sneakoscope 1.18.5 → 1.18.7

package/README.md

@@ -6,11 +6,17 @@ Sneakoscope Codex (`sks`) is a Codex CLI/App harness that makes repeatable Codex
 
 SKS does not try to clone every other harness. It focuses on one thing: making Codex work auditable, visual-evidence-bound, safety-gated, and reproducible through Completion Proof.
 
+## LLM Init Prompt for Hermes / OpenClaw Agent Builders
+
+```text
+Set up this agent project with Sneakoscope Codex. Use [[mandarange/Sneakoscope-Codex](https://github.com/mandarange/Sneakoscope-Codex)] as the repo reference and [npm i -g sneakoscope] as the recommended global install command, then run the appropriate `sks` setup, doctor, Codex App, and proof checks for this repo. Keep generated SKS state out of source control unless documented, and record every version-facing change in CHANGELOG.md.
+```
+
 ![Sneakoscope Codex Trust Layer](docs/assets/sneakoscope-architecture-pipeline.jpg)
 
 ## Current Release
 
-SKS **1.18.5** wires the 1.18.4 real-proof tools into the runtime lifecycle: real tmux mode now writes before-drain, after-drain, and final physical pane proof artifacts; real Codex dynamic smoke validates output-schema/result-file/process cleanup and reports `fixture_instrumented_real` honestly; `sks agent close/cleanup` performs process-tree-aware SIGTERM/SIGKILL cleanup; and the task graph carries AST/import/test ownership, critical path, and runtime truth matrix evidence.
+SKS **1.18.7** closes the Codex 0.134 ultra-stability loop: the release matrix now covers `--profile` as the primary selector, bounded local Codex history search, managed proxy propagation, MCP 0.134 environment/OAuth/schema/readOnlyHint policy, proof-safe parallel agent patches, runtime truth P6 rows, the 1.18.7 release gate audit, MAD-SKS as general scoped permission widening, and gpt-image-2 imagegen as a core evidence capability.
 
 ```bash
 sks mad-sks plan --target-root <path> --json
@@ -30,6 +36,13 @@ npm run agent:ast-aware-work-graph
 npm run proof:fake-vs-real-policy
 npm run proof:fake-real-policy-v2
 npm run release:runtime-truth-matrix
+npm run codex:0.134-official-compat
+npm run codex:profile-primary
+npm run codex:managed-proxy-env
+npm run mcp:0.134-modernization
+npm run source-intelligence:codex-history-search
+npm run agent:parallel-write-kernel
+npm run release:gate-existence-audit
 npm run route:blackbox-realism
 npm run release:real-check
 npm run agent:backfill-route-blackbox
@@ -37,7 +50,7 @@ npm run team:actual-route-backfill
 npm run release:readiness
 ```
 
-Detailed release history lives in [CHANGELOG.md](CHANGELOG.md). Current release gate status lives in [docs/release-readiness.md](docs/release-readiness.md).
+Detailed release history lives in [CHANGELOG.md](CHANGELOG.md); every version-facing change should be recorded there before release. Current release gate status lives in [docs/release-readiness.md](docs/release-readiness.md).
 
 ## Documentation
 
@@ -72,7 +85,9 @@ Detailed release history lives in [CHANGELOG.md](CHANGELOG.md). Current release
 - Agent cleanup executor: [docs/agent-cleanup-executor.md](docs/agent-cleanup-executor.md)
 - Intelligent work graph: [docs/intelligent-work-graph.md](docs/intelligent-work-graph.md)
 - Fake vs real proof policy: [docs/fake-vs-real-proof-policy.md](docs/fake-vs-real-proof-policy.md)
-- Migration 1.18.4 to 1.18.5: [docs/migration-1.18.4-to-1.18.5.md](docs/migration-1.18.4-to-1.18.5.md)
+- Runtime truth matrix: [docs/runtime-truth-matrix.md](docs/runtime-truth-matrix.md)
+- Warp MAD tmux lanes: [docs/warp-mad-tmux-lanes.md](docs/warp-mad-tmux-lanes.md)
+- Migration 1.18.6 to 1.18.7: [docs/migration-1.18.6-to-1.18.7.md](docs/migration-1.18.6-to-1.18.7.md)
 - Codex official Goal mode: [docs/codex-official-goal-mode.md](docs/codex-official-goal-mode.md)
 - Release parallel full coverage: [docs/release-parallel-full-coverage.md](docs/release-parallel-full-coverage.md)
 - Priority closure P0-P4: [docs/priority-closure-p0-p4.md](docs/priority-closure-p0-p4.md)
@@ -92,6 +107,8 @@ Detailed release history lives in [CHANGELOG.md](CHANGELOG.md). Current release
 
 ## 60-second start
 
+Recommended install: use the global npm package so `sks` and the Codex App `$` skills are refreshed together.
+
 ```sh
 npm i -g sneakoscope
 sks root
@@ -115,7 +132,7 @@ sks rust smoke --json
 
 ## Install Options
 
-Install globally, then run `sks` from either a project or any global shell location:
+Recommended: install globally with `npm i -g sneakoscope`, then run `sks` from either a project or any global shell location:
 
 ```sh
 npm i -g sneakoscope
@@ -123,7 +140,7 @@ sks root
 sks doctor
 ```
 
-`npm i -g sneakoscope` automatically refreshes the `sks` command shim, global Codex App `$` skills, and SKS bootstrap surface. When the install is run from a project, postinstall bootstraps that project. When it is run outside a repo/project marker, postinstall bootstraps the per-user global runtime root instead of writing `.sneakoscope` into a random current directory. `sks root` tells you which root SKS will use.
+`npm i -g sneakoscope` is the recommended install path. It automatically refreshes the `sks` command shim, global Codex App `$` skills, and SKS bootstrap surface. When the install is run from a project, postinstall bootstraps that project. When it is run outside a repo/project marker, postinstall bootstraps the per-user global runtime root instead of writing `.sneakoscope` into a random current directory. `sks root` tells you which root SKS will use.
 
 If you only want a one-shot run without keeping `sks` installed globally:
 
@@ -184,7 +201,7 @@ The default `sks` runtime checks npm for newer `sneakoscope` and `@openai/codex`
 
 ### Global Install
 
-Use this when you want `sks` available from any repo:
+Use this recommended path when you want `sks` available from any repo:
 
 ```sh
 npm i -g sneakoscope
@@ -278,7 +295,7 @@ sks codex-lb repair
 sks
 ```
 
-Bare `sks` can also prompt for codex-lb auth; SKS stores the base URL/key in `~/.codex/sks-codex-lb.env`, writes the codex-lb Codex CLI / IDE Extension provider block into `~/.codex/config.toml` for Codex App routing, loads the provider env key for tmux launches, and syncs the macOS user launch environment so the Codex App can see `CODEX_LB_API_KEY` after restart. If the provider block disappears but the stored env file is still recoverable, bare `sks`, npm postinstall upgrades, `sks doctor --fix`, and `sks codex-lb repair` restore it with `env_key = "CODEX_LB_API_KEY"`, `supports_websockets = true`, and `requires_openai_auth = false`; PPT/imagegen bridge checks treat that env-key provider as configured without requiring OpenAI OAuth. If an older SKS release left the codex-lb dashboard key only in the shared Codex `auth.json` login cache, SKS migrates that key back into `~/.codex/sks-codex-lb.env` when a codex-lb provider or env base URL is already recoverable. It does not rewrite the shared Codex `auth.json` login cache by default; set `SKS_CODEX_LB_SYNC_CODEX_LOGIN=1` only if you intentionally want the old API-key login-cache behavior. When codex-lb is active, SKS opens a fresh `sks-codex-lb-*` tmux session and sweeps older detached codex-lb sessions for the same repo before launch so stale Responses API chains are not reused. Configured launch paths run a response-chain health check. `previous_response_not_found` is treated as a stateless-LB warning and keeps codex-lb active. Hard failures are surfaced to the user; SKS only bypasses codex-lb when the user chooses OAuth fallback or `SKS_CODEX_LB_AUTOBYPASS=1` is set.
+Bare `sks` can also prompt for codex-lb auth; SKS stores the base URL/key in `~/.codex/sks-codex-lb.env`, writes the codex-lb Codex CLI / IDE Extension provider block into `~/.codex/config.toml` for Codex App routing, loads the provider env key for tmux launches, and syncs the macOS user launch environment so the Codex App can see `CODEX_LB_API_KEY` after restart. If the provider block disappears but the stored env file is still recoverable, bare `sks`, npm postinstall upgrades, `sks doctor --fix`, and `sks codex-lb repair` restore it with `env_key = "CODEX_LB_API_KEY"`, `supports_websockets = true`, and `requires_openai_auth = false`; imagegen checks may record this provider as configured codex-lb routing, but it is not accepted as official Codex App `$imagegen` evidence. If an older SKS release left the codex-lb dashboard key only in the shared Codex `auth.json` login cache, SKS migrates that key back into `~/.codex/sks-codex-lb.env` when a codex-lb provider or env base URL is already recoverable. It does not rewrite the shared Codex `auth.json` login cache by default; set `SKS_CODEX_LB_SYNC_CODEX_LOGIN=1` only if you intentionally want the old API-key login-cache behavior. When codex-lb is active, SKS opens a fresh `sks-codex-lb-*` tmux session and sweeps older detached codex-lb sessions for the same repo before launch so stale Responses API chains are not reused. Configured launch paths run a response-chain health check. `previous_response_not_found` is treated as a stateless-LB warning and keeps codex-lb active. Hard failures are surfaced to the user; SKS only bypasses codex-lb when the user chooses OAuth fallback or `SKS_CODEX_LB_AUTOBYPASS=1` is set.
 
 If codex-lb provider auth drifts after launch/reinstall, run `sks doctor --fix` or `sks codex-lb repair`; to replace it, run `sks codex-lb reconfigure --host <domain> --api-key <key>`.
 
@@ -315,10 +332,10 @@ This flips `model_provider` away from `codex-lb` in the top-level Codex App conf
 
 ```sh
 sks --mad
-sks --mad --yes
+sks --mad --allow-package-install --allow-service-control --allow-network --yes
 ```
 
-This syncs existing codex-lb provider auth, creates/uses the `sks-mad-high` full-access profile, opens the MAD-SKS permission gate for that tmux run, and launches a single Codex CLI pane. The session recreates the named session so stale split-pane MAD sessions collapse back to one pane. Catastrophic database wipe/all-row/project-management safeguards remain active, and the pipeline contract still forbids unrequested fallback implementation code.
+This syncs existing codex-lb provider auth, creates/uses the `sks-mad-high` high-power maintenance profile, opens the MAD-SKS permission gate for that tmux run, and launches a single Codex CLI pane. Bare `sks --mad` grants target-project file and shell scope only; add explicit `--allow-*` flags for packages, services, network, Computer Use, browser use, generated assets, file permissions, DB writes, or other high-risk scopes. MAD-SKS is not a DB-only unlock: it is explicit user authorization to widen approved target-project scopes. The session recreates the named session so stale split-pane MAD sessions collapse back to one pane. Catastrophic database wipe/all-row/project-management safeguards remain active, and the pipeline contract still forbids unrequested fallback implementation code.
 
 Before launching, SKS checks npm for a newer `sneakoscope`; answer `y` to update or `n` to continue. Use `--yes` to approve missing dependency installs automatically.
 
@@ -362,6 +379,7 @@ Effort is assigned per agent. Simple read-only/docs slices can run low, ordinary
 ```sh
 sks qa-loop prepare "http://localhost:3000"
 sks qa-loop run latest --max-cycles 2
+sks codex-app chrome-extension --json
 sks goal create "persist this migration workflow"
 sks research prepare "evaluate this approach"
 sks research run latest --max-cycles 12 --cycle-timeout-minutes 120
@@ -395,7 +413,7 @@ sks code-structure scan --json
 
 ### Ambiguity Questions
 
-Clarification asks only for ambiguity that changes execution; predictable defaults are inferred and sealed. `sks skill-dream` records cheap counters and periodically writes advisory skill reports. `$Goal` controls native `/goal` persistence without replacing the selected execution route. `$Computer-Use` / `$CU` is the fast Codex Computer Use lane for UI/browser/visual work.
+Clarification asks only for ambiguity that changes execution; predictable defaults are inferred and sealed. `sks skill-dream` records cheap counters and periodically writes advisory skill reports. `$Goal` controls native `/goal` persistence without replacing the selected execution route. Web, browser, localhost, website, webapp, and web-based app verification use the official Codex Chrome Extension path first; if it is not installed/enabled, SKS stops and asks the user to set it up before resuming. `$Computer-Use` / `$CU` is now reserved for native macOS, desktop-app, OS-settings, and non-web visual work.
 
 ### Create A Presentation
 
@@ -417,6 +435,7 @@ After installing, run:
 ```sh
 sks bootstrap
 sks codex-app check
+sks codex-app chrome-extension --json
 sks codex-app remote-control --status
 sks dollar-commands
 ```
@@ -427,9 +446,11 @@ For headless remotely controllable Codex App/server sessions on Codex CLI 0.130.
 sks codex-app remote-control -- --help
 ```
 
-`sks codex-app check` reports whether the installed Codex CLI is new enough, whether the required app flags are visible, whether Fast/speed-selector config is unlocked, whether Codex App Git Actions can use Commit, Push, Commit and Push, and PR flows, and whether installed OpenAI default plugins such as Browser, Chrome, Computer Use, Documents, Presentations, Spreadsheets, and LaTeX are enabled. When codex-lb is configured, SKS keeps it selected as the top-level Codex App provider while still preserving required app flags and plugin settings. Codex CLI 0.130.0+ app-server/remote-control threads can pick up config changes live; older CLI/TUI sessions should still be restarted after `.codex/config.toml` or MCP/plugin changes.
+`sks codex-app check` reports whether the installed Codex CLI is new enough, whether the required app flags are visible, whether Fast/speed-selector config is unlocked, whether Codex App Git Actions can use Commit, Push, Commit and Push, and PR flows, whether the Codex Chrome Extension path is ready for web/browser/webapp verification, and whether installed OpenAI default plugins such as Browser, Chrome, Computer Use, Documents, Presentations, Spreadsheets, and LaTeX are enabled. `sks codex-app chrome-extension --json` is the rapid preflight for web QA/UX/browser routes. When codex-lb is configured, SKS keeps it selected as the top-level Codex App provider while still preserving required app flags and plugin settings. Codex CLI 0.130.0+ app-server/remote-control threads can pick up config changes live; older CLI/TUI sessions should still be restarted after `.codex/config.toml` or MCP/plugin changes.
+
+For web-related verification, SKS follows the official Codex Chrome Extension setup path first: https://developers.openai.com/codex/app/chrome-extension. `$QA-LOOP`, `$UX-Review`, `$Image-UX-Review`, browser smoke, authenticated web checks, localhost checks, and web visual review must halt quickly if that extension is missing or disabled. Only after the user says the extension setup is complete should the pipeline resume. Codex Computer Use is for native Mac/non-web targets only; it must not be used as browser/web-app verification evidence.
 
-Image-review routes are intentionally strict. `$Image-UX-Review`, `$UX-Review`, `$Visual-Review`, and `$UI-UX-Review` require real Codex App `$imagegen`/`gpt-image-2` generated annotated review images before `image-ux-review-gate.json` can pass; disabled or missing `image_generation` remains a blocker that `sks codex-app check` and selftest cover.
+Imagegen is a core SKS capability, not a decorative add-on. `$Image-UX-Review`, `$UX-Review`, `$Visual-Review`, `$UI-UX-Review`, and PPT generated-review paths require real Codex App `$imagegen`/`gpt-image-2` output before full visual verification can pass. For newest-model image requests, prompts should say "Use ChatGPT Images 2.0 / GPT Image 2.0 with gpt-image-2" while still invoking Codex App `$imagegen` when live generation is needed. Use `imagegen-source-scout` when current official docs plus X/social prompt-workflow signals are needed; social sources are prompt heuristics only, not capability or evidence specs. `npm run imagegen:capability` checks that the official Codex App imagegen surface is visible and records that capability detection is not output proof; OpenAI API, Responses image-generation, codex-lb, or `CODEX_LB_API_KEY` fallbacks are non-Codex paths and do not satisfy Codex App generated-image evidence unless a separate API fallback task is explicitly requested. The README architecture asset uses the same rule: run `npm run imagegen:readme-architecture:prompt` to print/write the official prompt, generate the image in Codex App `$imagegen`, then rerun `npm run imagegen:readme-architecture -- --output <path>` after Codex App creates a real gpt-image-2 output. When exactly one current generated_images candidate exists after the prompt, `npm run imagegen:readme-architecture -- --auto-pick-latest` can select it automatically. To let the verifier wait while Codex App writes the file, use `npm run imagegen:readme-architecture -- --wait-ms <milliseconds>`; it still accepts only one current candidate under `$CODEX_HOME/generated_images`. Env forms such as `SKS_CODEX_APP_IMAGEGEN_OUTPUT=<path>` remain supported for automation. Use the selected file directly under `$CODEX_HOME/generated_images`; moved or copied files are not accepted as provenance evidence. Disabled or missing `image_generation` remains a blocker that `sks codex-app check`, `npm run imagegen:capability`, and selftest cover.
 
 Then open Codex App and use prompt commands directly in the chat. Examples:
 
@@ -577,7 +598,7 @@ sks codex-app check
 codex mcp list
 ```
 
-Codex App workflows need the app installed. UI/browser evidence requires first-party Codex Computer Use, and generated raster/image-review evidence requires real `$imagegen`/`gpt-image-2` output. After setup/upgrade, start a fresh thread so Codex reloads plugin tools.
+Codex App workflows need the app installed. Web/browser evidence requires the Codex Chrome Extension path, native Mac/non-web visual evidence requires first-party Codex Computer Use, and generated raster/image-review evidence requires real `$imagegen`/`gpt-image-2` output. After setup/upgrade, start a fresh thread so Codex reloads plugin tools.
 
 ### Codex App commit/push is blocked
 

package/crates/sks-core/Cargo.lock

@@ -76,7 +76,7 @@ dependencies = [
 
 [[package]]
 name = "sks-core"
-version = "1.18.5"
+version = "1.18.7"
 dependencies = [
  "serde_json",
 ]

package/crates/sks-core/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "sks-core"
-version = "1.18.5"
+version = "1.18.7"
 edition = "2021"
 
 [dependencies]

package/crates/sks-core/src/main.rs

@@ -4,7 +4,7 @@ use std::io::{self, Read, Seek, SeekFrom};
 fn main() {
     let mut args = std::env::args().skip(1);
     match args.next().as_deref() {
-        Some("--version") => println!("sks-rs 1.18.5"),
+        Some("--version") => println!("sks-rs 1.18.7"),
         Some("compact-info") => {
             let mut input = String::new();
             let _ = io::stdin().read_to_string(&mut input);

package/dist/.sks-build-stamp.json

@@ -1,8 +1,8 @@
 {
   "schema": "sks.dist-build-stamp.v1",
   "package_name": "sneakoscope",
-  "package_version": "1.18.5",
-  "source_digest": "25698b68e8f9d6ff16ac94f404e60d99db9841e8e85a0f8c5831069a744434cc",
-  "source_file_count": 1430,
-  "built_at_source_time": 1779807721873
+  "package_version": "1.18.7",
+  "source_digest": "49e153f303c7d5abf79e2f2fe77ecfd9215172f34b2fb944fd34095aa9bf638c",
+  "source_file_count": 1466,
+  "built_at_source_time": 1779875860601
 }

package/dist/bin/sks.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-const FAST_PACKAGE_VERSION = '1.18.3';
+const FAST_PACKAGE_VERSION = '1.18.7';
 const args = process.argv.slice(2);
 try {
     if (args[0] === '--version' || args[0] === '-v' || args[0] === 'version') {

package/dist/build-manifest.json

@@ -1,16 +1,16 @@
 {
   "schema": "sks.dist-build.v2",
-  "version": "1.18.5",
-  "package_version": "1.18.5",
+  "version": "1.18.7",
+  "package_version": "1.18.7",
   "typescript": true,
   "mjs_runtime_files": 0,
-  "compiled_file_count": 874,
-  "compiled_js_count": 437,
-  "compiled_dts_count": 437,
-  "source_digest": "25698b68e8f9d6ff16ac94f404e60d99db9841e8e85a0f8c5831069a744434cc",
-  "source_file_count": 1430,
-  "source_files_hash": "f8db0c06ebed73d7f4ee1f33117ef1dc633b59312f6d976ca6abf2e525d527fe",
-  "source_list_hash": "f8db0c06ebed73d7f4ee1f33117ef1dc633b59312f6d976ca6abf2e525d527fe",
+  "compiled_file_count": 896,
+  "compiled_js_count": 448,
+  "compiled_dts_count": 448,
+  "source_digest": "49e153f303c7d5abf79e2f2fe77ecfd9215172f34b2fb944fd34095aa9bf638c",
+  "source_file_count": 1466,
+  "source_files_hash": "743d83c31ee39e65ac8d73c42993b5baffed6474210ec913259194ca1e58900f",
+  "source_list_hash": "743d83c31ee39e65ac8d73c42993b5baffed6474210ec913259194ca1e58900f",
   "src_mjs_runtime_files": 0,
   "dist_stamp_schema": "sks.dist-build-stamp.v1",
   "files": [
@@ -214,12 +214,22 @@
     "core/agents/agent-ledger-schemas.js",
     "core/agents/agent-lifecycle.d.ts",
     "core/agents/agent-lifecycle.js",
+    "core/agents/agent-merge-coordinator.d.ts",
+    "core/agents/agent-merge-coordinator.js",
     "core/agents/agent-message-bus.d.ts",
     "core/agents/agent-message-bus.js",
     "core/agents/agent-orchestrator.d.ts",
     "core/agents/agent-orchestrator.js",
     "core/agents/agent-output-validator.d.ts",
     "core/agents/agent-output-validator.js",
+    "core/agents/agent-patch-apply-worker.d.ts",
+    "core/agents/agent-patch-apply-worker.js",
+    "core/agents/agent-patch-proof.d.ts",
+    "core/agents/agent-patch-proof.js",
+    "core/agents/agent-patch-queue.d.ts",
+    "core/agents/agent-patch-queue.js",
+    "core/agents/agent-patch-schema.d.ts",
+    "core/agents/agent-patch-schema.js",
     "core/agents/agent-persona.d.ts",
     "core/agents/agent-persona.js",
     "core/agents/agent-plan.d.ts",
@@ -358,8 +368,12 @@
     "core/codex-lb/codex-lb-setup.js",
     "core/codex-model-guard.d.ts",
     "core/codex-model-guard.js",
+    "core/codex/codex-0-134-compat.d.ts",
+    "core/codex/codex-0-134-compat.js",
     "core/codex/codex-web-search-adapter.d.ts",
     "core/codex/codex-web-search-adapter.js",
+    "core/codex/managed-proxy-env.d.ts",
+    "core/codex/managed-proxy-env.js",
     "core/codex/official-goal-mode.d.ts",
     "core/codex/official-goal-mode.js",
     "core/commands/agent-command.d.ts",
@@ -598,6 +612,8 @@
     "core/mad-sks/guard-middleware.js",
     "core/mad-sks/immutable-harness-guard.d.ts",
     "core/mad-sks/immutable-harness-guard.js",
+    "core/mad-sks/mad-tmux-lane-proof.d.ts",
+    "core/mad-sks/mad-tmux-lane-proof.js",
     "core/mad-sks/permission-model.d.ts",
     "core/mad-sks/permission-model.js",
     "core/mad-sks/proof-evidence.d.ts",
@@ -612,6 +628,8 @@
     "core/mad-sks/write-guard.js",
     "core/managed-paths.d.ts",
     "core/managed-paths.js",
+    "core/mcp/mcp-0-134-policy.d.ts",
+    "core/mcp/mcp-0-134-policy.js",
     "core/mcp/xai-mcp-detector.d.ts",
     "core/mcp/xai-mcp-detector.js",
     "core/mcp/xai-search-adapter.d.ts",
@@ -743,6 +761,8 @@
     "core/proof/route-proof-gate.js",
     "core/proof/route-proof-policy.d.ts",
     "core/proof/route-proof-policy.js",
+    "core/proof/runtime-truth-matrix.d.ts",
+    "core/proof/runtime-truth-matrix.js",
     "core/proof/selftest-proof-fixtures.d.ts",
     "core/proof/selftest-proof-fixtures.js",
     "core/proof/validation.d.ts",
@@ -769,6 +789,8 @@
     "core/session/project-namespace.js",
     "core/skill-forge.d.ts",
     "core/skill-forge.js",
+    "core/source-intelligence/codex-history-search.d.ts",
+    "core/source-intelligence/codex-history-search.js",
     "core/source-intelligence/source-intelligence-policy.d.ts",
     "core/source-intelligence/source-intelligence-policy.js",
     "core/source-intelligence/source-intelligence-proof.d.ts",

package/dist/cli/command-registry.js

@@ -122,8 +122,8 @@ export const COMMANDS = {
     'ux-review': entry('labs', 'Alias for image UX review', 'dist/core/commands/image-ux-review-command.js', commandArgsCommand(() => import('../core/commands/image-ux-review-command.js'), 'imageUxReviewCommand', 'dist/core/commands/image-ux-review-command.js')),
     'visual-review': entry('labs', 'Alias for image UX review', 'dist/core/commands/image-ux-review-command.js', commandArgsCommand(() => import('../core/commands/image-ux-review-command.js'), 'imageUxReviewCommand', 'dist/core/commands/image-ux-review-command.js')),
     'ui-ux-review': entry('labs', 'Alias for image UX review', 'dist/core/commands/image-ux-review-command.js', commandArgsCommand(() => import('../core/commands/image-ux-review-command.js'), 'imageUxReviewCommand', 'dist/core/commands/image-ux-review-command.js')),
-    'computer-use': entry('beta', 'Record Computer Use visual evidence', 'dist/core/commands/computer-use-command.js', commandArgsCommand(() => import('../core/commands/computer-use-command.js'), 'computerUseCommand', 'dist/core/commands/computer-use-command.js')),
-    cu: entry('beta', 'Alias for Computer Use', 'dist/core/commands/computer-use-command.js', commandArgsCommand(() => import('../core/commands/computer-use-command.js'), 'computerUseCommand', 'dist/core/commands/computer-use-command.js')),
+    'computer-use': entry('beta', 'Record native Mac/non-web Computer Use visual evidence', 'dist/core/commands/computer-use-command.js', commandArgsCommand(() => import('../core/commands/computer-use-command.js'), 'computerUseCommand', 'dist/core/commands/computer-use-command.js')),
+    cu: entry('beta', 'Alias for native Computer Use', 'dist/core/commands/computer-use-command.js', commandArgsCommand(() => import('../core/commands/computer-use-command.js'), 'computerUseCommand', 'dist/core/commands/computer-use-command.js')),
     context7: entry('beta', 'Context7 checks and docs', 'dist/cli/context7-command.js', subcommand(() => import('./context7-command.js'), 'context7Command', 'dist/cli/context7-command.js', 'check')),
     recallpulse: entry('labs', 'RecallPulse evidence route', 'dist/commands/recallpulse.js', directCommand(() => import('../commands/recallpulse.js'), 'dist/commands/recallpulse.js')),
     pipeline: entry('beta', 'Inspect pipeline missions', 'dist/commands/pipeline.js', directCommand(() => import('../commands/pipeline.js'), 'dist/commands/pipeline.js')),

package/dist/commands/codex-app.js

@@ -1,11 +1,26 @@
 import { flag } from '../cli/args.js';
 import { printJson } from '../cli/output.js';
-import { codexAccessTokenStatus, codexAppIntegrationStatus, formatCodexAppStatus } from '../core/codex-app.js';
+import { codexAccessTokenStatus, codexAppIntegrationStatus, codexChromeExtensionStatus, formatCodexAppStatus } from '../core/codex-app.js';
 import { codexAppRemoteControlCommand } from '../cli/codex-app-command.js';
 export async function run(_command, args = []) {
     const action = args[0] || 'check';
     if (action === 'remote-control' || action === 'remote')
         return codexAppRemoteControlCommand(args.slice(1));
+    if (action === 'chrome-extension' || action === 'chrome') {
+        const status = await codexChromeExtensionStatus();
+        if (flag(args, '--json')) {
+            printJson(status);
+            if (!status.ok)
+                process.exitCode = 1;
+            return;
+        }
+        console.log(`Codex Chrome Extension: ${status.ok ? 'available' : status.status}`);
+        for (const line of status.guidance || [])
+            console.log(`- ${line}`);
+        if (!status.ok)
+            process.exitCode = 1;
+        return;
+    }
     if (action === 'pat') {
         const status = codexAccessTokenStatus();
         if (flag(args, '--json'))
@@ -29,7 +44,7 @@ export async function run(_command, args = []) {
             process.exitCode = 1;
         return;
     }
-    console.error('Usage: sks codex-app check|status|pat status|remote-control [--json]');
+    console.error('Usage: sks codex-app check|status|chrome-extension|pat status|remote-control [--json]');
     process.exitCode = 1;
 }
 //# sourceMappingURL=codex-app.js.map

package/dist/commands/codex.js

@@ -1,4 +1,4 @@
-import { flag } from '../cli/args.js';
+import { flag, readOption } from '../cli/args.js';
 import { printJson } from '../cli/output.js';
 import { codexCompatibilityReport, codexDoctorReport } from '../core/codex-compat/codex-compat-report.js';
 import { codexVersionReport } from '../core/codex-compat/codex-version.js';
@@ -6,7 +6,8 @@ import { codexSchemaSnapshotReport } from '../core/codex-compat/codex-schema-sna
 export async function run(_command, args = []) {
     const action = args[0] || 'compatibility';
     if (action === 'compatibility' || action === 'compat') {
-        const result = await codexCompatibilityReport();
+        const requiredBaseline = readOption(args, '--require', null);
+        const result = await codexCompatibilityReport({ requiredBaseline, require: requiredBaseline });
         if (flag(args, '--json'))
             return printJson(result);
         console.log(`Codex compatibility: ${result.ok ? result.status : 'blocked'} (${result.required_baseline})`);

package/dist/commands/dfix.d.ts

@@ -103,6 +103,13 @@ export declare function run(command: any, args?: any): Promise<void | {
         };
         selected_template: import("../core/dfix/patch-templates.js").DfixPatchTemplate | null;
         mode: string;
+        route_parallel_write: {
+            write_mode: any;
+            apply_patches: boolean;
+            dry_run_patches: boolean;
+            max_write_agents: number;
+            route_level_flags_wired: boolean;
+        };
         target_file: any;
         find_text_present: boolean;
         replace_text_present: boolean;
@@ -154,6 +161,13 @@ export declare function run(command: any, args?: any): Promise<void | {
         created_at: string;
         explicit_apply_opt_in: boolean;
         apply_opt_in: boolean;
+        route_parallel_write: {
+            write_mode: any;
+            apply_patches: boolean;
+            dry_run_patches: boolean;
+            max_write_agents: number;
+            route_level_flags_wired: boolean;
+        };
         patch_mode: any;
         patch_result_present: boolean;
         patch_applied: any;

package/dist/commands/image-ux-review.d.ts

@@ -46,6 +46,8 @@ export declare function run(command: any, args?: any): Promise<void | {
                 original_resolution_required: boolean;
                 local_only_default: boolean;
                 accepted_sources: string[];
+                web_capture_doc: string;
+                web_verification_policy: string;
                 privacy: string;
             };
             image_generation_review: {
@@ -298,6 +300,7 @@ export declare function run(command: any, args?: any): Promise<void | {
             contract_hash: any;
             real_source_screenshot_present: boolean;
             computer_use_or_user_screenshot_source: any;
+            official_or_user_screenshot_source: any;
             gpt_image_2_callout_generated: boolean;
             generated_image_ingested: boolean;
             callout_extraction_schema_valid: boolean;
@@ -611,6 +614,9 @@ export declare function run(command: any, args?: any): Promise<void | {
                     Proven: string[];
                     Blocked: string[];
                 };
+                runtime_truth_matrix: string | null;
+                proof_level_by_subsystem: any;
+                fake_real_policy: string | null;
                 blockers: any;
             };
             wrongness: {
@@ -624,6 +630,20 @@ export declare function run(command: any, args?: any): Promise<void | {
                     status: string;
                 }[];
             };
+            parallel_write_policy: {
+                schema: string;
+                generated_at: string;
+                route: string;
+                route_command: string;
+                write_mode: "off" | "proof-safe" | "parallel" | "serial";
+                apply_patches: boolean;
+                dry_run_patches: boolean;
+                max_write_agents: number;
+                readonly: boolean;
+                patch_queue_required: boolean;
+                patch_apply_mode: string;
+                route_level_flags_wired: boolean;
+            };
             proof: {
                 schema: string;
                 ok: boolean;
@@ -635,6 +655,12 @@ export declare function run(command: any, args?: any): Promise<void | {
                 route_command: string;
                 route_blackbox_kind: string;
                 real_route_command_used: boolean;
+                parallel_write_policy: string;
+                parallel_write_route_flags_wired: boolean;
+                parallel_write_mode: any;
+                parallel_write_apply_patches: boolean;
+                parallel_write_dry_run_patches: boolean;
+                parallel_write_max_write_agents: number;
                 real_parallel_claim: boolean;
                 fake_backend_disclaimer: string | null;
                 agent_count: any;
@@ -793,6 +819,8 @@ export declare function run(command: any, args?: any): Promise<void | {
                 original_resolution_required: boolean;
                 local_only_default: boolean;
                 accepted_sources: string[];
+                web_capture_doc: string;
+                web_verification_policy: string;
                 privacy: string;
             };
             image_generation_review: {
@@ -1045,6 +1073,7 @@ export declare function run(command: any, args?: any): Promise<void | {
             contract_hash: any;
             real_source_screenshot_present: boolean;
             computer_use_or_user_screenshot_source: any;
+            official_or_user_screenshot_source: any;
             gpt_image_2_callout_generated: boolean;
             generated_image_ingested: boolean;
             callout_extraction_schema_valid: boolean;
@@ -1185,6 +1214,7 @@ export declare function run(command: any, args?: any): Promise<void | {
         contract_hash: any;
         real_source_screenshot_present: boolean;
         computer_use_or_user_screenshot_source: any;
+        official_or_user_screenshot_source: any;
         gpt_image_2_callout_generated: boolean;
         generated_image_ingested: boolean;
         callout_extraction_schema_valid: boolean;

package/dist/commands/ppt.d.ts

@@ -463,6 +463,9 @@ export declare function run(command: any, args?: any): Promise<void | {
                     Proven: string[];
                     Blocked: string[];
                 };
+                runtime_truth_matrix: string | null;
+                proof_level_by_subsystem: any;
+                fake_real_policy: string | null;
                 blockers: any;
             };
             wrongness: {
@@ -476,6 +479,20 @@ export declare function run(command: any, args?: any): Promise<void | {
                     status: string;
                 }[];
             };
+            parallel_write_policy: {
+                schema: string;
+                generated_at: string;
+                route: string;
+                route_command: string;
+                write_mode: "off" | "proof-safe" | "parallel" | "serial";
+                apply_patches: boolean;
+                dry_run_patches: boolean;
+                max_write_agents: number;
+                readonly: boolean;
+                patch_queue_required: boolean;
+                patch_apply_mode: string;
+                route_level_flags_wired: boolean;
+            };
             proof: {
                 schema: string;
                 ok: boolean;
@@ -487,6 +504,12 @@ export declare function run(command: any, args?: any): Promise<void | {
                 route_command: string;
                 route_blackbox_kind: string;
                 real_route_command_used: boolean;
+                parallel_write_policy: string;
+                parallel_write_route_flags_wired: boolean;
+                parallel_write_mode: any;
+                parallel_write_apply_patches: boolean;
+                parallel_write_dry_run_patches: boolean;
+                parallel_write_max_write_agents: number;
                 real_parallel_claim: boolean;
                 fake_backend_disclaimer: string | null;
                 agent_count: any;

package/dist/commands/tmux.d.ts

@@ -37,6 +37,7 @@ export declare function run(_command: any, args?: any): Promise<void | {
     plugins: {
         computer_use_cache: string | null;
         browser_use_cache: string | null;
+        chrome_cache: string | null;
         default_plugins: {
             ok: boolean;
             checked: boolean;
@@ -60,6 +61,7 @@ export declare function run(_command: any, args?: any): Promise<void | {
             fast_mode_config_ok: boolean;
         };
     };
+    chrome_extension: any;
     guidance: any[];
 }>;
 //# sourceMappingURL=tmux.d.ts.map

package/dist/core/agents/agent-cleanup-executor.d.ts

@@ -8,6 +8,8 @@ export interface AgentCleanupExecutorOptions {
     dryRun?: boolean;
     drain?: boolean;
     staleMs?: number;
+    graceMs?: number;
+    killEscalation?: boolean;
 }
 type CleanupActionKind = 'terminate_process' | 'close_tmux_pane' | 'remove_temp_dir' | 'remove_lock' | 'skip_active_session' | 'skip_foreign_namespace' | 'archive_transcript_keep';
 interface CleanupAction {
@@ -44,12 +46,19 @@ export declare function runAgentCleanupExecutor(opts: AgentCleanupExecutorOption
         target: string;
         tree: ProcessTreeEntry[];
     }[];
+    process_tree_count: number;
     sigterm_planned: string[];
     sigterm_sent: string[];
     sigkill_escalations: string[];
     process_exit_verified: string[];
+    sigterm_count: number;
+    sigkill_count: number;
+    verified_exited_count: number;
+    failed_to_kill_count: number;
     stale_tmux_panes_found: string[];
     stale_tmux_panes_closed: string[];
+    tmux_panes_verified_closed: string[];
+    tmux_close_failures: string[];
     orphan_temp_dirs_found: string[];
     orphan_temp_dirs_removed: string[];
     stale_locks_found: string[];