principles-disciple 1.6.0 → 1.7.1

package/dist/hooks/gate.js

@@ -7,6 +7,7 @@ import { trackBlock, hasRecentThinking, getSession } from '../core/session-track
 import { assessRiskLevel, estimateLineChanges } from '../core/risk-calculator.js';
 import { WorkspaceContext } from '../core/workspace-context.js';
 import { checkEvolutionGate } from '../core/evolution-engine.js';
+import { EventLogService } from '../core/event-log.js';
 // ═══ GFI Gate Tool Tiers ═══
 // TIER 0: 只读工具 - 永不拦截
 const READ_ONLY_TOOLS = new Set([
@@ -19,7 +20,7 @@ const READ_ONLY_TOOLS = new Set([
     'deep_reflect',
 ]);
 // TIER 1: 低风险修改 - GFI >= low_risk_block 时拦截
-// 注意：pd_spawn_agent、sessions_spawn、task 是 Agent 派生工具，不应被 GFI Gate 拦截
+// 注意：pd_run_worker、sessions_spawn、task 是 Agent 派生工具，不应被 GFI Gate 拦截
 // 它们属于 AGENT_TOOLS，在早期过滤后直接放行
 const LOW_RISK_WRITE_TOOLS = new Set([
     'write', 'write_file',
@@ -36,32 +37,69 @@ const BASH_TOOLS_SET = new Set([
 /**
  * 分析 Bash 命令风险等级
  */
-function analyzeBashCommand(command, safePatterns, dangerousPatterns) {
-    const normalizedCmd = command.trim().toLowerCase();
-    // 1. 优先检查危险命令
-    for (const pattern of dangerousPatterns) {
-        try {
-            if (new RegExp(pattern, 'i').test(normalizedCmd)) {
+function analyzeBashCommand(command, safePatterns, dangerousPatterns, logger) {
+    let normalizedCmd = command.trim().toLowerCase();
+    // P2 fix: Unicode de-obfuscation — convert Cyrillic/Unicode lookalikes to ASCII equivalents
+    // Common Cyrillic lookalikes that could bypass detection: аеорсух (Cyrillic) → aeopcyx (Latin)
+    const CYRILLIC_TO_LATIN = {
+        'а': 'a', 'е': 'e', 'о': 'o', 'р': 'p', 'с': 'c', 'у': 'y', 'х': 'x',
+        'А': 'a', 'Е': 'e', 'О': 'o', 'Р': 'p', 'С': 'c', 'У': 'y', 'Х': 'x',
+        // Additional confusable chars
+        'і': 'i', 'ј': 'j', 'ѕ': 's', 'ԁ': 'd', 'ɡ': 'g', 'һ': 'h', 'ⅰ': 'i',
+        'ƚ': 'l', 'м': 'm', 'п': 'n', 'ѵ': 'v', 'ѡ': 'w', 'ᴦ': 'r', 'ꜱ': 's',
+    };
+    normalizedCmd = normalizedCmd.replace(/[а-яА-Яіјѕԁɡһⅰƚмпеꜱѵѡᴦꜱ]/g, m => CYRILLIC_TO_LATIN[m] ?? m);
+    // P2 fix: Tokenize command chain before pattern matching to catch `cmd1 && cmd2` bypasses
+    // Only split on statement separators (; && ||), NOT on pipe (|) which is part of the command
+    const tokens = normalizedCmd
+        .split(/\s*(?:;|&&|\|\|)\s*/)
+        .map(t => t.trim())
+        .filter(t => t.length > 0);
+    // If no tokens (e.g., pure pipe-only), use the original
+    const segments = tokens.length > 0 ? tokens : [normalizedCmd];
+    // P2 fix: Also strip outer $() and backticks from each segment
+    const cleanSegments = segments.map(seg => {
+        let s = seg;
+        // Strip leading $() or ${} or backtick-wrapped commands
+        s = s.replace(/^\$\([^)]+\)$/, '').replace(/^\$\{[^}]+\}$/, '').replace(/^`([^`]+)`$/, '$1');
+        return s.trim();
+    }).filter(s => s.length > 0);
+    // 1. Check dangerous patterns against each segment
+    for (const seg of cleanSegments) {
+        for (const pattern of dangerousPatterns) {
+            try {
+                if (new RegExp(pattern, 'i').test(seg)) {
+                    return 'dangerous';
+                }
+            }
+            catch (error) {
+                logger?.warn?.(`[PD_GATE] Invalid dangerous bash regex "${pattern}": ${String(error)}. Failing closed.`);
                 return 'dangerous';
+                // Fail-closed: 无效的危险模式正则视为匹配危险命令
             }
         }
-        catch {
-            // 忽略无效正则
-        }
     }
-    // 2. 检查安全命令
-    for (const pattern of safePatterns) {
-        try {
-            if (new RegExp(pattern, 'i').test(normalizedCmd)) {
-                return 'safe';
+    // 2. Check safe patterns (only if ALL segments are safe)
+    for (const seg of cleanSegments) {
+        let isSafe = false;
+        for (const pattern of safePatterns) {
+            try {
+                if (new RegExp(pattern, 'i').test(seg)) {
+                    isSafe = true;
+                    break;
+                }
+            }
+            catch (error) {
+                logger?.warn?.(`[PD_GATE] Invalid safe bash regex "${pattern}": ${String(error)}. Ignoring safe override.`);
             }
         }
-        catch {
-            // 忽略无效正则
+        if (!isSafe) {
+            // Not all segments are safe → treat as normal
+            return 'normal';
         }
     }
-    // 3. 默认为普通命令
-    return 'normal';
+    // All segments are safe
+    return 'safe';
 }
 /**
  * 计算动态 GFI 阈值
@@ -82,7 +120,7 @@ export function handleBeforeToolCall(event, ctx) {
     // 1. Identify tool type
     const WRITE_TOOLS = ['write', 'edit', 'apply_patch', 'write_file', 'replace', 'insert', 'patch', 'edit_file', 'delete_file', 'move_file'];
     const BASH_TOOLS = ['bash', 'run_shell_command', 'exec', 'execute', 'shell', 'cmd'];
-    const AGENT_TOOLS = ['pd_spawn_agent', 'sessions_spawn'];
+    const AGENT_TOOLS = ['pd_run_worker', 'sessions_spawn'];
     const isBash = BASH_TOOLS.includes(event.toolName);
     const isWriteTool = WRITE_TOOLS.includes(event.toolName);
     const isAgentTool = AGENT_TOOLS.includes(event.toolName);
@@ -115,7 +153,7 @@ export function handleBeforeToolCall(event, ctx) {
         thinking_checkpoint: {
             enabled: false, // Default OFF
             window_ms: 5 * 60 * 1000,
-            high_risk_tools: ['run_shell_command', 'delete_file', 'move_file', 'pd_spawn_agent'],
+            high_risk_tools: ['run_shell_command', 'delete_file', 'move_file', 'pd_run_worker'],
         }
     };
     if (fs.existsSync(profilePath)) {
@@ -151,7 +189,7 @@ export function handleBeforeToolCall(event, ctx) {
         // TIER 3: Bash 命令 - 根据内容判断
         if (BASH_TOOLS_SET.has(event.toolName)) {
             const command = String(event.params.command || event.params.args || '');
-            const bashRisk = analyzeBashCommand(command, gfiGateConfig?.bash_safe_patterns || [], gfiGateConfig?.bash_dangerous_patterns || []);
+            const bashRisk = analyzeBashCommand(command, gfiGateConfig?.bash_safe_patterns || [], gfiGateConfig?.bash_dangerous_patterns || [], logger);
             if (bashRisk === 'dangerous') {
                 // 危险命令 - 直接拦截
                 logger?.warn?.(`[PD:GFI_GATE] Dangerous bash command blocked: ${command.substring(0, 50)}...`);
@@ -272,6 +310,26 @@ GFI: ${currentGfi}/100
                 };
             }
         }
+        // AGENT_TOOLS: Block subagent spawn when GFI is critically high (P0 fix: prevent privilege escalation via spawned subagents)
+        if (isAgentTool) {
+            const AGENT_SPAWN_GFI_THRESHOLD = 90;
+            if (currentGfi >= AGENT_SPAWN_GFI_THRESHOLD) {
+                logger?.warn?.(`[PD:GFI_GATE] Agent tool "${event.toolName}" blocked by GFI: ${currentGfi} >= ${AGENT_SPAWN_GFI_THRESHOLD}`);
+                return {
+                    block: true,
+                    blockReason: `[GFI Gate] 疲劳指数过高，禁止派生子智能体。
+
+GFI: ${currentGfi}/100
+阈值: ${AGENT_SPAWN_GFI_THRESHOLD} (Stage ${wctx.trust.getStage()})
+
+原因: 高疲劳状态下派生子智能体会放大错误风险。
+
+解决方案:
+1. 执行 /pd-status reset 清零疲劳值
+2. 简化任务后重试`,
+                };
+            }
+        }
     }
     // Merge pluginConfig (OpenClaw UI settings)
     const configRiskPaths = ctx.pluginConfig?.riskPaths ?? [];
@@ -314,71 +372,17 @@ GFI: ${currentGfi}/100
         };
         const riskLevel = assessRiskLevel(relPath, { toolName: event.toolName, params: event.params }, profile.risk_paths);
         const lineChanges = estimateLineChanges({ toolName: event.toolName, params: event.params });
+        const planApprovals = profile.progressive_gate?.plan_approvals;
+        const canUsePlanApproval = Boolean(stage === 1 &&
+            planApprovals?.enabled &&
+            getPlanStatus(ctx.workspaceDir) === 'READY' &&
+            planApprovals.allowed_operations?.includes(event.toolName) &&
+            matchesAnyPattern(relPath, planApprovals.allowed_patterns || []) &&
+            ((planApprovals.max_lines_override ?? -1) === -1 || lineChanges <= (planApprovals.max_lines_override ?? -1)));
         logger.info(`[PD_GATE] Trust: ${trustScore} (Stage ${stage}), Risk: ${riskLevel}, Path: ${relPath}`);
-        // Stage 1 (Bankruptcy): Block ALL writes to risk paths, and all medium+ writes
-        if (stage === 1) {
-            if (risky || riskLevel !== 'LOW') {
-                // Check if PLAN whitelist is enabled
-                if (profile.progressive_gate?.plan_approvals?.enabled) {
-                    const planApprovals = profile.progressive_gate.plan_approvals;
-                    const planStatus = getPlanStatus(ctx.workspaceDir);
-                    // Must have READY plan
-                    if (planStatus === 'READY') {
-                        // Check operation type
-                        if (planApprovals.allowed_operations?.includes(event.toolName)) {
-                            // Check path pattern
-                            if (matchesAnyPattern(relPath, planApprovals.allowed_patterns || [])) {
-                                // Check line limit (if configured)
-                                const maxLines = planApprovals.max_lines_override ?? -1;
-                                if (maxLines === -1 || lineChanges <= maxLines) {
-                                    // Record PLAN approval event
-                                    wctx.eventLog.recordPlanApproval(ctx.sessionId, {
-                                        toolName: event.toolName,
-                                        filePath: relPath,
-                                        pattern: relPath,
-                                        planStatus
-                                    });
-                                    logger.info(`[PD_GATE] Stage 1 PLAN approval: ${relPath}`);
-                                    return; // Allow the operation
-                                }
-                            }
-                        }
-                    }
-                }
-                // Block if not approved by whitelist
-                return block(relPath, `Trust score too low (${trustScore}). Stage 1 agents cannot modify risk paths or perform non-trivial edits.`, wctx, event.toolName);
-            }
-        }
-        // Stage 2 (Editor): Block writes to risk paths. Block large changes.
-        if (stage === 2) {
-            if (risky) {
-                return block(relPath, `Stage 2 agents are not authorized to modify risk paths.`, wctx, event.toolName);
-            }
-            const stage2Limit = trustSettings.limits?.stage_2_max_lines ?? 50;
-            if (lineChanges > stage2Limit) {
-                return block(relPath, `Modification too large (${lineChanges} lines) for Stage 2. Max allowed is ${stage2Limit}.`, wctx, event.toolName);
-            }
-        }
-        // Stage 3 (Developer): Allow normal writes. Require READY plan for risk paths.
-        if (stage === 3) {
-            if (risky) {
-                const planStatus = getPlanStatus(ctx.workspaceDir);
-                if (planStatus !== 'READY') {
-                    return block(relPath, `No READY plan found. Stage 3 requires a plan for risk path modifications.`, wctx, event.toolName);
-                }
-            }
-            const stage3Limit = trustSettings.limits?.stage_3_max_lines ?? 300;
-            if (lineChanges > stage3Limit) {
-                return block(relPath, `Modification too large (${lineChanges} lines) for Stage 3. Max allowed is ${stage3Limit}.`, wctx, event.toolName);
-            }
-        }
-        // Stage 4 (Architect): Full bypass
-        if (stage === 4) {
-            logger.info(`[PD_GATE] Trusted Architect bypass for ${relPath}`);
-            return;
-        }
         // ── EP SIMULATION MODE (M6验证) ──
         // 记录EP系统的模拟决策，但不生效（仅用于对比分析）
+        // BUGFIX #90: 移到所有Stage检查之前，确保所有Stage都触发EP simulation记录
         try {
             const epDecision = checkEvolutionGate(ctx.workspaceDir, {
                 toolName: event.toolName,
@@ -416,13 +420,81 @@ GFI: ${currentGfi}/100
             const errMsg = err instanceof Error ? err.message : String(err);
             logger.warn(`[PD_EP_SIM] Simulation failed: ${errMsg}, continuing with Trust Engine`);
         }
+        // Stage 1 (Bankruptcy): Block ALL writes to risk paths, and all medium+ writes
+        if (stage === 1) {
+            if (canUsePlanApproval) {
+                const planStatus = 'READY';
+                wctx.eventLog.recordPlanApproval(ctx.sessionId, {
+                    toolName: event.toolName,
+                    filePath: relPath,
+                    pattern: relPath,
+                    planStatus
+                });
+                wctx.trajectory?.recordGateBlock?.({
+                    sessionId: ctx.sessionId,
+                    toolName: event.toolName,
+                    filePath: relPath,
+                    reason: 'plan_approval',
+                    planStatus,
+                });
+                logger.info(`[PD_GATE] Stage 1 PLAN approval: ${relPath}`);
+                return;
+            }
+            if (risky || riskLevel !== 'LOW') {
+                // Block if not approved by whitelist
+                return block(relPath, `Trust score too low (${trustScore}). Stage 1 agents cannot modify risk paths or perform non-trivial edits.`, wctx, event.toolName, ctx.sessionId);
+            }
+        }
+        // Stage 2 (Editor): Block writes to risk paths. Block large changes.
+        if (stage === 2) {
+            if (risky) {
+                return block(relPath, `Stage 2 agents are not authorized to modify risk paths.`, wctx, event.toolName, ctx.sessionId);
+            }
+            const stage2Limit = trustSettings.limits?.stage_2_max_lines ?? 50;
+            if (lineChanges > stage2Limit) {
+                return block(relPath, `Modification too large (${lineChanges} lines) for Stage 2. Max allowed is ${stage2Limit}.`, wctx, event.toolName, ctx.sessionId);
+            }
+        }
+        // Stage 3 (Developer): Allow normal writes. Require READY plan for risk paths.
+        if (stage === 3) {
+            if (risky) {
+                const planStatus = getPlanStatus(ctx.workspaceDir);
+                if (planStatus !== 'READY') {
+                    return block(relPath, `No READY plan found. Stage 3 requires a plan for risk path modifications.`, wctx, event.toolName, ctx.sessionId);
+                }
+            }
+            const stage3Limit = trustSettings.limits?.stage_3_max_lines ?? 300;
+            if (lineChanges > stage3Limit) {
+                return block(relPath, `Modification too large (${lineChanges} lines) for Stage 3. Max allowed is ${stage3Limit}.`, wctx, event.toolName, ctx.sessionId);
+            }
+        }
+        // Stage 4 (Architect): Full bypass
+        if (stage === 4) {
+            logger.info(`[PD_GATE] Trusted Architect bypass for ${relPath}`);
+            // Audit log for Stage 4 bypass (security traceability)
+            try {
+                const stateDir = wctx.resolve('STATE_DIR');
+                const eventLog = EventLogService.get(stateDir);
+                eventLog.recordGateBypass(ctx.sessionId, {
+                    toolName: event.toolName,
+                    filePath: relPath,
+                    bypassType: 'stage4_architect',
+                    trustScore,
+                    trustStage: stage,
+                });
+            }
+            catch (auditErr) {
+                logger?.warn?.(`[PD_GATE] Failed to record Stage 4 bypass audit: ${String(auditErr)}`);
+            }
+            return;
+        }
     }
     else {
         // FALLBACK: Legacy Gate Logic
         if (risky && profile.gate?.require_plan_for_risk_paths) {
             const planStatus = getPlanStatus(ctx.workspaceDir);
             if (planStatus !== 'READY') {
-                return block(relPath, `No READY plan found in PLAN.md.`, wctx, event.toolName);
+                return block(relPath, `No READY plan found in PLAN.md.`, wctx, event.toolName, ctx.sessionId);
             }
         }
     }
@@ -443,10 +515,22 @@ GFI: ${currentGfi}/100
         }
     }
 }
-function block(filePath, reason, wctx, toolName) {
+function block(filePath, reason, wctx, toolName, sessionId) {
     const logger = console;
     logger.error(`[PD_GATE] BLOCKED: ${filePath}. Reason: ${reason}`);
-    trackBlock(wctx.workspaceDir);
+    if (sessionId) {
+        trackBlock(sessionId);
+    }
+    try {
+        wctx.eventLog.recordGateBlock(sessionId, {
+            toolName,
+            filePath,
+            reason,
+        });
+    }
+    catch (error) {
+        logger.warn(`[PD_GATE] Failed to record gate block event: ${String(error)}`);
+    }
     return {
         block: true,
         blockReason: `[Principles Disciple] Security Gate Blocked this action.\nFile: ${filePath}\nReason: ${reason}\n\nHint: You may need a READY plan or a higher trust score to perform this action.`,

package/dist/hooks/llm.js

@@ -2,8 +2,11 @@ import * as fs from 'fs';
 import * as path from 'path';
 import { trackFriction, trackLlmOutput, recordThinkingCheckpoint, resetFriction } from '../core/session-tracker.js';
 import { writePainFlag } from '../core/pain.js';
+import { ControlUiDatabase } from '../core/control-ui-db.js';
 import { DetectionService } from '../core/detection-service.js';
+import { detectThinkingModelMatches, deriveThinkingScenarios } from '../core/thinking-models.js';
 import { WorkspaceContext } from '../core/workspace-context.js';
+import { sanitizeAssistantText } from './message-sanitize.js';
 const empathyDedupState = new Map();
 const empathyRateState = new Map();
 function clamp(value, min, max) {
@@ -184,6 +187,25 @@ export function handleLlmOutput(event, ctx) {
     if (!event.assistantTexts || event.assistantTexts.length === 0)
         return;
     const text = event.assistantTexts.join('\n');
+    const signal = extractEmpathySignal(text);
+    const createdAt = new Date().toISOString();
+    let assistantTurnId = null;
+    try {
+        assistantTurnId = wctx.trajectory?.recordAssistantTurn?.({
+            sessionId: ctx.sessionId,
+            runId: event.runId,
+            provider: event.provider,
+            model: event.model,
+            rawText: text,
+            sanitizedText: sanitizeAssistantText(text),
+            usageJson: event.usage || {},
+            empathySignalJson: signal,
+            createdAt,
+        });
+    }
+    catch (error) {
+        ctx.logger?.warn?.(`[PD:LLM] Failed to persist assistant turn to trajectory: ${String(error)}`);
+    }
     // ── Track B: Semantic Pain Detection (V1.3.0 Funnel) ──
     const detectionService = DetectionService.get(wctx.stateDir);
     const detection = detectionService.detect(text);
@@ -205,7 +227,6 @@ export function handleLlmOutput(event, ctx) {
     // empathy sub-pipeline (enabled by default)
     const empathyEnabled = config.get('empathy_engine.enabled');
     if (empathyEnabled !== false) {
-        const signal = extractEmpathySignal(text);
         if (signal.detected) {
             const dedupeWindow = Number(config.get('empathy_engine.dedupe_window_ms') ?? 60000);
             const deduped = shouldDedupe(ctx.sessionId, event.runId, signal, dedupeWindow);
@@ -216,7 +237,21 @@ export function handleLlmOutput(event, ctx) {
                 const calibratedScore = Math.round(weightedScore * calibrationFactor);
                 const boundedScore = applyRateLimit(ctx.sessionId, event.runId, calibratedScore, config);
                 if (boundedScore > 0) {
-                    trackFriction(ctx.sessionId, boundedScore, `user_empathy_${signal.severity}`, ctx.workspaceDir);
+                    trackFriction(ctx.sessionId, boundedScore, `user_empathy_${signal.severity}`, ctx.workspaceDir, { source: 'user_empathy' });
+                    try {
+                        wctx.trajectory?.recordPainEvent?.({
+                            sessionId: ctx.sessionId,
+                            source: 'user_empathy',
+                            score: boundedScore,
+                            reason: signal.reason || 'Assistant self-reported user emotional distress.',
+                            severity: signal.severity,
+                            origin: 'assistant_self_report',
+                            confidence: signal.confidence,
+                        });
+                    }
+                    catch (error) {
+                        ctx.logger?.warn?.(`[PD:LLM] Failed to persist empathy pain event to trajectory: ${String(error)}`);
+                    }
                     // Generate unique event ID for rollback support
                     const eventId = `emp_${Date.now()}_${Math.random().toString(36).substring(2, 8)}`;
                     eventLog.recordPainSignal(ctx.sessionId, {
@@ -263,7 +298,10 @@ export function handleLlmOutput(event, ctx) {
             const rolledBackScore = eventLog.rollbackEmpathyEvent(eventId, ctx.sessionId, 'Natural language rollback request detected', 'natural_language');
             if (rolledBackScore > 0) {
                 // Reset GFI after successful rollback
-                resetFriction(ctx.sessionId);
+                resetFriction(ctx.sessionId, ctx.workspaceDir, {
+                    source: 'user_empathy',
+                    amount: rolledBackScore,
+                });
             }
         }
     }
@@ -297,56 +335,18 @@ export function handleLlmOutput(event, ctx) {
         });
     }
     // ═══ Thinking OS: Mental Model Usage Tracking ═══
-    trackThinkingModelUsage(text, wctx, ctx.sessionId);
+    trackThinkingModelUsage({
+        text,
+        wctx,
+        sessionId: ctx.sessionId,
+        runId: event.runId,
+        assistantTurnId,
+        createdAt,
+        logger: ctx.logger,
+    });
 }
-const THINKING_MODEL_SIGNALS = {
-    'T-01': [
-        /let me (first )?(understand|map|outline|survey|review the (structure|architecture|dependencies))/i,
-        /让我先(梳理|了解|画出|理解|查看)(一下)?(结构|架构|依赖|全貌)/,
-    ],
-    'T-02': [
-        /(type|test|contract|schema|interface) (constraint|requirement|check|validation)/i,
-        /we (must|need to) (respect|follow|adhere to) the/i,
-        /(必须|需要).*?(遵守|符合|满足).*?(类型|测试|契约|接口|规范)/,
-    ],
-    'T-03': [
-        /based on (the |this )?(evidence|logs?|output|error|stack trace|test result)/i,
-        /let me (check|verify|confirm|read|look at) (the |)(actual|source|code|file|log)/i,
-        /根据(日志|证据|输出|报错|堆栈|测试结果)/,
-    ],
-    'T-04': [
-        /this (is|would be) (irreversible|destructive|permanent|not easily undone)/i,
-        /(reversible|can be undone|safely roll back)/i,
-        /(不可逆|破坏性|永久的|无法回滚|可以回滚|安全地撤销)/,
-    ],
-    'T-05': [
-        /we (must|should) (not|never|avoid|prevent|ensure we don't)/i,
-        /(critical|important) (not to|that we don't|to avoid)/i,
-        /(绝不能|必须避免|不可以|禁止|确保不会)/,
-    ],
-    'T-06': [
-        /(simpl(er|est|ify)|minimal|straightforward|lean) (approach|solution|fix|implementation)/i,
-        /(simple is better|keep it simple|no need to over)/i,
-        /(最简(单|洁)|精简|没有必要(过度|额外))/,
-    ],
-    'T-07': [
-        /(minimal|smallest|narrowest|least) (change|diff|modification|impact)/i,
-        /only (change|modify|touch|edit) (the |what)/i,
-        /(最小(改动|变更|修改)|只(改|动|修))/,
-    ],
-    'T-08': [
-        /this (error|failure|issue) (tells us|indicates|signals|suggests|means)/i,
-        /let me (stop|pause|step back|reconsider|rethink)/i,
-        /这个(错误|失败|问题)(告诉我们|表明|说明|意味)/,
-        /让我(停下|暂停|退一步|重新(考虑|思考|审视))/,
-    ],
-    'T-09': [
-        /(break|split|decompose|divide) (this |the task |it )?(into|down)/i,
-        /(step 1|first,? (we|i|let's)|phase 1)/i,
-        /(拆分|分解|分步|分阶段|第一步)/,
-    ],
-};
-function trackThinkingModelUsage(text, wctx, sessionId) {
+function trackThinkingModelUsage(args) {
+    const { text, wctx, sessionId, runId, assistantTurnId, createdAt, logger } = args;
     const logPath = wctx.resolve('THINKING_OS_USAGE');
     const logDir = path.dirname(logPath);
     if (!fs.existsSync(logDir))
@@ -360,27 +360,75 @@ function trackThinkingModelUsage(text, wctx, sessionId) {
             console.error(`[PD:LLM] Failed to parse thinking OS usage log: ${String(e)}`);
         }
     }
-    let anyMatch = false;
-    for (const [modelId, patterns] of Object.entries(THINKING_MODEL_SIGNALS)) {
-        for (const pattern of patterns) {
-            if (pattern.test(text)) {
-                usageLog[modelId] = (usageLog[modelId] || 0) + 1;
-                anyMatch = true;
-                break;
-            }
-        }
+    const matches = detectThinkingModelMatches(text);
+    for (const match of matches) {
+        usageLog[match.modelId] = (usageLog[match.modelId] || 0) + 1;
     }
     usageLog['_total_turns'] = (usageLog['_total_turns'] || 0) + 1;
-    if (anyMatch) {
-        // Record thinking checkpoint for gate enforcement
-        if (sessionId) {
-            recordThinkingCheckpoint(sessionId, wctx.workspaceDir);
-        }
-        try {
-            fs.writeFileSync(logPath, JSON.stringify(usageLog, null, 2), 'utf8');
-        }
-        catch (e) {
-            console.error(`[PD:LLM] Failed to write thinking OS usage log: ${String(e)}`);
+    try {
+        fs.writeFileSync(logPath, JSON.stringify(usageLog, null, 2), 'utf8');
+    }
+    catch (e) {
+        console.error(`[PD:LLM] Failed to write thinking OS usage log: ${String(e)}`);
+    }
+    if (matches.length === 0) {
+        return;
+    }
+    if (sessionId) {
+        recordThinkingCheckpoint(sessionId, wctx.workspaceDir);
+    }
+    if (!sessionId || !assistantTurnId) {
+        return;
+    }
+    const uiDb = new ControlUiDatabase({ workspaceDir: wctx.workspaceDir });
+    try {
+        const recentContext = uiDb.getRecentThinkingContext(sessionId, createdAt);
+        const toolContext = recentContext.toolCalls.map((call) => ({
+            toolName: call.toolName,
+            outcome: call.outcome,
+            errorType: call.errorType,
+        }));
+        const painContext = recentContext.painEvents.map((event) => ({
+            source: event.source,
+            score: event.score,
+        }));
+        const principleContext = recentContext.principleEvents.map((event) => ({
+            principleId: event.principleId,
+            eventType: event.eventType,
+        }));
+        const triggerExcerpt = text.length > 280 ? `${text.slice(0, 277)}...` : text;
+        for (const match of matches) {
+            const scenarios = deriveThinkingScenarios(match.modelId, {
+                recentToolCalls: toolContext,
+                recentPainEvents: painContext,
+                recentGateBlocks: recentContext.gateBlocks.map((block) => ({
+                    toolName: block.toolName,
+                    reason: block.reason,
+                })),
+                recentUserCorrections: recentContext.userCorrections.map((correction) => ({
+                    correctionCue: correction.correctionCue,
+                })),
+                recentPrincipleEvents: principleContext,
+            });
+            uiDb.recordThinkingModelEvent({
+                sessionId,
+                runId,
+                assistantTurnId,
+                modelId: match.modelId,
+                matchedPattern: match.matchedPattern,
+                scenarioJson: scenarios,
+                toolContextJson: toolContext,
+                painContextJson: painContext,
+                principleContextJson: principleContext,
+                triggerExcerpt,
+                createdAt,
+            });
         }
     }
+    catch (error) {
+        logger?.warn?.(`[PD:LLM] Failed to persist thinking model events: ${String(error)}`);
+    }
+    finally {
+        uiDb.dispose();
+    }
 }