ta_submit/

config.rs

//! Workflow configuration structures

use serde::{Deserialize, Serialize};
use std::collections::HashMap;
use std::path::PathBuf;

/// Top-level workflow configuration from .ta/workflow.toml
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct WorkflowConfig {
    /// Submit adapter configuration
    #[serde(default)]
    pub submit: SubmitConfig,

    /// Source sync configuration (v0.11.1)
    #[serde(default)]
    pub source: SourceConfig,

    /// Diff viewing configuration
    #[serde(default)]
    pub diff: DiffConfig,

    /// Display / output configuration
    #[serde(default)]
    pub display: DisplayConfig,

    /// Build configuration
    #[serde(default)]
    pub build: BuildConfig,

    /// Garbage collection / lifecycle configuration
    #[serde(default)]
    pub gc: GcConfig,

    /// Follow-up goal behavior configuration
    #[serde(default)]
    pub follow_up: FollowUpConfig,

    /// Pre-draft verification gate configuration
    #[serde(default)]
    pub verify: VerifyConfig,

    /// Shell TUI configuration
    #[serde(default)]
    pub shell: ShellConfig,

    /// Desktop notification configuration
    #[serde(default)]
    pub notify: NotifyConfig,

    /// Staging directory management (v0.11.3)
    #[serde(default)]
    pub staging: StagingConfig,

    /// Constitution / compliance checker configuration (v0.12.0)
    #[serde(default)]
    pub constitution: ConstitutionConfig,

    /// Agent sandboxing configuration (v0.14.0)
    #[serde(default)]
    pub sandbox: SandboxConfig,

    /// Audit log attestation configuration (v0.14.1)
    #[serde(default)]
    pub audit: AuditConfig,

    /// Draft approval governance configuration (v0.14.2)
    #[serde(default)]
    pub governance: GovernanceConfig,

    /// VCS configuration (v0.13.17.3)
    #[serde(default)]
    pub vcs: VcsConfig,

    /// Plan file configuration (v0.14.12).
    #[serde(default)]
    pub plan: PlanConfig,

    /// Supervisor agent configuration (v0.13.17.4)
    #[serde(default)]
    pub supervisor: SupervisorConfig,

    /// Draft review configuration (v0.15.4)
    #[serde(default)]
    pub draft: DraftReviewConfig,

    /// Workflow behavior configuration (v0.14.3)
    #[serde(default)]
    pub workflow: WorkflowSection,

    /// Commands to run after agent exit to produce hard validation evidence (v0.13.17).
    ///
    /// Each command is run in the staging workspace. Results are embedded in the
    /// DraftPackage as `validation_log`. Non-zero exit code blocks `ta draft approve`
    /// unless `--override` is passed.
    ///
    /// Default (empty): no required checks. Set in `.ta/workflow.toml`:
    /// ```toml
    /// required_checks = ["cargo build --workspace", "cargo test --workspace"]
    /// ```
    #[serde(default, skip_serializing_if = "Vec::is_empty")]
    pub required_checks: Vec<String>,

    /// Per-file conflict resolution policy for `ta draft apply` (v0.14.3.5).
    ///
    /// Specifies how conflicts are resolved when both the agent and an external
    /// commit touch the same file. Override globally or per-file/glob:
    ///
    /// ```toml
    /// [apply.conflict_policy]
    /// default = "merge"            # attempt 3-way merge first
    /// "PLAN.md" = "keep-source"   # TA owns this — never let agents overwrite
    /// "Cargo.lock" = "keep-source" # auto-generated, always regenerated by cargo
    /// "docs/**" = "merge"
    /// "src/**" = "abort"          # code conflicts need human review
    /// ```
    ///
    /// Valid values: `"abort"`, `"merge"`, `"keep-source"`, `"force-overwrite"`.
    /// Default when section is absent: the `--conflict-resolution` CLI flag value.
    #[serde(default)]
    pub apply: ApplyConfig,

    /// Config-driven TA project/local file classification (v0.14.3.5).
    ///
    /// Specifies which `.ta/` files belong to the project (committed to VCS)
    /// and which are machine-local only (gitignored). At `ta init` time, these
    /// are written with the defaults from `partitioning.rs`.
    ///
    /// Example:
    /// ```toml
    /// [ta.project]
    /// include_paths = ["workflow.toml", "policy.yaml", "agents/"]
    ///
    /// [ta.local]
    /// exclude_paths = ["staging/", "goals/", "store/"]
    /// ```
    #[serde(default)]
    pub ta: TaPathConfig,

    /// Commit auto-staging configuration (v0.14.3.7).
    ///
    /// Lists additional files/globs that are always staged alongside a draft
    /// apply commit, merged with the built-in lock file list. Use this for
    /// project-specific generated files that are always correct to include.
    ///
    /// ```toml
    /// [commit]
    /// auto_stage = [
    ///     "Cargo.lock",
    ///     ".ta/plan_history.jsonl",
    ///     "docs/generated/**",
    /// ]
    /// ```
    #[serde(default)]
    pub commit: CommitConfig,

    /// Project metadata shown in TA Studio (v0.14.18).
    ///
    /// ```toml
    /// [project]
    /// name = "My Pipeline Project"
    /// ```
    #[serde(default)]
    pub project: ProjectSection,

    /// Per-language static analysis configuration (v0.15.14.3).
    ///
    /// Keys are language names (`python`, `typescript`, `rust`, `go`).
    ///
    /// ```toml
    /// [analysis.python]
    /// tool = "mypy"
    /// args = ["--strict"]
    /// on_failure = "agent"
    /// max_iterations = 3
    ///
    /// [analysis.rust]
    /// tool = "cargo-clippy"
    /// args = ["-D", "warnings"]
    /// on_failure = "warn"
    /// ```
    #[serde(default)]
    pub analysis: HashMap<String, ta_goal::analysis::AnalysisConfig>,

    /// Security level profile configuration (v0.15.14.4).
    ///
    /// Sets a named preset of security defaults. Individual settings always
    /// override the level preset.
    ///
    /// ```toml
    /// [security]
    /// level = "mid"   # "low" | "mid" | "high"
    /// ```
    #[serde(default)]
    pub security: SecurityConfig,

    /// Named agent profiles that supervisor and workflow steps can reference.
    ///
    /// ```toml
    /// [agent_profiles.supervisor]
    /// framework = "claude"
    /// model = "claude-sonnet-4-6"
    /// ```
    #[serde(default, skip_serializing_if = "HashMap::is_empty")]
    pub agent_profiles: HashMap<String, AgentProfile>,
}

/// Commit auto-staging configuration (v0.14.3.7).
///
/// Files in `auto_stage` (and the built-in lock file list) are staged
/// automatically during `ta draft apply --git-commit` even when they
/// are not in the draft's artifact list.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct CommitConfig {
    /// Additional files or glob patterns to auto-stage alongside draft apply commits.
    ///
    /// Merged with the built-in lock file list:
    /// `Cargo.lock`, `package-lock.json`, `go.sum`, `Pipfile.lock`,
    /// `poetry.lock`, `yarn.lock`, `bun.lockb`, `flake.lock`.
    ///
    /// Each entry is matched against working-tree paths using simple glob rules.
    #[serde(default, skip_serializing_if = "Vec::is_empty")]
    pub auto_stage: Vec<String>,
}

/// Project metadata section in workflow.toml (v0.14.18).
///
/// ```toml
/// [project]
/// name = "My Pipeline Project"
/// ```
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
#[serde(default)]
pub struct ProjectSection {
    /// Human-readable project name shown in TA Studio.
    pub name: Option<String>,
}

/// Apply conflict resolution configuration (v0.14.3.5).
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct ApplyConfig {
    /// Per-file conflict resolution policy.
    ///
    /// Keys are glob patterns (or exact filenames) relative to workspace root.
    /// Values are one of: `"abort"`, `"merge"`, `"keep-source"`, `"force-overwrite"`.
    ///
    /// Special key `"default"` sets the fallback for files not matched by any pattern.
    #[serde(default, skip_serializing_if = "std::collections::HashMap::is_empty")]
    pub conflict_policy: std::collections::HashMap<String, String>,
}

impl ApplyConfig {
    /// Resolve the conflict policy for a given file path.
    ///
    /// Checks patterns in order (most specific first by pattern length).
    /// Falls back to `default` key, then to `None` (caller uses CLI flag).
    pub fn policy_for(&self, rel_path: &str) -> Option<&str> {
        if self.conflict_policy.is_empty() {
            return None;
        }
        // Exact match first.
        if let Some(v) = self.conflict_policy.get(rel_path) {
            return Some(v.as_str());
        }
        // Glob pattern match — check all patterns, prefer longest matching pattern.
        let mut best: Option<(&str, usize)> = None;
        for (pattern, value) in &self.conflict_policy {
            if pattern == "default" {
                continue;
            }
            if glob_matches(pattern, rel_path) {
                let specificity = pattern.len();
                if best.is_none() || specificity > best.unwrap().1 {
                    best = Some((value.as_str(), specificity));
                }
            }
        }
        if let Some((v, _)) = best {
            return Some(v);
        }
        // Default key fallback.
        self.conflict_policy.get("default").map(|s| s.as_str())
    }
}

/// Simple glob matcher supporting `*` (any single component) and `**` (any path).
fn glob_matches(pattern: &str, path: &str) -> bool {
    if pattern.ends_with("/**") || pattern.ends_with("/*") {
        let prefix = pattern.trim_end_matches('*').trim_end_matches('/');
        return path.starts_with(&format!("{}/", prefix)) || path.starts_with(prefix);
    }
    if let Some(suffix) = pattern.strip_prefix("**/") {
        return path.ends_with(suffix) || path.contains(&format!("/{}", suffix));
    }
    if pattern.contains('*') {
        // Simple wildcard: replace * with "match anything in a component".
        let re_pat = pattern.replace('.', "\\.").replace('*', "[^/]*");
        return regex_lite_match(&re_pat, path);
    }
    false
}

fn regex_lite_match(pattern: &str, text: &str) -> bool {
    // Minimal regex-like matching without external crates.
    // Only handles patterns from glob_matches above.
    // Anchored to the full string.
    let anchored = format!("^{}$", pattern);
    let re = anchored;
    // Manual matching: split on [^/]* and check surrounding context.
    let parts: Vec<&str> = re.split("[^/]*").collect();
    if parts.len() == 1 {
        return text == pattern;
    }
    // For simple patterns like "Cargo\\.lock": try ends_with / exact.
    let plain = pattern.replace("\\.", ".").replace("[^/]*", "*");
    let plain_parts: Vec<&str> = plain.split('*').collect();
    let mut pos = 0;
    for (i, part) in plain_parts.iter().enumerate() {
        if part.is_empty() {
            continue;
        }
        if i == 0 {
            if !text.starts_with(part) {
                return false;
            }
            pos = part.len();
        } else if i == plain_parts.len() - 1 {
            return text[pos..].ends_with(part);
        } else if let Some(idx) = text[pos..].find(part) {
            pos += idx + part.len();
        } else {
            return false;
        }
    }
    true
}

/// TA project/local file classification configuration (v0.14.3.5).
///
/// Specifies which `.ta/` files belong to the project (committed to VCS)
/// and which are machine-local only (gitignored). Populated at `ta init`.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct TaPathConfig {
    /// `.ta/` file paths that belong to the project (VCS-committed, shared with team).
    #[serde(default)]
    pub project: TaProjectPaths,
    /// `.ta/` file paths that are machine-local only (gitignored, never shared).
    #[serde(default)]
    pub local: TaLocalPaths,
}

/// Project-scoped `.ta/` paths (committed to VCS).
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct TaProjectPaths {
    /// Paths inside `.ta/` to include in VCS. Defaults to `SHARED_TA_PATHS`.
    #[serde(default = "default_project_include_paths")]
    pub include_paths: Vec<String>,
}

impl Default for TaProjectPaths {
    fn default() -> Self {
        Self {
            include_paths: default_project_include_paths(),
        }
    }
}

fn default_project_include_paths() -> Vec<String> {
    // Mirror of ta-workspace::partitioning::SHARED_TA_PATHS — kept in sync manually.
    // These are `.ta/` paths committed to VCS and shared with the team.
    vec![
        "workflow.toml".to_string(),
        "policy.yaml".to_string(),
        "constitution.toml".to_string(),
        "memory.toml".to_string(),
        "bmad.toml".to_string(),
        "agents/".to_string(),
        "constitutions/".to_string(),
        "memory/".to_string(),
        "templates/".to_string(),
        "plan_history.jsonl".to_string(),
        "release-history.json".to_string(),
    ]
}

/// Local-scoped `.ta/` paths (gitignored, never shared).
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct TaLocalPaths {
    /// Paths inside `.ta/` to exclude from VCS. Defaults to `LOCAL_TA_PATHS`.
    #[serde(default = "default_local_exclude_paths")]
    pub exclude_paths: Vec<String>,
}

impl Default for TaLocalPaths {
    fn default() -> Self {
        Self {
            exclude_paths: default_local_exclude_paths(),
        }
    }
}

fn default_local_exclude_paths() -> Vec<String> {
    // Mirror of ta-workspace::partitioning::LOCAL_TA_PATHS — kept in sync manually.
    // These are `.ta/` paths that are machine-local only (gitignored, never shared).
    vec![
        "daemon.toml".to_string(),
        "daemon.local.toml".to_string(),
        "workflow.local.toml".to_string(),
        "local.workflow.toml".to_string(), // deprecated name — kept so existing files stay gitignored
        "memory.rvf".to_string(),
        "staging/".to_string(),
        "store/".to_string(),
        "goals/".to_string(),
        "events/".to_string(),
        "sessions/".to_string(),
        "release.lock".to_string(),
        "velocity-stats.jsonl".to_string(),
        "audit-ledger.jsonl".to_string(),
        "taignore".to_string(),
        "interactions/".to_string(),
    ]
}

/// Constitution / compliance checker configuration.
///
/// Controls which project-specific checkers run during `ta draft build`.
/// These are disabled by default so non-TA projects don't receive
/// TA-internal checks. The TA repo enables them via `.ta/workflow.toml`.
///
/// ```toml
/// [constitution]
/// s4_scan = true  # scan for inject_*/restore_* imbalance (§4)
/// ```
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct ConstitutionConfig {
    /// Run the §4 inject/restore balance scanner on changed .rs files.
    ///
    /// Default: `false`. Enable in `.ta/workflow.toml` for the TA repo.
    /// External projects should leave this unset.
    #[serde(default)]
    pub s4_scan: bool,
}

/// Agent sandboxing configuration (v0.14.0).
///
/// Controls whether agents run in a sandboxed process environment that limits
/// filesystem access, network reach, and syscall surface.
///
/// ```toml
/// [sandbox]
/// enabled = true
/// provider = "native"   # "native" (OS sandbox-exec/landlock) | "openshell" | "oci"
///
/// # Paths the agent is allowed to read (in addition to its working dir)
/// allow_read = ["/usr/lib", "/etc/ssl"]
///
/// # Paths the agent is allowed to write (staging workspace is always included)
/// allow_write = []
///
/// # Hostnames/CIDR ranges the agent may connect to. Empty = block all network.
/// allow_network = ["api.anthropic.com", "api.github.com"]
/// ```
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct SandboxConfig {
    /// Whether sandboxing is enabled. Default: false (safe default — no breakage on upgrade).
    #[serde(default)]
    pub enabled: bool,

    /// Sandbox provider. Default: "native" (macOS sandbox-exec or Linux landlock/seccomp).
    #[serde(default = "default_sandbox_provider")]
    pub provider: String,

    /// Additional paths the agent may read (beyond its working dir and /usr, /lib, /etc/ssl).
    #[serde(default)]
    pub allow_read: Vec<String>,

    /// Additional writable paths (the staging workspace root is always writable).
    #[serde(default)]
    pub allow_write: Vec<String>,

    /// Network destinations the agent is allowed to reach. Empty = block all outbound.
    /// Entries may be hostnames, IPs, or CIDR blocks (e.g., "api.anthropic.com", "10.0.0.0/8").
    #[serde(default)]
    pub allow_network: Vec<String>,
}

fn default_sandbox_provider() -> String {
    "native".to_string()
}

impl Default for SandboxConfig {
    fn default() -> Self {
        Self {
            enabled: false,
            provider: default_sandbox_provider(),
            allow_read: Vec::new(),
            allow_write: Vec::new(),
            allow_network: Vec::new(),
        }
    }
}

/// Audit log attestation configuration (v0.14.1).
///
/// ```toml
/// [audit]
/// attestation = true
/// # keys_dir defaults to .ta/keys/ (relative to workspace root)
/// keys_dir = ".ta/keys"
/// ```
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct AuditConfig {
    /// Enable Ed25519 attestation signing of every audit event.
    /// Keys are auto-generated in `keys_dir` on first use.
    #[serde(default)]
    pub attestation: bool,

    /// Directory for attestation key files.
    /// Defaults to `.ta/keys` (relative to workspace root).
    #[serde(default = "default_keys_dir")]
    pub keys_dir: String,
}

fn default_keys_dir() -> String {
    ".ta/keys".to_string()
}

impl Default for AuditConfig {
    fn default() -> Self {
        Self {
            attestation: false,
            keys_dir: default_keys_dir(),
        }
    }
}

/// Draft approval governance configuration (v0.14.2).
///
/// Controls how many approvals a draft requires before it can be applied,
/// and which identities are permitted to approve.
///
/// ```toml
/// [governance]
/// require_approvals = 2
/// approvers = ["alice", "bob", "charlie"]
/// # override_identity allows emergency bypass (logged to audit trail).
/// override_identity = "emergency-admin"
/// ```
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct GovernanceConfig {
    /// Minimum number of distinct approvals required before a draft can be applied.
    /// Default: 1 (single-approver, backward-compatible).
    #[serde(default = "default_require_approvals")]
    pub require_approvals: usize,

    /// Allowlist of reviewer identities permitted to approve.
    /// Empty list = any reviewer is accepted (default, backward-compatible).
    #[serde(default)]
    pub approvers: Vec<String>,

    /// Identity allowed to use `--override` to bypass the quorum requirement.
    /// The override is recorded in the audit log for accountability.
    #[serde(default)]
    pub override_identity: Option<String>,
}

fn default_require_approvals() -> usize {
    1
}

impl Default for GovernanceConfig {
    fn default() -> Self {
        Self {
            require_approvals: default_require_approvals(),
            approvers: Vec::new(),
            override_identity: None,
        }
    }
}

/// VCS environment isolation configuration for spawned agents (v0.13.17.3).
///
/// Controls how TA configures the agent's VCS environment so it operates
/// on the staging directory instead of the developer's real repository.
///
/// ```toml
/// [vcs.agent]
/// git_mode = "isolated"   # "isolated" | "inherit-read" | "none"
/// p4_mode = "shelve"      # "shelve" | "read-only" | "inherit"
/// init_baseline_commit = true
/// ceiling_always = true
/// ```
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct VcsAgentConfig {
    /// Git isolation mode.
    ///
    /// - `"isolated"` (default): `git init` in staging with a baseline commit.
    ///   Agent gets its own isolated `.git`. `GIT_CEILING_DIRECTORIES` blocks
    ///   upward traversal into the developer's real repo.
    /// - `"inherit-read"`: Sets `GIT_CEILING_DIRECTORIES` only. Agent can read
    ///   parent git history (log, blame) but write operations are scoped away.
    /// - `"none"`: Sets `GIT_DIR=/dev/null`. All git operations fail immediately.
    #[serde(default = "default_git_mode")]
    pub git_mode: String,

    /// Perforce isolation mode.
    ///
    /// - `"shelve"` (default): Agent uses a dedicated staging P4 workspace.
    ///   Submit is blocked; shelve is allowed.
    /// - `"read-only"`: Injects `P4CLIENT=` (empty). No P4 writes possible.
    /// - `"inherit"`: Agent inherits the developer's P4CLIENT. Only for
    ///   workflows that explicitly need live P4 access.
    #[serde(default = "default_p4_mode")]
    pub p4_mode: String,

    /// Whether to create an initial "pre-agent" baseline commit in isolated git mode.
    ///
    /// When `true` (default), `git init` + `git add -A` + `git commit -m "pre-agent baseline"`
    /// runs before the agent starts. The agent can then use `git diff`, `git log`, etc.
    /// against a clean history.
    #[serde(default = "default_true")]
    pub init_baseline_commit: bool,

    /// Whether to always set `GIT_CEILING_DIRECTORIES` regardless of mode.
    ///
    /// When `true` (default), `GIT_CEILING_DIRECTORIES` is set to the staging dir's
    /// parent even in `inherit-read` and `isolated` modes, preventing git from
    /// traversing into parent directories beyond the ceiling.
    #[serde(default = "default_true")]
    pub ceiling_always: bool,
}

fn default_git_mode() -> String {
    "isolated".to_string()
}
fn default_p4_mode() -> String {
    "shelve".to_string()
}
fn default_true() -> bool {
    true
}

impl Default for VcsAgentConfig {
    fn default() -> Self {
        Self {
            git_mode: default_git_mode(),
            p4_mode: default_p4_mode(),
            init_baseline_commit: true,
            ceiling_always: true,
        }
    }
}

/// VCS configuration section (v0.13.17.3).
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct VcsConfig {
    /// Agent environment isolation settings.
    #[serde(default)]
    pub agent: VcsAgentConfig,
}

/// Plan file configuration (v0.14.12).
///
/// Allows projects to name their plan file something other than `PLAN.md`.
///
/// ```toml
/// [plan]
/// file = "ROADMAP.md"
/// ```
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct PlanConfig {
    /// Name of the plan file relative to workspace root. Default: "PLAN.md".
    #[serde(default = "default_plan_file")]
    pub file: String,
}

impl Default for PlanConfig {
    fn default() -> Self {
        Self {
            file: default_plan_file(),
        }
    }
}

fn default_plan_file() -> String {
    "PLAN.md".to_string()
}

/// Resolve the plan file path given a workspace root and workflow config.
///
/// Respects the `[plan] file` config setting so projects can name their
/// plan file something other than the default `PLAN.md`.
pub fn resolve_plan_path(
    workspace_root: &std::path::Path,
    config: &WorkflowConfig,
) -> std::path::PathBuf {
    workspace_root.join(&config.plan.file)
}

/// Supervisor agent configuration (v0.13.17.4).
///
/// Controls the AI-powered review that runs after the main agent exits
/// but before `ta draft build`. The supervisor checks goal alignment
/// and constitution compliance.
///
/// ```toml
/// [supervisor]
/// enabled = true
/// agent = "builtin"              # "builtin" | "claude-code" | "codex" | "ollama" | manifest name
/// verdict_on_block = "warn"      # "warn" | "block"
/// constitution_path = ".ta/constitution.toml"
/// skip_if_no_constitution = true
/// heartbeat_stale_secs = 30     # kill if no token received for this long (replaces timeout_secs)
/// # timeout_secs = 120           # deprecated — use heartbeat_stale_secs instead
/// # api_key_env = "OPENAI_API_KEY"  # optional: pre-flight check for codex / custom agents
/// ```
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct SupervisorConfig {
    /// Enable the supervisor agent. Default: true when any agent is configured.
    #[serde(default = "default_supervisor_enabled")]
    pub enabled: bool,

    /// Which agent runs the review.
    /// - "builtin" / "claude-code": spawns the `claude` CLI (uses its own auth).
    /// - "codex": spawns `codex --approval-mode full-auto --quiet`.
    /// - "ollama": invokes via `ta agent run ollama --headless`.
    /// - any other string: looks up `.ta/agents/<name>.toml` manifest.
    #[serde(default = "default_supervisor_agent")]
    pub agent: String,

    /// Behavior when verdict is Block. "warn" = show in draft view only.
    /// "block" = refuse `ta draft approve` without `--override`.
    #[serde(default = "default_verdict_on_block")]
    pub verdict_on_block: String,

    /// Path to the project constitution file (relative to workspace root).
    /// If absent, falls back to `.ta/constitution.toml`, then `docs/TA-CONSTITUTION.md`.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub constitution_path: Option<std::path::PathBuf>,

    /// Don't fail if the constitution file is absent.
    #[serde(default = "default_supervisor_skip_no_constitution")]
    pub skip_if_no_constitution: bool,

    /// Kill supervisor if no token is received for this many seconds (default 30).
    ///
    /// Replaces the wall-clock `timeout_secs`: a supervisor actively streaming a large diff
    /// will never be killed — only one that stops producing output for `heartbeat_stale_secs`
    /// is terminated. Set higher (e.g. 60) if your supervisor uses a slow model.
    #[serde(default = "default_supervisor_heartbeat_stale_secs")]
    pub heartbeat_stale_secs: u64,

    /// Deprecated: wall-clock timeout in seconds. Accepted for backward compatibility.
    /// When present, emits a deprecation warning and the value is ignored in favour of
    /// `heartbeat_stale_secs`. Will be removed in a future version.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub timeout_secs: Option<u64>,

    /// Optional env var name to pre-flight check before spawning the supervisor agent.
    /// When set, TA verifies the var is present and prints an actionable message if missing.
    /// The agent binary handles the credential itself — TA never reads or forwards the value.
    /// Example: `api_key_env = "OPENAI_API_KEY"` for the codex agent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub api_key_env: Option<String>,

    /// Optional agent profile name from `[agent_profiles]`. When set, resolves the
    /// `framework` and `model` for the supervisor from the profile table, overriding
    /// the bare `agent` string. Any registered framework works — not just claude.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub agent_profile: Option<String>,

    /// Allow session hooks to fire in the supervisor subprocess. Default: false.
    ///
    /// By default, TA sets `CLAUDE_CODE_DISABLE_HOOKS=1` when spawning the supervisor
    /// so that `SessionStart` and other hooks do not write JSON to stdout (which could
    /// be mistaken for supervisor content and trigger false stall timeouts). Set to
    /// `true` only if a custom hook must run during supervisor invocations.
    #[serde(default)]
    pub enable_hooks: bool,
}

fn default_supervisor_enabled() -> bool {
    true
}
fn default_supervisor_agent() -> String {
    "builtin".to_string()
}
fn default_verdict_on_block() -> String {
    "warn".to_string()
}
fn default_supervisor_heartbeat_stale_secs() -> u64 {
    30
}
fn default_supervisor_skip_no_constitution() -> bool {
    true
}

impl Default for SupervisorConfig {
    fn default() -> Self {
        Self {
            enabled: default_supervisor_enabled(),
            agent: default_supervisor_agent(),
            verdict_on_block: default_verdict_on_block(),
            constitution_path: None,
            skip_if_no_constitution: default_supervisor_skip_no_constitution(),
            heartbeat_stale_secs: default_supervisor_heartbeat_stale_secs(),
            timeout_secs: None,
            api_key_env: None,
            agent_profile: None,
            enable_hooks: false,
        }
    }
}

/// Named agent profile — associates a framework name with an optional model override.
///
/// Used by `[agent_profiles]` in `workflow.toml`:
/// ```toml
/// [agent_profiles.supervisor]
/// framework = "claude"
/// model = "claude-sonnet-4-6"
/// ```
#[derive(Debug, Clone, Serialize, Deserialize, Default)]
pub struct AgentProfile {
    /// Agent framework: "claude" / "claude-code", "codex", "ollama", or a manifest name.
    #[serde(default)]
    pub framework: String,
    /// Optional model override forwarded to the agent binary (e.g. `--model <value>`).
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub model: Option<String>,
}

/// Asset diff configuration for `[draft.asset_diff]` in `workflow.toml` (v0.15.4).
///
/// Controls whether `ta draft view` runs an agent diff summary and supervisor
/// confidence check for image and video artifacts.
///
/// ```toml
/// [draft.asset_diff]
/// enabled = true
/// supervisor = true
/// visual_diff = false
/// visual_diff_threshold = 0.3
/// agent = "builtin"
/// timeout_secs = 60
/// ```
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct AssetDiffConfig {
    /// Enable agent diff summaries for image/video artifacts (default: true).
    #[serde(default = "default_asset_diff_enabled")]
    pub enabled: bool,

    /// Write a visual diff placeholder file alongside the review (default: false).
    #[serde(default)]
    pub visual_diff: bool,

    /// Threshold (0–1) for classifying localized vs. global changes (default: 0.3).
    #[serde(default = "default_visual_diff_threshold")]
    pub visual_diff_threshold: f32,

    /// Run supervisor confidence check (default: true).
    #[serde(default = "default_asset_diff_supervisor")]
    pub supervisor: bool,

    /// Agent binary: "builtin"/"claude-code" → `claude` CLI, others by name (default: "builtin").
    #[serde(default = "default_asset_diff_agent")]
    pub agent: String,

    /// Timeout per agent call in seconds (default: 60).
    #[serde(default = "default_asset_diff_timeout")]
    pub timeout_secs: u64,
}

fn default_asset_diff_enabled() -> bool {
    true
}
fn default_visual_diff_threshold() -> f32 {
    0.3
}
fn default_asset_diff_supervisor() -> bool {
    true
}
fn default_asset_diff_agent() -> String {
    "builtin".to_string()
}
fn default_asset_diff_timeout() -> u64 {
    60
}

impl Default for AssetDiffConfig {
    fn default() -> Self {
        Self {
            enabled: default_asset_diff_enabled(),
            visual_diff: false,
            visual_diff_threshold: default_visual_diff_threshold(),
            supervisor: default_asset_diff_supervisor(),
            agent: default_asset_diff_agent(),
            timeout_secs: default_asset_diff_timeout(),
        }
    }
}

/// Draft review configuration (groups settings that apply during `ta draft view`).
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct DraftReviewConfig {
    /// Asset diff configuration (v0.15.4).
    #[serde(default)]
    pub asset_diff: AssetDiffConfig,

    /// Whether an explicit `ta draft approve` step is required before applying (v0.15.14.0).
    ///
    /// - `false` (default): single-author flow — `ta draft apply` accepts `PendingReview`
    ///   directly, auto-approving on apply. No separate approve step needed.
    /// - `true`: multi-author flow — `ta draft apply` requires `Approved` state; applying
    ///   from `PendingReview` errors with a clear message directing the user to approve first.
    ///
    /// ```toml
    /// [draft]
    /// approval_required = false   # set true for multi-author approval workflows
    /// ```
    #[serde(default)]
    pub approval_required: bool,
}

/// Context injection mode for CLAUDE.md (v0.14.3.2).
///
/// Controls how plan and community context are delivered to the agent:
///
/// - `inject` (default): Inject plan + community context directly into CLAUDE.md.
/// - `mcp`: Zero-injection — skip plan + community from CLAUDE.md entirely.
///   Register `ta_plan_status` and community hub as MCP tools instead.
///   Recommended for projects with large plans (>50 phases) or many community resources.
/// - `hybrid`: Skip plan + community from CLAUDE.md, still inject memory context and
///   the original CLAUDE.md. Adds a one-line note pointing to the MCP tools.
///   Recommended for projects with large plans where agents support tool calling.
///
/// ```toml
/// [workflow]
/// context_mode = "inject"  # "inject" | "mcp" | "hybrid"
/// ```
#[derive(Debug, Clone, Serialize, Deserialize, Default, PartialEq, Eq)]
#[serde(rename_all = "lowercase")]
pub enum ContextMode {
    /// Inject plan + community context into CLAUDE.md (default, current behavior).
    #[default]
    Inject,
    /// Zero-injection: skip plan + community from CLAUDE.md; register as MCP tools instead.
    Mcp,
    /// Inject memory + CLAUDE.md only; skip plan + community. Add a one-line tool hint.
    Hybrid,
}

/// Workflow behavior configuration (v0.14.3).
///
/// Controls plan phase ordering enforcement and related guardrails.
///
/// ```toml
/// [workflow]
/// enforce_phase_order = "warn"  # "warn" | "block" | "off"
/// ```
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct WorkflowSection {
    /// Phase ordering enforcement mode.
    ///
    /// - `"warn"` (default): Print a warning when starting a goal for a phase
    ///   that has an earlier pending phase, but allow the goal to proceed.
    /// - `"block"`: Prompt the user to confirm before proceeding. In
    ///   non-interactive (headless) mode, behaves like `"warn"`.
    /// - `"off"`: Skip the check entirely.
    #[serde(default = "default_enforce_phase_order")]
    pub enforce_phase_order: String,

    /// Maximum character budget for the injected CLAUDE.md context (v0.14.3.1).
    ///
    /// When the assembled injection exceeds this limit, sections are trimmed
    /// in priority order (solutions → parent context → memory → plan window)
    /// until it fits. Set to 0 to disable trimming.
    ///
    /// Default: 40,000 characters.
    ///
    /// ```toml
    /// [workflow]
    /// context_budget_chars = 40000
    /// ```
    #[serde(default = "default_context_budget_chars")]
    pub context_budget_chars: usize,

    /// Number of completed phases to show individually before the current
    /// phase in the windowed plan checklist (v0.14.3.1).
    ///
    /// Default: 5
    #[serde(default = "default_plan_done_window")]
    pub plan_done_window: usize,

    /// Number of pending phases to show individually after the current
    /// phase in the windowed plan checklist (v0.14.3.1).
    ///
    /// Default: 5
    #[serde(default = "default_plan_pending_window")]
    pub plan_pending_window: usize,

    /// Context injection mode (v0.14.3.2).
    ///
    /// Controls whether plan + community context are injected into CLAUDE.md
    /// or served exclusively via MCP tools (`ta_plan_status`, `community_search`).
    ///
    /// Default: `inject` (current behavior — no change for existing projects).
    ///
    /// ```toml
    /// [workflow]
    /// context_mode = "hybrid"
    /// ```
    #[serde(default)]
    pub context_mode: ContextMode,
}

fn default_enforce_phase_order() -> String {
    "warn".to_string()
}

fn default_context_budget_chars() -> usize {
    40_000
}

fn default_plan_done_window() -> usize {
    5
}

fn default_plan_pending_window() -> usize {
    5
}

impl Default for WorkflowSection {
    fn default() -> Self {
        Self {
            enforce_phase_order: default_enforce_phase_order(),
            context_budget_chars: default_context_budget_chars(),
            plan_done_window: default_plan_done_window(),
            plan_pending_window: default_plan_pending_window(),
            context_mode: ContextMode::default(),
        }
    }
}

/// Submit adapter configuration
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct SubmitConfig {
    /// Adapter type: "git", "svn", "perforce", or "none"
    #[serde(default = "default_adapter")]
    pub adapter: String,

    /// Run full submit workflow (stage + submit) on `ta draft apply`.
    /// Default: true when adapter != "none". `--no-submit` overrides.
    /// Replaces the deprecated `auto_commit` + `auto_push` pair.
    #[serde(default)]
    pub auto_submit: Option<bool>,

    /// Auto-create review (PR/CL review) after submit.
    /// Default: true when adapter != "none".
    #[serde(default)]
    pub auto_review: Option<bool>,

    /// Co-author trailer appended to every commit made through TA.
    /// Format: "Name <email>". The email should match a GitHub account's
    /// verified email for the contribution to appear in GitHub's graph.
    /// Set to empty string to disable. Default: "Trusted Autonomy <ta@trustedautonomy.dev>"
    #[serde(default = "default_co_author")]
    pub co_author: String,

    /// Git-specific configuration
    #[serde(default)]
    pub git: GitConfig,

    /// Perforce-specific configuration
    #[serde(default)]
    pub perforce: PerforceConfig,

    /// SVN-specific configuration
    #[serde(default)]
    pub svn: SvnConfig,
}

impl SubmitConfig {
    /// Whether the full submit workflow should run by default.
    ///
    /// Resolution order:
    /// 1. `auto_submit` if explicitly set
    /// 2. `true` when adapter is not "none" (default behavior)
    pub fn effective_auto_submit(&self) -> bool {
        self.auto_submit.unwrap_or(self.adapter != "none")
    }

    /// Whether review should be opened after submit.
    ///
    /// Resolution: explicit `auto_review` > default (true when adapter != "none").
    pub fn effective_auto_review(&self) -> bool {
        self.auto_review.unwrap_or(self.adapter != "none")
    }
}

impl Default for SubmitConfig {
    fn default() -> Self {
        Self {
            adapter: default_adapter(),
            auto_submit: None,
            auto_review: None,
            co_author: default_co_author(),
            git: GitConfig::default(),
            perforce: PerforceConfig::default(),
            svn: SvnConfig::default(),
        }
    }
}

/// Perforce adapter configuration
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct PerforceConfig {
    /// Perforce workspace/client name
    pub workspace: Option<String>,

    /// Shelve changes instead of submitting to depot. Default: true.
    #[serde(default = "default_shelve")]
    pub shelve_by_default: bool,
}

fn default_shelve() -> bool {
    true
}

/// SVN adapter configuration
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct SvnConfig {
    /// SVN repository URL (for commit messages / metadata)
    pub repo_url: Option<String>,
}

/// Source-level configuration section (`[source]` in workflow.toml).
///
/// Groups adapter-agnostic sync settings. Provider-specific options
/// live in `[submit.git]`, `[submit.svn]`, etc.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct SourceConfig {
    /// Sync behavior configuration.
    #[serde(default)]
    pub sync: SyncConfig,
}

/// Sync upstream configuration (`[source.sync]` in workflow.toml).
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct SyncConfig {
    /// Automatically sync upstream after `ta draft apply` succeeds.
    /// Default: false.
    #[serde(default)]
    pub auto_sync: bool,

    /// Git sync strategy: "merge" (default), "rebase", or "ff-only".
    /// Other adapters ignore this field.
    #[serde(default = "default_sync_strategy")]
    pub strategy: String,

    /// Remote name to sync from. Default: "origin".
    #[serde(default = "default_remote")]
    pub remote: String,

    /// Branch to sync from. Default: "main".
    #[serde(default = "default_sync_branch")]
    pub branch: String,
}

impl Default for SyncConfig {
    fn default() -> Self {
        Self {
            auto_sync: false,
            strategy: default_sync_strategy(),
            remote: default_remote(),
            branch: default_sync_branch(),
        }
    }
}

fn default_sync_strategy() -> String {
    "merge".to_string()
}

fn default_sync_branch() -> String {
    "main".to_string()
}

/// Git adapter configuration
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct GitConfig {
    /// Branch naming prefix (e.g., "ta/", "feature/")
    #[serde(default = "default_branch_prefix")]
    pub branch_prefix: String,

    /// Target branch for PRs (e.g., "main", "develop")
    #[serde(default = "default_target_branch")]
    pub target_branch: String,

    /// Merge strategy: "squash", "merge", "rebase"
    #[serde(default = "default_merge_strategy")]
    pub merge_strategy: String,

    /// Path to PR body template (optional)
    pub pr_template: Option<PathBuf>,

    /// Git remote name
    #[serde(default = "default_remote")]
    pub remote: String,

    /// Enable GitHub auto-merge after PR creation (v0.11.2.3).
    /// When true, runs `gh pr merge --auto --squash` after `gh pr create`.
    #[serde(default)]
    pub auto_merge: bool,

    /// Protected branches that agents must never commit to directly (§15).
    /// Defaults to ["main", "master", "trunk", "dev"] when empty.
    #[serde(default)]
    pub protected_branches: Vec<String>,
}

impl Default for GitConfig {
    fn default() -> Self {
        Self {
            branch_prefix: default_branch_prefix(),
            target_branch: default_target_branch(),
            merge_strategy: default_merge_strategy(),
            pr_template: None,
            remote: default_remote(),
            auto_merge: false,
            protected_branches: vec![],
        }
    }
}

// Serde default functions
fn default_adapter() -> String {
    "none".to_string()
}

fn default_co_author() -> String {
    "Trusted Autonomy <266386695+trustedautonomy-agent@users.noreply.github.com>".to_string()
}

fn default_branch_prefix() -> String {
    "ta/".to_string()
}

fn default_target_branch() -> String {
    "main".to_string()
}

fn default_merge_strategy() -> String {
    "squash".to_string()
}

fn default_remote() -> String {
    "origin".to_string()
}

/// Diff viewing configuration
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct DiffConfig {
    /// Open files in external handlers by default when using `ta pr view --file`
    #[serde(default = "default_open_external")]
    pub open_external: bool,

    /// Optional path override for diff-handlers.toml (defaults to .ta/diff-handlers.toml)
    pub handlers_file: Option<PathBuf>,
}

impl Default for DiffConfig {
    fn default() -> Self {
        Self {
            open_external: default_open_external(),
            handlers_file: None,
        }
    }
}

fn default_open_external() -> bool {
    true
}

/// Failure handling strategy for build commands.
#[derive(Debug, Clone, Default, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum BuildOnFail {
    /// Notify the user but continue (default).
    #[default]
    Notify,
    /// Block release pipeline if build/test fails.
    BlockRelease,
    /// Block advancement to the next plan phase.
    BlockNextPhase,
    /// Re-launch an agent to fix the issue.
    Agent,
}

impl std::fmt::Display for BuildOnFail {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            Self::Notify => write!(f, "notify"),
            Self::BlockRelease => write!(f, "block_release"),
            Self::BlockNextPhase => write!(f, "block_next_phase"),
            Self::Agent => write!(f, "agent"),
        }
    }
}

/// Build pipeline configuration
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct BuildConfig {
    /// Summary enforcement level at `ta draft build` time.
    /// - "ignore": No check — artifacts without descriptions are silently accepted.
    /// - "warning" (default): Print a warning listing artifacts missing descriptions.
    /// - "error": Fail the build if any non-exempt artifact lacks a description.
    ///
    /// Exempt files (lockfiles, config manifests, docs) always get auto-summaries.
    #[serde(default = "default_summary_enforcement")]
    pub summary_enforcement: String,

    /// Build adapter: "cargo", "npm", "script", "webhook", "auto" (default), or "none".
    #[serde(default = "default_build_adapter")]
    pub adapter: String,

    /// Custom build command override (used by script adapter, or overrides cargo/npm default).
    #[serde(default)]
    pub command: Option<String>,

    /// Custom test command override.
    #[serde(default)]
    pub test_command: Option<String>,

    /// Webhook URL for the webhook adapter.
    #[serde(default)]
    pub webhook_url: Option<String>,

    /// Behavior on build/test failure.
    #[serde(default)]
    pub on_fail: BuildOnFail,

    /// Timeout per build/test command in seconds. Default: 600 (10 minutes).
    #[serde(default = "default_build_timeout")]
    pub timeout_secs: u64,
}

impl Default for BuildConfig {
    fn default() -> Self {
        Self {
            summary_enforcement: default_summary_enforcement(),
            adapter: default_build_adapter(),
            command: None,
            test_command: None,
            webhook_url: None,
            on_fail: BuildOnFail::default(),
            timeout_secs: default_build_timeout(),
        }
    }
}

fn default_summary_enforcement() -> String {
    "warning".to_string()
}

fn default_build_adapter() -> String {
    "auto".to_string()
}

fn default_build_timeout() -> u64 {
    600
}

/// Display / output configuration
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct DisplayConfig {
    /// Enable ANSI color output in terminal adapter. Default: false.
    /// Override per-command with `--color`.
    #[serde(default)]
    pub color: bool,
}

/// Garbage collection / draft lifecycle configuration
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct GcConfig {
    /// Number of days after which drafts in terminal states (Applied, Denied, Closed)
    /// become eligible for staging directory cleanup. Default: 7.
    #[serde(default = "default_stale_threshold_days")]
    pub stale_threshold_days: u64,

    /// Number of days after which the startup hint fires for pending/approved drafts.
    /// Default: 3 (informational only — a Friday draft hints on Monday morning).
    /// Set higher (e.g., 5) to reduce noise. Must be ≤ stale_threshold_days.
    #[serde(default = "default_stale_hint_days")]
    pub stale_hint_days: u64,

    /// Emit a one-line warning on `ta` startup if stale drafts exist. Default: true.
    #[serde(default = "default_health_check")]
    pub health_check: bool,
}

impl Default for GcConfig {
    fn default() -> Self {
        Self {
            stale_threshold_days: default_stale_threshold_days(),
            stale_hint_days: default_stale_hint_days(),
            health_check: default_health_check(),
        }
    }
}

fn default_stale_threshold_days() -> u64 {
    7
}

fn default_stale_hint_days() -> u64 {
    3
}

/// Follow-up goal behavior configuration
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct FollowUpConfig {
    /// Default mode for --follow-up: "extend" reuses parent staging, "standalone" creates fresh copy.
    #[serde(default = "default_follow_up_mode")]
    pub default_mode: String,

    /// Auto-supersede parent draft when building from same staging directory.
    #[serde(default = "default_auto_supersede")]
    pub auto_supersede: bool,

    /// Re-snapshot source before applying when source has changed since goal start.
    #[serde(default = "default_rebase_on_apply")]
    pub rebase_on_apply: bool,
}

impl Default for FollowUpConfig {
    fn default() -> Self {
        Self {
            default_mode: default_follow_up_mode(),
            auto_supersede: default_auto_supersede(),
            rebase_on_apply: default_rebase_on_apply(),
        }
    }
}

fn default_follow_up_mode() -> String {
    "extend".to_string()
}

fn default_auto_supersede() -> bool {
    true
}

fn default_rebase_on_apply() -> bool {
    true
}

fn default_health_check() -> bool {
    true
}

/// Failure handling strategy for verification commands.
#[derive(Debug, Clone, Default, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "lowercase")]
pub enum VerifyOnFailure {
    /// Do not create a draft. Print which command failed with output.
    #[default]
    Block,
    /// Create the draft but attach verification warnings visible in `ta draft view`.
    Warn,
    /// Re-launch the agent with the failure output injected as context.
    Agent,
}

impl std::fmt::Display for VerifyOnFailure {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            Self::Block => write!(f, "block"),
            Self::Warn => write!(f, "warn"),
            Self::Agent => write!(f, "agent"),
        }
    }
}

/// A single verification command with optional per-command timeout.
///
/// Used in `[[verify.commands]]` TOML arrays for per-command configuration.
/// When only a string is needed, the flat `commands` list (backward compat) works too.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct VerifyCommand {
    /// The shell command to run.
    pub run: String,

    /// Per-command timeout in seconds. If omitted, `default_timeout_secs` is used.
    pub timeout_secs: Option<u64>,
}

/// Pre-draft verification gate configuration.
///
/// Commands run in the staging directory after the agent exits but before
/// the draft is created. If any command fails, behavior depends on `on_failure`.
///
/// Supports two command formats (backward compatible):
/// - Flat string list: `commands = ["cmd1", "cmd2"]` (legacy)
/// - Structured commands: `[[verify.commands]]` with `run` and optional `timeout_secs`
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct VerifyConfig {
    /// Commands to run sequentially. All must exit 0 for verification to pass.
    /// Accepts either plain strings or `VerifyCommand` objects.
    #[serde(default, deserialize_with = "deserialize_verify_commands")]
    pub commands: Vec<VerifyCommand>,

    /// Behavior when a command fails: "block" (default), "warn", or "agent".
    #[serde(default)]
    pub on_failure: VerifyOnFailure,

    /// Legacy: global timeout per command in seconds. Default: 300 (5 minutes).
    /// Superseded by `default_timeout_secs`; kept for backward compat.
    #[serde(default = "default_verify_timeout")]
    pub timeout: u64,

    /// Default timeout per command in seconds when not specified per-command.
    /// If set, takes priority over `timeout`. Default: 300.
    pub default_timeout_secs: Option<u64>,

    /// Heartbeat interval in seconds for long-running verification commands.
    /// A progress message is emitted every N seconds. Default: 30.
    #[serde(default = "default_heartbeat_interval")]
    pub heartbeat_interval_secs: u64,
}

impl VerifyConfig {
    /// Effective default timeout: `default_timeout_secs` if set, else legacy `timeout`.
    pub fn effective_default_timeout(&self) -> u64 {
        self.default_timeout_secs.unwrap_or(self.timeout)
    }

    /// Resolve the timeout for a specific command.
    pub fn command_timeout(&self, cmd: &VerifyCommand) -> u64 {
        cmd.timeout_secs
            .unwrap_or_else(|| self.effective_default_timeout())
    }
}

impl Default for VerifyConfig {
    fn default() -> Self {
        Self {
            commands: Vec::new(),
            on_failure: VerifyOnFailure::default(),
            timeout: default_verify_timeout(),
            default_timeout_secs: None,
            heartbeat_interval_secs: default_heartbeat_interval(),
        }
    }
}

fn default_verify_timeout() -> u64 {
    300
}

fn default_heartbeat_interval() -> u64 {
    30
}

/// Deserialize commands from either a list of strings or a list of VerifyCommand objects.
fn deserialize_verify_commands<'de, D>(deserializer: D) -> Result<Vec<VerifyCommand>, D::Error>
where
    D: serde::Deserializer<'de>,
{
    #[derive(Deserialize)]
    #[serde(untagged)]
    enum CommandItem {
        Simple(String),
        Structured(VerifyCommand),
    }

    let items: Vec<CommandItem> = Vec::deserialize(deserializer)?;
    Ok(items
        .into_iter()
        .map(|item| match item {
            CommandItem::Simple(s) => VerifyCommand {
                run: s,
                timeout_secs: None,
            },
            CommandItem::Structured(c) => c,
        })
        .collect())
}

/// Shell TUI configuration
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ShellConfig {
    /// Number of lines to backfill when attaching to a tail stream. Default: 5.
    #[serde(default = "default_tail_backfill_lines")]
    pub tail_backfill_lines: usize,

    /// Maximum number of lines retained in the TUI output buffer. Default: 50000.
    /// Older lines are dropped when this limit is exceeded.
    #[serde(default = "default_output_buffer_lines")]
    pub output_buffer_lines: usize,

    /// Alias for `output_buffer_lines` — configurable as `scrollback_lines` (v0.10.18.2).
    /// If set, overrides `output_buffer_lines`. Minimum enforced: 10,000.
    #[serde(default)]
    pub scrollback_lines: Option<usize>,

    /// Automatically tail agent output when a goal starts. Default: true.
    #[serde(default = "default_auto_tail")]
    pub auto_tail: bool,
}

impl ShellConfig {
    /// Effective scrollback buffer size: `scrollback_lines` if set, else `output_buffer_lines`.
    /// Enforces a minimum of 10,000 lines.
    pub fn effective_scrollback(&self) -> usize {
        let raw = self.scrollback_lines.unwrap_or(self.output_buffer_lines);
        raw.max(10_000)
    }
}

impl Default for ShellConfig {
    fn default() -> Self {
        Self {
            tail_backfill_lines: default_tail_backfill_lines(),
            output_buffer_lines: default_output_buffer_lines(),
            scrollback_lines: None,
            auto_tail: default_auto_tail(),
        }
    }
}

fn default_tail_backfill_lines() -> usize {
    5
}

fn default_output_buffer_lines() -> usize {
    50000
}

fn default_auto_tail() -> bool {
    true
}

/// Desktop notification configuration.
///
/// When enabled, TA sends a system notification (macOS/Linux) when a draft
/// is ready for review, so users don't have to watch the terminal.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct NotifyConfig {
    /// Enable desktop notifications. Default: true.
    #[serde(default = "default_notify_enabled")]
    pub enabled: bool,

    /// Title prefix for notifications. Default: "TA".
    #[serde(default = "default_notify_title")]
    pub title: String,
}

impl Default for NotifyConfig {
    fn default() -> Self {
        Self {
            enabled: default_notify_enabled(),
            title: default_notify_title(),
        }
    }
}

fn default_notify_enabled() -> bool {
    true
}

fn default_notify_title() -> String {
    "TA".to_string()
}

/// How the staging workspace copies the source project (v0.13.13).
///
/// Configured in `workflow.toml` under `[staging]`:
/// ```toml
/// [staging]
/// strategy = "smart"   # "full" | "smart" | "refs-cow"
/// ```
///
/// - **Full** (default): byte-for-byte copy, always works, may be slow for large workspaces.
/// - **Smart**: symlinks `.taignore`/`protected_paths` entries instead of copying them —
///   near-zero staging cost for large ignored directories (e.g., `node_modules/`, UE Content/).
/// - **RefsCow**: Windows ReFS Dev Drive only — instant zero-cost clone via
///   `FSCTL_DUPLICATE_EXTENTS_TO_FILE`; auto-falls back to `smart` on NTFS.
#[derive(Debug, Clone, Default, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "kebab-case")]
pub enum StagingStrategy {
    /// Byte-for-byte copy of the source project. Always works; may be slow for large workspaces.
    #[default]
    Full,
    /// Symlink excluded directories instead of copying. Fast for large workspaces with many ignored dirs.
    Smart,
    /// Windows ReFS CoW clone. Auto-falls back to `smart` on non-ReFS volumes.
    RefsCow,
    /// Windows Projected File System — zero-disk-cost virtual workspace (v0.15.8).
    ///
    /// Files appear in staging instantly; reads hydrate from source on demand.
    /// Writes land in `.projfs-scratch/`. Auto-falls back to `smart` when
    /// `Client-ProjFS` is not installed (requires Windows 10 1809+).
    ProjFs,
}

impl StagingStrategy {
    pub fn as_str(&self) -> &'static str {
        match self {
            Self::Full => "full",
            Self::Smart => "smart",
            Self::RefsCow => "refs-cow",
            Self::ProjFs => "projfs",
        }
    }
}

/// Staging directory management (v0.11.3, extended v0.13.13).
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct StagingConfig {
    /// Auto-remove staging after successful apply. Default: true.
    #[serde(default = "default_auto_clean")]
    pub auto_clean: bool,
    /// Minimum free disk space in MB. Default: 2048.
    #[serde(default = "default_min_disk_mb")]
    pub min_disk_mb: u64,
    /// Staging strategy for large workspaces (v0.13.13). Default: Full.
    #[serde(default)]
    pub strategy: StagingStrategy,
}

impl Default for StagingConfig {
    fn default() -> Self {
        Self {
            auto_clean: default_auto_clean(),
            min_disk_mb: default_min_disk_mb(),
            strategy: StagingStrategy::Full,
        }
    }
}

fn default_auto_clean() -> bool {
    true
}
fn default_min_disk_mb() -> u64 {
    2048
}

/// Check available disk space in MB.
pub fn check_disk_space_mb(path: &std::path::Path) -> Result<u64, String> {
    #[cfg(unix)]
    {
        use std::os::unix::ffi::OsStrExt;
        let c_path = std::ffi::CString::new(path.as_os_str().as_bytes())
            .map_err(|e| format!("invalid path: {}", e))?;
        let mut stat: libc::statvfs = unsafe { std::mem::zeroed() };
        let rc = unsafe { libc::statvfs(c_path.as_ptr(), &mut stat) };
        if rc != 0 {
            return Err(format!(
                "statvfs failed for {}: {}",
                path.display(),
                std::io::Error::last_os_error()
            ));
        }
        Ok((stat.f_bavail as u64) * (stat.f_frsize as u64) / (1024 * 1024))
    }
    #[cfg(not(unix))]
    {
        let _ = path;
        Ok(u64::MAX)
    }
}

/// Security level profile configuration (v0.15.14.4).
///
/// Sets a named preset of security defaults. Individual settings always override
/// the level preset. See `ta_goal::SecurityProfile::from_level` for the full
/// default table per level.
///
/// ```toml
/// [security]
/// level = "mid"   # "low" (default) | "mid" | "high"
///
/// # Override individual controls beyond the level preset:
/// # [security.secrets]
/// # scan = "off"   # "off" | "warn" | "block"
///
/// # [security.forbidden_tools]
/// # extra = ["Bash(*aws*)", "Bash(*gcloud*)"]
/// ```
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct SecurityConfig {
    /// Security level preset.
    ///
    /// - `"low"` (default): Frictionless solo-developer mode.
    /// - `"mid"`: Sensible team defaults (sandbox on, forbidden patterns, hash chain).
    /// - `"high"`: High-assurance regulated mode (approval gate, HMAC chain, no WebSearch).
    #[serde(default)]
    pub level: ta_goal::SecurityLevel,

    /// Secret scanning mode override (individual override for `[security.secrets] scan`).
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub secret_scan: Option<ta_goal::SecretScanMode>,

    /// Extra forbidden tool patterns added on top of the level preset.
    #[serde(default, skip_serializing_if = "Vec::is_empty")]
    pub extra_forbidden_tools: Vec<String>,
}

impl SecurityConfig {
    /// Convert to `SecurityOverrides` for use with `SecurityProfile::from_level`.
    pub fn to_overrides(&self) -> ta_goal::SecurityOverrides {
        ta_goal::SecurityOverrides {
            secret_scan_mode: self.secret_scan,
            extra_forbidden_tools: self.extra_forbidden_tools.clone(),
            ..Default::default()
        }
    }
}

impl WorkflowConfig {
    /// Load workflow config from .ta/workflow.toml, merging any local override file on top.
    ///
    /// Override file resolution (first found wins):
    ///   1. `<dir>/workflow.local.toml`  — canonical name
    ///   2. `<dir>/local.workflow.toml`  — deprecated name (warns and falls back)
    pub fn load(path: &std::path::Path) -> Result<Self, Box<dyn std::error::Error>> {
        let content = std::fs::read_to_string(path)?;
        let mut base: toml::Value = toml::from_str(&content)?;

        let dir = path.parent().unwrap_or(std::path::Path::new("."));
        let canonical_local = dir.join("workflow.local.toml");
        let deprecated_local = dir.join("local.workflow.toml");

        let local_path = if canonical_local.exists() {
            Some(canonical_local)
        } else if deprecated_local.exists() {
            tracing::warn!(
                path = %deprecated_local.display(),
                "'.ta/local.workflow.toml' is deprecated — rename to '.ta/workflow.local.toml'"
            );
            Some(deprecated_local)
        } else {
            None
        };

        if let Some(local) = local_path {
            let local_content = std::fs::read_to_string(&local)?;
            let local_val: toml::Value = toml::from_str(&local_content)?;
            merge_toml_values(&mut base, local_val);
        }

        let config = base.try_into()?;
        Ok(config)
    }

    /// Try to load config, returning default if file doesn't exist
    pub fn load_or_default(path: &std::path::Path) -> Self {
        Self::load(path).unwrap_or_default()
    }
}

/// Recursively merge `overrides` into `base`. Tables are merged key-by-key;
/// all other values are replaced by the override.
fn merge_toml_values(base: &mut toml::Value, overrides: toml::Value) {
    match (base, overrides) {
        (toml::Value::Table(base_map), toml::Value::Table(override_map)) => {
            for (k, v) in override_map {
                let entry = base_map
                    .entry(k)
                    .or_insert(toml::Value::Table(Default::default()));
                merge_toml_values(entry, v);
            }
        }
        (base, overrides) => *base = overrides,
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn build_config_defaults_to_warning() {
        let config = BuildConfig::default();
        assert_eq!(config.summary_enforcement, "warning");
    }

    #[test]
    fn build_config_defaults() {
        let config = BuildConfig::default();
        assert_eq!(config.adapter, "auto");
        assert!(config.command.is_none());
        assert!(config.test_command.is_none());
        assert!(config.webhook_url.is_none());
        assert_eq!(config.on_fail, BuildOnFail::Notify);
        assert_eq!(config.timeout_secs, 600);
    }

    #[test]
    fn workflow_config_default_has_build_section() {
        let config = WorkflowConfig::default();
        assert_eq!(config.build.summary_enforcement, "warning");
        assert_eq!(config.build.adapter, "auto");
    }

    #[test]
    fn parse_toml_with_build_section() {
        let toml = r#"
[build]
summary_enforcement = "error"
"#;
        let config: WorkflowConfig = toml::from_str(toml).unwrap();
        assert_eq!(config.build.summary_enforcement, "error");
    }

    #[test]
    fn parse_toml_with_build_adapter_config() {
        let toml = r#"
[build]
adapter = "cargo"
command = "cargo build --release"
test_command = "cargo test --release"
on_fail = "block_release"
timeout_secs = 1200
"#;
        let config: WorkflowConfig = toml::from_str(toml).unwrap();
        assert_eq!(config.build.adapter, "cargo");
        assert_eq!(
            config.build.command.as_deref(),
            Some("cargo build --release")
        );
        assert_eq!(
            config.build.test_command.as_deref(),
            Some("cargo test --release")
        );
        assert_eq!(config.build.on_fail, BuildOnFail::BlockRelease);
        assert_eq!(config.build.timeout_secs, 1200);
    }

    #[test]
    fn parse_toml_with_build_script_adapter() {
        let toml = r#"
[build]
adapter = "script"
command = "make all"
test_command = "make test"
on_fail = "agent"
"#;
        let config: WorkflowConfig = toml::from_str(toml).unwrap();
        assert_eq!(config.build.adapter, "script");
        assert_eq!(config.build.command.as_deref(), Some("make all"));
        assert_eq!(config.build.on_fail, BuildOnFail::Agent);
    }

    #[test]
    fn parse_toml_without_build_section_uses_default() {
        let toml = r#"
[submit]
adapter = "git"
"#;
        let config: WorkflowConfig = toml::from_str(toml).unwrap();
        assert_eq!(config.build.summary_enforcement, "warning");
        assert_eq!(config.build.adapter, "auto");
    }

    #[test]
    fn build_on_fail_display() {
        assert_eq!(BuildOnFail::Notify.to_string(), "notify");
        assert_eq!(BuildOnFail::BlockRelease.to_string(), "block_release");
        assert_eq!(BuildOnFail::BlockNextPhase.to_string(), "block_next_phase");
        assert_eq!(BuildOnFail::Agent.to_string(), "agent");
    }

    #[test]
    fn gc_config_defaults() {
        let config = GcConfig::default();
        assert_eq!(config.stale_threshold_days, 7);
        assert_eq!(config.stale_hint_days, 3);
        assert!(config.health_check);
    }

    #[test]
    fn workflow_config_default_has_gc_section() {
        let config = WorkflowConfig::default();
        assert_eq!(config.gc.stale_threshold_days, 7);
        assert_eq!(config.gc.stale_hint_days, 3);
        assert!(config.gc.health_check);
    }

    #[test]
    fn parse_toml_with_gc_section() {
        let toml = r#"
[gc]
stale_threshold_days = 14
stale_hint_days = 5
health_check = false
"#;
        let config: WorkflowConfig = toml::from_str(toml).unwrap();
        assert_eq!(config.gc.stale_threshold_days, 14);
        assert_eq!(config.gc.stale_hint_days, 5);
        assert!(!config.gc.health_check);
    }

    #[test]
    fn load_or_default_returns_default_for_missing_file() {
        let config = WorkflowConfig::load_or_default(std::path::Path::new("/nonexistent/path"));
        assert_eq!(config.build.summary_enforcement, "warning");
        assert_eq!(config.submit.adapter, "none");
    }

    #[test]
    fn follow_up_config_defaults() {
        let config = FollowUpConfig::default();
        assert_eq!(config.default_mode, "extend");
        assert!(config.auto_supersede);
        assert!(config.rebase_on_apply);
    }

    #[test]
    fn workflow_config_default_has_follow_up_section() {
        let config = WorkflowConfig::default();
        assert_eq!(config.follow_up.default_mode, "extend");
        assert!(config.follow_up.auto_supersede);
        assert!(config.follow_up.rebase_on_apply);
    }

    #[test]
    fn parse_toml_with_follow_up_section() {
        let toml = r#"
[follow_up]
default_mode = "standalone"
auto_supersede = false
rebase_on_apply = false
"#;
        let config: WorkflowConfig = toml::from_str(toml).unwrap();
        assert_eq!(config.follow_up.default_mode, "standalone");
        assert!(!config.follow_up.auto_supersede);
        assert!(!config.follow_up.rebase_on_apply);
    }

    #[test]
    fn verify_config_defaults() {
        let config = VerifyConfig::default();
        assert!(config.commands.is_empty());
        assert_eq!(config.on_failure, VerifyOnFailure::Block);
        assert_eq!(config.timeout, 300);
        assert_eq!(config.heartbeat_interval_secs, 30);
        assert!(config.default_timeout_secs.is_none());
        assert_eq!(config.effective_default_timeout(), 300);
    }

    #[test]
    fn workflow_config_default_has_verify_section() {
        let config = WorkflowConfig::default();
        assert!(config.verify.commands.is_empty());
        assert_eq!(config.verify.on_failure, VerifyOnFailure::Block);
        assert_eq!(config.verify.timeout, 300);
    }

    #[test]
    fn parse_toml_with_verify_section() {
        let toml = r#"
[verify]
commands = [
    "cargo build --workspace",
    "cargo test --workspace",
]
on_failure = "warn"
timeout = 600
"#;
        let config: WorkflowConfig = toml::from_str(toml).unwrap();
        assert_eq!(config.verify.commands.len(), 2);
        assert_eq!(config.verify.commands[0].run, "cargo build --workspace");
        assert_eq!(config.verify.on_failure, VerifyOnFailure::Warn);
        assert_eq!(config.verify.timeout, 600);
    }

    #[test]
    fn parse_toml_with_verify_agent_mode() {
        let toml = r#"
[verify]
commands = ["make test"]
on_failure = "agent"
"#;
        let config: WorkflowConfig = toml::from_str(toml).unwrap();
        assert_eq!(config.verify.on_failure, VerifyOnFailure::Agent);
        assert_eq!(config.verify.timeout, 300); // default
    }

    #[test]
    fn parse_toml_without_verify_section_uses_default() {
        let toml = r#"
[submit]
adapter = "git"
"#;
        let config: WorkflowConfig = toml::from_str(toml).unwrap();
        assert!(config.verify.commands.is_empty());
        assert_eq!(config.verify.on_failure, VerifyOnFailure::Block);
    }

    #[test]
    fn parse_toml_with_per_command_timeout() {
        let toml = r#"
[verify]
default_timeout_secs = 300
heartbeat_interval_secs = 15

[[verify.commands]]
run = "cargo fmt --all -- --check"
timeout_secs = 60

[[verify.commands]]
run = "cargo test --workspace"
timeout_secs = 900
"#;
        let config: WorkflowConfig = toml::from_str(toml).unwrap();
        assert_eq!(config.verify.commands.len(), 2);
        assert_eq!(config.verify.commands[0].run, "cargo fmt --all -- --check");
        assert_eq!(config.verify.commands[0].timeout_secs, Some(60));
        assert_eq!(config.verify.commands[1].run, "cargo test --workspace");
        assert_eq!(config.verify.commands[1].timeout_secs, Some(900));
        assert_eq!(config.verify.default_timeout_secs, Some(300));
        assert_eq!(config.verify.heartbeat_interval_secs, 15);
        assert_eq!(config.verify.effective_default_timeout(), 300);
        assert_eq!(
            config.verify.command_timeout(&config.verify.commands[0]),
            60
        );
        assert_eq!(
            config.verify.command_timeout(&config.verify.commands[1]),
            900
        );
    }

    #[test]
    fn per_command_timeout_falls_back_to_default() {
        let config = VerifyConfig {
            commands: vec![VerifyCommand {
                run: "test".to_string(),
                timeout_secs: None,
            }],
            default_timeout_secs: Some(600),
            ..Default::default()
        };
        assert_eq!(config.command_timeout(&config.commands[0]), 600);
    }

    #[test]
    fn effective_timeout_falls_back_to_legacy() {
        let config = VerifyConfig {
            timeout: 900,
            default_timeout_secs: None,
            ..Default::default()
        };
        assert_eq!(config.effective_default_timeout(), 900);
    }

    #[test]
    fn verify_on_failure_display() {
        assert_eq!(VerifyOnFailure::Block.to_string(), "block");
        assert_eq!(VerifyOnFailure::Warn.to_string(), "warn");
        assert_eq!(VerifyOnFailure::Agent.to_string(), "agent");
    }

    #[test]
    fn shell_config_defaults() {
        let config = ShellConfig::default();
        assert_eq!(config.tail_backfill_lines, 5);
        assert_eq!(config.output_buffer_lines, 50000);
        assert!(config.scrollback_lines.is_none());
        assert!(config.auto_tail);
        assert_eq!(config.effective_scrollback(), 50000);
    }

    #[test]
    fn workflow_config_default_has_shell_section() {
        let config = WorkflowConfig::default();
        assert_eq!(config.shell.tail_backfill_lines, 5);
        assert_eq!(config.shell.output_buffer_lines, 50000);
        assert!(config.shell.auto_tail);
    }

    #[test]
    fn parse_toml_with_shell_section() {
        let toml = r#"
[shell]
tail_backfill_lines = 20
output_buffer_lines = 5000
auto_tail = false
"#;
        let config: WorkflowConfig = toml::from_str(toml).unwrap();
        assert_eq!(config.shell.tail_backfill_lines, 20);
        assert_eq!(config.shell.output_buffer_lines, 5000);
        assert!(!config.shell.auto_tail);
    }

    #[test]
    fn parse_toml_without_shell_section_uses_default() {
        let toml = r#"
[submit]
adapter = "git"
"#;
        let config: WorkflowConfig = toml::from_str(toml).unwrap();
        assert_eq!(config.shell.tail_backfill_lines, 5);
        assert_eq!(config.shell.output_buffer_lines, 50000);
        assert!(config.shell.auto_tail);
    }

    // ── v0.11.0.1: auto_submit / auto_review / backward compat ──

    #[test]
    fn effective_auto_submit_defaults_true_when_adapter_set() {
        let config = SubmitConfig {
            adapter: "git".to_string(),
            ..Default::default()
        };
        assert!(config.effective_auto_submit());
    }

    #[test]
    fn effective_auto_submit_defaults_false_when_no_adapter() {
        let config = SubmitConfig::default(); // adapter = "none"
        assert!(!config.effective_auto_submit());
    }

    #[test]
    fn effective_auto_submit_explicit_override() {
        let config = SubmitConfig {
            adapter: "git".to_string(),
            auto_submit: Some(false),
            ..Default::default()
        };
        assert!(!config.effective_auto_submit());
    }

    #[test]
    fn effective_auto_review_defaults_true_when_adapter_set() {
        let config = SubmitConfig {
            adapter: "git".to_string(),
            ..Default::default()
        };
        assert!(config.effective_auto_review());
    }

    #[test]
    fn effective_auto_review_defaults_false_when_no_adapter() {
        let config = SubmitConfig::default();
        assert!(!config.effective_auto_review());
    }

    #[test]
    fn effective_auto_review_explicit_override() {
        let config = SubmitConfig {
            adapter: "git".to_string(),
            auto_review: Some(false),
            ..Default::default()
        };
        assert!(!config.effective_auto_review());
    }

    #[test]
    fn parse_toml_with_auto_submit() {
        let toml = r#"
[submit]
adapter = "git"
auto_submit = true
auto_review = false
"#;
        let config: WorkflowConfig = toml::from_str(toml).unwrap();
        assert!(config.submit.effective_auto_submit());
        assert!(!config.submit.effective_auto_review());
    }

    #[test]
    fn parse_toml_with_deprecated_auto_commit_auto_push() {
        // Old-style config with removed fields should still parse (fields are ignored).
        // With adapter = "none", effective_auto_submit() defaults to false.
        let toml = r#"
[submit]
adapter = "none"
auto_review = true
"#;
        let config: WorkflowConfig = toml::from_str(toml).unwrap();
        assert!(!config.submit.effective_auto_submit());
        assert!(config.submit.effective_auto_review());
    }

    #[test]
    fn sync_config_defaults() {
        let config = SyncConfig::default();
        assert!(!config.auto_sync);
        assert_eq!(config.strategy, "merge");
        assert_eq!(config.remote, "origin");
        assert_eq!(config.branch, "main");
    }

    #[test]
    fn parse_toml_with_source_sync_section() {
        let toml = r#"
[source.sync]
auto_sync = true
strategy = "rebase"
remote = "upstream"
branch = "develop"
"#;
        let config: WorkflowConfig = toml::from_str(toml).unwrap();
        assert!(config.source.sync.auto_sync);
        assert_eq!(config.source.sync.strategy, "rebase");
        assert_eq!(config.source.sync.remote, "upstream");
        assert_eq!(config.source.sync.branch, "develop");
    }

    #[test]
    fn parse_toml_without_source_section_uses_default() {
        let toml = r#"
[submit]
adapter = "git"
"#;
        let config: WorkflowConfig = toml::from_str(toml).unwrap();
        assert!(!config.source.sync.auto_sync);
        assert_eq!(config.source.sync.strategy, "merge");
    }

    #[test]
    fn parse_toml_with_adapter_specific_sections() {
        let toml = r#"
[submit]
adapter = "git"

[submit.git]
branch_prefix = "feature/"
target_branch = "develop"
remote = "upstream"

[submit.perforce]
workspace = "my-ws"
shelve_by_default = false

[submit.svn]
repo_url = "svn://example.com/trunk"
"#;
        let config: WorkflowConfig = toml::from_str(toml).unwrap();
        assert_eq!(config.submit.git.branch_prefix, "feature/");
        assert_eq!(config.submit.git.target_branch, "develop");
        assert_eq!(config.submit.git.remote, "upstream");
        assert_eq!(config.submit.perforce.workspace.as_deref(), Some("my-ws"));
        assert!(!config.submit.perforce.shelve_by_default);
        assert_eq!(
            config.submit.svn.repo_url.as_deref(),
            Some("svn://example.com/trunk")
        );
    }

    #[test]
    fn git_config_auto_merge_default_false() {
        let config = GitConfig::default();
        assert!(!config.auto_merge);
    }

    #[test]
    fn git_config_auto_merge_from_toml() {
        let toml = r#"
[submit.git]
auto_merge = true
"#;
        let config: WorkflowConfig = toml::from_str(toml).unwrap();
        assert!(config.submit.git.auto_merge);
    }

    #[test]
    fn sandbox_config_defaults() {
        let config = SandboxConfig::default();
        assert!(!config.enabled);
        assert_eq!(config.provider, "native");
        assert!(config.allow_read.is_empty());
        assert!(config.allow_write.is_empty());
        assert!(config.allow_network.is_empty());
    }

    #[test]
    fn sandbox_config_from_toml() {
        let toml = r#"
[sandbox]
enabled = true
provider = "native"
allow_read = ["/usr/lib"]
allow_write = ["/tmp/scratch"]
allow_network = ["api.anthropic.com"]
"#;
        let config: WorkflowConfig = toml::from_str(toml).unwrap();
        assert!(config.sandbox.enabled);
        assert_eq!(config.sandbox.provider, "native");
        assert_eq!(config.sandbox.allow_read, vec!["/usr/lib"]);
        assert_eq!(config.sandbox.allow_write, vec!["/tmp/scratch"]);
        assert_eq!(config.sandbox.allow_network, vec!["api.anthropic.com"]);
    }

    #[test]
    fn workflow_config_default_has_sandbox_section() {
        let config = WorkflowConfig::default();
        assert!(!config.sandbox.enabled, "sandbox disabled by default");
    }

    #[test]
    fn workflow_section_defaults_to_warn() {
        let config = WorkflowConfig::default();
        assert_eq!(
            config.workflow.enforce_phase_order, "warn",
            "enforce_phase_order should default to 'warn'"
        );
    }

    #[test]
    fn workflow_section_parse_toml() {
        let toml = r#"
[workflow]
enforce_phase_order = "block"
"#;
        let config: WorkflowConfig = toml::from_str(toml).unwrap();
        assert_eq!(config.workflow.enforce_phase_order, "block");
    }

    #[test]
    fn workflow_section_parse_toml_off() {
        let toml = r#"
[workflow]
enforce_phase_order = "off"
"#;
        let config: WorkflowConfig = toml::from_str(toml).unwrap();
        assert_eq!(config.workflow.enforce_phase_order, "off");
    }

    // ── v0.14.3.5: ApplyConfig tests ────────────────────────────────────────

    #[test]
    fn apply_config_empty_returns_none() {
        let cfg = ApplyConfig::default();
        assert!(cfg.policy_for("PLAN.md").is_none());
        assert!(cfg.policy_for("src/main.rs").is_none());
    }

    #[test]
    fn apply_config_exact_match() {
        let mut cfg = ApplyConfig::default();
        cfg.conflict_policy
            .insert("PLAN.md".to_string(), "keep-source".to_string());
        cfg.conflict_policy
            .insert("Cargo.lock".to_string(), "keep-source".to_string());

        assert_eq!(cfg.policy_for("PLAN.md"), Some("keep-source"));
        assert_eq!(cfg.policy_for("Cargo.lock"), Some("keep-source"));
        assert_eq!(cfg.policy_for("src/main.rs"), None);
    }

    #[test]
    fn apply_config_default_key_fallback() {
        let mut cfg = ApplyConfig::default();
        cfg.conflict_policy
            .insert("default".to_string(), "merge".to_string());

        // No specific pattern — falls back to "default".
        assert_eq!(cfg.policy_for("src/anything.rs"), Some("merge"));
        assert_eq!(cfg.policy_for("PLAN.md"), Some("merge"));
    }

    #[test]
    fn apply_config_glob_override_wins_over_default() {
        let mut cfg = ApplyConfig::default();
        cfg.conflict_policy
            .insert("default".to_string(), "merge".to_string());
        cfg.conflict_policy
            .insert("src/**".to_string(), "abort".to_string());

        assert_eq!(cfg.policy_for("src/main.rs"), Some("abort"));
        assert_eq!(cfg.policy_for("src/nested/lib.rs"), Some("abort"));
        // Non-src falls back to default.
        assert_eq!(cfg.policy_for("docs/USAGE.md"), Some("merge"));
    }

    #[test]
    fn apply_config_parse_from_toml() {
        let toml = r#"
[apply.conflict_policy]
default = "merge"
"PLAN.md" = "keep-source"
"Cargo.lock" = "keep-source"
"src/**" = "abort"
"#;
        let config: WorkflowConfig = toml::from_str(toml).unwrap();
        assert_eq!(config.apply.policy_for("PLAN.md"), Some("keep-source"));
        assert_eq!(config.apply.policy_for("Cargo.lock"), Some("keep-source"));
        assert_eq!(config.apply.policy_for("src/lib.rs"), Some("abort"));
        assert_eq!(config.apply.policy_for("docs/USAGE.md"), Some("merge"));
    }

    #[test]
    fn ta_path_config_defaults_are_populated() {
        let cfg = TaPathConfig::default();
        assert!(!cfg.project.include_paths.is_empty());
        assert!(cfg
            .project
            .include_paths
            .contains(&"workflow.toml".to_string()));
        assert!(!cfg.local.exclude_paths.is_empty());
        assert!(cfg.local.exclude_paths.contains(&"staging/".to_string()));
    }

    #[test]
    fn ta_path_config_parse_from_toml() {
        let toml = r#"
[ta.project]
include_paths = ["workflow.toml", "agents/"]

[ta.local]
exclude_paths = ["staging/", "goals/"]
"#;
        let config: WorkflowConfig = toml::from_str(toml).unwrap();
        assert_eq!(
            config.ta.project.include_paths,
            vec!["workflow.toml", "agents/"]
        );
        assert_eq!(config.ta.local.exclude_paths, vec!["staging/", "goals/"]);
    }

    #[test]
    fn plan_config_defaults_to_plan_md() {
        let config = PlanConfig::default();
        assert_eq!(config.file, "PLAN.md");
    }

    #[test]
    fn plan_config_custom_file_resolves_path() {
        let config = PlanConfig {
            file: "ROADMAP.md".to_string(),
        };
        let workflow = WorkflowConfig {
            plan: config,
            ..Default::default()
        };
        let root = std::path::Path::new("/workspace");
        let path = resolve_plan_path(root, &workflow);
        assert_eq!(path, std::path::Path::new("/workspace/ROADMAP.md"));
    }

    #[test]
    fn plan_config_default_resolves_to_plan_md() {
        let workflow = WorkflowConfig::default();
        let root = std::path::Path::new("/project");
        let path = resolve_plan_path(root, &workflow);
        assert_eq!(path, std::path::Path::new("/project/PLAN.md"));
    }

    #[test]
    fn plan_config_parses_from_toml() {
        let toml = r#"
[plan]
file = "ROADMAP.md"
"#;
        let config: WorkflowConfig = toml::from_str(toml).unwrap();
        assert_eq!(config.plan.file, "ROADMAP.md");
    }

    #[test]
    fn project_section_parses_name() {
        let toml = r#"
[project]
name = "My Pipeline Project"
"#;
        let config: WorkflowConfig = toml::from_str(toml).unwrap();
        assert_eq!(config.project.name.as_deref(), Some("My Pipeline Project"));
    }

    #[test]
    fn project_section_defaults_to_none_name() {
        let config = WorkflowConfig::default();
        assert!(config.project.name.is_none());
    }

    // ── analysis config (v0.15.14.3) ─────────────────────────────────────────

    #[test]
    fn analysis_config_parses_python() {
        let toml = r#"
[analysis.python]
tool = "mypy"
args = ["--strict"]
on_failure = "agent"
max_iterations = 3
"#;
        let config: WorkflowConfig = toml::from_str(toml).unwrap();
        let py = config
            .analysis
            .get("python")
            .expect("python analysis config");
        assert_eq!(py.tool, "mypy");
        assert_eq!(py.args, vec!["--strict"]);
        assert_eq!(py.on_failure, ta_goal::analysis::OnFailure::Agent);
        assert_eq!(py.max_iterations, 3);
    }

    #[test]
    fn analysis_config_parses_multiple_languages() {
        let toml = r#"
[analysis.rust]
tool = "cargo-clippy"
args = ["-D", "warnings"]
on_failure = "warn"

[analysis.go]
tool = "golangci-lint"
args = ["run"]
on_failure = "agent"
"#;
        let config: WorkflowConfig = toml::from_str(toml).unwrap();
        assert_eq!(config.analysis.len(), 2);
        let rust = config.analysis.get("rust").unwrap();
        assert_eq!(rust.tool, "cargo-clippy");
        assert_eq!(rust.on_failure, ta_goal::analysis::OnFailure::Warn);
        let go = config.analysis.get("go").unwrap();
        assert_eq!(go.on_failure, ta_goal::analysis::OnFailure::Agent);
    }

    #[test]
    fn analysis_config_defaults_to_empty_map() {
        let config = WorkflowConfig::default();
        assert!(config.analysis.is_empty());
    }

    #[test]
    fn analysis_config_parses_on_max_iterations() {
        let toml = r#"
[analysis.typescript]
tool = "pyright"
on_max_iterations = "fail"
"#;
        let config: WorkflowConfig = toml::from_str(toml).unwrap();
        let ts = config.analysis.get("typescript").unwrap();
        assert_eq!(
            ts.on_max_iterations,
            ta_goal::analysis::OnMaxIterations::Fail
        );
    }
}