thumbgate 1.15.0 → 1.16.0

package/scripts/workflow-sentinel.js

@@ -17,6 +17,11 @@ const {
 const { buildDockerSandboxPlan } = require('./docker-sandbox-planner');
 const { evaluatePretool } = require('./hybrid-feedback-context');
 const { getInterventionRecommendation } = require('./intervention-policy');
+const {
+  buildCostControl,
+  buildWorkflowControl,
+  normalizeProviderAction,
+} = require('./provider-action-normalizer');
 
 const GOVERNANCE_STATE_PATH = path.join(process.env.HOME || '/tmp', '.thumbgate', 'governance-state.json');
 const DEFAULT_PROTECTED_FILE_GLOBS = [
@@ -33,7 +38,7 @@ const DEFAULT_PROTECTED_FILE_GLOBS = [
   'config/gates/**',
 ];
 const EDIT_LIKE_TOOLS = new Set(['Edit', 'Write', 'MultiEdit']);
-const HIGH_RISK_BASH_PATTERN = /\b(?:git\s+(?:add|commit|push)|gh\s+pr\s+(?:create|merge)|gh\s+release\s+create|npm\s+publish|yarn\s+publish|pnpm\s+publish|rm\s+-rf)\b/i;
+const HIGH_RISK_BASH_PATTERN = /\b(?:git\s+(?:add|commit|push)|gh\s+(?:pr\s+(?:create|merge)|workflow\s+run|release\s+create)|npm\s+publish|yarn\s+publish|pnpm\s+publish|rm\s+-rf)\b/i;
 
 const SURFACE_RULES = [
   { key: 'policy', pattern: /^(?:AGENTS\.md|CLAUDE(?:\.local)?\.md|GEMINI\.md|config\/gates\/|config\/mcp-allowlists\.json|scripts\/tool-registry\.js)/ },
@@ -392,6 +397,8 @@ function scoreRisk({
   blastRadius,
   taskScopeViolation,
   protectedSurface,
+  costControl,
+  workflowControl,
 }) {
   const drivers = [];
   const commandInfo = classifyCommand(toolInput.command || '');
@@ -399,8 +406,25 @@ function scoreRisk({
   if (isHighRiskAction(toolName, toolInput, affectedFiles)) {
     addDriver(drivers, 'high_risk_action', 0.18, 'Command or edit pattern is classified as high risk.');
   }
-  if (commandInfo.isPrCreate || commandInfo.isPrMerge || commandInfo.isPublish || commandInfo.isReleaseCreate || commandInfo.isTagCreate) {
-    addDriver(drivers, 'governed_command', 0.16, 'Action touches PR, release, or publish workflow state.');
+  if (commandInfo.isPrCreate
+    || commandInfo.isPrMerge
+    || commandInfo.isWorkflowRun
+    || commandInfo.isPublish
+    || commandInfo.isReleaseCreate
+    || commandInfo.isTagCreate) {
+    addDriver(drivers, 'governed_command', 0.16, 'Action touches PR, workflow dispatch, release, or publish workflow state.');
+  }
+  if (commandInfo.isWorkflowRun) {
+    addDriver(
+      drivers,
+      'workflow_dispatch',
+      0.2,
+      'GitHub Actions workflow dispatch can trigger environment-specific builds or releases.',
+      {
+        workflowName: commandInfo.workflowName,
+        workflowRef: commandInfo.workflowRef,
+      }
+    );
   }
   if (/\bgit\s+push\b.*(?:--force|-f)\b/i.test(commandInfo.text)) {
     addDriver(drivers, 'force_push', 0.5, 'Force push predicts destructive branch history rewrite.');
@@ -465,6 +489,56 @@ function scoreRisk({
       { blockers: integrity.blockers.map((blocker) => blocker.code) }
     );
   }
+  if (costControl && costControl.mode && costControl.mode !== 'allow') {
+    addDriver(
+      drivers,
+      'cost_control',
+      costControl.mode === 'block' ? 0.5 : 0.18,
+      costControl.mode === 'block'
+        ? 'Estimated model usage exceeds the configured per-action budget.'
+        : 'Estimated model usage is high enough to require review.',
+      { mode: costControl.mode, reasons: costControl.reasons }
+    );
+  }
+  if (workflowControl && workflowControl.workflow && workflowControl.workflow.pattern !== 'single_action') {
+    const workflow = workflowControl.workflow;
+    if (workflow.pattern === 'agent') {
+      addDriver(
+        drivers,
+        'open_ended_agent',
+        workflow.hasInspectionEvidence ? 0.14 : 0.28,
+        workflow.hasInspectionEvidence
+          ? 'Open-ended agent action declares inspection evidence.'
+          : 'Open-ended agent action lacks explicit environment-inspection evidence.',
+        { pattern: workflow.pattern, toolCount: workflow.toolCount }
+      );
+    } else if (workflow.pattern === 'parallelization') {
+      addDriver(
+        drivers,
+        'parallel_workflow',
+        workflow.branchCount > 1 ? 0.12 : 0.06,
+        'Parallel workflow fan-out increases aggregate cost and review surface.',
+        { branchCount: workflow.branchCount }
+      );
+    } else {
+      addDriver(
+        drivers,
+        'workflow_pattern',
+        0.06,
+        `Provider action declared ${workflow.pattern} workflow pattern.`,
+        { pattern: workflow.pattern, stepCount: workflow.stepCount, routeCount: workflow.routeCount }
+      );
+    }
+    if (workflow.requiresInspection && !workflow.hasInspectionEvidence) {
+      addDriver(
+        drivers,
+        'missing_environment_inspection',
+        workflow.pattern === 'agent' ? 0.22 : 0.14,
+        'Action has no declared way to observe whether the tool/workflow result succeeded.',
+        { pattern: workflow.pattern }
+      );
+    }
+  }
   if (memoryGuard && memoryGuard.mode && memoryGuard.mode !== 'allow') {
     addDriver(
       drivers,
@@ -535,8 +609,28 @@ function buildEvidence({
   blastRadius,
   taskScopeViolation,
   protectedSurface,
+  normalizedAction,
+  costControl,
+  workflowControl,
 }) {
   const evidence = [];
+  if (normalizedAction && normalizedAction.provider !== 'unknown') {
+    evidence.push(
+      `Provider action normalized from ${normalizedAction.provider}: ${normalizedAction.actionType} / ${normalizedAction.intent}.`
+    );
+  }
+  if (costControl && costControl.mode && costControl.mode !== 'allow') {
+    evidence.push(`Cost control ${costControl.mode}: ${costControl.reasons.join(' ')}`);
+  }
+  if (workflowControl && workflowControl.workflow && workflowControl.workflow.pattern !== 'single_action') {
+    const workflow = workflowControl.workflow;
+    evidence.push(
+      `Workflow pattern ${workflow.pattern}: ${workflow.branchCount} branch(es), ${workflow.stepCount} step(s), ${workflow.toolCount} tool(s), inspection evidence ${workflow.hasInspectionEvidence ? 'present' : 'missing'}.`
+    );
+    if (workflowControl.mode !== 'allow') {
+      evidence.push(`Workflow control ${workflowControl.mode}: ${workflowControl.reasons.join(' ')}`);
+    }
+  }
   if (memoryGuard && memoryGuard.mode && memoryGuard.mode !== 'allow') {
     evidence.push(`Memory guard predicted ${memoryGuard.mode}: ${memoryGuard.reason}`);
   }
@@ -595,6 +689,23 @@ function addIntegrityRemediations(push, integrity) {
       action: 'Update branch governance with prNumber or prUrl before merging.',
       why: 'Merge actions should be tied to one explicit review surface.',
     },
+    {
+      codes: [
+        'missing_workflow_dispatch_evidence',
+        'missing_workflow_environment',
+        'missing_workflow_name',
+        'workflow_name_mismatch',
+        'missing_workflow_ref',
+        'workflow_ref_mismatch',
+        'missing_workflow_sha',
+        'workflow_sha_mismatch',
+        'missing_workflow_job',
+      ],
+      id: 'verify_workflow_dispatch',
+      title: 'Verify workflow dispatch target',
+      action: 'Set branch governance workflowDispatch with environment, workflow, ref, sha, and expected job before running gh workflow run.',
+      why: 'Environment-specific build dispatches must prove the workflow file, branch/ref, HEAD SHA, and job name before execution.',
+    },
     {
       codes: ['missing_release_version', 'release_version_mismatch'],
       id: 'align_release_version',
@@ -627,6 +738,8 @@ function buildRemediations({
   memoryGuard,
   learnedPolicy,
   executionSurface,
+  costControl,
+  workflowControl,
 }) {
   const remediations = [];
   const seen = new Set();
@@ -696,6 +809,30 @@ function buildRemediations({
       'Isolated execution limits host damage when a high-risk local action goes wrong.'
     );
   }
+  if (costControl && costControl.mode && costControl.mode !== 'allow') {
+    push(
+      'reduce_model_budget',
+      'Reduce model budget before execution',
+      'Trim context, lower max output, batch the work, or split the action before retrying.',
+      'High token or cost estimates should be reviewed before the model/tool loop continues.'
+    );
+  }
+  if (workflowControl && workflowControl.mode && workflowControl.mode !== 'allow') {
+    push(
+      'add_environment_inspection',
+      'Add environment inspection evidence',
+      'Declare how the agent will observe results after action: read-before-write, screenshots, API response checks, test commands, or generated-output validation.',
+      'Open-ended agents and inspection-sensitive workflows need a concrete feedback signal before they can be trusted in production.'
+    );
+  }
+  if (workflowControl?.workflow?.pattern === 'agent') {
+    push(
+      'prefer_workflow_when_possible',
+      'Prefer a predefined workflow when possible',
+      'If the task shape is known, split it into explicit workflow steps instead of letting an open-ended agent improvise.',
+      'Predefined workflows are easier to test, evaluate, budget, and audit than open-ended agents.'
+    );
+  }
 
   return remediations;
 }
@@ -709,6 +846,9 @@ function buildReasoning(report) {
     lines.push(
       `Decision control: ${report.decisionControl.decisionOwner} owns a ${report.decisionControl.reversibility} action via ${report.decisionControl.executionMode}.`
     );
+    if (report.decisionControl.deliberation?.required) {
+      lines.push(`Deliberation policy: ${report.decisionControl.deliberation.mode} before final approval.`);
+    }
   }
   if (report.learnedPolicy && report.learnedPolicy.enabled && report.learnedPolicy.prediction) {
     lines.push(
@@ -718,6 +858,14 @@ function buildReasoning(report) {
   if (report.executionSurface?.shouldSandbox) {
     lines.push(`Execution surface: ${report.executionSurface.summary}`);
   }
+  if (report.costControl && report.costControl.mode !== 'allow') {
+    lines.push(`Cost control: ${report.costControl.mode} — ${report.costControl.reasons.join(' ')}`);
+  }
+  if (report.workflowControl && report.workflowControl.workflow.pattern !== 'single_action') {
+    lines.push(
+      `Workflow control: ${report.workflowControl.mode} for ${report.workflowControl.workflow.pattern} with inspection ${report.workflowControl.workflow.hasInspectionEvidence ? 'present' : 'missing'}.`
+    );
+  }
   for (const driver of report.drivers.slice(0, 4)) {
     lines.push(`Driver ${driver.key} (+${driver.weight}): ${driver.reason}`);
   }
@@ -763,6 +911,52 @@ function classifyReversibility({ command, blastRadius, integrity, protectedSurfa
   return 'two_way_door';
 }
 
+function buildDeliberationPolicy({
+  executionMode,
+  reversibility,
+  risk,
+  hasOperationalBlockers,
+}) {
+  const riskBand = risk && risk.band ? risk.band : 'very_low';
+  const riskScore = risk && typeof risk.score === 'number' ? risk.score : 0;
+  const needsConsistencyCheck = executionMode === 'blocked'
+    || reversibility === 'one_way_door'
+    || riskBand === 'very_high'
+    || riskScore >= 0.72
+    || hasOperationalBlockers;
+  const required = executionMode !== 'auto_execute' || riskScore >= 0.45 || hasOperationalBlockers;
+  const mode = needsConsistencyCheck
+    ? 'reason_then_consistency_check'
+    : required
+      ? 'reason_then_decide'
+      : 'brief_rationale';
+
+  return {
+    required,
+    mode,
+    minSentences: needsConsistencyCheck ? 4 : required ? 2 : 1,
+    summarizeOnly: true,
+    instruction: required
+      ? 'Pause before answering, compare safety, reversibility, prior-failure, and evidence signals, then summarize only the decision evidence.'
+      : 'Give a brief evidence summary before approving fast-path execution.',
+    consistencyCheck: {
+      required: needsConsistencyCheck,
+      variants: needsConsistencyCheck
+        ? [
+          'Re-evaluate the same action from the failure-prevention perspective.',
+          'Re-evaluate the same action from the reversibility and rollback perspective.',
+          'Re-evaluate the same action from the user-intent and evidence perspective.',
+        ]
+        : [],
+      requiredAgreement: needsConsistencyCheck ? 'all_variants_same_execution_mode' : 'not_required',
+      onDisagreement: 'checkpoint_required',
+      rationale: needsConsistencyCheck
+        ? 'High-risk and one-way-door actions should be stable under paraphrased evaluation before an agent proceeds.'
+        : 'Low-risk fast-path actions do not require paraphrase stability checks.',
+    },
+  };
+}
+
 function buildDecisionControl({
   decision,
   risk,
@@ -770,6 +964,8 @@ function buildDecisionControl({
   blastRadius,
   integrity,
   protectedSurface,
+  costControl,
+  workflowControl,
 }) {
   const reversibility = classifyReversibility({
     command,
@@ -778,9 +974,15 @@ function buildDecisionControl({
     protectedSurface,
   });
   const hasOperationalBlockers = Boolean(integrity && Array.isArray(integrity.blockers) && integrity.blockers.length > 0);
+  const hasCostWarning = Boolean(costControl && costControl.mode === 'warn');
+  const hasCostBlock = Boolean(costControl && costControl.mode === 'block');
+  const hasWorkflowWarning = Boolean(workflowControl && workflowControl.mode === 'warn');
+  const hasWorkflowBlock = Boolean(workflowControl && workflowControl.mode === 'block');
   const requiresCheckpoint = decision === 'warn'
-    || (decision === 'allow' && (reversibility !== 'two_way_door' || hasOperationalBlockers));
+    || (decision === 'allow' && (reversibility !== 'two_way_door' || hasOperationalBlockers || hasCostWarning || hasWorkflowWarning));
   const executionMode = decision === 'deny'
+    || hasCostBlock
+    || hasWorkflowBlock
     ? 'blocked'
     : requiresCheckpoint
       ? 'checkpoint_required'
@@ -792,12 +994,19 @@ function buildDecisionControl({
         ? 'shared'
         : 'human'
       : 'agent';
+  const deliberation = buildDeliberationPolicy({
+    executionMode,
+    reversibility,
+    risk,
+    hasOperationalBlockers,
+  });
 
   return {
     executionMode,
     decisionOwner,
     reversibility,
-    requiresHumanApproval: executionMode === 'checkpoint_required' && decisionOwner !== 'agent',
+    deliberation,
+    requiresHumanApproval: (executionMode === 'checkpoint_required' && decisionOwner !== 'agent') || hasCostBlock || hasWorkflowBlock,
     recommendedAction: executionMode === 'blocked'
       ? 'halt'
       : executionMode === 'checkpoint_required'
@@ -811,8 +1020,14 @@ function buildDecisionControl({
   };
 }
 
-function chooseDecision({ riskScore, integrity, memoryGuard, learnedPolicy, blastRadius, command }) {
+function chooseDecision({ riskScore, integrity, memoryGuard, learnedPolicy, blastRadius, command, costControl, workflowControl }) {
   const hasOperationalBlockers = Boolean(integrity && Array.isArray(integrity.blockers) && integrity.blockers.length > 0);
+  if (costControl && costControl.mode === 'block') {
+    return 'deny';
+  }
+  if (workflowControl && workflowControl.mode === 'block') {
+    return 'deny';
+  }
   const destructiveBypass = /\bgit\s+push\b.*(?:--force|-f)\b/i.test(command) || /\bgh\s+pr\s+merge\b.*--admin\b/i.test(command);
   const learnedPrediction = learnedPolicy && learnedPolicy.enabled ? learnedPolicy.prediction : null;
   const learnedHardStop = Boolean(
@@ -859,52 +1074,78 @@ function chooseDecision({ riskScore, integrity, memoryGuard, learnedPolicy, blas
   if (destructiveBypass || learnedHardStop || repeatedHighBlast || (hasOperationalBlockers && riskScore >= 0.72) || riskScore >= 0.86) {
     return 'deny';
   }
-  if (riskScore >= 0.45 || (learnedWarning && riskScore >= 0.3) || (learnedRecall && riskScore >= 0.34)) {
+  if ((workflowControl && workflowControl.mode === 'warn') || (costControl && costControl.mode === 'warn') || riskScore >= 0.45 || (learnedWarning && riskScore >= 0.3) || (learnedRecall && riskScore >= 0.34)) {
     return 'warn';
   }
   return 'allow';
 }
 
 function evaluateWorkflowSentinel(toolName, toolInput = {}, options = {}) {
+  const normalizedAction = options.normalizedAction || normalizeProviderAction({
+    provider: options.provider,
+    model: options.model,
+    toolName,
+    toolInput,
+    command: toolInput.command,
+    filePath: toolInput.file_path || toolInput.filePath || toolInput.path,
+    changedFiles: toolInput.changed_files || toolInput.changedFiles,
+    usage: options.usage,
+    tokenEstimate: options.tokenEstimate,
+    costUsd: options.costUsd,
+  });
+  const normalizedToolName = normalizedAction.toolName || toolName;
+  const normalizedToolInput = {
+    ...toolInput,
+    ...normalizedAction.toolInput,
+  };
+  if (normalizedAction.command && !normalizedToolInput.command) {
+    normalizedToolInput.command = normalizedAction.command;
+  }
+  if (normalizedAction.affectedFiles.length > 0 && !normalizedToolInput.changed_files && !normalizedToolInput.changedFiles) {
+    normalizedToolInput.changed_files = normalizedAction.affectedFiles;
+  }
+  const costControl = buildCostControl(normalizedAction, options.budget || toolInput.budget || {});
+  const workflowControl = buildWorkflowControl(normalizedAction, options.workflowPolicy || toolInput.workflowPolicy || options.budget || toolInput.budget || {});
   const governanceState = options.governanceState || loadGovernanceState();
-  const repoPath = options.repoPath || toolInput.repoPath || toolInput.cwd || process.cwd();
+  const repoPath = options.repoPath || normalizedToolInput.repoPath || normalizedToolInput.cwd || process.cwd();
   const repoRoot = resolveRepoRoot(repoPath) || null;
   const affectedFiles = Array.isArray(options.affectedFiles)
     ? options.affectedFiles.map((filePath) => normalizePosix(filePath)).filter(Boolean)
-    : collectAffectedFiles(toolName, toolInput, repoRoot);
-  const highRiskAction = isHighRiskAction(toolName, toolInput, affectedFiles);
+    : collectAffectedFiles(normalizedToolName, normalizedToolInput, repoRoot);
+  const highRiskAction = isHighRiskAction(normalizedToolName, normalizedToolInput, affectedFiles);
   const baseBranch = options.baseBranch
     || (governanceState.branchGovernance && governanceState.branchGovernance.baseBranch)
-    || toolInput.baseBranch
+    || normalizedToolInput.baseBranch
     || DEFAULT_BASE_BRANCH;
   const integrity = evaluateOperationalIntegrity({
     repoPath,
     baseBranch,
-    command: toolInput.command,
+    command: normalizedToolInput.command,
     changedFiles: affectedFiles,
+    headSha: options.headSha || toolInput.headSha,
     requirePrForReleaseSensitive: options.requirePrForReleaseSensitive === true,
     requireVersionNotBehindBase: options.requireVersionNotBehindBase === true,
     branchGovernance: governanceState.branchGovernance,
   });
   const taskScopeViolation = buildTaskScopeViolation(governanceState.taskScope, affectedFiles);
   const protectedSurface = buildProtectedSurface(governanceState, affectedFiles);
-  const protectedSurfaceForRisk = isProtectedApprovalRelevant(toolName, toolInput)
+  const protectedSurfaceForRisk = isProtectedApprovalRelevant(normalizedToolName, normalizedToolInput)
     ? protectedSurface
     : {
       ...protectedSurface,
       protectedFiles: [],
       unapprovedProtectedFiles: [],
     };
-  const rawMemoryGuard = options.memoryGuard || evaluatePretool(toolName, JSON.stringify({
-    toolName,
-    command: toolInput.command || null,
-    filePath: toolInput.file_path || toolInput.filePath || toolInput.path || null,
+  const rawMemoryGuard = options.memoryGuard || evaluatePretool(normalizedToolName, JSON.stringify({
+    toolName: normalizedToolName,
+    command: normalizedToolInput.command || null,
+    filePath: normalizedToolInput.file_path || normalizedToolInput.filePath || normalizedToolInput.path || null,
     affectedFiles,
   }), options.feedbackOptions || {});
   const memoryGuard = normalizeMemoryGuardForSentinel(rawMemoryGuard, highRiskAction);
   const learnedPolicy = getInterventionRecommendation({
-    toolName,
-    command: toolInput.command || '',
+    toolName: normalizedToolName,
+    command: normalizedToolInput.command || '',
     affectedFiles,
     integrity,
     memoryGuard,
@@ -922,8 +1163,8 @@ function evaluateWorkflowSentinel(toolName, toolInput = {}, options = {}) {
     protectedSurface: protectedSurfaceForRisk,
   });
   const risk = scoreRisk({
-    toolName,
-    toolInput,
+    toolName: normalizedToolName,
+    toolInput: normalizedToolInput,
     affectedFiles,
     integrity,
     memoryGuard,
@@ -931,17 +1172,19 @@ function evaluateWorkflowSentinel(toolName, toolInput = {}, options = {}) {
     blastRadius,
     taskScopeViolation,
     protectedSurface: protectedSurfaceForRisk,
+    costControl,
+    workflowControl,
   });
   const executionSurface = buildDockerSandboxPlan({
-    toolName,
-    actionType: getSentinelActionType(toolName),
-    command: toolInput.command,
+    toolName: normalizedToolName,
+    actionType: getSentinelActionType(normalizedToolName),
+    command: normalizedToolInput.command,
     repoPath,
     affectedFiles,
     riskBand: risk.band,
     riskScore: risk.score,
     requiresNetwork: Boolean(
-      /\b(?:curl|wget|gh\s+pr|git\s+push|npm\s+publish|yarn\s+publish|pnpm\s+publish)\b/i.test(toolInput.command || '')
+      /\b(?:curl|wget|gh\s+pr|git\s+push|npm\s+publish|yarn\s+publish|pnpm\s+publish)\b/i.test(normalizedToolInput.command || '')
     ),
   });
   const decision = chooseDecision({
@@ -953,7 +1196,9 @@ function evaluateWorkflowSentinel(toolName, toolInput = {}, options = {}) {
       ...blastRadius,
       unapprovedProtectedFiles: protectedSurfaceForRisk.unapprovedProtectedFiles.length,
     },
-    command: toolInput.command || '',
+    command: normalizedToolInput.command || '',
+    costControl,
+    workflowControl,
   });
   const evidence = buildEvidence({
     integrity,
@@ -962,6 +1207,9 @@ function evaluateWorkflowSentinel(toolName, toolInput = {}, options = {}) {
     blastRadius,
     taskScopeViolation,
     protectedSurface: protectedSurfaceForRisk,
+    normalizedAction,
+    costControl,
+    workflowControl,
   });
   const remediations = buildRemediations({
     integrity,
@@ -971,6 +1219,8 @@ function evaluateWorkflowSentinel(toolName, toolInput = {}, options = {}) {
     memoryGuard,
     learnedPolicy,
     executionSurface,
+    costControl,
+    workflowControl,
   });
   const summary = decision === 'allow'
     ? 'No predictive workflow blockers detected.'
@@ -979,7 +1229,10 @@ function evaluateWorkflowSentinel(toolName, toolInput = {}, options = {}) {
       : 'Predicted workflow failure before execution.';
   const report = {
     sentinelVersion: 'workflow-sentinel-v2',
-    toolName,
+    toolName: normalizedToolName,
+    normalizedAction,
+    costControl,
+    workflowControl,
     decision,
     riskScore: risk.score,
     band: risk.band,
@@ -1005,13 +1258,15 @@ function evaluateWorkflowSentinel(toolName, toolInput = {}, options = {}) {
   report.decisionControl = buildDecisionControl({
     decision,
     risk,
-    command: toolInput.command || '',
+    command: normalizedToolInput.command || '',
     blastRadius: {
       ...blastRadius,
       unapprovedProtectedFiles: protectedSurfaceForRisk.unapprovedProtectedFiles.length,
     },
     integrity,
     protectedSurface: protectedSurfaceForRisk,
+    costControl,
+    workflowControl,
   });
   report.reasoning = buildReasoning(report);
   return report;
@@ -1019,6 +1274,7 @@ function evaluateWorkflowSentinel(toolName, toolInput = {}, options = {}) {
 
 module.exports = {
   buildDecisionControl,
+  buildDeliberationPolicy,
   DEFAULT_PROTECTED_FILE_GLOBS,
   buildBlastRadius,
   buildEvidence,

package/scripts/workspace-agent-routines.js

@@ -0,0 +1,118 @@
+#!/usr/bin/env node
+'use strict';
+
+const ROUTINE_TYPES = Object.freeze({
+  security_audit: {
+    schedule: 'daily',
+    trigger: 'schedule',
+    approval: 'pull_request_required',
+    checks: ['npm test', 'npm run test:coverage', 'npm run self-heal:check'],
+  },
+  post_merge_hygiene: {
+    schedule: 'after_pr_merge',
+    trigger: 'webhook',
+    approval: 'pull_request_required',
+    checks: ['npm run self-heal:check', 'npm run prove:automation'],
+  },
+  data_table_refresh: {
+    schedule: 'daily',
+    trigger: 'schedule',
+    approval: 'human_approval_for_schema_changes',
+    checks: ['npm run test:data-pipeline', 'npm run self-heal:check'],
+  },
+  portfolio_research: {
+    schedule: 'hourly_market_window',
+    trigger: 'schedule',
+    approval: 'always_ask_before_trade_or_publish',
+    checks: ['risk_limit_check', 'source_reconciliation', 'decision_journal_append'],
+  },
+});
+
+function normalizeText(value) {
+  if (value === undefined || value === null) return '';
+  return String(value).trim();
+}
+
+function normalizeConnector(connector) {
+  if (typeof connector === 'string') {
+    return {
+      name: connector,
+      mode: 'read',
+      auth: 'user_or_service_account',
+      approval: 'always_ask_for_write',
+    };
+  }
+  return {
+    name: normalizeText(connector?.name) || 'custom',
+    mode: normalizeText(connector?.mode) || 'read',
+    auth: normalizeText(connector?.auth) || 'user_or_service_account',
+    approval: normalizeText(connector?.approval) || 'always_ask_for_write',
+  };
+}
+
+function buildWorkspaceAgentRoutine(input = {}) {
+  const type = normalizeText(input.type) || 'post_merge_hygiene';
+  const defaults = ROUTINE_TYPES[type] || ROUTINE_TYPES.post_merge_hygiene;
+  const name = normalizeText(input.name) || `ThumbGate ${type.replaceAll('_', ' ')}`;
+  const connectors = Array.isArray(input.connectors) ? input.connectors.map(normalizeConnector) : [];
+  const checks = Array.isArray(input.checks) && input.checks.length > 0 ? input.checks : defaults.checks;
+  const routine = {
+    name,
+    type,
+    repository: normalizeText(input.repository) || 'IgorGanapolsky/ThumbGate',
+    trigger: normalizeText(input.trigger) || defaults.trigger,
+    schedule: normalizeText(input.schedule) || defaults.schedule,
+    modelPolicy: normalizeText(input.modelPolicy) || 'use_best_available_for_audit_then_small_model_for_summaries',
+    connectors,
+    permissionMode: normalizeText(input.permissionMode) || 'least_privilege',
+    approvalPolicy: normalizeText(input.approvalPolicy) || defaults.approval,
+    branchPolicy: 'feature_branch_only',
+    checks,
+    evidenceRequired: [
+      'branch_name',
+      'commit_sha',
+      'test_output',
+      'decision_journal_entry',
+      'pull_request_url_or_no_change_reason',
+    ],
+    blockedActions: [
+      'direct_main_write',
+      'secret_persistence',
+      'credentialed_write_without_approval',
+      'schema_migration_without_approval',
+      'trade_or_portfolio_action_without_risk_limits',
+    ],
+  };
+
+  return {
+    routine,
+    prompt: [
+      `Run ${routine.name} for ${routine.repository}.`,
+      'Use ThumbGate before every risky tool action.',
+      'Create a feature branch for any code change.',
+      `Run checks: ${routine.checks.join(', ')}.`,
+      'Append evidence to the decision journal.',
+      'Open a pull request only when changes and proof exist.',
+      'Stop and report blockers instead of bypassing checks.',
+    ].join(' '),
+  };
+}
+
+function buildWorkspaceAgentDirectory(input = {}) {
+  const repository = normalizeText(input.repository) || 'IgorGanapolsky/ThumbGate';
+  return {
+    generatedAt: normalizeText(input.generatedAt) || new Date().toISOString(),
+    directory: [
+      buildWorkspaceAgentRoutine({ type: 'security_audit', repository }).routine,
+      buildWorkspaceAgentRoutine({ type: 'post_merge_hygiene', repository }).routine,
+      buildWorkspaceAgentRoutine({ type: 'data_table_refresh', repository }).routine,
+      buildWorkspaceAgentRoutine({ type: 'portfolio_research', repository }).routine,
+    ],
+  };
+}
+
+module.exports = {
+  ROUTINE_TYPES,
+  buildWorkspaceAgentDirectory,
+  buildWorkspaceAgentRoutine,
+};