vgxness 1.8.0 → 1.9.1

package/dist/mcp/control-plane.js

@@ -12,6 +12,7 @@ import { SddWorkflowService } from '../sdd/sdd-workflow-service.js';
 import { SkillRegistryService } from '../skills/skill-registry-service.js';
 import { VerificationPlanService } from '../verification/index.js';
 import { ProviderChangePlanService } from './provider-change-plan.js';
+import { ContextCockpitSnapshotService } from './control-plane-snapshot-service.js';
 import { ProviderDoctorService } from './provider-doctor.js';
 import { ProviderStatusService } from './provider-status.js';
 import { errorEnvelope, successEnvelope, } from './schema.js';
@@ -64,7 +65,7 @@ export function callVgxTool(call, services) {
         case 'vgxness_session_restore':
             return toEnvelope(validated.tool, services.memory.restoreSession(validated.input));
         case 'vgxness_context_cockpit':
-            return toEnvelope(validated.tool, services.memory.getContextCockpit(validated.input));
+            return toEnvelope(validated.tool, new ContextCockpitSnapshotService({ memory: services.memory, sdd: services.sdd }).build(validated.input));
         case 'vgxness_agent_resolve':
             return toEnvelope(validated.tool, services.agents.resolveAgents(validated.input));
         case 'vgxness_agent_activate':

package/dist/mcp/index.js

@@ -13,6 +13,7 @@ export * from './claude-code-scope.js';
 export * from './claude-code-user-config.js';
 export * from './claude-code-user-memory.js';
 export * from './control-plane.js';
+export * from './control-plane-snapshot-service.js';
 export * from './doctor.js';
 export * from './opencode-visibility.js';
 export * from './opencode-handoff-preview.js';

package/dist/mcp/schema.js

@@ -1,6 +1,7 @@
 import { z } from 'zod';
 import { permissionCategories } from '../permissions/schema.js';
 import { sddPhases } from '../sdd/schema.js';
+import { workflowIds } from '../workflows/schema.js';
 import { verificationChangeTypes } from '../verification/index.js';
 export const SUPPORTED_VGX_MCP_TOOL_NAMES = [
     'vgxness_sdd_status',
@@ -98,6 +99,7 @@ const runStatuses = ['created', 'planned', 'running', 'needs-human', 'completed'
 const finalRunStatuses = ['completed', 'failed', 'blocked', 'cancelled'];
 const runOutcomes = ['success', 'partial', 'failure', 'blocked', 'cancelled'];
 const payloadModes = ['compact', 'verbose'];
+const contextCockpitLevels = ['compact', 'expanded', 'verbose'];
 const providerChangePlanProviders = ['opencode', 'claude', 'antigravity', 'custom'];
 const providerChangePlanTypes = ['opencode-mcp-install', 'claude-mcp-install', 'setup', 'install', 'config-preparation'];
 const jsonValueSchema = z.lazy(() => z.union([z.string(), z.number().finite(), z.boolean(), z.null(), z.array(jsonValueSchema), z.record(z.string(), jsonValueSchema)]));
@@ -263,8 +265,10 @@ export const VGX_MCP_TOOL_INPUT_SCHEMAS = {
     vgxness_context_cockpit: z
         .object({
         project: z.string().min(1),
+        change: z.string().min(1).regex(/^[A-Za-z0-9][A-Za-z0-9._-]*$/).optional(),
         directory: z.string().min(1).optional(),
         limit: z.number().int().min(1).max(100).optional(),
+        level: z.enum(contextCockpitLevels).optional(),
     })
         .passthrough(),
     vgxness_agent_resolve: z
@@ -364,6 +368,7 @@ export const VGX_MCP_TOOL_INPUT_SCHEMAS = {
         runId: z.string().min(1),
         category: z.enum(permissionCategories),
         operation: z.string().min(1),
+        workflow: z.enum(workflowIds).optional(),
         phase: z.string().min(1).optional(),
         agentId: z.string().min(1).optional(),
         workspaceRoot: z.string().min(1).optional(),

package/dist/mcp/validation.js

@@ -1,6 +1,7 @@
 import { isRiskyPermissionCategory, permissionCategories } from '../permissions/schema.js';
 import { parseOperationRetryPolicy } from '../runs/operation-retry.js';
 import { isSddPhase, sddPhases } from '../sdd/schema.js';
+import { workflowIds } from '../workflows/schema.js';
 import { supportedTypeMessage, verificationChangeTypes } from '../verification/index.js';
 import { errorEnvelope, isVgxMcpToolName, } from './schema.js';
 const scopes = ['project', 'personal'];
@@ -12,6 +13,7 @@ const finalRunStatuses = ['completed', 'failed', 'blocked', 'cancelled'];
 const runOutcomes = ['success', 'partial', 'failure', 'blocked', 'cancelled'];
 const permissionDecisions = ['allow', 'ask', 'deny'];
 const payloadModes = ['compact', 'verbose'];
+const contextCockpitLevels = ['compact', 'expanded', 'verbose'];
 const providerChangePlanProviders = ['opencode', 'claude', 'antigravity', 'custom'];
 const providerChangePlanTypes = ['opencode-mcp-install', 'claude-mcp-install', 'setup', 'install', 'config-preparation'];
 const validChangePattern = /^[A-Za-z0-9][A-Za-z0-9._-]*$/;
@@ -237,13 +239,18 @@ function validateSddCockpitInput(input, tool) {
     return readProjectAndChange(record.value, tool);
 }
 function validateContextCockpitInput(input, tool) {
-    const record = inputRecord(input, tool, ['project', 'directory', 'limit']);
+    const record = inputRecord(input, tool, ['project', 'change', 'directory', 'limit', 'level']);
     if (!record.ok)
         return record;
     const project = readNonEmptyString(record.value, 'project', tool);
     if (!project.ok)
         return project;
     const result = { project: project.value };
+    const change = readOptionalChange(record.value, tool);
+    if (!change.ok)
+        return change;
+    if (change.value !== undefined)
+        result.change = change.value;
     const directory = readOptionalNonEmptyString(record.value, 'directory', tool);
     if (!directory.ok)
         return directory;
@@ -254,6 +261,11 @@ function validateContextCockpitInput(input, tool) {
             return validationFailure('limit must be an integer between 1 and 100', tool);
         result.limit = record.value.limit;
     }
+    const level = readOptionalOneOf(record.value, 'level', contextCockpitLevels, tool);
+    if (!level.ok)
+        return level;
+    if (level.value !== undefined)
+        result.level = level.value;
     return { ok: true, value: result };
 }
 function readProjectAndChange(record, tool) {
@@ -822,6 +834,7 @@ function validateRunPreflightInput(input, tool) {
         'runId',
         'category',
         'operation',
+        'workflow',
         'phase',
         'agentId',
         'workspaceRoot',
@@ -846,6 +859,11 @@ function validateRunPreflightInput(input, tool) {
     if (!operation.ok)
         return operation;
     const result = { runId: runId.value, category: category.value, operation: operation.value };
+    const workflow = readOptionalOneOf(record.value, 'workflow', workflowIds, tool);
+    if (!workflow.ok)
+        return workflow;
+    if (workflow.value !== undefined)
+        result.workflow = workflow.value;
     const copied = copyOptionalStrings(result, record.value, tool, ['phase', 'agentId', 'workspaceRoot', 'targetPath', 'providerToolName']);
     if (!copied.ok)
         return copied;

package/dist/orchestrator/natural-language-planner.js

@@ -1,9 +1,11 @@
+import { classifyIntentRisk } from '../governance/risk-classifier.js';
 const stopWords = new Set(['a', 'an', 'the', 'to', 'for', 'of', 'and', 'or', 'with', 'we', 'before', 'new']);
 const signalRules = [
     {
         signal: 'diagnostic-request',
         terms: [
             /\bdiagnos(e|tic|tics)\b/,
+            /\bdiagnosticar\b/,
             /\bfail(ing|ure|ed)?\b/,
             /\bcrash(es|ing)?\b/,
             /\berrors?\b/,
@@ -18,17 +20,17 @@ const signalRules = [
     { signal: 'planning-request', terms: [/\bplan\b/, /\bpreview\b/, /\breview\b/, /\bdry[- ]run\b/] },
     {
         signal: 'answer-only',
-        terms: [/\bexplain\b/, /\bwhat\b/, /\bhow\b/, /\bwhy\b/, /\bdescribe\b/, /\bunderstand\b/, /\binvestigat(e|ion)\b/, /\binspect\b/, /\bread[- ]only\b/],
+        terms: [/\bexplain\b/, /\bexplicar\b/, /\bwhat\b/, /\bhow\b/, /\bwhy\b/, /\bdescribe\b/, /\bunderstand\b/, /\binvestigat(e|ion)\b/, /\binspect\b/, /\bread[- ]only\b/],
     },
     { signal: 'new-capability', terms: [/\bbuild\b/, /\badd\b/, /\bcreate\b/, /\bnew\b/, /\bcapabilit(y|ies)\b/, /\bfeature\b/] },
     { signal: 'architecture-change', terms: [/\barchitecture\b/, /\barchitectural\b/, /\brefactor\b/, /\bboundar(y|ies)\b/] },
     { signal: 'workflow-change', terms: [/\bworkflow\b/, /\borchestrat(e|ion|or)\b/, /\bsdd\b/, /\bphase\b/] },
     { signal: 'persistence-change', terms: [/\bpersist(ent|ence)?\b/, /\bstorage\b/, /\bsqlite\b/, /\bdatabase\b/, /\bmemory\b/, /\bmigration\b/] },
-    { signal: 'security-sensitive', terms: [/\bsecurity\b/, /\bauth\b/, /\btoken\b/, /\bsecret\b/, /\bpermission\b/] },
+    { signal: 'security-sensitive', terms: [/\bsecurity\b/, /\bauth\b/, /\btoken\b/, /\bsecret\b/, /\bpermission\b/, /\bpermiso\b/, /\baprobaci[oó]n\b/] },
     { signal: 'broad-change', terms: [/\bmulti[- ]file\b/, /\bacross\b/, /\bend[- ]to[- ]end\b/, /\bsystem\b/] },
     { signal: 'execution-request', terms: [/\brun\b/, /\bexecute\b/, /\bapply\b/, /\bstart\b/, /\binstall\b/, /\bpush\b/] },
     { signal: 'provider-execution', terms: [/\bprovider\b/, /\bopencode\b/, /\bclaude\b/, /\bmodel\b/, /\bllm\b/] },
-    { signal: 'file-edit-request', terms: [/\bedit\b/, /\bwrite\b/, /\bmodify\b/, /\bpatch\b/] },
+    { signal: 'file-edit-request', terms: [/\bedit\b/, /\bwrite\b/, /\bmodify\b/, /\bpatch\b/, /\barreglar\b/] },
     { signal: 'provider-config-write', terms: [/\bconfig\b/, /\.opencode\b/, /\.claude\b/, /\bglobal\b/] },
     { signal: 'run-recording', terms: [/\brun record\b/, /\brecord a run\b/, /\bcheckpoint\b/] },
     { signal: 'destructive', terms: [/\bdelete\b/, /\bremove\b/, /\bdestroy\b/, /\bdrop\b/, /\breset\b/] },
@@ -41,7 +43,8 @@ export function createNaturalLanguagePlan(input) {
     const ambiguous = isAmbiguous(normalizedIntent);
     if (ambiguous)
         addSignal(signals, 'ambiguous');
-    const flow = chooseFlow(signals);
+    const risk = classifyIntentRisk({ project: input.project, intent: input.intent });
+    const flow = chooseFlow(signals, risk);
     const workflow = workflowFor(flow);
     const needsClarification = ambiguous;
     const suggestedChangeId = suggestedChangeFor(input, flow);
@@ -67,13 +70,17 @@ export function createNaturalLanguagePlan(input) {
         ...(suggestedChangeId !== undefined ? { suggestedChangeId } : {}),
         previewActions,
         safety,
+        riskTier: risk.tier,
+        riskReasonCodes: risk.reasonCodes,
+        requiresSdd: risk.requiresSdd,
+        requiresExplicitValidation: risk.requiresExplicitValidation,
         ...(input.sdd !== undefined ? { sdd: input.sdd } : {}),
     };
 }
 function normalizeText(value) {
     return value
         .toLowerCase()
-        .replace(/[^a-z0-9._/ -]+/g, ' ')
+        .replace(/[^a-z0-9._/ áéíóúüñ-]+/g, ' ')
         .replace(/\s+/g, ' ')
         .trim();
 }
@@ -118,23 +125,35 @@ function isAmbiguous(intent) {
         return true;
     return /^(fix|update|change|do|handle) (it|this|that)$/.test(intent);
 }
-function chooseFlow(signals) {
+function chooseFlow(signals, risk) {
+    if (risk.requiresSdd)
+        return 'sdd';
+    if (risk.recommendedWorkflow === 'direct')
+        return 'explore';
+    if (risk.recommendedWorkflow === 'debug')
+        return 'debug';
+    if (risk.recommendedWorkflow === 'plan')
+        return 'plan';
+    if (risk.recommendedWorkflow === 'quickfix')
+        return 'quickfix';
+    if (risk.recommendedWorkflow === 'build')
+        return 'build';
     if (signals.includes('answer-only') &&
         !signals.includes('diagnostic-request') &&
         !signals.includes('new-capability') &&
         !signals.includes('planning-request') &&
         !signals.some((signal) => unsafeSignals.has(signal)))
         return 'explore';
-    if (signals.some((signal) => strongSddSignals.has(signal) || strongUnsafeSignals.has(signal)))
-        return 'sdd';
+    if (risk.tier >= 3)
+        return signals.includes('diagnostic-request') ? 'debug' : signals.includes('planning-request') ? 'plan' : 'plan';
     if (signals.includes('diagnostic-request'))
         return 'debug';
     if (signals.includes('answer-only') && !signals.includes('new-capability') && !signals.some((signal) => unsafeSignals.has(signal)))
         return 'explore';
     if (signals.includes('planning-request') && !signals.some((signal) => strongSddSignals.has(signal) || strongUnsafeSignals.has(signal)))
         return 'plan';
-    if (signals.some((signal) => sddSignals.has(signal)) || signals.some((signal) => unsafeSignals.has(signal)))
-        return 'sdd';
+    if (signals.some((signal) => unsafeSignals.has(signal)))
+        return 'plan';
     if (signals.includes('planning-request'))
         return 'plan';
     if (signals.includes('new-capability'))
@@ -171,7 +190,7 @@ function reasonFor(flow, signals, needsClarification) {
     if (flow === 'debug' || flow === 'diagnose')
         return 'The request asks for inspection or failure/status diagnosis, so the preview stays read-only.';
     if (flow === 'sdd')
-        return 'The request includes capability, architecture, workflow, persistence, safety, or execution risk signals, so SDD is the safest preview path.';
+        return 'The request changes governance, permission, SDD, architecture, or cross-surface safety semantics, so SDD is required.';
     if (flow === 'plan')
         return 'The request asks for planning or review without immediate mutation, so SDD is not required for this preview.';
     if (flow === 'build')
@@ -198,14 +217,14 @@ function buildSafety(signals) {
         'Preview only: this preview only classifies intent; no providers are called, no files are edited, no provider config is written, and no run is recorded.',
     ];
     if (signals.includes('execution-request') || signals.includes('provider-execution') || signals.includes('file-edit-request')) {
-        notes.push('Execution was requested but refused in this preview flow; continue manually or through an approved SDD apply phase.');
+        notes.push('Execution was requested but refused in this preview flow; continue manually or through an approved preflight/apply flow.');
     }
     if (signals.includes('destructive'))
         notes.push('Destructive impact was detected; review and approval are required before any real operation.');
     if (signals.includes('provider-config-write'))
         notes.push('Provider configuration impact was detected; this preview will not write provider config.');
     if (signals.includes('persistence-change'))
-        notes.push('Persistent behavior or storage impact was detected; SDD review is recommended.');
+        notes.push('Persistent behavior or storage impact was detected; use the lightest workflow that matches risk tier and require SDD only for Tier 4.');
     if (signals.includes('external'))
         notes.push('External or network impact was detected; this preview does not perform external calls.');
     if (signals.includes('privileged'))
@@ -225,13 +244,11 @@ function buildPreviewActions(input, flow, needsClarification) {
         return [{ kind: 'workflow-preview', description: 'Preview a small localized quickfix; no execution occurs in this planner response.' }];
     if (flow === 'build')
         return [{ kind: 'workflow-preview', description: 'Preview a scoped build workflow; no execution occurs in this planner response.' }];
-    const change = input.change;
-    const command = change === undefined ? undefined : `vgxness sdd next --project ${input.project} --change ${change}`;
     return [
         {
             kind: 'sdd-preview',
-            description: input.sdd?.next?.recommendedAction ?? 'Preview the SDD handoff for this substantial or risky request; do not execute it here.',
-            ...(command !== undefined ? { command } : {}),
+            description: input.sdd?.next?.recommendedAction ??
+                'Continue formal SDD progression through the provider-native manager flow and VGXNESS MCP; do not execute terminal SDD phase commands from this preview.',
         },
     ];
 }

package/dist/payload/context-budget-policy.js

@@ -0,0 +1,17 @@
+export const defaultContextBudgetPolicy = {
+    policyVersion: '1.0.0',
+    limits: [
+        { id: 'managerPromptBase', label: 'Manager prompt base', targetBytes: 16_384, hardLimitBytes: 24_576, enforcement: 'warn' },
+        { id: 'managerInitialPayload', label: 'Manager initial payload', targetBytes: 12_288, hardLimitBytes: 18_432, enforcement: 'warn' },
+        { id: 'snapshotCompact', label: 'Compact snapshot', targetBytes: 10_240, hardLimitBytes: 15_360, enforcement: 'warn' },
+        { id: 'snapshotExpanded', label: 'Expanded snapshot', targetBytes: 30_720, hardLimitBytes: 46_080, enforcement: 'report' },
+        { id: 'subagentVerbosePayload', label: 'Subagent verbose payload', targetBytes: 122_880, hardLimitBytes: 184_320, enforcement: 'report' },
+        { id: 'initialMcpCalls', label: 'Initial MCP calls', targetBytes: 3, hardLimitBytes: 5, enforcement: 'report' },
+    ],
+};
+export function getContextBudgetLimit(policy, id) {
+    const limit = policy.limits.find((candidate) => candidate.id === id);
+    if (limit === undefined)
+        throw new Error(`Unknown context budget id: ${id}`);
+    return limit;
+}

package/dist/payload/context-budget-service.js

@@ -0,0 +1,44 @@
+import { utf8ByteCount } from './payload-summary.js';
+import { defaultContextBudgetPolicy, getContextBudgetLimit } from './context-budget-policy.js';
+export class ContextBudgetService {
+    policy;
+    constructor(policy = defaultContextBudgetPolicy) {
+        this.policy = policy;
+    }
+    measureUtf8Bytes(content) {
+        return utf8ByteCount(content);
+    }
+    measureJsonBytes(value) {
+        return utf8ByteCount(JSON.stringify(value));
+    }
+    reportContent(id, content) {
+        return this.buildReport(id, this.measureUtf8Bytes(content));
+    }
+    reportJson(id, value) {
+        return this.buildReport(id, this.measureJsonBytes(value));
+    }
+    buildReport(id, measuredBytes) {
+        if (!Number.isSafeInteger(measuredBytes) || measuredBytes < 0)
+            throw new RangeError('measuredBytes must be a non-negative safe integer');
+        const budget = getContextBudgetLimit(this.policy, id);
+        const excessTargetBytes = Math.max(0, measuredBytes - budget.targetBytes);
+        const excessHardLimitBytes = Math.max(0, measuredBytes - budget.hardLimitBytes);
+        return {
+            policyVersion: this.policy.policyVersion,
+            budget,
+            measuredBytes,
+            withinTarget: excessTargetBytes === 0,
+            withinHardLimit: excessHardLimitBytes === 0,
+            excessTargetBytes,
+            excessHardLimitBytes,
+            recommendations: budgetRecommendations(budget, excessTargetBytes, excessHardLimitBytes),
+        };
+    }
+}
+function budgetRecommendations(budget, excessTargetBytes, excessHardLimitBytes) {
+    if (excessHardLimitBytes > 0)
+        return [`Reduce ${budget.label} below hard limit by at least ${excessHardLimitBytes} bytes.`, 'Move full content behind references or verbose-only retrieval.'];
+    if (excessTargetBytes > 0)
+        return [`Reduce ${budget.label} toward target by ${excessTargetBytes} bytes.`, 'Prefer compact summaries and progressive disclosure.'];
+    return [];
+}

package/dist/permissions/policy-evaluator.js

@@ -1,5 +1,6 @@
 import { existsSync, realpathSync } from 'node:fs';
 import { dirname, isAbsolute, resolve, sep } from 'node:path';
+import { classifyOperationRisk } from '../governance/risk-classifier.js';
 import { isSddPhase, sddPhases } from '../sdd/schema.js';
 export { isRiskyPermissionCategory, permissionCategories, riskyPermissionCategories } from './schema.js';
 export const permissionDecisions = ['allow', 'ask', 'deny'];
@@ -81,15 +82,24 @@ const filesystemCategories = new Set([
     'external-directory',
 ]);
 export function evaluatePermission(request, policy = defaultPermissionPolicy) {
+    const risk = classifyOperationRisk(request);
     if (request.category === 'secrets')
-        return result(request, 'deny', 'secret_access', 'Secret access is denied by default.');
+        return result(request, 'deny', 'secret_access', 'Secret access is denied by default.', {}, risk);
     if (request.category === 'external-directory') {
-        return result(request, 'deny', 'workspace_boundary', 'External directory access is denied by the foundation policy.');
+        return result(request, 'deny', 'workspace_boundary', 'External directory access is denied by the foundation policy.', {}, risk);
     }
+    const hardRisk = hardRiskDecision(request, risk);
+    if (hardRisk !== undefined)
+        return hardRisk;
     const workspaceEscape = workspaceEscapeDecision(request);
     if (workspaceEscape !== undefined)
         return workspaceEscape;
     const sddPhaseDecision = phaseMatrixDecision(request);
+    if (sddPhaseDecision !== undefined && sddPhaseDecision.mode !== 'allow' && sddPhaseDecision.mode !== 'audit')
+        return sddPhaseDecision;
+    const explicitValidation = explicitValidationDecision(request, risk);
+    if (explicitValidation !== undefined)
+        return explicitValidation;
     if (sddPhaseDecision !== undefined)
         return sddPhaseDecision;
     const boundary = workspaceBoundaryDecision(request);
@@ -102,11 +112,18 @@ export function evaluatePermission(request, policy = defaultPermissionPolicy) {
     const baseMessage = agentDecision !== undefined
         ? `${request.agent?.mode ?? 'agent'} ${request.agent?.name ?? request.agent?.id ?? 'unknown'} sets ${request.category} to ${agentDecision}.`
         : (baseRule?.reason ?? `No explicit rule exists for ${request.category}; ask by default.`);
-    const risk = riskDecision(request);
-    if (risk !== undefined && isLessRestrictive(baseDecision, risk.decision)) {
-        return result(request, risk.decision, risk.reason, risk.message);
+    const flagRisk = riskDecision(request);
+    if (flagRisk !== undefined && isLessRestrictive(baseDecision, flagRisk.decision)) {
+        return result(request, flagRisk.decision, flagRisk.reason, flagRisk.message, {}, risk);
+    }
+    if (risk.defaultDecision === 'audit' && baseDecision !== 'deny') {
+        return result(request, 'allow', risk.reasonCodes.includes('provider_readonly_audit') ? 'provider_readonly_audit' : risk.reasonCodes.includes('allowlisted_verification') ? 'allowlisted_command' : baseReason, baseMessage, {
+            mode: 'audit',
+            auditOnly: true,
+            warnings: risk.reasonCodes.includes('provider_readonly_audit') ? ['provider-readonly-audit-only'] : ['audit-only'],
+        }, risk);
     }
-    return result(request, baseDecision, baseReason, baseMessage);
+    return result(request, baseDecision, baseReason, baseMessage, {}, risk);
 }
 export function isPathInsideWorkspace(workspaceRoot, targetPath) {
     const root = resolve(workspaceRoot);
@@ -148,11 +165,27 @@ function canonicalExistingPath(targetPath) {
 function workspaceBoundaryDecision(request) {
     if (!filesystemCategories.has(request.category))
         return undefined;
+    if (request.category === 'read' && request.workspaceRoot !== undefined && request.targetPath === undefined) {
+        return result(request, 'allow', 'workspace_boundary', 'Broad read-only workspace access is allowed when workspaceRoot is known.', {
+            mode: 'audit',
+            auditOnly: true,
+            boundary: { workspaceRoot: request.workspaceRoot, insideWorkspace: true, targetPathRequired: false },
+            warnings: ['broad-workspace-read'],
+        });
+    }
     if (request.workspaceRoot === undefined || request.targetPath === undefined) {
-        return result(request, 'ask', 'ambiguous_operation', 'Filesystem operation needs workspaceRoot and targetPath before it can be safely decided.');
+        return result(request, 'ask', 'ambiguous_operation', 'Filesystem mutation needs workspaceRoot and targetPath before it can be safely decided.', {
+            boundary: {
+                ...(request.workspaceRoot === undefined ? {} : { workspaceRoot: request.workspaceRoot }),
+                ...(request.targetPath === undefined ? {} : { targetPath: request.targetPath }),
+                targetPathRequired: request.category !== 'read',
+            },
+        });
     }
     if (!isPathInsideWorkspace(request.workspaceRoot, request.targetPath)) {
-        return result(request, 'deny', 'workspace_boundary', `Path escapes workspace boundary: ${request.targetPath}`);
+        return result(request, 'deny', 'workspace_boundary', `Path escapes workspace boundary: ${request.targetPath}`, {
+            boundary: { workspaceRoot: request.workspaceRoot, targetPath: request.targetPath, insideWorkspace: false, targetPathRequired: true },
+        });
     }
     return undefined;
 }
@@ -162,7 +195,9 @@ function workspaceEscapeDecision(request) {
     if (request.workspaceRoot === undefined || request.targetPath === undefined)
         return undefined;
     if (!isPathInsideWorkspace(request.workspaceRoot, request.targetPath)) {
-        return result(request, 'deny', 'workspace_boundary', `Path escapes workspace boundary: ${request.targetPath}`);
+        return result(request, 'deny', 'workspace_boundary', `Path escapes workspace boundary: ${request.targetPath}`, {
+            boundary: { workspaceRoot: request.workspaceRoot, targetPath: request.targetPath, insideWorkspace: false, targetPathRequired: true },
+        });
     }
     return undefined;
 }
@@ -212,6 +247,37 @@ function riskDecision(request) {
         return { decision: 'ask', reason: 'ambiguous_operation', message: 'Ambiguous operations require human approval.' };
     return undefined;
 }
+function hardRiskDecision(request, risk) {
+    if (request.category === 'shell' && /\b(arbitrary|shell-string)\b|[;&|`$()]/.test(request.operation))
+        return result(request, 'deny', 'risk_tier_policy', 'Arbitrary shell execution is denied unless represented as an allowlisted category.', {}, risk);
+    if (risk.defaultDecision === 'deny')
+        return result(request, 'deny', 'risk_tier_policy', 'Risk classifier denies this operation by default.', {}, risk);
+    return undefined;
+}
+function explicitValidationDecision(request, risk) {
+    if (!risk.requiresExplicitValidation)
+        return undefined;
+    if (request.category === 'secrets')
+        return undefined;
+    return result(request, 'ask', reasonForRisk(request, risk), 'Risk tier policy requires explicit validation before this operation.', {}, risk);
+}
+function reasonForRisk(request, risk) {
+    if (risk.reasonCodes.includes('provider_config_write'))
+        return 'risk_tier_policy';
+    if (risk.reasonCodes.includes('git_write'))
+        return 'risk_tier_policy';
+    if (risk.reasonCodes.includes('publish_release'))
+        return 'risk_tier_policy';
+    if (request.destructive === true)
+        return 'destructive_operation';
+    if (request.external === true)
+        return 'external_operation';
+    if (request.privileged === true)
+        return 'privileged_operation';
+    if (request.ambiguous === true)
+        return 'ambiguous_operation';
+    return 'risk_tier_policy';
+}
 function isLessRestrictive(candidate, floor) {
     return rank(candidate) < rank(floor);
 }
@@ -222,6 +288,17 @@ function rank(decision) {
         return 1;
     return 2;
 }
-function result(request, decision, reason, message, extras = {}) {
-    return { decision, category: request.category, operation: request.operation, reason, message, ...extras };
+function result(request, decision, reason, message, extras = {}, risk = classifyOperationRisk(request)) {
+    return {
+        decision,
+        category: request.category,
+        operation: request.operation,
+        reason,
+        message,
+        riskTier: risk.tier,
+        riskReasonCodes: risk.reasonCodes,
+        ...(request.workflow === undefined ? {} : { workflow: request.workflow }),
+        auditEvidence: risk.evidence,
+        ...extras,
+    };
 }

package/dist/runs/execution-planning.js

@@ -107,5 +107,5 @@ const defaultGitBoundaryInspector = ({ workspaceRoot }) => {
     if (existsSync(join(workspaceRoot, '.git'))) {
         return { status: 'compatible', reason: 'workspace git metadata is present' };
     }
-    return { status: 'uncertain', reason: 'workspace git metadata could not be proven safe without shell execution' };
+    return { status: 'compatible', reason: 'workspace has no git metadata to conflict with a planned worktree boundary' };
 };