sneakoscope 2.0.5 → 2.0.6

package/dist/scripts/naruto-readonly-routing-check.js

@@ -0,0 +1,116 @@
+#!/usr/bin/env node
+// @ts-nocheck
+import fs from 'node:fs';
+import path from 'node:path';
+import { spawnSync } from 'node:child_process';
+import { assertGate, emitGate, exists, importDist, root } from './sks-1-18-gate-lib.js';
+const worker = await importDist('core/agents/agent-worker-pipeline.js');
+const cli = path.join(root, 'dist', 'bin', 'sks.js');
+assertGate(exists('dist/bin/sks.js'), 'dist/bin/sks.js missing (build first)');
+const readOnlyWorker = worker.validateAgentWorkerResult({
+    mission_id: 'M-readonly-routing',
+    agent_id: 'readonly-agent',
+    session_id: 'readonly-session',
+    persona_id: 'verifier',
+    task_slice_id: 'readonly-slice',
+    status: 'done',
+    backend: 'codex-sdk',
+    summary: 'Read-only worker inspected files without proposing a patch.',
+    findings: ['read-only inspection completed'],
+    proposed_changes: [],
+    changed_files: ['src/core/agents/agent-proof-evidence.ts'],
+    lease_compliance: { ok: true, violations: [] },
+    artifacts: [],
+    blockers: [],
+    confidence: 'fixture',
+    handoff_notes: '',
+    unverified: [],
+    writes: [],
+    no_patch_reason: {
+        ok: true,
+        reason: 'read_only_or_no_write_paths',
+        read_only_or_noop_evidence: true
+    },
+    verification: { status: 'passed', checks: ['readonly-no-patch-routing'] }
+});
+assertGate(readOnlyWorker.status === 'done' && !readOnlyWorker.blockers.includes('no_patch_generated'), 'read-only/no-write worker changed_files must not require patch envelopes', readOnlyWorker);
+const writeWorker = worker.validateAgentWorkerResult({
+    ...readOnlyWorker,
+    agent_id: 'write-agent',
+    session_id: 'write-session',
+    task_slice_id: 'write-slice',
+    changed_files: ['src/core/agents/agent-proof-evidence.ts'],
+    no_patch_reason: undefined
+});
+assertGate(writeWorker.status === 'blocked' && writeWorker.blockers.includes('no_patch_generated'), 'write-capable changed_files without patch envelope must still block', writeWorker);
+const readonlyRun = spawnSync(process.execPath, [
+    cli,
+    'naruto',
+    'run',
+    'readonly routing must inspect `src/core/agents/agent-proof-evidence.ts` and `package.json` without writes',
+    '--clones',
+    '4',
+    '--work-items',
+    '4',
+    '--backend',
+    'fake',
+    '--readonly',
+    '--json'
+], { cwd: root, encoding: 'utf8', timeout: 120000, maxBuffer: 6 * 1024 * 1024 });
+const readonlyJson = parseJson(readonlyRun.stdout);
+assertGate(readonlyRun.status === 0 && readonlyJson?.ok === true, 'readonly Naruto fake blackbox must exit ok', { status: readonlyRun.status, stdout: tail(readonlyRun.stdout), stderr: tail(readonlyRun.stderr) });
+assertGate(readonlyJson.proof === 'passed', 'readonly Naruto proof must pass', { proof: readonlyJson.proof, blockers: readonlyJson.run?.proof?.blockers });
+assertGate(readonlyJson.work_graph?.write_allowed_count === 0, 'readonly Naruto work graph must have zero write-allowed items', readonlyJson.work_graph);
+assertGate(Number(readonlyJson.role_distribution?.implementation_like_workers || 0) === 0, 'readonly Naruto role distribution must have zero implementation-like workers', readonlyJson.role_distribution);
+assertGate((readonlyJson.role_distribution?.entries || []).every((entry) => entry.write_allowed === false), 'readonly Naruto role distribution must deny writes for every role', readonlyJson.role_distribution);
+const readonlyRoot = path.join(root, '.sneakoscope', 'missions', readonlyJson.mission_id, 'agents');
+const readonlyProof = readJson(path.join(readonlyRoot, 'agent-proof-evidence.json'));
+const readonlyStrategy = readJson(path.join(readonlyRoot, 'user-request-strategy.json'));
+const readonlyPolicy = readJson(path.join(readonlyRoot, 'agent-parallel-write-policy.json'));
+assertGate(readonlyPolicy.write_mode === 'off' && readonlyPolicy.readonly === true, 'readonly run must force native write policy off', readonlyPolicy);
+assertGate(readonlyStrategy.gate?.write_task_count === 0, 'readonly strategy must not infer write targets from file mentions', readonlyStrategy.gate);
+assertGate(readonlyProof.changed_files_lease_checked === false, 'readonly no-write proof must skip changed_files write-lease checks', readonlyProof);
+assertGate(!(readonlyProof.blockers || []).some((blocker) => /no_patch_generated|lease_changed_file_violation/.test(String(blocker))), 'readonly proof must not contain patch/lease write blockers', readonlyProof.blockers || []);
+const writeRun = spawnSync(process.execPath, [
+    cli,
+    'naruto',
+    'run',
+    'write-capable routing must patch `README.md` through leased envelopes',
+    '--clones',
+    '3',
+    '--work-items',
+    '3',
+    '--backend',
+    'fake',
+    '--parallel-write',
+    '--json'
+], { cwd: root, encoding: 'utf8', timeout: 120000, maxBuffer: 6 * 1024 * 1024 });
+const writeJson = parseJson(writeRun.stdout);
+assertGate(writeRun.status === 0 && writeJson?.ok === true, 'write-capable Naruto fake blackbox must exit ok', { status: writeRun.status, stdout: tail(writeRun.stdout), stderr: tail(writeRun.stderr) });
+const writeRoot = path.join(root, '.sneakoscope', 'missions', writeJson.mission_id, 'agents');
+const writeStrategy = readJson(path.join(writeRoot, 'user-request-strategy.json'));
+const writePolicy = readJson(path.join(writeRoot, 'agent-parallel-write-policy.json'));
+assertGate(writePolicy.write_mode === 'parallel' && writePolicy.readonly === false, 'write-capable Naruto run must carry parallel write policy', writePolicy);
+assertGate(writeStrategy.gate?.write_task_count >= 1, 'write-capable strategy must retain explicit write target inference', writeStrategy.gate);
+emitGate('naruto:readonly-routing', {
+    readonly_mission_id: readonlyJson.mission_id,
+    write_mission_id: writeJson.mission_id,
+    readonly_write_tasks: readonlyStrategy.gate?.write_task_count,
+    write_write_tasks: writeStrategy.gate?.write_task_count
+});
+function readJson(file) {
+    return JSON.parse(fs.readFileSync(file, 'utf8'));
+}
+function parseJson(text) {
+    try {
+        return JSON.parse(text);
+    }
+    catch {
+        return null;
+    }
+}
+function tail(value, limit = 2000) {
+    const text = String(value || '');
+    return text.length <= limit ? text : text.slice(-limit);
+}
+//# sourceMappingURL=naruto-readonly-routing-check.js.map

package/dist/scripts/naruto-shadow-clone-swarm-check.js

@@ -5,6 +5,7 @@
 // changing it for any other route, and that an end-to-end `sks naruto run` actually
 // schedules >20 concurrent clone sessions to completion with proof.
 import { spawnSync } from 'node:child_process';
+import fs from 'node:fs';
 import path from 'node:path';
 import { assertGate, emitGate, importDist, root, exists } from './sks-1-18-gate-lib.js';
 const schema = await importDist('core/agents/agent-schema.js');
@@ -98,8 +99,14 @@ assertGate(typeof parsed.concurrency_capped === 'boolean', 'naruto run must repo
 assertGate(parsed.concurrency_capped === (parsed.clones > parsed.target_active_slots), 'concurrency_capped must reflect clones > live slots', { clones: parsed.clones, target_active_slots: parsed.target_active_slots, concurrency_capped: parsed.concurrency_capped });
 assertGate(parsed.system && Number(parsed.system.safe_concurrency) >= 1, 'naruto run must report system safe_concurrency (host-derived cap)', { system: parsed.system });
 assertGate(parsed.work_graph?.write_allowed_count > 0 && parsed.work_graph?.mixed_work_kinds?.length > 1, 'naruto run must report a mixed work graph with write-capable items', { work_graph: parsed.work_graph });
+assertGate(Number(parsed.work_graph?.parallel_write_wave_count || 0) > 0, 'naruto run must expose at least one parallel write-capable wave with non-overlapping leases', { work_graph: parsed.work_graph });
 assertGate(parsed.role_distribution?.verifier_only === false, 'naruto run proof/status must distinguish active worker roles beyond verifier-only', { role_distribution: parsed.role_distribution });
 assertGate(Number(parsed.role_distribution?.implementation_like_ratio || 0) >= 0.4, 'naruto run must include implementation-like role distribution', { role_distribution: parsed.role_distribution });
+const commandGraphPath = path.join(root, '.sneakoscope', 'missions', parsed.mission_id, 'agents', 'naruto-work-graph.json');
+const commandGraph = JSON.parse(fs.readFileSync(commandGraphPath, 'utf8'));
+const writePaths = commandGraph.work_items.filter((row) => row.write_allowed).flatMap((row) => row.write_paths);
+assertGate(new Set(writePaths).size > 1, 'naruto command default patch-envelope leases must be per work item, not one shared write path', { sample: writePaths.slice(0, 8), unique: new Set(writePaths).size });
+assertGate(commandGraph.active_waves.some((wave) => wave.write_paths.length > 1), 'naruto command graph must contain a parallel write wave when route-local patch envelopes do not overlap', { waves: commandGraph.active_waves.slice(0, 3) });
 const state = parsed.run?.scheduler?.state || parsed.run?.scheduler || {};
 assertGate(Number(state.completed_count) === proofClones, 'all clone work items must complete despite throttling', { completed_count: state.completed_count });
 const explicitConcurrency = spawnSync(process.execPath, [cli, 'naruto', 'run', 'explicit concurrency', '--clones', '6', '--backend', 'fake', '--work-items', '6', '--concurrency', '6', '--json'], { cwd: root, encoding: 'utf8', timeout: 120000, maxBuffer: 4 * 1024 * 1024 });

package/dist/scripts/product-design-auto-install-check.js

@@ -0,0 +1,119 @@
+#!/usr/bin/env node
+// @ts-nocheck
+import { ensureProductDesignPluginInstalledWithRequest, findProductDesignPluginSummaryFromMarketplaces, productDesignAutoInstallRequested } from '../core/product-design-app-server.js';
+import { PRODUCT_DESIGN_PLUGIN, PRODUCT_DESIGN_REQUIRED_SKILLS } from '../core/product-design-plugin.js';
+import { assertGate, emitGate, readText } from './lib/codex-sdk-gate-lib.js';
+function pluginReadResponse({ installed, enabled }) {
+    return {
+        plugin: {
+            marketplaceName: PRODUCT_DESIGN_PLUGIN.marketplace,
+            marketplacePath: null,
+            summary: {
+                id: PRODUCT_DESIGN_PLUGIN.id,
+                remotePluginId: PRODUCT_DESIGN_PLUGIN.remote_plugin_id,
+                name: PRODUCT_DESIGN_PLUGIN.name,
+                installed,
+                enabled,
+                interface: {
+                    displayName: PRODUCT_DESIGN_PLUGIN.display_name
+                }
+            },
+            skills: PRODUCT_DESIGN_REQUIRED_SKILLS.map((name) => ({ name, enabled: true }))
+        }
+    };
+}
+let installed = false;
+const installCalls = [];
+const installResult = await ensureProductDesignPluginInstalledWithRequest(async (method, params) => {
+    installCalls.push({ method, params });
+    if (method === 'plugin/read')
+        return pluginReadResponse({ installed, enabled: installed });
+    if (method === 'plugin/install') {
+        assertGate(params.pluginName === PRODUCT_DESIGN_PLUGIN.remote_plugin_id, 'plugin/install must use Product Design remote plugin id', params);
+        installed = true;
+        return { authPolicy: 'ON_USE', appsNeedingAuth: [] };
+    }
+    if (method === 'plugin/installed')
+        return { marketplaces: [], marketplaceLoadErrors: [] };
+    throw new Error(`unexpected method: ${method}`);
+}, { autoInstallProductDesign: true, env: {} });
+assertGate(installResult.ok, 'Product Design ensure must pass after fake plugin/install', installResult);
+assertGate(installResult.install_attempted === true, 'Product Design ensure must attempt install when read evidence is not ready', installResult);
+assertGate(installCalls.some((call) => call.method === 'plugin/install'), 'Product Design ensure did not call plugin/install', installCalls);
+assertGate(installResult.after_evidence.ok, 'Product Design after_evidence must be ready after install', installResult);
+installed = false;
+const dryCalls = [];
+const dryResult = await ensureProductDesignPluginInstalledWithRequest(async (method, params) => {
+    dryCalls.push({ method, params });
+    if (method === 'plugin/read')
+        return pluginReadResponse({ installed: false, enabled: false });
+    throw new Error(`unexpected dry method: ${method}`);
+}, { autoInstallProductDesign: false, env: {} });
+assertGate(!dryResult.ok, 'Product Design dry ensure must not claim ready when read evidence is not ready', dryResult);
+assertGate(dryResult.install_attempted === false, 'Product Design dry ensure must not attempt install', dryResult);
+assertGate(!dryCalls.some((call) => call.method === 'plugin/install'), 'Product Design dry ensure must not call plugin/install', dryCalls);
+const marketplaceList = {
+    marketplaces: [{
+            name: PRODUCT_DESIGN_PLUGIN.marketplace,
+            plugins: [{
+                    id: PRODUCT_DESIGN_PLUGIN.id,
+                    remotePluginId: PRODUCT_DESIGN_PLUGIN.remote_plugin_id,
+                    name: PRODUCT_DESIGN_PLUGIN.name,
+                    installed: true,
+                    enabled: true,
+                    interface: {
+                        displayName: PRODUCT_DESIGN_PLUGIN.display_name
+                    }
+                }]
+        }],
+    marketplaceLoadErrors: []
+};
+const discovered = findProductDesignPluginSummaryFromMarketplaces(marketplaceList);
+assertGate(discovered?.remotePluginId === PRODUCT_DESIGN_PLUGIN.remote_plugin_id, 'Product Design vertical plugin/list discovery must return remote id', discovered);
+let readCount = 0;
+const listCalls = [];
+const listFallbackResult = await ensureProductDesignPluginInstalledWithRequest(async (method, params) => {
+    listCalls.push({ method, params });
+    if (method === 'plugin/read') {
+        readCount += 1;
+        if (readCount === 1)
+            throw new Error('simulated stale read id');
+        return pluginReadResponse({ installed: true, enabled: true });
+    }
+    if (method === 'plugin/list')
+        return marketplaceList;
+    throw new Error(`unexpected list fallback method: ${method}`);
+}, { autoInstallProductDesign: true, env: {} });
+assertGate(listFallbackResult.ok, 'Product Design ensure must recover through vertical plugin/list discovery', listFallbackResult);
+assertGate(listFallbackResult.install_attempted === false, 'Product Design ensure must not install when list-discovered read is already ready', listFallbackResult);
+assertGate(listCalls.some((call) => call.method === 'plugin/list'), 'Product Design ensure must query vertical plugin/list when direct read fails', listCalls);
+assertGate(productDesignAutoInstallRequested({ env: { SKS_PRODUCT_DESIGN_AUTO_INSTALL: '1' } }), 'Product Design auto-install env gate must be honored');
+const codexAppSource = readText('src/core/codex-app.ts');
+const commandSource = readText('src/commands/codex-app.ts');
+const appServerSource = readText('src/core/product-design-app-server.ts');
+const pkg = JSON.parse(readText('package.json'));
+const releaseCheck = String(pkg.scripts?.['release:check'] || '');
+for (const token of [
+    'ensureProductDesignPluginInstalled',
+    'PRODUCT_DESIGN_AUTO_INSTALL_ENV',
+    'autoInstallProductDesign'
+]) {
+    assertGate(codexAppSource.includes(token) || appServerSource.includes(token), `Product Design auto-install source missing token: ${token}`);
+}
+for (const token of [
+    'product-design',
+    'ensure-product-design',
+    '--check-only',
+    '--install-product-design'
+]) {
+    assertGate(commandSource.includes(token), `sks codex-app command missing Product Design token: ${token}`);
+}
+assertGate(Boolean(pkg.scripts?.['codex:product-design-auto-install']), 'package script missing codex:product-design-auto-install');
+assertGate(releaseCheck.includes('codex:product-design-auto-install'), 'release:check must include Product Design auto-install gate');
+emitGate('codex:product-design-auto-install', {
+    install_calls: installCalls.map((call) => call.method),
+    dry_calls: dryCalls.map((call) => call.method),
+    list_fallback_calls: listCalls.map((call) => call.method),
+    env_gate: true
+});
+//# sourceMappingURL=product-design-auto-install-check.js.map

package/dist/scripts/product-design-plugin-routing-check.js

@@ -0,0 +1,101 @@
+#!/usr/bin/env node
+// @ts-nocheck
+import { PRODUCT_DESIGN_PIPELINE_STAGES, PRODUCT_DESIGN_PLUGIN, PRODUCT_DESIGN_REQUIRED_SKILLS, normalizeProductDesignPluginEvidence, productDesignPluginVisibilityFromCodexPluginList } from '../core/product-design-plugin.js';
+import { assertGate, emitGate, readText } from './lib/codex-sdk-gate-lib.js';
+const routesSource = readText('src/core/routes.ts');
+const productDesignSource = readText('src/core/product-design-plugin.ts');
+const runtimeSource = readText('src/core/pipeline-internals/runtime-core.ts');
+const pptSource = readText('src/core/ppt.ts');
+const codexAppSource = readText('src/core/codex-app.ts');
+const initSource = readText('src/core/init.ts');
+const pkg = JSON.parse(readText('package.json'));
+const releaseCheck = String(pkg.scripts?.['release:check'] || '');
+assertGate(PRODUCT_DESIGN_PLUGIN.id === 'product-design@openai-curated-remote', 'Product Design plugin id must use the remote marketplace');
+assertGate(PRODUCT_DESIGN_PLUGIN.marketplace === 'openai-curated-remote', 'Product Design marketplace must be openai-curated-remote');
+assertGate(PRODUCT_DESIGN_PLUGIN.marketplace_kind === 'vertical', 'Product Design marketplace kind must be vertical');
+assertGate(PRODUCT_DESIGN_PLUGIN.remote_plugin_id === 'Plugin_fa77aec24fc08191bc6e57f377126d76', 'Product Design remote plugin id mismatch');
+assertGate(PRODUCT_DESIGN_PLUGIN.app_server.read_params.remoteMarketplaceName === 'openai-curated-remote', 'plugin/read remote marketplace missing');
+assertGate(PRODUCT_DESIGN_PLUGIN.app_server.install_params.remoteMarketplaceName === 'openai-curated-remote', 'plugin/install remote marketplace missing');
+assertGate(PRODUCT_DESIGN_PLUGIN.app_server.read_params.pluginName === PRODUCT_DESIGN_PLUGIN.remote_plugin_id, 'plugin/read must use Product Design remote plugin id');
+assertGate(PRODUCT_DESIGN_PLUGIN.app_server.install_params.pluginName === PRODUCT_DESIGN_PLUGIN.remote_plugin_id, 'plugin/install must use Product Design remote plugin id');
+assertGate(PRODUCT_DESIGN_PLUGIN.app_server.list_params.marketplaceKinds.includes('vertical'), 'plugin/list must query vertical marketplaces');
+for (const skill of ['audit', 'design-qa', 'get-context', 'ideate', 'image-to-code', 'prototype', 'research', 'share', 'url-to-code', 'user-context']) {
+    assertGate(PRODUCT_DESIGN_REQUIRED_SKILLS.includes(skill), `Product Design required skill missing: ${skill}`);
+}
+assertGate(PRODUCT_DESIGN_PIPELINE_STAGES.length >= 5, 'Product Design pipeline stage map too small');
+const fakeReadResponse = {
+    plugin: {
+        marketplaceName: PRODUCT_DESIGN_PLUGIN.marketplace,
+        summary: {
+            id: PRODUCT_DESIGN_PLUGIN.id,
+            remotePluginId: PRODUCT_DESIGN_PLUGIN.remote_plugin_id,
+            name: PRODUCT_DESIGN_PLUGIN.name,
+            installed: true,
+            enabled: true
+        },
+        skills: PRODUCT_DESIGN_REQUIRED_SKILLS.map((name) => ({ name, enabled: true }))
+    }
+};
+const evidence = normalizeProductDesignPluginEvidence(fakeReadResponse);
+assertGate(evidence.ok, 'app-server plugin/read evidence parser must accept ready Product Design response', evidence);
+const hiddenFromLocalList = productDesignPluginVisibilityFromCodexPluginList({ installed: [{ id: 'browser@openai-bundled' }] });
+assertGate(hiddenFromLocalList.requires_remote_vertical_lookup, 'missing local plugin-list entry must require remote vertical lookup');
+for (const token of [
+    'productDesignPluginPolicyText',
+    'Product Design plugin tools are allowed and preferred',
+    'project-local cache/compatibility authority',
+    'PRODUCT_DESIGN_PLUGIN_TOOL_ALLOWLIST'
+]) {
+    assertGate(routesSource.includes(token), `routes.ts missing Product Design routing token: ${token}`);
+}
+const recommendedSkillsBlock = routesSource.match(/export const RECOMMENDED_SKILLS = \[([\s\S]*?)\];/)?.[1] || '';
+for (const legacySkill of ['design-artifact-expert', 'design-system-builder', 'design-ui-editor']) {
+    assertGate(!recommendedSkillsBlock.includes(legacySkill), `legacy design skill should not stay in RECOMMENDED_SKILLS: ${legacySkill}`);
+}
+for (const token of [
+    'Product Design plugin policy',
+    'openai-curated-remote',
+    'plugin/read',
+    'plugin/install',
+    'auto-install/ensure',
+    'vertical',
+    'compatibility fallback only',
+    'PRODUCT_DESIGN_LEGACY_DESIGN_FALLBACK_SKILLS'
+]) {
+    assertGate(productDesignSource.includes(token), `product-design-plugin.ts missing policy token: ${token}`);
+}
+for (const token of [
+    'Product Design plugin first',
+    'design-system-builder',
+    'design-ui-editor',
+    'design-artifact-expert'
+]) {
+    assertGate(runtimeSource.includes(token) || initSource.includes(token), `runtime/init missing fallback token: ${token}`);
+}
+for (const token of [
+    'product_design_plugin',
+    'primary_design_plugin',
+    'legacy_design_skills_fallback_only',
+    'remote_plugin_id'
+]) {
+    assertGate(pptSource.includes(token), `ppt.ts missing Product Design evidence token: ${token}`);
+}
+for (const token of [
+    'codexProductDesignPluginStatus',
+    'design_product',
+    'ensureProductDesignPluginInstalled',
+    'product_design_remote_vertical_lookup_required',
+    'remote vertical marketplace plugin'
+]) {
+    assertGate(codexAppSource.includes(token), `codex-app.ts missing Product Design readiness token: ${token}`);
+}
+assertGate(Boolean(pkg.scripts?.['codex:product-design-plugin-routing']), 'package script missing codex:product-design-plugin-routing');
+assertGate(releaseCheck.includes('codex:product-design-plugin-routing'), 'release:check must include Product Design routing gate');
+emitGate('codex:product-design-plugin-routing', {
+    plugin_id: PRODUCT_DESIGN_PLUGIN.id,
+    remote_plugin_id: PRODUCT_DESIGN_PLUGIN.remote_plugin_id,
+    required_skills: PRODUCT_DESIGN_REQUIRED_SKILLS.length,
+    stages: PRODUCT_DESIGN_PIPELINE_STAGES.length,
+    local_list_hidden_requires_remote_lookup: hiddenFromLocalList.requires_remote_vertical_lookup
+});
+//# sourceMappingURL=product-design-plugin-routing-check.js.map

package/dist/scripts/release-parallel-check.js

@@ -304,8 +304,22 @@ if (result.ok) {
     };
     await writeParallelVerificationProof(reportDir, result);
 }
-console.log(JSON.stringify(result, null, 2));
+console.log(JSON.stringify(releaseParallelStdoutSummary(result), null, 2));
 process.exit(result.ok ? 0 : 1);
+function releaseParallelStdoutSummary(result) {
+    return {
+        schema: 'sks.release-parallel-check.stdout-summary.v1',
+        ok: result.ok,
+        tasks: result.task_count,
+        passed: result.passed,
+        failed: result.failed,
+        skipped: result.skipped,
+        dependency_count: result.dependency_count,
+        report_json: '.sneakoscope/reports/release-parallel-report.json',
+        report_md: '.sneakoscope/reports/release-parallel-report.md',
+        retention_cleanup: result.retention_cleanup ?? null
+    };
+}
 function summarizeReleaseLogsForCleanup(result, logDir) {
     const prefix = `${path.resolve(logDir)}${path.sep}`;
     for (const row of result.results) {

package/dist/scripts/release-provenance-check.js

@@ -17,6 +17,7 @@ const cargoVersion = readVersionFrom('crates/sks-core/Cargo.toml', /^version\s*=
 const latestChangelog = latestVersionedChangelogSection(readText('CHANGELOG.md'));
 const tag = tagStatus(version, currentCommit);
 const main = mainVersion();
+const originMain = originMainVersion();
 const npm = npmVersion();
 const warnings = [];
 const blockers = [];
@@ -24,6 +25,8 @@ if (main.version && main.version !== version)
     warnings.push('main_out_of_date');
 if (publish && main.version && main.version !== version)
     blockers.push('main_version_mismatch');
+if (originMain.version && originMain.version !== version)
+    warnings.push('origin_main_out_of_date');
 if (publish && tag.exists && tag.commit !== currentCommit)
     blockers.push('tag_not_on_current_commit');
 if (publish && npm.version && semverCompare(npm.version, version) >= 0)
@@ -46,6 +49,10 @@ const report = {
     latest_changelog_section: latestChangelog,
     main_version: main.version,
     main_commit: main.commit,
+    main_status: main.status,
+    origin_main_version: originMain.version,
+    origin_main_commit: originMain.commit,
+    origin_main_status: originMain.status,
     npm_version: npm.version,
     npm_status: npm.version ? (semverCompare(npm.version, version) < 0 ? 'registry_behind_candidate' : npm.version === version ? 'candidate_already_published' : 'registry_ahead') : npm.status,
     tag_status: tag,
@@ -63,6 +70,20 @@ function git(argv) {
     return res.status === 0 ? res.stdout.trim() : null;
 }
 function mainVersion() {
+    const ref = git(['rev-parse', '--verify', 'HEAD']);
+    if (!ref)
+        return { version: null, commit: null, status: 'unavailable' };
+    const res = spawnSync('git', ['show', 'HEAD:package.json'], { cwd: root, encoding: 'utf8' });
+    if (res.status !== 0)
+        return { version: null, commit: ref, status: 'package_unavailable' };
+    try {
+        return { version: JSON.parse(res.stdout).version || null, commit: ref, status: 'local_head' };
+    }
+    catch {
+        return { version: null, commit: ref, status: 'unparseable' };
+    }
+}
+function originMainVersion() {
     const ref = git(['rev-parse', '--verify', 'origin/main']);
     if (!ref)
         return { version: null, commit: null, status: 'unavailable' };

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "sneakoscope",
   "displayName": "ㅅㅋㅅ",
-  "version": "2.0.5",
+  "version": "2.0.6",
   "description": "Sneakoscope Codex: fast proof-first Codex trust layer with image-based Voxel TriWiki.",
   "type": "module",
   "homepage": "https://github.com/mandarange/Sneakoscope-Codex#readme",
@@ -305,12 +305,14 @@
     "codex:0.137-compat": "node ./dist/scripts/codex-0-137-compat-check.js",
     "codex:0.137-compat:require-real": "node ./dist/scripts/codex-0-137-compat-check.js --require-real",
     "codex:plugin-list-json": "node ./dist/scripts/codex-plugin-list-json-check.js",
+    "codex:product-design-plugin-routing": "node ./dist/scripts/product-design-plugin-routing-check.js",
+    "codex:product-design-auto-install": "node ./dist/scripts/product-design-auto-install-check.js",
     "codex:thread-runtime-choice": "node ./dist/scripts/codex-thread-runtime-choice-check.js",
     "codex:environment-scoped-approvals": "node ./dist/scripts/codex-environment-scoped-approvals-check.js",
     "ultra-router:classification": "node ./dist/scripts/ultra-router-classification-check.js",
     "ultra-router:auto-router": "node ./dist/scripts/ultra-router-auto-router-check.js",
     "coverage": "node --experimental-test-coverage --test \"test/**/*.test.mjs\"",
-    "release:check": "npm run release:check:parallel && npm run mad-sks:app-ui-no-mutation && npm run codex-app:fast-ui-preservation && npm run codex-app:ui-clobber-guard && npm run doctor:fixes-codex-app-fast-ui && npm run provider:badge-context && npm run provider:context-config-toml && npm run codex-app:provider-badge && npm run zellij:spawn-on-demand-layout && npm run zellij:worker-pane-manager && npm run zellij:worker-pane-manager-single-owner && npm run agent:worker-pane-communication-contract && npm run runtime:no-mjs-scripts && npm run runtime:ts-python-boundary && npm run codex-sdk:capability && npm run codex-sdk:no-legacy-fallback && npm run codex-sdk:backend-router && npm run codex-sdk:structured-output && npm run codex-sdk:event-stream-ledger && npm run codex-sdk:thread-registry && npm run codex-sdk:sandbox-policy && npm run codex-sdk:zellij-pane-binding && npm run codex-sdk:all-pipelines && npm run codex-sdk:dfix-pipeline && npm run codex-sdk:qa-pipeline && npm run codex-sdk:research-pipeline && npm run codex-sdk:team-naruto-agent-pipeline && npm run codex-sdk:release-review-pipeline && npm run codex-sdk:ux-ppt-review-pipeline && npm run codex-sdk:core-skill-pipeline && npm run codex-control:capability && npm run codex-control:no-legacy-fallback && npm run codex-control:structured-output && npm run codex-control:event-stream-ledger && npm run codex-control:thread-registry && npm run codex-control:side-effect-scope && npm run codex-control:all-pipelines && npm run codex-control:empty-result-retry && npm run codex-control:stream-idle-watchdog && npm run codex-control:tool-call-sequence-repair && npm run codex-control:keepalive-no-cot-leak && npm run local-collab:policy && npm run local-collab:gpt-final-arbiter && npm run local-collab:no-local-only-final && npm run local-collab:gpt-final-availability && npm run local-llm:capability && npm run local-llm:structured-output && npm run local-llm:tool-call-repair && npm run local-llm:all-pipelines && npm run local-collab:all-pipelines-final-gpt && npm run python-sdk:capability && npm run python-sdk:stream-bridge && npm run python-sdk:sandbox-policy && npm run python-sdk:all-pipelines && npm run codex:plugin-list-json && npm run codex:thread-runtime-choice && npm run codex:environment-scoped-approvals && npm run ultra-router:classification && npm run ultra-router:auto-router && npm run release:version-truth && npm run codex:0.137-compat && npm run codex:0.136-compat && npm run codex:0.135-compat && npm run doctor:codex-doctor-parity && npm run codex:permission-profiles && npm run codex:legacy-profile-consumers-removed && npm run terminal:keyboard-enhancement-safety && npm run terminal:tui-output-stability && npm run codex:resume-cwd-truth && npm run mcp:tool-naming-parity && npm run responses:retry-policy-centralized && npm run runtime:no-tmux && npm run zellij:layout-valid && npm run agent:zellij-dynamic-backfill-panes && npm run agent:worker-pane-communication-contract && npm run agent:slot-pane-binding-proof && npm run zellij:worker-pane-manager && npm run zellij:spawn-on-demand-layout && npm run zellij:lane-renderer && npm run mad-sks:zellij-launch && npm run mad-sks:zellij-default-pane-worker && npm run agent:zellij-runtime && npm run codex:config-eperm-fixture && npm run doctor:fix-proves-codex-read && npm run mad:preflight-blocks-unreadable-config && npm run fast:codex-service-tier-proof && npm run codex:project-config-policy-splitter && npm run test:no-orphan-dist-imports && npm run agent:patch-envelope-extraction && npm run agent:patch-queue-runtime && npm run agent:strategy-to-lease-wiring && npm run agent:patch-swarm-runtime && npm run agent:patch-transaction-journal && npm run agent:patch-conflict-rebase && npm run agent:strategy-to-patch-strict && npm run agent:patch-swarm-runtime-truth && npm run agent:rollback-command && npm run agent:patch-verification-dag && npm run agent:patch-rollback-dag && npm run agent:patch-proof-runtime && npm run agent:patch-swarm-route-blackbox && npm run team:patch-swarm-route-blackbox && npm run dfix:patch-swarm-route-blackbox && npm run appshots:thread-attachment-discovery && npm run mcp:readonly-runtime-scheduler && npm run naruto:work-graph && npm run naruto:concurrency-governor && npm run naruto:active-pool && npm run naruto:role-distribution && npm run naruto:parallel-patch-apply && npm run naruto:verification-pool && npm run naruto:zellij-massive-ui && npm run naruto:gpt-final-pack && npm run prompt:placeholder-guard && npm run codex:0.134-runner-truth && npm run agent:native-cli-session-swarm && npm run naruto:shadow-clone-swarm && npm run agent:native-cli-session-swarm-10 && npm run agent:native-cli-session-swarm-20 && npm run agent:no-subagent-scaling && npm run agent:native-cli-session-proof && npm run agent:worker-backend-router && npm run agent:codex-child-overlap && npm run agent:model-authored-patch-envelope && npm run agent:fast-mode-default && npm run agent:fast-mode-worker-propagation && npm run codex:fast-mode-profile-propagation && npm run mad-sks:fast-mode-propagation && npm run zellij:launch-command-truth && npm run zellij:real-session-heartbeat && npm run zellij:ui-design && npm run zellij:doctor-readiness && npm run legacy:upgrade-zero-break && npm run publish:packlist-performance && npm run postinstall:safe-side-effects && npm run runtime:ts-rust-boundary && npm run core-skill:card-schema && npm run core-skill:rollout-scoring && npm run core-skill:patch && npm run core-skill:heldout-validation && npm run core-skill:deployment-snapshot && npm run core-skill:no-inference-optimizer && npm run core-skill:route-runtime-integration && npm run core-skill:promotion-side-effect-ledger && npm run core-skill:legacy-promotion-api-audit && npm run safety:side-effect-zero && npm run safety:mutation-callsite-coverage && npm run safety:mutation-callsite-coverage:repo-wide && npm run side-effect:runtime-report && npm run release:gate-planner && npm run release:dynamic-performance && npm run release:provenance && npm run release:gate-budget && npm run agent:wiki-context-proof && npm run shared-memory:check && npm run wrongness:check && npm run wrongness:fixtures && npm run trust:check && npm run git-collaboration:e2e && node ./dist/scripts/release-check-stamp.js write && npm run release:readiness --silent && node ./dist/scripts/release-check-stamp.js write",
+    "release:check": "npm run release:check:parallel && npm run mad-sks:app-ui-no-mutation && npm run codex-app:fast-ui-preservation && npm run codex-app:ui-clobber-guard && npm run doctor:fixes-codex-app-fast-ui && npm run provider:badge-context && npm run provider:context-config-toml && npm run codex-app:provider-badge && npm run zellij:spawn-on-demand-layout && npm run zellij:worker-pane-manager && npm run zellij:worker-pane-manager-single-owner && npm run agent:worker-pane-communication-contract && npm run runtime:no-mjs-scripts && npm run runtime:ts-python-boundary && npm run codex-sdk:capability && npm run codex-sdk:no-legacy-fallback && npm run codex-sdk:backend-router && npm run codex-sdk:structured-output && npm run codex-sdk:event-stream-ledger && npm run codex-sdk:thread-registry && npm run codex-sdk:sandbox-policy && npm run codex-sdk:zellij-pane-binding && npm run codex-sdk:all-pipelines && npm run codex-sdk:dfix-pipeline && npm run codex-sdk:qa-pipeline && npm run codex-sdk:research-pipeline && npm run codex-sdk:team-naruto-agent-pipeline && npm run codex-sdk:release-review-pipeline && npm run codex-sdk:ux-ppt-review-pipeline && npm run codex-sdk:core-skill-pipeline && npm run codex-control:capability && npm run codex-control:no-legacy-fallback && npm run codex-control:structured-output && npm run codex-control:event-stream-ledger && npm run codex-control:thread-registry && npm run codex-control:side-effect-scope && npm run codex-control:all-pipelines && npm run codex-control:empty-result-retry && npm run codex-control:stream-idle-watchdog && npm run codex-control:tool-call-sequence-repair && npm run codex-control:keepalive-no-cot-leak && npm run local-collab:policy && npm run local-collab:gpt-final-arbiter && npm run local-collab:no-local-only-final && npm run local-collab:gpt-final-availability && npm run local-llm:capability && npm run local-llm:structured-output && npm run local-llm:tool-call-repair && npm run local-llm:all-pipelines && npm run local-collab:all-pipelines-final-gpt && npm run python-sdk:capability && npm run python-sdk:stream-bridge && npm run python-sdk:sandbox-policy && npm run python-sdk:all-pipelines && npm run codex:plugin-list-json && npm run codex:product-design-plugin-routing && npm run codex:product-design-auto-install && npm run codex:thread-runtime-choice && npm run codex:environment-scoped-approvals && npm run ultra-router:classification && npm run ultra-router:auto-router && npm run release:version-truth && npm run codex:0.137-compat && npm run codex:0.136-compat && npm run codex:0.135-compat && npm run doctor:codex-doctor-parity && npm run codex:permission-profiles && npm run codex:legacy-profile-consumers-removed && npm run terminal:keyboard-enhancement-safety && npm run terminal:tui-output-stability && npm run codex:resume-cwd-truth && npm run mcp:tool-naming-parity && npm run responses:retry-policy-centralized && npm run runtime:no-tmux && npm run zellij:layout-valid && npm run agent:zellij-dynamic-backfill-panes && npm run agent:worker-pane-communication-contract && npm run agent:slot-pane-binding-proof && npm run zellij:worker-pane-manager && npm run zellij:spawn-on-demand-layout && npm run zellij:lane-renderer && npm run mad-sks:zellij-launch && npm run mad-sks:zellij-default-pane-worker && npm run agent:zellij-runtime && npm run codex:config-eperm-fixture && npm run doctor:fix-proves-codex-read && npm run mad:preflight-blocks-unreadable-config && npm run fast:codex-service-tier-proof && npm run codex:project-config-policy-splitter && npm run test:no-orphan-dist-imports && npm run agent:patch-envelope-extraction && npm run agent:patch-queue-runtime && npm run agent:strategy-to-lease-wiring && npm run agent:patch-swarm-runtime && npm run agent:patch-transaction-journal && npm run agent:patch-conflict-rebase && npm run agent:strategy-to-patch-strict && npm run agent:patch-swarm-runtime-truth && npm run agent:rollback-command && npm run agent:patch-verification-dag && npm run agent:patch-rollback-dag && npm run agent:patch-proof-runtime && npm run agent:patch-swarm-route-blackbox && npm run team:patch-swarm-route-blackbox && npm run dfix:patch-swarm-route-blackbox && npm run appshots:thread-attachment-discovery && npm run mcp:readonly-runtime-scheduler && npm run naruto:work-graph && npm run naruto:readonly-routing && npm run naruto:concurrency-governor && npm run naruto:active-pool && npm run naruto:role-distribution && npm run naruto:parallel-patch-apply && npm run naruto:verification-pool && npm run naruto:zellij-massive-ui && npm run naruto:gpt-final-pack && npm run prompt:placeholder-guard && npm run codex:0.134-runner-truth && npm run agent:native-cli-session-swarm && npm run naruto:shadow-clone-swarm && npm run agent:native-cli-session-swarm-10 && npm run agent:native-cli-session-swarm-20 && npm run agent:no-subagent-scaling && npm run agent:native-cli-session-proof && npm run agent:worker-backend-router && npm run agent:codex-child-overlap && npm run agent:model-authored-patch-envelope && npm run agent:fast-mode-default && npm run agent:fast-mode-worker-propagation && npm run codex:fast-mode-profile-propagation && npm run mad-sks:fast-mode-propagation && npm run zellij:launch-command-truth && npm run zellij:real-session-heartbeat && npm run zellij:ui-design && npm run zellij:doctor-readiness && npm run legacy:upgrade-zero-break && npm run publish:packlist-performance && npm run postinstall:safe-side-effects && npm run runtime:ts-rust-boundary && npm run core-skill:card-schema && npm run core-skill:rollout-scoring && npm run core-skill:patch && npm run core-skill:heldout-validation && npm run core-skill:deployment-snapshot && npm run core-skill:no-inference-optimizer && npm run core-skill:route-runtime-integration && npm run core-skill:promotion-side-effect-ledger && npm run core-skill:legacy-promotion-api-audit && npm run safety:side-effect-zero && npm run safety:mutation-callsite-coverage && npm run safety:mutation-callsite-coverage:repo-wide && npm run side-effect:runtime-report && npm run release:gate-planner && npm run release:dynamic-performance && npm run release:provenance && npm run release:gate-budget && npm run agent:wiki-context-proof && npm run shared-memory:check && npm run wrongness:check && npm run wrongness:fixtures && npm run trust:check && npm run git-collaboration:e2e && node ./dist/scripts/release-check-stamp.js write && npm run release:readiness --silent && node ./dist/scripts/release-check-stamp.js write",
     "release:real-check": "node ./dist/scripts/release-real-check.js && npm run codex-control:real-smoke -- --require-real && npm run codex-sdk:real-smoke -- --require-real && SKS_REQUIRE_LOCAL_LLM=1 npm run local-llm:smoke && SKS_REQUIRE_LOCAL_LLM=1 npm run local-llm:throughput && SKS_REQUIRE_LOCAL_LLM=1 npm run local-llm:cache-performance && SKS_REQUIRE_PYTHON_CODEX_SDK=1 npm run python-sdk:real-smoke && SKS_REQUIRE_CODEX_0137=1 npm run codex:0.137-compat:require-real && npm run zellij:real-session-launch -- --require-real --main-only --mission M-release-real-zellij-extra --session sks-rrz-extra && npm run zellij:pane-proof -- --require-real --mission M-release-real-zellij-extra --session sks-rrz-extra --expected-lanes 0 && npm run zellij:screen-proof -- --require-real --main-only --mission M-release-real-zellij-extra && npm run zellij:real-session-cleanup -- --mission M-release-real-zellij-extra --session sks-rrz-extra && npm run agent:real-codex-in-zellij-worker-pane -- --require-real && SKS_REQUIRE_ZELLIJ=1 npm run naruto:zellij-massive-ui -- --require-real && SKS_REQUIRE_LOCAL_LLM=1 SKS_REQUIRE_GPT_FINAL=1 npm run naruto:real-local-gpt-final-smoke && SKS_REQUIRE_LOCAL_LLM=1 SKS_REQUIRE_GPT_FINAL=1 npm run local-collab:gpt-final-performance",
     "release:publish": "npm run publish:npm",
     "publish:dry": "npm run release:metadata && npm run release:version-truth && npm run publish:packlist-performance && npm run prepublish:release-check-or-fast && node ./dist/scripts/release-check-stamp.js verify && npm run release:provenance -- --publish && npm run release:dist-freshness && npm --cache /tmp/sks-npm-cache publish --dry-run --registry https://registry.npmjs.org/ --access public",
@@ -453,6 +455,7 @@
     "agent:native-cli-session-swarm": "node ./dist/scripts/agent-native-cli-session-swarm-check.js",
     "naruto:shadow-clone-swarm": "node ./dist/scripts/naruto-shadow-clone-swarm-check.js",
     "naruto:work-graph": "node ./dist/scripts/naruto-work-graph-check.js",
+    "naruto:readonly-routing": "node ./dist/scripts/naruto-readonly-routing-check.js",
     "naruto:concurrency-governor": "node ./dist/scripts/naruto-concurrency-governor-check.js",
     "naruto:active-pool": "node ./dist/scripts/naruto-active-pool-check.js",
     "naruto:role-distribution": "node ./dist/scripts/naruto-role-distribution-check.js",