sneakoscope 1.19.0 → 1.20.2

package/README.md

@@ -16,7 +16,13 @@ Set up this agent project with Sneakoscope Codex. Use [[mandarange/Sneakoscope-C
 
 ## Current Release
 
-SKS **1.19.0** is the MAD Zellij dependency repair release: bootstrap/deps repair and `sks --mad --yes` now install or repair required CLI tooling, including Zellij on macOS/Homebrew, before opening the interactive runtime. npm postinstall still bootstraps and reports missing tools, but it does not silently mutate Homebrew/npm global tools unless `SKS_POSTINSTALL_AUTO_INSTALL_CLI_TOOLS=1` is set. MAD and Team layouts now use Zellij's documented background-layout launch form, and launch failures surface labeled Zellij stderr/stdout tails instead of only `zellij_command_failed`.
+SKS **1.20.2** is a stabilization patch that closes the enforcement/integration/execution layers on top of the 1.20.1 infrastructure: a **Mutation Guard** routes genuinely-risky global/config/permission/package mutations through the Requested-Scope Contract + Mutation Ledger (`safety:mutation-callsite-coverage` fails any unguarded, unallowlisted risky call site); `release:check:dynamic:execute` turns the change-aware planner into a real **caching gate runner** (schema v2, real/heavy gates deferred to `release:real-check`, dynamic-only cannot authorize publish); the **Core Skill** deployed snapshot is now read by the route runtime and recorded in `agent-proof-evidence.json` (`selected_core_skill`), with promotions written to the mutation ledger; and `sks doctor` exposes an explicit **`zellij_readiness`** block (`zellij:doctor-readiness`). See `docs/dynamic-release-pipeline.md`.
+
+SKS **1.20.1** introduces the **SKS Core Skill Engine** — a SkillOpt-style self-evolving skill layer — while locking the harness into a deploy-ready stable build. Skills are the agent's *external, versioned state* (Core Skill Cards): an optimizer proposes **bounded** add/delete/replace edits to a single skill document under a **textual edit budget**, edits are accepted **only on strict held-out improvement**, rejected edits are buffered so they are never retried, and the **deployed snapshot is immutable**. Critically, the optimizer runs only in training/evaluation — the **deployment/inference path reads the deployed snapshot and never makes an extra model call**, and a skill patch can never mutate code/config/package/global files.
+
+1.20.1 also adds a **Requested-Scope Contract + Mutation Ledger** so SKS performs **no side effect the user did not request** (deny-by-default; global/destructive mutations require explicit `--yes`/env opt-in and a backup or no-op reason), and a **dynamic, risk-based release pipeline** (`release:gate-planner` builds `release-gates.json`; `release:check:dynamic` runs only P0 always-on gates plus gates whose files changed; `release:gate-budget` reports the slowest gates) so unrelated heavy gates are skipped during incremental checks while publish never skips a required gate.
+
+It carries forward the 1.19.x hardening unchanged: legacy 1.18.x/1.19.x→1.20.1 **zero-break upgrade** (user `model`/`service_tier`/`model_reasoning_effort` and user-disabled Codex App flags never overwritten; existing skill cards preserved), the **migration transaction journal** (`.sneakoscope/reports/migration-1.20.1-journal.jsonl`), **Zellij launch-command truth** + real-session **heartbeat-timeout blocker** + the redesigned **Zellij lane UI**, **packlist/publish-performance** gates, a **postinstall safe-side-effects** gate, and the **TS source-of-truth / Rust optional-accelerator** boundary (publish never compiles Rust). `sks zellij status`/`repair` inspects the Zellij runtime without auto-installing anything.
 
 ```bash
 sks mad-sks plan --target-root <path> --json

package/crates/sks-core/Cargo.lock

@@ -76,7 +76,7 @@ dependencies = [
 
 [[package]]
 name = "sks-core"
-version = "1.19.0"
+version = "1.20.2"
 dependencies = [
  "serde_json",
 ]

package/crates/sks-core/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "sks-core"
-version = "1.19.0"
+version = "1.20.2"
 edition = "2021"
 
 [dependencies]

package/crates/sks-core/src/main.rs

@@ -4,7 +4,7 @@ use std::io::{self, Read, Seek, SeekFrom};
 fn main() {
     let mut args = std::env::args().skip(1);
     match args.next().as_deref() {
-        Some("--version") => println!("sks-rs 1.19.0"),
+        Some("--version") => println!("sks-rs 1.20.2"),
         Some("compact-info") => {
             let mut input = String::new();
             let _ = io::stdin().read_to_string(&mut input);

package/dist/.sks-build-stamp.json

@@ -1,8 +1,8 @@
 {
   "schema": "sks.dist-build-stamp.v1",
   "package_name": "sneakoscope",
-  "package_version": "1.19.0",
-  "source_digest": "5eecdb85fa4e3cd359035b49803cd3e9ea0174810596807caf55b2507fb33d18",
-  "source_file_count": 1690,
-  "built_at_source_time": 1780116105711
+  "package_version": "1.20.2",
+  "source_digest": "d1ccddca4a2c7be54d3129554ea90f8d07efb093592c1e269399fa0e5b92d3ba",
+  "source_file_count": 1740,
+  "built_at_source_time": 1780235613612
 }

package/dist/bin/sks.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-const FAST_PACKAGE_VERSION = '1.19.0';
+const FAST_PACKAGE_VERSION = '1.20.2';
 const args = process.argv.slice(2);
 try {
     if (args[0] === '--agent' && args[1] === 'worker') {

package/dist/build-manifest.json

@@ -1,16 +1,16 @@
 {
   "schema": "sks.dist-build.v2",
-  "version": "1.19.0",
-  "package_version": "1.19.0",
+  "version": "1.20.2",
+  "package_version": "1.20.2",
   "typescript": true,
   "mjs_runtime_files": 0,
-  "compiled_file_count": 974,
-  "compiled_js_count": 487,
-  "compiled_dts_count": 487,
-  "source_digest": "5eecdb85fa4e3cd359035b49803cd3e9ea0174810596807caf55b2507fb33d18",
-  "source_file_count": 1690,
-  "source_files_hash": "c2267339884b83e1bfed20e6979b80f8a7abc07a05860d74c249d7684cb1c92d",
-  "source_list_hash": "c2267339884b83e1bfed20e6979b80f8a7abc07a05860d74c249d7684cb1c92d",
+  "compiled_file_count": 1016,
+  "compiled_js_count": 508,
+  "compiled_dts_count": 508,
+  "source_digest": "d1ccddca4a2c7be54d3129554ea90f8d07efb093592c1e269399fa0e5b92d3ba",
+  "source_file_count": 1740,
+  "source_files_hash": "7484278e30e61755c2158548e697943af09e5a59de7c6b60018a0ac57848c6ec",
+  "source_list_hash": "7484278e30e61755c2158548e697943af09e5a59de7c6b60018a0ac57848c6ec",
   "src_mjs_runtime_files": 0,
   "dist_stamp_schema": "sks.dist-build-stamp.v1",
   "files": [
@@ -186,6 +186,8 @@
     "commands/wiki.js",
     "commands/zellij-lane.d.ts",
     "commands/zellij-lane.js",
+    "commands/zellij.d.ts",
+    "commands/zellij.js",
     "core/agents/agent-central-ledger.d.ts",
     "core/agents/agent-central-ledger.js",
     "core/agents/agent-cleanup-executor.d.ts",
@@ -616,6 +618,8 @@
     "core/image-ux-review.js",
     "core/image-ux-review/callout-extraction.d.ts",
     "core/image-ux-review/callout-extraction.js",
+    "core/image-ux-review/codex-app-generated-image-discovery.d.ts",
+    "core/image-ux-review/codex-app-generated-image-discovery.js",
     "core/image-ux-review/fix-loop.d.ts",
     "core/image-ux-review/fix-loop.js",
     "core/image-ux-review/fix-task-planner.d.ts",
@@ -630,6 +634,8 @@
     "core/image-ux-review/recapture.js",
     "core/imagegen/gpt-image-2-request-validator.d.ts",
     "core/imagegen/gpt-image-2-request-validator.js",
+    "core/imagegen/imagegen-auth-readiness.d.ts",
+    "core/imagegen/imagegen-auth-readiness.js",
     "core/imagegen/imagegen-capability.d.ts",
     "core/imagegen/imagegen-capability.js",
     "core/init.d.ts",
@@ -690,6 +696,8 @@
     "core/memory-governor.js",
     "core/memory-summary.d.ts",
     "core/memory-summary.js",
+    "core/migration/migration-transaction-journal.d.ts",
+    "core/migration/migration-transaction-journal.js",
     "core/mission.d.ts",
     "core/mission.js",
     "core/mistake-memory.d.ts",
@@ -829,6 +837,10 @@
     "core/recallpulse.js",
     "core/release-parallel-full-coverage.d.ts",
     "core/release-parallel-full-coverage.js",
+    "core/release/gate-cache.d.ts",
+    "core/release/gate-cache.js",
+    "core/release/gate-manifest.d.ts",
+    "core/release/gate-manifest.js",
     "core/reporting/markdown-table.d.ts",
     "core/reporting/markdown-table.js",
     "core/research.d.ts",
@@ -841,12 +853,40 @@
     "core/routes.js",
     "core/rust-accelerator.d.ts",
     "core/rust-accelerator.js",
+    "core/safety/mutation-guard.d.ts",
+    "core/safety/mutation-guard.js",
+    "core/safety/mutation-ledger.d.ts",
+    "core/safety/mutation-ledger.js",
+    "core/safety/requested-scope-contract.d.ts",
+    "core/safety/requested-scope-contract.js",
     "core/secret-redaction.d.ts",
     "core/secret-redaction.js",
     "core/session/project-namespace.d.ts",
     "core/session/project-namespace.js",
     "core/skill-forge.d.ts",
     "core/skill-forge.js",
+    "core/skills/core-rollout-trace.d.ts",
+    "core/skills/core-rollout-trace.js",
+    "core/skills/core-skill-card.d.ts",
+    "core/skills/core-skill-card.js",
+    "core/skills/core-skill-deployment.d.ts",
+    "core/skills/core-skill-deployment.js",
+    "core/skills/core-skill-epoch.d.ts",
+    "core/skills/core-skill-epoch.js",
+    "core/skills/core-skill-patch-apply.d.ts",
+    "core/skills/core-skill-patch-apply.js",
+    "core/skills/core-skill-patch.d.ts",
+    "core/skills/core-skill-patch.js",
+    "core/skills/core-skill-runtime.d.ts",
+    "core/skills/core-skill-runtime.js",
+    "core/skills/core-skill-scorer.d.ts",
+    "core/skills/core-skill-scorer.js",
+    "core/skills/core-skill-types.d.ts",
+    "core/skills/core-skill-types.js",
+    "core/skills/core-skill-validation.d.ts",
+    "core/skills/core-skill-validation.js",
+    "core/skills/rejected-skill-patch-buffer.d.ts",
+    "core/skills/rejected-skill-patch-buffer.js",
     "core/source-intelligence/appshots-evidence.d.ts",
     "core/source-intelligence/appshots-evidence.js",
     "core/source-intelligence/codex-history-search.d.ts",
@@ -875,6 +915,8 @@
     "core/team-review-policy.js",
     "core/triwiki-attention.d.ts",
     "core/triwiki-attention.js",
+    "core/triwiki-runtime.d.ts",
+    "core/triwiki-runtime.js",
     "core/triwiki-wrongness/avoidance-rules.d.ts",
     "core/triwiki-wrongness/avoidance-rules.js",
     "core/triwiki-wrongness/image-wrongness.d.ts",

package/dist/cli/command-registry.d.ts

@@ -50,6 +50,7 @@ export declare const COMMANDS: {
     hermes: CommandEntry;
     tmux: CommandEntry;
     'zellij-lane': CommandEntry;
+    zellij: CommandEntry;
     mad: CommandEntry;
     'mad-sks': CommandEntry;
     'auto-review': CommandEntry;
@@ -137,6 +138,7 @@ export declare const TYPED_COMMANDS: {
     hermes: CommandEntry;
     tmux: CommandEntry;
     'zellij-lane': CommandEntry;
+    zellij: CommandEntry;
     mad: CommandEntry;
     'mad-sks': CommandEntry;
     'auto-review': CommandEntry;

package/dist/cli/command-registry.js

@@ -103,6 +103,7 @@ export const COMMANDS = {
     hermes: entry('labs', 'Create Hermes Agent skill package', 'dist/commands/hermes.js', directCommand(() => import('../commands/hermes.js'), 'dist/commands/hermes.js')),
     tmux: entry('beta', 'Show removed-runtime migration notice', 'dist/commands/tmux.js', directCommand(() => import('../commands/tmux.js'), 'dist/commands/tmux.js')),
     'zellij-lane': entry('beta', 'Render a Zellij lane frame for SKS sessions', 'dist/commands/zellij-lane.js', directCommand(() => import('../commands/zellij-lane.js'), 'dist/commands/zellij-lane.js')),
+    zellij: entry('beta', 'Inspect Zellij runtime status and explain repair (no auto-install)', 'dist/commands/zellij.js', directCommand(() => import('../commands/zellij.js'), 'dist/commands/zellij.js')),
     mad: entry('beta', 'MAD-SKS Zellij permission launcher', 'dist/commands/mad-sks.js', directCommand(() => import('../commands/mad-sks.js'), 'dist/commands/mad-sks.js')),
     'mad-sks': entry('beta', 'MAD-SKS scoped permission modifier', 'dist/commands/mad-sks.js', directCommand(() => import('../commands/mad-sks.js'), 'dist/commands/mad-sks.js')),
     'auto-review': entry('beta', 'Manage auto-review profile', 'dist/commands/auto-review.js', directCommand(() => import('../commands/auto-review.js'), 'dist/commands/auto-review.js')),

package/dist/cli/install-helpers.js

@@ -4,6 +4,8 @@ import fsp from 'node:fs/promises';
 import readline from 'node:readline/promises';
 import { stdin as input, stdout as output } from 'node:process';
 import { ensureDir, exists, globalSksRoot, packageRoot, PACKAGE_VERSION, readText, runProcess, tmpdir, which, writeTextAtomic } from '../core/fsx.js';
+import { createRequestedScopeContract } from '../core/safety/requested-scope-contract.js';
+import { guardedPackageInstall, guardContextForRoute } from '../core/safety/mutation-guard.js';
 import { EMPTY_CODEX_INFO, getCodexInfo } from '../core/codex-adapter.js';
 import { formatHarnessConflictReport, llmHarnessCleanupPrompt, scanHarnessConflicts } from '../core/harness-conflicts.js';
 import { initProject, installSkills } from '../core/init.js';
@@ -2124,10 +2126,14 @@ export async function ensureCodexCliTool({ skip = false, args = [] } = {}) {
     if (!await confirmInstallYesDefault(`Codex CLI is missing. Install latest Codex CLI with ${command}?`, args)) {
         return { status: 'needs_approval', command, error: 'Codex CLI not found on PATH.' };
     }
-    const install = await runProcess(npmBin, ['i', '-g', '@openai/codex@latest'], {
-        timeoutMs: 120000,
-        maxOutputBytes: 128 * 1024
-    }).catch((err) => ({ code: 1, stdout: '', stderr: err.message }));
+    // Global package install is a confirmation-required mutation: route it through
+    // the mutation guard so it is scope-checked and recorded in the ledger. The
+    // user already approved via confirmInstallYesDefault above (confirmed:true).
+    const installRoot = globalSksRoot();
+    const installContract = createRequestedScopeContract({
+        route: 'install', userRequest: command, projectRoot: installRoot, overrides: { package_install: true }
+    });
+    const install = await guardedPackageInstall(guardContextForRoute(installRoot, installContract, command), '@openai/codex@latest', { confirmed: true, command: npmBin, args: ['i', '-g', '@openai/codex@latest'], timeoutMs: 120000 }).catch((err) => ({ code: 1, stdout: '', stderr: err.message }));
     if (install.code !== 0) {
         return { status: 'failed', error: `${install.stderr || install.stdout || 'npm i -g @openai/codex@latest failed'}`.trim() };
     }
@@ -2159,7 +2165,11 @@ export async function ensureZellijCliTool(args = [], opts = {}) {
     if (!await confirmInstallYesDefault(question, args))
         return { target: 'zellij', status: 'needs_approval', command: repairCommand, error: before.blockers[0] || before.warnings[0] || null };
     const brewArgs = hasInstalledZellij ? ['upgrade', 'zellij'] : ['install', 'zellij'];
-    const install = await runProcess(brew, brewArgs, { timeoutMs: 180000, maxOutputBytes: 128 * 1024 }).catch((err) => ({ code: 1, stdout: '', stderr: err.message }));
+    const zellijRoot = globalSksRoot();
+    const zellijContract = createRequestedScopeContract({
+        route: 'install', userRequest: repairCommand, projectRoot: zellijRoot, overrides: { package_install: true, zellij_install: true }
+    });
+    const install = await guardedPackageInstall(guardContextForRoute(zellijRoot, zellijContract, repairCommand), 'zellij', { confirmed: true, command: brew, args: brewArgs, timeoutMs: 180000 }).catch((err) => ({ code: 1, stdout: '', stderr: err.message }));
     if (install.code !== 0)
         return { target: 'zellij', status: 'failed', command: repairCommand, error: `${install.stderr || install.stdout || repairCommand + ' failed'}`.trim() };
     const after = await checkZellijCapability({ require: false, writeReport: false });

package/dist/commands/doctor.js

@@ -13,9 +13,14 @@ import { writeDoctorReadinessMatrix } from '../core/doctor/doctor-readiness-matr
 import { runCodexDoctorBridge, compareCodexDoctorBridge } from '../core/doctor/codex-doctor-bridge.js';
 import { checkZellijCapability } from '../core/zellij/zellij-capability.js';
 import { inventoryCodexPermissionProfiles } from '../core/codex/codex-permission-profiles.js';
+import { appendMigrationEvents, hashConfigText } from '../core/migration/migration-transaction-journal.js';
 export async function run(_command, args = []) {
     let setupRepair = null;
+    let migrationPreFix = null;
     if (flag(args, '--fix')) {
+        // Snapshot config content before ANY mutation so the migration journal can
+        // record real before/after hashes for the whole --fix transaction.
+        migrationPreFix = await captureCodexConfigSnapshot();
         const { setupCommand } = await import('../core/commands/basic-cli.js');
         const installScope = installScopeFromArgs(args);
         // Back up the existing managed project config before --force regeneration so a
@@ -44,6 +49,9 @@ export async function run(_command, args = []) {
     };
     const codexDoctorBefore = flag(args, '--fix') ? await runCodexDoctorBridge({ codexBin: codexBin || null, cwd: root, required: flag(args, '--require-actual-codex') }).catch(() => null) : null;
     const configRepair = flag(args, '--fix') ? await repairCodexConfigEperm(root, { fix: true, ...configProbeOpts }) : null;
+    const migrationJournal = flag(args, '--fix')
+        ? await writeFixMigrationJournal(root, migrationPreFix, configRepair, setupRepair).catch(() => null)
+        : null;
     const codexConfig = configRepair?.after || await inspectCodexConfigReadability(root, configProbeOpts);
     const codexDoctor = await runCodexDoctorBridge({ codexBin: codexBin || null, cwd: root, required: flag(args, '--require-actual-codex') });
     const codexDoctorDiff = compareCodexDoctorBridge(codexDoctorBefore, codexDoctor);
@@ -61,6 +69,8 @@ export async function run(_command, args = []) {
     const codexLb = codexLbMetrics(await readCodexLbCircuit(root).catch(() => ({})));
     const zellij = await checkZellijCapability({ root, require: process.env.SKS_REQUIRE_ZELLIJ === '1' });
     const permissionProfiles = await inventoryCodexPermissionProfiles(root, { writeReport: true });
+    const { detectImagegenCapability } = await import('../core/imagegen/imagegen-capability.js');
+    const imagegen = await detectImagegenCapability({ codexBin: codexBin || undefined }).catch((err) => ({ ok: false, error: err.message, auth_readiness: null }));
     const pkgBytes = await dirSize(root).catch(() => 0);
     const ready = await writeDoctorReadinessMatrix(root, {
         codex,
@@ -77,6 +87,7 @@ export async function run(_command, args = []) {
             ...(configRepair?.operator_actions || [])
         ]
     });
+    const zellijReadiness = buildZellijReadiness(root, zellij, ready);
     const result = {
         schema: 'sks.doctor-status.v1',
         ok: ready.ready,
@@ -90,11 +101,17 @@ export async function run(_command, args = []) {
         codex_doctor: codexDoctor,
         codex_doctor_diff: codexDoctorDiff,
         zellij,
+        zellij_readiness: zellijReadiness,
         codex_permission_profiles: permissionProfiles,
+        imagegen: {
+            ok: imagegen.auth_readiness?.available_paths?.length > 0,
+            auth_readiness: imagegen.auth_readiness || null,
+            codex_app_builtin_available: imagegen.codex_app?.available === true
+        },
         ready,
         sneakoscope: { ok: await exists(`${root}/.sneakoscope`) },
         package: { bytes: pkgBytes, human: formatBytes(pkgBytes) },
-        repair: { setup: setupRepair, codex_config: configRepair }
+        repair: { setup: setupRepair, codex_config: configRepair, migration_journal: migrationJournal }
     };
     if (flag(args, '--json')) {
         printJson(result);
@@ -110,11 +127,26 @@ export async function run(_command, args = []) {
     console.log('Project config:');
     console.log(`  node read:       ${ready.codex_config_readable_by_node ? 'ok' : 'failed'}`);
     console.log(`  codex cli read:  ${ready.codex_config_readable_by_codex_cli ? 'ok' : (actual?.status || 'failed')}`);
-    console.log(`  Zellij:          ${zellij.status}`);
     console.log(`  removed runtime: tmux`);
+    console.log('Zellij:');
+    console.log(`  binary:      ${zellijReadiness.binary} ${zellijReadiness.version || ''} ${zellijReadiness.status === 'ok' ? 'ok' : zellijReadiness.status}`);
+    console.log(`  required_for: ${zellijReadiness.required_for.join(', ')}`);
+    console.log(`  layout:      ${zellijReadiness.layout_proof}`);
+    console.log(`  pane proof:  ${zellijReadiness.pane_proof}`);
+    console.log(`  screen proof:${zellijReadiness.screen_proof}`);
+    console.log(`  tmux:        ${zellijReadiness.tmux_removed_runtime ? 'removed_runtime' : 'present'}`);
     console.log(`  codex doctor:    ${codexDoctor.available ? (codexDoctor.exit_code === 0 ? 'ok' : 'warning') : 'unavailable'}`);
     console.log(`Rust acc.: ${rust.mode || (rust.available ? 'rust_accelerated' : 'js_fallback')} ${rust.version || rust.status || ''}`);
     console.log(`Codex App: ${ready.codex_app_ready ? 'ok' : 'optional_missing'}`);
+    const imagegenReady = imagegen.auth_readiness;
+    if (imagegenReady) {
+        const paths = imagegenReady.available_paths?.length ? imagegenReady.available_paths.join(', ') : 'none';
+        console.log(`Image Gen: auth=${imagegenReady.auth_mode} | headless_auto=${imagegenReady.headless_auto_available ? 'available' : 'unavailable'} | paths: ${paths}`);
+        if (!imagegenReady.headless_auto_available) {
+            for (const action of imagegenReady.next_actions || [])
+                console.log(`  - ${action}`);
+        }
+    }
     console.log(`codex-lb:  ${codexLb.ok ? 'ok' : `warning ${codexLb.circuit?.state || 'unknown'}`}`);
     console.log(`Permissions: config profile and permission profile are tracked separately (${permissionProfiles.codex_config_profile_field}, ${permissionProfiles.codex_permission_profile_field})`);
     console.log('Ready:');
@@ -130,6 +162,9 @@ export async function run(_command, args = []) {
         for (const action of configRepair.repair_actions)
             console.log(`  - ${action.name}: ${action.ok ? 'ok' : 'failed'}`);
     }
+    if (migrationJournal?.journal_path) {
+        console.log(`Migration journal: ${migrationJournal.journal_path} (${migrationJournal.event_count} events, ${migrationJournal.mutations_without_rollback} without rollback)`);
+    }
     if (!ready.ready && ready.next_actions?.length) {
         console.log('What still needs you:');
         for (const action of ready.next_actions)
@@ -138,6 +173,103 @@ export async function run(_command, args = []) {
     if (!result.ok)
         process.exitCode = 1;
 }
+// Assemble the explicit Zellij readiness block for `doctor --json` from the
+// capability probe + readiness matrix. Proof statuses are availability-derived:
+// `verified` is reserved for a real environment run (SKS_REQUIRE_ZELLIJ=1 gates);
+// here they report `optional` when the binary is usable and `unavailable` when
+// Zellij is missing/too old. Zellij missing keeps mad_ready=false while cli_ready
+// can remain true (the matrix already enforces this).
+function buildZellijReadiness(root, zellij, ready) {
+    const status = String(zellij?.status || 'missing');
+    const usable = status === 'ok';
+    const proofStatus = usable ? 'optional' : 'unavailable';
+    const readiness = {
+        schema: 'sks.zellij-readiness.v1',
+        binary: zellij?.bin || 'zellij',
+        status,
+        min_version: zellij?.min_version || '0.41.0',
+        version: zellij?.version || null,
+        required_for: zellij?.required_for || ['sks --mad', 'interactive lane UI'],
+        layout_proof: proofStatus,
+        pane_proof: proofStatus,
+        screen_proof: proofStatus,
+        tmux_removed_runtime: true,
+        mad_ready: ready?.mad_ready === true,
+        cli_ready: ready?.cli_ready === true,
+        ready_for_interactive_runtime: ready?.codex_config_readable_in_zellij_context === true
+    };
+    return readiness;
+}
+async function codexHomeConfigPath() {
+    const path = await import('node:path');
+    const os = await import('node:os');
+    const home = process.env.CODEX_HOME || path.join(process.env.HOME || os.homedir(), '.codex');
+    return path.join(home, 'config.toml');
+}
+async function captureCodexConfigSnapshot() {
+    const fsp = await import('node:fs/promises');
+    const path = await import('node:path');
+    const read = async (p) => {
+        if (!p)
+            return null;
+        try {
+            return await fsp.readFile(p, 'utf8');
+        }
+        catch {
+            return null;
+        }
+    };
+    const root = await projectRoot();
+    const projectPath = root ? path.join(root, '.codex', 'config.toml') : null;
+    const homePath = await codexHomeConfigPath();
+    return {
+        project_path: projectPath,
+        project_text: await read(projectPath),
+        home_path: homePath,
+        home_text: await read(homePath)
+    };
+}
+// Build a migration journal for the --fix transaction with real before/after
+// content hashes and the backup paths produced by setup/structure/split repair.
+async function writeFixMigrationJournal(root, preFix, configRepair, setupRepair) {
+    if (!preFix)
+        return null;
+    const fsp = await import('node:fs/promises');
+    const read = async (p) => {
+        if (!p)
+            return null;
+        try {
+            return await fsp.readFile(p, 'utf8');
+        }
+        catch {
+            return null;
+        }
+    };
+    const projectAfter = await read(preFix.project_path);
+    const homeAfter = await read(preFix.home_path);
+    const structureRepairs = Array.isArray(configRepair?.structure_repairs) ? configRepair.structure_repairs : [];
+    const projectStructure = structureRepairs.find((repair) => repair.scope === 'project');
+    const homeStructure = structureRepairs.find((repair) => repair.scope === 'codex_home');
+    const events = [
+        {
+            step: 'doctor_fix_project_config',
+            target: preFix.project_path || '.codex/config.toml',
+            beforeHash: preFix.project_text != null ? hashConfigText(preFix.project_text) : null,
+            afterHash: projectAfter != null ? hashConfigText(projectAfter) : null,
+            backupPath: setupRepair?.config_backup_path || projectStructure?.backup_path || configRepair?.policy?.backup_path || null
+        },
+        {
+            step: 'doctor_fix_codex_home_config',
+            target: preFix.home_path || '~/.codex/config.toml',
+            beforeHash: preFix.home_text != null ? hashConfigText(preFix.home_text) : null,
+            afterHash: homeAfter != null ? hashConfigText(homeAfter) : null,
+            backupPath: homeStructure?.backup_path || null
+        }
+    ].filter((event) => event.beforeHash != null || event.afterHash != null);
+    if (!events.length)
+        return null;
+    return appendMigrationEvents(root, events);
+}
 async function backupProjectConfigBeforeFix() {
     try {
         const fsp = await import('node:fs/promises');

package/dist/commands/image-ux-review.d.ts

@@ -914,6 +914,7 @@ export declare function run(command: any, args?: any): Promise<void | {
                 backend: string;
                 route: string;
                 route_command: string;
+                selected_core_skill: any;
                 route_blackbox_kind: string;
                 real_route_command_used: boolean;
                 native_cli_session_proof: string | null;
@@ -1039,6 +1040,12 @@ export declare function run(command: any, args?: any): Promise<void | {
                 janitor_ok: boolean;
                 trust_report: string;
                 wrongness_records: string;
+                triwiki_context: string;
+                triwiki_context_consulted: boolean;
+                context_pack_hash: any;
+                triwiki_use_first_count: number;
+                triwiki_hydrate_first_count: number;
+                triwiki_claim_count: number;
                 changed_files_lease_checked: boolean;
                 dependency_collision_risk: any;
                 blockers: any[];

package/dist/commands/ppt.d.ts

@@ -763,6 +763,7 @@ export declare function run(command: any, args?: any): Promise<void | {
                 backend: string;
                 route: string;
                 route_command: string;
+                selected_core_skill: any;
                 route_blackbox_kind: string;
                 real_route_command_used: boolean;
                 native_cli_session_proof: string | null;
@@ -888,6 +889,12 @@ export declare function run(command: any, args?: any): Promise<void | {
                 janitor_ok: boolean;
                 trust_report: string;
                 wrongness_records: string;
+                triwiki_context: string;
+                triwiki_context_consulted: boolean;
+                context_pack_hash: any;
+                triwiki_use_first_count: number;
+                triwiki_hydrate_first_count: number;
+                triwiki_claim_count: number;
                 changed_files_lease_checked: boolean;
                 dependency_collision_risk: any;
                 blockers: any[];

package/dist/commands/zellij.d.ts

@@ -0,0 +1,4 @@
+export declare const ZELLIJ_COMMAND_SCHEMA = "sks.zellij-command.v1";
+export declare const ZELLIJ_REPAIR_SCHEMA = "sks.zellij-repair.v1";
+export declare function run(_command?: string, args?: string[]): Promise<void>;
+//# sourceMappingURL=zellij.d.ts.map

package/dist/commands/zellij.js

@@ -0,0 +1,111 @@
+import { projectRoot } from '../core/fsx.js';
+import { flag } from '../cli/args.js';
+import { printJson } from '../cli/output.js';
+import { checkZellijCapability } from '../core/zellij/zellij-capability.js';
+export const ZELLIJ_COMMAND_SCHEMA = 'sks.zellij-command.v1';
+export const ZELLIJ_REPAIR_SCHEMA = 'sks.zellij-repair.v1';
+function installHint() {
+    if (process.platform === 'darwin')
+        return 'brew install zellij';
+    if (process.platform === 'linux')
+        return 'cargo install --locked zellij   # or your distro package, e.g. `apt install zellij` / `pacman -S zellij`';
+    return 'See https://zellij.dev/documentation/installation';
+}
+export async function run(_command = 'zellij', args = []) {
+    const sub = (args.find((arg) => !arg.startsWith('-')) || 'status').toLowerCase();
+    const json = flag(args, '--json');
+    const root = await projectRoot();
+    if (sub === 'help')
+        return printHelp(json);
+    if (sub === 'repair')
+        return zellijRepair(root, args, json);
+    return zellijStatus(root, args, json);
+}
+async function zellijStatus(root, args, json) {
+    const requireReal = flag(args, '--require-real') || process.env.SKS_REQUIRE_ZELLIJ === '1';
+    const capability = await checkZellijCapability({ root, require: requireReal });
+    const status = capability.status || 'unknown';
+    const ready = status === 'ok';
+    const result = {
+        schema: ZELLIJ_COMMAND_SCHEMA,
+        subcommand: 'status',
+        ok: ready || !requireReal,
+        status,
+        version: capability.version || null,
+        required_for: ['sks --mad', 'sks team open-zellij', 'interactive lane UI'],
+        blockers: capability.blockers || [],
+        warnings: capability.warnings || [],
+        install_hint: ready ? null : installHint(),
+        next_actions: ready
+            ? []
+            : [`Install Zellij: ${installHint()}`, 'Then re-run `sks zellij status` and `sks doctor --fix`.']
+    };
+    if (json) {
+        printJson(result);
+    }
+    else {
+        console.log('SKS Zellij runtime');
+        console.log(`  status:   ${status}${result.version ? ` (${result.version})` : ''}`);
+        console.log(`  required: ${result.required_for.join(', ')}`);
+        if (result.blockers.length)
+            console.log(`  blockers: ${result.blockers.join(', ')}`);
+        if (!ready) {
+            console.log('  next:');
+            for (const action of result.next_actions)
+                console.log(`    - ${action}`);
+        }
+    }
+    if (!result.ok)
+        process.exitCode = 1;
+}
+async function zellijRepair(root, args, json) {
+    // Explain-only by default: SKS never auto-installs Zellij (no Homebrew/cargo
+    // side-effects from this command). It surfaces the exact operator steps.
+    const capability = await checkZellijCapability({ root, require: false });
+    const status = capability.status || 'unknown';
+    const autoInstall = false;
+    const result = {
+        schema: ZELLIJ_REPAIR_SCHEMA,
+        subcommand: 'repair',
+        ok: true,
+        mode: 'explain',
+        status,
+        auto_install: autoInstall,
+        operator_actions: [
+            `Install or upgrade Zellij: ${installHint()}`,
+            'Verify: `sks zellij status` (or `npm run zellij:capability`).',
+            'Opt-in dependency repair through SKS: `sks deps check --yes` or `sks bootstrap --yes`.',
+            'Recover Codex config issues: `sks doctor --fix`.'
+        ]
+    };
+    if (json) {
+        printJson(result);
+    }
+    else {
+        console.log('SKS Zellij repair (explain-only; no automatic install)');
+        console.log(`  current status: ${status}`);
+        for (const action of result.operator_actions)
+            console.log(`  - ${action}`);
+    }
+}
+function printHelp(json) {
+    const result = {
+        schema: ZELLIJ_COMMAND_SCHEMA,
+        subcommand: 'help',
+        ok: true,
+        usage: 'sks zellij status|repair|capability [--require-real] [--json]',
+        subcommands: {
+            status: 'Report Zellij runtime capability and interactive-route readiness.',
+            repair: 'Explain how to install/repair Zellij (no automatic install).',
+            capability: 'Alias for status.'
+        }
+    };
+    if (json)
+        printJson(result);
+    else {
+        console.log('sks zellij — inspect and repair the Zellij interactive runtime');
+        console.log('  sks zellij status [--require-real] [--json]');
+        console.log('  sks zellij repair [--explain] [--json]');
+    }
+}
+//# sourceMappingURL=zellij.js.map

package/dist/core/agents/agent-orchestrator.d.ts

@@ -530,6 +530,7 @@ export declare function runNativeAgentOrchestrator(opts?: AgentRunOptions): Prom
         backend: string;
         route: string;
         route_command: string;
+        selected_core_skill: any;
         route_blackbox_kind: string;
         real_route_command_used: boolean;
         native_cli_session_proof: string | null;
@@ -655,6 +656,12 @@ export declare function runNativeAgentOrchestrator(opts?: AgentRunOptions): Prom
         janitor_ok: boolean;
         trust_report: string;
         wrongness_records: string;
+        triwiki_context: string;
+        triwiki_context_consulted: boolean;
+        context_pack_hash: any;
+        triwiki_use_first_count: number;
+        triwiki_hydrate_first_count: number;
+        triwiki_claim_count: number;
         changed_files_lease_checked: boolean;
         dependency_collision_risk: any;
         blockers: any[];