sneakoscope 0.6.64 → 0.6.66

package/README.md

@@ -40,7 +40,7 @@ sks selftest --mock
 
 | Area | What it does |
 | --- | --- |
-| CLI runtime | `sks`, `sks cmux`, and `sks --mad --high` open Codex CLI in a cmux workspace. |
+| CLI runtime | `sks`, `sks cmux`, and `sks --mad` open Codex CLI in a cmux workspace. |
 | Codex App commands | Installs generated skills so `$Team`, `$DFix`, `$QA-LOOP`, `$Ralph`, `$DB`, `$Wiki`, `$Help`, and related routes are visible in prompt workflows. |
 | Team orchestration | Runs substantial work through ambiguity handling, scouts, TriWiki refresh, debate, runtime task graphs, worker inboxes, implementation, review, cleanup, reflection, and Honest Mode. |
 | QA loop | Dogfoods UI/API behavior with safety gates, Browser/Computer evidence, safe fixes, and rechecks. |
@@ -59,7 +59,7 @@ sks selftest --mock
 - cmux for the CLI-first runtime
 - Context7 MCP for current-docs-gated routes
 
-On macOS, `sks --mad --high` can install cmux through Homebrew when cmux is missing. You can also install it manually:
+On macOS, `sks --mad` can install cmux through Homebrew when cmux is missing. You can also install it manually:
 
 ```sh
 brew tap manaflow-ai/cmux
@@ -70,8 +70,17 @@ If the CLI is not on `PATH`, SKS also checks the app bundle path:
 
 ```sh
 /Applications/cmux.app/Contents/Resources/bin/cmux
+/Applications/cmux.app/Contents/MacOS/cmux
 ```
 
+`sks --mad` is stricter than the normal runtime path:
+
+- Checks npm for a newer `sneakoscope` before launch and asks whether to update when the terminal can answer y/n.
+- Installs the latest Codex CLI with `npm i -g @openai/codex@latest` when it is missing and you approve or pass `--yes`.
+- Installs or upgrades the latest cmux cask through Homebrew when cmux is missing or not launchable.
+- Re-probes the real cmux binary after install instead of trusting Homebrew's success text alone.
+- Wakes cmux and retries the socket probe; if the socket is broken, SKS attempts a cmux app restart during that explicit launch.
+
 ## Installation
 
 ### Global Install
@@ -154,13 +163,22 @@ sks cmux status --once
 
 `sks` opens a cmux workspace for Codex CLI when running in an interactive terminal. `sks cmux check` is diagnostic and prints readiness without starting a workspace.
 
-### MAD High cmux Workspace
+### MAD cmux Workspace
 
 ```sh
-sks --mad --high
+sks --mad
+sks --mad --yes
+```
+
+This creates/uses the `sks-mad-high` Codex profile for a one-shot full-access, high-reasoning cmux workspace with `approval_policy = "on-request"` and `approvals_reviewer = "auto_review"`. It is scoped to that explicit command and does not change normal SKS/DB safety defaults.
+
+Before launching, SKS checks whether a newer `sneakoscope` exists on npm. In an interactive terminal it prompts:
+
+```text
+SKS 0.x.y -> 0.x.z update before MAD launch? [Y/n]
 ```
 
-This creates/uses the `sks-mad-high` Codex profile for a one-shot full-access, high-reasoning cmux workspace. It is scoped to that explicit command and does not change normal SKS/DB safety defaults.
+Answer `y` to install `sneakoscope@latest`, then rerun `sks --mad`. Answer `n` to continue with the current version. Use `--yes` to approve missing dependency installs automatically.
 
 ### Team Missions
 
@@ -191,7 +209,7 @@ sks gx render homepage --format html
 
 Sneakoscope has two surfaces:
 
-- Terminal commands such as `sks deps check`, `sks team "task"`, and `sks --mad --high`
+- Terminal commands such as `sks deps check`, `sks team "task"`, and `sks --mad`
 - Codex App prompt commands such as `$Team`, `$DFix`, `$QA-LOOP`, and `$Wiki`
 
 After installing, run:
@@ -269,7 +287,7 @@ sks
 For the high-reasoning full-access profile:
 
 ```sh
-sks --mad --high
+sks --mad
 ```
 
 ### Use Codex App `$Team`
@@ -331,7 +349,7 @@ sks deps install cmux
 sks cmux check
 ```
 
-`sks --mad --high` also attempts Homebrew installation automatically on macOS when cmux is missing.
+`sks --mad` also attempts Homebrew installation or upgrade automatically on macOS when cmux is missing. If Homebrew reports the cask installed but the CLI still is not reachable, SKS checks the cmux app bundle paths directly, wakes the app, and retries the socket before reporting a remaining cmux app/socket issue.
 
 ### Codex App tools are missing
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "sneakoscope",
   "displayName": "ㅅㅋㅅ",
-  "version": "0.6.64",
+  "version": "0.6.66",
   "description": "Sneakoscope Codex: database-safe Codex CLI/App harness with Team, Ralph, AutoResearch, TriWiki, and Honest Mode.",
   "type": "module",
   "homepage": "https://github.com/mandarange/Sneakoscope-Codex#readme",

package/src/cli/main.mjs

@@ -30,7 +30,7 @@ import { context7Evidence, evaluateStop, recordContext7Evidence, recordSubagentE
 import { TEAM_DECOMPOSITION_ARTIFACT, TEAM_GRAPH_ARTIFACT, TEAM_INBOX_DIR, TEAM_RUNTIME_TASKS_ARTIFACT, teamRuntimePlanMetadata, teamRuntimeRequiredArtifacts, validateTeamRuntimeArtifacts, writeTeamRuntimeArtifacts } from '../core/team-dag.mjs';
 import { appendTeamEvent, formatRoleCounts, initTeamLive, normalizeTeamSpec, parseTeamSpecArgs, parseTeamSpecText, readTeamDashboard, readTeamLive, readTeamTranscriptTail } from '../core/team-live.mjs';
 import { CODEX_APP_DOCS_URL, codexAppIntegrationStatus, formatCodexAppStatus } from '../core/codex-app.mjs';
-import { buildCmuxLaunchPlan, defaultCmuxWorkspaceName, ensureCmuxInstalled, formatCmuxBanner, launchCmuxTeamView, launchCmuxUi, platformCmuxInstallHint, runCmuxStatus, sanitizeCmuxWorkspaceName, cmuxAvailable } from '../core/cmux-ui.mjs';
+import { CMUX_BREW_COMMAND, CMUX_BREW_UPGRADE_COMMAND, buildCmuxLaunchPlan, defaultCmuxWorkspaceName, ensureCmuxInstalled, formatCmuxBanner, launchCmuxTeamView, launchCmuxUi, platformCmuxInstallHint, runCmuxStatus, sanitizeCmuxWorkspaceName, cmuxAvailable } from '../core/cmux-ui.mjs';
 import { autoReviewProfileName, autoReviewStatus, autoReviewSummary, enableAutoReview, disableAutoReview, enableMadHighProfile, madHighProfileName } from '../core/auto-review.mjs';
 
 const flag = (args, name) => args.includes(name);
@@ -116,7 +116,7 @@ Usage:
   sks bootstrap [--install-scope global|project] [--local-only] [--json]
   sks deps check|install [cmux|codex|context7|all] [--yes] [--json]
   sks codex-app
-  sks --mad --high
+  sks --mad [--high]
   sks auto-review status|enable|start [--high]
   sks --Auto-review [--high]
   sks cmux [--workspace name]
@@ -389,13 +389,13 @@ async function ensureCodexCliTool({ skip = false } = {}) {
   const before = await getCodexInfo().catch(() => ({}));
   if (before.bin) return { status: 'present', bin: before.bin, version: before.version || null };
   const npmBin = await which('npm');
-  if (!npmBin) return { status: 'failed', error: 'npm not found on PATH; install Codex CLI manually with npm i -g @openai/codex.' };
-  const install = await runProcess(npmBin, ['i', '-g', '@openai/codex'], {
+  if (!npmBin) return { status: 'failed', error: 'npm not found on PATH; install Codex CLI manually with npm i -g @openai/codex@latest.' };
+  const install = await runProcess(npmBin, ['i', '-g', '@openai/codex@latest'], {
     timeoutMs: 120000,
     maxOutputBytes: 128 * 1024
   }).catch((err) => ({ code: 1, stdout: '', stderr: err.message }));
   if (install.code !== 0) {
-    return { status: 'failed', error: `${install.stderr || install.stdout || 'npm i -g @openai/codex failed'}`.trim() };
+    return { status: 'failed', error: `${install.stderr || install.stdout || 'npm i -g @openai/codex@latest failed'}`.trim() };
   }
   const after = await getCodexInfo().catch(() => ({}));
   return {
@@ -1045,10 +1045,30 @@ async function cmuxCommand(sub = 'start', args = []) {
 
 async function madHighCommand(args = []) {
   const cleanArgs = args.filter((arg) => !['--mad', '--MAD', '--mad-sks', '--high', '--no-auto-install-cmux'].includes(arg));
+  if (flag(args, '--json')) {
+    const profile = await enableMadHighProfile();
+    return console.log(JSON.stringify(profile, null, 2));
+  }
+  const update = await maybePromptSksUpdateForMad(args);
+  if (update.status === 'updated') {
+    console.log(`SKS updated from ${PACKAGE_VERSION} to ${update.latest}. Rerun: sks --mad`);
+    return;
+  }
+  if (update.status === 'failed') {
+    console.error(`SKS update failed: ${update.error}`);
+    process.exitCode = 1;
+    return;
+  }
+  const deps = await ensureMadLaunchDependencies(args);
+  if (!deps.ready) {
+    console.error('SKS MAD launch blocked by missing dependencies.');
+    for (const action of deps.actions) printDepsInstallAction(action);
+    process.exitCode = 1;
+    return;
+  }
   const profile = await enableMadHighProfile();
-  if (flag(args, '--json')) return console.log(JSON.stringify(profile, null, 2));
-  console.log(`SKS MAD high profile ready: ${madHighProfileName()}`);
-  console.log('Scope: explicit cmux launch only; normal SKS/DB safety returns after this command.');
+  console.log(`SKS MAD auto-review profile ready: ${madHighProfileName()}`);
+  console.log('Scope: explicit cmux launch only; full access uses Codex auto_review approvals when approval prompts are raised.');
   const workspace = readOption(cleanArgs, '--workspace', readOption(cleanArgs, '--session', `sks-mad-${defaultCmuxWorkspaceName(process.cwd())}`));
   return launchCmuxUi([...cleanArgs, '--workspace', workspace], {
     codexArgs: ['--profile', profile.profile_name],
@@ -1057,6 +1077,44 @@ async function madHighCommand(args = []) {
   });
 }
 
+async function maybePromptSksUpdateForMad(args = []) {
+  if (flag(args, '--json') || flag(args, '--skip-update-check') || process.env.SKS_SKIP_UPDATE_CHECK === '1') return { status: 'skipped' };
+  const latest = await npmPackageVersion('sneakoscope');
+  if (!latest.version || compareVersions(latest.version, PACKAGE_VERSION) <= 0) return { status: 'current', latest: latest.version || null, error: latest.error || null };
+  const command = 'npm i -g sneakoscope@latest';
+  if (flag(args, '--yes') || flag(args, '-y')) return installSksLatest(command, latest.version);
+  if (!canAskYesNo()) {
+    console.log(`SKS update available: ${PACKAGE_VERSION} -> ${latest.version}. Run: ${command}`);
+    return { status: 'available', latest: latest.version, command };
+  }
+  const answer = (await askPostinstallQuestion(`SKS ${PACKAGE_VERSION} -> ${latest.version} update before MAD launch? [Y/n] `)).trim();
+  const yes = answer === '' || /^(y|yes|예|네|응)$/i.test(answer);
+  if (!yes) return { status: 'skipped_by_user', latest: latest.version, command };
+  return installSksLatest(command, latest.version);
+}
+
+async function installSksLatest(command, latestVersion) {
+  const npm = await which('npm').catch(() => null);
+  if (!npm) return { status: 'failed', latest: latestVersion, command, error: 'npm not found on PATH' };
+  const install = await runProcess(npm, ['i', '-g', 'sneakoscope@latest'], { timeoutMs: 180000, maxOutputBytes: 128 * 1024 }).catch((err) => ({ code: 1, stdout: '', stderr: err.message }));
+  if (install.code !== 0) return { status: 'failed', latest: latestVersion, command, error: `${install.stderr || install.stdout || command + ' failed'}`.trim() };
+  return { status: 'updated', latest: latestVersion, command };
+}
+
+async function ensureMadLaunchDependencies(args = []) {
+  const actions = [];
+  if (!flag(args, '--skip-cli-tools')) {
+    const codex = await getCodexInfo().catch(() => ({}));
+    if (!codex.bin) actions.push(await installCodexDependency(args, { prompt: 'Codex CLI missing. Install latest Codex CLI with npm i -g @openai/codex@latest?' }));
+  }
+  if (!flag(args, '--no-auto-install-cmux')) {
+    const cmux = await cmuxAvailable().catch(() => ({ ok: false }));
+    if (!cmux.ok && !cmux.bin) actions.push(await installCmuxDependency(args));
+  }
+  const status = await depsStatus(await projectRoot());
+  return { ready: Boolean(status.codex_cli.ok && (status.cmux.ok || status.cmux.bin)), actions, status };
+}
+
 async function deps(sub = 'check', args = []) {
   const action = sub || 'check';
   if (action === 'check' || action === 'status') {
@@ -1098,7 +1156,7 @@ async function depsStatus(root = null, opts = {}) {
     context7,
     browser_use: { ok: app.mcp.has_browser_use, cache: app.plugins.browser_use_cache },
     computer_use: { ok: app.mcp.has_computer_use, cache: app.plugins.computer_use_cache },
-    cmux: { ok: Boolean(cmux.ok), version: cmux.version || null, install_hint: cmux.ok ? null : platformCmuxInstallHint(), error: cmux.error || null },
+    cmux: { ok: Boolean(cmux.ok), bin: cmux.bin || null, version: cmux.version || null, install_hint: cmux.ok ? null : platformCmuxInstallHint(), error: cmux.error || null },
     homebrew: process.platform === 'darwin' ? { ok: Boolean(brew), bin: brew, required_for_cmux_install: homebrewNeeded } : { ok: null, bin: null, required_for_cmux_install: false },
     next_actions: depsNextActions({ npmBin, globalBin, codex, app, context7, cmux, brew, nodeOk })
   };
@@ -1153,10 +1211,11 @@ async function depsInstall(args = []) {
   if (!status.ready) process.exitCode = 1;
 }
 
-async function installCodexDependency(args = []) {
+async function installCodexDependency(args = [], opts = {}) {
   const before = await getCodexInfo().catch(() => ({}));
   if (before.bin) return { target: 'codex', status: 'present', bin: before.bin, version: before.version || null };
-  if (!await confirmInstall('Install Codex CLI with npm i -g @openai/codex?', args)) return { target: 'codex', status: 'needs_approval', command: 'npm i -g @openai/codex' };
+  const command = 'npm i -g @openai/codex@latest';
+  if (!await confirmInstall(opts.prompt || `Install Codex CLI with ${command}?`, args)) return { target: 'codex', status: 'needs_approval', command };
   return { target: 'codex', ...(await ensureCodexCliTool()) };
 }
 
@@ -1172,10 +1231,10 @@ async function installCmuxDependency(args = []) {
   if (before.ok) return { target: 'cmux', status: 'present', version: before.version || null };
   if (process.platform === 'darwin') {
     const brew = await which('brew').catch(() => null);
-    const command = 'brew tap manaflow-ai/cmux && brew install --cask cmux';
+    const command = CMUX_BREW_COMMAND;
     if (!brew) return { target: 'cmux', status: 'homebrew_missing', command: `/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" && ${command}` };
     if (flag(args, '--dry-run')) return { target: 'cmux', status: 'dry_run', command };
-    if (!await confirmInstall(`Install cmux with Homebrew (${command})?`, args)) return { target: 'cmux', status: 'needs_approval', command };
+    if (!await confirmInstall(`Install/update latest cmux with Homebrew (${command}; ${CMUX_BREW_UPGRADE_COMMAND} if already installed)?`, args)) return { target: 'cmux', status: 'needs_approval', command };
     const installed = await ensureCmuxInstalled({ autoInstall: true });
     return {
       target: 'cmux',
@@ -1191,10 +1250,14 @@ async function installCmuxDependency(args = []) {
 
 async function confirmInstall(question, args = []) {
   if (flag(args, '--yes') || flag(args, '-y')) return true;
-  if (!input.isTTY || !output.isTTY || process.env.CI === 'true') return false;
+  if (!canAskYesNo()) return false;
   return /^(y|yes|예|네|응)$/i.test((await askPostinstallQuestion(`${question} [y/N] `)).trim());
 }
 
+function canAskYesNo() {
+  return Boolean(input.isTTY && output.isTTY && process.env.CI !== 'true');
+}
+
 function printDepsInstallAction(action) {
   if (!action) return;
   console.log(`${action.target}: ${action.status}${action.version ? ` ${action.version}` : ''}`);
@@ -1767,6 +1830,8 @@ async function npmGlobalSksBin() {
 }
 
 async function npmPackageVersion(name) {
+  const envName = `SKS_NPM_VIEW_${String(name || '').replace(/[^A-Za-z0-9]+/g, '_').toUpperCase()}_VERSION`;
+  if (process.env[envName]) return { version: process.env[envName] };
   const npm = await which('npm').catch(() => null);
   if (!npm) return { error: 'npm not found' };
   const result = await runProcess(npm, ['view', name, 'version'], { timeoutMs: 5000, maxOutputBytes: 4096 });
@@ -2259,7 +2324,7 @@ async function selftest() {
   const madProfilePath = path.join(tmp, 'mad-codex-config.toml');
   const madProfile = await enableMadHighProfile({ configPath: madProfilePath });
   const madProfileText = await safeReadText(madProfilePath);
-  if (madProfile.profile_name !== 'sks-mad-high' || !madProfileText.includes('sandbox_mode = "danger-full-access"') || !madProfileText.includes('approval_policy = "never"') || !madProfileText.includes('model_reasoning_effort = "high"')) throw new Error('selftest failed: MAD high profile is not full-access high/fast');
+  if (madProfile.profile_name !== 'sks-mad-high' || !madProfileText.includes('sandbox_mode = "danger-full-access"') || !madProfileText.includes('approval_policy = "on-request"') || !madProfileText.includes('approvals_reviewer = "auto_review"') || !madProfileText.includes('model_reasoning_effort = "high"')) throw new Error('selftest failed: MAD high profile is not full-access auto-review high');
   if (!isMadHighLaunch(['--mad', '--high']) || isMadHighLaunch(['db', '--mad'])) throw new Error('selftest failed: MAD high launch flag parsing is not top-level only');
   const guardBlocked = await checkHarnessModification(tmp, { tool_name: 'apply_patch', command: '*** Update File: .agents/skills/team/SKILL.md\n+tamper\n' });
   if (guardBlocked.action !== 'block') throw new Error('selftest failed: harness guard allowed skill tampering');
@@ -2654,11 +2719,11 @@ async function selftest() {
   const autoReviewEnabled = await enableAutoReview({ env: autoReviewEnv, high: true });
   if (!autoReviewEnabled.enabled || autoReviewEnabled.profile_name !== 'sks-auto-review-high' || !autoReviewEnabled.high_profile) throw new Error('selftest failed: auto-review high profile was not enabled');
   const autoReviewConfig = await safeReadText(path.join(autoReviewHome, '.codex', 'config.toml'));
-  if (!autoReviewConfig.includes('approvals_reviewer = "guardian_subagent"') || autoReviewConfig.includes('approvals_reviewer = "auto_review"') || !autoReviewConfig.includes('[profiles.sks-auto-review-high]')) throw new Error('selftest failed: auto-review config not written');
+  if (!autoReviewConfig.includes('approvals_reviewer = "auto_review"') || autoReviewConfig.includes('approvals_reviewer = "guardian_subagent"') || !autoReviewConfig.includes('[profiles.sks-auto-review-high]')) throw new Error('selftest failed: auto-review config not written');
   const autoReviewDisabled = await disableAutoReview({ env: autoReviewEnv });
   if (autoReviewDisabled.enabled || autoReviewDisabled.approvals_reviewer !== 'user') throw new Error('selftest failed: auto-review disable did not restore user reviewer');
   const autoReviewDisabledConfig = await safeReadText(path.join(autoReviewHome, '.codex', 'config.toml'));
-  if (autoReviewDisabledConfig.includes('approvals_reviewer = "auto_review"')) throw new Error('selftest failed: auto-review disable left legacy invalid reviewer values');
+  if (autoReviewDisabledConfig.includes('approvals_reviewer = "guardian_subagent"')) throw new Error('selftest failed: auto-review disable left legacy reviewer values');
   const analysisAgentExists = await exists(path.join(tmp, '.codex', 'agents', 'analysis-scout.toml'));
   if (!analysisAgentExists) throw new Error('selftest failed: analysis scout agent not installed');
   const teamAgentExists = await exists(path.join(tmp, '.codex', 'agents', 'team-consensus.toml'));

package/src/core/auto-review.mjs

@@ -2,8 +2,8 @@ import os from 'node:os';
 import path from 'node:path';
 import { ensureDir, exists, readText, writeTextAtomic } from './fsx.mjs';
 
-export const AUTO_REVIEW_REVIEWER = 'guardian_subagent';
-export const LEGACY_AUTO_REVIEW_REVIEWER = 'auto_review';
+export const AUTO_REVIEW_REVIEWER = 'auto_review';
+export const LEGACY_AUTO_REVIEW_REVIEWER = 'guardian_subagent';
 export const AUTO_REVIEW_PROFILE = 'sks-auto-review';
 export const AUTO_REVIEW_HIGH_PROFILE = 'sks-auto-review-high';
 export const MAD_HIGH_PROFILE = 'sks-mad-high';
@@ -64,10 +64,12 @@ export async function enableMadHighProfile(opts = {}) {
   let next = upsertTable(current, `profiles.${MAD_HIGH_PROFILE}`, [
     `[profiles.${MAD_HIGH_PROFILE}]`,
     'model = "gpt-5.5"',
-    'approval_policy = "never"',
+    'approval_policy = "on-request"',
+    `approvals_reviewer = "${AUTO_REVIEW_REVIEWER}"`,
     'sandbox_mode = "danger-full-access"',
     'model_reasoning_effort = "high"'
   ].join('\n'));
+  next = upsertAutoReviewPolicy(next);
   if (!next.endsWith('\n')) next += '\n';
   await writeTextAtomic(configPath, next);
   return {
@@ -75,7 +77,8 @@ export async function enableMadHighProfile(opts = {}) {
     profile_name: MAD_HIGH_PROFILE,
     launch_args: ['--profile', MAD_HIGH_PROFILE],
     sandbox_mode: 'danger-full-access',
-    approval_policy: 'never',
+    approval_policy: 'on-request',
+    approvals_reviewer: AUTO_REVIEW_REVIEWER,
     model_reasoning_effort: 'high',
     scope: 'explicit_launch_only'
   };
@@ -111,7 +114,7 @@ export function autoReviewSummary(status = {}) {
     lines.push('Launch high mode with: sks --Auto-review --high');
   }
   if (status.legacy_invalid) {
-    lines.push('', 'Legacy invalid reviewer value found: run sks auto-review enable or sks auto-review disable to rewrite Codex config.');
+    lines.push('', 'Legacy reviewer value found: run sks auto-review enable or sks auto-review disable to rewrite Codex config.');
   }
   return lines.join('\n');
 }

package/src/core/cmux-ui.mjs

@@ -1,4 +1,5 @@
 import path from 'node:path';
+import fsp from 'node:fs/promises';
 import { spawnSync } from 'node:child_process';
 import { exists, packageRoot, projectRoot, runProcess, sha256, which } from './fsx.mjs';
 import { getCodexInfo } from './codex-adapter.mjs';
@@ -14,6 +15,7 @@ export const SKS_CMUX_LOGO = [
 ].join('\n');
 
 export const CMUX_BREW_COMMAND = 'brew tap manaflow-ai/cmux && brew install --cask cmux';
+export const CMUX_BREW_UPGRADE_COMMAND = 'brew tap manaflow-ai/cmux && brew upgrade --cask cmux';
 
 export function sanitizeCmuxWorkspaceName(input) {
   const base = String(input || 'sks').trim().replace(/[^A-Za-z0-9_.-]+/g, '-').replace(/^-+|-+$/g, '');
@@ -34,8 +36,8 @@ export function platformCmuxInstallHint() {
   if (process.platform !== 'darwin') return 'cmux is a native macOS app; install it on macOS 14+ from https://cmux.com or https://github.com/manaflow-ai/cmux.';
   return [
     CMUX_BREW_COMMAND,
-    'then expose the CLI if needed:',
-    'sudo ln -sf "/Applications/cmux.app/Contents/Resources/bin/cmux" /usr/local/bin/cmux'
+    'then run:',
+    'sks cmux check'
   ].join(' ');
 }
 
@@ -44,17 +46,43 @@ export async function findCmuxBinary() {
   if (env && await exists(env)) return env;
   const onPath = await which('cmux').catch(() => null);
   if (onPath) return onPath;
-  const appBin = '/Applications/cmux.app/Contents/Resources/bin/cmux';
-  if (process.platform === 'darwin' && await exists(appBin)) return appBin;
+  for (const candidate of cmuxBinaryCandidates()) {
+    if (await exists(candidate)) return candidate;
+  }
   return null;
 }
 
+export function cmuxBinaryCandidates() {
+  if (process.platform !== 'darwin') return [];
+  const envApps = String(process.env.SKS_CMUX_APP_PATHS || '')
+    .split(path.delimiter)
+    .map((entry) => entry.trim())
+    .filter(Boolean);
+  const appBundles = [
+    ...envApps,
+    '/Applications/cmux.app',
+    '/Applications/Cmux.app',
+    '/Applications/CMUX.app',
+    path.join(process.env.HOME || '', 'Applications', 'cmux.app'),
+    '/opt/homebrew/Caskroom/cmux/latest/cmux.app'
+  ].filter(Boolean);
+  const candidates = [];
+  for (const app of appBundles) {
+    candidates.push(
+      path.join(app, 'Contents', 'Resources', 'bin', 'cmux'),
+      path.join(app, 'Contents', 'MacOS', 'cmux')
+    );
+  }
+  candidates.push('/opt/homebrew/bin/cmux', '/usr/local/bin/cmux');
+  return Array.from(new Set(candidates));
+}
+
 export async function cmuxAvailable() {
   const bin = await findCmuxBinary();
   if (!bin) return { ok: false, bin: null, version: null, error: 'cmux CLI not found' };
-  const probe = await runProcess(bin, ['list-workspaces', '--json'], { timeoutMs: 5000, maxOutputBytes: 16 * 1024 }).catch((err) => ({ code: 1, stderr: err.message, stdout: '' }));
+  const probe = await runProcess(bin, ['version'], { timeoutMs: 5000, maxOutputBytes: 16 * 1024 }).catch((err) => ({ code: 1, stderr: err.message, stdout: '' }));
   const text = `${probe.stdout || ''}${probe.stderr || ''}`.trim();
-  return { ok: probe.code === 0, bin, version: text || 'cmux CLI', error: probe.code === 0 ? null : text || 'cmux workspace probe failed' };
+  return { ok: probe.code === 0, bin, version: text || 'cmux CLI', error: probe.code === 0 ? null : text || 'cmux CLI probe failed' };
 }
 
 export async function ensureCmuxInstalled(opts = {}) {
@@ -70,18 +98,28 @@ export async function ensureCmuxInstalled(opts = {}) {
   if (!brew) {
     return { target: 'cmux', status: 'homebrew_missing', cmux: before, command: CMUX_BREW_COMMAND, error: 'Homebrew is required for automatic cmux install' };
   }
-  if (!opts.quiet) console.log('cmux CLI missing; installing cmux with Homebrew...');
+  if (!opts.quiet) console.log('cmux CLI missing; installing/updating cmux with Homebrew...');
   const tap = await runProcess(brew, ['tap', 'manaflow-ai/cmux'], { timeoutMs: 180000, maxOutputBytes: 128 * 1024 }).catch((err) => ({ code: 1, stdout: '', stderr: err.message }));
   const install = tap.code === 0
-    ? await runProcess(brew, ['install', '--cask', 'cmux'], { timeoutMs: 300000, maxOutputBytes: 256 * 1024 }).catch((err) => ({ code: 1, stdout: '', stderr: err.message }))
+    ? await installOrUpgradeCmuxCask(brew)
     : tap;
   let after = await cmuxAvailable().catch((err) => ({ ok: false, error: err.message || 'cmux probe failed after install' }));
   if (!after.ok && after.bin) after = await wakeCmuxAndReprobe(after);
   if (after.ok) return { target: 'cmux', status: 'installed', cmux: after, command: CMUX_BREW_COMMAND };
-  const rawError = `${install.stderr || install.stdout || after.error || 'brew install --cask cmux failed'}`.trim();
+  const installText = `${install.stderr || ''}\n${install.stdout || ''}`.trim();
+  const rawError = after.error || installText || 'brew install --cask cmux completed, but no working cmux CLI was found';
   return { target: 'cmux', status: 'failed', cmux: after, command: CMUX_BREW_COMMAND, code: install.code, error: rawError };
 }
 
+async function installOrUpgradeCmuxCask(brew) {
+  const install = await runProcess(brew, ['install', '--cask', 'cmux'], { timeoutMs: 300000, maxOutputBytes: 256 * 1024 }).catch((err) => ({ code: 1, stdout: '', stderr: err.message }));
+  if (install.code === 0) return install;
+  const text = `${install.stderr || ''}\n${install.stdout || ''}`;
+  if (!/already installed|to upgrade|brew upgrade/i.test(text)) return install;
+  const upgrade = await runProcess(brew, ['upgrade', '--cask', 'cmux'], { timeoutMs: 300000, maxOutputBytes: 256 * 1024 }).catch((err) => ({ code: 1, stdout: '', stderr: err.message }));
+  return upgrade.code === 0 ? upgrade : install;
+}
+
 export function codexLaunchCommand(root, codexBin, codexArgs = []) {
   const extraArgs = Array.isArray(codexArgs) ? codexArgs : [];
   return [
@@ -139,7 +177,7 @@ export function formatCmuxBanner(status = null) {
     '',
     'CLI-first runtime:',
     '  sks                 open a cmux Codex CLI workspace',
-    '  sks --mad --high    open one-shot MAD-SKS high reasoning workspace',
+    '  sks --mad           open one-shot MAD full-access auto-review workspace',
     '  sks team "task"     prepare Team mission and cmux multi-line agent view',
     '',
     'Useful terminal commands:',
@@ -171,6 +209,13 @@ export async function launchCmuxUi(args = [], opts = {}) {
     process.exitCode = 1;
     return { plan };
   }
+  const daemon = await ensureCmuxDaemonReady(plan.cmux);
+  if (!daemon.ok && !args.includes('--status-only')) {
+    const blocked = { ...plan, ready: false, cmux: { ...plan.cmux, ok: false, error: daemon.error || 'cmux app did not become ready' } };
+    printCmuxLaunchBlocked(blocked, { concise: opts.conciseBlockers, cmuxRepair });
+    process.exitCode = 1;
+    return { plan: blocked };
+  }
   if (!args.includes('--no-open')) await openCmuxApp().catch(() => null);
   const command = codexLaunchCommand(plan.root, plan.codex.bin, plan.codexArgs);
   const created = spawnSync(plan.cmux.bin, ['new-workspace', '--cwd', plan.root, '--command', command], { encoding: 'utf8', stdio: args.includes('--quiet') ? 'pipe' : 'inherit' });
@@ -190,11 +235,16 @@ function printCmuxLaunchBlocked(plan, opts = {}) {
     console.error('SKS cmux launch blocked.');
     if (!plan.cmux.ok) {
       const repair = opts.cmuxRepair;
-      const prefix = repair?.status ? `cmux ${repair.status}` : 'cmux missing';
+      const installedButUnhealthy = Boolean(plan.cmux.bin);
+      const prefix = repair?.status
+        ? `cmux ${repair.status}`
+        : installedButUnhealthy
+          ? 'cmux app/socket unhealthy'
+          : 'cmux missing';
       console.error(`- ${prefix}: ${repair?.error || plan.cmux.error || 'cmux CLI not found'}`);
-      console.error(`- Install command: ${repair?.command || CMUX_BREW_COMMAND}`);
+      console.error(`- ${installedButUnhealthy ? 'Repair command' : 'Install command'}: ${repair?.command || (installedButUnhealthy ? 'sks deps install cmux --yes' : CMUX_BREW_COMMAND)}`);
     }
-    if (!plan.codex.bin) console.error('- Codex CLI missing. Install: npm i -g @openai/codex, or set SKS_CODEX_BIN.');
+    if (!plan.codex.bin) console.error('- Codex CLI missing. Install: npm i -g @openai/codex@latest, or set SKS_CODEX_BIN.');
     return;
   }
   console.log(formatCmuxBanner(plan.app));
@@ -205,15 +255,69 @@ function printCmuxLaunchBlocked(plan, opts = {}) {
 export async function openCmuxApp() {
   if (process.platform !== 'darwin') return { ok: false, reason: 'not_macos' };
   const run = await runProcess('open', ['-a', 'cmux'], { timeoutMs: 5000, maxOutputBytes: 16 * 1024 }).catch((err) => ({ code: 1, stderr: err.message, stdout: '' }));
-  return { ok: run.code === 0, stdout: run.stdout || '', stderr: run.stderr || '' };
+  if (run.code === 0) return { ok: true, stdout: run.stdout || '', stderr: run.stderr || '' };
+  for (const app of ['/Applications/cmux.app', '/Applications/Cmux.app']) {
+    if (!await exists(app)) continue;
+    const byPath = await runProcess('open', [app], { timeoutMs: 5000, maxOutputBytes: 16 * 1024 }).catch((err) => ({ code: 1, stderr: err.message, stdout: '' }));
+    if (byPath.code === 0) return { ok: true, stdout: byPath.stdout || '', stderr: byPath.stderr || '' };
+  }
+  return { ok: false, stdout: run.stdout || '', stderr: run.stderr || '' };
 }
 
 async function wakeCmuxAndReprobe(fallback = {}) {
-  if (process.platform !== 'darwin') return fallback;
+  return ensureCmuxDaemonReady(fallback);
+}
+
+async function ensureCmuxDaemonReady(cmux = {}) {
+  if (!cmux?.bin) return { ok: false, error: cmux?.error || 'cmux CLI not found' };
+  const first = await cmuxSocketProbe(cmux.bin);
+  if (first.ok) return { ...cmux, ok: true, error: null };
+  if (process.platform !== 'darwin') return first;
   const opened = await openCmuxApp().catch(() => null);
-  if (!opened?.ok) return fallback;
+  if (!opened?.ok) return { ok: false, error: opened?.stderr || opened?.reason || first.error || 'cmux app launch failed' };
+  let last = first;
+  for (let i = 0; i < 8; i++) {
+    await new Promise((resolve) => setTimeout(resolve, 750));
+    last = await cmuxSocketProbe(cmux.bin);
+    if (last.ok) return { ...cmux, ok: true, error: null };
+  }
+  if (isRecoverableCmuxSocketError(last.error) && process.env.SKS_CMUX_NO_RESTART !== '1') {
+    await restartCmuxApp();
+    for (let i = 0; i < 8; i++) {
+      await new Promise((resolve) => setTimeout(resolve, 750));
+      last = await cmuxSocketProbe(cmux.bin);
+      if (last.ok) return { ...cmux, ok: true, error: null };
+    }
+  }
+  return { ok: false, error: last.error || 'cmux socket did not become ready' };
+}
+
+async function cmuxSocketProbe(bin) {
+  const probe = await runProcess(bin, ['list-workspaces', '--json'], { timeoutMs: 5000, maxOutputBytes: 16 * 1024 }).catch((err) => ({ code: 1, stderr: err.message, stdout: '' }));
+  const text = `${probe.stdout || ''}${probe.stderr || ''}`.trim();
+  return { ok: probe.code === 0, error: probe.code === 0 ? null : text || 'cmux socket probe failed' };
+}
+
+function isRecoverableCmuxSocketError(error) {
+  return /socket|broken pipe|receive timeout|connection refused/i.test(String(error || ''));
+}
+
+async function restartCmuxApp() {
+  if (process.platform !== 'darwin') return { ok: false, reason: 'not_macos' };
+  const quit = await runProcess('osascript', ['-e', 'tell application "cmux" to quit'], { timeoutMs: 8000, maxOutputBytes: 16 * 1024 }).catch((err) => ({ code: 1, stderr: err.message, stdout: '' }));
+  if (quit.code !== 0) {
+    await runProcess('pkill', ['-TERM', '-f', '/Applications/cmux.app/Contents/MacOS/cmux'], { timeoutMs: 8000, maxOutputBytes: 16 * 1024 }).catch(() => null);
+  }
   await new Promise((resolve) => setTimeout(resolve, 1500));
-  return cmuxAvailable().catch(() => fallback);
+  await removeStaleCmuxSocket().catch(() => null);
+  return openCmuxApp();
+}
+
+async function removeStaleCmuxSocket() {
+  const home = process.env.HOME;
+  if (!home) return;
+  const sock = path.join(home, 'Library', 'Application Support', 'cmux', 'cmux.sock');
+  await fsp.rm(sock, { force: true });
 }
 
 export async function launchCmuxTeamView({ root, missionId, plan = {}, promptFile = null, json = false } = {}) {

package/src/core/fsx.mjs

@@ -5,7 +5,7 @@ import os from 'node:os';
 import crypto from 'node:crypto';
 import { spawn } from 'node:child_process';
 
-export const PACKAGE_VERSION = '0.6.64';
+export const PACKAGE_VERSION = '0.6.66';
 export const DEFAULT_PROCESS_TAIL_BYTES = 256 * 1024;
 export const DEFAULT_PROCESS_TIMEOUT_MS = 30 * 60 * 1000;
 

package/src/core/init.mjs

@@ -404,10 +404,14 @@ export async function initProject(root, opts = {}) {
 
   await writeTextAtomic(path.join(root, '.codex', 'config.toml'), `[features]\ncodex_hooks = true\nmulti_agent = true\n\n[agents]\nmax_threads = 6\nmax_depth = 1\n\n${context7ConfigToml()}\n[agents.analysis_scout]\ndescription = "Read-only SKS scout."\nconfig_file = "./agents/analysis-scout.toml"\nnickname_candidates = ["Scout", "Mapper"]\n\n[agents.team_consensus]\ndescription = "SKS planning/debate agent."\nconfig_file = "./agents/team-consensus.toml"\nnickname_candidates = ["Consensus", "Atlas"]\n\n[agents.implementation_worker]\ndescription = "SKS bounded implementation worker."\nconfig_file = "./agents/implementation-worker.toml"\nnickname_candidates = ["Builder", "Mason"]\n\n[agents.db_safety_reviewer]\ndescription = "Read-only DB safety reviewer."\nconfig_file = "./agents/db-safety-reviewer.toml"\nnickname_candidates = ["Sentinel", "Ledger"]\n\n[agents.qa_reviewer]\ndescription = "Read-only QA reviewer."\nconfig_file = "./agents/qa-reviewer.toml"\nnickname_candidates = ["Verifier", "Scout"]\n\n[profiles.sks-task-medium]\nmodel = "gpt-5.5"\napproval_policy = "on-request"\nsandbox_mode = "workspace-write"\nmodel_reasoning_effort = "medium"\n\n[profiles.sks-logic-high]\nmodel = "gpt-5.5"\napproval_policy = "on-request"\nsandbox_mode = "workspace-write"\nmodel_reasoning_effort = "high"\n\n[profiles.sks-research-xhigh]\nmodel = "gpt-5.5"\napproval_policy = "on-request"\nsandbox_mode = "workspace-write"\nmodel_reasoning_effort = "xhigh"\n\n[profiles.sks-ralph]\nmodel = "gpt-5.5"\napproval_policy = "never"\nsandbox_mode = "workspace-write"\nmodel_reasoning_effort = "high"\n\n[profiles.sks-research]\nmodel = "gpt-5.5"\napproval_policy = "never"\nsandbox_mode = "workspace-write"\nmodel_reasoning_effort = "xhigh"\n\n[profiles.sks-team]\nmodel = "gpt-5.5"\napproval_policy = "on-request"\nsandbox_mode = "workspace-write"\nmodel_reasoning_effort = "high"\n\n[profiles.sks-mad-high]
 model = "gpt-5.5"
-approval_policy = "never"
+approval_policy = "on-request"
+approvals_reviewer = "auto_review"
 sandbox_mode = "danger-full-access"
 model_reasoning_effort = "high"
 
+[auto_review]
+policy = "Deny destructive database operations, credential exfiltration, persistent security weakening, broad file deletion, and writes outside the workspace unless explicitly authorized by the user."
+
 [profiles.sks-default]\nmodel = "gpt-5.5"\napproval_policy = "on-request"\nsandbox_mode = "workspace-write"\nmodel_reasoning_effort = "medium"\n`);
   created.push('.codex/config.toml');
 

package/src/core/routes.mjs

@@ -334,7 +334,7 @@ export const COMMAND_CATALOG = [
   { name: 'deps', usage: 'sks deps check|install [cmux|codex|context7|all] [--yes]', description: 'Check or guided-install Node/npm PATH, Codex CLI/App, Context7, Browser Use, Computer Use, cmux, and Homebrew on macOS.' },
   { name: 'codex-app', usage: 'sks codex-app [check|open]', description: 'Check Codex App install and first-party MCP/plugin readiness, then show app setup files and examples.' },
   { name: 'cmux', usage: 'sks cmux [check|status] [--workspace name]', description: 'Open the SKS cmux runtime with the ㅅㅋㅅ ASCII status pane and Codex CLI.' },
-  { name: 'mad-high', usage: 'sks --mad --high', description: 'Open a one-shot cmux Codex CLI workspace with the SKS MAD high full-access profile.' },
+  { name: 'mad', usage: 'sks --mad [--high]', description: 'Open a one-shot cmux Codex CLI workspace with the SKS MAD full-access auto-review profile.' },
   { name: 'auto-review', usage: 'sks auto-review status|enable|start [--high] | sks --Auto-review --high', description: 'Enable Codex automatic approval review and launch SKS cmux with the auto-review profile.' },
   { name: 'dollar-commands', usage: 'sks dollar-commands [--json]', description: 'List Codex App $ commands such as $DFix and $Team.' },
   { name: 'dfix', usage: 'sks dfix', description: 'Explain $DFix ultralight design/content fix mode.' },