salmon-loop 0.2.13 → 0.2.16

package/dist/core/skills/permissions.js

@@ -0,0 +1,117 @@
+import path from 'node:path';
+import { text } from '../../locales/index.js';
+import { syncFs as fs } from '../adapters/fs/node-fs.js';
+import { tryGetLogger } from '../observability/logger.js';
+/**
+ * Manages skill-level permission policies with exact and prefix matching.
+ *
+ * Persists policies to a JSON file for auditable provenance tracking.
+ * Aligns with the existing permission-rules pattern in the tools layer.
+ */
+export class SkillPermissionManager {
+    policies = [];
+    filePath;
+    constructor(filePath) {
+        this.filePath = filePath;
+        this.load();
+    }
+    /**
+     * Check whether a skill id is allowed by any active policy.
+     *
+     * Evaluates all policies in order: exact matches are checked first,
+     * then prefix matches. Returns true if any policy matches.
+     */
+    isAllowed(skillId) {
+        for (const policy of this.policies) {
+            if (policy.kind === 'exact' && policy.pattern === skillId) {
+                return true;
+            }
+            if (policy.kind === 'prefix' && skillId.startsWith(policy.pattern)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    /**
+     * Grant a new permission policy. Deduplicates by pattern+kind.
+     * Persists the updated allowlist to disk.
+     */
+    grant(policy) {
+        const existing = this.policies.findIndex((p) => p.pattern === policy.pattern && p.kind === policy.kind);
+        if (existing >= 0) {
+            // Update provenance on re-grant
+            this.policies[existing] = policy;
+        }
+        else {
+            this.policies.push(policy);
+        }
+        const logger = tryGetLogger();
+        logger?.audit('SKILL_PERMISSION_GRANTED', {
+            pattern: policy.pattern,
+            kind: policy.kind,
+            grantedBy: policy.grantedBy,
+            grantedAt: policy.grantedAt,
+        }, { source: 'skill-permissions', severity: 'low', scope: 'session' });
+        this.save();
+    }
+    /**
+     * Revoke all policies matching a given skill id (exact match on pattern).
+     * Persists the updated allowlist to disk.
+     */
+    revoke(skillId) {
+        const before = this.policies.length;
+        this.policies = this.policies.filter((p) => p.pattern !== skillId);
+        if (this.policies.length < before) {
+            const logger = tryGetLogger();
+            logger?.audit('SKILL_PERMISSION_REVOKED', { skillId, removedCount: before - this.policies.length }, { source: 'skill-permissions', severity: 'low', scope: 'session' });
+            this.save();
+        }
+    }
+    /** Return a readonly snapshot of current policies. */
+    getPolicies() {
+        return [...this.policies];
+    }
+    /** Load policies from the persisted JSON file. */
+    load() {
+        try {
+            if (!fs.existsSync(this.filePath)) {
+                this.policies = [];
+                return;
+            }
+            const raw = fs.readFileSync(this.filePath, 'utf-8');
+            const data = JSON.parse(raw);
+            if (data.version === 1 && Array.isArray(data.policies)) {
+                this.policies = data.policies;
+            }
+            else {
+                const logger = tryGetLogger();
+                logger?.warn(text.skills.permissionFileInvalidFormat(this.filePath));
+                this.policies = [];
+            }
+        }
+        catch {
+            const logger = tryGetLogger();
+            logger?.warn(text.skills.permissionFileLoadError(this.filePath));
+            this.policies = [];
+        }
+    }
+    /** Persist current policies to the JSON file. */
+    save() {
+        try {
+            const dir = path.dirname(this.filePath);
+            if (!fs.existsSync(dir)) {
+                fs.mkdirSync(dir, { recursive: true });
+            }
+            const data = {
+                version: 1,
+                policies: this.policies,
+            };
+            fs.writeFileSync(this.filePath, JSON.stringify(data, null, 2), 'utf-8');
+        }
+        catch (err) {
+            const logger = tryGetLogger();
+            logger?.error(text.skills.permissionFileSaveError(this.filePath, err instanceof Error ? err.message : String(err)));
+        }
+    }
+}
+//# sourceMappingURL=permissions.js.map

package/dist/core/skills/runtime/MicroTaskRunner.js

@@ -5,15 +5,21 @@ import { getPlatformShellInvocation } from '../../utils/platform-shell.js';
 import { SkillParser } from '../parser.js';
 import { SkillStrategyDSL } from '../strategy.js';
 /**
- * MicroTaskRunner manages the execution loop of a single skill.
- * COMPLIANCE: DSL-Spec-V3
- * - Computation Layer: Handles variable substitution, command extraction, and prompt assembly.
- * - Action Layer: Executes Shell commands and final Tool injection.
+ * @deprecated Legacy MicroTaskRunner — restricted to test context only.
+ *
+ * This runner calls execa directly, bypassing ToolRouter governance.
+ * Production code MUST use executeSkill() from SkillRunner.ts instead.
+ *
+ * A runtime guard throws if instantiated outside a test environment
+ * (process.env.NODE_ENV !== 'test').
  */
 export class MicroTaskRunner {
     skill;
     constructor(skill) {
         this.skill = skill;
+        if (process.env.NODE_ENV !== 'test') {
+            throw new Error(text.skills.legacyRunnerForbidden);
+        }
     }
     async execute(inputs, ctx) {
         const skill = this.skill;

package/dist/core/skills/runtime/SkillRunner.js

@@ -1,8 +1,103 @@
 import * as crypto from 'crypto';
 import { MicroTaskRunner } from '../../grizzco/dsl/MicroTaskRunner.js';
+import { tryGetLogger } from '../../observability/logger.js';
 import { Phase } from '../../types/index.js';
+import { emitSkillAuditEvent, generateSkillTraceId, hashSkillArgs } from '../audit.js';
 import { SkillParser } from '../parser.js';
 import { SkillStrategyDSL } from '../strategy.js';
+/**
+ * Resolve the effective allowed-tools set for a skill.
+ *
+ * Uses only the AgentSkills spec field (`allowed-tools`, space-delimited string)
+ * and returns a single `Set<string>`. Returns `null` when the field is not
+ * declared, meaning the skill places no tool restrictions.
+ *
+ * Distinguishes three states:
+ * - Field not declared → `null` (no restriction)
+ * - Field declared but empty (`""`) → empty `Set` (deny all tools)
+ * - Field declared with values → `Set` containing those tool names
+ *
+ * @see https://agentskills.io/specification — allowed-tools field
+ */
+function resolveAllowedTools(skill) {
+    const specField = skill.metadata?.['allowed-tools'];
+    if (specField === undefined)
+        return null;
+    if (!specField.trim())
+        return new Set();
+    return new Set(specField.split(/\s+/).filter(Boolean));
+}
+/**
+ * Match a tool name against an allowed-tools pattern.
+ *
+ * Supports two modes:
+ * - Exact match: pattern contains no `*` → strict string equality
+ * - Glob match: pattern contains `*` → each `*` matches zero or more characters
+ *
+ * Case-sensitive. Only `*` is treated as special; no `?` or `[...]` ranges.
+ *
+ * Uses an iterative segment-matching algorithm (no regex) to avoid ReDoS risk.
+ *
+ * @param pattern - An allowed-tools entry (e.g. "shell.*", "code.search")
+ * @param toolName - The tool name to check (e.g. "shell.exec")
+ * @returns true if toolName matches the pattern
+ */
+export function matchAllowedTool(pattern, toolName) {
+    // Split pattern on '*' into literal segments
+    const segments = pattern.split('*');
+    // No wildcard → exact match
+    if (segments.length === 1) {
+        return pattern === toolName;
+    }
+    const first = segments[0];
+    const last = segments[segments.length - 1];
+    // toolName must start with the first segment
+    if (!toolName.startsWith(first)) {
+        return false;
+    }
+    // toolName must end with the last segment
+    if (!toolName.endsWith(last)) {
+        return false;
+    }
+    // Guard: the tool name must be long enough to contain all literal segments
+    // without overlap between the first/last anchors
+    let pos = first.length;
+    const endBound = toolName.length - last.length;
+    // Match each middle segment in order (greedy left-to-right scan)
+    for (let i = 1; i < segments.length - 1; i++) {
+        const seg = segments[i];
+        if (seg === '') {
+            // Consecutive '*' — matches any amount of characters, skip
+            continue;
+        }
+        const idx = toolName.indexOf(seg, pos);
+        if (idx === -1 || idx + seg.length > endBound) {
+            return false;
+        }
+        pos = idx + seg.length;
+    }
+    return pos <= endBound;
+}
+/**
+ * Check whether a tool name is permitted by the allowed-tools set.
+ *
+ * @param toolName - The tool name to check
+ * @param allowedTools - The resolved allowed-tools set, or null for no restriction
+ * @returns true if the tool is permitted
+ */
+export function isToolPermitted(toolName, allowedTools) {
+    // null means no restriction — all tools permitted
+    if (allowedTools === null) {
+        return true;
+    }
+    // Iterate entries; return true if any pattern matches
+    for (const pattern of allowedTools) {
+        if (matchAllowedTool(pattern, toolName)) {
+            return true;
+        }
+    }
+    return false;
+}
 function buildStableId(parts) {
     return crypto.createHash('sha256').update(parts.join('\n')).digest('hex').slice(0, 16);
 }
@@ -29,8 +124,24 @@ function formatShellTranscript(shellOutputs) {
  */
 export async function executeSkill(options) {
     const { skill, argsText, toolRouter, toolCtx, signal } = options;
+    const route = options.route ?? 'slash-governed';
     const inputs = { args: argsText ?? '' };
     const rawCommands = SkillParser.extractCommands(skill.instructions || '');
+    const traceId = generateSkillTraceId(skill.id);
+    const argsHash = hashSkillArgs(argsText);
+    const startedAt = Date.now();
+    const allowedTools = resolveAllowedTools(skill);
+    // Emit SKILL_EXECUTION_START before execution
+    emitSkillAuditEvent({
+        type: 'SKILL_EXECUTION_START',
+        skillId: skill.id,
+        route,
+        runnerClass: 'MicroTaskRunner',
+        commandCount: rawCommands.length,
+        authorizationMode: 'blocking',
+        argsHash,
+        traceId,
+    });
     const requiredShKeys = rawCommands.map((cmd) => `sh:${SkillParser.substituteVariables(cmd, inputs)}`);
     const data = {
         skill,
@@ -43,66 +154,134 @@ export async function executeSkill(options) {
         skillId: skill.id,
         path: skill.path,
     };
-    const runner = new MicroTaskRunner({
-        debugLabel: `SkillRunner:${skill.id}`,
-        maxRounds: 10,
-        strategy: (engine) => {
-            // Computation phase: assemble a prompt without any "!..." lines.
-            const promptLines = (skill.instructions || '')
-                .split('\n')
-                .filter((line) => !line.trim().startsWith('!'));
-            const basePrompt = SkillParser.substituteVariables(promptLines.join('\n').trim(), inputs);
-            const transcript = formatShellTranscript(data.shell_outputs);
-            data.prompt = `${basePrompt}${transcript}`.trim();
-            SkillStrategyDSL(engine);
-            return engine;
-        },
-        resolveData: async (_ctx, key) => {
-            if (!key.startsWith('sh:')) {
-                return undefined;
-            }
-            const command = key.slice(3);
-            const callId = `slash-sh-${buildStableId([skill.id, command])}`;
-            const envelope = {
-                id: callId,
-                phase: Phase.SLASH,
-                toolName: 'shell.exec',
-                args: { command },
-                ctx: {
-                    ...toolCtx,
-                    // Ensure ToolPolicy sees worktree isolation for process execution.
-                    worktreeRoot: toolCtx.worktreeRoot ?? toolCtx.repoRoot,
-                },
-            };
-            let result = await toolRouter.call(envelope);
-            if (result.status === 'denied' && result.error?.code === 'AUTH_REQUIRED') {
-                await toolRouter.waitForAuthorization(callId, signal);
-                result = await toolRouter.call(envelope);
-            }
-            if (result.status !== 'ok') {
-                const msg = result.error?.message || 'shell.exec failed';
-                throw new Error(msg);
-            }
-            const output = result.output;
-            const combined = [output.stdout, output.stderr].filter(Boolean).join('\n').trim();
-            data.shell_outputs[command] = combined;
-            data[key] = combined;
-            return combined;
-        },
-    });
-    const decided = await runner.decide(ctx);
-    const plan = decided.plan;
-    const inject = plan.actions.find((a) => a.type === 'INJECT_PROMPT');
-    return {
-        traceId: `skill-${skill.id}-${Date.now()}`,
-        skillId: skill.id,
-        inputs,
-        dynamicCommands: Object.entries(data.shell_outputs).map(([cmd, output]) => ({
-            cmd,
-            output: String(output),
-        })),
-        injectedPrompt: String(inject?.params?.prompt ?? ''),
-        status: plan.shouldAbort ? 'FAILURE' : 'SUCCESS',
-    };
+    try {
+        const runner = new MicroTaskRunner({
+            debugLabel: `SkillRunner:${skill.id}`,
+            maxRounds: 10,
+            strategy: (engine) => {
+                // Computation phase: assemble a prompt without any "!..." lines.
+                const promptLines = (skill.instructions || '')
+                    .split('\n')
+                    .filter((line) => !line.trim().startsWith('!'));
+                const basePrompt = SkillParser.substituteVariables(promptLines.join('\n').trim(), inputs);
+                const transcript = formatShellTranscript(data.shell_outputs);
+                data.prompt = `${basePrompt}${transcript}`.trim();
+                SkillStrategyDSL(engine);
+                return engine;
+            },
+            resolveData: async (_ctx, key) => {
+                if (!key.startsWith('sh:')) {
+                    return undefined;
+                }
+                const command = key.slice(3);
+                const toolName = 'shell.exec';
+                // Enforce allowed-tools constraint from skill frontmatter.
+                // When declared, only pre-approved tools may be invoked.
+                // Uses isToolPermitted for glob pattern matching support.
+                if (!isToolPermitted(toolName, allowedTools)) {
+                    const logger = tryGetLogger();
+                    logger?.warn(`Skill "${skill.id}" attempted to use tool "${toolName}" which is not in allowed-tools: [${[...(allowedTools ?? [])].join(', ')}]`);
+                    emitSkillAuditEvent({
+                        type: 'SKILL_EXECUTION_DENIED',
+                        skillId: skill.id,
+                        route,
+                        runnerClass: 'MicroTaskRunner',
+                        commandCount: rawCommands.length,
+                        authorizationMode: 'blocking',
+                        argsHash,
+                        traceId,
+                        denyReason: 'ALLOWED_TOOLS_VIOLATION',
+                        denySource: `skill-frontmatter:allowed-tools`,
+                        durationMs: Date.now() - startedAt,
+                    });
+                    throw new Error(`Tool "${toolName}" is not permitted by skill "${skill.id}" allowed-tools policy`);
+                }
+                const callId = `slash-sh-${buildStableId([skill.id, command])}`;
+                const envelope = {
+                    id: callId,
+                    phase: Phase.SLASH,
+                    toolName: 'shell.exec',
+                    args: { command },
+                    ctx: {
+                        ...toolCtx,
+                        // Ensure ToolPolicy sees worktree isolation for process execution.
+                        worktreeRoot: toolCtx.worktreeRoot ?? toolCtx.repoRoot,
+                    },
+                };
+                let result = await toolRouter.call(envelope);
+                if (result.status === 'denied' && result.error?.code === 'AUTH_REQUIRED') {
+                    await toolRouter.waitForAuthorization(callId, signal);
+                    result = await toolRouter.call(envelope);
+                }
+                if (result.status !== 'ok') {
+                    const msg = result.error?.message || 'shell.exec failed';
+                    // Emit SKILL_EXECUTION_DENIED for command-level denial
+                    if (result.status === 'denied') {
+                        emitSkillAuditEvent({
+                            type: 'SKILL_EXECUTION_DENIED',
+                            skillId: skill.id,
+                            route,
+                            runnerClass: 'MicroTaskRunner',
+                            commandCount: rawCommands.length,
+                            authorizationMode: 'blocking',
+                            argsHash,
+                            traceId,
+                            denyReason: result.error?.code || 'unknown',
+                            denySource: result.meta?.authorization?.source || 'policy',
+                            durationMs: Date.now() - startedAt,
+                        });
+                    }
+                    throw new Error(msg);
+                }
+                const output = result.output;
+                const combined = [output.stdout, output.stderr].filter(Boolean).join('\n').trim();
+                data.shell_outputs[command] = combined;
+                data[key] = combined;
+                return combined;
+            },
+        });
+        const decided = await runner.decide(ctx);
+        const plan = decided.plan;
+        const inject = plan.actions.find((a) => a.type === 'INJECT_PROMPT');
+        const status = plan.shouldAbort ? 'FAILURE' : 'SUCCESS';
+        // Emit SKILL_EXECUTION_END after successful execution
+        emitSkillAuditEvent({
+            type: 'SKILL_EXECUTION_END',
+            skillId: skill.id,
+            route,
+            runnerClass: 'MicroTaskRunner',
+            commandCount: rawCommands.length,
+            authorizationMode: 'blocking',
+            argsHash,
+            traceId,
+            durationMs: Date.now() - startedAt,
+        });
+        return {
+            traceId,
+            skillId: skill.id,
+            inputs,
+            dynamicCommands: Object.entries(data.shell_outputs).map(([cmd, output]) => ({
+                cmd,
+                output: String(output),
+            })),
+            injectedPrompt: String(inject?.params?.prompt ?? ''),
+            status,
+        };
+    }
+    catch (error) {
+        // Emit SKILL_EXECUTION_END on failure (non-denial errors)
+        emitSkillAuditEvent({
+            type: 'SKILL_EXECUTION_END',
+            skillId: skill.id,
+            route,
+            runnerClass: 'MicroTaskRunner',
+            commandCount: rawCommands.length,
+            authorizationMode: 'blocking',
+            argsHash,
+            traceId,
+            durationMs: Date.now() - startedAt,
+        });
+        throw error;
+    }
 }
 //# sourceMappingURL=SkillRunner.js.map

package/dist/core/strata/layers/shadow-driver/shadow-driver.js

@@ -5,16 +5,41 @@
  */
 import { join } from 'path';
 import { existsSync } from '../../../adapters/fs/node-fs.js';
-import { rm, mkdir, symlink } from '../../../adapters/fs/node-fs.js';
+import { lstat, mkdir, realpath, rm, symlink } from '../../../adapters/fs/node-fs.js';
 import { getLogger } from '../../../observability/logger.js';
 import { spawnCommand } from '../../../runtime/process-runner.js';
-import { normalizePath } from '../../../utils/path.js';
+import { arePathsEquivalent, normalizePath } from '../../../utils/path.js';
 import { getPlatformShellInvocation } from '../../../utils/platform-shell.js';
 import { copyDir, linkDirLinux } from './copy-backend.js';
 import { getEnvInjection } from './env.js';
 import { isEnvironmentError } from './error-classifier.js';
 import { enforceReadOnly, restoreWrite, acquireLock, releaseLock } from './readonly-lock.js';
 import { determineStrategy, planDependencyPaths, detectDependencyPaths } from './strategy.js';
+const DEPENDENCY_LINK_CONFLICT_CODES = new Set([
+    'EEXIST',
+    'EISDIR',
+    'ENOTEMPTY',
+    'ENOTDIR',
+    'EPERM',
+]);
+function getErrorCode(error) {
+    return error && typeof error === 'object' && 'code' in error
+        ? error.code
+        : undefined;
+}
+async function pointsToExpectedDependency(sourcePath, targetPath) {
+    try {
+        await lstat(targetPath);
+        const [resolvedSourcePath, resolvedTargetPath] = await Promise.all([
+            realpath(sourcePath),
+            realpath(targetPath),
+        ]);
+        return arePathsEquivalent(resolvedSourcePath, resolvedTargetPath);
+    }
+    catch {
+        return false;
+    }
+}
 /**
  * ShadowDriver Class
  */
@@ -49,13 +74,18 @@ export class ShadowDriver {
                 getLogger().debug(`Linked dependency: ${depPath}`);
             }
             catch (err) {
-                if ((err && typeof err === 'object' && 'code' in err
-                    ? err.code
-                    : undefined) !== 'EEXIST') {
-                    getLogger().warn(`Failed to link ${depPath}: ${err instanceof Error ? err.message : String(err)}`);
+                const errorCode = getErrorCode(err);
+                if (errorCode && DEPENDENCY_LINK_CONFLICT_CODES.has(errorCode)) {
+                    const alreadyProjected = await pointsToExpectedDependency(sourcePath, targetDepPath);
+                    if (alreadyProjected) {
+                        getLogger().debug(`Dependency projection already matches source: ${depPath}`);
+                        continue;
+                    }
+                    throw new Error(`Dependency projection path conflict for ${depPath}: ${err instanceof Error ? err.message : String(err)}`);
                 }
                 else {
-                    getLogger().debug(`Dependency link already exists: ${depPath}`);
+                    getLogger().warn(`Failed to link ${depPath}: ${err instanceof Error ? err.message : String(err)}`);
+                    throw err instanceof Error ? err : new Error(String(err));
                 }
             }
         }

package/dist/core/strata/layers/worktree.js

@@ -2,10 +2,11 @@ import { randomBytes } from 'crypto';
 import { tmpdir } from 'os';
 import path from 'path';
 import { text } from '../../../locales/index.js';
-import { access, realpath, rm } from '../../adapters/fs/node-fs.js';
+import { access, readdir, realpath, rm } from '../../adapters/fs/node-fs.js';
 import { GitAdapter } from '../../adapters/git/git-adapter.js';
 import { getLogger } from '../../observability/logger.js';
 import { isPathWithinDirectory, normalizePath } from '../../utils/path.js';
+import { detectDependencyPaths } from './shadow-driver/strategy.js';
 function resolveEnvironmentMode(options) {
     return options.environmentMode === 'parity' ? 'parity' : 'strict';
 }
@@ -28,12 +29,11 @@ function resolveParityWorktreeRoot(repoPath) {
     return normalizePath(impl.join(impl.dirname(impl.resolve(normalizedRepoPath)), '.salmonloop', 'worktrees'));
 }
 function isManagedWorktreePath(baseRepoPath, workPath) {
-    if (isPathWithinDirectory(tmpdir(), workPath, { allowEqual: false }))
-        return true;
-    const parityRoot = resolveParityWorktreeRoot(baseRepoPath);
-    if (isPathWithinDirectory(parityRoot, workPath, { allowEqual: false }))
-        return true;
-    return false;
+    const comparableWorkPath = normalizePathForCompare(workPath);
+    const managedRoots = [tmpdir(), resolveParityWorktreeRoot(baseRepoPath)];
+    return managedRoots.some((root) => isPathWithinDirectory(normalizePathForCompare(root), comparableWorkPath, {
+        allowEqual: false,
+    }));
 }
 function normalizePathForCompare(value) {
     const normalized = path.normalize(value).replace(/\\/g, '/');
@@ -67,6 +67,59 @@ async function resolveWorktreeMatchPath(worktreePaths, targetPath) {
     }
     return null;
 }
+async function removeProjectedWorktreeEntries(workPath) {
+    let worktreeRealPath;
+    try {
+        worktreeRealPath = await realpath(workPath);
+    }
+    catch (error) {
+        throw new Error(`Failed to resolve worktree path before git cleanup (${workPath}): ${error instanceof Error ? error.message : String(error)}`);
+    }
+    let entries = [];
+    try {
+        entries = (await readdir(workPath, { withFileTypes: true }));
+    }
+    catch (error) {
+        throw new Error(`Failed to enumerate worktree entries before git cleanup (${workPath}): ${error instanceof Error ? error.message : String(error)}`);
+    }
+    for (const entry of entries) {
+        const name = entry?.name;
+        if (!name || name === '.git')
+            continue;
+        const entryPath = path.join(workPath, name);
+        const entryRealPath = await tryRealpath(entryPath);
+        if (!entryRealPath)
+            continue;
+        if (isPathWithinDirectory(worktreeRealPath, entryRealPath, { allowEqual: false })) {
+            continue;
+        }
+        await rm(entryPath, {
+            recursive: true,
+            force: true,
+            maxRetries: 3,
+            retryDelay: 100,
+        });
+        getLogger().debug(`Removed projected worktree entry before git cleanup: ${entryPath}`);
+    }
+}
+async function pruneWorktreeDependencyRoots(baseRepoPath, worktreePath) {
+    const dependencyPaths = await detectDependencyPaths(baseRepoPath);
+    for (const dependencyPath of dependencyPaths) {
+        const dependencyRoot = path.join(worktreePath, dependencyPath);
+        try {
+            await rm(dependencyRoot, {
+                recursive: true,
+                force: true,
+                maxRetries: 3,
+                retryDelay: 100,
+            });
+            getLogger().debug(`Pruned disposable dependency root before worktree cleanup: ${dependencyRoot}`);
+        }
+        catch (error) {
+            getLogger().debug(`Failed to prune dependency root before worktree cleanup (${dependencyRoot}): ${error instanceof Error ? error.message : String(error)}`);
+        }
+    }
+}
 /**
  * WorkspaceManager - Manages execution workspace for different checkpoint strategies
  *
@@ -163,9 +216,14 @@ export class WorkspaceManager {
             });
             return;
         }
+        // CRITICAL SAFETY: refuse any destructive cleanup outside managed worktree roots.
+        if (!isManagedWorktreePath(workspace.baseRepoPath, workspace.workPath)) {
+            throw new Error(text.errors.worktreePathNotInManagedRoots);
+        }
         const git = new GitAdapter(workspace.baseRepoPath);
         let removed = false;
         try {
+            await pruneWorktreeDependencyRoots(workspace.baseRepoPath, workspace.workPath);
             const list = await git.query(['worktree', 'list', '--porcelain']);
             const worktreePaths = list
                 .split('\n')
@@ -175,6 +233,8 @@ export class WorkspaceManager {
                 .filter(Boolean);
             const matchPath = await resolveWorktreeMatchPath(worktreePaths, workspace.workPath);
             if (matchPath) {
+                // CRITICAL SAFETY: if projection inspection fails, do not risk git traversing external roots.
+                await removeProjectedWorktreeEntries(workspace.workPath);
                 await git.query(['worktree', 'remove', '--force', matchPath]);
                 removed = true;
                 const directoryStillExists = await (async () => {
@@ -224,9 +284,6 @@ export class WorkspaceManager {
             getLogger().debug(`git worktree remove failed, falling back to filesystem removal: ${msg}`);
         }
         if (!removed) {
-            if (!isManagedWorktreePath(workspace.baseRepoPath, workspace.workPath)) {
-                throw new Error(text.errors.worktreePathNotInManagedRoots);
-            }
             await rm(workspace.workPath, {
                 recursive: true,
                 force: true,