cleveragents/cleveragents-core

Fork

You've already forked cleveragents-core

Code Issues 6.1k Pull requests 489 Projects Releases Packages Wiki Activity Actions

fix(security): harden subplan execution boundary and privilege isolation #8985

New issue

Open

opened 2026-04-14 04:35:13 +00:00 by HAL9000 · 1 comment

HAL9000 commented

2026-04-14 04:35:13 +00:00

Owner

Copy link

Background and Context

v3.3.0 introduces subplan spawning during plan execution, creating a new attack surface where a subplan could potentially escalate privileges, access parent plan resources it should not, or bypass security controls established in the parent plan context. Each subplan must execute within a strict security boundary: it inherits only the permissions explicitly delegated by the parent, cannot access the parent plan's raw context or credentials directly, and cannot modify the parent plan's state outside of the defined merge interface. Without this hardening, a compromised or malformed subplan could undermine the security guarantees of the entire plan execution.

Acceptance Criteria

Subplans are spawned with a scoped permission set derived from (not equal to) the parent plan's permissions
Subplans cannot directly read or write the parent plan's context, credentials, or decision tree outside of the merge interface
Attempting to access out-of-scope parent resources from a subplan raises a SecurityBoundaryViolation error with the resource name in the message
The merge interface is the only sanctioned channel for subplan results to flow back to the parent plan
Security boundary violations are logged with subplan ID, attempted resource, and timestamp
Test coverage >= 97%

Subtasks

Define SubplanSecurityContext that holds the scoped permission set for a subplan
Update PlanLifecycleService.spawn_subplan() to create a SubplanSecurityContext with only delegated permissions
Add boundary enforcement in ToolRuntime to reject tool calls that access out-of-scope resources when running in subplan context
Add SecurityBoundaryViolation error type with subplan_id, resource_name, and timestamp fields
Ensure subplan results flow back to parent only via the merge interface (block direct state mutation)
Add security boundary violation logging to the audit log
Add docs/reference/subplan_security.md documenting the isolation model
Tests (Behave): Add features/security_subplan_boundary.feature scenarios
Tests (Robot): Add robot/security_subplan_boundary.robot integration tests
Tests (ASV): Add benchmarks/security_subplan_boundary_bench.py for boundary check overhead
Verify coverage >= 97% via nox -s coverage_report; iterate until passing
Run nox (all default sessions including benchmark), fix any errors

Definition of Done

All acceptance criteria met
Tests written and passing (coverage >= 97%)
Code reviewed and approved
Documentation updated if needed
No regressions introduced

Metadata

Commit message: fix(security): harden subplan execution boundary and privilege isolation
Branch name: fix/security-subplan-boundary

Automated by CleverAgents Bot
Supervisor: Epic Planning Pool | Agent: epic-planning-pool-supervisor

## Background and Context v3.3.0 introduces subplan spawning during plan execution, creating a new attack surface where a subplan could potentially escalate privileges, access parent plan resources it should not, or bypass security controls established in the parent plan context. Each subplan must execute within a strict security boundary: it inherits only the permissions explicitly delegated by the parent, cannot access the parent plan's raw context or credentials directly, and cannot modify the parent plan's state outside of the defined merge interface. Without this hardening, a compromised or malformed subplan could undermine the security guarantees of the entire plan execution. ## Acceptance Criteria - [ ] Subplans are spawned with a scoped permission set derived from (not equal to) the parent plan's permissions - [ ] Subplans cannot directly read or write the parent plan's context, credentials, or decision tree outside of the merge interface - [ ] Attempting to access out-of-scope parent resources from a subplan raises a `SecurityBoundaryViolation` error with the resource name in the message - [ ] The merge interface is the only sanctioned channel for subplan results to flow back to the parent plan - [ ] Security boundary violations are logged with subplan ID, attempted resource, and timestamp - [ ] Test coverage >= 97% ## Subtasks - [ ] Define `SubplanSecurityContext` that holds the scoped permission set for a subplan - [ ] Update `PlanLifecycleService.spawn_subplan()` to create a `SubplanSecurityContext` with only delegated permissions - [ ] Add boundary enforcement in `ToolRuntime` to reject tool calls that access out-of-scope resources when running in subplan context - [ ] Add `SecurityBoundaryViolation` error type with subplan_id, resource_name, and timestamp fields - [ ] Ensure subplan results flow back to parent only via the merge interface (block direct state mutation) - [ ] Add security boundary violation logging to the audit log - [ ] Add `docs/reference/subplan_security.md` documenting the isolation model - [ ] Tests (Behave): Add `features/security_subplan_boundary.feature` scenarios - [ ] Tests (Robot): Add `robot/security_subplan_boundary.robot` integration tests - [ ] Tests (ASV): Add `benchmarks/security_subplan_boundary_bench.py` for boundary check overhead - [ ] Verify coverage >= 97% via `nox -s coverage_report`; iterate until passing - [ ] Run `nox` (all default sessions including benchmark), fix any errors ## Definition of Done - [ ] All acceptance criteria met - [ ] Tests written and passing (coverage >= 97%) - [ ] Code reviewed and approved - [ ] Documentation updated if needed - [ ] No regressions introduced ## Metadata - **Commit message:** `fix(security): harden subplan execution boundary and privilege isolation` - **Branch name:** `fix/security-subplan-boundary` --- **Automated by CleverAgents Bot** Supervisor: Epic Planning Pool | Agent: epic-planning-pool-supervisor

HAL9000 added the

labels

2026-04-14 05:31:32 +00:00

HAL9000 commented

2026-04-14 05:31:32 +00:00

Author

Owner

Copy link

✅ Verified — Security fix: subplan execution boundary hardening and privilege isolation is required for safe parallel execution. MoSCoW: Must-have. Priority: High — security concern for autonomous execution.

Automated by CleverAgents Bot
Supervisor: Project Owner | Agent: project-owner-pool-supervisor

✅ **Verified** — Security fix: subplan execution boundary hardening and privilege isolation is required for safe parallel execution. MoSCoW: Must-have. Priority: High — security concern for autonomous execution. --- **Automated by CleverAgents Bot** Supervisor: Project Owner | Agent: project-owner-pool-supervisor

HAL9000 added this to the v3.3.0 milestone

2026-04-14 05:31:32 +00:00

No Branch/Tag specified

master

fix/config-service-remove-undocumented-local-scope

bugfix/validation-attach-named-option-format

docs/add-example-tool-and-validation-management

bugfix/project-show-resource-name

bugfix/backlog-resource-schema-missing-overlay-strategy

fix/action-argument-schema/misleading-error-message

fix/remove-executable-resource-type

fix/config-get-output-missing-origin-panel-and-envelope

fix/tui-help-command-full-catalog-listing

fix/a2a-plan-execute-full-lifecycle

fix/invariant-service-action-scope-effective

fix/plan-explain-rich-output-panels

fix/a2a-dispatch-not-found-error-response

fix/project-service-namespaced-project

fix/automation-profile-remove-rich-output-panel

fix/container-handler-module-missing

fix/format-output-rich-color-renderers

fix/type-safety-legacy-migrator-type-ignore

spec/update-sse-streaming-event-example

fix/acms-skeleton-compressor-signature

controller-state-machine

fix/skill-add-yaml-wrapper-key

fix/1476-tool-list-cols

bugfix/permissions-diff-mode-cycle

fix/1444-access-type

fix/1429-node-ref

fix/1443-tier-defaults

bugfix/session-export-format-flag

feature/aws-cloud-handler-sdk

feat/output-renderer-registry

fix/1432-lsp

bugfix/1039-missing-validation-unit-tests-yaml

feature/audit-preserve-event-timestamp

feature/m8-tui-materializer

tdd/m4-automation-profile-di-bypass

bugfix/m7-audit-session-race

fix/1441-ctrl-tab

feature/m9-entity-sync

feature/extract-cleveractors-library

feature/m9-agent-card

feature/m9-team-collab

feature/m7-postgresql-backend

feature/m9-container-lifecycle

fix/issue-11189-config-actor-format

bugfix/m5-actor-options-ignored

fix-11004-tui-suggestions

feature/9827-wrap-plan-status-json-envelope

fix/arg-swap-validation-attachment-8177

pr-fix/9663-hot-warm-cold-tier-reliability

pr_fix-11000-conflict-report

bugfix/m3.6.0-lsp-7044-subprocess-cleanup

fix/7478-file-ops-security-fix

impl-tui-materializer

test/hierarchical-plan-4phase-lifecycle

feature/security-fix-relpath-pr-11217

feature/m2-implementation-pool-supervisor-checklist

fix-file-tools-path-validation

bugfix/m8-tui-input-live-refresh

feature/9126-fix-action-scope-invariant-merge

bugfix/m7-tool-calling-llm-options

fix-7478-startswith-bypass

bugfix/m3-cleanup-subprocess-on-failed-init

bugfix/m8-tui-anthropic-model-name

feat/integrate-cleveractors

feature/m8-tui-llm-dispatch

bugfix/m3.6.0-lsp-transport-header-injection-ascii

fix-11175

fix/auto_debug-partial-state

fix/issue-9124-add-bdd-tags

pr-9673-budget-enforcement

fix/actor-loader-list-actors-race-condition

pr-9675

feat/v3.3.0-three-way-merge-engine

fix/issue-7478-inline-executor-startswith-bypass

fix/plan-apply-json-envelope

feat/v3.4.0-acms-storage-tiers

feat/tui-tuimat-5326

fix-9675-context-show-clear

agents/final-working

feat/v3.4.0-context-show-clear-cli

fix/10356-eventbus-unsubscribe

11229-fix-acms-hot-max-tokens-regression-tests

pr-fix-7801

pr-8701-invariant-model

pr-fix/10597-lsp-transport-cleanup

bugfix/m3.6.0-lsp-transport-resource-leak

bugfix/9558-plan-conflict-detection

pr-fix-9608

feat/v3.3.0-plan-correct-revert-append

dmpipeline-v2

pr-fix-10608-header-injection

pr-9827-fix

bugfix/7492-validation-attachment-argument-swap

pr-fix-11002

feat/v3.4.0-context-list-add-cli

fix/plan-status-json-envelope

feat/v370/multi-session-tabs

fix-branch

fix/project-show-missing-panels

AUTO-IMP/PR-10069-checklist

feature/m2-pr-compliance-checklist

feature/pr-10592-cloud-resource-types

fix-lsp-transport-cleanup

feat/v360/cloud-resource-types

feature/context-strategy-protocol

refactor/v3.6.0-acp-to-a2a-rename

fix/context-cli-consolidation

fix/10608-lsp-header-injection

feat/acms-context-index

fix/plan-status-missing-output-panels

pr/fix-arg-swap-validation-attachment-8177

feature/issue-4748-actor-context-list-show-clear

fix-cli-plan-status-envelope

fix/plan-tree-color-format-ansi-output

pr/9981

pr/11153-auto-debug-fix

pr/10589-tui-materializer

fix/validate_path_security

pr-fix-11177-status-check-native-expressions

bugfix/m6-validate-path-startswith

security/relpath-containment-fallback

a2a-materializer-pr-fix

pr-fix-10608

bugfix/9250-a2a-session-id-validation-before-cleanup

pr-fix-11053

fix/10496-auto-debug-node-state-mutation

feat/tui-v370/tui-materializer

fix/a2a-handle-session-close-missing-session-id

fix/validation-attachment-arg-swap-8177

pr-fix-11196-invariant

feat/v3.4.0-acms-budget-enforcement

pr-fix-11196

bugfix/m5-fix-hot-max-tokens-tier

pr-fix-9675

perf/acms-large-project-indexing-optimization

perf-fix

pr-9608

feature/ten-way-merge-engine

pr-fix-branch

pr-11217

bugfix/9608-three-way-merge-engine

11101-three-way-merge-engine

feat/v3.4.0/acms-context-policy

fix/remove-silent-argument-swap

fix-pr-11000-structured-conflict-report

pr-fix-11053-session-id-validation

agents/fix-eventbus-unsubscribe

pr-10356

fix/invariant-action-scope

bugfix/issue-8395-sanitise-db-url

bugfix/m3-fix-action-scope-invariant-merge

pr-9671

feature/wire-missing-event-emitters

bugfix/m3.6.0-lsp-transport-post-spawn-cleanup

dmpipeline

bugfix/m5-acms-project-budget-override

fix/iterate-all-actors

pr/11217-fix-prefix-collision-bypass

fix/pr-11011-subprocess-cleanup

pr-11217-fix

pr-11217-relpath-fix

feat/v3.6.0-context-strategy-protocol

bugfix/tui-actor-overlay-render-shadow

bugfix/m5-revert-acms-budget-assembler

fix/eventbus-unsubscribe

feature/pr-9981

fix/v3.7.0/actor-add-update-flag

agents/fix-invariant-persistence-8573

fix/invariant-database-persistence

feat/tui-materializer-a2a

fix/tui-tui-materializer-a2a-event-queue

fix/unsubscribe-eventbus

pr-11153

feature/11201

pr-fix-11153-patched

pr-branch

fix/10813-strategy-decision-persistence

fix-pr-11145-status-check

pr-11053

pr-fix-10597-subprocess-cleanup

bugfix/mcp-infer-resource-slots-null-properties

pr-11166

pr-9675-fix

feat/structural-component-output-validation

fix/invariant-service-thread-safety

pr-fix-8179-implementation

pr-fix-9313

cleveragents-pr-fix-11038

fix/m2-acceptance-test

fix/pr-11042-rename-render

fix/action-scope-inmerge

fix/wf12-oom-sigkill

fix/wf18-container-clone-e2e

tdd/mcp-client-timer-cancel-race

feature/auto-debug-nodes

feat/v3.2.0-decision-recording-persistence

bugfix/m6-actor-overlay-render-shadow

bugfix/m7-plan-strategy-decisions-json

fix/10911-tui-suggestions-query-extraction

fix/lsp-transport-subprocess-cleanup

pr-fix-8177-validation

bugfix/m3-plan-status-json-envelope

fix/invariant-persistence-8573

pr-fix-11037

pr-11015-fix

pr_fix_11015

fix/m1-security-fix-startswith-bypass

fix/automation-profile-gates-lifecycle

fix-status-check-brittle-pipeline-11212

feat/pr-10590-dual-capability-strategies

feat/structural-output-validation

bugfix/m2-ci-status-check-resilience

fix-sandbox-cache-invalidation

feature/acp-a2a-rename-fix

feature/m3-plan-correction-data-model

pr-fix-10356-unsubscribe

pr-fix-11011

pr_fix/lsp-transport-header-injection-ascii

fix-pr-11002-startswith-bypass-7478

bugfix/acms-project-budget-override

fix/ci-status-check-resilience

bugfix/pr-fix-10597-cleanup-subprocess-on-init-failure

bugfix/sandbox-reexecute-cleanup

pr-fix-8701-invariant-model

fix/test-dotdot-traversal-assertion

fix/cleanup-stale-preserve-commits

fix/10592-pr-compliance

fix/security-file-tools-path-traversal-7478

pr-11180-fix

fix-combined-format

fix-9131-invariant-propagation

fix/tui-actor-selection-overlay

pr-11201

merge/pr-11196-invariant-fix

fix/issue-10813-strategize-decision-persistence

pr-fix-11170

pr/11165

temp-pr-11174

feat/invariant-enforcement-validation-pipeline

pr-fix-10356-unsubscribe-eventbus

pr-fix-11156-python313-deprecation

feature/pr-7801-fix-validate-path-security

fix/11039-render-refresh

fix/tui-actor-selection-render-rename

pr-fix-11089-session-close-validation

pr-fix/11089-session-close-validation

pr-fix-11182

feature/7926-persist-decision-dependencies

bugfix/m3-rxpy-subject-close

test/restore-e2e-tests

feature/m694-tui-materializer-a2a-integration-layer

feature/issue-pr-9271-hot-max-tokens

pr-fix-8177

test/v360/e2e-project-plan-correction

bugfix/issue-8426-stdio-cleanup

feature/eventbus-unsubscribe

bugfix/m3-integrate-mcp-transport

fix/concurrent-stdout-restoration

feat/a2a-stdio-transport-fix-264

PR-fix-wf18

feature/sandbox-cache-invalidation

fix/issue-10496-auto-debug-state-mutation

fix/python-313-asyncio-deprecations

pr-11128

pr-11180

pr-11165

pr-practice

structural-output-validation

fix/status-check-native-expressions

feat/merge-conflict-detection

11036-fix-acms-hot-max-tokens

pr/11166

fix/ci-status-check-native-expressions

fix/stdlib-transport-cleanup

fix/11176-actor-selection-render

pr-fix-10597

feature/pr-compliance-pool-supervisor

fix/actor-add-update-enforcement-fix

pr_fix/8209

pr-10590

fix/python313-asyncio-get-event-loop-deprecation

pr-fix-#11053-session-id-validation

pr-fix-11042-renamed-render

feat/v360/acp-to-a2a-rename

fix-arg-swap-validation-attachment-8177

fix/asyncio-get-event-loop-deprecation

fix_8395_pr

pr-fix-11153-auto-debug-mutation

pr/11051-thread-safety-invariant

fix-plan-status-json-envelope

bugfix/pr-11015-pool-supervisor-checklist

feature/fix-7478-validate-path

feature/plans-conflict-detection

pr-11141-cleanup-stale-commits-beyond-head

fix/pyyaml-vulnerability-upgrade

pr-fix-9244

bugfix/m3-invariant-propagation

feature/issue-10480-fix-validation-bypass

feature/m3-invariant-enforcement-validation-pipeline

feat/invariant-enforcement-strategize-phase

bugfix/mcp-race-condition-start

fix/action-schema-argument-default-type-validation

issue-10438-fix

fix/mcp-timer-race-10516

fix/10480-validation-bypass-fix

fix/cli-session-tell-format-flag

feat/agents-invariant-add-list-remove-commands

restore-e2e-cleanup

fix/events-eventbus-unsubscribe

fix/issue-11120-cleanup-stale-preserve-artifacts

feature/fix-issue-11121-cleanup-stale-reinvoke

fix/issue-10480-plan-validation

feature/m5-tdd-quality-gate

bugfix/11121-fix-cleanup_stale-preserve-meaningful-changes

bugfix/m8-set-active-persona-preset-reset

feat/context-priority-strategy

feature/issue-4381-docs-api-and-module-guides

m7-opencode-ruff

bugfix/m3-wf18-oom-sigkill

bugfix/acms-dual-strategy-capabilities-incompatible-fields

feature/benchmark-scheduled-workflow

feature/m8-tui-mainscreen

feat/v3.4.0/acms-project-indexer

fix/10932-preserve-strategy-decisions-json

fix/data-integrity-session-rollback-7489

fix/issue-6329-resource-remove-edge-table

fix/issue-7524-invariant-service-thread-safety

pr-10932-fix-plan-strategy-decisions

pr-fix-9244-pyyaml-upgrade

refactor/noxfile-parallel-test-architecture

task/ci-matrix-strategy-python-versions

bugfix/m3.6.0-ci-pipeline-flakiness-stabilization

feat/v3.3.0-plan-rollback

refactor/auto-guard-1-cli-a2a-boundary

feature/issue-10755-redirect-rich-panels-to-stderr

pr10871

fix/10881-propagate-invariants-to-child-plans

feat/resources-extension-interface

pr-fix-10901

ci/optimize-benchmarks-regression

fix/tui-extract-at-token-suggestions

feat/acms-index-data-model

feature-10887-eventbus-unsubscribe

feature/m5-add-repo-indexing-showcase

PR-10910-a2a-json-rpc-routing

feature/milestone-based-pr-prioritization

bugfix/m3-issue-9055

auto-time-3-day106-cycle2

feature/m39-timeline-day106-cycle2-2026-04-16

timeline/day-106-cycle2-2026-04-16-auto-time-3

feat/issue-10921-a2a-http-transport

pr/fix-10842

feature/issue-10746-fix-agents-graphs-plan-generation-validate-always-passes-for-code-longer-than-10-characters-making-llm-validation-ineffective

agents/fix-10866-permissions-screen-to-textual-screen

pr-10886

bugfix/m3-session-tell-format

fix/pr-10890-shell-safety-integration

fix/session-delete-json-envelope

pr-10851

test/v3.8.0-ci-quality-execution-time

feature/m7-timeline-day-106-update

bugfix/context-remove-path-traversal-10924

pr-10876

fix/gemini-fallback-order

fix/trailing-comma-opencode-json

pr/fix/mcp-client-start-race-condition

fix/project-switch-command

fix-pr-4211

feat/three-way-merge-engine-9608

pr/9673

fix/1469-plan-execute-structured-panels

fix/actor-provider-validation

implement-pr-9442

cleveragents-push-23420b48

fix/validation-repo-silent-swap

feat/context-strategy-plugin-system

fix/startswith-bypass-7478

fix-plan-status-envelope-11034

fix/invariant-thread-safety

fix-thread-safety-invariant-service

fix/8284-warned-sessions-reset

docs/milestone-plan-navigation

feat/v3.3.0-checkpoint-creation

feature/implementor-notification-11032

task/ci-optimize-e2e-tests-execution-time

feature/pr-9599-plan-correct-correction-engine

pr-fix-10593

pr9452

fix/isolate-checkpoint-prune-test

pr/fix-9601

pr/9234-hardening-bdd-tags

bugfix/9673-acms-budget-enforcement

pr-8667

auto-arch/spec-pr-10451-test-coverage

fix/10954-security-scan-dockerfile

bugfix/9183-bdd-tag-enforcement

fix/7566-engine_cache-toctou-race

fix/10934-preserve-strategy-decisions-json

bugfix/10608-lsp-header-injection

bugfix/9981-acms-indexing-optimize

bugfix/11077-security-escape-bypass

fix/auto-rev-sup-tracking-prefix

fix-lsp-subprocess-cleanup-10597

improvement/agent-evolution-pool-supervisor-pr-metadata

fix/plan-tree-json-output-envelope

pr-9313-fix

bugfix/9244-pyyaml-security-upgrade

feature/issue-1925-add-asv-tests-for-domain-module

test/domain-asv-benchmarks

feature/9250-fix-a2a-session-close

fix/pr-10027-acms-default-pipeline

bugfix/m2-plan-explain-alternatives-format

fix-invalidate-sandbox-dirs-cache-after-purge-7527

pr-fix-10958-async-cleanup-tests

feat/adr-049-layer-boundary-enforcement

fix/action-list-table-columns

fix/issue-7478-validate-path-startswith-bypass

pr-fix-ci-11000

fix/agent-skill-multi-scope-discovery

pr_fix_8675_switch_project_command

feat/m6/devcontainer-clone-into-sandbox

fix/tui-keybinding-preset-persona-cycling

pr-fix-10982

bugfix/m3-invariant-service-thread-safety

pr-fix-10937-close-reactive-eventbus

pr-fix-7478-path-traversal

feature/benchmark-scheduled-workflow-fix

pr-9183-add-bdd-tags

pr/11029-review-started-notification

fix/pyyaml-security-upgrade

fix-plan-status-panels

fix-pr-11037

feat/v3.6.0-database-resource-types

pr-10591-checkout

pr-10979

fix/invariant-thread-safety-8209

pr-fix-11002-validate-path-bypass

fix/10597-lsp-proc-cleanup

fix/plan/tree-envelope-9313

fix-6568-push

fix/issue-6425-tui-persona-cycling-keybinding

pr/11044

feature/m6-reduce-redundant-ci-status-reporting

fix/11041-plan-tree-envelope

fix/ca-test-infra-improver-health-spam

agents/pr-6628-fix

docs/add-showcase-cli-basics

auto-time-1-day107-cycle

improvement/agent-uat-tester-parallel-docs-pr-fix

fix/issue-11047-actor-add-rename-from-config

fix/pr-11050-subprocess-cleanup

pr-6741

ci/cache-helm-binary-auto-inf-1

fix/8675-project-switch

fix/7527-sandbox-cache-invalidation

fix/issue-6319-project-context-set-output

pr/fix-9183-bdd-tags

fix/issue-6325-plan-explain-decision-id

fix/1422-docs

pr-fix-1485-updates

spec/subplan-system-v3.3.0

pr/6723-fix-session-create-json

improvement/agent-bug-hunt-pool-supervisor-tracking-prefix-complete

fix/pr-6695-session-list-empty-json

fix/file-tools-startswith-bypass

pr_fix_8256

pr-9663-fix

docs/add-example-resource-and-skill-management

feature/m39-cli-basics-showcase

pr-fix-7478-startswith-bypass

fix/issue-11047-actor-add-remove-positional-name

fix/gemini-fallback-order-fix-3

pr_fix_8179

fix/gemini-fallback-order-fix-2

fix/validation-list-command

fix/validation-list-command-clean

fix-pr7957-complete-tracking-prefix

pr-7922-fix-lint

fix/validation-swap-8177

add-plan-start-alias

feature/pr-8304-container-clone-into

fix-pyyaml-11012

pr-fix-9461

fix/pr-11004-tui-token-extraction

fix/invariant-scope-handling

feat/plan-correction-8531

pr/8685-correction-data-model-persistence

bugfix/lsp-stdio-transport-cleanup-10597

pr-8660

feat-scope-chain-resolution

chore/pyyaml-upgrade

fix/9250-session-id-validation-handle-session-close

fix/issue-7478-file-tools-validate-path

pr-fix-9442-tui-ctrltab

spec/update-cycle8-validation-gate-empty-run-guard

fix/tui-sqlite-session-persistence-10648

fix/8661-plan-start-alias

fix-10649

refactor/add-return-type-get-services

pr-fix-cache-init

pr9407-timeline

feat/tui-prompt-symbol

pr_fix_9407-plan-alternatives-structured

feat/automation-profile-precedence-chain

bugfix/8179-remove-session-rollback-calls

feat/v360/pluggable-scope-chain-api

pr-9246

refactor/agent-configurable-limits-context-analysis-plan-generation

fix/issue-6452-session-tell-output

fix/v370/quality-gates-command-injection

pr-fix-10635-fixed

pr-10069

pr/fix-9313

pr-10643

invariant-pr-8684-fix

pr-fix-6676-resource-remove-edge-table

refactor/v360/audit-rename-acp-imports

fix/issue-7623-validation-pipeline-stdout

fix/acms-consolidate-strategycapabilities

fix/issue-7604-a2a-event-queue-concurrency

pr-fix-8661

auto-arch/spec-clarifications-cycle-1

feat/pure-graph-bdd-coverage

fix/9250-validate-session-id-before-cleanup

feature/issue-9442-fix-tui-correct-preset-cycling-keybinding-to-ctrl-tab-and-add-persona-tab-cycling

bugfix/m6-file-tools-validate-path-bypass

fix/invariant-add-scope

bugfix/m3-shell-safety-service-tui

pr-8684-persist-invariants

pr-8209-fix

docs/v360/repl-actor-run-showcase

feat/v360/cost-session-budget

bugfix/8177-remove-silent-argument-swap

fix/plan-apply-rich-output-panels

pr-fix-11012

pr-fix-11012-pyyaml-upgrade

pr-fix-8667

pr/fix/11012-pyinsec

pr-fix-9407

pr-8853

test/cli-lifecycle-e2e-full-plan-lifecycle

bugfix/m3-evlv-9824-implementation-pool-compliance-checklist

pr/10069

docs/pr-creator-state-priority-labels

fix/1514-structured-panels

test/core-asv-benchmarks

fix-8640-remove-positional-name

pr-fix-10995

refactor/v3.6.0-acp-to-a2a-rename-push

pr-9663

bugfix/m3.6.0-lsp-discovery-resource-exhaustion-dos

8660-move-namespace-filter-inside-lock

pr-fix-work

test/plan-correct-json-output-tdd

pr-8304

feat/v3.2.0-invariant-data-model-db-schema

pr_fix_1514_v2

timeline-update-2026-04-19

pr-fix-9313-plan-tree-envelope

test/v3.6.0/advanced-context-strategies-tests

pr/11004-fix-tui-suggestions-query-extraction

pr-fix-9817

feat/9558-plan-conflict-detection

docs/timeline-day-101

fix/v360/plugin-loader-security

feat/acms-context-policy-fix-9671

pr-9817-plan-apply-json

pr-fix-9460

pr-fix-6722-prompt-symbol

pr/9671

pr-fix-9671

pr-10592-fix

fix/issue-7478-file-path-validation

pr-fix-7478-validatepath

feat/pr-10590-context-strategy-fix

bugfix/m6-acms-path-matching-absolute

bugfix/pr-9183-bdd-tags

fix-pr-10975-path-matching-normalize

pr_fix/lsp-transport-subprocess-cleanup

pr-8177-validation-fix

feat/acms-context-show-clear-cli

feat/v360/plugin-architecture

fix/invariant-add-scope-required

pr-fix-10590-context-strategy

pr-fix-10590-local

pr-8662-fix

pr/1485

bugfix/8660-move-namespace-filter-inside-lock

pr/9460-project-show-invariants-validations

pr-11013

fix-1469-impl

fix/1469-impl

fix/cleanup-service-sandbox-cache-invalidation

pr-8257

pr-3329

feat/v3.2.0-decision-recording-strategize

fix/strategize-full-context-snapshots

clone-verify-test

fix/issue-6316-session-list-json-empty-case

AUTO-IMP/PR-9672-context-list-add

AUTO-IMP/PR-9663-storage-tiers

fix/issue-pr-11002

fix/plan-lifecycle-prompt-decision

fix/gemini-fallback-order-10906

AUTO-IMP/PR-10583-a2a-rename

fix-check-same-thread-migration-runner

d2188407

fix/a2a-handle-session-close-missing-session-id-pr-9250

fix/invariant-merge-action-scope

pr-fix-8179

bugfix/report-number-of-actors

bugfix/m6-devcontainer-autodiscovery-wiring

fix-gemini-fallback-order-10906

bugfix/m5-event-bus-exception-swallow

pr/3458

acms-parallel-indexing-fix

bugfix/m3-error-handling-fileconfig-unhandled-exception

acms-parallel-indexing

fix/resource-removal-children-check-6886

pr/9451-fix-tui-thinking-effort-presets

pr-fix-10958

fix/8179-remove-session-rollback-calls

pr/9817-plan-apply-json-envelope

fix/lsp-context-enrichment-acms-wiring

fix/cli-remove-positional-name-from-actor-add

fix/acms-context-cli

fix/tui-permissions-screen-wrong-base-class

bugfix/m6-session-create-suppress-exception-logging

fix/plan-tree-json-missing-decision-id

fix/plan-start-spec-alignment

fix-10957

fix/6726-tui-persona-cycling-keybinding

feat/plan-rollback-cli-checkpoint-restore

pr-8661-plan-start-alias

pr/1486/resource-handler-return-type

feature/8667-add-validation-list-command

auto-docs-1-mkdocs-setup

fix/actor-add-positional-name

feat/v3.3.0-merge-strategy-config

fix/invariant-precedence-chain-action-scope

improvement/agent-pr-review-pool-supervisor-tracking-prefix-complete

pr/fix/actor-loader-list-actors-race-condition

bugfix/m4-lsp-context-enrichment-acms-wiring

docs/auto-docs-2-v320-v330-features

bugfix/m-error-suppression-reactive-registry-adapter-v2

fix/7501-plan-repository-success-derivation

pr-10492

pr-8225

fix/plan-artifacts-missing-validation-apply-summary

feature/m9-v3.8.0-v3.9.0-documentation

docs/fix-automation-profile-default-supervised

fix/context-analysis-agent-path-traversal

pr-9229-path-traversal-fix

pr-10975

pr-fix-10986

pr/1486/fix-resource-handler-return-type

feat/m8/tui-main-screen

pr-9257-fix

fix/9222-guard-integration-e2e-jobs

refactor/clarify-behave-robot-framework-roles

docs/reference-glossary

feat/9088-a2a-message-send-stream

bugfix/m6-gemini-fallback-order

fix/validation-list-command-fixed

fix-executable-resource

test/plan-tree-correction-visual-tdd

auto-time/timeline-update-2026-04-18

pr-8179

spec/auto-arch-24-a2a-boundary-enforcement-adr

pr/10988/head

fix/7566-engine-cache-toctou-race

feat/v3.6.0-llm-provider-abstraction

fix/concurrency-catalog-cache-lock-7590-cleandiff

chore/test-infra-broad-exception-lint

issue-7502-fix-get-for-plan

fix/1500-impl

feat/context-show-cli-commands

pr-fix-7527-cache-invalidation

pr-fix-9407-plan-explain-structured-alternatives

fix/multi-scope-skill-discovery-9369

pr_9454

feat/agent-switch-cmd

pr-9329

8661-plan-start-alias

feat/acms-context-analysis-summaries

fix/invariant-add-repeatable-plan-action

tdd/m6-session-create-suppress-exception

test-push-check-only

pr-10889

pr-10889-fix

feature/issue-10952-provider-integration-tests

pr/10879-benchmark-caching-parallelism

bugfix/m3-eventbus-unsubscribe

spec/add-deleted-at-field-to-project-delete

fix/issue-6500-actor-context-list-regex

tdd/m8-tui-sqlite-session-persistence

fix/issue-6464-resource-add-auto-discovery

fix/bug-hunt-supervisor-tracking-prefix

feat/v3.2.0-plan-tree-cli

fix/issue-6491-actor-remove-format-option

fix/issue-6457-json-envelope-messages-text

improvement/agent-ca-test-infra-improver-duplicate-avoidance

fix/boundary-cost-budget-warning-re-trigger-7525

bugfix/6879-cli-format-option

feat/jwt-token-refresh

auto-discovered-stale-conflicts-review-task

docs/add-example-audit-log-and-security

docs/v3.8.0-api-and-module-guides

fix/issue-9169

improvement/reduce-redundant-ci-status-reporting

feat/v3.4.0-acms-index-data-model-traversal

bugfix/m3-sqlite-check-same-thread

issue-1-conversation-state

bugfix/m3-evlv-implementation-pool-compliance-checklist

feature/m9-a2a-jsonrpc

bugfix/m6-plan-execute-rich-output

fix/uat-checkpoint-prune-test-isolation

feature/issue-4749-split-monolithic-specification

bugfix/m8-suggestions-query-extraction

bugfix/m6-session-delete-format-json-envelope

bugfix/m3-langgraph-disposables

timeline/day-104-2026-04-14-auto-time-2

docs/quickstart-guide

fix/plan-prompt-json-timing-started

feat/v3.6.0-virtual-resource-types

feat/tui-v370/persona-registry

fix/1431-subgraph

bugfix/7529-a2a-terminal-phase-guard

bugfix/m3-bdd-feature-file-tags

ci/v360/isolate-slow-e2e-tests

feature/m3-consolidate-documentation

feature/m7-user-driven-review-agent

feature/m9-a2a-http

fix/1423-refactor

fix/tui-mainscreen-3state-sidebar-adr044

task/v3.8.0-ci-reusable-workflows

testbed/m9-hello

docs/add-label-verification-to-new-issue-creator

bugfix/m3-database-migration-runner-check-same-thread

feature/m4-plan-correction-revert

improvement/agent-architecture-pool-supervisor-milestone-assignment

docs/changelog-unreleased-cycle7

feature/m9-changelog-unreleased-cycle7

fix/issue-10512-mcptooladapter-rlock

fix/data-integrity-llm-trace-repository-7505

agents/auto-working-new

fix/resource-removal-guard-linked-children

fix/1468-impl

feature/1915-timezone-aware-datetime

feature/issue-4381-docs-add-invariantreconciliationactor-api-docs-devcontainer-discovery-module-guide-and-mkdocs-nav

task/ci-actor-context-mgmt-test-optimization

fix/7619-git-tools-base-env-toctou

pr-fix-8661-updates

feature/issue-2798-chore-agents-improve-ca-test-infra-improver-strengthen-duplicate-avoidance

bugfix/m3-migration-runner-check-same-thread

feature/issue-10952-fix-database-migration-runner-check-same-thread

fix/dependency-security-aiohttp-cves

test/uko-persistence-coverage

fix/security-b608-sql-fstring-migration-plan-phases

fix/cli-legacy-removal

feature/m39-auto-arch-23-minor-clarifications

bugfix/m3-langgraph-execute-state-bypass

feat/issue-6370-actor-context-clear

feat/acms-hot-storage-tier-lru-cache

feature/m3111-milestone-based-pr-prioritization

bugfix/m3-actor-run-response

fix/issue-7524-invariant-service-thread-safety-v2

pr-fix-10746

fix/tui-auto-generate-presets-actor-schema

feat/agent-card-discovery

feature/pr-10916-close-reactive-event-bus

feature/issue-1917-optimize-robot-actor-context-management-tests

feature/issue-10803-fix-nox-sessions-use-uv-sync-frozen

feature/issue-1923-missing-test-levels-core-module

feature/1928-add-test-coverage-for-tui-module

chore/ci-dockerfile-server-security-scan

task/ci-centralize-tool-versions

feature/m9-langgraph-platform

bugfix/m5-validation-attach-output-format

test/ci-execution-time-optimize-benchmark-regression

feature/issue-3105-add-mandatory-labels-to-supervisor-tracking-issue-creation

feat/acms-context-policy-configuration-schema

feat/context-sliding-window-strategy

feature/issue-5163-align-checkpoint-trigger-names

feature/issue-4221-docs-add-showcase-example-for-audit-log-and-security-commands

bugfix/m3-output-plan-results

fix/action-archive-output-panels

pr/9912-fix

fix/concurrency-catalog-cache-lock-7590

bugfix/executor-error-details-overwrite-mini-max

fix-10866-permissions-screen

feature/issue-7957-bug-hunt-pool-supervisor-tracking-prefix

fix-pr-10852

fix/10922-conversation-state-mgmt

pr-check

bugfix/10931-preserve-strategy-decisions-json

fix/10903-nox-showcase-docs

pr/10885-pyyaml-upgrade

pr-fix-10931

bugfix/executor-error-details-overwrite-qwen

fix-orchestrator-scaling-32-workers

fix-pr-1107-asgi-uvicorn

feature/m9-timeline-day-99

feat/issue-6369-actor-context-show

improvement/agent-label-compliance

fix-9912-branch

bugfix/10821-fix-tui-keybinding

feat/issue-6450-tui-escape-cascade

bugfix/m8-shell-safety-service-integration

fix/redaction-pattern-exception-handling

bugfix/m8-tui-on-input-changed

fix/action-schema-env-var-exfiltration

feature/spec-timeline-6003

feature/spec-timeline-6008

feature/issue-4746-update-spec-agents-diagnostics-all-9-providers

feat/v3.6.0/gemini-provider

pr/8194

tdd/prompt-input-textarea

feat/v3.6.0/cost-reporting-cli

fix/lsp-transport-security

feat/v3.6.0/semantic-context-strategy

feature/issue-10820-chore-agents-fix-bug-hunt-pool-supervisor-tracking-prefix-auto-bug-pool-to-auto-bug-sup-complete-fix

tdd/mN-registry-thread-safety

fix/v360/remove-acp-module

temp-squash

fix/v360/lsp-runtime-instantiation

feat/690-jsonrpc-routing

feat/v3.6.0-anthropic-gemini-backends

build/agents-system-rewrite

feat/v3.3.0-plan-rollback-cli

feat/v3.3.0-parallel-subplan-scheduler

feature/issue-10846-optimize-benchmark-regression-test-suite

feature/issue-10826-docs-spec-align-checkpoint-trigger-names-and-config-key-path-with-implementation

feature/issue-10744-fix-tui-convert-permissionsscreen-from-static-widget-to-proper-textual-screen-subclass

feature/issue-10794-feat-a2a-implement-a2a-http-transport-for-server-mode

fix/tui-preset-cycling

pr-10820

feature/696-implement-a2a-http-transport-for-server-mode

feature/issue-10792-feat-server-langgraph-platform-remotegraph-integration

feature/issue-1486-fix-v3-7-0-resourcehandler-return-type-1444

feature/issue-1488-fix-v3-7-0-resolve-issue-1432

bugfix/m1-plan-execute-sandbox-root

feature/issue-4663-day-97-schedule-adherence-update

feature/issue-10858-devops-run-linter

docs/milestone-v3.6.0-v3.7.0

feature/issue-10835-add-milestone-based-pr-prioritization

pr-8701-head

fix/7927-apply-phase-dod-gating

fix/sse-formatter-json-rpc-2.0

feat/v3.6.0/scope-chain-assembler-integration

fix/tui-bindings-block-cursor-navigation

fix/v360/compute-actor-impact-exceptions

feat/v360/openrouter-provider

docs/v360/cli-version-info-diagnostics

feat/context-semantic-chunking-strategy

feat/acms-cli-context-show-clear

feature/m7-actor-management-showcase-metadata

feature/m6-4213-resource-skill-showcase

feat/v360/anthropic-gemini-backends

feat/v3.6.0/safety-profile-enforcement

feat/context-dynamic-budget-allocation

refactor/v360/unify-error-handling-cli

fix/v370/tui-materializer-a2a

fix/auto-debug-agent-prompt-injection

refactor/v360/unify-api-naming

test/cli-docstring-example-validation

fix/v360/resource-kind-field

feat/v3.6.0/context-relevance-scoring

fix/v360/plugin-state-executing

fix/v360/lsp-path-traversal-file-reading

feat/acms-semantic-chunking-context-strategy

refactor/v360/unify-service-initialization

bugfix/m3.6.0-lsp-server-dos-message-read-timeout

feat/v360/pluggable-scope-chain-api-v2

docs/v360/actor-management-showcase

docs/v360/actor-removal-impact

docs/v360/align-depth-reduction-devcontainer

tdd/issue-10413-dollar-prefix-shell-mode

fix/issue-10503-session-export-json-stdout

fix/pr-10755

feat/v370/tui-web-mode

feat/v360/plugin-cli-discovery

fix/v360/llm-trace-latency-type

feat/v3.6.0/ollama-mistral-providers

feat/v3.6.0/adaptive-context-selector

feat/tui-v370/persona-registry-merge-v2

feat/v3.6.0/cost-tracker

fix/v360/resource-type-cycle-detection

refactor/auto-guard-1-address-todo-fixme-comments

feat/v3.6.0/pluggable-scope-chain

fix/v360/scope-chain-resolver-registration

test/v360/e2e-a2a-context-management

fix/v360/lsp-env-var-injection

feature/m6-sandbox-correction-invariant-docs

feature/m3-timeline-day97-update

fix/10480-validate-logic-error

feat/acms-cli-context-add

feat/acms-core-pipeline-components

feature/m4652-module-guides

feature/m5-extend-agents-diagnostics-example

feature/m5832-add-unreleased-changelog-entries

docs/add-repo-indexing-showcase

improvement/agent-pr-self-reviewer-blocking-vs-nonblocking

feature/issue-8225-validation-gate-empty-summary

spec/resource-type-yaml-format-canonical-5622

bugfix/m8179-fix-data-integrity-remove-session-rollback-calls-from-projectrepository

feat/v3.6.0/context-policy-strategy-config

test/v3.6.0/a2a-rename-regression-tests

fix/plan-lifecycle-root-decision-type

bugfix/cancel-worktree-cleanup

pr-10586

pr-9215

feat/issue-6357-tui-loading-states

temp-bug2-combined

timeline/day-105-2026-04-15-auto-time-1-v2

docs/consolidated-all-documentation

bugfix/m6-sandbox-reexecute-cleanup

fix/issue-9963-memory-service-timestamp-guards

docs/context-management-deep-dive-v2

docs/context-management-deep-dive

docs/agent-development-guide

feature/10008-file-level-correction-diff

feat/acms-scope-resolution-context-inheritance

docs/a2a-protocol-guide

fix/tui-bindings-reload-settings

docs/tui-user-guide-keybindings

fix/plan-generation-validate-logic

bugfix/issue-10408-dollar-prefix-shell-mode

test/issue-10500-persona-state-reset-tdd

docs/getting-started-tutorial

test/tdd-session-create-suppress-exception

fix/issue-10485-fallback-selector-budget-limits

docs/error-codes-guide

docs/common-tasks-recipes-guide

bugfix/mN-registry-thread-safety

test/migration-runner-sqlite-threading

docs/configuration-reference

pr-10678

pr-10681

test/issue-10510-mcptooladapter-rlock-tdd

feature/tui-screens-directory

fix/issue-10511-suppress-runtimeerror

pr-10676

fix/tui-block-cursor-bindings

pr-10680

test/issue-10502-session-export-json-tdd

fix/issue-10507-sqlite-check-same-thread

docs/installation-setup

test/v3.6.0/scope-chain-integration-tests

fix/v370/loading-throbber-restore

feat/v370/tui-settings-sessions-screens

fix/v370/tui-session-persistence

fix/v360/context-strategy-unification

fix/v370/shell-safety-regex

feat/v370/tui-rebase-merge

feat/v370/tui-complete-squashed

fix/v370/tui-shell-async

feat/v3.6.0/budget-enforcement

refactor/v360/decouple-cli-services

feat/v370/tui-session-persistence

auto-arch-1-spec-module-definitions

docs/v3.6.0-v3.7.0-updates

auto-time/timeline-update-2026-04-18-c3

auto-docs-2/add-changelog-contributing

auto-time/timeline-update-2026-04-18-c2

auto-docs-1/fix-mkdocs-nav-and-links

pr-5968

docs/timeline-day-107-2026-04-17

fix/issue-6323-project-context-show-output

improvement/agent-bug-hunt-pool-supervisor-tracking-prefix

auto-time/update-2026-04-17

docs/auto-docs-8-a2a-rename-documentation

auto-docs-3-v340-v350

docs/timeline-update-2026-04-15

auto-docs/initial-documentation-assessment

feature/m1-initial-documentation

fix/agent-task-list-memory-leak

bugfix/m4-plan-diff-correction-stub

pr-9247

docs/timeline-update-2026-04-17

timeline/day-106-2026-04-17-auto-time-1

fix/quality-gates-click82-compat

auto-arch-14/spec-anonymous-tool-enforcement

fix/issue-6441-session-create-json-output

fix/issue-6331-invariant-add-scope

timeline/day-106-2026-04-16-auto-time-1-v2

spec/auto-arch-23-minor-clarifications

timeline/day-106-2026-04-16-auto-time-2

docs/auto-docs-2-v380-v390

timeline/day-104-2026-04-14-auto-time-1

bugfix/m3-actor-add-v3-schema-validation

timeline/day-106-2026-04-16-auto-time-1

auto-docs/changelog-architecture-readme

spec/auto-arch-21-v350-autonomy-hardening

chore/timeline-day-105-2026-04-15

docs/timeline-update-2026-04-15-auto-time-1

timeline/day-105-2026-04-15-auto-time-1

benchmark-ci

fix/plan-phase-migration-raw-sql-root-plan-id

auto-arch-12/spec-acms-context-tier-hydrator

timeline/day-106-2026-04-15-auto-time-1

feat/invariant-enforcement-strategize

feat/plan-tree-decision-rendering

feat/plan-correct-revert-append-modes

docs/auto-docs-4-fix-conflicts

docs/auto-docs-1-milestone-docs-v3.0.0-v3.1.0

feat/v3.4.0-acms-lifecycle-policy

pr-9220

fix/a2a-facade-optional-param-validation

feat/ci-guard-llm-secrets

pr-9214

feat/v3.3.0-subplan-status-tracking

feat/v3.3.0-merge-conflict-detection

uat/checkpoint-rollback-merge-tests

fix/pr-review-pool-supervisor-prefix-mismatch

feat/v3.3.0-spawn-subplan-step

auto-time-1-day103-cycle1-session6

feat/v3.8.0-agent-card-endpoint

docs/auto-docs-cycle-24-showcase-nav

auto-inf-3-consolidate-behave-fixtures

fix/issue-7663-docs-writer-missing

auto-time-1-day103-cycle2

docs/timeline-day-104-auto-time-1

auto-arch-16/spec-xml-prompt-injection-mitigation

bugfix/m4-invariant-persistence

uat-a2a-facade-tests-v350

bugfix/m3-behave-parallel-failed-chunk-logs

bugfix/7664-automation-tracking-label-requirements

docs/auto-time-1-timeline-update-2026-04-14

docs/auto-docs-1-milestone-v3-updates

fix/issue-6344-plan-execute-rich-output

docs/action-config-schema-api

fix/bug-hunt-supervisor-nonexistent-file-preflight

fix/retry-policy-model-missing-fields

docs/validation-gate-empty-run-guard

auto-arch-15/spec-retry-policy-canonical-fields

docs/lockservice-advisory-locking

docs/changelog-plan-fix-4197

spec/milestone-plan-section

docs/update-changelog-recent-features

fix/test-infra-remove-redundant-python-variable-robot-files

timeline/day-104-2026-04-14-cycle2

fix/bdd-feature-file-tags

auto-arch-13/spec-default-automation-profile

docs/auto-docs-cycle-1-2026-04-12

docs/cycle-1-git-worktree-sandbox

spec/architecture-critical-gap-fixes

docs/timeline-day-104-auto-time-2

auto-arch-1/add-v380-v390-milestone-plan

docs/developer-setup-guide

fix/auto-profile-spec-prose-description

auto-arch-10/spec-tui-a2a-integration-layer

spec/resource-event-types-clarification

auto-docs-4/changelog-and-observability

auto-arch-4/adr-049-layered-boundary-enforcement

docs/a2a-protocol-autonomy-hardening

auto-arch-9/spec-v3.8.0-milestone-plan

docs/auto-docs-3-reference-index

auto-arch-7/spec-apply-git-worktree

docs/timeline-day104-cycle1-auto-time-4

docs/auto-docs-cycle-1-changelog-updates

auto-arch-6/adr-049-spec-restructuring

docs/auto-docs-1-v340-acms-context-management

docs/auto-docs-1-v320-v330-cli-reference

auto-arch-5/v3.9.0-milestone-plan

test/create-scripts

auto-time-1-day104

timeline/day-104-2026-04-14

docs/auto-time-4-day103-cycle5

auto-time-3-day103-cycle4

auto-docs-5-architecture-overview

spec/three-way-merge-strategy-v3.3.0

spec/checkpoint-system-v3.3.0

auto-docs-4-api-docs-update

auto-docs-1-changelog-expansion

spec/invariant-management-system-v3.2.0

pr-8289

spec/plan-correction-engine-v3.2.0

spec/layered-architecture-boundary-policy

spec/tui-materializer-a2a-integration-v3.7.0

spec/decision-recording-system-v3.2.0

docs/auto-docs-1-milestone-overview

pr-7484

pr-4212

auto-arch-3/v3.8.0-milestone-plan

auto-docs-6/troubleshooting-and-config

auto-time-1-day103-session5

auto-docs-5/contributor-guide-and-readme

docs/plan-tree-ulid-examples

docs/m3-spec-clarify-path-datetime-plugin-contracts

docs/auto-docs-cycle-10-diagnostics-ref

auto-docs-3/user-guide-and-architecture

docs/cycle-7-changelog-update

spec/reconciliation-failure-behavior

auto-docs-2/api-documentation

auto-arch-2/adr-053-repositories-decomposition

auto-docs-1/release-notes-v3.0-v3.1

spec/update-validation-attach-project-delete

spec/architecture-cycle2-impl-clarifications

auto-arch-1/adr-049-052-violations

auto-time-1-day103

docs/auto-docs-cycle-13-updates

docs/timeline-day-102-auto-time

timeline/day-103-2026-04-13

spec/arch-invariant-cli-completeness

spec/update-cycle1-validation-attach-project-delete

docs/add-session-management-showcase

spec/arch-sandbox-path-correction-cycle9

spec/architecture-v380-milestone-plan

docs/auto-docs-cycle-12-updates

docs/cycle-1-validation-gate-fix

docs/2026-04-08-unreleased-changelog

docs/auto-docs-cycle-2-2026-04-10

docs/session-4615-2026-04-08-cycle1

feat/issue-6361-shell-safety-service-tui

spec/architecture-cycle-25-new-features

fix/issue-6345-automation-profile-add-output

docs/timeline-day-102-2026-04-12

docs/cycle-2-git-worktree-acms-hydrator

spec/arch-sandbox-cleanup-discovery

docs/timeline-day96-2026-04-08

docs/auto-docs-cycle-11

spec/fix-sandbox-strategy-protocol-name

spec/arch-acms-tier-hydration

fix/v3.4.0/context-settings-defaults

docs/add-example-repl-and-actor-run

docs/auto-docs-cycle-10-updates

docs/session-4-2026-04-08-updates

docs/showcase-all-examples-consolidated

docs/timeline-day-97

docs/acms-context-hydrator-cycle2

docs/add-example-output-format-flags

spec/arch-failfast-cancel-semantics

timeline/day-101-2026-04-11

docs/timeline-day99-2026-04-09-v2

docs/auto-docs-cycle-2-worktree-acms

spec/architecture-v3.8.0-milestone-plan

docs/api-lsp-acms-reference

improvement/agent-bug-hunt-pool-supervisor-yaml-syntax-fix

spec/project-delete-deleted-at-field

spec/architecture-provider-registry-tui-materializer

spec/document-reconciliation-blocked-error-5942

fix/issue-7482-git-log-injection

spec/devcontainer-auto-discovery-schema

feat/issue-6350-conversation-content-pruning

docs/update-module-guides-2026-04-10

timeline/day-100-2026-04-10-auto-time-cycle1

timeline/day-99-2026-04-09-auto-time-v2

docs/cycle-3-module-guides

timeline/day-99-2026-04-09-auto-time

pr-4226

spec/additional-llm-providers-gemini-groq-cohere-together-ollama-mistral

spec/document-context-tier-hydrator-6175

docs/timeline-day99-2026-04-09

spec/invariant-cli-clarifications

docs/add-example-project-init-and-context-management

spec/reconciliation-blocked-error-documentation

spec/fix-invariant-precedence-reference-5861

spec/fix-plan-correct-accepts-plan-id-5558

spec/fix-validation-attach-synopsis-5328

docs/timeline-day-99-cycle-1

docs/timeline-day-99-cycle-2

fix/actor-context-list-regex-arg

docs/timeline-day-99-cycle-3

spec/arch-security-mode-init

docs/auto-docs-cycle-9-updates

fix-resource-fix-resource-remove-to-check-correct-edge-table

feat/issue-6434-tui-env-var-expansion

fix/issue-6321-plan-prompt-timing-field

fix/issue-6322-resource-add-url-flag

feat/issue-6348-sessions-screen

spec/plan-show-command

temp

feat/harden-label-restrictions-1775753628

spec/invariant-reconciliation-failure-behavior

spec/add-reconciliation-failure-behavior-5942

spec/architecture-corrections-cycle3

spec/checkpoint-trigger-names-and-config-key-fix

spec/fix-ai-provider-interface-5801

spec/azure-api-version-default-update

docs/auto-docs-writer-cycle1-labels

spec/fix-resource-type-yaml-format-5622

spec/add-plan-revert-resume-commands-5574

docs/auto-docs-cycle-1-2026-04-09

spec/plan-correct-plan-id-or-decision-id-5558

spec/fix-subgraph-node-actor-ref-field-5427

issue/5284-master-ci-fix

timeline/day-99-2026-04-09-v2

merge-me

docs/session-3377-initial-docs-update

fix/llm-provider-subpackage-exports

spec/arce-acronym-and-tui-keybinding-fixes

spec/architecture-corrections-cycle2

spec/architecture-corrections-cycle1

docs/cycle-1-updates

spec/tui-clarifications-session-export-persona

docs/session-4940-2026-04-08-cycle1

spec/architecture-milestone-plan-v3.2-v3.7

docs/session-4743-2026-04-08-cycle1

docs/timeline-day-98

fix/plan-lifecycle-service-rollback-method

docs/timeline-day98-2026-04-08-v2

docs/add-example-action-and-plan-management

docs/session-2026-04-06-updates

docs/ca-docs-writer-v3.8.1-2026-04-05

fix/session-tell-stub-missing-panels-and-actor-execution

improvement/agent-arch-guard-clone-failure-handling

improvement/agent-test-infra-health-spam-fix-v2

fix-tdd-invert-non-assertion-exceptions

improvement/agent-arch-guard-clone-failure

bugfix/3472-fix-tdd-inversion-logic

bugfix/989-fix-persistence-json-decode-error

improvement/agent-supervisor-tracking-labels-v2

docs/timeline-day95-v2

docs/timeline-day95-final

docs/update-lsp-api-and-changelog

fix/lsp-resource-handler-module-missing

docs/timeline-day95-final-2026-04-05

fix/a2a-plan-correct-rollback-wiring

docs/add-lsp-api-and-changelog-2026-04-05

fix/tool-registry-validation-type-discriminator

docs/v3.7.0-documentation-update

docs/ca-docs-writer-2026-04-05-cycle2

fix/invariant-set-merge-action-scope

docs/unreleased-feature-docs

fix/concurrency-cost-tracker-record-usage-race-condition

improvement/agent-ca-test-infra-improver-failure-handling

docs/update-changelog-mcp-plan-ci-2026-04-05

improvement/agent-pr-reviewer-milestone-prioritization

docs/timeline-day95-refresh-2026-04-05

improvement/agent-mandatory-labels-tracking-issues

docs/api-domain-providers-changelog-2026-04-05

docs/ca-docs-writer-2026-04-05

docs/timeline-day95-refresh

fix/skill-add-include-validation

docs/timeline-day-95-2026-04-05-update3

docs/timeline-day-95-2026-04-05-update2

docs/ci-incident-runbook-2597

improvement/agent-ca-test-infra-improver-worker-api-mode

docs/shell-safety-api-and-readme-highlights

docs/timeline-day-55-2026-04-04-v2

docs/timeline-day-55-2026-04-04

docs/timeline-day54-update3

improvement/agent-ca-test-infra-improver-fixes

spec/restructure-monolithic-to-split

docs/timeline-day54-update-v2

docs/timeline-day54-update

fix-agents

docs/shell-safety-and-domain-base-model

fix/1452-impl

fix/1473-plan-cancel

fix/1425-test

fix/1426-config

fix/1421-perf

fix/1424-impl

test/int-wf16-devcontainer

feature/m8-tui-persona-export

feature/m7-post-resource-equivalence

test/e2e-m4-acceptance

feature/m6-tantivy-backend

feature/m6-estimation

feature/m6-estimation-report-model

feature/observability-prometheus-audit

feat/server-auth-namespace

feature/m8-session-editing

feature/llm-actor-subplan-wiring

feature/m8-tui-first-run-actor-selection

feature/m8-tui-conversation-block-catalog

feature/m8-tui-settings-screen

feature/m7-e2e-porting

feature/m6-estimation-historical-stats

feature/m8-tui-persona-export-import

feature/m8-tui-sessions-screen

feature/m7-graph-backend

feature/m8-tui-block-context-menu

feature/m8-tui-tool-call-expand

feature/m4-missing-builtin-tools

docs/v3.7.0-release-docs

feature/m8-tui-session-export

test/e2e-wf15-disaster-recovery

test/e2e-wf03-refactoring

test/e2e-m3-acceptance

feature/m8-tui-prompt-history

feature/m8-tui-actor-thought-block-rendering

bugfix/m6-build-hierarchy-child-ids

feature/resource-inheritance-wiring

test/e2e-wf09-session

test/e2e-wf06-doc-generation

test/e2e-wf08-cloud-infra

test/e2e-wf02-test-generation

test/e2e-wf13-custom-profile

test/e2e-wf11-graph-actor

test/e2e-wf01-hello-world

test/int-wf17-explicit-container

test/int-wf12-hierarchical

test/int-wf15-disaster-recovery

test/int-wf13-custom-profile

test/int-wf03-refactoring

test/int-wf11-graph-actor

test/int-wf10-batch

test/int-wf09-session

feature/m3-tdd-issue-consistency-gate

feature/m3-invariant-enforcement-strategize

test/int-wf18-container-clone

test/int-wf01-hello-world

feature/m6-diagnostic-dashboard-health-categories

feature/m6-cli-polish

fix/e2e-db-isolation

feature/m7-post-tui

feature/m9-asgi-endpoint

feature/m7-post-server

tdd/m7-audit-session-race

tdd/m3-skill-add-regression

feature/m9-remote-repos

feature/fs-mount-file-types

tdd/container-resolve-crash

test/e2e-m1-acceptance

test/e2e-m2-acceptance

eugen.thaci-patch-3

eugen.thaci-patch-2

eugen.thaci-patch-1

aditya-fix-latest

feature/m4-secret-masking-llm-context

aditya-fix

refactor/m3-replace-mktemp

refactor/m3-remove-unittest-mock-integration

refactor/m3-remove-robot-mock-imports

refactor/m3-remove-mock-llm-integration

docs/improved-menu-adr

feature/m7-post-auth

feature/m3-fix-resource-bootstrap

feature/post-safety-profile-tests

integration/batch-2026-03-02

feat/slipcover

docs/safety-profile-spec-composition

integrate/freemo-batch-1

feature/m4-error-recovery

feature/m4-security-template

feature/m3-validation-pipeline

develop-aditya-2

feature/m3-diff-review

feature/m3-validation-apply

feature/m6-acp-stubs

feature/m4-correction-flows

feature/m1-plan-execute-runtime

feature/m4-security-exceptions

feature/m4-definition-of-done

feature/m4-correction-model

feature/m1-apply-pipeline

feature/m5-automation-profiles

feature/m2-lsp-stubs

feature/m3-invariants

feature/m1-actor-runtime

feature/docs-v2-restore

feature/m6-perf-scale

feature/m6-validation-edge

feature/m3-session-cli

feature/m1-persistence-tests-robot

feature/m3-config-cli

feature/m1-cli-tests-robot

feature/m5-subplan-tests

feature/m6-review-playbook

feature/aditya-m3-actor-loader

feature/m3-skill-protocol

feature/m4-automation-legacy-cleanup

feature/m3-change-model

feature/m3-skill-git

feature/m3-skill-registry

feature/m4-security-eval

fix/robot-tests

feature/m3-actor-registry

feature/m3-tool-cli

feature/m4-automation-profiles-cli

feature/m2-resource-cli-extensions

feature/m3-actor-loader

feature/m3-tool-domain-robot

feature/m3-skill-domain-robot

feature/m3-skill-cli

feature/m1-resource-db-robot-tests

feature/m3-session-domain-robot

feature/m1-persistence-tests

feature/m1-cli-tests

ten-branches-backup

feature/m3-skill-schema

feature/m3-session-persistence

feature/automation-profiles-and-resource-dag

feature/m1-plan-repo

feature/m1-db-plan-phase-rebaseline

feat/B4-sandbox

feat/B2-cli-wiring

feat/B5-project-persistence

feat/B1-project-data-models

feat/b1-data-models

feat-repo-manager-and-sourcegraph-support

feat/actor-schema

fix/component-isolation-security-fix

feat/ontology-agent

fix/error-handling-security-fix

fix/concurrency-security-fix

fix/serialization-security-fix

fix/server-side-request-forgery-security-fix

fix/file-system-security

fix/template-injection-fix

fix/data-injection-fix

tests/unit-tests

latest/poetry-generator

poetry-generator

config/contract-metadata-extractor

docs/readme-yaml-syntax

config/memory-yaml

fix/double-response

brent-additions

intel_2_demo

auto-working-v6

auto-working-v5

auto-working-v4

auto-before-rewrite-v0

auto-working-v3

auto-working-v2

auto-working-v1

v3.1.0

v3.0.0

v2.0.0

Labels

Clear labels

auto/needs-reevaluation

Controller deferred this PR; awaiting Phase 6+ scope-evaluator or operator re-enablement.

controller-managed

Auto-agents controller manages this PR/issue (see tools/controller/deploy/RUNBOOK.md). Remove this label to abandon controller management.

auto/blocked-by-deps

PR blocked by an open issue dependency. Operator must close the dep (or remove the dependency link) before the merge driver can act. Auto-cleared by merge_drive when no open deps remain.

auto/ci-timeout

Most recent merge cycle hit CI timeout. Driver excludes this PR while last merge_cycle row is < 30 min old; label persists thereafter as visible history.

auto/claimed-implementer

Currently being processed by an implementer worker.

auto/claimed-merge

Currently being processed by the merge driver.

auto/claimed-reviewer

Currently being processed by a reviewer worker.

auto/driver-down

Merge driver heartbeat stale; pipeline halted. Closed automatically on next clean tick.

auto/invariant-violation

Detected master commit violating the strict merge invariant. Tracked as an issue (not a PR label); kept here for label completeness.

auto/last-attempt-tier-0

In-cycle escalation: most recent attempt ran at the Tier 0 slot (`tier-0`). Slot's model defined in .opencode/models/tiers.yaml.

auto/last-attempt-tier-1

In-cycle escalation: most recent attempt ran at the Tier 1 slot (`tier-1`). Slot's model defined in .opencode/models/tiers.yaml.

auto/last-attempt-tier-2

In-cycle escalation: most recent attempt ran at the Tier 2 slot (`tier-2`). Slot's model defined in .opencode/models/tiers.yaml. Gated behind IMPLEMENTER_ESCALATION_TIER2_ENABLED.

auto/last-attempt-tier-min

In-cycle escalation: most recent attempt ran at the Tier -1 slot (`tier-min`). Slot's model defined in .opencode/models/tiers.yaml. Suffix is ``-min`` (not ``--1``) so the Forgejo UI reads naturally.

Automation Tracking

Tracking issues used by the AI Automation system for agents to communicate and report.

auto/needs-conflict-resolution

Rebase conflict needs LLM conflict-resolver.

auto/needs-implementer

Failing CI needs implementer attention.

auto/postmortem

Documenting a driver incident or rollback.

auto/ready-to-merge

Reviewer has APPROVED this PR and no later REQUEST_CHANGES is outstanding. The merge driver requires this label to even consider a PR for merging. Set by the reviewer worker on APPROVE; cleared on REQUEST_CHANGES.

auto/restart-throttled

Train repeatedly lost master-tempo races. Driver excludes via merge_cycle until cooldown elapses; label persists as visible history.

auto/revert

Revert PR backing out an invariant violation. Fast-tracked through the merge driver.

auto/sentinel

Sentinel PR duplicated from upstream into a personal fork by tools/duplicate_prs_to_fork.py for pipeline testing. Lives only in the fork; the canonical pipeline never sees it.

auto/stale-inactivity

No implementer activity for N days. Flagged for human review. Auto-cleared on next push to head branch.

auto/unstable

Repeatedly fails on current master (>= 3 ci-fail-on-rebased-sha releases in 12 h). Excluded from driver until human triage.

Blocked

A ticket in a blocked state and unable to complete until some other task is completed first.

Bounty

$100

A bounty of $100 for any open-source contributor who provides a MR that solves this issue

Bounty

$1000

A bounty of $1000 for any open-source contributor who provides a MR that solves this issue

Bounty

$10000

A bounty of $10000 for any open-source contributor who provides a MR that solves this issue

Bounty

$20

A bounty of $20 for any open-source contributor who provides a MR that solves this issue

Bounty

$2000

A bounty of $2000 for any open-source contributor who provides a MR that solves this issue

Bounty

$250

A bounty of $250 for any open-source contributor who provides a MR that solves this issue

Bounty

$50

A bounty of $50 for any open-source contributor who provides a MR that solves this issue

Bounty

$500

A bounty of $500 for any open-source contributor who provides a MR that solves this issue

Bounty

$5000

A bounty of $5000 for any open-source contributor who provides a MR that solves this issue

Bounty

$750

A bounty of $750 for any open-source contributor who provides a MR that solves this issue

MoSCoW

Could have

Could have feature in order to satisfy the epic/legendary.

MoSCoW

Must have

Must have feature in order to satisfy the epic/legendary.

MoSCoW

Should have

Should have feature in order to satisfy the epic/legendary.

Needs Feedback

There are questions in the ticket that can not be completed until the project owner provides clarity.

Points

1 man-hours worth of work for an expert with no learning curve.

Points

13 man-hours worth of work for an expert with no learning curve.

Points

2 man-hours worth of work for an expert with no learning curve.

Points

21 man-hours worth of work for an expert with no learning curve.

Points

3 man-hours worth of work for an expert with no learning curve.

Points

34 man-hours worth of work for an expert with no learning curve.

Points

5 man-hours worth of work for an expert with no learning curve.

Points

55 man-hours worth of work for an expert with no learning curve.

Points

8 man-hours worth of work for an expert with no learning curve.

Points

88 man-hours worth of work for an expert with no learning curve.

Priority

Backlog

This ticket has backlogged priority and is not to be worked on yet

Priority

CI Blocker

Critical priority issue that blocks CI/CD pipeline and prevents PR merges

Priority

Critical

The priority is critical

The priority is medium

Signed-off: Owner

When an epic or legendary is in review it must be signed off by owner, tech lead, and scrum master before being marked as completed.

Signed-off: Scrum Master

When an epic or legendary is in review it must be signed off by owner, tech lead, and scrum master before being marked as completed.

Signed-off: Tech Lead

When an epic or legendary is in review it must be signed off by owner, tech lead, and scrum master before being marked as completed.

Spike

A ticket for learning a tool or technology that is needed to be able to do future planning and design.

State

Completed

The ticket has been fully implemented, completed, and merged with the source code. This label should only be applied once a ticket is closed.

State

Duplicate

A ticket that represents the same content as an existing ticket.

State

In Progress

A ticket that is actively being developed.

State

In Review

A ticket that has had some code completed to implement but is waiting to pass peer review and is not yet merged in.

State

Paused

This ticket's work started but wasn't finished. It's on hold (likely in a feature branch) and will be resumed later, either due to a blocker or a delay.

State

Unverified

All new tickets start in this state. A developer may set it to show the ticket is unverified. This means we haven't agreed to work on it. It will either move to a verified state or be closed as wontdo.

State

Verified

The issue has been verified by a developer as legitimate. It will be worked on and verified tickets are now considered part of the backlog.

State

Wont Do

This ticket has been decided it wont be done. This may mean the bug has been determined to not be real (cant verify) or the feature is one we have decided we dont want to adopt.

Type

Automation

Any edits or discussion about the AI automated coding system.

Type

Bug

Something that doesnt work as intended.

Type

Discussion

Anytime a ticket represents a discussion about a subject and doesnt fall into one of the other categories.

Type

Documentation

An error or improvement needed in the documentation.

Type

Epic

Any first tier epic. That is, an epic which contains only issues as children and will not have sub-epics.

Type

Feature

Some new functionality not present.

Type

Legendary

A type of Epic which will contain other Epics.

Type

Refactor

A code change that restructures existing code without changing its external behavior.

Type

Support

Someone needs help using the project.

Type

Task

A generic task that doesnt fit into the other type categories.

Type

Testing

Work exclusively focusing on fixing or expanding testing.

No labels

auto/needs-reevaluation

controller-managed

auto/blocked-by-deps

auto/ci-timeout

auto/claimed-implementer

auto/claimed-merge

auto/claimed-reviewer

auto/driver-down

auto/invariant-violation

auto/last-attempt-tier-0

auto/last-attempt-tier-1

auto/last-attempt-tier-2

auto/last-attempt-tier-min

Automation Tracking

auto/needs-conflict-resolution

auto/needs-implementer

auto/postmortem

auto/ready-to-merge

auto/restart-throttled

auto/revert

auto/sentinel

auto/stale-inactivity

Signed-off: Scrum Master

Signed-off: Tech Lead

Milestone

Clear milestone

No items

No milestone

v3.3.0

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

cleveragents/cleveragents-core#8985

Reference in a new issue

Repository

cleveragents/cleveragents-core

Title

Body

No description provided.

Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?

Rows
Columns