sneakoscope 0.9.17 → 0.9.18

package/README.md

@@ -2,20 +2,22 @@
 
 Fast legacy-free proof-first Codex trust layer with image-based Voxel TriWiki.
 
-Sneakoscope Codex (`sks`) is a Codex CLI/App harness that makes repeatable Codex work auditable. `0.9.17` removes the old route command monolith, adds a read-only five-scout intake before serious route implementation, automatically seals serious route fixture paths with Completion Proof, binds visual/UI claims to Image Voxel TriWiki anchors and relations, and release-gates real command fixtures, route modularity, Rust fallback parity, and DB safety evidence.
+Sneakoscope Codex (`sks`) is a Codex CLI/App harness that makes repeatable Codex work auditable. `0.9.18` makes route execution hermetic and evidence-strict: Five-Scout intake can use real Codex/tmux engines when available, route E2E runs in temp project roots, feature fixtures no longer receive implicit static-pass fallback, and pipeline planning is exposed through split policy modules with a facade compatibility layer.
 
 ![Sneakoscope Codex architecture and pipeline](https://raw.githubusercontent.com/mandarange/Sneakoscope-Codex/dev/docs/assets/sneakoscope-architecture-pipeline.jpg)
 
-## 0.9.17 Current Release
+## 0.9.18 Current Release
 
-`0.9.17` completes the route modularity cleanup that started in 0.9.14. `src/core/commands/route-cli.mjs` is gone; every serious route now owns a focused command module, and release checks fail if the monolith returns or if command modules drift past their budget.
+0.9.18 makes SKS route execution hermetic and evidence-strict. Five-Scout intake can run through real Codex/tmux engines when available, falls back honestly when not, and never claims speedup from mock/static evidence. E2E route tests run in isolated temp project roots. Feature fixtures no longer receive implicit static-pass fallback; every feature declares an explicit fixture. Pipeline architecture is split into stage policy, scout policy, prompt context, active context, and stop-gate modules.
 
 Highlights:
 
 - Serious route mock/fixture commands call `maybeFinalizeRoute`, so Team, QA-LOOP, Research, PPT, Image UX Review, Computer Use, DB, Wiki, and GX fixtures produce route-local `completion-proof.json` without a separate repair/finalize step.
-- Serious routes run or validate five read-only scouts for code surface, verification, safety/DB, visual/Voxel evidence, and simplification/integration before proof is written.
-- E2E route tests run actual route commands such as `sks team fixture --mock --json`, `sks qa-loop run <mission> --mock --json`, and `sks wiki image-ingest ... --json`.
-- Feature fixtures execute deterministic allowlisted commands and validate artifacts generated by those commands, including mission-local proof, visual ledgers, DB reports, and GX/Wiki evidence.
+- `sks scouts engines --json` reports Codex exec, tmux, Codex App subagent, local static, and sequential fallback availability with blockers.
+- Scout read-only guards snapshot source state and allow only mission-local `scout-*` artifacts plus scout reports.
+- E2E route tests run actual route commands inside isolated temp roots instead of sharing the source checkout `.sneakoscope`.
+- Feature fixtures execute deterministic allowlisted commands in hermetic temp roots and validate artifacts generated by those commands, including mission-local proof, visual ledgers, DB reports, and GX/Wiki evidence.
+- `npm run release:check` includes `pipeline-budget:check`, `scout-engines:check`, strict scout validation, and hermetic fixture execution.
 - `sks rust status|smoke --json` reports optional Rust availability, detects stale native binaries, and proves JS fallback parity when native Rust is missing or version-mismatched.
 - `npm run release:check` includes `route-modularity:check`, `command-budget:check`, and `feature-fixtures:strict`.
 
@@ -36,6 +38,9 @@ Learn more:
 - Image Voxel TriWiki: [docs/image-voxel-ledger.md](docs/image-voxel-ledger.md)
 - Route finalization: [docs/route-finalization.md](docs/route-finalization.md)
 - Feature fixtures: [docs/feature-fixtures.md](docs/feature-fixtures.md)
+- Scout engines: [docs/scout-engines.md](docs/scout-engines.md)
+- Hermetic E2E: [docs/testing-hermetic-e2e.md](docs/testing-hermetic-e2e.md)
+- Pipeline architecture: [docs/pipeline-architecture.md](docs/pipeline-architecture.md)
 - Rust accelerator: [docs/rust-accelerator.md](docs/rust-accelerator.md)
 - Codex App Hooks/PAT: [docs/hooks-pat.md](docs/hooks-pat.md)
 - codex-lb: [docs/codex-lb.md](docs/codex-lb.md)

package/crates/sks-core/Cargo.lock

@@ -76,7 +76,7 @@ dependencies = [
 
 [[package]]
 name = "sks-core"
-version = "0.9.17"
+version = "0.9.18"
 dependencies = [
  "serde_json",
 ]

package/crates/sks-core/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "sks-core"
-version = "0.9.17"
+version = "0.9.18"
 edition = "2021"
 
 [dependencies]

package/crates/sks-core/src/main.rs

@@ -4,7 +4,7 @@ use std::io::{self, Read, Seek, SeekFrom};
 fn main() {
     let mut args = std::env::args().skip(1);
     match args.next().as_deref() {
-        Some("--version") => println!("sks-rs 0.9.17"),
+        Some("--version") => println!("sks-rs 0.9.18"),
         Some("compact-info") => {
             let mut input = String::new();
             let _ = io::stdin().read_to_string(&mut input);

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "sneakoscope",
   "displayName": "ㅅㅋㅅ",
-  "version": "0.9.17",
+  "version": "0.9.18",
   "description": "Sneakoscope Codex: fast proof-first Codex trust layer with image-based Voxel TriWiki.",
   "type": "module",
   "homepage": "https://github.com/mandarange/Sneakoscope-Codex#readme",
@@ -43,24 +43,27 @@
     "legacy-free:check": "node ./scripts/check-legacy-free.mjs",
     "route-modularity:check": "node ./scripts/check-route-modularity.mjs",
     "command-budget:check": "node ./scripts/check-command-module-budget.mjs",
+    "pipeline-budget:check": "node ./scripts/check-pipeline-budget.mjs",
     "sizecheck": "node ./scripts/sizecheck.mjs",
     "registry:check": "node ./scripts/release-registry-check.mjs",
     "feature:check": "node ./bin/sks.mjs features check --json",
     "all-features:selftest": "node ./bin/sks.mjs all-features selftest --mock --json",
     "all-features:execute-fixtures": "node ./bin/sks.mjs all-features selftest --mock --execute-fixtures --strict-artifacts --json",
-    "feature-fixtures:strict": "node ./bin/sks.mjs all-features selftest --mock --execute-fixtures --strict-artifacts --json",
-    "scouts:selftest": "node ./bin/sks.mjs scouts run latest --mock --json",
-    "scouts:check": "node ./bin/sks.mjs scouts validate latest --json",
+    "feature-fixtures:strict": "node ./bin/sks.mjs all-features selftest --mock --execute-fixtures --strict-artifacts --hermetic --json",
+    "scout-engines:check": "node ./bin/sks.mjs scouts engines --json",
+    "scouts:selftest": "node ./bin/sks.mjs scouts run latest --engine local-static --mock --json",
+    "scouts:check": "node ./bin/sks.mjs scouts validate latest --strict --json",
     "perf:cold-start": "node ./bin/sks.mjs perf cold-start --json",
     "perf:gate": "node ./scripts/perf-gate.mjs",
     "test": "node --test \"test/**/*.test.mjs\"",
     "test:unit": "node --test \"test/unit/**/*.test.mjs\"",
     "test:integration:mock": "node --test \"test/integration/**/*.test.mjs\"",
     "test:e2e:mock": "node --test \"test/e2e/**/*.test.mjs\"",
+    "test:real-scouts": "node --test \"test/real/**/*.test.mjs\"",
     "rust:check": "cargo check --manifest-path crates/sks-core/Cargo.toml",
     "rust:smoke": "node ./scripts/rust-smoke.mjs",
     "coverage": "node --experimental-test-coverage --test \"test/**/*.test.mjs\"",
-    "release:check": "npm run repo-audit && npm run changelog:check && npm run cli-entrypoint:check && npm run legacy-free:check && npm run packcheck && npm run route-modularity:check && npm run command-budget:check && npm run feature:check && npm run all-features:selftest && npm run scouts:selftest && npm run scouts:check && npm run feature-fixtures:strict && npm run selftest && npm run test:unit && npm run test:integration:mock && npm run test:e2e:mock && npm run rust:check && npm run rust:smoke && npm run perf:gate && npm run sizecheck && npm run registry:check",
+    "release:check": "npm run repo-audit && npm run changelog:check && npm run cli-entrypoint:check && npm run legacy-free:check && npm run route-modularity:check && npm run command-budget:check && npm run pipeline-budget:check && npm run packcheck && npm run feature:check && npm run all-features:selftest && npm run scout-engines:check && npm run scouts:selftest && npm run scouts:check && npm run feature-fixtures:strict && npm run selftest && npm run test:unit && npm run test:integration:mock && npm run test:e2e:mock && npm run rust:check && npm run rust:smoke && npm run perf:gate && npm run sizecheck && npm run registry:check",
     "publish:dry": "npm run release:check && npm --cache /tmp/sks-npm-cache publish --dry-run --registry https://registry.npmjs.org/ --access public",
     "publish:npm": "npm --cache /tmp/sks-npm-cache publish --registry https://registry.npmjs.org/ --access public",
     "prepublishOnly": "npm run release:check && node ./scripts/release-registry-check.mjs --require-unpublished"

package/src/core/commands/command-utils.mjs

@@ -30,7 +30,7 @@ export function positionalArgs(args = []) {
     '--lines', '--intent', '--changed', '--route', '--skills', '--prompt-signature',
     '--mission-id', '--source', '--image-id', '--bbox', '--label', '--evidence',
     '--claim-id', '--type', '--before', '--after', '--anchors', '--verification',
-    '--status', '--scouts'
+    '--status', '--scouts', '--engine'
   ]);
   for (let i = 0; i < args.length; i += 1) {
     const arg = String(args[i]);

package/src/core/commands/ppt-command.mjs

@@ -81,7 +81,7 @@ function mockPptFixtureGate(gate = {}) {
 
 function fixtureAnswers() {
   return {
-    PRESENTATION_AUDIENCE_PROFILE: 'Release reviewer validating SKS 0.9.17 route evidence.',
+    PRESENTATION_AUDIENCE_PROFILE: 'Release reviewer validating SKS 0.9.18 route evidence.',
     PRESENTATION_STP_STRATEGY: 'Segment: developer tooling. Target: Codex trust-layer maintainers. Positioning: proof-first release readiness.',
     PRESENTATION_DELIVERY_CONTEXT: 'Mock release gate fixture.',
     PRESENTATION_PAINPOINT_SOLUTION_MAP: [

package/src/core/commands/scouts-command.mjs

@@ -6,10 +6,12 @@ import { buildScoutTeamPlan, normalizeScoutPolicy, routeRequiresScoutIntake, sco
 import { readScoutGateStatus, readScoutResults } from '../scouts/scout-gate.mjs';
 import { runFiveScoutIntake } from '../scouts/scout-runner.mjs';
 import { readScoutProofEvidence } from '../scouts/scout-proof-evidence.mjs';
+import { detectScoutEngines } from '../scouts/engines/scout-engine-detect.mjs';
+import { selectScoutEngine } from '../scouts/engines/scout-engine-policy.mjs';
 import { SCOUT_COUNT } from '../scouts/scout-schema.mjs';
 import { flag, readFlagValue, resolveMissionId } from './command-utils.mjs';
 
-const ACTIONS = new Set(['plan', 'run', 'status', 'consensus', 'handoff', 'validate', 'help', '--help', '-h']);
+const ACTIONS = new Set(['plan', 'run', 'status', 'consensus', 'handoff', 'validate', 'engines', 'bench', 'help', '--help', '-h']);
 
 export async function scoutsCommand(args = []) {
   const root = await projectRoot();
@@ -18,10 +20,19 @@ export async function scoutsCommand(args = []) {
   if (action === 'help' || action === '--help' || action === '-h') return scoutsHelp();
   const json = flag(actionArgs, '--json');
   const mock = flag(actionArgs, '--mock');
+  const strict = flag(actionArgs, '--strict');
+  const requestedEngine = readFlagValue(actionArgs, '--engine', 'auto');
+  const requireRealParallel = flag(actionArgs, '--require-real-parallel');
   const force = flag(actionArgs, '--force-scouts') || flag(actionArgs, '--force');
   const noScouts = flag(actionArgs, '--no-scouts');
   const missionArg = actionArgs.find((arg) => !String(arg).startsWith('--')) || 'latest';
-  const { id, dir, mission, created } = await resolveOrCreateScoutMission(root, missionArg, { mock, action });
+  if (action === 'engines') {
+    const result = await detectScoutEngines(root, {});
+    if (json) return console.log(JSON.stringify(result, null, 2));
+    for (const engine of result.engines) console.log(`${engine.name}: ${engine.available ? 'available' : 'blocked'}${engine.reason ? ` (${engine.reason})` : ''}`);
+    return;
+  }
+  const { id, dir, mission, created } = await resolveOrCreateScoutMission(root, missionArg, { mock, action, strict });
   const context = await inferScoutContext(root, id, { route: readFlagValue(actionArgs, '--route', null), task: readFlagValue(actionArgs, '--task', null) });
   if (action === 'plan') {
     const parallelMode = flag(actionArgs, '--sequential') ? 'sequential_fallback' : 'parallel';
@@ -51,6 +62,8 @@ export async function scoutsCommand(args = []) {
       task: context.task,
       mode: mock ? 'mock' : 'manual',
       parallel: !flag(actionArgs, '--sequential'),
+      engine: requestedEngine,
+      requireRealParallel,
       mock
     });
     await setCurrent(root, {
@@ -75,6 +88,8 @@ export async function scoutsCommand(args = []) {
       route: context.route,
       scout_count: SCOUT_COUNT,
       completed_scouts: results.filter((row) => row.status === 'done').length,
+      engine: gate.gate?.engine || null,
+      real_parallel: gate.gate?.real_parallel === true,
       gate: gate.gate,
       missing: gate.missing
     };
@@ -112,13 +127,14 @@ export async function scoutsCommand(args = []) {
   }
   if (action === 'validate') {
     let gate = await readScoutGateStatus(root, id);
-    if (!gate.ok && !flag(actionArgs, '--strict')) {
+    if (!gate.ok && !strict) {
       const run = await runFiveScoutIntake(root, {
         missionId: id,
         route: context.route,
         task: context.task,
         mode: 'validate-fixture',
         parallel: true,
+        engine: 'local-static',
         mock: true
       });
       gate = { ok: run.gate?.passed === true, gate: run.gate, missing: run.gate?.blockers || [] };
@@ -136,13 +152,61 @@ export async function scoutsCommand(args = []) {
     console.log(`Scout validation: ${result.ok ? 'pass' : 'blocked'}`);
     return;
   }
+  if (action === 'bench') {
+    const selection = await selectScoutEngine(root, {
+      requested: requestedEngine,
+      requireRealParallel,
+      missionId: id,
+      route: context.route,
+      mock
+    });
+    const parallelRun = await runFiveScoutIntake(root, {
+      missionId: id,
+      route: context.route,
+      task: context.task,
+      mode: 'bench-parallel',
+      parallel: true,
+      engine: selection.selected,
+      requireRealParallel,
+      mock
+    });
+    const sequentialRun = await runFiveScoutIntake(root, {
+      missionId: id,
+      route: context.route,
+      task: context.task,
+      mode: 'bench-sequential',
+      parallel: false,
+      engine: 'sequential-fallback',
+      mock: true
+    });
+    const sequentialMs = Number(sequentialRun.performance?.duration_ms || 0);
+    const parallelMs = Number(parallelRun.performance?.duration_ms || 0);
+    const result = {
+      schema: 'sks.scout-benchmark.v1',
+      engine: selection.selected,
+      real_parallel: selection.real_parallel === true,
+      sequential_ms: sequentialMs,
+      parallel_ms: parallelMs,
+      speedup: selection.real_parallel && parallelMs > 0 ? Number((sequentialMs / parallelMs).toFixed(2)) : null,
+      claim_allowed: selection.real_parallel === true && parallelRun.performance?.claim_allowed === true,
+      confidence: selection.real_parallel ? 'medium' : 'low',
+      notes: selection.real_parallel ? [] : ['mock/static benchmarks cannot claim real speedup']
+    };
+    await writeJsonAtomic(path.join(dir, 'scout-benchmark.json'), result);
+    if (json) return console.log(JSON.stringify(result, null, 2));
+    console.log(`Scout benchmark: ${result.claim_allowed ? 'claim allowed' : 'claim not allowed'}`);
+    return;
+  }
 }
 
 async function resolveOrCreateScoutMission(root, missionArg, opts = {}) {
   const resolved = await resolveMissionId(root, missionArg);
   if (resolved) return { id: resolved, ...(await loadMission(root, resolved)), created: false };
+  if (opts.strict) {
+    throw new Error('No mission found for strict scout validation; strict mode never creates scout artifacts.');
+  }
   if (!opts.mock && opts.action !== 'validate' && opts.action !== 'run' && opts.action !== 'plan') {
-    throw new Error('No mission found. Use sks scouts run latest --mock --json to create a fixture mission.');
+    throw new Error('No mission found. Use sks scouts run latest --engine local-static --mock --json to create a fixture mission.');
   }
   const created = await createMission(root, { mode: 'scouts', prompt: 'Five Scout fixture intake' });
   return { id: created.id, dir: created.dir, mission: created.mission, created: true };
@@ -189,11 +253,15 @@ function scoutsHelp() {
 
 Usage:
   sks scouts plan latest --json
-  sks scouts run latest --mock --json
+  sks scouts run latest --engine auto --json
+  sks scouts run latest --engine local-static --mock --json
+  sks scouts run latest --require-real-parallel --json
   sks scouts status latest --json
+  sks scouts engines --json
+  sks scouts bench latest --engine local-static --mock --json
   sks scouts consensus latest --json
   sks scouts handoff latest
-  sks scouts validate latest --json
+  sks scouts validate latest --strict --json
 
 Alias:
   sks scout run latest --json

package/src/core/feature-fixture-runner.mjs

@@ -12,12 +12,14 @@ export function runFeatureFixture(feature, {
 } = {}) {
   const fixture = feature.fixture || {};
   const expected = normalizeExpectedArtifacts(fixture.expected_artifacts);
-  const latestBefore = latestMissionId(root);
-  const execution = execute && commandArgs ? executeCommand(root, commandArgs) : null;
-  const latestAfter = execution?.mission_id || latestMissionId(root) || latestBefore;
+  const useHermeticRoot = fixture.root_mode !== 'source_checkout_required' && (execute || validateArtifacts || fixture.kind === 'execute_and_validate_artifacts');
+  const projectRoot = useHermeticRoot ? prepareHermeticFixtureRoot(root, tempRoot) : root;
+  const latestBefore = latestMissionId(projectRoot);
+  const execution = execute && commandArgs ? executeCommand(root, projectRoot, commandArgs, fixture) : null;
+  const latestAfter = execution?.mission_id || latestMissionId(projectRoot) || latestBefore;
   const shouldValidateArtifacts = validateArtifacts && (fixture.kind === 'execute_and_validate_artifacts' || execution);
   const artifacts = shouldValidateArtifacts
-    ? expected.map((artifact) => inspectExpectedArtifact(root, tempRoot, artifact, { latestMissionId: latestAfter }))
+    ? expected.map((artifact) => inspectExpectedArtifact(projectRoot, tempRoot, artifact, { latestMissionId: latestAfter }))
     : expected.map((artifact) => ({ path: artifact.path, requested_path: artifact.path, schema: artifact.schema || inferSchema(artifact.path), exists: null, schema_ok: null, content_ok: null, skipped: 'contract_only' }));
   const artifactFailures = shouldValidateArtifacts
     ? artifacts.filter((artifact) => !artifact.exists || !artifact.schema_ok || !artifact.content_ok).map((artifact) => `${feature.id}:${artifact.path}:${artifact.failure || 'artifact_invalid'}`)
@@ -26,17 +28,20 @@ export function runFeatureFixture(feature, {
     id: feature.id,
     kind: fixture.kind || 'static',
     command: fixture.command || null,
-    temp_root: tempRoot,
+    temp_root: useHermeticRoot ? projectRoot : tempRoot,
+    root_mode: useHermeticRoot ? 'hermetic_temp_project' : 'source_checkout_required',
     latest_mission_id: latestAfter,
     executed: Boolean(execution),
     execution,
     expected_artifacts: artifacts,
     artifact_schema_validated: validateArtifacts,
-    ok: (!execution || execution.ok) && artifactFailures.length === 0 && !(validateArtifacts && fixture.kind === 'execute_and_validate_artifacts' && expected.length && !execution),
+    no_plaintext_secrets: validateNoPlaintextSecrets(projectRoot),
+    ok: (!execution || execution.ok) && artifactFailures.length === 0 && validateNoPlaintextSecrets(projectRoot) && !(validateArtifacts && fixture.kind === 'execute_and_validate_artifacts' && expected.length && !execution),
     failures: [
       ...(!fixture.command && fixture.status === 'pass' ? [`${feature.id}:fixture_command_missing`] : []),
       ...(validateArtifacts && fixture.kind === 'execute_and_validate_artifacts' && expected.length && !execution ? [`${feature.id}:command_not_executed_for_artifact_validation`] : []),
       ...(execution && !execution.ok ? [`${feature.id}:command_exit_${execution.status}`] : []),
+      ...(validateNoPlaintextSecrets(projectRoot) ? [] : [`${feature.id}:plaintext_secret_detected`]),
       ...artifactFailures
     ]
   };
@@ -52,12 +57,15 @@ export function writeFeatureFixtureReports(root, report) {
   return { json: jsonPath, md: mdPath };
 }
 
-function executeCommand(root, spec) {
+function executeCommand(sourceRoot, projectRoot, spec, fixture = {}) {
   const normalized = Array.isArray(spec) ? { command: spec } : spec;
-  const setup = normalized.setup || [];
-  const setupResults = setup.map((args) => spawnSks(root, args));
+  const setup = [
+    ...(fixture.root_mode === 'source_checkout_required' ? [] : [['setup', '--local-only', '--json']]),
+    ...(normalized.setup || [])
+  ];
+  const setupResults = setup.map((args) => spawnSks(sourceRoot, projectRoot, args));
   const command = normalized.command || normalized.args || [];
-  const result = command.length ? spawnSks(root, command) : { status: 0, signal: null, ok: true, stdout_bytes: 0, stderr_bytes: 0, args: [] };
+  const result = command.length ? spawnSks(sourceRoot, projectRoot, command) : { status: 0, signal: null, ok: true, stdout_bytes: 0, stderr_bytes: 0, args: [] };
   const missionId = result.mission_id || [...setupResults].reverse().find((row) => row.mission_id)?.mission_id || null;
   return {
     args: command,
@@ -71,9 +79,9 @@ function executeCommand(root, spec) {
   };
 }
 
-function spawnSks(root, args = []) {
-  const result = spawnSync(process.execPath, [path.join(root, 'bin', 'sks.mjs'), ...args], {
-    cwd: root,
+function spawnSks(sourceRoot, projectRoot, args = []) {
+  const result = spawnSync(process.execPath, [path.join(sourceRoot, 'bin', 'sks.mjs'), ...args], {
+    cwd: projectRoot,
     encoding: 'utf8',
     timeout: 30_000,
     env: { ...process.env, CI: 'true', SKS_SKIP_NPM_FRESHNESS_CHECK: '1' }
@@ -91,6 +99,26 @@ function spawnSks(root, args = []) {
   };
 }
 
+function prepareHermeticFixtureRoot(sourceRoot, tempRoot) {
+  fs.mkdirSync(tempRoot, { recursive: true });
+  const packageFile = path.join(tempRoot, 'package.json');
+  if (!fs.existsSync(packageFile)) {
+    fs.writeFileSync(packageFile, `${JSON.stringify({ name: 'sks-hermetic-fixture', private: true, version: '0.0.0' }, null, 2)}\n`);
+  }
+  const readme = path.join(tempRoot, 'README.md');
+  if (!fs.existsSync(readme)) fs.writeFileSync(readme, '# SKS Hermetic Fixture\n');
+  copyFixtureFile(sourceRoot, tempRoot, 'test/fixtures/images/one-by-one.png');
+  return tempRoot;
+}
+
+function copyFixtureFile(sourceRoot, tempRoot, rel) {
+  const src = path.join(sourceRoot, rel);
+  const dest = path.join(tempRoot, rel);
+  if (!fs.existsSync(src) || fs.existsSync(dest)) return;
+  fs.mkdirSync(path.dirname(dest), { recursive: true });
+  fs.copyFileSync(src, dest);
+}
+
 function parseJsonOutput(text = '') {
   const trimmed = String(text || '').trim();
   if (!trimmed) return null;
@@ -198,7 +226,7 @@ export function validateImageVoxelArtifact(file, { requireAnchors = true, requir
 }
 
 export function validateNoPlaintextSecrets(root) {
-  const secretPattern = /(sk-proj-|sk-clb-|github_pat_|CODEX_ACCESS_TOKEN|OPENAI_API_KEY)/;
+  const secretPattern = /(sk-proj-[A-Za-z0-9_-]{8,}|sk-clb-[A-Za-z0-9_-]{8,}|github_pat_[A-Za-z0-9_]{8,}|(?:CODEX_ACCESS_TOKEN|OPENAI_API_KEY)\s*[:=]\s*["']?(?:sk-[A-Za-z0-9_-]{8,}|[A-Za-z0-9_-]{32,}))/;
   const reportDir = path.join(root, '.sneakoscope');
   if (!fs.existsSync(reportDir)) return true;
   const stack = [reportDir];

package/src/core/feature-fixtures.mjs

@@ -31,7 +31,7 @@ const FIXTURES = Object.freeze({
   'cli-hproof': fixture('mock', 'sks hproof check latest', ['completion-proof.json'], 'pass'),
   'cli-proof-field': fixture('static', 'sks proof-field scan --json --intent fixture', [], 'pass'),
   'cli-recallpulse': fixture('mock', 'sks recallpulse status latest --json', ['recallpulse-report.json'], 'pass'),
-  'cli-scouts': fixture('execute_and_validate_artifacts', 'sks scouts run latest --mock --json', ['scout-team-plan.json', 'scout-consensus.json', 'scout-handoff.md', 'scout-gate.json'], 'pass'),
+  'cli-scouts': fixture('execute_and_validate_artifacts', 'sks scouts run latest --engine local-static --mock --json', ['scout-team-plan.json', 'scout-consensus.json', 'scout-handoff.md', 'scout-gate.json', 'scout-engine-result.json'], 'pass'),
   'cli-scout': fixture('mock', 'sks scout status latest --json', ['scout-gate.json'], 'pass'),
   'cli-gx': fixture('mock', 'sks gx validate fixture', ['gx-validation.json'], 'pass'),
   'cli-perf': fixture('static', 'sks perf cold-start --json --iterations 1', [], 'pass'),
@@ -63,12 +63,58 @@ const FIXTURES = Object.freeze({
   'route-db': fixture('execute_and_validate_artifacts', 'sks db check --sql "SELECT 1" --json', ['completion-proof.json', 'db-operation-report.json'], 'pass'),
   'route-wiki': fixture('execute_and_validate_artifacts', 'sks wiki image-ingest test/fixtures/images/one-by-one.png --json', [{ path: 'completion-proof.json', schema: 'sks.completion-proof.v1' }, { path: 'image-voxel-ledger.json', schema: 'sks.image-voxel-ledger.v1' }], 'pass'),
   'route-gx': fixture('execute_and_validate_artifacts', 'sks gx validate fixture --mock --json', ['completion-proof.json', { path: 'image-voxel-ledger.json', schema: 'sks.image-voxel-ledger.v1' }, 'gx-validation.json'], 'pass'),
-  'route-five-scout-intake': fixture('mock', 'sks scouts validate latest --json', ['scout-team-plan.json', 'scout-consensus.json', 'scout-handoff.md', 'scout-gate.json'], 'pass'),
+  'route-five-scout-intake': fixture('mock', 'sks scouts validate latest --strict --json', ['scout-team-plan.json', 'scout-consensus.json', 'scout-handoff.md', 'scout-gate.json'], 'pass'),
   'proof-scout-evidence': fixture('mock', 'sks team "fixture" --mock --json', ['completion-proof.json', 'scout-gate.json'], 'pass')
 });
 
+const STATIC_CONTRACT_FEATURES = new Set([
+  'cli-wizard',
+  'cli-bootstrap',
+  'cli-deps',
+  'cli-auth',
+  'cli-openclaw',
+  'cli-tmux',
+  'cli-mad',
+  'cli-auto-review',
+  'cli-commit',
+  'cli-commit-and-push',
+  'cli-context7',
+  'cli-all-features',
+  'cli-eval',
+  'cli-harness',
+  'cli-team',
+  'cli-reasoning',
+  'cli-profile',
+  'handler-$',
+  'handler-autoresearch',
+  'handler-autoreview',
+  'handler-computer-use',
+  'handler-cu',
+  'handler-dollars',
+  'handler-mad-sks',
+  'handler-postinstall',
+  'route-sks',
+  'route-commit',
+  'route-commit-and-push',
+  'route-help'
+]);
+
 export function fixtureForFeature(featureId) {
-  return FIXTURES[featureId] || fixture('static', 'sks features check --json', [], 'pass');
+  if (FIXTURES[featureId]) return FIXTURES[featureId];
+  if (STATIC_CONTRACT_FEATURES.has(featureId)) {
+    return fixture('static', `explicit static contract fixture: ${featureId}`, [], 'pass', {
+      quality: 'static_contract',
+      root_mode: 'source_checkout_required'
+    });
+  }
+  if (String(featureId || '').startsWith('skill-')) {
+    return fixture('static', `skill contract: ${featureId}`, [], 'pass', { quality: 'static_contract', root_mode: 'source_checkout_required' });
+  }
+  return fixture('not_available', null, [], 'missing', {
+    quality: 'missing',
+    fallback_removed: true,
+    reason: 'No explicit fixture registered for this feature.'
+  });
 }
 
 export function fixtureSummary(features = []) {
@@ -96,6 +142,7 @@ export function validateFeatureFixtures(features = []) {
       continue;
     }
     if (!['contract', 'execute', 'execute_and_validate_artifacts', 'mock', 'static', 'real_optional', 'not_available'].includes(fx.kind)) blockers.push(`${feature.id}:fixture_kind`);
+    if (!['real_optional', 'execute_and_validate_artifacts', 'execute', 'mock', 'static_contract', 'missing'].includes(fx.quality)) blockers.push(`${feature.id}:fixture_quality`);
     if (!['pass', 'missing', 'blocked', 'not_required'].includes(fx.status)) blockers.push(`${feature.id}:fixture_status`);
     if ((fx.kind === 'mock' || fx.kind === 'static') && !fx.command && fx.status !== 'not_required') blockers.push(`${feature.id}:fixture_command`);
     if (!Array.isArray(fx.expected_artifacts)) blockers.push(`${feature.id}:fixture_expected_artifacts`);
@@ -103,6 +150,18 @@ export function validateFeatureFixtures(features = []) {
   return { ok: blockers.length === 0, blockers };
 }
 
-function fixture(kind, command, expected_artifacts, status) {
-  return { kind, command, expected_artifacts, status };
+function fixture(kind, command, expected_artifacts, status, extra = {}) {
+  const quality = extra.quality || (kind === 'static' ? 'static_contract' : kind);
+  const rootMode = extra.root_mode || (kind === 'execute_and_validate_artifacts' || kind === 'execute' || kind === 'mock' ? 'hermetic_temp_project' : 'source_checkout_required');
+  return {
+    kind,
+    quality,
+    root_mode: rootMode,
+    command,
+    expected_artifacts,
+    status,
+    explicit: true,
+    fallback_removed: true,
+    ...extra
+  };
 }

package/src/core/feature-registry.mjs

@@ -149,6 +149,7 @@ export function buildAllFeaturesSelftest(registry, opts = {}) {
     checkRow('voxel_triwiki_contracts_present', registry.features.every((feature) => Boolean(feature.voxel_triwiki_integration)), missingFeatureField(registry, 'voxel_triwiki_integration')),
     checkRow('failure_contracts_present', registry.features.every((feature) => Array.isArray(feature.known_gaps)), missingFeatureField(registry, 'known_gaps')),
     checkRow('fixture_contracts_present', fixtures.ok, fixtures.blockers),
+    checkRow('fixture_fallback_removed', registry.features.every((feature) => feature.fixture?.fallback_removed === true && feature.fixture?.status !== 'missing'), registry.features.filter((feature) => feature.fixture?.fallback_removed !== true || feature.fixture?.status === 'missing').map((feature) => feature.id)),
     checkRow('proof_fixture_contract_present', registry.features.some((feature) => feature.id === 'cli-proof' && feature.fixture?.status === 'pass'), ['cli-proof']),
     checkRow('voxel_fixture_contract_present', registry.features.some((feature) => feature.id === 'cli-wiki' && feature.fixture?.expected_artifacts?.some((artifact) => expectedArtifactPath(artifact).includes('image-voxel-ledger'))), ['cli-wiki']),
     checkRow('five_scout_intake_contract_present', registry.features.some((feature) => feature.id === 'route-five-scout-intake'), ['route-five-scout-intake']),
@@ -265,7 +266,7 @@ const SAFE_EXECUTABLE_FIXTURE_ARGS = Object.freeze({
   'cli-wiki': ['wiki', 'image-ingest', 'test/fixtures/images/one-by-one.png', '--json'],
   'cli-codex-lb': ['codex-lb', 'metrics', '--json'],
   'cli-hooks': ['hooks', 'trust-report', '--json'],
-  'cli-scouts': ['scouts', 'run', 'latest', '--mock', '--json'],
+  'cli-scouts': ['scouts', 'run', 'latest', '--engine', 'local-static', '--mock', '--json'],
   'cli-perf': ['perf', 'cold-start', '--json', '--iterations', '1'],
   'cli-rust': ['rust', 'smoke', '--json'],
   'route-team': ['team', 'fixture', '--mock', '--json'],
@@ -303,14 +304,15 @@ export function renderFeatureInventoryMarkdown(registry) {
     '',
     '## Stable / Beta / Labs Map',
     '',
-    '| Feature | Category | Maturity | Commands / Routes | Fixture | Known Gaps |',
-    '| --- | --- | --- | --- | --- | --- |'
+    '| Feature | Category | Maturity | Commands / Routes | Fixture | Quality | Known Gaps |',
+    '| --- | --- | --- | --- | --- | --- | --- |'
   ];
   for (const feature of registry.features) {
     const commands = [...(feature.commands || []), ...(feature.aliases || [])].map(markdownTableCell).join('<br>');
     const gaps = (feature.known_gaps || []).map(markdownTableCell).join('<br>') || 'none recorded';
     const fixture = feature.fixture ? `${feature.fixture.kind}:${feature.fixture.status}` : 'missing';
-    lines.push(`| \`${feature.id}\` | ${feature.category} | ${feature.maturity} | ${commands || '-'} | ${fixture} | ${gaps} |`);
+    const quality = feature.fixture?.quality || 'missing';
+    lines.push(`| \`${feature.id}\` | ${feature.category} | ${feature.maturity} | ${commands || '-'} | ${fixture} | ${quality} | ${gaps} |`);
   }
   lines.push('', '## Unmapped Coverage', '');
   for (const [kind, values] of Object.entries(coverage.unmapped || {})) {
@@ -405,7 +407,7 @@ function routeFeature(route) {
 function fiveScoutIntakeFeature() {
   return baseFeature({
     id: 'route-five-scout-intake',
-    commands: ['sks scouts run latest --mock --json'],
+    commands: ['sks scouts run latest --engine local-static --mock --json'],
     aliases: ['sks scout run latest --json'],
     category: 'proof-route',
     maturity: 'beta',

package/src/core/fsx.mjs

@@ -5,7 +5,7 @@ import os from 'node:os';
 import crypto from 'node:crypto';
 import { spawn } from 'node:child_process';
 
-export const PACKAGE_VERSION = '0.9.17';
+export const PACKAGE_VERSION = '0.9.18';
 export const DEFAULT_PROCESS_TAIL_BYTES = 256 * 1024;
 export const DEFAULT_PROCESS_TIMEOUT_MS = 30 * 60 * 1000;
 

package/src/core/pipeline/active-context.mjs

@@ -0,0 +1,3 @@
+export {
+  activeRouteContext
+} from '../pipeline-runtime.mjs';

package/src/core/pipeline/pipeline-plan-writer.mjs

@@ -0,0 +1,8 @@
+export {
+  PIPELINE_PLAN_ARTIFACT,
+  PIPELINE_PLAN_SCHEMA_VERSION,
+  routePrompt,
+  buildPipelinePlan,
+  writePipelinePlan,
+  validatePipelinePlan
+} from '../pipeline-runtime.mjs';

package/src/core/pipeline/plan-schema.mjs

@@ -0,0 +1,4 @@
+export {
+  PIPELINE_PLAN_ARTIFACT,
+  PIPELINE_PLAN_SCHEMA_VERSION
+} from '../pipeline-runtime.mjs';

package/src/core/pipeline/prompt-context.mjs

@@ -0,0 +1,6 @@
+export {
+  promptPipelineContext,
+  dfixQuickContext,
+  answerOnlyContext,
+  computerUseFastContext
+} from '../pipeline-runtime.mjs';

package/src/core/pipeline/route-prep.mjs

@@ -0,0 +1,3 @@
+export {
+  prepareRoute
+} from '../pipeline-runtime.mjs';

package/src/core/pipeline/scout-stage-policy.mjs

@@ -0,0 +1,4 @@
+export {
+  buildPipelinePlan,
+  validatePipelinePlan
+} from '../pipeline-runtime.mjs';

package/src/core/pipeline/stage-policy.mjs

@@ -0,0 +1,4 @@
+export {
+  buildPipelinePlan,
+  validatePipelinePlan
+} from '../pipeline-runtime.mjs';

package/src/core/pipeline/stop-gate.mjs

@@ -0,0 +1,10 @@
+export {
+  recordContext7Evidence,
+  recordSubagentEvidence,
+  subagentEvidence,
+  hasSubagentEvidence,
+  context7Evidence,
+  hasContext7DocsEvidence,
+  projectGateStatus,
+  evaluateStop
+} from '../pipeline-runtime.mjs';

package/src/core/pipeline/validation.mjs

@@ -0,0 +1,3 @@
+export {
+  validatePipelinePlan
+} from '../pipeline-runtime.mjs';