runtrim 0.1.16 → 0.1.17

package/dist-cli/runtrim.cjs

@@ -169,6 +169,22 @@ var ENV_FILE_RE = /(?:^|[\s"'`,(])(\.[.]?env(?:\.[a-zA-Z\d]+)?)\b/g;
 var ONLY_EDIT_RE = /\bonly\s+(?:edit|touch|modify|change|update|fix)\b/i;
 var MUST_INCLUDE_RE = /\ballowed\s+scope\s+(?:must\s+)?include\b|\bmust\s+(?:include|contain)\b/i;
 var CLI_SCOPE_RE = /\b(cli|command routing|runtrim command|run compiler|contract generation|scope inference|preview command|agent preview command|agent apply|adapters?|auto-guard|bridge helpers?|daemon|local server|localhost|\.runtrim(?:\s+artifacts?)?)\b/i;
+var NEGATION_PREFIX_RE = /\b(do not|don't|dont|never|avoid|must not|should not|without changing|without touching|no changes to|keep .* untouched|leave .* untouched|keep .* unchanged)\b/i;
+function hasNegationNear(text, index) {
+  const start = Math.max(0, index - 64);
+  const window = text.slice(start, index + 8);
+  return NEGATION_PREFIX_RE.test(window);
+}
+function hasPositiveKeywordMention(task, keyword) {
+  const lowerTask = task.toLowerCase();
+  const lowerKeyword = keyword.toLowerCase();
+  let idx = lowerTask.indexOf(lowerKeyword);
+  while (idx !== -1) {
+    if (!hasNegationNear(lowerTask, idx)) return true;
+    idx = lowerTask.indexOf(lowerKeyword, idx + lowerKeyword.length);
+  }
+  return false;
+}
 function extractScopePhrase(task, re) {
   var _a2, _b;
   const m = task.match(re);
@@ -226,18 +242,34 @@ function buildExplicitAllowedScope(task, explicitPaths) {
 }
 function buildExplicitForbiddenScope(task) {
   const out = [];
-  const forbiddenPhrase = extractScopePhrase(task, /\bforbidden\s+scope\s+must\s+include\s+([^\n.]+)/i);
-  if (forbiddenPhrase) out.push(forbiddenPhrase);
-  const doNotTouch = extractScopePhrase(task, /\bdo\s+not\s+touch\s+([^\n.]+)/i);
-  if (doNotTouch) out.push(`Do not touch ${doNotTouch}`);
-  const doNotEdit = extractScopePhrase(task, /\bdo\s+not\s+edit\s+([^\n.]+)/i);
-  if (doNotEdit) out.push(`Do not edit ${doNotEdit}`);
-  const withoutTouching = extractScopePhrase(task, /\bwithout\s+touching\s+([^\n.]+)/i);
-  if (withoutTouching) out.push(`Without touching ${withoutTouching}`);
-  const exclude = extractScopePhrase(task, /\bexclude\s+([^\n.]+)/i);
-  if (exclude) out.push(`Exclude ${exclude}`);
-  const forbidden = extractScopePhrase(task, /\bforbidden\s+([^\n.]+)/i);
-  if (forbidden) out.push(`Forbidden ${forbidden}`);
+  const addBoundaryList = (raw) => {
+    if (!raw) return;
+    const normalized = raw.replace(/\b(logic|internals?|behavior|files?|systems?)\b/gi, "").replace(/\s+/g, " ").trim();
+    const parts = normalized.split(/\s*(?:,|;|\band\b|\bor\b)\s*/i).map((p) => p.trim().replace(/[.]+$/, "")).filter(Boolean).slice(0, 12);
+    for (const p of parts) {
+      if (p.length < 2) continue;
+      out.push(`Do not touch ${p}`);
+    }
+  };
+  const explicitPhrases = [
+    /\bforbidden\s+scope\s+must\s+include\s+([^\n.]+)/i,
+    /\bdo\s+not\s+touch\s+([^\n.]+)/i,
+    /\bdo\s+not\s+edit\s+([^\n.]+)/i,
+    /\bdo\s+not\s+change\s+([^\n.]+)/i,
+    /\bmust\s+not\s+touch\s+([^\n.]+)/i,
+    /\bshould\s+not\s+touch\s+([^\n.]+)/i,
+    /\bwithout\s+changing\s+([^\n.]+)/i,
+    /\bwithout\s+touching\s+([^\n.]+)/i,
+    /\bno\s+changes\s+to\s+([^\n.]+)/i,
+    /\bkeep\s+([^\n.]+?)\s+(?:untouched|unchanged)\b/i,
+    /\bleave\s+([^\n.]+?)\s+untouched\b/i,
+    /\bavoid\s+changing\s+([^\n.]+)/i,
+    /\bexclude\s+([^\n.]+)/i,
+    /\bforbidden\s+([^\n.]+)/i
+  ];
+  for (const re of explicitPhrases) {
+    addBoundaryList(extractScopePhrase(task, re));
+  }
   return [...new Set(out)];
 }
 function extractExplicitPaths(task) {
@@ -469,11 +501,10 @@ var CATEGORY_KEYWORDS = [
 ];
 function classifyTaskCategory(task, explicitPaths) {
   const lower = task.toLowerCase();
-  if (CLI_SCOPE_RE.test(task)) return "cli";
   const pathHints = explicitPaths.join(" ").toLowerCase();
   for (const [category, keywords] of CATEGORY_KEYWORDS) {
     const combined = lower + " " + pathHints;
-    if (keywords.some((kw) => combined.includes(kw))) {
+    if (keywords.some((kw) => hasPositiveKeywordMention(combined, kw))) {
       return category;
     }
   }
@@ -716,6 +747,28 @@ var LOOP_PATTERNS = [
   /\b(keep (trying|going|working)|iterate until|loop until|retry)\b/i,
   /\b(if it doesn.t work.{0,20}try again)\b/i
 ];
+var NEGATION_PREFIX_RE2 = /\b(do not|don't|dont|never|avoid|must not|should not|without changing|without touching|no changes to|keep .* untouched|leave .* untouched|keep .* unchanged)\b/i;
+function hasNegationNear2(text, index) {
+  const start = Math.max(0, index - 64);
+  const window = text.slice(start, index + 8);
+  return NEGATION_PREFIX_RE2.test(window);
+}
+function hasPositiveKeywordMention2(taskLower, keyword) {
+  let idx = taskLower.indexOf(keyword.toLowerCase());
+  while (idx !== -1) {
+    if (!hasNegationNear2(taskLower, idx)) return true;
+    idx = taskLower.indexOf(keyword.toLowerCase(), idx + keyword.length);
+  }
+  return false;
+}
+function hasNegatedKeywordMention(taskLower, keyword) {
+  let idx = taskLower.indexOf(keyword.toLowerCase());
+  while (idx !== -1) {
+    if (hasNegationNear2(taskLower, idx)) return true;
+    idx = taskLower.indexOf(keyword.toLowerCase(), idx + keyword.length);
+  }
+  return false;
+}
 function scoreTask(task, flags) {
   let score = 100;
   for (const flag of flags) {
@@ -776,7 +829,7 @@ function detectProjectContext(cwd = process.cwd()) {
 function detectMegaRun(taskLower, task) {
   const found = [];
   for (const [system, keywords] of Object.entries(MEGA_RUN_SYSTEMS)) {
-    if (keywords.some((kw) => taskLower.includes(kw))) {
+    if (keywords.some((kw) => hasPositiveKeywordMention2(taskLower, kw))) {
       found.push(system);
     }
   }
@@ -787,17 +840,24 @@ function detectMegaRun(taskLower, task) {
 function detectAreasTouched(taskLower) {
   const forbidden = [];
   const sensitive = [];
+  const boundaries = [];
   for (const [area, keywords] of Object.entries(ALWAYS_FORBIDDEN_KEYWORDS)) {
-    if (keywords.some((kw) => taskLower.includes(kw))) {
+    if (keywords.some((kw) => hasPositiveKeywordMention2(taskLower, kw))) {
       forbidden.push(area);
     }
+    if (keywords.some((kw) => hasNegatedKeywordMention(taskLower, kw))) {
+      boundaries.push(area);
+    }
   }
   for (const [area, keywords] of Object.entries(SENSITIVE_BILLING_KEYWORDS)) {
-    if (keywords.some((kw) => taskLower.includes(kw))) {
+    if (keywords.some((kw) => hasPositiveKeywordMention2(taskLower, kw))) {
       sensitive.push(area);
     }
+    if (keywords.some((kw) => hasNegatedKeywordMention(taskLower, kw))) {
+      boundaries.push(area);
+    }
   }
-  return { forbidden, sensitive };
+  return { forbidden, sensitive, boundaries: [...new Set(boundaries)] };
 }
 function auditTask(task, config, cwd = process.cwd()) {
   const flags = [];
@@ -887,7 +947,7 @@ function auditTask(task, config, cwd = process.cwd()) {
       detail: "References to full context or entire conversation force expensive context loading."
     });
   }
-  const { forbidden: forbiddenAreasTouched, sensitive: sensitiveAreasRelevant } = detectAreasTouched(taskLower);
+  const { forbidden: forbiddenAreasTouched, sensitive: sensitiveAreasRelevant, boundaries } = detectAreasTouched(taskLower);
   if (forbiddenAreasTouched.length > 0) {
     flags.push({
       code: "touches_forbidden_area",
@@ -904,6 +964,14 @@ function auditTask(task, config, cwd = process.cwd()) {
       detail: `Task touches ${sensitiveAreasRelevant.join(", ")}. These are moved to SENSITIVE SCOPE: inspect allowed, editing requires explicit approval.`
     });
   }
+  if (boundaries.length > 0) {
+    flags.push({
+      code: "forbidden_boundaries_detected",
+      label: `Boundaries detected: ${boundaries.join(", ")}`,
+      severity: "info",
+      detail: "Sensitive systems in negated constraints are treated as forbidden boundaries, not active task scope."
+    });
+  }
   const isSimpleTask = task.length < 80 && flags.filter((f) => f.severity === "critical").length === 0;
   if (isSimpleTask && config.defaultModel === "opus") {
     flags.push({
@@ -981,6 +1049,10 @@ function scoreToRisk2(score) {
 }
 function cleanObjective(task) {
   let t = task.trim();
+  t = t.replace(
+    /(?:^|[\s,.])(do not|don't|dont|must not|should not|without changing|without touching|no changes to|keep .*? unchanged|keep .*? untouched|leave .*? untouched|avoid changing)\b[^.]*\.?/gi,
+    " "
+  );
   t = t.replace(/,?\s*check everything(\s+and\b)?/gi, "");
   t = t.replace(/,?\s*(look|search|scan)\s+everywhere(\s+and\b)?/gi, "");
   t = t.replace(/,?\s*review everything(\s+and\b)?/gi, "");
@@ -4661,21 +4733,21 @@ var MEDIUM_PATH_PATTERNS = [
 ];
 function classifyFileRisk(files) {
   if (files.length === 0) return "low";
-  let maxRisk = "low";
+  let maxRisk2 = "low";
   for (const f of files) {
     const norm = f.replace(/\\/g, "/").toLowerCase();
     if (CRITICAL_PATH_PATTERNS.some((p) => norm.includes(p))) {
       return "critical";
     }
-    if (HIGH_PATH_PATTERNS.some((p) => norm.includes(p)) && maxRisk !== "high") {
-      maxRisk = "high";
+    if (HIGH_PATH_PATTERNS.some((p) => norm.includes(p)) && maxRisk2 !== "high") {
+      maxRisk2 = "high";
       continue;
     }
-    if (MEDIUM_PATH_PATTERNS.some((p) => norm.includes(p)) && maxRisk === "low") {
-      maxRisk = "medium";
+    if (MEDIUM_PATH_PATTERNS.some((p) => norm.includes(p)) && maxRisk2 === "low") {
+      maxRisk2 = "medium";
     }
   }
-  return maxRisk;
+  return maxRisk2;
 }
 function isSensitivePath(filePath) {
   const norm = filePath.replace(/\\/g, "/").toLowerCase();
@@ -5018,6 +5090,24 @@ function getLearningContext(cwd, task, runs) {
 // src/lib/run-planner.ts
 var FAST_PATH_CATEGORIES = /* @__PURE__ */ new Set(["ui", "docs", "tests", "unknown"]);
 var ALWAYS_CONTRACT_CATEGORIES = /* @__PURE__ */ new Set(["auth", "billing", "payment", "webhook", "database", "env", "middleware"]);
+var RISK_ORDER = ["low", "medium", "high", "critical"];
+var NEGATION_PREFIX_RE3 = /\b(do not|don't|dont|never|avoid|must not|should not|without changing|without touching|no changes to|keep .* untouched|leave .* untouched|keep .* unchanged)\b/i;
+function maxRisk(a, b) {
+  return RISK_ORDER[Math.max(RISK_ORDER.indexOf(a), RISK_ORDER.indexOf(b))];
+}
+function hasNegationNear3(text, index) {
+  const start = Math.max(0, index - 64);
+  const window = text.slice(start, index + 8);
+  return NEGATION_PREFIX_RE3.test(window);
+}
+function hasPositiveKeywordMention3(taskLower, keyword) {
+  let idx = taskLower.indexOf(keyword.toLowerCase());
+  while (idx !== -1) {
+    if (!hasNegationNear3(taskLower, idx)) return true;
+    idx = taskLower.indexOf(keyword.toLowerCase(), idx + keyword.length);
+  }
+  return false;
+}
 function isFastPathEligible(risk, category, guardMode, hasExplicitPaths) {
   if (guardMode === "strict") return false;
   if (guardMode === "off") return true;
@@ -5033,8 +5123,16 @@ function generatePlan(cwd, task, runs, config, currentChangedFiles) {
   const compiler = compileTask(task);
   const guardMode = (_a2 = config.autoGuardMode) != null ? _a2 : "smart";
   const adapters = detectAdapters(cwd);
-  const riskFiles = compiler.explicitPaths.length > 0 ? compiler.explicitPaths : currentChangedFiles.length > 0 ? currentChangedFiles : [];
-  const rawRisk = classifyFileRisk(riskFiles);
+  const riskFiles = compiler.explicitPaths.length > 0 ? compiler.explicitPaths : [];
+  let rawRisk = classifyFileRisk(riskFiles);
+  if (ALWAYS_CONTRACT_CATEGORIES.has(compiler.taskCategory)) {
+    rawRisk = maxRisk(rawRisk, "high");
+  }
+  const lowerTask = task.toLowerCase();
+  const criticalSystemMentions = ["auth", "billing", "payment", "webhook", "database", "migration", "middleware"].filter((k) => hasPositiveKeywordMention3(lowerTask, k)).length;
+  if (criticalSystemMentions >= 2) {
+    rawRisk = maxRisk(rawRisk, "critical");
+  }
   const catScope = buildCategoryScope(
     compiler.taskCategory,
     true,
@@ -5158,6 +5256,22 @@ var FAST_LOCAL_KEYWORDS = [
   "responsive",
   "ui polish"
 ];
+var NEGATION_PREFIX_RE4 = /\b(do not|don't|dont|never|avoid|must not|should not|without changing|without touching|no changes to|keep .* untouched|leave .* untouched|keep .* unchanged)\b/i;
+function hasNegationNear4(text, index) {
+  const start = Math.max(0, index - 64);
+  const window = text.slice(start, index + 8);
+  return NEGATION_PREFIX_RE4.test(window);
+}
+function hasPositiveKeywordMention4(task, keyword) {
+  const lowerTask = task.toLowerCase();
+  const lowerKeyword = keyword.toLowerCase();
+  let idx = lowerTask.indexOf(lowerKeyword);
+  while (idx !== -1) {
+    if (!hasNegationNear4(lowerTask, idx)) return true;
+    idx = lowerTask.indexOf(lowerKeyword, idx + lowerKeyword.length);
+  }
+  return false;
+}
 function normalize(s) {
   return (s != null ? s : "").toLowerCase();
 }
@@ -5216,9 +5330,9 @@ function recommendProviderRouting(ctx) {
   const changedFiles = (_d = ctx.changedFiles) != null ? _d : [];
   const learnedContext = (_e = ctx.learnedContext) != null ? _e : [];
   const hasProofGapSignals = proofRequired.some((p) => /proof gap|missing|vercel log|manual verification/i.test(p));
-  const highRiskByKeyword = HIGH_RISK_KEYWORDS.some((k) => task.includes(k) || category.includes(k));
+  const highRiskByKeyword = HIGH_RISK_KEYWORDS.some((k) => hasPositiveKeywordMention4(task, k) || hasPositiveKeywordMention4(category, k));
   const fastKeyword = FAST_LOCAL_KEYWORDS.some((k) => task.includes(k));
-  const multiCritical = ["auth", "billing", "database", "webhook", "payment", "migration"].filter((k) => task.includes(k)).length >= 2;
+  const multiCritical = ["auth", "billing", "database", "webhook", "payment", "migration"].filter((k) => hasPositiveKeywordMention4(task, k)).length >= 2;
   const broadTask = !ctx.explicitScope && task.split(/\s+/).length > 16;
   const hasSensitiveFiles = sensitiveAreas.length > 0 || changedFiles.some((f) => HIGH_RISK_KEYWORDS.some((k) => normalize(f).includes(k)));
   const noLearning = learnedContext.length === 0 && ((_f = ctx.similarRunsCount) != null ? _f : 0) === 0;
@@ -5483,6 +5597,19 @@ async function getSensitivePathStates(cwd) {
     return /* @__PURE__ */ new Map();
   }
 }
+function extractBoundaryLabels(forbiddenScope) {
+  const labels = /* @__PURE__ */ new Set();
+  for (const line of forbiddenScope) {
+    const lower = line.toLowerCase();
+    if (lower.includes("billing") || lower.includes("subscription") || lower.includes("payment")) labels.add("billing");
+    if (lower.includes("auth") || lower.includes("session") || lower.includes("jwt")) labels.add("auth");
+    if (lower.includes("middleware") || lower.includes("proxy")) labels.add("middleware");
+    if (lower.includes(".env") || lower.includes("secret")) labels.add("env");
+    if (lower.includes("cli")) labels.add("cli");
+    if (lower.includes("mcp")) labels.add("mcp");
+  }
+  return [...labels];
+}
 function nowId() {
   const d = /* @__PURE__ */ new Date();
   const pad = (n) => String(n).padStart(2, "0");
@@ -5544,8 +5671,21 @@ function buildApprovalLevel(risk, task, category) {
   const text = `${task}
 ${category}`.toLowerCase();
   const highSystems = ["auth", "billing", "payment", "dodo", "stripe", "webhook", "database", "migration", "rls", "middleware", "env", "secret"];
+  const hasNegationNear5 = (source, index) => {
+    const start = Math.max(0, index - 64);
+    const window = source.slice(start, index + 8);
+    return /\b(do not|don't|dont|never|avoid|must not|should not|without changing|without touching|no changes to|keep .* untouched|leave .* untouched|keep .* unchanged)\b/i.test(window);
+  };
+  const hasPositiveKeyword = (source, keyword) => {
+    let idx = source.indexOf(keyword);
+    while (idx !== -1) {
+      if (!hasNegationNear5(source, idx)) return true;
+      idx = source.indexOf(keyword, idx + keyword.length);
+    }
+    return false;
+  };
   if (risk === "high" || risk === "critical") return "required";
-  if (highSystems.some((k) => text.includes(k))) return "required";
+  if (highSystems.some((k) => hasPositiveKeyword(text, k))) return "required";
   if (risk === "medium") return "recommended";
   return "no";
 }
@@ -5586,6 +5726,7 @@ function writePreviewArtifacts(cwd, preview) {
     "",
     "Forbidden:",
     ...preview.forbiddenScope.length > 0 ? preview.forbiddenScope.slice(0, 8).map((f) => `- ${f}`) : ["- none"],
+    ...preview.boundariesDetected.length > 0 ? ["", `Boundaries detected: ${preview.boundariesDetected.join(", ")} will be forbidden, not treated as active scope.`] : [],
     "",
     "Learned context:",
     ...preview.learnedContext.length > 0 ? preview.learnedContext.map((x) => `- ${x}`) : ["- learning not available yet"],
@@ -5625,6 +5766,9 @@ async function runAgentPreview(task) {
   console.log("");
   console.log(GO_ACCENT.bold("Forbidden"));
   for (const item of preview.forbiddenScope.slice(0, 6)) console.log(DIM("  - ") + chalk.white(item));
+  if (preview.boundariesDetected.length > 0) {
+    console.log(DIM("  Boundaries detected: ") + chalk.white(`${preview.boundariesDetected.join(", ")} will be forbidden, not treated as active scope.`));
+  }
   console.log("");
   console.log(GO_ACCENT.bold("Patch strategy"));
   for (let i = 0; i < preview.patchStrategy.length; i += 1) {
@@ -5689,6 +5833,7 @@ async function buildAgentPreview(task) {
     filesToInspect,
     allowedScope: contract.contract.relevantScope,
     forbiddenScope: contract.contract.forbiddenScope,
+    boundariesDetected: extractBoundaryLabels(contract.contract.forbiddenScope),
     sensitiveAreas: [...contract.contract.sensitiveScope, ...plan.sensitiveAreas].slice(0, 10),
     stopRules: contract.contract.stopRules,
     successCriteria: contract.contract.successCriteria,

package/dist-cli/runtrim.js

@@ -148,6 +148,22 @@ var ENV_FILE_RE = /(?:^|[\s"'`,(])(\.[.]?env(?:\.[a-zA-Z\d]+)?)\b/g;
 var ONLY_EDIT_RE = /\bonly\s+(?:edit|touch|modify|change|update|fix)\b/i;
 var MUST_INCLUDE_RE = /\ballowed\s+scope\s+(?:must\s+)?include\b|\bmust\s+(?:include|contain)\b/i;
 var CLI_SCOPE_RE = /\b(cli|command routing|runtrim command|run compiler|contract generation|scope inference|preview command|agent preview command|agent apply|adapters?|auto-guard|bridge helpers?|daemon|local server|localhost|\.runtrim(?:\s+artifacts?)?)\b/i;
+var NEGATION_PREFIX_RE = /\b(do not|don't|dont|never|avoid|must not|should not|without changing|without touching|no changes to|keep .* untouched|leave .* untouched|keep .* unchanged)\b/i;
+function hasNegationNear(text, index) {
+  const start = Math.max(0, index - 64);
+  const window = text.slice(start, index + 8);
+  return NEGATION_PREFIX_RE.test(window);
+}
+function hasPositiveKeywordMention(task, keyword) {
+  const lowerTask = task.toLowerCase();
+  const lowerKeyword = keyword.toLowerCase();
+  let idx = lowerTask.indexOf(lowerKeyword);
+  while (idx !== -1) {
+    if (!hasNegationNear(lowerTask, idx)) return true;
+    idx = lowerTask.indexOf(lowerKeyword, idx + lowerKeyword.length);
+  }
+  return false;
+}
 function extractScopePhrase(task, re) {
   var _a2, _b;
   const m = task.match(re);
@@ -205,18 +221,34 @@ function buildExplicitAllowedScope(task, explicitPaths) {
 }
 function buildExplicitForbiddenScope(task) {
   const out = [];
-  const forbiddenPhrase = extractScopePhrase(task, /\bforbidden\s+scope\s+must\s+include\s+([^\n.]+)/i);
-  if (forbiddenPhrase) out.push(forbiddenPhrase);
-  const doNotTouch = extractScopePhrase(task, /\bdo\s+not\s+touch\s+([^\n.]+)/i);
-  if (doNotTouch) out.push(`Do not touch ${doNotTouch}`);
-  const doNotEdit = extractScopePhrase(task, /\bdo\s+not\s+edit\s+([^\n.]+)/i);
-  if (doNotEdit) out.push(`Do not edit ${doNotEdit}`);
-  const withoutTouching = extractScopePhrase(task, /\bwithout\s+touching\s+([^\n.]+)/i);
-  if (withoutTouching) out.push(`Without touching ${withoutTouching}`);
-  const exclude = extractScopePhrase(task, /\bexclude\s+([^\n.]+)/i);
-  if (exclude) out.push(`Exclude ${exclude}`);
-  const forbidden = extractScopePhrase(task, /\bforbidden\s+([^\n.]+)/i);
-  if (forbidden) out.push(`Forbidden ${forbidden}`);
+  const addBoundaryList = (raw) => {
+    if (!raw) return;
+    const normalized = raw.replace(/\b(logic|internals?|behavior|files?|systems?)\b/gi, "").replace(/\s+/g, " ").trim();
+    const parts = normalized.split(/\s*(?:,|;|\band\b|\bor\b)\s*/i).map((p) => p.trim().replace(/[.]+$/, "")).filter(Boolean).slice(0, 12);
+    for (const p of parts) {
+      if (p.length < 2) continue;
+      out.push(`Do not touch ${p}`);
+    }
+  };
+  const explicitPhrases = [
+    /\bforbidden\s+scope\s+must\s+include\s+([^\n.]+)/i,
+    /\bdo\s+not\s+touch\s+([^\n.]+)/i,
+    /\bdo\s+not\s+edit\s+([^\n.]+)/i,
+    /\bdo\s+not\s+change\s+([^\n.]+)/i,
+    /\bmust\s+not\s+touch\s+([^\n.]+)/i,
+    /\bshould\s+not\s+touch\s+([^\n.]+)/i,
+    /\bwithout\s+changing\s+([^\n.]+)/i,
+    /\bwithout\s+touching\s+([^\n.]+)/i,
+    /\bno\s+changes\s+to\s+([^\n.]+)/i,
+    /\bkeep\s+([^\n.]+?)\s+(?:untouched|unchanged)\b/i,
+    /\bleave\s+([^\n.]+?)\s+untouched\b/i,
+    /\bavoid\s+changing\s+([^\n.]+)/i,
+    /\bexclude\s+([^\n.]+)/i,
+    /\bforbidden\s+([^\n.]+)/i
+  ];
+  for (const re of explicitPhrases) {
+    addBoundaryList(extractScopePhrase(task, re));
+  }
   return [...new Set(out)];
 }
 function extractExplicitPaths(task) {
@@ -448,11 +480,10 @@ var CATEGORY_KEYWORDS = [
 ];
 function classifyTaskCategory(task, explicitPaths) {
   const lower = task.toLowerCase();
-  if (CLI_SCOPE_RE.test(task)) return "cli";
   const pathHints = explicitPaths.join(" ").toLowerCase();
   for (const [category, keywords] of CATEGORY_KEYWORDS) {
     const combined = lower + " " + pathHints;
-    if (keywords.some((kw) => combined.includes(kw))) {
+    if (keywords.some((kw) => hasPositiveKeywordMention(combined, kw))) {
       return category;
     }
   }
@@ -695,6 +726,28 @@ var LOOP_PATTERNS = [
   /\b(keep (trying|going|working)|iterate until|loop until|retry)\b/i,
   /\b(if it doesn.t work.{0,20}try again)\b/i
 ];
+var NEGATION_PREFIX_RE2 = /\b(do not|don't|dont|never|avoid|must not|should not|without changing|without touching|no changes to|keep .* untouched|leave .* untouched|keep .* unchanged)\b/i;
+function hasNegationNear2(text, index) {
+  const start = Math.max(0, index - 64);
+  const window = text.slice(start, index + 8);
+  return NEGATION_PREFIX_RE2.test(window);
+}
+function hasPositiveKeywordMention2(taskLower, keyword) {
+  let idx = taskLower.indexOf(keyword.toLowerCase());
+  while (idx !== -1) {
+    if (!hasNegationNear2(taskLower, idx)) return true;
+    idx = taskLower.indexOf(keyword.toLowerCase(), idx + keyword.length);
+  }
+  return false;
+}
+function hasNegatedKeywordMention(taskLower, keyword) {
+  let idx = taskLower.indexOf(keyword.toLowerCase());
+  while (idx !== -1) {
+    if (hasNegationNear2(taskLower, idx)) return true;
+    idx = taskLower.indexOf(keyword.toLowerCase(), idx + keyword.length);
+  }
+  return false;
+}
 function scoreTask(task, flags) {
   let score = 100;
   for (const flag of flags) {
@@ -755,7 +808,7 @@ function detectProjectContext(cwd = process.cwd()) {
 function detectMegaRun(taskLower, task) {
   const found = [];
   for (const [system, keywords] of Object.entries(MEGA_RUN_SYSTEMS)) {
-    if (keywords.some((kw) => taskLower.includes(kw))) {
+    if (keywords.some((kw) => hasPositiveKeywordMention2(taskLower, kw))) {
       found.push(system);
     }
   }
@@ -766,17 +819,24 @@ function detectMegaRun(taskLower, task) {
 function detectAreasTouched(taskLower) {
   const forbidden = [];
   const sensitive = [];
+  const boundaries = [];
   for (const [area, keywords] of Object.entries(ALWAYS_FORBIDDEN_KEYWORDS)) {
-    if (keywords.some((kw) => taskLower.includes(kw))) {
+    if (keywords.some((kw) => hasPositiveKeywordMention2(taskLower, kw))) {
       forbidden.push(area);
     }
+    if (keywords.some((kw) => hasNegatedKeywordMention(taskLower, kw))) {
+      boundaries.push(area);
+    }
   }
   for (const [area, keywords] of Object.entries(SENSITIVE_BILLING_KEYWORDS)) {
-    if (keywords.some((kw) => taskLower.includes(kw))) {
+    if (keywords.some((kw) => hasPositiveKeywordMention2(taskLower, kw))) {
       sensitive.push(area);
     }
+    if (keywords.some((kw) => hasNegatedKeywordMention(taskLower, kw))) {
+      boundaries.push(area);
+    }
   }
-  return { forbidden, sensitive };
+  return { forbidden, sensitive, boundaries: [...new Set(boundaries)] };
 }
 function auditTask(task, config, cwd = process.cwd()) {
   const flags = [];
@@ -866,7 +926,7 @@ function auditTask(task, config, cwd = process.cwd()) {
       detail: "References to full context or entire conversation force expensive context loading."
     });
   }
-  const { forbidden: forbiddenAreasTouched, sensitive: sensitiveAreasRelevant } = detectAreasTouched(taskLower);
+  const { forbidden: forbiddenAreasTouched, sensitive: sensitiveAreasRelevant, boundaries } = detectAreasTouched(taskLower);
   if (forbiddenAreasTouched.length > 0) {
     flags.push({
       code: "touches_forbidden_area",
@@ -883,6 +943,14 @@ function auditTask(task, config, cwd = process.cwd()) {
       detail: `Task touches ${sensitiveAreasRelevant.join(", ")}. These are moved to SENSITIVE SCOPE: inspect allowed, editing requires explicit approval.`
     });
   }
+  if (boundaries.length > 0) {
+    flags.push({
+      code: "forbidden_boundaries_detected",
+      label: `Boundaries detected: ${boundaries.join(", ")}`,
+      severity: "info",
+      detail: "Sensitive systems in negated constraints are treated as forbidden boundaries, not active task scope."
+    });
+  }
   const isSimpleTask = task.length < 80 && flags.filter((f) => f.severity === "critical").length === 0;
   if (isSimpleTask && config.defaultModel === "opus") {
     flags.push({
@@ -960,6 +1028,10 @@ function scoreToRisk2(score) {
 }
 function cleanObjective(task) {
   let t = task.trim();
+  t = t.replace(
+    /(?:^|[\s,.])(do not|don't|dont|must not|should not|without changing|without touching|no changes to|keep .*? unchanged|keep .*? untouched|leave .*? untouched|avoid changing)\b[^.]*\.?/gi,
+    " "
+  );
   t = t.replace(/,?\s*check everything(\s+and\b)?/gi, "");
   t = t.replace(/,?\s*(look|search|scan)\s+everywhere(\s+and\b)?/gi, "");
   t = t.replace(/,?\s*review everything(\s+and\b)?/gi, "");
@@ -4640,21 +4712,21 @@ var MEDIUM_PATH_PATTERNS = [
 ];
 function classifyFileRisk(files) {
   if (files.length === 0) return "low";
-  let maxRisk = "low";
+  let maxRisk2 = "low";
   for (const f of files) {
     const norm = f.replace(/\\/g, "/").toLowerCase();
     if (CRITICAL_PATH_PATTERNS.some((p) => norm.includes(p))) {
       return "critical";
     }
-    if (HIGH_PATH_PATTERNS.some((p) => norm.includes(p)) && maxRisk !== "high") {
-      maxRisk = "high";
+    if (HIGH_PATH_PATTERNS.some((p) => norm.includes(p)) && maxRisk2 !== "high") {
+      maxRisk2 = "high";
       continue;
     }
-    if (MEDIUM_PATH_PATTERNS.some((p) => norm.includes(p)) && maxRisk === "low") {
-      maxRisk = "medium";
+    if (MEDIUM_PATH_PATTERNS.some((p) => norm.includes(p)) && maxRisk2 === "low") {
+      maxRisk2 = "medium";
     }
   }
-  return maxRisk;
+  return maxRisk2;
 }
 function isSensitivePath(filePath) {
   const norm = filePath.replace(/\\/g, "/").toLowerCase();
@@ -4997,6 +5069,24 @@ function getLearningContext(cwd, task, runs) {
 // src/lib/run-planner.ts
 var FAST_PATH_CATEGORIES = /* @__PURE__ */ new Set(["ui", "docs", "tests", "unknown"]);
 var ALWAYS_CONTRACT_CATEGORIES = /* @__PURE__ */ new Set(["auth", "billing", "payment", "webhook", "database", "env", "middleware"]);
+var RISK_ORDER = ["low", "medium", "high", "critical"];
+var NEGATION_PREFIX_RE3 = /\b(do not|don't|dont|never|avoid|must not|should not|without changing|without touching|no changes to|keep .* untouched|leave .* untouched|keep .* unchanged)\b/i;
+function maxRisk(a, b) {
+  return RISK_ORDER[Math.max(RISK_ORDER.indexOf(a), RISK_ORDER.indexOf(b))];
+}
+function hasNegationNear3(text, index) {
+  const start = Math.max(0, index - 64);
+  const window = text.slice(start, index + 8);
+  return NEGATION_PREFIX_RE3.test(window);
+}
+function hasPositiveKeywordMention3(taskLower, keyword) {
+  let idx = taskLower.indexOf(keyword.toLowerCase());
+  while (idx !== -1) {
+    if (!hasNegationNear3(taskLower, idx)) return true;
+    idx = taskLower.indexOf(keyword.toLowerCase(), idx + keyword.length);
+  }
+  return false;
+}
 function isFastPathEligible(risk, category, guardMode, hasExplicitPaths) {
   if (guardMode === "strict") return false;
   if (guardMode === "off") return true;
@@ -5012,8 +5102,16 @@ function generatePlan(cwd, task, runs, config, currentChangedFiles) {
   const compiler = compileTask(task);
   const guardMode = (_a2 = config.autoGuardMode) != null ? _a2 : "smart";
   const adapters = detectAdapters(cwd);
-  const riskFiles = compiler.explicitPaths.length > 0 ? compiler.explicitPaths : currentChangedFiles.length > 0 ? currentChangedFiles : [];
-  const rawRisk = classifyFileRisk(riskFiles);
+  const riskFiles = compiler.explicitPaths.length > 0 ? compiler.explicitPaths : [];
+  let rawRisk = classifyFileRisk(riskFiles);
+  if (ALWAYS_CONTRACT_CATEGORIES.has(compiler.taskCategory)) {
+    rawRisk = maxRisk(rawRisk, "high");
+  }
+  const lowerTask = task.toLowerCase();
+  const criticalSystemMentions = ["auth", "billing", "payment", "webhook", "database", "migration", "middleware"].filter((k) => hasPositiveKeywordMention3(lowerTask, k)).length;
+  if (criticalSystemMentions >= 2) {
+    rawRisk = maxRisk(rawRisk, "critical");
+  }
   const catScope = buildCategoryScope(
     compiler.taskCategory,
     true,
@@ -5137,6 +5235,22 @@ var FAST_LOCAL_KEYWORDS = [
   "responsive",
   "ui polish"
 ];
+var NEGATION_PREFIX_RE4 = /\b(do not|don't|dont|never|avoid|must not|should not|without changing|without touching|no changes to|keep .* untouched|leave .* untouched|keep .* unchanged)\b/i;
+function hasNegationNear4(text, index) {
+  const start = Math.max(0, index - 64);
+  const window = text.slice(start, index + 8);
+  return NEGATION_PREFIX_RE4.test(window);
+}
+function hasPositiveKeywordMention4(task, keyword) {
+  const lowerTask = task.toLowerCase();
+  const lowerKeyword = keyword.toLowerCase();
+  let idx = lowerTask.indexOf(lowerKeyword);
+  while (idx !== -1) {
+    if (!hasNegationNear4(lowerTask, idx)) return true;
+    idx = lowerTask.indexOf(lowerKeyword, idx + lowerKeyword.length);
+  }
+  return false;
+}
 function normalize(s) {
   return (s != null ? s : "").toLowerCase();
 }
@@ -5195,9 +5309,9 @@ function recommendProviderRouting(ctx) {
   const changedFiles = (_d = ctx.changedFiles) != null ? _d : [];
   const learnedContext = (_e = ctx.learnedContext) != null ? _e : [];
   const hasProofGapSignals = proofRequired.some((p) => /proof gap|missing|vercel log|manual verification/i.test(p));
-  const highRiskByKeyword = HIGH_RISK_KEYWORDS.some((k) => task.includes(k) || category.includes(k));
+  const highRiskByKeyword = HIGH_RISK_KEYWORDS.some((k) => hasPositiveKeywordMention4(task, k) || hasPositiveKeywordMention4(category, k));
   const fastKeyword = FAST_LOCAL_KEYWORDS.some((k) => task.includes(k));
-  const multiCritical = ["auth", "billing", "database", "webhook", "payment", "migration"].filter((k) => task.includes(k)).length >= 2;
+  const multiCritical = ["auth", "billing", "database", "webhook", "payment", "migration"].filter((k) => hasPositiveKeywordMention4(task, k)).length >= 2;
   const broadTask = !ctx.explicitScope && task.split(/\s+/).length > 16;
   const hasSensitiveFiles = sensitiveAreas.length > 0 || changedFiles.some((f) => HIGH_RISK_KEYWORDS.some((k) => normalize(f).includes(k)));
   const noLearning = learnedContext.length === 0 && ((_f = ctx.similarRunsCount) != null ? _f : 0) === 0;
@@ -5462,6 +5576,19 @@ async function getSensitivePathStates(cwd) {
     return /* @__PURE__ */ new Map();
   }
 }
+function extractBoundaryLabels(forbiddenScope) {
+  const labels = /* @__PURE__ */ new Set();
+  for (const line of forbiddenScope) {
+    const lower = line.toLowerCase();
+    if (lower.includes("billing") || lower.includes("subscription") || lower.includes("payment")) labels.add("billing");
+    if (lower.includes("auth") || lower.includes("session") || lower.includes("jwt")) labels.add("auth");
+    if (lower.includes("middleware") || lower.includes("proxy")) labels.add("middleware");
+    if (lower.includes(".env") || lower.includes("secret")) labels.add("env");
+    if (lower.includes("cli")) labels.add("cli");
+    if (lower.includes("mcp")) labels.add("mcp");
+  }
+  return [...labels];
+}
 function nowId() {
   const d = /* @__PURE__ */ new Date();
   const pad = (n) => String(n).padStart(2, "0");
@@ -5523,8 +5650,21 @@ function buildApprovalLevel(risk, task, category) {
   const text = `${task}
 ${category}`.toLowerCase();
   const highSystems = ["auth", "billing", "payment", "dodo", "stripe", "webhook", "database", "migration", "rls", "middleware", "env", "secret"];
+  const hasNegationNear5 = (source, index) => {
+    const start = Math.max(0, index - 64);
+    const window = source.slice(start, index + 8);
+    return /\b(do not|don't|dont|never|avoid|must not|should not|without changing|without touching|no changes to|keep .* untouched|leave .* untouched|keep .* unchanged)\b/i.test(window);
+  };
+  const hasPositiveKeyword = (source, keyword) => {
+    let idx = source.indexOf(keyword);
+    while (idx !== -1) {
+      if (!hasNegationNear5(source, idx)) return true;
+      idx = source.indexOf(keyword, idx + keyword.length);
+    }
+    return false;
+  };
   if (risk === "high" || risk === "critical") return "required";
-  if (highSystems.some((k) => text.includes(k))) return "required";
+  if (highSystems.some((k) => hasPositiveKeyword(text, k))) return "required";
   if (risk === "medium") return "recommended";
   return "no";
 }
@@ -5565,6 +5705,7 @@ function writePreviewArtifacts(cwd, preview) {
     "",
     "Forbidden:",
     ...preview.forbiddenScope.length > 0 ? preview.forbiddenScope.slice(0, 8).map((f) => `- ${f}`) : ["- none"],
+    ...preview.boundariesDetected.length > 0 ? ["", `Boundaries detected: ${preview.boundariesDetected.join(", ")} will be forbidden, not treated as active scope.`] : [],
     "",
     "Learned context:",
     ...preview.learnedContext.length > 0 ? preview.learnedContext.map((x) => `- ${x}`) : ["- learning not available yet"],
@@ -5604,6 +5745,9 @@ async function runAgentPreview(task) {
   console.log("");
   console.log(GO_ACCENT.bold("Forbidden"));
   for (const item of preview.forbiddenScope.slice(0, 6)) console.log(DIM("  - ") + chalk.white(item));
+  if (preview.boundariesDetected.length > 0) {
+    console.log(DIM("  Boundaries detected: ") + chalk.white(`${preview.boundariesDetected.join(", ")} will be forbidden, not treated as active scope.`));
+  }
   console.log("");
   console.log(GO_ACCENT.bold("Patch strategy"));
   for (let i = 0; i < preview.patchStrategy.length; i += 1) {
@@ -5668,6 +5812,7 @@ async function buildAgentPreview(task) {
     filesToInspect,
     allowedScope: contract.contract.relevantScope,
     forbiddenScope: contract.contract.forbiddenScope,
+    boundariesDetected: extractBoundaryLabels(contract.contract.forbiddenScope),
     sensitiveAreas: [...contract.contract.sensitiveScope, ...plan.sensitiveAreas].slice(0, 10),
     stopRules: contract.contract.stopRules,
     successCriteria: contract.contract.successCriteria,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "runtrim",
-  "version": "0.1.16",
+  "version": "0.1.17",
   "description": "The control layer for AI coding agents.",
   "license": "MIT",
   "author": "RunTrim",