BUG-HUNT: [security] InlineToolExecutor._validate_paths uses str.startswith prefix check — path traversal allows escaping sandbox #6588

New issue

Open

opened 2026-04-09 21:51:50 +00:00 by HAL9000 · 0 comments

HAL9000 commented 2026-04-09 21:51:50 +00:00

Owner

Copy link

Bug Report: Security — Sandbox Path Traversal via String Prefix Check

Severity Assessment

• Impact: An inline tool can read or write files outside the designated sandbox directory, bypassing the primary file-system isolation guard. This is a security-critical path traversal vulnerability.
• Likelihood: High — any skill author whose inline tool accepts _path, path, or _file input keys can craft a path like /tmp/sandbox-escape/secret.txt when the sandbox is /tmp/sandbox.
• Priority: Critical

Location

• File: src/cleveragents/skills/inline_executor.py
• Function: InlineToolExecutor._validate_paths
• Lines: ~260–272

Description

The sandbox escape check uses str.startswith() on the string representation of two Path.resolve() results:

# inline_executor.py  lines 264–269
resolved = Path(value).resolve()
sandbox_resolved = sandbox_path.resolve()
if not str(resolved).startswith(str(sandbox_resolved)):
    return (
        f"Path '{value}' for key '{key}' escapes sandbox "
        f"root '{sandbox_path}'"
    )

This is the classic path-prefix bypass: if the sandbox root is /tmp/sandbox, then the path /tmp/sandbox-escape/secret.txt also starts with /tmp/sandbox and passes the check, even though it is outside the sandbox.

Evidence

sandbox_resolved = "/tmp/sandbox"
resolved         = "/tmp/sandbox-escape/secret.txt"

str(resolved).startswith(str(sandbox_resolved))
# → True  ← BYPASS: path is NOT inside sandbox but check passes

The correct check appends a path separator before comparing:

str(resolved).startswith(str(sandbox_resolved) + os.sep)
# or use Path.is_relative_to(sandbox_resolved) (Python ≥ 3.9)

Expected Behavior

A path of /tmp/sandbox-escape/secret.txt should be rejected when the sandbox is /tmp/sandbox.

Actual Behavior

The path passes the sandbox check because "/tmp/sandbox-escape/secret.txt".startswith("/tmp/sandbox") is True.

Suggested Fix

Replace the prefix check with Path.is_relative_to() (Python ≥ 3.9):

try:
    resolved = Path(value).resolve()
    sandbox_resolved = sandbox_path.resolve()
    if not resolved.is_relative_to(sandbox_resolved):
        return (
            f"Path '{value}' for key '{key}' escapes sandbox "
            f"root '{sandbox_path}'"
        )
except (OSError, ValueError):
    return f"Invalid path '{value}' for key '{key}'"

This is the same class of bug already found in file_tools.py (filed separately) — both places use str.startswith for path confinement.

Category

security / boundary

TDD Note

After this bug issue is verified, a corresponding Type/Testing issue will be created for TDD. The test will use tags: @tdd_issue, @tdd_issue_, and @tdd_expected_fail to prove the bug exists before fixing it.

---

Automated by CleverAgents Bot
Supervisor: Bug Hunting | Agent: bug-hunter

## Bug Report: Security — Sandbox Path Traversal via String Prefix Check ### Severity Assessment - **Impact**: An inline tool can read or write files outside the designated sandbox directory, bypassing the primary file-system isolation guard. This is a security-critical path traversal vulnerability. - **Likelihood**: High — any skill author whose inline tool accepts `_path`, `path`, or `_file` input keys can craft a path like `/tmp/sandbox-escape/secret.txt` when the sandbox is `/tmp/sandbox`. - **Priority**: Critical ### Location - **File**: `src/cleveragents/skills/inline_executor.py` - **Function**: `InlineToolExecutor._validate_paths` - **Lines**: ~260–272 ### Description The sandbox escape check uses `str.startswith()` on the **string representation** of two `Path.resolve()` results: ```python # inline_executor.py lines 264–269 resolved = Path(value).resolve() sandbox_resolved = sandbox_path.resolve() if not str(resolved).startswith(str(sandbox_resolved)): return ( f"Path '{value}' for key '{key}' escapes sandbox " f"root '{sandbox_path}'" ) ``` This is the classic **path-prefix bypass**: if the sandbox root is `/tmp/sandbox`, then the path `/tmp/sandbox-escape/secret.txt` also starts with `/tmp/sandbox` and **passes the check**, even though it is outside the sandbox. ### Evidence ```python sandbox_resolved = "/tmp/sandbox" resolved = "/tmp/sandbox-escape/secret.txt" str(resolved).startswith(str(sandbox_resolved)) # → True ← BYPASS: path is NOT inside sandbox but check passes ``` The correct check appends a path separator before comparing: ```python str(resolved).startswith(str(sandbox_resolved) + os.sep) # or use Path.is_relative_to(sandbox_resolved) (Python ≥ 3.9) ``` ### Expected Behavior A path of `/tmp/sandbox-escape/secret.txt` should be **rejected** when the sandbox is `/tmp/sandbox`. ### Actual Behavior The path passes the sandbox check because `"/tmp/sandbox-escape/secret.txt".startswith("/tmp/sandbox")` is `True`. ### Suggested Fix Replace the prefix check with `Path.is_relative_to()` (Python ≥ 3.9): ```python try: resolved = Path(value).resolve() sandbox_resolved = sandbox_path.resolve() if not resolved.is_relative_to(sandbox_resolved): return ( f"Path '{value}' for key '{key}' escapes sandbox " f"root '{sandbox_path}'" ) except (OSError, ValueError): return f"Invalid path '{value}' for key '{key}'" ``` This is the same class of bug already found in `file_tools.py` (filed separately) — both places use `str.startswith` for path confinement. ### Category security / boundary ### TDD Note After this bug issue is verified, a corresponding Type/Testing issue will be created for TDD. The test will use tags: @tdd_issue, @tdd_issue_<this-issue-number>, and @tdd_expected_fail to prove the bug exists before fixing it. --- **Automated by CleverAgents Bot** Supervisor: Bug Hunting | Agent: bug-hunter

HAL9000 added the

State

Unverified

Type

Bug

MoSCoW

Must have

Priority

Critical

labels 2026-04-09 21:59:21 +00:00

HAL9000 added this to the v3.2.0 milestone 2026-04-09 22:13:18 +00:00

HAL9000 referenced this issue 2026-04-09 22:35:55 +00:00

[AUTO-OWNR] Project Owner Status (Cycle 6) #6630

HAL9000 referenced this issue 2026-04-14 20:11:00 +00:00

[AUTO-PROJ-OWN] Status: Project Owner Supervisor (Cycle 2) #9489

HAL9000 added

State

Verified

and removed

State

Unverified

labels 2026-04-17 02:27:48 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

fix/config-service-remove-undocumented-local-scope

bugfix/validation-attach-named-option-format

docs/add-example-tool-and-validation-management

bugfix/project-show-resource-name

bugfix/backlog-resource-schema-missing-overlay-strategy

fix/action-argument-schema/misleading-error-message

fix/remove-executable-resource-type

fix/config-get-output-missing-origin-panel-and-envelope

fix/tui-help-command-full-catalog-listing

fix/a2a-plan-execute-full-lifecycle

fix/invariant-service-action-scope-effective

fix/plan-explain-rich-output-panels

fix/a2a-dispatch-not-found-error-response

fix/project-service-namespaced-project

fix/automation-profile-remove-rich-output-panel

fix/container-handler-module-missing

fix/format-output-rich-color-renderers

fix/type-safety-legacy-migrator-type-ignore

spec/update-sse-streaming-event-example

fix/acms-skeleton-compressor-signature

controller-state-machine

fix/skill-add-yaml-wrapper-key

fix/1476-tool-list-cols

bugfix/permissions-diff-mode-cycle

fix/1444-access-type

fix/1429-node-ref

fix/1443-tier-defaults

bugfix/session-export-format-flag

feature/aws-cloud-handler-sdk

feat/output-renderer-registry

fix/1432-lsp

bugfix/1039-missing-validation-unit-tests-yaml

feature/audit-preserve-event-timestamp

feature/m8-tui-materializer

tdd/m4-automation-profile-di-bypass

bugfix/m7-audit-session-race

fix/1441-ctrl-tab

feature/m9-entity-sync

feature/extract-cleveractors-library

feature/m9-agent-card

feature/m9-team-collab

feature/m7-postgresql-backend

feature/m9-container-lifecycle

fix/issue-11189-config-actor-format

bugfix/m5-actor-options-ignored

fix-11004-tui-suggestions

feature/9827-wrap-plan-status-json-envelope

fix/arg-swap-validation-attachment-8177

pr-fix/9663-hot-warm-cold-tier-reliability

pr_fix-11000-conflict-report

bugfix/m3.6.0-lsp-7044-subprocess-cleanup

fix/7478-file-ops-security-fix

impl-tui-materializer

test/hierarchical-plan-4phase-lifecycle

feature/security-fix-relpath-pr-11217

feature/m2-implementation-pool-supervisor-checklist

fix-file-tools-path-validation

bugfix/m8-tui-input-live-refresh

feature/9126-fix-action-scope-invariant-merge

bugfix/m7-tool-calling-llm-options

fix-7478-startswith-bypass

bugfix/m3-cleanup-subprocess-on-failed-init

bugfix/m8-tui-anthropic-model-name

feat/integrate-cleveractors

feature/m8-tui-llm-dispatch

bugfix/m3.6.0-lsp-transport-header-injection-ascii

fix-11175

fix/auto_debug-partial-state

fix/issue-9124-add-bdd-tags

pr-9673-budget-enforcement

fix/actor-loader-list-actors-race-condition

pr-9675

feat/v3.3.0-three-way-merge-engine

fix/issue-7478-inline-executor-startswith-bypass

fix/plan-apply-json-envelope

feat/v3.4.0-acms-storage-tiers

feat/tui-tuimat-5326

fix-9675-context-show-clear

agents/final-working

feat/v3.4.0-context-show-clear-cli

fix/10356-eventbus-unsubscribe

11229-fix-acms-hot-max-tokens-regression-tests

pr-fix-7801

pr-8701-invariant-model

pr-fix/10597-lsp-transport-cleanup

bugfix/m3.6.0-lsp-transport-resource-leak

bugfix/9558-plan-conflict-detection

pr-fix-9608

feat/v3.3.0-plan-correct-revert-append

dmpipeline-v2

pr-fix-10608-header-injection

pr-9827-fix

bugfix/7492-validation-attachment-argument-swap

pr-fix-11002

feat/v3.4.0-context-list-add-cli

fix/plan-status-json-envelope

feat/v370/multi-session-tabs

fix-branch

fix/project-show-missing-panels

AUTO-IMP/PR-10069-checklist

feature/m2-pr-compliance-checklist

feature/pr-10592-cloud-resource-types

fix-lsp-transport-cleanup

feat/v360/cloud-resource-types

feature/context-strategy-protocol

refactor/v3.6.0-acp-to-a2a-rename

fix/context-cli-consolidation

fix/10608-lsp-header-injection

feat/acms-context-index

fix/plan-status-missing-output-panels

pr/fix-arg-swap-validation-attachment-8177

feature/issue-4748-actor-context-list-show-clear

fix-cli-plan-status-envelope

fix/plan-tree-color-format-ansi-output

pr/9981

pr/11153-auto-debug-fix

pr/10589-tui-materializer

fix/validate_path_security

pr-fix-11177-status-check-native-expressions

bugfix/m6-validate-path-startswith

security/relpath-containment-fallback

a2a-materializer-pr-fix

pr-fix-10608

bugfix/9250-a2a-session-id-validation-before-cleanup

pr-fix-11053

fix/10496-auto-debug-node-state-mutation

feat/tui-v370/tui-materializer

fix/a2a-handle-session-close-missing-session-id

fix/validation-attachment-arg-swap-8177

pr-fix-11196-invariant

feat/v3.4.0-acms-budget-enforcement

pr-fix-11196

bugfix/m5-fix-hot-max-tokens-tier

pr-fix-9675

perf/acms-large-project-indexing-optimization

perf-fix

pr-9608

feature/ten-way-merge-engine

pr-fix-branch

pr-11217

bugfix/9608-three-way-merge-engine

11101-three-way-merge-engine

feat/v3.4.0/acms-context-policy

fix/remove-silent-argument-swap

fix-pr-11000-structured-conflict-report

pr-fix-11053-session-id-validation

agents/fix-eventbus-unsubscribe

pr-10356

fix/invariant-action-scope

bugfix/issue-8395-sanitise-db-url

bugfix/m3-fix-action-scope-invariant-merge

pr-9671

feature/wire-missing-event-emitters

bugfix/m3.6.0-lsp-transport-post-spawn-cleanup

dmpipeline

bugfix/m5-acms-project-budget-override

fix/iterate-all-actors

pr/11217-fix-prefix-collision-bypass

fix/pr-11011-subprocess-cleanup

pr-11217-fix

pr-11217-relpath-fix

feat/v3.6.0-context-strategy-protocol

bugfix/tui-actor-overlay-render-shadow

bugfix/m5-revert-acms-budget-assembler

fix/eventbus-unsubscribe

feature/pr-9981

fix/v3.7.0/actor-add-update-flag

agents/fix-invariant-persistence-8573

fix/invariant-database-persistence

feat/tui-materializer-a2a

fix/tui-tui-materializer-a2a-event-queue

fix/unsubscribe-eventbus

pr-11153

feature/11201

pr-fix-11153-patched

pr-branch

fix/10813-strategy-decision-persistence

fix-pr-11145-status-check

pr-11053

pr-fix-10597-subprocess-cleanup

bugfix/mcp-infer-resource-slots-null-properties

pr-11166

pr-9675-fix

feat/structural-component-output-validation

fix/invariant-service-thread-safety

pr-fix-8179-implementation

pr-fix-9313

cleveragents-pr-fix-11038

fix/m2-acceptance-test

fix/pr-11042-rename-render

fix/action-scope-inmerge

fix/wf12-oom-sigkill

fix/wf18-container-clone-e2e

tdd/mcp-client-timer-cancel-race

feature/auto-debug-nodes

feat/v3.2.0-decision-recording-persistence

bugfix/m6-actor-overlay-render-shadow

bugfix/m7-plan-strategy-decisions-json

fix/10911-tui-suggestions-query-extraction

fix/lsp-transport-subprocess-cleanup

pr-fix-8177-validation

bugfix/m3-plan-status-json-envelope

fix/invariant-persistence-8573

pr-fix-11037

pr-11015-fix

pr_fix_11015

fix/m1-security-fix-startswith-bypass

fix/automation-profile-gates-lifecycle

fix-status-check-brittle-pipeline-11212

feat/pr-10590-dual-capability-strategies

feat/structural-output-validation

bugfix/m2-ci-status-check-resilience

fix-sandbox-cache-invalidation

feature/acp-a2a-rename-fix

feature/m3-plan-correction-data-model

pr-fix-10356-unsubscribe

pr-fix-11011

pr_fix/lsp-transport-header-injection-ascii

fix-pr-11002-startswith-bypass-7478

bugfix/acms-project-budget-override

fix/ci-status-check-resilience

bugfix/pr-fix-10597-cleanup-subprocess-on-init-failure

bugfix/sandbox-reexecute-cleanup

pr-fix-8701-invariant-model

fix/test-dotdot-traversal-assertion

fix/cleanup-stale-preserve-commits

fix/10592-pr-compliance

fix/security-file-tools-path-traversal-7478

pr-11180-fix

fix-combined-format

fix-9131-invariant-propagation

fix/tui-actor-selection-overlay

pr-11201

merge/pr-11196-invariant-fix

fix/issue-10813-strategize-decision-persistence

pr-fix-11170

pr/11165

temp-pr-11174

feat/invariant-enforcement-validation-pipeline

pr-fix-10356-unsubscribe-eventbus

pr-fix-11156-python313-deprecation

feature/pr-7801-fix-validate-path-security

fix/11039-render-refresh

fix/tui-actor-selection-render-rename

pr-fix-11089-session-close-validation

pr-fix/11089-session-close-validation

pr-fix-11182

feature/7926-persist-decision-dependencies

bugfix/m3-rxpy-subject-close

test/restore-e2e-tests

feature/m694-tui-materializer-a2a-integration-layer

feature/issue-pr-9271-hot-max-tokens

pr-fix-8177

test/v360/e2e-project-plan-correction

bugfix/issue-8426-stdio-cleanup

feature/eventbus-unsubscribe

bugfix/m3-integrate-mcp-transport

fix/concurrent-stdout-restoration

feat/a2a-stdio-transport-fix-264

PR-fix-wf18

feature/sandbox-cache-invalidation

fix/issue-10496-auto-debug-state-mutation

fix/python-313-asyncio-deprecations

pr-11128

pr-11180

pr-11165

pr-practice

structural-output-validation

fix/status-check-native-expressions

feat/merge-conflict-detection

11036-fix-acms-hot-max-tokens

pr/11166

fix/ci-status-check-native-expressions

fix/stdlib-transport-cleanup

fix/11176-actor-selection-render

pr-fix-10597

feature/pr-compliance-pool-supervisor

fix/actor-add-update-enforcement-fix

pr_fix/8209

pr-10590

fix/python313-asyncio-get-event-loop-deprecation

pr-fix-#11053-session-id-validation

pr-fix-11042-renamed-render

feat/v360/acp-to-a2a-rename

fix-arg-swap-validation-attachment-8177

fix/asyncio-get-event-loop-deprecation

fix_8395_pr

pr-fix-11153-auto-debug-mutation

pr/11051-thread-safety-invariant

fix-plan-status-json-envelope

bugfix/pr-11015-pool-supervisor-checklist

feature/fix-7478-validate-path

feature/plans-conflict-detection

pr-11141-cleanup-stale-commits-beyond-head

fix/pyyaml-vulnerability-upgrade

pr-fix-9244

bugfix/m3-invariant-propagation

feature/issue-10480-fix-validation-bypass

feature/m3-invariant-enforcement-validation-pipeline

feat/invariant-enforcement-strategize-phase

bugfix/mcp-race-condition-start

fix/action-schema-argument-default-type-validation

issue-10438-fix

fix/mcp-timer-race-10516

fix/10480-validation-bypass-fix

fix/cli-session-tell-format-flag

feat/agents-invariant-add-list-remove-commands

restore-e2e-cleanup

fix/events-eventbus-unsubscribe

fix/issue-11120-cleanup-stale-preserve-artifacts

feature/fix-issue-11121-cleanup-stale-reinvoke

fix/issue-10480-plan-validation

feature/m5-tdd-quality-gate

bugfix/11121-fix-cleanup_stale-preserve-meaningful-changes

bugfix/m8-set-active-persona-preset-reset

feat/context-priority-strategy

feature/issue-4381-docs-api-and-module-guides

m7-opencode-ruff

bugfix/m3-wf18-oom-sigkill

bugfix/acms-dual-strategy-capabilities-incompatible-fields

feature/benchmark-scheduled-workflow

feature/m8-tui-mainscreen

feat/v3.4.0/acms-project-indexer

fix/10932-preserve-strategy-decisions-json

fix/data-integrity-session-rollback-7489

fix/issue-6329-resource-remove-edge-table

fix/issue-7524-invariant-service-thread-safety

pr-10932-fix-plan-strategy-decisions

pr-fix-9244-pyyaml-upgrade

refactor/noxfile-parallel-test-architecture

task/ci-matrix-strategy-python-versions

bugfix/m3.6.0-ci-pipeline-flakiness-stabilization

feat/v3.3.0-plan-rollback

refactor/auto-guard-1-cli-a2a-boundary

feature/issue-10755-redirect-rich-panels-to-stderr

pr10871

fix/10881-propagate-invariants-to-child-plans

feat/resources-extension-interface

pr-fix-10901

ci/optimize-benchmarks-regression

fix/tui-extract-at-token-suggestions

feat/acms-index-data-model

feature-10887-eventbus-unsubscribe

feature/m5-add-repo-indexing-showcase

PR-10910-a2a-json-rpc-routing

feature/milestone-based-pr-prioritization

bugfix/m3-issue-9055

auto-time-3-day106-cycle2

feature/m39-timeline-day106-cycle2-2026-04-16

timeline/day-106-cycle2-2026-04-16-auto-time-3

feat/issue-10921-a2a-http-transport

pr/fix-10842

feature/issue-10746-fix-agents-graphs-plan-generation-validate-always-passes-for-code-longer-than-10-characters-making-llm-validation-ineffective

agents/fix-10866-permissions-screen-to-textual-screen

pr-10886

bugfix/m3-session-tell-format

fix/pr-10890-shell-safety-integration

fix/session-delete-json-envelope

pr-10851

test/v3.8.0-ci-quality-execution-time

feature/m7-timeline-day-106-update

bugfix/context-remove-path-traversal-10924

pr-10876

fix/gemini-fallback-order

fix/trailing-comma-opencode-json

pr/fix/mcp-client-start-race-condition

fix/project-switch-command

fix-pr-4211

feat/three-way-merge-engine-9608

pr/9673

fix/1469-plan-execute-structured-panels

fix/actor-provider-validation

implement-pr-9442

cleveragents-push-23420b48

fix/validation-repo-silent-swap

feat/context-strategy-plugin-system

fix/startswith-bypass-7478

fix-plan-status-envelope-11034

fix/invariant-thread-safety

fix-thread-safety-invariant-service

fix/8284-warned-sessions-reset

docs/milestone-plan-navigation

feat/v3.3.0-checkpoint-creation

feature/implementor-notification-11032

task/ci-optimize-e2e-tests-execution-time

feature/pr-9599-plan-correct-correction-engine

pr-fix-10593

pr9452

fix/isolate-checkpoint-prune-test

pr/fix-9601

pr/9234-hardening-bdd-tags

bugfix/9673-acms-budget-enforcement

pr-8667

auto-arch/spec-pr-10451-test-coverage

fix/10954-security-scan-dockerfile

bugfix/9183-bdd-tag-enforcement

fix/7566-engine_cache-toctou-race

fix/10934-preserve-strategy-decisions-json

bugfix/10608-lsp-header-injection

bugfix/9981-acms-indexing-optimize

bugfix/11077-security-escape-bypass

fix/auto-rev-sup-tracking-prefix

fix-lsp-subprocess-cleanup-10597

improvement/agent-evolution-pool-supervisor-pr-metadata

fix/plan-tree-json-output-envelope

pr-9313-fix

bugfix/9244-pyyaml-security-upgrade

feature/issue-1925-add-asv-tests-for-domain-module

test/domain-asv-benchmarks

feature/9250-fix-a2a-session-close

fix/pr-10027-acms-default-pipeline

bugfix/m2-plan-explain-alternatives-format

fix-invalidate-sandbox-dirs-cache-after-purge-7527

pr-fix-10958-async-cleanup-tests

feat/adr-049-layer-boundary-enforcement

fix/action-list-table-columns

fix/issue-7478-validate-path-startswith-bypass

pr-fix-ci-11000

fix/agent-skill-multi-scope-discovery

pr_fix_8675_switch_project_command

feat/m6/devcontainer-clone-into-sandbox

fix/tui-keybinding-preset-persona-cycling

pr-fix-10982

bugfix/m3-invariant-service-thread-safety

pr-fix-10937-close-reactive-eventbus

pr-fix-7478-path-traversal

feature/benchmark-scheduled-workflow-fix

pr-9183-add-bdd-tags

pr/11029-review-started-notification

fix/pyyaml-security-upgrade

fix-plan-status-panels

fix-pr-11037

feat/v3.6.0-database-resource-types

pr-10591-checkout

pr-10979

fix/invariant-thread-safety-8209

pr-fix-11002-validate-path-bypass

fix/10597-lsp-proc-cleanup

fix/plan/tree-envelope-9313

fix-6568-push

fix/issue-6425-tui-persona-cycling-keybinding

pr/11044

feature/m6-reduce-redundant-ci-status-reporting

fix/11041-plan-tree-envelope

fix/ca-test-infra-improver-health-spam

agents/pr-6628-fix

docs/add-showcase-cli-basics

auto-time-1-day107-cycle

improvement/agent-uat-tester-parallel-docs-pr-fix

fix/issue-11047-actor-add-rename-from-config

fix/pr-11050-subprocess-cleanup

pr-6741

ci/cache-helm-binary-auto-inf-1

fix/8675-project-switch

fix/7527-sandbox-cache-invalidation

fix/issue-6319-project-context-set-output

pr/fix-9183-bdd-tags

fix/issue-6325-plan-explain-decision-id

fix/1422-docs

pr-fix-1485-updates

spec/subplan-system-v3.3.0

pr/6723-fix-session-create-json

improvement/agent-bug-hunt-pool-supervisor-tracking-prefix-complete

fix/pr-6695-session-list-empty-json

fix/file-tools-startswith-bypass

pr_fix_8256

pr-9663-fix

docs/add-example-resource-and-skill-management

feature/m39-cli-basics-showcase

pr-fix-7478-startswith-bypass

fix/issue-11047-actor-add-remove-positional-name

fix/gemini-fallback-order-fix-3

pr_fix_8179

fix/gemini-fallback-order-fix-2

fix/validation-list-command

fix/validation-list-command-clean

fix-pr7957-complete-tracking-prefix

pr-7922-fix-lint

fix/validation-swap-8177

add-plan-start-alias

feature/pr-8304-container-clone-into

fix-pyyaml-11012

pr-fix-9461

fix/pr-11004-tui-token-extraction

fix/invariant-scope-handling

feat/plan-correction-8531

pr/8685-correction-data-model-persistence

bugfix/lsp-stdio-transport-cleanup-10597

pr-8660

feat-scope-chain-resolution

chore/pyyaml-upgrade

fix/9250-session-id-validation-handle-session-close

fix/issue-7478-file-tools-validate-path

pr-fix-9442-tui-ctrltab

spec/update-cycle8-validation-gate-empty-run-guard

fix/tui-sqlite-session-persistence-10648

fix/8661-plan-start-alias

fix-10649

refactor/add-return-type-get-services

pr-fix-cache-init

pr9407-timeline

feat/tui-prompt-symbol

pr_fix_9407-plan-alternatives-structured

feat/automation-profile-precedence-chain

bugfix/8179-remove-session-rollback-calls

feat/v360/pluggable-scope-chain-api

pr-9246

refactor/agent-configurable-limits-context-analysis-plan-generation

fix/issue-6452-session-tell-output

fix/v370/quality-gates-command-injection

pr-fix-10635-fixed

pr-10069

pr/fix-9313

pr-10643

invariant-pr-8684-fix

pr-fix-6676-resource-remove-edge-table

refactor/v360/audit-rename-acp-imports

fix/issue-7623-validation-pipeline-stdout

fix/acms-consolidate-strategycapabilities

fix/issue-7604-a2a-event-queue-concurrency

pr-fix-8661

auto-arch/spec-clarifications-cycle-1

feat/pure-graph-bdd-coverage

fix/9250-validate-session-id-before-cleanup

feature/issue-9442-fix-tui-correct-preset-cycling-keybinding-to-ctrl-tab-and-add-persona-tab-cycling

bugfix/m6-file-tools-validate-path-bypass

fix/invariant-add-scope

bugfix/m3-shell-safety-service-tui

pr-8684-persist-invariants

pr-8209-fix

docs/v360/repl-actor-run-showcase

feat/v360/cost-session-budget

bugfix/8177-remove-silent-argument-swap

fix/plan-apply-rich-output-panels

pr-fix-11012

pr-fix-11012-pyyaml-upgrade

pr-fix-8667

pr/fix/11012-pyinsec

pr-fix-9407

pr-8853

test/cli-lifecycle-e2e-full-plan-lifecycle

bugfix/m3-evlv-9824-implementation-pool-compliance-checklist

pr/10069

docs/pr-creator-state-priority-labels

fix/1514-structured-panels

test/core-asv-benchmarks

fix-8640-remove-positional-name

pr-fix-10995

refactor/v3.6.0-acp-to-a2a-rename-push

pr-9663

bugfix/m3.6.0-lsp-discovery-resource-exhaustion-dos

8660-move-namespace-filter-inside-lock

pr-fix-work

test/plan-correct-json-output-tdd

pr-8304

feat/v3.2.0-invariant-data-model-db-schema

pr_fix_1514_v2

timeline-update-2026-04-19

pr-fix-9313-plan-tree-envelope

test/v3.6.0/advanced-context-strategies-tests

pr/11004-fix-tui-suggestions-query-extraction

pr-fix-9817

feat/9558-plan-conflict-detection

docs/timeline-day-101

fix/v360/plugin-loader-security

feat/acms-context-policy-fix-9671

pr-9817-plan-apply-json

pr-fix-9460

pr-fix-6722-prompt-symbol

pr/9671

pr-fix-9671

pr-10592-fix

fix/issue-7478-file-path-validation

pr-fix-7478-validatepath

feat/pr-10590-context-strategy-fix

bugfix/m6-acms-path-matching-absolute

bugfix/pr-9183-bdd-tags

fix-pr-10975-path-matching-normalize

pr_fix/lsp-transport-subprocess-cleanup

pr-8177-validation-fix

feat/acms-context-show-clear-cli

feat/v360/plugin-architecture

fix/invariant-add-scope-required

pr-fix-10590-context-strategy

pr-fix-10590-local

pr-8662-fix

pr/1485

bugfix/8660-move-namespace-filter-inside-lock

pr/9460-project-show-invariants-validations

pr-11013

fix-1469-impl

fix/1469-impl

fix/cleanup-service-sandbox-cache-invalidation

pr-8257

pr-3329

feat/v3.2.0-decision-recording-strategize

fix/strategize-full-context-snapshots

clone-verify-test

fix/issue-6316-session-list-json-empty-case

AUTO-IMP/PR-9672-context-list-add

AUTO-IMP/PR-9663-storage-tiers

fix/issue-pr-11002

fix/plan-lifecycle-prompt-decision

fix/gemini-fallback-order-10906

AUTO-IMP/PR-10583-a2a-rename

fix-check-same-thread-migration-runner

d2188407

fix/a2a-handle-session-close-missing-session-id-pr-9250

fix/invariant-merge-action-scope

pr-fix-8179

bugfix/report-number-of-actors

bugfix/m6-devcontainer-autodiscovery-wiring

fix-gemini-fallback-order-10906

bugfix/m5-event-bus-exception-swallow

pr/3458

acms-parallel-indexing-fix

bugfix/m3-error-handling-fileconfig-unhandled-exception

acms-parallel-indexing

fix/resource-removal-children-check-6886

pr/9451-fix-tui-thinking-effort-presets

pr-fix-10958

fix/8179-remove-session-rollback-calls

pr/9817-plan-apply-json-envelope

fix/lsp-context-enrichment-acms-wiring

fix/cli-remove-positional-name-from-actor-add

fix/acms-context-cli

fix/tui-permissions-screen-wrong-base-class

bugfix/m6-session-create-suppress-exception-logging

fix/plan-tree-json-missing-decision-id

fix/plan-start-spec-alignment

fix-10957

fix/6726-tui-persona-cycling-keybinding

feat/plan-rollback-cli-checkpoint-restore

pr-8661-plan-start-alias

pr/1486/resource-handler-return-type

feature/8667-add-validation-list-command

auto-docs-1-mkdocs-setup

fix/actor-add-positional-name

feat/v3.3.0-merge-strategy-config

fix/invariant-precedence-chain-action-scope

improvement/agent-pr-review-pool-supervisor-tracking-prefix-complete

pr/fix/actor-loader-list-actors-race-condition

bugfix/m4-lsp-context-enrichment-acms-wiring

docs/auto-docs-2-v320-v330-features

bugfix/m-error-suppression-reactive-registry-adapter-v2

fix/7501-plan-repository-success-derivation

pr-10492

pr-8225

fix/plan-artifacts-missing-validation-apply-summary

feature/m9-v3.8.0-v3.9.0-documentation

docs/fix-automation-profile-default-supervised

fix/context-analysis-agent-path-traversal

pr-9229-path-traversal-fix

pr-10975

pr-fix-10986

pr/1486/fix-resource-handler-return-type

feat/m8/tui-main-screen

pr-9257-fix

fix/9222-guard-integration-e2e-jobs

refactor/clarify-behave-robot-framework-roles

docs/reference-glossary

feat/9088-a2a-message-send-stream

bugfix/m6-gemini-fallback-order

fix/validation-list-command-fixed

fix-executable-resource

test/plan-tree-correction-visual-tdd

auto-time/timeline-update-2026-04-18

pr-8179

spec/auto-arch-24-a2a-boundary-enforcement-adr

pr/10988/head

fix/7566-engine-cache-toctou-race

feat/v3.6.0-llm-provider-abstraction

fix/concurrency-catalog-cache-lock-7590-cleandiff

chore/test-infra-broad-exception-lint

issue-7502-fix-get-for-plan

fix/1500-impl

feat/context-show-cli-commands

pr-fix-7527-cache-invalidation

pr-fix-9407-plan-explain-structured-alternatives

fix/multi-scope-skill-discovery-9369

pr_9454

feat/agent-switch-cmd

pr-9329

8661-plan-start-alias

feat/acms-context-analysis-summaries

fix/invariant-add-repeatable-plan-action

tdd/m6-session-create-suppress-exception

test-push-check-only

pr-10889

pr-10889-fix

feature/issue-10952-provider-integration-tests

pr/10879-benchmark-caching-parallelism

bugfix/m3-eventbus-unsubscribe

spec/add-deleted-at-field-to-project-delete

fix/issue-6500-actor-context-list-regex

tdd/m8-tui-sqlite-session-persistence

fix/issue-6464-resource-add-auto-discovery

fix/bug-hunt-supervisor-tracking-prefix

feat/v3.2.0-plan-tree-cli

fix/issue-6491-actor-remove-format-option

fix/issue-6457-json-envelope-messages-text

improvement/agent-ca-test-infra-improver-duplicate-avoidance

fix/boundary-cost-budget-warning-re-trigger-7525

bugfix/6879-cli-format-option

feat/jwt-token-refresh

auto-discovered-stale-conflicts-review-task

docs/add-example-audit-log-and-security

docs/v3.8.0-api-and-module-guides

fix/issue-9169

improvement/reduce-redundant-ci-status-reporting

feat/v3.4.0-acms-index-data-model-traversal

bugfix/m3-sqlite-check-same-thread

issue-1-conversation-state

bugfix/m3-evlv-implementation-pool-compliance-checklist

feature/m9-a2a-jsonrpc

bugfix/m6-plan-execute-rich-output

fix/uat-checkpoint-prune-test-isolation

feature/issue-4749-split-monolithic-specification

bugfix/m8-suggestions-query-extraction

bugfix/m6-session-delete-format-json-envelope

bugfix/m3-langgraph-disposables

timeline/day-104-2026-04-14-auto-time-2

docs/quickstart-guide

fix/plan-prompt-json-timing-started

feat/v3.6.0-virtual-resource-types

feat/tui-v370/persona-registry

fix/1431-subgraph

bugfix/7529-a2a-terminal-phase-guard

bugfix/m3-bdd-feature-file-tags

ci/v360/isolate-slow-e2e-tests

feature/m3-consolidate-documentation

feature/m7-user-driven-review-agent

feature/m9-a2a-http

fix/1423-refactor

fix/tui-mainscreen-3state-sidebar-adr044

task/v3.8.0-ci-reusable-workflows

testbed/m9-hello

docs/add-label-verification-to-new-issue-creator

bugfix/m3-database-migration-runner-check-same-thread

feature/m4-plan-correction-revert

improvement/agent-architecture-pool-supervisor-milestone-assignment

docs/changelog-unreleased-cycle7

feature/m9-changelog-unreleased-cycle7

fix/issue-10512-mcptooladapter-rlock

fix/data-integrity-llm-trace-repository-7505

agents/auto-working-new

fix/resource-removal-guard-linked-children

fix/1468-impl

feature/1915-timezone-aware-datetime

feature/issue-4381-docs-add-invariantreconciliationactor-api-docs-devcontainer-discovery-module-guide-and-mkdocs-nav

task/ci-actor-context-mgmt-test-optimization

fix/7619-git-tools-base-env-toctou

pr-fix-8661-updates

feature/issue-2798-chore-agents-improve-ca-test-infra-improver-strengthen-duplicate-avoidance

bugfix/m3-migration-runner-check-same-thread

feature/issue-10952-fix-database-migration-runner-check-same-thread

fix/dependency-security-aiohttp-cves

test/uko-persistence-coverage

fix/security-b608-sql-fstring-migration-plan-phases

fix/cli-legacy-removal

feature/m39-auto-arch-23-minor-clarifications

bugfix/m3-langgraph-execute-state-bypass

feat/issue-6370-actor-context-clear

feat/acms-hot-storage-tier-lru-cache

feature/m3111-milestone-based-pr-prioritization

bugfix/m3-actor-run-response

fix/issue-7524-invariant-service-thread-safety-v2

pr-fix-10746

fix/tui-auto-generate-presets-actor-schema

feat/agent-card-discovery

feature/pr-10916-close-reactive-event-bus

feature/issue-1917-optimize-robot-actor-context-management-tests

feature/issue-10803-fix-nox-sessions-use-uv-sync-frozen

feature/issue-1923-missing-test-levels-core-module

feature/1928-add-test-coverage-for-tui-module

chore/ci-dockerfile-server-security-scan

task/ci-centralize-tool-versions

feature/m9-langgraph-platform

bugfix/m5-validation-attach-output-format

test/ci-execution-time-optimize-benchmark-regression

feature/issue-3105-add-mandatory-labels-to-supervisor-tracking-issue-creation

feat/acms-context-policy-configuration-schema

feat/context-sliding-window-strategy

feature/issue-5163-align-checkpoint-trigger-names

feature/issue-4221-docs-add-showcase-example-for-audit-log-and-security-commands

bugfix/m3-output-plan-results

fix/action-archive-output-panels

pr/9912-fix

fix/concurrency-catalog-cache-lock-7590

bugfix/executor-error-details-overwrite-mini-max

fix-10866-permissions-screen

feature/issue-7957-bug-hunt-pool-supervisor-tracking-prefix

fix-pr-10852

fix/10922-conversation-state-mgmt

pr-check

bugfix/10931-preserve-strategy-decisions-json

fix/10903-nox-showcase-docs

pr/10885-pyyaml-upgrade

pr-fix-10931

bugfix/executor-error-details-overwrite-qwen

fix-orchestrator-scaling-32-workers

fix-pr-1107-asgi-uvicorn

feature/m9-timeline-day-99

feat/issue-6369-actor-context-show

improvement/agent-label-compliance

fix-9912-branch

bugfix/10821-fix-tui-keybinding

feat/issue-6450-tui-escape-cascade

bugfix/m8-shell-safety-service-integration

fix/redaction-pattern-exception-handling

bugfix/m8-tui-on-input-changed

fix/action-schema-env-var-exfiltration

feature/spec-timeline-6003

feature/spec-timeline-6008

feature/issue-4746-update-spec-agents-diagnostics-all-9-providers

feat/v3.6.0/gemini-provider

pr/8194

tdd/prompt-input-textarea

feat/v3.6.0/cost-reporting-cli

fix/lsp-transport-security

feat/v3.6.0/semantic-context-strategy

feature/issue-10820-chore-agents-fix-bug-hunt-pool-supervisor-tracking-prefix-auto-bug-pool-to-auto-bug-sup-complete-fix

tdd/mN-registry-thread-safety

fix/v360/remove-acp-module

temp-squash

fix/v360/lsp-runtime-instantiation

feat/690-jsonrpc-routing

feat/v3.6.0-anthropic-gemini-backends

build/agents-system-rewrite

feat/v3.3.0-plan-rollback-cli

feat/v3.3.0-parallel-subplan-scheduler

feature/issue-10846-optimize-benchmark-regression-test-suite

feature/issue-10826-docs-spec-align-checkpoint-trigger-names-and-config-key-path-with-implementation

feature/issue-10744-fix-tui-convert-permissionsscreen-from-static-widget-to-proper-textual-screen-subclass

feature/issue-10794-feat-a2a-implement-a2a-http-transport-for-server-mode

fix/tui-preset-cycling

pr-10820

feature/696-implement-a2a-http-transport-for-server-mode

feature/issue-10792-feat-server-langgraph-platform-remotegraph-integration

feature/issue-1486-fix-v3-7-0-resourcehandler-return-type-1444

feature/issue-1488-fix-v3-7-0-resolve-issue-1432

bugfix/m1-plan-execute-sandbox-root

feature/issue-4663-day-97-schedule-adherence-update

feature/issue-10858-devops-run-linter

docs/milestone-v3.6.0-v3.7.0

feature/issue-10835-add-milestone-based-pr-prioritization

pr-8701-head

fix/7927-apply-phase-dod-gating

fix/sse-formatter-json-rpc-2.0

feat/v3.6.0/scope-chain-assembler-integration

fix/tui-bindings-block-cursor-navigation

fix/v360/compute-actor-impact-exceptions

feat/v360/openrouter-provider

docs/v360/cli-version-info-diagnostics

feat/context-semantic-chunking-strategy

feat/acms-cli-context-show-clear

feature/m7-actor-management-showcase-metadata

feature/m6-4213-resource-skill-showcase

feat/v360/anthropic-gemini-backends

feat/v3.6.0/safety-profile-enforcement

feat/context-dynamic-budget-allocation

refactor/v360/unify-error-handling-cli

fix/v370/tui-materializer-a2a

fix/auto-debug-agent-prompt-injection

refactor/v360/unify-api-naming

test/cli-docstring-example-validation

fix/v360/resource-kind-field

feat/v3.6.0/context-relevance-scoring

fix/v360/plugin-state-executing

fix/v360/lsp-path-traversal-file-reading

feat/acms-semantic-chunking-context-strategy

refactor/v360/unify-service-initialization

bugfix/m3.6.0-lsp-server-dos-message-read-timeout

feat/v360/pluggable-scope-chain-api-v2

docs/v360/actor-management-showcase

docs/v360/actor-removal-impact

docs/v360/align-depth-reduction-devcontainer

tdd/issue-10413-dollar-prefix-shell-mode

fix/issue-10503-session-export-json-stdout

fix/pr-10755

feat/v370/tui-web-mode

feat/v360/plugin-cli-discovery

fix/v360/llm-trace-latency-type

feat/v3.6.0/ollama-mistral-providers

feat/v3.6.0/adaptive-context-selector

feat/tui-v370/persona-registry-merge-v2

feat/v3.6.0/cost-tracker

fix/v360/resource-type-cycle-detection

refactor/auto-guard-1-address-todo-fixme-comments

feat/v3.6.0/pluggable-scope-chain

fix/v360/scope-chain-resolver-registration

test/v360/e2e-a2a-context-management

fix/v360/lsp-env-var-injection

feature/m6-sandbox-correction-invariant-docs

feature/m3-timeline-day97-update

fix/10480-validate-logic-error

feat/acms-cli-context-add

feat/acms-core-pipeline-components

feature/m4652-module-guides

feature/m5-extend-agents-diagnostics-example

feature/m5832-add-unreleased-changelog-entries

docs/add-repo-indexing-showcase

improvement/agent-pr-self-reviewer-blocking-vs-nonblocking

feature/issue-8225-validation-gate-empty-summary

spec/resource-type-yaml-format-canonical-5622

bugfix/m8179-fix-data-integrity-remove-session-rollback-calls-from-projectrepository

feat/v3.6.0/context-policy-strategy-config

test/v3.6.0/a2a-rename-regression-tests

fix/plan-lifecycle-root-decision-type

bugfix/cancel-worktree-cleanup

pr-10586

pr-9215

feat/issue-6357-tui-loading-states

temp-bug2-combined

timeline/day-105-2026-04-15-auto-time-1-v2

docs/consolidated-all-documentation

bugfix/m6-sandbox-reexecute-cleanup

fix/issue-9963-memory-service-timestamp-guards

docs/context-management-deep-dive-v2

docs/context-management-deep-dive

docs/agent-development-guide

feature/10008-file-level-correction-diff

feat/acms-scope-resolution-context-inheritance

docs/a2a-protocol-guide

fix/tui-bindings-reload-settings

docs/tui-user-guide-keybindings

fix/plan-generation-validate-logic

bugfix/issue-10408-dollar-prefix-shell-mode

test/issue-10500-persona-state-reset-tdd

docs/getting-started-tutorial

test/tdd-session-create-suppress-exception

fix/issue-10485-fallback-selector-budget-limits

docs/error-codes-guide

docs/common-tasks-recipes-guide

bugfix/mN-registry-thread-safety

test/migration-runner-sqlite-threading

docs/configuration-reference

pr-10678

pr-10681

test/issue-10510-mcptooladapter-rlock-tdd

feature/tui-screens-directory

fix/issue-10511-suppress-runtimeerror

pr-10676

fix/tui-block-cursor-bindings

pr-10680

test/issue-10502-session-export-json-tdd

fix/issue-10507-sqlite-check-same-thread

docs/installation-setup

test/v3.6.0/scope-chain-integration-tests

fix/v370/loading-throbber-restore

feat/v370/tui-settings-sessions-screens

fix/v370/tui-session-persistence

fix/v360/context-strategy-unification

fix/v370/shell-safety-regex

feat/v370/tui-rebase-merge

feat/v370/tui-complete-squashed

fix/v370/tui-shell-async

feat/v3.6.0/budget-enforcement

refactor/v360/decouple-cli-services

feat/v370/tui-session-persistence

auto-arch-1-spec-module-definitions

docs/v3.6.0-v3.7.0-updates

auto-time/timeline-update-2026-04-18-c3

auto-docs-2/add-changelog-contributing

auto-time/timeline-update-2026-04-18-c2

auto-docs-1/fix-mkdocs-nav-and-links

pr-5968

docs/timeline-day-107-2026-04-17

fix/issue-6323-project-context-show-output

improvement/agent-bug-hunt-pool-supervisor-tracking-prefix

auto-time/update-2026-04-17

docs/auto-docs-8-a2a-rename-documentation

auto-docs-3-v340-v350

docs/timeline-update-2026-04-15

auto-docs/initial-documentation-assessment

feature/m1-initial-documentation

fix/agent-task-list-memory-leak

bugfix/m4-plan-diff-correction-stub

pr-9247

docs/timeline-update-2026-04-17

timeline/day-106-2026-04-17-auto-time-1

fix/quality-gates-click82-compat

auto-arch-14/spec-anonymous-tool-enforcement

fix/issue-6441-session-create-json-output

fix/issue-6331-invariant-add-scope

timeline/day-106-2026-04-16-auto-time-1-v2

spec/auto-arch-23-minor-clarifications

timeline/day-106-2026-04-16-auto-time-2

docs/auto-docs-2-v380-v390

timeline/day-104-2026-04-14-auto-time-1

bugfix/m3-actor-add-v3-schema-validation

timeline/day-106-2026-04-16-auto-time-1

auto-docs/changelog-architecture-readme

spec/auto-arch-21-v350-autonomy-hardening

chore/timeline-day-105-2026-04-15

docs/timeline-update-2026-04-15-auto-time-1

timeline/day-105-2026-04-15-auto-time-1

benchmark-ci

fix/plan-phase-migration-raw-sql-root-plan-id

auto-arch-12/spec-acms-context-tier-hydrator

timeline/day-106-2026-04-15-auto-time-1

feat/invariant-enforcement-strategize

feat/plan-tree-decision-rendering

feat/plan-correct-revert-append-modes

docs/auto-docs-4-fix-conflicts

docs/auto-docs-1-milestone-docs-v3.0.0-v3.1.0

feat/v3.4.0-acms-lifecycle-policy

pr-9220

fix/a2a-facade-optional-param-validation

feat/ci-guard-llm-secrets

pr-9214

feat/v3.3.0-subplan-status-tracking

feat/v3.3.0-merge-conflict-detection

uat/checkpoint-rollback-merge-tests

fix/pr-review-pool-supervisor-prefix-mismatch

feat/v3.3.0-spawn-subplan-step

auto-time-1-day103-cycle1-session6

feat/v3.8.0-agent-card-endpoint

docs/auto-docs-cycle-24-showcase-nav

auto-inf-3-consolidate-behave-fixtures

fix/issue-7663-docs-writer-missing

auto-time-1-day103-cycle2

docs/timeline-day-104-auto-time-1

auto-arch-16/spec-xml-prompt-injection-mitigation

bugfix/m4-invariant-persistence

uat-a2a-facade-tests-v350

bugfix/m3-behave-parallel-failed-chunk-logs

bugfix/7664-automation-tracking-label-requirements

docs/auto-time-1-timeline-update-2026-04-14

docs/auto-docs-1-milestone-v3-updates

fix/issue-6344-plan-execute-rich-output

docs/action-config-schema-api

fix/bug-hunt-supervisor-nonexistent-file-preflight

fix/retry-policy-model-missing-fields

docs/validation-gate-empty-run-guard

auto-arch-15/spec-retry-policy-canonical-fields

docs/lockservice-advisory-locking

docs/changelog-plan-fix-4197

spec/milestone-plan-section

docs/update-changelog-recent-features

fix/test-infra-remove-redundant-python-variable-robot-files

timeline/day-104-2026-04-14-cycle2

fix/bdd-feature-file-tags

auto-arch-13/spec-default-automation-profile

docs/auto-docs-cycle-1-2026-04-12

docs/cycle-1-git-worktree-sandbox

spec/architecture-critical-gap-fixes

docs/timeline-day-104-auto-time-2

auto-arch-1/add-v380-v390-milestone-plan

docs/developer-setup-guide

fix/auto-profile-spec-prose-description

auto-arch-10/spec-tui-a2a-integration-layer

spec/resource-event-types-clarification

auto-docs-4/changelog-and-observability

auto-arch-4/adr-049-layered-boundary-enforcement

docs/a2a-protocol-autonomy-hardening

auto-arch-9/spec-v3.8.0-milestone-plan

docs/auto-docs-3-reference-index

auto-arch-7/spec-apply-git-worktree

docs/timeline-day104-cycle1-auto-time-4

docs/auto-docs-cycle-1-changelog-updates

auto-arch-6/adr-049-spec-restructuring

docs/auto-docs-1-v340-acms-context-management

docs/auto-docs-1-v320-v330-cli-reference

auto-arch-5/v3.9.0-milestone-plan

test/create-scripts

auto-time-1-day104

timeline/day-104-2026-04-14

docs/auto-time-4-day103-cycle5

auto-time-3-day103-cycle4

auto-docs-5-architecture-overview

spec/three-way-merge-strategy-v3.3.0

spec/checkpoint-system-v3.3.0

auto-docs-4-api-docs-update

auto-docs-1-changelog-expansion

spec/invariant-management-system-v3.2.0

pr-8289

spec/plan-correction-engine-v3.2.0

spec/layered-architecture-boundary-policy

spec/tui-materializer-a2a-integration-v3.7.0

spec/decision-recording-system-v3.2.0

docs/auto-docs-1-milestone-overview

pr-7484

pr-4212

auto-arch-3/v3.8.0-milestone-plan

auto-docs-6/troubleshooting-and-config

auto-time-1-day103-session5

auto-docs-5/contributor-guide-and-readme

docs/plan-tree-ulid-examples

docs/m3-spec-clarify-path-datetime-plugin-contracts

docs/auto-docs-cycle-10-diagnostics-ref

auto-docs-3/user-guide-and-architecture

docs/cycle-7-changelog-update

spec/reconciliation-failure-behavior

auto-docs-2/api-documentation

auto-arch-2/adr-053-repositories-decomposition

auto-docs-1/release-notes-v3.0-v3.1

spec/update-validation-attach-project-delete

spec/architecture-cycle2-impl-clarifications

auto-arch-1/adr-049-052-violations

auto-time-1-day103

docs/auto-docs-cycle-13-updates

docs/timeline-day-102-auto-time

timeline/day-103-2026-04-13

spec/arch-invariant-cli-completeness

spec/update-cycle1-validation-attach-project-delete

docs/add-session-management-showcase

spec/arch-sandbox-path-correction-cycle9

spec/architecture-v380-milestone-plan

docs/auto-docs-cycle-12-updates

docs/cycle-1-validation-gate-fix

docs/2026-04-08-unreleased-changelog

docs/auto-docs-cycle-2-2026-04-10

docs/session-4615-2026-04-08-cycle1

feat/issue-6361-shell-safety-service-tui

spec/architecture-cycle-25-new-features

fix/issue-6345-automation-profile-add-output

docs/timeline-day-102-2026-04-12

docs/cycle-2-git-worktree-acms-hydrator

spec/arch-sandbox-cleanup-discovery

docs/timeline-day96-2026-04-08

docs/auto-docs-cycle-11

spec/fix-sandbox-strategy-protocol-name

spec/arch-acms-tier-hydration

fix/v3.4.0/context-settings-defaults

docs/add-example-repl-and-actor-run

docs/auto-docs-cycle-10-updates

docs/session-4-2026-04-08-updates

docs/showcase-all-examples-consolidated

docs/timeline-day-97

docs/acms-context-hydrator-cycle2

docs/add-example-output-format-flags

spec/arch-failfast-cancel-semantics

timeline/day-101-2026-04-11

docs/timeline-day99-2026-04-09-v2

docs/auto-docs-cycle-2-worktree-acms

spec/architecture-v3.8.0-milestone-plan

docs/api-lsp-acms-reference

improvement/agent-bug-hunt-pool-supervisor-yaml-syntax-fix

spec/project-delete-deleted-at-field

spec/architecture-provider-registry-tui-materializer

spec/document-reconciliation-blocked-error-5942

fix/issue-7482-git-log-injection

spec/devcontainer-auto-discovery-schema

feat/issue-6350-conversation-content-pruning

docs/update-module-guides-2026-04-10

timeline/day-100-2026-04-10-auto-time-cycle1

timeline/day-99-2026-04-09-auto-time-v2

docs/cycle-3-module-guides

timeline/day-99-2026-04-09-auto-time

pr-4226

spec/additional-llm-providers-gemini-groq-cohere-together-ollama-mistral

spec/document-context-tier-hydrator-6175

docs/timeline-day99-2026-04-09

spec/invariant-cli-clarifications

docs/add-example-project-init-and-context-management

spec/reconciliation-blocked-error-documentation

spec/fix-invariant-precedence-reference-5861

spec/fix-plan-correct-accepts-plan-id-5558

spec/fix-validation-attach-synopsis-5328

docs/timeline-day-99-cycle-1

docs/timeline-day-99-cycle-2

fix/actor-context-list-regex-arg

docs/timeline-day-99-cycle-3

spec/arch-security-mode-init

docs/auto-docs-cycle-9-updates

fix-resource-fix-resource-remove-to-check-correct-edge-table

feat/issue-6434-tui-env-var-expansion

fix/issue-6321-plan-prompt-timing-field

fix/issue-6322-resource-add-url-flag

feat/issue-6348-sessions-screen

spec/plan-show-command

temp

feat/harden-label-restrictions-1775753628

spec/invariant-reconciliation-failure-behavior

spec/add-reconciliation-failure-behavior-5942

spec/architecture-corrections-cycle3

spec/checkpoint-trigger-names-and-config-key-fix

spec/fix-ai-provider-interface-5801

spec/azure-api-version-default-update

docs/auto-docs-writer-cycle1-labels

spec/fix-resource-type-yaml-format-5622

spec/add-plan-revert-resume-commands-5574

docs/auto-docs-cycle-1-2026-04-09

spec/plan-correct-plan-id-or-decision-id-5558

spec/fix-subgraph-node-actor-ref-field-5427

issue/5284-master-ci-fix

timeline/day-99-2026-04-09-v2

merge-me

docs/session-3377-initial-docs-update

fix/llm-provider-subpackage-exports

spec/arce-acronym-and-tui-keybinding-fixes

spec/architecture-corrections-cycle2

spec/architecture-corrections-cycle1

docs/cycle-1-updates

spec/tui-clarifications-session-export-persona

docs/session-4940-2026-04-08-cycle1

spec/architecture-milestone-plan-v3.2-v3.7

docs/session-4743-2026-04-08-cycle1

docs/timeline-day-98

fix/plan-lifecycle-service-rollback-method

docs/timeline-day98-2026-04-08-v2

docs/add-example-action-and-plan-management

docs/session-2026-04-06-updates

docs/ca-docs-writer-v3.8.1-2026-04-05

fix/session-tell-stub-missing-panels-and-actor-execution

improvement/agent-arch-guard-clone-failure-handling

improvement/agent-test-infra-health-spam-fix-v2

fix-tdd-invert-non-assertion-exceptions

improvement/agent-arch-guard-clone-failure

bugfix/3472-fix-tdd-inversion-logic

bugfix/989-fix-persistence-json-decode-error

improvement/agent-supervisor-tracking-labels-v2

docs/timeline-day95-v2

docs/timeline-day95-final

docs/update-lsp-api-and-changelog

fix/lsp-resource-handler-module-missing

docs/timeline-day95-final-2026-04-05

fix/a2a-plan-correct-rollback-wiring

docs/add-lsp-api-and-changelog-2026-04-05

fix/tool-registry-validation-type-discriminator

docs/v3.7.0-documentation-update

docs/ca-docs-writer-2026-04-05-cycle2

fix/invariant-set-merge-action-scope

docs/unreleased-feature-docs

fix/concurrency-cost-tracker-record-usage-race-condition

improvement/agent-ca-test-infra-improver-failure-handling

docs/update-changelog-mcp-plan-ci-2026-04-05

improvement/agent-pr-reviewer-milestone-prioritization

docs/timeline-day95-refresh-2026-04-05

improvement/agent-mandatory-labels-tracking-issues

docs/api-domain-providers-changelog-2026-04-05

docs/ca-docs-writer-2026-04-05

docs/timeline-day95-refresh

fix/skill-add-include-validation

docs/timeline-day-95-2026-04-05-update3

docs/timeline-day-95-2026-04-05-update2

docs/ci-incident-runbook-2597

improvement/agent-ca-test-infra-improver-worker-api-mode

docs/shell-safety-api-and-readme-highlights

docs/timeline-day-55-2026-04-04-v2

docs/timeline-day-55-2026-04-04

docs/timeline-day54-update3

improvement/agent-ca-test-infra-improver-fixes

spec/restructure-monolithic-to-split

docs/timeline-day54-update-v2

docs/timeline-day54-update

fix-agents

docs/shell-safety-and-domain-base-model

fix/1452-impl

fix/1473-plan-cancel

fix/1425-test

fix/1426-config

fix/1421-perf

fix/1424-impl

test/int-wf16-devcontainer

feature/m8-tui-persona-export

feature/m7-post-resource-equivalence

test/e2e-m4-acceptance

feature/m6-tantivy-backend

feature/m6-estimation

feature/m6-estimation-report-model

feature/observability-prometheus-audit

feat/server-auth-namespace

feature/m8-session-editing

feature/llm-actor-subplan-wiring

feature/m8-tui-first-run-actor-selection

feature/m8-tui-conversation-block-catalog

feature/m8-tui-settings-screen

feature/m7-e2e-porting

feature/m6-estimation-historical-stats

feature/m8-tui-persona-export-import

feature/m8-tui-sessions-screen

feature/m7-graph-backend

feature/m8-tui-block-context-menu

feature/m8-tui-tool-call-expand

feature/m4-missing-builtin-tools

docs/v3.7.0-release-docs

feature/m8-tui-session-export

test/e2e-wf15-disaster-recovery

test/e2e-wf03-refactoring

test/e2e-m3-acceptance

feature/m8-tui-prompt-history

feature/m8-tui-actor-thought-block-rendering

bugfix/m6-build-hierarchy-child-ids

feature/resource-inheritance-wiring

test/e2e-wf09-session

test/e2e-wf06-doc-generation

test/e2e-wf08-cloud-infra

test/e2e-wf02-test-generation

test/e2e-wf13-custom-profile

test/e2e-wf11-graph-actor

test/e2e-wf01-hello-world

test/int-wf17-explicit-container

test/int-wf12-hierarchical

test/int-wf15-disaster-recovery

test/int-wf13-custom-profile

test/int-wf03-refactoring

test/int-wf11-graph-actor

test/int-wf10-batch

test/int-wf09-session

feature/m3-tdd-issue-consistency-gate

feature/m3-invariant-enforcement-strategize

test/int-wf18-container-clone

test/int-wf01-hello-world

feature/m6-diagnostic-dashboard-health-categories

feature/m6-cli-polish

fix/e2e-db-isolation

feature/m7-post-tui

feature/m9-asgi-endpoint

feature/m7-post-server

tdd/m7-audit-session-race

tdd/m3-skill-add-regression

feature/m9-remote-repos

feature/fs-mount-file-types

tdd/container-resolve-crash

test/e2e-m1-acceptance

test/e2e-m2-acceptance

eugen.thaci-patch-3

eugen.thaci-patch-2

eugen.thaci-patch-1

aditya-fix-latest

feature/m4-secret-masking-llm-context

aditya-fix

refactor/m3-replace-mktemp

refactor/m3-remove-unittest-mock-integration

refactor/m3-remove-robot-mock-imports

refactor/m3-remove-mock-llm-integration

docs/improved-menu-adr

feature/m7-post-auth

feature/m3-fix-resource-bootstrap

feature/post-safety-profile-tests

integration/batch-2026-03-02

feat/slipcover

docs/safety-profile-spec-composition

integrate/freemo-batch-1

feature/m4-error-recovery

feature/m4-security-template

feature/m3-validation-pipeline

develop-aditya-2

feature/m3-diff-review

feature/m3-validation-apply

feature/m6-acp-stubs

feature/m4-correction-flows

feature/m1-plan-execute-runtime

feature/m4-security-exceptions

feature/m4-definition-of-done

feature/m4-correction-model

feature/m1-apply-pipeline

feature/m5-automation-profiles

feature/m2-lsp-stubs

feature/m3-invariants

feature/m1-actor-runtime

feature/docs-v2-restore

feature/m6-perf-scale

feature/m6-validation-edge

feature/m3-session-cli

feature/m1-persistence-tests-robot

feature/m3-config-cli

feature/m1-cli-tests-robot

feature/m5-subplan-tests

feature/m6-review-playbook

feature/aditya-m3-actor-loader

feature/m3-skill-protocol

feature/m4-automation-legacy-cleanup

feature/m3-change-model

feature/m3-skill-git

feature/m3-skill-registry

feature/m4-security-eval

fix/robot-tests

feature/m3-actor-registry

feature/m3-tool-cli

feature/m4-automation-profiles-cli

feature/m2-resource-cli-extensions

feature/m3-actor-loader

feature/m3-tool-domain-robot

feature/m3-skill-domain-robot

feature/m3-skill-cli

feature/m1-resource-db-robot-tests

feature/m3-session-domain-robot

feature/m1-persistence-tests

feature/m1-cli-tests

ten-branches-backup

feature/m3-skill-schema

feature/m3-session-persistence

feature/automation-profiles-and-resource-dag

feature/m1-plan-repo

feature/m1-db-plan-phase-rebaseline

feat/B4-sandbox

feat/B2-cli-wiring

feat/B5-project-persistence

feat/B1-project-data-models

feat/b1-data-models

feat-repo-manager-and-sourcegraph-support

feat/actor-schema

fix/component-isolation-security-fix

feat/ontology-agent

fix/error-handling-security-fix

fix/concurrency-security-fix

fix/serialization-security-fix

fix/server-side-request-forgery-security-fix

fix/file-system-security

fix/template-injection-fix

fix/data-injection-fix

tests/unit-tests

latest/poetry-generator

poetry-generator

config/contract-metadata-extractor

docs/readme-yaml-syntax

config/memory-yaml

fix/double-response

brent-additions

intel_2_demo

auto-working-v6

auto-working-v5

auto-working-v4

auto-before-rewrite-v0

auto-working-v3

auto-working-v2

auto-working-v1

v3.1.0

v3.0.0

v2.0.0

Labels

Clear labels   

auto/needs-reevaluation

Controller deferred this PR; awaiting Phase 6+ scope-evaluator or operator re-enablement.

  

controller-managed

Auto-agents controller manages this PR/issue (see tools/controller/deploy/RUNBOOK.md). Remove this label to abandon controller management.

  

auto/blocked-by-deps

PR blocked by an open issue dependency. Operator must close the dep (or remove the dependency link) before the merge driver can act. Auto-cleared by merge_drive when no open deps remain.

  

auto/ci-timeout

Most recent merge cycle hit CI timeout. Driver excludes this PR while last merge_cycle row is < 30 min old; label persists thereafter as visible history.

  

auto/claimed-implementer

Currently being processed by an implementer worker.

  

auto/claimed-merge

Currently being processed by the merge driver.

  

auto/claimed-reviewer

Currently being processed by a reviewer worker.

  

auto/driver-down

Merge driver heartbeat stale; pipeline halted. Closed automatically on next clean tick.

  

auto/invariant-violation

Detected master commit violating the strict merge invariant. Tracked as an issue (not a PR label); kept here for label completeness.

  

auto/last-attempt-tier-0

In-cycle escalation: most recent attempt ran at the Tier 0 slot (`tier-0`). Slot's model defined in .opencode/models/tiers.yaml.

  

auto/last-attempt-tier-1

In-cycle escalation: most recent attempt ran at the Tier 1 slot (`tier-1`). Slot's model defined in .opencode/models/tiers.yaml.

  

auto/last-attempt-tier-2

In-cycle escalation: most recent attempt ran at the Tier 2 slot (`tier-2`). Slot's model defined in .opencode/models/tiers.yaml. Gated behind IMPLEMENTER_ESCALATION_TIER2_ENABLED.

  

auto/last-attempt-tier-min

In-cycle escalation: most recent attempt ran at the Tier -1 slot (`tier-min`). Slot's model defined in .opencode/models/tiers.yaml. Suffix is ``-min`` (not ``--1``) so the Forgejo UI reads naturally.

  

Automation Tracking

Tracking issues used by the AI Automation system for agents to communicate and report.

  

auto/needs-conflict-resolution

Rebase conflict needs LLM conflict-resolver.

  

auto/needs-implementer

Failing CI needs implementer attention.

  

auto/postmortem

Documenting a driver incident or rollback.

  

auto/ready-to-merge

Reviewer has APPROVED this PR and no later REQUEST_CHANGES is outstanding. The merge driver requires this label to even consider a PR for merging. Set by the reviewer worker on APPROVE; cleared on REQUEST_CHANGES.

  

auto/restart-throttled

Train repeatedly lost master-tempo races. Driver excludes via merge_cycle until cooldown elapses; label persists as visible history.

  

auto/revert

Revert PR backing out an invariant violation. Fast-tracked through the merge driver.

  

auto/sentinel

Sentinel PR duplicated from upstream into a personal fork by tools/duplicate_prs_to_fork.py for pipeline testing. Lives only in the fork; the canonical pipeline never sees it.

  

auto/stale-inactivity

No implementer activity for N days. Flagged for human review. Auto-cleared on next push to head branch.

  

auto/unstable

Repeatedly fails on current master (>= 3 ci-fail-on-rebased-sha releases in 12 h). Excluded from driver until human triage.

  

Blocked

A ticket in a blocked state and unable to complete until some other task is completed first.

  

Bounty

$100

A bounty of $100 for any open-source contributor who provides a MR that solves this issue

  

Bounty

$1000

A bounty of $1000 for any open-source contributor who provides a MR that solves this issue

  

Bounty

$10000

A bounty of $10000 for any open-source contributor who provides a MR that solves this issue

  

Bounty

$20

A bounty of $20 for any open-source contributor who provides a MR that solves this issue

  

Bounty

$2000

A bounty of $2000 for any open-source contributor who provides a MR that solves this issue

  

Bounty

$250

A bounty of $250 for any open-source contributor who provides a MR that solves this issue

  

Bounty

$50

A bounty of $50 for any open-source contributor who provides a MR that solves this issue

  

Bounty

$500

A bounty of $500 for any open-source contributor who provides a MR that solves this issue

  

Bounty

$5000

A bounty of $5000 for any open-source contributor who provides a MR that solves this issue

  

Bounty

$750

A bounty of $750 for any open-source contributor who provides a MR that solves this issue

  

MoSCoW

Could have

Could have feature in order to satisfy the epic/legendary.

  

MoSCoW

Must have

Must have feature in order to satisfy the epic/legendary.

  

MoSCoW

Should have

Should have feature in order to satisfy the epic/legendary.

  

Needs Feedback

There are questions in the ticket that can not be completed until the project owner provides clarity.

  

Points

1

1 man-hours worth of work for an expert with no learning curve.

  

Points

13

13 man-hours worth of work for an expert with no learning curve.

  

Points

2

2 man-hours worth of work for an expert with no learning curve.

  

Points

21

21 man-hours worth of work for an expert with no learning curve.

  

Points

3

3 man-hours worth of work for an expert with no learning curve.

  

Points

34

34 man-hours worth of work for an expert with no learning curve.

  

Points

5

5 man-hours worth of work for an expert with no learning curve.

  

Points

55

55 man-hours worth of work for an expert with no learning curve.

  

Points

8

8 man-hours worth of work for an expert with no learning curve.

  

Points

88

88 man-hours worth of work for an expert with no learning curve.

  

Priority

Backlog

This ticket has backlogged priority and is not to be worked on yet

  

Priority

CI Blocker

Critical priority issue that blocks CI/CD pipeline and prevents PR merges

  

Priority

Critical

The priority is critical

  

Priority

High

The priority is high

  

Priority

Low

The priority is low

  

Priority

Medium

The priority is medium

  

Signed-off: Owner

When an epic or legendary is in review it must be signed off by owner, tech lead, and scrum master before being marked as completed.

  

Signed-off: Scrum Master

When an epic or legendary is in review it must be signed off by owner, tech lead, and scrum master before being marked as completed.

  

Signed-off: Tech Lead

When an epic or legendary is in review it must be signed off by owner, tech lead, and scrum master before being marked as completed.

  

Spike

A ticket for learning a tool or technology that is needed to be able to do future planning and design.

  

State

Completed

The ticket has been fully implemented, completed, and merged with the source code. This label should only be applied once a ticket is closed.

  

State

Duplicate

A ticket that represents the same content as an existing ticket.

  

State

In Progress

A ticket that is actively being developed.

  

State

In Review

A ticket that has had some code completed to implement but is waiting to pass peer review and is not yet merged in.

  

State

Paused

This ticket's work started but wasn't finished. It's on hold (likely in a feature branch) and will be resumed later, either due to a blocker or a delay.

  

State

Unverified

All new tickets start in this state. A developer may set it to show the ticket is unverified. This means we haven't agreed to work on it. It will either move to a verified state or be closed as wontdo.

  

State

Verified

The issue has been verified by a developer as legitimate. It will be worked on and verified tickets are now considered part of the backlog.

  

State

Wont Do

This ticket has been decided it wont be done. This may mean the bug has been determined to not be real (cant verify) or the feature is one we have decided we dont want to adopt.

  

Type

Automation

Any edits or discussion about the AI automated coding system.

  

Type

Bug

Something that doesnt work as intended.

  

Type

Discussion

Anytime a ticket represents a discussion about a subject and doesnt fall into one of the other categories.

  

Type

Documentation

An error or improvement needed in the documentation.

  

Type

Epic

Any first tier epic. That is, an epic which contains only issues as children and will not have sub-epics.

  

Type

Feature

Some new functionality not present.

  

Type

Legendary

A type of Epic which will contain other Epics.

  

Type

Refactor

A code change that restructures existing code without changing its external behavior.

  

Type

Support

Someone needs help using the project.

  

Type

Task

A generic task that doesnt fit into the other type categories.

  

Type

Testing

Work exclusively focusing on fixing or expanding testing.

No labels

auto/needs-reevaluation

controller-managed

auto/blocked-by-deps

auto/ci-timeout

auto/claimed-implementer

auto/claimed-merge

auto/claimed-reviewer

auto/driver-down

auto/invariant-violation

auto/last-attempt-tier-0

auto/last-attempt-tier-1

auto/last-attempt-tier-2

auto/last-attempt-tier-min

Automation Tracking

auto/needs-conflict-resolution

auto/needs-implementer

auto/postmortem

auto/ready-to-merge

auto/restart-throttled

auto/revert

auto/sentinel

auto/stale-inactivity

auto/unstable

Blocked

Bounty

$100

Bounty

$1000

Bounty

$10000

Bounty

$20

Bounty

$2000

Bounty

$250

Bounty

$50

Bounty

$500

Bounty

$5000

Bounty

$750

MoSCoW

Could have

MoSCoW

Must have

MoSCoW

Should have

Needs Feedback

Points

1

Points

13

Points

2

Points

21

Points

3

Points

34

Points

5

Points

55

Points

8

Points

88

Priority

Backlog

Priority

CI Blocker

Priority

Critical

Priority

High

Priority

Low

Priority

Medium

Signed-off: Owner

Signed-off: Scrum Master

Signed-off: Tech Lead

Spike

State

Completed

State

Duplicate

State

In Progress

State

In Review

State

Paused

State

Unverified

State

Verified

State

Wont Do

Type

Automation

Type

Bug

Type

Discussion

Type

Documentation

Type

Epic

Type

Feature

Type

Legendary

Type

Refactor

Type

Support

Type

Task

Type

Testing

Milestone

Clear milestone

No items

No milestone

v3.2.0

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

cleveragents/cleveragents-core#6588

No description provided.