sneakoscope 1.21.4 → 1.21.6

package/README.md

@@ -16,7 +16,16 @@ Set up this agent project with Sneakoscope Codex. Use [[mandarange/Sneakoscope-C
 
 ## Current Release
 
-SKS **1.21.4** makes Fast mode state and Naruto clone activity directly visible in SKS Zellij lanes. The lane renderer now resolves the project-local `sks fast-mode on|off` preference even before worker scheduler artifacts arrive, and Naruto launches the right-side Zellij lane stack before clone scheduling starts so each clone slot can show live activity. Naruto's host-capacity model also no longer collapses `codex-exec` concurrency to one slot on capable Macs just because `freemem` is low; use `--concurrency` / `--target-active-slots` or `SKS_NARUTO_MAX_CONCURRENCY` for explicit operator control. SKS-launched interactive Codex panes also use `--no-alt-screen` by default so Mac trackpad/wheel gestures scroll the terminal conversation history instead of the prompt textarea/history; set `SKS_ZELLIJ_CODEX_ALT_SCREEN=1` before launch to opt back into alternate-screen mode. It carries forward the 1.21.3 Zellij clipboard, visual lane count, direct-publish stamp repair, and Codex Fast mode repair fixes.
+SKS **1.21.6** promotes OpenAI Codex CLI `rust-v0.136.0` as the current compatibility baseline. The release matrix tracks 0.136 session archive/unarchive, app-server `--stdio`, resumed-turn/status behavior, `CODEX_API_KEY` remote registration, short-lived remote-control tokens, elevated Windows sandbox setup, feature-gated image-generation extension support, ChatGPT auth refresh handling, command-safety hardening, sandbox cleanup, Bedrock region fallback, and rmcp 1.7.0 compatibility.
+
+This release also tightens the day-to-day operator path:
+
+- Zellij lane panes now surface the native worker session they are following, including per-slot worker status and stdout/stderr/heartbeat tails.
+- Native terminal drag-copy is the default in SKS-launched Zellij sessions; hover-pane mouse routing is opt-in with `SKS_ZELLIJ_MOUSE_MODE=1`.
+- Update prompts compare npm latest against an effective installed version that includes source, PATH, and global npm package metadata, so completed global updates stop being re-offered.
+- `sks doctor --fix` can remove duplicate global `sks`/`sneakoscope` npm installs while exempting the Sneakoscope source checkout.
+
+It carries forward the 0.135-era routing/readiness fixes: mixed frustration plus explicit implementation prompts still route to `$Team`, bare `context7 mcp` no longer implies `$DB`, Git Actions readiness uses the `codex remote-control` command/version capability, and repeated substantive prompts prepare fresh Team/Research-style native sessions. Zellij lane, Naruto, terminal scrollback, MAD cockpit, Goal bridge, and Fast profile fixes remain in place.
 
 SKS **1.20.4** is a targeted `sks --mad` / codex-lb Zellij usability patch: when a background MAD Zellij session launches successfully, SKS now prints the exact `Attach with: ZELLIJ_SOCKET_DIR=... zellij attach ...` command so operators can enter the fresh session without manually reconstructing the socket namespace.
 
@@ -30,65 +39,44 @@ SKS **1.20.1** introduces the **SKS Core Skill Engine** — a SkillOpt-style sel
 
 It carries forward the 1.19.x hardening unchanged: legacy 1.18.x/1.19.x→1.20.1 **zero-break upgrade** (user `model`/`service_tier`/`model_reasoning_effort` and user-disabled Codex App flags never overwritten; existing skill cards preserved), the **migration transaction journal** (`.sneakoscope/reports/migration-1.20.1-journal.jsonl`), **Zellij launch-command truth** + real-session **heartbeat-timeout blocker** + the redesigned **Zellij lane UI**, **packlist/publish-performance** gates, a **postinstall safe-side-effects** gate, and the **TS source-of-truth / Rust optional-accelerator** boundary (publish never compiles Rust). `sks zellij status`/`repair` inspects the Zellij runtime without auto-installing anything.
 
+Core release checks:
+
 ```bash
-sks mad-sks plan --target-root <path> --json
-sks mad-sks permissions --json
-sks mad-sks proof --json
-sks mad-sks rollback-apply --rollback-plan <path> --yes --json
-sks features complete --json
-sks agent status latest --json
-sks agent run "release review" --agents 8 --work-items 16 --concurrency 4 --mock --json
-npm run source-intelligence:all-modes
-npm run agent:background-terminals
+npm run codex:0.136-compat
 npm run zellij:lane-renderer
-npm run zellij:pane-proof
-npm run zellij:screen-proof
-npm run agent:cleanup-executor
-npm run agent:cleanup-executor-v2
-npm run retention:cleanup-safety
-npm run agent:intelligent-work-graph
-npm run agent:ast-aware-work-graph
-npm run proof:fake-vs-real-policy
-npm run proof:fake-real-policy-v2
-npm run release:runtime-truth-matrix
-npm run codex:0.134-official-compat
-npm run codex:profile-primary
-npm run codex:managed-proxy-env
-npm run strategy:adhd-orchestrating-gate
-npm run strategy:parallel-modification-plan
-npm run appshots:evidence
-npm run appshots:source-intelligence
-npm run appshots:thread-attachment-discovery
-npm run mcp:0.134-modernization
-npm run mcp:readonly-runtime-scheduler
-npm run codex:0.134-runner-truth
-npm run source-intelligence:codex-history-search
-    npm run agent:parallel-write-kernel
-    npm run agent:patch-swarm-runtime-truth
-    npm run agent:patch-transaction-journal
-    npm run agent:patch-conflict-rebase
-    npm run agent:strategy-to-patch-strict
-    npm run agent:rollback-command
-    npm run agent:native-cli-session-swarm
-    npm run agent:native-cli-session-swarm-10
-    npm run agent:native-cli-session-swarm-20
-    npm run agent:no-subagent-scaling
-    npm run agent:native-cli-session-proof
-    npm run agent:fast-mode-default
-    npm run agent:fast-mode-worker-propagation
-    npm run codex:fast-mode-profile-propagation
-    npm run mad-sks:fast-mode-propagation
-    SKS_TEST_REAL_CODEX_PATCHES=1 npm run agent:real-codex-patch-envelope-smoke
-    npm run release:gate-existence-audit
-npm run route:blackbox-realism
-npm run release:real-check
-npm run agent:backfill-route-blackbox
-npm run team:actual-route-backfill
+npm run mad-sks:zellij-launch
 npm run release:readiness
+npm run release:check
 ```
 
 Detailed release history lives in [CHANGELOG.md](CHANGELOG.md); every version-facing change should be recorded there before release. Current release gate status lives in [docs/release-readiness.md](docs/release-readiness.md).
 
+## Parallelism, UX, And Integrations
+
+- **Extreme parallel fan-out (`$Naruto` / native agents).** Each clone is a separate CLI worker that spends almost all of its wall-clock awaiting the Codex API, so live concurrency scales by **memory and the provider rate limit, not CPU cores** — a capable host can run up to 100 workers in parallel. The 429/rate-limit backoff is handled by the centralized responses retry policy. Tune it with `SKS_NARUTO_MAX_CONCURRENCY` (hard cap, 1–100), `SKS_NARUTO_GB_PER_WORKER` (memory budget per worker), and `SKS_NARUTO_MIN_CONCURRENCY` (low-free-memory floor).
+
+  ```bash
+  sks naruto run "refactor the data layer" --clones 100 --json
+  SKS_NARUTO_MAX_CONCURRENCY=48 sks naruto run "sweep the test suite" --clones 48
+  ```
+
+- **Zellij scrollback and copy.** SKS launches Codex panes with `--no-alt-screen`, so the terminal keeps the conversation transcript in scrollback. Zellij `mouse_mode` is off by default so normal mouse-drag text selection works for copy. Set `SKS_ZELLIJ_MOUSE_MODE=1` only when you prefer Zellij hover-pane wheel routing; in that mode some terminals require Shift-drag for native selection.
+
+- **Live MAD / Naruto cockpit lanes.** `sks --mad` starts a same-mission native agent swarm and opens the right-pane cockpit against that ledger. Lane panes follow per-slot worker artifacts such as `worker.stdout.log`, `worker.stderr.log`, and `worker-heartbeat.jsonl`, so fan-out work shows as live worker status instead of a static "Workers idle" panel. Tune MAD fan-out with `--mad-agents`, `--mad-swarm-work-items`, and `--mad-swarm-backend`; use `--no-mad-swarm` only when you intentionally want the old UI-only launch. Each Zellij lane has per-slot SKS state, a nonblocking JSONL command bus, dynamic pane-id reconciliation from `zellij action list-panes --json --all`, and `nice`/dispatch-throttle metadata. If a lane's own mission ledger is idle, the renderer can mirror the most-recent active agent mission; disable that follow behavior with `SKS_LANE_FOLLOW_ACTIVE_MISSION=0`.
+
+- **Image generation under codex-lb.** `gpt-image-2` routes through the same Codex `/responses` backend the load balancer already proxies, so `$imagegen` works when you are authenticated only through codex-lb (no direct `OPENAI_API_KEY`). The official Codex App `$imagegen` surface stays primary; the codex-lb/OpenAI API path is the fallback. Opt out with `SKS_IMAGEGEN_ALLOW_CODEX_LB_API_FALLBACK=0`.
+
+- **xAI / Grok search.** Wire xAI Live Search into source intelligence as an MCP provider:
+
+  ```bash
+  sks xai check
+  sks xai setup --scope project --command "npx" --arg "-y" --arg "<your-grok-search-mcp>"
+  export XAI_API_KEY=xai-...
+  sks xai docs
+  ```
+
+- **Quieter update prompts.** The "update available" choice is shown once per conversation and then stays quiet for a short window (default 8 min, `SKS_UPDATE_OFFER_THROTTLE_MS`) instead of repeating on every prompt. The check compares npm latest against source metadata, PATH `sks --version`, and the global npm package, so a completed `npm i -g sneakoscope` clears stale pending/accepted offers.
+
 ## Retention And Cleanup
 
 SKS keeps durable learning context separate from disposable route work files. Durable context includes `.sneakoscope/memory/**`, shared TriWiki records, `.sneakoscope/wiki/context-pack.json`, wrongness memory, image voxels, avoidance rules, route Completion Proof, trust reports, evidence indexes, reflections, and agent proof summaries. These files are treated as the long-term learning and audit chain.
@@ -190,9 +178,9 @@ sks rust smoke --json
 2. Image Voxel TriWiki anchors and relations for every visual route
 3. Route contracts, evidence indexes, wrongness memory, trust reports, Codex App, codex-lb, hooks, Rust fallback parity, DB, route modularity, and generated fixtures verified by release gates
 
-## Install Options
+## Install
 
-Recommended: install globally with `npm i -g sneakoscope`, then run `sks` from either a project or any global shell location:
+Recommended path:
 
 ```sh
 npm i -g sneakoscope
@@ -200,22 +188,32 @@ sks root
 sks doctor
 ```
 
-`npm i -g sneakoscope` is the recommended install path. It automatically refreshes the `sks` command shim, global Codex App `$` skills, and SKS bootstrap surface. When the install is run from a project, postinstall bootstraps that project. When it is run outside a repo/project marker, postinstall bootstraps the per-user global runtime root instead of writing `.sneakoscope` into a random current directory. `sks root` tells you which root SKS will use.
+The global npm install refreshes the `sks` command shim, generated Codex App `$` skills, and the SKS bootstrap surface together. If a project marker is present, postinstall bootstraps that project; otherwise SKS uses the per-user global runtime root. `sks root` shows the active root.
 
-If you only want a one-shot run without keeping `sks` installed globally:
+One-shot run without keeping a global install:
 
 ```sh
 npx -y -p sneakoscope sks root
 ```
 
-For a repo-local install:
+Project-pinned install:
 
 ```sh
 npm i -D sneakoscope
 npx sks setup --install-scope project
 ```
 
-Check that the install is usable:
+Source checkout for developing Sneakoscope itself:
+
+```sh
+git clone https://github.com/mandarange/Sneakoscope-Codex.git
+cd Sneakoscope-Codex
+npm install
+npm install -g .
+sks --version
+```
+
+Install health checks:
 
 ```sh
 sks deps check
@@ -257,56 +255,10 @@ brew install zellij
 
 The default `sks` runtime checks npm for newer `sneakoscope` and `@openai/codex` versions before opening the interactive runtime. `npm i -g sneakoscope` runs a safe bootstrap/readiness pass; use `sks bootstrap --yes`, `sks deps check --yes`, or `sks --mad --yes` to install or repair Codex CLI/Zellij when Homebrew is available. `sks --mad` requires Zellij for interactive MAD/lane UI and prints the session, gate, attach command, blockers, and labeled Zellij stderr/stdout details needed to act.
 
-## Installation
-
-### Global Install
-
-Use this recommended path when you want `sks` available from any repo:
-
-```sh
-npm i -g sneakoscope
-sks root
-```
-
-`sks` commands work even when no project root is present. Project-aware commands use the nearest `.sneakoscope`, `.dcodex`, or `.git` root; if none exists, SKS uses a per-user global runtime root. Global npm install/upgrade automatically bootstraps the current project when a project marker is present, otherwise it bootstraps the global runtime root. Run `sks bootstrap` manually only when you intentionally want to initialize or repair the current project after install.
-
 Project setup writes shared `.gitignore` entries for generated SKS files: `.sneakoscope/`, `.codex/`, `.agents/`, and managed `AGENTS.md`. Setup, doctor repair, and npm postinstall refreshes also compare the previous SKS generated-file manifest with the current package templates and prune stale SKS-generated legacy skills or agent files while preserving user-owned custom skills. Use `sks setup --local-only` when you want those excludes kept only in `.git/info/exclude`.
 
 During npm postinstall, SKS installs generated Codex App skills and tries `skills add MohtashamMurshid/getdesign` when the `skills` CLI is available. Design work still flows through one authority: `design.md`.
 
-### One-Shot Install
-
-Use this when you do not want to keep a global install:
-
-```sh
-npx -y -p sneakoscope sks bootstrap
-```
-
-`npx` fetches the package into npm's cache and runs the binary for that command. This is useful for first-time setup or CI-style verification.
-
-### Project Install
-
-Use this when a repo should pin Sneakoscope as a development dependency:
-
-```sh
-npm i -D sneakoscope
-npx sks setup --install-scope project
-```
-
-Project installs are useful when a team wants a repeatable harness version checked through `package-lock.json`.
-
-### Source Checkout
-
-Use this when developing Sneakoscope itself:
-
-```sh
-git clone https://github.com/mandarange/Sneakoscope-Codex.git
-cd Sneakoscope-Codex
-npm install
-npm install -g .
-sks --version
-```
-
 ## Terminal CLI Usage
 
 Use terminal commands when you want to inspect, set up, verify, or start a CLI-first workspace.
@@ -401,9 +353,9 @@ sks --mad
 sks --mad --allow-package-install --allow-service-control --allow-network --yes
 ```
 
-This syncs existing codex-lb provider auth, creates/uses the `sks-mad-high` high-power maintenance profile, opens the MAD-SKS permission gate for that Zellij run, and launches a Codex CLI layout. Bare `sks --mad` grants target-project file and shell scope only; add explicit `--allow-*` flags for packages, services, network, Computer Use, browser use, generated assets, file permissions, DB writes, or other high-risk scopes. MAD-SKS is not a DB-only unlock: it is explicit user authorization to widen approved target-project scopes. Catastrophic database wipe/all-row/project-management safeguards remain active, and the pipeline contract still forbids unrequested fallback implementation code.
+This syncs existing codex-lb provider auth, creates/uses the `sks-mad-high` high-power maintenance profile, opens the MAD-SKS permission gate for that Zellij run, starts a same-mission read-only native agent swarm, and launches a Codex CLI layout whose right-side lanes read that MAD ledger. Bare `sks --mad` grants target-project file and shell scope only; add explicit `--allow-*` flags for packages, services, network, Computer Use, browser use, generated assets, file permissions, DB writes, or other high-risk scopes. MAD-SKS is not a DB-only unlock: it is explicit user authorization to widen approved target-project scopes. Catastrophic database wipe/all-row/project-management safeguards remain active, and the pipeline contract still forbids unrequested fallback implementation code.
 
-Before launching, SKS checks npm for a newer `sneakoscope`; answer `y` to update or `n` to continue. Use `--yes` to approve missing dependency installs automatically.
+Before launching, SKS checks npm for a newer `sneakoscope`; answer `y` to update or `n` to continue. Use `--yes` to approve missing dependency installs automatically. Tune MAD swarm startup with `--mad-agents <n>`, `--mad-swarm-work-items <n>`, and `--mad-swarm-backend <backend>`; `--no-mad-swarm` keeps only the cockpit UI if you need a temporary fallback.
 
 ### Team Missions
 
@@ -533,7 +485,7 @@ For headless remotely controllable Codex App/server sessions on Codex CLI 0.130.
 sks codex-app remote-control -- --help
 ```
 
-`sks codex-app check` reports whether the installed Codex CLI is new enough, whether the required app flags are visible, whether Fast/speed-selector config is unlocked, whether Codex App Git Actions can use Commit, Push, Commit and Push, and PR flows, whether the Codex Chrome Extension path is ready for web/browser/webapp verification, and whether installed OpenAI default plugins such as Browser, Chrome, Computer Use, Documents, Presentations, Spreadsheets, and LaTeX are enabled. `sks codex-app chrome-extension --json` is the rapid preflight for web QA/UX/browser routes. When codex-lb is configured, SKS keeps it selected as the top-level Codex App provider while still preserving required app flags and plugin settings. Codex CLI 0.130.0+ app-server/remote-control threads can pick up config changes live; older CLI/TUI sessions should still be restarted after `.codex/config.toml` or MCP/plugin changes.
+`sks codex-app check` reports whether the installed Codex CLI is new enough, whether the required app flags are visible, whether Fast/speed-selector config is unlocked, whether Codex App Git Actions can use Commit, Push, Commit and Push, and PR flows, whether the Codex Chrome Extension path is ready for web/browser/webapp verification, and whether installed OpenAI default plugins such as Browser, Chrome, Computer Use, Documents, Presentations, Spreadsheets, and LaTeX are enabled. `sks-fast-high` intentionally does not pin `sandbox_mode`, so the Codex App/IDE permissions selector owns Full Access vs workspace-write while SKS supplies the model, Fast service tier, approval, and reasoning defaults. `sks codex-app chrome-extension --json` is the rapid preflight for web QA/UX/browser routes. When codex-lb is configured, SKS keeps it selected as the top-level Codex App provider while still preserving required app flags and plugin settings. Codex CLI 0.130.0+ app-server/remote-control threads can pick up config changes live; older CLI/TUI sessions should still be restarted after `.codex/config.toml` or MCP/plugin changes.
 
 For web-related verification, SKS follows the official Codex Chrome Extension setup path first: https://developers.openai.com/codex/app/chrome-extension. `$QA-LOOP`, `$UX-Review`, `$Image-UX-Review`, browser smoke, authenticated web checks, localhost checks, and web visual review must halt quickly if that extension is missing or disabled. Only after the user says the extension setup is complete should the pipeline resume. Codex Computer Use is for native Mac/non-web targets only; it must not be used as browser/web-app verification evidence.
 
@@ -661,13 +613,25 @@ By default, SKS favors inspection, local files, branch-safe changes, explicit co
 ### `sks` points to an old version
 
 ```sh
-which sks
+which -a sks
 sks --version
 node ./dist/bin/sks.js --version
+npm ls -g sneakoscope --depth=0
 npm install -g .
+sks doctor --fix
 ```
 
-If stale, reinstall globally from the repo or npm.
+If PATH or npm has duplicate global installs, `sks doctor --fix` keeps one global npm install and removes duplicate global `sneakoscope` installs. The Sneakoscope source checkout is exempt so local development files are not removed.
+
+### SKS keeps asking to update after a global update
+
+```sh
+sks update-check --json
+npm ls -g sneakoscope --depth=0
+sks doctor --fix
+```
+
+Update prompts compare npm latest against the effective installed version from source metadata, PATH `sks --version`, and global npm package metadata. If a global update succeeded but an old shim remains earlier on PATH, `sks doctor --fix` can remove duplicate global installs and refresh the managed setup.
 
 ### Zellij is missing
 
@@ -678,6 +642,15 @@ npm run zellij:capability
 
 Install Zellij from [zellij.dev](https://zellij.dev/documentation/installation.html), then run `npm run zellij:capability` or `sks doctor --json`. Without Zellij, non-interactive checks can continue, but `sks --mad` and interactive lane UI report `mad_ready: false`.
 
+### Zellij copy or right lanes feel wrong
+
+```sh
+sks team open-zellij latest
+sks zellij status
+```
+
+Normal mouse-drag copy is the default because SKS launches Zellij with `mouse_mode=false`. Conversation scrollback is still preserved by Codex `--no-alt-screen`. If you prefer Zellij hover-pane wheel routing, launch with `SKS_ZELLIJ_MOUSE_MODE=1`; use Shift-drag if your terminal then captures selection differently. Right lanes are renderer panes that follow SKS worker artifacts, so live native-agent output is shown from per-slot `worker.stdout.log`, `worker.stderr.log`, and `worker-heartbeat.jsonl`.
+
 ### Codex App tools are missing
 
 ```sh
@@ -694,7 +667,7 @@ sks doctor --fix
 sks codex-app check
 ```
 
-`sks codex-app check` now prints `Git Actions`. It should be `ok` for Codex App Commit, Push, Commit and Push, and PR buttons to bypass SKS route gates. If it is blocked, repair config with `sks doctor --fix`; if the blocker mentions remote-control, update Codex CLI to `0.130.0` or newer and restart older app-server/TUI sessions.
+`sks codex-app check` now prints `Git Actions`. It should be `ok` for Codex App Commit, Push, Commit and Push, and PR buttons to bypass SKS route gates. Recent Codex builds expose remote control through the `codex remote-control` command rather than a `remote_control` feature flag, so SKS checks the command/version capability directly. If it is blocked, repair config with `sks doctor --fix`; if the blocker mentions remote-control, update Codex CLI to `0.130.0` or newer and restart older app-server/TUI sessions.
 
 ### Codex App UI looks stale after codex-lb changes
 
@@ -737,7 +710,7 @@ npm run release:check
 npm run publish:dry
 ```
 
-`release:check` runs the current 1.20.x release-closure DAG, writes a source digest stamp under `.sneakoscope/reports/`, then refreshes release readiness so publish commands can verify the same stamp. The DAG preserves the 1.18 baseline gates and adds patch swarm runtime truth, transaction journaling, serial conflict rebase, strict strategy-to-patch proof, rollback command proof, Native CLI Session Swarm 5/10/20-process proof, Real Worker Backend Router proof, Codex child overlap proof, model-authored patch-envelope separation, Zellij layout/pane/screen/socket-dir proof, no-subagent-scaling proof, Fast mode default/worker/Codex/MAD propagation proof, Appshots attachment provenance, MCP runtime overlap evidence, Codex 0.134/0.135 runner truth, task graph expansion, schema-bound follow-up work, actual Agent/Team/Research/QA route blackboxes, scheduler proof hardening, Source Intelligence propagation, and Goal mode propagation checks. Broader live gates remain explicit scripts such as `release:real-check`; real Codex patch smoke, real Codex parallel worker proof, and real Zellij proof are optional unless their `SKS_REQUIRE_REAL_*` or `SKS_REQUIRE_ZELLIJ=1` environment variables are set. Generate the human-readable registry with `sks features inventory --write-docs`. Plain `npm publish` uses the `latest` dist-tag. npm's `prepublishOnly` verifies the fresh release stamp instead of rerunning the full gate, and `prepack` only rebuilds `dist`; publish no longer repeats the expensive release suite during packaging. `npm run publish:dry` remains the explicit dry-run helper.
+`release:check` runs the current 1.21.x release-closure DAG, writes a source digest stamp under `.sneakoscope/reports/`, then refreshes release readiness so publish commands can verify the same stamp. The DAG preserves the 1.18 baseline gates and adds Codex 0.136 compatibility, inherited Codex 0.135/0.134 runner truth, patch swarm runtime truth, transaction journaling, serial conflict rebase, strict strategy-to-patch proof, rollback command proof, Native CLI Session Swarm 5/10/20-process proof, Real Worker Backend Router proof, Codex child overlap proof, model-authored patch-envelope separation, Zellij layout/pane/screen/socket-dir proof, no-subagent-scaling proof, Fast mode default/worker/Codex/MAD propagation proof, Appshots attachment provenance, MCP runtime overlap evidence, task graph expansion, schema-bound follow-up work, actual Agent/Team/Research/QA route blackboxes, scheduler proof hardening, Source Intelligence propagation, and Goal mode propagation checks. Broader live gates remain explicit scripts such as `release:real-check`; real Codex patch smoke, real Codex parallel worker proof, and real Zellij proof are optional unless their `SKS_REQUIRE_REAL_*` or `SKS_REQUIRE_ZELLIJ=1` environment variables are set. Generate the human-readable registry with `sks features inventory --write-docs`. Plain `npm publish` uses the `latest` dist-tag. npm's `prepublishOnly` verifies the fresh release stamp instead of rerunning the full gate, and `prepack` only rebuilds `dist`; publish no longer repeats the expensive release suite during packaging. `npm run publish:dry` remains the explicit dry-run helper.
 
 Version bumps are manual. Run `sks versioning bump` only when preparing release metadata; SKS will not create `.git/hooks/pre-commit` or auto-bump during ordinary commits.
 

package/crates/sks-core/Cargo.lock

@@ -76,7 +76,7 @@ dependencies = [
 
 [[package]]
 name = "sks-core"
-version = "1.21.4"
+version = "1.21.6"
 dependencies = [
  "serde_json",
 ]

package/crates/sks-core/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "sks-core"
-version = "1.21.4"
+version = "1.21.6"
 edition = "2021"
 
 [dependencies]

package/crates/sks-core/src/main.rs

@@ -4,7 +4,7 @@ use std::io::{self, Read, Seek, SeekFrom};
 fn main() {
     let mut args = std::env::args().skip(1);
     match args.next().as_deref() {
-        Some("--version") => println!("sks-rs 1.21.4"),
+        Some("--version") => println!("sks-rs 1.21.6"),
         Some("compact-info") => {
             let mut input = String::new();
             let _ = io::stdin().read_to_string(&mut input);

package/dist/.sks-build-stamp.json

@@ -1,8 +1,8 @@
 {
   "schema": "sks.dist-build-stamp.v1",
   "package_name": "sneakoscope",
-  "package_version": "1.21.4",
-  "source_digest": "70780332db02a19044731adecdb06abcf7d9efdc8b128627be712ca33b3c6881",
-  "source_file_count": 1755,
-  "built_at_source_time": 1780318491834
+  "package_version": "1.21.6",
+  "source_digest": "3577af7555600bd9748b9c3252bf18a727db23c92740e7a06dc778b467aa1495",
+  "source_file_count": 1771,
+  "built_at_source_time": 1780391165608
 }

package/dist/bin/sks.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-const FAST_PACKAGE_VERSION = '1.21.4';
+const FAST_PACKAGE_VERSION = '1.21.6';
 const args = process.argv.slice(2);
 try {
     if (args[0] === '--agent' && args[1] === 'worker') {

package/dist/build-manifest.json

@@ -1,16 +1,16 @@
 {
   "schema": "sks.dist-build.v2",
-  "version": "1.21.4",
-  "package_version": "1.21.4",
+  "version": "1.21.6",
+  "package_version": "1.21.6",
   "typescript": true,
   "mjs_runtime_files": 0,
-  "compiled_file_count": 1022,
-  "compiled_js_count": 511,
-  "compiled_dts_count": 511,
-  "source_digest": "70780332db02a19044731adecdb06abcf7d9efdc8b128627be712ca33b3c6881",
-  "source_file_count": 1755,
-  "source_files_hash": "e6487058a1a0894c6b8a629b64319d45be1ad9a0658ab422a39969c1e39ad7e3",
-  "source_list_hash": "e6487058a1a0894c6b8a629b64319d45be1ad9a0658ab422a39969c1e39ad7e3",
+  "compiled_file_count": 1032,
+  "compiled_js_count": 516,
+  "compiled_dts_count": 516,
+  "source_digest": "3577af7555600bd9748b9c3252bf18a727db23c92740e7a06dc778b467aa1495",
+  "source_file_count": 1771,
+  "source_files_hash": "1f79c92a7165654f5ae190c1719e7e8ec89337ed8f265c7a68242ef613848f19",
+  "source_list_hash": "1f79c92a7165654f5ae190c1719e7e8ec89337ed8f265c7a68242ef613848f19",
   "src_mjs_runtime_files": 0,
   "dist_stamp_schema": "sks.dist-build-stamp.v1",
   "files": [
@@ -42,6 +42,8 @@
     "cli/recallpulse-command.js",
     "cli/router.d.ts",
     "cli/router.js",
+    "cli/xai-command.d.ts",
+    "cli/xai-command.js",
     "commands/aliases.d.ts",
     "commands/aliases.js",
     "commands/all-features.d.ts",
@@ -402,6 +404,8 @@
     "core/codex/codex-0-134-compat.js",
     "core/codex/codex-0-135-compat.d.ts",
     "core/codex/codex-0-135-compat.js",
+    "core/codex/codex-0-136-compat.d.ts",
+    "core/codex/codex-0-136-compat.js",
     "core/codex/codex-cli-syntax-builder.d.ts",
     "core/codex/codex-cli-syntax-builder.js",
     "core/codex/codex-config-eperm-repair.d.ts",
@@ -538,6 +542,8 @@
     "core/doctor/codex-doctor-bridge.js",
     "core/doctor/doctor-readiness-matrix.d.ts",
     "core/doctor/doctor-readiness-matrix.js",
+    "core/doctor/global-sks-install-cleanup.d.ts",
+    "core/doctor/global-sks-install-cleanup.js",
     "core/doctor/macos-tcc-diagnostic.d.ts",
     "core/doctor/macos-tcc-diagnostic.js",
     "core/dogfood-loop.d.ts",
@@ -863,6 +869,8 @@
     "core/safety/requested-scope-contract.js",
     "core/safety/side-effect-runtime-report.d.ts",
     "core/safety/side-effect-runtime-report.js",
+    "core/safety/ssot-guard.d.ts",
+    "core/safety/ssot-guard.js",
     "core/secret-redaction.d.ts",
     "core/secret-redaction.js",
     "core/session/project-namespace.d.ts",
@@ -1027,6 +1035,8 @@
     "core/zellij/zellij-command.js",
     "core/zellij/zellij-lane-renderer.d.ts",
     "core/zellij/zellij-lane-renderer.js",
+    "core/zellij/zellij-lane-runtime.d.ts",
+    "core/zellij/zellij-lane-runtime.js",
     "core/zellij/zellij-launcher.d.ts",
     "core/zellij/zellij-launcher.js",
     "core/zellij/zellij-layout-builder.d.ts",

package/dist/cli/command-registry.d.ts

@@ -76,6 +76,8 @@ export declare const COMMANDS: {
     'computer-use': CommandEntry;
     cu: CommandEntry;
     context7: CommandEntry;
+    xai: CommandEntry;
+    grok: CommandEntry;
     recallpulse: CommandEntry;
     pipeline: CommandEntry;
     guard: CommandEntry;
@@ -165,6 +167,8 @@ export declare const TYPED_COMMANDS: {
     'computer-use': CommandEntry;
     cu: CommandEntry;
     context7: CommandEntry;
+    xai: CommandEntry;
+    grok: CommandEntry;
     recallpulse: CommandEntry;
     pipeline: CommandEntry;
     guard: CommandEntry;

package/dist/cli/command-registry.js

@@ -129,6 +129,8 @@ export const COMMANDS = {
     'computer-use': entry('beta', 'Record native Mac/non-web Computer Use visual evidence', 'dist/core/commands/computer-use-command.js', commandArgsCommand(() => import('../core/commands/computer-use-command.js'), 'computerUseCommand', 'dist/core/commands/computer-use-command.js')),
     cu: entry('beta', 'Alias for native Computer Use', 'dist/core/commands/computer-use-command.js', commandArgsCommand(() => import('../core/commands/computer-use-command.js'), 'computerUseCommand', 'dist/core/commands/computer-use-command.js')),
     context7: entry('beta', 'Context7 checks and docs', 'dist/cli/context7-command.js', subcommand(() => import('./context7-command.js'), 'context7Command', 'dist/cli/context7-command.js', 'check')),
+    xai: entry('beta', 'Set up and check xAI/Grok search MCP integration', 'dist/cli/xai-command.js', subcommand(() => import('./xai-command.js'), 'xaiCommand', 'dist/cli/xai-command.js', 'check')),
+    grok: entry('beta', 'Alias for xAI/Grok search setup', 'dist/cli/xai-command.js', subcommand(() => import('./xai-command.js'), 'xaiCommand', 'dist/cli/xai-command.js', 'check')),
     recallpulse: entry('labs', 'RecallPulse evidence route', 'dist/commands/recallpulse.js', directCommand(() => import('../commands/recallpulse.js'), 'dist/commands/recallpulse.js')),
     pipeline: entry('beta', 'Inspect pipeline missions', 'dist/commands/pipeline.js', directCommand(() => import('../commands/pipeline.js'), 'dist/commands/pipeline.js')),
     guard: entry('beta', 'Check harness guard', 'dist/commands/guard.js', directCommand(() => import('../commands/guard.js'), 'dist/commands/guard.js')),

package/dist/cli/install-helpers.js

@@ -63,6 +63,10 @@ export async function postinstall({ bootstrap, args = [] }) {
             console.log(`Context7 MCP: skipped (${context7Install.reason}).`);
         else if (context7Install.status === 'failed')
             console.log(`Context7 MCP: auto setup failed. Run \`sks context7 setup --scope global\` or \`sks setup\`. ${context7Install.error || ''}`.trim());
+        // xAI/Grok web search is an optional source-intelligence provider. It needs a
+        // user-chosen MCP server + XAI_API_KEY, so we never auto-configure it — just make
+        // it discoverable (the integration the operator otherwise can't find at install).
+        console.log('xAI/Grok search (optional): add Grok Live Search with `sks xai setup` (then `export XAI_API_KEY=...`); see `sks xai docs`.');
         const fastModeRepair = await ensureGlobalCodexFastModeDuringInstall();
         if (fastModeRepair.status === 'updated')
             console.log(`Codex App Fast mode: updated ${fastModeRepair.config_path}${fastModeRepair.backup_path ? ` (backup ${fastModeRepair.backup_path})` : ''}.`);
@@ -1544,7 +1548,10 @@ function normalizeCodexFastModeUiConfigOnce(text = '', opts = {}) {
     next = upsertTomlTableKey(next, 'profiles.sks-fast-high', 'model = "gpt-5.5"');
     next = upsertTomlTableKey(next, 'profiles.sks-fast-high', 'service_tier = "fast"');
     next = upsertTomlTableKey(next, 'profiles.sks-fast-high', 'approval_policy = "on-request"');
-    next = upsertTomlTableKey(next, 'profiles.sks-fast-high', 'sandbox_mode = "workspace-write"');
+    // Do not force a sandbox from the Codex App fast profile. The App/IDE
+    // permissions selector owns full-access vs workspace-write; this profile only
+    // supplies SKS's model, speed, approval, and reasoning defaults.
+    next = removeTomlTableKey(next, 'profiles.sks-fast-high', 'sandbox_mode');
     next = upsertTomlTableKey(next, 'profiles.sks-fast-high', 'model_reasoning_effort = "high"');
     // Plugin auto-enable is OPT-IN only. Force-writing `[plugins."name@marketplace"] enabled =
     // true` for marketplace plugins the App may not have installed (different build/channel)

package/dist/cli/xai-command.d.ts

@@ -0,0 +1,9 @@
+export declare function xaiCommand(sub?: string, args?: string[]): Promise<void>;
+export declare function xaiMcpToml(opts: {
+    name: string;
+    url?: string | null;
+    command?: string | null;
+    commandArgs?: string[];
+    envKey?: string;
+}): string;
+//# sourceMappingURL=xai-command.d.ts.map