sneakoscope 1.16.2 → 1.18.0

package/README.md

@@ -10,7 +10,7 @@ SKS does not try to clone every other harness. It focuses on one thing: making C
 
 ## Current Release
 
-SKS **1.16.2** carries forward the native multi-session agent kernel and adds Codex App prompt-side Team width control: `$Team 20:agents ...` / `$Team 20:agent ...` can request up to 20 native Team sessions. SKS **1.16.1** closed the kernel itself: `sks agent` and `sks --agent` create bounded agent rosters, non-overlapping leases, append-only ledgers, session lifecycle proof, recursion guards, dynamic per-agent effort routing, and native agent proof evidence. The old multi-agent command surface has been removed; native agents are the only release-supported route collaboration backend.
+SKS **1.18.0** adds Universal Source Intelligence for Context7 + Codex Web Search, optional X AI MCP search when configured, main no-Scout / worker Scout-limited proof policy, per-agent terminal close evidence, tmux right-lane cockpit manifests, Codex official Goal mode detection, and full P0-P4 release readiness tracking.
 
 ```bash
 sks mad-sks plan --target-root <path> --json
@@ -20,6 +20,9 @@ sks mad-sks rollback-apply --rollback-plan <path> --yes --json
 sks features complete --json
 sks agent status latest --json
 sks agent run "release review" --agents 8 --concurrency 4 --mock --json
+npm run source-intelligence:all-modes
+npm run agent:background-terminals
+npm run agent:tmux-right-lanes
 npm run release:readiness
 ```
 
@@ -48,6 +51,14 @@ Detailed release history lives in [CHANGELOG.md](CHANGELOG.md). Current release
 - Core dominance: [docs/core-dominance.md](docs/core-dominance.md)
 - Performance budgets: [docs/performance-budgets.md](docs/performance-budgets.md)
 - Native Agent Kernel: [docs/native-agent-kernel.md](docs/native-agent-kernel.md)
+- Source Intelligence Layer: [docs/source-intelligence-layer.md](docs/source-intelligence-layer.md)
+- X AI / Context7 / Codex Web policy: [docs/xai-context7-codex-web-policy.md](docs/xai-context7-codex-web-policy.md)
+- Main no-Scout / worker Scout policy: [docs/main-no-scout-worker-scout-policy.md](docs/main-no-scout-worker-scout-policy.md)
+- Agent terminal lanes: [docs/agent-terminal-lanes.md](docs/agent-terminal-lanes.md)
+- tmux right-lane cockpit: [docs/tmux-right-lane-cockpit.md](docs/tmux-right-lane-cockpit.md)
+- Codex official Goal mode: [docs/codex-official-goal-mode.md](docs/codex-official-goal-mode.md)
+- Release parallel full coverage: [docs/release-parallel-full-coverage.md](docs/release-parallel-full-coverage.md)
+- Priority closure P0-P4: [docs/priority-closure-p0-p4.md](docs/priority-closure-p0-p4.md)
 - Image Voxel TriWiki: [docs/image-voxel-ledger.md](docs/image-voxel-ledger.md)
 - Image Wrongness: [docs/image-wrongness.md](docs/image-wrongness.md)
 - Route finalization: [docs/route-finalization.md](docs/route-finalization.md)
@@ -250,7 +261,7 @@ sks codex-lb repair
 sks
 ```
 
-Bare `sks` can also prompt for codex-lb auth; SKS stores the base URL/key in `~/.codex/sks-codex-lb.env`, writes the upstream codex-lb Codex CLI / IDE Extension provider block into `~/.codex/config.toml` for Codex App routing, loads the provider env key for tmux launches, and syncs the macOS user launch environment so the Codex App can see `CODEX_LB_API_KEY` after restart. If the provider block disappears but the stored env file is still recoverable, bare `sks`, npm postinstall upgrades, `sks doctor --fix`, and `sks codex-lb repair` restore it with `env_key = "CODEX_LB_API_KEY"`, `supports_websockets = true`, and `requires_openai_auth = true` as documented by codex-lb. If an older SKS release left the codex-lb dashboard key only in the shared Codex `auth.json` login cache, SKS migrates that key back into `~/.codex/sks-codex-lb.env` when a codex-lb provider or env base URL is already recoverable. It does not rewrite the shared Codex `auth.json` login cache by default; set `SKS_CODEX_LB_SYNC_CODEX_LOGIN=1` only if you intentionally want the old API-key login-cache behavior. When codex-lb is active, SKS opens a fresh `sks-codex-lb-*` tmux session and sweeps older detached codex-lb sessions for the same repo before launch so stale Responses API chains are not reused. Configured launch paths run a response-chain health check. `previous_response_not_found` is treated as a stateless-LB warning and keeps codex-lb active. Hard failures are surfaced to the user; SKS only bypasses codex-lb when the user chooses OAuth fallback or `SKS_CODEX_LB_AUTOBYPASS=1` is set.
+Bare `sks` can also prompt for codex-lb auth; SKS stores the base URL/key in `~/.codex/sks-codex-lb.env`, writes the codex-lb Codex CLI / IDE Extension provider block into `~/.codex/config.toml` for Codex App routing, loads the provider env key for tmux launches, and syncs the macOS user launch environment so the Codex App can see `CODEX_LB_API_KEY` after restart. If the provider block disappears but the stored env file is still recoverable, bare `sks`, npm postinstall upgrades, `sks doctor --fix`, and `sks codex-lb repair` restore it with `env_key = "CODEX_LB_API_KEY"`, `supports_websockets = true`, and `requires_openai_auth = false`; PPT/imagegen bridge checks treat that env-key provider as configured without requiring OpenAI OAuth. If an older SKS release left the codex-lb dashboard key only in the shared Codex `auth.json` login cache, SKS migrates that key back into `~/.codex/sks-codex-lb.env` when a codex-lb provider or env base URL is already recoverable. It does not rewrite the shared Codex `auth.json` login cache by default; set `SKS_CODEX_LB_SYNC_CODEX_LOGIN=1` only if you intentionally want the old API-key login-cache behavior. When codex-lb is active, SKS opens a fresh `sks-codex-lb-*` tmux session and sweeps older detached codex-lb sessions for the same repo before launch so stale Responses API chains are not reused. Configured launch paths run a response-chain health check. `previous_response_not_found` is treated as a stateless-LB warning and keeps codex-lb active. Hard failures are surfaced to the user; SKS only bypasses codex-lb when the user chooses OAuth fallback or `SKS_CODEX_LB_AUTOBYPASS=1` is set.
 
 If codex-lb provider auth drifts after launch/reinstall, run `sks doctor --fix` or `sks codex-lb repair`; to replace it, run `sks codex-lb reconfigure --host <domain> --api-key <key>`.
 
@@ -352,7 +363,7 @@ sks gx render homepage --format html
 sks validate-artifacts latest --json
 sks pipeline plan latest --proof-field --json
 sks perf run --json
-sks perf workflow --json --intent "small CLI change" --changed src/cli/main.mjs,src/core/routes.mjs
+sks perf workflow --json --intent "small CLI change" --changed src/cli/main.ts,src/core/routes.ts
 sks proof-field scan --json --intent "small CLI change"
 sks skill-dream status
 sks skill-dream run --json
@@ -451,7 +462,7 @@ SKS_OPENCLAW=1 sks root
 SKS_OPENCLAW=1 sks commands
 SKS_OPENCLAW=1 sks dollar-commands
 SKS_OPENCLAW=1 sks deps check
-SKS_OPENCLAW=1 sks proof-field scan --intent "small CLI change" --changed src/cli/main.mjs
+SKS_OPENCLAW=1 sks proof-field scan --intent "small CLI change" --changed src/cli/main.ts
 ```
 
 If OpenClaw runs in a sandbox, grant shell execution only for trusted workspaces. Database, migration, and destructive work still follows SKS safety routes.
@@ -601,7 +612,7 @@ npm run release:check
 npm run publish:dry
 ```
 
-`release:check` runs audit, changelog, syntax, feature-registry coverage, all-features contract selftest, selftest, size, and registry checks, then writes a source digest stamp under `.sneakoscope/reports/`. Generate the human-readable registry with `sks features inventory --write-docs`. `1.0.0` is a stable release, so plain `npm publish` uses the `latest` dist-tag. npm's `prepublishOnly` verifies the fresh release stamp instead of rerunning the full gate, and `prepack` only rebuilds `dist`; publish no longer repeats the expensive release suite during packaging. `npm run publish:dry` remains the explicit dry-run helper.
+`release:check` runs the 1.18.0 parallel P0-P4 closure DAG, writes a source digest stamp under `.sneakoscope/reports/`, then refreshes release readiness so publish commands can verify the same stamp. The DAG preserves the 1.17 baseline gates and adds Source Intelligence, X AI/Codex Web policy, Goal mode, main no-Scout, worker Scout-limited, agent terminal, tmux right-lane, visual consistency, release full-coverage, and priority closure checks. Broader live or historical gates remain explicit scripts such as `release:real-check`. Generate the human-readable registry with `sks features inventory --write-docs`. Plain `npm publish` uses the `latest` dist-tag. npm's `prepublishOnly` verifies the fresh release stamp instead of rerunning the full gate, and `prepack` only rebuilds `dist`; publish no longer repeats the expensive release suite during packaging. `npm run publish:dry` remains the explicit dry-run helper.
 
 Version bumps are manual. Run `sks versioning bump` only when preparing release metadata; SKS will not create `.git/hooks/pre-commit` or auto-bump during ordinary commits.
 

package/crates/sks-core/Cargo.lock

@@ -76,7 +76,7 @@ dependencies = [
 
 [[package]]
 name = "sks-core"
-version = "1.16.2"
+version = "1.18.0"
 dependencies = [
  "serde_json",
 ]

package/crates/sks-core/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "sks-core"
-version = "1.16.2"
+version = "1.18.0"
 edition = "2021"
 
 [dependencies]

package/crates/sks-core/src/main.rs

@@ -4,7 +4,7 @@ use std::io::{self, Read, Seek, SeekFrom};
 fn main() {
     let mut args = std::env::args().skip(1);
     match args.next().as_deref() {
-        Some("--version") => println!("sks-rs 1.16.2"),
+        Some("--version") => println!("sks-rs 1.18.0"),
         Some("compact-info") => {
             let mut input = String::new();
             let _ = io::stdin().read_to_string(&mut input);

package/dist/.sks-build-stamp.json

@@ -1,8 +1,8 @@
 {
   "schema": "sks.dist-build-stamp.v1",
   "package_name": "sneakoscope",
-  "package_version": "1.16.2",
-  "source_digest": "38a14936b463c4d5f6254412dbaa186a6f351f637dd5e5db82a6eb6b5eff43b9",
-  "source_file_count": 1475,
-  "built_at_source_time": 1779679969693
+  "package_version": "1.18.0",
+  "source_digest": "9593cf876b0f0b49ffb7aaa5e2ca1017bd7fd1508892f92cffbfc7db58fbfef0",
+  "source_file_count": 1279,
+  "built_at_source_time": 1779716030404
 }

package/dist/bin/sks.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-const FAST_PACKAGE_VERSION = '1.16.2';
+const FAST_PACKAGE_VERSION = '1.18.0';
 const args = process.argv.slice(2);
 try {
     if (args[0] === '--version' || args[0] === '-v' || args[0] === 'version') {

package/dist/build-manifest.json

@@ -1,11 +1,17 @@
 {
   "schema": "sks.dist-build.v2",
-  "version": "1.16.2",
-  "package_version": "1.16.2",
+  "version": "1.18.0",
+  "package_version": "1.18.0",
   "typescript": true,
   "mjs_runtime_files": 0,
-  "source_digest": "38a14936b463c4d5f6254412dbaa186a6f351f637dd5e5db82a6eb6b5eff43b9",
-  "source_file_count": 1475,
+  "compiled_file_count": 850,
+  "compiled_js_count": 425,
+  "compiled_dts_count": 425,
+  "source_digest": "9593cf876b0f0b49ffb7aaa5e2ca1017bd7fd1508892f92cffbfc7db58fbfef0",
+  "source_file_count": 1279,
+  "source_files_hash": "29895436992640147aab36792cd376edbed9adc6226480db074ef9e9b5104c13",
+  "source_list_hash": "29895436992640147aab36792cd376edbed9adc6226480db074ef9e9b5104c13",
+  "src_mjs_runtime_files": 0,
   "dist_stamp_schema": "sks.dist-build-stamp.v1",
   "files": [
     "bin/sks.d.ts",
@@ -182,6 +188,8 @@
     "core/agents/agent-central-ledger.js",
     "core/agents/agent-cleanup.d.ts",
     "core/agents/agent-cleanup.js",
+    "core/agents/agent-codex-cockpit.d.ts",
+    "core/agents/agent-codex-cockpit.js",
     "core/agents/agent-command-surface.d.ts",
     "core/agents/agent-command-surface.js",
     "core/agents/agent-conflict-graph.d.ts",
@@ -194,6 +202,8 @@
     "core/agents/agent-gate.js",
     "core/agents/agent-heartbeat.d.ts",
     "core/agents/agent-heartbeat.js",
+    "core/agents/agent-janitor.d.ts",
+    "core/agents/agent-janitor.js",
     "core/agents/agent-lease.d.ts",
     "core/agents/agent-lease.js",
     "core/agents/agent-ledger-schemas.d.ts",
@@ -226,8 +236,12 @@
     "core/agents/agent-runner-tmux.js",
     "core/agents/agent-schema.d.ts",
     "core/agents/agent-schema.js",
+    "core/agents/agent-session-rows.d.ts",
+    "core/agents/agent-session-rows.js",
     "core/agents/agent-task-slicer.d.ts",
     "core/agents/agent-task-slicer.js",
+    "core/agents/agent-terminal-session.d.ts",
+    "core/agents/agent-terminal-session.js",
     "core/agents/agent-trust-report.d.ts",
     "core/agents/agent-trust-report.js",
     "core/agents/agent-work-partition.d.ts",
@@ -238,6 +252,10 @@
     "core/agents/agent-wrongness.js",
     "core/agents/route-collaboration-ledger.d.ts",
     "core/agents/route-collaboration-ledger.js",
+    "core/agents/scout-policy.d.ts",
+    "core/agents/scout-policy.js",
+    "core/agents/tmux-right-lane-cockpit.d.ts",
+    "core/agents/tmux-right-lane-cockpit.js",
     "core/agents/work-partition/conflict-detector.d.ts",
     "core/agents/work-partition/conflict-detector.js",
     "core/agents/work-partition/dependency-graph.d.ts",
@@ -320,6 +338,10 @@
     "core/codex-lb/codex-lb-setup.js",
     "core/codex-model-guard.d.ts",
     "core/codex-model-guard.js",
+    "core/codex/codex-web-search-adapter.d.ts",
+    "core/codex/codex-web-search-adapter.js",
+    "core/codex/official-goal-mode.d.ts",
+    "core/codex/official-goal-mode.js",
     "core/commands/agent-command.d.ts",
     "core/commands/agent-command.js",
     "core/commands/autoresearch-command.d.ts",
@@ -570,6 +592,10 @@
     "core/mad-sks/write-guard.js",
     "core/managed-paths.d.ts",
     "core/managed-paths.js",
+    "core/mcp/xai-mcp-detector.d.ts",
+    "core/mcp/xai-mcp-detector.js",
+    "core/mcp/xai-search-adapter.d.ts",
+    "core/mcp/xai-search-adapter.js",
     "core/memory-governor.d.ts",
     "core/memory-governor.js",
     "core/memory-summary.d.ts",
@@ -705,6 +731,8 @@
     "core/questions.js",
     "core/recallpulse.d.ts",
     "core/recallpulse.js",
+    "core/release-parallel-full-coverage.d.ts",
+    "core/release-parallel-full-coverage.js",
     "core/research.d.ts",
     "core/research.js",
     "core/retention.d.ts",
@@ -715,8 +743,16 @@
     "core/rust-accelerator.js",
     "core/secret-redaction.d.ts",
     "core/secret-redaction.js",
+    "core/session/project-namespace.d.ts",
+    "core/session/project-namespace.js",
     "core/skill-forge.d.ts",
     "core/skill-forge.js",
+    "core/source-intelligence/source-intelligence-policy.d.ts",
+    "core/source-intelligence/source-intelligence-policy.js",
+    "core/source-intelligence/source-intelligence-proof.d.ts",
+    "core/source-intelligence/source-intelligence-proof.js",
+    "core/source-intelligence/source-intelligence-runner.d.ts",
+    "core/source-intelligence/source-intelligence-runner.js",
     "core/structured-output-adapter.d.ts",
     "core/structured-output-adapter.js",
     "core/team-dag.d.ts",
@@ -779,6 +815,16 @@
     "core/validators/trust-report-validator.js",
     "core/validators/validation-error.d.ts",
     "core/validators/validation-error.js",
+    "core/verification/verification-artifact-lock.d.ts",
+    "core/verification/verification-artifact-lock.js",
+    "core/verification/verification-dag.d.ts",
+    "core/verification/verification-dag.js",
+    "core/verification/verification-proof.d.ts",
+    "core/verification/verification-proof.js",
+    "core/verification/verification-result.d.ts",
+    "core/verification/verification-result.js",
+    "core/verification/verification-worker-pool.d.ts",
+    "core/verification/verification-worker-pool.js",
     "core/version-manager.d.ts",
     "core/version-manager.js",
     "core/version.d.ts",

package/dist/cli/install-helpers.d.ts

@@ -101,6 +101,9 @@ export declare function codexLbStatus(opts?: any): Promise<{
     env_path: any;
     provider_configured: boolean;
     provider_requires_openai_auth: boolean;
+    provider_openai_auth_disabled: boolean;
+    provider_env_key: string | null;
+    provider_uses_codex_lb_env_auth: boolean;
     selected: boolean;
     env_file: boolean;
     env_key_configured: boolean;
@@ -207,6 +210,9 @@ export declare function maybePromptCodexLbSetupForLaunch(args?: any, opts?: any)
     env_path: any;
     provider_configured: boolean;
     provider_requires_openai_auth: boolean;
+    provider_openai_auth_disabled: boolean;
+    provider_env_key: string | null;
+    provider_uses_codex_lb_env_auth: boolean;
     selected: boolean;
     env_file: boolean;
     env_key_configured: boolean;
@@ -245,6 +251,9 @@ export declare function maybePromptCodexLbSetupForLaunch(args?: any, opts?: any)
     env_path: any;
     provider_configured: boolean;
     provider_requires_openai_auth: boolean;
+    provider_openai_auth_disabled: boolean;
+    provider_env_key: string | null;
+    provider_uses_codex_lb_env_auth: boolean;
     selected: boolean;
     env_file: boolean;
     env_key_configured: boolean;

package/dist/cli/install-helpers.js

@@ -132,7 +132,7 @@ async function reportPostinstallCodexLbAuth() {
         console.log(`codex-lb auth: repair skipped (${codexLbAuth.status}${codexLbAuth.error ? `: ${codexLbAuth.error}` : ''}).`);
     const reconcile = codexLbAuth.auth_reconcile;
     if (reconcile?.status === 'oauth_preserved') {
-        console.log(`codex-lb auth: ChatGPT OAuth preserved for Codex App; codex-lb key stays in env_key (OAuth backup at ${reconcile.backup_path ?? 'unknown'}).`);
+        console.log(`codex-lb auth: ChatGPT OAuth preserved as backup; codex-lb key stays in env_key (OpenAI OAuth not required, backup at ${reconcile.backup_path ?? 'unknown'}).`);
     }
     else if (reconcile?.status === 'oauth_restored') {
         console.log(`codex-lb auth: restored ChatGPT OAuth from ${reconcile.backup_path ?? 'unknown'} while keeping codex-lb selected.`);
@@ -452,12 +452,19 @@ export async function codexLbStatus(opts = {}) {
     const selected = hasTopLevelCodexLbSelected(config);
     const baseUrl = codexLbProviderBaseUrl(config) || envLoad.base_url || null;
     const providerRequiresOpenAiAuth = codexLbProviderRequiresOpenAiAuth(config);
+    const providerOpenAiAuthDisabled = codexLbProviderOpenAiAuthDisabled(config);
+    const providerEnvKey = codexLbProviderEnvKey(config);
+    const providerUsesCodexLbEnvAuth = providerConfigured && providerEnvKey === 'CODEX_LB_API_KEY' && providerOpenAiAuthDisabled;
+    const codexAppUsableWithCodexLb = providerUsesCodexLbEnvAuth && envKeyConfigured && Boolean(baseUrl);
     return {
-        ok: providerConfigured && envKeyConfigured && Boolean(baseUrl) && providerRequiresOpenAiAuth,
+        ok: providerConfigured && envKeyConfigured && Boolean(baseUrl) && providerUsesCodexLbEnvAuth,
         config_path: configPath,
         env_path: envPath,
         provider_configured: providerConfigured,
         provider_requires_openai_auth: providerRequiresOpenAiAuth,
+        provider_openai_auth_disabled: providerOpenAiAuthDisabled,
+        provider_env_key: providerEnvKey || null,
+        provider_uses_codex_lb_env_auth: providerUsesCodexLbEnvAuth,
         selected,
         env_file: envExists,
         env_key_configured: envKeyConfigured,
@@ -474,8 +481,8 @@ export async function codexLbStatus(opts = {}) {
         base_url: baseUrl,
         auth_path: authPath,
         auth_mode: authMode.mode,
-        auth_usable_for_codex_app: authMode.codex_app_usable,
-        auth_summary: authMode.summary
+        auth_usable_for_codex_app: authMode.codex_app_usable || codexAppUsableWithCodexLb,
+        auth_summary: codexAppUsableWithCodexLb ? 'codex-lb provider uses CODEX_LB_API_KEY env_key; OpenAI OAuth not required' : authMode.summary
     };
 }
 export function formatCodexLbStatusText(status = {}, opts = {}) {
@@ -487,7 +494,7 @@ export function formatCodexLbStatusText(status = {}, opts = {}) {
         `Configured: ${status.ok ? 'yes' : 'no'}`,
         `Selected:   ${status.selected ? 'yes' : 'no'}`,
         `Provider:   ${status.provider_configured ? 'yes' : 'no'}`,
-        `Provider requires OpenAI auth: ${status.provider_requires_openai_auth ? 'yes' : 'missing'}`,
+        `Provider OpenAI OAuth: ${status.provider_openai_auth_disabled ? 'disabled for codex-lb env_key' : status.provider_requires_openai_auth ? 'required (repair recommended)' : 'missing explicit false'}`,
         `Codex App auth: ${status.auth_usable_for_codex_app ? 'ok' : 'needs sign-in/repair'} (${status.auth_mode || 'unknown'})`
     ];
     if (status.auth_summary)
@@ -521,7 +528,7 @@ export function formatCodexLbRepairResultText(result = {}) {
     if (result.auth_reconcile?.status === 'oauth_restored')
         lines.push(`Codex App auth: ChatGPT OAuth restored from ${result.auth_reconcile.backup_path}.`);
     else if (result.auth_reconcile?.status === 'oauth_preserved')
-        lines.push('Codex App auth: ChatGPT OAuth preserved; codex-lb will use CODEX_LB_API_KEY from env_key.');
+        lines.push('Codex App auth: ChatGPT OAuth preserved as backup; codex-lb will use CODEX_LB_API_KEY from env_key without OpenAI OAuth.');
     else if (result.auth_reconcile?.status === 'apikey_auth_active')
         lines.push('Codex App auth: API-key auth.json is still active. Sign in again if the App asks for ChatGPT OAuth.');
     return `${lines.join('\n')}\n`;
@@ -757,6 +764,14 @@ function codexLbProviderRequiresOpenAiAuth(text = '') {
     const block = String(text || '').match(/(^|\n)\[model_providers\.codex-lb\]([\s\S]*?)(?=\n\[[^\]]+\]|\s*$)/)?.[2] || '';
     return /(^|\n)\s*requires_openai_auth\s*=\s*true\s*(?:#.*)?(?=\n|$)/.test(block);
 }
+function codexLbProviderOpenAiAuthDisabled(text = '') {
+    const block = String(text || '').match(/(^|\n)\[model_providers\.codex-lb\]([\s\S]*?)(?=\n\[[^\]]+\]|\s*$)/)?.[2] || '';
+    return /(^|\n)\s*requires_openai_auth\s*=\s*false\s*(?:#.*)?(?=\n|$)/.test(block);
+}
+function codexLbProviderEnvKey(text = '') {
+    const block = String(text || '').match(/(^|\n)\[model_providers\.codex-lb\]([\s\S]*?)(?=\n\[[^\]]+\]|\s*$)/)?.[2] || '';
+    return block.match(/(^|\n)\s*env_key\s*=\s*"([^"]+)"/)?.[2] || '';
+}
 export async function repairCodexLbAuth(opts = {}) {
     let status = await codexLbStatus(opts);
     let configRepaired = false;
@@ -771,7 +786,7 @@ export async function repairCodexLbAuth(opts = {}) {
             status = await codexLbStatus(opts);
         }
     }
-    if (status.env_key_configured && status.base_url && (!status.ok || !status.selected || !status.provider_requires_openai_auth || legacyAuthMigrated || hasTopLevelCodexModeLock(currentConfig))) {
+    if (status.env_key_configured && status.base_url && (!status.ok || !status.selected || !status.provider_uses_codex_lb_env_auth || legacyAuthMigrated || hasTopLevelCodexModeLock(currentConfig))) {
         await ensureDir(path.dirname(status.config_path));
         const next = normalizeCodexFastModeUiConfig(upsertCodexLbConfig(currentConfig, status.base_url));
         await writeTextAtomic(status.config_path, next);
@@ -816,7 +831,7 @@ export async function ensureCodexLbAuthDuringInstall(opts = {}) {
     if (!status.selected && !status.provider_configured && !status.env_file)
         return { status: 'not_configured', codex_lb: status };
     await migrateCodexAuthKeyFormat({ home: opts.home });
-    if (status.ok && (!status.selected || !status.provider_requires_openai_auth))
+    if (status.ok && (!status.selected || !status.provider_uses_codex_lb_env_auth))
         return repairCodexLbAuth(opts);
     if (!status.ok) {
         if (status.base_url && (status.env_key_configured || status.provider_configured || status.selected || status.env_base_url_configured))
@@ -935,10 +950,9 @@ async function migrateCodexAuthKeyFormat(opts = {}) {
         return { status: 'skipped', reason: 'parse_error' };
     }
 }
-// Codex App needs a refreshable ChatGPT OAuth blob when a provider declares
-// requires_openai_auth=true. For codex-lb, the proxy key belongs in env_key
-// (CODEX_LB_API_KEY), so SKS preserves or restores OAuth by default and only
-// writes apikey auth.json when explicitly requested for CLI-only legacy use.
+// codex-lb authenticates through env_key (CODEX_LB_API_KEY) and explicitly
+// disables OpenAI OAuth on the provider. SKS still preserves existing OAuth
+// blobs, but OAuth is no longer a readiness requirement for codex-lb.
 export async function reconcileCodexLbAuthConflict(opts = {}) {
     const home = opts.home || process.env.HOME || os.homedir();
     const status = opts.status || await codexLbStatus({ ...opts, home });
@@ -979,7 +993,7 @@ export async function reconcileCodexLbAuthConflict(opts = {}) {
         if (process.env.SKS_CODEX_LB_FORCE_APIKEY_AUTH !== '1') {
             return {
                 status: 'oauth_preserved',
-                reason: 'codex_app_requires_refreshable_oauth',
+                reason: 'chatgpt_oauth_preserved_while_codex_lb_uses_env_key',
                 auth_path: authPath,
                 backup_path: backupPath
             };
@@ -1190,7 +1204,7 @@ export async function maybePromptCodexLbSetupForLaunch(args = [], opts = {}) {
     if (args.includes('--json') || args.includes('--skip-codex-lb') || process.env.SKS_SKIP_CODEX_LB_PROMPT === '1')
         return { status: 'skipped' };
     let status = await codexLbStatus(opts);
-    if (status.env_key_configured && status.base_url && (!status.provider_configured || !status.selected || !status.provider_requires_openai_auth)) {
+    if (status.env_key_configured && status.base_url && (!status.provider_configured || !status.selected || !status.provider_uses_codex_lb_env_auth)) {
         let promptedRestore = false;
         if (!status.provider_configured && canAskYesNo()) {
             promptedRestore = true;
@@ -1349,7 +1363,7 @@ function upsertCodexLbConfig(text = '', baseUrl, selectDefault = true) {
         'wire_api = "responses"',
         'env_key = "CODEX_LB_API_KEY"',
         'supports_websockets = true',
-        'requires_openai_auth = true'
+        'requires_openai_auth = false'
     ].join('\n');
     next = upsertTomlTable(next, 'model_providers.codex-lb', block);
     return `${next.trim()}\n`;
@@ -2248,8 +2262,8 @@ export async function selftestCodexLb(tmp) {
     const codexLbAuth = await safeReadText(path.join(codexLbHome, '.codex', 'auth.json'));
     if (!codexLbSetupJson.ok || codexLbSetupJson.base_url !== 'https://lb.example.test/backend-api/codex' || !hasTopLevelCodexLbSelected(codexLbConfig) || !codexLbConfig.includes('[model_providers.codex-lb]') || !codexLbEnv.includes("CODEX_LB_BASE_URL='https://lb.example.test/backend-api/codex'") || !codexLbEnv.includes("CODEX_LB_API_KEY='sk-test'") || codexLbSetupJson.codex_environment?.ok !== true || codexLbSetupJson.codex_login?.status !== 'skipped' || codexLbAuth.trim())
         throw new Error('selftest: codex-lb setup');
-    if (!codexLbConfig.includes('requires_openai_auth = true'))
-        throw new Error('selftest: codex-lb setup did not write upstream-required requires_openai_auth');
+    if (!codexLbConfig.includes('requires_openai_auth = false'))
+        throw new Error('selftest: codex-lb setup did not disable OpenAI OAuth for codex-lb env_key auth');
     const codexLbFailLaunchctl = path.join(codexLbFakeBin, 'launchctl-fail');
     await writeTextAtomic(codexLbFailLaunchctl, '#!/bin/sh\necho "launchctl denied" >&2\nexit 7\n');
     await fsp.chmod(codexLbFailLaunchctl, 0o755);
@@ -2262,8 +2276,8 @@ export async function selftestCodexLb(tmp) {
     const codexLbRepairSetupConfig = await safeReadText(path.join(codexLbHome, '.codex', 'config.toml'));
     if (!hasTopLevelCodexLbSelected(codexLbRepairSetupConfig) || !codexLbRepairSetupConfig.includes('[model_providers.codex-lb]') || !codexLbRepairSetupConfig.includes('https://lb.example.test/backend-api/codex') || codexLbRepairSetupConfig.includes('sk-test'))
         throw new Error('selftest: init codex-lb');
-    if (!codexLbRepairSetupConfig.includes('requires_openai_auth = true'))
-        throw new Error('selftest: init codex-lb did not preserve upstream-required requires_openai_auth');
+    if (!codexLbRepairSetupConfig.includes('requires_openai_auth = false'))
+        throw new Error('selftest: init codex-lb did not preserve OpenAI OAuth disablement');
     if (!hasCodexUnstableFeatureWarningSuppression(codexLbRepairSetupConfig))
         throw new Error('selftest: init codex-lb did not suppress Codex unstable feature warning');
     await writeTextAtomic(path.join(codexLbHome, '.codex', 'config.toml'), `${codexLbConfig}\n[mcp_servers.supabase]\nurl = "https://mcp.supabase.com/mcp?project_ref=ref&read_only=true&features=database,docs"\n`);
@@ -2281,8 +2295,8 @@ export async function selftestCodexLb(tmp) {
     const pcfg = await safeReadText(path.join(ptmp, '.codex', 'config.toml'));
     if (!hasTopLevelCodexLbSelected(pcfg) || !pcfg.includes('[model_providers.codex-lb]') || !pcfg.includes('[mcp_servers.supabase]') || !pcfg.includes('read_only=true'))
         throw new Error('selftest: project codex-lb');
-    if (!pcfg.includes('requires_openai_auth = true'))
-        throw new Error('selftest: project codex-lb did not copy upstream-required requires_openai_auth');
+    if (!pcfg.includes('requires_openai_auth = false'))
+        throw new Error('selftest: project codex-lb did not copy OpenAI OAuth disablement');
     if (!hasCodexUnstableFeatureWarningSuppression(pcfg))
         throw new Error('selftest: project codex-lb config did not suppress Codex unstable feature warning');
     await writeTextAtomic(path.join(codexLbHome, '.codex', 'auth.json'), '{"auth_mode":"browser"}\n');
@@ -2356,8 +2370,8 @@ export async function selftestCodexLb(tmp) {
         throw new Error('selftest: postinstall drift auth');
     if (!hasTopLevelCodexLbSelected(codexLbPostBootstrapConfig) || !codexLbPostBootstrapConfig.includes('[model_providers.codex-lb]') || !codexLbPostBootstrapConfig.includes('https://lb.example.test/backend-api/codex') || codexLbPostBootstrapConfig.includes('sk-test'))
         throw new Error('selftest: postinstall drift config');
-    if (!codexLbPostBootstrapConfig.includes('requires_openai_auth = true'))
-        throw new Error('selftest: postinstall drift config did not restore upstream-required requires_openai_auth');
+    if (!codexLbPostBootstrapConfig.includes('requires_openai_auth = false'))
+        throw new Error('selftest: postinstall drift config did not restore OpenAI OAuth disablement');
     const doctorProject = tmpdir();
     await ensureDir(path.join(doctorProject, '.git'));
     await writeTextAtomic(path.join(doctorProject, 'package.json'), '{"name":"codex-lb-doctor-project","version":"0.0.0"}\n');
@@ -2377,8 +2391,8 @@ export async function selftestCodexLb(tmp) {
     const codexLbDoctorConfig = await safeReadText(path.join(codexLbHome, '.codex', 'config.toml'));
     if (!codexLbDoctorJson.repair?.codex_lb?.ok || !codexLbDoctorJson.repair.codex_lb.config_repaired || !codexLbDoctorJson.codex_lb?.ok || !codexLbDoctorAuth.includes('"auth_mode":"browser"') || codexLbDoctorAuth.includes('sk-test') || !hasTopLevelCodexLbSelected(codexLbDoctorConfig) || !codexLbDoctorConfig.includes('https://lb.example.test/backend-api/codex') || !hasCodexUnstableFeatureWarningSuppression(codexLbDoctorConfig))
         throw new Error('selftest: doctor codex-lb');
-    if (!codexLbDoctorConfig.includes('requires_openai_auth = true'))
-        throw new Error('selftest: doctor codex-lb did not restore upstream-required requires_openai_auth');
+    if (!codexLbDoctorConfig.includes('requires_openai_auth = false'))
+        throw new Error('selftest: doctor codex-lb did not restore OpenAI OAuth disablement');
     // codex-lb auth: ChatGPT OAuth ↔ codex-lb env_key conflict reconciliation.
     const oauthAuthJson = JSON.stringify({
         auth_mode: 'chatgpt',
@@ -2387,7 +2401,7 @@ export async function selftestCodexLb(tmp) {
     });
     await writeTextAtomic(path.join(codexLbHome, '.codex', 'auth.json'), `${oauthAuthJson}\n`);
     await writeTextAtomic(path.join(codexLbHome, '.codex', 'sks-codex-lb.env'), "export CODEX_LB_BASE_URL='https://lb.example.test/backend-api/codex'\nexport CODEX_LB_API_KEY='sk-test'\n");
-    await writeTextAtomic(path.join(codexLbHome, '.codex', 'config.toml'), 'model_provider = "codex-lb"\n\n[model_providers.codex-lb]\nname = "OpenAI"\nbase_url = "https://lb.example.test/backend-api/codex"\nwire_api = "responses"\nenv_key = "CODEX_LB_API_KEY"\nsupports_websockets = true\nrequires_openai_auth = true\n');
+    await writeTextAtomic(path.join(codexLbHome, '.codex', 'config.toml'), 'model_provider = "codex-lb"\n\n[model_providers.codex-lb]\nname = "OpenAI"\nbase_url = "https://lb.example.test/backend-api/codex"\nwire_api = "responses"\nenv_key = "CODEX_LB_API_KEY"\nsupports_websockets = true\nrequires_openai_auth = false\n');
     await fsp.rm(path.join(codexLbHome, '.codex', 'auth.chatgpt-backup.json'), { force: true });
     const codexLbReconcileRepair = await runProcess(process.execPath, [packagedSksEntrypoint(), 'auth', 'repair', '--json'], { cwd: tmp, env: codexLbEnvForSelftest, timeoutMs: 15000, maxOutputBytes: 64 * 1024 });
     if (codexLbReconcileRepair.code !== 0)
@@ -2423,7 +2437,7 @@ export async function selftestCodexLb(tmp) {
     // codex-lb auth: release flow — restore ChatGPT OAuth from backup so the user can return to
     // the official ChatGPT account login. Default deselects model_provider; flags control whether
     // the provider stays selected and whether the backup file is removed after restore.
-    const codexLbReleaseConfig = 'model_provider = "codex-lb"\n\n[model_providers.codex-lb]\nname = "OpenAI"\nbase_url = "https://lb.example.test/backend-api/codex"\nwire_api = "responses"\nenv_key = "CODEX_LB_API_KEY"\nsupports_websockets = true\nrequires_openai_auth = true\n';
+    const codexLbReleaseConfig = 'model_provider = "codex-lb"\n\n[model_providers.codex-lb]\nname = "OpenAI"\nbase_url = "https://lb.example.test/backend-api/codex"\nwire_api = "responses"\nenv_key = "CODEX_LB_API_KEY"\nsupports_websockets = true\nrequires_openai_auth = false\n';
     const codexLbReleaseEnv = "export CODEX_LB_BASE_URL='https://lb.example.test/backend-api/codex'\nexport CODEX_LB_API_KEY='sk-test'\n";
     const codexLbReleaseApikeyAuth = '{"auth_mode":"apikey","OPENAI_API_KEY":"sk-test"}\n';
     const codexLbReleaseOauthBackup = `${oauthAuthJson}\n`;
@@ -2719,8 +2733,8 @@ export async function selftestCodexLb(tmp) {
         }
     });
     const missingProviderRepairedConfig = await safeReadText(path.join(codexLbHome, '.codex', 'config.toml'));
-    if (!missingProviderLaunch.ok || missingProviderLaunch.status !== 'present' || missingProviderLaunch.chain_health?.status !== 'chain_ok' || missingProviderLaunchCalls.length !== 2 || !hasTopLevelCodexLbSelected(missingProviderRepairedConfig) || !missingProviderRepairedConfig.includes('[model_providers.codex-lb]') || !missingProviderRepairedConfig.includes('env_key = "CODEX_LB_API_KEY"') || !missingProviderRepairedConfig.includes('supports_websockets = true') || !missingProviderRepairedConfig.includes('requires_openai_auth = true'))
-        throw new Error('selftest: bare sks launch did not restore missing upstream codex-lb provider block from stored env');
+    if (!missingProviderLaunch.ok || missingProviderLaunch.status !== 'present' || missingProviderLaunch.chain_health?.status !== 'chain_ok' || missingProviderLaunchCalls.length !== 2 || !hasTopLevelCodexLbSelected(missingProviderRepairedConfig) || !missingProviderRepairedConfig.includes('[model_providers.codex-lb]') || !missingProviderRepairedConfig.includes('env_key = "CODEX_LB_API_KEY"') || !missingProviderRepairedConfig.includes('supports_websockets = true') || !missingProviderRepairedConfig.includes('requires_openai_auth = false'))
+        throw new Error('selftest: bare sks launch did not restore codex-lb provider block from stored env with OpenAI OAuth disabled');
     const chainCalls = [];
     const okChain = await checkCodexLbResponseChain({ base_url: 'https://lb.example.test/backend-api/codex', env_path: path.join(codexLbHome, '.codex', 'sks-codex-lb.env') }, {
         apiKey: 'sk-test',

package/dist/commands/image-ux-review.d.ts

@@ -524,6 +524,10 @@ export declare function run(command: any, args?: any): Promise<void | {
                     no_overlap_ok: boolean;
                     ledger_hash_chain_ok: boolean;
                     all_sessions_closed: boolean;
+                    terminal_sessions_closed: any;
+                    terminal_close_report: string;
+                    tmux_attach_command: string | null;
+                    tmux_lane_manifest: string;
                     output_schema_ok: boolean;
                     output_tail_report: string;
                     output_tail_records: number;
@@ -538,7 +542,7 @@ export declare function run(command: any, args?: any): Promise<void | {
                 generated_at: string;
                 records: {
                     schema: string;
-                    kind: "recursion_attempt" | "lease_conflict" | "session_not_closed" | "schema_invalid_output" | "stale_heartbeat" | "legacy_multiagent_runtime_usage_attempt";
+                    kind: "xai_available_not_used" | "context7_missing" | "codex_web_search_missing" | "recursion_attempt" | "lease_conflict" | "session_not_closed" | "terminal_missing" | "terminal_not_closed" | "schema_invalid_output" | "stale_heartbeat" | "legacy_multiagent_runtime_usage_attempt";
                     blocker: string;
                     created_at: string;
                     status: string;
@@ -558,6 +562,11 @@ export declare function run(command: any, args?: any): Promise<void | {
                 all_sessions_closed: boolean;
                 launched_count: number;
                 closed_session_count: number;
+                terminal_sessions_closed: boolean;
+                terminal_session_count: number;
+                terminal_close_report: string;
+                tmux_lane_manifest: string;
+                tmux_lane_manifest_ok: boolean;
                 ledger_hash_chain_ok: boolean;
                 no_overlap_ok: boolean;
                 consensus_ok: boolean;
@@ -566,6 +575,8 @@ export declare function run(command: any, args?: any): Promise<void | {
                 timeout_kill_report: string;
                 timeout_killed_sessions: any;
                 cleanup_report: string;
+                janitor_report: string;
+                janitor_ok: boolean;
                 trust_report: string;
                 wrongness_records: string;
                 changed_files_lease_checked: boolean;

package/dist/commands/ppt.d.ts

@@ -376,6 +376,10 @@ export declare function run(command: any, args?: any): Promise<void | {
                     no_overlap_ok: boolean;
                     ledger_hash_chain_ok: boolean;
                     all_sessions_closed: boolean;
+                    terminal_sessions_closed: any;
+                    terminal_close_report: string;
+                    tmux_attach_command: string | null;
+                    tmux_lane_manifest: string;
                     output_schema_ok: boolean;
                     output_tail_report: string;
                     output_tail_records: number;
@@ -390,7 +394,7 @@ export declare function run(command: any, args?: any): Promise<void | {
                 generated_at: string;
                 records: {
                     schema: string;
-                    kind: "recursion_attempt" | "lease_conflict" | "session_not_closed" | "schema_invalid_output" | "stale_heartbeat" | "legacy_multiagent_runtime_usage_attempt";
+                    kind: "xai_available_not_used" | "context7_missing" | "codex_web_search_missing" | "recursion_attempt" | "lease_conflict" | "session_not_closed" | "terminal_missing" | "terminal_not_closed" | "schema_invalid_output" | "stale_heartbeat" | "legacy_multiagent_runtime_usage_attempt";
                     blocker: string;
                     created_at: string;
                     status: string;
@@ -410,6 +414,11 @@ export declare function run(command: any, args?: any): Promise<void | {
                 all_sessions_closed: boolean;
                 launched_count: number;
                 closed_session_count: number;
+                terminal_sessions_closed: boolean;
+                terminal_session_count: number;
+                terminal_close_report: string;
+                tmux_lane_manifest: string;
+                tmux_lane_manifest_ok: boolean;
                 ledger_hash_chain_ok: boolean;
                 no_overlap_ok: boolean;
                 consensus_ok: boolean;
@@ -418,6 +427,8 @@ export declare function run(command: any, args?: any): Promise<void | {
                 timeout_kill_report: string;
                 timeout_killed_sessions: any;
                 cleanup_report: string;
+                janitor_report: string;
+                janitor_ok: boolean;
                 trust_report: string;
                 wrongness_records: string;
                 changed_files_lease_checked: boolean;