sneakoscope 2.0.2 → 2.0.4

package/dist/core/local-llm/local-collaboration-policy.js

@@ -0,0 +1,93 @@
+import { nowIso } from '../fsx.js';
+export const LOCAL_COLLABORATION_POLICY_SCHEMA = 'sks.local-collaboration-policy.v1';
+export const LOCAL_COLLABORATION_FINAL_GATE_SCHEMA = 'sks.local-collaboration-final-gate.v1';
+export const DEFAULT_LOCAL_COLLABORATION_MODE = 'local-parallel-gpt-final';
+export const LOCAL_COLLABORATION_MODES = [
+    'disabled',
+    'local-draft-gpt-final',
+    'local-worker-gpt-orchestrator',
+    'local-parallel-gpt-final',
+    'local-only-draft'
+];
+export function resolveLocalCollaborationPolicy(input = {}) {
+    const env = input.env || process.env;
+    const requested = firstText(input.mode, env.SKS_LOCAL_COLLAB_MODE, DEFAULT_LOCAL_COLLABORATION_MODE);
+    const mode = normalizeLocalCollaborationMode(requested);
+    const invalid = mode ? [] : [`invalid_local_collaboration_mode:${requested}`];
+    const resolvedMode = mode || DEFAULT_LOCAL_COLLABORATION_MODE;
+    return {
+        schema: LOCAL_COLLABORATION_POLICY_SCHEMA,
+        generated_at: nowIso(),
+        mode: resolvedMode,
+        default_mode: DEFAULT_LOCAL_COLLABORATION_MODE,
+        local_llm_role: resolvedMode === 'disabled' ? 'disabled' : 'draft_worker',
+        gpt_final_required: resolvedMode !== 'disabled' && resolvedMode !== 'local-only-draft',
+        gpt_final_backend_must_be_remote: resolvedMode !== 'disabled',
+        local_only_draft: resolvedMode === 'local-only-draft',
+        final_accepted_statuses: ['approved', 'modified'],
+        final_patch_source_when_enabled: 'gpt_final_arbiter',
+        blockers: [
+            ...invalid,
+            ...(resolvedMode === 'local-only-draft' ? ['needs_gpt_final_review'] : [])
+        ]
+    };
+}
+export function evaluateLocalCollaborationFinalGate(input = {}) {
+    const policy = input.policy || resolveLocalCollaborationPolicy(input.mode === undefined ? {} : { mode: input.mode });
+    const localParticipated = input.localParticipated !== false && policy.mode !== 'disabled';
+    const status = normalizeGptFinalStatus(input.gptFinalStatus);
+    const requiresGptFinal = policy.gpt_final_required && localParticipated;
+    const gptBackend = String(input.gptFinalBackend || '');
+    const remoteBackendOk = !gptBackend || !isLocalBackendName(gptBackend);
+    const blockers = [
+        ...policy.blockers,
+        ...(requiresGptFinal && input.gptFinalAvailable === false ? ['gpt_final_arbiter_unavailable'] : []),
+        ...(requiresGptFinal && !status ? ['gpt_final_arbiter_missing'] : []),
+        ...(requiresGptFinal && status && !policy.final_accepted_statuses.includes(status) ? [`gpt_final_status_not_accepted:${status}`] : []),
+        ...(requiresGptFinal && !remoteBackendOk ? ['gpt_final_backend_must_not_be_local_llm'] : []),
+        ...(policy.local_only_draft && input.applyPatches === true ? ['local_only_draft_apply_blocked'] : [])
+    ];
+    const accepted = blockers.length === 0 && (!requiresGptFinal || status === 'approved' || status === 'modified');
+    return {
+        schema: LOCAL_COLLABORATION_FINAL_GATE_SCHEMA,
+        generated_at: nowIso(),
+        ok: accepted,
+        mode: policy.mode,
+        local_participated: localParticipated,
+        gpt_final_required: requiresGptFinal,
+        gpt_final_status: status,
+        gpt_final_backend: gptBackend || null,
+        final_status: accepted ? 'accepted' : policy.local_only_draft ? 'draft_only' : 'blocked',
+        apply_allowed: accepted && policy.local_only_draft !== true,
+        release_proof_allowed: accepted,
+        final_patch_source: accepted && policy.mode !== 'disabled' ? policy.final_patch_source_when_enabled : 'not_applicable',
+        blockers
+    };
+}
+export function localCollaborationParticipated(results = []) {
+    return results.some((result) => {
+        const backend = String(result?.backend_router_report?.selected_backend || result?.backend || '').toLowerCase();
+        return backend === 'ollama' || backend === 'local-llm' || backend === 'local_llm';
+    });
+}
+export function normalizeLocalCollaborationMode(value) {
+    const text = String(value ?? '').trim();
+    return LOCAL_COLLABORATION_MODES.includes(text) ? text : null;
+}
+export function normalizeGptFinalStatus(value) {
+    const text = String(value ?? '').trim();
+    return text === 'approved' || text === 'modified' || text === 'rejected' || text === 'needs_more_work' ? text : null;
+}
+function firstText(...values) {
+    for (const value of values) {
+        const text = String(value ?? '').trim();
+        if (text)
+            return text;
+    }
+    return '';
+}
+function isLocalBackendName(value) {
+    const text = value.toLowerCase();
+    return text === 'ollama' || text === 'local-llm' || text === 'local_llm';
+}
+//# sourceMappingURL=local-collaboration-policy.js.map

package/dist/core/local-llm/local-llm-config.js

@@ -0,0 +1,15 @@
+import { resolveOllamaWorkerConfig } from '../agents/ollama-worker-config.js';
+export async function resolveLocalLlmConfig(input = {}) {
+    const config = await resolveOllamaWorkerConfig(input);
+    return {
+        schema: 'sks.local-llm-config.v1',
+        ok: config.ok,
+        enabled: config.enabled,
+        provider: config.provider,
+        model: config.model,
+        base_url: config.base_url,
+        worker_only: true,
+        blockers: config.blockers
+    };
+}
+//# sourceMappingURL=local-llm-config.js.map

package/dist/core/pipeline/final-gpt-patch-stage.js

@@ -0,0 +1,31 @@
+export function selectFinalGptPatchSource(gptFinal, localPatchEnvelopes = []) {
+    const status = String(gptFinal?.result?.status || gptFinal?.status || '');
+    if (status === 'modified') {
+        return {
+            schema: 'sks.final-gpt-patch-stage.v1',
+            ok: true,
+            final_patch_source: 'gpt_final_arbiter',
+            patch_envelopes: Array.isArray(gptFinal?.result?.modified_patch_envelopes) ? gptFinal.result.modified_patch_envelopes : [],
+            blockers: []
+        };
+    }
+    if (status === 'approved') {
+        return {
+            schema: 'sks.final-gpt-patch-stage.v1',
+            ok: true,
+            final_patch_source: 'gpt_final_arbiter',
+            patch_envelopes: Array.isArray(gptFinal?.result?.accepted_patch_envelopes) && gptFinal.result.accepted_patch_envelopes.length
+                ? gptFinal.result.accepted_patch_envelopes
+                : localPatchEnvelopes,
+            blockers: []
+        };
+    }
+    return {
+        schema: 'sks.final-gpt-patch-stage.v1',
+        ok: false,
+        final_patch_source: 'blocked',
+        patch_envelopes: [],
+        blockers: ['gpt_final_not_approved']
+    };
+}
+//# sourceMappingURL=final-gpt-patch-stage.js.map

package/dist/core/pipeline/final-gpt-review-stage.js

@@ -0,0 +1,5 @@
+import { runGptFinalArbiter } from '../codex-control/gpt-final-arbiter.js';
+export async function runFinalGptReviewStage(input, opts = {}) {
+    return runGptFinalArbiter(input, opts);
+}
+//# sourceMappingURL=final-gpt-review-stage.js.map

package/dist/core/safety/mutation-guard.js

@@ -162,6 +162,8 @@ export async function guardedProcessKill(ctx, pid, opts = {}) {
 export async function guardedPackageInstall(ctx, spec, opts) {
     return guard(ctx, 'package_install', spec, opts, async () => {
         const runOpts = { timeoutMs: opts.timeoutMs ?? 600000 };
+        if (opts.cwd !== undefined)
+            runOpts.cwd = opts.cwd;
         if (opts.env !== undefined)
             runOpts.env = opts.env;
         if (opts.maxOutputBytes !== undefined)

package/dist/core/update-check.js

@@ -1,6 +1,8 @@
 import os from 'node:os';
 import path from 'node:path';
 import { PACKAGE_VERSION, packageRoot, readJson, runProcess, which } from './fsx.js';
+import { createRequestedScopeContract } from './safety/requested-scope-contract.js';
+import { guardedPackageInstall, guardContextForRoute } from './safety/mutation-guard.js';
 const DEFAULT_REGISTRY = 'https://registry.npmjs.org/';
 export async function runSksUpdateCheck(options = {}) {
     const packageName = options.packageName || 'sneakoscope';
@@ -17,9 +19,21 @@ export async function runSksUpdateCheck(options = {}) {
         effectiveOptions.timeoutMs = options.timeoutMs;
     if (options.maxOutputBytes !== undefined)
         effectiveOptions.maxOutputBytes = options.maxOutputBytes;
-    const effective = await detectEffectiveSksVersion(effectiveOptions);
-    const current = effective.current;
     const override = env[versionOverrideEnvName(packageName)];
+    const effectivePromise = detectEffectiveSksVersion(effectiveOptions);
+    const latestPromise = !override && npmBin
+        ? runProcess(npmBin, ['view', packageName, 'version', '--silent', '--registry', registry], {
+            env,
+            timeoutMs: options.timeoutMs ?? 5000,
+            maxOutputBytes: options.maxOutputBytes ?? 4096
+        }).catch((err) => ({
+            code: 1,
+            stdout: '',
+            stderr: err instanceof Error ? err.message : String(err)
+        }))
+        : Promise.resolve(null);
+    const effective = await effectivePromise;
+    const current = effective.current;
     if (override)
         return buildResult({ packageName, current, effective, latest: override, registry, npmBin });
     if (!npmBin) {
@@ -33,16 +47,18 @@ export async function runSksUpdateCheck(options = {}) {
             error: 'npm not found on PATH'
         });
     }
-    const args = ['view', packageName, 'version', '--silent', '--registry', registry];
-    const result = await runProcess(npmBin, args, {
-        env,
-        timeoutMs: options.timeoutMs ?? 5000,
-        maxOutputBytes: options.maxOutputBytes ?? 4096
-    }).catch((err) => ({
-        code: 1,
-        stdout: '',
-        stderr: err instanceof Error ? err.message : String(err)
-    }));
+    const result = await latestPromise;
+    if (!result) {
+        return buildResult({
+            packageName,
+            current,
+            effective,
+            latest: null,
+            registry,
+            npmBin,
+            error: 'npm view failed'
+        });
+    }
     if (result.code !== 0) {
         return buildResult({
             packageName,
@@ -157,7 +173,17 @@ export async function runSksUpdateNow(options = {}) {
             error: null
         });
     }
-    const install = await runProcess(npmBin, npmArgs, {
+    const mutationLedgerRoot = env.SKS_MUTATION_LEDGER_ROOT || packageRoot();
+    const installContract = createRequestedScopeContract({
+        route: 'update',
+        userRequest: command || `npm global install ${packageName}`,
+        projectRoot: mutationLedgerRoot,
+        overrides: { package_install: true }
+    });
+    const install = await guardedPackageInstall(guardContextForRoute(mutationLedgerRoot, installContract, command || `npm global install ${packageName}`), `${packageName}@${installVersion}`, {
+        confirmed: true,
+        command: npmBin,
+        args: npmArgs,
         cwd,
         env,
         timeoutMs: options.timeoutMs ?? 10 * 60 * 1000,
@@ -202,25 +228,34 @@ export async function detectEffectiveSksVersion(options = {}) {
     };
     add(options.currentVersion || PACKAGE_VERSION, 'runtime');
     add(env.SKS_INSTALLED_SKS_VERSION, 'env:SKS_INSTALLED_SKS_VERSION');
-    const pkg = await readJson(path.join(packageRoot(), 'package.json'), {}).catch(() => ({}));
-    add(pkg?.version, 'packageRoot:package.json');
-    const sks = await which('sks').catch(() => null);
-    if (sks) {
+    const packageRootPromise = readJson(path.join(packageRoot(), 'package.json'), {}).catch(() => ({}));
+    const pathSksPromise = which('sks')
+        .then(async (sks) => {
+        if (!sks)
+            return null;
         const result = await runProcess(sks, ['--version'], {
             timeoutMs: 2000,
             maxOutputBytes: 4096,
             env: { ...env, SKS_DISABLE_UPDATE_CHECK: '1' }
         }).catch((err) => ({ code: 1, stdout: '', stderr: err?.message || String(err) }));
-        if (result.code === 0)
-            add(result.stdout, `PATH:${sks}`);
-        else
-            errors.push(`path_sks_version:${String(result.stderr || result.stdout || 'failed').trim()}`);
-    }
-    if (npmBin) {
-        const npmGlobal = await detectNpmGlobalPackageVersion(npmBin, packageName, env, {
+        return { sks, result };
+    })
+        .catch(() => null);
+    const npmGlobalPromise = npmBin
+        ? detectNpmGlobalPackageVersion(npmBin, packageName, env, {
             timeoutMs: options.timeoutMs ?? 2500,
             maxOutputBytes: options.maxOutputBytes ?? 8192
-        }).catch((err) => ({ version: null, error: err?.message || String(err) }));
+        }).catch((err) => ({ version: null, error: err?.message || String(err) }))
+        : Promise.resolve(null);
+    const [pkg, pathSks, npmGlobal] = await Promise.all([packageRootPromise, pathSksPromise, npmGlobalPromise]);
+    add(pkg?.version, 'packageRoot:package.json');
+    if (pathSks?.sks) {
+        if (pathSks.result.code === 0)
+            add(pathSks.result.stdout, `PATH:${pathSks.sks}`);
+        else
+            errors.push(`path_sks_version:${String(pathSks.result.stderr || pathSks.result.stdout || 'failed').trim()}`);
+    }
+    if (npmGlobal) {
         add(npmGlobal.version, `npm-global:${packageName}`);
         if (npmGlobal.error)
             errors.push(`npm_global_version:${npmGlobal.error}`);

package/dist/core/version.js

@@ -1,2 +1,2 @@
-export const PACKAGE_VERSION = '2.0.2';
+export const PACKAGE_VERSION = '2.0.4';
 //# sourceMappingURL=version.js.map

package/dist/scripts/codex-sdk-team-naruto-agent-pipeline-check.js

@@ -6,6 +6,7 @@ const naruto = readText('src/core/commands/naruto-command.ts');
 const agent = readText('src/core/agents/agent-command-surface.ts');
 assertGate(team.includes("backend: mock ? 'fake' : 'codex-sdk'"), 'Team must default to codex-sdk');
 assertGate(naruto.includes("backend: 'codex-sdk'"), 'Naruto help/defaults must expose codex-sdk');
-assertGate(agent.includes("hasFlag(args, '--mock') ? 'fake' : 'codex-sdk'"), 'Agent command surface must default to codex-sdk');
+assertGate(agent.includes("useOllama && !noOllama ? 'ollama' : 'codex-sdk'"), 'Agent command surface must default to codex-sdk unless local model is explicit');
+assertGate(agent.includes('backendExplicit'), 'Agent command surface must preserve explicit backend/local-model intent');
 emitGate('codex-sdk:team-naruto-agent-pipeline', { routes: ['$Team', '$Naruto', '$Agent'] });
 //# sourceMappingURL=codex-sdk-team-naruto-agent-pipeline-check.js.map

package/dist/scripts/gpt-final-arbiter-check.js

@@ -0,0 +1,63 @@
+#!/usr/bin/env node
+// @ts-nocheck
+import fs from 'node:fs/promises';
+import os from 'node:os';
+import path from 'node:path';
+import { assertGate, emitGate, importDist, readJsonFile, root } from './lib/codex-sdk-gate-lib.js';
+const mod = await importDist('core/codex-control/gpt-final-arbiter.js');
+const old = snapshotEnv();
+process.env.NODE_ENV = 'test';
+process.env.SKS_CODEX_SDK_FAKE = '1';
+delete process.env.SKS_GPT_FINAL_ARBITER_UNAVAILABLE;
+try {
+    const tmp = await fs.mkdtemp(path.join(os.tmpdir(), 'sks-gpt-final-arbiter-'));
+    const approved = await mod.runGptFinalArbiter(fixtureInput('approved'), { cwd: root, mutationLedgerRoot: tmp });
+    assertGate(approved.ok === true, 'GPT final arbiter fixture must approve safe candidate', approved);
+    assertGate(approved.backend === 'codex-sdk', 'GPT final arbiter backend must be codex-sdk');
+    assertGate(approved.result.status === 'approved', 'safe candidate must return approved');
+    assertGate(approved.final_gate.ok === true, 'approved arbiter result must pass final gate');
+    const artifact = await readJsonFile(path.join(tmp, 'gpt-final-arbiter.json'));
+    assertGate(artifact.result.schema === 'sks.gpt-final-arbiter-result.v1', 'arbiter artifact must contain schema-valid result');
+    const unsafeTmp = await fs.mkdtemp(path.join(os.tmpdir(), 'sks-gpt-final-arbiter-unsafe-'));
+    const rejected = await mod.runGptFinalArbiter({ ...fixtureInput('unsafe'), candidate_diff: 'unsafe delete all credential patch' }, { cwd: root, mutationLedgerRoot: unsafeTmp });
+    assertGate(rejected.ok === false, 'unsafe candidate must not pass final arbiter');
+    assertGate(rejected.result.status === 'rejected', 'unsafe candidate must be rejected');
+    assertGate(rejected.blockers.includes('unsafe_candidate_patch'), 'unsafe rejection blocker must be preserved');
+    emitGate('local-collab:gpt-final-arbiter', { approved: approved.result.status, rejected: rejected.result.status });
+}
+finally {
+    restoreEnv(old);
+}
+function fixtureInput(label) {
+    return {
+        schema: 'sks.gpt-final-arbiter-input.v1',
+        route: '$Naruto',
+        mission_id: `M-${label}`,
+        local_mode: 'local-parallel-gpt-final',
+        local_outputs: [
+            { worker_id: 'slot-001/gen-1', backend: 'local-llm', summary: 'candidate patch drafted', patch_envelopes: [], proof: 'local draft' }
+        ],
+        candidate_diff: 'diff --git a/example.ts b/example.ts',
+        candidate_patch_envelopes: [],
+        verification_results: [{ ok: true, status: 'passed' }],
+        side_effect_report: { ok: true },
+        mutation_ledger: { ok: true },
+        rollback_plan: { ok: true }
+    };
+}
+function snapshotEnv() {
+    return {
+        NODE_ENV: process.env.NODE_ENV,
+        SKS_CODEX_SDK_FAKE: process.env.SKS_CODEX_SDK_FAKE,
+        SKS_GPT_FINAL_ARBITER_UNAVAILABLE: process.env.SKS_GPT_FINAL_ARBITER_UNAVAILABLE
+    };
+}
+function restoreEnv(old) {
+    for (const [key, value] of Object.entries(old)) {
+        if (value === undefined)
+            delete process.env[key];
+        else
+            process.env[key] = value;
+    }
+}
+//# sourceMappingURL=gpt-final-arbiter-check.js.map

package/dist/scripts/gpt-final-arbiter-performance-check.js

@@ -0,0 +1,36 @@
+#!/usr/bin/env node
+// @ts-nocheck
+import { assertGate, emitGate, importDist } from './lib/codex-sdk-gate-lib.js';
+const compressor = await importDist('core/codex-control/gpt-final-context-compressor.js');
+const local_outputs = Array.from({ length: 20 }, (_, index) => ({
+    worker_id: `slot-${String(index + 1).padStart(3, '0')}/gen-1`,
+    backend: 'local-llm',
+    status: 'done',
+    summary: `worker ${index + 1} summarized a bounded shard`,
+    changed_files: [`src/example-${index + 1}.ts`],
+    blockers: []
+}));
+const candidate_patch_envelopes = local_outputs.map((output, index) => ({
+    id: `patch-${index + 1}`,
+    agent_id: output.worker_id,
+    source: 'model_authored',
+    lease_id: `lease-${index + 1}`,
+    rollback_hint: { ok: true },
+    operations: [{ op: 'replace', path: output.changed_files[0], search: 'before', replace: 'after' }]
+}));
+const report = compressor.compressGptFinalContext({
+    route: '$Naruto',
+    mission_id: 'M-20-local-workers',
+    local_mode: 'local-parallel-gpt-final',
+    local_outputs,
+    candidate_patch_envelopes,
+    verification_results: [{ ok: true, status: 'passed' }],
+    side_effect_report: { ok: true },
+    mutation_ledger: { ok: true },
+    rollback_plan: { ok: true }
+});
+assertGate(report.proof_pack.worker_count === 20, 'proof pack must include 20 worker summaries');
+assertGate(report.proof_pack.token_budget_estimate < 8000, '20-worker proof pack must stay under token budget', report.proof_pack);
+assertGate(report.latency_budget.ok === true, 'GPT final latency budget report must pass');
+emitGate('local-collab:gpt-final-performance', { workers: report.proof_pack.worker_count, token_budget_estimate: report.proof_pack.token_budget_estimate });
+//# sourceMappingURL=gpt-final-arbiter-performance-check.js.map

package/dist/scripts/local-collab-gpt-final-availability-check.js

@@ -0,0 +1,58 @@
+#!/usr/bin/env node
+// @ts-nocheck
+import fs from 'node:fs/promises';
+import os from 'node:os';
+import path from 'node:path';
+import { assertGate, emitGate, importDist, root } from './lib/codex-sdk-gate-lib.js';
+const arbiterMod = await importDist('core/codex-control/gpt-final-arbiter.js');
+const doctorMod = await importDist('core/doctor/doctor-readiness-matrix.js');
+const old = snapshotEnv();
+try {
+    process.env.SKS_GPT_FINAL_ARBITER_UNAVAILABLE = '1';
+    const unavailable = await arbiterMod.runGptFinalArbiter(input('unavailable'), { writeArtifact: false, forceUnavailable: true });
+    assertGate(unavailable.ok === false, 'GPT unavailable fixture must block final apply');
+    assertGate(unavailable.blockers.includes('gpt_final_arbiter_unavailable'), 'GPT unavailable blocker must be present');
+    const doctor = doctorMod.buildDoctorReadinessMatrix({
+        codex: { available: false },
+        codex_config: { ok: true, checks: [] },
+        local_collaboration: { mode: 'local-parallel-gpt-final', gpt_final_arbiter_available: false }
+    });
+    assertGate(doctor.blockers.includes('gpt_final_arbiter_unavailable'), 'doctor must report gpt_final_arbiter_unavailable');
+    delete process.env.SKS_GPT_FINAL_ARBITER_UNAVAILABLE;
+    process.env.NODE_ENV = 'test';
+    process.env.SKS_CODEX_SDK_FAKE = '1';
+    const tmp = await fs.mkdtemp(path.join(os.tmpdir(), 'sks-gpt-final-available-'));
+    const available = await arbiterMod.runGptFinalArbiter(input('available'), { cwd: root, mutationLedgerRoot: tmp });
+    assertGate(available.ok === true, 'GPT available fixture must pass final arbiter');
+    emitGate('local-collab:gpt-final-availability', { unavailable: unavailable.result.status, available: available.result.status });
+}
+finally {
+    restoreEnv(old);
+}
+function input(label) {
+    return {
+        schema: 'sks.gpt-final-arbiter-input.v1',
+        route: '$Team',
+        mission_id: `M-${label}`,
+        local_mode: 'local-parallel-gpt-final',
+        local_outputs: [{ worker_id: 'local', backend: 'local-llm', summary: 'candidate' }],
+        candidate_patch_envelopes: [],
+        verification_results: []
+    };
+}
+function snapshotEnv() {
+    return {
+        NODE_ENV: process.env.NODE_ENV,
+        SKS_CODEX_SDK_FAKE: process.env.SKS_CODEX_SDK_FAKE,
+        SKS_GPT_FINAL_ARBITER_UNAVAILABLE: process.env.SKS_GPT_FINAL_ARBITER_UNAVAILABLE
+    };
+}
+function restoreEnv(old) {
+    for (const [key, value] of Object.entries(old)) {
+        if (value === undefined)
+            delete process.env[key];
+        else
+            process.env[key] = value;
+    }
+}
+//# sourceMappingURL=local-collab-gpt-final-availability-check.js.map

package/dist/scripts/local-collab-no-local-only-final-check.js

@@ -0,0 +1,27 @@
+#!/usr/bin/env node
+// @ts-nocheck
+import { assertGate, emitGate, importDist } from './lib/codex-sdk-gate-lib.js';
+const policyMod = await importDist('core/local-llm/local-collaboration-policy.js');
+const arbiterMod = await importDist('core/codex-control/gpt-final-arbiter.js');
+const gate = policyMod.evaluateLocalCollaborationFinalGate({
+    mode: 'local-only-draft',
+    localParticipated: true,
+    gptFinalStatus: null,
+    gptFinalAvailable: false,
+    applyPatches: true
+});
+assertGate(gate.ok === false, 'local-only-draft must not be final accepted');
+assertGate(gate.final_status === 'draft_only', 'local-only-draft must end as draft_only');
+assertGate(gate.apply_allowed === false, 'local-only-draft must block apply');
+const result = await arbiterMod.runGptFinalArbiter({
+    schema: 'sks.gpt-final-arbiter-input.v1',
+    route: '$DFix',
+    mission_id: 'M-local-only-draft',
+    local_mode: 'local-only-draft',
+    local_outputs: [{ worker_id: 'local', backend: 'local-llm', summary: 'draft only' }],
+    candidate_patch_envelopes: []
+}, { writeArtifact: false });
+assertGate(result.ok === false, 'local-only-draft arbiter result must not pass');
+assertGate(result.blockers.includes('needs_gpt_final_review'), 'local-only-draft arbiter must include needs_gpt_final_review');
+emitGate('local-collab:no-local-only-final', { final_status: gate.final_status, blockers: result.blockers.length });
+//# sourceMappingURL=local-collab-no-local-only-final-check.js.map

package/dist/scripts/local-collab-policy-check.js

@@ -0,0 +1,17 @@
+#!/usr/bin/env node
+// @ts-nocheck
+import { assertGate, emitGate, importDist, readText } from './lib/codex-sdk-gate-lib.js';
+const policyMod = await importDist('core/local-llm/local-collaboration-policy.js');
+const schemaText = readText('schemas/local-llm/local-collaboration-policy.schema.json');
+const policy = policyMod.resolveLocalCollaborationPolicy({ env: {} });
+assertGate(policy.mode === 'local-parallel-gpt-final', 'default local collaboration mode must be local-parallel-gpt-final');
+assertGate(policy.gpt_final_required === true, 'default local collaboration mode must require GPT final');
+assertGate(policy.final_patch_source_when_enabled === 'gpt_final_arbiter', 'final patch source must be GPT final arbiter');
+assertGate(schemaText.includes('local-only-draft'), 'policy schema must include local-only-draft mode');
+const draft = policyMod.resolveLocalCollaborationPolicy({ mode: 'local-only-draft' });
+const draftGate = policyMod.evaluateLocalCollaborationFinalGate({ policy: draft, localParticipated: true, applyPatches: true });
+assertGate(draftGate.ok === false, 'local-only-draft must not pass final gate');
+assertGate(draftGate.blockers.includes('needs_gpt_final_review'), 'local-only-draft must carry needs_gpt_final_review');
+assertGate(draftGate.blockers.includes('local_only_draft_apply_blocked'), 'local-only-draft must block apply');
+emitGate('local-collab:policy', { default_mode: policy.mode, draft_blockers: draftGate.blockers.length });
+//# sourceMappingURL=local-collab-policy-check.js.map

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "sneakoscope",
   "displayName": "ㅅㅋㅅ",
-  "version": "2.0.2",
+  "version": "2.0.4",
   "description": "Sneakoscope Codex: fast proof-first Codex trust layer with image-based Voxel TriWiki.",
   "type": "module",
   "homepage": "https://github.com/mandarange/Sneakoscope-Codex#readme",
@@ -283,11 +283,16 @@
     "codex-control:tool-call-sequence-repair": "node ./dist/scripts/codex-control-tool-call-sequence-repair-check.js",
     "codex-control:keepalive-no-cot-leak": "node ./dist/scripts/codex-control-keepalive-no-cot-leak-check.js",
     "codex-control:real-smoke": "node ./dist/scripts/codex-sdk-real-smoke-check.js",
+    "local-collab:policy": "node ./dist/scripts/local-collab-policy-check.js",
+    "local-collab:gpt-final-arbiter": "node ./dist/scripts/gpt-final-arbiter-check.js",
+    "local-collab:no-local-only-final": "node ./dist/scripts/local-collab-no-local-only-final-check.js",
+    "local-collab:gpt-final-availability": "node ./dist/scripts/local-collab-gpt-final-availability-check.js",
+    "local-collab:gpt-final-performance": "node ./dist/scripts/gpt-final-arbiter-performance-check.js",
     "ultra-router:classification": "node ./dist/scripts/ultra-router-classification-check.js",
     "ultra-router:auto-router": "node ./dist/scripts/ultra-router-auto-router-check.js",
     "coverage": "node --experimental-test-coverage --test \"test/**/*.test.mjs\"",
-    "release:check": "npm run release:check:parallel && npm run mad-sks:app-ui-no-mutation && npm run codex-app:fast-ui-preservation && npm run codex-app:ui-clobber-guard && npm run doctor:fixes-codex-app-fast-ui && npm run provider:badge-context && npm run provider:context-config-toml && npm run codex-app:provider-badge && npm run zellij:spawn-on-demand-layout && npm run zellij:worker-pane-manager && npm run zellij:worker-pane-manager-single-owner && npm run agent:worker-pane-communication-contract && npm run runtime:no-mjs-scripts && npm run runtime:ts-python-boundary && npm run codex-sdk:capability && npm run codex-sdk:no-legacy-fallback && npm run codex-sdk:backend-router && npm run codex-sdk:structured-output && npm run codex-sdk:event-stream-ledger && npm run codex-sdk:thread-registry && npm run codex-sdk:sandbox-policy && npm run codex-sdk:zellij-pane-binding && npm run codex-sdk:all-pipelines && npm run codex-sdk:dfix-pipeline && npm run codex-sdk:qa-pipeline && npm run codex-sdk:research-pipeline && npm run codex-sdk:team-naruto-agent-pipeline && npm run codex-sdk:release-review-pipeline && npm run codex-sdk:ux-ppt-review-pipeline && npm run codex-sdk:core-skill-pipeline && npm run codex-control:capability && npm run codex-control:no-legacy-fallback && npm run codex-control:structured-output && npm run codex-control:event-stream-ledger && npm run codex-control:thread-registry && npm run codex-control:side-effect-scope && npm run codex-control:all-pipelines && npm run codex-control:empty-result-retry && npm run codex-control:stream-idle-watchdog && npm run codex-control:tool-call-sequence-repair && npm run codex-control:keepalive-no-cot-leak && npm run ultra-router:classification && npm run ultra-router:auto-router && npm run release:version-truth && npm run codex:0.136-compat && npm run codex:0.135-compat && npm run doctor:codex-doctor-parity && npm run codex:permission-profiles && npm run codex:legacy-profile-consumers-removed && npm run terminal:keyboard-enhancement-safety && npm run terminal:tui-output-stability && npm run codex:resume-cwd-truth && npm run mcp:tool-naming-parity && npm run responses:retry-policy-centralized && npm run runtime:no-tmux && npm run zellij:layout-valid && npm run agent:zellij-dynamic-backfill-panes && npm run agent:worker-pane-communication-contract && npm run agent:slot-pane-binding-proof && npm run zellij:worker-pane-manager && npm run zellij:spawn-on-demand-layout && npm run zellij:lane-renderer && npm run mad-sks:zellij-launch && npm run mad-sks:zellij-default-pane-worker && npm run agent:zellij-runtime && npm run codex:config-eperm-fixture && npm run doctor:fix-proves-codex-read && npm run mad:preflight-blocks-unreadable-config && npm run fast:codex-service-tier-proof && npm run codex:project-config-policy-splitter && npm run test:no-orphan-dist-imports && npm run agent:patch-envelope-extraction && npm run agent:patch-queue-runtime && npm run agent:strategy-to-lease-wiring && npm run agent:patch-swarm-runtime && npm run agent:patch-transaction-journal && npm run agent:patch-conflict-rebase && npm run agent:strategy-to-patch-strict && npm run agent:patch-swarm-runtime-truth && npm run agent:rollback-command && npm run agent:patch-verification-dag && npm run agent:patch-rollback-dag && npm run agent:patch-proof-runtime && npm run agent:patch-swarm-route-blackbox && npm run team:patch-swarm-route-blackbox && npm run dfix:patch-swarm-route-blackbox && npm run appshots:thread-attachment-discovery && npm run mcp:readonly-runtime-scheduler && npm run codex:0.134-runner-truth && npm run agent:native-cli-session-swarm && npm run agent:native-cli-session-swarm-10 && npm run agent:native-cli-session-swarm-20 && npm run agent:no-subagent-scaling && npm run agent:native-cli-session-proof && npm run agent:worker-backend-router && npm run agent:codex-child-overlap && npm run agent:model-authored-patch-envelope && npm run agent:fast-mode-default && npm run agent:fast-mode-worker-propagation && npm run codex:fast-mode-profile-propagation && npm run mad-sks:fast-mode-propagation && npm run zellij:launch-command-truth && npm run zellij:real-session-heartbeat && npm run zellij:ui-design && npm run zellij:doctor-readiness && npm run legacy:upgrade-zero-break && npm run publish:packlist-performance && npm run postinstall:safe-side-effects && npm run runtime:ts-rust-boundary && npm run core-skill:card-schema && npm run core-skill:rollout-scoring && npm run core-skill:patch && npm run core-skill:heldout-validation && npm run core-skill:deployment-snapshot && npm run core-skill:no-inference-optimizer && npm run core-skill:route-runtime-integration && npm run core-skill:promotion-side-effect-ledger && npm run core-skill:legacy-promotion-api-audit && npm run safety:side-effect-zero && npm run safety:mutation-callsite-coverage && npm run safety:mutation-callsite-coverage:repo-wide && npm run side-effect:runtime-report && npm run release:gate-planner && npm run release:dynamic-performance && npm run release:provenance && npm run release:gate-budget && npm run agent:wiki-context-proof && npm run shared-memory:check && npm run wrongness:check && npm run wrongness:fixtures && npm run trust:check && npm run git-collaboration:e2e && node ./dist/scripts/release-check-stamp.js write && npm run release:readiness --silent && node ./dist/scripts/release-check-stamp.js write",
-    "release:real-check": "node ./dist/scripts/release-real-check.js && npm run codex-control:real-smoke -- --require-real && npm run codex-sdk:real-smoke -- --require-real && npm run zellij:real-session-launch -- --require-real --main-only --mission M-release-real-zellij-extra --session sks-rrz-extra && npm run zellij:pane-proof -- --require-real --mission M-release-real-zellij-extra --session sks-rrz-extra --expected-lanes 0 && npm run zellij:screen-proof -- --require-real --main-only --mission M-release-real-zellij-extra && npm run zellij:real-session-cleanup -- --mission M-release-real-zellij-extra --session sks-rrz-extra && npm run agent:real-codex-in-zellij-worker-pane -- --require-real",
+    "release:check": "npm run release:check:parallel && npm run mad-sks:app-ui-no-mutation && npm run codex-app:fast-ui-preservation && npm run codex-app:ui-clobber-guard && npm run doctor:fixes-codex-app-fast-ui && npm run provider:badge-context && npm run provider:context-config-toml && npm run codex-app:provider-badge && npm run zellij:spawn-on-demand-layout && npm run zellij:worker-pane-manager && npm run zellij:worker-pane-manager-single-owner && npm run agent:worker-pane-communication-contract && npm run runtime:no-mjs-scripts && npm run runtime:ts-python-boundary && npm run codex-sdk:capability && npm run codex-sdk:no-legacy-fallback && npm run codex-sdk:backend-router && npm run codex-sdk:structured-output && npm run codex-sdk:event-stream-ledger && npm run codex-sdk:thread-registry && npm run codex-sdk:sandbox-policy && npm run codex-sdk:zellij-pane-binding && npm run codex-sdk:all-pipelines && npm run codex-sdk:dfix-pipeline && npm run codex-sdk:qa-pipeline && npm run codex-sdk:research-pipeline && npm run codex-sdk:team-naruto-agent-pipeline && npm run codex-sdk:release-review-pipeline && npm run codex-sdk:ux-ppt-review-pipeline && npm run codex-sdk:core-skill-pipeline && npm run codex-control:capability && npm run codex-control:no-legacy-fallback && npm run codex-control:structured-output && npm run codex-control:event-stream-ledger && npm run codex-control:thread-registry && npm run codex-control:side-effect-scope && npm run codex-control:all-pipelines && npm run codex-control:empty-result-retry && npm run codex-control:stream-idle-watchdog && npm run codex-control:tool-call-sequence-repair && npm run codex-control:keepalive-no-cot-leak && npm run local-collab:policy && npm run local-collab:gpt-final-arbiter && npm run local-collab:no-local-only-final && npm run local-collab:gpt-final-availability && npm run ultra-router:classification && npm run ultra-router:auto-router && npm run release:version-truth && npm run codex:0.136-compat && npm run codex:0.135-compat && npm run doctor:codex-doctor-parity && npm run codex:permission-profiles && npm run codex:legacy-profile-consumers-removed && npm run terminal:keyboard-enhancement-safety && npm run terminal:tui-output-stability && npm run codex:resume-cwd-truth && npm run mcp:tool-naming-parity && npm run responses:retry-policy-centralized && npm run runtime:no-tmux && npm run zellij:layout-valid && npm run agent:zellij-dynamic-backfill-panes && npm run agent:worker-pane-communication-contract && npm run agent:slot-pane-binding-proof && npm run zellij:worker-pane-manager && npm run zellij:spawn-on-demand-layout && npm run zellij:lane-renderer && npm run mad-sks:zellij-launch && npm run mad-sks:zellij-default-pane-worker && npm run agent:zellij-runtime && npm run codex:config-eperm-fixture && npm run doctor:fix-proves-codex-read && npm run mad:preflight-blocks-unreadable-config && npm run fast:codex-service-tier-proof && npm run codex:project-config-policy-splitter && npm run test:no-orphan-dist-imports && npm run agent:patch-envelope-extraction && npm run agent:patch-queue-runtime && npm run agent:strategy-to-lease-wiring && npm run agent:patch-swarm-runtime && npm run agent:patch-transaction-journal && npm run agent:patch-conflict-rebase && npm run agent:strategy-to-patch-strict && npm run agent:patch-swarm-runtime-truth && npm run agent:rollback-command && npm run agent:patch-verification-dag && npm run agent:patch-rollback-dag && npm run agent:patch-proof-runtime && npm run agent:patch-swarm-route-blackbox && npm run team:patch-swarm-route-blackbox && npm run dfix:patch-swarm-route-blackbox && npm run appshots:thread-attachment-discovery && npm run mcp:readonly-runtime-scheduler && npm run codex:0.134-runner-truth && npm run agent:native-cli-session-swarm && npm run agent:native-cli-session-swarm-10 && npm run agent:native-cli-session-swarm-20 && npm run agent:no-subagent-scaling && npm run agent:native-cli-session-proof && npm run agent:worker-backend-router && npm run agent:codex-child-overlap && npm run agent:model-authored-patch-envelope && npm run agent:fast-mode-default && npm run agent:fast-mode-worker-propagation && npm run codex:fast-mode-profile-propagation && npm run mad-sks:fast-mode-propagation && npm run zellij:launch-command-truth && npm run zellij:real-session-heartbeat && npm run zellij:ui-design && npm run zellij:doctor-readiness && npm run legacy:upgrade-zero-break && npm run publish:packlist-performance && npm run postinstall:safe-side-effects && npm run runtime:ts-rust-boundary && npm run core-skill:card-schema && npm run core-skill:rollout-scoring && npm run core-skill:patch && npm run core-skill:heldout-validation && npm run core-skill:deployment-snapshot && npm run core-skill:no-inference-optimizer && npm run core-skill:route-runtime-integration && npm run core-skill:promotion-side-effect-ledger && npm run core-skill:legacy-promotion-api-audit && npm run safety:side-effect-zero && npm run safety:mutation-callsite-coverage && npm run safety:mutation-callsite-coverage:repo-wide && npm run side-effect:runtime-report && npm run release:gate-planner && npm run release:dynamic-performance && npm run release:provenance && npm run release:gate-budget && npm run agent:wiki-context-proof && npm run shared-memory:check && npm run wrongness:check && npm run wrongness:fixtures && npm run trust:check && npm run git-collaboration:e2e && node ./dist/scripts/release-check-stamp.js write && npm run release:readiness --silent && node ./dist/scripts/release-check-stamp.js write",
+    "release:real-check": "node ./dist/scripts/release-real-check.js && npm run codex-control:real-smoke -- --require-real && npm run codex-sdk:real-smoke -- --require-real && npm run zellij:real-session-launch -- --require-real --main-only --mission M-release-real-zellij-extra --session sks-rrz-extra && npm run zellij:pane-proof -- --require-real --mission M-release-real-zellij-extra --session sks-rrz-extra --expected-lanes 0 && npm run zellij:screen-proof -- --require-real --main-only --mission M-release-real-zellij-extra && npm run zellij:real-session-cleanup -- --mission M-release-real-zellij-extra --session sks-rrz-extra && npm run agent:real-codex-in-zellij-worker-pane -- --require-real && SKS_REQUIRE_LOCAL_LLM=1 SKS_REQUIRE_GPT_FINAL=1 npm run local-collab:gpt-final-performance",
     "release:publish": "npm run publish:npm",
     "publish:dry": "npm run release:metadata && npm run release:version-truth && npm run publish:packlist-performance && npm run prepublish:release-check-or-fast && node ./dist/scripts/release-check-stamp.js verify && npm run release:provenance -- --publish && npm run release:dist-freshness && npm --cache /tmp/sks-npm-cache publish --dry-run --registry https://registry.npmjs.org/ --access public",
     "publish:npm": "npm --cache /tmp/sks-npm-cache publish --registry https://registry.npmjs.org/ --access public",

package/schemas/local-llm/local-collaboration-policy.schema.json

@@ -0,0 +1,57 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "sks.local-collaboration-policy.v1",
+  "type": "object",
+  "required": [
+    "schema",
+    "mode",
+    "gpt_final_required",
+    "gpt_final_backend_must_be_remote",
+    "local_only_draft",
+    "final_accepted_statuses",
+    "final_patch_source_when_enabled",
+    "blockers"
+  ],
+  "properties": {
+    "schema": {
+      "const": "sks.local-collaboration-policy.v1"
+    },
+    "mode": {
+      "enum": [
+        "disabled",
+        "local-draft-gpt-final",
+        "local-worker-gpt-orchestrator",
+        "local-parallel-gpt-final",
+        "local-only-draft"
+      ]
+    },
+    "gpt_final_required": {
+      "type": "boolean"
+    },
+    "gpt_final_backend_must_be_remote": {
+      "type": "boolean"
+    },
+    "local_only_draft": {
+      "type": "boolean"
+    },
+    "final_accepted_statuses": {
+      "type": "array",
+      "items": {
+        "enum": [
+          "approved",
+          "modified"
+        ]
+      }
+    },
+    "final_patch_source_when_enabled": {
+      "const": "gpt_final_arbiter"
+    },
+    "blockers": {
+      "type": "array",
+      "items": {
+        "type": "string"
+      }
+    }
+  },
+  "additionalProperties": true
+}