principles-disciple 1.5.4 → 1.7.0

package/dist/core/trust-engine.d.ts

@@ -43,6 +43,7 @@ export declare class TrustEngine {
         sessionId?: string;
         api?: any;
         toolName?: string;
+        error?: string;
     }): void;
     private updateScore;
     resetTrust(newScore?: number): void;
@@ -67,6 +68,7 @@ export declare function recordFailure(type: 'tool' | 'risky' | 'bypass', workspa
     sessionId?: string;
     api?: any;
     toolName?: string;
+    error?: string;
 }): void;
 export declare function getAgentScorecard(workspaceDir: string): TrustScorecard;
 export declare function getTrustStats(scorecard: TrustScorecard): {

package/dist/core/trust-engine.js

@@ -7,6 +7,7 @@ import * as path from 'path';
 import { EventLogService } from './event-log.js';
 import { resolvePdPath } from './paths.js';
 import { ConfigService } from './config-service.js';
+import { TrajectoryRegistry } from './trajectory.js';
 export const EXPLORATORY_TOOLS = [
     // 文件读取
     'read', 'read_file', 'read_many_files', 'image_read',
@@ -26,7 +27,7 @@ export const EXPLORATORY_TOOLS = [
 export const CONSTRUCTIVE_TOOLS = [
     'write', 'write_file', 'edit', 'edit_file', 'replace', 'apply_patch',
     'insert', 'patch', 'delete_file', 'move_file', 'run_shell_command',
-    'pd_spawn_agent', 'sessions_spawn', 'evolve-task', 'init-strategy'
+    'pd_run_worker', 'sessions_spawn', 'evolve-task', 'init-strategy'
 ];
 export class TrustEngine {
     scorecard;
@@ -49,7 +50,8 @@ export class TrustEngine {
         return settings || {
             stages: { stage_1_observer: 30, stage_2_editor: 60, stage_3_developer: 80 },
             cold_start: { initial_trust: 85, grace_failures: 5, cold_start_period_ms: 86400000 },
-            penalties: { tool_failure_base: -2, risky_failure_base: -10, gate_bypass_attempt: -5, failure_streak_multiplier: -2, max_penalty: -20 },
+            // BUGFIX #84: Reduced penalties to prevent Trust collapse
+            penalties: { tool_failure_base: -1, risky_failure_base: -5, gate_bypass_attempt: -3, failure_streak_multiplier: -1, max_penalty: -10 },
             rewards: { success_base: 2, subagent_success: 5, tool_success_reward: 0.2, streak_bonus_threshold: 3, streak_bonus: 5, recovery_boost: 5, max_reward: 15 },
             limits: { stage_2_max_lines: 50, stage_3_max_lines: 300 }
         };
@@ -170,6 +172,13 @@ export class TrustEngine {
             this.updateScore(-1, `Exploratory Failure: ${toolName}`, 'failure', context);
             return;
         }
+        // BUGFIX #84: sessions_send timeout should not be penalized
+        // Communication timeouts are not agent failures - the message may have been delivered
+        const errorStr = String(context?.error || '');
+        if (toolName === 'sessions_send' && (errorStr.includes('timeout') || errorStr === 'timeout')) {
+            this.updateScore(0, `Communication timeout (sessions_send): ignored`, 'info', context);
+            return;
+        }
         // 3. Constructive Failure (Risky or failed writes)
         let delta = 0;
         switch (type) {
@@ -198,8 +207,9 @@ export class TrustEngine {
     updateScore(delta, reason, type, context) {
         const oldScore = this.scorecard.trust_score;
         this.scorecard.trust_score += delta;
-        if (this.scorecard.trust_score < 0)
-            this.scorecard.trust_score = 0;
+        // Floor score: never drop below 30 (prevents Trust collapse from cascades)
+        if (this.scorecard.trust_score < 30)
+            this.scorecard.trust_score = 30;
         if (this.scorecard.trust_score > 100)
             this.scorecard.trust_score = 100;
         this.scorecard.last_updated = new Date().toISOString();
@@ -210,6 +220,22 @@ export class TrustEngine {
             const eventLog = EventLogService.get(this.stateDir);
             eventLog.recordTrustChange(context.sessionId, { previousScore: oldScore, newScore: this.scorecard.trust_score, delta, reason });
         }
+        if (context?.sessionId) {
+            try {
+                TrajectoryRegistry.use(this.workspaceDir, (trajectory) => {
+                    trajectory.recordTrustChange({
+                        sessionId: context.sessionId,
+                        previousScore: oldScore,
+                        newScore: this.scorecard.trust_score,
+                        delta,
+                        reason,
+                    });
+                });
+            }
+            catch {
+                // Do not block trust updates if trajectory storage is unavailable.
+            }
+        }
         const limit = this.trustSettings.history_limit || 50;
         if (this.scorecard.history.length > limit) {
             this.scorecard.history.shift();

package/dist/core/workspace-context.d.ts

@@ -4,6 +4,8 @@ import { EventLog } from './event-log.js';
 import { PainDictionary } from './dictionary.js';
 import { TrustEngine } from './trust-engine.js';
 import { HygieneTracker } from './hygiene/tracker.js';
+import { EvolutionReducerImpl } from './evolution-reducer.js';
+import { TrajectoryDatabase } from './trajectory.js';
 /**
  * WorkspaceContext - Centralized management of workspace-specific paths and services.
  * Implements a cached singleton pattern per workspace directory.
@@ -18,6 +20,8 @@ export declare class WorkspaceContext {
     private _dictionary?;
     private _trust?;
     private _hygiene?;
+    private _evolutionReducer?;
+    private _trajectory?;
     private constructor();
     /**
      * Governance configuration for this workspace.
@@ -39,6 +43,15 @@ export declare class WorkspaceContext {
      * Hygiene tracking service for this workspace.
      */
     get hygiene(): HygieneTracker;
+    /**
+     * Evolution reducer singleton for this workspace.
+     */
+    get evolutionReducer(): EvolutionReducerImpl;
+    /**
+     * Trajectory database for analytics and sample curation.
+     */
+    get trajectory(): TrajectoryDatabase;
+    private getTrajectoryOptions;
     /**
      * Creates or retrieves a WorkspaceContext instance from an OpenClaw hook context.
      * Uses PathResolver to handle path normalization and fallback logic.

package/dist/core/workspace-context.js

@@ -5,6 +5,8 @@ import { EventLogService } from './event-log.js';
 import { DictionaryService } from './dictionary-service.js';
 import { TrustEngine } from './trust-engine.js';
 import { HygieneTracker } from './hygiene/tracker.js';
+import { EvolutionReducerImpl } from './evolution-reducer.js';
+import { TrajectoryRegistry } from './trajectory.js';
 /**
  * WorkspaceContext - Centralized management of workspace-specific paths and services.
  * Implements a cached singleton pattern per workspace directory.
@@ -19,6 +21,8 @@ export class WorkspaceContext {
     _dictionary;
     _trust;
     _hygiene;
+    _evolutionReducer;
+    _trajectory;
     constructor(workspaceDir, stateDir) {
         this.workspaceDir = workspaceDir;
         this.stateDir = stateDir;
@@ -68,22 +72,53 @@ export class WorkspaceContext {
         }
         return this._hygiene;
     }
+    /**
+     * Evolution reducer singleton for this workspace.
+     */
+    get evolutionReducer() {
+        if (!this._evolutionReducer) {
+            this._evolutionReducer = new EvolutionReducerImpl({ workspaceDir: this.workspaceDir });
+        }
+        return this._evolutionReducer;
+    }
+    /**
+     * Trajectory database for analytics and sample curation.
+     */
+    get trajectory() {
+        if (!this._trajectory) {
+            this._trajectory = TrajectoryRegistry.get(this.workspaceDir, this.getTrajectoryOptions());
+        }
+        return this._trajectory;
+    }
+    getTrajectoryOptions() {
+        const inlineThreshold = Number(this.config.get('trajectory.blob_inline_threshold_bytes'));
+        const busyTimeoutMs = Number(this.config.get('trajectory.busy_timeout_ms'));
+        const orphanBlobGraceDays = Number(this.config.get('trajectory.orphan_blob_grace_days'));
+        return {
+            blobInlineThresholdBytes: Number.isFinite(inlineThreshold) && inlineThreshold > 0 ? inlineThreshold : undefined,
+            busyTimeoutMs: Number.isFinite(busyTimeoutMs) && busyTimeoutMs >= 0 ? busyTimeoutMs : undefined,
+            orphanBlobGraceDays: Number.isFinite(orphanBlobGraceDays) && orphanBlobGraceDays >= 0 ? orphanBlobGraceDays : undefined,
+        };
+    }
     /**
      * Creates or retrieves a WorkspaceContext instance from an OpenClaw hook context.
      * Uses PathResolver to handle path normalization and fallback logic.
      * @throws Error if workspaceDir is missing and no fallback available.
      */
     static fromHookContext(ctx) {
+        const logger = ctx.logger;
+        const log = (msg) => logger?.info?.(msg) ?? console.log(msg);
+        const logWarn = (msg) => logger?.warn?.(msg) ?? console.warn(msg);
         let workspaceDir = ctx.workspaceDir;
         if (!workspaceDir) {
-            console.warn('[PD:WorkspaceContext] workspaceDir not provided in context, using PathResolver fallback');
+            logWarn('[PD:WorkspaceContext] workspaceDir not provided in context, using PathResolver fallback');
             workspaceDir = this.pathResolver.getWorkspaceDir();
-            console.log(`[PD:WorkspaceContext] Resolved workspaceDir to: ${workspaceDir}`);
+            log(`[PD:WorkspaceContext] Resolved workspaceDir to: ${workspaceDir}`);
         }
         else {
             const normalized = this.pathResolver.normalizeWorkspacePath(workspaceDir);
             if (normalized !== workspaceDir) {
-                console.log(`[PD:WorkspaceContext] Normalized workspaceDir: ${workspaceDir} -> ${normalized}`);
+                log(`[PD:WorkspaceContext] Normalized workspaceDir: ${workspaceDir} -> ${normalized}`);
                 workspaceDir = normalized;
             }
         }
@@ -93,11 +128,11 @@ export class WorkspaceContext {
         let stateDir = ctx.stateDir;
         if (!stateDir) {
             stateDir = resolvePdPath(workspaceDir, 'STATE_DIR');
-            console.log(`[PD:WorkspaceContext] Computed stateDir: ${stateDir}`);
+            log(`[PD:WorkspaceContext] Computed stateDir: ${stateDir}`);
         }
         const instance = new WorkspaceContext(workspaceDir, stateDir);
         this.instances.set(workspaceDir, instance);
-        console.log(`[PD:WorkspaceContext] Created new context for workspace: ${workspaceDir}`);
+        log(`[PD:WorkspaceContext] Created new context for workspace: ${workspaceDir}`);
         return instance;
     }
     /**
@@ -114,21 +149,29 @@ export class WorkspaceContext {
         this._eventLog = undefined;
         this._dictionary = undefined;
         this._trust = undefined;
+        this._evolutionReducer = undefined;
+        this._trajectory = undefined;
     }
     /**
      * Removes a workspace from the cache.
      */
     static dispose(workspaceDir) {
-        const instance = this.instances.get(workspaceDir);
+        const normalized = this.pathResolver.normalizeWorkspacePath(workspaceDir);
+        const instance = this.instances.get(normalized);
         if (instance) {
             instance.invalidate();
-            this.instances.delete(workspaceDir);
+            this.instances.delete(normalized);
         }
+        TrajectoryRegistry.dispose(normalized);
     }
     /**
      * Clears the instance cache (primarily for testing).
      */
     static clearCache() {
+        for (const instance of this.instances.values()) {
+            instance.invalidate();
+        }
         this.instances.clear();
+        TrajectoryRegistry.clear();
     }
 }

package/dist/hooks/gate.js

@@ -3,16 +3,122 @@ import * as path from 'path';
 import { isRisky, normalizePath, planStatus as getPlanStatus } from '../utils/io.js';
 import { matchesAnyPattern } from '../utils/glob-match.js';
 import { normalizeProfile } from '../core/profile.js';
-import { trackBlock, hasRecentThinking } from '../core/session-tracker.js';
+import { trackBlock, hasRecentThinking, getSession } from '../core/session-tracker.js';
 import { assessRiskLevel, estimateLineChanges } from '../core/risk-calculator.js';
 import { WorkspaceContext } from '../core/workspace-context.js';
 import { checkEvolutionGate } from '../core/evolution-engine.js';
+import { EventLogService } from '../core/event-log.js';
+// ═══ GFI Gate Tool Tiers ═══
+// TIER 0: 只读工具 - 永不拦截
+const READ_ONLY_TOOLS = new Set([
+    'read', 'read_file', 'read_many_files', 'image_read',
+    'search_file_content', 'grep', 'grep_search', 'list_directory', 'ls', 'glob',
+    'lsp_hover', 'lsp_goto_definition', 'lsp_find_references',
+    'web_fetch', 'web_search', 'ref_search_documentation', 'ref_read_url',
+    'resolve-library-id', 'get-library-docs',
+    'todo_read', 'save_memory',
+    'deep_reflect',
+]);
+// TIER 1: 低风险修改 - GFI >= low_risk_block 时拦截
+// 注意：pd_run_worker、sessions_spawn、task 是 Agent 派生工具，不应被 GFI Gate 拦截
+// 它们属于 AGENT_TOOLS，在早期过滤后直接放行
+const LOW_RISK_WRITE_TOOLS = new Set([
+    'write', 'write_file',
+    'edit', 'edit_file', 'replace', 'apply_patch', 'insert', 'patch',
+]);
+// TIER 2: 高风险操作 - GFI >= high_risk_block 时拦截
+const HIGH_RISK_TOOLS = new Set([
+    'delete_file', 'move_file',
+]);
+// TIER 3: Bash 命令 - 根据内容判断
+const BASH_TOOLS_SET = new Set([
+    'bash', 'run_shell_command', 'exec', 'execute', 'shell', 'cmd',
+]);
+/**
+ * 分析 Bash 命令风险等级
+ */
+function analyzeBashCommand(command, safePatterns, dangerousPatterns) {
+    let normalizedCmd = command.trim().toLowerCase();
+    // P2 fix: Unicode de-obfuscation — convert Cyrillic/Unicode lookalikes to ASCII equivalents
+    // Common Cyrillic lookalikes that could bypass detection: аеорсух (Cyrillic) → aeopcyx (Latin)
+    const CYRILLIC_TO_LATIN = {
+        'а': 'a', 'е': 'e', 'о': 'o', 'р': 'p', 'с': 'c', 'у': 'y', 'х': 'x',
+        'А': 'a', 'Е': 'e', 'О': 'o', 'Р': 'p', 'С': 'c', 'У': 'y', 'Х': 'x',
+        // Additional confusable chars
+        'і': 'i', 'ј': 'j', 'ѕ': 's', 'ԁ': 'd', 'ɡ': 'g', 'һ': 'h', 'ⅰ': 'i',
+        'ƚ': 'l', 'м': 'm', 'п': 'n', 'ѵ': 'v', 'ѡ': 'w', 'ᴦ': 'r', 'ꜱ': 's',
+    };
+    normalizedCmd = normalizedCmd.replace(/[а-яА-Яіјѕԁɡһⅰƚмпеꜱѵѡᴦꜱ]/g, m => CYRILLIC_TO_LATIN[m] ?? m);
+    // P2 fix: Tokenize command chain before pattern matching to catch `cmd1 && cmd2` bypasses
+    // Only split on statement separators (; && ||), NOT on pipe (|) which is part of the command
+    const tokens = normalizedCmd
+        .split(/\s*(?:;|&&|\|\|)\s*/)
+        .map(t => t.trim())
+        .filter(t => t.length > 0);
+    // If no tokens (e.g., pure pipe-only), use the original
+    const segments = tokens.length > 0 ? tokens : [normalizedCmd];
+    // P2 fix: Also strip outer $() and backticks from each segment
+    const cleanSegments = segments.map(seg => {
+        let s = seg;
+        // Strip leading $() or ${} or backtick-wrapped commands
+        s = s.replace(/^\$\([^)]+\)$/, '').replace(/^\$\{[^}]+\}$/, '').replace(/^`([^`]+)`$/, '$1');
+        return s.trim();
+    }).filter(s => s.length > 0);
+    // 1. Check dangerous patterns against each segment
+    for (const seg of cleanSegments) {
+        for (const pattern of dangerousPatterns) {
+            try {
+                if (new RegExp(pattern, 'i').test(seg)) {
+                    return 'dangerous';
+                }
+            }
+            catch {
+                // 忽略无效正则
+            }
+        }
+    }
+    // 2. Check safe patterns (only if ALL segments are safe)
+    for (const seg of cleanSegments) {
+        let isSafe = false;
+        for (const pattern of safePatterns) {
+            try {
+                if (new RegExp(pattern, 'i').test(seg)) {
+                    isSafe = true;
+                    break;
+                }
+            }
+            catch {
+                // ignore
+            }
+        }
+        if (!isSafe) {
+            // Not all segments are safe → treat as normal
+            return 'normal';
+        }
+    }
+    // All segments are safe
+    return 'safe';
+}
+/**
+ * 计算动态 GFI 阈值
+ */
+function calculateDynamicThreshold(baseThreshold, trustStage, lineChanges, config) {
+    // 1. Trust Stage 乘数
+    const stageMultiplier = config.trust_stage_multipliers[trustStage.toString()] || 1.0;
+    let threshold = baseThreshold * stageMultiplier;
+    // 2. 大规模修改降低阈值
+    if (lineChanges > config.large_change_lines) {
+        const ratio = Math.min(lineChanges / 200, 0.5); // 最多降低 50%
+        threshold = threshold * (1 - ratio);
+    }
+    return Math.round(Math.max(threshold, 0));
+}
 export function handleBeforeToolCall(event, ctx) {
     const logger = ctx.logger || console;
     // 1. Identify tool type
     const WRITE_TOOLS = ['write', 'edit', 'apply_patch', 'write_file', 'replace', 'insert', 'patch', 'edit_file', 'delete_file', 'move_file'];
     const BASH_TOOLS = ['bash', 'run_shell_command', 'exec', 'execute', 'shell', 'cmd'];
-    const AGENT_TOOLS = ['pd_spawn_agent', 'sessions_spawn'];
+    const AGENT_TOOLS = ['pd_run_worker', 'sessions_spawn'];
     const isBash = BASH_TOOLS.includes(event.toolName);
     const isWriteTool = WRITE_TOOLS.includes(event.toolName);
     const isAgentTool = AGENT_TOOLS.includes(event.toolName);
@@ -45,7 +151,7 @@ export function handleBeforeToolCall(event, ctx) {
         thinking_checkpoint: {
             enabled: false, // Default OFF
             window_ms: 5 * 60 * 1000,
-            high_risk_tools: ['run_shell_command', 'delete_file', 'move_file', 'pd_spawn_agent'],
+            high_risk_tools: ['run_shell_command', 'delete_file', 'move_file', 'pd_run_worker'],
         }
     };
     if (fs.existsSync(profilePath)) {
@@ -71,6 +177,158 @@ export function handleBeforeToolCall(event, ctx) {
             };
         }
     }
+    // ═══ GFI GATE - Hard Intercept ═══
+    // 根据 GFI (疲劳指数) 精细化拦截工具调用
+    // 注意：TIER 0 (只读工具) 已在早期过滤中放行，此处不检查
+    const gfiGateConfig = wctx.config.get('gfi_gate');
+    if (gfiGateConfig?.enabled !== false && ctx.sessionId) {
+        const session = getSession(ctx.sessionId);
+        const currentGfi = session?.currentGfi || 0;
+        // TIER 3: Bash 命令 - 根据内容判断
+        if (BASH_TOOLS_SET.has(event.toolName)) {
+            const command = String(event.params.command || event.params.args || '');
+            const bashRisk = analyzeBashCommand(command, gfiGateConfig?.bash_safe_patterns || [], gfiGateConfig?.bash_dangerous_patterns || []);
+            if (bashRisk === 'dangerous') {
+                // 危险命令 - 直接拦截
+                logger?.warn?.(`[PD:GFI_GATE] Dangerous bash command blocked: ${command.substring(0, 50)}...`);
+                return {
+                    block: true,
+                    blockReason: `[GFI Gate] 危险命令被拦截。
+
+命令: ${command.substring(0, 100)}${command.length > 100 ? '...' : ''}
+
+原因: 检测到危险命令模式，需要确认执行意图。
+
+解决方案:
+1. 如果确实需要执行，请确认操作意图后重试
+2. 使用更安全的方式（如手动操作）
+3. 咨询用户确认是否继续
+
+注意: 危险命令需要更严格的审批流程。`,
+                };
+            }
+            // safe 命令 - 放行
+            else if (bashRisk === 'safe') {
+                // 继续执行
+            }
+            // normal 命令 - 按 GFI 阈值判断
+            else {
+                const trustEngine = wctx.trust;
+                const stage = trustEngine.getStage();
+                const baseThreshold = gfiGateConfig?.thresholds?.low_risk_block || 70;
+                const dynamicThreshold = calculateDynamicThreshold(baseThreshold, stage, 0, // bash 命令没有行数概念
+                {
+                    large_change_lines: gfiGateConfig?.large_change_lines || 50,
+                    trust_stage_multipliers: gfiGateConfig?.trust_stage_multipliers || { '1': 0.5, '2': 0.75, '3': 1.0, '4': 1.5 },
+                });
+                if (currentGfi >= dynamicThreshold) {
+                    logger?.warn?.(`[PD:GFI_GATE] Bash blocked by GFI: ${currentGfi} >= ${dynamicThreshold}`);
+                    return {
+                        block: true,
+                        blockReason: `[GFI Gate] 疲劳指数过高，操作被拦截。
+
+命令: ${command.substring(0, 100)}${command.length > 100 ? '...' : ''}
+GFI: ${currentGfi}/100
+动态阈值: ${dynamicThreshold} (Stage ${stage})
+
+原因: 当前疲劳指数超过阈值，系统进入保护模式。
+
+解决方案:
+1. 执行 /pd-status reset 清零疲劳值
+2. 检查是否存在理解偏差或死循环
+3. 等待问题自然解决后再尝试
+
+注意: 这是系统级硬性拦截，AI 无法绕过。`,
+                    };
+                }
+            }
+        }
+        // TIER 2: 高风险操作 - GFI >= high_risk_block 时拦截
+        else if (HIGH_RISK_TOOLS.has(event.toolName)) {
+            const trustEngine = wctx.trust;
+            const stage = trustEngine.getStage();
+            const baseThreshold = gfiGateConfig?.thresholds?.high_risk_block || 40;
+            const dynamicThreshold = calculateDynamicThreshold(baseThreshold, stage, 0, {
+                large_change_lines: gfiGateConfig?.large_change_lines || 50,
+                trust_stage_multipliers: gfiGateConfig?.trust_stage_multipliers || { '1': 0.5, '2': 0.75, '3': 1.0, '4': 1.5 },
+            });
+            if (currentGfi >= dynamicThreshold) {
+                const filePath = event.params.file_path || event.params.path || event.params.file || event.params.target || 'unknown';
+                logger?.warn?.(`[PD:GFI_GATE] High-risk tool "${event.toolName}" blocked by GFI: ${currentGfi} >= ${dynamicThreshold}`);
+                return {
+                    block: true,
+                    blockReason: `[GFI Gate] 高风险操作被拦截。
+
+工具: ${event.toolName}
+文件: ${filePath}
+GFI: ${currentGfi}/100
+动态阈值: ${dynamicThreshold} (Stage ${stage})
+
+原因: 高风险工具需要更低的 GFI 阈值才能执行。
+
+解决方案:
+1. 执行 /pd-status reset 清零疲劳值
+2. 检查是否存在理解偏差或死循环
+3. 等待 GFI 自然衰减后重试
+
+注意: 这是系统级硬性拦截，AI 无法绕过。`,
+                };
+            }
+        }
+        // TIER 1: 低风险修改 - GFI >= low_risk_block 时拦截
+        else if (LOW_RISK_WRITE_TOOLS.has(event.toolName)) {
+            const trustEngine = wctx.trust;
+            const stage = trustEngine.getStage();
+            const lineChanges = estimateLineChanges({ toolName: event.toolName, params: event.params });
+            const baseThreshold = gfiGateConfig?.thresholds?.low_risk_block || 70;
+            const dynamicThreshold = calculateDynamicThreshold(baseThreshold, stage, lineChanges, {
+                large_change_lines: gfiGateConfig?.large_change_lines || 50,
+                trust_stage_multipliers: gfiGateConfig?.trust_stage_multipliers || { '1': 0.5, '2': 0.75, '3': 1.0, '4': 1.5 },
+            });
+            if (currentGfi >= dynamicThreshold) {
+                const filePath = event.params.file_path || event.params.path || event.params.file || event.params.target || 'unknown';
+                logger?.warn?.(`[PD:GFI_GATE] Low-risk tool "${event.toolName}" blocked by GFI: ${currentGfi} >= ${dynamicThreshold}`);
+                return {
+                    block: true,
+                    blockReason: `[GFI Gate] 疲劳指数过高，操作被拦截。
+
+工具: ${event.toolName}
+文件: ${filePath}
+GFI: ${currentGfi}/100
+动态阈值: ${dynamicThreshold} (Stage ${stage}${lineChanges > 50 ? `, ${lineChanges}行修改` : ''})
+
+原因: 当前疲劳指数超过阈值，系统进入保护模式。
+
+解决方案:
+1. 执行 /pd-status reset 清零疲劳值
+2. 检查是否存在理解偏差或死循环
+3. 等待问题自然解决后再尝试
+
+注意: 这是系统级硬性拦截，AI 无法绕过。`,
+                };
+            }
+        }
+        // AGENT_TOOLS: Block subagent spawn when GFI is critically high (P0 fix: prevent privilege escalation via spawned subagents)
+        if (isAgentTool) {
+            const AGENT_SPAWN_GFI_THRESHOLD = 90;
+            if (currentGfi >= AGENT_SPAWN_GFI_THRESHOLD) {
+                logger?.warn?.(`[PD:GFI_GATE] Agent tool "${event.toolName}" blocked by GFI: ${currentGfi} >= ${AGENT_SPAWN_GFI_THRESHOLD}`);
+                return {
+                    block: true,
+                    blockReason: `[GFI Gate] 疲劳指数过高，禁止派生子智能体。
+
+GFI: ${currentGfi}/100
+阈值: ${AGENT_SPAWN_GFI_THRESHOLD} (Stage ${wctx.trust.getStage()})
+
+原因: 高疲劳状态下派生子智能体会放大错误风险。
+
+解决方案:
+1. 执行 /pd-status reset 清零疲劳值
+2. 简化任务后重试`,
+                };
+            }
+        }
+    }
     // Merge pluginConfig (OpenClaw UI settings)
     const configRiskPaths = ctx.pluginConfig?.riskPaths ?? [];
     if (configRiskPaths.length > 0) {
@@ -112,37 +370,35 @@ export function handleBeforeToolCall(event, ctx) {
         };
         const riskLevel = assessRiskLevel(relPath, { toolName: event.toolName, params: event.params }, profile.risk_paths);
         const lineChanges = estimateLineChanges({ toolName: event.toolName, params: event.params });
+        const planApprovals = profile.progressive_gate?.plan_approvals;
+        const canUsePlanApproval = Boolean(stage === 1 &&
+            planApprovals?.enabled &&
+            getPlanStatus(ctx.workspaceDir) === 'READY' &&
+            planApprovals.allowed_operations?.includes(event.toolName) &&
+            matchesAnyPattern(relPath, planApprovals.allowed_patterns || []) &&
+            ((planApprovals.max_lines_override ?? -1) === -1 || lineChanges <= (planApprovals.max_lines_override ?? -1)));
         logger.info(`[PD_GATE] Trust: ${trustScore} (Stage ${stage}), Risk: ${riskLevel}, Path: ${relPath}`);
         // Stage 1 (Bankruptcy): Block ALL writes to risk paths, and all medium+ writes
         if (stage === 1) {
+            if (canUsePlanApproval) {
+                const planStatus = 'READY';
+                wctx.eventLog.recordPlanApproval(ctx.sessionId, {
+                    toolName: event.toolName,
+                    filePath: relPath,
+                    pattern: relPath,
+                    planStatus
+                });
+                wctx.trajectory?.recordGateBlock?.({
+                    sessionId: ctx.sessionId,
+                    toolName: event.toolName,
+                    filePath: relPath,
+                    reason: 'plan_approval',
+                    planStatus,
+                });
+                logger.info(`[PD_GATE] Stage 1 PLAN approval: ${relPath}`);
+                return;
+            }
             if (risky || riskLevel !== 'LOW') {
-                // Check if PLAN whitelist is enabled
-                if (profile.progressive_gate?.plan_approvals?.enabled) {
-                    const planApprovals = profile.progressive_gate.plan_approvals;
-                    const planStatus = getPlanStatus(ctx.workspaceDir);
-                    // Must have READY plan
-                    if (planStatus === 'READY') {
-                        // Check operation type
-                        if (planApprovals.allowed_operations?.includes(event.toolName)) {
-                            // Check path pattern
-                            if (matchesAnyPattern(relPath, planApprovals.allowed_patterns || [])) {
-                                // Check line limit (if configured)
-                                const maxLines = planApprovals.max_lines_override ?? -1;
-                                if (maxLines === -1 || lineChanges <= maxLines) {
-                                    // Record PLAN approval event
-                                    wctx.eventLog.recordPlanApproval(ctx.sessionId, {
-                                        toolName: event.toolName,
-                                        filePath: relPath,
-                                        pattern: relPath,
-                                        planStatus
-                                    });
-                                    logger.info(`[PD_GATE] Stage 1 PLAN approval: ${relPath}`);
-                                    return; // Allow the operation
-                                }
-                            }
-                        }
-                    }
-                }
                 // Block if not approved by whitelist
                 return block(relPath, `Trust score too low (${trustScore}). Stage 1 agents cannot modify risk paths or perform non-trivial edits.`, wctx, event.toolName);
             }
@@ -173,6 +429,21 @@ export function handleBeforeToolCall(event, ctx) {
         // Stage 4 (Architect): Full bypass
         if (stage === 4) {
             logger.info(`[PD_GATE] Trusted Architect bypass for ${relPath}`);
+            // Audit log for Stage 4 bypass (security traceability)
+            try {
+                const stateDir = wctx.resolve('STATE_DIR');
+                const eventLog = EventLogService.get(stateDir);
+                eventLog.recordGateBypass(ctx.sessionId, {
+                    toolName: event.toolName,
+                    filePath: relPath,
+                    bypassType: 'stage4_architect',
+                    trustScore,
+                    trustStage: stage,
+                });
+            }
+            catch (auditErr) {
+                logger?.warn?.(`[PD_GATE] Failed to record Stage 4 bypass audit: ${String(auditErr)}`);
+            }
             return;
         }
         // ── EP SIMULATION MODE (M6验证) ──

package/dist/hooks/llm.d.ts

@@ -1,4 +1,12 @@
 import { PluginHookLlmOutputEvent, PluginHookAgentContext } from '../openclaw-sdk.js';
+export interface EmpathySignal {
+    detected: boolean;
+    severity: 'mild' | 'moderate' | 'severe';
+    confidence: number;
+    reason?: string;
+    mode?: 'structured' | 'legacy_tag';
+}
+export declare function extractEmpathySignal(text: string): EmpathySignal;
 export declare function handleLlmOutput(event: PluginHookLlmOutputEvent, ctx: PluginHookAgentContext & {
     workspaceDir?: string;
 }): void;