tycono 0.1.42 → 0.1.43

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "tycono",
-  "version": "0.1.42",
+  "version": "0.1.43",
   "description": "Build an AI company. Watch them work.",
   "type": "module",
   "bin": {

package/src/api/src/engine/agent-loop.ts

@@ -245,96 +245,201 @@ export async function runAgentLoop(config: AgentConfig): Promise<AgentResult> {
     onTurnComplete?.(turns);
   }
 
-  // ── Verification turn: auto-inject for engineer/cto at depth 0 with write access ──
-  const verifiableRoles = ['engineer', 'cto'];
-  if (verifiableRoles.includes(roleId) && !readOnly && depth === 0 && turns > 0) {
-    const hasFileChanges = allToolCalls.some((tc) =>
-      ['write', 'edit', 'bash'].includes(tc.name.toLowerCase()),
-    );
-
-    if (hasFileChanges) {
-      const verifyPrompt = [
-        '[AUTO-VERIFICATION] 작업이 완료되었습니다. 아래 검증을 수행하세요:',
-        '1. `cd src/api && npx tsc --noEmit` — 타입 에러 확인',
-        '2. `cd src/web && npx tsc --noEmit` — 프론트엔드 타입 에러 확인',
-        '3. UI/CSS 변경이 있었다면 Playwright MCP로 스크린샷을 촬영하여 시각 검증',
-        '검증 결과를 간단히 보고하세요.',
+  // ── Post-execution phases (depth 0 only) ──
+  if (!readOnly && depth === 0 && turns > 0) {
+    const node = orgTree.nodes.get(roleId);
+    const isCLevel = node?.level === 'c-level';
+
+    // Phase A: C-Level Supervision Loop — review dispatches, update knowledge, dispatch next
+    if (isCLevel && dispatches.length > 0) {
+      const dispatchSummary = dispatches.map((d, i) =>
+        `${i + 1}. **${d.roleId}**: "${d.task.slice(0, 80)}"\n   Result: ${d.result.slice(0, 300)}`,
+      ).join('\n\n');
+
+      const supervisionPrompt = [
+        '[SUPERVISION LOOP] Your subordinates have completed their tasks. Follow the C-Level Protocol:',
+        '',
+        '## Subordinate Results',
+        dispatchSummary,
+        '',
+        '## Required Actions (do ALL of these):',
+        '',
+        '### 1. Review',
+        'Does each result meet the acceptance criteria? If not, re-dispatch with specific feedback.',
+        '',
+        '### 2. Knowledge Update (The Loop Step ④)',
+        'Record any new decisions, findings, or analysis in appropriate AKB documents:',
+        '- Update your journal (`roles/' + roleId + '/journal/`)',
+        '- Update relevant project docs if needed',
+        '- Update knowledge/ if there are reusable insights',
+        '',
+        '### 3. Task Update (The Loop Step ⑤)',
+        'Update task status in the relevant tasks.md or project documents.',
+        'Mark completed items as DONE. Identify the NEXT task to dispatch.',
+        '',
+        '### 4. Next Dispatch',
+        'If there are remaining tasks (e.g., QA after Engineer, or the next task in the backlog):',
+        '- Dispatch the next task to the appropriate subordinate',
+        '- If all work is done, synthesize a final report for your superior',
+        '',
+        'Execute these actions now using your tools (Read, Edit, Bash, dispatch).',
       ].join('\n');
 
-      messages.push({ role: 'user', content: verifyPrompt });
-
-      // Run one verification turn
-      if (turns < maxTurns) {
+      // Run supervision loop (up to 3 additional rounds of tool use)
+      messages.push({ role: 'user', content: supervisionPrompt });
+      const maxSupervisionRounds = 3;
+      for (let round = 0; round < maxSupervisionRounds && turns < maxTurns; round++) {
+        if (abortSignal?.aborted) break;
         turns++;
-        const verifyResponse = await llm.chat(context.systemPrompt, messages, tools, abortSignal);
-        totalInput += verifyResponse.usage.inputTokens;
-        totalOutput += verifyResponse.usage.outputTokens;
+
+        const supResponse = await llm.chat(context.systemPrompt, messages, tools, abortSignal);
+        totalInput += supResponse.usage.inputTokens;
+        totalOutput += supResponse.usage.outputTokens;
         config.tokenLedger?.record({
           ts: new Date().toISOString(),
           jobId: config.jobId ?? 'unknown',
           roleId,
           model: config.model ?? 'unknown',
-          inputTokens: verifyResponse.usage.inputTokens,
-          outputTokens: verifyResponse.usage.outputTokens,
+          inputTokens: supResponse.usage.inputTokens,
+          outputTokens: supResponse.usage.outputTokens,
         });
 
-        messages.push({ role: 'assistant', content: verifyResponse.content });
-
-        for (const block of verifyResponse.content) {
+        messages.push({ role: 'assistant', content: supResponse.content });
+        for (const block of supResponse.content) {
           if (block.type === 'text' && block.text) {
             outputParts.push(block.text);
             onText?.(block.text);
           }
         }
 
-        // If verification needs tool calls, execute them
-        if (verifyResponse.stopReason === 'tool_use') {
-          const verifyToolCalls = verifyResponse.content.filter(
-            (b): b is MessageContent & { type: 'tool_use' } => b.type === 'tool_use',
+        // If no tool calls, supervision is done
+        if (supResponse.stopReason !== 'tool_use') break;
+
+        // Execute tool calls
+        const supToolCalls = supResponse.content.filter(
+          (b): b is MessageContent & { type: 'tool_use' } => b.type === 'tool_use',
+        );
+        const supResults: ToolResult[] = [];
+        for (const tc of supToolCalls) {
+          allToolCalls.push({ name: tc.name, input: tc.input });
+          const result = await executeTool(
+            { id: tc.id, name: tc.name, input: tc.input },
+            toolExecOptions,
           );
-          const verifyResults: ToolResult[] = [];
-          for (const tc of verifyToolCalls) {
-            allToolCalls.push({ name: tc.name, input: tc.input });
-            const result = await executeTool(
-              { id: tc.id, name: tc.name, input: tc.input },
-              toolExecOptions,
-            );
-            verifyResults.push(result);
+          supResults.push(result);
+
+          // Track additional dispatches from supervision
+          if (tc.name === 'dispatch' && !result.is_error) {
+            dispatches.push({
+              roleId: String(tc.input.roleId),
+              task: String(tc.input.task),
+              result: result.content,
+            });
           }
-          // Feed results back for final summary
-          messages.push({
-            role: 'user',
-            content: verifyResults.map((r) => ({
-              type: 'tool_result' as const,
-              tool_use_id: r.tool_use_id,
-              content: r.content,
-              is_error: r.is_error,
-            })) as unknown as MessageContent[],
+        }
+
+        messages.push({
+          role: 'user',
+          content: supResults.map((r) => ({
+            type: 'tool_result' as const,
+            tool_use_id: r.tool_use_id,
+            content: r.content,
+            is_error: r.is_error,
+          })) as unknown as MessageContent[],
+        });
+
+        onTurnComplete?.(turns);
+      }
+    }
+
+    // Phase B: Engineer/CTO Verification — type checking + visual verification
+    const verifiableRoles = ['engineer', 'cto'];
+    if (verifiableRoles.includes(roleId)) {
+      const hasFileChanges = allToolCalls.some((tc) =>
+        ['write', 'edit', 'bash'].includes(tc.name.toLowerCase()),
+      );
+
+      if (hasFileChanges) {
+        const verifyPrompt = [
+          '[AUTO-VERIFICATION] 작업이 완료되었습니다. 아래 검증을 수행하세요:',
+          '1. `cd src/api && npx tsc --noEmit` — 타입 에러 확인',
+          '2. `cd src/web && npx tsc --noEmit` — 프론트엔드 타입 에러 확인',
+          '3. UI/CSS 변경이 있었다면 Playwright MCP로 스크린샷을 촬영하여 시각 검증',
+          '검증 결과를 간단히 보고하세요.',
+        ].join('\n');
+
+        messages.push({ role: 'user', content: verifyPrompt });
+
+        if (turns < maxTurns) {
+          turns++;
+          const verifyResponse = await llm.chat(context.systemPrompt, messages, tools, abortSignal);
+          totalInput += verifyResponse.usage.inputTokens;
+          totalOutput += verifyResponse.usage.outputTokens;
+          config.tokenLedger?.record({
+            ts: new Date().toISOString(),
+            jobId: config.jobId ?? 'unknown',
+            roleId,
+            model: config.model ?? 'unknown',
+            inputTokens: verifyResponse.usage.inputTokens,
+            outputTokens: verifyResponse.usage.outputTokens,
           });
 
-          if (turns < maxTurns) {
-            turns++;
-            const summaryResponse = await llm.chat(context.systemPrompt, messages, tools, abortSignal);
-            totalInput += summaryResponse.usage.inputTokens;
-            totalOutput += summaryResponse.usage.outputTokens;
-            config.tokenLedger?.record({
-              ts: new Date().toISOString(),
-              jobId: config.jobId ?? 'unknown',
-              roleId,
-              model: config.model ?? 'unknown',
-              inputTokens: summaryResponse.usage.inputTokens,
-              outputTokens: summaryResponse.usage.outputTokens,
+          messages.push({ role: 'assistant', content: verifyResponse.content });
+          for (const block of verifyResponse.content) {
+            if (block.type === 'text' && block.text) {
+              outputParts.push(block.text);
+              onText?.(block.text);
+            }
+          }
+
+          // Execute verification tool calls if needed
+          if (verifyResponse.stopReason === 'tool_use') {
+            const verifyToolCalls = verifyResponse.content.filter(
+              (b): b is MessageContent & { type: 'tool_use' } => b.type === 'tool_use',
+            );
+            const verifyResults: ToolResult[] = [];
+            for (const tc of verifyToolCalls) {
+              allToolCalls.push({ name: tc.name, input: tc.input });
+              const result = await executeTool(
+                { id: tc.id, name: tc.name, input: tc.input },
+                toolExecOptions,
+              );
+              verifyResults.push(result);
+            }
+            messages.push({
+              role: 'user',
+              content: verifyResults.map((r) => ({
+                type: 'tool_result' as const,
+                tool_use_id: r.tool_use_id,
+                content: r.content,
+                is_error: r.is_error,
+              })) as unknown as MessageContent[],
             });
-            for (const block of summaryResponse.content) {
-              if (block.type === 'text' && block.text) {
-                outputParts.push(block.text);
-                onText?.(block.text);
+
+            if (turns < maxTurns) {
+              turns++;
+              const summaryResponse = await llm.chat(context.systemPrompt, messages, tools, abortSignal);
+              totalInput += summaryResponse.usage.inputTokens;
+              totalOutput += summaryResponse.usage.outputTokens;
+              config.tokenLedger?.record({
+                ts: new Date().toISOString(),
+                jobId: config.jobId ?? 'unknown',
+                roleId,
+                model: config.model ?? 'unknown',
+                inputTokens: summaryResponse.usage.inputTokens,
+                outputTokens: summaryResponse.usage.outputTokens,
+              });
+              for (const block of summaryResponse.content) {
+                if (block.type === 'text' && block.text) {
+                  outputParts.push(block.text);
+                  onText?.(block.text);
+                }
               }
             }
           }
-        }
 
-        onTurnComplete?.(turns);
+          onTurnComplete?.(turns);
+        }
       }
     }
   }

package/src/api/src/engine/context-assembler.ts

@@ -363,6 +363,9 @@ function loadCeoDecisions(companyRoot: string): string | null {
 }
 
 function buildDispatchSection(orgTree: OrgTree, roleId: string, subordinates: string[], teamStatus?: TeamStatus): string {
+  const node = orgTree.nodes.get(roleId);
+  const isCLevel = node?.level === 'c-level';
+
   const subInfo = subordinates.map((id) => {
     const sub = orgTree.nodes.get(id);
     const base = sub ? `- **${sub.name}** (\`${id}\`): ${sub.persona.split('\n')[0]}` : `- ${id}`;
@@ -376,9 +379,7 @@ function buildDispatchSection(orgTree: OrgTree, roleId: string, subordinates: st
 
   const exampleSubId = subordinates[0] ?? 'engineer';
 
-  return `# Dispatch (Team Management)
-
-You can assign tasks to your direct reports. They will execute independently and return results.
+  let section = `# Dispatch (Team Management)
 
 ## Available Team Members
 ${subInfo}
@@ -401,21 +402,76 @@ The command will:
 If the subordinate takes longer than 100s, you'll get a job ID. Check the result with:
 \`\`\`bash
 python3 "$DISPATCH_CMD" --check <jobId>
-\`\`\`
+\`\`\``;
 
-## Examples
+  // C-level roles get mandatory delegation rules
+  if (isCLevel) {
+    section += `
 
-\`\`\`bash
-# Assign a task and wait for result
-python3 "$DISPATCH_CMD" ${exampleSubId} "프로젝트 현황을 확인하고 보고서를 작성해"
+## C-Level Delegation Protocol (MANDATORY)
+
+⛔ **You are a MANAGER. You do NOT write code, tests, or implementation yourself.**
+⛔ **Your job is to PLAN, DELEGATE, REVIEW, and UPDATE KNOWLEDGE.**
+
+### Core Rule: Always Delegate Down
+
+When you receive a directive:
+1. **Analyze** — Break it into sub-tasks appropriate for each subordinate
+2. **Dispatch** — Assign tasks to subordinates with clear acceptance criteria
+3. **Monitor** — Wait for results, review quality
+4. **Follow up** — If output doesn't meet criteria, dispatch back with feedback
+5. **Report** — Synthesize results and report to your superior
+
+### What You Do vs What Subordinates Do
+
+| YOU (C-Level) | SUBORDINATES (Members) |
+|---------------|----------------------|
+| Plan & decompose tasks | Implement code/design/tests |
+| Dispatch with clear specs | Execute and return results |
+| Review output quality | Fix issues when told |
+| Update knowledge & tasks | Update their own journals |
+| Report to superior | Report to you |
 
-# Check a previously dispatched job result
-python3 "$DISPATCH_CMD" --check job-xxx-123
+### The Supervision Loop (CRITICAL)
+
+After EVERY dispatch, follow this loop:
+
+\`\`\`
+DISPATCH → WAIT → REVIEW → DECIDE
+                              ├── PASS → Knowledge Update → Task Update → Next Dispatch
+                              └── FAIL → Re-dispatch with feedback
 \`\`\`
 
+1. **Review**: Does the output meet acceptance criteria?
+2. **Knowledge Update**: Record decisions, findings, analysis in AKB (journals, knowledge/)
+3. **Task Update**: Update task status in tasks.md or project docs
+4. **Next Dispatch**: Identify and dispatch the next task
+
+### Dispatch Quality Requirements
+
+Every dispatch MUST include:
+- **Context**: What documents/files to read first (CLAUDE.md + relevant Hub + SKILL.md)
+- **Task**: Specific deliverable with acceptance criteria
+- **Constraints**: File paths, standards, what NOT to do
+- **AKB instruction**: "⛔ AKB Rule: Read CLAUDE.md before starting work."
+
+### Anti-Patterns (NEVER do these)
+
+- ❌ Writing code yourself instead of dispatching to engineer
+- ❌ Dispatching without acceptance criteria
+- ❌ Accepting output without reviewing it
+- ❌ Forgetting to update knowledge/tasks after work completes
+- ❌ Doing only 1 dispatch when you should chain multiple (Engineer → QA)
+- ❌ Reporting to superior without synthesizing subordinate outputs`;
+  } else {
+    section += `
+
 ## Rules
 - Only dispatch to your direct reports listed above
 - Include clear task description, acceptance criteria, and relevant file paths
 - The dispatched agent will work independently and return results to you
 - After receiving results, synthesize and report back`;
+  }
+
+  return section;
 }

package/src/api/src/routes/knowledge.ts

@@ -277,10 +277,10 @@ knowledgeRouter.get('/{*path}', (req: Request, res: Response, next: NextFunction
       return;
     }
 
-    const absPath = path.join(knowledgeDir(), docId);
+    const absPath = path.resolve(companyRoot(), docId);
 
-    // Security: ensure path stays within knowledgeDir
-    if (!absPath.startsWith(knowledgeDir())) {
+    // Security: ensure path stays within companyRoot
+    if (!absPath.startsWith(companyRoot() + path.sep) && absPath !== companyRoot()) {
       res.status(403).json({ error: 'Forbidden' });
       return;
     }