usesteady 0.1.0-alpha.63 → 0.1.0-alpha.64

package/CHANGELOG.md

@@ -1,5 +1,173 @@
 # Changelog
 
+## 0.1.0-alpha.64 - Governed kernel widening: workflow inspect, resume tokens, bounded node -e replay
+
+### Summary
+
+This release widens the governed kernel layer along three independent
+axes -- workflow inspect, resume tokens, and bounded `node -e` inline JS
+replay -- without changing any public-wire contract. The published CLI
+shape, JSON adapter schema, capability advertisement, and rejection
+diagnostics are byte-identical to alpha.63 for every input the prior
+release accepted. Operators upgrading from alpha.63 see new surfaces
+appear; nothing previously working changes shape.
+
+The kernel work is the headline. K6 closes the bounded-`node -e`
+replayability question that K1-K5 deferred: a tightly constrained
+subset of `node -e "<BODY>"` invocations are now deterministically
+replayable under `usesteady replay --execute`. Everything outside that
+closed structural predicate continues to refuse, with the refusal
+reason refined for diagnosability. K5 echo byte-for-byte preservation
+is restored after a transient byte-layer regression introduced during
+K6 implementation.
+
+### What changed (user-visible)
+
+**1. Kernel -- K6: bounded `node -e` deterministic replay.**
+
+A new closed structural predicate admits `node -e "<BODY>"` invocations
+for replay-under-execution when `<BODY>` is one of five `console.log`
+atom forms (single-quoted string, signed integer literal, boolean
+literal, `null` literal; the double-quoted string form is admissible by
+the inline-JS predicate but unreachable via the v1.0 wire-level quoting
+of the outer command). Two-gate defense in depth: a token denylist
+(`require`, `process`, `fs`, `eval`, `Date`, `Math.random`, ...) and a
+syntax denylist (backticks, `${`, `//`, `/*`, optional chaining,
+dynamic property access) both run before the closed allow-list. The
+K6 prefix probe runs before the K5 denylist so the leading `node -e "`
+shape is not collaterally refused by K5's shell-metacharacter screen.
+Full design contract: `docs/KERNEL_RUN_COMMAND_K6_DESIGN.md` v1.0.
+
+**2. Kernel -- new refusal reason `non_deterministic_inline_js`.**
+
+`ExecutionReplayVerdict.refused.reason` and `ClassifierResult.reason`
+gain the value `"non_deterministic_inline_js"`. Emitted when a command
+matches the K6 `node -e "<BODY>"` prefix shape but its body fails the
+inline-JS predicate (denied token, denied syntax fragment, or unmatched
+allow-list atom). Out-of-scope `node` invocations that do not match
+the K6 prefix shape (`node -p`, `node script.js`, etc.) continue to
+refuse with the existing K5-era reason `"non_deterministic_command"`.
+All `switch` sites on these discriminated unions are exhaustively
+updated; TypeScript exhaustiveness guarantees no default fallthrough
+hides a missing branch.
+
+**3. Kernel -- K6 execution is host-shell-free (`shell: false`).**
+
+K6 inline-JS replay invokes `spawnSync('node', ['-e', body], { shell:
+false, cwd: <K4-sandbox>, ... })`. The `shell: false` flag is the K6
+hermeticity invariant: the body string is never reparsed by an
+intermediate host shell, so no platform-specific quoting, glob, or
+metacharacter expansion can mutate observable behavior between
+artifact capture and replay. Execution still binds to the K4 sandbox
+`cwd`; no `KernelResult` widening for stdout, stderr, or exit code.
+
+**4. Kernel -- K5 echo byte-for-byte spawn preservation restored.**
+
+The K6 implementation transiently widened the K5 `echo` executor to
+spawn the trimmed form of the command instead of the raw command
+bytes from the spec. Observable behavior was identical across every
+supported host shell (all strip surrounding whitespace before
+parsing), but the strict byte-for-byte K5 contract from alpha.59 was
+technically violated. Alpha.64 restores the original byte-preservation
+behavior and pins it with a regression-guard test for whitespace-
+padded `echo` invocations.
+
+**5. New CLI surface -- `usesteady workflow inspect <spec>` (P7-min).**
+
+A read-only structural-inspection surface for `WorkflowSpec` files.
+Renders the per-task target tree and IR mapping for a spec without
+executing, persisting state, or producing a `KernelArtifact`. Useful
+for validating spec shape before commit, for triaging
+`run <spec.json>` failures, and for review-time spec audits. The
+surface is purely additive: not invoked by any existing flow, never
+mutates filesystem state, and never advertises beyond its own help
+text.
+
+**6. New CLI surface -- P2-min resume tokens.**
+
+A new resume-token builder, validator, and verifier provide
+survivability for long-running workflows without hidden continuation
+state. Operators can capture a workflow's mid-run state into an
+explicit resume token, inspect it via `usesteady workflow
+resume-info <token>`, and feed it back to resume execution. No
+existing `--prompt` / `run <spec.json>` invocation changes shape; the
+resume surface is opt-in and additive.
+
+**7. Public-surface productization: survivability wedge.**
+
+`README.md`, the marketing landing surface, and the npm description
+field are aligned to the survivability + governed-replay wedge.
+Em-dash and arrow glyphs replaced with ASCII per encoding governance
+(no public-facing file regresses ASCII-cleanliness). Deterministic
+demo recording assets shipped under `docs/demo/` and
+`marketing/public/demo/`: one hero `multistep-refactor` demo plus a
+four-part survivability sequence (kill-mid-run, diverged-fs,
+non-idempotent, resume-info), each as `.cast`, `.svg`, `.preview.svg`,
+and `.session.txt` so all rendering paths are reproducible. Public
+demo links repointed to anonymous-reachable URLs (P0 marketing fix).
+
+**8. No public-wire breaks.**
+
+`KernelResult` shape, the `--json` op schema, `usesteady capabilities`
+output (text and JSON), and rejection-message structure are
+byte-identical to alpha.63 for every input the prior release
+accepted. No CLI flag has been retired or renamed. No JSON adapter
+field has been retired or renamed. The K6 widening expands which
+commands `replay --execute` admits without changing the response
+shape for either the admit path (verdict `match` / `mismatch`) or the
+refuse path (verdict `refused` -- the `reason` enum now carries one
+additional value `non_deterministic_inline_js`, but all prior values
+remain emitted unchanged).
+
+### Files added / changed (release-relevant)
+
+- `src/kernel/inline-js-classifier.ts` -- NEW. Closed structural
+  predicate for K6 inline-JS bodies plus the command-shape prefix
+  probe and body extraction.
+- `src/kernel/command-classifier.ts` -- K6 routing precedence + new
+  `InScopeCommand` discriminated union for the executor.
+- `src/kernel/classifier.ts` -- K6 refusal-reason precedence.
+- `src/kernel/execution-replay.ts` -- K6 `node -e` execution path
+  (`shell: false`) + K5 echo byte-preservation restoration.
+- `src/kernel/types.ts` -- additive widening of
+  `ExecutionReplayVerdict.refused.reason` and `ClassifierResult.reason`.
+- `src/shell/cli/use-steady.ts` -- help-text refresh for K6 shape;
+  workflow inspect + resume-info surfaces.
+- `src/shell/cli/workflow-inspect*.ts`, `workflow-resume-info.ts`,
+  `workflow-spec-loader.ts` -- new workflow inspect and resume-info
+  surfaces (P7-min, P2-min).
+- `src/workflow/resume-token-*.ts`, `resume-verifier*.ts` -- new
+  resume-token builder, validator, verifier.
+- `tests/kernel/inline-js-classifier.test.ts` -- NEW. 90+ unit tests.
+- `tests/kernel/{classifier, command-classifier, execution-replay}.test.ts`
+  -- additive K6 sections plus K5 byte-preservation regression guard.
+- `tests/shell/workflow-inspect*.test.ts`,
+  `tests/shell/workflow-resume-*.test.ts`,
+  `tests/workflow/resume-*.test.ts` -- new workflow inspect and resume
+  test suites.
+- `docs/KERNEL_RUN_COMMAND_K6_DESIGN.md` -- v1.0 design contract.
+- `docs/product/k6-kickoff-report-v1.md`,
+  `p2-min-resume-token-design-v1.md`,
+  `p7-min-workflow-inspect-design-v1.md`,
+  `governed-workflow-primitives-investigation-v1.md`,
+  `workflow-survivability-pressure-report-v1.md`,
+  `public-launch-pack-v1.md`,
+  `messaging-compression-v1.md`,
+  `launch-thread-v1.md` -- design and product docs.
+- `docs/demo/`, `marketing/public/demo/` -- deterministic demo
+  recording assets (hero + four-part survivability).
+- `README.md`, `marketing/src/pages/Landing.tsx`, `package.json`
+  description -- survivability-wedge productization, ASCII encoding.
+
+### Out of scope for alpha.64
+
+- No K7 work.
+- No timeout policy on K6 execution.
+- No multi-segment shell support.
+- No `stdout` / `stderr` / `exitCode` persistence in `KernelResult`.
+- No public-product surface changes beyond the additive workflow
+  inspect, resume-info, and demo / marketing routing.
+
 ## 0.1.0-alpha.63 - JSON adapter publication-truthfulness alignment
 
 ### Publication-truthfulness consolidation after alpha.62's #45 fix

package/README.md

@@ -1,6 +1,88 @@
-# UseSteady - Review AI actions before they run
+# UseSteady
 
-UseSteady shows you exactly what AI will do - before it executes anything.
+**Inspect workflows before execution.**
+**Survive interruption without hidden continuation.**
+
+<p align="center">
+  <a href="docs/demo/hero/">
+    <img alt="Hero demo: AI proposes a 4-task refactor, operator inspects, run is killed mid-flight after task 2, operator verifies the resume token, then resumes - no inherited approvals, no hidden state." src="docs/demo/assets/hero/multistep-refactor.svg" width="900" />
+  </a>
+</p>
+
+<p align="center">
+  <em>One narrative, ~80 seconds, five beats: <strong>inspect</strong> -> approve -> run -> <strong>interrupt</strong> -> verify token -> <strong>resume</strong>. See the <a href="docs/demo/hero/">storyboard</a>.</em>
+</p>
+
+UseSteady is AI-assisted execution that is operationally trustworthy. You describe the workflow, UseSteady inspects it, you approve it, and only then does the work happen. When a long workflow gets interrupted - Ctrl+C, CI timeout, machine reboot - you resume from a visible token without inheriting approval authority and without hidden state.
+
+```bash
+# 1. Inspect a workflow before running it. Read-only. Deterministic. No LLM.
+npx usesteady workflow inspect spec.json
+
+# 2. Run it. After each task, a resume token is written to
+#    <workspace>/.usesteady/resume-tokens/<runId>.json
+npx usesteady run spec.json --yes
+
+# 3. Resume after interruption. Per-task verification against current disk state.
+#    Approvals are NEVER inherited. Diverged state refuses.
+npx usesteady run spec.json --yes --resume-from <token.json>
+
+# 4. Inspect a resume token without running anything.
+npx usesteady workflow resume-info <token.json> --spec spec.json
+```
+
+See the [survivability demo suite](docs/demo/survivability/) for four canonical scenarios - each isolates one property in 30-60 seconds. The [hero demo](docs/demo/hero/) composes all four into one continuous flow.
+
+### Four survivability demos
+
+Each tile prints the operational claim it proves directly into the terminal chrome - a 3-second-readable badge so you know what you are about to watch.
+
+<table>
+  <tr>
+    <td align="center" width="50%">
+      <a href="docs/demo/survivability/01-kill-mid-run.md">
+        <img alt="Kill mid-run -> resume. Badge: Survives interruption." src="docs/demo/assets/survivability/01-kill-mid-run.preview.svg" width="100%" />
+      </a>
+      <br />
+      <strong>Kill mid-run -> resume</strong><br />
+      <em>Survives interruption</em>
+    </td>
+    <td align="center" width="50%">
+      <a href="docs/demo/survivability/02-diverged-fs.md">
+        <img alt="Diverged filesystem -> refusal. Badge: Resume refused." src="docs/demo/assets/survivability/02-diverged-fs.preview.svg" width="100%" />
+      </a>
+      <br />
+      <strong>Diverged filesystem -> refusal</strong><br />
+      <em>Resume refused</em>
+    </td>
+  </tr>
+  <tr>
+    <td align="center" width="50%">
+      <a href="docs/demo/survivability/03-non-idempotent.md">
+        <img alt="Non-idempotent task -> re-prompt. Badge: Operator approval required." src="docs/demo/assets/survivability/03-non-idempotent.preview.svg" width="100%" />
+      </a>
+      <br />
+      <strong>Non-idempotent task -> re-prompt</strong><br />
+      <em>Operator approval required</em>
+    </td>
+    <td align="center" width="50%">
+      <a href="docs/demo/survivability/04-resume-info.md">
+        <img alt="workflow resume-info inspection. Badge: Before execution." src="docs/demo/assets/survivability/04-resume-info.preview.svg" width="100%" />
+      </a>
+      <br />
+      <strong><code>workflow resume-info</code> inspection</strong><br />
+      <em>Before execution</em>
+    </td>
+  </tr>
+</table>
+
+Click any tile for the walkthrough. Each demo also ships as an animated SVG (in-repo, GitHub-renders) and an [asciinema v2 `.cast`](https://docs.asciinema.org/manual/asciicast/v2/) source - upload to asciinema.org for live playback or convert to MP4/GIF with `agg` / `asciicast2gif`.
+
+---
+
+## The smaller, interactive surface
+
+UseSteady also has an interactive single-step mode for proposing and reviewing individual edits - useful before you graduate to multi-task workflows.
 
 ```bash
 # Interactive session
@@ -11,9 +93,6 @@ npx usesteady --prompt "replace 'Submit' with 'Send' in src/Button.tsx"
 
 # Piped stdin
 echo "rename old.ts to new.ts" | npx usesteady
-
-# CI / automation - zero prompts
-npx usesteady run spec.json --yes
 ```
 
 ---
@@ -137,8 +216,37 @@ Vague input  ->  Guidance     ->  You rewrite  ->  SYSTEM WILL
 - No silent execution
 - No vague summaries
 - No hidden changes
+- No hidden continuation across interrupted runs
+- No inherited approvals on resume
+
+You see what changes, why it changes, and how risky it is - before anything runs. When a workflow is interrupted, you see the resume token (a plain JSON file in your workspace), and resume requires an explicit `--resume-from` invocation that re-verifies every "already-done" claim against current disk state.
+
+---
+
+## What UseSteady is NOT
+
+- **Not an autonomous agent.** UseSteady does not run when you are not watching. It does not "figure things out" in the background. It has no daemon, no watcher, no retry loop.
+- **Not a code-generation tool.** UseSteady doesn't write the workflow for you. You describe it (or generate it with whatever tool you like), then UseSteady inspects, approves, runs, and resumes it.
+- **Not a replacement for AI coding assistants.** Use Cursor, Claude, Copilot for the proposal layer. UseSteady is the layer that decides what their proposals are allowed to do to your filesystem.
+- **Not a managed service.** UseSteady runs locally. Your workflows execute on your machine. No telemetry, no cloud workspace, no remote state.
+- **Not a workflow scheduler.** No cron, no triggers, no automatic invocation. The CLI runs when you run it.
+- **Not "smart" about failures.** When a workflow is interrupted and the workspace has diverged from the resume token, UseSteady refuses to resume. It tells you exactly what changed. You decide what to do about it.
+
+---
+
+## How UseSteady differs from common alternatives
+
+| | Autonomous coding agents | AI copilots / chat assistants | Workflow engines (Airflow, Temporal) | UseSteady |
+|---|---|---|---|---|
+| **Who decides what runs** | The agent | The IDE (after suggestion) | The scheduler | The operator, per step |
+| **What "resume" means** | Restore hidden state, continue | n/a (single-prompt scope) | Resume from internal checkpoint | Re-verify visible token against disk; refuse on divergence |
+| **Approval model** | Inherited or implied | Per-completion in IDE | Configuration-time only | Per-step at runtime, never inherited |
+| **What you can inspect** | Logs, traces, agent reasoning | Diff in the IDE | DAG topology | The exact operations, the exact targets, the exact token bytes |
+| **Where it runs** | Often cloud-managed | IDE host | Cluster | Your local machine |
+| **What gets persisted** | Often hidden internal state | n/a | Engine-managed state stores | A visible JSON file in your workspace |
+| **Failure mode** | Best-effort recovery | n/a (single shot) | DAG retry policy | Refuse on divergence; surface a typed reason |
 
-You see what changes, why it changes, and how risky it is - before anything runs.
+UseSteady fits a different niche from any of these: long-horizon, multi-step, multi-operator AI-assisted changes whose **operational trust** is more important than autonomous sophistication.
 
 ---
 

package/dist/src/kernel/classifier.d.ts

@@ -1,7 +1,8 @@
 /**
- * Kernel v1 / K4 + K5 — replay classifier.
+ * Kernel v1 / K4 + K5 + K6 -- replay classifier.
  *
- * ── Scope (PR-K4 design lock §3 D1, §5; K5 v1.0 §3 D1, §5.1) ─────────────────
+ * -- Scope (PR-K4 design section 3 D1, section 5; K5 v1.0 section 3 D1,
+ *          section 5.1; K6 v1.0 section 3 D1) ------------------------------
  *
  *   Pure pre-pass over `WorkflowSpec.tasks`. Decides whether an IR is
  *   replayable end-to-end before any sandbox is created. Drives the per-IR
@@ -16,20 +17,25 @@
  *     - operationType: "append_file"  + targetFiles[0] + content
  *     - operationType: "prepend_file" + targetFiles[0] + content
  *     - structuredReplace: { oldValue, newValue, filePath }
- *     - operationType: "run_command"  + command matching K5 allow-list
- *                                       (echo <args> / true / false; see
- *                                       command-classifier.ts §5.1)
+ *     - operationType: "run_command"  + command matching the K5 + K6
+ *                                       allow-list (echo <args> / true /
+ *                                       false / node -e "<BODY>"; see
+ *                                       command-classifier.ts)
  *
- *   Explicitly NOT replayable in K4 + K5 v1.0:
+ *   Explicitly NOT replayable in K4 + K5 + K6 v1.0:
  *     - bare `{ input: "<NL>" }` (no operationType, no structuredReplace)
- *     - operationType: "run_command" with a command outside the K5 allow-list
- *       (env-dependent or non-deterministic shape; revisit in K6+)
+ *     - operationType: "run_command" with a command outside the K5 + K6
+ *       allow-list (env-dependent or non-deterministic shape; K7+ scope)
  *     - any task with runtime "cursor" | "claude" but no FS op fields set
- *       (would require LLM intake — out of K4)
+ *       (would require LLM intake -- out of K4)
  *
- *   K5 reason discriminant (v1.0 §3 D5):
- *     - run_command with out-of-scope shape → reason: "non_deterministic_command"
- *     - all other non_replayable refusals    → reason: "non_deterministic_task"
+ *   Reason discriminant (K5 v1.0 section 3 D5; K6 v1.0 section 10):
+ *     - run_command + K6 prefix shape (`node -e "..."`) but BODY out of
+ *       K6 scope          -> reason: "non_deterministic_inline_js"
+ *     - run_command, any other out-of-scope shape
+ *                         -> reason: "non_deterministic_command"
+ *     - all other non_replayable refusals
+ *                         -> reason: "non_deterministic_task"
  *
  *   The classifier returns the 1-based index of the first non-replayable task
  *   (matches PR-2's `failed_at_step` convention) so the CLI surface and the

package/dist/src/kernel/classifier.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"classifier.d.ts","sourceRoot":"","sources":["../../../src/kernel/classifier.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAIH,OAAO,KAAK,EAAE,YAAY,EAAE,gBAAgB,EAAE,MAAU,sBAAsB,CAAC;AAE/E,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAyB,YAAY,CAAC;AAwBtE,wBAAgB,uBAAuB,CAAC,CAAC,EAAE,OAAO,GAAG,OAAO,CAU3D;AAID;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,gBAAgB,GAAG,OAAO,CAoCpE;AAsCD;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,CAAC,EAAE,EAAE,YAAY,GAAG,gBAAgB,CASpE"}
+{"version":3,"file":"classifier.d.ts","sourceRoot":"","sources":["../../../src/kernel/classifier.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4CG;AAIH,OAAO,KAAK,EAAE,YAAY,EAAE,gBAAgB,EAAE,MAAU,sBAAsB,CAAC;AAG/E,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAyB,YAAY,CAAC;AAwBtE,wBAAgB,uBAAuB,CAAC,CAAC,EAAE,OAAO,GAAG,OAAO,CAU3D;AAID;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,gBAAgB,GAAG,OAAO,CAsCpE;AAwDD;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,CAAC,EAAE,EAAE,YAAY,GAAG,gBAAgB,CASpE"}

package/dist/src/kernel/classifier.js

@@ -1,7 +1,8 @@
 /**
- * Kernel v1 / K4 + K5 — replay classifier.
+ * Kernel v1 / K4 + K5 + K6 -- replay classifier.
  *
- * ── Scope (PR-K4 design lock §3 D1, §5; K5 v1.0 §3 D1, §5.1) ─────────────────
+ * -- Scope (PR-K4 design section 3 D1, section 5; K5 v1.0 section 3 D1,
+ *          section 5.1; K6 v1.0 section 3 D1) ------------------------------
  *
  *   Pure pre-pass over `WorkflowSpec.tasks`. Decides whether an IR is
  *   replayable end-to-end before any sandbox is created. Drives the per-IR
@@ -16,20 +17,25 @@
  *     - operationType: "append_file"  + targetFiles[0] + content
  *     - operationType: "prepend_file" + targetFiles[0] + content
  *     - structuredReplace: { oldValue, newValue, filePath }
- *     - operationType: "run_command"  + command matching K5 allow-list
- *                                       (echo <args> / true / false; see
- *                                       command-classifier.ts §5.1)
+ *     - operationType: "run_command"  + command matching the K5 + K6
+ *                                       allow-list (echo <args> / true /
+ *                                       false / node -e "<BODY>"; see
+ *                                       command-classifier.ts)
  *
- *   Explicitly NOT replayable in K4 + K5 v1.0:
+ *   Explicitly NOT replayable in K4 + K5 + K6 v1.0:
  *     - bare `{ input: "<NL>" }` (no operationType, no structuredReplace)
- *     - operationType: "run_command" with a command outside the K5 allow-list
- *       (env-dependent or non-deterministic shape; revisit in K6+)
+ *     - operationType: "run_command" with a command outside the K5 + K6
+ *       allow-list (env-dependent or non-deterministic shape; K7+ scope)
  *     - any task with runtime "cursor" | "claude" but no FS op fields set
- *       (would require LLM intake — out of K4)
+ *       (would require LLM intake -- out of K4)
  *
- *   K5 reason discriminant (v1.0 §3 D5):
- *     - run_command with out-of-scope shape → reason: "non_deterministic_command"
- *     - all other non_replayable refusals    → reason: "non_deterministic_task"
+ *   Reason discriminant (K5 v1.0 section 3 D5; K6 v1.0 section 10):
+ *     - run_command + K6 prefix shape (`node -e "..."`) but BODY out of
+ *       K6 scope          -> reason: "non_deterministic_inline_js"
+ *     - run_command, any other out-of-scope shape
+ *                         -> reason: "non_deterministic_command"
+ *     - all other non_replayable refusals
+ *                         -> reason: "non_deterministic_task"
  *
  *   The classifier returns the 1-based index of the first non-replayable task
  *   (matches PR-2's `failed_at_step` convention) so the CLI surface and the
@@ -39,6 +45,7 @@
  */
 import { isAbsolute, posix } from "node:path";
 import { isReplayableCommandShape } from "./command-classifier.js";
+import { isK6NodeECommandShape } from "./inline-js-classifier.js";
 // ─── Sandbox containment predicate (K4-I3 defense) ───────────────────────────
 //
 // The classifier MUST reject any task whose paths cannot be safely rooted
@@ -106,9 +113,11 @@ export function isReplayableTaskSpec(spec) {
             return spec.content !== undefined
                 && isContainedRelativePath(target0);
         case "run_command":
-            // K4 excluded all run_command tasks. K5 widens this to a structural
+            // K4 excluded all run_command tasks. K5 widened this to a structural
             // allow-list of three command shapes (echo <args> / true / false).
-            // Out-of-scope commands STILL refuse — see K5 design v1.0 §5.1.
+            // K6 widens it further to also admit `node -e "<BODY>"` where BODY
+            // satisfies the K6 closed inline-JS predicate. Out-of-scope commands
+            // STILL refuse -- see K6 design v1.0 sections 3 + 5.
             return typeof spec.command === "string"
                 && isReplayableCommandShape(spec.command);
         default:
@@ -121,32 +130,46 @@ export function isReplayableTaskSpec(spec) {
 }
 // ─── IR-level classifier ─────────────────────────────────────────────────────
 /**
- * Classifies a non-replayable task's refusal reason for K5 surface reporting.
+ * Classifies a non-replayable task's refusal reason for K5 + K6 surface
+ * reporting.
  *
- * The two reasons separate "we never replay this task shape at all" from
- * "this command shape is outside the deterministic universe":
+ * The three reasons separate three distinct refusal-shape buckets:
  *
- *   - "non_deterministic_command"  : the task IS an `operationType:"run_command"`
- *                                    AND its command string is NOT in the K5
- *                                    allow-list (echo / true / false).
- *                                    This is the precise K5 contribution.
+ *   - "non_deterministic_inline_js" : K6. The task IS an
+ *                                     `operationType:"run_command"` AND its
+ *                                     command matches the K6 prefix shape
+ *                                     `node -e "<BODY>"`, but BODY is NOT
+ *                                     in the K6 closed inline-JS allow-list.
+ *                                     This is the precise K6 contribution.
  *
- *   - "non_deterministic_task"     : every other non-replayable shape.
- *                                    Catch-all for bare NL, path-escape,
- *                                    unknown operationType, missing companion
- *                                    fields, etc. Preserves the K4 surface
- *                                    contract verbatim (so existing callers
- *                                    that only checked the reason for legacy
- *                                    bare-NL refusals continue to read the
- *                                    expected literal).
+ *   - "non_deterministic_command"   : K5. The task IS an
+ *                                     `operationType:"run_command"` AND its
+ *                                     command string is NOT in the K5+K6
+ *                                     allow-list AND it does NOT even match
+ *                                     the K6 prefix shape. Catches every
+ *                                     non-`node -e` out-of-scope command.
+ *                                     Preserves the K5 surface contract.
+ *
+ *   - "non_deterministic_task"      : K4 catch-all. Every other
+ *                                     non-replayable shape. Bare NL,
+ *                                     path-escape, unknown operationType,
+ *                                     missing companion fields, etc.
+ *                                     Preserves the K4 surface contract
+ *                                     verbatim.
  *
  * Private helper. Pure function.
  */
 function classifyRefusalReason(task) {
-    // K5 distinction: only fires when the task IS run_command-shaped. A bare-NL
-    // task that happens to contain the word "command" in `input` still gets the
-    // default "non_deterministic_task" reason, preserving K4 surface contracts.
     if (task.operationType === "run_command") {
+        // K6 distinction: the command matches the K6 prefix shape
+        // (`node -e "<BODY>"`) but the body fell out of the K6 closed allow-list.
+        // We surface this as the K6-specific reason so observers can distinguish
+        // "this command shape is K6 but the body is out of scope" from "this
+        // command shape is not even K5/K6 in form" -- K6 design doc section 10.
+        if (typeof task.command === "string" && isK6NodeECommandShape(task.command)) {
+            return "non_deterministic_inline_js";
+        }
+        // Otherwise the run_command falls out of K5+K6 entirely. K5 reason.
         return "non_deterministic_command";
     }
     return "non_deterministic_task";

package/dist/src/kernel/classifier.js.map

@@ -1 +1 @@
-{"version":3,"file":"classifier.js","sourceRoot":"","sources":["../../../src/kernel/classifier.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAEH,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,WAAW,CAAC;AAG9C,OAAO,EAAE,wBAAwB,EAAE,MAAsB,yBAAyB,CAAC;AAGnF,gFAAgF;AAChF,EAAE;AACF,0EAA0E;AAC1E,yEAAyE;AACzE,qEAAqE;AACrE,0EAA0E;AAC1E,oEAAoE;AACpE,kEAAkE;AAClE,EAAE;AACF,uEAAuE;AACvE,yEAAyE;AACzE,mDAAmD;AACnD,EAAE;AACF,6BAA6B;AAC7B,+BAA+B;AAC/B,uEAAuE;AACvE,6EAA6E;AAC7E,EAAE;AACF,sEAAsE;AACtE,yEAAyE;AACzE,YAAY;AAEZ,MAAM,UAAU,uBAAuB,CAAC,CAAU;IAChD,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC;QAAc,OAAO,KAAK,CAAC;IACtE,IAAI,UAAU,CAAC,CAAC,CAAC;QAAwC,OAAO,KAAK,CAAC;IACtE,sEAAsE;IACtE,2EAA2E;IAC3E,IAAI,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC;QAA4B,OAAO,KAAK,CAAC;IACtE,IAAI,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC;QAAW,OAAO,KAAK,CAAC;IACtE,MAAM,UAAU,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,CAAC;IAC1D,IAAI,UAAU,KAAK,IAAI,IAAI,UAAU,CAAC,UAAU,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACtE,OAAO,IAAI,CAAC;AACd,CAAC;AAED,gFAAgF;AAEhF;;;;;;;GAOG;AACH,MAAM,UAAU,oBAAoB,CAAC,IAAsB;IACzD,uEAAuE;IACvE,wEAAwE;IACxE,yEAAyE;IACzE,6CAA6C;IAC7C,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,CAAC;IAEtC,QAAQ,IAAI,CAAC,aAAa,EAAE,CAAC;QAC3B,KAAK,YAAY;YACf,OAAO,IAAI,CAAC,OAAO,KAAK,SAAS;mBAC5B,uBAAuB,CAAC,OAAO,CAAC,CAAC;QACxC,KAAK,QAAQ;YACX,OAAO,uBAAuB,CAAC,OAAO,CAAC;mBAClC,uBAAuB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC7C,KAAK,aAAa,CAAC;QACnB,KAAK,YAAY;YACf,OAAO,uBAAuB,CAAC,OAAO,CAAC,CAAC;QAC1C,KAAK,aAAa,CAAC;QACnB,KAAK,cAAc;YACjB,OAAO,IAAI,CAAC,OAAO,KAAK,SAAS;mBAC5B,uBAAuB,CAAC,OAAO,CAAC,CAAC;QACxC,KAAK,aAAa;YAChB,oEAAoE;YACpE,mEAAmE;YACnE,gEAAgE;YAChE,OAAO,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ;mBAChC,wBAAwB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAChD;YACE,yEAAyE;YACzE,OAAO,OAAO,CACZ,IAAI,CAAC,iBAAiB;mBACjB,OAAO,IAAI,CAAC,iBAAiB,CAAC,QAAQ,KAAK,QAAQ;mBACnD,OAAO,IAAI,CAAC,iBAAiB,CAAC,QAAQ,KAAK,QAAQ;mBACnD,uBAAuB,CAAC,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAC9D,CAAC;IACN,CAAC;AACH,CAAC;AAED,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,SAAS,qBAAqB,CAC5B,IAAsB;IAEtB,4EAA4E;IAC5E,4EAA4E;IAC5E,4EAA4E;IAC5E,IAAI,IAAI,CAAC,aAAa,KAAK,aAAa,EAAE,CAAC;QACzC,OAAO,2BAA2B,CAAC;IACrC,CAAC;IACD,OAAO,wBAAwB,CAAC;AAClC,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,iBAAiB,CAAC,EAAgB;IAChD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACzC,MAAM,IAAI,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QACzB,IAAI,CAAC,IAAI,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,EAAE,CAAC;YACzC,MAAM,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,wBAAwB,CAAC;YAC7E,OAAO,EAAE,OAAO,EAAE,gBAAgB,EAAE,UAAU,EAAE,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;QAClE,CAAC;IACH,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,CAAC;AACnC,CAAC"}
+{"version":3,"file":"classifier.js","sourceRoot":"","sources":["../../../src/kernel/classifier.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4CG;AAEH,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,WAAW,CAAC;AAG9C,OAAO,EAAE,wBAAwB,EAAE,MAAsB,yBAAyB,CAAC;AACnF,OAAO,EAAE,qBAAqB,EAAE,MAAyB,2BAA2B,CAAC;AAGrF,gFAAgF;AAChF,EAAE;AACF,0EAA0E;AAC1E,yEAAyE;AACzE,qEAAqE;AACrE,0EAA0E;AAC1E,oEAAoE;AACpE,kEAAkE;AAClE,EAAE;AACF,uEAAuE;AACvE,yEAAyE;AACzE,mDAAmD;AACnD,EAAE;AACF,6BAA6B;AAC7B,+BAA+B;AAC/B,uEAAuE;AACvE,6EAA6E;AAC7E,EAAE;AACF,sEAAsE;AACtE,yEAAyE;AACzE,YAAY;AAEZ,MAAM,UAAU,uBAAuB,CAAC,CAAU;IAChD,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC;QAAc,OAAO,KAAK,CAAC;IACtE,IAAI,UAAU,CAAC,CAAC,CAAC;QAAwC,OAAO,KAAK,CAAC;IACtE,sEAAsE;IACtE,2EAA2E;IAC3E,IAAI,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC;QAA4B,OAAO,KAAK,CAAC;IACtE,IAAI,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC;QAAW,OAAO,KAAK,CAAC;IACtE,MAAM,UAAU,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,CAAC;IAC1D,IAAI,UAAU,KAAK,IAAI,IAAI,UAAU,CAAC,UAAU,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACtE,OAAO,IAAI,CAAC;AACd,CAAC;AAED,gFAAgF;AAEhF;;;;;;;GAOG;AACH,MAAM,UAAU,oBAAoB,CAAC,IAAsB;IACzD,uEAAuE;IACvE,wEAAwE;IACxE,yEAAyE;IACzE,6CAA6C;IAC7C,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,CAAC;IAEtC,QAAQ,IAAI,CAAC,aAAa,EAAE,CAAC;QAC3B,KAAK,YAAY;YACf,OAAO,IAAI,CAAC,OAAO,KAAK,SAAS;mBAC5B,uBAAuB,CAAC,OAAO,CAAC,CAAC;QACxC,KAAK,QAAQ;YACX,OAAO,uBAAuB,CAAC,OAAO,CAAC;mBAClC,uBAAuB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC7C,KAAK,aAAa,CAAC;QACnB,KAAK,YAAY;YACf,OAAO,uBAAuB,CAAC,OAAO,CAAC,CAAC;QAC1C,KAAK,aAAa,CAAC;QACnB,KAAK,cAAc;YACjB,OAAO,IAAI,CAAC,OAAO,KAAK,SAAS;mBAC5B,uBAAuB,CAAC,OAAO,CAAC,CAAC;QACxC,KAAK,aAAa;YAChB,qEAAqE;YACrE,mEAAmE;YACnE,mEAAmE;YACnE,qEAAqE;YACrE,qDAAqD;YACrD,OAAO,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ;mBAChC,wBAAwB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAChD;YACE,yEAAyE;YACzE,OAAO,OAAO,CACZ,IAAI,CAAC,iBAAiB;mBACjB,OAAO,IAAI,CAAC,iBAAiB,CAAC,QAAQ,KAAK,QAAQ;mBACnD,OAAO,IAAI,CAAC,iBAAiB,CAAC,QAAQ,KAAK,QAAQ;mBACnD,uBAAuB,CAAC,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAC9D,CAAC;IACN,CAAC;AACH,CAAC;AAED,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,SAAS,qBAAqB,CAC5B,IAAsB;IAMtB,IAAI,IAAI,CAAC,aAAa,KAAK,aAAa,EAAE,CAAC;QACzC,0DAA0D;QAC1D,0EAA0E;QAC1E,yEAAyE;QACzE,qEAAqE;QACrE,wEAAwE;QACxE,IAAI,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,IAAI,qBAAqB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC5E,OAAO,6BAA6B,CAAC;QACvC,CAAC;QACD,oEAAoE;QACpE,OAAO,2BAA2B,CAAC;IACrC,CAAC;IACD,OAAO,wBAAwB,CAAC;AAClC,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,iBAAiB,CAAC,EAAgB;IAChD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACzC,MAAM,IAAI,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QACzB,IAAI,CAAC,IAAI,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,EAAE,CAAC;YACzC,MAAM,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,wBAAwB,CAAC;YAC7E,OAAO,EAAE,OAAO,EAAE,gBAAgB,EAAE,UAAU,EAAE,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;QAClE,CAAC;IACH,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,CAAC;AACnC,CAAC"}