feat: add everything-claude-code ECC bundle (.claude/commands/add-or-update-skill.md)

.agents/skills/everything-claude-code/SKILL.md

@@ -230,156 +230,124 @@ Add Turkish (tr) docs and update README (#744)
 
 ### Add Or Update Skill
 
-Adds or updates a skill, including its documentation and configuration.
+Adds or updates a skill in the ECC system, including documentation and provenance.
+
+**Frequency**: ~3 times per month
+
+**Steps**:
+1. Create or update SKILL.md in the appropriate skills directory (e.g., skills/{skill-name}/SKILL.md or .claude/skills/{skill-name}/SKILL.md)
+2. Optionally add or update agent YAML files (e.g., .agents/skills/{skill-name}/agents/*.yaml)
+3. Optionally update provenance or placement policy files (e.g., schemas/provenance.schema.json, docs/SKILL-PLACEMENT-POLICY.md)
+
+**Files typically involved**:
+- `skills/*/SKILL.md`
+- `.claude/skills/*/SKILL.md`
+- `.agents/skills/*/SKILL.md`
+- `.agents/skills/*/agents/*.yaml`
+- `schemas/provenance.schema.json`
+- `docs/SKILL-PLACEMENT-POLICY.md`
+
+**Example commit sequence**:
+```
+Create or update SKILL.md in the appropriate skills directory (e.g., skills/{skill-name}/SKILL.md or .claude/skills/{skill-name}/SKILL.md)
+Optionally add or update agent YAML files (e.g., .agents/skills/{skill-name}/agents/*.yaml)
+Optionally update provenance or placement policy files (e.g., schemas/provenance.schema.json, docs/SKILL-PLACEMENT-POLICY.md)
+```
+
+### Add Or Update Command Documentation
+
+Adds or updates documentation for a command, often as part of a new feature or workflow.
+
+**Frequency**: ~4 times per month
+
+**Steps**:
+1. Create or update .claude/commands/{command-name}.md
+2. Optionally update localized docs (e.g., docs/zh-CN/commands/{command-name}.md, docs/tr/commands/{command-name}.md, docs/pt-BR/commands/{command-name}.md)
+
+**Files typically involved**:
+- `.claude/commands/*.md`
+- `docs/zh-CN/commands/*.md`
+- `docs/tr/commands/*.md`
+- `docs/pt-BR/commands/*.md`
+
+**Example commit sequence**:
+```
+Create or update .claude/commands/{command-name}.md
+Optionally update localized docs (e.g., docs/zh-CN/commands/{command-name}.md, docs/tr/commands/{command-name}.md, docs/pt-BR/commands/{command-name}.md)
+```
+
+### Add Or Update Localized Documentation
+
+Adds or updates documentation in a new or existing language (localization).
 
 **Frequency**: ~2 times per month
 
 **Steps**:
-1. Create or update .claude/commands/add-or-update-skill.md
-2. Create or update .claude/skills/<skill-name>/SKILL.md
-3. Optionally update .agents/skills/<skill-name>/SKILL.md
-4. Optionally update .agents/skills/<skill-name>/agents/*.yaml
+1. Add or update files in docs/{locale}/ (where locale is zh-CN, tr, pt-BR, etc.)
+2. Update README.md to reflect new language support
 
 **Files typically involved**:
-- `.claude/commands/add-or-update-skill.md`
+- `docs/zh-CN/**/*`
+- `docs/tr/**/*`
+- `docs/pt-BR/**/*`
+- `README.md`
+
+**Example commit sequence**:
+```
+Add or update files in docs/{locale}/ (where locale is zh-CN, tr, pt-BR, etc.)
+Update README.md to reflect new language support
+```
+
+### Update Or Add Hooks
+
+Adds or updates hooks for validation, config protection, or workflow automation.
+
+**Frequency**: ~2 times per month
+
+**Steps**:
+1. Edit hooks/hooks.json to add or update hook definitions
+2. Create or update scripts/hooks/*.js or .ts for hook logic
+3. Optionally update plugin files (e.g., .opencode/plugins/ecc-hooks.ts)
+
+**Files typically involved**:
+- `hooks/hooks.json`
+- `scripts/hooks/*.js`
+- `.opencode/plugins/*.ts`
+
+**Example commit sequence**:
+```
+Edit hooks/hooks.json to add or update hook definitions
+Create or update scripts/hooks/*.js or .ts for hook logic
+Optionally update plugin files (e.g., .opencode/plugins/ecc-hooks.ts)
+```
+
+### Add Or Update Ecc Bundle
+
+Adds or updates a set of ECC configuration, command, or skill files as a bundle.
+
+**Frequency**: ~2 times per month
+
+**Steps**:
+1. Create or update files in .claude/ (commands, skills, rules, team, identity, etc.)
+2. Optionally update .codex/agents/*.toml and .agents/skills/*
+3. Repeat for each bundle component as needed
+
+**Files typically involved**:
+- `.claude/commands/*.md`
 - `.claude/skills/*/SKILL.md`
+- `.claude/rules/*.md`
+- `.claude/team/*.json`
+- `.claude/identity.json`
+- `.claude/ecc-tools.json`
+- `.codex/agents/*.toml`
 - `.agents/skills/*/SKILL.md`
 - `.agents/skills/*/agents/*.yaml`
 
 **Example commit sequence**:
 ```
-Create or update .claude/commands/add-or-update-skill.md
-Create or update .claude/skills/<skill-name>/SKILL.md
-Optionally update .agents/skills/<skill-name>/SKILL.md
-Optionally update .agents/skills/<skill-name>/agents/*.yaml
-```
-
-### Add Or Update Command Documentation
-
-Adds or updates documentation for a CLI command or workflow.
-
-**Frequency**: ~3 times per month
-
-**Steps**:
-1. Create or update .claude/commands/<command-name>.md
-
-**Files typically involved**:
-- `.claude/commands/*.md`
-
-**Example commit sequence**:
-```
-Create or update .claude/commands/<command-name>.md
-```
-
-### Add Or Update Database Migration Patterns
-
-Adds or updates database migration patterns or documentation.
-
-**Frequency**: ~2 times per month
-
-**Steps**:
-1. Create or update .claude/commands/database-migration.md
-2. Create or update skills/database-migrations/SKILL.md
-
-**Files typically involved**:
-- `.claude/commands/database-migration.md`
-- `skills/database-migrations/SKILL.md`
-
-**Example commit sequence**:
-```
-Create or update .claude/commands/database-migration.md
-Create or update skills/database-migrations/SKILL.md
-```
-
-### Add Or Update Team Or Identity Config
-
-Adds or updates team configuration or identity files.
-
-**Frequency**: ~2 times per month
-
-**Steps**:
-1. Create or update .claude/team/everything-claude-code-team-config.json
-2. Create or update .claude/identity.json
-
-**Files typically involved**:
-- `.claude/team/everything-claude-code-team-config.json`
-- `.claude/identity.json`
-
-**Example commit sequence**:
-```
-Create or update .claude/team/everything-claude-code-team-config.json
-Create or update .claude/identity.json
-```
-
-### Add Or Update Guardrails Or Controls
-
-Adds or updates project guardrails, rules, or enterprise controls.
-
-**Frequency**: ~2 times per month
-
-**Steps**:
-1. Create or update .claude/rules/everything-claude-code-guardrails.md
-2. Create or update .claude/enterprise/controls.md
-
-**Files typically involved**:
-- `.claude/rules/everything-claude-code-guardrails.md`
-- `.claude/enterprise/controls.md`
-
-**Example commit sequence**:
-```
-Create or update .claude/rules/everything-claude-code-guardrails.md
-Create or update .claude/enterprise/controls.md
-```
-
-### Add Or Update Agent Config
-
-Adds or updates agent configuration TOML files.
-
-**Frequency**: ~2 times per month
-
-**Steps**:
-1. Create or update .codex/agents/*.toml
-
-**Files typically involved**:
-- `.codex/agents/*.toml`
-
-**Example commit sequence**:
-```
-Create or update .codex/agents/*.toml
-```
-
-### Add Or Update Research Playbook
-
-Adds or updates research playbooks or process documentation.
-
-**Frequency**: ~2 times per month
-
-**Steps**:
-1. Create or update .claude/research/everything-claude-code-research-playbook.md
-
-**Files typically involved**:
-- `.claude/research/everything-claude-code-research-playbook.md`
-
-**Example commit sequence**:
-```
-Create or update .claude/research/everything-claude-code-research-playbook.md
-```
-
-### Add Or Update Ecc Tools Config
-
-Adds or updates ECC tools configuration.
-
-**Frequency**: ~2 times per month
-
-**Steps**:
-1. Create or update .claude/ecc-tools.json
-
-**Files typically involved**:
-- `.claude/ecc-tools.json`
-
-**Example commit sequence**:
-```
-Create or update .claude/ecc-tools.json
+Create or update files in .claude/ (commands, skills, rules, team, identity, etc.)
+Optionally update .codex/agents/*.toml and .agents/skills/*
+Repeat for each bundle component as needed
 ```
 
 

.claude/commands/add-or-update-skill-documentation.md

@@ -10,12 +10,13 @@ Use this workflow when working on **add-or-update-skill-documentation** in `ever
 
 ## Goal
 
-Adds a new skill or updates existing skill documentation, typically in SKILL.md under skills/<skill-name>/ or docs/<lang>/skills/<skill-name>/SKILL.md.
+Adds a new skill or updates documentation for an existing skill, typically in the form of a SKILL.md file under skills/ or skills/*/SKILL.md.
 
 ## Common Files
 
 - `skills/*/SKILL.md`
-- `docs/*/skills/*/SKILL.md`
+- `AGENTS.md`
+- `README.md`
 
 ## Suggested Sequence
 
@@ -26,9 +27,9 @@ Adds a new skill or updates existing skill documentation, typically in SKILL.md
 
 ## Typical Commit Signals
 
-- Create or update SKILL.md in the appropriate skills/<skill-name>/ directory.
-- Optionally update language-localized documentation under docs/<lang>/skills/<skill-name>/SKILL.md.
-- Commit with a message referencing the skill and summary of the change.
+- Create or update skills/<skill-name>/SKILL.md
+- Optionally update AGENTS.md or README.md to reflect new skill
+- Optionally add architecture diagrams or implementation notes
 
 ## Notes
 

.claude/commands/add-or-update-skill.md

@@ -10,14 +10,16 @@ Use this workflow when working on **add-or-update-skill** in `everything-claude-
 
 ## Goal
 
-Adds or updates a skill, including its documentation and configuration.
+Adds or updates a skill in the ECC system, including documentation and provenance.
 
 ## Common Files
 
-- `.claude/commands/add-or-update-skill.md`
+- `skills/*/SKILL.md`
 - `.claude/skills/*/SKILL.md`
 - `.agents/skills/*/SKILL.md`
 - `.agents/skills/*/agents/*.yaml`
+- `schemas/provenance.schema.json`
+- `docs/SKILL-PLACEMENT-POLICY.md`
 
 ## Suggested Sequence
 
@@ -28,10 +30,9 @@ Adds or updates a skill, including its documentation and configuration.
 
 ## Typical Commit Signals
 
-- Create or update .claude/commands/add-or-update-skill.md
-- Create or update .claude/skills/<skill-name>/SKILL.md
-- Optionally update .agents/skills/<skill-name>/SKILL.md
-- Optionally update .agents/skills/<skill-name>/agents/*.yaml
+- Create or update SKILL.md in the appropriate skills directory (e.g., skills/{skill-name}/SKILL.md or .claude/skills/{skill-name}/SKILL.md)
+- Optionally add or update agent YAML files (e.g., .agents/skills/{skill-name}/agents/*.yaml)
+- Optionally update provenance or placement policy files (e.g., schemas/provenance.schema.json, docs/SKILL-PLACEMENT-POLICY.md)
 
 ## Notes
 

.claude/ecc-tools.json

@@ -2,7 +2,7 @@
   "version": "1.3",
   "schemaVersion": "1.0",
   "generatedBy": "ecc-tools",
-  "generatedAt": "2026-03-24T10:43:54.594Z",
+  "generatedAt": "2026-03-24T10:44:06.345Z",
   "repo": "https://github.com/affaan-m/everything-claude-code",
   "profiles": {
     "requested": "full",

.claude/identity.json

@@ -10,5 +10,5 @@
     "javascript"
   ],
   "suggestedBy": "ecc-tools-repo-analysis",
-  "createdAt": "2026-03-24T10:44:09.205Z"
+  "createdAt": "2026-03-24T10:44:20.963Z"
 }

.claude/research/everything-claude-code-research-playbook.md

@@ -18,4 +18,4 @@ Use this when the task is documentation-heavy, source-sensitive, or requires bro
 
 - Primary language: JavaScript
 - Framework: Not detected
-- Workflows detected: 10
+- Workflows detected: 7

.claude/rules/everything-claude-code-guardrails.md

@@ -26,7 +26,7 @@ Generated by ECC Tools from repository history. Review before treating it as a h
 
 - database-migration: Database schema changes with migration files
 - feature-development: Standard feature implementation workflow
-- add-or-update-skill: Adds or updates a skill, including its documentation and configuration.
+- add-or-update-skill: Adds or updates a skill in the ECC system, including documentation and provenance.
 
 ## Review Reminder
 

.claude/skills/everything-claude-code/SKILL.md

@@ -230,156 +230,124 @@ Add Turkish (tr) docs and update README (#744)
 
 ### Add Or Update Skill
 
-Adds or updates a skill, including its documentation and configuration.
+Adds or updates a skill in the ECC system, including documentation and provenance.
+
+**Frequency**: ~3 times per month
+
+**Steps**:
+1. Create or update SKILL.md in the appropriate skills directory (e.g., skills/{skill-name}/SKILL.md or .claude/skills/{skill-name}/SKILL.md)
+2. Optionally add or update agent YAML files (e.g., .agents/skills/{skill-name}/agents/*.yaml)
+3. Optionally update provenance or placement policy files (e.g., schemas/provenance.schema.json, docs/SKILL-PLACEMENT-POLICY.md)
+
+**Files typically involved**:
+- `skills/*/SKILL.md`
+- `.claude/skills/*/SKILL.md`
+- `.agents/skills/*/SKILL.md`
+- `.agents/skills/*/agents/*.yaml`
+- `schemas/provenance.schema.json`
+- `docs/SKILL-PLACEMENT-POLICY.md`
+
+**Example commit sequence**:
+```
+Create or update SKILL.md in the appropriate skills directory (e.g., skills/{skill-name}/SKILL.md or .claude/skills/{skill-name}/SKILL.md)
+Optionally add or update agent YAML files (e.g., .agents/skills/{skill-name}/agents/*.yaml)
+Optionally update provenance or placement policy files (e.g., schemas/provenance.schema.json, docs/SKILL-PLACEMENT-POLICY.md)
+```
+
+### Add Or Update Command Documentation
+
+Adds or updates documentation for a command, often as part of a new feature or workflow.
+
+**Frequency**: ~4 times per month
+
+**Steps**:
+1. Create or update .claude/commands/{command-name}.md
+2. Optionally update localized docs (e.g., docs/zh-CN/commands/{command-name}.md, docs/tr/commands/{command-name}.md, docs/pt-BR/commands/{command-name}.md)
+
+**Files typically involved**:
+- `.claude/commands/*.md`
+- `docs/zh-CN/commands/*.md`
+- `docs/tr/commands/*.md`
+- `docs/pt-BR/commands/*.md`
+
+**Example commit sequence**:
+```
+Create or update .claude/commands/{command-name}.md
+Optionally update localized docs (e.g., docs/zh-CN/commands/{command-name}.md, docs/tr/commands/{command-name}.md, docs/pt-BR/commands/{command-name}.md)
+```
+
+### Add Or Update Localized Documentation
+
+Adds or updates documentation in a new or existing language (localization).
 
 **Frequency**: ~2 times per month
 
 **Steps**:
-1. Create or update .claude/commands/add-or-update-skill.md
-2. Create or update .claude/skills/<skill-name>/SKILL.md
-3. Optionally update .agents/skills/<skill-name>/SKILL.md
-4. Optionally update .agents/skills/<skill-name>/agents/*.yaml
+1. Add or update files in docs/{locale}/ (where locale is zh-CN, tr, pt-BR, etc.)
+2. Update README.md to reflect new language support
 
 **Files typically involved**:
-- `.claude/commands/add-or-update-skill.md`
+- `docs/zh-CN/**/*`
+- `docs/tr/**/*`
+- `docs/pt-BR/**/*`
+- `README.md`
+
+**Example commit sequence**:
+```
+Add or update files in docs/{locale}/ (where locale is zh-CN, tr, pt-BR, etc.)
+Update README.md to reflect new language support
+```
+
+### Update Or Add Hooks
+
+Adds or updates hooks for validation, config protection, or workflow automation.
+
+**Frequency**: ~2 times per month
+
+**Steps**:
+1. Edit hooks/hooks.json to add or update hook definitions
+2. Create or update scripts/hooks/*.js or .ts for hook logic
+3. Optionally update plugin files (e.g., .opencode/plugins/ecc-hooks.ts)
+
+**Files typically involved**:
+- `hooks/hooks.json`
+- `scripts/hooks/*.js`
+- `.opencode/plugins/*.ts`
+
+**Example commit sequence**:
+```
+Edit hooks/hooks.json to add or update hook definitions
+Create or update scripts/hooks/*.js or .ts for hook logic
+Optionally update plugin files (e.g., .opencode/plugins/ecc-hooks.ts)
+```
+
+### Add Or Update Ecc Bundle
+
+Adds or updates a set of ECC configuration, command, or skill files as a bundle.
+
+**Frequency**: ~2 times per month
+
+**Steps**:
+1. Create or update files in .claude/ (commands, skills, rules, team, identity, etc.)
+2. Optionally update .codex/agents/*.toml and .agents/skills/*
+3. Repeat for each bundle component as needed
+
+**Files typically involved**:
+- `.claude/commands/*.md`
 - `.claude/skills/*/SKILL.md`
+- `.claude/rules/*.md`
+- `.claude/team/*.json`
+- `.claude/identity.json`
+- `.claude/ecc-tools.json`
+- `.codex/agents/*.toml`
 - `.agents/skills/*/SKILL.md`
 - `.agents/skills/*/agents/*.yaml`
 
 **Example commit sequence**:
 ```
-Create or update .claude/commands/add-or-update-skill.md
-Create or update .claude/skills/<skill-name>/SKILL.md
-Optionally update .agents/skills/<skill-name>/SKILL.md
-Optionally update .agents/skills/<skill-name>/agents/*.yaml
-```
-
-### Add Or Update Command Documentation
-
-Adds or updates documentation for a CLI command or workflow.
-
-**Frequency**: ~3 times per month
-
-**Steps**:
-1. Create or update .claude/commands/<command-name>.md
-
-**Files typically involved**:
-- `.claude/commands/*.md`
-
-**Example commit sequence**:
-```
-Create or update .claude/commands/<command-name>.md
-```
-
-### Add Or Update Database Migration Patterns
-
-Adds or updates database migration patterns or documentation.
-
-**Frequency**: ~2 times per month
-
-**Steps**:
-1. Create or update .claude/commands/database-migration.md
-2. Create or update skills/database-migrations/SKILL.md
-
-**Files typically involved**:
-- `.claude/commands/database-migration.md`
-- `skills/database-migrations/SKILL.md`
-
-**Example commit sequence**:
-```
-Create or update .claude/commands/database-migration.md
-Create or update skills/database-migrations/SKILL.md
-```
-
-### Add Or Update Team Or Identity Config
-
-Adds or updates team configuration or identity files.
-
-**Frequency**: ~2 times per month
-
-**Steps**:
-1. Create or update .claude/team/everything-claude-code-team-config.json
-2. Create or update .claude/identity.json
-
-**Files typically involved**:
-- `.claude/team/everything-claude-code-team-config.json`
-- `.claude/identity.json`
-
-**Example commit sequence**:
-```
-Create or update .claude/team/everything-claude-code-team-config.json
-Create or update .claude/identity.json
-```
-
-### Add Or Update Guardrails Or Controls
-
-Adds or updates project guardrails, rules, or enterprise controls.
-
-**Frequency**: ~2 times per month
-
-**Steps**:
-1. Create or update .claude/rules/everything-claude-code-guardrails.md
-2. Create or update .claude/enterprise/controls.md
-
-**Files typically involved**:
-- `.claude/rules/everything-claude-code-guardrails.md`
-- `.claude/enterprise/controls.md`
-
-**Example commit sequence**:
-```
-Create or update .claude/rules/everything-claude-code-guardrails.md
-Create or update .claude/enterprise/controls.md
-```
-
-### Add Or Update Agent Config
-
-Adds or updates agent configuration TOML files.
-
-**Frequency**: ~2 times per month
-
-**Steps**:
-1. Create or update .codex/agents/*.toml
-
-**Files typically involved**:
-- `.codex/agents/*.toml`
-
-**Example commit sequence**:
-```
-Create or update .codex/agents/*.toml
-```
-
-### Add Or Update Research Playbook
-
-Adds or updates research playbooks or process documentation.
-
-**Frequency**: ~2 times per month
-
-**Steps**:
-1. Create or update .claude/research/everything-claude-code-research-playbook.md
-
-**Files typically involved**:
-- `.claude/research/everything-claude-code-research-playbook.md`
-
-**Example commit sequence**:
-```
-Create or update .claude/research/everything-claude-code-research-playbook.md
-```
-
-### Add Or Update Ecc Tools Config
-
-Adds or updates ECC tools configuration.
-
-**Frequency**: ~2 times per month
-
-**Steps**:
-1. Create or update .claude/ecc-tools.json
-
-**Files typically involved**:
-- `.claude/ecc-tools.json`
-
-**Example commit sequence**:
-```
-Create or update .claude/ecc-tools.json
+Create or update files in .claude/ (commands, skills, rules, team, identity, etc.)
+Optionally update .codex/agents/*.toml and .agents/skills/*
+Repeat for each bundle component as needed
 ```
 
 

.claude/team/everything-claude-code-team-config.json

@@ -11,5 +11,5 @@
     ".claude/commands/feature-development.md",
     ".claude/commands/add-or-update-skill.md"
   ],
-  "updatedAt": "2026-03-24T10:43:54.594Z"
+  "updatedAt": "2026-03-24T10:44:06.345Z"
 }

ecc2/src/config/mod.rs

@@ -2,7 +2,16 @@ use anyhow::Result;
 use serde::{Deserialize, Serialize};
 use std::path::PathBuf;
 
+#[derive(Debug, Clone, Copy, PartialEq, Serialize, Deserialize)]
+#[serde(default)]
+pub struct RiskThresholds {
+    pub review: f64,
+    pub confirm: f64,
+    pub block: f64,
+}
+
 #[derive(Debug, Clone, Serialize, Deserialize)]
+#[serde(default)]
 pub struct Config {
     pub db_path: PathBuf,
     pub worktree_root: PathBuf,
@@ -12,6 +21,7 @@ pub struct Config {
     pub heartbeat_interval_secs: u64,
     pub default_agent: String,
     pub theme: Theme,
+    pub risk_thresholds: RiskThresholds,
 }
 
 #[derive(Debug, Clone, Serialize, Deserialize)]
@@ -32,11 +42,18 @@ impl Default for Config {
             heartbeat_interval_secs: 30,
             default_agent: "claude".to_string(),
             theme: Theme::Dark,
+            risk_thresholds: Self::RISK_THRESHOLDS,
         }
     }
 }
 
 impl Config {
+    pub const RISK_THRESHOLDS: RiskThresholds = RiskThresholds {
+        review: 0.35,
+        confirm: 0.60,
+        block: 0.85,
+    };
+
     pub fn load() -> Result<Self> {
         let config_path = dirs::home_dir()
             .unwrap_or_else(|| PathBuf::from("."))
@@ -52,3 +69,40 @@ impl Config {
         }
     }
 }
+
+impl Default for RiskThresholds {
+    fn default() -> Self {
+        Config::RISK_THRESHOLDS
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::Config;
+
+    #[test]
+    fn default_config_uses_default_risk_thresholds() {
+        let config = Config::default();
+
+        assert_eq!(config.risk_thresholds, Config::RISK_THRESHOLDS);
+    }
+
+    #[test]
+    fn deserialization_defaults_risk_thresholds() {
+        let config: Config = toml::from_str(
+            r#"
+db_path = "/tmp/ecc2.db"
+worktree_root = "/tmp/ecc-worktrees"
+max_parallel_sessions = 8
+max_parallel_worktrees = 6
+session_timeout_secs = 3600
+heartbeat_interval_secs = 30
+default_agent = "claude"
+theme = "Dark"
+"#,
+        )
+        .expect("config should deserialize");
+
+        assert_eq!(config.risk_thresholds, Config::RISK_THRESHOLDS);
+    }
+}

ecc2/src/observability/mod.rs

@@ -1,6 +1,7 @@
-use anyhow::{bail, Result};
+use anyhow::Result;
 use serde::{Deserialize, Serialize};
 
+use crate::config::RiskThresholds;
 use crate::session::store::StateStore;
 
 #[derive(Debug, Clone, Serialize, Deserialize)]
@@ -13,169 +14,278 @@ pub struct ToolCallEvent {
     pub risk_score: f64,
 }
 
+#[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
+pub struct RiskAssessment {
+    pub score: f64,
+    pub reasons: Vec<String>,
+    pub suggested_action: SuggestedAction,
+}
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
+#[serde(rename_all = "snake_case")]
+pub enum SuggestedAction {
+    Allow,
+    Review,
+    RequireConfirmation,
+    Block,
+}
+
 impl ToolCallEvent {
-    pub fn new(
-        session_id: impl Into<String>,
-        tool_name: impl Into<String>,
-        input_summary: impl Into<String>,
-        output_summary: impl Into<String>,
-        duration_ms: u64,
-    ) -> Self {
-        let tool_name = tool_name.into();
-        let input_summary = input_summary.into();
+    /// Compute risk from the tool type and input characteristics.
+    pub fn compute_risk(
+        tool_name: &str,
+        input: &str,
+        thresholds: &RiskThresholds,
+    ) -> RiskAssessment {
+        let normalized_tool = tool_name.to_ascii_lowercase();
+        let normalized_input = input.to_ascii_lowercase();
+        let mut score = 0.0;
+        let mut reasons = Vec::new();
 
-        Self {
-            session_id: session_id.into(),
-            risk_score: Self::compute_risk(&tool_name, &input_summary),
-            tool_name,
-            input_summary,
-            output_summary: output_summary.into(),
-            duration_ms,
+        let (base_score, base_reason) = base_tool_risk(&normalized_tool);
+        score += base_score;
+        if let Some(reason) = base_reason {
+            reasons.push(reason.to_string());
+        }
+
+        let (file_sensitivity_score, file_sensitivity_reason) =
+            assess_file_sensitivity(&normalized_input);
+        score += file_sensitivity_score;
+        if let Some(reason) = file_sensitivity_reason {
+            reasons.push(reason);
+        }
+
+        let (blast_radius_score, blast_radius_reason) = assess_blast_radius(&normalized_input);
+        score += blast_radius_score;
+        if let Some(reason) = blast_radius_reason {
+            reasons.push(reason);
+        }
+
+        let (irreversibility_score, irreversibility_reason) =
+            assess_irreversibility(&normalized_input);
+        score += irreversibility_score;
+        if let Some(reason) = irreversibility_reason {
+            reasons.push(reason);
+        }
+
+        let score = score.clamp(0.0, 1.0);
+        let suggested_action = SuggestedAction::from_score(score, thresholds);
+
+        RiskAssessment {
+            score,
+            reasons,
+            suggested_action,
         }
     }
+}
 
-    /// Compute risk score based on tool type and input patterns.
-    pub fn compute_risk(tool_name: &str, input: &str) -> f64 {
-        let mut score: f64 = 0.0;
-
-        // Destructive tools get higher base risk
-        match tool_name {
-            "Bash" => score += 0.3,
-            "Write" => score += 0.2,
-            "Edit" => score += 0.1,
-            _ => score += 0.05,
+impl SuggestedAction {
+    fn from_score(score: f64, thresholds: &RiskThresholds) -> Self {
+        if score >= thresholds.block {
+            Self::Block
+        } else if score >= thresholds.confirm {
+            Self::RequireConfirmation
+        } else if score >= thresholds.review {
+            Self::Review
+        } else {
+            Self::Allow
         }
+    }
+}
 
-        // Dangerous patterns in bash commands
-        if tool_name == "Bash" {
-            if input.contains("rm -rf") || input.contains("--force") {
-                score += 0.4;
-            }
-            if input.contains("git push") || input.contains("git reset") {
-                score += 0.3;
-            }
-            if input.contains("sudo") || input.contains("chmod 777") {
-                score += 0.5;
-            }
-        }
-
-        score.min(1.0)
+fn base_tool_risk(tool_name: &str) -> (f64, Option<&'static str>) {
+    match tool_name {
+        "bash" => (
+            0.20,
+            Some("shell execution can modify local or shared state"),
+        ),
+        "write" | "multiedit" => (0.15, Some("writes files directly")),
+        "edit" => (0.10, Some("modifies existing files")),
+        _ => (0.05, None),
     }
 }
 
-#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
-pub struct ToolLogEntry {
-    pub id: i64,
-    pub session_id: String,
-    pub tool_name: String,
-    pub input_summary: String,
-    pub output_summary: String,
-    pub duration_ms: u64,
-    pub risk_score: f64,
-    pub timestamp: String,
-}
+fn assess_file_sensitivity(input: &str) -> (f64, Option<String>) {
+    const SECRET_PATTERNS: &[&str] = &[
+        ".env",
+        "secret",
+        "credential",
+        "token",
+        "api_key",
+        "apikey",
+        "auth",
+        "id_rsa",
+        ".pem",
+        ".key",
+    ];
+    const SHARED_INFRA_PATTERNS: &[&str] = &[
+        "cargo.toml",
+        "package.json",
+        "dockerfile",
+        ".github/workflows",
+        "schema",
+        "migration",
+        "production",
+    ];
 
-#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
-pub struct ToolLogPage {
-    pub entries: Vec<ToolLogEntry>,
-    pub page: u64,
-    pub page_size: u64,
-    pub total: u64,
-}
-
-pub struct ToolLogger<'a> {
-    db: &'a StateStore,
-}
-
-impl<'a> ToolLogger<'a> {
-    pub fn new(db: &'a StateStore) -> Self {
-        Self { db }
-    }
-
-    pub fn log(&self, event: &ToolCallEvent) -> Result<ToolLogEntry> {
-        let timestamp = chrono::Utc::now().to_rfc3339();
-
-        self.db.insert_tool_log(
-            &event.session_id,
-            &event.tool_name,
-            &event.input_summary,
-            &event.output_summary,
-            event.duration_ms,
-            event.risk_score,
-            &timestamp,
+    if contains_any(input, SECRET_PATTERNS) {
+        (
+            0.25,
+            Some("targets a sensitive file or credential surface".to_string()),
         )
-    }
-
-    pub fn query(&self, session_id: &str, page: u64, page_size: u64) -> Result<ToolLogPage> {
-        if page_size == 0 {
-            bail!("page_size must be greater than 0");
-        }
-
-        self.db.query_tool_logs(session_id, page.max(1), page_size)
+    } else if contains_any(input, SHARED_INFRA_PATTERNS) {
+        (
+            0.15,
+            Some("targets shared infrastructure or release-critical files".to_string()),
+        )
+    } else {
+        (0.0, None)
     }
 }
 
-pub fn log_tool_call(db: &StateStore, event: &ToolCallEvent) -> Result<ToolLogEntry> {
-    ToolLogger::new(db).log(event)
+fn assess_blast_radius(input: &str) -> (f64, Option<String>) {
+    const LARGE_SCOPE_PATTERNS: &[&str] = &[
+        "**",
+        "/*",
+        "--all",
+        "--recursive",
+        "entire repo",
+        "all files",
+        "across src/",
+        "find ",
+        " xargs ",
+    ];
+    const SHARED_STATE_PATTERNS: &[&str] = &[
+        "git push --force",
+        "git push -f",
+        "origin main",
+        "origin master",
+        "rm -rf .",
+        "rm -rf /",
+    ];
+
+    if contains_any(input, SHARED_STATE_PATTERNS) {
+        (
+            0.35,
+            Some("has a broad blast radius across shared state or history".to_string()),
+        )
+    } else if contains_any(input, LARGE_SCOPE_PATTERNS) {
+        (
+            0.25,
+            Some("has a broad blast radius across multiple files or directories".to_string()),
+        )
+    } else {
+        (0.0, None)
+    }
+}
+
+fn assess_irreversibility(input: &str) -> (f64, Option<String>) {
+    const HIGH_IRREVERSIBILITY_PATTERNS: &[&str] = &[
+        "rm -rf",
+        "git reset --hard",
+        "git clean -fd",
+        "drop database",
+        "drop table",
+        "truncate ",
+        "shred ",
+    ];
+    const MODERATE_IRREVERSIBILITY_PATTERNS: &[&str] =
+        &["rm -f", "git push --force", "git push -f", "delete from"];
+
+    if contains_any(input, HIGH_IRREVERSIBILITY_PATTERNS) {
+        (
+            0.45,
+            Some("includes an irreversible or destructive operation".to_string()),
+        )
+    } else if contains_any(input, MODERATE_IRREVERSIBILITY_PATTERNS) {
+        (
+            0.40,
+            Some("includes an irreversible or difficult-to-undo operation".to_string()),
+        )
+    } else {
+        (0.0, None)
+    }
+}
+
+fn contains_any(input: &str, patterns: &[&str]) -> bool {
+    patterns.iter().any(|pattern| input.contains(pattern))
+}
+
+pub fn log_tool_call(db: &StateStore, event: &ToolCallEvent) -> Result<()> {
+    db.send_message(
+        &event.session_id,
+        "observability",
+        &serde_json::to_string(event)?,
+        "tool_call",
+    )?;
+    Ok(())
 }
 
 #[cfg(test)]
 mod tests {
-    use super::{ToolCallEvent, ToolLogger};
-    use crate::session::store::StateStore;
-    use crate::session::{Session, SessionMetrics, SessionState};
-    use std::path::PathBuf;
+    use super::{SuggestedAction, ToolCallEvent};
+    use crate::config::Config;
 
-    fn test_db_path() -> PathBuf {
-        std::env::temp_dir().join(format!("ecc2-observability-{}.db", uuid::Uuid::new_v4()))
-    }
+    #[test]
+    fn computes_sensitive_file_risk() {
+        let assessment = ToolCallEvent::compute_risk(
+            "Write",
+            "Update .env.production with rotated API token",
+            &Config::RISK_THRESHOLDS,
+        );
 
-    fn test_session(id: &str) -> Session {
-        let now = chrono::Utc::now();
-
-        Session {
-            id: id.to_string(),
-            task: "test task".to_string(),
-            agent_type: "claude".to_string(),
-            state: SessionState::Pending,
-            worktree: None,
-            created_at: now,
-            updated_at: now,
-            metrics: SessionMetrics::default(),
-        }
+        assert!(assessment.score >= Config::RISK_THRESHOLDS.review);
+        assert_eq!(assessment.suggested_action, SuggestedAction::Review);
+        assert!(assessment
+            .reasons
+            .iter()
+            .any(|reason| reason.contains("sensitive file")));
     }
 
     #[test]
-    fn compute_risk_caps_high_risk_bash_commands() {
-        let score = ToolCallEvent::compute_risk("Bash", "sudo rm -rf /tmp --force");
-        assert_eq!(score, 1.0);
+    fn computes_blast_radius_risk() {
+        let assessment = ToolCallEvent::compute_risk(
+            "Edit",
+            "Apply the same replacement across src/**/*.rs",
+            &Config::RISK_THRESHOLDS,
+        );
+
+        assert!(assessment.score >= Config::RISK_THRESHOLDS.review);
+        assert_eq!(assessment.suggested_action, SuggestedAction::Review);
+        assert!(assessment
+            .reasons
+            .iter()
+            .any(|reason| reason.contains("blast radius")));
     }
 
     #[test]
-    fn logger_persists_entries_and_paginates() -> anyhow::Result<()> {
-        let db_path = test_db_path();
-        let db = StateStore::open(&db_path)?;
-        db.insert_session(&test_session("sess-1"))?;
+    fn computes_irreversible_risk() {
+        let assessment = ToolCallEvent::compute_risk(
+            "Bash",
+            "rm -f /tmp/ecc-temp.txt",
+            &Config::RISK_THRESHOLDS,
+        );
 
-        let logger = ToolLogger::new(&db);
+        assert!(assessment.score >= Config::RISK_THRESHOLDS.confirm);
+        assert_eq!(
+            assessment.suggested_action,
+            SuggestedAction::RequireConfirmation,
+        );
+        assert!(assessment
+            .reasons
+            .iter()
+            .any(|reason| reason.contains("irreversible")));
+    }
 
-        logger.log(&ToolCallEvent::new("sess-1", "Read", "first", "ok", 5))?;
-        logger.log(&ToolCallEvent::new("sess-1", "Write", "second", "ok", 15))?;
-        logger.log(&ToolCallEvent::new("sess-1", "Bash", "third", "ok", 25))?;
+    #[test]
+    fn blocks_combined_high_risk_operations() {
+        let assessment = ToolCallEvent::compute_risk(
+            "Bash",
+            "rm -rf . && git push --force origin main",
+            &Config::RISK_THRESHOLDS,
+        );
 
-        let first_page = logger.query("sess-1", 1, 2)?;
-        assert_eq!(first_page.total, 3);
-        assert_eq!(first_page.entries.len(), 2);
-        assert_eq!(first_page.entries[0].tool_name, "Bash");
-        assert_eq!(first_page.entries[1].tool_name, "Write");
-
-        let second_page = logger.query("sess-1", 2, 2)?;
-        assert_eq!(second_page.total, 3);
-        assert_eq!(second_page.entries.len(), 1);
-        assert_eq!(second_page.entries[0].tool_name, "Read");
-
-        std::fs::remove_file(&db_path).ok();
-
-        Ok(())
+        assert!(assessment.score >= Config::RISK_THRESHOLDS.block);
+        assert_eq!(assessment.suggested_action, SuggestedAction::Block);
     }
 }

ecc2/src/session/manager.rs

@@ -4,7 +4,6 @@ use std::fmt;
 use super::store::StateStore;
 use super::{Session, SessionMetrics, SessionState};
 use crate::config::Config;
-use crate::observability::{log_tool_call, ToolCallEvent, ToolLogEntry, ToolLogPage, ToolLogger};
 use crate::worktree;
 
 pub async fn create_session(
@@ -54,44 +53,6 @@ pub async fn stop_session(db: &StateStore, id: &str) -> Result<()> {
     Ok(())
 }
 
-pub fn record_tool_call(
-    db: &StateStore,
-    session_id: &str,
-    tool_name: &str,
-    input_summary: &str,
-    output_summary: &str,
-    duration_ms: u64,
-) -> Result<ToolLogEntry> {
-    let session = db
-        .get_session(session_id)?
-        .ok_or_else(|| anyhow::anyhow!("Session not found: {session_id}"))?;
-
-    let event = ToolCallEvent::new(
-        session.id.clone(),
-        tool_name,
-        input_summary,
-        output_summary,
-        duration_ms,
-    );
-    let entry = log_tool_call(db, &event)?;
-    db.increment_tool_calls(&session.id)?;
-
-    Ok(entry)
-}
-
-pub fn query_tool_calls(
-    db: &StateStore,
-    session_id: &str,
-    page: u64,
-    page_size: u64,
-) -> Result<ToolLogPage> {
-    let session = db
-        .get_session(session_id)?
-        .ok_or_else(|| anyhow::anyhow!("Session not found: {session_id}"))?;
-
-    ToolLogger::new(db).query(&session.id, page, page_size)
-}
-
 pub struct SessionStatus(Session);
 
 impl fmt::Display for SessionStatus {
@@ -113,41 +74,3 @@ impl fmt::Display for SessionStatus {
         write!(f, "Updated: {}", s.updated_at)
     }
 }
-
-#[cfg(test)]
-mod tests {
-    use super::{create_session, query_tool_calls, record_tool_call};
-    use crate::config::Config;
-    use crate::session::store::StateStore;
-
-    #[tokio::test]
-    async fn record_tool_call_updates_session_metrics() -> anyhow::Result<()> {
-        let db_path =
-            std::env::temp_dir().join(format!("ecc2-session-manager-{}.db", uuid::Uuid::new_v4()));
-        let db = StateStore::open(&db_path)?;
-
-        let cfg = Config {
-            db_path: db_path.clone(),
-            ..Config::default()
-        };
-
-        let session_id =
-            create_session(&db, &cfg, "implement tool logging", "claude", false).await?;
-
-        let entry = record_tool_call(&db, &session_id, "Bash", "git status", "clean worktree", 18)?;
-
-        assert_eq!(entry.session_id, session_id);
-        assert_eq!(entry.tool_name, "Bash");
-
-        let session = db.get_session(&session_id)?.expect("session should exist");
-        assert_eq!(session.metrics.tool_calls, 1);
-
-        let page = query_tool_calls(&db, &session_id[..4], 1, 10)?;
-        assert_eq!(page.total, 1);
-        assert_eq!(page.entries[0].output_summary, "clean worktree");
-
-        std::fs::remove_file(&db_path).ok();
-
-        Ok(())
-    }
-}

ecc2/src/session/store.rs

@@ -3,7 +3,6 @@ use rusqlite::Connection;
 use std::path::Path;
 
 use super::{Session, SessionMetrics, SessionState};
-use crate::observability::{ToolLogEntry, ToolLogPage};
 
 pub struct StateStore {
     conn: Connection,
@@ -113,14 +112,6 @@ impl StateStore {
         Ok(())
     }
 
-    pub fn increment_tool_calls(&self, session_id: &str) -> Result<()> {
-        self.conn.execute(
-            "UPDATE sessions SET tool_calls = tool_calls + 1, updated_at = ?1 WHERE id = ?2",
-            rusqlite::params![chrono::Utc::now().to_rfc3339(), session_id],
-        )?;
-        Ok(())
-    }
-
     pub fn list_sessions(&self) -> Result<Vec<Session>> {
         let mut stmt = self.conn.prepare(
             "SELECT id, task, agent_type, state, worktree_path, worktree_branch, worktree_base,
@@ -192,86 +183,4 @@ impl StateStore {
         )?;
         Ok(())
     }
-
-    pub fn insert_tool_log(
-        &self,
-        session_id: &str,
-        tool_name: &str,
-        input_summary: &str,
-        output_summary: &str,
-        duration_ms: u64,
-        risk_score: f64,
-        timestamp: &str,
-    ) -> Result<ToolLogEntry> {
-        self.conn.execute(
-            "INSERT INTO tool_log (session_id, tool_name, input_summary, output_summary, duration_ms, risk_score, timestamp)
-             VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7)",
-            rusqlite::params![
-                session_id,
-                tool_name,
-                input_summary,
-                output_summary,
-                duration_ms,
-                risk_score,
-                timestamp,
-            ],
-        )?;
-
-        Ok(ToolLogEntry {
-            id: self.conn.last_insert_rowid(),
-            session_id: session_id.to_string(),
-            tool_name: tool_name.to_string(),
-            input_summary: input_summary.to_string(),
-            output_summary: output_summary.to_string(),
-            duration_ms,
-            risk_score,
-            timestamp: timestamp.to_string(),
-        })
-    }
-
-    pub fn query_tool_logs(
-        &self,
-        session_id: &str,
-        page: u64,
-        page_size: u64,
-    ) -> Result<ToolLogPage> {
-        let page = page.max(1);
-        let offset = (page - 1) * page_size;
-
-        let total: u64 = self.conn.query_row(
-            "SELECT COUNT(*) FROM tool_log WHERE session_id = ?1",
-            rusqlite::params![session_id],
-            |row| row.get(0),
-        )?;
-
-        let mut stmt = self.conn.prepare(
-            "SELECT id, session_id, tool_name, input_summary, output_summary, duration_ms, risk_score, timestamp
-             FROM tool_log
-             WHERE session_id = ?1
-             ORDER BY timestamp DESC, id DESC
-             LIMIT ?2 OFFSET ?3",
-        )?;
-
-        let entries = stmt
-            .query_map(rusqlite::params![session_id, page_size, offset], |row| {
-                Ok(ToolLogEntry {
-                    id: row.get(0)?,
-                    session_id: row.get(1)?,
-                    tool_name: row.get(2)?,
-                    input_summary: row.get::<_, Option<String>>(3)?.unwrap_or_default(),
-                    output_summary: row.get::<_, Option<String>>(4)?.unwrap_or_default(),
-                    duration_ms: row.get::<_, Option<u64>>(5)?.unwrap_or_default(),
-                    risk_score: row.get::<_, Option<f64>>(6)?.unwrap_or_default(),
-                    timestamp: row.get(7)?,
-                })
-            })?
-            .collect::<Result<Vec<_>, _>>()?;
-
-        Ok(ToolLogPage {
-            entries,
-            page,
-            page_size,
-            total,
-        })
-    }
 }