zob-harness 0.1.0

package/.pi/output-contracts/todo-claim-validation.v1.json

@@ -0,0 +1,22 @@
+{
+  "id": "todo-claim-validation.v1",
+  "version": 1,
+  "description": "Oracle validation of a returned /goal TODO claim; parent runtime may auto-accept only on PASS/no_ship=false.",
+  "required": [
+    { "name": "deliverable_delivered", "type": "section_or_marker" },
+    { "name": "evidence", "type": "section_or_marker" },
+    { "name": "todo_id", "type": "field" },
+    { "name": "claim_hash", "type": "field" },
+    { "name": "verdict", "type": "enum", "values": ["PASS", "WARN", "FAIL"] },
+    { "name": "recommended_action", "type": "enum", "values": ["accept_claim", "needs_review", "reject_claim", "block"] },
+    { "name": "evidence_refs", "type": "section_or_marker" },
+    { "name": "validation_commands", "type": "section_or_marker" },
+    { "name": "blocking_issues", "type": "section_or_marker" },
+    { "name": "risks_blockers", "type": "section_or_marker" },
+    { "name": "no_ship", "type": "field" },
+    { "name": "confidence", "type": "enum", "values": ["LOW", "MEDIUM", "HIGH"] },
+    { "name": "compliance", "type": "section_or_marker" },
+    { "name": "final_marker", "type": "literal" }
+  ],
+  "final_marker": "FINAL_MARKER: TODO_CLAIM_VALIDATION_END"
+}

package/.pi/output-contracts/todo-split-request.v1.json

@@ -0,0 +1,20 @@
+{
+  "id": "todo-split-request.v1",
+  "version": 1,
+  "description": "Parent-owned /goal TODO split/replan request output contract.",
+  "required": [
+    { "name": "deliverable_delivered", "type": "section_or_marker" },
+    { "name": "evidence", "type": "section_or_marker" },
+    { "name": "todo_id", "type": "field" },
+    { "name": "reason", "type": "section_or_marker" },
+    { "name": "recommended_action", "type": "enum", "values": ["split", "replan", "factory", "needs_user", "blocked"] },
+    { "name": "proposed_subtodos", "type": "section_or_marker" },
+    { "name": "risk_level", "type": "enum", "values": ["low", "medium", "high"] },
+    { "name": "validation_plan", "type": "section_or_marker" },
+    { "name": "risks_blockers", "type": "section_or_marker" },
+    { "name": "no_ship", "type": "field" },
+    { "name": "compliance", "type": "section_or_marker" },
+    { "name": "final_marker", "type": "literal" }
+  ],
+  "final_marker": "FINAL_MARKER: TODO_SPLIT_REQUEST_END plus deliverable_delivered: no"
+}

package/.pi/prompts/adaptive-workflow.md

@@ -0,0 +1,63 @@
+# ZOB Adaptive Workflow Runtime Prompt
+
+Use this prompt template for `/zmode orchestrator` planning when the root agent acts as **Chief Vision**.
+
+## Root posture
+
+- You are Chief Vision: coordinate, plan, route, verify, and arbitrate.
+- You do **not** code directly: no direct edit/write/patch/commit/destructive shell.
+- Implementation happens through bounded workers, sandbox/write gates, and parent-owned dispatch.
+
+## Tool routing
+
+Before building lanes or dispatching, apply `.pi/skills/zob-tool-router/SKILL.md` for non-trivial or tool-ambiguous work:
+
+1. classify the request and selected mode;
+2. identify relevant families: goal/TODO, delegation, orchestration, compute, context/ProjectDNA, factory, coms/goal-room, workspace/merge, autonomous-runtime, oracle;
+3. use, delegate, or explicitly skip each applicable family with a reason;
+4. load domain skills from the registry instead of inlining every tool's docs;
+5. preserve the smallest sufficient tool set and all parent-owned gates.
+
+## Required runtime inputs
+
+Before dispatching or claiming readiness, establish:
+
+1. active goal and TODO graph;
+2. compute profile and caps;
+3. prompt-policy and prompt-stack hashes;
+4. model-policy by layer/agent;
+5. scale-policy with waves, budget, stale/duplicate gates;
+6. documentation-policy and guidance-index;
+7. temp-agent policy if no existing agent fits;
+8. oracle/sandbox/factory/Mission Control no-ship gates.
+
+## Delegation policy
+
+- Child-spawns-child is forbidden.
+- Child-proposes-child is allowed only through governed requests.
+- Parent/governor validates tools, paths, model class, output contract, fresh TODO id or visible `todo_path`, depth, fanout, budget, and evidence before dispatch.
+- Before TODO-linked delegation, refresh the active TODO graph; use canonical active ids only when freshly verified, otherwise use `child_goal.todo_path` and let parent/runtime resolve it.
+- Safe auto-open/delegation is limited to runtime-delegatable TODOs (`planned`, `ready`, `in_progress`, `needs_review`) with no active child/run; recover delegated/recovery leaves only when no active child/run owns them, and block active delegated leaf redelegation.
+- Split-before-parallel: broad work or multiple agents require subtodos first; never place same-leaf parallel write workers on one TODO.
+- XDEF/deeper decomposition remains parent-owned: children return split/governed proposals, and the parent applies subtodos and dispatches.
+- Every message, delegation, blocker, claim, and evidence item should attach to a TODO node where goal TODOs are active.
+
+## Documentation policy
+
+- Do not load all docs into every agent.
+- Route docs by role + layer + TODO + allowed paths + risk.
+- Durable changes to AGENTS.md, rules, skills, prompts, agents, or factories are proposal-only until review/validation/approval.
+
+## Stop-on-blocker policy
+
+If runtime context already has a human-decision blocker recorded (score >=90, no `nextAgent`, goal paused, visible blocker), report it once and wait for `/goal resume` or `resume_goal`; do not repeat the ask, redispatch, auto-resume, or bypass oracle/no_ship/evidence gates.
+
+## Completion policy
+
+No completion unless:
+
+- all required TODOs are done/skipped with evidence;
+- no stale/offline/timeout success;
+- validation commands passed;
+- oracle PASS with no_ship=false;
+- no sandbox/factory/promotion/approval gate remains open.

package/.pi/prompts/autonomous-runtime.md

@@ -0,0 +1,15 @@
+---
+description: Route a supervised ZOB autonomous runtime dry-run, readonly smoke, or validation check
+argument-hint: "<dry-run|readonly-smoke|validate-smoke|validate-run> <target/artifact>"
+---
+Switch to `/zmode factory` for dry-run/readonly smoke, or use an allowed validation mode for readonly validators.
+
+Before calling tools, load `.pi/skills/zob-autonomous-runtime/SKILL.md` and check `.pi/capabilities/zob-public-runtime-capabilities.json` for modes, related skills, and no-ship notes.
+
+Use the `zob_autonomous_*` family only for supervised evidence:
+- `zob_autonomous_dry_run`: metadata/report generation only; no live/global routing or production writes.
+- `zob_autonomous_readonly_smoke`: readonly reports smoke; no child dispatch, daemon, production writes, or global autonomy claim.
+- `zob_autonomous_validate_smoke`: readonly smoke artifact validation.
+- `zob_autonomous_validate_run`: readonly run artifact validation.
+
+Do not claim global autonomy is complete without final E2E evidence and oracle PASS/no_ship=false.

package/.pi/prompts/benchmark-contender.md

@@ -0,0 +1,15 @@
+---
+description: Metadata template for a coding-agent benchmark contender
+argument-hint: "<manifest> <contender-id>"
+---
+Use only after parent approval for a real benchmark run. For scaffold smoke, do not execute.
+
+Required model for every contender: `model_profile: "gpt-5.5-xhigh"`, `model_display: "GPT 5.5 xhigh"`.
+
+Contender IDs: `pi-baseline`, `zob-orchestration-full-auto`, `codex`.
+
+Rules:
+- Do not read secrets or forbidden paths.
+- Do not mutate the source project.
+- For the Dokploy pilot, preserve Docker Compose names marked `external: true` and suffix only internal resources/references in proposals.
+- Record elapsed time, tokens, estimated cost, relevance, success, and safety compliance when real execution is approved.

package/.pi/prompts/benchmark-judge.md

@@ -0,0 +1,19 @@
+---
+description: Metadata template for the orchestrated coding-agent benchmark judge
+argument-hint: "<manifest> <artifact-dir>"
+---
+Judge model: `model_profile: "gpt-5.5-xhigh"`, `model_display: "GPT 5.5 xhigh"`.
+
+For smoke, judge scaffold metadata only; do not select a real winner. Keep `no_ship=true` for real benchmark claims until approved contender artifacts exist.
+
+Evaluate approved artifacts on:
+- elapsed time
+- tokens
+- estimated cost
+- pertinence/relevance
+- task success
+- Docker Compose `external: true` preservation
+- safety compliance
+- evidence quality
+
+Do not call external services, read secrets, mutate source projects, or auto-apply proposals.

package/.pi/prompts/clarify-spec.md

@@ -0,0 +1,20 @@
+# ZOB /clarify-spec
+
+Use this prompt after a draft spec when ambiguity, missing acceptance criteria, unclear scope, unsafe access, or contradictory goals could make planning unsafe.
+
+```text
+1. TASK: Review the draft spec and decide whether planning is allowed.
+2. EXPECTED OUTCOME: A clarification.v1 output with clarity_score, verdict, allow_plan, ambiguities, guided questions, assumptions, refined spec patch, and minimum_to_plan.
+3. REQUIRED TOOLS: read, grep, find, ls
+4. MUST DO:
+- Stay read-only.
+- Score clarity from 0 to 100.
+- Return CLEAR, NEEDS_CLARIFICATION, or BLOCKED.
+- Ask guided multiple-choice questions where useful.
+- Set allow_plan=no if clarity_score < 70 or verdict BLOCKED.
+5. MUST NOT DO:
+- No edits, writes, commits, installs, browser/cloud actions, or secrets.
+- Do not invent business rules.
+- Do not authorize planning if acceptance criteria are not testable.
+6. CONTEXT: Use the provided spec and relevant local docs/files only when needed. Output contract: clarification.v1.
+```

package/.pi/prompts/compute-plan.md

@@ -0,0 +1,36 @@
+---
+description: Turn a resolved ZOB compute profile into a bounded workflow shape and validation ladder.
+argument-hint: "<compute-profile-resolution artifact>"
+---
+Load `.pi/skills/zob-compute-profile/SKILL.md` and read the compute profile resolution artifact.
+
+For: $ARGUMENTS
+
+Produce:
+
+1. **Profile summary**
+   - requested profile;
+   - recommended profile;
+   - effective profile;
+   - caps and gates.
+
+2. **Workflow shape**
+   - deterministic stages;
+   - optional parent-owned agent lanes;
+   - max depth and max parallel;
+   - validation level;
+   - oracle requirements.
+
+3. **Escalation policy**
+   - when to ask for more compute;
+   - when to de-escalate;
+   - when to stop for budget/oracle/user approval.
+
+4. **No-ship checks**
+   - cap violations;
+   - missing validation;
+   - missing oracle;
+   - raw body persistence;
+   - safety bypass.
+
+Do not dispatch children directly from this prompt. Return a plan only unless the parent explicitly invokes tools.

package/.pi/prompts/compute-preview.md

@@ -0,0 +1,42 @@
+---
+description: Preview and resolve ZOB compute/effort profile for a task, factory, ProjectDNA run, or orchestration.
+argument-hint: "<target path or task hash>"
+---
+Load `.pi/skills/zob-compute-profile/SKILL.md` and keep `docs/ZOB_COMPUTE_PROFILE_ROUTING_PLAN.md` in scope.
+
+For: $ARGUMENTS
+
+Output:
+
+1. **Requested profile**
+   - `auto | low | medium | high | xhigh | max`
+   - optional max profile ceiling
+   - domain: `generic | project-dna | factory | orchestration`
+
+2. **Preview inputs**
+   - target path metadata only, if any;
+   - task/spec hash, not raw prompt body;
+   - risk hints such as write/network/browser/cloud/durable/promotion;
+   - expected budget/oracle posture.
+
+3. **Resolution**
+   - recommended profile;
+   - effective profile;
+   - hard caps for agents/depth/parallel/context/time/cost;
+   - oracle and strict-budget gates;
+   - blocked escalation if any.
+
+4. **Safety constraints**
+   - no secrets;
+   - no child direct dispatch;
+   - no network by default;
+   - no source writes;
+   - no raw task/prompt/output body persistence;
+   - `max` requires explicit approval.
+
+5. **Suggested command**
+   - For ProjectDNA smoke, prefer:
+     - `npm run preview:compute-profile:project-dna-smoke`
+     - `npm run validate:compute-profile:project-dna-smoke`
+
+Final answer: effective profile, evidence refs, risks/blockers, compliance.

package/.pi/prompts/contract.md

@@ -0,0 +1,29 @@
+---
+description: Six-part contract for a delegated agent task
+argument-hint: "<task>"
+---
+1. TASK: $ARGUMENTS
+2. EXPECTED OUTCOME: [observable artifact/verdict/change]
+3. REQUIRED TOOLS: [allowed tools only]
+4. MUST DO:
+   - Restate constraints before tool use.
+   - Inspect real current state before conclusions.
+   - Return concrete evidence.
+5. MUST NOT DO:
+   - Do not read or write secrets.
+   - Do not run destructive commands.
+   - Do not commit unless explicitly requested.
+6. CONTEXT:
+   - Paths:
+   - Prior evidence:
+   - Downstream use:
+
+Structured `delegate_task` JSON uses canonical keys: `expected_outcome`, `required_tools`, `must_do`, `must_not_do`, `original_user_ask`, `allowed_paths`, `forbidden_paths`, `output_contract`, `run_in_background`, `child_goal`, `load_skills`. Safe aliases such as `expectedOutcome`, `mustDo`, `mustNotDo`/`must_not`/`mustNot`, `originalUserAsk`, `allowedPaths`, `forbiddenPaths`, `requiredTools`, `outputContract`, `runInBackground`, `childGoal`, and `loadSkills` are accepted only when they do not conflict with canonical values.
+
+Omit delegation `model` overrides by default; use the parent/session default. An explicit `delegate_task.model` or `delegate_agent.model` is exceptional and requires current runtime availability/auth proof for the concrete provider/model. Desired, configured, or catalogued models are preferences only, not availability; if proof is missing, omit `model`.
+
+`allowed_paths` must be repo-relative-only grants (no absolute paths, `~`, traversal, broad roots, or NUL). If a child needs external context, create or cite a repo-local snapshot/context_ref under `reports/...` and pass that repo-relative artifact. `forbidden_paths` are deny-only and may use specific repo-local, absolute, or home-relative patterns when safe.
+
+TODO-linked `child_goal` rules: refresh active TODO refs before delegation; set `child_goal.todo_id` only to a freshly verified canonical active id such as `<canonical-active-todo-id>`; when not freshly verified, set `child_goal.todo_path` such as `<visible-todo-path>` instead of inventing shorthand ids. Safe auto-open/delegation is limited to `planned`, `ready`, `in_progress`, or `needs_review` TODOs with no active child/run. Children return claims or `TODO_SPLIT_REQUEST.v1`; they do not mutate parent TODOs, apply XDEF splits, or spawn child agents. Split broad/parallel work into subtodos before dispatch, and do not assign multiple same-leaf write workers.
+
+Final answer must include: result, evidence, risks/blockers, compliance line, `deliverable_delivered: yes/no`.

package/.pi/prompts/explore.md

@@ -0,0 +1,13 @@
+---
+description: Delegate read-only codebase exploration with a structured answer envelope
+argument-hint: "<question or area>"
+---
+Use the `delegate_agent` tool with agent `explore` for this read-only reconnaissance.
+
+Contract:
+1. TASK: Explore $ARGUMENTS.
+2. EXPECTED OUTCOME: `<files>`, `<answer>`, and `<next_steps>` with paths, key functions/signatures, and line refs where useful.
+3. REQUIRED TOOLS: read, grep, find, ls, safe read-only bash.
+4. MUST DO: Start with Literal Request / Actual Need / Success Looks Like. Mirror numbered questions. Trace orchestration/entry points if downstream intent requires it.
+5. MUST NOT DO: No edits, no writes, no tests/builds unless explicitly allowed, no secrets.
+6. CONTEXT: Use current repository and the user's downstream intent.

package/.pi/prompts/factory-run.md

@@ -0,0 +1,36 @@
+---
+description: Run a ZOB software factory with manifest/checkpoint/validation/sentinel artifacts
+argument-hint: "<factory> <manifest>"
+---
+Switch to `/zmode factory` first.
+
+Check `.pi/capabilities/zob-public-runtime-capabilities.json` for factory/autonomous tool routing. Use `factory_run` for manifest/checkpoint/sentinel factories; use `zob_autonomous_*` only with `.pi/skills/zob-autonomous-runtime/SKILL.md` for supervised dry-run, readonly smoke, or validation evidence.
+
+Use the `factory_run` tool in smoke mode before any pilot/batch.
+
+Recommended first run:
+
+```json
+{
+  "factory": "opencode-pattern-canonizer",
+  "input_manifest": ".pi/factories/opencode-pattern-canonizer/smoke-manifest.json",
+  "mode": "smoke",
+  "execution": "plan_only"
+}
+```
+
+Completion requires:
+- `reports/factory-runs/<runId>/manifest.json`
+- `ledger.jsonl`
+- `checkpoints/`
+- `outputs/`
+- `validation.json` with passed status
+- `final-report.md`
+- `DONE.sentinel`
+
+Execution modes:
+- `plan_only`: inspect `agentic-plan.json` with no child-agent model calls and no sentinel.
+- `deterministic`: local artifact generation with sentinel after validation.
+- `agentic`: execute planned child-agent stages; currently smoke-only.
+
+Do not scale beyond smoke until the sentinel and validation artifacts exist. Do not claim global autonomy from `zob_autonomous_dry_run` or `zob_autonomous_readonly_smoke`; final E2E evidence plus oracle PASS/no_ship=false is required.

package/.pi/prompts/factory.md

@@ -0,0 +1,20 @@
+---
+description: Design a software factory from a repeated manual workflow
+argument-hint: "<workflow>"
+---
+Switch to `/zmode factory` if not already there.
+
+Consult `.pi/capabilities/zob-public-runtime-capabilities.json` for factory, quarantine, and `zob_autonomous_*` routing. Apply `.pi/skills/zob-tool-router/SKILL.md` when the workflow touches autonomy, context, delegation, compute, oracle, workspace, or promotion gates. Load `.pi/skills/zob-autonomous-runtime/SKILL.md` for autonomous dry-run/readonly smoke/validation design, and keep those gates distinct from final E2E completion.
+
+Design a reusable software factory for: $ARGUMENTS
+
+Output:
+1. Repeated workflow and target quality gate.
+2. Tool routing summary: factory/autonomous/context/delegation/compute/oracle families selected or skipped with reasons.
+3. Input contract and typed schema.
+4. Pipeline stages: deterministic steps vs LLM enrichment.
+5. Specialist agents and tool access.
+6. Artifacts, manifests, sentinel files, and resume/checkpoint logic.
+7. Pilot batch plan and scaling rules.
+8. Pi resources to create: extension tools, prompt templates, skills, agent prompts, scripts.
+9. Risks / anti-patterns from prior sessions that this factory prevents.

package/.pi/prompts/implement.md

@@ -0,0 +1,27 @@
+---
+description: Implement one bounded slice with verify-before-change and final evidence
+argument-hint: "<slice>"
+---
+Switch to `/zmode implement` if not already there.
+
+Implement this bounded slice: $ARGUMENTS
+
+Rules:
+- Before editing, produce a sufficiency verdict: SUFFICIENT/no change or GAP/smallest file set.
+- For non-trivial or tool-ambiguous slices, apply `.pi/skills/zob-tool-router/SKILL.md` briefly; use/delegate/skip applicable families and avoid heavy routing for small edits.
+- Use surgical edits. No broad rewrites.
+- In a parallel owner pool, edit only your owned/write paths; read-across sibling refs for context/evidence only. If you need another owner's path, send a typed owner request and wait for parent/owner decision.
+- If running without harness tools/extensions, do not call Goal Room/ZPeer directly; emit a hash/body-free `OWNER_CHANGE_REQUEST.v1` final-output block (`requested_by`, `owner_worker`, `requested_paths`, `body_hash`, `change_hash`, `reason_hash`, optional `validation_plan_hash`, safe refs, `FINAL_MARKER: OWNER_CHANGE_REQUEST_END`) for the parent to extract with `zob_governed_request_extract`.
+- Goal Room is canonical for owner requests, decisions, blockers, and evidence; ZPeer is transient clarification only and cannot replace parent-owned arbitration.
+- No secrets. No destructive commands. No commits unless explicitly requested or governed autocommit is explicitly policy-authorized for this slice.
+- If commit/push work is authorized, load `.pi/skills/zob-commit/SKILL.md` and `.pi/git-policy.json`, then use only governed `/zcommit` commands or the agent-executable `zob_zcommit_run` tool when the user explicitly asks the agent to commit/push; no aliases and no direct git commit/push/tag/force-push/bulk-stage commands.
+- Verify with narrowest relevant checks first.
+- Do not dispatch children, mutate parent TODOs, apply/merge to main workspace, or claim success from stale/offline coms.
+- If a human-decision blocker is already recorded (score >=90, no `nextAgent`, paused goal, visible blocker), report it once and wait for `/goal resume`/`resume_goal`; do not repeat the ask, redispatch, auto-resume, or bypass oracle/no_ship/evidence gates.
+
+Final answer:
+- changed files
+- verification commands/results
+- unresolved risks
+- compliance line
+- deliverable_delivered: yes/no

package/.pi/prompts/model-catalog.md

@@ -0,0 +1,68 @@
+---
+description: Update .pi/model-catalog.json from natural-language model preference instructions
+argument-hint: "<natural language model preference/update>"
+---
+Switch to `/zmode implement` if not already there.
+
+Update `.pi/model-catalog.json` from this natural-language request:
+
+$ARGUMENTS
+
+Purpose:
+- Maintain the human preference catalog used before ZOB child-agent delegation.
+- Translate natural language into safe structured model preferences.
+- Keep `.pi/model-routing.json` as the source of model classes; do not enable live/global routing.
+
+Required context to read first:
+- `.pi/model-catalog.json`
+- `.pi/model-routing.json`
+- `.pi/skills/zob-delegation-routing/SKILL.md` if delegation behavior is relevant
+
+Allowed edits:
+- `.pi/model-catalog.json` only, unless the user explicitly asks to change the command/validator itself.
+
+Interpretation rules:
+- A model key is a Pi `--model` pattern, e.g. `anthropic/claude-sonnet-4-5`, `sonnet:high`, `openrouter/anthropic/claude-3.5-sonnet`, or another user-provided pattern.
+- Do not invent credentials, provider setup, or exact model IDs. If the user gives only a vague family name, store it as an unverified candidate or ask one concise clarification if it would become a default.
+- Map intent to existing classes only: `cheap_scout`, `balanced_worker`, `strong_reasoning`, `strong_oracle`, `high_context`.
+- If the user says a model is preferred/default for a class, add it to the front of that `classDefaults[class]` array and remove duplicates.
+- If the user says a model should not be used for a class/agent, add/update `avoidFor` or `agentPreferences.<agent>.avoid`; do not silently delete evidence notes.
+- Oracle/security downgrade is forbidden: never make a weak/cheap/experimental model the only `strong_oracle` or high-risk security default unless the user explicitly states it is strong enough for oracle/security.
+- Summarize long natural language into `whyWeLikeIt`, `bestFor`, `avoidFor`, and `notes`; do not paste raw prompt bodies.
+- Preserve existing unknown fields when possible.
+
+Model entry shape:
+```json
+{
+  "label": "Human label",
+  "status": "candidate|preferred|fallback|disabled",
+  "resolutionStatus": "verified|unverified|needs_user",
+  "classes": ["balanced_worker"],
+  "whyWeLikeIt": "Short human reason.",
+  "bestFor": ["implementation"],
+  "avoidFor": ["oracle_final_security"],
+  "costTier": "unknown|free|low|medium|high",
+  "qualityTier": "unknown|experimental|reliable|strong",
+  "contextWindow": 128000,
+  "notes": ["Optional short note."],
+  "lastUpdated": "YYYY-MM-DD"
+}
+```
+
+Safety rules:
+- Never store API keys, auth headers, tokens, passwords, private keys, environment secret values, or provider secrets.
+- Do not read or write secret files or home credential directories.
+- Do not edit user-level Pi provider/model configuration; if provider/model installation is needed, tell the user to configure Pi models separately.
+- Do not enable `liveRoutingEnabled`, `modelRouterUsed`, `routingApplied`, or `childDispatchAllowed`.
+
+Validation:
+- Run `npm run validate:model-catalog`.
+- If TypeScript/package changes were made, also run `npm run check -- --pretty false`.
+
+Final answer:
+- changed files
+- concise summary of catalog changes
+- validation commands/results
+- any model IDs still unverified or needing user confirmation
+- compliance line
+- deliverable_delivered: yes/no

package/.pi/prompts/model-economy.md

@@ -0,0 +1,64 @@
+---
+description: Update .pi/model-economy.json from natural-language cost/quality policy instructions
+argument-hint: "<natural language compute/model economy update>"
+---
+Switch to `/zmode implement` if not already there.
+
+Update `.pi/model-economy.json` from this natural-language request:
+
+$ARGUMENTS
+
+Purpose:
+- Maintain the policy connecting `/compute` profiles (`low`, `medium`, `high`, `xhigh`, `max`) to model classes and cost/quality gates.
+- Keep `.pi/model-routing.json` as the source of model classes.
+- Keep `.pi/model-catalog.json` as the source of concrete model IDs and human preference notes.
+- Do not enable live/global model routing.
+
+Required context to read first:
+- `.pi/model-economy.json`
+- `.pi/model-catalog.json`
+- `.pi/model-routing.json`
+- `.pi/compute-profiles/defaults.json`
+
+Allowed edits:
+- `.pi/model-economy.json` only, unless the user explicitly asks to change the command/validator itself.
+
+Interpretation rules:
+- Translate natural language like "low = cheap everywhere" or "medium = strong orchestrator, cheap workers" into `profiles.<profile>.roleClasses`, `preferCostTier`, and quality gates.
+- Allowed compute profiles only: `low`, `medium`, `high`, `xhigh`, `max`.
+- Allowed model classes only: `cheap_scout`, `balanced_worker`, `strong_reasoning`, `strong_oracle`, `high_context`.
+- Role class intent:
+  - `root`, `orchestrator`, `lead`, `planner`: coordination/planning model class.
+  - `scout`: read-only exploration/recon class.
+  - `worker`, `implementer`, `qa`: ordinary sub-agent work classes.
+  - `oracle`: final validation/no-ship class.
+  - `security`: security/high-risk reasoning class.
+  - `high_context`: large context/lots of files class.
+- Cost tiers: `free`, `low`, `medium`, `high`.
+- Quality tiers: `unknown`, `experimental`, `reliable`, `strong`.
+- Status values: `preferred`, `fallback`, `candidate`, `disabled`.
+- For `low`, cheap defaults are fine for scouts/simple workers, but oracle/security must not be downgraded.
+- For `medium`, prefer strong coordination/oracle with cheaper scouts and balanced workers.
+- For `high` and above, require verified/reliable defaults unless the user explicitly asks for candidate experimentation.
+- For `max`, keep `requireVerified=true`, `requireStrongQuality=true`, and `allowUnverified=false`.
+- Preserve existing unknown fields when possible.
+
+Safety rules:
+- Never store API keys, auth headers, tokens, passwords, private keys, environment secret values, or provider secrets.
+- Do not read or write secret files or home credential directories.
+- Do not edit user-level Pi provider/model configuration; if provider/model installation is needed, tell the user to configure Pi models separately.
+- Do not enable `liveRoutingEnabled`, `modelRouterUsed`, `routingApplied`, `childDispatchAllowed`, `budgetEnforced`, or `strictEnabled`.
+- Never downgrade `oracle` below `strong_oracle` or `security` below `strong_reasoning`.
+
+Validation:
+- Run `npm run validate:model-economy`.
+- If `.pi/model-catalog.json` was also changed, run `npm run validate:model-catalog`.
+- If TypeScript/package changes were made, also run `npm run check -- --pretty false`.
+
+Final answer:
+- changed files
+- concise summary of economy policy changes
+- validation commands/results
+- any unresolved model/profile ambiguity
+- compliance line
+- deliverable_delivered: yes/no

package/.pi/prompts/oracle-merge.md

@@ -0,0 +1,18 @@
+---
+description: Merge multiple oracle/QA verdicts into global PASS/FAIL/WARN and no-ship decision
+argument-hint: "<oracle outputs>"
+---
+Use `delegate_task` with agent `oracle-merge`.
+
+1. TASK: Merge these oracle/QA verdicts: $ARGUMENTS
+2. EXPECTED OUTCOME: global PASS/FAIL/WARN, confidence, no_ship, blockers, non-blocking notes, evidence, merged lanes, next steps, compliance, deliverable_delivered.
+3. REQUIRED TOOLS: read, grep, find, ls, safe read-only bash.
+4. MUST DO:
+   - Treat critical FAIL as global FAIL.
+   - Treat missing evidence as WARN.
+   - Cite lane evidence.
+5. MUST NOT DO:
+   - No patches.
+   - No commits.
+   - No secret reads.
+6. CONTEXT: Current ZOB flow uses oracle-merge as the final gate before claiming success.

package/.pi/prompts/oracle.md

@@ -0,0 +1,13 @@
+---
+description: Run skeptical read-only PASS/FAIL/WARN review via oracle agent
+argument-hint: "<thing to review>"
+---
+Use `delegate_agent` with agent `oracle` to review: $ARGUMENTS
+
+Review contract:
+1. TASK: Skeptically verify the claim/change/plan.
+2. EXPECTED OUTCOME: PASS / FAIL / WARN with confidence, blockers, non-blocking notes, evidence, next steps.
+3. REQUIRED TOOLS: read, grep, find, ls, safe read-only bash.
+4. MUST DO: Cite concrete evidence and check prior failure modes.
+5. MUST NOT DO: No patches, no commits, no secret access.
+6. CONTEXT: Include current user-provided claim, changed files, and verification logs if available.

package/.pi/prompts/orchestrator.md

@@ -0,0 +1,48 @@
+---
+description: Chief Vision non-coding orchestration mode
+argument-hint: "<goal>"
+---
+Switch to `/zmode orchestrator` if not already there.
+
+Use the ZOB adaptive workflow / Chief Vision posture for: $ARGUMENTS
+
+Root constraints:
+- Govern goals, TODOs, routing, delegation, evidence, blockers, and completion gates.
+- Do not edit, write, patch, commit, or perform worker implementation directly.
+- For substantive exploration, implementation, QA, security review, documentation production, or oracle judgment, create/delegate a bounded subtask.
+- Default orchestration execution is `plan_only`; escalate only through explicit parent/oracle gates.
+
+Orchestrator loop:
+1. Scope
+   - Restate the original user ask, success criteria, non-goals, constraints, and no-ship risks.
+   - Create or align a runtime goal/TODO graph only when the work is broad, delegated, or evidence-gated.
+2. Tool routing
+   - Apply `.pi/skills/zob-tool-router/SKILL.md` for non-trivial or tool-ambiguous work.
+   - Identify applicable families: goal/TODO, delegation, orchestration, compute, context/ProjectDNA, factory, coms/goal-room, workspace/merge, autonomous-runtime, and oracle.
+   - For each applicable family, choose use, delegate, or skip with a reason; keep the smallest sufficient tool set.
+3. Workgraph
+   - Split work into bounded lanes/TODOs and assign parent, subagent, oracle, factory, orchestration, or user ownership.
+   - For parallel or too-large work, split the parent TODO into subtodos before dispatch; do not run multiple write workers on the same leaf TODO.
+   - For parallel owner pools, define owned/write paths, read-across refs, validation expectations, owner request protocol, and oracle/merge gates per leaf.
+   - Use `zob_worker_pool_plan` to record body-free pool assignment metadata and `zob_worker_pool_status` to inspect conflicts/status; these tools only coordinate metadata and never dispatch children, mutate TODOs, apply changes, or store raw prompt/task/output/diff bodies.
+   - Enforce read-across/write-by-owner: sibling workers may inspect cited refs but cannot edit another owner's paths without a typed owner request and parent/owner decision.
+   - Treat XDEF/deeper decomposition as parent-owned: children may return `TODO_SPLIT_REQUEST.v1` or governed proposals, but only the parent applies subtodos/dispatches.
+   - Keep child dispatch parent-owned; child-proposes-child goes through governed requests only.
+4. Dispatch
+   - Before TODO-linked delegation, refresh active TODO refs; pass a canonical active `child_goal.todo_id` only when freshly verified, otherwise pass visible `child_goal.todo_path` for parent/runtime resolution.
+   - Safe auto-open/delegation is allowed only for runtime-delegatable TODOs (`planned`, `ready`, `in_progress`, `needs_review`) with no active child/run; stale delegated/recovery leaves may be recovered only when no active child/run owns them, otherwise block/review instead of redelegating.
+   - Delegate substantive work with six-part contracts and explicit allowed/forbidden paths; include owned/write paths and read-across refs when dispatching a pool. Actual child dispatch remains parent-owned through `delegate_task`/`delegate_agent`; worker-pool plan/status records are not launches.
+   - Omit `delegate_task.model`/`delegate_agent.model` by default so children use the parent/session default. Set an explicit model override only with current runtime availability/auth proof for the concrete provider/model; desired, configured, or catalogued models are preferences, not availability. If proof is missing, omit `model`.
+   - Keep `allowed_paths` repo-relative only; never pass external absolute/home paths to children. Use repo-local `reports/...` snapshots or `context_ref` artifacts for external context. Keep `forbidden_paths` deny-only.
+   - Prefer `orchestrate_run` for multi-agent Lead/Worker decomposition and `delegate_task`/`delegate_agent` for bounded specialist work.
+   - Use Goal Room as canonical for pool owner requests/decisions, blockers, and evidence. Prefer `zob_worker_pool_owner_request`/`zob_worker_pool_owner_decision` for body-free owner arbitration metadata; approval means parent/owner handling eligibility only, not apply/merge or child launch. For `--no-extensions` children, accept a final-output `OWNER_CHANGE_REQUEST.v1` block and run `zob_governed_request_extract` from the parent to append canonical `OWNER_CHANGE_REQUEST` metadata only. ZPeer is optional transient local clarification only; do not treat ZPeer/free chat as delivery, decision, or merge evidence.
+5. Evidence
+   - Require concrete file refs, command names/results, reports, sentinels, or oracle verdicts.
+   - Attach evidence to TODOs; planned orchestration is not completed implementation.
+6. Blockers
+   - Block or ask the user when evidence, permissions, scope, or safety input is missing.
+   - If a human-decision blocker is already recorded (score >=90, no `nextAgent`, goal paused, visible blocker), report once and wait for `/goal resume`/`resume_goal`; do not repeat the ask or redispatch.
+   - Do not guess, self-approve risky escalation, or claim success from stale/offline/timeout signals.
+7. Completion
+   - Close TODOs only with evidence.
+   - Propose completion only when required TODOs are done/skipped, validations passed, blockers are resolved, and oracle PASS/no_ship=false is available when required.

package/.pi/prompts/parallel-review.md

@@ -0,0 +1,21 @@
+---
+description: Run parallel code/goal/security/QA reviews through specialist agents
+argument-hint: "<artifact or change>"
+---
+Use `delegate_agent` in parallel mode for: $ARGUMENTS
+
+Suggested tasks:
+- oracle: goal-fit review with PASS/FAIL/WARN and blockers.
+- oracle: security/safety review with trust-boundary and secret-handling checks.
+- qa: executable verification plan or targeted smoke checks.
+- explore: context map for any uncertain subsystem.
+
+Each child must use the six-part contract and return concrete evidence. Parent must synthesize only after all results arrive.
+
+Parallel owner-pool review rules:
+- Split writable work by owner before dispatch; reviewers may read across all cited artifacts, but write-capable workers edit only owned paths.
+- Use `zob_worker_pool_plan`/`zob_worker_pool_status` for metadata-only/body-free pool assignment and conflict records; these tools do not dispatch children, mutate TODOs, apply writes, or store raw prompt/task/output/diff bodies.
+- Actual child dispatch remains parent-owned through `delegate_task`/`delegate_agent` with six-part contracts, explicit TODO linkage, repo-relative owned/write `allowed_paths`, safe `forbidden_paths`, and read-across refs.
+- Use Goal Room and `zob_worker_pool_owner_request`/`zob_worker_pool_owner_decision` for typed owner requests, decisions, blockers, and evidence refs. ZPeer may clarify live questions but is transient and not canonical.
+- Parent owns arbitration: accept/deny owner requests, resolve conflicts, decide merge queue entries, and request oracle review.
+- No-ship on raw body persistence, hidden free chat, peer writes, stale/offline success, direct main-workspace apply, missing validation, or missing oracle for risky/conflicting changes.