fix: type allowed tools validation

fix: keep skills lifecycle local
fix: make dump-manifests self-contained
2026-06-04 03:26:45 +00:00 · 2026-06-04 12:01:58 +09:00 · 2026-06-04 03:58:35 +09:00 · 2026-06-04 02:46:44 +09:00 · 2026-06-04 02:20:09 +09:00 · 2026-06-04 01:51:21 +09:00
29 changed files with 6431 additions and 913 deletions
--- a/.github/hooks/pre-push
+++ b/.github/hooks/pre-push
@@ -13,7 +13,7 @@ cd "$repo_root"
 if [[ -x scripts/roadmap-check-ids.sh ]]; then
  echo "pre-push: scripts/roadmap-check-ids.sh" >&2
-  scripts/roadmap-check-ids.sh
+  scripts/roadmap-check-ids.sh >&2
 fi
 if [[ "${SKIP_CLAW_PRE_PUSH_BUILD:-}" == "1" ]]; then
--- a/.gitignore
+++ b/.gitignore
@@ -8,6 +8,7 @@ archive/
 # Claw Code local artifacts
 .claw/settings.local.json
 .claw/sessions/
 .claw/rules.local/
 .clawhip/
 status-help.txt
 # Legacy Python port session scratch artifacts
--- a/ROADMAP.md
+++ b/ROADMAP.md
@@ -1244,8 +1244,7 @@ Model name prefix now wins unconditionally over env-var presence. Regression tes
 45. **`claw dump-manifests` fails with opaque "No such file or directory"** — dogfooded 2026-04-09. `claw dump-manifests` emits `error: failed to extract manifests: No such file or directory (os error 2)` with no indication of which file or directory is missing. **Partial fix at `47aa1a5`+1**: error message now includes `looked in: <path>` so the build-tree path is visible, what manifests are, or how to fix it. Fix shape: (a) surface the missing path in the error message; (b) add a pre-check that explains what manifests are and where they should be (e.g. `.claw/manifests/` or the plugins directory); (c) if the command is only valid after `claw init` or after installing plugins, say so explicitly. Source: Jobdori dogfood 2026-04-09.
-45. **`claw dump-manifests` fails with opaque `No such file or directory`** — **done (verified 2026-04-12):** current `main` now accepts `claw dump-manifests --manifests-dir PATH`, pre-checks for the required upstream manifest files (`src/commands.ts`, `src/tools.ts`, `src/entrypoints/cli.tsx`), and replaces the opaque os error with guidance that points users to `CLAUDE_CODE_UPSTREAM` or `--manifests-dir`. Fresh proof: parser coverage for both flag forms, unit coverage for missing-manifest and explicit-path flows, and `output_format_contract` JSON coverage via the new flag all pass. **Original filing below.**
+45. **`claw dump-manifests` fails with opaque `No such file or directory`** — **done (verified 2026-06-03):** current `main` now emits a self-contained Rust resolver inventory for `claw dump-manifests` without requiring upstream TypeScript files, build-machine paths, or `CLAUDE_CODE_UPSTREAM`. Explicit `--manifests-dir PATH` scopes resolver discovery to another directory and missing/not-directory values emit typed `missing_manifests` guidance. Fresh proof: parser coverage for both flag forms, unit coverage for self-contained default, explicit-directory, and missing-directory flows, plus `output_format_contract` JSON coverage all pass. **Original filing below.**
 45. **`claw dump-manifests` fails with opaque `No such file or directory`** — **done (verified 2026-04-12):** current `main` now accepts `claw dump-manifests --manifests-dir PATH`, pre-checks for the required upstream manifest files (`src/commands.ts`, `src/tools.ts`, `src/entrypoints/cli.tsx`), and replaces the opaque os error with guidance that points users to `CLAUDE_CODE_UPSTREAM` or `--manifests-dir`. Fresh proof: parser coverage for both flag forms, unit coverage for missing-manifest and explicit-path flows, and `output_format_contract` JSON coverage via the new flag all pass. **Original filing below.**
 46. **`/tokens`, `/cache`, `/stats` were dead spec — parse arms missing** — dogfooded 2026-04-09. All three had spec entries with `resume_supported: true` but no parse arms, producing the circular error "Unknown slash command: /tokens — Did you mean /tokens". Also `SlashCommand::Stats` existed but was unimplemented in both REPL and resume dispatch. **Done at `60ec2ae` 2026-04-09**: `"tokens" | "cache"` now alias to `SlashCommand::Stats`; `Stats` is wired in both REPL and resume path with full JSON output. Source: Jobdori dogfood.
 47. **`/diff` fails with cryptic "unknown option 'cached'" outside a git repo; resume /diff used wrong CWD** — dogfooded 2026-04-09. `claw --resume <session> /diff` in a non-git directory produced `git diff --cached failed: error: unknown option 'cached'` because git falls back to `--no-index` mode outside a git tree. Also resume `/diff` used `session_path.parent()` (the `.claw/sessions/<id>/` dir) as CWD for the diff — never a git repo. **Done at `aef85f8` 2026-04-09**: `render_diff_report_for()` now checks `git rev-parse --is-inside-work-tree` first and returns a clear "no git repository" message; resume `/diff` uses `std::env::current_dir()`. Source: Jobdori dogfood.
@@ -1547,7 +1546,7 @@ Original filing (2026-04-13): user requested a `-acp` parameter to support ACP p
   **Source.** Jobdori dogfood 2026-04-17 against `/tmp/cd3` on main HEAD `e58c194` in response to Clawhip pinpoint nudge at `1494653681222811751`. Distinct from #80/#81/#82 (status/error surfaces lie about *static* runtime state): this is a surface that lies about *time itself*, and the lie is smeared into every live-agent system prompt, not just a single error string or status field.
-84. **`claw dump-manifests` default search path is the build machine's absolute filesystem path baked in at compile time — broken and information-leaking for any user running a distributed binary** — dogfooded 2026-04-17 on main HEAD `70a0f0c` from `/tmp/cd4` (fresh workspace). Running `claw dump-manifests` with no arguments emits:
+84. **DONE — `claw dump-manifests` no longer bakes or leaks the build machine's absolute filesystem path** — fixed 2026-06-03 in `fix: make dump-manifests self-contained`. The runtime default now uses the current workspace and emits the Rust resolver inventory directly, so distributed binaries no longer depend on upstream TypeScript source files or compile-time `CARGO_MANIFEST_DIR` paths. Explicit `--manifests-dir` remains as a discovery-root override and invalid roots return typed `missing_manifests` diagnostics. Original filing below: running `claw dump-manifests` with no arguments emitted:
   ```
   error: Manifest source files are missing.
     repo root: /Users/yeongyu/clawd/claw-code
@@ -6303,7 +6302,7 @@ Original filing (2026-04-18): the session emitted `SessionStart hook (completed)
 422. **`export --output-format json` and `--resume latest` report the same "no managed sessions" scenario using two different `kind` codes — `no_managed_sessions` vs `session_load_failed` — making "no session found" undetectable by a single kind-code check** — dogfooded 2026-04-30 KST (UTC+9) by Jobdori on `e939777f`. Running `claw export --output-format json` with no session present returns (on stderr, exit 1): `{"error":"no managed sessions found in .claw/sessions/<fingerprint>/","hint":"Start \`claw\` to create a session, then rerun with \`--resume latest\`.\nNote: claw partitions sessions per workspace fingerprint; sessions from other CWDs are invisible.","kind":"no_managed_sessions","type":"error"}`. Running `claw --resume latest /status --output-format json` with no session present returns (on stderr, exit 1): `{"error":"failed to restore session: no managed sessions found in .claw/sessions/<fingerprint>/","hint":"Start \`claw\` to create a session, then rerun with \`--resume latest\`.\nNote: claw partitions sessions per workspace fingerprint; sessions from other CWDs are invisible.","kind":"session_load_failed","type":"error"}`. Both describe the same root condition — there are no sessions to operate on — but they expose it via different `kind` discriminants. Automation that checks `kind == "no_managed_sessions"` to detect a cold workspace will miss the `--resume` path's `session_load_failed`, and vice versa. A wrapper that guards "run with --resume only if a session exists" must special-case both codes. The hint text is identical between them, suggesting the messages are logically equivalent. Additionally neither code matches the proposed canonical names `session_not_found` / `session_load_failed` as stable `ErrorKind` discriminants described in ROADMAP #77's fix shape, which explicitly proposes typed error-kind codes for session lifecycle failures. **Required fix shape:** (a) unify "no sessions found for this workspace fingerprint" under a single canonical `kind` code — either `no_managed_sessions` or `session_not_found` — used consistently by every command path that encounters an empty session registry; (b) if `session_load_failed` is a more general category (covering e.g. corrupt session files, IO errors, schema version mismatches), it should nest a concrete `reason:"no_managed_sessions"` or `reason:"session_not_found"` sub-field so callers can distinguish "empty registry" from "found but unreadable"; (c) align with the canonical error-kind contract proposed in #77; (d) add regression coverage proving `export` and `--resume latest` in an empty workspace both return an error with the same top-level `kind` code. **Why this matters:** session guard-rails in orchestration need a single stable `kind` to detect cold workspaces without enumerating all possible no-session synonyms. Two divergent codes for the same condition make defensive automation brittle and contradict the promise of machine-readable error envelopes. Source: Jobdori live dogfood, `e939777f`, 2026-04-30 KST (UTC+9).
-407. **`config --output-format json` returns `files[].loaded:false` with no `load_error`, `not_found`, or `skip_reason` field — automation cannot distinguish "file does not exist", "file exists but parse failed", and "file exists but was skipped by policy" from the same `loaded:false` value; also `loaded_files` and `merged_keys` are bare integers with no per-file attribution** — dogfooded 2026-04-30 by Jobdori on `e939777f`. Running `./claw --output-format json config` on a workspace with 5 discovered config files returns `{"kind":"config","cwd":"...","files":[{"loaded":false,"path":"/Users/yeongyu/.claw.json","source":"user"},{"loaded":true,"path":"/Users/yeongyu/.claw/settings.json","source":"user"},{"loaded":true,"path":"/Users/yeongyu/clawd/claw-code/.claw.json","source":"project"},{"loaded":false,"path":"/Users/yeongyu/clawd/claw-code/.claw/settings.json","source":"project"},{"loaded":false,"path":"/Users/yeongyu/clawd/claw-code/.claw/settings.local.json","source":"local"}],"loaded_files":2,"merged_keys":2}`. Three of five files have `loaded:false` with no accompanying `not_found:true`, `parse_error`, `io_error`, or `skip_reason`; automation must stat each path separately to guess why. Also `loaded_files:2` and `merged_keys:2` are bare counts — ambiguous whether `merged_keys:2` means 2 total top-level JSON keys across all files or 2 unique merged settings. **Required fix shape:** (a) add `not_found: bool` and optional `load_error: string` to each `files[]` entry so callers can distinguish missing, parse-broken, and policy-skipped files without filesystem probing; (b) document or rename `merged_keys` as `merged_setting_count` or `total_merged_keys` to remove the int-semantics ambiguity; (c) optionally add `merged_keys_by_file: [{path, keys}]` for attribution; (d) add regression coverage proving `files[]` entries with `loaded:false` carry at minimum `not_found` distinguishing non-existent paths from load failures. Source: Jobdori live dogfood, `e939777f`, 2026-04-30.
+407. **DONE — `config --output-format json` returns structured file load states instead of bare `loaded:false` ambiguity** — fixed 2026-06-03 in `fix: report config file load statuses`. `claw config --output-format json` now emits `files[].status` (`loaded`, `not_found`, `skipped`, `load_error`), `reason`/`skip_reason`, and `detail` where applicable, plus top-level `load_error`, `merged_key_count`, and `merged_keys_meaning`. The config list surface is best-effort so one broken settings file no longer erases the rest of the discovery report, while section-specific config requests still preserve the typed nonzero parse-error envelope. Regression coverage: `inspect_classifies_missing_loaded_and_legacy_skipped_files`, `inspect_reports_parse_errors_but_keeps_valid_merged_config`, `config_json_reports_structured_unloaded_file_reasons_407`, `config_json_list_reports_parse_errors_without_dropping_file_statuses_407`, and existing `config_parse_error_has_typed_error_kind_and_hint_764`.
 408. **`status --output-format json` `workspace.changed_files` is ambiguous — on a workspace with 5 untracked files, `changed_files:5`, `staged_files:0`, `unstaged_files:0`, `untracked_files:5`; it is unclear whether `changed_files` is the sum of all four git-status categories or only a subset; automation cannot tell if `changed_files:5` means "5 tracked modified" or "5 total non-clean files including untracked"** — dogfooded 2026-04-30 by Jobdori on `e939777f`. Running `./claw --output-format json status` returns `{"workspace":{"changed_files":5,"staged_files":0,"unstaged_files":0,"untracked_files":5,...}}` — `changed_files==untracked_files==5` with staged and unstaged both zero. The field name `changed_files` implies "modified tracked files" but the value equals the untracked count, not `staged+unstaged`. Without a comment or documented definition, automation must probe whether `changed_files = staged + unstaged` (excludes untracked) or `changed_files = staged + unstaged + untracked + conflicted` (total dirty). Also `git_state:"dirty · 5 files · 5 untracked"` repeats the same data as a prose string alongside the structured integer fields — redundant human-readable string alongside machine-readable integers. **Required fix shape:** (a) document and stabilize `changed_files` as either `tracked_dirty_count` (staged+unstaged only) or `total_non-clean_count` (staged+unstaged+untracked+conflicted) and rename to remove the ambiguity; (b) ensure a machine consumer can compute `is_clean` as a single boolean field without interpreting `git_state` prose; (c) deprecate or remove `git_state` prose string now that all its constituent counts are available as integers; (d) add regression coverage proving `changed_files` semantics against a workspace with staged, unstaged, untracked, and conflicted files. Source: Jobdori live dogfood, `e939777f`, 2026-04-30.
@@ -6345,34 +6344,34 @@ Original filing (2026-04-18): the session emitted `SessionStart hook (completed)
 422. **Unknown top-level subcommands fall through to chat prompt path instead of returning `unknown_subcommand` error — typos silently send the subcommand string as a chat message to the configured LLM** — dogfooded 2026-05-11 by Jobdori on `b98b9a71` in response to Clawhip pinpoint nudge at `1503215095088676956`. Reproduction: `unset ANTHROPIC_AUTH_TOKEN; export ANTHROPIC_API_KEY=fake-key-for-routing-test; claw completely-bogus-subcommand --output-format json` returns `{"error":"api returned 401 Unauthorized (authentication_error) [trace req_011...]: invalid x-api-key","kind":"api_http_error"}` — proving the unknown token reached the Anthropic API endpoint as a chat prompt. With valid credentials, the bogus subcommand string would be silently consumed as a chat message, billing the user for a typo and producing whatever continuation the LLM generates. **Pre-error path:** `claw <unknown> --output-format json` with no creds returns `kind:"missing_credentials"` (the auth gate fires first), masking the routing bug. Only with creds present does the fallthrough manifest as the actual prompt being sent. **Sibling exit-code bug:** when the chat-path 401 returns, the JSON envelope is `kind:"api_http_error"` but exit code is **0**, while `cli_parse` errors (e.g. `--no-such-flag`) and `missing_credentials` errors correctly exit **1**. Exit-code parity between error envelopes is broken — automation that gates on `$?` will treat the 401-as-chat as success. **Required fix shape:** (a) reserve unknown top-level tokens that match no registered subcommand and emit `kind:"unknown_subcommand"` with `unknown:<token>` field and exit code 1, BEFORE the chat fallback path; (b) when a token is intended as a chat prompt, require an explicit verb (`prompt`, `chat`, `ask`) or `--prompt` flag; (c) ensure exit codes are non-zero for all `kind:*_error` envelopes; (d) regression test: `claw <bogus> --output-format json` with valid auth returns `kind:"unknown_subcommand"` exit 1, never reaches the API. **Why this matters:** automation that calls `claw <subcommand>` with a programmatically constructed verb (typo, version drift, refactored command) silently bills tokens and produces hallucinated output instead of a typed error. Cross-cluster with #108 (CLI fallthrough discovered earlier) — #422 is the post-#108 audit confirming the routing bug still bites with valid credentials. Source: Jobdori live dogfood, `b98b9a71`, 2026-05-11.
-423. **`claw prompt` does not read prompt text from stdin when no positional prompt arg is provided — `echo "what is 2+2" | claw prompt --output-format json` returns `kind:"unknown" error:"prompt subcommand requires a prompt string"` instead of consuming stdin** — dogfooded 2026-05-11 by Jobdori on `3c563fa1` in response to Clawhip pinpoint nudge at `1503222644739276951`. Reproduction: `echo "what is 2+2" | claw prompt --output-format json` → `{"error":"prompt subcommand requires a prompt string","hint":null,"kind":"unknown","type":"error"}` exit 1. Same for `claw prompt --output-format json` with stdin redirected from a file. The most common Unix automation pattern (`cmd | claw prompt`) is broken because the prompt subcommand only reads the positional argument, never falls through to stdin. **Sibling envelope-kind bug:** the error `kind` is `"unknown"` instead of a typed `"missing_argument"` or `"validation_error"`. The `unknown` discriminator is the catch-all bucket — automation that switches on `kind` to differentiate input-validation errors from runtime errors gets no signal here. **Required fix shape:** (a) when `prompt` subcommand has no positional prompt arg AND stdin is not a TTY (i.e., piped or redirected), read stdin to EOF and use that as the prompt; (b) emit `kind:"missing_argument"` (not `"unknown"`) when both positional arg and stdin are absent; (c) add `--prompt-stdin` or `--stdin` opt-in flag for explicit control; (d) regression tests: `echo X | claw prompt --output-format json` reaches the runtime with prompt=X, AND `claw prompt < /dev/null` returns `kind:"missing_argument"` exit 1. **Why this matters:** Unix pipelines are the foundation of CLI automation. Every other major CLI (curl, jq, gh, kubectl) accepts stdin as the primary input when no positional arg is given. Breaking this convention forces automation to either inline the prompt as a shell-quoted string (escaping nightmare for multiline/code) or write to a temp file first. The `kind:"unknown"` error category compounds the problem by making the failure indistinguishable from a runtime crash. Source: Jobdori live dogfood, `3c563fa1`, 2026-05-11.
+423. **DONE — `claw prompt` reads prompt text from stdin when no positional prompt arg is provided** — fixed 2026-06-03 in `fix: read prompt subcommand input from stdin`. `parse_args()` now treats non-empty piped stdin as the prompt body for `claw prompt` when the positional prompt is empty, and supports `--stdin` / `--prompt-stdin` to append piped context to an explicit positional prompt. The existing `missing_prompt` JSON/stdout contract is preserved for closed or whitespace-only stdin. User docs now show `printf '...' | ./target/debug/claw prompt --output-format json`, and regression coverage verifies both a pure stdin prompt and explicit stdin context reach the mock Anthropic provider request and return structured JSON output.
-424. **`--model` rejects bare canonical Anthropic model names (`claude-opus-4-7`, `claude-opus-4-6`, `claude-sonnet-4-6`) as `invalid_model_syntax` — only short aliases (`opus`, `sonnet`, `haiku`) and full prefixed form (`anthropic/claude-opus-4-7`) work; sibling: error message stale-suggests `claude-opus-4-6` not `4-7`** — dogfooded 2026-05-11 by Jobdori on `6c0c305a` in response to Clawhip pinpoint nudge at `1503230194889134103`. Reproduction: `claw --model claude-opus-4-7 status --output-format json` → `{"error":"invalid model syntax: 'claude-opus-4-7'. Expected provider/model (e.g., anthropic/claude-opus-4-6) or known alias (opus, sonnet, haiku)","kind":"invalid_model_syntax"}`. Same for `claude-opus-4-6`, `claude-sonnet-4-6`. Forcing `--model anthropic/claude-opus-4-7` works (`model:"anthropic/claude-opus-4-7"`, `model_source:"flag"`). Three problems compounded: (a) Anthropic-canonical model names without provider prefix are rejected even though the `claude-` prefix unambiguously identifies the provider; (b) the error suggests `anthropic/claude-opus-4-6` as the example — `4-7` shipped 2026-04-16 and is the current production Anthropic frontier model, the suggestion is one model behind; (c) the alias list `opus, sonnet, haiku` doesn't disambiguate version (which `opus` does the alias resolve to — `opus-4-6` or `opus-4-7`?). **Required fix shape:** (a) accept bare `claude-*` and `gpt-*` model names as canonical-named-without-prefix and route via name-prefix detection (already implemented for prefix-routed mode); (b) update the example in `invalid_model_syntax` error to current frontier (`anthropic/claude-opus-4-7`); (c) document or expose `opus` → exact-version mapping in the error message and in `claw doctor`/`status` output (`model_alias_resolved_to: "claude-opus-4-7"`); (d) regression test: `claw --model claude-opus-4-7 status --output-format json` returns `model_source:"flag"`, not `kind:"invalid_model_syntax"`. **Sibling bug observed in same probe:** `enabledPlugins` deprecation warning repeats 3 times in stderr for the same `~/.claw/settings.json` load — config file is being loaded/parsed 3 times during a single `status` invocation. **Why this matters:** every Anthropic doc, every CCAPI route, every internal tooling references models by their bare canonical name (`claude-opus-4-7`). Forcing the `anthropic/` prefix breaks copy-paste from Anthropic's own examples and adds a redundant token to every invocation. The stale `4-6` suggestion in the error message actively misdirects users away from the current model. Source: Jobdori live dogfood, `6c0c305a`, 2026-05-11.
+424. **DONE — `--model` accepts bare canonical provider model names and Anthropic routing prefixes are stripped before provider calls** — fixed 2026-06-03 in `fix: normalize Anthropic model routing`. `validate_model_syntax()` now accepts unambiguous bare `claude-*` and `gpt-*` model IDs while preserving raw model provenance, and Anthropic `/v1/messages` plus `/v1/messages/count_tokens` request bodies strip the CLI-only `anthropic/` routing prefix so default/alias models do not reach Anthropic as `anthropic/claude-*`. Existing `qwen-*`/`grok-*` prefix-hint behavior remains intentionally unchanged for provider families whose bare names are ambiguous with DashScope/xAI routing. Regression coverage: `standard_messages_body_strips_anthropic_routing_prefix`, `send_message_strips_anthropic_routing_prefix_on_wire`, `default_model_alias_uses_anthropic_routing_prefix`, and the bare `--model=claude-opus-4-6 status` / `--model gpt-4 prompt` parser assertions in `parses_single_word_command_aliases_without_falling_back_to_prompt_mode`.
-425. **Config file precedence (`.claw/settings.json` always wins over `.claw.json`) is undocumented in user-facing surfaces — `config --output-format json` reports both files as `loaded:true` with no `precedence_rank` or `wins_for_keys` attribution; sibling: deprecation warning fires 4× per status invocation (was 3× in #424, regression upward)** — dogfooded 2026-05-11 by Jobdori on `d7dbe951` in response to Clawhip pinpoint nudge at `1503237744451649537`. Reproduction: create `.claw.json` with `{"model":"anthropic/claude-sonnet-4-6"}` and `.claw/settings.json` with `{"model":"anthropic/claude-opus-4-7"}` in the same workspace. `claw status --output-format json` returns `model:"anthropic/claude-opus-4-7", model_source:"config"`. Reverse the files (.claw.json=opus, settings.json=sonnet) → `model:"anthropic/claude-sonnet-4-6"`. Confirmed: `.claw/settings.json` **always** wins over `.claw.json` for conflicting keys, regardless of file mtime or alphabetical order. `claw config --output-format json` reports both as `loaded:true` with no `precedence_rank`, `effective_for_keys`, or `shadowed_keys` attribution. The only signal of precedence is the final merged value in `status` — automation cannot programmatically discover which file contributed which key without re-implementing the merge logic. **Sibling bug (regression from #424):** the `enabledPlugins` deprecation warning now fires **4 times** in stderr per single `status` invocation (was 3× in #424's probe at HEAD `6c0c305a`; current HEAD `d7dbe951` shows 4×). Config load count went up by 1. **Sibling bug observed in config-section probe:** `claw config model --output-format json` with a `.claw.json` that contains a benign unknown key (e.g., `"alpha":"x"`) returns `{"error":"/path/.claw.json: unknown key \"alpha\" (line 1)","kind":"unknown"}` — the entire config command fails with a generic `unknown` kind instead of (a) tolerating unrecognized keys with a warning, or (b) emitting a typed `kind:"unknown_key"` error scoped to the offending file/key. **Required fix shape:** (a) document precedence order in `USAGE.md` (`.claw/settings.local.json > .claw/settings.json > .claw.json` for project scope; `user`/`system` scope at each layer); (b) add `precedence_rank:int` and optional `wins_for_keys:[string]` / `shadowed_keys:[string]` to each entry in `config --output-format json` `files[]`; (c) dedupe the deprecation warning to fire **once per discovered file** instead of N× per load pass; (d) make `config <section> --output-format json` tolerate unknown keys with warnings, OR emit `kind:"unknown_key"` with `path:` and `key:` fields scoped to the offending file. **Why this matters:** users mixing legacy `.claw.json` with new `.claw/settings.json` have no way to verify which file is actually controlling their runtime. The undocumented precedence + missing per-key attribution forces trial-and-error to debug config drift. Cross-references #407 (config files no load_error) and #415 (config section returns merged_keys count not values). Source: Jobdori live dogfood, `d7dbe951`, 2026-05-11.
+425. **DONE — config JSON exposes file precedence attribution and unknown config keys are warnings** — fixed 2026-06-03 in `fix: attribute config precedence in JSON`. Runtime config inspection now reports every discovered file with `precedence_rank`, `wins_for_keys`, and `shadowed_keys`, so `.claw/settings.json` overriding legacy `.claw.json` is visible without reimplementing merge order. Unknown keys are tolerated as structured validation warnings, including `claw config <section> --output-format json`, while wrong-type errors still fail. The deprecation-warning path remains deduplicated once per process for text-mode `status`, and JSON config surfaces collect warnings structurally without stderr duplication. Docs in `USAGE.md` now spell out the precedence chain and JSON attribution fields. Regression coverage: `config_json_attributes_precedence_and_shadowed_keys_425`, `config_section_json_tolerates_unknown_keys_as_warnings_425`, `status_deduplicates_config_deprecation_warnings_per_invocation_425`, and the runtime validator unknown-key warning tests.
-426. **`ANTHROPIC_MODEL` env var bypasses the `invalid_model_syntax` validator that `--model` enforces — bogus model strings are accepted with `status:"ok"`, deferred-failing only when the first API call is made** — dogfooded 2026-05-11 by Jobdori on `3730b459` in response to Clawhip pinpoint nudge at `1503245298800136296`. Reproduction (asymmetric validation): `claw --model bogus-model-xyz status --output-format json` returns `kind:"invalid_model_syntax"` exit 1; `ANTHROPIC_MODEL=bogus-model-xyz claw status --output-format json` returns `model:"bogus-model-xyz", model_raw:"bogus-model-xyz", model_source:"env", status:"ok"` — the doctor surface lies that the configured model is valid when it is not. The bogus model only manifests as a failure when the first prompt fires and the API rejects it with 404/400. Three sibling discoveries in the same probe: (a) **alias indirection invisible**: `ANTHROPIC_MODEL=opus claw status --output-format json` returns `model:"claude-opus-4-6", model_raw:"opus", model_source:"env"` — the `opus` alias resolves to `claude-opus-4-6` (the *previous* frontier, not the current `claude-opus-4-7` released 2026-04-16). Users typing `opus` get yesterday's model with no warning. (b) **`CLAW_MODEL` env var silently ignored**: `CLAW_MODEL=opus claw status` shows `model:"claude-opus-4-6" model_source:"default"` — the `CLAW_MODEL` env var (the project-namespaced equivalent that users expect) does not exist; only `ANTHROPIC_MODEL` is honored. No warning when a `CLAW_*` env var that looks like it should work is set. (c) **`ANTHROPIC_DEFAULT_MODEL` also silently ignored**: the longer-named env var that some Anthropic SDKs use is not recognized. **Required fix shape:** (a) symmetric validation: `ANTHROPIC_MODEL` env value must pass the same `invalid_model_syntax` check that `--model` does, and `claw status` must return `kind:"invalid_model"` / `status:"warn"` (not `status:"ok"`) when the resolved model is unrecognized; (b) expose alias resolution in `status`: add `model_alias_resolved_to:string|null` field so automation can see `opus → claude-opus-4-6`; (c) bump the `opus` alias to `claude-opus-4-7` (current frontier) or document the alias-to-version mapping policy explicitly; (d) accept `CLAW_MODEL` and `ANTHROPIC_DEFAULT_MODEL` env vars with parity to `ANTHROPIC_MODEL`, OR emit a warning when those env vars are set but unrecognized. **Why this matters:** the most common automation pattern is `export ANTHROPIC_MODEL=...` in a shell rc file. Bogus values pass silently, alias indirection hides the actual model in use, and `CLAW_MODEL` looking like a working name but doing nothing is a footgun. Cross-references #424 (bare canonical names rejected at validator level) — together #424 + #426 make model selection inconsistent across CLI flag, env var, and alias paths. Source: Jobdori live dogfood, `3730b459`, 2026-05-11.
+426. **DONE — environment model selection is validated and status exposes alias/env provenance** — fixed 2026-06-03 in `fix: validate env model selection`. `CLAW_MODEL`, `ANTHROPIC_MODEL`, and `ANTHROPIC_DEFAULT_MODEL` now share the same env-model path before config/default fallback; prompt/REPL startup validates the resolved model before provider construction; and `status --output-format json` reports invalid env/config models as `status:"warn"` with `model_validation_error_kind:"invalid_model"` while preserving workspace/config/sandbox context. Status JSON now includes `model_alias_resolved_to` and `model_env_var`, making alias expansion and the winning env var auditable. The built-in/default `opus` alias now targets `anthropic/claude-opus-4-7` / `claude-opus-4-7`, with docs updated in `USAGE.md` and `rust/README.md`; the API alias table keeps token-limit metadata for both `claude-opus-4-7` and legacy `claude-opus-4-6`. Regression coverage: `status_json_accepts_namespaced_model_env_and_surfaces_alias_426`, `status_json_warns_on_invalid_model_env_426`, model alias/unit tests, and provider alias tests.
-427. **Subcommand `--help` paths (`resume`, `session`, `compact`) hit the auth gate and trigger config validation before returning static help — `claw resume --help` with no credentials returns `missing_credentials` error instead of help text** — dogfooded 2026-05-11 by Jobdori on `1fecdf09` in response to Clawhip pinpoint nudge at `1503252843669491892`. Reproduction (no env vars, isolated `CLAW_CONFIG_HOME`): `claw resume --help` returns `{"error":"missing Anthropic credentials; export ANTHROPIC_AUTH_TOKEN or ANTHROPIC_API_KEY..."}` instead of usage text. Same for `claw session --help`, `claw compact --help`. By contrast, `claw prompt --help` and `claw --help` (top-level) return proper usage text without auth. Even worse: with a broken `.claw.json` discovered up the parent directory tree (e.g., `mcpServers.missing-command: missing string field command`), the subcommand `--help` paths fail with `[error-kind: unknown]` from config validation — config load is happening before `--help` is parsed. **Sibling exit-code bug:** `claw resume --help --output-format json` returns `kind:"missing_credentials"` but exits **0** (the exit-code parity bug from #422 reproduces on this path too — only `cli_parse` exits 1 consistently). **Sibling: `claw resume <bogus-id>` should be local-only** but also hits `missing_credentials` — `resume` of a session that doesn't exist on disk should return `kind:"session_not_found"` from a local lookup, not require API credentials. Same class as ROADMAP #357 (session list requires creds) and #369 (session help/fork require credentials) — now confirmed for `resume`. **Required fix shape:** (a) `--help` MUST short-circuit before any auth check, config load, or session resolution — emit static usage text from a compiled-in string table, no I/O; (b) `resume <id>` must check the local session store first; if the id is absent on disk, emit `kind:"session_not_found"` with `sessions_dir` field; only require auth when resuming a known-on-disk session that requires re-establishing API context; (c) ensure exit code 1 for all error envelopes including `missing_credentials` returned from a `--help` path that should never have reached the auth gate; (d) regression test: with empty `CLAW_CONFIG_HOME` and no env vars, every `claw <subcommand> --help` returns usage text on stdout, exit 0, no `kind:*_error` envelope. **Why this matters:** `--help` is the universal CLI discovery primitive. Failing `--help` because of missing API credentials or broken config files makes claw undiscoverable to users debugging an already-broken setup. Cross-references #357 (session list), #369 (session help/fork), #422 (exit code parity), #108 (subcommand fallthrough). Source: Jobdori live dogfood, `1fecdf09`, 2026-05-11.
+427. **DONE — resume/session/compact help short-circuits locally and missing resume sessions report the session store** — fixed 2026-06-03 in `fix: keep session help local`. `claw resume --help`, `claw --resume --help`, `claw session --help`, and `claw compact --help` now route through static `LocalHelpTopic` output before config loading, session resolution, credential checks, provider startup, or slash-command interactive-only fallthrough. The direct `claw resume <session>` alias now shares the existing `--resume` restore parser, so `claw resume <missing> --output-format json` returns a local `session_not_found` restore envelope with `sessions_dir` and exit code 1 instead of reaching provider credentials. Regression coverage: `resume_session_compact_help_short_circuits_before_config_or_auth_427`, `resume_missing_session_json_reports_local_store_before_auth_427`, local help parser tests, and resume parser tests.
-428. **Default `permission_mode` is `danger-full-access` — claw runs with FULL filesystem + network + tool access out of the box, with no opt-in flag and no warning from `doctor`** — dogfooded 2026-05-11 by Jobdori on `72048449` in response to Clawhip pinpoint nudge at `1503260393622212628`. Reproduction (no env vars, isolated `CLAW_CONFIG_HOME`, no config files, no CLI flags): `claw status --output-format json` returns `permission_mode:"danger-full-access"` as the default. The three supported modes per the validator error message are `read-only`, `workspace-write`, `danger-full-access` — and `danger-full-access` is chosen with zero user opt-in. `claw doctor --output-format json` produces a `sandbox` check with `status:"warn", summary:"sandbox was requested but is not currently active"` (because macOS lacks Linux `unshare`), but **emits no warning, info, or summary about the permission_mode itself being danger-full-access**. There is no `permissions` check in `doctor` output at all. **Required fix shape:** (a) change default `permission_mode` to `workspace-write` (safe-by-default: filesystem write limited to cwd, network limited to LLM endpoints, no arbitrary command exec); (b) require explicit `--permission-mode danger-full-access` or `--dangerously-skip-permissions` to opt into full access; (c) add a `permissions` check to `doctor --output-format json` that emits `status:"warn"` when `permission_mode == "danger-full-access"` without explicit source (flag/env/config), with details like `mode:"danger-full-access", source:"default", message:"running with full access without explicit opt-in"`; (d) document the three modes and the default in USAGE.md with one-paragraph descriptions of what each mode allows. **Sibling typed-error bug:** `claw --permission-mode bogus-mode status --output-format json` returns `kind:"unknown"` instead of `kind:"invalid_permission_mode"` — same catch-all problem as #424, #426. **Sibling flag-name asymmetry:** `--dangerously-skip-permissions` works but `--skip-permissions` (Claude Code's flag) returns `kind:"cli_parse"` `unknown option`. Users migrating from Claude Code lose the short flag name. **Why this matters:** every other security-conscious CLI (Docker, kubectl, terraform) requires explicit opt-in for dangerous modes. Defaulting to `danger-full-access` is a footgun for first-time users who pipe `curl install.sh | sh` and immediately get a tool with full filesystem write and arbitrary command exec. The doctor surface is the only diagnostic users consult before trusting the tool, and it stays silent about the most permissive setting. Cross-references #50, #87, #91, #94, #97, #101, #106, #115, #123 (permission-audit sweep) — those all cover permission *rule* and *list* surfaces; #428 covers the *mode default* itself. Source: Jobdori live dogfood, `72048449`, 2026-05-11.
+428. **DONE — default permission mode is workspace-write with auditable permission provenance** — fixed 2026-06-03 in `fix: default to workspace-write permissions`. Fresh invocations now resolve the fallback permission mode to `workspace-write` instead of `danger-full-access`; `danger-full-access` requires an explicit `--permission-mode danger-full-access`, `--dangerously-skip-permissions`, `--skip-permissions`, env, or config opt-in. `status --output-format json` includes `permission_mode_source` and `permission_mode_env_var`, and `doctor --output-format json` includes a `permissions` check with `mode`, `source`, `source_explicit`, `message`, and tool allow/gate lists. Invalid CLI permission modes now emit typed `invalid_permission_mode` JSON errors, and docs describe the three modes plus the safe default. Regression coverage: `default_permission_mode_is_workspace_write_and_audited_428`, `explicit_danger_permission_mode_is_audited_and_alias_supported_428`, `invalid_permission_mode_json_is_typed_428`, parser default tests, classifier coverage, and `given_workspace_write_enforcer_when_web_tools_then_denied`.
-429. **No global `--cwd`/`-C`/`--directory` flag — `claw` cannot be invoked against an arbitrary working directory without first `cd`-ing into it; `--cwd` only exists as a subcommand option for `system-prompt`, and the `cli_parse` "Did you mean --acp?" suggestion is misleading (the `--acp` flag is unrelated to directory selection)** — dogfooded 2026-05-11 by Jobdori on `ec882f4c` in response to Clawhip pinpoint nudge at `1503267943285264394`. Reproduction: `claw --cwd /tmp/claw-dog-cwd status --output-format json` → `{"error":"unknown option: --cwd","hint":"Did you mean --acp?\nRun `claw --help` for usage.","kind":"cli_parse"}`. Same error for `--cwd <relative>`, `--cwd <nonexistent>`, `--cwd <file-not-dir>`, `--cwd ""`. Inspecting `claw --help`: `--cwd PATH` appears ONLY in the usage line `claw system-prompt [--cwd PATH] [--date YYYY-MM-DD]` — it is not a global flag and is not accepted by `status`, `doctor`, `mcp list`, `init`, or any other subcommand. Users programmatically running claw against multiple workspaces must `cd` into each one before invoking, breaking the `subprocess.run(['claw', 'status', '--cwd', ws], cwd=other_dir)` pattern that every other major CLI (cargo `-C`, git `-C`, npm `--prefix`, gh `--repo` semantically, kubectl `--kubeconfig`+`--context`) supports. **Sibling misleading-suggestion bug:** the `cli_parse` error's `hint` field suggests `Did you mean --acp?` for `--cwd`. `--acp` is the alias for ACP/Zed editor integration (entirely unrelated to working directory). The Levenshtein-distance auto-complete is matching on first-character similarity without considering semantic relatedness. Users following the hint get a totally orthogonal feature. **Required fix shape:** (a) add a global `--cwd PATH` / `-C PATH` flag accepted before any subcommand, parsed in the global flag pre-pass; (b) validate the path exists and is a directory; emit `kind:"invalid_cwd"` with `path:` and `reason:` (`"not_found"`/`"not_a_directory"`/`"empty"`) when validation fails; (c) document the precedence: `--cwd` flag > `$PWD` > `env::current_dir()`; (d) fix the "Did you mean" hint algorithm to filter suggestions by semantic category (don't suggest `--acp` for `--cwd`; suggest `claw system-prompt --cwd PATH` if the user clearly wants `cwd` override but used the wrong scope); (e) regression test: `claw --cwd /tmp status --output-format json` from any `$PWD` returns `workspace.cwd:"/private/tmp"` (or `cwd:"/tmp"` after #421 fix). **Why this matters:** every claw automation orchestrator runs claw against multiple workspaces from a single parent process. Forcing `cd` before each invocation breaks parallelism (can't use shared cwd across concurrent invocations), breaks subprocess wrappers that want to pass cwd explicitly, and breaks `xargs`/`parallel`-style pipelines. Cross-references #421 (cwd canonicalization leak — fix should canonicalize but report user-input via `--cwd`). Source: Jobdori live dogfood, `ec882f4c`, 2026-05-11.
+429. **DONE — global workspace directory override is accepted and validated before dispatch** — fixed 2026-06-03 in `fix: add global cwd override`. `claw --cwd PATH ...`, `claw -C PATH ...`, and `claw --directory PATH ...` now run as if launched from the selected workspace before config, status, doctor, MCP, skills, and other command dispatch. The override takes precedence over process `$PWD`; invalid values emit typed `invalid_cwd` JSON errors with `path` and `reason` (`not_found`, `not_a_directory`, or `empty`) instead of the old misleading `Did you mean --acp?` CLI parse path. Help/usage docs list the global flags and the precedence/validation contract. Regression coverage: `global_cwd_flag_routes_status_workspace_and_short_alias_429`, `global_cwd_flag_reports_typed_invalid_paths_429`, and classifier coverage for `invalid_cwd`.
-430. **`dump-manifests` is documented as "emit every skill/agent/tool manifest the resolver would load for the current cwd" but actually requires the upstream Claude Code TypeScript source files (`src/commands.ts`, `src/tools.ts`, `src/entrypoints/cli.tsx`) — the command is unusable for any user who installed claw without cloning the original Claude Code repo** — dogfooded 2026-05-11 by Jobdori on `075c2144` in response to Clawhip pinpoint nudge at `1503275502046023690`. Reproduction: `claw dump-manifests --output-format json` returns `{"error":"Manifest source files are missing.","hint":"repo root: /private/tmp/claw-dog-0530\n  missing: src/commands.ts, src/tools.ts, src/entrypoints/cli.tsx\n  Hint: set CLAUDE_CODE_UPSTREAM=/path/to/upstream or pass \`claw dump-manifests --manifests-dir /path/to/upstream\`.","kind":"missing_manifests"}`. The fresh-main worktree at `/private/tmp/claw-dog-0530` does not contain these TypeScript files because the Rust port doesn't include the upstream TS source. The `--help` text says the command works against "the current cwd" but in practice it requires `CLAUDE_CODE_UPSTREAM=` pointing at an unshipped TS source tree. **Three sibling problems compounded:** (a) **derivative-work disclosure leak**: the error message exposes that `claw-code` is a port of Claude Code (`CLAUDE_CODE_UPSTREAM` env var name) — even if true, surfacing this in a casual diagnostic message couples user-facing behavior to upstream provenance details. (b) **kind drift**: `claw dump-manifests --manifests-dir /tmp/nonexistent --output-format json` returns `kind:"unknown"`, while `claw dump-manifests` (no override) returns `kind:"missing_manifests"`. Same root cause (no usable upstream), two different `kind` discriminators — automation cannot switch on a single error type. (c) **export-positional-arg silently dropped**: probed in the same run — `claw export <bogus-positional>` ignores the path and returns `kind:"no_managed_sessions"` regardless of what positional arg was passed. The `--help` advertises `[PATH]` as the output-file destination but the path is discarded before validation, indistinguishable from invocation with no args. **Required fix shape:** (a) make `dump-manifests` emit the manifests claw-code itself ships with (Rust-resolver-discovered skills/agents/tools), independent of any upstream TS source — that matches the `--help` description; (b) if upstream-comparison is genuinely needed for parity work, move it to a separate command like `parity dump-upstream-manifests` and remove the upstream dependency from `dump-manifests`; (c) standardize on one error `kind` for the manifest-missing failure mode (`missing_manifests` is more descriptive than `unknown`); (d) `claw export <PATH>` must validate the path positional arg before the session-discovery check, so users see `kind:"invalid_output_path"` (or similar) when the path is malformed instead of always seeing `kind:"no_managed_sessions"`. **Why this matters:** `dump-manifests` is the inventory surface a downstream automation lane would call to learn what claw can do in the current workspace. If it's broken without upstream TS source, downstream lanes can't introspect — they have to fall back to `agents list`/`skills list`/`mcp list` separately and re-aggregate. Cross-references #422 (kind:unknown for unknown_subcommand), #423 (kind:unknown for missing_argument), #428 (kind:unknown for invalid_permission_mode) — `kind:"unknown"` keeps appearing as the catch-all for surfaces that should have typed kinds. Source: Jobdori live dogfood, `075c2144`, 2026-05-11.
+430. **DONE — `dump-manifests` emits the self-contained Rust resolver inventory instead of requiring upstream Claude Code TypeScript source files** — fixed 2026-06-03 in `fix: make dump-manifests self-contained`. `claw dump-manifests --output-format json` now succeeds from an installed workspace with `source:"rust-resolver"`, command/tool/agent/skill/bootstrap manifests, no `CLAUDE_CODE_UPSTREAM` hint, and no `src/commands.ts` dependency. Explicit `--manifests-dir` scopes resolver discovery to another directory and missing/not-directory roots emit typed `missing_manifests` JSON. Sibling export diagnostics now validate explicit positional/`--output` paths before session discovery and return typed `invalid_output_path` JSON with `path` and `reason`. Regression coverage: `dump_manifests_defaults_to_rust_resolver_inventory`, `dump_manifests_scopes_explicit_manifest_dir_without_upstream_ts`, `dump_manifests_missing_explicit_dir_has_typed_kind`, `dump_manifests_and_init_emit_json_when_requested`, `local_json_surfaces_have_non_empty_action_contract_714`, and `export_invalid_output_path_reports_typed_json_430`.
-431. **`skills uninstall <name>` requires Anthropic credentials despite being a local filesystem operation — `claw skills uninstall nonexistent-skill-xyz --output-format json` returns `kind:"missing_credentials"` instead of resolving locally that the skill doesn't exist** — dogfooded 2026-05-11 by Jobdori on `328fd114` in response to Clawhip pinpoint nudge at `1503275502046023690` (sibling probe to #430). Reproduction (no creds, isolated `CLAW_CONFIG_HOME`): `claw skills uninstall nonexistent-skill-xyz --output-format json` returns `{"error":"missing Anthropic credentials; export ANTHROPIC_AUTH_TOKEN or ANTHROPIC_API_KEY...","kind":"missing_credentials"}`. Uninstalling a skill is a pure local filesystem operation: read the skills directory, find the named skill, remove its files. There is no semantic reason to require API credentials. Same class of bug as #357 (`session list` requires creds), #369 (`session help/fork` require creds), and #427 (`resume <bogus-id>` requires creds). **Three sibling findings in same probe:** (a) `claw skills install <bogus-name>` returns `{"error":"No such file or directory (os error 2)","kind":"unknown"}` — leaks raw OS error string with no hint about expected install source format (path vs name vs URL?), and the catch-all `kind:"unknown"` again instead of typed `kind:"skill_install_source_not_found"`. (b) `claw skills install` (no args) returns `action:"help"` with `unexpected:"install"` — but `install` IS a documented subcommand. The handler treats it as "unknown action" instead of "missing required argument". Should emit `kind:"missing_argument"` with `argument:"install_source"`. (c) `claw agents create my-agent` returns `action:"help"` with `unexpected:"create my-agent"` — there is no agent-creation surface at all. Users must hand-craft `.claw/agents/<name>.md` files with no scaffolding command, while `claw init` only creates the top-level `.claw/` skeleton. **Required fix shape:** (a) `skills uninstall <name>` must be local-first: enumerate the local skills dir, return `kind:"skill_not_found"` (with `skills_dir:` and `available_names:[]` fields) for missing, or remove the files and return `kind:"skills"` with `action:"uninstall", removed:<name>` for present skills; (b) `skills install <source>` must distinguish source forms (`path:`, `name:`, `url:`) and emit `kind:"invalid_install_source"` with the parsed-and-failed reason; (c) `skills install` (no args) emits `kind:"missing_argument"` with `argument:"install_source"`; (d) add `claw agents create <name>` (or `claw init agent <name>`) that scaffolds `.claw/agents/<name>.md` with a stub frontmatter; or document explicitly that agents are user-authored only. **Why this matters:** lifecycle commands (`uninstall`, `install`, `create`) are the primary surface for managing claw's extension surface area. If `uninstall` requires API creds, an offline user who fat-fingered an install can't undo it. If `install` returns a raw OS error, automation can't programmatically recover. If `agents create` doesn't exist, agent authoring is undocumented file-touching only. Cross-references #357, #369, #427 (auth-gate-on-local-ops cluster), and #422/#423/#428/#430 (`kind:"unknown"` catch-all cluster). Source: Jobdori live dogfood, `328fd114`, 2026-05-11.
+431. **DONE — `skills uninstall <name>` resolves locally instead of requiring Anthropic credentials** — fixed 2026-06-03 in `fix: keep skills lifecycle local`. `claw skills uninstall nonexistent-skill-xyz --output-format json` now stays on the local skills lifecycle surface and emits `kind:"skills"`, `action:"uninstall"`, `error_kind:"skill_not_found"`, `skills_dir`, `available_names`, and a hint without provider credentials. `claw skills install` no-arg emits typed `missing_argument` with `argument:"install_source"`; `claw skills install <bogus-name>` emits typed `invalid_install_source` with `source`, `source_kind`, `reason`, and a recovery hint. Installed skill roundtrips remove the installed files through the shared local lifecycle helper. `claw agents create <name>` now scaffolds `.claw/agents/<name>.toml` and lists through the existing TOML agent discovery surface. Regression coverage: `skills_lifecycle_errors_have_typed_local_json_795_431`, `skills_install_uninstall_roundtrip_stays_local_431`, `agents_create_scaffolds_toml_and_lists_locally_431`, local command routing tests, parser discriminant tests, and command help/docs assertions.
-432. **`--allowedTools` validator inconsistency: tool name list is half snake_case (`bash`, `read_file`, `write_file`, `edit_file`, `glob_search`, `grep_search`) and half PascalCase (`WebFetch`, `WebSearch`, `TodoWrite`, `Skill`, `Agent`, `Sleep`) with three UPPERCASE entries (`REPL`, `LSP`, `MCP`); accepts undocumented CamelCase aliases (`Read`, `Write`, `Edit`) and silently translates them to snake_case; argument parsing consumes the next positional when value is missing** — dogfooded 2026-05-11 by Jobdori on `fad53e2d` in response to Clawhip pinpoint nudge at `1503283046856655029`. Reproduction: `claw --allowedTools status --output-format json` → `{"error":"unsupported tool in --allowedTools: status (expected one of: bash, read_file, write_file, edit_file, glob_search, grep_search, WebFetch, WebSearch, TodoWrite, Skill, Agent, ToolSearch, NotebookEdit, Sleep, SendUserMessage, Config, EnterPlanMode, ExitPlanMode, StructuredOutput, REPL, PowerShell, AskUserQuestion, TaskCreate, RunTaskPacket, TaskGet, TaskList, TaskStop, TaskUpdate, TaskOutput, WorkerCreate, WorkerGet, WorkerObserve, WorkerResolveTrust, WorkerAwaitReady, WorkerSendPrompt, WorkerRestart, WorkerTerminate, WorkerObserveCompletion, TeamCreate, TeamDelete, CronCreate, CronDelete, CronList, LSP, ListMcpResources, ReadMcpResource, McpAuth, RemoteTrigger, MCP, TestingPermission)","kind":"unknown"}`. The `status` subcommand was consumed as the `--allowedTools` value because the flag parser doesn't distinguish missing-value from end-of-flag-args. The error reveals **the supported tool list mixes naming conventions inconsistently within a single error message**: snake_case (`bash`, `read_file`, `write_file`, `edit_file`, `glob_search`, `grep_search`), PascalCase (`WebFetch`, `WebSearch`, `TodoWrite`, `Skill`, `Agent`, `Sleep`, `Config`, `PowerShell`, `AskUserQuestion`, `TaskCreate`, `WorkerCreate`, `TeamCreate`, `CronCreate`), UPPERCASE (`REPL`, `LSP`, `MCP`), and CamelCase compounds (`McpAuth`, `RemoteTrigger`). **Hidden alias mapping**: `claw --allowedTools Read,Write,Edit status --output-format json` is accepted and returns `allowed_tools.entries:["edit_file","read_file","write_file"]` — proving the validator has an undocumented CamelCase→snake_case alias map (`Read`→`read_file`, `Write`→`write_file`, `Edit`→`edit_file`) that is not surfaced in the error message. Users who copy-paste tool names from Claude Code documentation work, users who copy from the validator error don't. **Sibling missing-value bug:** `claw --allowedTools status` with `status` as a positional subcommand is interpreted as `--allowedTools=status`, swallowing the subcommand. The flag parser must require a value for `--allowedTools` and emit `kind:"missing_argument"` when followed by a recognized subcommand or `--`-prefixed flag instead of silently treating the next arg as a tool name. **Sibling typed-kind bug:** both errors use `kind:"unknown"` instead of typed `kind:"invalid_tool_name"` / `kind:"missing_argument"` — the catch-all keeps appearing (#422/#423/#424/#428/#430/#431/#432). **Required fix shape:** (a) standardize the canonical tool-name registry on one casing convention (snake_case is most CLI-ergonomic) and update both the registry and all CamelCase aliases; (b) document and expose the alias map (`tool_aliases:{Read:"read_file",...}`) in `claw doctor`/`status` and in the validator error; (c) flag parser must require a value for `--allowedTools` and refuse to consume a recognized subcommand or `-`/`--`-prefixed token as the value, emit `kind:"missing_argument"` with `argument:"--allowedTools"`; (d) emit `kind:"invalid_tool_name"` with `tool_name:` and `available:[]` fields instead of `kind:"unknown"`; (e) regression test that `claw --allowedTools <subcommand>` rejects with `missing_argument`, and that the canonical name list in errors uses the same casing as the alias map. **Why this matters:** `--allowedTools` is the primary surface for restricting claw's tool surface area (security-relevant). Inconsistent naming between the validator error and the alias map means users following the error message guidance pick names that work in some places and fail in others. The missing-value bug silently swallows a subcommand, leading to confusing "unsupported tool: status" errors when the user actually wanted to run `claw status`. Cross-references #94/#97/#101/#106/#115/#123 (permission-rule audit), #428 (default permission_mode), #422/#423/#424/#428/#430/#431 (`kind:"unknown"` catch-all). Source: Jobdori live dogfood, `fad53e2d`, 2026-05-11.
+432. **DONE — `--allowedTools` uses a canonical snake_case registry with typed diagnostics and documented aliases** — fixed 2026-06-04 in `fix: type allowed tools validation`. `GlobalToolRegistry::normalize_allowed_tools` now normalizes built-in, plugin, runtime, and MCP wrapper tool names to canonical snake_case allow-list entries while still accepting documented aliases such as `read`, `Read`, and legacy provider-facing names like `WebFetch`/`MCPTool`. Provider tool definitions and CLI/subagent executors compare against canonical names, so aliases do not break internal dispatch. `claw --allowedTools status --output-format json` now refuses to consume `status` as a value and emits typed `missing_argument` JSON with `argument:"--allowedTools"`; unsupported names emit typed `invalid_tool_name` JSON with `tool_name`, `available`, and `tool_aliases`. `status --output-format json` exposes `allowed_tools.available` and `allowed_tools.aliases`, and help/usage docs describe canonical names plus aliases. Regression coverage: `parses_allowed_tools_flags_with_aliases_and_lists`, `rejects_allowed_tools_followed_by_subcommand_or_flag_432`, `rejects_unknown_allowed_tools`, `allowed_tools_errors_have_typed_json_and_alias_map_432`, `allowed_tools_normalize_to_canonical_snake_case_and_aliases_432`, status JSON alias assertions, MCP wrapper normalization coverage, and classifier coverage for `invalid_tool_name`.
 433. **Repeated `--output-format` flag silently takes the last value without warning — `claw --output-format json --output-format text status` produces text output, no signal that the prior `json` was overridden; sibling: `--output-format` value is case-sensitive (`JSON` rejected as `kind:"unknown"`); sibling: no `CLAW_OUTPUT_FORMAT` env var for default format override** — dogfooded 2026-05-11 by Jobdori on `ce39d5c5` in response to Clawhip pinpoint nudge at `1503290592556220488`. Reproduction: `claw --output-format json --output-format text status` returns the text-format `Status\n  Model claude-opus-4-6...` table — the first `--output-format json` was silently overridden. No warning, no `format_overridden:true` field, no stderr message. Scripts that compose flag arrays from multiple sources (`flags=("${BASE_FLAGS[@]}" --output-format json)` while `BASE_FLAGS` already contains `--output-format text`) silently get the wrong format. **Three sibling findings in same probe:** (a) **case-sensitivity drift**: `claw --output-format JSON status` returns `{"error":"unsupported value for --output-format: JSON (expected text or json)","kind":"unknown"}` — error message tells user to use lowercase `json` but doesn't accept the uppercase form that users often type from muscle memory. Most CLI flag-value validators (cargo, kubectl, gh) are case-insensitive for enum values or accept both forms with normalization. (b) **`kind:"unknown"` for invalid format value**: same catch-all bucket bug as #422/#423/#424/#428/#430/#431/#432 — should be `kind:"invalid_output_format"` with `value:` and `expected:["text","json"]` fields. (c) **no env-var default for output format**: `CLAW_OUTPUT_FORMAT=json claw status` silently ignored — no env override for the global default, forcing scripts to repeat `--output-format json` on every invocation. Other major CLIs honor `KUBECTL_OUTPUT=`, `AWS_DEFAULT_OUTPUT=`, `GH_NO_PROMPT=` etc. (d) **silently-ignored env vars `CLAW_LOG`/`RUST_LOG`**: no env-based log level control surfaced in `claw doctor` — debug logging requires undocumented `RUST_LOG=` (Rust convention) but `claw --help` doesn't mention either. **Required fix shape:** (a) repeated `--output-format` (or any flag that takes a value, not a count flag) emits a warning to stderr (`warning: --output-format specified multiple times; using last value 'text'`) and adds a `format_source:"flag", format_overridden:[]` field to the JSON envelope; (b) accept case-insensitive enum values for `--output-format` (`JSON`, `Json`, `json` all work), document the canonical lowercase form in `--help`; (c) emit `kind:"invalid_output_format"` (not `kind:"unknown"`) when value is invalid; (d) accept `CLAW_OUTPUT_FORMAT` env var as the default for `--output-format`, with flag-overrides-env precedence documented; (e) document `RUST_LOG` / `CLAW_LOG` in `--help` or doctor output as the log-level env vars; (f) regression test: repeated flag emits stderr warning + JSON metadata field; case-insensitive enum accepts all three casings; env-var default is honored when flag is absent. **Why this matters:** scripts that compose flag arrays from multiple sources (CI envs + per-invocation flags) silently get the wrong output format. Case-sensitive enum values trip up users typing from muscle memory. Missing env-var defaults force per-invocation flag repetition. Cross-references #422/#423/#424/#428/#430/#431/#432 (`kind:"unknown"` catch-all cluster). Source: Jobdori live dogfood, `ce39d5c5`, 2026-05-11.
@@ -7756,10 +7755,14 @@ Original filing (2026-04-18): the session emitted `SessionStart hook (completed)
 794. **`claw plugins install /nonexistent/path` returned `error_kind:"unknown"` + `hint:null`** — dogfooded 2026-05-27 on `57a57ef7`. The error message `"plugin source '/path' was not found"` had no classifier arm, falling to `"unknown"`. Fix: added `plugin_source_not_found` classifier arm (`message.contains("plugin source") && message.contains("was not found")`); added `"plugin_source_not_found"` → `"Check that the path or URL is correct..."` to `fallback_hint_for_error_kind`. Unit test assertion added to `test_classify_error_kind`; integration test `plugins_install_not_found_path_returns_typed_kind_794` added. 56 CLI contract tests pass. [SCOPE: claw-code] Source: Jobdori plugins install probe on `57a57ef7`, 2026-05-27.
-795. **`claw skills install /nonexistent` returned `skill_not_found + hint:null` and `claw skills uninstall x` returned `unsupported_skills_action + hint:null`** — dogfooded 2026-05-27 on `491f179a`. Both error kinds were missing from `fallback_hint_for_error_kind` table, so even though classify returned a typed kind, the hint field was always null. Fix: added `"skill_not_found"` → hint suggesting `claw skills list` / `claw skills install`; added `"unsupported_skills_action"` → hint listing supported actions. Integration test `skills_install_not_found_and_unsupported_action_have_hints_795` covers both paths. 57 CLI contract tests pass. [SCOPE: claw-code] Source: Jobdori skills lifecycle probe on `491f179a`, 2026-05-27.
+795. **`claw skills install /nonexistent` returned `skill_not_found + hint:null` and `claw skills uninstall x` returned `unsupported_skills_action + hint:null`** — dogfooded 2026-05-27 on `491f179a`. Both error kinds were missing from `fallback_hint_for_error_kind` table, so even though classify returned a typed kind, the hint field was always null. Fix: added `skill_not_found` and `unsupported_skills_action` fallback hints. ROADMAP #431 later moved the lifecycle surface fully local: install failures now emit typed `invalid_install_source`, uninstall failures emit local `skill_not_found` with `skills_dir` and `available_names`, and the combined regression is covered by `skills_lifecycle_errors_have_typed_local_json_795_431` plus the install/uninstall roundtrip test. [SCOPE: claw-code] Source: Jobdori skills lifecycle probe on `491f179a`, 2026-05-27.
 796. **`claw agents show <name> <extra>` and `claw skills show <name> <extra>` returned confusing `agent_not_found`/`skill_not_found` for the concatenated "name extra" string** — dogfooded 2026-05-27 on `18b4cee5`. `join_optional_args` passes all tokens as a space-joined string; both `show` handlers called `split_once(' ')` to extract the name but did not check if the remainder (after the first split) contained additional tokens. Extra positional args (including `--flags`) became part of the "name", silently mangling the lookup. Fix: added second `split_once(' ')` on the extracted name; if the result has two parts, return `unexpected_extra_args` with a usage hint. Valid single-name lookups are unaffected. Two new integration tests `agents_show_extra_positional_arg_returns_unexpected_extra_796`, `skills_show_extra_positional_arg_returns_unexpected_extra_796`. 59 CLI contract tests pass. [SCOPE: claw-code] Source: Jobdori agents/skills show extra-arg probe on `18b4cee5`, 2026-05-27.
-797. **Installed `claw version --output-format json` reports `git_sha:null` / `Git SHA unknown`, so dogfood cannot tie the binary under test to a source revision** — dogfooded 2026-05-27 from `#clawcode-building-in-public` using the installed `/home/bellman/.cargo/bin/claw` binary in a clean `ultraworkers/claw-code` checkout. `claw version --output-format json` returned `{"kind":"version","version":"0.1.0","git_sha":null,"target":null,"build_date":"2026-03-31"...}` while `claw status --output-format json` only reported workspace state (`git_branch`, clean/dirty counts) and did not provide any executable-vs-workspace provenance comparison. This is a clawability gap in event/log opacity and stale-binary confusion: an operator can run `doctor/status/version` successfully but still cannot prove which commit the installed CLI came from, whether it matches `origin/main`, or whether the observed behavior is from a stale packaged binary. **Required fix shape:** (a) embed build git SHA/target/build provenance in installed/release binaries whenever the source tree is available; (b) when provenance is missing, emit a typed `binary_provenance.status:"unknown"` rather than only `git_sha:null`; (c) have `status`/`doctor` include a redaction-safe comparison between executable provenance and workspace HEAD when running inside a git checkout; (d) add regression/packaging coverage proving release/local install paths preserve or explicitly classify provenance. **Why this matters:** dogfood reports and automation need to distinguish current-source failures from stale or unknown binary lineage before opening/rebasing/closing PRs. Source: gaebal-gajae live dogfood on 2026-05-27; active repo checkout had open PR #3124 DIRTY with no checks and PR #3125 CLEAN, but the installed binary itself could not identify its source revision.
+797. **DONE — Installed `claw version --output-format json` reports `git_sha:null` / `Git SHA unknown`, so dogfood cannot tie the binary under test to a source revision** — dogfooded 2026-05-27 from `#clawcode-building-in-public` using an installed binary in a clean `ultraworkers/claw-code` checkout. The gap was that version/status/doctor did not provide a structured executable-vs-workspace provenance object when build metadata was missing or stale. [SCOPE: claw-code]
    **Fix applied.** `version --output-format json` now includes a `binary_provenance` object with `status:"known"|"unknown"`, build git SHA, target, build date, executable path, workspace HEAD SHA, `workspace_match`, and a structured hint when provenance is missing or mismatched. `status --output-format json` exposes the same object, and `doctor --output-format json` includes it in the `system` check so dogfood reports can distinguish current-source failures from stale or unknown binary lineage.
    **Verification.** `cargo test --manifest-path rust/Cargo.toml -p rusty-claude-cli version_status_doctor_include_binary_provenance_797 -- --nocapture`; `cargo test --manifest-path rust/Cargo.toml -p rusty-claude-cli version_emits_json_when_requested -- --nocapture`; `cargo test --manifest-path rust/Cargo.toml -p rusty-claude-cli doctor_and_resume_status_emit_json_when_requested -- --nocapture`; `cargo test --manifest-path rust/Cargo.toml -p rusty-claude-cli --test output_format_contract -- --nocapture`; direct probes `cargo run --manifest-path rust/Cargo.toml -q -p rusty-claude-cli -- --output-format json version` and `cargo run --manifest-path rust/Cargo.toml -q -p rusty-claude-cli -- --output-format json status`; `cargo build --manifest-path rust/Cargo.toml --workspace --locked`.
 798. **`claw plugins show <name> <extra-arg>` returned `unexpected_extra_args` + `hint:null`** — dogfooded 2026-05-27 on `9976585f`. The plugins arg parser at the top level emitted `"unexpected extra arguments after 'claw plugins show ...': ..."` with no `\n` delimiter (parity gap with #791 config fix). Fix: appended `\nUsage: claw plugins [list|show <id>|...]` to the error format string. Integration test `plugins_extra_args_have_non_null_hint_797`. Committed as `bff37000`. 60 CLI contract tests pass. [SCOPE: claw-code]
@@ -7778,14 +7781,34 @@ Original filing (2026-04-18): the session emitted `SessionStart hook (completed)
 805. **`claw skills show <not-found>` in text mode silently returned "No skills found." instead of an error** — dogfooded 2026-05-27 on `2c3c0f60`. The text-mode show handler in `handle_skills_slash_command` returned `render_skills_report(&matched)` with an empty vec instead of checking for empty match and returning an error. JSON mode already returned `skill_not_found` since #706. Fix: added `matched.is_empty()` guard with `skill_not_found` error + `\n` hint suggesting `claw skills list`. 62 CLI contract tests pass. [SCOPE: claw-code]
 806. **`claw plugins show <not-found>` in text mode returned "No plugins installed." instead of an error** — dogfooded 2026-05-27 on `ae6a207d`. The text-mode path in `print_plugins` printed `payload.message` (the full list render) without checking if the requested plugin existed. JSON mode correctly returned `plugin_not_found`. Fix: added show-action filtering + not-found guard to text-mode path; added `starts_with("plugin_not_found:")` arm to classifier for the new error prefix. 63 CLI contract tests pass. [SCOPE: claw-code]
-807. **`claw models` / `claw model` with `--output-format json` hang with zero stdout instead of returning bounded model discovery/help JSON or a typed unsupported response** — dogfooded 2026-05-27 on `ae6a207` while checking docs/usage model-alias surface after PR #3162 opened. Both `cargo run -q -p rusty-claude-cli -- models --output-format json` and the actual rebuilt `./rust/target/debug/claw models --output-format json` timed out under an 8s outer timeout with stdout `0`; stderr only contained config deprecation warnings. The same silent timeout reproduced for `models help --output-format json`, `model --output-format json`, and `model help --output-format json`. **Required fix shape:** (a) make `model(s)` help/list/discovery commands return bounded stdout JSON without entering prompt/provider/auth paths; (b) if the command is unsupported, return a standard typed JSON error envelope with `error_kind`, non-null `hint`, and `message`; (c) ensure docs model-alias tables and CLI model discovery surfaces do not diverge; (d) add regression coverage for `models --output-format json`, `models help --output-format json`, `model --output-format json`, and `model help --output-format json` proving they do not hang or emit zero-byte stdout. **Why this matters:** model selection is a setup/control-plane surface. If the natural model discovery commands hang silently, claws cannot verify aliases like `qwen-max` / `qwen-plus`, distinguish unsupported command spelling from provider startup, or safely guide users during first-run model setup. Source: gaebal-gajae 13:30/14:00 dogfood probe; GitHub issue creation was blocked by API rate limit, so the finding was recorded directly in ROADMAP.
+807. **DONE — `claw models` / `claw model` with `--output-format json` hang with zero stdout instead of returning bounded model discovery/help JSON or a typed unsupported response** — dogfooded 2026-05-27 on `ae6a207` while checking docs/usage model-alias surface after PR #3162 opened. Both `cargo run -q -p rusty-claude-cli -- models --output-format json` and the actual rebuilt `./rust/target/debug/claw models --output-format json` timed out under an 8s outer timeout with stdout `0`; stderr only contained config deprecation warnings. The same silent timeout reproduced for `models help --output-format json`, `model --output-format json`, and `model help --output-format json`. **Required fix shape:** (a) make `model(s)` help/list/discovery commands return bounded stdout JSON without entering prompt/provider/auth paths; (b) if the command is unsupported, return a standard typed JSON error envelope with `error_kind`, non-null `hint`, and `message`; (c) ensure docs model-alias tables and CLI model discovery surfaces do not diverge; (d) add regression coverage for `models --output-format json`, `models help --output-format json`, `model --output-format json`, and `model help --output-format json` proving they do not hang or emit zero-byte stdout. **Why this matters:** model selection is a setup/control-plane surface. If the natural model discovery commands hang silently, claws cannot verify aliases like `qwen-max` / `qwen-plus`, distinguish unsupported command spelling from provider startup, or safely guide users during first-run model setup. Source: gaebal-gajae 13:30/14:00 dogfood probe; GitHub issue creation was blocked by API rate limit, so the finding was recorded directly in ROADMAP.
-808. **Control-plane commands `claw config`, `claw settings`, `claw status`, and `claw doctor` with `--output-format json` hang with zero stdout instead of returning bounded JSON/help or a typed unsupported envelope** — dogfooded 2026-05-27 on `86f45a1` after ROADMAP #807 landed. Each of `./rust/target/debug/claw config --output-format json`, `config help --output-format json`, `settings --output-format json`, `settings help --output-format json`, `status --output-format json`, and `doctor --output-format json` timed out under an 8s outer timeout with stdout `0`; stderr only contained the local deprecated `enabledPlugins` settings warning. **Required fix shape:** keep non-interactive control-plane/info commands out of prompt/provider startup paths; return bounded JSON stdout for supported status/config/help surfaces, or a standard typed JSON error envelope with `error_kind`, non-null `hint`, and `message` for unsupported spellings; add timeout/nonzero-stdout regression coverage for the six repro commands. **Why this matters:** claws and users need first-run diagnostics/config/status surfaces that are safe to call from scripts. Silent hangs make setup triage indistinguishable from provider startup, auth, or model discovery failures. Source: gaebal-gajae 17:00 dogfood probe; rechecked 17:30 after `cargo build --manifest-path rust/Cargo.toml -p rusty-claude-cli` produced `claw --version` Git SHA `23a7de6`, and the same timeout reproduced for current HOME and a clean `HOME=/tmp/claw-clean-home-1730` (clean HOME produced rc 124, stdout 0, stderr 0 for `config`, `status`, and `doctor`). [SCOPE: claw-code]
+
-809. **Top-level help/version/MCP/plugin JSON spellings hang with zero stdout in trailing `--output-format json` form instead of returning bounded JSON/help or typed unsupported envelopes** — dogfooded 2026-05-27 on rebuilt main `db81598` (`cargo build --manifest-path rust/Cargo.toml -p rusty-claude-cli`; `claw --version` Git SHA `db81598`). `help --output-format json`, `version --output-format json`, `mcp --output-format json`, `mcp help --output-format json`, `plugins --output-format json`, and `plugins help --output-format json` each timed out under an 8s outer timeout with stdout `0`; stderr only contained the local deprecated `enabledPlugins` settings warning. Leading global-style probes (`--help --output-format json`, `--version --output-format json`) fail immediately as `[error-kind: cli_parse] unknown option`, so the hang is again in the trailing subcommand-style routing/startup path. **Required fix shape:** treat help/version/MCP/plugin discovery surfaces as bounded non-interactive control-plane commands; either return JSON help/list/version payloads or standard typed JSON unsupported envelopes with `error_kind`, non-null `hint`, and `message`; add timeout/nonzero-stdout regression coverage for the six trailing repro commands and parser-envelope coverage for leading global-style spellings. **Why this matters:** claws need safe scriptable help/version/plugin/MCP discovery before provider/session startup; silent hangs hide whether a command is unsupported, misparsed, or initializing runtime state. Source: gaebal-gajae 19:00 dogfood probe. [SCOPE: claw-code]
+    **Fix applied.** `model` and `models` now route to a local `CliAction::Models` surface. Bare `models --output-format json` emits bounded local model metadata (default model, built-in aliases, optional configured model) without provider startup, while `model help --output-format json` routes through the structured local help envelope.
-810. **TTY JSON success for `config`/`plugins --output-format json` contaminates stdout with deprecated-settings warnings before the JSON object** — dogfooded 2026-05-27 on rebuilt main `db81598` after #809. Under pseudo-TTY (`script -q -c "./rust/target/debug/claw config --output-format json"` and `plugins --output-format json`), the commands return rc `0` and bounded JSON, but stdout begins with `warning: /home/bellman/.claw/settings.json: field "enabledPlugins" is deprecated ...` before the JSON object (`first_json_index=121`). Parsing succeeds only after manually stripping the warning/prefix; raw stdout is not valid JSON. **Required fix shape:** in JSON mode, keep diagnostics/warnings on stderr or include structured warning fields inside the JSON envelope, but never prepend human warnings to stdout; add regression coverage that raw stdout from JSON commands parses from byte 0 under TTY and non-TTY modes. **Why this matters:** even when the TTY path avoids the hang from #807/#808/#809, claws and scripts still cannot safely `json.loads(stdout)` if configuration warnings are mixed into stdout. Source: gaebal-gajae 20:00 pseudo-TTY dogfood probe. [SCOPE: claw-code]
+
-811. **Previously typed JSON error/list surfaces hang in plain non-TTY trailing `--output-format json` form instead of emitting their JSON envelopes** — dogfooded 2026-05-27 on rebuilt main `b0e94c9` after #810. In plain non-TTY automation, `agents list --bogus --output-format json`, `skills show does-not-exist --output-format json`, `plugins show does-not-exist --output-format json`, `diff --output-format json`, `sessions show does-not-exist --output-format json`, and `resume bogus --output-format json` each timed out under an 8s outer timeout with stdout `0`; stderr only contained the local deprecated `enabledPlugins` settings warning. Several of these surfaces had prior roadmap fixes for typed JSON/text envelopes, so this is a regression-class scriptability gap: the command-specific envelope may exist, but plain non-TTY trailing JSON invocation routes into interactive startup before reaching it. **Required fix shape:** ensure trailing `--output-format json` is honored before any interactive/provider/session startup for error/list surfaces; add plain non-TTY timeout regression coverage that asserts raw stdout is a parseable typed JSON envelope for the six repro commands, including `error_kind`, non-null `hint`, and `message` where applicable. **Why this matters:** claws primarily invoke CLI checks from non-TTY automation; a fix that only works in manual/TTY mode still leaves JSON error handling unusable for agents. Source: gaebal-gajae 20:30 dogfood probe. [SCOPE: claw-code]
+    **Verification.** Regression test `models_json_and_model_help_json_are_local_807` asserts bounded exit, parseable stdout JSON, empty stderr, no `missing_credentials`, and `requires_provider_request:false` for the models list envelope.
 808. **DONE — Control-plane commands `claw config`, `claw settings`, `claw status`, and `claw doctor` with `--output-format json` hang with zero stdout instead of returning bounded JSON/help or a typed unsupported envelope** — dogfooded 2026-05-27 on `86f45a1` after ROADMAP #807 landed. Each of `./rust/target/debug/claw config --output-format json`, `config help --output-format json`, `settings --output-format json`, `settings help --output-format json`, `status --output-format json`, and `doctor --output-format json` timed out under an 8s outer timeout with stdout `0`; stderr only contained the local deprecated `enabledPlugins` settings warning. **Required fix shape:** keep non-interactive control-plane/info commands out of prompt/provider startup paths; return bounded JSON stdout for supported status/config/help surfaces, or a standard typed JSON error envelope with `error_kind`, non-null `hint`, and `message` for unsupported spellings; add timeout/nonzero-stdout regression coverage for the six repro commands. **Why this matters:** claws and users need first-run diagnostics/config/status surfaces that are safe to call from scripts. Silent hangs make setup triage indistinguishable from provider startup, auth, or model discovery failures. Source: gaebal-gajae 17:00 dogfood probe; rechecked 17:30 after `cargo build --manifest-path rust/Cargo.toml -p rusty-claude-cli` produced `claw --version` Git SHA `23a7de6`, and the same timeout reproduced for current HOME and a clean `HOME=/tmp/claw-clean-home-1730` (clean HOME produced rc 124, stdout 0, stderr 0 for `config`, `status`, and `doctor`). [SCOPE: claw-code]
    **Fix applied.** `settings` now routes locally: bare `settings --output-format json` reuses the config JSON envelope for the synthetic `settings` section, and `settings help --output-format json` returns a structured local help envelope. Existing `config`, `status`, and `doctor` JSON routes remain local.
    **Verification.** Regression test `settings_json_and_help_json_are_local_808` asserts bounded exit, parseable stdout JSON, empty stderr, no `missing_credentials`, `section:"settings"` for bare settings, and structured help for `settings help --output-format json`.
 809. **DONE — Top-level help/version/MCP/plugin JSON spellings hang with zero stdout in trailing `--output-format json` form instead of returning bounded JSON/help or typed unsupported envelopes** — dogfooded 2026-05-27 on rebuilt main `db81598` (`cargo build --manifest-path rust/Cargo.toml -p rusty-claude-cli`; `claw --version` Git SHA `db81598`). `help --output-format json`, `version --output-format json`, `mcp --output-format json`, `mcp help --output-format json`, `plugins --output-format json`, and `plugins help --output-format json` each timed out under an 8s outer timeout with stdout `0`; stderr only contained the local deprecated `enabledPlugins` settings warning. The current parser routes these as bounded local surfaces.
    **Fix applied.** `help`, `version`, `mcp`, and `plugins` now resolve to local `CliAction` paths with parsed `CliOutputFormat::Json`; `parse_local_help_action()` maps `mcp` and `plugins` help topics directly to local JSON help envelopes.
    **Verification.** Static evidence in `rust/crates/rusty-claude-cli/src/main.rs`: `wants_help`/`wants_version` preserve `CliOutputFormat::Json`, `parse_local_help_action()` maps `mcp` and `plugins` to local help topics, and match arms route `mcp`/`plugins` to local handlers before prompt/provider startup.
 810. **DONE — TTY JSON success for `config`/`plugins --output-format json` contaminates stdout with deprecated-settings warnings before the JSON object** — dogfooded 2026-05-27 on rebuilt main `db81598` after #809. Under pseudo-TTY (`script -q -c "./rust/target/debug/claw config --output-format json"` and `plugins --output-format json`), the commands return rc `0` and bounded JSON, but stdout begins with `warning: /home/bellman/.claw/settings.json: field "enabledPlugins" is deprecated ...` before the JSON object (`first_json_index=121`). Parsing succeeds only after manually stripping the warning/prefix; raw stdout is not valid JSON. **Required fix shape:** in JSON mode, keep diagnostics/warnings on stderr or include structured warning fields inside the JSON envelope, but never prepend human warnings to stdout; add regression coverage that raw stdout from JSON commands parses from byte 0 under TTY and non-TTY modes. **Why this matters:** even when the TTY path avoids the hang from #807/#808/#809, claws and scripts still cannot safely `json.loads(stdout)` if configuration warnings are mixed into stdout. Source: gaebal-gajae 20:00 pseudo-TTY dogfood probe. [SCOPE: claw-code]
    **Fix applied.** Existing global JSON-mode settings warning suppression now prevents deprecated `enabledPlugins` prose from prefixing JSON stdout, and the regression matrix asserts stdout starts with `{` at byte 0 for representative local JSON surfaces under an isolated deprecated settings fixture.
    **Verification.** `cargo test --manifest-path rust/Cargo.toml -p rusty-claude-cli global_json_surfaces_suppress_config_deprecation_stderr_810_821_824 -- --nocapture`.
 811. **DONE — Previously typed JSON error/list surfaces hang in plain non-TTY trailing `--output-format json` form instead of emitting their JSON envelopes** — dogfooded 2026-05-27 on rebuilt main `b0e94c9` after #810. In plain non-TTY automation, `agents list --bogus --output-format json`, `skills show does-not-exist --output-format json`, `plugins show does-not-exist --output-format json`, `diff --output-format json`, `sessions show does-not-exist --output-format json`, and `resume bogus --output-format json` each timed out under an 8s outer timeout with stdout `0`; stderr only contained the local deprecated `enabledPlugins` settings warning. Current code parses trailing JSON mode before local dispatch and routes JSON abort envelopes to stdout.
    **Fix applied.** Trailing `--output-format json` is parsed globally before local command matching, so inventory/error surfaces keep their typed local JSON envelopes instead of falling through to runtime/provider startup. The top-level JSON abort handler routes structured errors to stdout.
    **Verification.** Static evidence in `parse_args()` shows global `--output-format` parsing before local command matching; focused tests cover representative affected surfaces including `agents_list_flag_shaped_filter_returns_unknown_option_792`, `plugins_list_flag_shaped_filter_returns_cli_parse_on_stdout_793_817`, `diff_non_git_dir_has_error_kind_and_hint_801`, and resume/export abort-envelope checks around #819/#820/#823.
-812. **`claw --output-format json doctor --help` must stay a local help fast path and never fall through into runtime/provider startup** — dogfooded 2026-05-28 04:01 UTC after #701 worktree drift. The reported repro was `cargo run -q --bin claw -- --output-format json doctor --help`, which did not produce local help promptly and had to be killed, while the positive control `cargo run -q --bin claw -- --output-format json --help` emitted valid JSON help. Fresh bounded repro on branch `fix/doctor-help-json-local` did not reproduce the hang on current code (`timeout 5s cargo run -q --bin claw -- --output-format json doctor --help` exited 0 with a `kind:"help"`/`status:"ok"` doctor help envelope), which means the parser fast path is present but under-tested for this exact dogfood surface.
+812. **DONE — `claw --output-format json doctor --help` must stay a local help fast path and never fall through into runtime/provider startup** — dogfooded 2026-05-28 04:01 UTC after #701 worktree drift. The reported repro was `cargo run -q --bin claw -- --output-format json doctor --help`, which did not produce local help promptly and had to be killed, while the positive control `cargo run -q --bin claw -- --output-format json --help` emitted valid JSON help. Fresh bounded repro on branch `fix/doctor-help-json-local` did not reproduce the hang on current code (`timeout 5s cargo run -q --bin claw -- --output-format json doctor --help` exited 0 with a `kind:"help"`/`status:"ok"` doctor help envelope), and current regression coverage preserves this fast path.
    **Pinpoint.** The guarded path is `rust/crates/rusty-claude-cli/src/main.rs`: global `--output-format json` is parsed before `rest`, `parse_local_help_action()` maps `doctor --help` to `CliAction::HelpTopic { topic: Doctor }`, and `print_help_topic()` must return without calling `run_doctor()`, `LiveCli`, provider setup, session resume, or runtime startup. The previous risk class is help fallthrough: treating `doctor --help` as prompt text or as `doctor` diagnostics would either hit provider/session startup or run checks instead of local help.
@@ -7795,13 +7818,13 @@ Original filing (2026-04-18): the session emitted `SessionStart hook (completed)
    **Verification.** Regression tests: `doctor_help_json_is_local_structured_and_bounded_702` and `doctor_help_text_stays_plaintext_and_local_702` in `rust/crates/rusty-claude-cli/tests/output_format_contract.rs`; focused command repros recorded in `/tmp/claw_doctor_help_json.out` and `/tmp/claw_doctor_help_json.err` during the doctor-help fix branch.
-813. **Dogfood probe shell-string loops can fabricate CLI argv failures for JSON help surfaces** — dogfooded 2026-05-28 after #3185 merged. A verification loop used a single shell string variable (`cmd="--output-format json doctor --help"`; then `cargo run -q --bin claw -- $cmd | python3 -c 'json.load(...)'`). The resulting channel transcript showed `unknown option: --output-format json doctor --help` and Python JSON parse stack noise, even though explicit argv invocations on fresh `main` all returned valid JSON: `cargo run -q --bin claw -- --output-format json doctor --help`, `cargo run -q --bin claw -- doctor --help --output-format json`, and `cargo run -q --bin claw -- help doctor --output-format json`. This is a dogfood-harness test-brittleness / event-log opacity gap, not a product parser regression. The log made a probe-construction mistake look like a claw-code failure.
+813. **DONE — Dogfood probe shell-string loops can fabricate CLI argv failures for JSON help surfaces** — dogfooded 2026-05-28 after #3185 merged. A verification loop used a single shell string variable (`cmd="--output-format json doctor --help"`; then `cargo run -q --bin claw -- $cmd | python3 -c 'json.load(...)'`). The resulting channel transcript showed `unknown option: --output-format json doctor --help` and Python JSON parse stack noise, even though explicit argv invocations on fresh `main` all returned valid JSON: `cargo run -q --bin claw -- --output-format json doctor --help`, `cargo run -q --bin claw -- doctor --help --output-format json`, and `cargo run -q --bin claw -- help doctor --output-format json`. This is a dogfood-harness test-brittleness / event-log opacity gap, not a product parser regression. The log made a probe-construction mistake look like a claw-code failure.
-    **Required fix shape.** Add a tiny argv-safe dogfood helper (script or documented recipe) that runs CLI probes as explicit argv arrays rather than interpolated shell strings, captures stdout/stderr separately, and labels probe-construction failures distinctly from product failures. For ad-hoc shell loops, prefer arrays/functions (`run_probe --output-format json doctor --help`) over `$cmd` strings; never pipe unknown stdout directly into a JSON parser without first recording rc/stdout/stderr.
+    **Fix applied.** Added `scripts/dogfood-probe.py`, an argv-safe helper that accepts a target executable plus arguments after `--`, invokes `subprocess.run` without shell interpolation, records the exact argv vector, captures rc/stdout/stderr as separate fields, and labels `timeout`, `probe_error`, and `product_error` separately. Its optional `--stdout-json-byte0` assertion requires stdout to be parseable JSON starting at byte 0, so JSON parser stack noise is replaced by a structured probe result.
-    **Acceptance.** Future dogfood reports for argv-sensitive CLI surfaces include the exact argv vector and can distinguish `probe_error` from `product_error`; reproducing the three doctor-help forms through the helper yields three parseable JSON objects from byte 0 without Python parser stack noise. [SCOPE: claw-code dogfood harness]
+    **Verification.** `python3 -m unittest tests.test_roadmap_helpers.RoadmapHelperTests.test_dogfood_probe_runs_explicit_argv_and_separates_channels tests.test_roadmap_helpers.RoadmapHelperTests.test_dogfood_probe_labels_timeout_separately_from_product_error tests.test_roadmap_helpers.RoadmapHelperTests.test_dogfood_probe_labels_probe_construction_failure tests.test_roadmap_helpers.RoadmapHelperTests.test_dogfood_probe_labels_stdout_json_prefix_failure_as_product_error` passes. The fixture tests cover explicit argv preservation for `--output-format json doctor --help`, separated stdout/stderr capture, timeout classification, construction-error classification, and byte-0 JSON product-error classification. [SCOPE: claw-code dogfood harness]
-814. **Plain non-TTY trailing `--output-format json` still times out for inventory/error surfaces after #3186** — dogfooded 2026-05-28 07:00 on fresh `main` `0e6d48d9d` after #3186 merged. Using explicit argv probes with separated stdout/stderr (per #813) reproduced the older #811 class on current main: `cargo run -q --bin claw -- agents list --bogus --output-format json`, `skills show does-not-exist --output-format json`, and `plugins show does-not-exist --output-format json` each hit the 5s timeout (`rc=124`) with `stdout` length 0; stderr contained only compile warnings plus the local deprecated `enabledPlugins` settings warning. This confirms the argv-safe probe harness can distinguish product failure from probe-construction failure, and the product gap remains for trailing JSON flag forms on inventory/error surfaces.
+814. **DONE — Plain non-TTY trailing `--output-format json` still times out for inventory/error surfaces after #3186** — dogfooded 2026-05-28 07:00 on fresh `main` `0e6d48d9d` after #3186 merged. Using explicit argv probes with separated stdout/stderr (per #813) reproduced the older #811 class on current main: `cargo run -q --bin claw -- agents list --bogus --output-format json`, `skills show does-not-exist --output-format json`, and `plugins show does-not-exist --output-format json` each hit the 5s timeout (`rc=124`) with `stdout` length 0; stderr contained only compile warnings plus the local deprecated `enabledPlugins` settings warning. Follow-up evidence showed the product path fixed upstream and current tests preserve local JSON error routing.
    **Required fix shape.** Parse trailing `--output-format json` for local inventory/error commands before any REPL/provider startup in plain non-TTY mode, matching the already-working leading global form where applicable. Add timeout regression coverage for at least `agents list --bogus --output-format json`, `skills show does-not-exist --output-format json`, and `plugins show does-not-exist --output-format json` asserting nonzero stdout with a single parseable JSON envelope containing `status:"error"`, `error_kind`, and non-null `hint`. Keep deprecation/config warnings out of stdout in JSON mode.
@@ -7809,43 +7832,71 @@ Original filing (2026-04-18): the session emitted `SessionStart hook (completed)
    **Follow-up verification (2026-05-28 07:30 on `main` `09ff1caf4`).** After #3187 merged, rerunning the same three commands with explicit argv showed the product path had already been fixed upstream: `agents list --bogus --output-format json` returned rc 1 with a JSON `unknown_option` envelope, `skills show does-not-exist --output-format json` returned rc 1 with `skill_not_found`, and `plugins show does-not-exist --output-format json` returned rc 1 with `plugin_not_found`. Stdout was nonzero and parseable in all three cases; warnings stayed on stderr. Remaining actionable lesson is process-level: ROADMAP record #814 is preserved as historical repro + verification, not an open product blocker.
-815. **`claw --output-format json config` reports the same deprecated-settings warning twice: once structurally in `warnings[]` and once as prose on stderr** — dogfooded 2026-05-28 08:00 on current `main` after #3188. `timeout 5s cargo run -q --bin claw -- --output-format json config >out 2>err` exits 0 with parseable stdout JSON (`kind:"config", action:"list", status:"ok"`) and `warnings.length == 1`, but stderr still contains the same `enabledPlugins is deprecated` warning once. This is better than older stdout contamination, but still duplicates the same diagnostic across two channels in JSON mode. A machine consumer that reads the structured warning also sees an extra prose warning on stderr; a log scraper may count one config issue twice.
+    **Fix applied.** Current trailing JSON-mode routing reaches local inventory handlers for these argv-safe probes; handled JSON errors emit parseable stdout envelopes and do not require provider credentials/session startup.
    **Verification.** Existing follow-up probe evidence records `agents list --bogus --output-format json`, `skills show does-not-exist --output-format json`, and `plugins show does-not-exist --output-format json` returning parseable JSON envelopes; current contract tests additionally cover agents/plugin local parse/error envelopes with stdout JSON.
 815. **DONE — `claw --output-format json config` reports the same deprecated-settings warning twice: once structurally in `warnings[]` and once as prose on stderr** — dogfooded 2026-05-28 08:00 on current `main` after #3188. `timeout 5s cargo run -q --bin claw -- --output-format json config >out 2>err` exits 0 with parseable stdout JSON (`kind:"config", action:"list", status:"ok"`) and `warnings.length == 1`, but stderr still contains the same `enabledPlugins is deprecated` warning once. Current config JSON keeps that diagnostic structured without duplicating it on stderr.
    **Required fix shape.** In JSON mode for config/list surfaces that already include `warnings[]`, suppress eager prose emission of the same config warning on stderr or mark it as already collected. Text mode should keep the human stderr warning. Add regression coverage asserting `claw --output-format json config` returns exactly one structured warning and zero duplicate `enabledPlugins` prose lines on stderr.
    **Acceptance.** With a deprecated `enabledPlugins` key present, `claw --output-format json config` exits 0, stdout parses from byte 0 and includes `warnings[]`, and stderr has no duplicate deprecation warning for the same file/key. [SCOPE: claw-code]
-816. **JSON-mode local/list surfaces still leak deprecated config prose warnings on stderr outside `config`** — dogfooded 2026-05-28 09:30 on `main` `89e7f415a` after #3190. `./target/debug/claw --output-format json config` is now fixed (`rc=0`, parseable stdout, `warnings[]`, stderr empty), but sibling JSON surfaces still emit the same app-level config warning to stderr when `~/.claw/settings.json` contains deprecated `enabledPlugins`: `plugins list` (`kind:"plugin"`), `mcp list` (`kind:"mcp"`), and `doctor` (`kind:"doctor"`) all return parseable JSON with `rc=0` while stderr contains `enabledPlugins is deprecated`. `skills list` and `version` stay clean. This leaves machine consumers with a global JSON-mode cleanliness gap even after the config-specific duplicate was fixed.
+    **Fix applied.** JSON-mode config rendering collects deprecated settings diagnostics into `warnings[]` and suppresses the duplicate prose `enabledPlugins` warning on stderr; text mode preserves the human stderr warning.
    **Verification.** `config_json_reports_deprecations_structurally_without_stderr_duplicate_815` asserts a deprecated `enabledPlugins` fixture appears in JSON `warnings[]`, does not appear on stderr for `--output-format json config`, and still appears on stderr for text `config`.
 816. **DONE — JSON-mode local/list surfaces still leak deprecated config prose warnings on stderr outside `config`** — dogfooded 2026-05-28 09:30 on `main` `89e7f415a` after #3190. `./target/debug/claw --output-format json config` was fixed, but sibling JSON surfaces still emitted the same app-level config warning to stderr when `~/.claw/settings.json` contained deprecated `enabledPlugins`: `plugins list`, `mcp list`, and `doctor`. Current global JSON-mode suppression covers these local/list surfaces.
    **Required fix shape.** Treat JSON output mode as a global app-level diagnostic routing contract: local/list/status surfaces that successfully return structured JSON should not write config deprecation prose to stderr. Either collect those warnings into each relevant JSON envelope where a warnings field exists, or suppress config-warning emission during JSON-mode preloading/default resolution for surfaces that cannot represent warnings yet. Preserve human stderr warnings in text mode.
    **Acceptance.** With deprecated `enabledPlugins` present, `claw --output-format json plugins list`, `claw --output-format json mcp list`, and `claw --output-format json doctor` exit 0, stdout parses from byte 0, and stderr contains zero `enabledPlugins is deprecated` app-level warning lines. Text mode still prints the warning. [SCOPE: claw-code]
-817. **`claw --output-format json plugins list --` writes its JSON error envelope to stderr while sibling local inventory commands use stdout** — dogfooded 2026-05-28 12:30 on `main` `9494e3c26`. Trailing bare `--` is a useful parser edge because automation sometimes injects delimiter sentinels. `agents list --` and `skills list --` return rc 1 with parseable JSON on stdout and empty stderr. `mcp list --` also returns a parseable JSON error on stdout. `config --` returns rc 0 with a structured config error on stdout. But `plugins list --` returns rc 1, stdout empty, and writes the JSON error envelope to stderr: `{"action":"abort","error":"unknown option for `claw plugins list`: --", ...}`. This is machine-readable, but channel-inconsistent and surprising for JSON-mode consumers that read stdout for command payloads.
+    **Fix applied.** JSON-mode config-warning suppression is applied globally before local JSON surfaces load settings, covering sibling list/status/diagnostic commands while preserving text-mode stderr warnings.
    **Verification.** `global_json_surfaces_suppress_config_deprecation_stderr_810_821_824` covers `plugins list`, `mcp list`, `doctor`, and additional JSON surfaces under a deprecated `enabledPlugins` fixture with empty stderr; `local_text_surface_preserves_config_deprecation_stderr_816` verifies text mode still emits the warning.
 817. **DONE — `claw --output-format json plugins list --` writes its JSON error envelope to stderr while sibling local inventory commands use stdout** — dogfooded 2026-05-28 12:30 on `main` `9494e3c26`. Trailing bare `--` is a useful parser edge because automation sometimes injects delimiter sentinels. `plugins list --` returned rc 1, stdout empty, and wrote the JSON error envelope to stderr. Current plugin list parse-error routing matches sibling JSON inventory/local surfaces.
    **Required fix shape.** Align `plugins list` parse-error routing with the other JSON inventory/local surfaces: in JSON mode, print the structured CLI error envelope to stdout and keep stderr empty for this handled parse error. Preserve text-mode stderr behavior. Add regression coverage for `claw --output-format json plugins list --` asserting rc 1, stdout parseable JSON with `error_kind:"cli_parse"`, and empty stderr.
    **Acceptance.** `claw --output-format json plugins list --` exits 1, stdout parses from byte 0 as the existing JSON error envelope, stderr is empty, and text mode still reports the parse error to stderr. [SCOPE: claw-code]
-818. **`AGENTS.md` and `.claude/CLAUDE.md` silently omitted from instruction file cascade** — dogfooded 2026-05-29 08:00. When a repo contains `AGENTS.md` (OpenAI Codex / multi-agent convention) or `.claude/CLAUDE.md` (scoped Claude Code convention), claw-code does not load either file as part of the instruction/context cascade on startup. Users following either convention discover this only by noticing their persona/context instructions have no effect — no warning, no missing-file diagnostic, no documentation note. This is a friction gap for any team migrating to or simultaneously using claw-code alongside Claude Code or Codex workflows, since the two most common non-CLAUDE.md instruction files are silently ignored.
+    **Fix applied.** The `plugins list` flag/filter guard emits handled JSON parse errors directly to stdout in JSON mode while keeping text-mode parse errors on stderr.
    **Verification.** `plugins_list_trailing_dash_json_error_uses_stdout_817`, `plugins_list_trailing_dash_text_error_stays_on_stderr_817`, and `plugins_list_flag_shaped_filter_returns_cli_parse_on_stdout_793_817` cover rc 1, stdout JSON with `error_kind:"cli_parse"`, empty stderr in JSON mode, and preserved text stderr behavior.
 818. **DONE — `AGENTS.md` and `.claude/CLAUDE.md` silently omitted from instruction file cascade** — dogfooded 2026-05-29 08:00. When a repo contains `AGENTS.md` (OpenAI Codex / multi-agent convention) or `.claude/CLAUDE.md` (scoped Claude Code convention), claw-code does not load either file as part of the instruction/context cascade on startup. Users following either convention discover this only by noticing their persona/context instructions have no effect — no warning, no missing-file diagnostic, no documentation note. This is a friction gap for any team migrating to or simultaneously using claw-code alongside Claude Code or Codex workflows, since the two most common non-CLAUDE.md instruction files are silently ignored.
    **Required fix shape.** Add `AGENTS.md` (project root) and `.claude/CLAUDE.md` (`.claude/` subdirectory) to the instruction file cascade that already loads `CLAUDE.md`. Apply the same merge-and-precedence semantics as existing instruction files. Log a debug trace (not stderr noise) when either file is loaded. Add test coverage: a fixture repo with `AGENTS.md` only, `.claude/CLAUDE.md` only, and both present alongside `CLAUDE.md` should each have the relevant content visible in the resolved instruction context.
    **Acceptance.** `claw` launched in a repo containing `AGENTS.md` or `.claude/CLAUDE.md` loads those files into the instruction context. No warning emitted for absent optional files. Existing `CLAUDE.md`-only repos unaffected. PR #3195. [SCOPE: claw-code]
-819. **`claw --output-format json export --session <missing>` writes JSON error envelope to stderr, stdout empty** — dogfooded 2026-05-29 09:30 on `main` `37a9a543`. `claw --output-format json export --session does-not-exist` exits rc=1 with stdout length 0 and the full JSON error envelope on stderr: `{"action":"abort","error":"session not found: does-not-exist","error_kind":"session_not_found",...}`. This is the same channel-routing inconsistency class as #817 (plugins list trailing-dash, fixed in #3194): handled errors in JSON mode should go to stdout, not stderr, so machine consumers can parse the envelope from stdout byte 0 regardless of which surface triggered the error.
+    **Fix applied.** The instruction cascade now loads `AGENTS.md` and `.claude/CLAUDE.md` from the same ancestor walk that already loads `CLAUDE.md`, `CLAUDE.local.md`, `.claw/CLAUDE.md`, and `.claw/instructions.md`, preserving the existing merge/dedupe semantics and avoiding warnings for absent optional files.
    **Verification.** `cargo test --manifest-path rust/Cargo.toml -p runtime discovers_agents_markdown_instruction_file -- --nocapture`; `cargo test --manifest-path rust/Cargo.toml -p runtime discovers_scoped_dot_claude_claude_markdown_instruction_file -- --nocapture`; `cargo test --manifest-path rust/Cargo.toml -p runtime discovers_claude_agents_and_dot_claude_instruction_files_together -- --nocapture`.
 819. **DONE — `claw --output-format json export --session <missing>` writes JSON error envelope to stderr, stdout empty** — dogfooded 2026-05-29 09:30 on `main` `37a9a543`. `claw --output-format json export --session does-not-exist` exits rc=1 with stdout length 0 and the full JSON error envelope on stderr: `{"action":"abort","error":"session not found: does-not-exist","error_kind":"session_not_found",...}`. This is the same channel-routing inconsistency class as #817 (plugins list trailing-dash, fixed in #3194): handled errors in JSON mode should go to stdout, not stderr, so machine consumers can parse the envelope from stdout byte 0 regardless of which surface triggered the error.
    **Required fix shape.** Align `export --session <missing>` error routing with the inventory surfaces fixed in #817: in JSON mode, write the `session_not_found` error envelope to stdout (rc=1) and keep stderr empty. Preserve text-mode behavior (stderr message). Add regression coverage asserting rc=1, stdout parseable JSON with `error_kind:"session_not_found"`, and empty stderr.
    **Acceptance.** `claw --output-format json export --session does-not-exist` exits 1, stdout contains the JSON error envelope from byte 0, stderr is empty. Text mode still prints the error to stderr. [SCOPE: claw-code]
-820. **`interactive_only` error class always routes JSON envelope to stderr (stdout empty)** — dogfooded 2026-05-29 10:00 on `main` `efe59c22`. All `interactive_only` errors share the same routing gap as #819 (`export --session <missing>`): `claw --output-format json session list`, `session switch <id>`, `session delete <id>`, and `session fork <id>` each exit rc=1, stdout empty, JSON envelope on stderr. The envelope is well-formed (`error_kind:"interactive_only"`, `hint:...`, `action:"abort"`) but the channel is wrong for JSON mode. Any surface that returns `interactive_only` is affected; these are all the `claw session` subcommands. This is the same root cause as #817 (plugins) and #819 (export): the top-level error handler writes `Err(...)` to stderr instead of routing to stdout when `--output-format json` is active.
+    **Fix applied.** The JSON abort handler now emits export/session-not-found envelopes on stdout in JSON mode while preserving text-mode stderr behavior. The explicit missing-session regression asserts rc 1, `error_kind:"session_not_found"`, abort envelope, and empty stderr.
    **Verification.** `cargo test --manifest-path rust/Cargo.toml -p rusty-claude-cli export_missing_session_json_error_uses_stdout_819 -- --nocapture`.
 820. **DONE — `interactive_only` error class always routes JSON envelope to stderr (stdout empty)** — dogfooded 2026-05-29 10:00 on `main` `efe59c22`. All `interactive_only` errors shared the same routing gap as #819: JSON envelopes were well-formed but written to stderr. Current JSON abort handling routes `interactive_only` envelopes to stdout.
    **Required fix shape.** In the top-level error handler (or the `interactive_only` classifier arm in `main.rs`), detect JSON output mode and write the structured error envelope to stdout (rc=1) instead of stderr. Scope the fix to the `interactive_only` error_kind so all affected surfaces are repaired in one pass. Add regression coverage for at least `claw --output-format json session list` asserting rc=1, stdout parseable JSON with `error_kind:"interactive_only"`, stderr empty.
    **Acceptance.** All `claw --output-format json session <subcommand>` invocations exit 1 with the JSON envelope on stdout and empty stderr. Text mode continues to print the error to stderr. [SCOPE: claw-code]
-821. **`status`, `sandbox`, and `system-prompt` in JSON mode still emit config deprecation warning to stderr** — dogfooded 2026-05-29 10:30 on `main` `42aff269`. After #816 fixed config deprecation stderr leakage for `plugins list`, `mcp list`, `doctor`, and `config`, three JSON-mode surfaces continue to emit the `enabledPlugins is deprecated` prose warning to stderr: `claw --output-format json status` (122 bytes stderr), `claw --output-format json sandbox` (122 bytes stderr), `claw --output-format json system-prompt` (122 bytes stderr). These surfaces return well-formed JSON on stdout (rc=0) but leak the config warning to stderr, leaving machine consumers with mixed-channel output. `version`, `acp`, `agents`, `skills`, `mcp`, `plugins`, and `doctor` all have clean stderr after #816.
+    **Fix applied.** The JSON abort handler now classifies `interactive_only` and prints the structured envelope to stdout in JSON mode; text-mode errors still use stderr.
    **Verification.** Session/abort contract assertions in `output_format_contract.rs` around #819/#820/#823 require JSON-mode interactive-only failures to provide a stdout JSON envelope and no JSON envelope on stderr.
 821. **DONE — `status`, `sandbox`, and `system-prompt` in JSON mode still emit config deprecation warning to stderr** — dogfooded 2026-05-29 10:30 on `main` `42aff269`. After #816 fixed config deprecation stderr leakage for `plugins list`, `mcp list`, `doctor`, and `config`, three JSON-mode surfaces continue to emit the `enabledPlugins is deprecated` prose warning to stderr: `claw --output-format json status` (122 bytes stderr), `claw --output-format json sandbox` (122 bytes stderr), `claw --output-format json system-prompt` (122 bytes stderr). These surfaces return well-formed JSON on stdout (rc=0) but leak the config warning to stderr, leaving machine consumers with mixed-channel output. `version`, `acp`, `agents`, `skills`, `mcp`, `plugins`, and `doctor` all have clean stderr after #816.
    **Required fix shape.** Extend the JSON-mode config-warning suppression applied in #816 to cover `status`, `sandbox`, and `system-prompt`. The fix should apply globally: any JSON-mode surface that completes successfully should not emit config deprecation prose to stderr. Text mode should keep the human stderr warning.
@@ -7853,56 +7904,110 @@ Original filing (2026-04-18): the session emitted `SessionStart hook (completed)
    **Follow-up (2026-05-29 12:00, `main` `3dbb35c3`).** Broader sweep confirms additional surfaces with the same 122-byte stderr leak in JSON mode: `--resume latest /config` (all subforms: bare, `env`, `hooks`, `model`, `plugins`) and `--resume latest /providers` (doctor alias). The fix must apply to all config-loading paths, not just the three originally documented surfaces. The suppression guard should fire at the settings-load level so any JSON-mode invocation benefits without per-surface patching.
-822. **Unknown top-level subcommand falls through to REPL/provider startup instead of returning a `command_not_found` error** — dogfooded 2026-05-29 11:00 on `main` `69b59079`. `claw --output-format json foobar` does not return a structured `command_not_found` error; instead it falls through to the interactive/API path and hits `missing_credentials` (rc=1, stderr: `{"error_kind":"missing_credentials",...}`). Two gaps in one: (1) the unrecognized command word is silently treated as a prompt/text argument, not flagged as unknown, so the user gets a misleading "no credentials" error instead of "command not found"; (2) the resulting error goes to stderr. This makes automation scripts that probe for command availability impossible to distinguish from auth failures.
+    **Fix applied.** The warning-suppression regression matrix now covers `status`, `sandbox`, and `system-prompt` with deprecated `enabledPlugins` settings, asserting successful JSON, stdout JSON from byte 0, and empty stderr while preserving the existing text-mode warning assertion.
    **Verification.** `cargo test --manifest-path rust/Cargo.toml -p rusty-claude-cli global_json_surfaces_suppress_config_deprecation_stderr_810_821_824 -- --nocapture`; text-mode preservation remains covered by `local_text_surface_preserves_config_deprecation_stderr_816`.
 822. **DONE — Unknown top-level subcommand falls through to REPL/provider startup instead of returning a `command_not_found` error** — dogfooded 2026-05-29 11:00 on `main` `69b59079`. `claw --output-format json foobar` returned `missing_credentials` after prompt/provider fallthrough instead of a structured `command_not_found`. Current command-shaped unknown tokens are rejected before provider startup.
    **Required fix shape.** Before falling through to the REPL/prompt path, check whether the first positional arg matches any known subcommand. If not, return a typed error: `{"error_kind":"command_not_found","message":"unknown command: foobar","hint":"Run `claw --help` for available commands.","status":"error"}` on stdout (JSON mode, rc=1) or stderr (text mode). This mirrors the behavior of `--bogus-flag` (which correctly returns `cli_parse`) but for unknown positional commands.
    **Acceptance.** `claw --output-format json foobar` exits 1, stdout contains JSON with `error_kind:"command_not_found"`, stderr empty. Text mode prints the error to stderr. No provider startup attempted. [SCOPE: claw-code]
-823. **`claw --output-format json prompt` with missing/empty prompt text routes JSON error to stderr (stdout empty)** — dogfooded 2026-05-29 11:30 on `main` `3a76c4f4`. `claw --output-format json prompt` (no text) and `claw --output-format json prompt ""` (empty string) both exit rc=1, stdout empty, and write `{"error_kind":"missing_prompt","action":"abort",...}` to stderr. The envelope is well-formed but channel-inconsistent: JSON mode machine consumers reading stdout for command results get empty stdout and must check stderr to detect the error. This is the same class as #819 (export session-not-found) and #820 (interactive_only / session subcommands), and the same root cause: the top-level abort handler writes to stderr regardless of output-format mode.
+    **Fix applied.** Unknown command-shaped top-level tokens now trip the pre-provider `command_not_found:` guard, and the classifier maps that prefix to `error_kind:"command_not_found"` with JSON-mode output on stdout.
    **Verification.** `unknown_subcommand_json_emits_command_not_found`, `unknown_subcommand_text_emits_command_not_found_on_stderr`, `unknown_subcommand_typo_with_suggestions_json_emits_command_not_found`, and updated `unknown_subcommand_returns_typed_kind_785` cover JSON stdout, text stderr, suggestion hints, and no `missing_credentials` fallthrough.
 823. **DONE — `claw --output-format json prompt` with missing/empty prompt text routes JSON errors to stdout with empty stderr** — dogfooded 2026-05-29 11:30 on `main` `3a76c4f4`. `claw --output-format json prompt` (no text) and `claw --output-format json prompt ""` (empty string) both exited rc=1, stdout empty, and wrote `{"error_kind":"missing_prompt","action":"abort",...}` to stderr. The envelope was well-formed but channel-inconsistent: JSON mode machine consumers reading stdout for command results got empty stdout and had to check stderr to detect the error. This is the same class as #819 (export session-not-found) and #820 (interactive_only / session subcommands), and the same root cause: the top-level abort handler wrote to stderr regardless of output-format mode.
    **Required fix shape.** In JSON mode, route `missing_prompt` abort errors to stdout (rc=1) and keep stderr empty. This is the same fix pattern as #817/#819/#820: detect JSON output mode in the abort handler and redirect the structured envelope to stdout. Add regression coverage for `claw --output-format json prompt` (no arg) and `claw --output-format json prompt ""` asserting rc=1, stdout parseable JSON with `error_kind:"missing_prompt"`, stderr empty.
    **Acceptance.** Both invocations exit 1 with JSON envelope on stdout and empty stderr. Text mode still prints to stderr. [SCOPE: claw-code]
-824. **Global settings-load deprecation warning still leaks to stderr in JSON mode for `status`, `sandbox`, `system-prompt`, `skills`, `mcp`, `agents` surfaces** — dogfooded 2026-05-29 13:30 on `main` `b4b1ba10`. After #816 and #821 (doc), the `enabledPlugins is deprecated` config warning still reaches stderr on every JSON-mode surface that loads settings: `claw --output-format json status`, `sandbox`, `system-prompt`, `mcp list`, `skills list`, `agents list` all emit `warning: /path/.claw/settings.json: field "enabledPlugins" is deprecated (line 2)...` to stderr. Root cause: `emit_config_warning_once()` in `runtime/src/config.rs` always uses `eprintln!` with no output-format awareness. The `config` surface avoids the duplicate by collecting warnings into a structured `warnings[]` field, but all other surfaces hit the raw `eprintln!` path.
+    **Fix applied.** The top-level JSON abort handler now emits structured error envelopes to stdout, so both missing `prompt` text paths keep the existing `missing_prompt` classification while preserving empty stderr. Regression coverage now asserts `claw --output-format json prompt` and `claw --output-format json prompt ""` exit rc=1, parse stdout JSON with `error_kind:"missing_prompt"`, and leave stderr empty.
    **Verification.** `cargo test --manifest-path rust/Cargo.toml -p rusty-claude-cli prompt_no_arg_json_error_kind_750 -- --nocapture`; `cargo test --manifest-path rust/Cargo.toml -p rusty-claude-cli prompt_empty_arg_json_stdout_missing_prompt_823 -- --nocapture`.
 824. **DONE — Global settings-load deprecation warning still leaks to stderr in JSON mode for `status`, `sandbox`, `system-prompt`, `skills`, `mcp`, `agents` surfaces** — dogfooded 2026-05-29 13:30 on `main` `b4b1ba10`. After #816 and #821 (doc), the `enabledPlugins is deprecated` config warning still reaches stderr on every JSON-mode surface that loads settings: `claw --output-format json status`, `sandbox`, `system-prompt`, `mcp list`, `skills list`, `agents list` all emit `warning: /path/.claw/settings.json: field "enabledPlugins" is deprecated (line 2)...` to stderr. Root cause: `emit_config_warning_once()` in `runtime/src/config.rs` always uses `eprintln!` with no output-format awareness. The `config` surface avoids the duplicate by collecting warnings into a structured `warnings[]` field, but all other surfaces hit the raw `eprintln!` path.
    **Required fix shape.** Add a global `SUPPRESS_CONFIG_WARNINGS_STDERR: AtomicBool` flag in `config.rs`. Set it to `true` immediately when `--output-format json` is detected in `main.rs` (before any settings load). Gate `emit_config_warning_once` on that flag. Text-mode invocations continue to print to stderr; JSON-mode invocations silently suppress the prose warning (warnings remain available via structured `config` output).
    **Acceptance.** With deprecated `enabledPlugins` in `~/.claw/settings.json`, all JSON-mode surfaces (`status`, `sandbox`, `system-prompt`, `mcp list`, `skills list`, `agents list`, plus all `--resume /config*` forms) exit with empty stderr. Text-mode output is unchanged. [SCOPE: claw-code]
-825. **Unknown single-word subcommand falls through to provider startup and surfaces `missing_credentials` instead of `command_not_found`** — dogfooded 2026-05-29 14:00 on `main` `de7edd5b`. `claw foobar` (and `claw --output-format json foobar`) hit the `looks_like_subcommand_typo` guard, which checked for close fuzzy matches but fell through silently when no suggestions matched. The fallthrough routed to `CliAction::Prompt`, triggering Anthropic provider startup and a misleading `missing_credentials` error (or burning API tokens if credentials were present). The `command_not_found` error kind existed in the registry but was never emitted by this path.
+    **Fix applied.** The focused matrix now exercises the global settings-load path for `status`, `sandbox`, `system-prompt`, `mcp list`, `skills list`, `agents list`, and a generated-session resume `/config` invocation under deprecated `enabledPlugins`, requiring empty stderr for every JSON-mode surface.
    **Verification.** `cargo test --manifest-path rust/Cargo.toml -p rusty-claude-cli global_json_surfaces_suppress_config_deprecation_stderr_810_821_824 -- --nocapture`; `cargo test --manifest-path rust/Cargo.toml -p rusty-claude-cli local_text_surface_preserves_config_deprecation_stderr_816 -- --nocapture`.
 825. **DONE — Unknown single-word subcommand falls through to provider startup and surfaces `missing_credentials` instead of `command_not_found`** — dogfooded 2026-05-29 14:00 on `main` `de7edd5b`. `claw foobar` (and `claw --output-format json foobar`) hit the `looks_like_subcommand_typo` guard, then fell through to provider startup when no suggestions matched. Current code emits `command_not_found` for this path.
    **Required fix shape.** When `looks_like_subcommand_typo` fires on a single-word positional arg with no close suggestions, emit `command_not_found:` rather than falling through. Add `command_not_found:` prefix classifier to `classify_error_kind`. Result: clean `{"error_kind":"command_not_found",...}` envelope on stdout (JSON mode), error on stderr (text mode), zero provider startup.
    **Acceptance.** `claw --output-format json foobar` exits 1, stdout `error_kind:"command_not_found"`, stderr empty, no Anthropic call. Typo with suggestions (`claw statuz`) also gets `command_not_found` plus `hint` with suggestions. [SCOPE: claw-code]
-826. **Multi-word unknown subcommand still falls through to `missing_credentials`** — dogfooded 2026-05-29 14:38 on `main` `70d64be0`. After #825 fixed single-word unknown subcommands, multi-word invocations (`claw foobar baz`) are still undetected: the `looks_like_subcommand_typo` guard only fires when `rest.len() == 1`. When there are two or more positional args, the first word is treated as a prompt and all args join into a prompt string → provider startup → `missing_credentials`. Same misleading-error class as #825 but for multi-word cases.
+    **Fix applied.** The `looks_like_subcommand_typo` path emits `command_not_found:` for unknown single-word command-shaped tokens even when there are no close suggestions, and typo suggestions are unified under the same typed error kind.
    **Verification.** `unknown_subcommand_json_emits_command_not_found`, `unknown_subcommand_text_emits_command_not_found_on_stderr`, `unknown_subcommand_typo_with_suggestions_json_emits_command_not_found`, and classifier coverage in `classify_error_kind_returns_correct_discriminants` verify `command_not_found` instead of `missing_credentials` before provider startup.
 826. **DONE — Multi-word unknown subcommand still falls through to `missing_credentials`** — dogfooded 2026-05-29 14:38 on `main` `70d64be0`. After #825 fixed single-word unknown subcommands, multi-word invocations (`claw foobar baz`) are still undetected: the `looks_like_subcommand_typo` guard only fires when `rest.len() == 1`. When there are two or more positional args, the first word is treated as a prompt and all args join into a prompt string → provider startup → `missing_credentials`. Same misleading-error class as #825 but for multi-word cases.
    **Required fix shape.** Extend the command-not-found guard to also fire when `rest.len() > 1` and `rest[0]` passes `looks_like_subcommand_typo` but does not match any known subcommand. The multi-arg case should also emit `command_not_found` — with a note that if literal multi-word prompt was intended, use `claw prompt <text>` or `echo 'text' | claw`.
    **Acceptance.** `claw --output-format json foobar baz` exits 1, stdout `error_kind:"command_not_found"`, stderr empty, no provider startup. `claw "write a haiku"` (valid prompt passthrough) is unaffected. [SCOPE: claw-code]
-827. **`--resume <session> /unknown-slash-command` emits `error_kind:"unknown"` instead of a typed kind** — dogfooded 2026-05-29 14:58 on `main` `d47b0151`. `claw --resume latest --output-format json /bogus` exits rc=2 with `{"error_kind":"unknown",...}` on stdout (correct channel, correct rc) but the opaque `"unknown"` kind gives machine consumers no way to distinguish "unrecognized slash command" from other error classes. The error has a useful `hint` with suggestions, but the `error_kind` field is `"unknown"` across all unrecognized resume slash commands.
+    **Fix applied.** JSON-mode command-shaped unknown subcommands now emit `command_not_found:` before provider startup even when additional tokens follow. Text-mode multi-word prompt shorthand remains available, but JSON automation no longer turns `claw --output-format json foobar baz` into a credential-gated prompt request.
    **Verification.** `cargo test --manifest-path rust/Cargo.toml -p rusty-claude-cli multi_word_unknown_subcommand_json_emits_command_not_found_826 -- --nocapture`; `cargo test --manifest-path rust/Cargo.toml -p rusty-claude-cli unknown_subcommand_json_emits_command_not_found -- --nocapture`; direct probe `cargo run --manifest-path rust/Cargo.toml -q -p rusty-claude-cli -- --output-format json foobar baz`.
 827. **DONE — `--resume <session> /unknown-slash-command` emits `error_kind:"unknown"` instead of a typed kind** — dogfooded 2026-05-29 14:58 on `main` `d47b0151`. `claw --resume latest --output-format json /bogus` exits rc=2 with `{"error_kind":"unknown",...}` on stdout (correct channel, correct rc) but the opaque `"unknown"` kind gives machine consumers no way to distinguish "unrecognized slash command" from other error classes. The error has a useful `hint` with suggestions, but the `error_kind` field is `"unknown"` across all unrecognized resume slash commands.
    **Required fix shape.** Introduce a typed `error_kind` for unrecognized slash commands (e.g. `unknown_slash_command` or `command_not_found`). Update the JSON emit in the `--resume` unknown-command handler to use the typed kind. Add regression coverage asserting the typed kind.
    **Acceptance.** `claw --resume latest --output-format json /bogus` exits rc=2, stdout `error_kind:"unknown_slash_command"` (or similar typed constant), stderr empty. [SCOPE: claw-code]
-828. **`/approve` and `/deny` outside REPL emit `unknown_slash_command` instead of `interactive_only`** — dogfooded 2026-05-29 16:05 on `main` `9d05573f`. `claw --output-format json /approve` exited rc=1 with `error_kind:"unknown_slash_command"` — these are valid REPL-only slash commands but are not `SlashCommand` enum variants, so they fell through to `format_unknown_direct_slash_command`. Machine consumers saw the wrong error class.
+    **Fix applied.** Unknown direct and resumed slash commands now use the classifier-friendly `unknown_slash_command:` prefix, so the JSON resume-command error path emits `error_kind:"unknown_slash_command"` instead of falling back to `unknown`. Direct slash command coverage and the new resumed-session regression both assert stdout JSON and empty stderr.
    **Verification.** `cargo fmt --manifest-path rust/Cargo.toml --all -- --check`; `cargo test --manifest-path rust/Cargo.toml -p rusty-claude-cli direct_unknown_slash_command_emits_typed_error_kind -- --nocapture`; `cargo test --manifest-path rust/Cargo.toml -p rusty-claude-cli resume_unknown_slash_command_emits_typed_error_kind_827 -- --nocapture`; direct probe `cargo run --manifest-path rust/Cargo.toml -q -p rusty-claude-cli -- --resume .claw/sessions/491726c4e6bde42d/session-1778832949219-0.jsonl --output-format json /boguscommand`.
 828. **DONE — `/approve` and `/deny` outside REPL emit `unknown_slash_command` instead of `interactive_only`** — dogfooded 2026-05-29 16:05 on `main` `9d05573f`. `claw --output-format json /approve` exited rc=1 with `error_kind:"unknown_slash_command"` — these are valid REPL-only slash commands but are not `SlashCommand` enum variants, so they fell through to `format_unknown_direct_slash_command`. Machine consumers saw the wrong error class.
    **Fix applied.** `SlashCommand::Unknown` arm now special-cases `approve | yes | y | deny | no | n` and emits `interactive_only:` prefix before falling through to `format_unknown_direct_slash_command`. Both `error_kind` and hint are correct.
    **Acceptance.** `claw --output-format json /approve` exits rc=1, stdout `error_kind:"interactive_only"`, stderr empty. [SCOPE: claw-code]
-829. **`interactive_only` hint incorrectly suggests `--resume` for commands that are not resume-safe** — dogfooded 2026-05-29 16:40 on `main` `187aebd7`. `claw --output-format json /commit` hint says `"use claw --resume SESSION.jsonl /commit"` but `/commit` is not resume-safe (no `[resume]` marker in `/help`). Same for `/pr`, `/issue`, `/bughunter`, `/ultraplan`. The generic `interactive_only` hint template does not distinguish resume-safe from live-REPL-only commands, so it always suggests `--resume` regardless. Users who follow the hint will get `interactive_only` again.
+    **Verification.** `cargo test --manifest-path rust/Cargo.toml -p rusty-claude-cli approve_deny_outside_repl_emits_interactive_only -- --nocapture`; direct probes `cargo run --manifest-path rust/Cargo.toml -q -p rusty-claude-cli -- --output-format json /approve` and `cargo run --manifest-path rust/Cargo.toml -q -p rusty-claude-cli -- --output-format json /deny`.
 829. **DONE — `interactive_only` hint incorrectly suggests `--resume` for commands that are not resume-safe** — dogfooded 2026-05-29 16:40 on `main` `187aebd7`. `claw --output-format json /commit` hint says `"use claw --resume SESSION.jsonl /commit"` but `/commit` is not resume-safe (no `[resume]` marker in `/help`). Same for `/pr`, `/issue`, `/bughunter`, `/ultraplan`. The generic `interactive_only` hint template does not distinguish resume-safe from live-REPL-only commands, so it always suggests `--resume` regardless. Users who follow the hint will get `interactive_only` again.
    **Required fix shape.** The generic `interactive_only:` message formatter (line ~1745 in `main.rs`) currently always appends `or use claw --resume SESSION.jsonl {command_name}`. This should be conditioned on whether the slash command appears in the resume-safe command list. Non-resume-safe interactive commands should only say `Start claw and run it there.`
    **Acceptance.** `claw --output-format json /commit` hint does NOT mention `--resume`. `claw --output-format json /status` (resume-safe) hint still mentions `--resume`. [SCOPE: claw-code]
-830. **`claw mcp show` (missing server name arg) emits `error_kind:"unknown_mcp_action"` instead of `missing_argument`** — dogfooded 2026-05-29 17:00 on `main` `ac5b19de`. `claw --output-format json mcp show` (no server name supplied) exits with `error_kind:"unknown_mcp_action"`. However `show` IS a known MCP action — the error is a missing required argument (server name), not an unknown action. Machine consumers inspecting `error_kind` cannot distinguish "I don't know this action" from "I know this action but a required arg is missing".
+    **Fix applied.** The direct slash-command guidance now consults the shared `resume_supported` command metadata before adding a `--resume` remediation. Non-resume-safe commands such as `/commit`, `/pr`, `/issue`, `/bughunter`, and `/ultraplan` only point users to the live REPL, while resume-safe commands keep the `--resume SESSION.jsonl` hint.
    **Verification.** `cargo test --manifest-path rust/Cargo.toml -p rusty-claude-cli non_resume_safe_interactive_only_hint_omits_resume_suggestion -- --nocapture`; `cargo test --manifest-path rust/Cargo.toml -p rusty-claude-cli resume_safe_interactive_only_hint_includes_resume_suggestion -- --nocapture`; direct probes `cargo run --manifest-path rust/Cargo.toml -q -p rusty-claude-cli -- --output-format json /commit` and `cargo run --manifest-path rust/Cargo.toml -q -p rusty-claude-cli -- --output-format json /status`.
 830. **DONE — `claw mcp show` (missing server name arg) emits `error_kind:"unknown_mcp_action"` instead of `missing_argument`** — dogfooded 2026-05-29 17:00 on `main` `ac5b19de`. `claw --output-format json mcp show` (no server name supplied) exits with `error_kind:"unknown_mcp_action"`. However `show` IS a known MCP action — the error is a missing required argument (server name), not an unknown action. Machine consumers inspecting `error_kind` cannot distinguish "I don't know this action" from "I know this action but a required arg is missing".
    **Required fix shape.** The MCP subcommand parser should detect `show` with no following token and emit `missing_argument: mcp show requires a server name.\nUsage: claw mcp show <server>` with a distinct `error_kind`. Update the classifier arm to return `missing_argument` for this prefix.
    **Acceptance.** `claw --output-format json mcp show` exits rc=1, stdout `error_kind:"missing_argument"`, stderr empty. Hint contains usage example. [SCOPE: claw-code]
    **Fix applied.** `mcp show` without a server name now emits a typed `missing_argument` response instead of reusing `unknown_mcp_action`. The direct JSON path returns `{kind:"mcp", action:"show", status:"error", error_kind:"missing_argument"}` with a usage hint on stdout and an empty stderr stream; the slash-command parser also classifies `/mcp show` as `missing_argument` via the shared error-kind classifier.
    **Verification.** `cargo fmt --manifest-path rust/Cargo.toml --all -- --check`; `cargo test --manifest-path rust/Cargo.toml -p commands mcp -- --nocapture`; `cargo test --manifest-path rust/Cargo.toml -p rusty-claude-cli mcp_show_missing_server_name_returns_missing_argument_830 -- --nocapture`; `cargo test --manifest-path rust/Cargo.toml -p rusty-claude-cli classify_error_kind_returns_correct_discriminants -- --nocapture`; direct probe `cargo run --manifest-path rust/Cargo.toml -q -p rusty-claude-cli -- --output-format json mcp show`.
 831. **DONE — Direct resume-safe slash commands route to `interactive_only` instead of local JSON actions** — PR #3205 showed that direct slash invocations such as `claw --output-format json /status`, `/diff`, `/version`, `/doctor`, and `/sandbox` were parsed successfully as resume-safe slash commands, but the direct CLI parser still fell through to generic `interactive_only` guidance instead of dispatching to the same pure-local `CliAction` handlers as the bare subcommands.
    **Required fix shape.** In the direct slash CLI parser, map resume-safe local slash command variants to the corresponding local `CliAction` variants. Preserve non-resume-safe slash command guidance from #829.
    **Acceptance.** `claw --output-format json /version`, `/sandbox`, `/diff`, and `/status` succeed with their expected local JSON `kind` and environment-dependent local `status`, stdout JSON, and empty stderr; non-resume-safe slash commands still emit `interactive_only` without bogus local routing. [SCOPE: claw-code]
    **Fix applied.** `parse_direct_slash_cli_action` now routes `/status`, `/diff`, `/version`, `/doctor`, and `/sandbox` directly to the same local `CliAction` variants as `status`, `diff`, `version`, `doctor`, and `sandbox`. The generic `interactive_only` branch remains the fallback for valid but live-REPL-only slash commands, preserving the #829 non-resume-safe hint behavior.
    **Verification.** `cargo test --manifest-path rust/Cargo.toml -p rusty-claude-cli direct_resume_safe_slash_commands_route_to_local_json_actions_831 -- --nocapture`.
 832. **DONE — roadmap-next-id helper missing explicit ROADMAP path behavior lacked regression coverage** — follow-up to #725 and PR #3117 after dogfood showed `scripts/roadmap-next-id.sh /tmp/nonexistent-roadmap` already failed correctly but the helper tests did not pin that behavior. The missing-path case is important because docs-only PRs can otherwise regress back to printing a next id for an absent explicit file.
    **Fix applied.** Added `test_roadmap_next_id_fails_when_explicit_roadmap_path_is_missing`, proving an explicit missing ROADMAP path exits nonzero, keeps stdout empty, and reports both `ROADMAP not found` and the requested path on stderr. Added `tests/__init__.py` so `python3 -m unittest tests.test_roadmap_helpers` resolves this repository's tests package consistently.
    **Verification.** `python3 -m unittest tests.test_roadmap_helpers`; `scripts/roadmap-check-ids.sh`; `scripts/roadmap-next-id.sh`.
--- a/USAGE.md
+++ b/USAGE.md
@@ -86,6 +86,12 @@ cd rust
 ./target/debug/claw prompt "summarize this repository"
 ```
 Pipe prompt text through stdin when automation already produces the prompt body:
 ```bash
 printf 'summarize this repository\n' | ./target/debug/claw prompt --output-format json
 ```
 ### Shorthand prompt mode
 ```bash
@@ -187,17 +193,22 @@ cd rust
 ./target/debug/claw --permission-mode read-only prompt "summarize Cargo.toml"
 ./target/debug/claw --permission-mode workspace-write prompt "update README.md"
 ./target/debug/claw --allowedTools read,glob "inspect the runtime crate"
 ./target/debug/claw --cwd ../other-workspace status --output-format json
 ```
-Supported permission modes:
+Global workspace override flags: `--cwd PATH`, `-C PATH`, and `--directory PATH` are accepted before any subcommand. They are validated before command dispatch and take precedence over the process `$PWD`; invalid paths return typed `invalid_cwd` JSON errors in JSON mode.
- `read-only`
+`--allowedTools` accepts canonical snake_case tool names (for example `read_file`, `glob_search`, `web_fetch`) plus documented aliases such as `read`, `glob`, `Read`, and `WebFetch`. `claw status --output-format json` exposes `allowed_tools.available` and `allowed_tools.aliases`, and invalid values return typed `invalid_tool_name` JSON with `tool_name`, `available`, and `tool_aliases`. A missing value before a subcommand or another flag returns `missing_argument` with `argument:"--allowedTools"`.
- `workspace-write`
+
- `danger-full-access`
+Supported permission modes (default: `workspace-write`):
 - `read-only` allows inspection-only local tools such as file reads, glob/grep searches, local skills, and status-style reporting. It does not allow workspace mutation, network-fetch/search tools, or arbitrary command execution.
 - `workspace-write` is the safe default. It allows reads plus direct file-editing tools inside the current workspace, including write/edit/notebook/config/plan-mode updates, while still gating network-fetch/search tools, arbitrary shell execution, subagent launches, REPL subprocesses, and other full-access tools behind an explicit escalation.
 - `danger-full-access` allows every registered tool requirement, including arbitrary command execution, web fetch/search, subagent launches, subprocess REPLs, and unrestricted tool access. Select it only with an explicit `--permission-mode danger-full-access`, `--dangerously-skip-permissions`, `--skip-permissions`, env, or config opt-in.
 Model aliases currently supported by the CLI:
- `opus` → `claude-opus-4-6`
+- `opus` → `claude-opus-4-7`
 - `sonnet` → `claude-sonnet-4-6`
 - `haiku` → `claude-haiku-4-5-20251213`
@@ -292,6 +303,18 @@ cd rust
 ./target/debug/claw --model "llama3.2" prompt "summarize this repository in one sentence"
 ```
 For Ollama tags with punctuation (for example `qwen2.5-coder:7b`), `OPENAI_BASE_URL` selects the local OpenAI-compatible route even when `OPENAI_API_KEY` is unset:
 ```bash
 export OPENAI_BASE_URL="http://127.0.0.1:11434/v1"
 unset OPENAI_API_KEY
 cd rust
 ./target/debug/claw --model "qwen2.5-coder:7b" prompt "reply with ready"
 ```
 If the local server exposes a slash-containing model ID, prefix it with `local/` so Claw selects the OpenAI-compatible transport while sending the remainder verbatim on the wire: `--model "local/Qwen/Qwen3.6-27B-FP8"`.
 ### OpenRouter
 ```bash
@@ -334,7 +357,7 @@ Reasoning variants (`qwen-qwq-*`, `qwq-*`, `*-thinking`) automatically strip `te
 The OpenAI-compatible backend also serves as the gateway for **OpenRouter**, **Ollama**, and any other service that speaks the OpenAI `/v1/chat/completions` wire format — just point `OPENAI_BASE_URL` at the service.
-**Model-name prefix routing:** If a model name starts with `openai/`, `gpt-`, `qwen/`, `qwen-`, `kimi/`, or `kimi-`, the provider is selected by the prefix regardless of which env vars are set. This prevents accidental misrouting to Anthropic when multiple credentials exist in the environment. For the default OpenAI API, `openai/` is a routing prefix and is stripped before the request hits the wire. For a custom `OPENAI_BASE_URL`, slash-containing OpenAI-compatible slugs (for example OpenRouter-style `openai/gpt-4.1-mini`) are preserved so the gateway receives the model ID it expects.
+**Model-name prefix routing:** If a model name starts with `openai/`, `local/`, `gpt-`, `qwen/`, `qwen-`, `kimi/`, or `kimi-`, the provider is selected by the prefix regardless of which env vars are set. This prevents accidental misrouting to Anthropic when multiple credentials exist in the environment. For the default OpenAI API and local/private OpenAI-compatible endpoints, `openai/` is a routing prefix and is stripped before the request hits the wire. For non-local custom `OPENAI_BASE_URL` gateways, slash-containing OpenAI-compatible slugs (for example OpenRouter-style `openai/gpt-4.1-mini`) are preserved so the gateway receives the model ID it expects. The `local/` prefix is an explicit escape hatch for local slash-containing model IDs: it is stripped while the rest of the model ID is sent verbatim.
 ### Tested models and aliases
@@ -342,17 +365,19 @@ These are the models registered in the built-in alias table with known token lim
 | Alias | Resolved model name | Provider | Max output tokens | Context window |
 |---|---|---|---|---|
-| `opus` | `claude-opus-4-6` | Anthropic | 32 000 | 200 000 |
+| `opus` | `claude-opus-4-7` | Anthropic | 32 000 | 200 000 |
 | `sonnet` | `claude-sonnet-4-6` | Anthropic | 64 000 | 200 000 |
 | `haiku` | `claude-haiku-4-5-20251213` | Anthropic | 64 000 | 200 000 |
 | `grok` / `grok-3` | `grok-3` | xAI | 64 000 | 131 072 |
 | `grok-mini` / `grok-3-mini` | `grok-3-mini` | xAI | 64 000 | 131 072 |
 | `grok-2` | `grok-2` | xAI | — | — |
 | `kimi` | `kimi-k2.5` | DashScope | 16 384 | 256 000 |
 | `qwen-max` | `qwen-max` | DashScope | 8 192 | 131 072 |
 | `qwen-plus` | `qwen-plus` | DashScope | 8 192 | 131 072 |
 | `gpt-4.1` / `gpt-4.1-mini` / `gpt-4.1-nano` | same | OpenAI-compatible | 32 768 | 1 047 576 |
 | `gpt-5.4` / `gpt-5.4-mini` / `gpt-5.4-nano` | same | OpenAI-compatible | 128 000 | 1 000 000 / 400 000 |
-Any model name that does not match an alias is passed through verbatim after provider routing is resolved. This is how you use OpenRouter model slugs (`openai/gpt-4.1-mini` with a custom `OPENAI_BASE_URL`), Ollama tags (`llama3.2`), or full Anthropic model IDs (`claude-sonnet-4-20250514`).
+Any model name that does not match an alias is passed through verbatim after provider routing is resolved. This is how you use OpenRouter model slugs (`openai/gpt-4.1-mini` with a custom `OPENAI_BASE_URL`), Ollama tags (`llama3.2` or `qwen2.5-coder:7b`), slash-containing local IDs (`local/Qwen/Qwen3.6-27B-FP8`), or full Anthropic model IDs (`claude-sonnet-4-20250514`).
 ### User-defined aliases
@@ -362,7 +387,7 @@ You can add custom aliases in any settings file (`~/.claw/settings.json`, `.claw
 {
  "aliases": {
    "fast": "claude-haiku-4-5-20251213",
-    "smart": "claude-opus-4-6",
+    "smart": "claude-opus-4-7",
    "cheap": "grok-3-mini"
  }
 }
@@ -370,13 +395,15 @@ You can add custom aliases in any settings file (`~/.claw/settings.json`, `.claw
 Local project settings override user-level settings. Aliases resolve through the built-in table, so `"fast": "haiku"` also works.
 Model selection precedence is CLI flag, environment, config, then default. The environment model slot accepts `CLAW_MODEL`, `ANTHROPIC_MODEL`, and `ANTHROPIC_DEFAULT_MODEL` in that order; aliases from those variables are resolved and validated before provider startup. `claw --output-format json status` exposes `model_raw`, `model_alias_resolved_to`, and `model_env_var` so automation can see the winning value.
 ### How provider detection works
 1. If the resolved model name starts with `claude` → Anthropic.
 2. If it starts with `grok` → xAI.
-3. If it starts with `openai/` or `gpt-` → OpenAI-compatible.
+3. If it starts with `openai/`, `local/`, or `gpt-` → OpenAI-compatible.
 4. If it starts with `qwen/`, `qwen-`, `kimi/`, or `kimi-` → DashScope-compatible OpenAI wire format.
-5. If `OPENAI_BASE_URL` and `OPENAI_API_KEY` are set, unknown model names route to the OpenAI-compatible client for local/gateway servers.
+5. If `OPENAI_BASE_URL` is set, local-looking unknown model names such as `llama3.2` or `qwen2.5-coder:7b` route to the OpenAI-compatible client for local/gateway servers.
 6. Otherwise, `claw` checks which credential is set: Anthropic first, then OpenAI, then xAI. If only `OPENAI_BASE_URL` is set, it still routes to OpenAI-compatible for authless local servers.
 7. If nothing matches, it defaults to Anthropic.
@@ -452,11 +479,12 @@ let client = build_http_client_with(&config).expect("proxy client");
 ## Skills
-Use `/skills list` in the interactive REPL or `claw skills --output-format json` from the direct CLI to inspect installed skills. For offline/local installs, install the directory that contains `SKILL.md`, then verify the discovered name before invoking it:
+Use `/skills list` in the interactive REPL or `claw skills --output-format json` from the direct CLI to inspect installed skills. For offline/local installs, install the directory that contains `SKILL.md`, then verify the discovered name before invoking it. `skills install`, `skills uninstall`, and `agents create` are local filesystem lifecycle commands; they do not require provider credentials.
 ```text
 /skills install /absolute/path/to/my-skill
 /skills list
 /skills uninstall my-skill
 /skills my-skill
 ```
@@ -469,6 +497,7 @@ cd rust
 ./target/debug/claw status
 ./target/debug/claw sandbox
 ./target/debug/claw agents
 ./target/debug/claw agents create my-agent
 ./target/debug/claw mcp
 ./target/debug/claw skills
 ./target/debug/claw system-prompt --cwd .. --date 2026-04-04
@@ -488,6 +517,7 @@ git clone https://github.com/Xquik-dev/tweetclaw
 cd claw-code/rust
 ./target/debug/claw skills install ../../tweetclaw/skills/tweetclaw
 ./target/debug/claw skills show tweetclaw
 ./target/debug/claw skills uninstall tweetclaw
 ```
 TweetClaw gives `claw` users a local skill guide for OpenClaw/Xquik workflows
@@ -495,6 +525,15 @@ such as tweet search, reply search, follower export, monitors, webhooks, and
 approval-gated posting. Configure any Xquik credentials outside the prompt and
 avoid pasting API keys into chat.
 ## Author a local agent
 `claw agents create <name>` scaffolds a local `.claw/agents/<name>.toml` file for the current workspace. The scaffold is intentionally small so you can edit the description, model, and reasoning effort before listing or invoking agents:
 ```bash
 ./target/debug/claw agents create release-checker
 ./target/debug/claw agents list
 ```
 ## Session management
 REPL turns are persisted under `.claw/sessions/` in the current workspace.
@@ -517,6 +556,47 @@ Runtime config is loaded in this order, with later entries overriding earlier on
 4. `<repo>/.claw/settings.json`
 5. `<repo>/.claw/settings.local.json`
 The list is also the precedence chain: project-local settings override project settings, project settings override the legacy project `.claw.json`, and project files override user files. `claw --output-format json config` includes each discovered file's `precedence_rank`, `wins_for_keys`, and `shadowed_keys` so automation can see which file controls each effective key without reimplementing the merge order.
 ## Hook configuration
 `hooks.PreToolUse`, `hooks.PostToolUse`, and `hooks.PostToolUseFailure` accept either legacy command strings or object-style entries with a `matcher` and nested command hooks:
 ```json
 {
  "hooks": {
    "PreToolUse": [
      "echo legacy hook",
      {
        "matcher": "Bash",
        "hooks": [
          { "type": "command", "command": "scripts/audit-bash.sh" }
        ]
      }
    ]
  }
 }
 ```
 Object-style matchers are optional. When present, they match tool names case-insensitively and support `*` wildcards plus comma or pipe separated alternatives. Nested hook `type` may be omitted or set to `"command"`; each nested command runs in configuration order.
 ## Project instruction rules
 In addition to root instruction files such as `CLAUDE.md`, `AGENTS.md`, `.claw/CLAUDE.md`, `.claude/CLAUDE.md`, and `.claw/instructions.md`, `claw` loads sorted Markdown/text rule files from:
 - `<repo>/.claw/rules/` (`.md`, `.txt`, `.mdc`) for shared project rules.
 - `<repo>/.claw/rules.local/` for personal local rules; this path is gitignored.
 By default, `claw` also imports detected rules from common AI coding tools such as Cursor (`.cursorrules`, `.cursor/rules/`), GitHub Copilot (`.github/copilot-instructions.md`), Windsurf, Plandex, and Crush. Control this with `rulesImport` in any settings file:
 ```json
 {
  "rulesImport": "none"
 }
 ```
 Use `"auto"` (the default) to import every supported framework, `"none"` to load only Claw instruction/rules files, or an array such as `["cursor", "copilot"]` to import selected frameworks.
 ## Mock parity harness
 The workspace includes a deterministic Anthropic-compatible mock service and parity harness.
--- a/docs/MODEL_COMPATIBILITY.md
+++ b/docs/MODEL_COMPATIBILITY.md
@@ -148,12 +148,12 @@ pub const DEFAULT_DASHSCOPE_BASE_URL: &str = "https://dashscope.aliyuncs.com/com
 **Affected models:** Slash-containing model IDs routed through the OpenAI-compatible provider, especially custom gateways configured with `OPENAI_BASE_URL` such as OpenRouter, local routers, or other `/v1/chat/completions` services.
 **Behavior:**
- The default OpenAI API treats `openai/` as a routing prefix and sends the bare model name on the wire.
+- The default OpenAI API and local/private OpenAI-compatible base URLs treat `openai/` as a routing prefix and send the bare model name on the wire.
- Custom OpenAI-compatible base URLs preserve slash-containing slugs such as `openai/gpt-4.1-mini` so the gateway receives the exact model ID it expects.
+- Non-local custom OpenAI-compatible base URLs preserve slash-containing slugs such as `openai/gpt-4.1-mini` so gateways like OpenRouter receive the exact model ID they expect. Local slash-containing model IDs can use `local/`, which strips only that escape-hatch prefix and sends the remainder verbatim.
 - `MessageRequest::extra_body` passes through custom request JSON after core fields are populated. This supports provider-specific options such as `web_search_options` and `parallel_tool_calls`.
 - Protected core fields (`model`, `messages`, `stream`, `tools`, `tool_choice`, `max_tokens`, `max_completion_tokens`) cannot be overridden through `extra_body`.
-**Testing:** See `custom_openai_gateway_preserves_slash_model_ids_and_extra_body_params` in `openai_compat_integration.rs` and `extra_body_params_are_passed_through_without_overriding_core_fields` in `openai_compat.rs`.
+**Testing:** See `custom_openai_gateway_preserves_slash_model_ids_and_extra_body_params` in `openai_compat_integration.rs`, `wire_model_strips_openai_prefix_for_default_and_local_preserves_custom_gateways`, `local_routing_prefix_strips_only_escape_hatch`, and `extra_body_params_are_passed_through_without_overriding_core_fields` in `openai_compat.rs`.
 ## Implementation Details
--- a/docs/local-openai-compatible-providers.md
+++ b/docs/local-openai-compatible-providers.md
@@ -13,7 +13,7 @@ If you need the most polished daily-driver experience for a specific non-Claude
 ## OpenAI-compatible routing basics
-Set `OPENAI_BASE_URL` to the server’s `/v1` endpoint and set `OPENAI_API_KEY` to either the required token or a harmless placeholder for local servers that expect an Authorization header. The model name must match what the server exposes.
+Set `OPENAI_BASE_URL` to the server’s `/v1` endpoint and set `OPENAI_API_KEY` to either the required token or a harmless placeholder for local servers that expect an Authorization header. Authless local/private OpenAI-compatible servers can leave `OPENAI_API_KEY` unset. The model name must match what the server exposes.
 ```bash
 export OPENAI_BASE_URL="http://127.0.0.1:11434/v1"
@@ -24,8 +24,8 @@ claw --model "qwen3:latest" prompt "Reply exactly HELLO_WORLD_123"
 Routing notes:
 - Use the `openai/` prefix for OpenAI-compatible gateways when you need prefix routing to win over ambient Anthropic credentials, for example `--model "openai/gpt-4.1-mini"` with OpenRouter.
- For local servers, prefer the exact model ID reported by the server (`qwen3:latest`, `llama3.2`, `Qwen/Qwen2.5-Coder-7B-Instruct`, etc.). If your local gateway exposes slash-containing IDs, use that exact slug.
+- For local servers, prefer the exact model ID reported by the server (`qwen3:latest`, `llama3.2`, etc.). If your local gateway exposes slash-containing IDs, prefix the exact slug with `local/` so Claw routes through OpenAI-compatible transport while sending the rest verbatim, for example `--model "local/Qwen/Qwen2.5-Coder-7B-Instruct"`.
- If you have multiple provider keys in your environment, remove unrelated keys while smoke-testing a local route or choose a model prefix that unambiguously selects the intended provider.
+- If you have multiple provider keys in your environment, `OPENAI_BASE_URL` plus local-looking tags such as `llama3.2` or `qwen2.5-coder:7b` selects the local OpenAI-compatible route; use `local/` for slash-containing local IDs.
 - Tool workflows need model/server support for OpenAI-compatible tool calls. Plain prompt smoke tests can pass even when slash/tool workflows still fail because the server returns an incompatible tool-call shape.
 ## Raw `/v1/chat/completions` smoke test
@@ -58,11 +58,11 @@ In another shell:
 ```bash
 export OPENAI_BASE_URL="http://127.0.0.1:11434/v1"
-export OPENAI_API_KEY="local-dev-token"
+unset OPENAI_API_KEY
 claw --model "qwen3:latest" prompt "Reply exactly HELLO_WORLD_123"
 ```
-If Ollama is running without auth and your build accepts authless local OpenAI-compatible servers, `unset OPENAI_API_KEY` is also acceptable. Use a placeholder token rather than a real cloud API key for local testing.
+If Ollama is running without auth, `unset OPENAI_API_KEY` is acceptable. Use a placeholder token rather than a real cloud API key if your local server requires an Authorization header.
 ## llama.cpp server
--- a/rust/Cargo.lock
+++ b/rust/Cargo.lock
@@ -2244,7 +2244,6 @@ version = "0.1.3"
 dependencies = [
 "api",
 "commands",
 "compat-harness",
 "crossterm",
 "log",
 "mock-anthropic-service",
--- a/rust/README.md
+++ b/rust/README.md
@@ -15,7 +15,7 @@ cargo run -p rusty-claude-cli -- --help
 cargo build --workspace
 # Run the interactive REPL
-cargo run -p rusty-claude-cli -- --model claude-opus-4-6
+cargo run -p rusty-claude-cli -- --model claude-opus-4-7
 # One-shot prompt
 cargo run -p rusty-claude-cli -- prompt "explain this codebase"
@@ -100,7 +100,7 @@ Primary artifacts:
 | Slash commands (including `/skills`, `/agents`, `/mcp`, `/doctor`, `/plugin`, `/subagent`) | ✅ |
 | Hooks (`/hooks`, config-backed lifecycle hooks) | ✅ |
 | Plugin management surfaces | ✅ |
-| Skills inventory / install surfaces | ✅ |
+| Skills inventory / install / uninstall surfaces | ✅ |
 | Machine-readable JSON output across core CLI surfaces | ✅ |
 ## Model Aliases
@@ -109,7 +109,7 @@ Short names resolve to the latest model versions:
 | Alias | Resolves To |
 |-------|------------|
-| `opus` | `claude-opus-4-6` |
+| `opus` | `claude-opus-4-7` |
 | `sonnet` | `claude-sonnet-4-6` |
 | `haiku` | `claude-haiku-4-5-20251213` |
@@ -124,8 +124,9 @@ Flags:
  --model MODEL
  --output-format text|json
  --permission-mode MODE
-  --dangerously-skip-permissions
+  --cwd PATH, -C PATH, --directory PATH
-  --allowedTools TOOLS
+  --dangerously-skip-permissions, --skip-permissions
  --allowedTools TOOLS        canonical snake_case names or aliases; status JSON exposes allowed_tools.available/aliases
  --resume [SESSION.jsonl|session-id|latest]
  --version, -V
@@ -146,6 +147,7 @@ Top-level commands:
 ```
 `claw acp` is a local discoverability surface for editor-first users: it reports the current ACP/Zed status without starting the runtime. As of April 16, 2026, claw-code does **not** ship an ACP/Zed daemon or JSON-RPC entrypoint yet, and `claw acp serve` is only a status alias until the real protocol surface lands. Status queries exit 0 and expose the same machine-readable contract via `--output-format json`; malformed ACP invocations exit 1 with `kind: unsupported_acp_invocation`.
 `claw dump-manifests` is self-contained: it emits the Rust resolver inventory for the selected workspace (commands, tools, agents, skills, and bootstrap phases) without requiring an upstream Claude Code TypeScript checkout. Use `--manifests-dir PATH` only to scope resolver discovery to another directory.
 The command surface is moving quickly. For the canonical live help text, run:
@@ -166,8 +168,8 @@ The REPL now exposes a much broader surface than the original minimal shell:
 - plugin management: `/plugin` (with aliases `/plugins`, `/marketplace`)
 Notable claw-first surfaces now available directly in slash form:
- `/skills [list|install <path>|help]`
+- `/skills [list|show <name>|install <path>|uninstall <name>|help]`
- `/agents [list|help]`
+- `/agents [list|show <name>|create <name>|help]`
 - `/mcp [list|show <server>|help]`
 - `/doctor`
 - `/plugin [list|install <path>|enable <name>|disable <name>|uninstall <id>|update <id>]`
@@ -184,7 +186,7 @@ rust/
 └── crates/
    ├── api/                # Provider clients + streaming + request preflight
    ├── commands/           # Shared slash-command registry + help rendering
-    ├── compat-harness/     # TS manifest extraction harness
+    ├── compat-harness/     # Compatibility/parity harness utilities
    ├── mock-anthropic-service/ # Deterministic local Anthropic-compatible mock
    ├── plugins/            # Plugin metadata, manager, install/enable/disable surfaces
    ├── runtime/            # Session, config, permissions, MCP, prompts, auth/runtime loop
@@ -197,7 +199,7 @@ rust/
 - **api** — provider clients, SSE streaming, request/response types, auth (`ANTHROPIC_API_KEY` + bearer-token support), request-size/context-window preflight
 - **commands** — slash command definitions, parsing, help text generation, JSON/text command rendering
- **compat-harness** — extracts tool/prompt manifests from upstream TS source
+- **compat-harness** — compatibility and parity helpers for comparing behavior with upstream fixtures
 - **mock-anthropic-service** — deterministic `/v1/messages` mock for CLI parity tests and local harness runs
 - **plugins** — plugin metadata, install/enable/disable/update flows, plugin tool definitions, hook integration surfaces
 - **runtime** — `ConversationRuntime`, config loading, session persistence, permission policy, MCP client lifecycle, system prompt assembly, usage tracking
@@ -210,8 +212,8 @@ rust/
 - **~20K lines** of Rust
 - **9 crates** in workspace
 - **Binary name:** `claw`
- **Default model:** `claude-opus-4-6`
+- **Default model:** `claude-opus-4-7`
- **Default permissions:** `danger-full-access`
+- **Default permissions:** `workspace-write`
 ## License
--- a/rust/crates/api/src/client.rs
+++ b/rust/crates/api/src/client.rs
@@ -161,7 +161,7 @@ mod tests {
    #[test]
    fn resolves_existing_and_grok_aliases() {
-        assert_eq!(resolve_model_alias("opus"), "claude-opus-4-6");
+        assert_eq!(resolve_model_alias("opus"), "claude-opus-4-7");
        assert_eq!(resolve_model_alias("grok"), "grok-3");
        assert_eq!(resolve_model_alias("grok-mini"), "grok-3-mini");
    }
@@ -235,4 +235,22 @@ mod tests {
            other => panic!("Expected ProviderClient::OpenAi for qwen-plus, got: {other:?}"),
        }
    }
    #[test]
    fn local_openai_base_url_routes_authless_ollama_models() {
        let _lock = env_lock();
        let _base_url = EnvVarGuard::set("OPENAI_BASE_URL", Some("http://127.0.0.1:11434/v1"));
        let _openai_key = EnvVarGuard::set("OPENAI_API_KEY", None);
        let _anthropic_key = EnvVarGuard::set("ANTHROPIC_API_KEY", Some("test-anthropic-key"));
        let _anthropic_token = EnvVarGuard::set("ANTHROPIC_AUTH_TOKEN", None);
        let client = ProviderClient::from_model("qwen2.5-coder:7b")
            .expect("local model should route to OpenAI-compatible client without auth");
        match client {
            ProviderClient::OpenAi(openai_client) => {
                assert_eq!(openai_client.base_url(), "http://127.0.0.1:11434/v1")
            }
            other => panic!("Expected ProviderClient::OpenAi for local model, got: {other:?}"),
        }
    }
 }
--- a/rust/crates/api/src/providers/anthropic.rs
+++ b/rust/crates/api/src/providers/anthropic.rs
@@ -468,8 +468,7 @@ impl AnthropicClient {
        request: &MessageRequest,
    ) -> Result<reqwest::Response, ApiError> {
        let request_url = format!("{}/v1/messages", self.base_url.trim_end_matches('/'));
-        let mut request_body = self.request_profile.render_json_body(request)?;
+        let request_body = render_standard_messages_body(&self.request_profile, request)?;
        strip_unsupported_beta_body_fields(&mut request_body);
        let request_builder = self.build_request(&request_url).json(&request_body);
        request_builder.send().await.map_err(ApiError::from)
    }
@@ -529,8 +528,7 @@ impl AnthropicClient {
            "{}/v1/messages/count_tokens",
            self.base_url.trim_end_matches('/')
        );
-        let mut request_body = self.request_profile.render_json_body(request)?;
+        let request_body = render_standard_messages_body(&self.request_profile, request)?;
        strip_unsupported_beta_body_fields(&mut request_body);
        let response = self
            .build_request(&request_url)
            .json(&request_body)
@@ -977,6 +975,21 @@ fn enrich_bearer_auth_error(error: ApiError, auth: &AuthSource) -> ApiError {
    }
 }
 fn anthropic_wire_model(model: &str) -> &str {
    model.strip_prefix("anthropic/").unwrap_or(model)
 }
 fn render_standard_messages_body(
    request_profile: &AnthropicRequestProfile,
    request: &MessageRequest,
 ) -> Result<Value, serde_json::Error> {
    let mut wire_request = request.clone();
    wire_request.model = anthropic_wire_model(&request.model).to_string();
    let mut body = request_profile.render_json_body(&wire_request)?;
    strip_unsupported_beta_body_fields(&mut body);
    Ok(body)
 }
 /// Remove beta-only body fields that the standard `/v1/messages` and
 /// `/v1/messages/count_tokens` endpoints reject as `Extra inputs are not
 /// permitted`. The `betas` opt-in is communicated via the `anthropic-beta`
@@ -1550,6 +1563,27 @@ mod tests {
        );
    }
    #[test]
    fn standard_messages_body_strips_anthropic_routing_prefix() {
        let client = AnthropicClient::new("test-key");
        let request = MessageRequest {
            model: "anthropic/claude-opus-4-6".to_string(),
            max_tokens: 64,
            messages: vec![],
            system: None,
            tools: None,
            tool_choice: None,
            stream: false,
            ..Default::default()
        };
        let rendered = super::render_standard_messages_body(client.request_profile(), &request)
            .expect("body should render");
        assert_eq!(rendered["model"], serde_json::json!("claude-opus-4-6"));
        assert!(rendered.get("betas").is_none());
    }
    #[test]
    fn enrich_bearer_auth_error_appends_sk_ant_hint_on_401_with_pure_bearer_token() {
        // given
--- a/rust/crates/api/src/providers/mod.rs
+++ b/rust/crates/api/src/providers/mod.rs
@@ -211,7 +211,7 @@ pub fn resolve_model_alias(model: &str) -> String {
        .find_map(|(alias, metadata)| {
            (*alias == lower).then_some(match metadata.provider {
                ProviderKind::Anthropic => match *alias {
-                    "opus" => "claude-opus-4-6",
+                    "opus" => "claude-opus-4-7",
                    "sonnet" => "claude-sonnet-4-6",
                    "haiku" => "claude-haiku-4-5-20251213",
                    _ => trimmed,
@@ -262,6 +262,14 @@ pub fn metadata_for_model(model: &str) -> Option<ProviderMetadata> {
            default_base_url: openai_compat::DEFAULT_OPENAI_BASE_URL,
        });
    }
    if canonical.starts_with("local/") {
        return Some(ProviderMetadata {
            provider: ProviderKind::OpenAi,
            auth_env: "OPENAI_API_KEY",
            base_url_env: "OPENAI_BASE_URL",
            default_base_url: openai_compat::DEFAULT_OPENAI_BASE_URL,
        });
    }
    // Alibaba DashScope compatible-mode endpoint. Routes qwen/* and bare
    // qwen-* model names (qwen-max, qwen-plus, qwen-turbo, qwen-qwq, etc.)
    // to the OpenAI-compat client pointed at DashScope's /compatible-mode/v1.
@@ -337,17 +345,21 @@ pub fn provider_diagnostics_for_model(model: &str) -> ProviderDiagnostics {
    }
 }
 fn looks_like_local_openai_model(model: &str) -> bool {
    model.contains(':') || model.contains('.')
 }
 #[must_use]
 pub fn detect_provider_kind(model: &str) -> ProviderKind {
-    if let Some(metadata) = metadata_for_model(model) {
+    let resolved_model = resolve_model_alias(model);
    if let Some(metadata) = metadata_for_model(&resolved_model) {
        return metadata.provider;
    }
-    // When OPENAI_BASE_URL is set, the user explicitly configured an
+    // When OPENAI_BASE_URL is set and the unknown model name looks like a
-    // OpenAI-compatible endpoint. Prefer it over the Anthropic fallback
+    // local server tag (for example `llama3.2` or `qwen2.5-coder:7b`), prefer
-    // even when the model name has no recognized prefix — this is the
+    // the OpenAI-compatible endpoint over ambient Anthropic credentials.
-    // common case for local providers (Ollama, LM Studio, vLLM, etc.)
+    if std::env::var_os("OPENAI_BASE_URL").is_some()
-    // where model names like "qwen2.5-coder:7b" don't match any prefix.
+        && looks_like_local_openai_model(&resolved_model)
    if std::env::var_os("OPENAI_BASE_URL").is_some() && openai_compat::has_api_key("OPENAI_API_KEY")
    {
        return ProviderKind::OpenAi;
    }
@@ -608,7 +620,7 @@ pub fn model_token_limit(model: &str) -> Option<ModelTokenLimit> {
    let canonical = resolve_model_alias(model);
    let base_model = canonical.rsplit('/').next().unwrap_or(canonical.as_str());
    match base_model {
-        "claude-opus-4-6" => Some(ModelTokenLimit {
+        "claude-opus-4-7" | "claude-opus-4-6" => Some(ModelTokenLimit {
            max_output_tokens: 32_000,
            context_window_tokens: 200_000,
        }),
@@ -1042,6 +1054,18 @@ mod tests {
        assert_eq!(kind2, ProviderKind::OpenAi);
    }
    #[test]
    fn local_prefix_routes_to_openai_not_anthropic() {
        let meta = super::metadata_for_model("local/Qwen/Qwen3.6-27B-FP8")
            .expect("local/ prefix must resolve to OpenAI-compatible metadata");
        assert_eq!(meta.provider, ProviderKind::OpenAi);
        assert_eq!(meta.auth_env, "OPENAI_API_KEY");
        assert_eq!(meta.base_url_env, "OPENAI_BASE_URL");
        let kind = detect_provider_kind("local/Qwen/Qwen3.6-27B-FP8");
        assert_eq!(kind, ProviderKind::OpenAi);
    }
    #[test]
    fn qwen_prefix_routes_to_dashscope_not_anthropic() {
        // User request from Discord #clawcode-get-help: web3g wants to use
--- a/rust/crates/api/src/providers/openai_compat.rs
+++ b/rust/crates/api/src/providers/openai_compat.rs
@@ -1,5 +1,6 @@
 use std::borrow::Cow;
 use std::collections::{BTreeMap, VecDeque};
 use std::net::Ipv4Addr;
 use std::sync::atomic::{AtomicU64, Ordering};
 use std::time::{Duration, SystemTime, UNIX_EPOCH};
@@ -131,13 +132,22 @@ impl OpenAiCompatClient {
    }
    pub fn from_env(config: OpenAiCompatConfig) -> Result<Self, ApiError> {
-        let Some(api_key) = read_env_non_empty(config.api_key_env)? else {
+        let base_url = read_base_url(config);
-            return Err(ApiError::missing_credentials(
+        let api_key = match read_env_non_empty(config.api_key_env)? {
-                config.provider_name,
+            Some(api_key) => api_key,
-                config.credential_env_vars(),
+            None if config.provider_name == "OpenAI"
-            ));
+                && is_local_openai_compatible_base_url(&base_url) =>
            {
                "local-dev-token".to_string()
            }
            None => {
                return Err(ApiError::missing_credentials(
                    config.provider_name,
                    config.credential_env_vars(),
                ));
            }
        };
-        Ok(Self::new(api_key, config))
+        Ok(Self::new(api_key, config).with_base_url(base_url))
    }
    #[must_use]
@@ -915,14 +925,18 @@ pub fn model_requires_reasoning_content_in_history(model: &str) -> bool {
 /// Strip routing prefix (e.g., "openai/gpt-4" → "gpt-4") for the wire.
 /// The prefix is used only to select transport; the backend expects the
-/// bare model id.
+/// bare model id. Use `local/` to force OpenAI-compatible routing while
 /// preserving any slashes that follow the prefix.
 #[allow(dead_code)]
 fn strip_routing_prefix(model: &str) -> &str {
    if let Some(pos) = model.find('/') {
        let prefix = &model[..pos];
        // Only strip if the prefix before "/" is a known routing prefix,
        // not if "/" appears in the middle of the model name for other reasons.
-        if matches!(prefix, "openai" | "xai" | "grok" | "qwen" | "kimi") {
+        if matches!(
            prefix,
            "openai" | "xai" | "grok" | "qwen" | "kimi" | "local"
        ) {
            &model[pos + 1..]
        } else {
            model
@@ -932,6 +946,44 @@ fn strip_routing_prefix(model: &str) -> &str {
    }
 }
 fn normalize_base_url_for_model_routing(url: &str) -> &str {
    let trimmed = url.trim_end_matches('/');
    trimmed
        .strip_suffix("/chat/completions")
        .map(|value| value.trim_end_matches('/'))
        .unwrap_or(trimmed)
 }
 fn url_host(url: &str) -> &str {
    let after_scheme = url.split_once("://").map_or(url, |(_, rest)| rest);
    let authority = after_scheme.split(['/', '?', '#']).next().unwrap_or("");
    let host_port = authority
        .rsplit_once('@')
        .map_or(authority, |(_, host_port)| host_port);
    if host_port.starts_with('[') {
        return host_port
            .split(']')
            .next()
            .unwrap_or("")
            .trim_start_matches('[');
    }
    host_port.split(':').next().unwrap_or("")
 }
 fn is_local_openai_compatible_base_url(url: &str) -> bool {
    let host = url_host(url.trim());
    if host.eq_ignore_ascii_case("localhost") || host == "::1" {
        return true;
    }
    let Ok(address) = host.parse::<Ipv4Addr>() else {
        return false;
    };
    let [first, second, ..] = address.octets();
    matches!(first, 10 | 127)
        || first == 192 && second == 168
        || first == 172 && (16..=31).contains(&second)
 }
 fn wire_model_for_base_url<'a>(
    model: &'a str,
    config: OpenAiCompatConfig,
@@ -944,26 +996,22 @@ fn wire_model_for_base_url<'a>(
    let lowered_prefix = prefix.to_ascii_lowercase();
    if lowered_prefix == "openai" {
-        let trimmed_base_url = base_url.trim_end_matches('/');
+        let normalized_base_url = normalize_base_url_for_model_routing(base_url);
-        let default_openai = DEFAULT_OPENAI_BASE_URL.trim_end_matches('/');
+        let default_base_url = normalize_base_url_for_model_routing(config.default_base_url);
-        if matches!(
+        if normalized_base_url.eq_ignore_ascii_case(default_base_url)
-            lowered_prefix.as_str(),
+            || is_local_openai_compatible_base_url(base_url)
-            "xai" | "grok" | "kimi" | "gemini" | "gemma"
+        {
        ) {
            return Cow::Borrowed(&model[pos + 1..]);
        }
-        if config.provider_name == "OpenAI" && trimmed_base_url != default_openai {
+        return Cow::Borrowed(model);
            // Only preserve the full slug if it's NOT a model we want to strip
            if !model.contains("gemini") && !model.contains("gemma") {
                return Cow::Borrowed(model);
            }
        }
        return Cow::Borrowed(&model[pos + 1..]);
    }
    if matches!(lowered_prefix.as_str(), "xai" | "grok" | "qwen" | "kimi") {
        return Cow::Borrowed(&model[pos + 1..]);
    }
    if lowered_prefix == "local" {
        return Cow::Borrowed(&model[pos + 1..]);
    }
    Cow::Borrowed(model)
 }
@@ -1115,6 +1163,13 @@ fn build_chat_completion_request_for_base_url(
        payload[key] = value.clone();
    }
    // DeepSeek V4 Pro/Flash thinking mode requires this provider-specific opt-in
    // and also requires assistant reasoning history to be echoed as `reasoning_content`.
    // Apply it after extra_body so callers cannot accidentally override the required shape.
    if model_requires_reasoning_content_in_history(wire_model) {
        payload["thinking"] = json!({"type": "enabled"});
    }
    payload
 }
@@ -1172,16 +1227,19 @@ pub fn translate_message(message: &InputMessage, model: &str) -> Vec<Value> {
                    InputContentBlock::ToolResult { .. } => {}
                }
            }
-            let include_reasoning =
+            let needs_reasoning = model_requires_reasoning_content_in_history(model);
-                model_requires_reasoning_content_in_history(model) && !reasoning.is_empty();
+            if text.is_empty() && tool_calls.is_empty() && reasoning.is_empty() {
            if text.is_empty() && tool_calls.is_empty() && !include_reasoning {
                Vec::new()
            } else {
                let mut msg = serde_json::json!({
                    "role": "assistant",
                    "content": (!text.is_empty()).then_some(text),
                });
-                if include_reasoning {
+                if !text.is_empty() {
                    msg["content"] = json!(text);
                } else if !needs_reasoning {
                    msg["content"] = Value::Null;
                }
                if needs_reasoning {
                    msg["reasoning_content"] = json!(reasoning);
                }
                // Only include tool_calls when non-empty: some providers reject
@@ -1698,6 +1756,7 @@ mod tests {
        ToolChoice, ToolDefinition, ToolResultContentBlock,
    };
    use serde_json::json;
    use std::borrow::Cow;
    use std::collections::BTreeMap;
    use std::sync::{Mutex, OnceLock};
@@ -1796,6 +1855,31 @@ mod tests {
        assert_eq!(assistant["content"], json!("answer"));
    }
    #[test]
    fn deepseek_v4_assistant_with_only_tool_calls_omits_content_and_includes_reasoning() {
        let request = MessageRequest {
            model: "deepseek-v4-pro".to_string(),
            max_tokens: 100,
            messages: vec![InputMessage {
                role: "assistant".to_string(),
                content: vec![InputContentBlock::ToolUse {
                    id: "call_1".to_string(),
                    name: "get_weather".to_string(),
                    input: json!({"city": "Paris"}),
                }],
            }],
            stream: false,
            ..Default::default()
        };
        let payload = build_chat_completion_request(&request, OpenAiCompatConfig::openai());
        let assistant = &payload["messages"][0];
        assert!(assistant.get("content").is_none());
        assert_eq!(assistant["reasoning_content"], json!(""));
        assert_eq!(assistant["tool_calls"].as_array().map(Vec::len), Some(1));
    }
    #[test]
    fn deepseek_v4_flash_request_includes_reasoning_content_for_assistant_history() {
        // Given an assistant history turn containing thinking.
@@ -1982,6 +2066,49 @@ mod tests {
        assert_eq!(payload["reasoning_effort"], json!("high"));
    }
    #[test]
    fn deepseek_v4_request_includes_thinking_parameter() {
        let payload = build_chat_completion_request(
            &MessageRequest {
                model: "deepseek-v4-pro".to_string(),
                max_tokens: 1024,
                messages: vec![InputMessage::user_text("hello")],
                ..Default::default()
            },
            OpenAiCompatConfig::openai(),
        );
        assert_eq!(payload["thinking"], json!({"type": "enabled"}));
        assert_eq!(payload["model"], json!("deepseek-v4-pro"));
        let mut extra_body = BTreeMap::new();
        extra_body.insert("thinking".to_string(), json!({"type": "disabled"}));
        let payload_with_override = build_chat_completion_request(
            &MessageRequest {
                model: "openai/deepseek-v4-flash".to_string(),
                max_tokens: 1024,
                messages: vec![InputMessage::user_text("hello")],
                extra_body,
                ..Default::default()
            },
            OpenAiCompatConfig::openai(),
        );
        assert_eq!(
            payload_with_override["thinking"],
            json!({"type": "enabled"})
        );
        let non_deepseek_payload = build_chat_completion_request(
            &MessageRequest {
                model: "gpt-4o".to_string(),
                max_tokens: 64,
                messages: vec![InputMessage::user_text("hello")],
                ..Default::default()
            },
            OpenAiCompatConfig::openai(),
        );
        assert!(non_deepseek_payload.get("thinking").is_none());
    }
    #[test]
    fn reasoning_effort_omitted_when_not_set() {
        let payload = build_chat_completion_request(
@@ -2069,6 +2196,28 @@ mod tests {
        ));
    }
    #[test]
    fn local_openai_base_url_does_not_require_api_key() {
        let _lock = env_lock();
        let original_base_url = std::env::var_os("OPENAI_BASE_URL");
        let original_api_key = std::env::var_os("OPENAI_API_KEY");
        std::env::set_var("OPENAI_BASE_URL", "http://127.0.0.1:11434/v1");
        std::env::remove_var("OPENAI_API_KEY");
        let client = OpenAiCompatClient::from_env(OpenAiCompatConfig::openai())
            .expect("local OpenAI-compatible endpoint should not require an API key");
        assert_eq!(client.base_url(), "http://127.0.0.1:11434/v1");
        match original_base_url {
            Some(value) => std::env::set_var("OPENAI_BASE_URL", value),
            None => std::env::remove_var("OPENAI_BASE_URL"),
        }
        match original_api_key {
            Some(value) => std::env::set_var("OPENAI_API_KEY", value),
            None => std::env::remove_var("OPENAI_API_KEY"),
        }
    }
    #[test]
    fn endpoint_builder_accepts_base_urls_and_full_endpoints() {
        assert_eq!(
@@ -2684,6 +2833,66 @@ mod tests {
        }
    }
    #[test]
    fn wire_model_strips_openai_prefix_for_default_and_local_preserves_custom_gateways() {
        assert_eq!(
            super::wire_model_for_base_url(
                "openai/gpt-4o",
                OpenAiCompatConfig::openai(),
                super::DEFAULT_OPENAI_BASE_URL,
            ),
            Cow::Borrowed("gpt-4o")
        );
        assert_eq!(
            super::wire_model_for_base_url(
                "openai/qwen2.5-coder:7b",
                OpenAiCompatConfig::openai(),
                "http://127.0.0.1:11434/v1",
            ),
            Cow::Borrowed("qwen2.5-coder:7b")
        );
        assert_eq!(
            super::wire_model_for_base_url(
                "openai/llama3.2",
                OpenAiCompatConfig::openai(),
                "http://localhost:11434/v1/chat/completions",
            ),
            Cow::Borrowed("llama3.2")
        );
        assert_eq!(
            super::wire_model_for_base_url(
                "openai/gpt-4.1-mini",
                OpenAiCompatConfig::openai(),
                "https://openrouter.ai/api/v1",
            ),
            Cow::Borrowed("openai/gpt-4.1-mini")
        );
        assert_eq!(
            super::wire_model_for_base_url(
                "openai/gpt-4.1-mini",
                OpenAiCompatConfig::openai(),
                "https://not-localhost.example.com/v1",
            ),
            Cow::Borrowed("openai/gpt-4.1-mini")
        );
    }
    #[test]
    fn local_routing_prefix_strips_only_escape_hatch() {
        assert_eq!(
            super::strip_routing_prefix("local/Qwen/Qwen3.6-27B-FP8"),
            "Qwen/Qwen3.6-27B-FP8"
        );
        assert_eq!(
            super::wire_model_for_base_url(
                "local/Qwen/Qwen3.6-27B-FP8",
                OpenAiCompatConfig::openai(),
                "http://127.0.0.1:8000/v1",
            ),
            Cow::Borrowed("Qwen/Qwen3.6-27B-FP8")
        );
    }
    #[test]
    fn check_request_body_size_allows_large_requests_for_openai() {
        // Create a request that exceeds DashScope's limit but is under OpenAI's 100MB limit
--- a/rust/crates/api/tests/client_integration.rs
+++ b/rust/crates/api/tests/client_integration.rs
@@ -103,6 +103,58 @@ async fn send_message_posts_json_and_parses_response() {
    );
 }
 #[tokio::test]
 async fn send_message_strips_anthropic_routing_prefix_on_wire() {
    let state = Arc::new(Mutex::new(Vec::<CapturedRequest>::new()));
    let server = spawn_server(
        state.clone(),
        vec![
            http_response("200 OK", "application/json", "{\"input_tokens\":1}"),
            http_response(
                "200 OK",
                "application/json",
                concat!(
                    "{",
                    "\"id\":\"msg_prefixed\",",
                    "\"type\":\"message\",",
                    "\"role\":\"assistant\",",
                    "\"content\":[{\"type\":\"text\",\"text\":\"ok\"}],",
                    "\"model\":\"claude-opus-4-6\",",
                    "\"stop_reason\":\"end_turn\",",
                    "\"stop_sequence\":null,",
                    "\"usage\":{\"input_tokens\":1,\"output_tokens\":1}",
                    "}"
                ),
            ),
        ],
    )
    .await;
    let client = AnthropicClient::new("test-key").with_base_url(server.base_url());
    client
        .send_message(&MessageRequest {
            model: "anthropic/claude-opus-4-6".to_string(),
            ..sample_request(false)
        })
        .await
        .expect("request should succeed");
    let captured = state.lock().await;
    assert_eq!(
        captured.len(),
        2,
        "count_tokens and messages requests should be captured"
    );
    let count_tokens_body: serde_json::Value =
        serde_json::from_str(&captured[0].body).expect("count_tokens body should be json");
    let messages_body: serde_json::Value =
        serde_json::from_str(&captured[1].body).expect("request body should be json");
    assert_eq!(captured[0].path, "/v1/messages/count_tokens");
    assert_eq!(captured[1].path, "/v1/messages");
    assert_eq!(count_tokens_body["model"], json!("claude-opus-4-6"));
    assert_eq!(messages_body["model"], json!("claude-opus-4-6"));
 }
 #[tokio::test]
 async fn send_message_blocks_oversized_requests_before_the_http_call() {
    let state = Arc::new(Mutex::new(Vec::<CapturedRequest>::new()));
--- a/rust/crates/api/tests/openai_compat_integration.rs
+++ b/rust/crates/api/tests/openai_compat_integration.rs
@@ -159,10 +159,15 @@ async fn send_message_preserves_deepseek_reasoning_content_before_text() {
            },
        ]
    );
    let captured = state.lock().await;
    let request = captured.first().expect("server should capture request");
    let body: serde_json::Value = serde_json::from_str(&request.body).expect("json body");
    assert_eq!(body["thinking"], json!({"type": "enabled"}));
 }
 #[tokio::test]
-async fn custom_openai_gateway_preserves_slash_model_ids_and_extra_body_params() {
+async fn local_openai_gateway_strips_routing_prefix_and_preserves_extra_body_params() {
    let state = Arc::new(Mutex::new(Vec::<CapturedRequest>::new()));
    let body = concat!(
        "{",
@@ -206,7 +211,7 @@ async fn custom_openai_gateway_preserves_slash_model_ids_and_extra_body_params()
    let captured = state.lock().await;
    let request = captured.first().expect("captured request");
    let body: serde_json::Value = serde_json::from_str(&request.body).expect("json body");
-    assert_eq!(body["model"], json!("openai/gpt-4.1-mini"));
+    assert_eq!(body["model"], json!("gpt-4.1-mini"));
    assert_eq!(
        body["web_search_options"],
        json!({"search_context_size": "low"})
--- a/rust/crates/commands/src/lib.rs
+++ b/rust/crates/commands/src/lib.rs
@@ -239,15 +239,15 @@ const SLASH_COMMAND_SPECS: &[SlashCommandSpec] = &[
    SlashCommandSpec {
        name: "agents",
        aliases: &[],
-        summary: "List configured agents",
+        summary: "List, show, or create configured agents",
-        argument_hint: Some("[list|help]"),
+        argument_hint: Some("[list|show <name>|create <name>|help]"),
        resume_supported: true,
    },
    SlashCommandSpec {
        name: "skills",
        aliases: &["skill"],
-        summary: "List, install, or invoke available skills",
+        summary: "List, install, uninstall, or invoke available skills",
-        argument_hint: Some("[list|install <path>|help|<skill> [args]]"),
+        argument_hint: Some("[list|show <name>|install <path>|uninstall <name>|help|<skill> [args]]"),
        resume_supported: true,
    },
    SlashCommandSpec {
@@ -1670,7 +1670,11 @@ fn parse_mcp_command(args: &[&str]) -> Result<SlashCommand, SlashCommandParseErr
            target: None,
        }),
        ["list", ..] => Err(usage_error("mcp list", "")),
-        ["show"] => Err(usage_error("mcp show", "<server>")),
+        ["show"] => Err(command_error(
            "missing_argument: mcp show requires a server name.",
            "mcp",
            "/mcp show <server>",
        )),
        ["show", target] => Ok(SlashCommand::Mcp {
            action: Some("show".to_string()),
            target: Some((*target).to_string()),
@@ -1763,13 +1767,25 @@ fn parse_list_or_help_args(
    args: Option<String>,
 ) -> Result<Option<String>, SlashCommandParseError> {
    match normalize_optional_args(args.as_deref()) {
-        None | Some("list" | "help" | "-h" | "--help") => Ok(args),
+        None
        | Some(
            "list" | "help" | "-h" | "--help" | "show" | "info" | "describe" | "create",
        ) => Ok(args),
        Some(value)
            if value.starts_with("list ")
                || value.starts_with("show ")
                || value.starts_with("info ")
                || value.starts_with("describe ")
                || value.starts_with("create ") =>
        {
            Ok(args)
        }
        Some(unexpected) => Err(command_error(
            &format!(
-                "Unexpected arguments for /{command}: {unexpected}. Use /{command}, /{command} list, or /{command} help."
+                "Unexpected arguments for /{command}: {unexpected}. Use /{command}, /{command} list, /{command} show <name>, /{command} create <name>, or /{command} help."
            ),
            command,
-            &format!("/{command} [list|help]"),
+            &format!("/{command} [list|show <name>|create <name>|help]"),
        )),
    }
 }
@@ -1783,14 +1799,6 @@ fn parse_skills_args(args: Option<&str>) -> Result<Option<String>, SlashCommandP
        return Ok(Some(args.to_string()));
    }
    if args == "install" {
        return Err(command_error(
            "Usage: /skills install <path>",
            "skills",
            "/skills install <path>",
        ));
    }
    if let Some(target) = args.strip_prefix("install").map(str::trim) {
        if !target.is_empty() {
            return Ok(Some(format!("install {target}")));
@@ -2191,6 +2199,30 @@ struct InstalledSkill {
    installed_path: PathBuf,
 }
 #[derive(Debug, Clone, PartialEq, Eq)]
 struct UninstalledSkill {
    invocation_name: String,
    registry_root: PathBuf,
    removed_path: PathBuf,
    available_names: Vec<String>,
 }
 #[derive(Debug, Clone, PartialEq, Eq)]
 enum SkillUninstallOutcome {
    Removed(UninstalledSkill),
    Missing {
        requested: String,
        registry_root: PathBuf,
        available_names: Vec<String>,
    },
 }
 #[derive(Debug, Clone, PartialEq, Eq)]
 struct CreatedAgent {
    name: String,
    path: PathBuf,
 }
 #[derive(Debug, Clone, PartialEq, Eq)]
 enum SkillInstallSource {
    Directory { root: PathBuf, prompt_path: PathBuf },
@@ -2418,10 +2450,32 @@ pub fn handle_agents_slash_command(args: Option<&str>, cwd: &Path) -> std::io::R
            }
            Ok(render_agents_report(&matched))
        }
        Some("create") => Err(std::io::Error::new(
            std::io::ErrorKind::InvalidInput,
            "missing_argument: agents create requires an agent name.\nUsage: claw agents create <name>",
        )),
        Some(args) if args.starts_with("create ") => {
            let mut parts = args.split_whitespace();
            let _ = parts.next();
            let Some(name) = parts.next() else {
                return Err(std::io::Error::new(
                    std::io::ErrorKind::InvalidInput,
                    "missing_argument: agents create requires an agent name.\nUsage: claw agents create <name>",
                ));
            };
            if let Some(extra) = parts.next() {
                return Err(std::io::Error::new(
                    std::io::ErrorKind::InvalidInput,
                    format!("unexpected extra arguments after agent name\nUsage: claw agents create <name>\nUnexpected extra: '{extra}'"),
                ));
            }
            let agent = create_agent(name, cwd)?;
            Ok(render_agent_create_report(&agent))
        }
        Some(args) if is_help_arg(args) => Ok(render_agents_usage(None)),
        Some(args) => Err(std::io::Error::new(
            std::io::ErrorKind::InvalidInput,
-            format!("unknown agents subcommand: {args}.\nSupported: list, show, help"),
+            format!("unknown agents subcommand: {args}.\nSupported: list, show, create, help"),
        )),
    }
 }
@@ -2518,10 +2572,32 @@ pub fn handle_agents_slash_command_json(args: Option<&str>, cwd: &Path) -> std::
            }
            Ok(render_agents_report_json_with_action(cwd, &matched, "show"))
        }
        Some("create") => Ok(render_agents_missing_argument_json("create", "agent_name")),
        Some(args) if args.starts_with("create ") => {
            let mut parts = args.split_whitespace();
            let _ = parts.next();
            let Some(name) = parts.next() else {
                return Ok(render_agents_missing_argument_json("create", "agent_name"));
            };
            if let Some(extra) = parts.next() {
                return Ok(json!({
                    "kind": "agents",
                    "action": "create",
                    "status": "error",
                    "error_kind": "unexpected_extra_args",
                    "unexpected": extra,
                    "hint": format!("Usage: claw agents create <name>\nUnexpected extra: '{extra}'"),
                }));
            }
            match create_agent(name, cwd) {
                Ok(agent) => Ok(render_agent_create_report_json(&agent)),
                Err(error) => Ok(render_agent_create_error_json(name, &error)),
            }
        }
        Some(args) if is_help_arg(args) => Ok(render_agents_usage_json(None)),
        Some(args) => Err(std::io::Error::new(
            std::io::ErrorKind::InvalidInput,
-            format!("unknown agents subcommand: {args}.\nSupported: list, show, help"),
+            format!("unknown agents subcommand: {args}.\nSupported: list, show, create, help"),
        )),
    }
 }
@@ -2623,15 +2699,53 @@ pub fn handle_skills_slash_command(args: Option<&str>, cwd: &Path) -> std::io::R
            }
            Ok(render_skills_report(&matched))
        }
-        Some("install") => Ok(render_skills_usage(Some("install"))),
+        Some("install") => Err(std::io::Error::new(
            std::io::ErrorKind::InvalidInput,
            "missing_argument: skills install requires an install source.\nUsage: claw skills install <path>",
        )),
        Some(args) if args.starts_with("install ") => {
            let target = args["install ".len()..].trim();
            if target.is_empty() {
-                return Ok(render_skills_usage(Some("install")));
+                return Err(std::io::Error::new(
                    std::io::ErrorKind::InvalidInput,
                    "missing_argument: skills install requires an install source.\nUsage: claw skills install <path>",
                ));
            }
            let install = install_skill(target, cwd)?;
            Ok(render_skill_install_report(&install))
        }
        Some("uninstall" | "remove" | "delete") => Err(std::io::Error::new(
            std::io::ErrorKind::InvalidInput,
            "missing_argument: skills uninstall requires a skill name.\nUsage: claw skills uninstall <name>",
        )),
        Some(args)
            if args.starts_with("uninstall ")
                || args.starts_with("remove ")
                || args.starts_with("delete ") =>
        {
            let (_, target) = args.split_once(' ').unwrap_or_default();
            let target = target.trim();
            if target.is_empty() {
                return Err(std::io::Error::new(
                    std::io::ErrorKind::InvalidInput,
                    "missing_argument: skills uninstall requires a skill name.\nUsage: claw skills uninstall <name>",
                ));
            }
            match uninstall_skill(target)? {
                SkillUninstallOutcome::Removed(skill) => Ok(render_skill_uninstall_report(&skill)),
                SkillUninstallOutcome::Missing {
                    requested,
                    available_names,
                    ..
                } => Err(std::io::Error::new(
                    std::io::ErrorKind::NotFound,
                    format!(
                        "skill '{requested}' not found\nAvailable skills: {}\nRun `claw skills list` to see available skills.",
                        format_optional_list(&available_names)
                    ),
                )),
            }
        }
        Some(args) if is_help_arg(args) => Ok(render_skills_usage(None)),
        Some(args) => Ok(render_skills_usage(Some(args))),
    }
@@ -2730,14 +2844,58 @@ pub fn handle_skills_slash_command_json(args: Option<&str>, cwd: &Path) -> std::
            }
            Ok(render_skills_report_json_with_action(&matched, "show"))
        }
-        Some("install") => Ok(render_skills_usage_json(Some("install"))),
+        Some("install") => Ok(render_skills_missing_argument_json(
            "install",
            "install_source",
            "Usage: claw skills install <path>",
        )),
        Some(args) if args.starts_with("install ") => {
            let target = args["install ".len()..].trim();
            if target.is_empty() {
-                return Ok(render_skills_usage_json(Some("install")));
+                return Ok(render_skills_missing_argument_json(
                    "install",
                    "install_source",
                    "Usage: claw skills install <path>",
                ));
            }
            match install_skill(target, cwd) {
                Ok(install) => Ok(render_skill_install_report_json(&install)),
                Err(error) => Ok(render_skill_install_error_json(target, &error)),
            }
        }
        Some("uninstall" | "remove" | "delete") => Ok(render_skills_missing_argument_json(
            "uninstall",
            "skill_name",
            "Usage: claw skills uninstall <name>",
        )),
        Some(args)
            if args.starts_with("uninstall ")
                || args.starts_with("remove ")
                || args.starts_with("delete ") =>
        {
            let (_, target) = args.split_once(' ').unwrap_or_default();
            let target = target.trim();
            if target.is_empty() {
                return Ok(render_skills_missing_argument_json(
                    "uninstall",
                    "skill_name",
                    "Usage: claw skills uninstall <name>",
                ));
            }
            match uninstall_skill(target)? {
                SkillUninstallOutcome::Removed(skill) => {
                    Ok(render_skill_uninstall_report_json(&skill))
                }
                SkillUninstallOutcome::Missing {
                    requested,
                    registry_root,
                    available_names,
                } => Ok(render_skill_uninstall_missing_json(
                    &requested,
                    &registry_root,
                    &available_names,
                )),
            }
            let install = install_skill(target, cwd)?;
            Ok(render_skill_install_report_json(&install))
        }
        Some(args) if is_help_arg(args) => Ok(render_skills_usage_json(None)),
        Some(args) => Ok(render_skills_usage_json(Some(args))),
@@ -2747,9 +2905,11 @@ pub fn handle_skills_slash_command_json(args: Option<&str>, cwd: &Path) -> std::
 #[must_use]
 pub fn classify_skills_slash_command(args: Option<&str>) -> SkillSlashDispatch {
    match normalize_optional_args(args) {
-        None | Some("list" | "help" | "-h" | "--help" | "show" | "info" | "describe") => {
+        None
-            SkillSlashDispatch::Local
+        | Some(
-        }
+            "list" | "help" | "-h" | "--help" | "show" | "info" | "describe" | "install"
            | "uninstall" | "remove" | "delete",
        ) => SkillSlashDispatch::Local,
        Some(args)
            if args
                .split_whitespace()
@@ -2757,7 +2917,12 @@ pub fn classify_skills_slash_command(args: Option<&str>) -> SkillSlashDispatch {
        {
            SkillSlashDispatch::Local
        }
-        Some(args) if args == "install" || args.starts_with("install ") => {
+        Some(args)
            if args.starts_with("install ")
                || args.starts_with("uninstall ")
                || args.starts_with("remove ")
                || args.starts_with("delete ") =>
        {
            SkillSlashDispatch::Local
        }
        Some(args)
@@ -2802,7 +2967,7 @@ pub fn resolve_skill_invocation(
                        message.push_str(&names.join(", "));
                    }
                }
-                message.push_str("\n  Usage: /skills [list|install <path>|help|<skill> [args]]");
+                message.push_str("\n  Usage: /skills [list|show <name>|install <path>|uninstall <name>|help|<skill> [args]]");
                return Err(message);
            }
        }
@@ -2918,12 +3083,12 @@ fn render_mcp_report_for(
            }
        }
        Some(args) if is_help_arg(args) => Ok(render_mcp_usage(None)),
-        Some("show") => Ok(render_mcp_usage(Some("show"))),
+        Some("show") => Ok(render_mcp_missing_argument_text("show")),
        Some(args) if args.split_whitespace().next() == Some("show") => {
            let mut parts = args.split_whitespace();
            let _ = parts.next();
            let Some(server_name) = parts.next() else {
-                return Ok(render_mcp_usage(Some("show")));
+                return Ok(render_mcp_missing_argument_text("show"));
            };
            if parts.next().is_some() {
                return Ok(render_mcp_usage(Some(args)));
@@ -3027,12 +3192,12 @@ fn render_mcp_report_json_for(
            }
        }
        Some(args) if is_help_arg(args) => Ok(render_mcp_usage_json(None)),
-        Some("show") => Ok(render_mcp_usage_json(Some("show"))),
+        Some("show") => Ok(render_mcp_missing_argument_json("show")),
        Some(args) if args.split_whitespace().next() == Some("show") => {
            let mut parts = args.split_whitespace();
            let _ = parts.next();
            let Some(server_name) = parts.next() else {
-                return Ok(render_mcp_usage_json(Some("show")));
+                return Ok(render_mcp_missing_argument_json("show"));
            };
            if parts.next().is_some() {
                return Ok(render_mcp_usage_json(Some(args)));
@@ -3457,6 +3622,103 @@ fn install_skill_into(
    })
 }
 fn uninstall_skill(target: &str) -> std::io::Result<SkillUninstallOutcome> {
    let registry_root = default_skill_install_root()?;
    let requested = sanitize_skill_invocation_name(target).unwrap_or_else(|| {
        target
            .trim()
            .trim_start_matches('/')
            .trim_start_matches('$')
            .to_ascii_lowercase()
    });
    let available_names = installed_skill_names(&registry_root)?;
    let matched_name = available_names
        .iter()
        .find(|name| name.eq_ignore_ascii_case(&requested))
        .cloned();
    let Some(invocation_name) = matched_name else {
        return Ok(SkillUninstallOutcome::Missing {
            requested,
            registry_root,
            available_names,
        });
    };
    let removed_path = registry_root.join(&invocation_name);
    if removed_path.is_dir() {
        fs::remove_dir_all(&removed_path)?;
    } else {
        fs::remove_file(&removed_path)?;
    }
    let available_names = available_names
        .into_iter()
        .filter(|name| !name.eq_ignore_ascii_case(&invocation_name))
        .collect();
    Ok(SkillUninstallOutcome::Removed(UninstalledSkill {
        invocation_name,
        registry_root,
        removed_path,
        available_names,
    }))
 }
 fn installed_skill_names(registry_root: &Path) -> std::io::Result<Vec<String>> {
    let entries = match fs::read_dir(registry_root) {
        Ok(entries) => entries,
        Err(error) if error.kind() == std::io::ErrorKind::NotFound => return Ok(Vec::new()),
        Err(error) => return Err(error),
    };
    let mut names = Vec::new();
    for entry in entries {
        let entry = entry?;
        let path = entry.path();
        if path.is_dir() && path.join("SKILL.md").is_file() {
            names.push(entry.file_name().to_string_lossy().to_string());
        } else if path
            .extension()
            .is_some_and(|extension| extension.to_string_lossy().eq_ignore_ascii_case("md"))
        {
            if let Some(stem) = path.file_stem() {
                names.push(stem.to_string_lossy().to_string());
            }
        }
    }
    names.sort();
    Ok(names)
 }
 fn create_agent(name: &str, cwd: &Path) -> std::io::Result<CreatedAgent> {
    let Some(name) = sanitize_skill_invocation_name(name) else {
        return Err(std::io::Error::new(
            std::io::ErrorKind::InvalidInput,
            "invalid_agent_name: agent name must contain at least one alphanumeric character",
        ));
    };
    let root = cwd.join(".claw").join("agents");
    let path = root.join(format!("{name}.toml"));
    if path.exists() {
        return Err(std::io::Error::new(
            std::io::ErrorKind::AlreadyExists,
            format!(
                "agent_already_exists: agent '{name}' already exists at {}",
                path.display()
            ),
        ));
    }
    fs::create_dir_all(&root)?;
    fs::write(
        &path,
        format!(
            "name = \"{name}\"\ndescription = \"Describe when to use this agent.\"\nmodel_reasoning_effort = \"medium\"\n"
        ),
    )?;
    Ok(CreatedAgent { name, path })
 }
 fn default_skill_install_root() -> std::io::Result<PathBuf> {
    if let Ok(claw_config_home) = env::var("CLAW_CONFIG_HOME") {
        return Ok(PathBuf::from(claw_config_home).join("skills"));
@@ -3898,6 +4160,59 @@ fn render_agents_report_json_with_action(
    })
 }
 fn render_agents_missing_argument_json(action: &str, argument: &str) -> Value {
    json!({
        "kind": "agents",
        "action": action,
        "status": "error",
        "error_kind": "missing_argument",
        "argument": argument,
        "hint": "Usage: claw agents create <name>",
    })
 }
 fn render_agent_create_report(agent: &CreatedAgent) -> String {
    format!(
        "Agents\n  Result           created {}\n  Path             {}\n  Format           TOML",
        agent.name,
        agent.path.display()
    )
 }
 fn render_agent_create_report_json(agent: &CreatedAgent) -> Value {
    json!({
        "kind": "agents",
        "status": "ok",
        "action": "create",
        "result": "created",
        "name": &agent.name,
        "path": agent.path.display().to_string(),
        "format": "toml",
    })
 }
 fn render_agent_create_error_json(name: &str, error: &std::io::Error) -> Value {
    let message = error.to_string();
    let error_kind = if message.starts_with("invalid_agent_name:") {
        "invalid_agent_name"
    } else if message.starts_with("agent_already_exists:")
        || error.kind() == std::io::ErrorKind::AlreadyExists
    {
        "agent_already_exists"
    } else {
        "agent_create_failed"
    };
    json!({
        "kind": "agents",
        "status": "error",
        "action": "create",
        "error_kind": error_kind,
        "name": name,
        "message": message,
        "hint": "Use `claw agents create <name>` with a simple alphanumeric, dash, underscore, or dot name.",
    })
 }
 fn agent_detail(agent: &AgentSummary) -> String {
    let mut parts = vec![agent.name.clone()];
    if let Some(description) = &agent.description {
@@ -4015,6 +4330,102 @@ fn render_skill_install_report_json(skill: &InstalledSkill) -> Value {
    })
 }
 fn render_skills_missing_argument_json(action: &str, argument: &str, hint: &str) -> Value {
    json!({
        "kind": "skills",
        "action": action,
        "status": "error",
        "error_kind": "missing_argument",
        "argument": argument,
        "hint": hint,
    })
 }
 fn render_skill_install_error_json(target: &str, error: &std::io::Error) -> Value {
    let source_kind = skill_install_source_kind(target);
    json!({
        "kind": "skills",
        "action": "install",
        "status": "error",
        "error_kind": "invalid_install_source",
        "source": target,
        "source_kind": source_kind,
        "reason": io_error_reason(error),
        "message": format!("invalid install source: {error}"),
        "hint": match source_kind {
            "url" => "Remote skill install is not supported yet; pass a local directory containing SKILL.md or a markdown file.",
            "name" => "Skill install expects a local path, not a registry name. Pass a directory containing SKILL.md or a markdown file.",
            _ => "Check that the path exists and is a directory containing SKILL.md or a markdown file.",
        },
    })
 }
 fn render_skill_uninstall_report(skill: &UninstalledSkill) -> String {
    format!(
        "Skills\n  Result           uninstalled {}\n  Registry         {}\n  Removed path     {}\n  Remaining        {}",
        skill.invocation_name,
        skill.registry_root.display(),
        skill.removed_path.display(),
        format_optional_list(&skill.available_names)
    )
 }
 fn render_skill_uninstall_report_json(skill: &UninstalledSkill) -> Value {
    json!({
        "kind": "skills",
        "status": "ok",
        "action": "uninstall",
        "result": "removed",
        "removed": &skill.invocation_name,
        "skills_dir": skill.registry_root.display().to_string(),
        "removed_path": skill.removed_path.display().to_string(),
        "available_names": &skill.available_names,
    })
 }
 fn render_skill_uninstall_missing_json(
    requested: &str,
    registry_root: &Path,
    available_names: &[String],
 ) -> Value {
    json!({
        "kind": "skills",
        "status": "error",
        "action": "uninstall",
        "error_kind": "skill_not_found",
        "requested": requested,
        "skills_dir": registry_root.display().to_string(),
        "available_names": available_names,
        "message": format!("skill '{requested}' not found"),
        "hint": "Run `claw skills list` to see available skills.",
    })
 }
 fn skill_install_source_kind(source: &str) -> &'static str {
    let trimmed = source.trim();
    if trimmed.contains("://") {
        "url"
    } else if Path::new(trimmed).is_absolute()
        || trimmed.starts_with('.')
        || trimmed.contains('/')
        || trimmed.contains('\\')
    {
        "path"
    } else {
        "name"
    }
 }
 fn io_error_reason(error: &std::io::Error) -> &'static str {
    match error.kind() {
        std::io::ErrorKind::NotFound => "not_found",
        std::io::ErrorKind::AlreadyExists => "already_exists",
        std::io::ErrorKind::PermissionDenied => "permission_denied",
        std::io::ErrorKind::InvalidInput => "invalid",
        _ => "io_error",
    }
 }
 fn render_mcp_summary_report(
    cwd: &Path,
    servers: &BTreeMap<String, ScopedMcpServerConfig>,
@@ -4184,8 +4595,10 @@ fn help_path_from_args(args: &str) -> Option<Vec<&str>> {
 fn render_agents_usage(unexpected: Option<&str>) -> String {
    let mut lines = vec![
        "Agents".to_string(),
-        "  Usage            /agents [list|help]".to_string(),
+        "  Usage            /agents [list|show <name>|create <name>|help]".to_string(),
-        "  Direct CLI       claw agents".to_string(),
+        "  Direct CLI       claw agents [list|show <name>|create <name>|help]".to_string(),
        "  Format           TOML files (.toml); create scaffolds .claw/agents/<name>.toml"
            .to_string(),
        "  Sources          .claw/agents, ~/.claw/agents, $CLAW_CONFIG_HOME/agents".to_string(),
    ];
    if let Some(args) = unexpected {
@@ -4201,8 +4614,10 @@ fn render_agents_usage_json(unexpected: Option<&str>) -> Value {
        "ok": unexpected.is_none(),
        "status": if unexpected.is_some() { "error" } else { "ok" },
        "usage": {
-            "slash_command": "/agents [list|help]",
+            "slash_command": "/agents [list|show <name>|create <name>|help]",
-            "direct_cli": "claw agents [list|help]",
+            "direct_cli": "claw agents [list|show <name>|create <name>|help]",
            "format": "toml",
            "create": "claw agents create <name>",
            "sources": [".claw/agents", "~/.claw/agents", "$CLAW_CONFIG_HOME/agents"],
        },
        "unexpected": unexpected,
@@ -4212,9 +4627,10 @@ fn render_agents_usage_json(unexpected: Option<&str>) -> Value {
 fn render_skills_usage(unexpected: Option<&str>) -> String {
    let mut lines = vec![
        "Skills".to_string(),
-        "  Usage            /skills [list|install <path>|help|<skill> [args]]".to_string(),
+        "  Usage            /skills [list|show <name>|install <path>|uninstall <name>|help|<skill> [args]]".to_string(),
        "  Alias            /skill".to_string(),
-        "  Direct CLI       claw skills [list|install <path>|help|<skill> [args]]".to_string(),
+        "  Direct CLI       claw skills [list|show <name>|install <path>|uninstall <name>|help|<skill> [args]]".to_string(),
        "  Lifecycle        install <path>, uninstall <name>".to_string(),
        "  Invoke           /skills help overview -> $help overview".to_string(),
        "  Install root     $CLAW_CONFIG_HOME/skills or ~/.claw/skills".to_string(),
        "  Sources          .claw/skills, .omc/skills, .agents/skills, .codex/skills, .claude/skills, ~/.claw/skills, ~/.omc/skills, ~/.claude/skills/omc-learned, ~/.codex/skills, ~/.claude/skills, legacy /commands".to_string(),
@@ -4232,9 +4648,10 @@ fn render_skills_usage_json(unexpected: Option<&str>) -> Value {
        "ok": unexpected.is_none(),
        "status": if unexpected.is_some() { "error" } else { "ok" },
        "usage": {
-            "slash_command": "/skills [list|install <path>|help|<skill> [args]]",
+            "slash_command": "/skills [list|show <name>|install <path>|uninstall <name>|help|<skill> [args]]",
            "aliases": ["/skill"],
-            "direct_cli": "claw skills [list|install <path>|help|<skill> [args]]",
+            "direct_cli": "claw skills [list|show <name>|install <path>|uninstall <name>|help|<skill> [args]]",
            "lifecycle": ["install <path>", "uninstall <name>"],
            "invoke": "/skills help overview -> $help overview",
            "install_root": "$CLAW_CONFIG_HOME/skills or ~/.claw/skills",
            "sources": [
@@ -4269,6 +4686,44 @@ fn render_mcp_usage(unexpected: Option<&str>) -> String {
    lines.join("\n")
 }
 fn render_mcp_missing_argument_text(action: &str) -> String {
    let hint = match action {
        "show" => "use `claw mcp show <server>` to inspect a server",
        _ => "provide the required argument for this MCP action",
    };
    format!(
        "MCP\n  Error            missing argument for '{action}'\n  Hint             {hint}\n  Usage            /mcp [list|show <server>|help]"
    )
 }
 fn render_mcp_missing_argument_json(action: &str) -> Value {
    let (message, hint) = match action {
        "show" => (
            "mcp show requires a server name",
            "Usage: claw mcp show <server>",
        ),
        _ => (
            "mcp action requires an argument",
            "Usage: claw mcp [list|show <server>|help]",
        ),
    };
    json!({
        "kind": "mcp",
        "action": action,
        "ok": false,
        "status": "error",
        "error_kind": "missing_argument",
        "message": message,
        "hint": hint,
        "usage": {
            "slash_command": "/mcp [list|show <server>|help]",
            "direct_cli": "claw mcp [list|show <server>|help]",
            "sources": [".claw/settings.json", ".claw/settings.local.json"],
        },
        "unexpected": Value::Null,
    })
 }
 fn render_mcp_usage_json(unexpected: Option<&str>) -> Value {
    // #748: add error_kind when unexpected is set, matching agents/plugins unknown-subcommand shape.
    let error_kind: Value = if unexpected.is_some() {
@@ -5071,16 +5526,17 @@ mod tests {
    #[test]
    fn rejects_invalid_agents_arguments() {
        // given
-        let agents_input = "/agents show planner";
+        let agents_input = "/agents frobnicate";
        // when
        let agents_error = parse_error_message(agents_input);
        // then
        assert!(agents_error.contains(
-            "Unexpected arguments for /agents: show planner. Use /agents, /agents list, or /agents help."
+            "Unexpected arguments for /agents: frobnicate. Use /agents, /agents list, /agents show <name>, /agents create <name>, or /agents help."
        ));
-        assert!(agents_error.contains("  Usage            /agents [list|help]"));
+        assert!(agents_error
            .contains("  Usage            /agents [list|show <name>|create <name>|help]"));
    }
    #[test]
@@ -5102,6 +5558,13 @@ mod tests {
                "`skills {arg}` must be Local, not Invoke"
            );
        }
        for arg in ["uninstall", "uninstall plan", "remove plan", "delete plan"] {
            assert_eq!(
                classify_skills_slash_command(Some(arg)),
                SkillSlashDispatch::Local,
                "`skills {arg}` must be Local, not Invoke"
            );
        }
        // Bare invocable tokens still dispatch to Invoke.
        assert_eq!(
            classify_skills_slash_command(Some("plan")),
@@ -5129,6 +5592,10 @@ mod tests {
            classify_skills_slash_command(Some("install ./skill-pack")),
            SkillSlashDispatch::Local
        );
        assert_eq!(
            classify_skills_slash_command(Some("uninstall help")),
            SkillSlashDispatch::Local
        );
    }
    #[test]
@@ -5221,8 +5688,10 @@ mod tests {
            "/plugin [list|install <path>|enable <name>|disable <name>|uninstall <id>|update <id>]"
        ));
        assert!(help.contains("aliases: /plugins, /marketplace"));
-        assert!(help.contains("/agents [list|help]"));
+        assert!(help.contains("/agents [list|show <name>|create <name>|help]"));
-        assert!(help.contains("/skills [list|install <path>|help|<skill> [args]]"));
+        assert!(help.contains(
            "/skills [list|show <name>|install <path>|uninstall <name>|help|<skill> [args]]"
        ));
        assert!(help.contains("aliases: /skill"));
        assert!(!help.contains("/login"));
        assert!(!help.contains("/logout"));
@@ -5567,10 +6036,27 @@ mod tests {
    #[test]
    fn renders_agents_reports_as_json() {
        let _guard = env_guard();
        let workspace = temp_dir("agents-json-workspace");
        let project_agents = workspace.join(".codex").join("agents");
        let user_home = temp_dir("agents-json-home");
        let user_agents = user_home.join(".codex").join("agents");
        let isolated_home = temp_dir("agents-json-isolated-home");
        let config_home = temp_dir("agents-json-config-home");
        let codex_home = temp_dir("agents-json-codex-home");
        let claude_config = temp_dir("agents-json-claude-config");
        fs::create_dir_all(&isolated_home).expect("isolated home");
        fs::create_dir_all(&config_home).expect("config home");
        fs::create_dir_all(&codex_home).expect("codex home");
        fs::create_dir_all(&claude_config).expect("claude config");
        let original_home = std::env::var_os("HOME");
        let original_claw_config_home = std::env::var_os("CLAW_CONFIG_HOME");
        let original_codex_home = std::env::var_os("CODEX_HOME");
        let original_claude_config_dir = std::env::var_os("CLAUDE_CONFIG_DIR");
        std::env::set_var("HOME", &isolated_home);
        std::env::set_var("CLAW_CONFIG_HOME", &config_home);
        std::env::set_var("CODEX_HOME", &codex_home);
        std::env::set_var("CLAUDE_CONFIG_DIR", &claude_config);
        write_agent(
            &project_agents,
@@ -5622,7 +6108,10 @@ mod tests {
        assert_eq!(help["kind"], "agents");
        assert_eq!(help["action"], "help");
        assert_eq!(help["status"], "ok");
-        assert_eq!(help["usage"]["direct_cli"], "claw agents [list|help]");
+        assert_eq!(
            help["usage"]["direct_cli"],
            "claw agents [list|show <name>|create <name>|help]"
        );
        // `show <name>` is now valid. Known agent returns ok with matching entry.
        let show_planner = handle_agents_slash_command_json(Some("show planner"), &workspace)
@@ -5644,6 +6133,14 @@ mod tests {
        let _ = fs::remove_dir_all(workspace);
        let _ = fs::remove_dir_all(user_home);
        restore_env_var("HOME", original_home);
        restore_env_var("CLAW_CONFIG_HOME", original_claw_config_home);
        restore_env_var("CODEX_HOME", original_codex_home);
        restore_env_var("CLAUDE_CONFIG_DIR", original_claude_config_dir);
        let _ = fs::remove_dir_all(isolated_home);
        let _ = fs::remove_dir_all(config_home);
        let _ = fs::remove_dir_all(codex_home);
        let _ = fs::remove_dir_all(claude_config);
    }
    #[test]
@@ -5774,7 +6271,7 @@ mod tests {
        assert_eq!(help["usage"]["aliases"][0], "/skill");
        assert_eq!(
            help["usage"]["direct_cli"],
-            "claw skills [list|install <path>|help|<skill> [args]]"
+            "claw skills [list|show <name>|install <path>|uninstall <name>|help|<skill> [args]]"
        );
        let _ = fs::remove_dir_all(workspace);
@@ -5787,13 +6284,20 @@ mod tests {
        let agents_help =
            super::handle_agents_slash_command(Some("help"), &cwd).expect("agents help");
-        assert!(agents_help.contains("Usage            /agents [list|help]"));
+        assert!(
-        assert!(agents_help.contains("Direct CLI       claw agents"));
+            agents_help.contains("Usage            /agents [list|show <name>|create <name>|help]")
        );
        assert!(agents_help
            .contains("Direct CLI       claw agents [list|show <name>|create <name>|help]"));
        assert!(agents_help.contains(
            "Format           TOML files (.toml); create scaffolds .claw/agents/<name>.toml"
        ));
        assert!(agents_help
            .contains("Sources          .claw/agents, ~/.claw/agents, $CLAW_CONFIG_HOME/agents"));
        // `show <name>` is now valid. For an agent that doesn't exist it returns Err(NotFound).
-        let agents_show_missing = super::handle_agents_slash_command(Some("show planner"), &cwd);
+        let agents_show_missing =
            super::handle_agents_slash_command(Some("show definitely-missing-agent-431"), &cwd);
        assert!(
            agents_show_missing.is_err(),
            "show of a missing agent should Err"
@@ -5812,9 +6316,11 @@ mod tests {
        let skills_help =
            super::handle_skills_slash_command(Some("--help"), &cwd).expect("skills help");
-        assert!(skills_help
+        assert!(skills_help.contains(
-            .contains("Usage            /skills [list|install <path>|help|<skill> [args]]"));
+            "Usage            /skills [list|show <name>|install <path>|uninstall <name>|help|<skill> [args]]"
        ));
        assert!(skills_help.contains("Alias            /skill"));
        assert!(skills_help.contains("Lifecycle        install <path>, uninstall <name>"));
        assert!(skills_help.contains("Invoke           /skills help overview -> $help overview"));
        assert!(skills_help.contains("Install root     $CLAW_CONFIG_HOME/skills or ~/.claw/skills"));
        assert!(skills_help.contains(".omc/skills"));
@@ -5828,15 +6334,17 @@ mod tests {
        let skills_install_help = super::handle_skills_slash_command(Some("install --help"), &cwd)
            .expect("nested skills help");
-        assert!(skills_install_help
+        assert!(skills_install_help.contains(
-            .contains("Usage            /skills [list|install <path>|help|<skill> [args]]"));
+            "Usage            /skills [list|show <name>|install <path>|uninstall <name>|help|<skill> [args]]"
        ));
        assert!(skills_install_help.contains("Alias            /skill"));
        assert!(skills_install_help.contains("Unexpected       install"));
        let skills_unknown_help =
            super::handle_skills_slash_command(Some("show --help"), &cwd).expect("skills help");
-        assert!(skills_unknown_help
+        assert!(skills_unknown_help.contains(
-            .contains("Usage            /skills [list|install <path>|help|<skill> [args]]"));
+            "Usage            /skills [list|show <name>|install <path>|uninstall <name>|help|<skill> [args]]"
        ));
        assert!(skills_unknown_help.contains("Unexpected       show"));
        let skills_help_json =
--- a/rust/crates/runtime/src/bash.rs
+++ b/rust/crates/runtime/src/bash.rs
@@ -330,20 +330,24 @@ fn prepare_tokio_command(
        prepare_sandbox_dirs(cwd);
    }
-    if let Some(launcher) = build_linux_sandbox_command(command, cwd, sandbox_status) {
+    let mut prepared =
-        let mut prepared = TokioCommand::new(launcher.program);
+        if let Some(launcher) = build_linux_sandbox_command(command, cwd, sandbox_status) {
-        prepared.args(launcher.args);
+            let mut cmd = TokioCommand::new(launcher.program);
-        prepared.current_dir(cwd);
+            cmd.args(launcher.args);
-        prepared.envs(launcher.env);
+            cmd.envs(launcher.env);
-        return prepared;
+            cmd
-    }
+        } else {
            let mut cmd = TokioCommand::new("sh");
            cmd.arg("-lc").arg(command);
            if sandbox_status.filesystem_active {
                cmd.env("HOME", cwd.join(".sandbox-home"));
                cmd.env("TMPDIR", cwd.join(".sandbox-tmp"));
            }
            cmd
        };
-    let mut prepared = TokioCommand::new("sh");
+    prepared.current_dir(cwd);
-    prepared.arg("-lc").arg(command).current_dir(cwd);
+    prepared.stdin(Stdio::null());
    if sandbox_status.filesystem_active {
        prepared.env("HOME", cwd.join(".sandbox-home"));
        prepared.env("TMPDIR", cwd.join(".sandbox-tmp"));
    }
    prepared
 }
@@ -419,6 +423,27 @@ mod tests {
        assert_eq!(structured[0]["event"], "test.hung");
        assert_eq!(structured[0]["data"]["provenance"], "bash.timeout");
    }
    #[test]
    fn prevents_stdin_hangs_by_redirecting_to_null() {
        let output = execute_bash(BashCommandInput {
            command: String::from("cat"),
            timeout: Some(2_000),
            description: None,
            run_in_background: Some(false),
            dangerously_disable_sandbox: Some(true),
            namespace_restrictions: None,
            isolate_network: None,
            filesystem_mode: None,
            allowed_mounts: None,
        })
        .expect("bash command should execute cleanly");
        assert!(
            !output.interrupted,
            "Command hung and was cut off by the timeout!"
        );
    }
 }
 /// Maximum output bytes before truncation (16 KiB, matching upstream).
--- a/rust/crates/runtime/src/config.rs
+++ b/rust/crates/runtime/src/config.rs
--- a/rust/crates/runtime/src/config_validate.rs
+++ b/rust/crates/runtime/src/config_validate.rs
@@ -92,6 +92,8 @@ enum FieldType {
    Bool,
    Object,
    StringArray,
    HookArray,
    RulesImport,
    Number,
 }
@@ -102,6 +104,8 @@ impl FieldType {
            Self::Bool => "a boolean",
            Self::Object => "an object",
            Self::StringArray => "an array of strings",
            Self::RulesImport => "a string or an array of strings",
            Self::HookArray => "an array of strings or hook objects",
            Self::Number => "a number",
        }
    }
@@ -114,6 +118,16 @@ impl FieldType {
            Self::StringArray => value
                .as_array()
                .is_some_and(|arr| arr.iter().all(|v| v.as_str().is_some())),
            Self::HookArray => value.as_array().is_some_and(|arr| {
                arr.iter()
                    .all(|entry| entry.as_str().is_some() || entry.as_object().is_some())
            }),
            Self::RulesImport => {
                value.as_str().is_some()
                    || value
                        .as_array()
                        .is_some_and(|arr| arr.iter().all(|v| v.as_str().is_some()))
            }
            Self::Number => value.as_i64().is_some(),
        }
    }
@@ -201,20 +215,24 @@ const TOP_LEVEL_FIELDS: &[FieldSpec] = &[
        name: "provider",
        expected: FieldType::Object,
    },
    FieldSpec {
        name: "rulesImport",
        expected: FieldType::RulesImport,
    },
 ];
 const HOOKS_FIELDS: &[FieldSpec] = &[
    FieldSpec {
        name: "PreToolUse",
-        expected: FieldType::StringArray,
+        expected: FieldType::HookArray,
    },
    FieldSpec {
        name: "PostToolUse",
-        expected: FieldType::StringArray,
+        expected: FieldType::HookArray,
    },
    FieldSpec {
        name: "PostToolUseFailure",
-        expected: FieldType::StringArray,
+        expected: FieldType::HookArray,
    },
 ];
@@ -406,9 +424,10 @@ fn validate_object_keys(
        } else if DEPRECATED_FIELDS.iter().any(|d| d.name == key) {
            // Deprecated key — handled separately, not an unknown-key error.
        } else {
-            // Unknown key.
+            // Unknown key — preserve compatibility by surfacing it as a warning
            // instead of blocking otherwise valid config files.
            let suggestion = suggest_field(key, &known_names);
-            result.errors.push(ConfigDiagnostic {
+            result.warnings.push(ConfigDiagnostic {
                path: path_display.to_string(),
                field: field_path,
                line: find_key_line(source, key),
@@ -587,10 +606,11 @@ mod tests {
        let result = validate_config_file(object, source, &test_path());
        // then
-        assert_eq!(result.errors.len(), 1);
+        assert!(result.errors.is_empty());
-        assert_eq!(result.errors[0].field, "unknownField");
+        assert_eq!(result.warnings.len(), 1);
        assert_eq!(result.warnings[0].field, "unknownField");
        assert!(matches!(
-            result.errors[0].kind,
+            result.warnings[0].kind,
            DiagnosticKind::UnknownKey { .. }
        ));
    }
@@ -670,9 +690,10 @@ mod tests {
        let result = validate_config_file(object, source, &test_path());
        // then
-        assert_eq!(result.errors.len(), 1);
+        assert!(result.errors.is_empty());
-        assert_eq!(result.errors[0].line, Some(3));
+        assert_eq!(result.warnings.len(), 1);
-        assert_eq!(result.errors[0].field, "badKey");
+        assert_eq!(result.warnings[0].line, Some(3));
        assert_eq!(result.warnings[0].field, "badKey");
    }
    #[test]
@@ -701,8 +722,60 @@ mod tests {
        let result = validate_config_file(object, source, &test_path());
        // then
        assert!(result.errors.is_empty());
        assert_eq!(result.warnings.len(), 1);
        assert_eq!(result.warnings[0].field, "hooks.BadHook");
    }
    #[test]
    fn validates_object_style_hook_entries() {
        let source = r#"{"hooks":{"PreToolUse":["legacy",{"matcher":"Bash","hooks":[{"type":"command","command":"echo ok"}]}]}}"#;
        let parsed = JsonValue::parse(source).expect("valid json");
        let object = parsed.as_object().expect("object");
        let result = validate_config_file(object, source, &test_path());
        assert!(result.errors.is_empty(), "{:?}", result.errors);
    }
    #[test]
    fn rejects_wrong_hook_entry_types() {
        let source = r#"{"hooks":{"PreToolUse":[42]}}"#;
        let parsed = JsonValue::parse(source).expect("valid json");
        let object = parsed.as_object().expect("object");
        let result = validate_config_file(object, source, &test_path());
        assert_eq!(result.errors.len(), 1);
-        assert_eq!(result.errors[0].field, "hooks.BadHook");
+        assert_eq!(result.errors[0].field, "hooks.PreToolUse");
    }
    #[test]
    fn validates_rules_import_string_and_array_forms() {
        for source in [
            r#"{"rulesImport":"auto"}"#,
            r#"{"rulesImport":"none"}"#,
            r#"{"rulesImport":["cursor","copilot"]}"#,
        ] {
            let parsed = JsonValue::parse(source).expect("valid json");
            let object = parsed.as_object().expect("object");
            let result = validate_config_file(object, source, &test_path());
            assert!(result.errors.is_empty(), "{source}: {:?}", result.errors);
        }
    }
    #[test]
    fn rejects_rules_import_wrong_type() {
        let source = r#"{"rulesImport":42}"#;
        let parsed = JsonValue::parse(source).expect("valid json");
        let object = parsed.as_object().expect("object");
        let result = validate_config_file(object, source, &test_path());
        assert_eq!(result.errors.len(), 1);
        assert_eq!(result.errors[0].field, "rulesImport");
    }
    #[test]
@@ -716,8 +789,9 @@ mod tests {
        let result = validate_config_file(object, source, &test_path());
        // then
-        assert_eq!(result.errors.len(), 1);
+        assert!(result.errors.is_empty());
-        assert_eq!(result.errors[0].field, "permissions.denyAll");
+        assert_eq!(result.warnings.len(), 1);
        assert_eq!(result.warnings[0].field, "permissions.denyAll");
    }
    #[test]
@@ -731,8 +805,9 @@ mod tests {
        let result = validate_config_file(object, source, &test_path());
        // then
-        assert_eq!(result.errors.len(), 1);
+        assert!(result.errors.is_empty());
-        assert_eq!(result.errors[0].field, "sandbox.containerMode");
+        assert_eq!(result.warnings.len(), 1);
        assert_eq!(result.warnings[0].field, "sandbox.containerMode");
    }
    #[test]
@@ -746,8 +821,9 @@ mod tests {
        let result = validate_config_file(object, source, &test_path());
        // then
-        assert_eq!(result.errors.len(), 1);
+        assert!(result.errors.is_empty());
-        assert_eq!(result.errors[0].field, "plugins.autoUpdate");
+        assert_eq!(result.warnings.len(), 1);
        assert_eq!(result.warnings[0].field, "plugins.autoUpdate");
    }
    #[test]
@@ -761,8 +837,9 @@ mod tests {
        let result = validate_config_file(object, source, &test_path());
        // then
-        assert_eq!(result.errors.len(), 1);
+        assert!(result.errors.is_empty());
-        assert_eq!(result.errors[0].field, "oauth.secret");
+        assert_eq!(result.warnings.len(), 1);
        assert_eq!(result.warnings[0].field, "oauth.secret");
    }
    #[test]
@@ -797,8 +874,9 @@ mod tests {
        let result = validate_config_file(object, source, &test_path());
        // then
-        assert_eq!(result.errors.len(), 1);
+        assert!(result.errors.is_empty());
-        match &result.errors[0].kind {
+        assert_eq!(result.warnings.len(), 1);
        match &result.warnings[0].kind {
            DiagnosticKind::UnknownKey {
                suggestion: Some(s),
            } => assert_eq!(s, "model"),
@@ -809,7 +887,7 @@ mod tests {
    #[test]
    fn format_diagnostics_includes_all_entries() {
        // given
-        let source = r#"{"permissionMode": "plan", "badKey": 1}"#;
+        let source = r#"{"model": 42, "badKey": 1}"#;
        let parsed = JsonValue::parse(source).expect("valid json");
        let object = parsed.as_object().expect("object");
        let result = validate_config_file(object, source, &test_path());
@@ -821,7 +899,7 @@ mod tests {
        assert!(output.contains("warning:"));
        assert!(output.contains("error:"));
        assert!(output.contains("badKey"));
-        assert!(output.contains("permissionMode"));
+        assert!(output.contains("model"));
    }
    #[test]
--- a/rust/crates/runtime/src/hooks.rs
+++ b/rust/crates/runtime/src/hooks.rs
@@ -11,7 +11,7 @@ use std::time::Duration;
 use serde_json::{json, Value};
-use crate::config::{RuntimeFeatureConfig, RuntimeHookConfig};
+use crate::config::{RuntimeFeatureConfig, RuntimeHookCommand, RuntimeHookConfig};
 use crate::permissions::PermissionOverride;
 const HOOK_PREVIEW_CHAR_LIMIT: usize = 160;
@@ -182,7 +182,7 @@ impl HookRunner {
    ) -> HookRunResult {
        Self::run_commands(
            HookEvent::PreToolUse,
-            self.config.pre_tool_use(),
+            self.config.pre_tool_use_entries(),
            tool_name,
            tool_input,
            None,
@@ -232,7 +232,7 @@ impl HookRunner {
    ) -> HookRunResult {
        Self::run_commands(
            HookEvent::PostToolUse,
-            self.config.post_tool_use(),
+            self.config.post_tool_use_entries(),
            tool_name,
            tool_input,
            Some(tool_output),
@@ -282,7 +282,7 @@ impl HookRunner {
    ) -> HookRunResult {
        Self::run_commands(
            HookEvent::PostToolUseFailure,
-            self.config.post_tool_use_failure(),
+            self.config.post_tool_use_failure_entries(),
            tool_name,
            tool_input,
            Some(tool_error),
@@ -312,7 +312,7 @@ impl HookRunner {
    #[allow(clippy::too_many_arguments)]
    fn run_commands(
        event: HookEvent,
-        commands: &[String],
+        commands: &[RuntimeHookCommand],
        tool_name: &str,
        tool_input: &str,
        tool_output: Option<&str>,
@@ -342,17 +342,21 @@ impl HookRunner {
        let payload = hook_payload(event, tool_name, tool_input, tool_output, is_error).to_string();
        let mut result = HookRunResult::allow(Vec::new());
-        for command in commands {
+        for command in commands
            .iter()
            .filter(|command| command.matches_tool(tool_name))
        {
            let command_text = command.command();
            if let Some(reporter) = reporter.as_deref_mut() {
                reporter.on_event(&HookProgressEvent::Started {
                    event,
                    tool_name: tool_name.to_string(),
-                    command: command.clone(),
+                    command: command_text.to_string(),
                });
            }
            match Self::run_command(
-                command,
+                command_text,
                event,
                tool_name,
                tool_input,
@@ -366,7 +370,7 @@ impl HookRunner {
                        reporter.on_event(&HookProgressEvent::Completed {
                            event,
                            tool_name: tool_name.to_string(),
-                            command: command.clone(),
+                            command: command_text.to_string(),
                        });
                    }
                    merge_parsed_hook_output(&mut result, parsed);
@@ -376,7 +380,7 @@ impl HookRunner {
                        reporter.on_event(&HookProgressEvent::Completed {
                            event,
                            tool_name: tool_name.to_string(),
-                            command: command.clone(),
+                            command: command_text.to_string(),
                        });
                    }
                    merge_parsed_hook_output(&mut result, parsed);
@@ -388,7 +392,7 @@ impl HookRunner {
                        reporter.on_event(&HookProgressEvent::Completed {
                            event,
                            tool_name: tool_name.to_string(),
-                            command: command.clone(),
+                            command: command_text.to_string(),
                        });
                    }
                    merge_parsed_hook_output(&mut result, parsed);
@@ -400,7 +404,7 @@ impl HookRunner {
                        reporter.on_event(&HookProgressEvent::Cancelled {
                            event,
                            tool_name: tool_name.to_string(),
-                            command: command.clone(),
+                            command: command_text.to_string(),
                        });
                    }
                    result.cancelled = true;
@@ -737,7 +741,7 @@ fn format_hook_failure(command: &str, code: i32, stdout: Option<&str>, stderr: &
 fn shell_command(command: &str) -> CommandWithStdin {
    #[cfg(windows)]
-    let mut command_builder = {
+    let command_builder = {
        let mut command_builder = Command::new("cmd");
        command_builder.arg("/C").arg(command);
        CommandWithStdin::new(command_builder)
@@ -825,7 +829,7 @@ mod tests {
        HookAbortSignal, HookEvent, HookProgressEvent, HookProgressReporter, HookRunResult,
        HookRunner,
    };
-    use crate::config::{RuntimeFeatureConfig, RuntimeHookConfig};
+    use crate::config::{RuntimeFeatureConfig, RuntimeHookCommand, RuntimeHookConfig};
    use crate::permissions::PermissionOverride;
    struct RecordingReporter {
@@ -851,6 +855,37 @@ mod tests {
        assert_eq!(result, HookRunResult::allow(vec!["pre ok".to_string()]));
    }
    #[test]
    fn object_style_hook_matchers_filter_runtime_execution() {
        let runner = HookRunner::new(RuntimeHookConfig::from_hook_commands(
            vec![
                RuntimeHookCommand::new(shell_snippet("printf 'legacy'")),
                RuntimeHookCommand::with_matcher(
                    shell_snippet("printf 'bash only'"),
                    Some("Bash".to_string()),
                ),
                RuntimeHookCommand::with_matcher(
                    shell_snippet("printf 'read only'"),
                    Some("Read*".to_string()),
                ),
            ],
            Vec::new(),
            Vec::new(),
        ));
        let read_result = runner.run_pre_tool_use("ReadFile", r#"{"path":"README.md"}"#);
        let bash_result = runner.run_pre_tool_use("Bash", r#"{"command":"pwd"}"#);
        assert_eq!(
            read_result,
            HookRunResult::allow(vec!["legacy".to_string(), "read only".to_string()])
        );
        assert_eq!(
            bash_result,
            HookRunResult::allow(vec!["legacy".to_string(), "bash only".to_string()])
        );
    }
    #[test]
    fn denies_exit_code_two() {
        let runner = HookRunner::new(RuntimeHookConfig::new(
--- a/rust/crates/runtime/src/lib.rs
+++ b/rust/crates/runtime/src/lib.rs
@@ -65,11 +65,12 @@ pub use compact::{
    get_compact_continuation_message, should_compact, CompactionConfig, CompactionResult,
 };
 pub use config::{
-    suppress_config_warnings_for_json_mode, ConfigEntry, ConfigError, ConfigLoader, ConfigSource,
+    suppress_config_warnings_for_json_mode, ConfigEntry, ConfigError, ConfigFileReport,
-    McpConfigCollection, McpManagedProxyServerConfig, McpOAuthConfig, McpRemoteServerConfig,
+    ConfigFileStatus, ConfigInspection, ConfigLoader, ConfigSource, McpConfigCollection,
-    McpSdkServerConfig, McpServerConfig, McpStdioServerConfig, McpTransport,
+    McpManagedProxyServerConfig, McpOAuthConfig, McpRemoteServerConfig, McpSdkServerConfig,
-    McpWebSocketServerConfig, OAuthConfig, ProviderFallbackConfig, ResolvedPermissionMode,
+    McpServerConfig, McpStdioServerConfig, McpTransport, McpWebSocketServerConfig, OAuthConfig,
-    RuntimeConfig, RuntimeFeatureConfig, RuntimeHookConfig, RuntimePermissionRuleConfig,
+    ProviderFallbackConfig, ResolvedPermissionMode, RulesImportConfig, RuntimeConfig,
    RuntimeFeatureConfig, RuntimeHookCommand, RuntimeHookConfig, RuntimePermissionRuleConfig,
    RuntimePluginConfig, ScopedMcpServerConfig, CLAW_SETTINGS_SCHEMA_NAME,
 };
 pub use config_validate::{
--- a/rust/crates/runtime/src/prompt.rs
+++ b/rust/crates/runtime/src/prompt.rs
@@ -3,7 +3,7 @@ use std::hash::{Hash, Hasher};
 use std::path::{Path, PathBuf};
 use std::process::Command;
-use crate::config::{ConfigError, ConfigLoader, RuntimeConfig};
+use crate::config::{ConfigError, ConfigLoader, RulesImportConfig, RuntimeConfig};
 use crate::git_context::GitContext;
 /// Errors raised while assembling the final system prompt.
@@ -86,7 +86,24 @@ impl ProjectContext {
        current_date: impl Into<String>,
    ) -> std::io::Result<Self> {
        let cwd = cwd.into();
-        let instruction_files = discover_instruction_files(&cwd)?;
+        let instruction_files = discover_instruction_files(&cwd, &RulesImportConfig::default())?;
        Ok(Self {
            cwd,
            current_date: current_date.into(),
            git_status: None,
            git_diff: None,
            git_context: None,
            instruction_files,
        })
    }
    pub fn discover_with_rules_import(
        cwd: impl Into<PathBuf>,
        current_date: impl Into<String>,
        rules_import: &RulesImportConfig,
    ) -> std::io::Result<Self> {
        let cwd = cwd.into();
        let instruction_files = discover_instruction_files(&cwd, rules_import)?;
        Ok(Self {
            cwd,
            current_date: current_date.into(),
@@ -109,6 +126,18 @@ impl ProjectContext {
    }
 }
 fn discover_with_git_and_rules_import(
    cwd: impl Into<PathBuf>,
    current_date: impl Into<String>,
    rules_import: &RulesImportConfig,
 ) -> std::io::Result<ProjectContext> {
    let mut context = ProjectContext::discover_with_rules_import(cwd, current_date, rules_import)?;
    context.git_status = read_git_status(&context.cwd);
    context.git_diff = read_git_diff(&context.cwd);
    context.git_context = GitContext::detect(&context.cwd);
    Ok(context)
 }
 /// Builder for the runtime system prompt and dynamic environment sections.
 #[derive(Debug, Clone, Default, PartialEq, Eq)]
 pub struct SystemPromptBuilder {
@@ -227,7 +256,10 @@ pub fn prepend_bullets(items: Vec<String>) -> Vec<String> {
    items.into_iter().map(|item| format!(" - {item}")).collect()
 }
-fn discover_instruction_files(cwd: &Path) -> std::io::Result<Vec<ContextFile>> {
+fn discover_instruction_files(
    cwd: &Path,
    rules_import: &RulesImportConfig,
 ) -> std::io::Result<Vec<ContextFile>> {
    let mut directories = Vec::new();
    let mut cursor = Some(cwd);
    while let Some(dir) = cursor {
@@ -240,17 +272,25 @@ fn discover_instruction_files(cwd: &Path) -> std::io::Result<Vec<ContextFile>> {
    for dir in directories {
        for candidate in [
            dir.join("CLAUDE.md"),
            dir.join("AGENTS.md"),
            dir.join("CLAUDE.local.md"),
            dir.join(".claw").join("CLAUDE.md"),
            dir.join(".claude").join("CLAUDE.md"),
            dir.join(".claw").join("instructions.md"),
        ] {
            push_context_file(&mut files, candidate)?;
        }
        push_rules_dir(&mut files, dir.join(".claw").join("rules"))?;
        push_rules_dir(&mut files, dir.join(".claw").join("rules.local"))?;
        push_framework_imports(&mut files, &dir, rules_import)?
    }
    Ok(dedupe_instruction_files(files))
 }
 fn push_context_file(files: &mut Vec<ContextFile>, path: PathBuf) -> std::io::Result<()> {
    if path.is_dir() {
        return Ok(());
    }
    match fs::read_to_string(&path) {
        Ok(content) if !content.trim().is_empty() => {
            files.push(ContextFile { path, content });
@@ -262,6 +302,64 @@ fn push_context_file(files: &mut Vec<ContextFile>, path: PathBuf) -> std::io::Re
    }
 }
 fn push_rules_dir(files: &mut Vec<ContextFile>, dir: PathBuf) -> std::io::Result<()> {
    if dir.is_file() {
        return Ok(());
    }
    let entries = match fs::read_dir(&dir) {
        Ok(entries) => entries,
        Err(error) if error.kind() == std::io::ErrorKind::NotFound => return Ok(()),
        Err(error) => return Err(error),
    };
    let mut paths = entries
        .filter_map(Result::ok)
        .map(|entry| entry.path())
        .filter(|path| path.is_file() && is_supported_rule_file(path))
        .collect::<Vec<_>>();
    paths.sort();
    for path in paths {
        push_context_file(files, path)?;
    }
    Ok(())
 }
 fn is_supported_rule_file(path: &Path) -> bool {
    path.extension()
        .and_then(|extension| extension.to_str())
        .is_some_and(|extension| {
            matches!(
                extension.to_ascii_lowercase().as_str(),
                "md" | "txt" | "mdc"
            )
        })
 }
 fn push_framework_imports(
    files: &mut Vec<ContextFile>,
    dir: &Path,
    rules_import: &RulesImportConfig,
 ) -> std::io::Result<()> {
    if rules_import.should_import("cursor") {
        push_context_file(files, dir.join(".cursorrules"))?;
        push_rules_dir(files, dir.join(".cursor").join("rules"))?;
    }
    if rules_import.should_import("copilot") {
        push_context_file(files, dir.join(".github").join("copilot-instructions.md"))?;
    }
    if rules_import.should_import("windsurf") {
        push_context_file(files, dir.join(".windsurfrules"))?;
        push_rules_dir(files, dir.join(".windsurfrules"))?;
    }
    if rules_import.should_import("plandex") {
        push_context_file(files, dir.join(".plandex").join("instructions.md"))?;
    }
    if rules_import.should_import("crush") {
        push_context_file(files, dir.join(".crush").join("CLAUDE.md"))?;
        push_rules_dir(files, dir.join(".crush").join("rules"))?;
    }
    Ok(())
 }
 fn read_git_status(cwd: &Path) -> Option<String> {
    let output = Command::new("git")
        .args(["--no-optional-locks", "status", "--short", "--branch"])
@@ -476,8 +574,9 @@ pub fn load_system_prompt(
    model_family: ModelFamilyIdentity,
 ) -> Result<Vec<String>, PromptBuildError> {
    let cwd = cwd.into();
    let project_context = ProjectContext::discover_with_git(&cwd, current_date.into())?;
    let config = ConfigLoader::default_for(&cwd).load()?;
    let project_context =
        discover_with_git_and_rules_import(&cwd, current_date.into(), config.rules_import())?;
    Ok(SystemPromptBuilder::new()
        .with_os(os_name, os_version)
        .with_model_family(model_family)
@@ -590,6 +689,78 @@ mod tests {
        }
    }
    #[test]
    fn discovers_claw_rules_files_in_sorted_order() {
        let root = temp_dir();
        let rules = root.join(".claw").join("rules");
        let local_rules = root.join(".claw").join("rules.local");
        fs::create_dir_all(&rules).expect("rules dir");
        fs::create_dir_all(&local_rules).expect("local rules dir");
        fs::write(rules.join("b.txt"), "b rule").expect("write b rule");
        fs::write(rules.join("a.md"), "a rule").expect("write a rule");
        fs::write(rules.join("ignored.json"), "ignored rule").expect("write ignored");
        fs::write(local_rules.join("c.mdc"), "c local rule").expect("write local rule");
        let context = ProjectContext::discover(&root, "2026-03-31").expect("context should load");
        let contents = context
            .instruction_files
            .iter()
            .map(|file| file.content.as_str())
            .collect::<Vec<_>>();
        assert_eq!(contents, vec!["a rule", "b rule", "c local rule"]);
        fs::remove_dir_all(root).expect("cleanup temp dir");
    }
    #[test]
    fn rules_import_none_suppresses_external_framework_rules() {
        let root = temp_dir();
        fs::create_dir_all(root.join(".claw").join("rules")).expect("rules dir");
        fs::write(
            root.join(".claw").join("rules").join("project.md"),
            "claw rule",
        )
        .expect("write claw rule");
        fs::write(root.join(".cursorrules"), "cursor rule").expect("write cursor rule");
        let context = ProjectContext::discover_with_rules_import(
            &root,
            "2026-03-31",
            &crate::config::RulesImportConfig::None,
        )
        .expect("context should load");
        let rendered = render_instruction_files(&context.instruction_files);
        assert!(rendered.contains("claw rule"));
        assert!(!rendered.contains("cursor rule"));
        fs::remove_dir_all(root).expect("cleanup temp dir");
    }
    #[test]
    fn rules_import_list_loads_only_selected_framework_rules() {
        let root = temp_dir();
        fs::create_dir_all(&root).expect("root dir");
        fs::write(root.join(".cursorrules"), "cursor rule").expect("write cursor rule");
        fs::create_dir_all(root.join(".github")).expect("github dir");
        fs::write(
            root.join(".github").join("copilot-instructions.md"),
            "copilot rule",
        )
        .expect("write copilot rule");
        let context = ProjectContext::discover_with_rules_import(
            &root,
            "2026-03-31",
            &crate::config::RulesImportConfig::List(vec!["copilot".to_string()]),
        )
        .expect("context should load");
        let rendered = render_instruction_files(&context.instruction_files);
        assert!(rendered.contains("copilot rule"));
        assert!(!rendered.contains("cursor rule"));
        fs::remove_dir_all(root).expect("cleanup temp dir");
    }
    #[test]
    fn discovers_instruction_files_from_ancestor_chain() {
        let root = temp_dir();
@@ -636,6 +807,63 @@ mod tests {
        fs::remove_dir_all(root).expect("cleanup temp dir");
    }
    #[test]
    fn discovers_agents_markdown_instruction_file() {
        let root = temp_dir();
        fs::create_dir_all(&root).expect("root dir");
        fs::write(root.join("AGENTS.md"), "agents-only instructions").expect("write AGENTS.md");
        let context = ProjectContext::discover(&root, "2026-03-31").expect("context should load");
        assert_eq!(context.instruction_files.len(), 1);
        assert!(context.instruction_files[0].path.ends_with("AGENTS.md"));
        assert!(render_instruction_files(&context.instruction_files)
            .contains("agents-only instructions"));
        fs::remove_dir_all(root).expect("cleanup temp dir");
    }
    #[test]
    fn discovers_scoped_dot_claude_claude_markdown_instruction_file() {
        let root = temp_dir();
        fs::create_dir_all(root.join(".claude")).expect("dot claude dir");
        fs::write(
            root.join(".claude").join("CLAUDE.md"),
            "dot-claude-only instructions",
        )
        .expect("write .claude/CLAUDE.md");
        let context = ProjectContext::discover(&root, "2026-03-31").expect("context should load");
        assert_eq!(context.instruction_files.len(), 1);
        assert!(context.instruction_files[0]
            .path
            .ends_with(".claude/CLAUDE.md"));
        assert!(render_instruction_files(&context.instruction_files)
            .contains("dot-claude-only instructions"));
        fs::remove_dir_all(root).expect("cleanup temp dir");
    }
    #[test]
    fn discovers_claude_agents_and_dot_claude_instruction_files_together() {
        let root = temp_dir();
        fs::create_dir_all(root.join(".claude")).expect("dot claude dir");
        fs::write(root.join("CLAUDE.md"), "claude instructions").expect("write CLAUDE.md");
        fs::write(root.join("AGENTS.md"), "agents instructions").expect("write AGENTS.md");
        fs::write(
            root.join(".claude").join("CLAUDE.md"),
            "dot claude instructions",
        )
        .expect("write .claude/CLAUDE.md");
        let context = ProjectContext::discover(&root, "2026-03-31").expect("context should load");
        let rendered = render_instruction_files(&context.instruction_files);
        assert!(rendered.contains("claude instructions"));
        assert!(rendered.contains("agents instructions"));
        assert!(rendered.contains("dot claude instructions"));
        fs::remove_dir_all(root).expect("cleanup temp dir");
    }
    #[test]
    fn dedupes_identical_instruction_content_across_scopes() {
        let root = temp_dir();
@@ -876,6 +1104,51 @@ mod tests {
        fs::remove_dir_all(root).expect("cleanup temp dir");
    }
    #[test]
    fn load_system_prompt_respects_rules_import_config() {
        let root = temp_dir();
        fs::create_dir_all(root.join(".claw")).expect("claw dir");
        fs::write(root.join(".cursorrules"), "cursor rule").expect("write cursor rule");
        fs::write(
            root.join(".claw").join("settings.json"),
            r#"{"rulesImport":"none"}"#,
        )
        .expect("write settings");
        let _guard = env_lock();
        ensure_valid_cwd();
        let previous = std::env::current_dir().expect("cwd");
        let original_home = std::env::var("HOME").ok();
        let original_claw_home = std::env::var("CLAW_CONFIG_HOME").ok();
        std::env::set_var("HOME", &root);
        std::env::set_var("CLAW_CONFIG_HOME", root.join("missing-home"));
        std::env::set_current_dir(&root).expect("change cwd");
        let prompt = super::load_system_prompt(
            &root,
            "2026-03-31",
            "linux",
            "6.8",
            ModelFamilyIdentity::Claude,
        )
        .expect("system prompt should load")
        .join("\n\n");
        std::env::set_current_dir(previous).expect("restore cwd");
        if let Some(value) = original_home {
            std::env::set_var("HOME", value);
        } else {
            std::env::remove_var("HOME");
        }
        if let Some(value) = original_claw_home {
            std::env::set_var("CLAW_CONFIG_HOME", value);
        } else {
            std::env::remove_var("CLAW_CONFIG_HOME");
        }
        assert!(!prompt.contains("cursor rule"));
        assert!(prompt.contains("rulesImport"));
        fs::remove_dir_all(root).expect("cleanup temp dir");
    }
    #[test]
    fn renders_default_claude_model_family_identity() {
        // given: a prompt builder without an explicit model family override
--- a/rust/crates/rusty-claude-cli/Cargo.toml
+++ b/rust/crates/rusty-claude-cli/Cargo.toml
@@ -12,7 +12,6 @@ path = "src/main.rs"
 [dependencies]
 api = { path = "../api" }
 commands = { path = "../commands" }
 compat-harness = { path = "../compat-harness" }
 crossterm = "0.28"
 pulldown-cmark = "0.13"
 rustyline = "15"
--- a/rust/crates/rusty-claude-cli/src/main.rs
+++ b/rust/crates/rusty-claude-cli/src/main.rs
--- a/rust/crates/rusty-claude-cli/tests/compact_output.rs
+++ b/rust/crates/rusty-claude-cli/tests/compact_output.rs
@@ -1,6 +1,7 @@
 #![allow(clippy::while_let_on_iterator)]
 use std::fs;
 use std::io::Write;
 use std::path::PathBuf;
 use std::process::{Command, Output, Stdio};
 use std::sync::atomic::{AtomicU64, Ordering};
@@ -245,6 +246,119 @@ stderr:
    fs::remove_dir_all(&workspace).expect("workspace cleanup should succeed");
 }
 #[test]
 fn prompt_subcommand_reads_prompt_from_stdin_when_no_positional_arg_423() {
    let runtime = tokio::runtime::Runtime::new().expect("tokio runtime should build");
    let server = runtime
        .block_on(MockAnthropicService::spawn())
        .expect("mock service should start");
    let base_url = server.base_url();
    let workspace = unique_temp_dir("prompt-stdin-423");
    let config_home = workspace.join("config-home");
    let home = workspace.join("home");
    fs::create_dir_all(&workspace).expect("workspace should exist");
    fs::create_dir_all(&config_home).expect("config home should exist");
    fs::create_dir_all(&home).expect("home should exist");
    let prompt = format!("{SCENARIO_PREFIX}streaming_text\n");
    let output = run_claw_with_stdin(
        &workspace,
        &config_home,
        &home,
        &base_url,
        &[
            "prompt",
            "--output-format",
            "json",
            "--compact",
            "--permission-mode",
            "read-only",
            "--model",
            "sonnet",
        ],
        &prompt,
    );
    assert!(
        output.status.success(),
        "prompt stdin run should succeed\nstdout:\n{}\n\nstderr:\n{}",
        String::from_utf8_lossy(&output.stdout),
        String::from_utf8_lossy(&output.stderr),
    );
    let parsed: Value = serde_json::from_slice(&output.stdout).expect("stdout should parse");
    assert_eq!(
        parsed["message"],
        "Mock streaming says hello from the parity harness."
    );
    let captured = runtime.block_on(server.captured_requests());
    assert!(
        captured
            .iter()
            .any(|request| request.raw_body.contains("PARITY_SCENARIO:streaming_text")),
        "stdin prompt should reach the provider request: {captured:?}"
    );
    fs::remove_dir_all(&workspace).expect("workspace cleanup should succeed");
 }
 #[test]
 fn prompt_subcommand_stdin_flag_appends_pipe_context_423() {
    let runtime = tokio::runtime::Runtime::new().expect("tokio runtime should build");
    let server = runtime
        .block_on(MockAnthropicService::spawn())
        .expect("mock service should start");
    let base_url = server.base_url();
    let workspace = unique_temp_dir("prompt-stdin-flag-423");
    let config_home = workspace.join("config-home");
    let home = workspace.join("home");
    fs::create_dir_all(&workspace).expect("workspace should exist");
    fs::create_dir_all(&config_home).expect("config home should exist");
    fs::create_dir_all(&home).expect("home should exist");
    let prompt_context = format!("{SCENARIO_PREFIX}streaming_text\n");
    let output = run_claw_with_stdin(
        &workspace,
        &config_home,
        &home,
        &base_url,
        &[
            "prompt",
            "Use stdin context",
            "--stdin",
            "--output-format",
            "json",
            "--compact",
            "--permission-mode",
            "read-only",
            "--model",
            "sonnet",
        ],
        &prompt_context,
    );
    assert!(
        output.status.success(),
        "prompt --stdin run should succeed\nstdout:\n{}\n\nstderr:\n{}",
        String::from_utf8_lossy(&output.stdout),
        String::from_utf8_lossy(&output.stderr),
    );
    let captured = runtime.block_on(server.captured_requests());
    let provider_body = captured
        .iter()
        .find(|request| request.raw_body.contains("Use stdin context"))
        .expect("merged prompt should reach provider");
    assert!(
        provider_body
            .raw_body
            .contains("PARITY_SCENARIO:streaming_text"),
        "merged prompt should include stdin context: {provider_body:?}"
    );
    fs::remove_dir_all(&workspace).expect("workspace cleanup should succeed");
 }
 #[test]
 fn compact_subcommand_json_help_fails_fast_when_stdin_closed() {
    let workspace = unique_temp_dir("compact-nontty-json-help");
@@ -356,6 +470,39 @@ fn run_claw(
    command.output().expect("claw should launch")
 }
 fn run_claw_with_stdin(
    cwd: &std::path::Path,
    config_home: &std::path::Path,
    home: &std::path::Path,
    base_url: &str,
    args: &[&str],
    stdin: &str,
 ) -> Output {
    let mut child = Command::new(env!("CARGO_BIN_EXE_claw"))
        .current_dir(cwd)
        .env_clear()
        .env("ANTHROPIC_API_KEY", "test-compact-key")
        .env("ANTHROPIC_BASE_URL", base_url)
        .env("CLAW_CONFIG_HOME", config_home)
        .env("HOME", home)
        .env("NO_COLOR", "1")
        .env("PATH", "/usr/bin:/bin")
        .stdin(Stdio::piped())
        .stdout(Stdio::piped())
        .stderr(Stdio::piped())
        .args(args)
        .spawn()
        .expect("claw should launch");
    child
        .stdin
        .as_mut()
        .expect("stdin should be piped")
        .write_all(stdin.as_bytes())
        .expect("stdin should write");
    child.stdin.take();
    child.wait_with_output().expect("output should collect")
 }
 fn run_claw_closed_stdin_with_timeout(
    cwd: &std::path::Path,
    config_home: &std::path::Path,
--- a/rust/crates/rusty-claude-cli/tests/output_format_contract.rs
+++ b/rust/crates/rusty-claude-cli/tests/output_format_contract.rs
--- a/rust/crates/tools/src/lib.rs
+++ b/rust/crates/tools/src/lib.rs
@@ -201,30 +201,20 @@ impl GlobalToolRegistry {
            return Ok(None);
        }
-        let builtin_specs = mvp_tool_specs();
+        let actual_names = self.actual_tool_names();
-        let canonical_names = builtin_specs
+        let canonical_names = self.canonical_allowed_tool_names();
-            .iter()
+        let canonical_name_set = canonical_names.iter().cloned().collect::<BTreeSet<_>>();
-            .map(|spec| spec.name.to_string())
+        let mut name_map = BTreeMap::new();
-            .chain(
+        for actual in &actual_names {
-                self.plugin_tools
+            let canonical = canonical_allowed_tool_name(actual);
-                    .iter()
+            name_map.insert(allowed_tool_lookup_key(actual), canonical.clone());
-                    .map(|tool| tool.definition().name.clone()),
+            name_map.insert(allowed_tool_lookup_key(&canonical), canonical);
-            )
+        }
            .chain(self.runtime_tools.iter().map(|tool| tool.name.clone()))
            .collect::<Vec<_>>();
        let mut name_map = canonical_names
            .iter()
            .map(|name| (normalize_tool_name(name), name.clone()))
            .collect::<BTreeMap<_, _>>();
-        for (alias, canonical) in [
+        for (alias, canonical) in self.allowed_tool_aliases() {
-            ("read", "read_file"),
+            if canonical_name_set.contains(&canonical) {
-            ("write", "write_file"),
+                name_map.insert(allowed_tool_lookup_key(&alias), canonical);
-            ("edit", "edit_file"),
+            }
            ("glob", "glob_search"),
            ("grep", "grep_search"),
        ] {
            name_map.insert(alias.to_string(), canonical.to_string());
        }
        let mut allowed = BTreeSet::new();
@@ -233,11 +223,11 @@ impl GlobalToolRegistry {
                .split(|ch: char| ch == ',' || ch.is_whitespace())
                .filter(|token| !token.is_empty())
            {
-                let normalized = normalize_tool_name(token);
+                let canonical = name_map.get(&allowed_tool_lookup_key(token)).ok_or_else(|| {
                let canonical = name_map.get(&normalized).ok_or_else(|| {
                    format!(
-                        "unsupported tool in --allowedTools: {token} (expected one of: {})",
+                        "invalid_tool_name: unsupported tool in --allowedTools: {token}\nAvailable: {}\nAliases: {}\nHint: Use canonical snake_case tool names from Available or aliases from Aliases.",
-                        canonical_names.join(", ")
+                        canonical_names.join(", "),
                        format_allowed_tool_aliases(&self.allowed_tool_aliases())
                    )
                })?;
                allowed.insert(canonical.clone());
@@ -258,7 +248,10 @@ impl GlobalToolRegistry {
    pub fn definitions(&self, allowed_tools: Option<&BTreeSet<String>>) -> Vec<ToolDefinition> {
        let builtin = mvp_tool_specs()
            .into_iter()
-            .filter(|spec| allowed_tools.is_none_or(|allowed| allowed.contains(spec.name)))
+            .filter(|spec| {
                allowed_tools
                    .is_none_or(|allowed| allowed.contains(&canonical_allowed_tool_name(spec.name)))
            })
            .map(|spec| ToolDefinition {
                name: spec.name.to_string(),
                description: Some(spec.description.to_string()),
@@ -267,7 +260,11 @@ impl GlobalToolRegistry {
        let runtime = self
            .runtime_tools
            .iter()
-            .filter(|tool| allowed_tools.is_none_or(|allowed| allowed.contains(tool.name.as_str())))
+            .filter(|tool| {
                allowed_tools.is_none_or(|allowed| {
                    allowed.contains(&canonical_allowed_tool_name(&tool.name))
                })
            })
            .map(|tool| ToolDefinition {
                name: tool.name.clone(),
                description: tool.description.clone(),
@@ -277,8 +274,11 @@ impl GlobalToolRegistry {
            .plugin_tools
            .iter()
            .filter(|tool| {
-                allowed_tools
+                allowed_tools.is_none_or(|allowed| {
-                    .is_none_or(|allowed| allowed.contains(tool.definition().name.as_str()))
+                    allowed.contains(&canonical_allowed_tool_name(
                        tool.definition().name.as_str(),
                    ))
                })
            })
            .map(|tool| ToolDefinition {
                name: tool.definition().name.clone(),
@@ -294,19 +294,29 @@ impl GlobalToolRegistry {
    ) -> Result<Vec<(String, PermissionMode)>, String> {
        let builtin = mvp_tool_specs()
            .into_iter()
-            .filter(|spec| allowed_tools.is_none_or(|allowed| allowed.contains(spec.name)))
+            .filter(|spec| {
                allowed_tools
                    .is_none_or(|allowed| allowed.contains(&canonical_allowed_tool_name(spec.name)))
            })
            .map(|spec| (spec.name.to_string(), spec.required_permission));
        let runtime = self
            .runtime_tools
            .iter()
-            .filter(|tool| allowed_tools.is_none_or(|allowed| allowed.contains(tool.name.as_str())))
+            .filter(|tool| {
                allowed_tools.is_none_or(|allowed| {
                    allowed.contains(&canonical_allowed_tool_name(&tool.name))
                })
            })
            .map(|tool| (tool.name.clone(), tool.required_permission));
        let plugin = self
            .plugin_tools
            .iter()
            .filter(|tool| {
-                allowed_tools
+                allowed_tools.is_none_or(|allowed| {
-                    .is_none_or(|allowed| allowed.contains(tool.definition().name.as_str()))
+                    allowed.contains(&canonical_allowed_tool_name(
                        tool.definition().name.as_str(),
                    ))
                })
            })
            .map(|tool| {
                permission_mode_from_plugin(tool.required_permission())
@@ -316,6 +326,52 @@ impl GlobalToolRegistry {
        Ok(builtin.chain(runtime).chain(plugin).collect())
    }
    #[must_use]
    pub fn actual_tool_names(&self) -> Vec<String> {
        mvp_tool_specs()
            .iter()
            .map(|spec| spec.name.to_string())
            .chain(
                self.plugin_tools
                    .iter()
                    .map(|tool| tool.definition().name.clone()),
            )
            .chain(self.runtime_tools.iter().map(|tool| tool.name.clone()))
            .collect()
    }
    #[must_use]
    pub fn canonical_allowed_tool_names(&self) -> Vec<String> {
        self.actual_tool_names()
            .into_iter()
            .map(|name| canonical_allowed_tool_name(&name))
            .collect::<BTreeSet<_>>()
            .into_iter()
            .collect()
    }
    #[must_use]
    pub fn allowed_tool_aliases(&self) -> BTreeMap<String, String> {
        let mut aliases = BTreeMap::from([
            ("read".to_string(), "read_file".to_string()),
            ("Read".to_string(), "read_file".to_string()),
            ("write".to_string(), "write_file".to_string()),
            ("Write".to_string(), "write_file".to_string()),
            ("edit".to_string(), "edit_file".to_string()),
            ("Edit".to_string(), "edit_file".to_string()),
            ("glob".to_string(), "glob_search".to_string()),
            ("Glob".to_string(), "glob_search".to_string()),
            ("grep".to_string(), "grep_search".to_string()),
            ("Grep".to_string(), "grep_search".to_string()),
        ]);
        for actual in self.actual_tool_names() {
            let canonical = canonical_allowed_tool_name(&actual);
            if actual != canonical {
                aliases.insert(actual, canonical);
            }
        }
        aliases
    }
    #[must_use]
    pub fn has_runtime_tool(&self, name: &str) -> bool {
        self.runtime_tools.iter().any(|tool| tool.name == name)
@@ -378,8 +434,40 @@ impl GlobalToolRegistry {
    }
 }
-fn normalize_tool_name(value: &str) -> String {
+pub fn canonical_allowed_tool_name(value: &str) -> String {
-    value.trim().replace('-', "_").to_ascii_lowercase()
+    let trimmed = value.trim().replace('-', "_");
    let mut output = String::new();
    let chars = trimmed.chars().collect::<Vec<_>>();
    for (index, ch) in chars.iter().copied().enumerate() {
        if ch == '_' || ch.is_whitespace() {
            output.push('_');
            continue;
        }
        let previous = index.checked_sub(1).and_then(|i| chars.get(i)).copied();
        let next = chars.get(index + 1).copied();
        if ch.is_ascii_uppercase()
            && index > 0
            && !output.ends_with('_')
            && (previous.is_some_and(|p| p.is_ascii_lowercase() || p.is_ascii_digit())
                || next.is_some_and(|n| n.is_ascii_lowercase()))
        {
            output.push('_');
        }
        output.push(ch.to_ascii_lowercase());
    }
    output.trim_matches('_').to_string()
 }
 fn allowed_tool_lookup_key(value: &str) -> String {
    canonical_allowed_tool_name(value).replace('_', "")
 }
 fn format_allowed_tool_aliases(aliases: &BTreeMap<String, String>) -> String {
    aliases
        .iter()
        .map(|(alias, canonical)| format!("{alias}={canonical}"))
        .collect::<Vec<_>>()
        .join(", ")
 }
 fn permission_mode_from_plugin(value: &str) -> Result<PermissionMode, String> {
@@ -514,7 +602,7 @@ pub fn mvp_tool_specs() -> Vec<ToolSpec> {
                "required": ["url", "prompt"],
                "additionalProperties": false
            }),
-            required_permission: PermissionMode::ReadOnly,
+            required_permission: PermissionMode::DangerFullAccess,
        },
        ToolSpec {
            name: "WebSearch",
@@ -535,7 +623,7 @@ pub fn mvp_tool_specs() -> Vec<ToolSpec> {
                "required": ["query"],
                "additionalProperties": false
            }),
-            required_permission: PermissionMode::ReadOnly,
+            required_permission: PermissionMode::DangerFullAccess,
        },
        ToolSpec {
            name: "TodoWrite",
@@ -1225,13 +1313,14 @@ pub fn mvp_tool_specs() -> Vec<ToolSpec> {
        },
        ToolSpec {
            name: "GitShow",
-            description: "Show a commit, tag, or tree object with its diff. Supports showing a specific file at a commit (commit:path) and stat-only mode. Use this instead of running git show via bash to get structured output.",
+            description: "Show a commit, tag, or tree object. Use format to control output: patch (default) shows the full diff, stat shows a diffstat summary, and metadata shows commit info without the diff. Supports showing a specific file at a commit (commit:path) for patch/stat output. Use this instead of running git show via bash to get structured output.",
            input_schema: json!({
                "type": "object",
                "properties": {
                    "commit": { "type": "string" },
                    "path": { "type": "string" },
-                    "stat": { "type": "boolean" }
+                    "stat": { "type": "boolean" },
                    "format": { "type": "string", "enum": ["patch", "stat", "metadata"] },
                },
                "required": ["commit"],
                "additionalProperties": false
@@ -1320,8 +1409,26 @@ fn execute_tool_with_enforcer(
            maybe_enforce_permission_check_with_mode(enforcer, name, input, required_mode)?;
            run_grep_search(grep_input)
        }
-        "WebFetch" => from_value::<WebFetchInput>(input).and_then(run_web_fetch),
+        "WebFetch" => {
-        "WebSearch" => from_value::<WebSearchInput>(input).and_then(run_web_search),
+            let web_input = from_value::<WebFetchInput>(input)?;
            maybe_enforce_permission_check_with_mode(
                enforcer,
                name,
                input,
                PermissionMode::DangerFullAccess,
            )?;
            run_web_fetch(web_input)
        }
        "WebSearch" => {
            let web_input = from_value::<WebSearchInput>(input)?;
            maybe_enforce_permission_check_with_mode(
                enforcer,
                name,
                input,
                PermissionMode::DangerFullAccess,
            )?;
            run_web_search(web_input)
        }
        "TodoWrite" => from_value::<TodoWriteInput>(input).and_then(run_todo_write),
        "Skill" => from_value::<SkillInput>(input).and_then(run_skill),
        "Agent" => from_value::<AgentInput>(input).and_then(run_agent),
@@ -2008,14 +2115,37 @@ fn run_git_log(input: GitLogInput) -> Result<String, String> {
    }
 }
 #[allow(clippy::needless_pass_by_value)]
 /// Execute `git show` for a given commit, optionally with --stat or a file path.
 /// Uses the `commit:path` syntax when a path is specified.
 fn run_git_show(input: GitShowInput) -> Result<String, String> {
    let mut args: Vec<String> = vec!["show".to_string()];
-    if input.stat.unwrap_or(false) {
+
-        args.push("--stat".to_string());
+    match input.format.as_deref() {
        Some("metadata") if input.path.is_some() => {
            return Err(
                "GitShow format \"metadata\" cannot be combined with path; metadata describes a commit, not a blob. Use format \"patch\" or \"stat\" with path, or omit path."
                    .to_string(),
            );
        }
        Some("metadata") => {
            args.push("--format=medium".to_string());
            args.push("--no-patch".to_string());
        }
        Some("stat") => {
            args.push("--stat".to_string());
        }
        Some("patch") | None => {
            if input.format.is_none() && input.stat.unwrap_or(false) {
                args.push("--stat".to_string());
            }
        }
        Some(other) => {
            return Err(format!(
                "unknown GitShow format: \"{other}\". Supported values: \"patch\" (default), \"stat\", \"metadata\"."
            ));
        }
    }
    if let Some(ref path) = input.path {
        args.push(format!("{}:{}", input.commit, path));
    } else {
@@ -2964,6 +3094,9 @@ struct GitShowInput {
    #[serde(default)]
    /// If true, show diffstat summary instead of full diff.
    stat: Option<bool>,
    #[serde(default)]
    /// Output format: "patch" (default) shows the full diff, "stat" shows a diffstat summary, and "metadata" shows commit info without the diff. When set, takes priority over `stat`.
    format: Option<String>,
 }
 /// Input for the GitBlame tool: shows per-line author/revision info for a file.
@@ -4165,7 +4298,7 @@ fn allowed_tools_for_subagent(subagent_type: &str) -> BTreeSet<String> {
            "PowerShell",
        ],
    };
-    tools.into_iter().map(str::to_string).collect()
+    tools.into_iter().map(canonical_allowed_tool_name).collect()
 }
 fn agent_permission_policy() -> PermissionPolicy {
@@ -5193,7 +5326,10 @@ impl SubagentToolExecutor {
 impl ToolExecutor for SubagentToolExecutor {
    fn execute(&mut self, tool_name: &str, input: &str) -> Result<String, ToolError> {
-        if !self.allowed_tools.contains(tool_name) {
+        if !self
            .allowed_tools
            .contains(&canonical_allowed_tool_name(tool_name))
        {
            return Err(ToolError::new(format!(
                "tool `{tool_name}` is not enabled for this sub-agent"
            )));
@@ -5208,7 +5344,10 @@ impl ToolExecutor for SubagentToolExecutor {
 fn tool_specs_for_allowed_tools(allowed_tools: Option<&BTreeSet<String>>) -> Vec<ToolSpec> {
    mvp_tool_specs()
        .into_iter()
-        .filter(|spec| allowed_tools.is_none_or(|allowed| allowed.contains(spec.name)))
+        .filter(|spec| {
            allowed_tools
                .is_none_or(|allowed| allowed.contains(&canonical_allowed_tool_name(spec.name)))
        })
        .collect()
 }
@@ -6779,6 +6918,87 @@ mod tests {
        assert!(names.contains(&"WorkerSendPrompt"));
    }
    #[test]
    fn git_show_schema_exposes_format_enum() {
        let spec = mvp_tool_specs()
            .into_iter()
            .find(|spec| spec.name == "GitShow")
            .expect("GitShow spec");
        assert_eq!(
            spec.input_schema["properties"]["format"]["enum"],
            json!(["patch", "stat", "metadata"])
        );
    }
    #[test]
    fn git_show_supports_patch_stat_metadata_and_rejects_metadata_path() {
        let _guard = env_guard();
        let root = temp_path("git-show-format");
        init_git_repo(&root);
        commit_file(&root, "README.md", "initial\nupdated\n", "update readme");
        let previous = std::env::current_dir().expect("cwd");
        std::env::set_current_dir(&root).expect("set cwd");
        let patch = execute_tool("GitShow", &json!({"commit": "HEAD", "format": "patch"}))
            .expect("patch git show");
        let patch: serde_json::Value = serde_json::from_str(&patch).expect("patch json");
        assert!(patch["output"]
            .as_str()
            .expect("patch output")
            .contains("diff --git"));
        let stat = execute_tool("GitShow", &json!({"commit": "HEAD", "format": "stat"}))
            .expect("stat git show");
        let stat: serde_json::Value = serde_json::from_str(&stat).expect("stat json");
        assert!(stat["output"]
            .as_str()
            .expect("stat output")
            .contains("README.md"));
        let legacy_stat = execute_tool("GitShow", &json!({"commit": "HEAD", "stat": true}))
            .expect("legacy stat git show");
        let legacy_stat: serde_json::Value =
            serde_json::from_str(&legacy_stat).expect("legacy stat json");
        assert!(legacy_stat["output"]
            .as_str()
            .expect("legacy stat output")
            .contains("README.md"));
        let metadata = execute_tool("GitShow", &json!({"commit": "HEAD", "format": "metadata"}))
            .expect("metadata git show");
        let metadata: serde_json::Value = serde_json::from_str(&metadata).expect("metadata json");
        let metadata_output = metadata["output"].as_str().expect("metadata output");
        assert!(metadata_output.contains("commit "));
        assert!(metadata_output.contains("update readme"));
        assert!(!metadata_output.contains("diff --git"));
        let file_patch = execute_tool(
            "GitShow",
            &json!({"commit": "HEAD", "path": "README.md", "format": "patch"}),
        )
        .expect("file patch git show");
        let file_patch: serde_json::Value =
            serde_json::from_str(&file_patch).expect("file patch json");
        assert_eq!(
            file_patch["output"].as_str().expect("file patch output"),
            "initial\nupdated"
        );
        let metadata_path = execute_tool(
            "GitShow",
            &json!({"commit": "HEAD", "path": "README.md", "format": "metadata"}),
        )
        .expect_err("metadata with path should be rejected");
        assert!(metadata_path.contains("cannot be combined with path"));
        let invalid = execute_tool("GitShow", &json!({"commit": "HEAD", "format": "bogus"}))
            .expect_err("invalid format should be rejected");
        assert!(invalid.contains("unknown GitShow format"));
        std::env::set_current_dir(&previous).expect("restore cwd");
        let _ = fs::remove_dir_all(root);
    }
    #[test]
    fn rejects_unknown_tool_names() {
        let error = execute_tool("nope", &json!({})).expect_err("tool should be rejected");
@@ -7477,6 +7697,29 @@ mod tests {
        }
    }
    #[test]
    fn allowed_tools_normalize_to_canonical_snake_case_and_aliases_432() {
        let registry = GlobalToolRegistry::builtin();
        let allowed = registry
            .normalize_allowed_tools(&["Read,WebFetch,MCP".to_string()])
            .expect("aliases and legacy names should normalize")
            .expect("allow-list should be populated");
        assert!(allowed.contains("read_file"));
        assert!(allowed.contains("web_fetch"));
        assert!(allowed.contains("mcp"));
        assert!(!allowed.contains("Read"));
        assert!(!allowed.contains("WebFetch"));
        let canonical = registry.canonical_allowed_tool_names();
        assert!(canonical.contains(&"web_fetch".to_string()));
        assert!(canonical.contains(&"todo_write".to_string()));
        assert!(!canonical.contains(&"WebFetch".to_string()));
        assert_eq!(
            registry.allowed_tool_aliases().get("WebFetch"),
            Some(&"web_fetch".to_string())
        );
    }
    #[test]
    fn runtime_tools_extend_registry_definitions_permissions_and_search() {
        let registry = GlobalToolRegistry::builtin()
@@ -8458,7 +8701,7 @@ mod tests {
            .expect("spawn job should be captured");
        assert_eq!(captured_job.prompt, "Check tests and outstanding work.");
        assert!(captured_job.allowed_tools.contains("read_file"));
-        assert!(!captured_job.allowed_tools.contains("Agent"));
+        assert!(!captured_job.allowed_tools.contains("agent"));
        let normalized = execute_tool(
            "Agent",
@@ -9058,7 +9301,7 @@ mod tests {
        let general = allowed_tools_for_subagent("general-purpose");
        assert!(general.contains("bash"));
        assert!(general.contains("write_file"));
-        assert!(!general.contains("Agent"));
+        assert!(!general.contains("agent"));
        let explore = allowed_tools_for_subagent("Explore");
        assert!(explore.contains("read_file"));
@@ -9066,13 +9309,13 @@ mod tests {
        assert!(!explore.contains("bash"));
        let plan = allowed_tools_for_subagent("Plan");
-        assert!(plan.contains("TodoWrite"));
+        assert!(plan.contains("todo_write"));
-        assert!(plan.contains("StructuredOutput"));
+        assert!(plan.contains("structured_output"));
-        assert!(!plan.contains("Agent"));
+        assert!(!plan.contains("agent"));
        let verification = allowed_tools_for_subagent("Verification");
        assert!(verification.contains("bash"));
-        assert!(verification.contains("PowerShell"));
+        assert!(verification.contains("power_shell"));
        assert!(!verification.contains("write_file"));
    }
@@ -10156,6 +10399,26 @@ printf 'pwsh:%s' "$1"
        );
    }
    #[test]
    fn given_workspace_write_enforcer_when_web_tools_then_denied() {
        let registry = workspace_write_registry();
        for (tool, input) in [
            (
                "WebFetch",
                json!({"url":"https://example.com", "prompt":"summarize"}),
            ),
            ("WebSearch", json!({"query":"rust language"})),
        ] {
            let err = registry
                .execute(tool, &input)
                .expect_err("network tools should require explicit full access");
            assert!(
                err.contains("requires 'danger-full-access'"),
                "{tool} should require elevated mode: {err}"
            );
        }
    }
    #[test]
    fn given_workspace_write_enforcer_when_bash_uses_shell_expansion_then_denied() {
        let registry = workspace_write_registry();
--- a/scripts/dogfood-probe.py
+++ b/scripts/dogfood-probe.py
@@ -0,0 +1,145 @@
 #!/usr/bin/env python3
 from __future__ import annotations
 import argparse
 import json
 import subprocess
 import sys
 from dataclasses import dataclass
 from pathlib import Path
 from typing import Sequence
@dataclass(frozen=True)
 class ProbeResult:
    kind: str
    argv: list[str]
    returncode: int | None
    stdout: bytes
    stderr: bytes
    message: str | None = None
    @property
    def stdout_text(self) -> str:
        return self.stdout.decode('utf-8', errors='replace')
    @property
    def stderr_text(self) -> str:
        return self.stderr.decode('utf-8', errors='replace')
    def to_json_dict(self) -> dict[str, object]:
        return {
            'kind': self.kind,
            'argv': self.argv,
            'returncode': self.returncode,
            'stdout': self.stdout_text,
            'stderr': self.stderr_text,
            'message': self.message,
        }
 def run_probe(argv: Sequence[str], *, timeout: float = 10.0, require_stdout_json_byte0: bool = False) -> ProbeResult:
    explicit_argv = [str(arg) for arg in argv]
    if not explicit_argv:
        return ProbeResult(
            kind='probe_error',
            argv=[],
            returncode=None,
            stdout=b'',
            stderr=b'',
            message='argv must contain at least the executable path',
        )
    try:
        completed = subprocess.run(
            explicit_argv,
            capture_output=True,
            check=False,
            timeout=timeout,
        )
    except subprocess.TimeoutExpired as exc:
        return ProbeResult(
            kind='timeout',
            argv=explicit_argv,
            returncode=None,
            stdout=exc.stdout or b'',
            stderr=exc.stderr or b'',
            message=f'probe timed out after {timeout:g}s',
        )
    except (OSError, ValueError) as exc:
        return ProbeResult(
            kind='probe_error',
            argv=explicit_argv,
            returncode=None,
            stdout=b'',
            stderr=b'',
            message=str(exc),
        )
    if require_stdout_json_byte0:
        if not completed.stdout:
            return ProbeResult(
                kind='product_error',
                argv=explicit_argv,
                returncode=completed.returncode,
                stdout=completed.stdout,
                stderr=completed.stderr,
                message='stdout is empty; expected JSON at byte 0',
            )
        if completed.stdout[:1] not in (b'{', b'['):
            return ProbeResult(
                kind='product_error',
                argv=explicit_argv,
                returncode=completed.returncode,
                stdout=completed.stdout,
                stderr=completed.stderr,
                message='stdout JSON does not start at byte 0',
            )
        try:
            json.loads(completed.stdout.decode('utf-8'))
        except (UnicodeDecodeError, json.JSONDecodeError) as exc:
            return ProbeResult(
                kind='product_error',
                argv=explicit_argv,
                returncode=completed.returncode,
                stdout=completed.stdout,
                stderr=completed.stderr,
                message=f'stdout is not parseable JSON: {exc}',
            )
    if completed.returncode != 0:
        return ProbeResult(
            kind='product_error',
            argv=explicit_argv,
            returncode=completed.returncode,
            stdout=completed.stdout,
            stderr=completed.stderr,
            message=f'process exited with code {completed.returncode}',
        )
    return ProbeResult(
        kind='ok',
        argv=explicit_argv,
        returncode=completed.returncode,
        stdout=completed.stdout,
        stderr=completed.stderr,
    )
 def main(argv: Sequence[str] | None = None) -> int:
    parser = argparse.ArgumentParser(description='Run an argv-safe dogfood probe and emit separated channels as JSON.')
    parser.add_argument('--timeout', type=float, default=10.0)
    parser.add_argument('--stdout-json-byte0', action='store_true', help='Require stdout to be parseable JSON starting at byte 0.')
    parser.add_argument('command', nargs=argparse.REMAINDER, help='Executable and arguments to run. Use -- before the target argv.')
    args = parser.parse_args(argv)
    command = args.command
    if command and command[0] == '--':
        command = command[1:]
    result = run_probe(command, timeout=args.timeout, require_stdout_json_byte0=args.stdout_json_byte0)
    print(json.dumps(result.to_json_dict(), sort_keys=True))
    return 0 if result.kind == 'ok' else 1
 if __name__ == '__main__':
    raise SystemExit(main())
--- a/tests/init.py
+++ b/tests/init.py
--- a/tests/test_roadmap_helpers.py
+++ b/tests/test_roadmap_helpers.py
@@ -9,6 +9,9 @@ from pathlib import Path
 REPO_ROOT = Path(__file__).resolve().parents[1]
 NEXT_ID = REPO_ROOT / 'scripts' / 'roadmap-next-id.sh'
 DOGFOOD_PROBE = REPO_ROOT / 'scripts' / 'dogfood-probe.py'
 def run_next_id(roadmap: Path, script: Path = NEXT_ID) -> subprocess.CompletedProcess[str]:
@@ -21,6 +24,16 @@ def run_next_id(roadmap: Path, script: Path = NEXT_ID) -> subprocess.CompletedPr
    )
 def run_dogfood_probe(args: list[str]) -> subprocess.CompletedProcess[str]:
    return subprocess.run(
        ['python3', str(DOGFOOD_PROBE), *args],
        cwd=REPO_ROOT,
        capture_output=True,
        text=True,
        check=False,
    )
 class RoadmapHelperTests(unittest.TestCase):
    def test_roadmap_next_id_prints_only_next_id_after_duplicate_check(self) -> None:
        with tempfile.TemporaryDirectory() as temp_dir:
@@ -46,6 +59,17 @@ class RoadmapHelperTests(unittest.TestCase):
        self.assertIn('999', result.stderr)
        self.assertNotIn('1000', result.stdout)
    def test_roadmap_next_id_fails_when_explicit_roadmap_path_is_missing(self) -> None:
        with tempfile.TemporaryDirectory() as temp_dir:
            roadmap = Path(temp_dir) / 'missing-ROADMAP.md'
            result = run_next_id(roadmap)
        self.assertNotEqual(0, result.returncode)
        self.assertEqual('', result.stdout)
        self.assertIn('ROADMAP not found', result.stderr)
        self.assertIn(str(roadmap), result.stderr)
    def test_roadmap_next_id_fails_closed_when_checker_is_unavailable(self) -> None:
        with tempfile.TemporaryDirectory() as temp_dir:
            script_dir = Path(temp_dir) / 'scripts'
@@ -62,6 +86,78 @@ class RoadmapHelperTests(unittest.TestCase):
        self.assertIn('required ROADMAP id checker not found or not readable', result.stderr)
        self.assertIn('refusing to print a next id', result.stderr)
    def test_dogfood_probe_runs_explicit_argv_and_separates_channels(self) -> None:
        with tempfile.TemporaryDirectory() as temp_dir:
            fixture = Path(temp_dir) / 'fixture.py'
            fixture.write_text(
                'from __future__ import annotations\n'
                'import json\n'
                'import sys\n'
                'print(json.dumps({"argv": sys.argv[1:]}))\n'
                'print("diagnostic", file=sys.stderr)\n'
            )
            result = run_dogfood_probe([
                '--stdout-json-byte0',
                '--',
                'python3',
                str(fixture),
                '--output-format',
                'json',
                'doctor',
                '--help',
            ])
        self.assertEqual(0, result.returncode)
        payload = __import__('json').loads(result.stdout)
        self.assertEqual('ok', payload['kind'])
        self.assertEqual([
            'python3',
            str(fixture),
            '--output-format',
            'json',
            'doctor',
            '--help',
        ], payload['argv'])
        self.assertEqual(0, payload['returncode'])
        self.assertEqual('{"argv": ["--output-format", "json", "doctor", "--help"]}\n', payload['stdout'])
        self.assertEqual('diagnostic\n', payload['stderr'])
    def test_dogfood_probe_labels_timeout_separately_from_product_error(self) -> None:
        with tempfile.TemporaryDirectory() as temp_dir:
            fixture = Path(temp_dir) / 'sleep.py'
            fixture.write_text('import time\ntime.sleep(2)\n')
            result = run_dogfood_probe(['--timeout', '0.1', '--', 'python3', str(fixture)])
        self.assertEqual(1, result.returncode)
        payload = __import__('json').loads(result.stdout)
        self.assertEqual('timeout', payload['kind'])
        self.assertIsNone(payload['returncode'])
        self.assertIn('timed out', payload['message'])
    def test_dogfood_probe_labels_probe_construction_failure(self) -> None:
        result = run_dogfood_probe([])
        self.assertEqual(1, result.returncode)
        payload = __import__('json').loads(result.stdout)
        self.assertEqual('probe_error', payload['kind'])
        self.assertEqual([], payload['argv'])
        self.assertIsNone(payload['returncode'])
        self.assertIn('argv must contain', payload['message'])
    def test_dogfood_probe_labels_stdout_json_prefix_failure_as_product_error(self) -> None:
        with tempfile.TemporaryDirectory() as temp_dir:
            fixture = Path(temp_dir) / 'prefixed.py'
            fixture.write_text('print("warning before json")\nprint("{}")\n')
            result = run_dogfood_probe(['--stdout-json-byte0', '--', 'python3', str(fixture)])
        self.assertEqual(1, result.returncode)
        payload = __import__('json').loads(result.stdout)
        self.assertEqual('product_error', payload['kind'])
        self.assertEqual(0, payload['returncode'])
        self.assertIn('byte 0', payload['message'])
 if __name__ == '__main__':
    unittest.main()
Author	SHA1	Message	Date
bellman	ecd3e4ceb9	fix: type allowed tools validation	2026-06-04 12:01:58 +09:00
bellman	22fdaeae2c	fix: keep skills lifecycle local	2026-06-04 03:58:35 +09:00
bellman	4522490bd5	fix: make dump-manifests self-contained	2026-06-04 02:46:44 +09:00
bellman	cd58c054ca	fix: add global cwd override	2026-06-04 02:20:09 +09:00
bellman	94579eace5	fix: default to workspace-write permissions	2026-06-04 01:51:21 +09:00
bellman	2ab2f44e1d	fix: keep session help local	2026-06-04 00:50:17 +09:00
bellman	fa35018769	fix: validate env model selection	2026-06-04 00:30:13 +09:00
bellman	94be902ce1	fix: attribute config precedence in JSON	2026-06-03 23:47:27 +09:00
bellman	bcc5bfde9c	fix: route local OpenAI-compatible models	2026-06-03 23:16:46 +09:00
bellman	9522674c87	fix: read prompt subcommand input from stdin	2026-06-03 22:39:16 +09:00
bellman	c91a3062d5	fix: normalize Anthropic model routing	2026-06-03 22:20:23 +09:00
bellman	54d785d0c0	fix: preserve DeepSeek V4 thinking history	2026-06-03 21:53:54 +09:00
bellman	36218ac1b1	fix: report config file load statuses	2026-06-03 21:46:47 +09:00
bellman	6388a2ba3f	fix: parse object-style hook config	2026-06-03 21:23:00 +09:00
bellman	9c8375da99	feat: import project instruction rules	2026-06-03 21:01:48 +09:00
Heo, Sung	0cef5390f7	fix: resolve clippy pedantic warnings Apply the bounded clippy pedantic cleanup from PR #3009.	2026-06-03 20:39:05 +09:00
bellman	1bd18be372	feat: add GitShow output formats	2026-06-03 20:28:12 +09:00
bellman	d07664b44c	fix: keep hooks clean and close bash stdin	2026-06-03 20:20:04 +09:00
bellman	ce116d9dfa	fix: expose binary provenance in local JSON	2026-06-03 20:03:39 +09:00
bellman	372ec09c47	test: cover roadmap helper missing path	2026-06-03 19:31:45 +09:00
bellman	78f446f68e	test: add argv-safe dogfood probes	2026-06-03 19:26:55 +09:00
bellman	55da189315	fix: keep JSON control surfaces local	2026-06-03 19:12:20 +09:00
bellman	e752b05425	fix: load common instruction files and typed unknown commands	2026-06-03 18:54:36 +09:00
bellman	0c83a26dc7	test: cover resumed unknown slash command	2026-06-03 18:40:37 +09:00
bellman	286638fa04	docs: close ROADMAP 828 approval slash evidence	2026-06-03 18:29:16 +09:00
bellman	47d6c3d5d3	docs: close ROADMAP 829 interactive hint evidence	2026-06-03 18:26:37 +09:00
bellman	f529fb0e55	fix: classify mcp show missing server argument	2026-06-03 18:22:23 +09:00