From 89bfbcf4e7bab14bf47ed3db07b0c5c7fce33f95 Mon Sep 17 00:00:00 2001
From: Lien Chen <screen.leon@gmail.com>
Date: Sat, 25 Apr 2026 22:52:13 +0900
Subject: [PATCH 1/2] feat(phase6c-pr1): role catalog skeleton + L0 safety
 boundary
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Phase 6c PR-1 — implements the role catalog data structure and the
L0 safety boundary around connector subprocess invocation. Closes
two of the four gaps Phase 6c addresses; remaining PRs ship per the
v5.1 plan in docs/phase6c-plan.md.

## What's in this PR

- backend/internal/roles/ — hand-maintained Role catalog (6 entries)
  with per-role DefaultTimeoutSec (code-reviewer 15min through
  backend-architect 90min). TimeoutFor resolves env override →
  catalog → 30min fallback. ANPM_DISPATCH_TIMEOUT=0 disables.
  TestCatalogMatchesPromptDir is the SoT-drift detector.

- backend/internal/connector/dispatch_safety.go —
  - boundedWriter (atomic.Int64 + atomic.Bool, max=0 disables)
  - applyDispatchKillEscalation: cmd.Cancel = SIGTERM, cmd.WaitDelay
    = 5s before SIGKILL (per Go 1.20+ contract; bare context.Cancel
    does not guarantee subprocess termination on SIGTERM-trapping
    CLIs)
  - validateExecutionResult: enforces files [] required, optional
    test_instructions/risks/followups type-checked

- invokeBuiltinCLI signature changes from (string, string) to
  (string, bool, string) adding truncated flag. invokeClaudeCLI and
  invokeCodexCLI both apply boundedWriter + signal escalation.
  invokeCodexCLI uses io.Copy goroutine + ptmx.Close after Wait to
  avoid hangs on SIGTERM-ignoring Codex (risk-reviewer H1).

- RunOnceTask uses roles.TimeoutFor(roleID) for per-role timeout;
  precedence is runErr-over-truncated when both are set (so timeout
  signals are not masked by output cap firing); routes failures to
  4 new error_kinds: dispatch_timeout, output_too_large,
  invalid_result_schema, role_not_found (the last is reserved for
  PR-2 server-side claim-next-task enforcement).

- Adversarial test matrix: 14 dispatch tests + 9 catalog tests, all
  green under -race. T-6c-C2-2 spawns a real subprocess via
  os.Args[0] with signal.Ignore(SIGTERM) to prove SIGKILL escalation
  fires within 1s timeout + 5s grace. TestMain uses a double-sentinel
  guard (ANPM_TEST_HELPER_GUARD=1 + ANPM_TEST_HELPER_MODE) so a
  developer with the mode env set in their shell does not get a
  silent zero-test exit.

## Plan v5.1 + DECISIONS context

This PR also ships docs/phase6c-plan.md (5-PR scope, ~13 days total)
and a Phase 6c entry in DECISIONS.md. Subsequent PRs:
- PR-2: authoring lifecycle + actor_audit (SoT) + 4-point catalog
  enforcement
- PR-3: LLM router suggest endpoint (advisory; auto-apply deferred
  to Phase 6d per dogfood signal)
- PR-4: connector activity tracking via SSE
- PR-5: dogfood + DECISIONS archival

## Reviews completed

- make pre-pr: green twice (SQLite + PostgreSQL + frontend build)
- critic subagent: 2 rounds, 4 Required + 2 nice-to-have all
  addressed; round-2 findings included Codex PTY io.Copy goroutine
  fix, atomic.Int64 boundedWriter, SIGTERM-ignore test slack 5s
- /security-review: 0 findings ≥ confidence 8
- risk-reviewer: 2 HIGH (H1 Codex PTY hang, H2 boundedWriter race)
  + 1 MEDIUM (M1 timing fragility) all addressed; lower-severity
  findings logged as risks R22-R31 in plan §6

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 DECISIONS.md                                  |    8 +
 backend/internal/connector/builtin_adapter.go |   88 +-
 backend/internal/connector/dispatch_safety.go |  179 +++
 .../connector/dispatch_safety_test.go         |  389 ++++++
 backend/internal/connector/probe.go           |    2 +-
 backend/internal/connector/service.go         |   73 +-
 backend/internal/models/requirement.go        |   70 +-
 backend/internal/roles/catalog.go             |  156 +++
 backend/internal/roles/catalog_test.go        |  268 ++++
 docs/phase6c-plan.md                          | 1111 +++++++++++++++++
 10 files changed, 2287 insertions(+), 57 deletions(-)
 create mode 100644 backend/internal/connector/dispatch_safety.go
 create mode 100644 backend/internal/connector/dispatch_safety_test.go
 create mode 100644 backend/internal/roles/catalog.go
 create mode 100644 backend/internal/roles/catalog_test.go
 create mode 100644 docs/phase6c-plan.md

diff --git a/DECISIONS.md b/DECISIONS.md
index 317c258..f6ba582 100644
--- a/DECISIONS.md
+++ b/DECISIONS.md
@@ -4,6 +4,14 @@ Active architectural and behavioral decisions for Agent Native PM.
 
 When this file exceeds 50 entries or 30 KB, archive older entries to `DECISIONS_ARCHIVE.md`. The most recent archival pass was on 2026-04-22.
 
+## 2026-04-25: Phase 6c v5.1 — L0 safety + authoring lifecycle + LLM router (suggest-only) + activity visibility [agent:feature-planner]
+
+- **Context**: Phase 6b shipped role-dispatch end-to-end in code but the user-facing path is broken in three independent ways: (1) `execution_role` has no UI authoring surface, so the role_dispatch radio is permanently disabled (catch-22); (2) "auto-dispatch" is in name only — operators must still manually pick a role for every task; (3) connector activity during long task execution (backend-architect can run 90 min) is invisible to the frontend, making dogfood debugging impossible. Phase 5 §(g)/§(h) also flagged subprocess sandboxing as a Phase 6 blocker. The user explicitly rejected simple / phase-staged solutions: "一律不考慮簡單作法 我希望是完善的改動 而不是臨時性處理" (memory: `feedback_no_simple_approach`). Closing all four gaps in one phase is therefore in scope, even at ~15-day total cost.
+- **Decision**: Phase 6c ships as **5 separate PRs**, each independently reviewable and rollback-able, but coherent as a single capability slice. **PR-1 (done)**: role catalog skeleton (hand-maintained `[]Role{...}` with per-role `DefaultTimeoutSec`) + L0 safety boundary in connector subprocess invocation (wall-clock timeout via `cmd.Cancel = SIGTERM` + `cmd.WaitDelay = 5s` escalation, output size cap via `boundedWriter`, JSON schema minimum validation, 4 new error kinds: `role_not_found`/`dispatch_timeout`/`output_too_large`/`invalid_result_schema`). **PR-2**: full authoring lifecycle — migration 030 adds generic `actor_audit` table (subject_kind/subject_id/field/old_value/new_value/actor_kind/actor_id/rationale/confidence) which is the **single source of truth** for execution_role authoring metadata (no denormalised columns on `backlog_candidates` per critic round 3 #1; frontend reads via helper `LatestAuthoring(subject_kind, subject_id, field)` joining against latest audit row); PATCH endpoint accepts `execution_role`; apply API extended with `execution_role` payload; catalog enforcement at four entry points (PATCH, apply, claim-next-task; suggest gates at validation in PR-3); CandidateReviewPanel rewritten so role_dispatch radio is always enabled with inline `<select>`; CandidateRoleEditor inline popover on candidate cards; stale-role warning when previously-suggested role no longer in catalog. **PR-3 (suggest-only, B2)**: LLM router as advisory meta-agent — new `backend/internal/prompts/meta/dispatcher.md` (category=meta, version 1, default timeout 60s; lives under `meta/` subtree per critic #10, drift test walks both `roles/` and `meta/`); `dispatcher.Service.Suggest` reuses PR-1's `invokeBuiltinCLI` for safety; `POST /api/backlog-candidates/:id/suggest-role` returns RouterResult without persisting; **Apply API NOT extended with `role_dispatch_auto` mode** — operator confirms suggested role manually then applies via `mode=role_dispatch` (audit row `actor_kind="operator"` even when suggestion came from router; this avoids premature auto-apply before router quality is dogfood-validated, per user pick B2); 1 new error kind (`router_no_match`); router output validated against catalog (role_id must be known or "no_match", confidence ∈ [0,1], reasoning ≤ 1024 chars with control-char sanitization); migration 032 reserved as PR-3 placeholder (per critic #9). **PR-4**: connector activity tracking — migration 031 adds `current_activity_json/at` snapshot column on `local_connectors`; ActivityReporter on connector emits phase transitions via **enqueue-not-overwrite** queue (per critic #5 — phase transitions in rapid succession all reach subscriber; same-phase step changes coalesce in 500ms window); phase enum is `idle/claiming_run/planning/claiming_task/dispatching/submitting` (no `routing` — that arrives in 6d with auto-apply); `POST /api/connector/activity` lightweight ingest endpoint; in-memory Hub broadcasts to SSE subscribers via unbuffered channels (slow clients auto-dropped); `GET /api/connectors/:id/activity-stream` SSE with 30s keepalive + `X-Accel-Buffering: no` header (C1: SSE retained vs polling-only); `GET /api/connectors/:id/activity` polling fallback; project-level aggregate `GET /api/projects/:id/active-connectors`; frontend `useConnectorActivity` hook auto-degrades SSE→polling→stale; `ConnectorActivityBadge` 3 density variants. **Activity does NOT write to actor_audit** (per critic #8 — 5+ phase transitions per task would drown the human-meaningful authoring trail; only latest snapshot persists). **PR-5**: dogfood (8 deliberate-trigger steps including activity SSE observation) + `docs/operating-rules.md` "Role-dispatch + visibility model" section + DECISIONS.md final + **archival pass** moving 2026-04-22-and-older entries to `DECISIONS_ARCHIVE.md` (per critic #11 — file already past 30KB threshold).
+- **Alternatives considered**: (1) Defer authoring + router + activity to Phase 6d — rejected; the user explicitly stated dogfood today is broken without all three (see catch-22 analysis in plan v5 §1.1). (2) Single mega-PR — rejected; 15-day single PR is unreviewable; coherent slicing into 5 PRs preserves coherence while making each PR shippable in 1-5 days. (3) Apply-time-only authoring (no candidate edit + no audit) — rejected; user feedback explicitly requires comprehensive authoring (`feedback_no_simple_approach`); apply-time-only would force re-rework when Phase 6d's LLM planner pre-fills `execution_role` at candidate creation. (4) Polling-only activity (no SSE) — rejected at user pick C1; sub-second visibility is consistent with `feedback_no_simple_approach` even though 3s polling would technically suffice. (5) Sync `role_dispatch_auto` in PR-3 — **rejected at user pick B2 (critic round 3 #2)**; without dogfood data on router quality, auto-apply is premature optimization; PR-3 ships suggest-only and PR-6 (or 6d) lands auto-apply once PR-5 dogfood validates router accuracy. (6) Async `role_dispatch_auto` + webhook in 6c — deferred to 6d per user §5 Q3 answer (depends on auto-apply existing first). (7) Skip Role.Category field — rejected; without `category="meta"` filter the dispatcher prompt would surface in `/api/roles` and self-recommend, breaking the routing semantics. (8) `actor_audit` as candidate-specific table — rejected; designed generic from start (subject_kind discriminator) so PR-3 router-actor rows (when 6d auto-apply lands) and PR-4 system-actor rows reuse the same infrastructure. (9) Denormalised `execution_role_set_by/_at/_confidence` columns on `backlog_candidates` — **rejected at critic round 3 #1**; `actor_audit` is the single source of truth and frontend reads via JOIN helper to avoid drift between two writers. (10) Activity history written to `actor_audit` — **rejected at critic round 3 #8**; ~5 phase transitions per task dispatch would drown the human-meaningful authoring trail; activity only persists as latest snapshot, dedicated time-series store deferred to 6d if needed. (11) `dispatcher.md` placed at `prompts/dispatcher.md` siblng to `backlog.md` and `whatsnext.md` — **rejected at critic round 3 #10**; meta-prompts deserve their own subtree (`prompts/meta/`) for IA clarity and future expansion.
+- **Constraints introduced**: **(a) Role catalog**: `backend/internal/roles/catalog.go` is hand-maintained `[]Role{...}` (no codegen); `Role.Category` ∈ {"role", "meta"}; `roles.All()` returns full set; `/api/roles` filters category="role"; `TestCatalogMatchesPromptDir` walks both `prompts/roles/*.md` and `prompts/dispatcher.md`; PR adding a new role MUST edit both files. **(b) execution_role lifecycle**: writes go through `BacklogCandidateStore.UpdateExecutionRole(ctx, id, role, actor)` which does single-transaction validate → SELECT old → UPDATE → INSERT actor_audit; concurrent PATCH/apply use `BEGIN IMMEDIATE` (existing SQLite pattern). `set_by` ∈ {"", "operator", "router"}; `confidence` only set when `set_by="router"`. **(c) Apply API**: `mode=role_dispatch` requires non-empty `execution_role` in catalog → else 400; `mode=role_dispatch_auto` calls dispatcher synchronously (6c) and returns 422 with router_decision payload when `confidence < min_confidence` or `role_id="no_match"`; `mode=manual` ignores `execution_role`. **(d) Server-side claim enforcement**: `MarkTaskRoleNotFound` does `dispatch_status: queued → failed` atomic transition (NOT `running → failed`) plus single-tx audit row; non-applicable when task already leased. **(e) L0 safety**: per-role timeouts in catalog (code-reviewer=15min, test-writer=20min, api-contract-writer=30min, ui-scaffolder=45min, db-schema-designer=45min, backend-architect=90min, dispatcher=60min); `ANPM_DISPATCH_TIMEOUT` env override hierarchy: env>0 → env value, env=0 → disabled, env<0/unset → catalog → 30min fallback. SIGTERM→5s→SIGKILL escalation via `cmd.Cancel`+`cmd.WaitDelay`; adversarial test uses real subprocess with `signal.Ignore`. Output cap default 5 MB via `ANPM_DISPATCH_OUTPUT_MAX`; 0=disabled. JSON schema minimum: must contain `files []`; optional fields type-checked. **(f) Router**: dispatcher prompt is in `prompts/dispatcher.md` (NOT under `roles/`) with `category: meta`; output validated for role_id ∈ catalog, confidence ∈ [0,1], reasoning length and control-char sanitization; alternatives all validated against catalog; `min_confidence` default 0.7 (operator-overridable per apply); router output never trusted to be a valid catalog entry — Validation is a hard gate not a soft check. **(g) Activity model**: phases are exhaustive enum (idle/claiming_run/planning/claiming_task/routing/dispatching/submitting); reporter coalesces step-only changes within 500ms but always sends phase transitions; in-memory Hub uses unbuffered subscriber channels with non-blocking send (slow client auto-drops, reconnect picks up via initial state); SSE includes 30s keepalive comments + `X-Accel-Buffering: no`; per-user concurrent SSE connections capped at 3 (503 above); DB persists latest snapshot only (history lives in actor_audit); idle activities retained 5 min before purge. **(h) Audit invariants**: every `execution_role` change writes to `actor_audit` in same transaction; `actor_kind` ∈ {"user", "router", "system", "connector"}; `rationale` stores router confidence + reasoning, or system change reason; cascade-delete with subject row. **(i) Operational constraint**: L0 boundary is the ONLY safety enforcement until L1 ships — operators MUST NOT expose role_dispatch to non-operator task submitters or untrusted task content; this is documented verbatim in `docs/operating-rules.md` and is non-negotiable. L1 (process-level jail via firejail/namespaces) is evaluated when Phase 6d opens; L2 (container/VM full isolation) requires one of three triggers fired: multi-tenant submitters, untrusted external repos, or compliance requirements. **(j) Phase 6d/7 trigger conditions**: recorded in `docs/phase6c-plan.md` §9; opening either phase without a documented trigger having fired is a scope-creep violation. **(k) PR ordering**: PR-1 first (already implemented); PR-2/3/4 sequential to avoid rebase cost (each later PR consumes earlier-PR types); PR-5 last (dogfood requires all four prior PRs).
+- **Source**: `docs/phase6c-plan.md` v5.1 (post-critic-round-3, B2 + C1 拍板). Backed by dogfood-generated backlog candidates `bad629dc` (catalog SoT) and `fb040ce6` (safety boundary), both `approved` status as of 2026-04-25, plus design dialogues with the user that surfaced the catch-22, the LLM router request, the activity visibility requirement, and a critic round adversarially analyzing v5 that produced 14 findings (9 unilateral fixes adopted, B2 + C1 user-decided).
+
 ## 2026-04-25: Requirement discard, analysis filtering, and connector run-status badge [agent:application-implementer]
 
 - **Context**: Three interconnected UX improvements: (1) Requirements with no applied tasks are permanently deletable (not just archivable); (2) `source=analysis` / `source=system` requirements should not appear in the sidebar or affect the isEmpty check; (3) The connector status badge should reflect when a run is actively leased or queued.
diff --git a/backend/internal/connector/builtin_adapter.go b/backend/internal/connector/builtin_adapter.go
index c209aec..44cf7cd 100644
--- a/backend/internal/connector/builtin_adapter.go
+++ b/backend/internal/connector/builtin_adapter.go
@@ -62,7 +62,11 @@ func ExecuteBuiltin(ctx context.Context, input ExecJSONInput) models.LocalConnec
 	}
 
 	// Run CLI.
-	output, runErr := invokeBuiltinCLI(ctx, agent, binary, model, prompt, timeoutSec)
+	output, truncated, runErr := invokeBuiltinCLI(ctx, agent, binary, model, prompt, timeoutSec)
+	// Precedence: when both runErr and truncation are set, runErr is
+	// more informative (likely a timeout that produced partial output).
+	// The truncation-only branch fires when the CLI exited normally
+	// but produced more than the cap.
 	if runErr != "" {
 		return models.LocalConnectorSubmitRunResultRequest{
 			Success:      false,
@@ -70,6 +74,14 @@ func ExecuteBuiltin(ctx context.Context, input ExecJSONInput) models.LocalConnec
 			CliInfo:      &models.CliUsageInfo{Agent: agent, Model: model, ModelSource: modelSource},
 		}
 	}
+	if truncated {
+		return models.LocalConnectorSubmitRunResultRequest{
+			Success:      false,
+			ErrorMessage: fmt.Sprintf("CLI stdout exceeded the dispatch output cap (%d bytes); raise ANPM_DISPATCH_OUTPUT_MAX or set 0 to disable", dispatchOutputMaxBytes()),
+			ErrorKind:    models.ErrorKindOutputTooLarge,
+			CliInfo:      &models.CliUsageInfo{Agent: agent, Model: model, ModelSource: modelSource},
+		}
+	}
 
 	// Strip ANSI (Codex PTY output may contain escape codes even after drain).
 	output = stripANSI(output)
@@ -565,11 +577,27 @@ func buildScopeSnippet(req *models.Requirement) string {
 	return strings.Join(parts, "\n")
 }
 
-// invokeBuiltinCLI runs the CLI and returns (output, errorMessage).
+// invokeBuiltinCLI runs the CLI and returns (output, truncated, errorMessage).
+//
+// Phase 6c L0 safety boundary:
+//   - timeoutSec <= 0 → no wall-clock limit (escape hatch); the caller
+//     resolved this from roles.TimeoutFor (env=0) or chose to disable.
+//   - timeoutSec > 0  → context.WithTimeout wrapped with SIGTERM →
+//     sigtermGracePeriod → SIGKILL escalation (applyDispatchKillEscalation).
+//   - stdout is wrapped in boundedWriter using dispatchOutputMaxBytes;
+//     when the cap is exceeded, output is truncated and the second
+//     return value is true (caller maps to ErrorKindOutputTooLarge).
+//
 // For Claude: uses exec.CommandContext with -p flag.
 // For Codex: uses creack/pty because Codex checks stdin.isTTY.
-func invokeBuiltinCLI(ctx context.Context, agent, binary, model, prompt string, timeoutSec int) (string, string) {
-	runCtx, cancel := context.WithTimeout(ctx, time.Duration(timeoutSec)*time.Second)
+func invokeBuiltinCLI(ctx context.Context, agent, binary, model, prompt string, timeoutSec int) (string, bool, string) {
+	var runCtx context.Context
+	var cancel context.CancelFunc
+	if timeoutSec > 0 {
+		runCtx, cancel = context.WithTimeout(ctx, time.Duration(timeoutSec)*time.Second)
+	} else {
+		runCtx, cancel = context.WithCancel(ctx)
+	}
 	defer cancel()
 
 	switch agent {
@@ -578,26 +606,28 @@ func invokeBuiltinCLI(ctx context.Context, agent, binary, model, prompt string,
 	case "codex":
 		return invokeCodexCLI(runCtx, binary, model, prompt, timeoutSec)
 	default:
-		return "", fmt.Sprintf("unsupported agent %q (expected 'claude' or 'codex')", agent)
+		return "", false, fmt.Sprintf("unsupported agent %q (expected 'claude' or 'codex')", agent)
 	}
 }
 
 // invokeClaudeCLI runs: claude -p <prompt> [--model <model>]
-func invokeClaudeCLI(ctx context.Context, binary, model, prompt string, timeoutSec int) (string, string) {
+func invokeClaudeCLI(ctx context.Context, binary, model, prompt string, timeoutSec int) (string, bool, string) {
 	args := []string{"-p", prompt}
 	if model != "" {
 		args = append(args, "--model", model)
 	}
 	cmd := exec.CommandContext(ctx, binary, args...)
 	cmd.Stdin = nil // disconnected
+	applyDispatchKillEscalation(cmd)
 
 	var stdout, stderr bytes.Buffer
-	cmd.Stdout = &stdout
+	bw := newBoundedWriter(&stdout, dispatchOutputMaxBytes())
+	cmd.Stdout = bw
 	cmd.Stderr = &stderr
 
 	if err := cmd.Run(); err != nil {
 		if ctx.Err() == context.DeadlineExceeded {
-			return "", fmt.Sprintf("claude CLI timed out after %ds", timeoutSec)
+			return "", bw.Truncated(), fmt.Sprintf("claude CLI timed out after %ds", timeoutSec)
 		}
 		detail := strings.TrimSpace(stderr.String())
 		if detail == "" {
@@ -609,33 +639,49 @@ func invokeClaudeCLI(ctx context.Context, binary, model, prompt string, timeoutS
 		if len(detail) > 400 {
 			detail = detail[:400]
 		}
-		return "", fmt.Sprintf("claude CLI failed: %s", detail)
+		return stdout.String(), bw.Truncated(), fmt.Sprintf("claude CLI failed: %s", detail)
 	}
-	return stdout.String(), ""
+	return stdout.String(), bw.Truncated(), ""
 }
 
 // invokeCodexCLI runs codex inside a PTY because Codex checks stdin.isTTY.
-func invokeCodexCLI(ctx context.Context, binary, model, prompt string, timeoutSec int) (string, string) {
+//
+// PTY-specific concurrency: the io.Copy that drains the PTY master is
+// run on a separate goroutine so we can Wait() on the process FIRST.
+// On a CLI that ignores SIGTERM, exec sends SIGKILL after WaitDelay;
+// once the process dies the kernel will eventually close its end of
+// the PTY which lets io.Copy return — but on some platforms that close
+// is delayed. Closing ptmx explicitly after Wait returns guarantees
+// the goroutine unblocks immediately, and the copyDone channel ensures
+// we capture all output before reading buf.
+func invokeCodexCLI(ctx context.Context, binary, model, prompt string, timeoutSec int) (string, bool, string) {
 	args := []string{prompt}
 	if model != "" {
 		args = append(args, "--model", model)
 	}
 	cmd := exec.CommandContext(ctx, binary, args...)
+	applyDispatchKillEscalation(cmd)
 
 	ptmx, err := pty.Start(cmd)
 	if err != nil {
-		return "", fmt.Sprintf("pty unavailable for codex: %v", err)
+		return "", false, fmt.Sprintf("pty unavailable for codex: %v", err)
 	}
-	defer func() { _ = ptmx.Close() }()
 
-	// Drain all output from the PTY master into a buffer.
 	var buf bytes.Buffer
-	_, _ = io.Copy(&buf, ptmx)
-
-	// Wait for the command to finish.
-	if waitErr := cmd.Wait(); waitErr != nil {
+	bw := newBoundedWriter(&buf, dispatchOutputMaxBytes())
+	copyDone := make(chan struct{})
+	go func() {
+		_, _ = io.Copy(bw, ptmx)
+		close(copyDone)
+	}()
+
+	waitErr := cmd.Wait()
+	_ = ptmx.Close() // unblock the copy goroutine if it has not already returned
+	<-copyDone       // ensure all output is captured before reading buf
+
+	if waitErr != nil {
 		if ctx.Err() == context.DeadlineExceeded {
-			return "", fmt.Sprintf("codex CLI timed out after %ds", timeoutSec)
+			return "", bw.Truncated(), fmt.Sprintf("codex CLI timed out after %ds", timeoutSec)
 		}
 		raw := stripANSI(buf.String())
 		raw = strings.ReplaceAll(raw, "\r\n", "\n")
@@ -644,13 +690,13 @@ func invokeCodexCLI(ctx context.Context, binary, model, prompt string, timeoutSe
 		if len(tail) > 600 {
 			tail = tail[len(tail)-600:]
 		}
-		return "", fmt.Sprintf("codex CLI failed (%v): %s", waitErr, tail)
+		return raw, bw.Truncated(), fmt.Sprintf("codex CLI failed (%v): %s", waitErr, tail)
 	}
 
 	raw := buf.String()
 	raw = strings.ReplaceAll(raw, "\r\n", "\n")
 	raw = strings.ReplaceAll(raw, "\r", "\n")
-	return raw, ""
+	return raw, bw.Truncated(), ""
 }
 
 // stripANSI removes ANSI escape codes from s.
diff --git a/backend/internal/connector/dispatch_safety.go b/backend/internal/connector/dispatch_safety.go
new file mode 100644
index 0000000..b5006c3
--- /dev/null
+++ b/backend/internal/connector/dispatch_safety.go
@@ -0,0 +1,179 @@
+package connector
+
+import (
+	"encoding/json"
+	"io"
+	"os"
+	"os/exec"
+	"strconv"
+	"strings"
+	"sync/atomic"
+	"syscall"
+	"time"
+)
+
+// Phase 6c L0 safety boundary helpers — see docs/phase6c-plan.md §3 C2.
+//
+// These are shared by the role-dispatch loop in service.go AND by the
+// existing planning-run / probe paths in builtin_adapter.go. The two
+// safety knobs (signal-escalation kill, output cap) are applied at the
+// invokeBuiltinCLI level so every subprocess the connector spawns gets
+// the same defense — not just dispatch.
+
+const (
+	// defaultMaxOutputBytes caps CLI stdout at 5 MB. Generous enough that
+	// realistic structured output never trips it; tight enough that a
+	// runaway CLI cannot exhaust memory.
+	defaultMaxOutputBytes = 5 * 1024 * 1024
+
+	// sigtermGracePeriod is how long we wait between SIGTERM and SIGKILL
+	// when canceling a CLI subprocess. exec.CommandContext alone sends
+	// SIGKILL by default — that gives well-behaved CLIs no chance to
+	// flush output and clean up. We give them 5 s.
+	sigtermGracePeriod = 5 * time.Second
+)
+
+// boundedWriter wraps an io.Writer with a maximum byte cap. Writes
+// beyond the cap are silently discarded (Write returns len(p), nil) so
+// the subprocess sees a normal write and keeps running until it exits
+// on its own — this avoids the case where a CLI sees write errors and
+// crashes mid-output.
+//
+// Concurrency contract: Write is called from at most one goroutine at
+// a time (the io.Copy goroutine that drains the subprocess output).
+// Truncated() may be read from any goroutine after that copy goroutine
+// has signalled completion. Both `written` and `truncated` use atomic
+// types as defense-in-depth so that a future refactor that introduces
+// concurrent reads or multiple writers cannot silently introduce a
+// data race. max <= 0 disables the cap entirely (every write delegates).
+type boundedWriter struct {
+	target    io.Writer
+	max       int64
+	written   atomic.Int64
+	truncated atomic.Bool
+}
+
+func newBoundedWriter(target io.Writer, max int64) *boundedWriter {
+	return &boundedWriter{target: target, max: max}
+}
+
+func (b *boundedWriter) Write(p []byte) (int, error) {
+	if b.max <= 0 {
+		return b.target.Write(p)
+	}
+	if b.truncated.Load() {
+		return len(p), nil
+	}
+	written := b.written.Load()
+	remaining := b.max - written
+	if int64(len(p)) <= remaining {
+		n, err := b.target.Write(p)
+		b.written.Add(int64(n))
+		return n, err
+	}
+	if remaining > 0 {
+		n, _ := b.target.Write(p[:remaining])
+		b.written.Add(int64(n))
+	}
+	b.truncated.Store(true)
+	return len(p), nil
+}
+
+func (b *boundedWriter) Truncated() bool { return b.truncated.Load() }
+
+// dispatchOutputMaxBytes resolves the CLI stdout cap from environment.
+// Resolution:
+//   - unset / unparseable → defaultMaxOutputBytes (5 MB)
+//   - 0                  → 0 (caller treats as "disabled")
+//   - negative           → defaultMaxOutputBytes
+//   - positive           → that many bytes
+func dispatchOutputMaxBytes() int64 {
+	v := strings.TrimSpace(os.Getenv("ANPM_DISPATCH_OUTPUT_MAX"))
+	if v == "" {
+		return defaultMaxOutputBytes
+	}
+	n, err := strconv.ParseInt(v, 10, 64)
+	if err != nil {
+		return defaultMaxOutputBytes
+	}
+	if n == 0 {
+		return 0
+	}
+	if n < 0 {
+		return defaultMaxOutputBytes
+	}
+	return n
+}
+
+// applyDispatchKillEscalation wires cmd.Cancel and cmd.WaitDelay so
+// that context cancellation sends SIGTERM first and waits sigtermGracePeriod
+// before forcing SIGKILL. exec.CommandContext on its own sends SIGKILL
+// immediately, which is too aggressive for CLIs that need a moment to
+// flush output. CLIs that intentionally trap or ignore SIGTERM will
+// still be killed after sigtermGracePeriod.
+//
+// Must be called BEFORE cmd.Start / pty.Start.
+func applyDispatchKillEscalation(cmd *exec.Cmd) {
+	cmd.Cancel = func() error {
+		if cmd.Process == nil {
+			return nil
+		}
+		// Best-effort: ignore the error from Signal because the
+		// process may have already exited between Cancel firing and
+		// us getting the lock.
+		_ = cmd.Process.Signal(syscall.SIGTERM)
+		return os.ErrProcessDone
+	}
+	cmd.WaitDelay = sigtermGracePeriod
+}
+
+// validateExecutionResult enforces the minimum role-result schema: the
+// payload MUST contain a "files" array (may be empty), and the optional
+// fields "test_instructions" / "risks" / "followups" must have the
+// expected types when present. Forward-compat: extra fields are
+// ignored. This is the C2(c) JSON schema minimum check.
+//
+// Returns nil on success, or an error describing the first violation.
+func validateExecutionResult(payload map[string]json.RawMessage) error {
+	rawFiles, hasFiles := payload["files"]
+	if !hasFiles {
+		return errSchemaMissingFiles
+	}
+	if !isJSONArray(rawFiles) {
+		return errSchemaFilesNotArray
+	}
+	if raw, ok := payload["test_instructions"]; ok && !isJSONString(raw) {
+		return errSchemaTestInstructionsNotString
+	}
+	if raw, ok := payload["risks"]; ok && !isJSONArray(raw) {
+		return errSchemaRisksNotArray
+	}
+	if raw, ok := payload["followups"]; ok && !isJSONArray(raw) {
+		return errSchemaFollowupsNotArray
+	}
+	return nil
+}
+
+// schemaError is a sentinel-style error type so callers can attach a
+// stable string to ErrorKindInvalidResultSchema without parsing.
+type schemaError string
+
+func (e schemaError) Error() string { return string(e) }
+
+const (
+	errSchemaMissingFiles              schemaError = "execution result missing required `files` array"
+	errSchemaFilesNotArray             schemaError = "execution result `files` must be a JSON array"
+	errSchemaTestInstructionsNotString schemaError = "execution result `test_instructions` must be a string"
+	errSchemaRisksNotArray             schemaError = "execution result `risks` must be a JSON array"
+	errSchemaFollowupsNotArray         schemaError = "execution result `followups` must be a JSON array"
+)
+
+func isJSONArray(raw json.RawMessage) bool {
+	trimmed := strings.TrimSpace(string(raw))
+	return strings.HasPrefix(trimmed, "[")
+}
+
+func isJSONString(raw json.RawMessage) bool {
+	trimmed := strings.TrimSpace(string(raw))
+	return strings.HasPrefix(trimmed, "\"")
+}
diff --git a/backend/internal/connector/dispatch_safety_test.go b/backend/internal/connector/dispatch_safety_test.go
new file mode 100644
index 0000000..bd20f48
--- /dev/null
+++ b/backend/internal/connector/dispatch_safety_test.go
@@ -0,0 +1,389 @@
+package connector
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"os"
+	"os/signal"
+	"strings"
+	"syscall"
+	"testing"
+	"time"
+)
+
+// TestMain doubles as a mock-CLI launcher: when BOTH the helper-mode
+// env var AND a sentinel guard env var are set, this binary runs as
+// a mock CLI subprocess for the dispatch safety tests below.
+// Otherwise it runs the normal test suite.
+//
+// Two env vars are required so a developer with `ANPM_TEST_HELPER_MODE`
+// set in their shell does not have `go test` silently exit before any
+// test runs. The sentinel `ANPM_TEST_HELPER_GUARD=1` is set ONLY by
+// tests that explicitly want subprocess helper behaviour.
+//
+// The pattern lets us spawn real subprocesses (with real signal
+// behaviour) using os.Args[0] as the "binary" parameter to
+// invokeBuiltinCLI, which is what T-6c-C2-2 (SIGTERM-ignore /
+// SIGKILL escalation) requires — Go-internal time.Sleep does not
+// trap signals the same way a real CLI process does.
+func TestMain(m *testing.M) {
+	if os.Getenv("ANPM_TEST_HELPER_GUARD") == "1" {
+		mode := os.Getenv("ANPM_TEST_HELPER_MODE")
+		if mode == "" {
+			fmt.Fprintln(os.Stderr, "ANPM_TEST_HELPER_GUARD=1 but no ANPM_TEST_HELPER_MODE set")
+			os.Exit(2)
+		}
+		runTestHelper(mode)
+		os.Exit(0)
+	}
+	os.Exit(m.Run())
+}
+
+func runTestHelper(mode string) {
+	switch mode {
+	case "ignore_sigterm_sleep_forever":
+		// T-6c-C2-2: trap SIGTERM and ignore it; sleep until SIGKILL'd.
+		signal.Ignore(syscall.SIGTERM)
+		time.Sleep(10 * time.Minute)
+	case "echo_args":
+		// T-6c-C2-1: print the received -p prompt verbatim so the test
+		// can verify shell metacharacters were NOT expanded.
+		fmt.Fprintf(os.Stdout, `{"files":[],"echoed":%q}`, strings.Join(os.Args[1:], "|"))
+	case "valid_quick":
+		// T-6c-C2-10: print valid result then exit fast.
+		fmt.Fprint(os.Stdout, `{"files":[],"test_instructions":"","risks":[],"followups":[]}`)
+	case "sleep_2s_then_valid":
+		// T-6c-C2-8 (env=0 disabled): sleep then exit valid.
+		time.Sleep(2 * time.Second)
+		fmt.Fprint(os.Stdout, `{"files":[]}`)
+	case "print_10mb":
+		// T-6c-C2-3: print 10 MB of garbage to trigger output cap.
+		buf := bytes.Repeat([]byte("x"), 1024)
+		for i := 0; i < 10*1024; i++ {
+			_, _ = os.Stdout.Write(buf)
+		}
+	default:
+		fmt.Fprintf(os.Stderr, "unknown ANPM_TEST_HELPER_MODE=%q\n", mode)
+		os.Exit(2)
+	}
+}
+
+// -- Unit tests for boundedWriter (T-6c-C2-3 / T-6c-C2-9 / T-6c-C2-11 logic) --
+
+func TestBoundedWriterUnderCap(t *testing.T) {
+	var buf bytes.Buffer
+	bw := newBoundedWriter(&buf, 100)
+	n, err := bw.Write([]byte("hello"))
+	if err != nil || n != 5 {
+		t.Fatalf("Write(hello) = (%d, %v), want (5, nil)", n, err)
+	}
+	if bw.Truncated() {
+		t.Error("Truncated() = true under cap")
+	}
+	if buf.String() != "hello" {
+		t.Errorf("buf = %q", buf.String())
+	}
+}
+
+func TestBoundedWriterAtCap(t *testing.T) {
+	// T-6c-C2-11: write that crosses the boundary truncates partial.
+	var buf bytes.Buffer
+	bw := newBoundedWriter(&buf, 5)
+	n, err := bw.Write([]byte("hellobye"))
+	if err != nil {
+		t.Fatalf("Write err: %v", err)
+	}
+	if n != 8 {
+		t.Errorf("Write returned n=%d, want 8 (full input length so subprocess sees normal write)", n)
+	}
+	if !bw.Truncated() {
+		t.Error("Truncated() = false after exceeding cap")
+	}
+	if buf.String() != "hello" {
+		t.Errorf("buf = %q, want %q (truncated to cap)", buf.String(), "hello")
+	}
+	// Subsequent writes also discarded.
+	bw.Write([]byte("more"))
+	if buf.String() != "hello" {
+		t.Errorf("post-truncation write changed buf to %q", buf.String())
+	}
+}
+
+func TestBoundedWriterMaxZeroDisables(t *testing.T) {
+	// T-6c-C2-9: max=0 means no cap.
+	var buf bytes.Buffer
+	bw := newBoundedWriter(&buf, 0)
+	big := bytes.Repeat([]byte("x"), 10_000_000) // 10 MB
+	n, _ := bw.Write(big)
+	if n != len(big) {
+		t.Errorf("Write returned n=%d, want %d", n, len(big))
+	}
+	if bw.Truncated() {
+		t.Error("Truncated() = true with max=0")
+	}
+	if buf.Len() != len(big) {
+		t.Errorf("buf.Len() = %d, want %d", buf.Len(), len(big))
+	}
+}
+
+func TestBoundedWriterMaxNegativeDisables(t *testing.T) {
+	var buf bytes.Buffer
+	bw := newBoundedWriter(&buf, -1)
+	bw.Write([]byte("anything"))
+	if bw.Truncated() {
+		t.Error("Truncated() = true with negative max")
+	}
+}
+
+// -- Env parsing tests --
+
+func TestDispatchOutputMaxBytesEnv(t *testing.T) {
+	cases := []struct {
+		name string
+		env  string
+		want int64
+	}{
+		{"unset", "", defaultMaxOutputBytes},
+		{"explicit zero disables", "0", 0},
+		{"positive override", "1024", 1024},
+		{"negative falls back", "-1", defaultMaxOutputBytes},
+		{"garbage falls back", "abc", defaultMaxOutputBytes},
+	}
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			t.Setenv("ANPM_DISPATCH_OUTPUT_MAX", c.env)
+			if got := dispatchOutputMaxBytes(); got != c.want {
+				t.Errorf("got %d, want %d", got, c.want)
+			}
+		})
+	}
+}
+
+// -- validateExecutionResult tests (T-6c-C2-4 / 5 / 6 / 7) --
+
+func TestValidateExecutionResultValid(t *testing.T) {
+	payloads := []string{
+		`{"files":[]}`,
+		`{"files":[{"path":"a.go"}],"test_instructions":"run go test","risks":[],"followups":[]}`,
+		`{"files":[],"extra_field":"ignored"}`,
+	}
+	for _, raw := range payloads {
+		var p map[string]json.RawMessage
+		if err := json.Unmarshal([]byte(raw), &p); err != nil {
+			t.Fatalf("setup unmarshal: %v", err)
+		}
+		if err := validateExecutionResult(p); err != nil {
+			t.Errorf("validateExecutionResult(%s) = %v, want nil", raw, err)
+		}
+	}
+}
+
+func TestValidateExecutionResultMalformed(t *testing.T) {
+	// T-6c-C2-4 / T-6c-C2-5: malformed schema fails.
+	cases := []struct {
+		name    string
+		payload string
+		wantErr schemaError
+	}{
+		{"missing files", `{"test_instructions":"x"}`, errSchemaMissingFiles},
+		{"files not array", `{"files":"not-an-array"}`, errSchemaFilesNotArray},
+		{"test_instructions not string", `{"files":[],"test_instructions":["a","b"]}`, errSchemaTestInstructionsNotString},
+		{"risks not array", `{"files":[],"risks":"x"}`, errSchemaRisksNotArray},
+		{"followups not array", `{"files":[],"followups":42}`, errSchemaFollowupsNotArray},
+	}
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			var p map[string]json.RawMessage
+			_ = json.Unmarshal([]byte(c.payload), &p)
+			err := validateExecutionResult(p)
+			if err == nil {
+				t.Fatalf("expected error %q, got nil", c.wantErr)
+			}
+			if err.Error() != string(c.wantErr) {
+				t.Errorf("err = %q, want %q", err.Error(), c.wantErr)
+			}
+		})
+	}
+}
+
+// -- Subprocess-based integration tests via invokeBuiltinCLI --
+
+func TestInvokeBuiltinCLI_NoShellExpansion(t *testing.T) {
+	// T-6c-C2-1: shell metacharacters in prompt MUST be passed verbatim
+	// (not interpreted by a shell). exec.Command(...) uses argv directly,
+	// not a shell, so this should hold trivially — this test pins the
+	// behaviour against future regressions.
+	t.Setenv("ANPM_TEST_HELPER_GUARD", "1")
+	t.Setenv("ANPM_TEST_HELPER_MODE", "echo_args")
+	prompt := "$(rm -rf /); echo `whoami`"
+	out, truncated, errMsg := invokeBuiltinCLI(context.Background(), "claude", os.Args[0], "", prompt, 5)
+	if errMsg != "" {
+		t.Fatalf("invokeBuiltinCLI errMsg=%q", errMsg)
+	}
+	if truncated {
+		t.Error("truncated unexpectedly")
+	}
+	if !strings.Contains(out, prompt) {
+		t.Errorf("subprocess did not receive prompt verbatim; out=%q", out)
+	}
+}
+
+func TestInvokeBuiltinCLI_SigtermIgnoreEscalatesToSigkill(t *testing.T) {
+	// T-6c-C2-2: even when the CLI traps SIGTERM, wall-clock cancellation
+	// still kills the process (cmd.WaitDelay → SIGKILL after sigtermGracePeriod).
+	if testing.Short() {
+		t.Skip("subprocess test skipped in -short mode")
+	}
+	t.Setenv("ANPM_TEST_HELPER_GUARD", "1")
+	t.Setenv("ANPM_TEST_HELPER_MODE", "ignore_sigterm_sleep_forever")
+
+	start := time.Now()
+	_, _, errMsg := invokeBuiltinCLI(context.Background(), "claude", os.Args[0], "", "x", 1)
+	elapsed := time.Since(start)
+
+	if errMsg == "" {
+		t.Fatalf("expected timeout errMsg, got success after %v", elapsed)
+	}
+	if !strings.Contains(strings.ToLower(errMsg), "timed out") {
+		t.Errorf("errMsg = %q, want substring 'timed out'", errMsg)
+	}
+	// Upper bound: 1 s timeout + 5 s grace + 5 s CI slack. Risk-reviewer
+	// flagged that contended CI boxes can spike beyond 9s during process
+	// fork + signal registration; 11s is generous insurance against flakes
+	// while still being narrow enough to detect a broken escalation path
+	// (which would never return at all).
+	maxAllowed := 1*time.Second + sigtermGracePeriod + 5*time.Second
+	if elapsed > maxAllowed {
+		t.Errorf("subprocess took %v to die, want < %v (escalation may not be working)", elapsed, maxAllowed)
+	}
+	// Lower bound: must wait at least the timeout.
+	if elapsed < 800*time.Millisecond {
+		t.Errorf("subprocess died too fast (%v) — timeout may not have been applied", elapsed)
+	}
+}
+
+func TestInvokeBuiltinCLI_OutputCapTriggers(t *testing.T) {
+	// T-6c-C2-3: 10 MB output exceeds the 5 MB default cap → truncated=true.
+	t.Setenv("ANPM_TEST_HELPER_GUARD", "1")
+	t.Setenv("ANPM_TEST_HELPER_MODE", "print_10mb")
+	t.Setenv("ANPM_DISPATCH_OUTPUT_MAX", "") // use default 5 MB
+	out, truncated, errMsg := invokeBuiltinCLI(context.Background(), "claude", os.Args[0], "", "x", 30)
+	if !truncated {
+		t.Fatalf("expected truncated=true; errMsg=%q out_len=%d", errMsg, len(out))
+	}
+	// errMsg may be empty (CLI exited 0) — that's fine; truncated alone
+	// is sufficient signal for the caller to map output_too_large.
+	if int64(len(out)) > defaultMaxOutputBytes+1024 {
+		t.Errorf("output not truncated to cap: len=%d, cap=%d", len(out), defaultMaxOutputBytes)
+	}
+}
+
+func TestInvokeBuiltinCLI_TimeoutDisabledByEnvZero(t *testing.T) {
+	// T-6c-C2-8: env=0 disables timeout; CLI runs to completion.
+	if testing.Short() {
+		t.Skip("subprocess test skipped in -short mode")
+	}
+	t.Setenv("ANPM_TEST_HELPER_GUARD", "1")
+	t.Setenv("ANPM_TEST_HELPER_MODE", "sleep_2s_then_valid")
+
+	// Pass timeoutSec=0 to invokeBuiltinCLI (caller resolved env=0
+	// disabled via roles.TimeoutFor; this test pins the contract that
+	// invokeBuiltinCLI honours timeoutSec<=0 as "no timeout").
+	start := time.Now()
+	out, truncated, errMsg := invokeBuiltinCLI(context.Background(), "claude", os.Args[0], "", "x", 0)
+	elapsed := time.Since(start)
+
+	if errMsg != "" {
+		t.Fatalf("unexpected errMsg=%q after %v", errMsg, elapsed)
+	}
+	if truncated {
+		t.Error("truncated unexpectedly")
+	}
+	if !strings.Contains(out, `"files":[]`) {
+		t.Errorf("expected valid JSON in output; got %q", out)
+	}
+	if elapsed < 1500*time.Millisecond {
+		t.Errorf("subprocess returned in %v; expected at least 2s sleep", elapsed)
+	}
+}
+
+func TestInvokeBuiltinCLI_RaceFinishesBeforeTimeout(t *testing.T) {
+	// T-6c-C2-10: CLI finishes well within the timeout window. The
+	// timeout context should NOT mask a successful result.
+	t.Setenv("ANPM_TEST_HELPER_GUARD", "1")
+	t.Setenv("ANPM_TEST_HELPER_MODE", "valid_quick")
+	out, truncated, errMsg := invokeBuiltinCLI(context.Background(), "claude", os.Args[0], "", "x", 5)
+	if errMsg != "" {
+		t.Fatalf("errMsg=%q (expected success)", errMsg)
+	}
+	if truncated {
+		t.Error("truncated unexpectedly")
+	}
+	if !strings.Contains(out, `"files":[]`) {
+		t.Errorf("expected valid result; got %q", out)
+	}
+}
+
+func TestInvokeBuiltinCLI_TimeoutWithTruncationPrefersTimeout(t *testing.T) {
+	// Critic finding #4: when the CLI fills the output cap AND is
+	// killed by the timeout, the runErrMsg (timeout) carries more
+	// useful diagnostic info than truncation alone. The dispatch
+	// caller in service.go must prefer runErrMsg over truncated when
+	// both are set; this test pins the contract at invokeBuiltinCLI
+	// so any future refactor that swaps the precedence breaks here.
+	if testing.Short() {
+		t.Skip("subprocess test skipped in -short mode")
+	}
+	// Use a tight 1-byte cap so even minimal output trips truncation.
+	// The helper sleeps forever ignoring SIGTERM, so timeout fires
+	// after 1s+5s = 6s. The 1-byte cap is irrelevant to whether the
+	// CLI is truncated (it doesn't print anything before being killed),
+	// but if a future implementation accidentally signals truncation
+	// preemptively, this combination would catch it.
+	t.Setenv("ANPM_TEST_HELPER_GUARD", "1")
+	t.Setenv("ANPM_TEST_HELPER_MODE", "ignore_sigterm_sleep_forever")
+	t.Setenv("ANPM_DISPATCH_OUTPUT_MAX", "1")
+	_, _, errMsg := invokeBuiltinCLI(context.Background(), "claude", os.Args[0], "", "x", 1)
+	if errMsg == "" {
+		t.Fatal("expected runErr (timeout); got empty")
+	}
+	if !strings.Contains(strings.ToLower(errMsg), "timed out") {
+		t.Errorf("errMsg = %q, want substring 'timed out'", errMsg)
+	}
+	// Verify dispatch classifier picks dispatch_timeout (the Phase
+	// 6c-specific kind), not adapter_timeout.
+	if got := classifyDispatchRunError(errMsg); got != "dispatch_timeout" {
+		t.Errorf("classifyDispatchRunError = %q, want dispatch_timeout", got)
+	}
+}
+
+// -- classifyDispatchRunError tests --
+
+func TestClassifyDispatchRunError(t *testing.T) {
+	cases := []struct {
+		msg  string
+		want string
+	}{
+		{"claude CLI timed out after 5s", "dispatch_timeout"},
+		{"codex CLI timed out after 30s", "dispatch_timeout"},
+		{"claude CLI failed: session expired, please re-authenticate", "session_expired"},
+		{"rate limit exceeded", "rate_limited"},
+		{"context window overflow on input", "context_overflow"},
+		{"some other failure", "unknown"},
+	}
+	for _, c := range cases {
+		t.Run(c.msg, func(t *testing.T) {
+			if got := classifyDispatchRunError(c.msg); got != c.want {
+				t.Errorf("got %q, want %q", got, c.want)
+			}
+		})
+	}
+}
+
+// Compile-time guard: `io.Discard` is used elsewhere; keep an unused
+// reference here to avoid false-positive lint complaints if the imports
+// shift around during refactors.
+var _ io.Writer = io.Discard
diff --git a/backend/internal/connector/probe.go b/backend/internal/connector/probe.go
index 4e34015..935c870 100644
--- a/backend/internal/connector/probe.go
+++ b/backend/internal/connector/probe.go
@@ -48,7 +48,7 @@ func ExecuteProbe(ctx context.Context, req models.PendingCliProbeRequest) models
 	}
 
 	start := time.Now()
-	output, runErr := invokeBuiltinCLI(ctx, agent, binary, model, probePromptText, probeTimeoutSeconds)
+	output, _, runErr := invokeBuiltinCLI(ctx, agent, binary, model, probePromptText, probeTimeoutSeconds)
 	latency := time.Since(start).Milliseconds()
 
 	if runErr != "" {
diff --git a/backend/internal/connector/service.go b/backend/internal/connector/service.go
index e36cdda..2cb6e7e 100644
--- a/backend/internal/connector/service.go
+++ b/backend/internal/connector/service.go
@@ -14,6 +14,7 @@ import (
 
 	"github.com/screenleon/agent-native-pm/internal/models"
 	"github.com/screenleon/agent-native-pm/internal/prompts"
+	"github.com/screenleon/agent-native-pm/internal/roles"
 )
 
 // cliInterpreterBlocklist is the set of bare command names that must NOT be
@@ -215,7 +216,7 @@ func (s *Service) RunOnceTask(ctx context.Context) (bool, error) {
 	// PATH lookup, which is the correct behaviour for role_dispatch).
 	// The model is read from task or env; there is no per-task ModelID field
 	// in Phase 6b so we pass nil run.
-	_, cliPath, cliModel, _, resolveErr := resolveBuiltinCLI(nil, nil)
+	agent, cliPath, cliModel, _, resolveErr := resolveBuiltinCLI(nil, nil)
 	if resolveErr != "" {
 		fmt.Fprintf(s.Stderr, "task %s: CLI resolve failed: %s\n", task.ID, resolveErr)
 		if err := s.Client.SubmitTaskResult(ctx, task.ID, SubmitTaskResultRequest{
@@ -250,14 +251,24 @@ func (s *Service) RunOnceTask(ctx context.Context) (bool, error) {
 		return true, nil
 	}
 
-	// Read timeout.
-	timeoutSec := builtinDefaultTimeoutSec
-
-	// Invoke CLI.
-	output, runErrMsg := invokeBuiltinCLI(ctx, resolveAgentFromBinary(cliPath), cliPath, cliModel, rendered, timeoutSec)
+	// Read per-role timeout. The role catalog is the source of truth;
+	// ANPM_DISPATCH_TIMEOUT env can override (operators use this when
+	// they pre-know a task is unusually long). 0 = disabled. See
+	// docs/phase6c-plan.md §3 C2 for the resolution order.
+	timeoutSec := int(roles.TimeoutFor(roleID).Seconds())
+
+	// Invoke CLI. invokeBuiltinCLI applies signal escalation
+	// (SIGTERM → 5s → SIGKILL) and the bounded-writer output cap.
+	// Reuse the agent inferred by resolveBuiltinCLI rather than
+	// re-deriving from the binary path.
+	output, truncated, runErrMsg := invokeBuiltinCLI(ctx, agent, cliPath, cliModel, rendered, timeoutSec)
+	// Precedence: when the CLI both timed out / errored AND tripped
+	// the output cap, the runErrMsg is more informative (the user
+	// needs to know it timed out, not just that the cap fired). The
+	// cap-only path applies only when runErrMsg is empty.
 	if runErrMsg != "" {
-		errKind := classifyRunError(runErrMsg)
-		fmt.Fprintf(s.Stderr, "task %s: CLI failed: %s\n", task.ID, runErrMsg)
+		errKind := classifyDispatchRunError(runErrMsg)
+		fmt.Fprintf(s.Stderr, "task %s: CLI failed: %s (truncated=%v)\n", task.ID, runErrMsg, truncated)
 		if err := s.Client.SubmitTaskResult(ctx, task.ID, SubmitTaskResultRequest{
 			Success:      false,
 			ErrorMessage: runErrMsg,
@@ -267,6 +278,17 @@ func (s *Service) RunOnceTask(ctx context.Context) (bool, error) {
 		}
 		return true, nil
 	}
+	if truncated {
+		fmt.Fprintf(s.Stderr, "task %s: CLI stdout exceeded dispatch output cap\n", task.ID)
+		if err := s.Client.SubmitTaskResult(ctx, task.ID, SubmitTaskResultRequest{
+			Success:      false,
+			ErrorMessage: fmt.Sprintf("CLI stdout exceeded the dispatch output cap (%d bytes)", dispatchOutputMaxBytes()),
+			ErrorKind:    models.ErrorKindOutputTooLarge,
+		}); err != nil {
+			fmt.Fprintf(s.Stderr, "task %s: submit result failed: %v\n", task.ID, err)
+		}
+		return true, nil
+	}
 
 	output = stripANSI(output)
 
@@ -282,7 +304,20 @@ func (s *Service) RunOnceTask(ctx context.Context) (bool, error) {
 		if err := s.Client.SubmitTaskResult(ctx, task.ID, SubmitTaskResultRequest{
 			Success:      false,
 			ErrorMessage: errMsg,
-			ErrorKind:    "unknown",
+			ErrorKind:    models.ErrorKindInvalidResultSchema,
+		}); err != nil {
+			fmt.Fprintf(s.Stderr, "task %s: submit result failed: %v\n", task.ID, err)
+		}
+		return true, nil
+	}
+
+	// Schema minimum validation (Phase 6c C2(c)).
+	if schemaErr := validateExecutionResult(parsed); schemaErr != nil {
+		fmt.Fprintf(s.Stderr, "task %s: result schema invalid: %v\n", task.ID, schemaErr)
+		if err := s.Client.SubmitTaskResult(ctx, task.ID, SubmitTaskResultRequest{
+			Success:      false,
+			ErrorMessage: schemaErr.Error(),
+			ErrorKind:    models.ErrorKindInvalidResultSchema,
 		}); err != nil {
 			fmt.Fprintf(s.Stderr, "task %s: submit result failed: %v\n", task.ID, err)
 		}
@@ -302,6 +337,26 @@ func (s *Service) RunOnceTask(ctx context.Context) (bool, error) {
 	return true, nil
 }
 
+// classifyDispatchRunError maps invokeBuiltinCLI error strings to the
+// dispatch-specific error_kind enum. Differs from classifyRunError
+// (used by planning runs) in that timeouts map to dispatch_timeout
+// rather than the generic adapter_timeout.
+func classifyDispatchRunError(msg string) string {
+	lower := strings.ToLower(msg)
+	switch {
+	case strings.Contains(lower, "timed out"):
+		return models.ErrorKindDispatchTimeout
+	case strings.Contains(lower, "session") && strings.Contains(lower, "expired"):
+		return models.ErrorKindSessionExpired
+	case strings.Contains(lower, "rate limit"):
+		return models.ErrorKindRateLimited
+	case strings.Contains(lower, "context") && strings.Contains(lower, "overflow"):
+		return models.ErrorKindContextOverflow
+	default:
+		return models.ErrorKindUnknown
+	}
+}
+
 // buildConnectorRequirementContext formats the requirement summary for prompt injection.
 func buildConnectorRequirementContext(req *ConnectorRequirementSummary) string {
 	if req == nil {
diff --git a/backend/internal/models/requirement.go b/backend/internal/models/requirement.go
index 7ffac5e..3ce1ffe 100644
--- a/backend/internal/models/requirement.go
+++ b/backend/internal/models/requirement.go
@@ -238,30 +238,44 @@ type PlanningRunCliInfo struct {
 }
 
 const (
-	ErrorKindUnknown            = "unknown"
-	ErrorKindSessionExpired     = "session_expired"
-	ErrorKindRateLimited        = "rate_limited"
-	ErrorKindContextOverflow    = "context_overflow"
-	ErrorKindAdapterTimeout     = "adapter_timeout"
-	ErrorKindCliNotFound        = "cli_not_found"
-	ErrorKindCliTimeout         = "cli_timeout"
-	ErrorKindModelNotAvailable  = "model_not_available"
-	ErrorKindAdapterProtocol    = "adapter_protocol_error"
+	ErrorKindUnknown             = "unknown"
+	ErrorKindSessionExpired      = "session_expired"
+	ErrorKindRateLimited         = "rate_limited"
+	ErrorKindContextOverflow     = "context_overflow"
+	ErrorKindAdapterTimeout      = "adapter_timeout"
+	ErrorKindCliNotFound         = "cli_not_found"
+	ErrorKindCliTimeout          = "cli_timeout"
+	ErrorKindModelNotAvailable   = "model_not_available"
+	ErrorKindAdapterProtocol     = "adapter_protocol_error"
+	// Phase 6c: dispatch safety boundary error kinds. These are produced
+	// by the role_dispatch loop in connector/service.go (NOT by planning
+	// runs) — see docs/phase6c-plan.md §3 C2.
+	ErrorKindDispatchTimeout     = "dispatch_timeout"
+	ErrorKindOutputTooLarge      = "output_too_large"
+	ErrorKindInvalidResultSchema = "invalid_result_schema"
+	// Phase 6c PR-2 will populate role_not_found from the server-side
+	// claim-next-task enforcement; the constant ships in PR-1 so the
+	// allowlist + remediation catalog is finalised in one place.
+	ErrorKindRoleNotFound        = "role_not_found"
 )
 
 // AllowedErrorKinds is the server-side allowlist for error_kind values
 // submitted by the adapter. Anything outside this set is normalised to
 // ErrorKindUnknown (S5a/S5b, design §5 D7).
 var AllowedErrorKinds = map[string]bool{
-	ErrorKindUnknown:           true,
-	ErrorKindSessionExpired:    true,
-	ErrorKindRateLimited:       true,
-	ErrorKindContextOverflow:   true,
-	ErrorKindAdapterTimeout:    true,
-	ErrorKindCliNotFound:       true,
-	ErrorKindCliTimeout:        true,
-	ErrorKindModelNotAvailable: true,
-	ErrorKindAdapterProtocol:   true,
+	ErrorKindUnknown:             true,
+	ErrorKindSessionExpired:      true,
+	ErrorKindRateLimited:         true,
+	ErrorKindContextOverflow:     true,
+	ErrorKindAdapterTimeout:      true,
+	ErrorKindCliNotFound:         true,
+	ErrorKindCliTimeout:          true,
+	ErrorKindModelNotAvailable:   true,
+	ErrorKindAdapterProtocol:     true,
+	ErrorKindDispatchTimeout:     true,
+	ErrorKindOutputTooLarge:      true,
+	ErrorKindInvalidResultSchema: true,
+	ErrorKindRoleNotFound:        true,
 }
 
 // ErrorKindRemediations is the static server-side catalog of human-readable
@@ -269,14 +283,18 @@ var AllowedErrorKinds = map[string]bool{
 // computes the hint from this map and persists it alongside error_kind in
 // connector_cli_info — adapters never supply free-text hints.
 var ErrorKindRemediations = map[string]string{
-	ErrorKindSessionExpired:    "Re-authenticate your CLI (run `claude` or `codex` once interactively) then retry the planning run.",
-	ErrorKindRateLimited:       "Your CLI subscription has hit a rate limit. Wait a few minutes before retrying.",
-	ErrorKindContextOverflow:   "The planning context was too large for the model. Try reducing the number of open requirements or documents in scope.",
-	ErrorKindAdapterTimeout:    "The adapter timed out waiting for the CLI. Check that your CLI is healthy (`anpm-connector doctor`) and retry.",
-	ErrorKindCliNotFound:       "The CLI command was not found on the connector's PATH. Check the cli_command field on your CLI binding and ensure the binary is installed.",
-	ErrorKindCliTimeout:        "The CLI process timed out. Check that your CLI is healthy and retry.",
-	ErrorKindModelNotAvailable: "The requested model is not available for this CLI. Check the model_id on your CLI binding.",
-	ErrorKindAdapterProtocol:   "The adapter produced unexpected output. Check your adapter script and retry.",
+	ErrorKindSessionExpired:      "Re-authenticate your CLI (run `claude` or `codex` once interactively) then retry the planning run.",
+	ErrorKindRateLimited:         "Your CLI subscription has hit a rate limit. Wait a few minutes before retrying.",
+	ErrorKindContextOverflow:     "The planning context was too large for the model. Try reducing the number of open requirements or documents in scope.",
+	ErrorKindAdapterTimeout:      "The adapter timed out waiting for the CLI. Check that your CLI is healthy (`anpm-connector doctor`) and retry.",
+	ErrorKindCliNotFound:         "The CLI command was not found on the connector's PATH. Check the cli_command field on your CLI binding and ensure the binary is installed.",
+	ErrorKindCliTimeout:          "The CLI process timed out. Check that your CLI is healthy and retry.",
+	ErrorKindModelNotAvailable:   "The requested model is not available for this CLI. Check the model_id on your CLI binding.",
+	ErrorKindAdapterProtocol:     "The adapter produced unexpected output. Check your adapter script and retry.",
+	ErrorKindDispatchTimeout:     "The role-dispatch CLI ran past its wall-clock budget and was killed. The role's typical budget is shown in the Apply panel; set ANPM_DISPATCH_TIMEOUT (seconds) to override globally for unusually long tasks, or 0 to disable.",
+	ErrorKindOutputTooLarge:      "The CLI produced more output than the dispatch boundary allows (default 5 MB). Re-run with a tighter task scope, or set ANPM_DISPATCH_OUTPUT_MAX (bytes) to raise the limit (0 disables).",
+	ErrorKindInvalidResultSchema: "The CLI returned output that does not match the role result schema (must include a `files` array). Check the role prompt and retry.",
+	ErrorKindRoleNotFound:        "The task references an execution role that is not in the current catalog. The role may have been renamed or removed; create a new candidate with a current role.",
 }
 
 // PlanningRunBindingSnapshot freezes the fields of an account_bindings row
diff --git a/backend/internal/roles/catalog.go b/backend/internal/roles/catalog.go
new file mode 100644
index 0000000..9f218b7
--- /dev/null
+++ b/backend/internal/roles/catalog.go
@@ -0,0 +1,156 @@
+// Package roles is the canonical catalog of execution roles available to
+// the role_dispatch loop. The catalog is the single source of truth for
+// (role_id, default timeout) pairs consumed by:
+//
+//   - The connector dispatch loop (per-role wall-clock timeout selection)
+//   - The server's claim-next-task handler (Phase 6c PR-2 will enforce
+//     IsKnown to skip stale role references)
+//   - The frontend apply panel (Phase 6c PR-2 will fetch via /api/roles
+//     and render "預估 N 分鐘" hints)
+//
+// The catalog is hand-maintained as a literal slice. Drift between this
+// slice and the markdown files in backend/internal/prompts/roles/ is
+// detected by TestCatalogMatchesPromptDir, which runs as part of `go
+// test ./...` and therefore as part of `make pre-pr`.
+//
+// Adding a new role requires editing BOTH the markdown file AND this
+// catalog in the same PR. The drift test enforces this by failing if
+// either set differs.
+package roles
+
+import (
+	"os"
+	"strconv"
+	"time"
+)
+
+// Role describes a single execution role.
+type Role struct {
+	ID                string
+	Title             string
+	Version           int
+	UseCase           string
+	DefaultTimeoutSec int
+}
+
+// catalog is the hand-maintained source of truth. The drift test in
+// catalog_test.go ensures this matches the markdown files under
+// backend/internal/prompts/roles/.
+//
+// DefaultTimeoutSec values reflect the typical maximum wall-clock for
+// each role on a real Claude/Codex CLI invocation. They were chosen
+// based on role complexity and validated during Phase 6c dogfooding —
+// see docs/phase6c-plan.md §3 C2 and DECISIONS.md "Phase 6c scope".
+var catalog = []Role{
+	{
+		ID:                "code-reviewer",
+		Title:             "Code Reviewer",
+		Version:           1,
+		UseCase:           "Adversarial pre-merge review against a diff. Finds bugs the author did not consider — not style polish.",
+		DefaultTimeoutSec: 900, // 15 min — read + comment, smallest surface
+	},
+	{
+		ID:                "test-writer",
+		Title:             "Test Writer",
+		Version:           1,
+		UseCase:           "Write tests for a specific code surface — unit, integration, or contract — matching the project's existing test style.",
+		DefaultTimeoutSec: 1200, // 20 min
+	},
+	{
+		ID:                "api-contract-writer",
+		Title:             "API Contract Writer",
+		Version:           1,
+		UseCase:           "Write a precise API contract — endpoint, request/response shape, error cases — BEFORE the implementation lands.",
+		DefaultTimeoutSec: 1800, // 30 min
+	},
+	{
+		ID:                "ui-scaffolder",
+		Title:             "UI Scaffolder",
+		Version:           1,
+		UseCase:           "Scaffold a new page, component, or form. React/Vue/Svelte stack-aware, but defaults to the project's existing framework.",
+		DefaultTimeoutSec: 2700, // 45 min
+	},
+	{
+		ID:                "db-schema-designer",
+		Title:             "DB Schema Designer",
+		Version:           1,
+		UseCase:           "Propose a DB schema change — new tables, column additions, constraints, indexes — and emit the migration file.",
+		DefaultTimeoutSec: 2700, // 45 min
+	},
+	{
+		ID:                "backend-architect",
+		Title:             "Backend Architect",
+		Version:           1,
+		UseCase:           "Scaffold a new backend service or add a new module to an existing one. Go/Node/Python stack-aware.",
+		DefaultTimeoutSec: 5400, // 90 min — large refactors / multi-file scaffolding
+	},
+}
+
+// fallbackTimeoutSec is used when a role lookup misses the catalog.
+// This protects the dispatcher against typos and against role-rename
+// races — even an unknown role gets a sane bound rather than running
+// forever.
+const fallbackTimeoutSec = 1800 // 30 min
+
+// All returns a defensive copy of the catalog. Callers may mutate.
+func All() []Role {
+	out := make([]Role, len(catalog))
+	copy(out, catalog)
+	return out
+}
+
+// ByID looks up a role by its ID. The boolean indicates whether the
+// role was found.
+func ByID(id string) (Role, bool) {
+	for _, r := range catalog {
+		if r.ID == id {
+			return r, true
+		}
+	}
+	return Role{}, false
+}
+
+// IsKnown reports whether the given role ID is in the catalog. Empty
+// strings, role IDs containing path separators, and unknown IDs all
+// return false.
+func IsKnown(id string) bool {
+	if id == "" {
+		return false
+	}
+	_, ok := ByID(id)
+	return ok
+}
+
+// TimeoutFor returns the wall-clock timeout to use when dispatching a
+// task with the given role ID. Resolution order:
+//
+//  1. ANPM_DISPATCH_TIMEOUT > 0  → that many seconds (global override
+//     for unusually long tasks the operator pre-knows about).
+//  2. ANPM_DISPATCH_TIMEOUT == 0 → return 0 (caller must interpret as
+//     "no timeout" — escape hatch for "let it run as long as needed").
+//  3. ANPM_DISPATCH_TIMEOUT < 0 or unset → catalog DefaultTimeoutSec.
+//  4. role not in catalog       → fallbackTimeoutSec (30 min).
+//
+// A return value of 0 explicitly signals "do not apply a timeout"; the
+// caller MUST check for this and skip the context.WithTimeout wrap.
+// Any positive return value is a duration the caller should enforce.
+func TimeoutFor(roleID string) time.Duration {
+	if v := os.Getenv("ANPM_DISPATCH_TIMEOUT"); v != "" {
+		// Parse as seconds. Reject obvious garbage (non-integers fall
+		// through to catalog) but treat 0 and positive values as the
+		// operator's explicit choice.
+		if n, err := strconv.Atoi(v); err == nil {
+			if n == 0 {
+				return 0
+			}
+			if n > 0 {
+				return time.Duration(n) * time.Second
+			}
+			// n < 0 → fall through to catalog
+		}
+	}
+	if r, ok := ByID(roleID); ok {
+		return time.Duration(r.DefaultTimeoutSec) * time.Second
+	}
+	return time.Duration(fallbackTimeoutSec) * time.Second
+}
diff --git a/backend/internal/roles/catalog_test.go b/backend/internal/roles/catalog_test.go
new file mode 100644
index 0000000..17c1ab1
--- /dev/null
+++ b/backend/internal/roles/catalog_test.go
@@ -0,0 +1,268 @@
+package roles
+
+import (
+	"os"
+	"path/filepath"
+	"regexp"
+	"runtime"
+	"sort"
+	"strconv"
+	"strings"
+	"testing"
+	"time"
+)
+
+// TestCatalogMatchesPromptDir is the SoT-drift detector. It walks the
+// markdown files under backend/internal/prompts/roles/ and asserts that
+// (a) the set of role_ids in the markdown frontmatter matches the set
+// of IDs in the hand-maintained catalog, and (b) each role's title /
+// version / use_case agree across the two locations.
+//
+// This test fires before any code consuming the catalog can run; if it
+// fails, the developer who added a markdown file forgot to update
+// catalog.go (or vice versa).
+func TestCatalogMatchesPromptDir(t *testing.T) {
+	rolesDir := promptsRolesDir(t)
+	entries, err := os.ReadDir(rolesDir)
+	if err != nil {
+		t.Fatalf("read prompts/roles dir %q: %v", rolesDir, err)
+	}
+
+	type fmRole struct {
+		title   string
+		version int
+		useCase string
+	}
+	fileRoles := map[string]fmRole{}
+	for _, e := range entries {
+		if e.IsDir() {
+			continue
+		}
+		name := e.Name()
+		if !strings.HasSuffix(name, ".md") || name == "README.md" {
+			continue
+		}
+		path := filepath.Join(rolesDir, name)
+		body, readErr := os.ReadFile(path)
+		if readErr != nil {
+			t.Fatalf("read %q: %v", path, readErr)
+		}
+		fm := parseFrontmatter(t, string(body), path)
+		roleID := fm["role_id"]
+		if roleID == "" {
+			t.Fatalf("%s: frontmatter missing role_id", name)
+		}
+		if filename := strings.TrimSuffix(name, ".md"); filename != roleID {
+			t.Fatalf("%s: filename %q must equal role_id %q", name, filename, roleID)
+		}
+		ver, _ := strconv.Atoi(fm["version"])
+		fileRoles[roleID] = fmRole{
+			title:   fm["title"],
+			version: ver,
+			useCase: fm["use_case"],
+		}
+	}
+
+	catalogRoles := map[string]fmRole{}
+	for _, r := range catalog {
+		catalogRoles[r.ID] = fmRole{title: r.Title, version: r.Version, useCase: r.UseCase}
+	}
+
+	missing := setDiff(keys(fileRoles), keys(catalogRoles))
+	if len(missing) > 0 {
+		t.Errorf("catalog drift: prompts/roles/ has roles not in catalog.go: %v", missing)
+	}
+	extra := setDiff(keys(catalogRoles), keys(fileRoles))
+	if len(extra) > 0 {
+		t.Errorf("catalog drift: catalog.go has roles without a prompt file: %v", extra)
+	}
+
+	for id, fileR := range fileRoles {
+		catR, ok := catalogRoles[id]
+		if !ok {
+			continue
+		}
+		if fileR.title != catR.title {
+			t.Errorf("%s: title mismatch — prompt %q vs catalog %q", id, fileR.title, catR.title)
+		}
+		if fileR.version != catR.version {
+			t.Errorf("%s: version mismatch — prompt %d vs catalog %d", id, fileR.version, catR.version)
+		}
+		if fileR.useCase != catR.useCase {
+			t.Errorf("%s: use_case mismatch\nprompt:  %q\ncatalog: %q", id, fileR.useCase, catR.useCase)
+		}
+	}
+
+	// Every role MUST have a positive DefaultTimeoutSec. Zero would
+	// silently mean "no timeout" at the call site (per TimeoutFor's
+	// contract for env=0), which is the wrong default.
+	for _, r := range catalog {
+		if r.DefaultTimeoutSec <= 0 {
+			t.Errorf("%s: DefaultTimeoutSec must be > 0, got %d", r.ID, r.DefaultTimeoutSec)
+		}
+	}
+}
+
+func TestIsKnown(t *testing.T) {
+	cases := []struct {
+		id   string
+		want bool
+	}{
+		{"backend-architect", true},                     // T-6c-C1-1 (covered here in catalog tests)
+		{"Backend-Architect", false},                    // T-6c-C1-2 case-sensitive
+		{"../../../etc/passwd", false},                  // T-6c-C1-3 path traversal
+		{"", false},                                     // T-6c-C1-4 empty
+		{"code-reviewer", true},
+		{"nonexistent", false},
+	}
+	for _, c := range cases {
+		t.Run(c.id, func(t *testing.T) {
+			if got := IsKnown(c.id); got != c.want {
+				t.Errorf("IsKnown(%q) = %v, want %v", c.id, got, c.want)
+			}
+		})
+	}
+}
+
+func TestTimeoutForCatalogDefault(t *testing.T) {
+	// T-6c-C2-12: backend-architect default is 90 min
+	t.Setenv("ANPM_DISPATCH_TIMEOUT", "")
+	if got := TimeoutFor("backend-architect"); got != 90*time.Minute {
+		t.Errorf("TimeoutFor(backend-architect) = %v, want 90m", got)
+	}
+}
+
+func TestTimeoutForUnknownFallback(t *testing.T) {
+	// T-6c-C2-13: unknown role falls back to 30 min
+	t.Setenv("ANPM_DISPATCH_TIMEOUT", "")
+	if got := TimeoutFor("nonexistent"); got != 30*time.Minute {
+		t.Errorf("TimeoutFor(nonexistent) = %v, want 30m (fallback)", got)
+	}
+}
+
+func TestTimeoutForEnvOverride(t *testing.T) {
+	// T-6c-C2-14: env=120 overrides catalog
+	t.Setenv("ANPM_DISPATCH_TIMEOUT", "120")
+	if got := TimeoutFor("backend-architect"); got != 120*time.Second {
+		t.Errorf("TimeoutFor with env=120 = %v, want 120s", got)
+	}
+}
+
+func TestTimeoutForEnvDisabled(t *testing.T) {
+	// env=0 means "disabled" — caller must treat returned 0 as "no timeout"
+	t.Setenv("ANPM_DISPATCH_TIMEOUT", "0")
+	if got := TimeoutFor("backend-architect"); got != 0 {
+		t.Errorf("TimeoutFor with env=0 = %v, want 0 (disabled)", got)
+	}
+}
+
+func TestTimeoutForEnvNegativeFallsThrough(t *testing.T) {
+	// negative env values fall through to catalog default
+	t.Setenv("ANPM_DISPATCH_TIMEOUT", "-1")
+	if got := TimeoutFor("backend-architect"); got != 90*time.Minute {
+		t.Errorf("TimeoutFor with env=-1 = %v, want catalog default 90m", got)
+	}
+}
+
+func TestTimeoutForEnvGarbageFallsThrough(t *testing.T) {
+	t.Setenv("ANPM_DISPATCH_TIMEOUT", "abc")
+	if got := TimeoutFor("backend-architect"); got != 90*time.Minute {
+		t.Errorf("TimeoutFor with garbage env = %v, want catalog default", got)
+	}
+}
+
+func TestTimeoutForEnvWhitespaceFallsThrough(t *testing.T) {
+	// Risk-reviewer L8: env="  120  " currently fails strconv.Atoi and
+	// falls through to the catalog default. Pin this behaviour so a
+	// future fix that adds TrimSpace is an intentional decision and
+	// documented somewhere.
+	t.Setenv("ANPM_DISPATCH_TIMEOUT", "  120  ")
+	if got := TimeoutFor("backend-architect"); got != 90*time.Minute {
+		t.Errorf("TimeoutFor with whitespace env = %v, want catalog default 90m (current TrimSpace-free behaviour)", got)
+	}
+}
+
+func TestByIDDefensiveCopy(t *testing.T) {
+	r1, ok := ByID("backend-architect")
+	if !ok {
+		t.Fatal("ByID(backend-architect) not found")
+	}
+	r1.Title = "MUTATED"
+	r2, _ := ByID("backend-architect")
+	if r2.Title == "MUTATED" {
+		t.Error("ByID returned a reference, not a copy — catalog is mutable from outside")
+	}
+}
+
+// promptsRolesDir locates the prompts/roles directory relative to this
+// test file. Using runtime.Caller keeps the test working under any
+// working directory (go test invokes with module root, but `go test
+// ./backend/internal/roles` invokes with the package dir).
+func promptsRolesDir(t *testing.T) string {
+	t.Helper()
+	_, thisFile, _, ok := runtime.Caller(0)
+	if !ok {
+		t.Fatal("runtime.Caller failed")
+	}
+	// thisFile = .../backend/internal/roles/catalog_test.go
+	// target   = .../backend/internal/prompts/roles
+	return filepath.Join(filepath.Dir(thisFile), "..", "prompts", "roles")
+}
+
+// frontmatterLine matches a single `key: value` line. Quoted values
+// have surrounding double-quotes stripped. This is intentionally
+// permissive — the catalog drift test only needs title / version /
+// use_case / role_id, all of which are flat string scalars in the
+// project's role frontmatter convention.
+var frontmatterLine = regexp.MustCompile(`^([a-z_]+):\s*(.*)$`)
+
+func parseFrontmatter(t *testing.T, body, path string) map[string]string {
+	t.Helper()
+	out := map[string]string{}
+	lines := strings.Split(body, "\n")
+	if len(lines) == 0 || strings.TrimSpace(lines[0]) != "---" {
+		t.Fatalf("%s: expected --- on first line", path)
+	}
+	for i := 1; i < len(lines); i++ {
+		line := lines[i]
+		if strings.TrimSpace(line) == "---" {
+			return out
+		}
+		m := frontmatterLine.FindStringSubmatch(line)
+		if m == nil {
+			continue
+		}
+		key := m[1]
+		val := strings.TrimSpace(m[2])
+		// strip surrounding quotes
+		if len(val) >= 2 && val[0] == '"' && val[len(val)-1] == '"' {
+			val = val[1 : len(val)-1]
+		}
+		out[key] = val
+	}
+	t.Fatalf("%s: frontmatter never closed with ---", path)
+	return nil
+}
+
+func keys[V any](m map[string]V) []string {
+	out := make([]string, 0, len(m))
+	for k := range m {
+		out = append(out, k)
+	}
+	sort.Strings(out)
+	return out
+}
+
+func setDiff(a, b []string) []string {
+	bset := map[string]bool{}
+	for _, x := range b {
+		bset[x] = true
+	}
+	var out []string
+	for _, x := range a {
+		if !bset[x] {
+			out = append(out, x)
+		}
+	}
+	return out
+}
diff --git a/docs/phase6c-plan.md b/docs/phase6c-plan.md
new file mode 100644
index 0000000..0b573cf
--- /dev/null
+++ b/docs/phase6c-plan.md
@@ -0,0 +1,1111 @@
+# Phase 6c 計畫 — Catalog SoT + Authoring 完整化 + LLM Router + Activity Visibility
+
+**Status**: draft v5.1 (post-critic-round-3, B2 + C1 拍板) · 2026-04-25 · `[agent:feature-planner]`
+**前置條件**: Phase 6b（PR #25）已合併到 `main`；PR-1（catalog skeleton + L0 safety boundary）已實作完成、待開 PR。
+**來源**: 由 dogfood Phase 6b 的 What's Next 規劃流程產出（candidates `bad629dc` + `fb040ce6`），加上後續設計 review 衍生的 authoring catch-22 修正、LLM router 智能層、connector activity visibility 三項。
+
+**設計原則（per user feedback `feedback_no_simple_approach`）**: 不取簡單路徑、不為 single-operator dogfood scope 妥協 — 設計目標是「未來會用到的東西現在就做對」。
+
+**演進歷史**:
+- v1：catalog SoT + L0 safety boundary（單一 PR）
+- v2：critic findings 整合（拆 3 PR）
+- v3：per-role timeout（Role.DefaultTimeoutSec）+ critic round 2 findings
+- v4：authoring catch-22 修正 + LLM router 設計（4 PR）
+- v5：connector activity tracking + SSE visibility（5 PR）
+- **v5.1（當前）**：critic round 3 拍板 — actor_audit 為 SoT（drop 重複欄位）；PR-3 縮 scope 為 suggest-only，role_dispatch_auto 延 6d；PR 間 hard deps 解耦；router adversarial corpus 強化；activity 不寫 audit；dispatcher 移到 `prompts/meta/`
+
+---
+
+## 1. 問題陳述
+
+Phase 6b 完成了 role-dispatch 的 backend + 部分 UI，但**整條路徑無法從 UI 走通**，加上一些 Phase 5 / 6b 合計留下的設計缺口：
+
+### 1.1 三個獨立但互鎖的 gap
+
+**Gap 1：Catalog 與安全邊界（PR-1 已修）**
+- Role catalog 三處不同步、無 enforcement
+- Subprocess 執行無 wall-clock timeout / output cap / schema validation
+→ PR-1 已實作完成（catalog skeleton + L0 safety boundary）
+
+**Gap 2：Authoring catch-22 與不完整生命週期**
+- `execution_role` 是 candidate 上的 nullable 欄位但**沒任何 UI 可以設**
+- `role_dispatch` radio 用 `execution_role` 是否存在 enable，但既然沒人能設 → 永遠 disabled
+- Phase 5 §(d) 標 "Phase 6 必做 catalog enforcement" 但只在 connector 端做了（既有 `prompts.Exists`）；server-side、frontend、apply API 都沒做
+- `execution_role` 沒有 audit trail（誰在何時設、是 operator 還是 router 設）
+→ PR-2 解這個
+
+**Gap 3：智能層完全空白**
+- 沒有 model-based 的 task → role 路由建議
+- operator 每次手動評估 6 個 role 哪個適合
+- Phase 5 prompts 只有 6 個 role，沒有 meta-agent 層
+→ PR-3 解這個（**6c 只做 suggest，不做 auto-apply**）
+
+> **Critic round 3 約束**：v5 原本把 `mode=role_dispatch_auto` 也納入 PR-3。Critic 指出 router 品質尚未經 dogfood 驗證、直接做 auto-apply 是 premature optimization；user 拍板 **B2** = 6c 只做 suggest（advisory），auto-apply 模式延到 PR-6 / Phase 6d，等 PR-5 dogfood 累積 router 信心數據後再決定。
+
+**Gap 4：執行黑盒子**
+- Connector 跑長任務（backend-architect 90 min）時 frontend 完全看不到「正在做什麼」
+- Task `dispatch_status` 只有 queued/running/completed/failed，沒有「正在 routing」「正在跑 CLI」「正在解析」這種 phase 訊號
+- Dogfood 時無法區分 task 卡住的原因（網路慢？CLI 凍住？server 沒收到？）
+→ PR-4 解這個
+
+### 1.2 為什麼這些必須一起在 6c 完成
+
+各別都可以「之後再做」，但合在一起看才是完整的 dogfood-ready story：
+- 沒 PR-2 → 仍卡 catch-22，UI 上無法用
+- 沒 PR-3 → operator 每次手動選 role，違背「agent 自主執行」核心價值
+- 沒 PR-4 → dogfood 是黑盒、無法 debug、無法給 PR-5 dogfood 提供觀察依據
+- 沒 PR-1（已修）→ 即使前面都做，安全保證不足
+
+**結論**：6c 的 4 個 PR 是**一個完整能力**的不同切面，分批 ship 但不可省略任何一片。
+
+---
+
+## 2. End State
+
+完成全部 5 PR 後可驗證行為：
+
+### 2.1 Authoring（PR-2 完整）
+
+1. Operator 可在 candidate 卡片**直接編輯** execution_role（`<select>` 從 catalog 拉，inline edit popover）
+2. Operator 可在 apply panel **at apply time** 設 / 改 execution_role（pre-fill 自 candidate latest audit row）
+3. Apply payload 帶 `execution_role`；server 在 4 個進入點做 catalog enforcement（PATCH / suggest / apply / claim-next-task）
+4. Stale role（candidate 既有 role 但已不在 catalog）顯示 inline warning + 預設清空 dropdown
+5. 所有 execution_role 變更走 `actor_audit` table，actor_kind ∈ {user, router, system}，含 rationale + timestamp。**Audit 是唯一的 set_by/at/confidence SoT**（critic #1 — 不在 candidate 上重複欄位；frontend 顯示時走 audit JOIN）
+6. `MarkTaskRoleNotFound` 在 claim-next-task 時把 stale-role task `queued → failed` 原子轉移
+
+### 2.2 LLM Router — Suggest-only（PR-3）
+
+7. 新 prompt `prompts/meta/dispatcher.md`（category=meta），輸出 `{role_id, confidence, reasoning, alternatives[]}`（critic #10 — 放 `meta/` 子目錄，不和 `roles/` 並列也不和 backlog/whatsnext 並列）
+8. `POST /api/backlog-candidates/:id/suggest-role` endpoint：呼叫 router、回傳結果**不持久化**
+9. Apply panel + Candidate card 都加 "💡 Suggest" 按鈕：呼叫 router → 預填 dropdown + tooltip 顯示 reasoning + alternatives
+10. Router 呼叫重用 PR-1 的 invokeBuiltinCLI（含 timeout / output cap / signal escalation）；server 端在 process 內呼叫（單機假設，文件化）
+11. Router timeout 來自 catalog（dispatcher role default 60s）
+12. 1 個新 error_kind：`router_no_match`（router 自己判斷沒匹配）+ 既有 PR-1 kinds 涵蓋其他失敗（output_too_large / dispatch_timeout / invalid_result_schema）
+13. **Auto-apply mode（`mode=role_dispatch_auto`）延到 Phase 6d**（critic #2 / user 拍板 B2）— 待 PR-5 dogfood 收集 router 品質訊號後再決定
+
+### 2.3 Activity Visibility（PR-4 完整）
+
+14. Connector 在每個 phase 邊界（idle / claiming_run / planning / claiming_task / dispatching / submitting）呼叫 `ActivityReporter.Report`。**Phase 變化用 enqueue 不是 overwrite**（critic #5）— 確保連續 phase 切換 `claiming_task → dispatching → submitting` 都會被推送，即使在 coalesce 視窗內。`routing` phase **延到 Phase 6d**（auto-apply 上線後才需要）。
+15. `POST /api/connector/activity` lightweight endpoint 接收上報；server-side activity hub 維護 in-memory state + DB snapshot 欄位（不寫 actor_audit — critic #8，避免 write storm）
+16. `GET /api/connectors/:id/activity-stream` SSE 推送即時 activity 變化；polling fallback `GET /api/connectors/:id/activity`（C1 拍板：保留 SSE）
+17. Frontend `useConnectorActivity` hook：SSE 為主、polling 為輔、reconnect 邏輯、stale 偵測
+18. `ConnectorActivityBadge` 3 種 density（compact / standard / full）；整合進 PlanningTab、TasksTab、CandidateReviewPanel apply 後 watch
+19. `GET /api/projects/:id/active-connectors` project-level aggregate
+
+### 2.4 Dogfood + Docs（PR-5 完整）
+
+20. `docs/phase6c-dogfood-notes.md`：7 個 dogfood 步驟（5 個原 v3 觸發新 error_kind + 2 個 v5.1 觀察 router suggest 與 activity badge 切換；auto-apply / PhaseRouting 預覽留 6d）
+21. `docs/operating-rules.md` 新「Role-dispatch safety + visibility model」一節，含 L0 / L1 / L2 觸發條件 + activity model 約束
+22. DECISIONS.md 補完 Phase 6c 條目（涵蓋 v5 全部設計）
+
+---
+
+## 3. Slice 計畫（5 PR）
+
+### 3.1 PR-1：Catalog skeleton + L0 safety boundary（**已實作完成**）
+
+詳見 v3 plan 內容（保留）：
+- `backend/internal/roles/catalog.go`（Role struct + 6 entries + DefaultTimeoutSec + IsKnown / ByID / TimeoutFor / All）
+- `backend/internal/roles/catalog_test.go`（drift detector + 9 tests）
+- `backend/internal/connector/dispatch_safety.go`（boundedWriter + signal escalation + validateExecutionResult）
+- `backend/internal/connector/dispatch_safety_test.go`（11 dispatch + 4 unit + 1 timeout-truncation precedence test）
+- `invokeBuiltinCLI` 簽名擴 `(string, bool, string)`（+ truncated）
+- `RunOnceTask` 用 `roles.TimeoutFor` + truncation/runErr precedence + schema validation + classifyDispatchRunError
+- 4 個新 error_kind（dispatch_timeout / output_too_large / invalid_result_schema / role_not_found）
+
+**Critic round 2 修正**：
+- TestMain 雙 sentinel guard（避免 user shell env 誤觸）
+- ExecuteBuiltin truncation 補 ErrorKindOutputTooLarge
+- 移除 redundant resolveAgentFromBinary
+- runErr-over-truncated precedence + 對應 test
+- boundedWriter 改 atomic.Int64（H2 防禦）
+- Codex PTY io.Copy goroutine + ptmx.Close 序列（H1 修正）
+- SIGTERM-ignore test slack 5s（M1 防 CI flake）
+- TimeoutFor whitespace env test（L8）
+
+**Status**: 待開 PR；plan v5 確認後一起開 PR-1。
+
+---
+
+### 3.2 PR-2：Authoring 完整化 + audit log + multi-point catalog enforcement（4.6 天）
+
+#### 3.2.1 Migration 030
+
+```sql
+-- 030_authoring_audit.sql
+
+-- 通用 actor_audit 表 — 是 execution_role 的 single source of truth
+-- (critic #1：不在 candidate 上加重複欄位)
+CREATE TABLE actor_audit (
+    id TEXT PRIMARY KEY,
+    subject_kind TEXT NOT NULL,   -- 'backlog_candidate' | 'task' | 'planning_run' | 'connector'
+    subject_id TEXT NOT NULL,
+    field TEXT NOT NULL,           -- 'execution_role' | 'status' | 'po_decision' | ...
+    old_value TEXT,
+    new_value TEXT,
+    actor_kind TEXT NOT NULL,      -- 'user' | 'router' | 'system' | 'connector'
+                                   -- 'router' is reserved for Phase 6d auto-apply;
+                                   -- NO writer in 6c (PR-3 suggest writes 'user' after operator confirms)
+    actor_id TEXT,                 -- user_id | router prompt version | system component name
+    rationale TEXT,                -- router confidence + reasoning，or system reason
+    confidence REAL,               -- 0.0-1.0；only set when actor_kind='router'
+    created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
+CREATE INDEX idx_actor_audit_subject ON actor_audit(subject_kind, subject_id, created_at DESC);
+CREATE INDEX idx_actor_audit_subject_field ON actor_audit(subject_kind, subject_id, field, created_at DESC);
+```
+
+`backlog_candidates.execution_role` 既有欄位**保留**（v3 Phase 5 已加，是當前 task source 的 input）。但「誰設的、何時設、信心多少」一律從 `actor_audit` 查 — 不在 candidate row 上重複欄位。
+
+**Helper 函式**：`backend/internal/audit/audit.go` 提供 `LatestAuthoring(subjectKind, subjectID, field)` 回傳最新一筆 audit row（with actor_kind/at/confidence/rationale）。Frontend `GET /api/backlog-candidates/:id` response 加 `execution_role_authoring` 欄位（透過此 helper 回填，非 column）。
+
+#### 3.2.2 Backend changes
+
+**Store 層**：
+```go
+// backlog_candidate_store.go
+func (s *Store) UpdateExecutionRole(
+    ctx context.Context, id, role string, actor ActorInfo,
+) error
+// 單一 transaction：
+//   1. 驗 role 在 catalog（roles.IsKnown）— role="" 視為 clear，不需 catalog 檢查
+//   2. SELECT old_value（for audit）
+//   3. UPDATE candidate.execution_role
+//   4. INSERT actor_audit row（含 actor_kind/actor_id/rationale/confidence）
+//   5. COMMIT
+
+// 既有 ApplyToTaskWithMode 簽名擴：
+func (s *Store) ApplyToTaskWithMode(
+    id, executionMode, executionRole string, actor ActorInfo,
+) (*ApplyResult, error)
+// 內部：
+//   - mode=role_dispatch && role 空 → ErrApplyMissingRole
+//   - mode=role_dispatch && !roles.IsKnown(role) → ErrApplyUnknownRole
+//   - mode=manual → ignore role
+//   - 同 transaction 寫 candidate.execution_role (若有變) + audit + create task
+```
+
+**Handler 層**：
+```go
+// PATCH /api/backlog-candidates/:id 擴：accept execution_role 欄位
+type UpdateBacklogCandidateRequest struct {
+    POdecision      *string `json:"po_decision,omitempty"`
+    ExecutionRole   *string `json:"execution_role,omitempty"`  // pointer = explicitly set/clear vs not-mentioned
+}
+
+// POST /api/backlog-candidates/:id/apply 擴：
+type ApplyBacklogCandidateRequest struct {
+    ExecutionMode string `json:"execution_mode"`
+    ExecutionRole string `json:"execution_role,omitempty"`
+}
+```
+
+Validation:
+- mode=`role_dispatch` + role empty → 400 `"execution_role required when execution_mode=role_dispatch"`
+- mode=`role_dispatch` + role 不在 catalog → 400 with current catalog list
+- mode=`manual` → ignore role
+- mode=`role_dispatch_auto` → PR-3 處理
+
+**`MarkTaskRoleNotFound` + claim-next-task enforcement**（從 v3 帶過來）：
+```go
+func (s *TaskStore) MarkTaskRoleNotFound(
+    ctx, taskID, roleID string,
+) error
+// 條件 update：dispatch_status='queued' → 'failed'
+// 同 transaction 寫 execution_result {success:false, error_kind:'role_not_found'}
+// + actor_audit row（actor_kind='system'）
+// 若 task 已被 lease（status=running）→ 0 rows → ErrTaskNotInQueuedState
+```
+
+```go
+// connector_dispatch.go ClaimNextTask 加：
+roleID := parseRoleIDFromSource(task.Source)
+if !roles.IsKnown(roleID) {
+    if err := store.MarkTaskRoleNotFound(ctx, task.ID, roleID); err != nil {
+        log.Printf("mark role_not_found failed: %v", err)
+    }
+    continue  // 看下一個 task
+}
+```
+
+**`GET /api/roles`**（公開）：
+```go
+type RoleResponse struct {
+    ID                string `json:"id"`
+    Title             string `json:"title"`
+    Version           int    `json:"version"`
+    UseCase           string `json:"use_case"`
+    DefaultTimeoutSec int    `json:"default_timeout_sec"`
+    Category          string `json:"category"`  // "role" | "meta"
+}
+
+func (h *Handler) ListRoles(w, r) {
+    roles := roles.All()
+    // filter category="role" — meta-roles (dispatcher) 不暴露給 apply panel
+    out := []RoleResponse{}
+    for _, r := range roles {
+        if r.Category == "role" {
+            out = append(out, toResponse(r))
+        }
+    }
+    writeJSON(w, 200, out)
+}
+```
+
+⚠️ 需要在 `roles/catalog.go` 加 `Role.Category` 欄位（之前 v3 沒有）— PR-2 順便加。dispatcher role（PR-3 加）會用 `Category: "meta"`。
+
+#### 3.2.3 Frontend changes
+
+**新檔 `frontend/src/types/roles.ts`**:
+```typescript
+export const KNOWN_ROLE_IDS = [
+  'backend-architect',
+  'ui-scaffolder',
+  'db-schema-designer',
+  'api-contract-writer',
+  'test-writer',
+  'code-reviewer',
+] as const;
+export type KnownRoleId = typeof KNOWN_ROLE_IDS[number];
+
+export interface RoleInfo {
+  id: KnownRoleId;
+  title: string;
+  version: number;
+  use_case: string;
+  default_timeout_sec: number;
+  category: 'role' | 'meta';
+}
+```
+
+**新檔 `frontend/src/api/roles.ts`**:
+```typescript
+export async function listRoles(): Promise<RoleInfo[]>
+export async function suggestRoleForCandidate(candidateID: string): Promise<RouterResult>  // PR-3
+```
+
+**Drift test** `roles.test.ts`：fetch `/api/roles` → assert id 集合 = `KNOWN_ROLE_IDS`。
+
+**CandidateReviewPanel 重寫 execution-mode UI**：
+```tsx
+// Radio 永遠 enabled（不看 candidate.execution_role）
+const [chosenRole, setChosenRole] = useState(candidateInitialRole)
+const candidateRole = selectedCandidate?.execution_role
+const roleStaleWarning = candidateRole && !KNOWN_ROLE_IDS.includes(candidateRole)
+
+<input type="radio" name="execution-mode"
+  checked={selectedExecutionMode === 'role_dispatch'}
+  onChange={() => onSelectedExecutionModeChange('role_dispatch')} />
+
+{selectedExecutionMode === 'role_dispatch' && (
+  <>
+    <select value={chosenRole} onChange={e => setChosenRole(e.target.value)}>
+      <option value="">— 選擇角色 —</option>
+      {roles.map(r => (
+        <option key={r.id} value={r.id} title={r.use_case}>
+          {r.title} (v{r.version}) — 預估 {Math.round(r.default_timeout_sec/60)} 分鐘
+        </option>
+      ))}
+    </select>
+    {roleStaleWarning && (
+      <div className="warning-inline">
+        ⚠ Previously suggested role <code>{candidateRole}</code> is no longer in the catalog.
+      </div>
+    )}
+    {/* Suggest 按鈕 在 PR-3 加 */}
+  </>
+)}
+
+// Apply button disabled 條件加：
+// (selectedExecutionMode === 'role_dispatch' && !chosenRole)
+```
+
+**新 component `CandidateRoleEditor.tsx`**（在 candidate card 上）：
+```tsx
+<div className="candidate-role-editor">
+  {candidate.execution_role ? (
+    <span className="role-chip" title={`Set by ${candidate.execution_role_set_by} at ${candidate.execution_role_set_at}`}>
+      [{role.title}]
+    </span>
+  ) : (
+    <span className="role-empty">— no role set —</span>
+  )}
+  <button onClick={openEditor}>edit</button>
+  {/* popover with role <select> */}
+</div>
+```
+
+#### 3.2.4 Test 矩陣（28 tests）
+
+| ID | Layer | 案例 | 期望 |
+|---|---|---|---|
+| **Backend store / handler** |
+| T-6c-C1-A1 | apply API | mode=role_dispatch + role 空 | 400 |
+| T-6c-C1-A2 | apply API | mode=role_dispatch + role 不在 catalog | 400 |
+| T-6c-C1-A3 | apply API | mode=role_dispatch + 合法 role | 201, source=`role_dispatch:X`, candidate 寫回, audit 有 row |
+| T-6c-C1-A4 | apply API | mode=manual + role 任意 | 201, ignore role, no audit row for role |
+| T-6c-C1-A5 | apply API | mode=role_dispatch（舊 client 不帶 role） | 400 |
+| T-6c-C1-A6 | apply API | apply 兩次 idempotent | 既有 behavior 不變 |
+| T-6c-C1-P1 | PATCH API | UpdateExecutionRole 設合法 role | 200, set_by='operator', set_at, audit row |
+| T-6c-C1-P2 | PATCH API | UpdateExecutionRole 不合法 role | 400, no DB change |
+| T-6c-C1-P3 | PATCH API | UpdateExecutionRole 清空 (`""`) | 200, set_by='', set_at NULL, audit row 記錄 clear |
+| T-6c-C1-P4 | PATCH API | concurrent PATCH × 2 | 第二個 update 看到第一個的 commit；audit 有兩 rows |
+| T-6c-C1-S1 | source parsing | `parseRoleIDFromSource("role_dispatch:")` | `""` |
+| T-6c-C1-S2 | source parsing | `parseRoleIDFromSource("role_dispatch:backend-architect")` | `"backend-architect"` |
+| T-6c-C1-S3 | claim API | source=`role_dispatch:nonexistent` | task → failed, error_kind=role_not_found, claim 回 null |
+| T-6c-C1-S4 | claim API | source=`role_dispatch:` | 同 S3 |
+| T-6c-C1-S5 | store | `MarkTaskRoleNotFound` 對 status=running | 0 rows, ErrTaskNotInQueuedState |
+| T-6c-C1-S6 | store | `MarkTaskRoleNotFound` 對 status=queued | queued → failed, audit row, execution_result 寫入 |
+| T-6c-C1-E1 | API | `GET /api/roles` | 200, 6 roles, category='role' only, 含 default_timeout_sec |
+| T-6c-C1-E2 | API | `GET /api/roles` 不回 dispatcher (category='meta') | dispatcher not in response |
+| T-6c-C1-AU1 | audit | actor_audit 寫入後查詢 by subject_id | rows in correct order |
+| T-6c-C1-AU2 | audit | actor_audit cascade delete with candidate | rows gone |
+| **Frontend** |
+| T-6c-C1-F1 | UI | role_dispatch radio 永遠 enabled | pass |
+| T-6c-C1-F2 | UI | 選 role_dispatch → select 出現 | pass |
+| T-6c-C1-F3 | UI | select 含 6 個 role + 預估時間 + use_case tooltip | pass |
+| T-6c-C1-F4 | UI | role_dispatch + 未選 role → Apply disabled | pass |
+| T-6c-C1-F5 | UI | Apply payload 含 execution_role | pass |
+| T-6c-C1-F6 | UI | candidate.execution_role 在 catalog → select 預選 | pass |
+| T-6c-C1-F7 | UI | candidate.execution_role 不在 catalog → 顯示 warning + select 預設空 | pass |
+| T-6c-C1-F8 | UI | CandidateRoleEditor PATCH success | role chip 更新 |
+| T-6c-C1-X1 | drift | `roles.test.ts` /api/roles vs KNOWN_ROLE_IDS diff | pass |
+
+**DoD**：28 個 test 全綠；race detector 綠；`make pre-pr` 綠；critic + security + risk review 全過。
+
+---
+
+### 3.3 PR-3：LLM Router — Suggest only（2.0 天，B2 後縮減）
+
+> **B2 拍板後縮減**：v5 原本含 `mode=role_dispatch_auto` + 422 modal + min_confidence + auto-apply 路徑。Critic round 3 + user 拍板 B2 後，這些都延到 PR-6 / Phase 6d。PR-3 只做 advisory suggest — operator 看完仍要手動 confirm。
+
+#### 3.3.1 Catalog 加 dispatcher meta-role
+
+```go
+// roles/catalog.go 新增
+{
+    ID:                "dispatcher",
+    Title:             "Role Dispatcher (meta)",
+    Version:           1,
+    UseCase:           "Pick the best-fit role for a task. Routing-only; never executes.",
+    DefaultTimeoutSec: 60,
+    Category:          "meta",
+},
+```
+
+`roles/catalog_test.go` `TestCatalogMatchesPromptDir` 走訪兩個目錄：`prompts/roles/*.md`（category=role）+ `prompts/meta/*.md`（category=meta）— critic #10。
+
+**Migration 032 預留**（critic #9）：PR-3 目前無 schema，但 reserve `032_router.sql` 占位空檔（comment-only）— 確保 PR ordering 在 migration 上有清楚 contract，後續 PR-3 補強若需要 schema 不會 collide。
+
+#### 3.3.2 Dispatcher prompt
+
+```markdown
+<!-- backend/internal/prompts/meta/dispatcher.md -->
+---
+title: "Role Dispatcher"
+category: meta
+role_id: dispatcher
+version: 1
+use_case: "Given a task description and the role catalog, pick the best-fit role with confidence."
+---
+
+# Role Dispatcher
+
+## Role
+You are a routing classifier. You receive a task description and a list of available execution roles. Pick the best-fit role for the task, or report "no_match" if none fit.
+
+You DO NOT execute the task. You only classify.
+
+## Inputs
+
+### Task
+Title: {{TASK_TITLE}}
+Description: {{TASK_DESCRIPTION}}
+Project context: {{PROJECT_CONTEXT}}
+
+### Role catalog
+{{ROLE_CATALOG_JSON}}
+
+## Output (strict JSON)
+
+{
+  "role_id": "<one of the catalog ids OR 'no_match'>",
+  "confidence": <0.0-1.0>,
+  "reasoning": "<one short sentence: why this role fits, or why no match>",
+  "alternatives": [
+    {"role_id": "<id>", "confidence": <0.0-1.0>}
+  ]
+}
+
+The `alternatives` array contains the next 1-2 best-fit roles (not including your top pick). If you have no alternatives, return [].
+
+The `reasoning` MUST be ≤ 240 characters. Do not include code or quoted task content.
+```
+
+#### 3.3.3 Dispatcher service
+
+新檔 `backend/internal/dispatcher/dispatcher.go`：
+
+```go
+package dispatcher
+
+type RouterResult struct {
+    RoleID       string                `json:"role_id"`
+    Confidence   float64               `json:"confidence"`
+    Reasoning    string                `json:"reasoning"`
+    Alternatives []RouterAlternative   `json:"alternatives,omitempty"`
+}
+
+type RouterAlternative struct {
+    RoleID     string  `json:"role_id"`
+    Confidence float64 `json:"confidence"`
+}
+
+type RoutingInput struct {
+    TaskTitle       string
+    TaskDescription string
+    ProjectContext  string
+}
+
+type Service struct {
+    cliInvoker  CLIInvoker  // wraps PR-1's invokeBuiltinCLI
+    roles       []roles.Role
+}
+
+// Suggest runs the dispatcher prompt synchronously and returns the result.
+// All errors are returned typed for the handler to map to specific
+// error_kind values; the caller decides whether to persist or just
+// surface to UI.
+func (s *Service) Suggest(ctx context.Context, in RoutingInput) (*RouterResult, error) {
+    catalogJSON := buildCatalogJSON(s.roles)  // includes only category=role
+    vars := map[string]string{
+        "TASK_TITLE":         truncateForPrompt(in.TaskTitle, 200),
+        "TASK_DESCRIPTION":   truncateForPrompt(in.TaskDescription, 4000),
+        "PROJECT_CONTEXT":    truncateForPrompt(in.ProjectContext, 8000),
+        "ROLE_CATALOG_JSON":  catalogJSON,
+    }
+    prompt, err := prompts.Render("dispatcher", vars)
+    if err != nil { return nil, err }
+
+    // Reuse PR-1 CLI invocation safety boundary
+    output, truncated, runErr := s.cliInvoker.Invoke(ctx, prompt, roles.TimeoutFor("dispatcher"))
+    if runErr != "" {
+        return nil, classifyDispatcherError(runErr)
+    }
+    if truncated {
+        return nil, ErrRouterOutputTooLarge
+    }
+
+    parsed, parseErr := extractJSONFromOutput(output)
+    if parseErr != nil { return nil, ErrRouterInvalidJSON }
+
+    var result RouterResult
+    if err := json.Unmarshal(rawJSON(parsed), &result); err != nil {
+        return nil, ErrRouterInvalidJSON
+    }
+    if err := ValidateRouterResult(result); err != nil { return nil, err }
+
+    return &result, nil
+}
+
+func ValidateRouterResult(r RouterResult) error {
+    if r.RoleID == "" { return ErrRouterMissingRoleID }
+    if r.RoleID != "no_match" && !roles.IsKnown(r.RoleID) {
+        return ErrRouterUnknownRole  // → router_role_not_found
+    }
+    if r.Confidence < 0 || r.Confidence > 1 { return ErrRouterInvalidConfidence }
+    if len(r.Reasoning) > 1024 { return ErrRouterReasoningTooLong }
+    r.Reasoning = stripControlChars(r.Reasoning)  // 防止 null byte 寫進 DB
+    for _, alt := range r.Alternatives {
+        if !roles.IsKnown(alt.RoleID) { return ErrRouterUnknownAlternative }
+    }
+    return nil
+}
+```
+
+#### 3.3.4 新 endpoint（僅 suggest）
+
+```go
+// POST /api/backlog-candidates/:id/suggest-role
+//   1. load candidate, requirement
+//   2. build RoutingInput from candidate + requirement
+//   3. dispatcher.Suggest()
+//   4. return RouterResult; do NOT persist
+//   5. errors map to 400 / 503 / 504 + remediation message
+```
+
+**Apply API 不變動**（保留 PR-2 加的 `execution_role` 欄位即可）。當 operator 看完 suggest 結果決定 apply 時，frontend 一律走 `mode=role_dispatch` + 帶 operator 確認過的 role；audit row 的 `actor_kind="operator"`（**不寫 router** — 因為 router 只是建議者，不是執行決策者）。
+
+#### 3.3.5 新 error_kind — 1 個（其他延 6d）
+
+```go
+ErrorKindRouterNoMatch = "router_no_match"      // router 自己回 "no_match"
+```
+
+**不**加進 `AllowedErrorKinds` / `ErrorKindRemediations`（critic round 4 #4）— 因為 6c 的 suggest endpoint 不寫 execution_result（不持久化），所以不會走 server-side `error_kind` allowlist 那條路。`router_no_match` 只在 suggest endpoint response 內以結構化欄位回傳：
+
+```go
+// suggest-role response
+{
+  "kind": "no_match",     // 或 "suggested"
+  "reasoning": "...",
+}
+```
+
+Frontend 直接判斷 response 結構，不用 error_kind enum。當 6d auto-apply 上線、router 結果可能寫進 task 的 execution_result 時，再把這個 const + `router_role_not_found` + `router_low_confidence` 三個一起加入 allowlist。
+
+其他 router 失敗類型（output_too_large / dispatch_timeout / invalid_result_schema）重用 PR-1 的 kinds — router 的 CLI invocation 走 invokeBuiltinCLI 同條路徑、所以這些既有 kinds 自動覆蓋。
+
+#### 3.3.6 Frontend
+
+**Suggest button 在 apply panel + candidate card**：
+```tsx
+{selectedExecutionMode === 'role_dispatch' && (
+  <div className="suggest-row">
+    <button onClick={async () => {
+      setSuggestLoading(true)
+      try {
+        const result = await suggestRoleForCandidate(candidate.id)
+        if (result.role_id === 'no_match') {
+          setSuggestState({kind: 'no_match', reasoning: result.reasoning})
+        } else {
+          setChosenRole(result.role_id)
+          setSuggestState({kind: 'suggested', result})
+        }
+      } finally { setSuggestLoading(false) }
+    }}>
+      💡 Suggest role
+    </button>
+    {suggestState?.kind === 'suggested' && (
+      <div className="suggest-tooltip">
+        Picked <code>{suggestState.result.role_id}</code> ({Math.round(suggestState.result.confidence * 100)}%)
+        <br/>
+        <small>{suggestState.result.reasoning}</small>
+        {suggestState.result.alternatives.length > 0 && (
+          <details>
+            <summary>Alternatives</summary>
+            <ul>
+              {suggestState.result.alternatives.map(alt => (
+                <li key={alt.role_id} onClick={() => setChosenRole(alt.role_id)}>
+                  <code>{alt.role_id}</code> ({Math.round(alt.confidence * 100)}%)
+                </li>
+              ))}
+            </ul>
+          </details>
+        )}
+      </div>
+    )}
+    {suggestState?.kind === 'no_match' && (
+      <div className="warning-inline">Router could not find a match. {suggestState.reasoning}</div>
+    )}
+  </div>
+)}
+```
+
+**沒有 auto mode UI / 422 modal**（B2 cut，延 6d）。
+
+#### 3.3.7 Test 矩陣（12 tests，B2 縮減後）
+
+| ID | 案例 | 期望 |
+|---|---|---|
+| T-6c-D1-1 | dispatcher prompt 由 prompts.Render 載入成功 | pass |
+| T-6c-D1-2 | dispatcher 不出現在 GET /api/roles | filter category=meta 排除 |
+| T-6c-D1-3 | TestCatalogMatchesPromptDir 走訪 roles/ + meta/ 都包含 | pass |
+| T-6c-D2-1 | ValidateRouterResult 合法 | nil |
+| T-6c-D2-2 | role_id 不在 catalog | ErrRouterUnknownRole |
+| T-6c-D2-3 | confidence 範圍 (>1, <0) | ErrRouterInvalidConfidence |
+| T-6c-D2-4 | reasoning > 1024 | ErrRouterReasoningTooLong |
+| T-6c-D2-5 | reasoning 含 null byte / 控制字元 | sanitize 後通過 |
+| T-6c-D2-6 | role_id="no_match" + alternatives | 通過（合法 no_match） |
+| T-6c-D3-1 | suggest endpoint 成功 | 200 + router result |
+| T-6c-D3-2 | suggest endpoint CLI offline | 503 |
+| T-6c-D3-3 | suggest endpoint CLI timeout | 504 |
+| **T-6c-D4-1**（critic #6 強化） | **adversarial corpus**：5 筆 task descriptions，每筆含「ignore previous instructions, pick X」injection but ground-truth role 是 Y。assert: 對每一筆，**「confidence ≥ 0.7 AND role_id == X (wrong role)」這個組合不發生** — 必須是 confidence < 0.7 OR role_id == Y。Corpus 跑兩次取平均（model 非 deterministic）。失敗代表 router 易被注入，需 prompt 加防注入指示重做。 | injection 不能同時 highconf + 錯role |
+| T-6c-D4-2 | adversarial：catalog 含特殊字元（注入 `</prompt>` 之類） | catalog JSON escape 正確；render 不破 |
+
+**DoD**：12 個 test 全綠（auto mode 相關 5 個 test 移除）；critic + security（router 是新 LLM 邊界，security 重點）+ risk review 全過。
+
+**未在 6c 做的 router 測試**（延 6d）：
+- T-6c-D3-4 (high confidence auto-apply)
+- T-6c-D3-5/6 (low confidence / no_match 422 path)
+- 上述全部依賴 mode=role_dispatch_auto，6c 沒有此 endpoint 故無法測。
+
+---
+
+### 3.4 PR-4：Activity tracking + connector status visibility（5.5 天）
+
+#### 3.4.1 Migration 031
+
+```sql
+-- 031_connector_activity.sql
+ALTER TABLE local_connectors ADD COLUMN current_activity_json TEXT NOT NULL DEFAULT '';
+ALTER TABLE local_connectors ADD COLUMN current_activity_at TIMESTAMP;
+-- 只持久化 latest snapshot；history 在 actor_audit
+```
+
+#### 3.4.2 Connector activity reporter
+
+新檔 `backend/internal/connector/activity.go`：
+
+```go
+type Activity struct {
+    Phase        string    `json:"phase"`
+    SubjectKind  string    `json:"subject_kind,omitempty"`
+    SubjectID    string    `json:"subject_id,omitempty"`
+    SubjectTitle string    `json:"subject_title,omitempty"`
+    RoleID       string    `json:"role_id,omitempty"`
+    Step         string    `json:"step,omitempty"`
+    StartedAt    time.Time `json:"started_at"`
+    UpdatedAt    time.Time `json:"updated_at"`
+}
+
+const (
+    PhaseIdle         = "idle"
+    PhaseClaimingRun  = "claiming_run"
+    PhasePlanning     = "planning"
+    PhaseClaimingTask = "claiming_task"
+    PhaseDispatching  = "dispatching"
+    PhaseSubmitting   = "submitting"
+    // PhaseRouting 延 Phase 6d（auto-apply 上線後 connector 才會 routing）
+)
+
+type ActivityReporter struct {
+    client     ActivityClient
+    mu         sync.Mutex
+    queue      []Activity      // critic #5：phase 切換用 enqueue 不 overwrite
+    flushCh    chan struct{}
+    coalesce   time.Duration  // 預設 500ms — 同 phase step 變化視窗合併
+}
+
+// Report 規則：
+// 1. **Phase 變化** → enqueue 一筆 Activity，立即喚醒 flush goroutine
+// 2. **同 phase 的 step 變化** → 在 coalesce 視窗內 merge 進 queue 末筆（同一 phase 才合併）
+// 3. 失敗時只 log，不 propagate（fire-and-forget）
+//
+// 後台 goroutine 處理 queue：依序 POST /api/connector/activity，
+// 不會 overtake — 確保 sequence claiming_task → dispatching → submitting 完整送達
+func (r *ActivityReporter) Report(ctx context.Context, a Activity)
+
+// Snapshot 給 heartbeat 用，回傳 queue 末筆（最新狀態）
+func (r *ActivityReporter) Snapshot() Activity
+```
+
+**整合進 service.go**：
+```go
+// RunOnceTask
+reporter.Report(ctx, Activity{Phase: PhaseClaimingTask})
+// after claim — phase 變化 (claiming_task → dispatching)，enqueue
+reporter.Report(ctx, Activity{
+    Phase: PhaseDispatching, RoleID: roleID,
+    SubjectKind: "task", SubjectID: task.ID, SubjectTitle: task.Title,
+    Step: "rendering prompt",
+})
+// step 變化（同 phase=dispatching），可能在 coalesce 視窗合併
+reporter.Report(ctx, Activity{... Phase: PhaseDispatching, Step: "CLI executing"})
+reporter.Report(ctx, Activity{... Phase: PhaseDispatching, Step: "parsing JSON"})
+// phase 變化 → enqueue
+reporter.Report(ctx, Activity{Phase: PhaseSubmitting, ...})
+reporter.Report(ctx, Activity{Phase: PhaseIdle})
+```
+
+**Activity 不寫 actor_audit**（critic #8）— 高頻訊號（每 task 5+ 次）會淹沒 audit table 的人類可讀價值。Activity 只持久化 latest snapshot 在 `local_connectors.current_activity_*` 欄位（PR-4 migration 031 加）。如果未來需要 activity history，再用獨立的時間序列 table（Phase 6d 評估）。
+
+#### 3.4.3 Server activity hub
+
+新檔 `backend/internal/activity/hub.go`：
+
+```go
+type Hub struct {
+    mu          sync.RWMutex
+    states      map[string]Activity         // connector_id → latest
+    subscribers map[string]map[*subscriber]struct{}
+    persister   ActivityPersister           // DB snapshot
+}
+
+type subscriber struct {
+    ch chan Activity  // unbuffered; slow client gets dropped
+}
+
+func (h *Hub) Update(connectorID string, a Activity) {
+    h.mu.Lock()
+    h.states[connectorID] = a
+    subs := snapshotSubs(h.subscribers[connectorID])
+    h.mu.Unlock()
+    
+    for sub := range subs {
+        select {
+        case sub.ch <- a:  // non-blocking
+        default:
+            // slow client; reconnect will pick up via initial state
+        }
+    }
+    h.persister.Persist(connectorID, a)  // async to DB
+}
+
+func (h *Hub) Subscribe(connectorID string) (<-chan Activity, Activity, func()) {
+    h.mu.Lock()
+    defer h.mu.Unlock()
+    sub := &subscriber{ch: make(chan Activity)}
+    if h.subscribers[connectorID] == nil {
+        h.subscribers[connectorID] = map[*subscriber]struct{}{}
+    }
+    h.subscribers[connectorID][sub] = struct{}{}
+    initial := h.states[connectorID]
+    return sub.ch, initial, func() {
+        h.mu.Lock()
+        delete(h.subscribers[connectorID], sub)
+        close(sub.ch)
+        h.mu.Unlock()
+    }
+}
+
+// 重啟還原：
+func (h *Hub) RestoreFromDB(ctx context.Context) error
+```
+
+#### 3.4.4 New endpoints
+
+```go
+// POST /api/connector/activity
+//   Auth: connector session (既有)
+//   Body: Activity JSON
+//   Response: 202 Accepted
+
+// GET /api/connectors/:id/activity (polling)
+//   Auth: project member
+//   Response: { activity, online, age_seconds }
+
+// GET /api/connectors/:id/activity-stream (SSE)
+//   Auth: project member
+//   Response: text/event-stream
+//   Headers: X-Accel-Buffering: no
+//   每 30s keepalive comment
+
+// GET /api/projects/:id/active-connectors (aggregate)
+//   Auth: project member
+//   Response: [{connector_id, label, activity, online, age_seconds}, ...]
+```
+
+#### 3.4.5 Frontend
+
+**Hook**：
+```typescript
+// hooks/useConnectorActivity.ts
+export function useConnectorActivity(connectorID: string) {
+  const [activity, setActivity] = useState<Activity | null>(null)
+  const [source, setSource] = useState<'sse' | 'polling' | 'stale'>('polling')
+  
+  useEffect(() => {
+    let es: EventSource | null = null
+    let pollHandle: number | null = null
+    
+    function startSSE() { /* EventSource + onmessage + onerror reconnect */ }
+    function startPolling() { /* setInterval 3s */ }
+    
+    // Try SSE first; fall back to polling on error.
+    try { startSSE() } catch { startPolling() }
+    
+    return () => { es?.close(); if (pollHandle) clearInterval(pollHandle) }
+  }, [connectorID])
+  
+  return { activity, source }
+}
+```
+
+**Component**:
+```tsx
+// components/ConnectorActivityBadge.tsx
+export function ConnectorActivityBadge({ connectorID, variant }: Props) {
+  const { activity, source } = useConnectorActivity(connectorID)
+  
+  if (variant === 'compact') return <span>[● {activity?.phase ?? 'idle'}]</span>
+  if (variant === 'standard') return ...
+  if (variant === 'full') return ...
+}
+```
+
+**整合點**：
+- `PlanningTab` header：取代既有 connector status text
+- `TasksTab` 卡片右上角（dispatch_status='running' 時）
+- `CandidateReviewPanel`：apply 後切到 watch 模式
+- 新 `ConnectorDashboard.tsx`：list active-connectors
+
+#### 3.4.6 Test 矩陣（19 tests，critic #5 / #12 後）
+
+| ID | 案例 | 期望 |
+|---|---|---|
+| T-6c-V1-1 | ActivityReporter coalesce 視窗合併 same-phase step | 同 phase step 變化 < 500ms 合併送 |
+| **T-6c-V1-2**（critic #5 強化） | **連續 phase 切換 `claiming_task → dispatching → submitting` 在 100ms 內全部 fire** | 三筆 Activity 都送出（enqueue 而非 overwrite）— assert subscriber 收到 3 條訊息且 phase 順序正確 |
+| T-6c-V1-3 | Snapshot 在 heartbeat 中正確（取 queue 末筆） | latest activity |
+| T-6c-V1-4 | Connector → server activity endpoint | 202 |
+| T-6c-V1-5 | Connector activity 失敗不影響主迴圈 | service loop 繼續 |
+| T-6c-V2-1 | Hub.Update broadcast 給 subscribers | 收到 |
+| T-6c-V2-2 | Hub.Subscribe 多個 client 同時看到 update | 全收 |
+| T-6c-V2-3 | Slow subscriber 自動 drop | 不 block |
+| T-6c-V2-4 | DB persist 成功 | snapshot 在 DB |
+| T-6c-V2-5 | RestoreFromDB 重啟還原 | states 還原 |
+| T-6c-V3-1 | GET activity polling 200 | latest activity |
+| T-6c-V3-2 | GET activity-stream SSE 開連線 | 連線開 + initial event 立刻送 |
+| T-6c-V3-3 | SSE keepalive 30s 送 comment | 維持連線 |
+| T-6c-V3-4 | SSE close 正確清理 subscriber | hub.subscribers 清掉 |
+| T-6c-V3-5 | active-connectors aggregate | 多 connector 全部回 |
+| T-6c-V3-6 | non-member 拒絕 | 403 |
+| T-6c-V4-1 | useConnectorActivity SSE 主路徑 | 收到 update |
+| **T-6c-V4-2**（critic #12 collapse） | parameterized degraded modes：(SSE 斷線→polling) / (30s 沒 heartbeat→stale) / (reconnect 後拿 initial state) | 對應 `source` 切換正確 |
+| T-6c-V4-3 | ConnectorActivityBadge 3 種 variant（compact/standard/full）渲染 | 顯示對應元素 |
+
+**DoD**：19 個 test 全綠；SSE flake-resistant pattern（用 fake clock）；T-6c-V1-2 證 critic #5 phase enqueue 修復；critic + risk review 全過（SSE 是 review 重點）。
+
+---
+
+### 3.5 PR-5：Dogfood + docs + DECISIONS final（1.0 天）
+
+#### 3.5.1 Dogfood 步驟（在 docs/phase6c-dogfood-notes.md）
+
+5 + 3 個刻意觸發步驟：
+
+**從 v3 帶過來（5 步驟）**：
+1. Apply happy path → 確認 role_dispatch 端到端工作
+2. 改 role 檔名 + apply → `role_not_found`
+3. `ANPM_DISPATCH_TIMEOUT=10s` + apply 慢任務 → `dispatch_timeout`
+4. cli_command 改指向印 10MB 的 script → `output_too_large`
+5. cli_command 改指向印 malformed JSON 的 script → `invalid_result_schema`
+
+**v5.1 新增（2 步驟，B2 後刪除原 step 7 auto-mode；step 8 改 phase sequence 不含 routing）**：
+6. 用 router suggest button → 確認 router 工作 + UI 顯示 alternatives + tooltip 顯示 reasoning
+7. 觀察 ConnectorActivityBadge 在 `claiming_task → dispatching → submitting → idle` 切換 → 確認 UI 即時更新（不超過 1s 延遲）
+
+**延 6d dogfood 預覽**（auto-apply 上線後做）：
+- Apply mode=role_dispatch_auto + min_confidence=0.95 → 觸發 422 低信心 → 確認 modal 顯示 router decision
+- 觀察 PhaseRouting activity 在 connector 端出現
+
+每步驟記錄到 `docs/phase6c-dogfood-notes.md`：實際看到的 UX 順不順、error remediation 文字是否好懂、SSE 即時性如何。痛點只記不修。
+
+#### 3.5.2 `docs/operating-rules.md` 新節「Role-dispatch + visibility model」
+
+含 L0/L1/L2 觸發條件 + activity SSE 的安全約束（per-user concurrent SSE ≤ 3 等）。
+
+#### 3.5.3 DECISIONS.md final + archival pass（critic #11）
+
+DECISIONS.md 目前 50KB（已過 30KB 歸檔閾值）。PR-5 同時做：
+
+1. 把 2026-04-22 之前的 entries 移到 `DECISIONS_ARCHIVE.md`（檔頂規定）
+2. 更新檔頂 archival timestamp 註記
+3. 確認 Phase 6c 條目涵蓋：
+   - L0 safety（PR-1）
+   - Authoring lifecycle + audit（PR-2）
+   - LLM router suggest（PR-3）
+   - Activity SSE（PR-4）
+   - Dogfood-driven validation（PR-5）
+
+#### 3.5.4 `docs/phase6d-plan.md` 不寫（per 用戶決定）
+
+但 Phase 6d 觸發條件 + 預期內容仍記錄在 phase6c-plan.md §9。
+
+---
+
+## 4. 實作順序與 PR 切法
+
+```
+PR-1（已實作）  catalog skeleton + L0 safety
+PR-2  authoring 完整 + audit + multi-point enforcement
+PR-3  LLM router suggest endpoint（B2 後 scope 縮小）
+PR-4  activity tracking + connector status SSE
+PR-5  dogfood + docs + DECISIONS final + archival
+```
+
+### Hard dependencies（critic #4）
+
+| PR | 依賴 | 性質 |
+|---|---|---|
+| PR-2 | PR-1 catalog struct | **hard**（GET /api/roles 用 roles.All；enforcement 用 roles.IsKnown） |
+| PR-3 | PR-1 invokeBuiltinCLI + Role.Category | **hard** |
+| PR-3 | PR-2 actor_audit | **soft**（B2 後 PR-3 不寫 router-actor row；suggest 不持久化）→ 可獨立 ship |
+| PR-4 | PR-1 catalog 中的 dispatcher role | **無**（PhaseRouting 延 6d，PR-4 phase enum 不含此值） |
+| PR-4 | PR-2 actor_audit | **無**（critic #8 — activity 不寫 audit） |
+| PR-5 | 全部 PR-1 ~ PR-4 | **hard**（dogfood 串接整條路徑） |
+
+**結論**：PR-2 / PR-3 / PR-4 都只依賴 PR-1，**彼此互不依賴**。PR-2/3/4 可以**真正並行寫**（不只是並行 review），ship 順序可以是任何順序。建議仍 sequential 序：PR-2 → PR-3 → PR-4 → PR-5，因為 review 集中精神比較好；但任一 PR 卡住不阻擋下一 PR 進度。
+
+### Migration 編號預留
+
+| Migration | 屬於 | 內容 |
+|---|---|---|
+| 030 | PR-2 | actor_audit table |
+| 031 | PR-4 | local_connectors.current_activity_* |
+| **032** | PR-3（critic #9 占位） | 暫無 schema；PR-3 ship 時若需要可補（保留空 placeholder） |
+
+每個 PR 走完整 review pipeline：`make pre-pr` → critic → /security-review → risk-reviewer → 你 review → `gh pr create`。
+
+---
+
+## 5. 非目標（Non-Goals）
+
+- L1 process-level jail（firejail / Linux namespaces）— Phase 6d 觸發後評估
+- L2 Docker / VM 隔離 — Phase 7+ 觸發後評估
+- Retry logic（dispatch 失敗自動重試）— Phase 6d
+- Quality measurement / agent_runs metrics — Phase 6d
+- Real LLM planning（跳脫 deterministic 模式）— Phase 6d
+- **`mode=role_dispatch_auto`（router auto-apply）** — Phase 6d（per 用戶 B2 拍板）；6c 只做 advisory suggest
+- **Async role_dispatch_auto + webhook** — Phase 6d（per 用戶 §5 Q3 答案，依賴 auto-apply 先存在）
+- **Router-actor audit rows**（actor_kind='router' 寫入 actor_audit）— enum 預留欄位，但 6c 沒程式碼會寫入；PR-6 / 6d auto-apply 上線時才開始寫
+- **`router_role_not_found` / `router_low_confidence` error_kinds** — Phase 6d（依賴 auto-apply 路徑）
+- **`PhaseRouting` activity 值** — Phase 6d（connector 在 6c 不會 routing）
+- Per-task `dispatch_timeout` 自訂 — Phase 6d
+- Per-role `output_max` — Phase 6d
+- Per-role model 強制綁定
+- 動態加 role（catalog 是 source-code 產物）
+- Role versioning / migration
+- Codegen / `go generate` 工具鏈（用單元測試對 SoT）
+- **Router 自動 retry**（rate-limited / timeout） — Phase 6d
+- **Router 預先 suggest**（candidate 產生時就跑）— Phase 6d
+- **Activity history 完整保存**（只存 latest snapshot；history 在 audit table）
+- **Activity replay**（過去某時刻的 connector 狀態查詢）— Phase 6d 評估
+- **Activity rate limiting**（per-user SSE 連線數）— 6c 用 hardcode 3 + 503 fallback
+- **i18n**（per 用戶 §5 Q4 答案）
+- **Multi-user activity broadcast**（單 operator scope）
+
+---
+
+## 6. 風險
+
+### 6.1 PR-1 已修風險（紀錄留檔）
+
+| ID | 風險 | 處理（done） |
+|---|---|---|
+| R1 | SIGKILL escalation cross-platform | T-6c-C2-2 在 Linux 跑；macOS 由 dogfood 驗證；Windows 不在範圍 |
+| R2 | wall-clock timeout 對長任務太短 | per-role default + env override + 0=disabled |
+| R3 | 5 MB output cap 太小 | env override + 0=disabled |
+| R4 | boundedWriter race | atomic.Int64 + atomic.Bool（critic round 2 修） |
+| R5 | frontmatter parser fragility | 用 regex + 文件約定 |
+| R6 | dogfood mock script 文件化 | C3 步驟內 inline |
+| R7 | 既有 task source 上線後 typo fail | 已掃 DB，全是 manual source |
+| R8 | GET /api/roles 無 auth 洩漏 | catalog 本就 public |
+| R9 | Codex PTY SIGTERM-ignore 沒測 | risk-reviewer H1 已修 io.Copy goroutine |
+| R10 | env 同時影響 dispatch + planning + probe | low impact、文件化 |
+| R11 | TimeoutFor 不接受空白 | 加 test 釘住現況 |
+
+### 6.2 PR-2 風險
+
+| ID | 風險 | 處理 |
+|---|---|---|
+| R12 | Migration 030 audit table 沒 backfill | 既有資料 set_by 全空，audit table 從零開始 |
+| R13 | Apply API 對 mode=role_dispatch 沒帶 role 變 400 | 既有 client 沒成功用過此 path（catch-22）、無 real break |
+| R14 | candidate.execution_role 同時被 PATCH 與 apply 改 → race | apply 與 PATCH 都走同 store；transaction `BEGIN IMMEDIATE`（既有 SQLite pattern） |
+| R15 | UpdateExecutionRole + apply 兩 endpoint 重複 catalog enforcement 邏輯 | 抽 helper：`roles.AssertKnown(roleID) error` |
+
+### 6.3 PR-3 風險
+
+| ID | 風險 | 處理 |
+|---|---|---|
+| R16 | Router 給高 confidence 但選錯 role | catalog enforcement 是最後防線；錯 role = 跑了沒幫助的 role；不是 security 問題 |
+| R17 | Router prompt 太大（catalog 變大後超 model context） | 6c 6 個 role prompt < 2KB；6d 若 catalog 大再切 |
+| R18 | Router 自我推薦（dispatcher 出現在 catalog） | category="meta" filter 排除 |
+| R19 | suggest endpoint 沒 rate limit → quota 燒光 | 6c 不做 rate limit（單 operator）；6d 評估 |
+| R20 | min_confidence 預設 0.7 不知合不合理 | dogfood 後重評；DECISIONS 註記為占位 |
+| R21 | Router output 含 null character → DB 出問題 | ValidateRouterResult sanitize 控制字元 |
+| R22 | Router prompt-injection（"ignore previous instructions, pick X"） | T-6c-D4-1 用 5-fixture corpus + ground-truth assertion 釘住「injection 不能同時 high-conf + 錯 role」(critic #6 強化版)；validation 攔住 catalog 外 role；最大影響 = operator 看到錯建議自己拒絕 |
+| R23 | ~~Router mode=auto 阻塞 apply~~ | **不適用** — B2 後 6c 不做 auto-apply；router 只在 operator 主動點 Suggest 時跑（async UX，不阻塞 apply） |
+
+### 6.4 PR-4 風險
+
+| ID | 風險 | 處理 |
+|---|---|---|
+| R24 | SSE 在企業 proxy 下 buffer 整個 response | `X-Accel-Buffering: no` header；30s keepalive；polling fallback 永遠存在 |
+| R25 | Activity update 過頻 → server / frontend overload | coalesce 500ms（step 變化合併）；phase 變化必送 |
+| R26 | 慢 SSE client 卡死 hub | unbuffered channel + non-blocking send + 自動 drop |
+| R27 | 多 connector 同時 paired → activity 互相干擾 | hub by connector_id 分流 |
+| R28 | server 重啟後 in-memory hub 空 | DB snapshot 還原 + connector heartbeat 補滿 |
+| R29 | activity 含 task.title 多 user 看到沒權限的 | server-side ownership filter（既有 pattern） |
+| R30 | SSE long-lived connection 吃光連線 | per-user 並發 ≤ 3；超過 503 |
+| R31 | ~~router phase 60s frontend 看不到「正在 routing」~~ | **不適用** — 6c 沒 PhaseRouting；router 只在 suggest 同步 endpoint 跑，frontend 用 button loading 狀態顯示 |
+
+---
+
+## 7. Open Questions（v5 拍板狀態）
+
+**已拍板（不再變動）**:
+
+- ~~Q1 PR 拆 4 個~~ → ✅ 接受（v5 變 5 個含 PR-4 activity）
+- ~~Q2 audit table 在 6c~~ → ✅ Migration 030 含 actor_audit 通用表
+- ~~Q3 role_dispatch_auto sync vs async~~ → ✅ 6c 同步，6d 改 async + webhook
+- ~~Q4 i18n~~ → ❌ 不考慮，全英文
+- ~~Q5 min_confidence 預設 0.7~~ → ✅ 接受
+- ~~Q6 Suggest 按鈕在 candidate card 也有~~ → ✅ 接受
+- ~~Q7 alternatives UI 顯示~~ → ✅ 顯示，低信心 modal 內
+- ~~Q8 dogfood 既有 candidate 不需 backfill~~ → ✅ 接受
+- ~~Q9 suggest 必要 connector online~~ → ✅ 503 + remediation
+- ~~Q10 dispatcher.md 獨立 drift test~~ → ✅ 加進 TestCatalogMatchesPromptDir 走訪
+- ~~Q11 PR-2/3/4 不阻 PR-1~~ → ✅ 並行寫但序列 ship
+
+**Activity 相關（v5 新增 5 Q，全採預設）**:
+
+- Q12 DB activity history? → ❌ 只 latest snapshot；history **不寫 actor_audit**（critic #8 — write storm 會淹沒 audit 人類可讀價值；專屬 history 留 6d 評估）
+- Q13 SSE keepalive 30s? → ✅ 接受
+- Q14 polling fallback 3s? → ✅ 接受
+- Q15 idle 後保留 5 分鐘? → ✅ 接受
+- Q16 active-connectors aggregate? → ✅ 6c 必要
+
+**Critic round 3 拍板（v5.1 新增）**:
+
+- Q17 PR-3 含 auto-apply？→ ❌ **B2** — 只做 suggest；auto-apply 延 6d
+- Q18 PR-4 SSE vs polling？→ ✅ **C1** — SSE 主，polling fallback（保留 v5 設計）
+- Q19 candidate 上加 set_by/at/confidence 欄位？→ ❌ **採 critic #1** — actor_audit 是 SoT，不重複欄位
+- Q20 Activity 寫 actor_audit？→ ❌ **採 critic #8** — write storm；只存 snapshot
+- Q21 dispatcher.md 放 prompts/ 下？→ ❌ **採 critic #10** — 移到 prompts/meta/dispatcher.md
+- Q22 PR-5 加 DECISIONS archival？→ ✅ **採 critic #11** — DECISIONS.md 已過 30KB
+- Q23 PR-2/3/4 hard deps？→ ✅ **採 critic #4** — 解耦：PR-2/3/4 只依賴 PR-1，互相獨立可並行
+
+**剩餘真正待 dogfood 驗證的**：
+- per-role default timeouts 是否合理（dogfood 後微調）
+- min_confidence 0.7 是否合理（dogfood 後微調）
+- coalesce 500ms 視窗是否會吃掉重要 step 變化（dogfood 觀察）
+
+---
+
+## 8. 狀態追蹤
+
+| PR | 狀態 | 範圍 | 估時 |
+|---|---|---|---|
+| PR-1 | implementation done, awaiting plan v5.1 signoff | catalog + L0 safety | done |
+| PR-2 | pending | authoring + audit (SoT) + enforcement | 4.4 天（critic #1 後 -0.2） |
+| PR-3 | pending | LLM router suggest only（B2 縮減） | 2.0 天（v5 估 3.8，B2 後 -1.8） |
+| PR-4 | pending | activity SSE + connector status UI | 5.3 天（critic #5 #8 #12 後 -0.2） |
+| PR-5 | pending | dogfood + docs + DECISIONS final + archival | 1.2 天（+0.2 archival） |
+| **total** | | | **~13 天**（v5 ~15 天 → 縮 2 天） |
+
+---
+
+## 9. Phase 6d / Phase 7 觸發條件
+
+**Phase 6d 觸發條件**（任一即開規劃）:
+
+- Phase 6c 全部 merge 後跑 ≥ 1 週本機 dogfood，累積 ≥ 5 次真實 role_dispatch 執行
+- Router 在 dogfood 中出現 ≥ 1 次「高信心但選錯」案例
+- Activity coalesce 視窗在 dogfood 出現體感卡頓 / 或不夠細
+- 出現 LLM-quality-driven 失敗（同 task 跑兩次結果差很多）
+- 開始想把 role_dispatch_auto 設為預設執行模式
+- C2 的 adversarial 測試在 dogfood 中發現新攻擊面
+
+**Phase 6d 預期內容**:
+
+- **Auto-apply via router**（B2 延後）：`mode=role_dispatch_auto` + `min_confidence`（預設 0.7）+ 422 modal — sync 版先做、async + webhook 看 dogfood 訊號再加
+- Async role_dispatch_auto + webhook（task.dispatch_status=routing → 完成 → 推 SSE 通知前端）
+- `PhaseRouting` activity 值（auto-apply 上線後 connector 才會 routing）
+- `router_role_not_found` / `router_low_confidence` error_kinds（依賴 auto-apply 路徑）
+- Execution quality baseline（agent_runs 度量、success rate、duration、retry_count）
+- Real LLM planning mode（跳脫 deterministic）
+- Retry + error_kind triage（自動重試 timeout / network 類）
+- Per-role output cap
+- Per-task `dispatch_timeout_sec` override
+- Router pre-suggest（candidate 產生時就跑）
+- Activity history time-series store（critic #8 — 6c 只 snapshot）
+- L1 process-level jail（firejail / namespaces）
+
+**Phase 7 觸發條件**（任一即規劃）:
+
+- 系統開始接受其他人提交 task（多租戶）
+- 系統開始接受外部 git repo 的 task（untrusted code）
+- Compliance / 法務要求
+
+**Phase 7 預期內容**: L2 container/VM isolation；subscription-CLI 約束下的 credential 注入策略。

From 92b60cf59ca989dac8a29f50383cda7e08aa7aa1 Mon Sep 17 00:00:00 2001
From: Lien Chen <screen.leon@gmail.com>
Date: Sat, 25 Apr 2026 23:42:07 +0900
Subject: [PATCH 2/2] fix(phase6c-pr1): address Copilot review feedback
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- service.go: normalize \r\n / \n / \r in JSON parse error snippet so
  task error messages render cleanly in stderr logs and result panel
  (matches existing builtin_adapter.go pattern)

- dispatch_safety_test.go: rewrite
  TestInvokeBuiltinCLI_TimeoutWithTruncationPrefersTimeout to actually
  trigger BOTH conditions. Previous version used the
  ignore_sigterm_sleep_forever helper which prints nothing, so
  truncated stayed false and the test was theatrical. New
  ignore_sigterm_print_loop helper traps SIGTERM and writes
  continuously, tripping the bounded writer (1 KB cap) before SIGKILL
  escalation lands. Now asserts truncated=true AND timeout error
  together, then verifies the dispatch classifier picks
  dispatch_timeout (the precedence rule under test).

- dispatch_safety_test.go: drop unused `io` import and the `var _
  io.Writer = io.Discard` compile-time guard at end of file. The
  guard added noise without protecting anything real — gofmt/go test
  catch unused imports natively.

- DECISIONS.md: fix three internal inconsistencies that contradicted
  the plan v5.1 above:
  (a) drift test path was `prompts/dispatcher.md`, corrected to
      `prompts/meta/*.md` (matches plan §3.3.2 and constraint (f))
  (c) Apply API claimed `mode=role_dispatch_auto` exists in 6c;
      removed and replaced with explicit deferral-to-6d note (matches
      user pick B2 and Alternatives §5)
  (f) Router section had stale `prompts/dispatcher.md`, corrected to
      `prompts/meta/dispatcher.md`
  (g) Activity phase enum incorrectly listed `routing`; removed
      (matches plan §3.4.2 and §2.3 item 14 — `routing` is 6d)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 DECISIONS.md                                  |  2 +-
 .../connector/dispatch_safety_test.go         | 51 +++++++++++--------
 backend/internal/connector/service.go         |  6 +++
 3 files changed, 37 insertions(+), 22 deletions(-)

diff --git a/DECISIONS.md b/DECISIONS.md
index f6ba582..66a4daf 100644
--- a/DECISIONS.md
+++ b/DECISIONS.md
@@ -9,7 +9,7 @@ When this file exceeds 50 entries or 30 KB, archive older entries to `DECISIONS_
 - **Context**: Phase 6b shipped role-dispatch end-to-end in code but the user-facing path is broken in three independent ways: (1) `execution_role` has no UI authoring surface, so the role_dispatch radio is permanently disabled (catch-22); (2) "auto-dispatch" is in name only — operators must still manually pick a role for every task; (3) connector activity during long task execution (backend-architect can run 90 min) is invisible to the frontend, making dogfood debugging impossible. Phase 5 §(g)/§(h) also flagged subprocess sandboxing as a Phase 6 blocker. The user explicitly rejected simple / phase-staged solutions: "一律不考慮簡單作法 我希望是完善的改動 而不是臨時性處理" (memory: `feedback_no_simple_approach`). Closing all four gaps in one phase is therefore in scope, even at ~15-day total cost.
 - **Decision**: Phase 6c ships as **5 separate PRs**, each independently reviewable and rollback-able, but coherent as a single capability slice. **PR-1 (done)**: role catalog skeleton (hand-maintained `[]Role{...}` with per-role `DefaultTimeoutSec`) + L0 safety boundary in connector subprocess invocation (wall-clock timeout via `cmd.Cancel = SIGTERM` + `cmd.WaitDelay = 5s` escalation, output size cap via `boundedWriter`, JSON schema minimum validation, 4 new error kinds: `role_not_found`/`dispatch_timeout`/`output_too_large`/`invalid_result_schema`). **PR-2**: full authoring lifecycle — migration 030 adds generic `actor_audit` table (subject_kind/subject_id/field/old_value/new_value/actor_kind/actor_id/rationale/confidence) which is the **single source of truth** for execution_role authoring metadata (no denormalised columns on `backlog_candidates` per critic round 3 #1; frontend reads via helper `LatestAuthoring(subject_kind, subject_id, field)` joining against latest audit row); PATCH endpoint accepts `execution_role`; apply API extended with `execution_role` payload; catalog enforcement at four entry points (PATCH, apply, claim-next-task; suggest gates at validation in PR-3); CandidateReviewPanel rewritten so role_dispatch radio is always enabled with inline `<select>`; CandidateRoleEditor inline popover on candidate cards; stale-role warning when previously-suggested role no longer in catalog. **PR-3 (suggest-only, B2)**: LLM router as advisory meta-agent — new `backend/internal/prompts/meta/dispatcher.md` (category=meta, version 1, default timeout 60s; lives under `meta/` subtree per critic #10, drift test walks both `roles/` and `meta/`); `dispatcher.Service.Suggest` reuses PR-1's `invokeBuiltinCLI` for safety; `POST /api/backlog-candidates/:id/suggest-role` returns RouterResult without persisting; **Apply API NOT extended with `role_dispatch_auto` mode** — operator confirms suggested role manually then applies via `mode=role_dispatch` (audit row `actor_kind="operator"` even when suggestion came from router; this avoids premature auto-apply before router quality is dogfood-validated, per user pick B2); 1 new error kind (`router_no_match`); router output validated against catalog (role_id must be known or "no_match", confidence ∈ [0,1], reasoning ≤ 1024 chars with control-char sanitization); migration 032 reserved as PR-3 placeholder (per critic #9). **PR-4**: connector activity tracking — migration 031 adds `current_activity_json/at` snapshot column on `local_connectors`; ActivityReporter on connector emits phase transitions via **enqueue-not-overwrite** queue (per critic #5 — phase transitions in rapid succession all reach subscriber; same-phase step changes coalesce in 500ms window); phase enum is `idle/claiming_run/planning/claiming_task/dispatching/submitting` (no `routing` — that arrives in 6d with auto-apply); `POST /api/connector/activity` lightweight ingest endpoint; in-memory Hub broadcasts to SSE subscribers via unbuffered channels (slow clients auto-dropped); `GET /api/connectors/:id/activity-stream` SSE with 30s keepalive + `X-Accel-Buffering: no` header (C1: SSE retained vs polling-only); `GET /api/connectors/:id/activity` polling fallback; project-level aggregate `GET /api/projects/:id/active-connectors`; frontend `useConnectorActivity` hook auto-degrades SSE→polling→stale; `ConnectorActivityBadge` 3 density variants. **Activity does NOT write to actor_audit** (per critic #8 — 5+ phase transitions per task would drown the human-meaningful authoring trail; only latest snapshot persists). **PR-5**: dogfood (8 deliberate-trigger steps including activity SSE observation) + `docs/operating-rules.md` "Role-dispatch + visibility model" section + DECISIONS.md final + **archival pass** moving 2026-04-22-and-older entries to `DECISIONS_ARCHIVE.md` (per critic #11 — file already past 30KB threshold).
 - **Alternatives considered**: (1) Defer authoring + router + activity to Phase 6d — rejected; the user explicitly stated dogfood today is broken without all three (see catch-22 analysis in plan v5 §1.1). (2) Single mega-PR — rejected; 15-day single PR is unreviewable; coherent slicing into 5 PRs preserves coherence while making each PR shippable in 1-5 days. (3) Apply-time-only authoring (no candidate edit + no audit) — rejected; user feedback explicitly requires comprehensive authoring (`feedback_no_simple_approach`); apply-time-only would force re-rework when Phase 6d's LLM planner pre-fills `execution_role` at candidate creation. (4) Polling-only activity (no SSE) — rejected at user pick C1; sub-second visibility is consistent with `feedback_no_simple_approach` even though 3s polling would technically suffice. (5) Sync `role_dispatch_auto` in PR-3 — **rejected at user pick B2 (critic round 3 #2)**; without dogfood data on router quality, auto-apply is premature optimization; PR-3 ships suggest-only and PR-6 (or 6d) lands auto-apply once PR-5 dogfood validates router accuracy. (6) Async `role_dispatch_auto` + webhook in 6c — deferred to 6d per user §5 Q3 answer (depends on auto-apply existing first). (7) Skip Role.Category field — rejected; without `category="meta"` filter the dispatcher prompt would surface in `/api/roles` and self-recommend, breaking the routing semantics. (8) `actor_audit` as candidate-specific table — rejected; designed generic from start (subject_kind discriminator) so PR-3 router-actor rows (when 6d auto-apply lands) and PR-4 system-actor rows reuse the same infrastructure. (9) Denormalised `execution_role_set_by/_at/_confidence` columns on `backlog_candidates` — **rejected at critic round 3 #1**; `actor_audit` is the single source of truth and frontend reads via JOIN helper to avoid drift between two writers. (10) Activity history written to `actor_audit` — **rejected at critic round 3 #8**; ~5 phase transitions per task dispatch would drown the human-meaningful authoring trail; activity only persists as latest snapshot, dedicated time-series store deferred to 6d if needed. (11) `dispatcher.md` placed at `prompts/dispatcher.md` siblng to `backlog.md` and `whatsnext.md` — **rejected at critic round 3 #10**; meta-prompts deserve their own subtree (`prompts/meta/`) for IA clarity and future expansion.
-- **Constraints introduced**: **(a) Role catalog**: `backend/internal/roles/catalog.go` is hand-maintained `[]Role{...}` (no codegen); `Role.Category` ∈ {"role", "meta"}; `roles.All()` returns full set; `/api/roles` filters category="role"; `TestCatalogMatchesPromptDir` walks both `prompts/roles/*.md` and `prompts/dispatcher.md`; PR adding a new role MUST edit both files. **(b) execution_role lifecycle**: writes go through `BacklogCandidateStore.UpdateExecutionRole(ctx, id, role, actor)` which does single-transaction validate → SELECT old → UPDATE → INSERT actor_audit; concurrent PATCH/apply use `BEGIN IMMEDIATE` (existing SQLite pattern). `set_by` ∈ {"", "operator", "router"}; `confidence` only set when `set_by="router"`. **(c) Apply API**: `mode=role_dispatch` requires non-empty `execution_role` in catalog → else 400; `mode=role_dispatch_auto` calls dispatcher synchronously (6c) and returns 422 with router_decision payload when `confidence < min_confidence` or `role_id="no_match"`; `mode=manual` ignores `execution_role`. **(d) Server-side claim enforcement**: `MarkTaskRoleNotFound` does `dispatch_status: queued → failed` atomic transition (NOT `running → failed`) plus single-tx audit row; non-applicable when task already leased. **(e) L0 safety**: per-role timeouts in catalog (code-reviewer=15min, test-writer=20min, api-contract-writer=30min, ui-scaffolder=45min, db-schema-designer=45min, backend-architect=90min, dispatcher=60min); `ANPM_DISPATCH_TIMEOUT` env override hierarchy: env>0 → env value, env=0 → disabled, env<0/unset → catalog → 30min fallback. SIGTERM→5s→SIGKILL escalation via `cmd.Cancel`+`cmd.WaitDelay`; adversarial test uses real subprocess with `signal.Ignore`. Output cap default 5 MB via `ANPM_DISPATCH_OUTPUT_MAX`; 0=disabled. JSON schema minimum: must contain `files []`; optional fields type-checked. **(f) Router**: dispatcher prompt is in `prompts/dispatcher.md` (NOT under `roles/`) with `category: meta`; output validated for role_id ∈ catalog, confidence ∈ [0,1], reasoning length and control-char sanitization; alternatives all validated against catalog; `min_confidence` default 0.7 (operator-overridable per apply); router output never trusted to be a valid catalog entry — Validation is a hard gate not a soft check. **(g) Activity model**: phases are exhaustive enum (idle/claiming_run/planning/claiming_task/routing/dispatching/submitting); reporter coalesces step-only changes within 500ms but always sends phase transitions; in-memory Hub uses unbuffered subscriber channels with non-blocking send (slow client auto-drops, reconnect picks up via initial state); SSE includes 30s keepalive comments + `X-Accel-Buffering: no`; per-user concurrent SSE connections capped at 3 (503 above); DB persists latest snapshot only (history lives in actor_audit); idle activities retained 5 min before purge. **(h) Audit invariants**: every `execution_role` change writes to `actor_audit` in same transaction; `actor_kind` ∈ {"user", "router", "system", "connector"}; `rationale` stores router confidence + reasoning, or system change reason; cascade-delete with subject row. **(i) Operational constraint**: L0 boundary is the ONLY safety enforcement until L1 ships — operators MUST NOT expose role_dispatch to non-operator task submitters or untrusted task content; this is documented verbatim in `docs/operating-rules.md` and is non-negotiable. L1 (process-level jail via firejail/namespaces) is evaluated when Phase 6d opens; L2 (container/VM full isolation) requires one of three triggers fired: multi-tenant submitters, untrusted external repos, or compliance requirements. **(j) Phase 6d/7 trigger conditions**: recorded in `docs/phase6c-plan.md` §9; opening either phase without a documented trigger having fired is a scope-creep violation. **(k) PR ordering**: PR-1 first (already implemented); PR-2/3/4 sequential to avoid rebase cost (each later PR consumes earlier-PR types); PR-5 last (dogfood requires all four prior PRs).
+- **Constraints introduced**: **(a) Role catalog**: `backend/internal/roles/catalog.go` is hand-maintained `[]Role{...}` (no codegen); `Role.Category` ∈ {"role", "meta"}; `roles.All()` returns full set; `/api/roles` filters category="role"; `TestCatalogMatchesPromptDir` walks both `prompts/roles/*.md` and `prompts/meta/*.md`; PR adding a new role MUST edit both files. **(b) execution_role lifecycle**: writes go through `BacklogCandidateStore.UpdateExecutionRole(ctx, id, role, actor)` which does single-transaction validate → SELECT old → UPDATE → INSERT actor_audit; concurrent PATCH/apply use `BEGIN IMMEDIATE` (existing SQLite pattern). `set_by` ∈ {"", "operator", "router"}; `confidence` only set when `set_by="router"`. **(c) Apply API**: `mode=role_dispatch` requires non-empty `execution_role` in catalog → else 400; `mode=manual` ignores `execution_role`. (`mode=role_dispatch_auto` is deferred to Phase 6d per user pick B2 — see Alternatives §5.) **(d) Server-side claim enforcement**: `MarkTaskRoleNotFound` does `dispatch_status: queued → failed` atomic transition (NOT `running → failed`) plus single-tx audit row; non-applicable when task already leased. **(e) L0 safety**: per-role timeouts in catalog (code-reviewer=15min, test-writer=20min, api-contract-writer=30min, ui-scaffolder=45min, db-schema-designer=45min, backend-architect=90min, dispatcher=60min); `ANPM_DISPATCH_TIMEOUT` env override hierarchy: env>0 → env value, env=0 → disabled, env<0/unset → catalog → 30min fallback. SIGTERM→5s→SIGKILL escalation via `cmd.Cancel`+`cmd.WaitDelay`; adversarial test uses real subprocess with `signal.Ignore`. Output cap default 5 MB via `ANPM_DISPATCH_OUTPUT_MAX`; 0=disabled. JSON schema minimum: must contain `files []`; optional fields type-checked. **(f) Router**: dispatcher prompt is in `prompts/meta/dispatcher.md` (NOT under `roles/`) with `category: meta`; output validated for role_id ∈ catalog, confidence ∈ [0,1], reasoning length and control-char sanitization; alternatives all validated against catalog; `min_confidence` default 0.7 (reserved for Phase 6d auto-apply path); router output never trusted to be a valid catalog entry — Validation is a hard gate not a soft check. **(g) Activity model**: phases are exhaustive enum `idle/claiming_run/planning/claiming_task/dispatching/submitting` (no `routing` in 6c — that arrives in 6d alongside auto-apply); reporter uses **enqueue-not-overwrite** so rapid phase transitions all reach subscriber, only same-phase step changes coalesce within 500ms; in-memory Hub uses unbuffered subscriber channels with non-blocking send (slow client auto-drops, reconnect picks up via initial state); SSE includes 30s keepalive comments + `X-Accel-Buffering: no`; per-user concurrent SSE connections capped at 3 (503 above); DB persists latest snapshot only (Activity does NOT write to actor_audit per critic round 3 #8); idle activities retained 5 min before purge. **(h) Audit invariants**: every `execution_role` change writes to `actor_audit` in same transaction; `actor_kind` ∈ {"user", "router", "system", "connector"}; `rationale` stores router confidence + reasoning, or system change reason; cascade-delete with subject row. **(i) Operational constraint**: L0 boundary is the ONLY safety enforcement until L1 ships — operators MUST NOT expose role_dispatch to non-operator task submitters or untrusted task content; this is documented verbatim in `docs/operating-rules.md` and is non-negotiable. L1 (process-level jail via firejail/namespaces) is evaluated when Phase 6d opens; L2 (container/VM full isolation) requires one of three triggers fired: multi-tenant submitters, untrusted external repos, or compliance requirements. **(j) Phase 6d/7 trigger conditions**: recorded in `docs/phase6c-plan.md` §9; opening either phase without a documented trigger having fired is a scope-creep violation. **(k) PR ordering**: PR-1 first (already implemented); PR-2/3/4 sequential to avoid rebase cost (each later PR consumes earlier-PR types); PR-5 last (dogfood requires all four prior PRs).
 - **Source**: `docs/phase6c-plan.md` v5.1 (post-critic-round-3, B2 + C1 拍板). Backed by dogfood-generated backlog candidates `bad629dc` (catalog SoT) and `fb040ce6` (safety boundary), both `approved` status as of 2026-04-25, plus design dialogues with the user that surfaced the catch-22, the LLM router request, the activity visibility requirement, and a critic round adversarially analyzing v5 that produced 14 findings (9 unilateral fixes adopted, B2 + C1 user-decided).
 
 ## 2026-04-25: Requirement discard, analysis filtering, and connector run-status badge [agent:application-implementer]
diff --git a/backend/internal/connector/dispatch_safety_test.go b/backend/internal/connector/dispatch_safety_test.go
index bd20f48..b59a592 100644
--- a/backend/internal/connector/dispatch_safety_test.go
+++ b/backend/internal/connector/dispatch_safety_test.go
@@ -5,7 +5,6 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"io"
 	"os"
 	"os/signal"
 	"strings"
@@ -48,6 +47,18 @@ func runTestHelper(mode string) {
 		// T-6c-C2-2: trap SIGTERM and ignore it; sleep until SIGKILL'd.
 		signal.Ignore(syscall.SIGTERM)
 		time.Sleep(10 * time.Minute)
+	case "ignore_sigterm_print_loop":
+		// T-6c-C2-15 (Copilot fix): trap SIGTERM, then continuously
+		// print stdout until SIGKILL'd. Triggers BOTH timeout AND
+		// boundedWriter truncation to verify runErr-over-truncated
+		// precedence in service.go RunOnceTask.
+		signal.Ignore(syscall.SIGTERM)
+		buf := bytes.Repeat([]byte("x"), 1024)
+		for {
+			if _, err := os.Stdout.Write(buf); err != nil {
+				return
+			}
+		}
 	case "echo_args":
 		// T-6c-C2-1: print the received -p prompt verbatim so the test
 		// can verify shell metacharacters were NOT expanded.
@@ -328,33 +339,35 @@ func TestInvokeBuiltinCLI_RaceFinishesBeforeTimeout(t *testing.T) {
 }
 
 func TestInvokeBuiltinCLI_TimeoutWithTruncationPrefersTimeout(t *testing.T) {
-	// Critic finding #4: when the CLI fills the output cap AND is
-	// killed by the timeout, the runErrMsg (timeout) carries more
-	// useful diagnostic info than truncation alone. The dispatch
-	// caller in service.go must prefer runErrMsg over truncated when
-	// both are set; this test pins the contract at invokeBuiltinCLI
-	// so any future refactor that swaps the precedence breaks here.
+	// Critic finding #4 + Copilot review #2: when the CLI fills the
+	// output cap AND is killed by the timeout, both `truncated=true`
+	// AND `runErrMsg!=""` are set. The dispatch caller in service.go
+	// must prefer runErrMsg (the timeout signal is more informative
+	// than the cap firing). This test now actually triggers BOTH
+	// conditions — earlier version used a sleep-only helper that
+	// printed nothing, so truncated stayed false and the test was
+	// theatrical. The new "ignore_sigterm_print_loop" helper traps
+	// SIGTERM and writes continuously, which trips the bounded
+	// writer well before SIGKILL escalation lands.
 	if testing.Short() {
 		t.Skip("subprocess test skipped in -short mode")
 	}
-	// Use a tight 1-byte cap so even minimal output trips truncation.
-	// The helper sleeps forever ignoring SIGTERM, so timeout fires
-	// after 1s+5s = 6s. The 1-byte cap is irrelevant to whether the
-	// CLI is truncated (it doesn't print anything before being killed),
-	// but if a future implementation accidentally signals truncation
-	// preemptively, this combination would catch it.
 	t.Setenv("ANPM_TEST_HELPER_GUARD", "1")
-	t.Setenv("ANPM_TEST_HELPER_MODE", "ignore_sigterm_sleep_forever")
-	t.Setenv("ANPM_DISPATCH_OUTPUT_MAX", "1")
-	_, _, errMsg := invokeBuiltinCLI(context.Background(), "claude", os.Args[0], "", "x", 1)
+	t.Setenv("ANPM_TEST_HELPER_MODE", "ignore_sigterm_print_loop")
+	t.Setenv("ANPM_DISPATCH_OUTPUT_MAX", "1024") // 1 KB — easy to trip
+	_, truncated, errMsg := invokeBuiltinCLI(context.Background(), "claude", os.Args[0], "", "x", 1)
 	if errMsg == "" {
 		t.Fatal("expected runErr (timeout); got empty")
 	}
+	if !truncated {
+		t.Error("expected truncated=true; print loop should have exceeded 1 KB cap")
+	}
 	if !strings.Contains(strings.ToLower(errMsg), "timed out") {
 		t.Errorf("errMsg = %q, want substring 'timed out'", errMsg)
 	}
 	// Verify dispatch classifier picks dispatch_timeout (the Phase
-	// 6c-specific kind), not adapter_timeout.
+	// 6c-specific kind), not adapter_timeout, even when truncated is
+	// also set — that's the precedence rule under test.
 	if got := classifyDispatchRunError(errMsg); got != "dispatch_timeout" {
 		t.Errorf("classifyDispatchRunError = %q, want dispatch_timeout", got)
 	}
@@ -383,7 +396,3 @@ func TestClassifyDispatchRunError(t *testing.T) {
 	}
 }
 
-// Compile-time guard: `io.Discard` is used elsewhere; keep an unused
-// reference here to avoid false-positive lint complaints if the imports
-// shift around during refactors.
-var _ io.Writer = io.Discard
diff --git a/backend/internal/connector/service.go b/backend/internal/connector/service.go
index 2cb6e7e..7c0a943 100644
--- a/backend/internal/connector/service.go
+++ b/backend/internal/connector/service.go
@@ -299,6 +299,12 @@ func (s *Service) RunOnceTask(ctx context.Context) (bool, error) {
 		if len(snippet) > 240 {
 			snippet = snippet[:240]
 		}
+		// Normalize newlines so the error message renders cleanly in
+		// stderr logs and the task result panel — matches the
+		// builtin_adapter.go pattern for the same snippet shape.
+		snippet = strings.ReplaceAll(snippet, "\r\n", " ")
+		snippet = strings.ReplaceAll(snippet, "\n", " ")
+		snippet = strings.ReplaceAll(snippet, "\r", " ")
 		errMsg := fmt.Sprintf("could not parse output as JSON: %v; first 240 chars: %s", extractErr, snippet)
 		fmt.Fprintf(s.Stderr, "task %s: %s\n", task.ID, errMsg)
 		if err := s.Client.SubmitTaskResult(ctx, task.ID, SubmitTaskResultRequest{