Explicitly disallow: `edit`, `write`, git-mutating tools, orchestration-control tools, and network/http tools.
@@ -327,8 +330,8 @@ Interactive command to configure Sage runtime behavior.
 1. Restrict reads to workspace/project roots.
 2. Denylist sensitive paths by default (e.g., `.env*`, `*.pem`, `*.key`, `id_rsa*`, credential stores).
 3. Enforce caps per Sage call:
-   - max tool calls: `10`
-   - max files read: `8`
+   - max tool calls: `250`
+   - max files read: `100`
    - max bytes per file: `200KB`
    - max total bytes read: `1MB`
 4. Cap `grep`/`glob` result counts to avoid context explosion.
@@ -372,12 +375,12 @@ On tool-policy/data-policy block:
 
 1. Primary agent autonomously invokes Sage at least once in a complex debug scenario without user explicitly asking (interactive top-level primary session).
 2. In CI/non-interactive mode, Sage invocation is blocked (non-bypassable caller-scope gate).
-3. RPC-orchestrated agents (supervisor/worker/reviewer/merger) cannot invoke `sage_consult`.
+3. RPC-orchestrated agents cannot invoke `sage_consult` (interactive top-level `supervisor` exception).
 4. User phrase “get a second opinion” in an eligible interactive primary session causes at least one Sage consultation in same task flow.
 5. Explicit user-requested Sage consultation can bypass soft limits, but still respects hard safety limits and caller-scope restrictions.
 6. No `/sage` command exists.
-7. `/sage-settings` lists available models interactively and persists selected model.
-8. Default Sage tool profile is `read-only-lite` (`ls,glob,grep,read`), with `none`, `git-review-readonly`, and constrained custom read-only options available.
+7. `/sage-settings` supports model configuration interactively (including `inherit`) and persists selected value.
+8. Default Sage tool profile is `git-review-readonly` (`ls,glob,grep,read,bash` with strict allowlisted read-only git commands), with `none`, `read-only-lite`, and constrained custom read-only options available.
 9. Sage tool profile blocks mutating/execution/network/orchestration tools (including `edit`, `write`, and `sage_consult`), except allowlisted git-read bash commands in `git-review-readonly`.
 10. Sage enforces per-call guardrails (max tool calls/files/bytes and capped `grep`/`glob` output).
 11. Sage calls obey hard safety limits (caller context, model/auth availability, timeout, optional absolute cost cap).
@@ -396,7 +399,7 @@ On tool-policy/data-policy block:
 5. Start with model interpretation for explicit-request detection; add phrase-detection hook only if testing reveals reliability issues.
 6. Sage subagents cannot invoke other Sage subagents (no recursion).
 7. Sage is advisory-only and should not perform implementation actions.
-8. Default Sage tool profile is `read-only-lite` (`ls,glob,grep,read`) with strict guardrails; optional `git-review-readonly` exists for code-review workflows.
+8. Default Sage tool profile is `git-review-readonly` (`ls,glob,grep,read,bash`) with strict guardrails; `bash` is restricted to allowlisted read-only git commands.
 
 ---
 
@@ -410,7 +413,7 @@ On tool-policy/data-policy block:
 6. Add system-prompt guidance injection for autonomous invocation.
 7. Add budget gates and policy telemetry.
 8. Add rendering polish and acceptance tests.
-9. Add a caller-context + tool-policy test matrix (interactive primary allowed; CI blocked; supervisor/worker/reviewer/merger blocked; subagent blocked; unknown context blocked; disallowed tool attempts blocked).
+9. Add a caller-context + tool-policy test matrix (interactive primary allowed; interactive supervisor allowed; CI blocked; rpc-orchestrated roles blocked; subagent blocked; unknown context blocked; disallowed tool attempts blocked).
 
 ---
 
@@ -470,12 +473,12 @@ On tool-policy/data-policy block:
 - [ ] Show effective scope/source (project/global/default) and save target.
 
 ### 17.6 Test checklist
-- [ ] Unit: `isEligibleCaller` allows only interactive primary; blocks CI, non-interactive, subagent, rpc-role, unknown context.
+- [ ] Unit: `isEligibleCaller` allows interactive primary (and interactive supervisor exception); blocks CI, non-interactive, subagent, rpc-role, unknown context.
 - [ ] Unit: `resolveToolPolicy` defaults to `read-only-lite` and strips/blocks disallowed custom tools.
 - [ ] Unit: `isPathAllowed` blocks denylisted paths and non-workspace paths.
 - [ ] Unit: `checkVolumeCaps` trips correctly on call/file/byte overages.
 - [ ] Integration: explicit user request with `force=true` bypasses soft limits but not caller gate.
-- [ ] Integration: RPC roles (`supervisor`, `worker`, `reviewer`, `merger`) receive structured blocked result.
+- [ ] Integration: RPC-orchestrated roles receive structured blocked result (interactive supervisor exception).
 - [ ] Integration: Sage subprocess cannot call `sage_consult` (recursion test).
 - [ ] Integration: tool usage metadata is present in successful responses.
 - [ ] Integration: blocked results include `blockCode` + human-readable reason.

package/docs/coding-standards.md

@@ -74,7 +74,7 @@ Every implementation must preserve these behaviors:
 
 ## 7) Security and Access Controls
 
-1. Enforce advisory tool policy by default (`read-only-lite`: `ls,glob,grep,read`).
+1. Enforce advisory tool policy by default (`git-review-readonly`: `ls,glob,grep,read,bash` with strict read-only git command allowlist).
 2. Disallow mutating/execution/network/orchestration tools in Sage.
 3. Restrict filesystem reads to workspace/project roots.
 4. Apply sensitive-path denylist by default (`.env*`, `*.pem`, `*.key`, etc.).

package/docs/testing-standards.md

@@ -125,7 +125,7 @@ Required E2E checks:
 - [ ] no recursion
 
 ### Tool/data policy
-- [ ] default profile is `read-only-lite`
+- [ ] default profile is `git-review-readonly`
 - [ ] disallowed tools blocked (`edit`, `write`, `bash`, `sage_consult`, etc.)
 - [ ] denylisted paths blocked
 - [ ] volume caps enforced

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pi-sage",
-  "version": "0.2.3",
+  "version": "0.2.5",
   "private": false,
   "type": "module",
   "description": "Interactive-only advisory Sage extension for Pi",