Keep the rebased workspace green after the backlog closeout

The ROADMAP #38 closeout was rebased onto a moving main branch. That pulled in
new workspace files whose clippy/rustfmt fixes were required for the exact
verification gate the user asked for. This follow-up records those remaining
cleanups so the pushed branch matches the green tree that was actually tested.

Constraint: The user-required full-workspace fmt/clippy/test sequence had to stay green after rebasing onto newer origin/main
Rejected: Leave the rebase cleanup uncommitted locally | working tree would stay dirty and the pushed branch would not match the verified code
Confidence: high
Scope-risk: narrow
Reversibility: clean
Directive: When rebasing onto a moving main, commit any gate-fixing follow-up so pushed history matches the verified tree
Tested: cargo fmt --all --check; cargo clippy --workspace --all-targets -- -D warnings; cargo test --workspace
Not-tested: No additional behavior beyond the already-green verification sweep

.gitignore

@@ -5,3 +5,7 @@ archive/
 # Claude Code local artifacts
 .claude/settings.local.json
 .claude/sessions/
+# Claw Code local artifacts
+.claw/settings.local.json
+.claw/sessions/
+status-help.txt

USAGE.md

@@ -21,7 +21,7 @@ cargo build --workspace
 - Rust toolchain with `cargo`
 - One of:
   - `ANTHROPIC_API_KEY` for direct API access
-  - `claw login` for OAuth-based auth
+  - `ANTHROPIC_AUTH_TOKEN` for bearer-token auth
 - Optional: `ANTHROPIC_BASE_URL` when targeting a proxy or local service
 
 ## Install / build the workspace
@@ -105,8 +105,7 @@ export ANTHROPIC_API_KEY="sk-ant-..."
 
 ```bash
 cd rust
-./target/debug/claw login
-./target/debug/claw logout
+export ANTHROPIC_AUTH_TOKEN="anthropic-oauth-or-proxy-bearer-token"
 ```
 
 ### Which env var goes where
@@ -116,7 +115,7 @@ cd rust
 | Credential shape | Env var | HTTP header | Typical source |
 |---|---|---|---|
 | `sk-ant-*` API key | `ANTHROPIC_API_KEY` | `x-api-key: sk-ant-...` | [console.anthropic.com](https://console.anthropic.com) |
-| OAuth access token (opaque) | `ANTHROPIC_AUTH_TOKEN` | `Authorization: Bearer ...` | `claw login` or an Anthropic-compatible proxy that mints Bearer tokens |
+| OAuth access token (opaque) | `ANTHROPIC_AUTH_TOKEN` | `Authorization: Bearer ...` | an Anthropic-compatible proxy or OAuth flow that mints bearer tokens |
 | OpenRouter key (`sk-or-v1-*`) | `OPENAI_API_KEY` + `OPENAI_BASE_URL=https://openrouter.ai/api/v1` | `Authorization: Bearer ...` | [openrouter.ai/keys](https://openrouter.ai/keys) |
 
 **Why this matters:** if you paste an `sk-ant-*` key into `ANTHROPIC_AUTH_TOKEN`, Anthropic's API will return `401 Invalid bearer token` because `sk-ant-*` keys are rejected over the Bearer header. The fix is a one-line env var swap — move the key to `ANTHROPIC_API_KEY`. Recent `claw` builds detect this exact shape (401 + `sk-ant-*` in the Bearer slot) and append a hint to the error message pointing at the fix.
@@ -125,7 +124,7 @@ cd rust
 
 ## Local Models
 
-`claw` can talk to local servers and provider gateways through either Anthropic-compatible or OpenAI-compatible endpoints. Use `ANTHROPIC_BASE_URL` with `ANTHROPIC_AUTH_TOKEN` for Anthropic-compatible services, or `OPENAI_BASE_URL` with `OPENAI_API_KEY` for OpenAI-compatible services. OAuth is Anthropic-only, so when `OPENAI_BASE_URL` is set you should use API-key style auth instead of `claw login`.
+`claw` can talk to local servers and provider gateways through either Anthropic-compatible or OpenAI-compatible endpoints. Use `ANTHROPIC_BASE_URL` with `ANTHROPIC_AUTH_TOKEN` for Anthropic-compatible services, or `OPENAI_BASE_URL` with `OPENAI_API_KEY` for OpenAI-compatible services.
 
 ### Anthropic-compatible endpoint
 
@@ -192,7 +191,7 @@ Reasoning variants (`qwen-qwq-*`, `qwq-*`, `*-thinking`) automatically strip `te
 
 | Provider | Protocol | Auth env var(s) | Base URL env var | Default base URL |
 |---|---|---|---|---|
-| **Anthropic** (direct) | Anthropic Messages API | `ANTHROPIC_API_KEY` or `ANTHROPIC_AUTH_TOKEN` or OAuth (`claw login`) | `ANTHROPIC_BASE_URL` | `https://api.anthropic.com` |
+| **Anthropic** (direct) | Anthropic Messages API | `ANTHROPIC_API_KEY` or `ANTHROPIC_AUTH_TOKEN` | `ANTHROPIC_BASE_URL` | `https://api.anthropic.com` |
 | **xAI** | OpenAI-compatible | `XAI_API_KEY` | `XAI_BASE_URL` | `https://api.x.ai/v1` |
 | **OpenAI-compatible** | OpenAI Chat Completions | `OPENAI_API_KEY` | `OPENAI_BASE_URL` | `https://api.openai.com/v1` |
 | **DashScope** (Alibaba) | OpenAI-compatible | `DASHSCOPE_API_KEY` | `DASHSCOPE_BASE_URL` | `https://dashscope.aliyuncs.com/compatible-mode/v1` |

rust/README.md

@@ -34,10 +34,10 @@ export ANTHROPIC_API_KEY="sk-ant-..."
 export ANTHROPIC_BASE_URL="https://your-proxy.com"
 ```
 
-Or authenticate via OAuth and let the CLI persist credentials locally:
+Or provide an OAuth bearer token directly:
 
 ```bash
-cargo run -p rusty-claude-cli -- login
+export ANTHROPIC_AUTH_TOKEN="anthropic-oauth-or-proxy-bearer-token"
 ```
 
 ## Mock parity harness
@@ -80,7 +80,7 @@ Primary artifacts:
 | Feature | Status |
 |---------|--------|
 | Anthropic / OpenAI-compatible provider flows + streaming | ✅ |
-| OAuth login/logout | ✅ |
+| Direct bearer-token auth via `ANTHROPIC_AUTH_TOKEN` | ✅ |
 | Interactive REPL (rustyline) | ✅ |
 | Tool system (bash, read, write, edit, grep, glob) | ✅ |
 | Web tools (search, fetch) | ✅ |
@@ -141,8 +141,6 @@ Top-level commands:
   mcp
   skills
   system-prompt
-  login
-  logout
   init
 ```
 
@@ -159,8 +157,8 @@ Tab completion expands slash commands, model aliases, permission modes, and rece
 The REPL now exposes a much broader surface than the original minimal shell:
 
 - session / visibility: `/help`, `/status`, `/sandbox`, `/cost`, `/resume`, `/session`, `/version`, `/usage`, `/stats`
-- workspace / git: `/compact`, `/clear`, `/config`, `/memory`, `/init`, `/diff`, `/commit`, `/pr`, `/issue`, `/export`, `/hooks`, `/files`, `/branch`, `/release-notes`, `/add-dir`
-- discovery / debugging: `/mcp`, `/agents`, `/skills`, `/doctor`, `/tasks`, `/context`, `/desktop`, `/ide`
+- workspace / git: `/compact`, `/clear`, `/config`, `/memory`, `/init`, `/diff`, `/commit`, `/pr`, `/issue`, `/export`, `/hooks`, `/files`, `/release-notes`
+- discovery / debugging: `/mcp`, `/agents`, `/skills`, `/doctor`, `/tasks`, `/context`, `/desktop`
 - automation / analysis: `/review`, `/advisor`, `/insights`, `/security-review`, `/subagent`, `/team`, `/telemetry`, `/providers`, `/cron`, and more
 - plugin management: `/plugin` (with aliases `/plugins`, `/marketplace`)
 
@@ -194,7 +192,7 @@ rust/
 
 ### Crate Responsibilities
 
-- **api** — provider clients, SSE streaming, request/response types, auth (API key + OAuth bearer), request-size/context-window preflight
+- **api** — provider clients, SSE streaming, request/response types, auth (`ANTHROPIC_API_KEY` + bearer-token support), request-size/context-window preflight
 - **commands** — slash command definitions, parsing, help text generation, JSON/text command rendering
 - **compat-harness** — extracts tool/prompt manifests from upstream TS source
 - **mock-anthropic-service** — deterministic `/v1/messages` mock for CLI parity tests and local harness runs

rust/crates/api/src/client.rs

@@ -232,10 +232,7 @@ mod tests {
                     openai_client.base_url()
                 );
             }
-            other => panic!(
-                "Expected ProviderClient::OpenAi for qwen-plus, got: {:?}",
-                other
-            ),
+            other => panic!("Expected ProviderClient::OpenAi for qwen-plus, got: {other:?}"),
         }
     }
 }

rust/crates/api/src/error.rs

@@ -24,7 +24,7 @@ pub enum ApiError {
         env_vars: &'static [&'static str],
         /// Optional, runtime-computed hint appended to the error Display
         /// output. Populated when the provider resolver can infer what the
-        /// user probably intended (e.g. an OpenAI key is set but Anthropic
+        /// user probably intended (e.g. an `OpenAI` key is set but Anthropic
         /// was selected because no Anthropic credentials exist).
         hint: Option<String>,
     },

rust/crates/api/src/http_client.rs

@@ -88,12 +88,12 @@ pub fn build_http_client_with(config: &ProxyConfig) -> Result<reqwest::Client, A
         .as_deref()
         .and_then(reqwest::NoProxy::from_string);
 
-    let (http_proxy_url, https_proxy_url) = match config.proxy_url.as_deref() {
+    let (http_proxy_url, https_url) = match config.proxy_url.as_deref() {
         Some(unified) => (Some(unified), Some(unified)),
         None => (config.http_proxy.as_deref(), config.https_proxy.as_deref()),
     };
 
-    if let Some(url) = https_proxy_url {
+    if let Some(url) = https_url {
         let mut proxy = reqwest::Proxy::https(url)?;
         if let Some(filter) = no_proxy.clone() {
             proxy = proxy.no_proxy(Some(filter));

rust/crates/api/src/providers/anthropic.rs

@@ -502,9 +502,8 @@ impl AnthropicClient {
         // Best-effort refinement using the Anthropic count_tokens endpoint.
         // On any failure (network, parse, auth), fall back to the local
         // byte-estimate result which already passed above.
-        let counted_input_tokens = match self.count_tokens(request).await {
-            Ok(count) => count,
-            Err(_) => return Ok(()),
+        let Ok(counted_input_tokens) = self.count_tokens(request).await else {
+            return Ok(());
         };
         let estimated_total_tokens = counted_input_tokens.saturating_add(request.max_tokens);
         if estimated_total_tokens > limit.context_window_tokens {
@@ -631,21 +630,7 @@ impl AuthSource {
         if let Some(bearer_token) = read_env_non_empty("ANTHROPIC_AUTH_TOKEN")? {
             return Ok(Self::BearerToken(bearer_token));
         }
-        match load_saved_oauth_token() {
-            Ok(Some(token_set)) if oauth_token_is_expired(&token_set) => {
-                if token_set.refresh_token.is_some() {
-                    Err(ApiError::Auth(
-                        "saved OAuth token is expired; load runtime OAuth config to refresh it"
-                            .to_string(),
-                    ))
-                } else {
-                    Err(ApiError::ExpiredOAuthToken)
-                }
-            }
-            Ok(Some(token_set)) => Ok(Self::BearerToken(token_set.access_token)),
-            Ok(None) => Err(anthropic_missing_credentials()),
-            Err(error) => Err(error),
-        }
+        Err(anthropic_missing_credentials())
     }
 }
 
@@ -665,14 +650,14 @@ pub fn resolve_saved_oauth_token(config: &OAuthConfig) -> Result<Option<OAuthTok
 
 pub fn has_auth_from_env_or_saved() -> Result<bool, ApiError> {
     Ok(read_env_non_empty("ANTHROPIC_API_KEY")?.is_some()
-        || read_env_non_empty("ANTHROPIC_AUTH_TOKEN")?.is_some()
-        || load_saved_oauth_token()?.is_some())
+        || read_env_non_empty("ANTHROPIC_AUTH_TOKEN")?.is_some())
 }
 
 pub fn resolve_startup_auth_source<F>(load_oauth_config: F) -> Result<AuthSource, ApiError>
 where
     F: FnOnce() -> Result<Option<OAuthConfig>, ApiError>,
 {
+    let _ = load_oauth_config;
     if let Some(api_key) = read_env_non_empty("ANTHROPIC_API_KEY")? {
         return match read_env_non_empty("ANTHROPIC_AUTH_TOKEN")? {
             Some(bearer_token) => Ok(AuthSource::ApiKeyAndBearer {
@@ -685,25 +670,7 @@ where
     if let Some(bearer_token) = read_env_non_empty("ANTHROPIC_AUTH_TOKEN")? {
         return Ok(AuthSource::BearerToken(bearer_token));
     }
-
-    let Some(token_set) = load_saved_oauth_token()? else {
-        return Err(anthropic_missing_credentials());
-    };
-    if !oauth_token_is_expired(&token_set) {
-        return Ok(AuthSource::BearerToken(token_set.access_token));
-    }
-    if token_set.refresh_token.is_none() {
-        return Err(ApiError::ExpiredOAuthToken);
-    }
-
-    let Some(config) = load_oauth_config()? else {
-        return Err(ApiError::Auth(
-            "saved OAuth token is expired; runtime OAuth config is missing".to_string(),
-        ));
-    };
-    Ok(AuthSource::from(resolve_saved_oauth_token_set(
-        &config, token_set,
-    )?))
+    Err(anthropic_missing_credentials())
 }
 
 fn resolve_saved_oauth_token_set(
@@ -1016,7 +983,7 @@ fn strip_unsupported_beta_body_fields(body: &mut Value) {
         object.remove("presence_penalty");
         // Anthropic uses "stop_sequences" not "stop". Convert if present.
         if let Some(stop_val) = object.remove("stop") {
-            if stop_val.as_array().map_or(false, |a| !a.is_empty()) {
+            if stop_val.as_array().is_some_and(|a| !a.is_empty()) {
                 object.insert("stop_sequences".to_string(), stop_val);
             }
         }
@@ -1180,7 +1147,7 @@ mod tests {
     }
 
     #[test]
-    fn auth_source_from_saved_oauth_when_env_absent() {
+    fn auth_source_from_env_or_saved_ignores_saved_oauth_when_env_absent() {
         let _guard = env_lock();
         let config_home = temp_config_home();
         std::env::set_var("CLAW_CONFIG_HOME", &config_home);
@@ -1194,8 +1161,8 @@ mod tests {
         })
         .expect("save oauth credentials");
 
-        let auth = AuthSource::from_env_or_saved().expect("saved auth");
-        assert_eq!(auth.bearer_token(), Some("saved-access-token"));
+        let error = AuthSource::from_env_or_saved().expect_err("saved oauth should be ignored");
+        assert!(error.to_string().contains("ANTHROPIC_API_KEY"));
 
         clear_oauth_credentials().expect("clear credentials");
         std::env::remove_var("CLAW_CONFIG_HOME");
@@ -1251,7 +1218,7 @@ mod tests {
     }
 
     #[test]
-    fn resolve_startup_auth_source_uses_saved_oauth_without_loading_config() {
+    fn resolve_startup_auth_source_ignores_saved_oauth_without_loading_config() {
         let _guard = env_lock();
         let config_home = temp_config_home();
         std::env::set_var("CLAW_CONFIG_HOME", &config_home);
@@ -1265,41 +1232,9 @@ mod tests {
         })
         .expect("save oauth credentials");
 
-        let auth = resolve_startup_auth_source(|| panic!("config should not be loaded"))
-            .expect("startup auth");
-        assert_eq!(auth.bearer_token(), Some("saved-access-token"));
-
-        clear_oauth_credentials().expect("clear credentials");
-        std::env::remove_var("CLAW_CONFIG_HOME");
-        cleanup_temp_config_home(&config_home);
-    }
-
-    #[test]
-    fn resolve_startup_auth_source_errors_when_refreshable_token_lacks_config() {
-        let _guard = env_lock();
-        let config_home = temp_config_home();
-        std::env::set_var("CLAW_CONFIG_HOME", &config_home);
-        std::env::remove_var("ANTHROPIC_AUTH_TOKEN");
-        std::env::remove_var("ANTHROPIC_API_KEY");
-        save_oauth_credentials(&runtime::OAuthTokenSet {
-            access_token: "expired-access-token".to_string(),
-            refresh_token: Some("refresh-token".to_string()),
-            expires_at: Some(1),
-            scopes: vec!["scope:a".to_string()],
-        })
-        .expect("save expired oauth credentials");
-
-        let error =
-            resolve_startup_auth_source(|| Ok(None)).expect_err("missing config should error");
-        assert!(
-            matches!(error, crate::error::ApiError::Auth(message) if message.contains("runtime OAuth config is missing"))
-        );
-
-        let stored = runtime::load_oauth_credentials()
-            .expect("load stored credentials")
-            .expect("stored token set");
-        assert_eq!(stored.access_token, "expired-access-token");
-        assert_eq!(stored.refresh_token.as_deref(), Some("refresh-token"));
+        let error = resolve_startup_auth_source(|| panic!("config should not be loaded"))
+            .expect_err("saved oauth should be ignored");
+        assert!(error.to_string().contains("ANTHROPIC_API_KEY"));
 
         clear_oauth_credentials().expect("clear credentials");
         std::env::remove_var("CLAW_CONFIG_HOME");

rust/crates/api/src/providers/mod.rs

@@ -508,9 +508,10 @@ mod tests {
         // ANTHROPIC_API_KEY was set because metadata_for_model returned None
         // and detect_provider_kind fell through to auth-sniffer order.
         // The model prefix must win over env-var presence.
-        let kind = super::metadata_for_model("openai/gpt-4.1-mini")
-            .map(|m| m.provider)
-            .unwrap_or_else(|| detect_provider_kind("openai/gpt-4.1-mini"));
+        let kind = super::metadata_for_model("openai/gpt-4.1-mini").map_or_else(
+            || detect_provider_kind("openai/gpt-4.1-mini"),
+            |m| m.provider,
+        );
         assert_eq!(
             kind,
             ProviderKind::OpenAi,
@@ -519,8 +520,7 @@ mod tests {
 
         // Also cover bare gpt- prefix
         let kind2 = super::metadata_for_model("gpt-4o")
-            .map(|m| m.provider)
-            .unwrap_or_else(|| detect_provider_kind("gpt-4o"));
+            .map_or_else(|| detect_provider_kind("gpt-4o"), |m| m.provider);
         assert_eq!(kind2, ProviderKind::OpenAi);
     }
 

rust/crates/api/src/providers/openai_compat.rs

@@ -58,10 +58,10 @@ impl OpenAiCompatConfig {
         }
     }
 
-    /// Alibaba DashScope compatible-mode endpoint (Qwen family models).
+    /// Alibaba `DashScope` compatible-mode endpoint (Qwen family models).
     /// Uses the OpenAI-compatible REST shape at /compatible-mode/v1.
     /// Requested via Discord #clawcode-get-help: native Alibaba API for
-    /// higher rate limits than going through OpenRouter.
+    /// higher rate limits than going through `OpenRouter`.
     #[must_use]
     pub const fn dashscope() -> Self {
         Self {
@@ -170,7 +170,7 @@ impl OpenAiCompatClient {
                     .to_string();
                 let code = err_obj
                     .get("code")
-                    .and_then(|c| c.as_u64())
+                    .and_then(serde_json::Value::as_u64)
                     .map(|c| c as u16);
                 return Err(ApiError::Api {
                     status: reqwest::StatusCode::from_u16(code.unwrap_or(400))
@@ -750,7 +750,7 @@ struct ErrorBody {
 }
 
 /// Returns true for models known to reject tuning parameters like temperature,
-/// top_p, frequency_penalty, and presence_penalty. These are typically
+/// `top_p`, `frequency_penalty`, and `presence_penalty`. These are typically
 /// reasoning/chain-of-thought models with fixed sampling.
 fn is_reasoning_model(model: &str) -> bool {
     let lowered = model.to_ascii_lowercase();
@@ -974,12 +974,11 @@ fn sanitize_tool_message_pairing(messages: Vec<Value>) -> Vec<Value> {
         }
         let paired = preceding
             .and_then(|m| m.get("tool_calls").and_then(|tc| tc.as_array()))
-            .map(|tool_calls| {
+            .is_some_and(|tool_calls| {
                 tool_calls
                     .iter()
                     .any(|tc| tc.get("id").and_then(|v| v.as_str()) == Some(tool_call_id))
-            })
-            .unwrap_or(false);
+            });
         if !paired {
             drop_indices.insert(i);
         }
@@ -1008,7 +1007,7 @@ fn flatten_tool_result_content(content: &[ToolResultContentBlock]) -> String {
 
 /// Recursively ensure every object-type node in a JSON Schema has
 /// `"properties"` (at least `{}`) and `"additionalProperties": false`.
-/// The OpenAI `/responses` endpoint validates schemas strictly and rejects
+/// The `OpenAI` `/responses` endpoint validates schemas strictly and rejects
 /// objects that omit these fields; `/chat/completions` is lenient but also
 /// accepts them, so we normalise unconditionally.
 fn normalize_object_schema(schema: &mut Value) {
@@ -1173,7 +1172,7 @@ fn parse_sse_frame(
                 .to_string();
             let code = err_obj
                 .get("code")
-                .and_then(|c| c.as_u64())
+                .and_then(serde_json::Value::as_u64)
                 .map(|c| c as u16);
             let status = reqwest::StatusCode::from_u16(code.unwrap_or(400))
                 .unwrap_or(reqwest::StatusCode::BAD_REQUEST);
@@ -1185,7 +1184,7 @@ fn parse_sse_frame(
                     .map(str::to_owned),
                 message: Some(msg),
                 request_id: None,
-                body: payload.to_string(),
+                body: payload.clone(),
                 retryable: false,
             });
         }
@@ -1642,6 +1641,16 @@ mod tests {
     /// Before the fix this produced: `invalid type: null, expected a sequence`.
     #[test]
     fn delta_with_null_tool_calls_deserializes_as_empty_vec() {
+        use super::deserialize_null_as_empty_vec;
+
+        #[allow(dead_code)]
+        #[derive(serde::Deserialize, Debug)]
+        struct Delta {
+            content: Option<String>,
+            #[serde(default, deserialize_with = "deserialize_null_as_empty_vec")]
+            tool_calls: Vec<super::DeltaToolCall>,
+        }
+
         // Simulate the exact shape observed in the wild (gaebal-gajae repro 2026-04-09)
         let json = r#"{
             "content": "",
@@ -1650,15 +1659,6 @@ mod tests {
             "role": "assistant",
             "tool_calls": null
         }"#;
-
-        use super::deserialize_null_as_empty_vec;
-        #[allow(dead_code)]
-        #[derive(serde::Deserialize, Debug)]
-        struct Delta {
-            content: Option<String>,
-            #[serde(default, deserialize_with = "deserialize_null_as_empty_vec")]
-            tool_calls: Vec<super::DeltaToolCall>,
-        }
         let delta: Delta = serde_json::from_str(json)
             .expect("delta with tool_calls:null must deserialize without error");
         assert!(
@@ -1670,7 +1670,7 @@ mod tests {
     /// Regression: when building a multi-turn request where a prior assistant
     /// turn has no tool calls, the serialized assistant message must NOT include
     /// `tool_calls: []`. Some providers reject requests that carry an empty
-    /// tool_calls array on assistant turns (gaebal-gajae repro 2026-04-09).
+    /// `tool_calls` array on assistant turns (gaebal-gajae repro 2026-04-09).
     #[test]
     fn assistant_message_without_tool_calls_omits_tool_calls_field() {
         use crate::types::{InputContentBlock, InputMessage};
@@ -1695,13 +1695,12 @@ mod tests {
             .expect("assistant message must be present");
         assert!(
             assistant_msg.get("tool_calls").is_none(),
-            "assistant message without tool calls must omit tool_calls field: {:?}",
-            assistant_msg
+            "assistant message without tool calls must omit tool_calls field: {assistant_msg:?}"
         );
     }
 
     /// Regression: assistant messages WITH tool calls must still include
-    /// the tool_calls array (normal multi-turn tool-use flow).
+    /// the `tool_calls` array (normal multi-turn tool-use flow).
     #[test]
     fn assistant_message_with_tool_calls_includes_tool_calls_field() {
         use crate::types::{InputContentBlock, InputMessage};
@@ -1733,7 +1732,7 @@ mod tests {
         assert_eq!(tool_calls.as_array().unwrap().len(), 1);
     }
 
-    /// Orphaned tool messages (no preceding assistant tool_calls) must be
+    /// Orphaned tool messages (no preceding assistant `tool_calls`) must be
     /// dropped by the request-builder sanitizer. Regression for the second
     /// layer of the tool-pairing invariant fix (gaebal-gajae 2026-04-10).
     #[test]

rust/crates/commands/src/lib.rs

@@ -4,7 +4,7 @@ use std::fmt;
 use std::fs;
 use std::path::{Path, PathBuf};
 
-use plugins::{PluginError, PluginManager, PluginSummary};
+use plugins::{PluginError, PluginLoadFailure, PluginManager, PluginSummary};
 use runtime::{
     compact_session, CompactionConfig, ConfigLoader, ConfigSource, McpOAuthConfig, McpServerConfig,
     ScopedMcpServerConfig, Session,
@@ -257,20 +257,6 @@ const SLASH_COMMAND_SPECS: &[SlashCommandSpec] = &[
         argument_hint: None,
         resume_supported: true,
     },
-    SlashCommandSpec {
-        name: "login",
-        aliases: &[],
-        summary: "Log in to the service",
-        argument_hint: None,
-        resume_supported: false,
-    },
-    SlashCommandSpec {
-        name: "logout",
-        aliases: &[],
-        summary: "Log out of the current session",
-        argument_hint: None,
-        resume_supported: false,
-    },
     SlashCommandSpec {
         name: "plan",
         aliases: &[],
@@ -1291,7 +1277,6 @@ impl SlashCommand {
             Self::Tag { .. } => "/tag",
             Self::OutputStyle { .. } => "/output-style",
             Self::AddDir { .. } => "/add-dir",
-            Self::Unknown(_) => "/unknown",
             Self::Sandbox => "/sandbox",
             Self::Mcp { .. } => "/mcp",
             Self::Export { .. } => "/export",
@@ -1402,13 +1387,12 @@ pub fn validate_slash_command_input(
             validate_no_args(command, &args)?;
             SlashCommand::Doctor
         }
-        "login" => {
-            validate_no_args(command, &args)?;
-            SlashCommand::Login
-        }
-        "logout" => {
-            validate_no_args(command, &args)?;
-            SlashCommand::Logout
+        "login" | "logout" => {
+            return Err(command_error(
+                "This auth flow was removed. Set ANTHROPIC_API_KEY or ANTHROPIC_AUTH_TOKEN instead.",
+                command,
+                "",
+            ));
         }
         "vim" => {
             validate_no_args(command, &args)?;
@@ -1893,20 +1877,12 @@ pub fn resume_supported_slash_commands() -> Vec<&'static SlashCommandSpec> {
 
 fn slash_command_category(name: &str) -> &'static str {
     match name {
-        "help" | "status" | "cost" | "resume" | "session" | "version" | "login" | "logout"
-        | "usage" | "stats" | "rename" | "clear" | "compact" | "history" | "tokens" | "cache"
-        | "exit" | "summary" | "tag" | "thinkback" | "copy" | "share" | "feedback" | "rewind"
-        | "pin" | "unpin" | "bookmarks" | "context" | "files" | "focus" | "unfocus" | "retry"
-        | "stop" | "undo" => "Session",
-        "diff" | "commit" | "pr" | "issue" | "branch" | "blame" | "log" | "git" | "stash"
-        | "init" | "export" | "plan" | "review" | "security-review" | "bughunter" | "ultraplan"
-        | "teleport" | "refactor" | "fix" | "autofix" | "explain" | "docs" | "perf" | "search"
-        | "references" | "definition" | "hover" | "symbols" | "map" | "web" | "image"
-        | "screenshot" | "paste" | "listen" | "speak" | "test" | "lint" | "build" | "run"
-        | "format" | "parallel" | "multi" | "macro" | "alias" | "templates" | "migrate"
-        | "benchmark" | "cron" | "agent" | "subagent" | "agents" | "skills" | "team" | "plugin"
-        | "mcp" | "hooks" | "tasks" | "advisor" | "insights" | "release-notes" | "chat"
-        | "approve" | "deny" | "allowed-tools" | "add-dir" => "Tools",
+        "help" | "status" | "cost" | "resume" | "session" | "version" | "usage" | "stats"
+        | "rename" | "clear" | "compact" | "history" | "tokens" | "cache" | "exit" | "summary"
+        | "tag" | "thinkback" | "copy" | "share" | "feedback" | "rewind" | "pin" | "unpin"
+        | "bookmarks" | "context" | "files" | "focus" | "unfocus" | "retry" | "stop" | "undo" => {
+            "Session"
+        }
         "model" | "permissions" | "config" | "memory" | "theme" | "vim" | "voice" | "color"
         | "effort" | "fast" | "brief" | "output-style" | "keybindings" | "privacy-settings"
         | "stickers" | "language" | "profile" | "max-tokens" | "temperature" | "system-prompt"
@@ -2210,10 +2186,15 @@ pub fn handle_plugins_slash_command(
     manager: &mut PluginManager,
 ) -> Result<PluginsCommandResult, PluginError> {
     match action {
-        None | Some("list") => Ok(PluginsCommandResult {
-            message: render_plugins_report(&manager.list_installed_plugins()?),
-            reload_runtime: false,
-        }),
+        None | Some("list") => {
+            let report = manager.installed_plugin_registry_report()?;
+            let plugins = report.summaries();
+            let failures = report.failures();
+            Ok(PluginsCommandResult {
+                message: render_plugins_report_with_failures(&plugins, failures),
+                reload_runtime: false,
+            })
+        }
         Some("install") => {
             let Some(target) = target else {
                 return Ok(PluginsCommandResult {
@@ -2472,7 +2453,8 @@ pub fn resolve_skill_invocation(
                         .map(|s| s.name.clone())
                         .collect();
                     if !names.is_empty() {
-                        message.push_str(&format!("\n  Available skills: {}", names.join(", ")));
+                        message.push_str("\n  Available skills: ");
+                        message.push_str(&names.join(", "));
                     }
                 }
                 message.push_str("\n  Usage: /skills [list|install <path>|help|<skill> [args]]");
@@ -2667,6 +2649,48 @@ pub fn render_plugins_report(plugins: &[PluginSummary]) -> String {
     lines.join("\n")
 }
 
+#[must_use]
+pub fn render_plugins_report_with_failures(
+    plugins: &[PluginSummary],
+    failures: &[PluginLoadFailure],
+) -> String {
+    let mut lines = vec!["Plugins".to_string()];
+
+    // Show successfully loaded plugins
+    if plugins.is_empty() {
+        lines.push("  No plugins installed.".to_string());
+    } else {
+        for plugin in plugins {
+            let enabled = if plugin.enabled {
+                "enabled"
+            } else {
+                "disabled"
+            };
+            lines.push(format!(
+                "  {name:<20} v{version:<10} {enabled}",
+                name = plugin.metadata.name,
+                version = plugin.metadata.version,
+            ));
+        }
+    }
+
+    // Show warnings for broken plugins
+    if !failures.is_empty() {
+        lines.push(String::new());
+        lines.push("Warnings:".to_string());
+        for failure in failures {
+            lines.push(format!(
+                "  ⚠️  Failed to load {} plugin from `{}`",
+                failure.kind,
+                failure.plugin_root.display()
+            ));
+            lines.push(format!("      Error: {}", failure.error()));
+        }
+    }
+
+    lines.join("\n")
+}
+
 fn render_plugin_install_report(plugin_id: &str, plugin: Option<&PluginSummary>) -> String {
     let name = plugin.map_or(plugin_id, |plugin| plugin.metadata.name.as_str());
     let version = plugin.map_or("unknown", |plugin| plugin.metadata.version.as_str());
@@ -4551,6 +4575,14 @@ mod tests {
         assert!(action_error.contains("  Usage            /mcp [list|show <server>|help]"));
     }
 
+    #[test]
+    fn removed_login_and_logout_commands_report_env_auth_guidance() {
+        let login_error = parse_error_message("/login");
+        assert!(login_error.contains("ANTHROPIC_API_KEY"));
+        let logout_error = parse_error_message("/logout");
+        assert!(logout_error.contains("ANTHROPIC_AUTH_TOKEN"));
+    }
+
     #[test]
     fn renders_help_from_shared_specs() {
         let help = render_slash_command_help();
@@ -4592,7 +4624,9 @@ mod tests {
         assert!(help.contains("/agents [list|help]"));
         assert!(help.contains("/skills [list|install <path>|help|<skill> [args]]"));
         assert!(help.contains("aliases: /skill"));
-        assert_eq!(slash_command_specs().len(), 141);
+        assert!(!help.contains("/login"));
+        assert!(!help.contains("/logout"));
+        assert_eq!(slash_command_specs().len(), 139);
         assert!(resume_supported_slash_commands().len() >= 39);
     }
 

rust/crates/compat-harness/src/lib.rs

@@ -18,6 +18,12 @@ impl UpstreamPaths {
         }
     }
 
+    /// Returns the repository root path.
+    #[must_use]
+    pub fn repo_root(&self) -> &Path {
+        &self.repo_root
+    }
+
     #[must_use]
     pub fn from_workspace_dir(workspace_dir: impl AsRef<Path>) -> Self {
         let workspace_dir = workspace_dir

rust/crates/plugins/src/lib.rs

@@ -1,10 +1,13 @@
 mod hooks;
+#[cfg(test)]
+pub mod test_isolation;
 
 use std::collections::{BTreeMap, BTreeSet};
 use std::fmt::{Display, Formatter};
 use std::fs;
 use std::path::{Path, PathBuf};
 use std::process::{Command, Stdio};
+use std::sync::atomic::{AtomicU64, Ordering};
 use std::time::{SystemTime, UNIX_EPOCH};
 
 use serde::{Deserialize, Serialize};
@@ -2160,7 +2163,13 @@ fn materialize_source(
     match source {
         PluginInstallSource::LocalPath { path } => Ok(path.clone()),
         PluginInstallSource::GitUrl { url } => {
-            let destination = temp_root.join(format!("plugin-{}", unix_time_ms()));
+            static MATERIALIZE_COUNTER: AtomicU64 = AtomicU64::new(0);
+            let unique = MATERIALIZE_COUNTER.fetch_add(1, Ordering::Relaxed);
+            let nanos = SystemTime::now()
+                .duration_since(UNIX_EPOCH)
+                .unwrap()
+                .as_nanos();
+            let destination = temp_root.join(format!("plugin-{nanos}-{unique}"));
             let output = Command::new("git")
                 .arg("clone")
                 .arg("--depth")
@@ -2273,6 +2282,14 @@ fn ensure_object<'a>(root: &'a mut Map<String, Value>, key: &str) -> &'a mut Map
         .expect("object should exist")
 }
 
+/// Environment variable lock for test isolation.
+/// Guards against concurrent modification of `CLAW_CONFIG_HOME`.
+#[cfg(test)]
+fn env_lock() -> &'static std::sync::Mutex<()> {
+    static ENV_LOCK: std::sync::Mutex<()> = std::sync::Mutex::new(());
+    &ENV_LOCK
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -2468,6 +2485,7 @@ mod tests {
 
     #[test]
     fn load_plugin_from_directory_validates_required_fields() {
+        let _guard = env_lock().lock().expect("env lock");
         let root = temp_dir("manifest-required");
         write_file(
             root.join(MANIFEST_FILE_NAME).as_path(),
@@ -2482,6 +2500,7 @@ mod tests {
 
     #[test]
     fn load_plugin_from_directory_reads_root_manifest_and_validates_entries() {
+        let _guard = env_lock().lock().expect("env lock");
         let root = temp_dir("manifest-root");
         write_loader_plugin(&root);
 
@@ -2511,6 +2530,7 @@ mod tests {
 
     #[test]
     fn load_plugin_from_directory_supports_packaged_manifest_path() {
+        let _guard = env_lock().lock().expect("env lock");
         let root = temp_dir("manifest-packaged");
         write_external_plugin(&root, "packaged-demo", "1.0.0");
 
@@ -2524,6 +2544,7 @@ mod tests {
 
     #[test]
     fn load_plugin_from_directory_defaults_optional_fields() {
+        let _guard = env_lock().lock().expect("env lock");
         let root = temp_dir("manifest-defaults");
         write_file(
             root.join(MANIFEST_FILE_NAME).as_path(),
@@ -2545,6 +2566,7 @@ mod tests {
 
     #[test]
     fn load_plugin_from_directory_rejects_duplicate_permissions_and_commands() {
+        let _guard = env_lock().lock().expect("env lock");
         let root = temp_dir("manifest-duplicates");
         write_file(
             root.join("commands").join("sync.sh").as_path(),
@@ -2840,6 +2862,7 @@ mod tests {
 
     #[test]
     fn discovers_builtin_and_bundled_plugins() {
+        let _guard = env_lock().lock().expect("env lock");
         let manager = PluginManager::new(PluginManagerConfig::new(temp_dir("discover")));
         let plugins = manager.list_plugins().expect("plugins should list");
         assert!(plugins
@@ -2852,6 +2875,7 @@ mod tests {
 
     #[test]
     fn installs_enables_updates_and_uninstalls_external_plugins() {
+        let _guard = env_lock().lock().expect("env lock");
         let config_home = temp_dir("home");
         let source_root = temp_dir("source");
         write_external_plugin(&source_root, "demo", "1.0.0");
@@ -2900,6 +2924,7 @@ mod tests {
 
     #[test]
     fn auto_installs_bundled_plugins_into_the_registry() {
+        let _guard = env_lock().lock().expect("env lock");
         let config_home = temp_dir("bundled-home");
         let bundled_root = temp_dir("bundled-root");
         write_bundled_plugin(&bundled_root.join("starter"), "starter", "0.1.0", false);
@@ -2931,6 +2956,7 @@ mod tests {
 
     #[test]
     fn default_bundled_root_loads_repo_bundles_as_installed_plugins() {
+        let _guard = env_lock().lock().expect("env lock");
         let config_home = temp_dir("default-bundled-home");
         let manager = PluginManager::new(PluginManagerConfig::new(&config_home));
 
@@ -2949,6 +2975,7 @@ mod tests {
 
     #[test]
     fn bundled_sync_prunes_removed_bundled_registry_entries() {
+        let _guard = env_lock().lock().expect("env lock");
         let config_home = temp_dir("bundled-prune-home");
         let bundled_root = temp_dir("bundled-prune-root");
         let stale_install_path = config_home
@@ -3012,6 +3039,7 @@ mod tests {
 
     #[test]
     fn installed_plugin_discovery_keeps_registry_entries_outside_install_root() {
+        let _guard = env_lock().lock().expect("env lock");
         let config_home = temp_dir("registry-fallback-home");
         let bundled_root = temp_dir("registry-fallback-bundled");
         let install_root = config_home.join("plugins").join("installed");
@@ -3066,6 +3094,7 @@ mod tests {
 
     #[test]
     fn installed_plugin_discovery_prunes_stale_registry_entries() {
+        let _guard = env_lock().lock().expect("env lock");
         let config_home = temp_dir("registry-prune-home");
         let bundled_root = temp_dir("registry-prune-bundled");
         let install_root = config_home.join("plugins").join("installed");
@@ -3111,6 +3140,7 @@ mod tests {
 
     #[test]
     fn persists_bundled_plugin_enable_state_across_reloads() {
+        let _guard = env_lock().lock().expect("env lock");
         let config_home = temp_dir("bundled-state-home");
         let bundled_root = temp_dir("bundled-state-root");
         write_bundled_plugin(&bundled_root.join("starter"), "starter", "0.1.0", false);
@@ -3144,6 +3174,7 @@ mod tests {
 
     #[test]
     fn persists_bundled_plugin_disable_state_across_reloads() {
+        let _guard = env_lock().lock().expect("env lock");
         let config_home = temp_dir("bundled-disabled-home");
         let bundled_root = temp_dir("bundled-disabled-root");
         write_bundled_plugin(&bundled_root.join("starter"), "starter", "0.1.0", true);
@@ -3177,6 +3208,7 @@ mod tests {
 
     #[test]
     fn validates_plugin_source_before_install() {
+        let _guard = env_lock().lock().expect("env lock");
         let config_home = temp_dir("validate-home");
         let source_root = temp_dir("validate-source");
         write_external_plugin(&source_root, "validator", "1.0.0");
@@ -3191,6 +3223,7 @@ mod tests {
 
     #[test]
     fn plugin_registry_tracks_enabled_state_and_lookup() {
+        let _guard = env_lock().lock().expect("env lock");
         let config_home = temp_dir("registry-home");
         let source_root = temp_dir("registry-source");
         write_external_plugin(&source_root, "registry-demo", "1.0.0");
@@ -3218,6 +3251,7 @@ mod tests {
 
     #[test]
     fn plugin_registry_report_collects_load_failures_without_dropping_valid_plugins() {
+        let _guard = env_lock().lock().expect("env lock");
         // given
         let config_home = temp_dir("report-home");
         let external_root = temp_dir("report-external");
@@ -3262,6 +3296,7 @@ mod tests {
 
     #[test]
     fn installed_plugin_registry_report_collects_load_failures_from_install_root() {
+        let _guard = env_lock().lock().expect("env lock");
         // given
         let config_home = temp_dir("installed-report-home");
         let bundled_root = temp_dir("installed-report-bundled");
@@ -3292,6 +3327,7 @@ mod tests {
 
     #[test]
     fn rejects_plugin_sources_with_missing_hook_paths() {
+        let _guard = env_lock().lock().expect("env lock");
         // given
         let config_home = temp_dir("broken-home");
         let source_root = temp_dir("broken-source");
@@ -3319,6 +3355,7 @@ mod tests {
 
     #[test]
     fn rejects_plugin_sources_with_missing_failure_hook_paths() {
+        let _guard = env_lock().lock().expect("env lock");
         // given
         let config_home = temp_dir("broken-failure-home");
         let source_root = temp_dir("broken-failure-source");
@@ -3346,6 +3383,7 @@ mod tests {
 
     #[test]
     fn plugin_registry_runs_initialize_and_shutdown_for_enabled_plugins() {
+        let _guard = env_lock().lock().expect("env lock");
         let config_home = temp_dir("lifecycle-home");
         let source_root = temp_dir("lifecycle-source");
         let _ = write_lifecycle_plugin(&source_root, "lifecycle-demo", "1.0.0");
@@ -3369,6 +3407,7 @@ mod tests {
 
     #[test]
     fn aggregates_and_executes_plugin_tools() {
+        let _guard = env_lock().lock().expect("env lock");
         let config_home = temp_dir("tool-home");
         let source_root = temp_dir("tool-source");
         write_tool_plugin(&source_root, "tool-demo", "1.0.0");
@@ -3397,6 +3436,7 @@ mod tests {
 
     #[test]
     fn list_installed_plugins_scans_install_root_without_registry_entries() {
+        let _guard = env_lock().lock().expect("env lock");
         let config_home = temp_dir("installed-scan-home");
         let bundled_root = temp_dir("installed-scan-bundled");
         let install_root = config_home.join("plugins").join("installed");
@@ -3428,6 +3468,7 @@ mod tests {
 
     #[test]
     fn list_installed_plugins_scans_packaged_manifests_in_install_root() {
+        let _guard = env_lock().lock().expect("env lock");
         let config_home = temp_dir("installed-packaged-scan-home");
         let bundled_root = temp_dir("installed-packaged-scan-bundled");
         let install_root = config_home.join("plugins").join("installed");
@@ -3456,4 +3497,143 @@ mod tests {
         let _ = fs::remove_dir_all(config_home);
         let _ = fs::remove_dir_all(bundled_root);
     }
+
+    /// Regression test for ROADMAP #41: verify that `CLAW_CONFIG_HOME` isolation prevents
+    /// host `~/.claw/plugins/` from bleeding into test runs.
+    #[test]
+    fn claw_config_home_isolation_prevents_host_plugin_leakage() {
+        let _guard = env_lock().lock().expect("env lock");
+
+        // Create a temp directory to act as our isolated CLAW_CONFIG_HOME
+        let config_home = temp_dir("isolated-home");
+        let bundled_root = temp_dir("isolated-bundled");
+
+        // Set CLAW_CONFIG_HOME to our temp directory
+        std::env::set_var("CLAW_CONFIG_HOME", &config_home);
+
+        // Create a test fixture plugin in the isolated config home
+        let install_root = config_home.join("plugins").join("installed");
+        let fixture_plugin_root = install_root.join("isolated-test-plugin");
+        write_file(
+            fixture_plugin_root.join(MANIFEST_RELATIVE_PATH).as_path(),
+            r#"{
+  "name": "isolated-test-plugin",
+  "version": "1.0.0",
+  "description": "Test fixture plugin in isolated config home"
+}"#,
+        );
+
+        // Create PluginManager with isolated bundled_root - it should use the temp config_home, not host ~/.claw/
+        let mut config = PluginManagerConfig::new(&config_home);
+        config.bundled_root = Some(bundled_root.clone());
+        let manager = PluginManager::new(config);
+
+        // List installed plugins - should only see the test fixture, not host plugins
+        let installed = manager
+            .list_installed_plugins()
+            .expect("installed plugins should list");
+
+        // Verify we only see the test fixture plugin
+        assert_eq!(
+            installed.len(),
+            1,
+            "should only see the test fixture plugin, not host ~/.claw/plugins/"
+        );
+        assert_eq!(
+            installed[0].metadata.id, "isolated-test-plugin@external",
+            "should see the test fixture plugin"
+        );
+
+        // Cleanup
+        std::env::remove_var("CLAW_CONFIG_HOME");
+        let _ = fs::remove_dir_all(config_home);
+        let _ = fs::remove_dir_all(bundled_root);
+    }
+
+    #[test]
+    fn plugin_lifecycle_handles_parallel_execution() {
+        use std::sync::atomic::{AtomicUsize, Ordering as AtomicOrdering};
+        use std::sync::Arc;
+        use std::thread;
+
+        let _guard = env_lock().lock().expect("env lock");
+
+        // Shared base directory for all threads
+        let base_dir = temp_dir("parallel-base");
+
+        // Track successful installations and any errors
+        let success_count = Arc::new(AtomicUsize::new(0));
+        let error_count = Arc::new(AtomicUsize::new(0));
+
+        // Spawn multiple threads to install plugins simultaneously
+        let mut handles = Vec::new();
+        for thread_id in 0..5 {
+            let base_dir = base_dir.clone();
+            let success_count = Arc::clone(&success_count);
+            let error_count = Arc::clone(&error_count);
+
+            let handle = thread::spawn(move || {
+                // Create unique directories for this thread
+                let config_home = base_dir.join(format!("config-{thread_id}"));
+                let source_root = base_dir.join(format!("source-{thread_id}"));
+
+                // Write lifecycle plugin for this thread
+                let _log_path =
+                    write_lifecycle_plugin(&source_root, &format!("parallel-{thread_id}"), "1.0.0");
+
+                // Create PluginManager and install
+                let mut manager = PluginManager::new(PluginManagerConfig::new(&config_home));
+                let install_result = manager.install(source_root.to_str().expect("utf8 path"));
+
+                match install_result {
+                    Ok(install) => {
+                        let log_path = install.install_path.join("lifecycle.log");
+
+                        // Initialize and shutdown the registry to trigger lifecycle hooks
+                        let registry = manager.plugin_registry();
+                        match registry {
+                            Ok(registry) => {
+                                if registry.initialize().is_ok() && registry.shutdown().is_ok() {
+                                    // Verify lifecycle.log exists and has expected content
+                                    if let Ok(log) = fs::read_to_string(&log_path) {
+                                        if log == "init\nshutdown\n" {
+                                            success_count.fetch_add(1, AtomicOrdering::Relaxed);
+                                        }
+                                    }
+                                }
+                            }
+                            Err(_) => {
+                                error_count.fetch_add(1, AtomicOrdering::Relaxed);
+                            }
+                        }
+                    }
+                    Err(_) => {
+                        error_count.fetch_add(1, AtomicOrdering::Relaxed);
+                    }
+                }
+            });
+            handles.push(handle);
+        }
+
+        // Wait for all threads to complete
+        for handle in handles {
+            handle.join().expect("thread should complete");
+        }
+
+        // Verify all threads succeeded without collisions
+        let successes = success_count.load(AtomicOrdering::Relaxed);
+        let errors = error_count.load(AtomicOrdering::Relaxed);
+
+        assert_eq!(
+            successes, 5,
+            "all 5 parallel plugin installations should succeed"
+        );
+        assert_eq!(
+            errors, 0,
+            "no errors should occur during parallel execution"
+        );
+
+        // Cleanup
+        let _ = fs::remove_dir_all(base_dir);
+    }
 }

rust/crates/plugins/src/test_isolation.rs

@@ -0,0 +1,73 @@
+// Test isolation utilities for plugin tests
+// ROADMAP #41: Stop ambient plugin state from skewing CLI regression checks
+
+use std::env;
+use std::path::PathBuf;
+use std::sync::atomic::{AtomicU64, Ordering};
+use std::sync::Mutex;
+
+static TEST_COUNTER: AtomicU64 = AtomicU64::new(0);
+static ENV_LOCK: Mutex<()> = Mutex::new(());
+
+/// Lock for test environment isolation
+pub struct EnvLock {
+    _guard: std::sync::MutexGuard<'static, ()>,
+    temp_home: PathBuf,
+}
+
+impl EnvLock {
+    /// Acquire environment lock for test isolation
+    pub fn lock() -> Self {
+        let guard = ENV_LOCK.lock().unwrap();
+        let count = TEST_COUNTER.fetch_add(1, Ordering::SeqCst);
+        let temp_home = std::env::temp_dir().join(format!("plugin-test-{count}"));
+
+        // Set up isolated environment
+        std::fs::create_dir_all(&temp_home).ok();
+        std::fs::create_dir_all(temp_home.join(".claude/plugins/installed")).ok();
+        std::fs::create_dir_all(temp_home.join(".config")).ok();
+
+        // Redirect HOME and XDG_CONFIG_HOME to temp directory
+        env::set_var("HOME", &temp_home);
+        env::set_var("XDG_CONFIG_HOME", temp_home.join(".config"));
+        env::set_var("XDG_DATA_HOME", temp_home.join(".local/share"));
+
+        EnvLock {
+            _guard: guard,
+            temp_home,
+        }
+    }
+
+    /// Get the temporary home directory for this test
+    #[must_use]
+    pub fn temp_home(&self) -> &PathBuf {
+        &self.temp_home
+    }
+}
+
+impl Drop for EnvLock {
+    fn drop(&mut self) {
+        // Cleanup temp directory
+        std::fs::remove_dir_all(&self.temp_home).ok();
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_env_lock_creates_isolated_home() {
+        let lock = EnvLock::lock();
+        let home = env::var("HOME").unwrap();
+        assert!(home.contains("plugin-test-"));
+        assert_eq!(home, lock.temp_home().to_str().unwrap());
+    }
+
+    #[test]
+    fn test_env_lock_creates_plugin_directories() {
+        let lock = EnvLock::lock();
+        let plugins_dir = lock.temp_home().join(".claude/plugins/installed");
+        assert!(plugins_dir.exists());
+    }
+}

rust/crates/runtime/src/compact.rs

@@ -135,8 +135,7 @@ pub fn compact_session(session: &Session, config: CompactionConfig) -> Compactio
             let starts_with_tool_result = first_preserved
                 .blocks
                 .first()
-                .map(|b| matches!(b, ContentBlock::ToolResult { .. }))
-                .unwrap_or(false);
+                .is_some_and(|b| matches!(b, ContentBlock::ToolResult { .. }));
             if !starts_with_tool_result {
                 break;
             }
@@ -741,7 +740,7 @@ mod tests {
 
     /// Regression: compaction must not split an assistant(ToolUse) /
     /// user(ToolResult) pair at the boundary. An orphaned tool-result message
-    /// without the preceding assistant tool_calls causes a 400 on the
+    /// without the preceding assistant `tool_calls` causes a 400 on the
     /// OpenAI-compat path (gaebal-gajae repro 2026-04-09).
     #[test]
     fn compaction_does_not_split_tool_use_tool_result_pair() {
@@ -795,8 +794,7 @@ mod tests {
             let curr_is_tool_result = messages[i]
                 .blocks
                 .first()
-                .map(|b| matches!(b, ContentBlock::ToolResult { .. }))
-                .unwrap_or(false);
+                .is_some_and(|b| matches!(b, ContentBlock::ToolResult { .. }));
             if curr_is_tool_result {
                 let prev_has_tool_use = messages[i - 1]
                     .blocks

rust/crates/runtime/src/conversation.rs

@@ -292,6 +292,24 @@ where
         }
     }
 
+    /// Run a session health probe to verify the runtime is functional after compaction.
+    /// Returns Ok(()) if healthy, Err if the session appears broken.
+    fn run_session_health_probe(&mut self) -> Result<(), String> {
+        // Check if we have basic session integrity
+        if self.session.messages.is_empty() && self.session.compaction.is_some() {
+            // Freshly compacted with no messages - this is normal
+            return Ok(());
+        }
+
+        // Verify tool executor is responsive with a non-destructive probe
+        // Using glob_search with a pattern that won't match anything
+        let probe_input = r#"{"pattern": "*.health-check-probe-"}"#;
+        match self.tool_executor.execute("glob_search", probe_input) {
+            Ok(_) => Ok(()),
+            Err(e) => Err(format!("Tool executor probe failed: {e}")),
+        }
+    }
+
     #[allow(clippy::too_many_lines)]
     pub fn run_turn(
         &mut self,
@@ -299,6 +317,18 @@ where
         mut prompter: Option<&mut dyn PermissionPrompter>,
     ) -> Result<TurnSummary, RuntimeError> {
         let user_input = user_input.into();
+
+        // ROADMAP #38: Session-health canary - probe if context was compacted
+        if self.session.compaction.is_some() {
+            if let Err(error) = self.run_session_health_probe() {
+                return Err(RuntimeError::new(format!(
+                    "Session health probe failed after compaction: {error}. \
+                     The session may be in an inconsistent state. \
+                     Consider starting a fresh session with /session new."
+                )));
+            }
+        }
+
         self.record_turn_started(&user_input);
         self.session
             .push_user_text(user_input)
@@ -1581,6 +1611,88 @@ mod tests {
         );
     }
 
+    #[test]
+    fn compaction_health_probe_blocks_turn_when_tool_executor_is_broken() {
+        struct SimpleApi;
+        impl ApiClient for SimpleApi {
+            fn stream(
+                &mut self,
+                _request: ApiRequest,
+            ) -> Result<Vec<AssistantEvent>, RuntimeError> {
+                panic!("API should not run when health probe fails");
+            }
+        }
+
+        let mut session = Session::new();
+        session.record_compaction("summarized earlier work", 4);
+        session
+            .push_user_text("previous message")
+            .expect("message should append");
+
+        let tool_executor = StaticToolExecutor::new().register("glob_search", |_input| {
+            Err(ToolError::new("transport unavailable"))
+        });
+        let mut runtime = ConversationRuntime::new(
+            session,
+            SimpleApi,
+            tool_executor,
+            PermissionPolicy::new(PermissionMode::DangerFullAccess),
+            vec!["system".to_string()],
+        );
+
+        let error = runtime
+            .run_turn("trigger", None)
+            .expect_err("health probe failure should abort the turn");
+        assert!(
+            error
+                .to_string()
+                .contains("Session health probe failed after compaction"),
+            "unexpected error: {error}"
+        );
+        assert!(
+            error.to_string().contains("transport unavailable"),
+            "expected underlying probe error: {error}"
+        );
+    }
+
+    #[test]
+    fn compaction_health_probe_skips_empty_compacted_session() {
+        struct SimpleApi;
+        impl ApiClient for SimpleApi {
+            fn stream(
+                &mut self,
+                _request: ApiRequest,
+            ) -> Result<Vec<AssistantEvent>, RuntimeError> {
+                Ok(vec![
+                    AssistantEvent::TextDelta("done".to_string()),
+                    AssistantEvent::MessageStop,
+                ])
+            }
+        }
+
+        let mut session = Session::new();
+        session.record_compaction("fresh summary", 2);
+
+        let tool_executor = StaticToolExecutor::new().register("glob_search", |_input| {
+            Err(ToolError::new(
+                "glob_search should not run for an empty compacted session",
+            ))
+        });
+        let mut runtime = ConversationRuntime::new(
+            session,
+            SimpleApi,
+            tool_executor,
+            PermissionPolicy::new(PermissionMode::DangerFullAccess),
+            vec!["system".to_string()],
+        );
+
+        let summary = runtime
+            .run_turn("trigger", None)
+            .expect("empty compacted session should not fail health probe");
+        assert_eq!(summary.auto_compaction, None);
+        assert_eq!(runtime.session().messages.len(), 2);
+    }
+
     #[test]
     fn build_assistant_message_requires_message_stop_event() {
         // given

rust/crates/runtime/src/lane_events.rs

@@ -36,6 +36,8 @@ pub enum LaneEventName {
     Closed,
     #[serde(rename = "branch.stale_against_main")]
     BranchStaleAgainstMain,
+    #[serde(rename = "branch.workspace_mismatch")]
+    BranchWorkspaceMismatch,
 }
 
 #[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
@@ -67,6 +69,7 @@ pub enum LaneFailureClass {
     McpHandshake,
     GatewayRouting,
     ToolRuntime,
+    WorkspaceMismatch,
     Infra,
 }
 
@@ -277,6 +280,10 @@ mod tests {
                 LaneEventName::BranchStaleAgainstMain,
                 "branch.stale_against_main",
             ),
+            (
+                LaneEventName::BranchWorkspaceMismatch,
+                "branch.workspace_mismatch",
+            ),
         ];
 
         for (event, expected) in cases {
@@ -300,6 +307,7 @@ mod tests {
             (LaneFailureClass::McpHandshake, "mcp_handshake"),
             (LaneFailureClass::GatewayRouting, "gateway_routing"),
             (LaneFailureClass::ToolRuntime, "tool_runtime"),
+            (LaneFailureClass::WorkspaceMismatch, "workspace_mismatch"),
             (LaneFailureClass::Infra, "infra"),
         ];
 
@@ -329,6 +337,38 @@ mod tests {
         assert_eq!(failed.detail.as_deref(), Some("broken server"));
     }
 
+    #[test]
+    fn workspace_mismatch_failure_class_round_trips_in_branch_event_payloads() {
+        let mismatch = LaneEvent::new(
+            LaneEventName::BranchWorkspaceMismatch,
+            LaneEventStatus::Blocked,
+            "2026-04-04T00:00:02Z",
+        )
+        .with_failure_class(LaneFailureClass::WorkspaceMismatch)
+        .with_detail("session belongs to /tmp/repo-a but current workspace is /tmp/repo-b")
+        .with_data(json!({
+            "expectedWorkspaceRoot": "/tmp/repo-a",
+            "actualWorkspaceRoot": "/tmp/repo-b",
+            "sessionId": "sess-123",
+        }));
+
+        let mismatch_json = serde_json::to_value(&mismatch).expect("lane event should serialize");
+        assert_eq!(mismatch_json["event"], "branch.workspace_mismatch");
+        assert_eq!(mismatch_json["failureClass"], "workspace_mismatch");
+        assert_eq!(
+            mismatch_json["data"]["expectedWorkspaceRoot"],
+            "/tmp/repo-a"
+        );
+
+        let round_trip: LaneEvent =
+            serde_json::from_value(mismatch_json).expect("lane event should deserialize");
+        assert_eq!(round_trip.event, LaneEventName::BranchWorkspaceMismatch);
+        assert_eq!(
+            round_trip.failure_class,
+            Some(LaneFailureClass::WorkspaceMismatch)
+        );
+    }
+
     #[test]
     fn commit_events_can_carry_worktree_and_supersession_metadata() {
         let event = LaneEvent::commit_created(

rust/crates/runtime/src/permission_enforcer.rs

@@ -65,6 +65,40 @@ impl PermissionEnforcer {
         matches!(self.check(tool_name, input), EnforcementResult::Allowed)
     }
 
+    /// Check permission with an explicitly provided required mode.
+    /// Used when the required mode is determined dynamically (e.g., bash command classification).
+    pub fn check_with_required_mode(
+        &self,
+        tool_name: &str,
+        input: &str,
+        required_mode: PermissionMode,
+    ) -> EnforcementResult {
+        // When the active mode is Prompt, defer to the caller's interactive
+        // prompt flow rather than hard-denying.
+        if self.policy.active_mode() == PermissionMode::Prompt {
+            return EnforcementResult::Allowed;
+        }
+
+        let active_mode = self.policy.active_mode();
+
+        // Check if active mode meets the dynamically determined required mode
+        if active_mode >= required_mode {
+            return EnforcementResult::Allowed;
+        }
+
+        // Permission denied - active mode is insufficient
+        EnforcementResult::Denied {
+            tool: tool_name.to_owned(),
+            active_mode: active_mode.as_str().to_owned(),
+            required_mode: required_mode.as_str().to_owned(),
+            reason: format!(
+                "'{tool_name}' with input '{input}' requires '{}' permission, but current mode is '{}'",
+                required_mode.as_str(),
+                active_mode.as_str()
+            ),
+        }
+    }
+
     #[must_use]
     pub fn active_mode(&self) -> PermissionMode {
         self.policy.active_mode()

rust/crates/runtime/src/session.rs

@@ -98,6 +98,8 @@ pub struct Session {
     pub prompt_history: Vec<SessionPromptEntry>,
     /// The model used in this session, persisted so resumed sessions can
     /// report which model was originally used.
+    /// Timestamp of last successful health check (ROADMAP #38)
+    pub last_health_check_ms: Option<u64>,
     pub model: Option<String>,
     persistence: Option<SessionPersistence>,
 }
@@ -113,6 +115,7 @@ impl PartialEq for Session {
             && self.fork == other.fork
             && self.workspace_root == other.workspace_root
             && self.prompt_history == other.prompt_history
+            && self.last_health_check_ms == other.last_health_check_ms
     }
 }
 
@@ -164,6 +167,7 @@ impl Session {
             fork: None,
             workspace_root: None,
             prompt_history: Vec::new(),
+            last_health_check_ms: None,
             model: None,
             persistence: None,
         }
@@ -267,6 +271,7 @@ impl Session {
             }),
             workspace_root: self.workspace_root.clone(),
             prompt_history: self.prompt_history.clone(),
+            last_health_check_ms: self.last_health_check_ms,
             model: self.model.clone(),
             persistence: None,
         }
@@ -390,6 +395,7 @@ impl Session {
             fork,
             workspace_root,
             prompt_history,
+            last_health_check_ms: None,
             model,
             persistence: None,
         })
@@ -490,6 +496,7 @@ impl Session {
             fork,
             workspace_root,
             prompt_history,
+            last_health_check_ms: None,
             model,
             persistence: None,
         })
@@ -1460,12 +1467,8 @@ mod tests {
 /// Called by external consumers (e.g. clawhip) to enumerate sessions for a CWD.
 #[allow(dead_code)]
 pub fn workspace_sessions_dir(cwd: &std::path::Path) -> Result<std::path::PathBuf, SessionError> {
-    let store = crate::session_control::SessionStore::from_cwd(cwd).map_err(|e| {
-        SessionError::Io(std::io::Error::new(
-            std::io::ErrorKind::Other,
-            e.to_string(),
-        ))
-    })?;
+    let store = crate::session_control::SessionStore::from_cwd(cwd)
+        .map_err(|e| SessionError::Io(std::io::Error::other(e.to_string())))?;
     Ok(store.sessions_dir().to_path_buf())
 }
 
@@ -1482,8 +1485,7 @@ mod workspace_sessions_dir_tests {
         let result = workspace_sessions_dir(&tmp);
         assert!(
             result.is_ok(),
-            "workspace_sessions_dir should succeed for a valid CWD, got: {:?}",
-            result
+            "workspace_sessions_dir should succeed for a valid CWD, got: {result:?}"
         );
         let dir = result.unwrap();
         // The returned path should be non-empty and end with a hash component

rust/crates/runtime/src/session_control.rs

@@ -74,6 +74,7 @@ impl SessionStore {
         &self.workspace_root
     }
 
+    #[must_use]
     pub fn create_handle(&self, session_id: &str) -> SessionHandle {
         let id = session_id.to_string();
         let path = self
@@ -121,6 +122,17 @@ impl SessionStore {
                 return Ok(path);
             }
         }
+        if let Some(legacy_root) = self.legacy_sessions_root() {
+            for extension in [PRIMARY_SESSION_EXTENSION, LEGACY_SESSION_EXTENSION] {
+                let path = legacy_root.join(format!("{session_id}.{extension}"));
+                if !path.exists() {
+                    continue;
+                }
+                let session = Session::load_from_path(&path)?;
+                self.validate_loaded_session(&path, &session)?;
+                return Ok(path);
+            }
+        }
         Err(SessionControlError::Format(
             format_missing_session_reference(session_id),
         ))
@@ -128,61 +140,9 @@ impl SessionStore {
 
     pub fn list_sessions(&self) -> Result<Vec<ManagedSessionSummary>, SessionControlError> {
         let mut sessions = Vec::new();
-        let read_result = fs::read_dir(&self.sessions_root);
-        let entries = match read_result {
-            Ok(entries) => entries,
-            Err(err) if err.kind() == std::io::ErrorKind::NotFound => return Ok(sessions),
-            Err(err) => return Err(err.into()),
-        };
-        for entry in entries {
-            let entry = entry?;
-            let path = entry.path();
-            if !is_managed_session_file(&path) {
-                continue;
-            }
-            let metadata = entry.metadata()?;
-            let modified_epoch_millis = metadata
-                .modified()
-                .ok()
-                .and_then(|time| time.duration_since(UNIX_EPOCH).ok())
-                .map(|duration| duration.as_millis())
-                .unwrap_or_default();
-            let (id, message_count, parent_session_id, branch_name) =
-                match Session::load_from_path(&path) {
-                    Ok(session) => {
-                        let parent_session_id = session
-                            .fork
-                            .as_ref()
-                            .map(|fork| fork.parent_session_id.clone());
-                        let branch_name = session
-                            .fork
-                            .as_ref()
-                            .and_then(|fork| fork.branch_name.clone());
-                        (
-                            session.session_id,
-                            session.messages.len(),
-                            parent_session_id,
-                            branch_name,
-                        )
-                    }
-                    Err(_) => (
-                        path.file_stem()
-                            .and_then(|value| value.to_str())
-                            .unwrap_or("unknown")
-                            .to_string(),
-                        0,
-                        None,
-                        None,
-                    ),
-                };
-            sessions.push(ManagedSessionSummary {
-                id,
-                path,
-                modified_epoch_millis,
-                message_count,
-                parent_session_id,
-                branch_name,
-            });
+        self.collect_sessions_from_dir(&self.sessions_root, &mut sessions)?;
+        if let Some(legacy_root) = self.legacy_sessions_root() {
+            self.collect_sessions_from_dir(&legacy_root, &mut sessions)?;
         }
         sessions.sort_by(|left, right| {
             right
@@ -206,6 +166,7 @@ impl SessionStore {
     ) -> Result<LoadedManagedSession, SessionControlError> {
         let handle = self.resolve_reference(reference)?;
         let session = Session::load_from_path(&handle.path)?;
+        self.validate_loaded_session(&handle.path, &session)?;
         Ok(LoadedManagedSession {
             handle: SessionHandle {
                 id: session.session_id.clone(),
@@ -221,7 +182,9 @@ impl SessionStore {
         branch_name: Option<String>,
     ) -> Result<ForkedManagedSession, SessionControlError> {
         let parent_session_id = session.session_id.clone();
-        let forked = session.fork(branch_name);
+        let forked = session
+            .fork(branch_name)
+            .with_workspace_root(self.workspace_root.clone());
         let handle = self.create_handle(&forked.session_id);
         let branch_name = forked
             .fork
@@ -236,6 +199,96 @@ impl SessionStore {
             branch_name,
         })
     }
+
+    fn legacy_sessions_root(&self) -> Option<PathBuf> {
+        self.sessions_root
+            .parent()
+            .filter(|parent| parent.file_name().is_some_and(|name| name == "sessions"))
+            .map(Path::to_path_buf)
+    }
+
+    fn validate_loaded_session(
+        &self,
+        session_path: &Path,
+        session: &Session,
+    ) -> Result<(), SessionControlError> {
+        let Some(actual) = session.workspace_root() else {
+            if path_is_within_workspace(session_path, &self.workspace_root) {
+                return Ok(());
+            }
+            return Err(SessionControlError::Format(
+                format_legacy_session_missing_workspace_root(session_path, &self.workspace_root),
+            ));
+        };
+        if workspace_roots_match(actual, &self.workspace_root) {
+            return Ok(());
+        }
+        Err(SessionControlError::WorkspaceMismatch {
+            expected: self.workspace_root.clone(),
+            actual: actual.to_path_buf(),
+        })
+    }
+
+    fn collect_sessions_from_dir(
+        &self,
+        directory: &Path,
+        sessions: &mut Vec<ManagedSessionSummary>,
+    ) -> Result<(), SessionControlError> {
+        let entries = match fs::read_dir(directory) {
+            Ok(entries) => entries,
+            Err(err) if err.kind() == std::io::ErrorKind::NotFound => return Ok(()),
+            Err(err) => return Err(err.into()),
+        };
+        for entry in entries {
+            let entry = entry?;
+            let path = entry.path();
+            if !is_managed_session_file(&path) {
+                continue;
+            }
+            let metadata = entry.metadata()?;
+            let modified_epoch_millis = metadata
+                .modified()
+                .ok()
+                .and_then(|time| time.duration_since(UNIX_EPOCH).ok())
+                .map(|duration| duration.as_millis())
+                .unwrap_or_default();
+            let summary = match Session::load_from_path(&path) {
+                Ok(session) => {
+                    if self.validate_loaded_session(&path, &session).is_err() {
+                        continue;
+                    }
+                    ManagedSessionSummary {
+                        id: session.session_id,
+                        path,
+                        modified_epoch_millis,
+                        message_count: session.messages.len(),
+                        parent_session_id: session
+                            .fork
+                            .as_ref()
+                            .map(|fork| fork.parent_session_id.clone()),
+                        branch_name: session
+                            .fork
+                            .as_ref()
+                            .and_then(|fork| fork.branch_name.clone()),
+                    }
+                }
+                Err(_) => ManagedSessionSummary {
+                    id: path
+                        .file_stem()
+                        .and_then(|value| value.to_str())
+                        .unwrap_or("unknown")
+                        .to_string(),
+                    path,
+                    modified_epoch_millis,
+                    message_count: 0,
+                    parent_session_id: None,
+                    branch_name: None,
+                },
+            };
+            sessions.push(summary);
+        }
+        Ok(())
+    }
 }
 
 /// Stable hex fingerprint of a workspace path.
@@ -294,6 +347,7 @@ pub enum SessionControlError {
     Io(std::io::Error),
     Session(SessionError),
     Format(String),
+    WorkspaceMismatch { expected: PathBuf, actual: PathBuf },
 }
 
 impl Display for SessionControlError {
@@ -302,6 +356,12 @@ impl Display for SessionControlError {
             Self::Io(error) => write!(f, "{error}"),
             Self::Session(error) => write!(f, "{error}"),
             Self::Format(error) => write!(f, "{error}"),
+            Self::WorkspaceMismatch { expected, actual } => write!(
+                f,
+                "session workspace mismatch: expected {}, found {}",
+                expected.display(),
+                actual.display()
+            ),
         }
     }
 }
@@ -327,9 +387,8 @@ pub fn sessions_dir() -> Result<PathBuf, SessionControlError> {
 pub fn managed_sessions_dir_for(
     base_dir: impl AsRef<Path>,
 ) -> Result<PathBuf, SessionControlError> {
-    let path = base_dir.as_ref().join(".claw").join("sessions");
-    fs::create_dir_all(&path)?;
-    Ok(path)
+    let store = SessionStore::from_cwd(base_dir)?;
+    Ok(store.sessions_dir().to_path_buf())
 }
 
 pub fn create_managed_session_handle(
@@ -342,10 +401,8 @@ pub fn create_managed_session_handle_for(
     base_dir: impl AsRef<Path>,
     session_id: &str,
 ) -> Result<SessionHandle, SessionControlError> {
-    let id = session_id.to_string();
-    let path =
-        managed_sessions_dir_for(base_dir)?.join(format!("{id}.{PRIMARY_SESSION_EXTENSION}"));
-    Ok(SessionHandle { id, path })
+    let store = SessionStore::from_cwd(base_dir)?;
+    Ok(store.create_handle(session_id))
 }
 
 pub fn resolve_session_reference(reference: &str) -> Result<SessionHandle, SessionControlError> {
@@ -356,36 +413,8 @@ pub fn resolve_session_reference_for(
     base_dir: impl AsRef<Path>,
     reference: &str,
 ) -> Result<SessionHandle, SessionControlError> {
-    let base_dir = base_dir.as_ref();
-    if is_session_reference_alias(reference) {
-        let latest = latest_managed_session_for(base_dir)?;
-        return Ok(SessionHandle {
-            id: latest.id,
-            path: latest.path,
-        });
-    }
-
-    let direct = PathBuf::from(reference);
-    let candidate = if direct.is_absolute() {
-        direct.clone()
-    } else {
-        base_dir.join(&direct)
-    };
-    let looks_like_path = direct.extension().is_some() || direct.components().count() > 1;
-    let path = if candidate.exists() {
-        candidate
-    } else if looks_like_path {
-        return Err(SessionControlError::Format(
-            format_missing_session_reference(reference),
-        ));
-    } else {
-        resolve_managed_session_path_for(base_dir, reference)?
-    };
-
-    Ok(SessionHandle {
-        id: session_id_from_path(&path).unwrap_or_else(|| reference.to_string()),
-        path,
-    })
+    let store = SessionStore::from_cwd(base_dir)?;
+    store.resolve_reference(reference)
 }
 
 pub fn resolve_managed_session_path(session_id: &str) -> Result<PathBuf, SessionControlError> {
@@ -396,16 +425,8 @@ pub fn resolve_managed_session_path_for(
     base_dir: impl AsRef<Path>,
     session_id: &str,
 ) -> Result<PathBuf, SessionControlError> {
-    let directory = managed_sessions_dir_for(base_dir)?;
-    for extension in [PRIMARY_SESSION_EXTENSION, LEGACY_SESSION_EXTENSION] {
-        let path = directory.join(format!("{session_id}.{extension}"));
-        if path.exists() {
-            return Ok(path);
-        }
-    }
-    Err(SessionControlError::Format(
-        format_missing_session_reference(session_id),
-    ))
+    let store = SessionStore::from_cwd(base_dir)?;
+    store.resolve_managed_path(session_id)
 }
 
 #[must_use]
@@ -424,64 +445,8 @@ pub fn list_managed_sessions() -> Result<Vec<ManagedSessionSummary>, SessionCont
 pub fn list_managed_sessions_for(
     base_dir: impl AsRef<Path>,
 ) -> Result<Vec<ManagedSessionSummary>, SessionControlError> {
-    let mut sessions = Vec::new();
-    for entry in fs::read_dir(managed_sessions_dir_for(base_dir)?)? {
-        let entry = entry?;
-        let path = entry.path();
-        if !is_managed_session_file(&path) {
-            continue;
-        }
-        let metadata = entry.metadata()?;
-        let modified_epoch_millis = metadata
-            .modified()
-            .ok()
-            .and_then(|time| time.duration_since(UNIX_EPOCH).ok())
-            .map(|duration| duration.as_millis())
-            .unwrap_or_default();
-        let (id, message_count, parent_session_id, branch_name) =
-            match Session::load_from_path(&path) {
-                Ok(session) => {
-                    let parent_session_id = session
-                        .fork
-                        .as_ref()
-                        .map(|fork| fork.parent_session_id.clone());
-                    let branch_name = session
-                        .fork
-                        .as_ref()
-                        .and_then(|fork| fork.branch_name.clone());
-                    (
-                        session.session_id,
-                        session.messages.len(),
-                        parent_session_id,
-                        branch_name,
-                    )
-                }
-                Err(_) => (
-                    path.file_stem()
-                        .and_then(|value| value.to_str())
-                        .unwrap_or("unknown")
-                        .to_string(),
-                    0,
-                    None,
-                    None,
-                ),
-            };
-        sessions.push(ManagedSessionSummary {
-            id,
-            path,
-            modified_epoch_millis,
-            message_count,
-            parent_session_id,
-            branch_name,
-        });
-    }
-    sessions.sort_by(|left, right| {
-        right
-            .modified_epoch_millis
-            .cmp(&left.modified_epoch_millis)
-            .then_with(|| right.id.cmp(&left.id))
-    });
-    Ok(sessions)
+    let store = SessionStore::from_cwd(base_dir)?;
+    store.list_sessions()
 }
 
 pub fn latest_managed_session() -> Result<ManagedSessionSummary, SessionControlError> {
@@ -491,10 +456,8 @@ pub fn latest_managed_session() -> Result<ManagedSessionSummary, SessionControlE
 pub fn latest_managed_session_for(
     base_dir: impl AsRef<Path>,
 ) -> Result<ManagedSessionSummary, SessionControlError> {
-    list_managed_sessions_for(base_dir)?
-        .into_iter()
-        .next()
-        .ok_or_else(|| SessionControlError::Format(format_no_managed_sessions()))
+    let store = SessionStore::from_cwd(base_dir)?;
+    store.latest_session()
 }
 
 pub fn load_managed_session(reference: &str) -> Result<LoadedManagedSession, SessionControlError> {
@@ -505,15 +468,8 @@ pub fn load_managed_session_for(
     base_dir: impl AsRef<Path>,
     reference: &str,
 ) -> Result<LoadedManagedSession, SessionControlError> {
-    let handle = resolve_session_reference_for(base_dir, reference)?;
-    let session = Session::load_from_path(&handle.path)?;
-    Ok(LoadedManagedSession {
-        handle: SessionHandle {
-            id: session.session_id.clone(),
-            path: handle.path,
-        },
-        session,
-    })
+    let store = SessionStore::from_cwd(base_dir)?;
+    store.load_session(reference)
 }
 
 pub fn fork_managed_session(
@@ -528,21 +484,8 @@ pub fn fork_managed_session_for(
     session: &Session,
     branch_name: Option<String>,
 ) -> Result<ForkedManagedSession, SessionControlError> {
-    let parent_session_id = session.session_id.clone();
-    let forked = session.fork(branch_name);
-    let handle = create_managed_session_handle_for(base_dir, &forked.session_id)?;
-    let branch_name = forked
-        .fork
-        .as_ref()
-        .and_then(|fork| fork.branch_name.clone());
-    let forked = forked.with_persistence_path(handle.path.clone());
-    forked.save_to_path(&handle.path)?;
-    Ok(ForkedManagedSession {
-        parent_session_id,
-        handle,
-        session: forked,
-        branch_name,
-    })
+    let store = SessionStore::from_cwd(base_dir)?;
+    store.fork_session(session, branch_name)
 }
 
 #[must_use]
@@ -574,12 +517,36 @@ fn format_no_managed_sessions() -> String {
     )
 }
 
+fn format_legacy_session_missing_workspace_root(
+    session_path: &Path,
+    workspace_root: &Path,
+) -> String {
+    format!(
+        "legacy session is missing workspace binding: {}\nOpen it from its original workspace or re-save it from {}.",
+        session_path.display(),
+        workspace_root.display()
+    )
+}
+
+fn workspace_roots_match(left: &Path, right: &Path) -> bool {
+    canonicalize_for_compare(left) == canonicalize_for_compare(right)
+}
+
+fn canonicalize_for_compare(path: &Path) -> PathBuf {
+    fs::canonicalize(path).unwrap_or_else(|_| path.to_path_buf())
+}
+
+fn path_is_within_workspace(path: &Path, workspace_root: &Path) -> bool {
+    canonicalize_for_compare(path).starts_with(canonicalize_for_compare(workspace_root))
+}
+
 #[cfg(test)]
 mod tests {
     use super::{
         create_managed_session_handle_for, fork_managed_session_for, is_session_reference_alias,
         list_managed_sessions_for, load_managed_session_for, resolve_session_reference_for,
-        workspace_fingerprint, ManagedSessionSummary, SessionStore, LATEST_SESSION_REFERENCE,
+        workspace_fingerprint, ManagedSessionSummary, SessionControlError, SessionStore,
+        LATEST_SESSION_REFERENCE,
     };
     use crate::session::Session;
     use std::fs;
@@ -595,7 +562,7 @@ mod tests {
     }
 
     fn persist_session(root: &Path, text: &str) -> Session {
-        let mut session = Session::new();
+        let mut session = Session::new().with_workspace_root(root.to_path_buf());
         session
             .push_user_text(text)
             .expect("session message should save");
@@ -708,7 +675,7 @@ mod tests {
     // ------------------------------------------------------------------
 
     fn persist_session_via_store(store: &SessionStore, text: &str) -> Session {
-        let mut session = Session::new();
+        let mut session = Session::new().with_workspace_root(store.workspace_root().to_path_buf());
         session
             .push_user_text(text)
             .expect("session message should save");
@@ -820,6 +787,95 @@ mod tests {
         fs::remove_dir_all(base).expect("temp dir should clean up");
     }
 
+    #[test]
+    fn session_store_rejects_legacy_session_from_other_workspace() {
+        // given
+        let base = temp_dir();
+        let workspace_a = base.join("repo-alpha");
+        let workspace_b = base.join("repo-beta");
+        fs::create_dir_all(&workspace_a).expect("workspace a should exist");
+        fs::create_dir_all(&workspace_b).expect("workspace b should exist");
+
+        let store_b = SessionStore::from_cwd(&workspace_b).expect("store b should build");
+        let legacy_root = workspace_b.join(".claw").join("sessions");
+        fs::create_dir_all(&legacy_root).expect("legacy root should exist");
+        let legacy_path = legacy_root.join("legacy-cross.jsonl");
+        let session = Session::new()
+            .with_workspace_root(workspace_a.clone())
+            .with_persistence_path(legacy_path.clone());
+        session
+            .save_to_path(&legacy_path)
+            .expect("legacy session should persist");
+
+        // when
+        let err = store_b
+            .load_session("legacy-cross")
+            .expect_err("workspace mismatch should be rejected");
+
+        // then
+        match err {
+            SessionControlError::WorkspaceMismatch { expected, actual } => {
+                assert_eq!(expected, workspace_b);
+                assert_eq!(actual, workspace_a);
+            }
+            other => panic!("expected workspace mismatch, got {other:?}"),
+        }
+        fs::remove_dir_all(base).expect("temp dir should clean up");
+    }
+
+    #[test]
+    fn session_store_loads_safe_legacy_session_from_same_workspace() {
+        // given
+        let base = temp_dir();
+        fs::create_dir_all(&base).expect("base dir should exist");
+        let store = SessionStore::from_cwd(&base).expect("store should build");
+        let legacy_root = base.join(".claw").join("sessions");
+        let legacy_path = legacy_root.join("legacy-safe.jsonl");
+        fs::create_dir_all(&legacy_root).expect("legacy root should exist");
+        let session = Session::new()
+            .with_workspace_root(base.clone())
+            .with_persistence_path(legacy_path.clone());
+        session
+            .save_to_path(&legacy_path)
+            .expect("legacy session should persist");
+
+        // when
+        let loaded = store
+            .load_session("legacy-safe")
+            .expect("same-workspace legacy session should load");
+
+        // then
+        assert_eq!(loaded.handle.id, session.session_id);
+        assert_eq!(loaded.handle.path, legacy_path);
+        assert_eq!(loaded.session.workspace_root(), Some(base.as_path()));
+        fs::remove_dir_all(base).expect("temp dir should clean up");
+    }
+
+    #[test]
+    fn session_store_loads_unbound_legacy_session_from_same_workspace() {
+        // given
+        let base = temp_dir();
+        fs::create_dir_all(&base).expect("base dir should exist");
+        let store = SessionStore::from_cwd(&base).expect("store should build");
+        let legacy_root = base.join(".claw").join("sessions");
+        let legacy_path = legacy_root.join("legacy-unbound.json");
+        fs::create_dir_all(&legacy_root).expect("legacy root should exist");
+        let session = Session::new().with_persistence_path(legacy_path.clone());
+        session
+            .save_to_path(&legacy_path)
+            .expect("legacy session should persist");
+
+        // when
+        let loaded = store
+            .load_session("legacy-unbound")
+            .expect("same-workspace legacy session without workspace binding should load");
+
+        // then
+        assert_eq!(loaded.handle.path, legacy_path);
+        assert_eq!(loaded.session.workspace_root(), None);
+        fs::remove_dir_all(base).expect("temp dir should clean up");
+    }
+
     #[test]
     fn session_store_latest_and_resolve_reference() {
         // given

rust/crates/runtime/src/worker_boot.rs

@@ -575,28 +575,28 @@ fn push_event(
 /// Write current worker state to `.claw/worker-state.json` under the worker's cwd.
 /// This is the file-based observability surface: external observers (clawhip, orchestrators)
 /// poll this file instead of requiring an HTTP route on the opencode binary.
+#[derive(serde::Serialize)]
+struct StateSnapshot<'a> {
+    worker_id: &'a str,
+    status: WorkerStatus,
+    is_ready: bool,
+    trust_gate_cleared: bool,
+    prompt_in_flight: bool,
+    last_event: Option<&'a WorkerEvent>,
+    updated_at: u64,
+    /// Seconds since last state transition. Clawhip uses this to detect
+    /// stalled workers without computing epoch deltas.
+    seconds_since_update: u64,
+}
+
 fn emit_state_file(worker: &Worker) {
     let state_dir = std::path::Path::new(&worker.cwd).join(".claw");
-    if let Err(_) = std::fs::create_dir_all(&state_dir) {
+    if std::fs::create_dir_all(&state_dir).is_err() {
         return;
     }
     let state_path = state_dir.join("worker-state.json");
     let tmp_path = state_dir.join("worker-state.json.tmp");
 
-    #[derive(serde::Serialize)]
-    struct StateSnapshot<'a> {
-        worker_id: &'a str,
-        status: WorkerStatus,
-        is_ready: bool,
-        trust_gate_cleared: bool,
-        prompt_in_flight: bool,
-        last_event: Option<&'a WorkerEvent>,
-        updated_at: u64,
-        /// Seconds since last state transition. Clawhip uses this to detect
-        /// stalled workers without computing epoch deltas.
-        seconds_since_update: u64,
-    }
-
     let now = now_secs();
     let snapshot = StateSnapshot {
         worker_id: &worker.worker_id,

rust/crates/rusty-claude-cli/build.rs

@@ -14,14 +14,13 @@ fn main() {
                 None
             }
         })
-        .map(|s| s.trim().to_string())
-        .unwrap_or_else(|| "unknown".to_string());
+        .map_or_else(|| "unknown".to_string(), |s| s.trim().to_string());
 
-    println!("cargo:rustc-env=GIT_SHA={}", git_sha);
+    println!("cargo:rustc-env=GIT_SHA={git_sha}");
 
     // TARGET is always set by Cargo during build
     let target = env::var("TARGET").unwrap_or_else(|_| "unknown".to_string());
-    println!("cargo:rustc-env=TARGET={}", target);
+    println!("cargo:rustc-env=TARGET={target}");
 
     // Build date from SOURCE_DATE_EPOCH (reproducible builds) or current UTC date.
     // Intentionally ignoring time component to keep output deterministic within a day.
@@ -48,8 +47,7 @@ fn main() {
                         None
                     }
                 })
-                .map(|s| s.trim().to_string())
-                .unwrap_or_else(|| "unknown".to_string())
+                .map_or_else(|| "unknown".to_string(), |s| s.trim().to_string())
         });
     println!("cargo:rustc-env=BUILD_DATE={build_date}");
 

rust/crates/rusty-claude-cli/src/render.rs

@@ -639,10 +639,16 @@ fn apply_code_block_background(line: &str) -> String {
 /// fence markers of equal or greater length are wrapped with a longer fence.
 ///
 /// LLMs frequently emit triple-backtick code blocks that contain triple-backtick
-/// examples.  CommonMark (and pulldown-cmark) treats the inner marker as the
+/// examples.  `CommonMark` (and pulldown-cmark) treats the inner marker as the
 /// closing fence, breaking the render.  This function detects the situation and
 /// upgrades the outer fence to use enough backticks (or tildes) that the inner
 /// markers become ordinary content.
+#[allow(
+    clippy::too_many_lines,
+    clippy::items_after_statements,
+    clippy::manual_repeat_n,
+    clippy::manual_str_repeat
+)]
 fn normalize_nested_fences(markdown: &str) -> String {
     // A fence line is either "labeled" (has an info string ⇒ always an opener)
     // or "bare" (no info string ⇒ could be opener or closer).

rust/crates/rusty-claude-cli/tests/cli_flags_and_config_defaults.rs

@@ -266,7 +266,7 @@ fn command_in(cwd: &Path) -> Command {
 
 fn write_session(root: &Path, label: &str) -> PathBuf {
     let session_path = root.join(format!("{label}.jsonl"));
-    let mut session = Session::new();
+    let mut session = Session::new().with_workspace_root(root.to_path_buf());
     session
         .push_user_text(format!("session fixture for {label}"))
         .expect("session write should succeed");

rust/crates/rusty-claude-cli/tests/output_format_contract.rs

@@ -4,6 +4,7 @@ use std::process::{Command, Output};
 use std::sync::atomic::{AtomicU64, Ordering};
 use std::time::{SystemTime, UNIX_EPOCH};
 
+use runtime::Session;
 use serde_json::Value;
 
 static TEMP_COUNTER: AtomicU64 = AtomicU64::new(0);
@@ -236,12 +237,7 @@ fn doctor_and_resume_status_emit_json_when_requested() {
     assert!(sandbox["enabled"].is_boolean());
     assert!(sandbox["fallback_reason"].is_null() || sandbox["fallback_reason"].is_string());
 
-    let session_path = root.join("session.jsonl");
-    fs::write(
-        &session_path,
-        "{\"type\":\"session_meta\",\"version\":3,\"session_id\":\"resume-json\",\"created_at_ms\":0,\"updated_at_ms\":0}\n{\"type\":\"message\",\"message\":{\"role\":\"user\",\"blocks\":[{\"type\":\"text\",\"text\":\"hello\"}]}}\n",
-    )
-    .expect("session should write");
+    let session_path = write_session_fixture(&root, "resume-json", Some("hello"));
     let resumed = assert_json_command(
         &root,
         &[
@@ -268,12 +264,7 @@ fn resumed_inventory_commands_emit_structured_json_when_requested() {
     fs::create_dir_all(&config_home).expect("config home should exist");
     fs::create_dir_all(&home).expect("home should exist");
 
-    let session_path = root.join("session.jsonl");
-    fs::write(
-        &session_path,
-        "{\"type\":\"session_meta\",\"version\":3,\"session_id\":\"resume-inventory-json\",\"created_at_ms\":0,\"updated_at_ms\":0}\n{\"type\":\"message\",\"message\":{\"role\":\"user\",\"blocks\":[{\"type\":\"text\",\"text\":\"inventory\"}]}}\n",
-    )
-    .expect("session should write");
+    let session_path = write_session_fixture(&root, "resume-inventory-json", Some("inventory"));
 
     let mcp = assert_json_command_with_env(
         &root,
@@ -324,12 +315,7 @@ fn resumed_version_and_init_emit_structured_json_when_requested() {
     let root = unique_temp_dir("resume-version-init-json");
     fs::create_dir_all(&root).expect("temp dir should exist");
 
-    let session_path = root.join("session.jsonl");
-    fs::write(
-        &session_path,
-        "{\"type\":\"session_meta\",\"version\":3,\"session_id\":\"resume-version-init-json\",\"created_at_ms\":0,\"updated_at_ms\":0}\n",
-    )
-    .expect("session should write");
+    let session_path = write_session_fixture(&root, "resume-version-init-json", None);
 
     let version = assert_json_command(
         &root,
@@ -405,6 +391,24 @@ fn write_upstream_fixture(root: &Path) -> PathBuf {
     upstream
 }
 
+fn write_session_fixture(root: &Path, session_id: &str, user_text: Option<&str>) -> PathBuf {
+    let session_path = root.join("session.jsonl");
+    let mut session = Session::new()
+        .with_workspace_root(root.to_path_buf())
+        .with_persistence_path(session_path.clone());
+    session.session_id = session_id.to_string();
+    if let Some(text) = user_text {
+        session
+            .push_user_text(text)
+            .expect("session fixture message should persist");
+    } else {
+        session
+            .save_to_path(&session_path)
+            .expect("session fixture should persist");
+    }
+    session_path
+}
+
 fn write_agent(root: &Path, name: &str, description: &str, model: &str, reasoning: &str) {
     fs::create_dir_all(root).expect("agent root should exist");
     fs::write(

rust/crates/rusty-claude-cli/tests/resume_slash_commands.rs

@@ -20,7 +20,7 @@ fn resumed_binary_accepts_slash_commands_with_arguments() {
     let session_path = temp_dir.join("session.jsonl");
     let export_path = temp_dir.join("notes.txt");
 
-    let mut session = Session::new();
+    let mut session = workspace_session(&temp_dir);
     session
         .push_user_text("ship the slash command harness")
         .expect("session write should succeed");
@@ -122,7 +122,7 @@ fn resumed_config_command_loads_settings_files_end_to_end() {
     fs::create_dir_all(&config_home).expect("config home should exist");
 
     let session_path = project_dir.join("session.jsonl");
-    Session::new()
+    workspace_session(&project_dir)
         .with_persistence_path(&session_path)
         .save_to_path(&session_path)
         .expect("session should persist");
@@ -180,13 +180,11 @@ fn resume_latest_restores_the_most_recent_managed_session() {
     // given
     let temp_dir = unique_temp_dir("resume-latest");
     let project_dir = temp_dir.join("project");
-    let sessions_dir = project_dir.join(".claw").join("sessions");
-    fs::create_dir_all(&sessions_dir).expect("sessions dir should exist");
+    let store = runtime::SessionStore::from_cwd(&project_dir).expect("session store should build");
+    let older_path = store.create_handle("session-older").path;
+    let newer_path = store.create_handle("session-newer").path;
 
-    let older_path = sessions_dir.join("session-older.jsonl");
-    let newer_path = sessions_dir.join("session-newer.jsonl");
-
-    let mut older = Session::new().with_persistence_path(&older_path);
+    let mut older = workspace_session(&project_dir).with_persistence_path(&older_path);
     older
         .push_user_text("older session")
         .expect("older session write should succeed");
@@ -194,7 +192,7 @@ fn resume_latest_restores_the_most_recent_managed_session() {
         .save_to_path(&older_path)
         .expect("older session should persist");
 
-    let mut newer = Session::new().with_persistence_path(&newer_path);
+    let mut newer = workspace_session(&project_dir).with_persistence_path(&newer_path);
     newer
         .push_user_text("newer session")
         .expect("newer session write should succeed");
@@ -229,7 +227,7 @@ fn resumed_status_command_emits_structured_json_when_requested() {
     fs::create_dir_all(&temp_dir).expect("temp dir should exist");
     let session_path = temp_dir.join("session.jsonl");
 
-    let mut session = Session::new();
+    let mut session = workspace_session(&temp_dir);
     session
         .push_user_text("resume status json fixture")
         .expect("session write should succeed");
@@ -283,7 +281,7 @@ fn resumed_status_surfaces_persisted_model() {
     fs::create_dir_all(&temp_dir).expect("temp dir should exist");
     let session_path = temp_dir.join("session.jsonl");
 
-    let mut session = Session::new();
+    let mut session = workspace_session(&temp_dir);
     session.model = Some("claude-sonnet-4-6".to_string());
     session
         .push_user_text("model persistence fixture")
@@ -324,7 +322,7 @@ fn resumed_sandbox_command_emits_structured_json_when_requested() {
     fs::create_dir_all(&temp_dir).expect("temp dir should exist");
     let session_path = temp_dir.join("session.jsonl");
 
-    Session::new()
+    workspace_session(&temp_dir)
         .save_to_path(&session_path)
         .expect("session should persist");
 
@@ -365,7 +363,7 @@ fn resumed_version_command_emits_structured_json() {
     let temp_dir = unique_temp_dir("resume-version-json");
     fs::create_dir_all(&temp_dir).expect("temp dir should exist");
     let session_path = temp_dir.join("session.jsonl");
-    Session::new()
+    workspace_session(&temp_dir)
         .save_to_path(&session_path)
         .expect("session should persist");
 
@@ -398,7 +396,7 @@ fn resumed_export_command_emits_structured_json() {
     let temp_dir = unique_temp_dir("resume-export-json");
     fs::create_dir_all(&temp_dir).expect("temp dir should exist");
     let session_path = temp_dir.join("session.jsonl");
-    let mut session = Session::new();
+    let mut session = workspace_session(&temp_dir);
     session
         .push_user_text("export json fixture")
         .expect("write ok");
@@ -432,7 +430,7 @@ fn resumed_help_command_emits_structured_json() {
     let temp_dir = unique_temp_dir("resume-help-json");
     fs::create_dir_all(&temp_dir).expect("temp dir should exist");
     let session_path = temp_dir.join("session.jsonl");
-    Session::new()
+    workspace_session(&temp_dir)
         .save_to_path(&session_path)
         .expect("persist ok");
 
@@ -465,7 +463,7 @@ fn resumed_no_command_emits_restored_json() {
     let temp_dir = unique_temp_dir("resume-no-cmd-json");
     fs::create_dir_all(&temp_dir).expect("temp dir should exist");
     let session_path = temp_dir.join("session.jsonl");
-    let mut session = Session::new();
+    let mut session = workspace_session(&temp_dir);
     session
         .push_user_text("restored json fixture")
         .expect("write ok");
@@ -499,7 +497,7 @@ fn resumed_stub_command_emits_not_implemented_json() {
     let temp_dir = unique_temp_dir("resume-stub-json");
     fs::create_dir_all(&temp_dir).expect("temp dir should exist");
     let session_path = temp_dir.join("session.jsonl");
-    Session::new()
+    workspace_session(&temp_dir)
         .save_to_path(&session_path)
         .expect("persist ok");
 
@@ -533,6 +531,10 @@ fn run_claw(current_dir: &Path, args: &[&str]) -> Output {
     run_claw_with_env(current_dir, args, &[])
 }
 
+fn workspace_session(root: &Path) -> Session {
+    Session::new().with_workspace_root(root.to_path_buf())
+}
+
 fn run_claw_with_env(current_dir: &Path, args: &[&str], envs: &[(&str, &str)]) -> Output {
     let mut command = Command::new(env!("CARGO_BIN_EXE_claw"));
     command.current_dir(current_dir).args(args);

rust/crates/tools/src/lib.rs

@@ -1182,8 +1182,11 @@ fn execute_tool_with_enforcer(
 ) -> Result<String, String> {
     match name {
         "bash" => {
-            maybe_enforce_permission_check(enforcer, name, input)?;
-            from_value::<BashCommandInput>(input).and_then(run_bash)
+            // Parse input to get the command for permission classification
+            let bash_input: BashCommandInput = from_value(input)?;
+            let classified_mode = classify_bash_permission(&bash_input.command);
+            maybe_enforce_permission_check_with_mode(enforcer, name, input, classified_mode)?;
+            run_bash(bash_input)
         }
         "read_file" => {
             maybe_enforce_permission_check(enforcer, name, input)?;
@@ -1221,7 +1224,13 @@ fn execute_tool_with_enforcer(
             from_value::<StructuredOutputInput>(input).and_then(run_structured_output)
         }
         "REPL" => from_value::<ReplInput>(input).and_then(run_repl),
-        "PowerShell" => from_value::<PowerShellInput>(input).and_then(run_powershell),
+        "PowerShell" => {
+            // Parse input to get the command for permission classification
+            let ps_input: PowerShellInput = from_value(input)?;
+            let classified_mode = classify_powershell_permission(&ps_input.command);
+            maybe_enforce_permission_check_with_mode(enforcer, name, input, classified_mode)?;
+            run_powershell(ps_input)
+        }
         "AskUserQuestion" => {
             from_value::<AskUserQuestionInput>(input).and_then(run_ask_user_question)
         }
@@ -1277,6 +1286,28 @@ fn maybe_enforce_permission_check(
     Ok(())
 }
 
+/// Enforce permission check with a dynamically classified permission mode.
+/// Used for tools like bash and `PowerShell` where the required permission
+/// depends on the actual command being executed.
+fn maybe_enforce_permission_check_with_mode(
+    enforcer: Option<&PermissionEnforcer>,
+    tool_name: &str,
+    input: &Value,
+    required_mode: PermissionMode,
+) -> Result<(), String> {
+    if let Some(enforcer) = enforcer {
+        let input_str = serde_json::to_string(input).unwrap_or_default();
+        let result = enforcer.check_with_required_mode(tool_name, &input_str, required_mode);
+
+        match result {
+            EnforcementResult::Allowed => Ok(()),
+            EnforcementResult::Denied { reason, .. } => Err(reason),
+        }
+    } else {
+        Ok(())
+    }
+}
+
 #[allow(clippy::needless_pass_by_value)]
 fn run_ask_user_question(input: AskUserQuestionInput) -> Result<String, String> {
     use std::io::{self, BufRead, Write};
@@ -1788,6 +1819,73 @@ fn from_value<T: for<'de> Deserialize<'de>>(input: &Value) -> Result<T, String>
     serde_json::from_value(input.clone()).map_err(|error| error.to_string())
 }
 
+/// Classify bash command permission based on command type and path.
+/// ROADMAP #50: Read-only commands targeting CWD paths get `WorkspaceWrite`,
+/// all others remain `DangerFullAccess`.
+fn classify_bash_permission(command: &str) -> PermissionMode {
+    // Read-only commands that are safe when targeting workspace paths
+    const READ_ONLY_COMMANDS: &[&str] = &[
+        "cat", "head", "tail", "less", "more", "ls", "ll", "dir", "find", "test", "[", "[[",
+        "grep", "rg", "awk", "sed", "file", "stat", "readlink", "wc", "sort", "uniq", "cut", "tr",
+        "pwd", "echo", "printf",
+    ];
+
+    // Get the base command (first word before any args or pipes)
+    let base_cmd = command.split_whitespace().next().unwrap_or("");
+    let base_cmd = base_cmd.split('|').next().unwrap_or("").trim();
+    let base_cmd = base_cmd.split(';').next().unwrap_or("").trim();
+    let base_cmd = base_cmd.split('>').next().unwrap_or("").trim();
+    let base_cmd = base_cmd.split('<').next().unwrap_or("").trim();
+
+    // Check if it's a read-only command
+    let cmd_name = base_cmd.split('/').next_back().unwrap_or(base_cmd);
+    let is_read_only = READ_ONLY_COMMANDS.contains(&cmd_name);
+
+    if !is_read_only {
+        return PermissionMode::DangerFullAccess;
+    }
+
+    // Check if any path argument is outside workspace
+    // Simple heuristic: check for absolute paths not starting with CWD
+    if has_dangerous_paths(command) {
+        return PermissionMode::DangerFullAccess;
+    }
+
+    PermissionMode::WorkspaceWrite
+}
+
+/// Check if command has dangerous paths (outside workspace).
+fn has_dangerous_paths(command: &str) -> bool {
+    // Look for absolute paths
+    let tokens: Vec<&str> = command.split_whitespace().collect();
+
+    for token in tokens {
+        // Skip flags/options
+        if token.starts_with('-') {
+            continue;
+        }
+
+        // Check for absolute paths
+        if token.starts_with('/') || token.starts_with("~/") {
+            // Check if it's within CWD
+            let path =
+                PathBuf::from(token.replace('~', &std::env::var("HOME").unwrap_or_default()));
+            if let Ok(cwd) = std::env::current_dir() {
+                if !path.starts_with(&cwd) {
+                    return true; // Path outside workspace
+                }
+            }
+        }
+
+        // Check for parent directory traversal that escapes workspace
+        if token.contains("../..") || token.starts_with("../") && !token.starts_with("./") {
+            return true;
+        }
+    }
+
+    false
+}
+
 fn run_bash(input: BashCommandInput) -> Result<String, String> {
     if let Some(output) = workspace_test_branch_preflight(&input.command) {
         return serde_json::to_string_pretty(&output).map_err(|error| error.to_string());
@@ -2033,6 +2131,78 @@ fn run_repl(input: ReplInput) -> Result<String, String> {
     to_pretty_json(execute_repl(input)?)
 }
 
+/// Classify `PowerShell` command permission based on command type and path.
+/// ROADMAP #50: Read-only commands targeting CWD paths get `WorkspaceWrite`,
+/// all others remain `DangerFullAccess`.
+fn classify_powershell_permission(command: &str) -> PermissionMode {
+    // Read-only commands that are safe when targeting workspace paths
+    const READ_ONLY_COMMANDS: &[&str] = &[
+        "Get-Content",
+        "Get-ChildItem",
+        "Test-Path",
+        "Get-Item",
+        "Get-ItemProperty",
+        "Get-FileHash",
+        "Select-String",
+    ];
+
+    // Check if command starts with a read-only cmdlet
+    let cmd_lower = command.trim().to_lowercase();
+    let is_read_only_cmd = READ_ONLY_COMMANDS
+        .iter()
+        .any(|cmd| cmd_lower.starts_with(&cmd.to_lowercase()));
+
+    if !is_read_only_cmd {
+        return PermissionMode::DangerFullAccess;
+    }
+
+    // Check if the path is within workspace (CWD or subdirectory)
+    // Extract path from command - look for -Path or positional parameter
+    let path = extract_powershell_path(command);
+    match path {
+        Some(p) if is_within_workspace(&p) => PermissionMode::WorkspaceWrite,
+        _ => PermissionMode::DangerFullAccess,
+    }
+}
+
+/// Extract the path argument from a `PowerShell` command.
+fn extract_powershell_path(command: &str) -> Option<String> {
+    // Look for -Path parameter
+    if let Some(idx) = command.to_lowercase().find("-path") {
+        let after_path = &command[idx + 5..];
+        let path = after_path.split_whitespace().next()?;
+        return Some(path.trim_matches('"').trim_matches('\'').to_string());
+    }
+
+    // Look for positional path parameter (after command name)
+    let parts: Vec<&str> = command.split_whitespace().collect();
+    if parts.len() >= 2 {
+        // Skip the cmdlet name and take the first argument
+        let first_arg = parts[1];
+        // Check if it looks like a path (contains \, /, or .)
+        if first_arg.contains(['\\', '/', '.']) {
+            return Some(first_arg.trim_matches('"').trim_matches('\'').to_string());
+        }
+    }
+
+    None
+}
+
+/// Check if a path is within the current workspace.
+fn is_within_workspace(path: &str) -> bool {
+    let path = PathBuf::from(path);
+
+    // If path is absolute, check if it starts with CWD
+    if path.is_absolute() {
+        if let Ok(cwd) = std::env::current_dir() {
+            return path.starts_with(&cwd);
+        }
+    }
+
+    // Relative paths are assumed to be within workspace
+    !path.starts_with("/") && !path.starts_with("\\") && !path.starts_with("..")
+}
+
 fn run_powershell(input: PowerShellInput) -> Result<String, String> {
     to_pretty_json(execute_powershell(input).map_err(|error| error.to_string())?)
 }
@@ -3734,6 +3904,8 @@ fn classify_lane_failure(error: &str) -> LaneFailureClass {
         || normalized.contains("tool runtime")
     {
         LaneFailureClass::ToolRuntime
+    } else if normalized.contains("workspace") && normalized.contains("mismatch") {
+        LaneFailureClass::WorkspaceMismatch
     } else if normalized.contains("plugin") {
         LaneFailureClass::PluginStartup
     } else if normalized.contains("mcp") && normalized.contains("handshake") {
@@ -3769,10 +3941,7 @@ impl ProviderRuntimeClient {
         allowed_tools: BTreeSet<String>,
         fallback_config: &ProviderFallbackConfig,
     ) -> Result<Self, String> {
-        let primary_model = fallback_config
-            .primary()
-            .map(str::to_string)
-            .unwrap_or(model);
+        let primary_model = fallback_config.primary().map_or(model, str::to_string);
         let primary = build_provider_entry(&primary_model)?;
         let mut chain = vec![primary];
         for fallback_model in fallback_config.fallbacks() {
@@ -3850,17 +4019,15 @@ impl ApiClient for ProviderRuntimeClient {
                         entry.model
                     );
                     last_error = Some(error);
-                    continue;
                 }
                 Err(error) => return Err(RuntimeError::new(error.to_string())),
             }
         }
 
-        Err(RuntimeError::new(
-            last_error
-                .map(|error| error.to_string())
-                .unwrap_or_else(|| String::from("provider chain exhausted with no attempts")),
-        ))
+        Err(RuntimeError::new(last_error.map_or_else(
+            || String::from("provider chain exhausted with no attempts"),
+            |error| error.to_string(),
+        )))
     }
 }
 
@@ -7253,6 +7420,10 @@ mod tests {
                 "tool failed: denied tool execution from hook",
                 LaneFailureClass::ToolRuntime,
             ),
+            (
+                "workspace mismatch while resuming the managed session",
+                LaneFailureClass::WorkspaceMismatch,
+            ),
             ("thread creation failed", LaneFailureClass::Infra),
         ];
 
@@ -7279,6 +7450,10 @@ mod tests {
                 LaneEventName::BranchStaleAgainstMain,
                 "branch.stale_against_main",
             ),
+            (
+                LaneEventName::BranchWorkspaceMismatch,
+                "branch.workspace_mismatch",
+            ),
         ];
 
         for (event, expected) in cases {
@@ -8253,11 +8428,12 @@ printf 'pwsh:%s' "$1"
     #[test]
     fn given_read_only_enforcer_when_bash_then_denied() {
         let registry = read_only_registry();
+        // Use a command that requires DangerFullAccess (rm) to ensure it's blocked in read-only mode
         let err = registry
-            .execute("bash", &json!({ "command": "echo hi" }))
+            .execute("bash", &json!({ "command": "rm -rf /" }))
             .expect_err("bash should be denied in read-only mode");
         assert!(
-            err.contains("current mode is read-only"),
+            err.contains("current mode is 'read-only'"),
             "should cite active mode: {err}"
         );
     }