sneakoscope 1.17.0 → 1.18.0

package/README.md

@@ -10,7 +10,7 @@ SKS does not try to clone every other harness. It focuses on one thing: making C
 
 ## Current Release
 
-SKS **1.17.0** makes TypeScript the only runtime source of truth, moves package execution to built `dist/**/*.js`, adds Codex App agent cockpit artifacts, parallelizes release verification with a dependency DAG, and namespaces agent sessions by project hash plus mission id.
+SKS **1.18.0** adds Universal Source Intelligence for Context7 + Codex Web Search, optional X AI MCP search when configured, main no-Scout / worker Scout-limited proof policy, per-agent terminal close evidence, tmux right-lane cockpit manifests, Codex official Goal mode detection, and full P0-P4 release readiness tracking.
 
 ```bash
 sks mad-sks plan --target-root <path> --json
@@ -20,6 +20,9 @@ sks mad-sks rollback-apply --rollback-plan <path> --yes --json
 sks features complete --json
 sks agent status latest --json
 sks agent run "release review" --agents 8 --concurrency 4 --mock --json
+npm run source-intelligence:all-modes
+npm run agent:background-terminals
+npm run agent:tmux-right-lanes
 npm run release:readiness
 ```
 
@@ -48,6 +51,14 @@ Detailed release history lives in [CHANGELOG.md](CHANGELOG.md). Current release
 - Core dominance: [docs/core-dominance.md](docs/core-dominance.md)
 - Performance budgets: [docs/performance-budgets.md](docs/performance-budgets.md)
 - Native Agent Kernel: [docs/native-agent-kernel.md](docs/native-agent-kernel.md)
+- Source Intelligence Layer: [docs/source-intelligence-layer.md](docs/source-intelligence-layer.md)
+- X AI / Context7 / Codex Web policy: [docs/xai-context7-codex-web-policy.md](docs/xai-context7-codex-web-policy.md)
+- Main no-Scout / worker Scout policy: [docs/main-no-scout-worker-scout-policy.md](docs/main-no-scout-worker-scout-policy.md)
+- Agent terminal lanes: [docs/agent-terminal-lanes.md](docs/agent-terminal-lanes.md)
+- tmux right-lane cockpit: [docs/tmux-right-lane-cockpit.md](docs/tmux-right-lane-cockpit.md)
+- Codex official Goal mode: [docs/codex-official-goal-mode.md](docs/codex-official-goal-mode.md)
+- Release parallel full coverage: [docs/release-parallel-full-coverage.md](docs/release-parallel-full-coverage.md)
+- Priority closure P0-P4: [docs/priority-closure-p0-p4.md](docs/priority-closure-p0-p4.md)
 - Image Voxel TriWiki: [docs/image-voxel-ledger.md](docs/image-voxel-ledger.md)
 - Image Wrongness: [docs/image-wrongness.md](docs/image-wrongness.md)
 - Route finalization: [docs/route-finalization.md](docs/route-finalization.md)
@@ -250,7 +261,7 @@ sks codex-lb repair
 sks
 ```
 
-Bare `sks` can also prompt for codex-lb auth; SKS stores the base URL/key in `~/.codex/sks-codex-lb.env`, writes the upstream codex-lb Codex CLI / IDE Extension provider block into `~/.codex/config.toml` for Codex App routing, loads the provider env key for tmux launches, and syncs the macOS user launch environment so the Codex App can see `CODEX_LB_API_KEY` after restart. If the provider block disappears but the stored env file is still recoverable, bare `sks`, npm postinstall upgrades, `sks doctor --fix`, and `sks codex-lb repair` restore it with `env_key = "CODEX_LB_API_KEY"`, `supports_websockets = true`, and `requires_openai_auth = true` as documented by codex-lb. If an older SKS release left the codex-lb dashboard key only in the shared Codex `auth.json` login cache, SKS migrates that key back into `~/.codex/sks-codex-lb.env` when a codex-lb provider or env base URL is already recoverable. It does not rewrite the shared Codex `auth.json` login cache by default; set `SKS_CODEX_LB_SYNC_CODEX_LOGIN=1` only if you intentionally want the old API-key login-cache behavior. When codex-lb is active, SKS opens a fresh `sks-codex-lb-*` tmux session and sweeps older detached codex-lb sessions for the same repo before launch so stale Responses API chains are not reused. Configured launch paths run a response-chain health check. `previous_response_not_found` is treated as a stateless-LB warning and keeps codex-lb active. Hard failures are surfaced to the user; SKS only bypasses codex-lb when the user chooses OAuth fallback or `SKS_CODEX_LB_AUTOBYPASS=1` is set.
+Bare `sks` can also prompt for codex-lb auth; SKS stores the base URL/key in `~/.codex/sks-codex-lb.env`, writes the codex-lb Codex CLI / IDE Extension provider block into `~/.codex/config.toml` for Codex App routing, loads the provider env key for tmux launches, and syncs the macOS user launch environment so the Codex App can see `CODEX_LB_API_KEY` after restart. If the provider block disappears but the stored env file is still recoverable, bare `sks`, npm postinstall upgrades, `sks doctor --fix`, and `sks codex-lb repair` restore it with `env_key = "CODEX_LB_API_KEY"`, `supports_websockets = true`, and `requires_openai_auth = false`; PPT/imagegen bridge checks treat that env-key provider as configured without requiring OpenAI OAuth. If an older SKS release left the codex-lb dashboard key only in the shared Codex `auth.json` login cache, SKS migrates that key back into `~/.codex/sks-codex-lb.env` when a codex-lb provider or env base URL is already recoverable. It does not rewrite the shared Codex `auth.json` login cache by default; set `SKS_CODEX_LB_SYNC_CODEX_LOGIN=1` only if you intentionally want the old API-key login-cache behavior. When codex-lb is active, SKS opens a fresh `sks-codex-lb-*` tmux session and sweeps older detached codex-lb sessions for the same repo before launch so stale Responses API chains are not reused. Configured launch paths run a response-chain health check. `previous_response_not_found` is treated as a stateless-LB warning and keeps codex-lb active. Hard failures are surfaced to the user; SKS only bypasses codex-lb when the user chooses OAuth fallback or `SKS_CODEX_LB_AUTOBYPASS=1` is set.
 
 If codex-lb provider auth drifts after launch/reinstall, run `sks doctor --fix` or `sks codex-lb repair`; to replace it, run `sks codex-lb reconfigure --host <domain> --api-key <key>`.
 
@@ -601,7 +612,7 @@ npm run release:check
 npm run publish:dry
 ```
 
-`release:check` runs the 1.17.0 parallel P0 DAG, writes a source digest stamp under `.sneakoscope/reports/`, then refreshes release readiness so publish commands can verify the same stamp. The DAG covers build, TS runtime source checks, dist parity, proof artifact structure, Codex App cockpit, janitor, multi-project isolation, parallel verification, typecheck, schema, release metadata, and release readiness. Broader live or historical gates remain explicit scripts such as `release:real-check`. Generate the human-readable registry with `sks features inventory --write-docs`. Plain `npm publish` uses the `latest` dist-tag. npm's `prepublishOnly` verifies the fresh release stamp instead of rerunning the full gate, and `prepack` only rebuilds `dist`; publish no longer repeats the expensive release suite during packaging. `npm run publish:dry` remains the explicit dry-run helper.
+`release:check` runs the 1.18.0 parallel P0-P4 closure DAG, writes a source digest stamp under `.sneakoscope/reports/`, then refreshes release readiness so publish commands can verify the same stamp. The DAG preserves the 1.17 baseline gates and adds Source Intelligence, X AI/Codex Web policy, Goal mode, main no-Scout, worker Scout-limited, agent terminal, tmux right-lane, visual consistency, release full-coverage, and priority closure checks. Broader live or historical gates remain explicit scripts such as `release:real-check`. Generate the human-readable registry with `sks features inventory --write-docs`. Plain `npm publish` uses the `latest` dist-tag. npm's `prepublishOnly` verifies the fresh release stamp instead of rerunning the full gate, and `prepack` only rebuilds `dist`; publish no longer repeats the expensive release suite during packaging. `npm run publish:dry` remains the explicit dry-run helper.
 
 Version bumps are manual. Run `sks versioning bump` only when preparing release metadata; SKS will not create `.git/hooks/pre-commit` or auto-bump during ordinary commits.
 

package/crates/sks-core/Cargo.lock

@@ -76,7 +76,7 @@ dependencies = [
 
 [[package]]
 name = "sks-core"
-version = "1.17.0"
+version = "1.18.0"
 dependencies = [
  "serde_json",
 ]

package/crates/sks-core/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "sks-core"
-version = "1.17.0"
+version = "1.18.0"
 edition = "2021"
 
 [dependencies]

package/crates/sks-core/src/main.rs

@@ -4,7 +4,7 @@ use std::io::{self, Read, Seek, SeekFrom};
 fn main() {
     let mut args = std::env::args().skip(1);
     match args.next().as_deref() {
-        Some("--version") => println!("sks-rs 1.17.0"),
+        Some("--version") => println!("sks-rs 1.18.0"),
         Some("compact-info") => {
             let mut input = String::new();
             let _ = io::stdin().read_to_string(&mut input);

package/dist/.sks-build-stamp.json

@@ -1,8 +1,8 @@
 {
   "schema": "sks.dist-build-stamp.v1",
   "package_name": "sneakoscope",
-  "package_version": "1.17.0",
-  "source_digest": "527177fcd408d00042f7263b37de99dd135af1fd2fdd0a8d79a220e747de03cb",
-  "source_file_count": 1515,
-  "built_at_source_time": 1779685135168
+  "package_version": "1.18.0",
+  "source_digest": "9593cf876b0f0b49ffb7aaa5e2ca1017bd7fd1508892f92cffbfc7db58fbfef0",
+  "source_file_count": 1279,
+  "built_at_source_time": 1779716030404
 }

package/dist/bin/sks.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-const FAST_PACKAGE_VERSION = '1.17.0';
+const FAST_PACKAGE_VERSION = '1.18.0';
 const args = process.argv.slice(2);
 try {
     if (args[0] === '--version' || args[0] === '-v' || args[0] === 'version') {

package/dist/build-manifest.json

@@ -1,16 +1,16 @@
 {
   "schema": "sks.dist-build.v2",
-  "version": "1.17.0",
-  "package_version": "1.17.0",
+  "version": "1.18.0",
+  "package_version": "1.18.0",
   "typescript": true,
   "mjs_runtime_files": 0,
-  "compiled_file_count": 828,
-  "compiled_js_count": 414,
-  "compiled_dts_count": 414,
-  "source_digest": "527177fcd408d00042f7263b37de99dd135af1fd2fdd0a8d79a220e747de03cb",
-  "source_file_count": 1515,
-  "source_files_hash": "137bd4f96d0913bd90ab4e74364e959627dd8fd29576dae9d57c89c38b9b009f",
-  "source_list_hash": "137bd4f96d0913bd90ab4e74364e959627dd8fd29576dae9d57c89c38b9b009f",
+  "compiled_file_count": 850,
+  "compiled_js_count": 425,
+  "compiled_dts_count": 425,
+  "source_digest": "9593cf876b0f0b49ffb7aaa5e2ca1017bd7fd1508892f92cffbfc7db58fbfef0",
+  "source_file_count": 1279,
+  "source_files_hash": "29895436992640147aab36792cd376edbed9adc6226480db074ef9e9b5104c13",
+  "source_list_hash": "29895436992640147aab36792cd376edbed9adc6226480db074ef9e9b5104c13",
   "src_mjs_runtime_files": 0,
   "dist_stamp_schema": "sks.dist-build-stamp.v1",
   "files": [
@@ -240,6 +240,8 @@
     "core/agents/agent-session-rows.js",
     "core/agents/agent-task-slicer.d.ts",
     "core/agents/agent-task-slicer.js",
+    "core/agents/agent-terminal-session.d.ts",
+    "core/agents/agent-terminal-session.js",
     "core/agents/agent-trust-report.d.ts",
     "core/agents/agent-trust-report.js",
     "core/agents/agent-work-partition.d.ts",
@@ -250,6 +252,10 @@
     "core/agents/agent-wrongness.js",
     "core/agents/route-collaboration-ledger.d.ts",
     "core/agents/route-collaboration-ledger.js",
+    "core/agents/scout-policy.d.ts",
+    "core/agents/scout-policy.js",
+    "core/agents/tmux-right-lane-cockpit.d.ts",
+    "core/agents/tmux-right-lane-cockpit.js",
     "core/agents/work-partition/conflict-detector.d.ts",
     "core/agents/work-partition/conflict-detector.js",
     "core/agents/work-partition/dependency-graph.d.ts",
@@ -332,6 +338,10 @@
     "core/codex-lb/codex-lb-setup.js",
     "core/codex-model-guard.d.ts",
     "core/codex-model-guard.js",
+    "core/codex/codex-web-search-adapter.d.ts",
+    "core/codex/codex-web-search-adapter.js",
+    "core/codex/official-goal-mode.d.ts",
+    "core/codex/official-goal-mode.js",
     "core/commands/agent-command.d.ts",
     "core/commands/agent-command.js",
     "core/commands/autoresearch-command.d.ts",
@@ -582,6 +592,10 @@
     "core/mad-sks/write-guard.js",
     "core/managed-paths.d.ts",
     "core/managed-paths.js",
+    "core/mcp/xai-mcp-detector.d.ts",
+    "core/mcp/xai-mcp-detector.js",
+    "core/mcp/xai-search-adapter.d.ts",
+    "core/mcp/xai-search-adapter.js",
     "core/memory-governor.d.ts",
     "core/memory-governor.js",
     "core/memory-summary.d.ts",
@@ -717,6 +731,8 @@
     "core/questions.js",
     "core/recallpulse.d.ts",
     "core/recallpulse.js",
+    "core/release-parallel-full-coverage.d.ts",
+    "core/release-parallel-full-coverage.js",
     "core/research.d.ts",
     "core/research.js",
     "core/retention.d.ts",
@@ -731,6 +747,12 @@
     "core/session/project-namespace.js",
     "core/skill-forge.d.ts",
     "core/skill-forge.js",
+    "core/source-intelligence/source-intelligence-policy.d.ts",
+    "core/source-intelligence/source-intelligence-policy.js",
+    "core/source-intelligence/source-intelligence-proof.d.ts",
+    "core/source-intelligence/source-intelligence-proof.js",
+    "core/source-intelligence/source-intelligence-runner.d.ts",
+    "core/source-intelligence/source-intelligence-runner.js",
     "core/structured-output-adapter.d.ts",
     "core/structured-output-adapter.js",
     "core/team-dag.d.ts",

package/dist/cli/install-helpers.d.ts

@@ -101,6 +101,9 @@ export declare function codexLbStatus(opts?: any): Promise<{
     env_path: any;
     provider_configured: boolean;
     provider_requires_openai_auth: boolean;
+    provider_openai_auth_disabled: boolean;
+    provider_env_key: string | null;
+    provider_uses_codex_lb_env_auth: boolean;
     selected: boolean;
     env_file: boolean;
     env_key_configured: boolean;
@@ -207,6 +210,9 @@ export declare function maybePromptCodexLbSetupForLaunch(args?: any, opts?: any)
     env_path: any;
     provider_configured: boolean;
     provider_requires_openai_auth: boolean;
+    provider_openai_auth_disabled: boolean;
+    provider_env_key: string | null;
+    provider_uses_codex_lb_env_auth: boolean;
     selected: boolean;
     env_file: boolean;
     env_key_configured: boolean;
@@ -245,6 +251,9 @@ export declare function maybePromptCodexLbSetupForLaunch(args?: any, opts?: any)
     env_path: any;
     provider_configured: boolean;
     provider_requires_openai_auth: boolean;
+    provider_openai_auth_disabled: boolean;
+    provider_env_key: string | null;
+    provider_uses_codex_lb_env_auth: boolean;
     selected: boolean;
     env_file: boolean;
     env_key_configured: boolean;

package/dist/cli/install-helpers.js

@@ -132,7 +132,7 @@ async function reportPostinstallCodexLbAuth() {
         console.log(`codex-lb auth: repair skipped (${codexLbAuth.status}${codexLbAuth.error ? `: ${codexLbAuth.error}` : ''}).`);
     const reconcile = codexLbAuth.auth_reconcile;
     if (reconcile?.status === 'oauth_preserved') {
-        console.log(`codex-lb auth: ChatGPT OAuth preserved for Codex App; codex-lb key stays in env_key (OAuth backup at ${reconcile.backup_path ?? 'unknown'}).`);
+        console.log(`codex-lb auth: ChatGPT OAuth preserved as backup; codex-lb key stays in env_key (OpenAI OAuth not required, backup at ${reconcile.backup_path ?? 'unknown'}).`);
     }
     else if (reconcile?.status === 'oauth_restored') {
         console.log(`codex-lb auth: restored ChatGPT OAuth from ${reconcile.backup_path ?? 'unknown'} while keeping codex-lb selected.`);
@@ -452,12 +452,19 @@ export async function codexLbStatus(opts = {}) {
     const selected = hasTopLevelCodexLbSelected(config);
     const baseUrl = codexLbProviderBaseUrl(config) || envLoad.base_url || null;
     const providerRequiresOpenAiAuth = codexLbProviderRequiresOpenAiAuth(config);
+    const providerOpenAiAuthDisabled = codexLbProviderOpenAiAuthDisabled(config);
+    const providerEnvKey = codexLbProviderEnvKey(config);
+    const providerUsesCodexLbEnvAuth = providerConfigured && providerEnvKey === 'CODEX_LB_API_KEY' && providerOpenAiAuthDisabled;
+    const codexAppUsableWithCodexLb = providerUsesCodexLbEnvAuth && envKeyConfigured && Boolean(baseUrl);
     return {
-        ok: providerConfigured && envKeyConfigured && Boolean(baseUrl) && providerRequiresOpenAiAuth,
+        ok: providerConfigured && envKeyConfigured && Boolean(baseUrl) && providerUsesCodexLbEnvAuth,
         config_path: configPath,
         env_path: envPath,
         provider_configured: providerConfigured,
         provider_requires_openai_auth: providerRequiresOpenAiAuth,
+        provider_openai_auth_disabled: providerOpenAiAuthDisabled,
+        provider_env_key: providerEnvKey || null,
+        provider_uses_codex_lb_env_auth: providerUsesCodexLbEnvAuth,
         selected,
         env_file: envExists,
         env_key_configured: envKeyConfigured,
@@ -474,8 +481,8 @@ export async function codexLbStatus(opts = {}) {
         base_url: baseUrl,
         auth_path: authPath,
         auth_mode: authMode.mode,
-        auth_usable_for_codex_app: authMode.codex_app_usable,
-        auth_summary: authMode.summary
+        auth_usable_for_codex_app: authMode.codex_app_usable || codexAppUsableWithCodexLb,
+        auth_summary: codexAppUsableWithCodexLb ? 'codex-lb provider uses CODEX_LB_API_KEY env_key; OpenAI OAuth not required' : authMode.summary
     };
 }
 export function formatCodexLbStatusText(status = {}, opts = {}) {
@@ -487,7 +494,7 @@ export function formatCodexLbStatusText(status = {}, opts = {}) {
         `Configured: ${status.ok ? 'yes' : 'no'}`,
         `Selected:   ${status.selected ? 'yes' : 'no'}`,
         `Provider:   ${status.provider_configured ? 'yes' : 'no'}`,
-        `Provider requires OpenAI auth: ${status.provider_requires_openai_auth ? 'yes' : 'missing'}`,
+        `Provider OpenAI OAuth: ${status.provider_openai_auth_disabled ? 'disabled for codex-lb env_key' : status.provider_requires_openai_auth ? 'required (repair recommended)' : 'missing explicit false'}`,
         `Codex App auth: ${status.auth_usable_for_codex_app ? 'ok' : 'needs sign-in/repair'} (${status.auth_mode || 'unknown'})`
     ];
     if (status.auth_summary)
@@ -521,7 +528,7 @@ export function formatCodexLbRepairResultText(result = {}) {
     if (result.auth_reconcile?.status === 'oauth_restored')
         lines.push(`Codex App auth: ChatGPT OAuth restored from ${result.auth_reconcile.backup_path}.`);
     else if (result.auth_reconcile?.status === 'oauth_preserved')
-        lines.push('Codex App auth: ChatGPT OAuth preserved; codex-lb will use CODEX_LB_API_KEY from env_key.');
+        lines.push('Codex App auth: ChatGPT OAuth preserved as backup; codex-lb will use CODEX_LB_API_KEY from env_key without OpenAI OAuth.');
     else if (result.auth_reconcile?.status === 'apikey_auth_active')
         lines.push('Codex App auth: API-key auth.json is still active. Sign in again if the App asks for ChatGPT OAuth.');
     return `${lines.join('\n')}\n`;
@@ -757,6 +764,14 @@ function codexLbProviderRequiresOpenAiAuth(text = '') {
     const block = String(text || '').match(/(^|\n)\[model_providers\.codex-lb\]([\s\S]*?)(?=\n\[[^\]]+\]|\s*$)/)?.[2] || '';
     return /(^|\n)\s*requires_openai_auth\s*=\s*true\s*(?:#.*)?(?=\n|$)/.test(block);
 }
+function codexLbProviderOpenAiAuthDisabled(text = '') {
+    const block = String(text || '').match(/(^|\n)\[model_providers\.codex-lb\]([\s\S]*?)(?=\n\[[^\]]+\]|\s*$)/)?.[2] || '';
+    return /(^|\n)\s*requires_openai_auth\s*=\s*false\s*(?:#.*)?(?=\n|$)/.test(block);
+}
+function codexLbProviderEnvKey(text = '') {
+    const block = String(text || '').match(/(^|\n)\[model_providers\.codex-lb\]([\s\S]*?)(?=\n\[[^\]]+\]|\s*$)/)?.[2] || '';
+    return block.match(/(^|\n)\s*env_key\s*=\s*"([^"]+)"/)?.[2] || '';
+}
 export async function repairCodexLbAuth(opts = {}) {
     let status = await codexLbStatus(opts);
     let configRepaired = false;
@@ -771,7 +786,7 @@ export async function repairCodexLbAuth(opts = {}) {
             status = await codexLbStatus(opts);
         }
     }
-    if (status.env_key_configured && status.base_url && (!status.ok || !status.selected || !status.provider_requires_openai_auth || legacyAuthMigrated || hasTopLevelCodexModeLock(currentConfig))) {
+    if (status.env_key_configured && status.base_url && (!status.ok || !status.selected || !status.provider_uses_codex_lb_env_auth || legacyAuthMigrated || hasTopLevelCodexModeLock(currentConfig))) {
         await ensureDir(path.dirname(status.config_path));
         const next = normalizeCodexFastModeUiConfig(upsertCodexLbConfig(currentConfig, status.base_url));
         await writeTextAtomic(status.config_path, next);
@@ -816,7 +831,7 @@ export async function ensureCodexLbAuthDuringInstall(opts = {}) {
     if (!status.selected && !status.provider_configured && !status.env_file)
         return { status: 'not_configured', codex_lb: status };
     await migrateCodexAuthKeyFormat({ home: opts.home });
-    if (status.ok && (!status.selected || !status.provider_requires_openai_auth))
+    if (status.ok && (!status.selected || !status.provider_uses_codex_lb_env_auth))
         return repairCodexLbAuth(opts);
     if (!status.ok) {
         if (status.base_url && (status.env_key_configured || status.provider_configured || status.selected || status.env_base_url_configured))
@@ -935,10 +950,9 @@ async function migrateCodexAuthKeyFormat(opts = {}) {
         return { status: 'skipped', reason: 'parse_error' };
     }
 }
-// Codex App needs a refreshable ChatGPT OAuth blob when a provider declares
-// requires_openai_auth=true. For codex-lb, the proxy key belongs in env_key
-// (CODEX_LB_API_KEY), so SKS preserves or restores OAuth by default and only
-// writes apikey auth.json when explicitly requested for CLI-only legacy use.
+// codex-lb authenticates through env_key (CODEX_LB_API_KEY) and explicitly
+// disables OpenAI OAuth on the provider. SKS still preserves existing OAuth
+// blobs, but OAuth is no longer a readiness requirement for codex-lb.
 export async function reconcileCodexLbAuthConflict(opts = {}) {
     const home = opts.home || process.env.HOME || os.homedir();
     const status = opts.status || await codexLbStatus({ ...opts, home });
@@ -979,7 +993,7 @@ export async function reconcileCodexLbAuthConflict(opts = {}) {
         if (process.env.SKS_CODEX_LB_FORCE_APIKEY_AUTH !== '1') {
             return {
                 status: 'oauth_preserved',
-                reason: 'codex_app_requires_refreshable_oauth',
+                reason: 'chatgpt_oauth_preserved_while_codex_lb_uses_env_key',
                 auth_path: authPath,
                 backup_path: backupPath
             };
@@ -1190,7 +1204,7 @@ export async function maybePromptCodexLbSetupForLaunch(args = [], opts = {}) {
     if (args.includes('--json') || args.includes('--skip-codex-lb') || process.env.SKS_SKIP_CODEX_LB_PROMPT === '1')
         return { status: 'skipped' };
     let status = await codexLbStatus(opts);
-    if (status.env_key_configured && status.base_url && (!status.provider_configured || !status.selected || !status.provider_requires_openai_auth)) {
+    if (status.env_key_configured && status.base_url && (!status.provider_configured || !status.selected || !status.provider_uses_codex_lb_env_auth)) {
         let promptedRestore = false;
         if (!status.provider_configured && canAskYesNo()) {
             promptedRestore = true;
@@ -1349,7 +1363,7 @@ function upsertCodexLbConfig(text = '', baseUrl, selectDefault = true) {
         'wire_api = "responses"',
         'env_key = "CODEX_LB_API_KEY"',
         'supports_websockets = true',
-        'requires_openai_auth = true'
+        'requires_openai_auth = false'
     ].join('\n');
     next = upsertTomlTable(next, 'model_providers.codex-lb', block);
     return `${next.trim()}\n`;
@@ -2248,8 +2262,8 @@ export async function selftestCodexLb(tmp) {
     const codexLbAuth = await safeReadText(path.join(codexLbHome, '.codex', 'auth.json'));
     if (!codexLbSetupJson.ok || codexLbSetupJson.base_url !== 'https://lb.example.test/backend-api/codex' || !hasTopLevelCodexLbSelected(codexLbConfig) || !codexLbConfig.includes('[model_providers.codex-lb]') || !codexLbEnv.includes("CODEX_LB_BASE_URL='https://lb.example.test/backend-api/codex'") || !codexLbEnv.includes("CODEX_LB_API_KEY='sk-test'") || codexLbSetupJson.codex_environment?.ok !== true || codexLbSetupJson.codex_login?.status !== 'skipped' || codexLbAuth.trim())
         throw new Error('selftest: codex-lb setup');
-    if (!codexLbConfig.includes('requires_openai_auth = true'))
-        throw new Error('selftest: codex-lb setup did not write upstream-required requires_openai_auth');
+    if (!codexLbConfig.includes('requires_openai_auth = false'))
+        throw new Error('selftest: codex-lb setup did not disable OpenAI OAuth for codex-lb env_key auth');
     const codexLbFailLaunchctl = path.join(codexLbFakeBin, 'launchctl-fail');
     await writeTextAtomic(codexLbFailLaunchctl, '#!/bin/sh\necho "launchctl denied" >&2\nexit 7\n');
     await fsp.chmod(codexLbFailLaunchctl, 0o755);
@@ -2262,8 +2276,8 @@ export async function selftestCodexLb(tmp) {
     const codexLbRepairSetupConfig = await safeReadText(path.join(codexLbHome, '.codex', 'config.toml'));
     if (!hasTopLevelCodexLbSelected(codexLbRepairSetupConfig) || !codexLbRepairSetupConfig.includes('[model_providers.codex-lb]') || !codexLbRepairSetupConfig.includes('https://lb.example.test/backend-api/codex') || codexLbRepairSetupConfig.includes('sk-test'))
         throw new Error('selftest: init codex-lb');
-    if (!codexLbRepairSetupConfig.includes('requires_openai_auth = true'))
-        throw new Error('selftest: init codex-lb did not preserve upstream-required requires_openai_auth');
+    if (!codexLbRepairSetupConfig.includes('requires_openai_auth = false'))
+        throw new Error('selftest: init codex-lb did not preserve OpenAI OAuth disablement');
     if (!hasCodexUnstableFeatureWarningSuppression(codexLbRepairSetupConfig))
         throw new Error('selftest: init codex-lb did not suppress Codex unstable feature warning');
     await writeTextAtomic(path.join(codexLbHome, '.codex', 'config.toml'), `${codexLbConfig}\n[mcp_servers.supabase]\nurl = "https://mcp.supabase.com/mcp?project_ref=ref&read_only=true&features=database,docs"\n`);
@@ -2281,8 +2295,8 @@ export async function selftestCodexLb(tmp) {
     const pcfg = await safeReadText(path.join(ptmp, '.codex', 'config.toml'));
     if (!hasTopLevelCodexLbSelected(pcfg) || !pcfg.includes('[model_providers.codex-lb]') || !pcfg.includes('[mcp_servers.supabase]') || !pcfg.includes('read_only=true'))
         throw new Error('selftest: project codex-lb');
-    if (!pcfg.includes('requires_openai_auth = true'))
-        throw new Error('selftest: project codex-lb did not copy upstream-required requires_openai_auth');
+    if (!pcfg.includes('requires_openai_auth = false'))
+        throw new Error('selftest: project codex-lb did not copy OpenAI OAuth disablement');
     if (!hasCodexUnstableFeatureWarningSuppression(pcfg))
         throw new Error('selftest: project codex-lb config did not suppress Codex unstable feature warning');
     await writeTextAtomic(path.join(codexLbHome, '.codex', 'auth.json'), '{"auth_mode":"browser"}\n');
@@ -2356,8 +2370,8 @@ export async function selftestCodexLb(tmp) {
         throw new Error('selftest: postinstall drift auth');
     if (!hasTopLevelCodexLbSelected(codexLbPostBootstrapConfig) || !codexLbPostBootstrapConfig.includes('[model_providers.codex-lb]') || !codexLbPostBootstrapConfig.includes('https://lb.example.test/backend-api/codex') || codexLbPostBootstrapConfig.includes('sk-test'))
         throw new Error('selftest: postinstall drift config');
-    if (!codexLbPostBootstrapConfig.includes('requires_openai_auth = true'))
-        throw new Error('selftest: postinstall drift config did not restore upstream-required requires_openai_auth');
+    if (!codexLbPostBootstrapConfig.includes('requires_openai_auth = false'))
+        throw new Error('selftest: postinstall drift config did not restore OpenAI OAuth disablement');
     const doctorProject = tmpdir();
     await ensureDir(path.join(doctorProject, '.git'));
     await writeTextAtomic(path.join(doctorProject, 'package.json'), '{"name":"codex-lb-doctor-project","version":"0.0.0"}\n');
@@ -2377,8 +2391,8 @@ export async function selftestCodexLb(tmp) {
     const codexLbDoctorConfig = await safeReadText(path.join(codexLbHome, '.codex', 'config.toml'));
     if (!codexLbDoctorJson.repair?.codex_lb?.ok || !codexLbDoctorJson.repair.codex_lb.config_repaired || !codexLbDoctorJson.codex_lb?.ok || !codexLbDoctorAuth.includes('"auth_mode":"browser"') || codexLbDoctorAuth.includes('sk-test') || !hasTopLevelCodexLbSelected(codexLbDoctorConfig) || !codexLbDoctorConfig.includes('https://lb.example.test/backend-api/codex') || !hasCodexUnstableFeatureWarningSuppression(codexLbDoctorConfig))
         throw new Error('selftest: doctor codex-lb');
-    if (!codexLbDoctorConfig.includes('requires_openai_auth = true'))
-        throw new Error('selftest: doctor codex-lb did not restore upstream-required requires_openai_auth');
+    if (!codexLbDoctorConfig.includes('requires_openai_auth = false'))
+        throw new Error('selftest: doctor codex-lb did not restore OpenAI OAuth disablement');
     // codex-lb auth: ChatGPT OAuth ↔ codex-lb env_key conflict reconciliation.
     const oauthAuthJson = JSON.stringify({
         auth_mode: 'chatgpt',
@@ -2387,7 +2401,7 @@ export async function selftestCodexLb(tmp) {
     });
     await writeTextAtomic(path.join(codexLbHome, '.codex', 'auth.json'), `${oauthAuthJson}\n`);
     await writeTextAtomic(path.join(codexLbHome, '.codex', 'sks-codex-lb.env'), "export CODEX_LB_BASE_URL='https://lb.example.test/backend-api/codex'\nexport CODEX_LB_API_KEY='sk-test'\n");
-    await writeTextAtomic(path.join(codexLbHome, '.codex', 'config.toml'), 'model_provider = "codex-lb"\n\n[model_providers.codex-lb]\nname = "OpenAI"\nbase_url = "https://lb.example.test/backend-api/codex"\nwire_api = "responses"\nenv_key = "CODEX_LB_API_KEY"\nsupports_websockets = true\nrequires_openai_auth = true\n');
+    await writeTextAtomic(path.join(codexLbHome, '.codex', 'config.toml'), 'model_provider = "codex-lb"\n\n[model_providers.codex-lb]\nname = "OpenAI"\nbase_url = "https://lb.example.test/backend-api/codex"\nwire_api = "responses"\nenv_key = "CODEX_LB_API_KEY"\nsupports_websockets = true\nrequires_openai_auth = false\n');
     await fsp.rm(path.join(codexLbHome, '.codex', 'auth.chatgpt-backup.json'), { force: true });
     const codexLbReconcileRepair = await runProcess(process.execPath, [packagedSksEntrypoint(), 'auth', 'repair', '--json'], { cwd: tmp, env: codexLbEnvForSelftest, timeoutMs: 15000, maxOutputBytes: 64 * 1024 });
     if (codexLbReconcileRepair.code !== 0)
@@ -2423,7 +2437,7 @@ export async function selftestCodexLb(tmp) {
     // codex-lb auth: release flow — restore ChatGPT OAuth from backup so the user can return to
     // the official ChatGPT account login. Default deselects model_provider; flags control whether
     // the provider stays selected and whether the backup file is removed after restore.
-    const codexLbReleaseConfig = 'model_provider = "codex-lb"\n\n[model_providers.codex-lb]\nname = "OpenAI"\nbase_url = "https://lb.example.test/backend-api/codex"\nwire_api = "responses"\nenv_key = "CODEX_LB_API_KEY"\nsupports_websockets = true\nrequires_openai_auth = true\n';
+    const codexLbReleaseConfig = 'model_provider = "codex-lb"\n\n[model_providers.codex-lb]\nname = "OpenAI"\nbase_url = "https://lb.example.test/backend-api/codex"\nwire_api = "responses"\nenv_key = "CODEX_LB_API_KEY"\nsupports_websockets = true\nrequires_openai_auth = false\n';
     const codexLbReleaseEnv = "export CODEX_LB_BASE_URL='https://lb.example.test/backend-api/codex'\nexport CODEX_LB_API_KEY='sk-test'\n";
     const codexLbReleaseApikeyAuth = '{"auth_mode":"apikey","OPENAI_API_KEY":"sk-test"}\n';
     const codexLbReleaseOauthBackup = `${oauthAuthJson}\n`;
@@ -2719,8 +2733,8 @@ export async function selftestCodexLb(tmp) {
         }
     });
     const missingProviderRepairedConfig = await safeReadText(path.join(codexLbHome, '.codex', 'config.toml'));
-    if (!missingProviderLaunch.ok || missingProviderLaunch.status !== 'present' || missingProviderLaunch.chain_health?.status !== 'chain_ok' || missingProviderLaunchCalls.length !== 2 || !hasTopLevelCodexLbSelected(missingProviderRepairedConfig) || !missingProviderRepairedConfig.includes('[model_providers.codex-lb]') || !missingProviderRepairedConfig.includes('env_key = "CODEX_LB_API_KEY"') || !missingProviderRepairedConfig.includes('supports_websockets = true') || !missingProviderRepairedConfig.includes('requires_openai_auth = true'))
-        throw new Error('selftest: bare sks launch did not restore missing upstream codex-lb provider block from stored env');
+    if (!missingProviderLaunch.ok || missingProviderLaunch.status !== 'present' || missingProviderLaunch.chain_health?.status !== 'chain_ok' || missingProviderLaunchCalls.length !== 2 || !hasTopLevelCodexLbSelected(missingProviderRepairedConfig) || !missingProviderRepairedConfig.includes('[model_providers.codex-lb]') || !missingProviderRepairedConfig.includes('env_key = "CODEX_LB_API_KEY"') || !missingProviderRepairedConfig.includes('supports_websockets = true') || !missingProviderRepairedConfig.includes('requires_openai_auth = false'))
+        throw new Error('selftest: bare sks launch did not restore codex-lb provider block from stored env with OpenAI OAuth disabled');
     const chainCalls = [];
     const okChain = await checkCodexLbResponseChain({ base_url: 'https://lb.example.test/backend-api/codex', env_path: path.join(codexLbHome, '.codex', 'sks-codex-lb.env') }, {
         apiKey: 'sk-test',

package/dist/commands/image-ux-review.d.ts

@@ -524,6 +524,10 @@ export declare function run(command: any, args?: any): Promise<void | {
                     no_overlap_ok: boolean;
                     ledger_hash_chain_ok: boolean;
                     all_sessions_closed: boolean;
+                    terminal_sessions_closed: any;
+                    terminal_close_report: string;
+                    tmux_attach_command: string | null;
+                    tmux_lane_manifest: string;
                     output_schema_ok: boolean;
                     output_tail_report: string;
                     output_tail_records: number;
@@ -538,7 +542,7 @@ export declare function run(command: any, args?: any): Promise<void | {
                 generated_at: string;
                 records: {
                     schema: string;
-                    kind: "recursion_attempt" | "lease_conflict" | "session_not_closed" | "schema_invalid_output" | "stale_heartbeat" | "legacy_multiagent_runtime_usage_attempt";
+                    kind: "xai_available_not_used" | "context7_missing" | "codex_web_search_missing" | "recursion_attempt" | "lease_conflict" | "session_not_closed" | "terminal_missing" | "terminal_not_closed" | "schema_invalid_output" | "stale_heartbeat" | "legacy_multiagent_runtime_usage_attempt";
                     blocker: string;
                     created_at: string;
                     status: string;
@@ -558,6 +562,11 @@ export declare function run(command: any, args?: any): Promise<void | {
                 all_sessions_closed: boolean;
                 launched_count: number;
                 closed_session_count: number;
+                terminal_sessions_closed: boolean;
+                terminal_session_count: number;
+                terminal_close_report: string;
+                tmux_lane_manifest: string;
+                tmux_lane_manifest_ok: boolean;
                 ledger_hash_chain_ok: boolean;
                 no_overlap_ok: boolean;
                 consensus_ok: boolean;

package/dist/commands/ppt.d.ts

@@ -376,6 +376,10 @@ export declare function run(command: any, args?: any): Promise<void | {
                     no_overlap_ok: boolean;
                     ledger_hash_chain_ok: boolean;
                     all_sessions_closed: boolean;
+                    terminal_sessions_closed: any;
+                    terminal_close_report: string;
+                    tmux_attach_command: string | null;
+                    tmux_lane_manifest: string;
                     output_schema_ok: boolean;
                     output_tail_report: string;
                     output_tail_records: number;
@@ -390,7 +394,7 @@ export declare function run(command: any, args?: any): Promise<void | {
                 generated_at: string;
                 records: {
                     schema: string;
-                    kind: "recursion_attempt" | "lease_conflict" | "session_not_closed" | "schema_invalid_output" | "stale_heartbeat" | "legacy_multiagent_runtime_usage_attempt";
+                    kind: "xai_available_not_used" | "context7_missing" | "codex_web_search_missing" | "recursion_attempt" | "lease_conflict" | "session_not_closed" | "terminal_missing" | "terminal_not_closed" | "schema_invalid_output" | "stale_heartbeat" | "legacy_multiagent_runtime_usage_attempt";
                     blocker: string;
                     created_at: string;
                     status: string;
@@ -410,6 +414,11 @@ export declare function run(command: any, args?: any): Promise<void | {
                 all_sessions_closed: boolean;
                 launched_count: number;
                 closed_session_count: number;
+                terminal_sessions_closed: boolean;
+                terminal_session_count: number;
+                terminal_close_report: string;
+                tmux_lane_manifest: string;
+                tmux_lane_manifest_ok: boolean;
                 ledger_hash_chain_ok: boolean;
                 no_overlap_ok: boolean;
                 consensus_ok: boolean;

package/dist/core/agents/agent-codex-cockpit.d.ts

@@ -29,6 +29,12 @@ export interface AgentCodexCockpitState {
     all_sessions_closed: boolean | null;
     janitor_ok: boolean | null;
     proof_status: string | null;
+    source_intelligence_status: string | null;
+    xai_status: string | null;
+    codex_web_search_status: string | null;
+    goal_mode_status: string | null;
+    terminal_session_status: string | null;
+    tmux_attach_command: string | null;
     blockers: string[];
     agents: Array<Record<string, unknown>>;
     recent_events: string[];

package/dist/core/agents/agent-codex-cockpit.js

@@ -34,6 +34,10 @@ export async function buildAgentCodexCockpitState(missionDir, opts = {}) {
     const cleanup = await readJson(path.join(root, 'agent-cleanup.json'), null);
     const janitor = await readJson(path.join(root, 'agent-janitor-report.json'), null);
     const namespace = await readJson(path.join(missionDir, 'project-session-namespace.json'), null);
+    const sourceIntelligence = await readJson(path.join(missionDir, 'source-intelligence-evidence.json'), null);
+    const goalMode = await readJson(path.join(missionDir, 'goal-mode-applied.json'), null);
+    const tmuxLayout = await readJson(path.join(root, 'agent-tmux-layout.json'), null);
+    const terminalClosed = proof?.terminal_sessions_closed === true;
     const eventsTail = await readTailLines(path.join(root, 'agent-events.jsonl'), 8);
     const cockpitEventsTail = await readTailLines(path.join(root, AGENT_CODEX_COCKPIT_EVENTS), 8);
     const teamTail = await readTailLines(path.join(missionDir, 'team-transcript.jsonl'), 8);
@@ -58,6 +62,12 @@ export async function buildAgentCodexCockpitState(missionDir, opts = {}) {
         all_sessions_closed: proof?.all_sessions_closed ?? cleanup?.all_sessions_closed ?? null,
         janitor_ok: janitor?.ok ?? null,
         proof_status: proof?.status || (proof?.ok ? 'passed' : proof ? 'blocked' : null),
+        source_intelligence_status: sourceIntelligence?.ok === true ? sourceIntelligence.mode || 'ok' : sourceIntelligence ? 'blocked' : null,
+        xai_status: sourceIntelligence?.xai_search?.status || sourceIntelligence?.policy?.xai_mcp?.status || null,
+        codex_web_search_status: sourceIntelligence?.codex_web_search?.status || sourceIntelligence?.policy?.codex_web_search?.status || null,
+        goal_mode_status: goalMode?.mode || null,
+        terminal_session_status: terminalClosed ? 'closed' : proof ? 'blocked_or_unverified' : null,
+        tmux_attach_command: tmuxLayout?.attach_command || null,
         blockers,
         agents,
         recent_events: [...eventsTail, ...cockpitEventsTail, ...teamTail].slice(-12),
@@ -81,6 +91,12 @@ export function renderAgentCodexDashboard(state) {
         `- Agents: ${state.agent_count}`,
         `- Concurrency: ${state.concurrency ?? 'unknown'}`,
         `- Proof: ${state.proof_status || 'unknown'}`,
+        `- Source intelligence: ${state.source_intelligence_status || 'unknown'}`,
+        `- X AI: ${state.xai_status || 'unknown'}`,
+        `- Codex Web Search: ${state.codex_web_search_status || 'unknown'}`,
+        `- Goal mode: ${state.goal_mode_status || 'unknown'}`,
+        `- Terminal sessions: ${state.terminal_session_status || 'unknown'}`,
+        `- tmux attach: ${state.tmux_attach_command || 'unknown'}`,
         `- All sessions closed: ${state.all_sessions_closed ?? 'unknown'}`,
         '',
         '| Agent | Persona | Task | State | Heartbeat age | Lease | Blockers | Artifact |',
@@ -125,6 +141,12 @@ function summarizeLiveState(state) {
         concurrency: state.concurrency,
         active_agents: state.agents.filter((agent) => !['closed', 'done', 'completed'].includes(String(agent.status || ''))).length,
         proof_status: state.proof_status,
+        source_intelligence_status: state.source_intelligence_status,
+        xai_status: state.xai_status,
+        codex_web_search_status: state.codex_web_search_status,
+        goal_mode_status: state.goal_mode_status,
+        terminal_session_status: state.terminal_session_status,
+        tmux_attach_command: state.tmux_attach_command,
         blockers: state.blockers,
     };
 }

package/dist/core/agents/agent-orchestrator.d.ts

@@ -143,6 +143,10 @@ export declare function runNativeAgentOrchestrator(opts?: AgentRunOptions): Prom
             no_overlap_ok: boolean;
             ledger_hash_chain_ok: boolean;
             all_sessions_closed: boolean;
+            terminal_sessions_closed: any;
+            terminal_close_report: string;
+            tmux_attach_command: string | null;
+            tmux_lane_manifest: string;
             output_schema_ok: boolean;
             output_tail_report: string;
             output_tail_records: number;
@@ -157,7 +161,7 @@ export declare function runNativeAgentOrchestrator(opts?: AgentRunOptions): Prom
         generated_at: string;
         records: {
             schema: string;
-            kind: "recursion_attempt" | "lease_conflict" | "session_not_closed" | "schema_invalid_output" | "stale_heartbeat" | "legacy_multiagent_runtime_usage_attempt";
+            kind: "xai_available_not_used" | "context7_missing" | "codex_web_search_missing" | "recursion_attempt" | "lease_conflict" | "session_not_closed" | "terminal_missing" | "terminal_not_closed" | "schema_invalid_output" | "stale_heartbeat" | "legacy_multiagent_runtime_usage_attempt";
             blocker: string;
             created_at: string;
             status: string;
@@ -177,6 +181,11 @@ export declare function runNativeAgentOrchestrator(opts?: AgentRunOptions): Prom
         all_sessions_closed: boolean;
         launched_count: number;
         closed_session_count: number;
+        terminal_sessions_closed: boolean;
+        terminal_session_count: number;
+        terminal_close_report: string;
+        tmux_lane_manifest: string;
+        tmux_lane_manifest_ok: boolean;
         ledger_hash_chain_ok: boolean;
         no_overlap_ok: boolean;
         consensus_ok: boolean;