sneakoscope 2.0.9 → 2.0.10

package/README.md

@@ -16,15 +16,19 @@ Set up this agent project with Sneakoscope Codex. Use [[mandarange/Sneakoscope-C
 
 ## Current Release
 
-SKS **2.0.9** makes the release path DAG-parallel by default and hardens the Naruto/MAD-SKS worktree proof chain. `release:check` now runs a manifest-backed DAG runner with resource-aware scheduling, hermetic per-gate environments, bounded logs, per-gate reports, cache proof, and parallel speed-budget evidence. Git worktree coding now preserves allocation manifests, detects dirty main worktrees, includes untracked content in exported diffs, emits one `git_apply_patch` envelope operation, applies worktree diffs through an integration queue, and locks retained dirty worktrees.
+SKS **2.0.10** is the slot-only Zellij and Naruto runtime stabilization release. Compact slot panes are now the default visual worker surface, the initial Zellij session stays main-only until the first visible worker is reserved, overflow workers continue headlessly with runtime evidence instead of opening excess panes, and dashboard panes stay opt-in. The release path remains manifest-backed through the v2 DAG runner, with real Zellij/Naruto/worktree proof gates split into `real-check`.
 
 What changed:
 
+- Zellij slot panes render compact worker slots without nested dashboard chrome, and right-column state records visible panes plus headless overflow lifecycle.
+- Naruto active-pool checks now exercise real child-worker spawn/result collection paths, including high-fanout overflow and completed-worker collection order.
+- Visible Zellij reservations are capped before pane launch so concurrent worker starts cannot over-open the right column.
+- Git worktree integration now proves the primary repo receives validated worktree diffs, with rollback hash evidence recorded around the apply step.
+- Agent role config repair detects stale generated role files and rewrites structured GPT-5.5-compatible configs atomically.
+- Release gates now include slot-only UI, compact slot renderer, headless overflow, role-config repair, worktree primary-runtime, real active-pool, extreme real parallelism, and real right-column geometry checks.
+- Release audit, dynamic selection, and stamp hashing use `release-gates.v2.json` as the manifest source of truth.
 - Git capability checks detect repo roots, Git dirs, worktree support, and safe cache roots while blocking in-repo worktree roots unless `SKS_ALLOW_IN_REPO_WORKTREES=1` is explicit.
 - Worker worktree allocation creates isolated branches/paths under `$SKS_WORKTREE_ROOT`, `$XDG_CACHE_HOME/sks/worktrees`, or `~/.cache/sks/worktrees`; main checkouts stay untouched until integration.
-- Worktree diff export records status, changed files, full-index binary diffs, and `git-worktree-diff` patch envelopes for parent-owned integration.
-- Integration worktrees apply worker diffs with `git apply --3way`, while cleanup removes only clean worktrees and retains dirty ones with a lock artifact.
-- Naruto work graphs, active-pool artifacts, Zellij dashboard titles, native worker intake, and GPT Final packs now carry worktree policy and WT/branch context.
 - Product Design plugin readiness now checks both local and remote Codex App catalogs, auto-installs the remote plugin when needed, and records the installed/enabled skill surface.
 - UI/design/PPT runtime routes prefer Product Design for research, ideation, audit, design QA, prototype, URL-to-code, image-to-code, share, and user-context steps.
 - Naruto read-only runs force write mode off, propagate no-patch reasons through worker proof, and skip changed-file lease checks when no write-capable patch envelope exists.

package/crates/sks-core/Cargo.lock

@@ -76,7 +76,7 @@ dependencies = [
 
 [[package]]
 name = "sks-core"
-version = "2.0.9"
+version = "2.0.10"
 dependencies = [
  "serde_json",
 ]

package/crates/sks-core/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "sks-core"
-version = "2.0.9"
+version = "2.0.10"
 edition = "2021"
 
 [dependencies]

package/crates/sks-core/src/main.rs

@@ -4,7 +4,7 @@ use std::io::{self, Read, Seek, SeekFrom};
 fn main() {
     let mut args = std::env::args().skip(1);
     match args.next().as_deref() {
-        Some("--version") => println!("sks-rs 2.0.9"),
+        Some("--version") => println!("sks-rs 2.0.10"),
         Some("compact-info") => {
             let mut input = String::new();
             let _ = io::stdin().read_to_string(&mut input);

package/dist/.sks-build-stamp.json

@@ -1,8 +1,8 @@
 {
   "schema": "sks.dist-build-stamp.v1",
   "package_name": "sneakoscope",
-  "package_version": "2.0.9",
-  "source_digest": "a2c7c47838f03483ee3a406fe6435876148d688fa16037d1b4eab45da1f930c4",
-  "source_file_count": 2017,
-  "built_at_source_time": 1780749751025
+  "package_version": "2.0.10",
+  "source_digest": "ee8d0f4a75b8f5aeb6bfa26042f194cba01728768422448bf9b1e54748007137",
+  "source_file_count": 2030,
+  "built_at_source_time": 1780813031543
 }

package/dist/bin/sks.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-const FAST_PACKAGE_VERSION = '2.0.9';
+const FAST_PACKAGE_VERSION = '2.0.10';
 const args = process.argv.slice(2);
 try {
     if (args[0] === '--agent' && args[1] === 'worker') {

package/dist/build-manifest.json

@@ -1,16 +1,16 @@
 {
   "schema": "sks.dist-build.v2",
-  "version": "2.0.9",
-  "package_version": "2.0.9",
+  "version": "2.0.10",
+  "package_version": "2.0.10",
   "typescript": true,
   "mjs_runtime_files": 0,
-  "compiled_file_count": 1079,
-  "compiled_js_count": 1079,
+  "compiled_file_count": 1092,
+  "compiled_js_count": 1092,
   "compiled_dts_count": 0,
-  "source_digest": "a2c7c47838f03483ee3a406fe6435876148d688fa16037d1b4eab45da1f930c4",
-  "source_file_count": 2017,
-  "source_files_hash": "b69bf6184e62a1136caf9dc353eea79dcae63e3ba260a10fbc8eb6a38de7541a",
-  "source_list_hash": "b69bf6184e62a1136caf9dc353eea79dcae63e3ba260a10fbc8eb6a38de7541a",
+  "source_digest": "ee8d0f4a75b8f5aeb6bfa26042f194cba01728768422448bf9b1e54748007137",
+  "source_file_count": 2030,
+  "source_files_hash": "26a7831ee3d5b0909718d62eefcb828bfc074c18f454d5f46f5ebdf2ded482f6",
+  "source_list_hash": "26a7831ee3d5b0909718d62eefcb828bfc074c18f454d5f46f5ebdf2ded482f6",
   "src_mjs_runtime_files": 0,
   "dist_stamp_schema": "sks.dist-build-stamp.v1",
   "files": [
@@ -101,6 +101,7 @@
     "commands/versioning.js",
     "commands/wiki.js",
     "commands/zellij-lane.js",
+    "commands/zellij-slot-pane.js",
     "commands/zellij.js",
     "core/agents/agent-central-ledger.js",
     "core/agents/agent-cleanup-executor.js",
@@ -132,6 +133,7 @@
     "core/agents/agent-plan.js",
     "core/agents/agent-proof-evidence.js",
     "core/agents/agent-recursion-guard.js",
+    "core/agents/agent-role-config.js",
     "core/agents/agent-roster.js",
     "core/agents/agent-runner-codex-exec.js",
     "core/agents/agent-runner-fake.js",
@@ -433,6 +435,8 @@
     "core/naruto/naruto-gpt-final-pack.js",
     "core/naruto/naruto-parallel-patch-apply.js",
     "core/naruto/naruto-patch-transaction-batch.js",
+    "core/naruto/naruto-real-worker-child.js",
+    "core/naruto/naruto-real-worker-runtime.js",
     "core/naruto/naruto-role-policy.js",
     "core/naruto/naruto-verification-dag.js",
     "core/naruto/naruto-verification-pool.js",
@@ -634,6 +638,8 @@
     "core/zellij/zellij-right-column-layout-proof.js",
     "core/zellij/zellij-right-column-manager.js",
     "core/zellij/zellij-screen-proof.js",
+    "core/zellij/zellij-slot-pane-renderer.js",
+    "core/zellij/zellij-ui-mode.js",
     "core/zellij/zellij-worker-pane-manager.js",
     "scripts/agent-ast-aware-work-graph-check.js",
     "scripts/agent-backfill-replenishment-check.js",
@@ -688,6 +694,7 @@
     "scripts/agent-real-codex-parallel-workers-5-check.js",
     "scripts/agent-real-codex-parallel-workers-check.js",
     "scripts/agent-real-codex-patch-envelope-smoke.js",
+    "scripts/agent-role-config-repair-check.js",
     "scripts/agent-rollback-command-check.js",
     "scripts/agent-route-blackbox-lib.js",
     "scripts/agent-route-truth-backfill-check.js",
@@ -846,6 +853,7 @@
     "scripts/git-worktree-dirty-lock-check.js",
     "scripts/git-worktree-dirty-main-detection-check.js",
     "scripts/git-worktree-integration-primary-check.js",
+    "scripts/git-worktree-integration-primary-runtime-check.js",
     "scripts/git-worktree-manager-check.js",
     "scripts/git-worktree-manifest-append-check.js",
     "scripts/git-worktree-merge-queue-check.js",
@@ -925,10 +933,12 @@
     "scripts/naruto-active-pool-check.js",
     "scripts/naruto-concurrency-governor-check.js",
     "scripts/naruto-extreme-parallelism-check.js",
+    "scripts/naruto-extreme-parallelism-real-check.js",
     "scripts/naruto-gpt-final-pack-check.js",
     "scripts/naruto-parallel-patch-apply-check.js",
     "scripts/naruto-readonly-routing-check.js",
     "scripts/naruto-real-active-pool-check.js",
+    "scripts/naruto-real-active-pool-runtime-check.js",
     "scripts/naruto-real-local-gpt-final-smoke.js",
     "scripts/naruto-role-distribution-check.js",
     "scripts/naruto-shadow-clone-swarm-check.js",
@@ -1086,8 +1096,11 @@
     "scripts/zellij-real-session-heartbeat-check.js",
     "scripts/zellij-real-session-launch-check.js",
     "scripts/zellij-right-column-geometry-proof.js",
+    "scripts/zellij-right-column-headless-overflow-check.js",
     "scripts/zellij-right-column-manager-check.js",
     "scripts/zellij-screen-proof-check.js",
+    "scripts/zellij-slot-only-ui-check.js",
+    "scripts/zellij-slot-pane-renderer-check.js",
     "scripts/zellij-spawn-on-demand-layout-check.js",
     "scripts/zellij-ui-design-check.js",
     "scripts/zellij-worker-pane-manager-check.js",

package/dist/cli/command-registry.js

@@ -104,6 +104,7 @@ export const COMMANDS = {
     hermes: entry('labs', 'Create Hermes Agent skill package', 'dist/commands/hermes.js', directCommand(() => import('../commands/hermes.js'), 'dist/commands/hermes.js')),
     tmux: entry('beta', 'Show removed-runtime migration notice', 'dist/commands/tmux.js', directCommand(() => import('../commands/tmux.js'), 'dist/commands/tmux.js')),
     'zellij-lane': entry('beta', 'Render a Zellij lane frame for SKS sessions', 'dist/commands/zellij-lane.js', directCommand(() => import('../commands/zellij-lane.js'), 'dist/commands/zellij-lane.js')),
+    'zellij-slot-pane': entry('beta', 'Render a compact Zellij worker slot pane', 'dist/commands/zellij-slot-pane.js', directCommand(() => import('../commands/zellij-slot-pane.js'), 'dist/commands/zellij-slot-pane.js')),
     zellij: entry('beta', 'Inspect Zellij runtime status and explain repair (no auto-install)', 'dist/commands/zellij.js', directCommand(() => import('../commands/zellij.js'), 'dist/commands/zellij.js')),
     mad: entry('beta', 'MAD-SKS Zellij permission launcher', 'dist/commands/mad-sks.js', directCommand(() => import('../commands/mad-sks.js'), 'dist/commands/mad-sks.js')),
     'mad-sks': entry('beta', 'MAD-SKS scoped permission modifier', 'dist/commands/mad-sks.js', directCommand(() => import('../commands/mad-sks.js'), 'dist/commands/mad-sks.js')),

package/dist/commands/doctor.js

@@ -19,6 +19,7 @@ import { repairCodexAppFastUi } from '../core/codex-app/codex-app-fast-ui-repair
 import { resolveProviderContext } from '../core/provider/provider-context.js';
 import { readLocalModelConfig } from '../core/agents/ollama-worker-config.js';
 import { runSksUpdateNow } from '../core/update-check.js';
+import { repairAgentRoleConfigs } from '../core/agents/agent-role-config.js';
 export async function run(_command, args = []) {
     const doctorFix = flag(args, '--fix');
     let setupRepair = null;
@@ -151,6 +152,20 @@ export async function run(_command, args = []) {
     const zellij = await checkZellijCapability({ root, require: process.env.SKS_REQUIRE_ZELLIJ === '1' });
     const localModel = await readLocalModelConfig().catch(() => null);
     const permissionProfiles = await inventoryCodexPermissionProfiles(root, { writeReport: true });
+    const agentRoleConfigRepair = await repairAgentRoleConfigs({
+        root,
+        apply: doctorFix,
+        reportPath: `${root}/.sneakoscope/reports/agent-role-config-repair.json`
+    }).catch((err) => ({
+        schema: 'sks.agent-role-config-repair.v1',
+        ok: false,
+        apply: doctorFix,
+        missing: [],
+        existing: [],
+        created: [],
+        warnings_suppressed: false,
+        blockers: [err?.message || String(err)]
+    }));
     const globalSksInstallCleanup = flag(args, '--fix') && !flag(args, '--local-only')
         ? await cleanDuplicateGlobalSksInstalls({ root, fix: true }).catch((err) => ({ schema: 'sks.global-sks-install-cleanup.v1', ok: false, fix: true, error: err?.message || String(err), blockers: ['global_sks_install_cleanup_exception'] }))
         : null;
@@ -166,6 +181,7 @@ export async function run(_command, args = []) {
         require_codex_doctor: flag(args, '--fix') || flag(args, '--require-actual-codex'),
         zellij,
         local_model: localModel,
+        agent_role_config: agentRoleConfigRepair,
         repair: configRepair,
         codex_app_ui: codexAppUi,
         require_codex_cli_config_load: flag(args, '--fix') || flag(args, '--require-actual-codex'),
@@ -191,6 +207,7 @@ export async function run(_command, args = []) {
         codex_doctor_diff: codexDoctorDiff,
         zellij,
         local_model: localModel,
+        agent_role_config: agentRoleConfigRepair,
         zellij_readiness: zellijReadiness,
         codex_permission_profiles: permissionProfiles,
         imagegen: {
@@ -201,7 +218,7 @@ export async function run(_command, args = []) {
         ready,
         sneakoscope: { ok: await exists(`${root}/.sneakoscope`) },
         package: { bytes: pkgBytes, human: formatBytes(pkgBytes) },
-        repair: { sks_update: sksUpdate, setup: setupRepair, codex_config: configRepair, migration_journal: migrationJournal, global_sks_installs: globalSksInstallCleanup }
+        repair: { sks_update: sksUpdate, setup: setupRepair, codex_config: configRepair, migration_journal: migrationJournal, global_sks_installs: globalSksInstallCleanup, agent_role_config: agentRoleConfigRepair }
     };
     if (flag(args, '--json')) {
         printJson(result);

package/dist/commands/zellij-slot-pane.js

@@ -0,0 +1,26 @@
+import { renderZellijSlotPaneFromArtifacts } from '../core/zellij/zellij-slot-pane-renderer.js';
+export async function run(_command = 'zellij-slot-pane', args = []) {
+    const artifactDir = readOption(args, '--artifact-dir', process.cwd()) || process.cwd();
+    const slotId = readOption(args, '--slot', 'slot-001') || 'slot-001';
+    const generationIndex = Number(readOption(args, '--generation', '1') || 1);
+    const backend = readOption(args, '--backend', null);
+    const role = readOption(args, '--role', null);
+    const mode = readOption(args, '--mode', 'compact-slots');
+    const watch = hasFlag(args, '--watch');
+    const intervalMs = Math.max(250, Number(readOption(args, '--interval-ms', '1000') || 1000));
+    for (;;) {
+        const text = await renderZellijSlotPaneFromArtifacts({ artifactDir, slotId, generationIndex, backend, role, mode });
+        process.stdout.write('\x1Bc' + text + '\n');
+        if (!watch)
+            break;
+        await new Promise((resolve) => setTimeout(resolve, intervalMs));
+    }
+}
+function readOption(args, name, fallback) {
+    const index = args.indexOf(name);
+    return index >= 0 && args[index + 1] ? String(args[index + 1]) : fallback;
+}
+function hasFlag(args, flag) {
+    return args.includes(flag);
+}
+//# sourceMappingURL=zellij-slot-pane.js.map

package/dist/core/agents/agent-orchestrator.js

@@ -1,6 +1,6 @@
 import path from 'node:path';
 import { createMission, missionDir, setCurrent } from '../mission.js';
-import { nowIso, readJson, readText, writeJsonAtomic, writeTextAtomic } from '../fsx.js';
+import { exists, nowIso, readJson, readText, sha256, writeJsonAtomic, writeTextAtomic } from '../fsx.js';
 import { buildAgentRoster, normalizeAgentConcurrency } from './agent-roster.js';
 import { buildAgentWorkPartition } from './agent-work-partition.js';
 import { initializeAgentCentralLedger, appendAgentLedgerEvent, compactAgentLedger } from './agent-central-ledger.js';
@@ -56,6 +56,8 @@ import { allocateWorkerWorktree } from '../git/git-worktree-manager.js';
 import { exportGitWorktreeDiff } from '../git/git-worktree-diff.js';
 import { buildGitWorktreePatchEnvelope } from '../git/git-worktree-patch-envelope.js';
 import { cleanupGitWorktree } from '../git/git-worktree-cleanup.js';
+import { createGitIntegrationWorktree } from '../git/git-integration-worktree.js';
+import { applyGitWorktreeMergeQueue } from '../git/git-worktree-merge-queue.js';
 export async function runNativeAgentOrchestrator(opts = {}) {
     const root = path.resolve(opts.root || process.cwd());
     const prompt = String(opts.prompt || 'Native agent run');
@@ -753,9 +755,18 @@ async function runAgentPatchSwarmRuntime(root, ledgerRoot, input) {
         }
     }
     const pendingEntries = queueStore.queue.queued();
-    const merge = coordinateAgentPatchMerge(pendingEntries);
+    const worktreeEntries = pendingEntries.filter((entry) => entry.envelope?.source === 'git-worktree-diff');
+    const normalEntries = pendingEntries.filter((entry) => entry.envelope?.source !== 'git-worktree-diff');
+    let worktreeMergeReport = null;
+    const worktreeApplyResults = [];
+    if (worktreeEntries.length) {
+        worktreeMergeReport = await runGitWorktreeIntegrationPrimary(root, ledgerRoot, input.missionId, worktreeEntries, queueStore);
+        for (const row of worktreeMergeReport.apply_results || [])
+            worktreeApplyResults.push(row);
+    }
+    const merge = coordinateAgentPatchMerge(normalEntries);
     await writeAgentMergeCoordinatorArtifacts(ledgerRoot, merge);
-    const conflictRebase = await executeAgentPatchConflictRebase(root, pendingEntries, merge, { dryRun: input.dryRun, artifactsDir: ledgerRoot });
+    const conflictRebase = await executeAgentPatchConflictRebase(root, normalEntries, merge, { dryRun: input.dryRun, artifactsDir: ledgerRoot });
     merge.conflict_rebase_results = 'agent-patch-conflict-rebase-results.json';
     merge.rebase_success_count = conflictRebase.succeeded_entry_ids.length;
     merge.rebase_blocker_count = conflictRebase.blockers.length;
@@ -765,11 +776,11 @@ async function runAgentPatchSwarmRuntime(root, ledgerRoot, input) {
     merge.unresolved_conflict_entry_ids = [...conflictedEntryIds];
     merge.ok = conflictedEntryIds.size === 0 && (conflictRebase.failed_entry_ids || []).length === 0 && (conflictRebase.blocked_entry_ids || []).length === 0;
     merge.blockers = merge.ok ? [] : merge.blockers || [];
-    for (const entry of pendingEntries) {
+    for (const entry of normalEntries) {
         if (conflictedEntryIds.has(entry.id))
             await queueStore.markConflicted(entry.id, merge.blockers || ['patch_conflict']);
     }
-    const disjointEntries = pendingEntries.filter((entry) => !conflictedEntryIds.has(entry.id));
+    const disjointEntries = normalEntries.filter((entry) => !conflictedEntryIds.has(entry.id));
     const startedAt = nowIso();
     for (const entryId of rebaseSucceededEntryIds) {
         await queueStore.markApplying(entryId);
@@ -797,6 +808,7 @@ async function runAgentPatchSwarmRuntime(root, ledgerRoot, input) {
         return { entry_id: entry.id, started_at, finished_at, ...applyResult };
     }));
     const applyResults = [
+        ...worktreeApplyResults,
         ...parallelApplyResults,
         ...(conflictRebase.apply_results || []).map((row) => ({ entry_id: row.entry_id, started_at: row.apply_started_at || nowIso(), finished_at: row.apply_ended_at || nowIso(), ...row }))
     ];
@@ -912,7 +924,8 @@ async function runAgentPatchSwarmRuntime(root, ledgerRoot, input) {
         conflictRebase,
         verificationRollbackDag: input.verificationRollbackDag,
         gptFinalArbiter: input.gptFinalArbiter,
-        finalGptPatchStage: input.finalGptPatchStage
+        finalGptPatchStage: input.finalGptPatchStage,
+        worktreeMergeReport
     };
     const initialProof = buildAgentPatchProof(proofInput);
     await writeJsonAtomic(path.join(ledgerRoot, 'agent-patch-proof.json'), initialProof);
@@ -942,6 +955,8 @@ async function runAgentPatchSwarmRuntime(root, ledgerRoot, input) {
         apply_finished_at: finishedAt,
         apply_latency_ms: Math.max(0, Date.parse(finishedAt) - Date.parse(startedAt)),
         parallel_apply_count: parallelEntries.length,
+        worktree_integration_primary_count: worktreeEntries.length,
+        worktree_merge_queue: worktreeMergeReport,
         parallel_apply_groups: merge.parallel_apply_groups || [],
         serial_merge_groups: merge.serial_merge_groups || [],
         conflict_rebase: {
@@ -971,7 +986,8 @@ async function runAgentPatchSwarmRuntime(root, ledgerRoot, input) {
             proof: 'agent-patch-proof.json',
             transaction_journal: 'agent-patch-transaction-journal.jsonl',
             transaction_journal_summary: 'agent-patch-transaction-journal-summary.json',
-            conflict_rebase: 'agent-patch-conflict-rebase-results.json'
+            conflict_rebase: 'agent-patch-conflict-rebase-results.json',
+            git_worktree_merge_queue: worktreeMergeReport ? 'git-worktree-merge-queue-report.json' : null
         },
         blockers
     };
@@ -985,6 +1001,181 @@ async function runAgentPatchSwarmRuntime(root, ledgerRoot, input) {
     await writeJsonAtomic(path.join(ledgerRoot, 'agent-patch-swarm-runtime.json'), report);
     return report;
 }
+async function runGitWorktreeIntegrationPrimary(root, ledgerRoot, missionId, entries, queueStore) {
+    const diffs = entries.map((entry) => gitWorktreeDiffFromQueueEntry(entry)).filter(Boolean);
+    const repoRoot = diffs[0]?.main_repo_root || root;
+    const baseRef = diffs.find((diff) => diff.base_head)?.base_head || undefined;
+    const integration = await createGitIntegrationWorktree({ repoRoot, missionId, ...(baseRef ? { baseRef } : {}) });
+    const applyResults = [];
+    if (!integration.ok) {
+        for (const entry of entries) {
+            await queueStore.markConflicted(entry.id, integration.blockers || ['git_worktree_integration_allocation_failed']);
+            applyResults.push({
+                entry_id: entry.id,
+                started_at: nowIso(),
+                finished_at: nowIso(),
+                ok: false,
+                changed_files: entry.write_paths || entry.envelope?.git_worktree?.changed_files || [],
+                verification: { checks: ['git-worktree-integration-primary'] },
+                violations: integration.blockers || ['git_worktree_integration_allocation_failed']
+            });
+        }
+        const blockedReport = {
+            schema: 'sks.git-worktree-integration-primary-runtime.v1',
+            ok: false,
+            generated_at: nowIso(),
+            integration,
+            integration_worktree_path: integration.worktree_path || null,
+            applied_entry_ids: [],
+            conflicted_entry_ids: entries.map((entry) => entry.id),
+            apply_results: applyResults,
+            blockers: integration.blockers || ['git_worktree_integration_allocation_failed']
+        };
+        await writeJsonAtomic(path.join(ledgerRoot, 'git-worktree-merge-queue-report.json'), blockedReport);
+        return blockedReport;
+    }
+    const startedAt = nowIso();
+    for (const entry of entries)
+        await queueStore.markApplying(entry.id);
+    const queueReport = await applyGitWorktreeMergeQueue({
+        integrationWorktreePath: integration.worktree_path,
+        diffs
+    });
+    const rollbackPlan = queueReport.ok ? await captureGitWorktreeRollbackPlan(repoRoot, queueReport.changed_files || []) : { ok: false, rollback: [], blockers: ['git_worktree_integration_prevalidation_failed'] };
+    const mainApplyReport = queueReport.ok && rollbackPlan.ok
+        ? await applyGitWorktreeMergeQueue({
+            integrationWorktreePath: repoRoot,
+            diffs
+        })
+        : null;
+    const rollbackEvidence = mainApplyReport?.ok
+        ? await completeGitWorktreeRollbackPlan(repoRoot, rollbackPlan.rollback)
+        : rollbackPlan;
+    const finishedAt = nowIso();
+    const conflictsByWorker = new Set([
+        ...(queueReport.conflicts || []).map((row) => String(row.worker_id || row.workerId || '')),
+        ...(mainApplyReport?.conflicts || []).map((row) => String(row.worker_id || row.workerId || ''))
+    ]);
+    const appliedEntryIds = [];
+    const conflictedEntryIds = [];
+    for (const entry of entries) {
+        const workerId = String(entry.envelope?.git_worktree?.worker_id || entry.envelope?.agent_id || entry.agent_id || '');
+        const changedFiles = entry.write_paths || entry.envelope?.git_worktree?.changed_files || [];
+        const ok = queueReport.ok && mainApplyReport?.ok === true && rollbackEvidence.ok === true && !conflictsByWorker.has(workerId);
+        if (ok) {
+            await queueStore.markApplied(entry.id);
+            appliedEntryIds.push(entry.id);
+        }
+        else {
+            await queueStore.markConflicted(entry.id, queueReport.blockers || ['git_worktree_merge_failed']);
+            conflictedEntryIds.push(entry.id);
+        }
+        applyResults.push({
+            entry_id: entry.id,
+            started_at: startedAt,
+            finished_at: finishedAt,
+            ok,
+            changed_files: changedFiles,
+            rollback: ok ? rollbackEvidence.rollback.filter((row) => changedFiles.includes(row.path)) : [],
+            rollback_digest: ok ? `git-worktree-integration:${entry.id}:${sha256(JSON.stringify(rollbackEvidence.rollback.filter((row) => changedFiles.includes(row.path))))}` : null,
+            verification: { checks: ['git-worktree-integration-primary', 'git-apply-3way', 'main-repo-apply', 'rollback-hashes'] },
+            violations: ok ? [] : [...(queueReport.blockers || []), ...(mainApplyReport?.blockers || []), ...(rollbackEvidence.blockers || []), 'git_worktree_main_repo_apply_failed'].filter(Boolean)
+        });
+    }
+    const reportBlockers = [...(queueReport.blockers || []), ...(mainApplyReport?.blockers || []), ...(rollbackEvidence.blockers || [])];
+    const report = {
+        schema: 'sks.git-worktree-integration-primary-runtime.v1',
+        ok: reportBlockers.length === 0 && appliedEntryIds.length === entries.length,
+        generated_at: nowIso(),
+        integration,
+        integration_worktree_path: integration.worktree_path,
+        applied_entry_ids: appliedEntryIds,
+        conflicted_entry_ids: conflictedEntryIds,
+        merge_queue: queueReport,
+        main_repo_apply: mainApplyReport,
+        rollback_evidence: rollbackEvidence,
+        apply_results: applyResults,
+        blockers: reportBlockers
+    };
+    await writeJsonAtomic(path.join(ledgerRoot, 'git-worktree-merge-queue-report.json'), report);
+    return report;
+}
+async function captureGitWorktreeRollbackPlan(root, changedFiles) {
+    const rootResolved = path.resolve(root);
+    const rollback = [];
+    const blockers = [];
+    for (const file of [...new Set(changedFiles.map((row) => String(row || '').trim()).filter(Boolean))]) {
+        const rel = normalizeWorktreeRelPath(file);
+        const absolute = path.resolve(rootResolved, rel);
+        if (!absolute.startsWith(rootResolved + path.sep)) {
+            blockers.push(`git_worktree_rollback_path_outside_root:${rel}`);
+            continue;
+        }
+        const beforeExists = await exists(absolute);
+        const before = beforeExists ? await readText(absolute, '') : '';
+        rollback.push({
+            path: rel,
+            existed: beforeExists,
+            sha256_before: beforeExists ? sha256(String(before)) : null,
+            content_before: beforeExists ? String(before) : null
+        });
+    }
+    return { ok: blockers.length === 0, rollback, blockers };
+}
+async function completeGitWorktreeRollbackPlan(root, rollback) {
+    const rootResolved = path.resolve(root);
+    const blockers = [];
+    const completed = [];
+    for (const row of rollback) {
+        const rel = normalizeWorktreeRelPath(row.path);
+        const absolute = path.resolve(rootResolved, rel);
+        if (!absolute.startsWith(rootResolved + path.sep)) {
+            blockers.push(`git_worktree_rollback_path_outside_root:${rel}`);
+            continue;
+        }
+        const afterExists = await exists(absolute);
+        if (!afterExists) {
+            blockers.push(`git_worktree_rollback_after_missing:${rel}`);
+            completed.push({ ...row, path: rel, sha256_after: null });
+            continue;
+        }
+        const after = await readText(absolute, '');
+        completed.push({
+            ...row,
+            path: rel,
+            sha256_after: sha256(String(after))
+        });
+    }
+    return { ok: blockers.length === 0, rollback: completed, blockers };
+}
+function normalizeWorktreeRelPath(file) {
+    return String(file || '').replace(/\\/g, '/').replace(/^\/+/, '');
+}
+function gitWorktreeDiffFromQueueEntry(entry) {
+    const envelope = entry?.envelope || {};
+    const meta = envelope.git_worktree || {};
+    const operation = Array.isArray(envelope.operations) ? envelope.operations.find((row) => row?.op === 'git_apply_patch') : null;
+    const diff = String(operation?.diff || '');
+    return {
+        schema: 'sks.git-worktree-diff.v1',
+        ok: true,
+        generated_at: nowIso(),
+        mission_id: String(envelope.mission_id || ''),
+        worker_id: String(envelope.agent_id || entry.agent_id || entry.id),
+        main_repo_root: String(meta.main_repo_root || ''),
+        worktree_path: String(meta.worktree_path || ''),
+        branch: meta.branch == null ? null : String(meta.branch),
+        base_head: meta.base_head == null ? null : String(meta.base_head),
+        worktree_head: meta.worktree_head == null ? null : String(meta.worktree_head),
+        status_porcelain: '',
+        changed_files: Array.isArray(meta.changed_files) ? meta.changed_files.map(String) : entry.write_paths || [],
+        untracked_files: [],
+        diff,
+        diff_bytes: Buffer.byteLength(diff),
+        clean: diff.trim().length === 0,
+        blockers: []
+    };
+}
 function normalizeDesiredWorkItemCount(value, minimumValue, targetActiveSlots) {
     const parsed = Number(value);
     const minimum = Number(minimumValue);

package/dist/core/agents/agent-role-config.js

@@ -0,0 +1,92 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { ensureDir, nowIso, writeJsonAtomic, writeTextAtomic } from '../fsx.js';
+import { REQUIRED_CODEX_MODEL } from '../codex-model-guard.js';
+export const AGENT_ROLE_CONFIG_REPAIR_SCHEMA = 'sks.agent-role-config-repair.v1';
+const SKS_OWNED_AGENT_CONFIGS = new Map([
+    ['analysis-scout.toml', roleConfig('analysis_scout', 'Read-only SKS analysis scout retained for stale Codex agent-role config repair.', 'read-only')],
+    ['native-agent-intake.toml', roleConfig('native_agent', 'Read-only Team native agent for repository/docs/tests/API/risk slices.', 'read-only')],
+    ['team-consensus.toml', roleConfig('team_consensus', 'Planning and debate specialist for SKS Team mode.', 'read-only')],
+    ['implementation-worker.toml', roleConfig('implementation_worker', 'Implementation specialist for bounded SKS Team write sets.', 'workspace-write')],
+    ['db-safety-reviewer.toml', roleConfig('db_safety_reviewer', 'Read-only database safety reviewer for SQL, migrations, Supabase, and rollback safety.', 'read-only')],
+    ['qa-reviewer.toml', roleConfig('qa_reviewer', 'Strict read-only verification reviewer for correctness, regressions, and final evidence.', 'read-only')]
+]);
+export async function repairAgentRoleConfigs(input) {
+    const root = path.resolve(input.root);
+    const codexHome = input.codexHome || process.env.CODEX_HOME || path.join(process.env.HOME || '', '.codex');
+    const candidates = [path.join(root, '.codex', 'agents'), path.join(codexHome, 'agents')];
+    const missing = [];
+    const stale = [];
+    const created = [];
+    const repaired = [];
+    const existing = [];
+    for (const [file, config] of SKS_OWNED_AGENT_CONFIGS) {
+        const found = candidates.find((dir) => fs.existsSync(path.join(dir, file)));
+        if (found) {
+            const foundPath = path.join(found, file);
+            const text = fs.readFileSync(foundPath, 'utf8');
+            if (isValidRoleConfig(text, config)) {
+                existing.push(path.relative(root, foundPath) || foundPath);
+                continue;
+            }
+            stale.push(file);
+            if (input.apply) {
+                const target = foundPath.startsWith(path.join(root, '.codex', 'agents')) ? foundPath : path.join(root, '.codex', 'agents', file);
+                await ensureDir(path.dirname(target));
+                await writeTextAtomic(target, config.content);
+                repaired.push(path.relative(root, target));
+            }
+            continue;
+        }
+        missing.push(file);
+        if (input.apply) {
+            const target = path.join(root, '.codex', 'agents', file);
+            await ensureDir(path.dirname(target));
+            await writeTextAtomic(target, config.content);
+            created.push(path.relative(root, target));
+        }
+    }
+    const requiredFixes = missing.length + stale.length;
+    const appliedFixes = created.length + repaired.length;
+    const report = {
+        schema: AGENT_ROLE_CONFIG_REPAIR_SCHEMA,
+        generated_at: nowIso(),
+        ok: input.apply ? requiredFixes === appliedFixes : true,
+        apply: input.apply === true,
+        missing,
+        stale,
+        existing,
+        created,
+        repaired,
+        warnings_suppressed: true,
+        blockers: input.apply && requiredFixes !== appliedFixes ? ['agent_role_config_repair_incomplete'] : []
+    };
+    if (input.reportPath)
+        await writeJsonAtomic(input.reportPath, report);
+    return report;
+}
+function roleConfig(name, description, sandbox) {
+    const content = [
+        `name = "${name}"`,
+        `description = "${description}"`,
+        `model = "${REQUIRED_CODEX_MODEL}"`,
+        'model_reasoning_effort = "medium"',
+        `sandbox_mode = "${sandbox}"`,
+        'approval_policy = "never"',
+        'developer_instructions = """',
+        `You are the SKS ${name} role.`,
+        sandbox === 'read-only' ? 'Do not edit files.' : 'Only edit the bounded files assigned by the parent orchestrator.',
+        'Return concise source-backed findings and LIVE_EVENT lines when applicable.',
+        '"""',
+        ''
+    ].join('\n');
+    return { name, sandbox, content };
+}
+function isValidRoleConfig(text, config) {
+    return text.includes(`name = "${config.name}"`)
+        && text.includes('description = "')
+        && text.includes(`model = "${REQUIRED_CODEX_MODEL}"`)
+        && text.includes(`sandbox_mode = "${config.sandbox}"`)
+        && text.includes('developer_instructions = """');
+}
+//# sourceMappingURL=agent-role-config.js.map