--- Status: Backlog Owner Role: Developer Created: 2026-05-22T07:40:00.000Z Completed: Depends On: 000301 Validation: node ai/runtime/dist/cli.js validate --tier chunk --chunk 000302 --json --- # Command Wrapper Hosted Tool Enforcement Follow-Up for cfd-0036 ## Autopilot - Repository/runtime state is authoritative; chat memory is not authoritative. - Continue autonomously unless a stop condition is reached. - Do not confuse short-lived registered work with bypassed work. ## Goal Make hosted shell command execution policy more enforceable without confusing short-lived registered work with bypassed work. ## Scope - Inspect Runtime command wrapper. - Inspect hosted tool diagnostics. - Inspect work-registration evidence. - Inspect short-lived terminal grace display. - Define policy: - Runtime-owned direct CLI commands may self-register if allowed. - hosted shell commands should use `runtime command run` where practical. - raw hosted work-producing shell commands should be detectable and rejectable by close-gate in assertive mode. - pure inspection must not create false active work. - `apply_patch`/file edits require Developer work registration or changed-file coverage. - Add close-gate detection for raw hosted work-producing commands if reliable evidence exists. - Do not depend only on Codex hooks. - Do not block legitimate direct human/dev usage unless policy explicitly says so. - Preserve command wrapper transparency in Live Work display. ## Acceptance Criteria - Policy distinguishes registered direct Runtime CLI work, wrapped hosted shell work, raw hosted work-producing bypass, pure inspection, and file edit coverage. - Short-lived registered work appears as recent terminal work where appropriate. - Raw hosted work-producing bypass is detected or recorded as exact limitation. - Runtime command wrapper remains canonical for hosted shell commands. - `cfd-0036` is narrowed with exact enforcement state. - Existing validation passes. ## Validation Requirements - Command wrapper tests. - Hosted tool diagnostic tests. - Changed-file coverage test if feasible. - Work-registration entrypoint coverage. - Summary validation. - Canonical validation. ## Stop Conditions - Stop if hosted logs/hooks are insufficient to distinguish bypass reliably. - Stop if enforcement would break normal human/dev workflows without migration. - Stop if file-edit coverage needs broad architecture changes.