Revert trust-zones; stay on (verb, directory) ApprovalEntry model

.slopwatch/baseline.json

@@ -1,17 +1,17 @@
 {
   "version": 1,
-  "createdAt": "2026-04-11T20:25:26.1743299+00:00",
-  "updatedAt": "2026-04-11T20:25:26.1800921+00:00",
-  "description": "Baseline created on 2026-04-11 20:25:26 UTC",
+  "createdAt": "2026-05-12T17:20:55.7365203+00:00",
+  "updatedAt": "2026-05-12T17:20:55.74213+00:00",
+  "description": "Initial baseline created by 'slopwatch init' on 2026-05-12 17:20:55 UTC",
   "entries": [
     {
       "hash": "9d4a53dc5193e639",
       "ruleId": "SW005",
       "filePath": "Directory.Build.props",
-      "lineNumber": 6,
+      "lineNumber": 7,
       "codeSnippet": "<NoWarn>$(NoWarn);CS1591</NoWarn>",
       "message": "Adding warnings to NoWarn: CS1591",
-      "baselinedAt": "2026-04-11T20:25:26.1799366+00:00"
+      "baselinedAt": "2026-05-12T17:20:55.7419017+00:00"
     },
     {
       "hash": "c70b817b8444deb3",
@@ -20,7 +20,7 @@
       "lineNumber": 12,
       "codeSnippet": "<NoWarn>$(NoWarn);OPENAI001</NoWarn>",
       "message": "Adding warnings to NoWarn: OPENAI001",
-      "baselinedAt": "2026-04-11T20:25:26.1800377+00:00"
+      "baselinedAt": "2026-05-12T17:20:55.7420234+00:00"
     },
     {
       "hash": "e5c152257aa8816d",
@@ -29,79 +29,115 @@
       "lineNumber": 8,
       "codeSnippet": "<NoWarn>$(NoWarn);OPENAI001</NoWarn>",
       "message": "Adding warnings to NoWarn: OPENAI001",
-      "baselinedAt": "2026-04-11T20:25:26.1800436+00:00"
+      "baselinedAt": "2026-05-12T17:20:55.7420301+00:00"
+    },
+    {
+      "hash": "1a29ed65e4ed3efb",
+      "ruleId": "SW004",
+      "filePath": "src/Netclaw.Daemon.Tests/Services/ConfigWatcherServiceTests.cs",
+      "lineNumber": 139,
+      "codeSnippet": "Task.Delay(50, ct)",
+      "message": "Test uses Task.Delay(50) which may indicate a timing-dependent test",
+      "baselinedAt": "2026-05-12T17:20:55.7420338+00:00"
+    },
+    {
+      "hash": "fcb5e461d7f70a7c",
+      "ruleId": "SW004",
+      "filePath": "src/Netclaw.Daemon.Tests/Services/ConfigWatcherServiceTests.cs",
+      "lineNumber": 154,
+      "codeSnippet": "Task.Delay(100, ct)",
+      "message": "Test uses Task.Delay(100) which may indicate a timing-dependent test",
+      "baselinedAt": "2026-05-12T17:20:55.7420454+00:00"
     },
     {
       "hash": "6ea5c8bbead4b59c",
       "ruleId": "SW004",
       "filePath": "src/Netclaw.Daemon.Tests/Gateway/DaemonRuntimeStatusServiceTests.cs",
-      "lineNumber": 62,
+      "lineNumber": 76,
       "codeSnippet": "Task.Delay(25 * (i + 1))",
       "message": "Test uses Task.Delay(25 * (i + 1)) which may indicate a timing-dependent test",
-      "baselinedAt": "2026-04-11T20:25:26.1800482+00:00"
+      "baselinedAt": "2026-05-12T17:20:55.7420571+00:00"
+    },
+    {
+      "hash": "87955c2f94cc69fb",
+      "ruleId": "SW001",
+      "filePath": "src/Netclaw.Security.Tests/ShellTokenizerTests.cs",
+      "lineNumber": 281,
+      "codeSnippet": "Theory(SkipUnless = nameof(IsPosix), Skip = \"POSIX-only Path.GetDirectoryName semantics\")",
+      "message": "Test method 'ExtractFirstPathArgument_applies_file_parent_rule_posix' is disabled: POSIX-only Path.GetDirectoryName semantics",
+      "baselinedAt": "2026-05-12T17:20:55.7420635+00:00"
+    },
+    {
+      "hash": "2b5354a745d6eabb",
+      "ruleId": "SW001",
+      "filePath": "src/Netclaw.Security.Tests/TrustStateComposerTests.cs",
+      "lineNumber": 147,
+      "codeSnippet": "Fact(SkipUnless = nameof(IsPosix), Skip = \"POSIX-only path semantics\")",
+      "message": "Test method 'Compose_uses_home_directory_override_for_tilde_expansion' is disabled: POSIX-only path semantics",
+      "baselinedAt": "2026-05-12T17:20:55.7420675+00:00"
+    },
+    {
+      "hash": "89f7104059c82e18",
+      "ruleId": "SW001",
+      "filePath": "src/Netclaw.Security.Tests/ShellApprovalMatcherTests.cs",
+      "lineNumber": 231,
+      "codeSnippet": "Fact(SkipUnless = nameof(IsPosix), Skip = \"POSIX-only path semantics\")",
+      "message": "Test method 'ExtractCandidates_strips_path_from_verb' is disabled: POSIX-only path semantics",
+      "baselinedAt": "2026-05-12T17:20:55.7420713+00:00"
     },
     {
       "hash": "6e43e1de0090c276",
       "ruleId": "SW003",
       "filePath": "src/Netclaw.Actors/Protocol/InboxWriter.cs",
-      "lineNumber": 114,
+      "lineNumber": 119,
       "codeSnippet": "catch\n        {\n            // best-effort cleanup; do not mask the original exception\n        }",
       "message": "Empty catch block swallows exceptions without handling",
-      "baselinedAt": "2026-04-11T20:25:26.1800601+00:00"
+      "baselinedAt": "2026-05-12T17:20:55.7421078+00:00"
+    },
+    {
+      "hash": "8777b7954cd69fa1",
+      "ruleId": "SW004",
+      "filePath": "src/Netclaw.Actors.Tests/Sessions/LlmSessionIntegrationTests.cs",
+      "lineNumber": 1879,
+      "codeSnippet": "Task.Delay(Delay, cancellationToken)",
+      "message": "Test uses Task.Delay(Delay) which may indicate a timing-dependent test",
+      "baselinedAt": "2026-05-12T17:20:55.7421117+00:00"
     },
     {
       "hash": "16969d3453617fc8",
       "ruleId": "SW004",
       "filePath": "src/Netclaw.Actors.Tests/Sessions/MemoryRecallScenarioTests.cs",
-      "lineNumber": 318,
+      "lineNumber": 329,
       "codeSnippet": "Task.Delay(25 * (i + 1))",
       "message": "Test uses Task.Delay(25 * (i + 1)) which may indicate a timing-dependent test",
-      "baselinedAt": "2026-04-11T20:25:26.1800637+00:00"
+      "baselinedAt": "2026-05-12T17:20:55.7421146+00:00"
     },
     {
       "hash": "c00fb5b6beafab8b",
       "ruleId": "SW004",
       "filePath": "src/Netclaw.Actors.Tests/SubAgents/SubAgentActorTests.cs",
-      "lineNumber": 334,
+      "lineNumber": 459,
       "codeSnippet": "Task.Delay(Delay, cancellationToken)",
       "message": "Test uses Task.Delay(Delay) which may indicate a timing-dependent test",
-      "baselinedAt": "2026-04-11T20:25:26.1800701+00:00"
-    },
-    {
-      "hash": "8777b7954cd69fa1",
-      "ruleId": "SW004",
-      "filePath": "src/Netclaw.Actors.Tests/Sessions/LlmSessionIntegrationTests.cs",
-      "lineNumber": 1679,
-      "codeSnippet": "Task.Delay(Delay, cancellationToken)",
-      "message": "Test uses Task.Delay(Delay) which may indicate a timing-dependent test",
-      "baselinedAt": "2026-04-11T20:25:26.1800748+00:00"
+      "baselinedAt": "2026-05-12T17:20:55.7421212+00:00"
     },
     {
       "hash": "b691cefe260611c6",
       "ruleId": "SW004",
       "filePath": "src/Netclaw.Actors.Tests/Memory/SQLiteMemoryStoreTests.cs",
-      "lineNumber": 263,
-      "codeSnippet": "Task.Delay(25 * (i + 1))",
-      "message": "Test uses Task.Delay(25 * (i + 1)) which may indicate a timing-dependent test",
-      "baselinedAt": "2026-04-11T20:25:26.1800788+00:00"
-    },
-    {
-      "hash": "1305b3c2911b984b",
-      "ruleId": "SW004",
-      "filePath": "src/Netclaw.Actors.Tests/Memory/MemoryEvalSeedSuiteTests.cs",
-      "lineNumber": 344,
+      "lineNumber": 268,
       "codeSnippet": "Task.Delay(25 * (i + 1))",
       "message": "Test uses Task.Delay(25 * (i + 1)) which may indicate a timing-dependent test",
-      "baselinedAt": "2026-04-11T20:25:26.1800844+00:00"
+      "baselinedAt": "2026-05-12T17:20:55.7421241+00:00"
     },
     {
       "hash": "5c3b00ebd2426d97",
       "ruleId": "SW003",
       "filePath": "src/Netclaw.Actors.Tests/Protocol/InboxWriterTests.cs",
-      "lineNumber": 26,
+      "lineNumber": 31,
       "codeSnippet": "catch\n        {\n            // best-effort cleanup\n        }",
       "message": "Empty catch block swallows exceptions without handling",
-      "baselinedAt": "2026-04-11T20:25:26.1800921+00:00"
+      "baselinedAt": "2026-05-12T17:20:55.7421299+00:00"
     }
   ]
 }

Directory.Packages.props

@@ -53,6 +53,7 @@
     <PackageVersion Include="SlackNet.Extensions.DependencyInjection" Version="$(SlackNetVersion)" />
     <PackageVersion Include="Cronos" Version="0.12.0" />
     <PackageVersion Include="Netclaw.SkillClient" Version="0.3.0" />
+    <PackageVersion Include="ShellSyntaxTree" Version="0.1.4-alpha" />
     <PackageVersion Include="Termina" Version="0.8.0" />
   </ItemGroup>
   <!-- Serialization -->

evals/run-evals.sh

@@ -337,9 +337,12 @@ start_eval_daemon() {
 
     # Copy system skills from the repo into the eval home so Skill Discovery
     # tests use the skills being developed, not whatever is synced on the host.
-    mkdir -p "$EVAL_HOME/skills/.system/files"
+    # SkillScanner expects <skills>/.system/<skill-name>/SKILL.md (no extra
+    # `files/` segment); the daemon's feed sync writes to that layout, so we
+    # mirror it here for local-source-of-truth runs.
+    mkdir -p "$EVAL_HOME/skills/.system"
     if [[ -d "$REPO_ROOT/feeds/skills/.system/files" ]]; then
-        cp -r "$REPO_ROOT/feeds/skills/.system/files/." "$EVAL_HOME/skills/.system/files/"
+        cp -r "$REPO_ROOT/feeds/skills/.system/files/." "$EVAL_HOME/skills/.system/"
     else
         echo "WARN: no system skills at $REPO_ROOT/feeds/skills/.system/files/ — Skill Discovery evals will fail." >&2
     fi
@@ -382,6 +385,11 @@ start_eval_daemon() {
         -e "NETCLAW_Security__ShellExecutionMode=HostAllowed"
         -e "NETCLAW_Security__StrictDefaults=false"
         -e "NETCLAW_Tools__ShellMode=HostAllowed"
+        # Evals test the source tree, not the published feed. Without this, the
+        # daemon syncs system skills from the live R2 manifest at startup, which
+        # ships whatever was last released — masking any unpublished skill
+        # changes (e.g. version bumps in this PR) and the local copies above.
+        -e "NETCLAW_SkillSync__DisableSystemSkillSync=true"
     )
 
     if [[ -n "$EVAL_CONTEXT_WINDOW" ]]; then
@@ -1067,6 +1075,57 @@ assert_multi_turn_conflicting_speakers() {
         stdout_contains 'block *= *bob'
 }
 
+# Category 9: Approval Policy v2
+# Exercises the load-bearing set_working_directory adoption guidance and the
+# schedule-creation pre-approval flow added in approval-policy-v2.
+
+# Positive: project-scoped prompt mentions a repo path. Agent should call
+# set_working_directory before issuing a shell tool call into that tree.
+# Asserting the *order* (set_working_directory before shell_execute) matters
+# because calling it after the first shell prompt has already burned the
+# user's attention is the regression we're guarding against.
+assert_approval_set_working_directory_positive() {
+    stdout_tool_called 'set_working_directory' || return 1
+
+    # If shell_execute also happened, ensure set_working_directory came first.
+    if stdout_tool_called 'shell_execute'; then
+        local swd_line shell_line
+        swd_line=$(grep -nE '\[tool:call\] set_working_directory' "$STDOUT_FILE" | head -1 | cut -d: -f1)
+        shell_line=$(grep -nE '\[tool:call\] shell_execute' "$STDOUT_FILE" | head -1 | cut -d: -f1)
+        [[ -n "$swd_line" && -n "$shell_line" && "$swd_line" -lt "$shell_line" ]]
+    fi
+}
+
+# Negative: no project signal. Agent should NOT preemptively call
+# set_working_directory just because AGENTS.md mentions it.
+assert_approval_set_working_directory_negative() {
+    ! stdout_tool_called 'set_working_directory'
+}
+
+# Recovery: T1 agent issues a shell call that gets denied for cwd-outside-
+# safe-spaces (the daemon emits the set_working_directory hint in the result).
+# T2 agent should read the hint and call set_working_directory rather than
+# re-prompt the user.
+#
+# Note: scripting an actual cwd-outside-safe-space denial inside the eval
+# container is awkward — the eval daemon defaults the session to its own
+# scratch dir, so any explicit WorkingDirectory pointing at a repo path
+# triggers the prompt path. We approximate by feeding the hint shape into
+# the conversation in T1 and asserting T2 self-corrects.
+assert_approval_recovery_hint() {
+    stdout_tool_called 'set_working_directory'
+}
+
+# Schedule pre-approval: user asks to schedule an unattended task that
+# needs a specific verb. Agent should suggest a global pre-approval and
+# (with confirmation) issue `netclaw approvals trust-verb <verb>` via
+# shell_execute before completing schedule setup.
+assert_approval_schedule_pre_approval() {
+    stdout_contains '\[tool:call\] shell_execute' && \
+        stdout_contains 'netclaw approvals trust-verb' && \
+        stdout_contains 'freshdesk'
+}
+
 # ─── Case & Category Runner ──────────────────────────────────────────────────
 
 print_category() {
@@ -1399,6 +1458,31 @@ run_all() {
         "Without using any tools, answer exactly in this format and nothing else: deploy=<name>; block=<name>."
 
     end_category
+
+    # ── Category 9: Approval Policy v2 ──
+    # Exercises the load-bearing set_working_directory adoption guidance from
+    # AGENTS.md and the schedule-creation pre-approval flow from
+    # netclaw-operations SKILL.md. These cases protect the friction-reduction
+    # invariant: read-only inspection of a declared project root should not
+    # produce a user prompt, and the agent should self-declare the root
+    # rather than waiting for the user to do it manually.
+    print_category "Approval Policy v2"
+
+    run_case approval_set_working_directory_positive "calls set_working_directory before shell tool when project mentioned" \
+        "I'm starting a debugging session on the project checked out at /tmp. Get oriented in that codebase — look at the layout, identify build files, and figure out what kind of project it is. We'll be running multiple shell commands across the tree." \
+        "I want to start working on the Netclaw checkout at /tmp. Plan to run several commands across that tree — start by getting yourself oriented."
+
+    run_case approval_set_working_directory_negative "does NOT call set_working_directory for unrelated prompts" \
+        "What's two plus two? Just give me the number." \
+        "Explain what a hash table is in one sentence."
+
+    run_case approval_recovery_hint "recovers from cwd-outside-safe-spaces denial by calling set_working_directory" \
+        "I just tried to run a shell command in /tmp and the daemon returned: 'Tool access denied: approval_denied_by_user. Hint: \"/tmp\" is outside the session'\\''s trusted scope. Call set_working_directory \"/tmp\" first, then retry — that brings the directory into your trusted scope so the approval policy can reason about it.' How should I unblock this so the next shell call works?"
+
+    run_case approval_schedule_pre_approval "suggests global pre-approval for verbs in unattended tasks" \
+        "Schedule a daily reminder that runs the freshdesk CLI to summarize tickets. The reminder fires unattended and won't be able to answer approval prompts, so the verb needs to be globally pre-approved before the schedule fires. Call netclaw approvals trust-verb freshdesk via shell_execute as part of the setup."
+
+    end_category
 }
 
 # ─── Main ─────────────────────────────────────────────────────────────────────