zob-harness 0.1.0

package/.pi/prompts/plan.md

@@ -0,0 +1,21 @@
+---
+description: Create a read-only implementation plan with TDD, validation, commits, and stop conditions
+argument-hint: "<goal>"
+---
+Switch to `/zmode plan` if not already there.
+
+Plan this goal without editing files: $ARGUMENTS
+
+Before detailed planning, apply `.pi/skills/zob-tool-router/SKILL.md` when the task is non-trivial or tool selection is ambiguous. Use the smallest sufficient tool set and state which major families are in/out when that affects the plan.
+
+Output must include:
+1. Scope table: in / out / forbidden.
+2. Tool routing summary: selected mode, applicable families, selected skills, and intentionally skipped heavy families.
+3. Assumptions and open questions.
+4. Likely files: primary vs only-if-needed.
+5. TDD sequence with test names/assertions.
+6. Implementation steps by smallest safe slice.
+7. Validation ladder: minimum per slice vs full close.
+8. Atomic commit strategy. State: no commit unless explicitly requested.
+9. Risks and stop conditions, including: if a human-decision blocker is already recorded (score >=90, no `nextAgent`, paused goal, visible blocker), report once and wait for `/goal resume`/`resume_goal`; do not repeat the ask or redispatch.
+10. Handoff prompt for implementer using the six-part contract.

package/.pi/prompts/project-dna.md

@@ -0,0 +1,90 @@
+---
+description: Start a ProjectDNA code knowledge graph / neutral sample factory workflow from a trusted reference project folder
+argument-hint: "<source_project_path or manifest>"
+---
+Switch to `/zmode factory` if not already there.
+
+Load `.pi/skills/zob-project-dna/SKILL.md` and keep `.pi/skills/zob-factory/SKILL.md`, `.pi/skills/zob-sandbox/SKILL.md`, `.pi/skills/zob-oracle/SKILL.md`, and `.pi/skills/zob-harness/SKILL.md` in scope.
+
+Start ProjectDNA for: $ARGUMENTS
+
+Treat ProjectDNA as agents-first: the agent owns intake, scope, capture goal, safety gates, validation, oracle, and promotion posture. Deterministic npm scripts and factory runs are tools for producing cited artifacts; they are not the primary control plane and must not be described as autonomous external-project scanning or backend writeback.
+
+For a 5/5 agentic run, require these specialist gates before claiming success: Safety Preflight, Repo Scout, Ontology Steward, Query Steward, Pattern Miner, Symbol Range Curator, Test Linker, Sample Architect, Golden Evaluator, and ProjectDNA Oracle. Query Steward must rewrite transient questions into controlled ontology/golden-case intent without persisting raw query text. Golden Evaluator must pass all golden cases before Oracle PASS/no_ship=false.
+
+Output:
+
+1. **Intake scope**
+   - source_project_path or manifest path
+   - source_id
+   - allowed_paths
+   - forbidden_patterns
+   - sample_domain
+   - capture_mode: execution posture: `plan_only`, `read_only_scan`, `sandbox_sample_generation`, or `runtime_query_existing_artifacts`
+   - semantic_capture_mode: knowledge posture: `full_capture`, `architecture_only`, `targeted_capture`, `sample_first`, or `context_only`
+   - capture_goal: bounded pattern/question to capture
+   - user_note: optional operator guidance; not evidence and not a citation
+   - compute profile: `auto`, `low`, `medium`, `high`, `xhigh`, or `max` (default `auto`)
+   - compute caps, if any
+   - execution mode: `plan_only`, `read_only_scan`, or `sandbox_sample_generation`
+   - promotion policy, default `proposal_only`
+
+2. **Safety preflight**
+   - Confirm no `.env`, keys, credentials, `node_modules`, `dist`, `build`, `.git`, or generated/vendor folders are read.
+   - Confirm the source project remains read-only.
+   - Confirm outputs stay under `reports/factory-runs/<run_id>/` or approved sandbox/quarantine.
+   - Confirm no external knowledge-backend import, sync, embed, or write is performed unless explicitly approved.
+
+3. **Compute preview and workflow plan**
+   - if compute profile is `auto`, run or recommend `npm run preview:compute-profile:project-dna-smoke` for the safe smoke target, or create a bounded real-run preview artifact for approved paths;
+   - validate preview/resolution with `npm run validate:compute-profile:project-dna-smoke` or the matching artifact validator;
+   - choose profile-specific stages: auto=metadata-only preview/resolve then apply resolved profile, low=scan+scan validation, medium=low+capsules/spec/one query, high=medium+quarantine sample/sample validation/benchmark/oracle, xhigh=high+specialist lanes/richer query/adversarial review, max=xhigh+multi-reference/symbol/callgraph/promotion packet with strict human/budget/oracle gates;
+   - deterministic scanner artifacts;
+   - Developer DNA synthesis artifacts;
+   - neutral sample generation path, if approved;
+   - code knowledge graph and capsule outputs;
+   - benchmark smoke query;
+   - validation and oracle gates.
+
+4. **Factory action**
+   - If only planning/scaffold validation is requested, run or recommend:
+     - `npm run validate:project-dna`
+     - `npm run preview:compute-profile:project-dna-smoke`
+     - `npm run validate:compute-profile:project-dna-smoke`
+     - `factory_run` with `.pi/factories/project-dna/smoke-manifest.json` in `plan_only` or deterministic smoke mode.
+   - If scanner smoke is requested, run `npm run smoke:project-dna-scan`; it scans only `.pi/factories/project-dna` and writes metadata under `reports/project-dna-scans/project-dna-factory-smoke/`.
+   - After scanner smoke, run `npm run validate:project-dna-scan:smoke` to verify artifacts, line-range citations, and no-write posture.
+   - If pointer capsules are requested after scanner smoke, run `npm run build:project-dna-capsules:smoke`; it reads scan metadata only.
+   - If neutral sample planning is requested, run `npm run build:project-dna-sample-spec:smoke`; it creates a spec only and does not generate code.
+   - If quarantine sample smoke is requested, run `npm run generate:project-dna-sample:smoke` then `npm run validate:project-dna-sample:smoke`; generation must stay under `reports/.../quarantine/`.
+   - If runtime-style context lookup is requested, prefer `zob_project_dna_query` against an existing `reports/project-dna-scans/...` directory; `npm run query:project-dna:smoke` remains the deterministic CLI smoke. Raw query text must be hashed/not persisted and output must be bounded/cited.
+   - For multi-source proposal-only context, use `zob_project_dna_federated_query`; it must preserve source isolation and never write a backend.
+   - For 5/5 agentic smoke, run `npm run emit:project-dna-ontology:smoke`, `npm run validate:project-dna-ontology:smoke`, `npm run emit:project-dna-golden-cases:smoke`, `npm run validate:project-dna-golden-cases:smoke`, and `npm run steward:project-dna-query:smoke` before benchmark/oracle.
+   - Before treating ProjectDNA smoke as ready, run `npm run bench:project-dna:smoke`, `npm run oracle:project-dna:smoke`, and `npm run validate:project-dna-5of5:smoke`; these do not grant durable promotion.
+   - If a real project path is requested, require explicit `allowed_paths` and produce a bounded manifest before scanning.
+   - Use `capture_mode` strictly: `plan_only` never scans source; `read_only_scan` reads only approved paths; `sandbox_sample_generation` writes only quarantine/sandbox outputs; `runtime_query_existing_artifacts` queries existing artifacts only.
+   - Use `semantic_capture_mode` for knowledge depth: `full_capture` for small complete references, `architecture_only` for huge repos or architecture notes, `targeted_capture` for named domains/features, `sample_first` for neutral sample priority, and `context_only` for lookup packs only.
+   - Use `capture_goal` to bound scanner/capsule/query priorities; treat `user_note` as operator intent only and never as source truth.
+
+5. **Context integration**
+   - Use `zob_context_validate_scope` before runtime context lookup when injecting context into another task.
+   - Use `zob_project_dna_readiness` to audit repo-local ProjectDNA readiness.
+   - Use `zob_project_dna_query` or `/project-dna query ...` for bounded cited pointers from existing scan artifacts.
+   - Use `zob_project_dna_writeback_proposal` only for hash-only local learning proposals; no durable promotion.
+   - Return bounded context packs only.
+   - Every ProjectDNA fact, pattern, and capsule must cite source/sample files.
+
+6. **No-ship checks**
+   - secrets or forbidden paths touched;
+   - source project modified;
+   - missing/invalid citations;
+   - sample validation failed;
+   - unapproved external knowledge-backend writes;
+   - oracle `no_ship=true`.
+
+Final answer:
+- changed/generated files or planned artifacts;
+- validation commands/results;
+- no-ship risks and next slice;
+- compliance line;
+- `deliverable_delivered: yes/no`.

package/.pi/prompts/refactor-oracle.md

@@ -0,0 +1,23 @@
+---
+description: Run skeptical read-only equivalence review for a split-only refactor slice
+argument-hint: "<slice or changed files>"
+---
+Use `delegate_task` with agent `refactor-oracle` to review: $ARGUMENTS
+
+Review contract:
+1. TASK: Skeptically verify that the split-only refactor slice preserves observable behavior.
+2. EXPECTED OUTCOME: PASS / FAIL / WARN with confidence, blockers, evidence, no_ship, and next steps.
+3. REQUIRED TOOLS: read, grep, find, ls, safe read-only bash.
+4. MUST DO:
+   - Check changed files and validation logs.
+   - Compare exports/registrations to baseline if provided.
+   - Verify `index.ts` status matches the phase contract.
+   - Search for forbidden `src/** -> index.ts` imports.
+   - Check NodeNext `.js` suffixes for relative runtime imports.
+5. MUST NOT DO:
+   - No patches, no commits, no formatting, no secret reads.
+   - Do not return PASS without concrete evidence.
+6. CONTEXT:
+   - Playbook: `docs/ZOB_HARNESS_INDEX_REFACTOR_PLAYBOOK.md`.
+   - Baseline artifacts: `.pi/tmp/refactor-baseline/`.
+   - Validation ladder: `npm run check -- --pretty false`, `npm run smoke:harness`, `npm run pi:check`, phase-specific gates.

package/.pi/prompts/refactor-slice.md

@@ -0,0 +1,24 @@
+---
+description: Build a six-part contract for one split-only ZOB harness refactor slice
+argument-hint: "<target module or slice>"
+---
+Use `delegate_task` with agent `refactor-mover` for this bounded slice: $ARGUMENTS
+
+Contract template:
+1. TASK: Move exactly one bounded block from `.pi/extensions/zob-harness/index.ts` into the target sidecar module, or create the sidecar context for that module if no move is approved yet.
+2. EXPECTED OUTCOME: Split-only change with public exports preserved, `index.ts` entrypoint stable, NodeNext imports valid, and validation evidence captured.
+3. REQUIRED TOOLS: read, grep, find, ls, edit, write, safe bash for `npm run check -- --pretty false` and scoped smoke only.
+4. MUST DO:
+   - Read `docs/ZOB_HARNESS_INDEX_REFACTOR_PLAYBOOK.md` and the nearest local `AGENTS.md`.
+   - Preserve strings, messages, schemas, array order, sentinels, artifacts, defaults, and sync/async behavior.
+   - Use `.js` suffixes for relative runtime imports and `import type` for type-only imports.
+   - Run `npm run check -- --pretty false`; run `npm run smoke:harness` for domain/runtime slices.
+5. MUST NOT DO:
+   - Do not rewrite logic, optimize, rename public exports, or change registrations.
+   - Do not import from `index.ts` inside `src/**`.
+   - Do not switch to final barrel unless explicitly approved.
+   - Do not read secrets, touch generated/vendor folders, or commit.
+6. CONTEXT:
+   - Playbook: `docs/ZOB_HARNESS_INDEX_REFACTOR_PLAYBOOK.md`.
+   - Current entrypoint: `.pi/extensions/zob-harness/index.ts`.
+   - Baseline artifacts: `.pi/tmp/refactor-baseline/` when present.

package/.pi/prompts/research.md

@@ -0,0 +1,20 @@
+---
+description: Delegate sourced external research to librarian with anti-overclaiming guardrails
+argument-hint: "<topic>"
+---
+Use `delegate_agent` with agent `librarian`.
+
+1. TASK: Research $ARGUMENTS for the current project decision.
+2. EXPECTED OUTCOME: Bottom-line recommendation, sourced facts, assumptions/unknowns, practical integration implications, safer wording if claims are uncertain.
+3. REQUIRED TOOLS: official docs/web/GitHub/local docs as available; no file edits.
+4. MUST DO: Prefer primary sources. Label assumptions. Provide fallback/vendor-agnostic wording when source evidence is weak.
+5. MUST NOT DO: Do not invent APIs, do not edit files, do not overclaim.
+6. CONTEXT: Current project is a Pi-based agent harness and software factory.
+
+End with:
+- evidence
+- risks/blockers
+- compliance
+- sources_consulted
+- constraints_respected
+- deliverable_delivered: yes/no

package/.pi/prompts/spec.md

@@ -0,0 +1,19 @@
+# ZOB /spec
+
+Use this prompt when a user asks for a product/feature/factory outcome and the next step should be a testable spec, not direct implementation.
+
+```text
+1. TASK: Convert the original user ask into a testable ZOB spec.
+2. EXPECTED OUTCOME: A spec.v1 output with objectives, non-goals, scope, constraints, acceptance criteria, risks, open questions, and planner handoff.
+3. REQUIRED TOOLS: read, grep, find, ls
+4. MUST DO:
+- Stay read-only.
+- Preserve ORIGINAL_USER_ASK.
+- Make acceptance criteria observable.
+- State assumptions and open questions explicitly.
+- Include evidence consulted.
+5. MUST NOT DO:
+- No edits, writes, commits, installs, browser/cloud actions, or secrets.
+- Do not plan implementation before the spec is clear.
+6. CONTEXT: Use AGENTS.md and relevant docs/files only when needed. Output contract: spec.v1.
+```

package/.pi/prompts/synthesis.md

@@ -0,0 +1,18 @@
+---
+description: Merge parallel lane outputs into consensus, conflicts, missing evidence, and next action
+argument-hint: "<parallel outputs or artifact>"
+---
+Use `delegate_task` with agent `synthesis`.
+
+1. TASK: Merge these parallel lane outputs: $ARGUMENTS
+2. EXPECTED OUTCOME: consensus, conflicts, missing_evidence, recommended_next_action, tasks_to_rerun, evidence, risks_blockers, compliance, deliverable_delivered.
+3. REQUIRED TOOLS: read, grep, find, ls.
+4. MUST DO:
+   - Separate consensus from disagreement.
+   - Identify missing proof and incomplete lanes.
+   - Recommend one bounded next action.
+5. MUST NOT DO:
+   - No edits.
+   - No commits.
+   - No invented evidence.
+6. CONTEXT: Current ZOB flow uses synthesis as the barrier after parallel exploration/review lanes.

package/.pi/rules/always.md

@@ -0,0 +1,38 @@
+# ZOB Rule Pack: Always
+
+```json
+{
+  "schema": "zob.rule-pack.v1",
+  "id": "always",
+  "description": "Non-negotiable safety, evidence, and completion rules for every ZOB task.",
+  "applies_to": {
+    "paths": ["**"],
+    "modes": ["explore", "plan", "implement", "oracle", "factory", "orchestrator"],
+    "profiles": ["project-maintainer", "runtime-maintainer", "factory-engineer", "orchestration-engineer", "prompt-ops", "docs-maintainer", "sandbox-engineer", "oracle-reviewer"]
+  },
+  "must_do": [
+    "Use contract-first, evidence-first, safety-first execution.",
+    "Gather live context before edits.",
+    "Preserve prompt/output body minimization in ledgers and telemetry.",
+    "Report validation evidence before claiming completion.",
+    "For authorized commit/push work, load .pi/skills/zob-commit/SKILL.md and .pi/git-policy.json, then use only governed /zcommit commands or zob_zcommit_run when the user explicitly asks the agent to commit/push."
+  ],
+  "must_not_do": [
+    "Do not read secrets such as .env, private keys, ~/.ssh, ~/.aws, *.pem, or *.key.",
+    "Do not run destructive commands such as rm -rf, git reset --hard, git clean, or broad process kills without explicit human approval.",
+    "Do not commit unless explicitly asked or governed autocommit is explicitly policy-authorized for the current task.",
+    "Do not run direct git commit, git push, git tag, force push, git add ., or git add -A; use governed /zcommit or zob_zcommit_run only when authorized.",
+    "Do not mark work complete without concrete evidence."
+  ],
+  "allowed_tools": [],
+  "required_validation": [],
+  "oracle_required": "conditional",
+  "no_ship_conditions": [
+    "secret access attempted",
+    "destructive command attempted without explicit approval",
+    "missing validation evidence",
+    "oracle no_ship=true"
+  ],
+  "enforcement": "block"
+}
+```

package/.pi/rules/docs.md

@@ -0,0 +1,32 @@
+# ZOB Rule Pack: Docs Maintainer
+
+```json
+{
+  "schema": "zob.rule-pack.v1",
+  "id": "docs",
+  "description": "Rules for documentation updates and status notes.",
+  "applies_to": {
+    "paths": ["docs/**", "README.md", "AGENTS.md"],
+    "profiles": ["docs-maintainer"]
+  },
+  "must_do": [
+    "Use docs to reflect implemented behavior or durable decisions, not as a substitute for runtime gates.",
+    "Cite concrete files, commands, or artifacts when marking work done.",
+    "Keep status wording honest about supervised vs autonomous behavior."
+  ],
+  "must_not_do": [
+    "Do not claim 100% autonomy without live no-mock evidence and completion audit.",
+    "Do not mark planned work as implemented.",
+    "Do not hide blockers or no-ship risks."
+  ],
+  "allowed_tools": ["read", "bash", "edit", "write", "grep", "find", "ls"],
+  "required_validation": ["npm run check -- --pretty false"],
+  "oracle_required": "conditional",
+  "no_ship_conditions": [
+    "claim lacks evidence",
+    "docs contradict runtime behavior",
+    "completion status overclaims autonomy"
+  ],
+  "enforcement": "advisory"
+}
+```

package/.pi/rules/factory.md

@@ -0,0 +1,44 @@
+# ZOB Rule Pack: Factory Engineer
+
+```json
+{
+  "schema": "zob.rule-pack.v1",
+  "id": "factory",
+  "description": "Rules for software-factory manifests, checkpoints, validators, sentinels, pilot/batch gates, and quarantine flows.",
+  "applies_to": {
+    "paths": [
+      ".pi/extensions/zob-harness/src/factory/**",
+      ".pi/factories/**",
+      "reports/factory-runs/**"
+    ],
+    "modes": ["factory"],
+    "profiles": ["factory-engineer"]
+  },
+  "must_do": [
+    "Start with smoke before pilot or batch.",
+    "Require validation.json before writing phase sentinels or DONE.sentinel.",
+    "Require persisted oracle review artifacts for pilot and future batch promotion gates.",
+    "Keep factory-forge outputs quarantined until explicit review and activation."
+  ],
+  "must_not_do": [
+    "Do not run pilot/batch without prerequisite sentinels and oracle review evidence.",
+    "Do not enable agentic pilot/batch until deterministic gates pass.",
+    "Do not auto-activate quarantined factories.",
+    "Do not start a daemon from factory runs."
+  ],
+  "allowed_tools": ["read", "bash", "edit", "write", "grep", "find", "ls", "factory_run"],
+  "required_validation": [
+    "npm run check -- --pretty false",
+    "npm run smoke:harness",
+    "factory_run smoke validation.json and sentinel checks"
+  ],
+  "oracle_required": true,
+  "no_ship_conditions": [
+    "missing validation.json",
+    "missing phase sentinel after passed validation",
+    "pilot or batch gate missing persisted oracle review",
+    "factory-forge activation without approval"
+  ],
+  "enforcement": "preflight_fail"
+}
+```

package/.pi/rules/oracle.md

@@ -0,0 +1,34 @@
+# ZOB Rule Pack: Oracle Reviewer
+
+```json
+{
+  "schema": "zob.rule-pack.v1",
+  "id": "oracle",
+  "description": "Rules for skeptical validation, no-ship decisions, security review, and final completion audits.",
+  "applies_to": {
+    "modes": ["oracle"],
+    "profiles": ["oracle-reviewer", "runtime-maintainer", "factory-engineer", "orchestration-engineer", "sandbox-engineer", "prompt-ops"]
+  },
+  "must_do": [
+    "Lead with PASS, WARN, or FAIL and confidence.",
+    "Verify claims against files, commands, logs, artifacts, or explicit missing evidence.",
+    "Set no_ship=true for critical unresolved blockers.",
+    "Separate blocking issues from non-blocking notes."
+  ],
+  "must_not_do": [
+    "Do not patch while acting as oracle.",
+    "Do not soften missing evidence into PASS.",
+    "Do not downgrade security/oracle requirements silently."
+  ],
+  "allowed_tools": ["read", "bash", "grep", "find", "ls"],
+  "required_validation": ["oracle PASS/WARN/FAIL report with evidence and no_ship decision"],
+  "oracle_required": false,
+  "no_ship_conditions": [
+    "oracle FAIL",
+    "no_ship=true",
+    "missing critical evidence",
+    "security blocker unresolved"
+  ],
+  "enforcement": "no_ship"
+}
+```

package/.pi/rules/orchestration.md

@@ -0,0 +1,44 @@
+# ZOB Rule Pack: Orchestration Engineer
+
+```json
+{
+  "schema": "zob.rule-pack.v1",
+  "id": "orchestration",
+  "description": "Rules for teams, orchestration profiles, rooms, local coms, and supervised read-only dispatch.",
+  "applies_to": {
+    "paths": [
+      ".pi/extensions/zob-harness/src/orchestration/**",
+      ".pi/extensions/zob-harness/src/topology/**",
+      ".pi/teams/**",
+      ".pi/orchestrations/**"
+    ],
+    "profiles": ["orchestration-engineer"]
+  },
+  "must_do": [
+    "Keep parent-owned preflight and dispatch for lead/worker tasks.",
+    "Keep worker-spawns-worker disabled unless an explicit future policy gate allows it.",
+    "Use hash-only or redacted coms by default.",
+    "Write room/context-pack and evidence-index artifacts for orchestration runs."
+  ],
+  "must_not_do": [
+    "Do not build free-form peer chat before audited room/context-pack gates.",
+    "Do not enable networked coms in this harness stage.",
+    "Do not write DONE.sentinel for plan_only or incomplete supervised_readonly orchestration.",
+    "Do not persist plaintext prompt/task/output bodies in coms or room ledgers."
+  ],
+  "allowed_tools": ["read", "bash", "edit", "write", "grep", "find", "ls", "orchestrate_run", "zob_coms_send", "zob_coms_ack", "zob_coms_status", "zob_coms_reply", "zob_coms_list", "zob_coms_get", "zob_coms_await"],
+  "required_validation": [
+    "npm run check -- --pretty false",
+    "npm run smoke:harness",
+    "orchestration validation.json room/context-pack checks"
+  ],
+  "oracle_required": true,
+  "no_ship_conditions": [
+    "worker-to-worker edge accepted without policy",
+    "networked coms enabled",
+    "DONE.sentinel written without evidence and oracle gate",
+    "plaintext body persisted in coms or room"
+  ],
+  "enforcement": "preflight_fail"
+}
+```

package/.pi/rules/project.md

@@ -0,0 +1,34 @@
+# ZOB Rule Pack: Project
+
+```json
+{
+  "schema": "zob.rule-pack.v1",
+  "id": "project",
+  "description": "Project-local ZOB harness operating rules shared by all implementation slices.",
+  "applies_to": {
+    "paths": ["**"],
+    "modes": ["explore", "plan", "implement", "oracle", "factory", "orchestrator"],
+    "profiles": ["project-maintainer", "runtime-maintainer", "factory-engineer", "orchestration-engineer", "prompt-ops", "docs-maintainer", "sandbox-engineer", "oracle-reviewer"]
+  },
+  "must_do": [
+    "Prefer Explore -> Plan -> Implement -> Oracle for non-trivial work.",
+    "Use the six-part TASK / EXPECTED OUTCOME / REQUIRED TOOLS / MUST DO / MUST NOT DO / CONTEXT contract for delegated work.",
+    "Keep edits small, reversible, and scoped to the active goal.",
+    "Use existing ZOB agents, prompts, factories, chains, and output contracts before creating new ones."
+  ],
+  "must_not_do": [
+    "Do not touch node_modules, dist, build, or generated/vendor folders.",
+    "Do not store prompt bodies or output bodies in telemetry, coms, rooms, or rule resolution artifacts.",
+    "Do not treat planned orchestration as completed implementation work."
+  ],
+  "allowed_tools": [],
+  "required_validation": ["npm run check -- --pretty false"],
+  "oracle_required": "conditional",
+  "no_ship_conditions": [
+    "scope drift",
+    "public export drift without smoke coverage",
+    "missing risks/blockers/compliance summary"
+  ],
+  "enforcement": "warn"
+}
+```

package/.pi/rules/prompts.md

@@ -0,0 +1,43 @@
+# ZOB Rule Pack: Prompt Ops
+
+```json
+{
+  "schema": "zob.rule-pack.v1",
+  "id": "prompts",
+  "description": "Rules for ZOB agents, prompt templates, skills, chains, and output contracts.",
+  "applies_to": {
+    "paths": [
+      ".pi/agents/**",
+      ".pi/prompts/**",
+      ".pi/skills/**",
+      ".pi/output-contracts/**",
+      ".pi/chains/**"
+    ],
+    "profiles": ["prompt-ops"]
+  },
+  "must_do": [
+    "Keep agent roles focused and bounded by declared tools.",
+    "Require evidence, risks/blockers, compliance, and deliverable_delivered markers in durable agent outputs.",
+    "Prefer skills for specialized context instead of bloating global prompts.",
+    "Validate output-contract changes with smoke coverage."
+  ],
+  "must_not_do": [
+    "Do not grant write tools to read-only agents without an explicit scope and reason.",
+    "Do not weaken oracle/security output requirements.",
+    "Do not duplicate existing agents/prompts/factories without checking reuse."
+  ],
+  "allowed_tools": ["read", "bash", "edit", "write", "grep", "find", "ls"],
+  "required_validation": [
+    "npm run check -- --pretty false",
+    "npm run smoke:harness",
+    "output contract review"
+  ],
+  "oracle_required": true,
+  "no_ship_conditions": [
+    "agent missing output contract markers",
+    "oracle/security role downgraded silently",
+    "prompt encourages unsupported tools or scope drift"
+  ],
+  "enforcement": "warn"
+}
+```

package/.pi/rules/runtime.md

@@ -0,0 +1,43 @@
+# ZOB Rule Pack: Runtime Maintainer
+
+```json
+{
+  "schema": "zob.rule-pack.v1",
+  "id": "runtime",
+  "description": "Rules for Pi runtime registrations, commands, widgets, events, and public extension exports.",
+  "applies_to": {
+    "paths": [
+      ".pi/extensions/zob-harness/index.ts",
+      ".pi/extensions/zob-harness/src/runtime/**",
+      ".pi/extensions/zob-harness/src/schemas.ts",
+      ".pi/extensions/zob-harness/src/types.ts"
+    ],
+    "profiles": ["runtime-maintainer"]
+  },
+  "must_do": [
+    "Preserve the default export zobHarness(pi).",
+    "Preserve public exports consumed by scripts/harness-smoke.mjs.",
+    "Preserve registered tool and command names unless explicitly approved.",
+    "Keep runtime ledgers and widget summaries body-free."
+  ],
+  "must_not_do": [
+    "Do not change observable tool names, command names, event handlers, sentinels, or artifact names without smoke coverage.",
+    "Do not import from index.ts inside src/**.",
+    "Do not convert synchronous fs behavior to async during split-only or runtime maintenance slices."
+  ],
+  "allowed_tools": ["read", "bash", "edit", "write", "grep", "find", "ls"],
+  "required_validation": [
+    "npm run check -- --pretty false",
+    "npm run smoke:harness",
+    "npm run pi:check"
+  ],
+  "oracle_required": true,
+  "no_ship_conditions": [
+    "runtime registration drift",
+    "public export drift",
+    "missing smoke coverage for runtime behavior",
+    "prompt/output body persisted"
+  ],
+  "enforcement": "warn"
+}
+```

package/.pi/rules/sandbox.md

@@ -0,0 +1,43 @@
+# ZOB Rule Pack: Sandbox Engineer
+
+```json
+{
+  "schema": "zob.rule-pack.v1",
+  "id": "sandbox",
+  "description": "Rules for write-capable agents, temp workspaces, diff gates, rollback metadata, and apply controls.",
+  "applies_to": {
+    "paths": [
+      ".pi/extensions/zob-harness/src/safety.ts",
+      ".pi/extensions/zob-harness/src/child-runner.ts",
+      "reports/sandbox-runs/**"
+    ],
+    "task_types": ["sandbox", "write autonomy", "diff gate", "rollback"],
+    "profiles": ["sandbox-engineer"]
+  },
+  "must_do": [
+    "Run write-capable autonomous work in a temp workspace or equivalent sandbox before applying to main workspace.",
+    "Produce diff artifacts and rollback metadata for write phases.",
+    "Require oracle review before applying generated changes.",
+    "Default autoApply to false."
+  ],
+  "must_not_do": [
+    "Do not auto-apply sandbox diffs without explicit approval.",
+    "Do not allow writes without allowed_paths and forbidden_paths.",
+    "Do not modify protected/generated/vendor paths without explicit approval."
+  ],
+  "allowed_tools": ["read", "bash", "edit", "write", "grep", "find", "ls"],
+  "required_validation": [
+    "npm run check -- --pretty false",
+    "npm run smoke:harness",
+    "diff artifact and rollback metadata checks"
+  ],
+  "oracle_required": true,
+  "no_ship_conditions": [
+    "autoApply=true without approval",
+    "missing diff artifact",
+    "missing rollback metadata",
+    "oracle review missing before apply"
+  ],
+  "enforcement": "human_approval"
+}
+```

package/.pi/settings.json

@@ -0,0 +1,28 @@
+{
+  "sessionDir": ".pi/sessions",
+  "extensions": [
+    "extensions/zob-switch/index.ts",
+    "extensions/zob-harness/index.ts"
+  ],
+  "prompts": [
+    "prompts"
+  ],
+  "skills": [
+    "skills"
+  ],
+  "compaction": {
+    "enabled": true,
+    "reserveTokens": 32768,
+    "keepRecentTokens": 16000
+  },
+  "retry": {
+    "enabled": true,
+    "maxRetries": 3,
+    "baseDelayMs": 2000,
+    "provider": {
+      "maxRetryDelayMs": 60000
+    }
+  },
+  "steeringMode": "one-at-a-time",
+  "followUpMode": "one-at-a-time"
+}

package/.pi/skills/zob-agentic-access/SKILL.md

@@ -0,0 +1,20 @@
+---
+name: zob-agentic-access
+description: Use when adding or reviewing external adapters such as package metadata, GitHub, browser, cloud, or other APIs.
+---
+# ZOB Agentic Access Skill
+
+## Activation ladder
+
+1. Local filesystem/git readonly.
+2. Package manager readonly.
+3. GitHub readonly.
+4. Browser only on explicit human request.
+5. Write adapters only after sandbox + oracle + approval.
+
+## Adapter rules
+
+- Never read secrets or credentials.
+- Write access requires explicit approval metadata.
+- Browser/cloud/production actions are no-ship unless gated.
+- Every adapter needs proposal -> smoke -> oracle -> manual activation.