Add steward, codex memory daemon, sync resolve config, cleanup binary, and disk headroom

Introduces project steward for repo health scanning and guarded repair,
codex memory session sync daemon over Unix socket, AI merge-resolution
tuning via [sync.resolve] in flow.toml, Go cleanup binary in deploy/install
scripts, disk headroom daemon config, and improved git-guard branch
attachment for jj-colocated repos. Scrubs private path references from
config and test fixtures.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: nikivdev

config/disk_headroom.toml

@@ -0,0 +1,84 @@
+[volume]
+path = "/System/Volumes/Data"
+
+[thresholds]
+hard_floor_gb = 50
+warning_gb = 70
+emergency_gb = 40
+stop_target_gb = 85
+
+[daemon]
+poll_interval_minutes = 10
+max_bytes_per_pass_gb = 120
+
+[state]
+root = "~/.config/flow-state/disk-headroom"
+protected_roots_ledger = "~/.config/flow-state/disk-headroom/protected-roots.json"
+
+[protection]
+roots = [
+  "~/code/workspace",
+  "~/code/flow",
+  "~/work/code",
+  "~/work/designer-origin-main",
+]
+pin_markers = [".keep-workspace"]
+
+[tier2]
+workspace_roots = ["~/work"]
+generated_cleanup_horizon_days = 5
+whole_workspace_prune_horizon_days = 21
+generated_dirs = [
+  "node_modules",
+  ".reactron",
+  ".reactron-native",
+  "target",
+  "dist",
+  "build",
+]
+max_scan_depth = 6
+
+[[tier1.allowlist]]
+path = "~/Library/Caches/zed/local-deploy-target"
+kind = "cache"
+reason = "Zed local deploy cache is rebuildable"
+
+[[tier1.allowlist]]
+path = "~/Library/Caches/zed/sccache"
+kind = "cache"
+reason = "Zed compiler cache is rebuildable"
+
+[[tier1.allowlist]]
+path = "~/Library/Caches/codex/local-build-target"
+kind = "build-output"
+reason = "Codex local build target is rebuildable"
+
+[[tier1.allowlist]]
+path = "~/code/flow/target"
+kind = "build-output"
+reason = "Flow Rust target dir is rebuildable"
+
+[[tier1.allowlist]]
+path = "~/code/workspace/target"
+kind = "build-output"
+reason = "Workspace Rust target dir is rebuildable"
+
+[[tier1.allowlist]]
+path = "~/.cache/uv"
+kind = "package-cache"
+reason = "uv package cache is rebuildable"
+
+[[tier1.allowlist]]
+path = "~/Library/Caches/pnpm"
+kind = "package-cache"
+reason = "pnpm package cache is rebuildable"
+
+[[tier1.allowlist]]
+path = "~/Library/Caches/reactron-rs"
+kind = "build-cache"
+reason = "reactron-rs cache is rebuildable"
+
+[[tier1.allowlist]]
+path = "~/Library/Caches/go-build"
+kind = "build-cache"
+reason = "Go build cache is rebuildable"

crates/flow_commit_scan/src/lib.rs

@@ -119,6 +119,24 @@ fn extract_first_quoted_value(s: &str) -> Option<&str> {
     Some(&s[qpos + 1..end])
 }
 
+fn extract_assignment_value(s: &str) -> Option<&str> {
+    s.split_once('=')
+        .or_else(|| s.split_once(':'))
+        .map(|(_, rhs)| rhs.trim())
+}
+
+fn strip_matching_quotes(value: &str) -> &str {
+    let v = value.trim();
+    if v.len() >= 2 {
+        let first = v.as_bytes()[0];
+        let last = v.as_bytes()[v.len() - 1];
+        if (first == b'"' && last == b'"') || (first == b'\'' && last == b'\'') {
+            return &v[1..v.len() - 1];
+        }
+    }
+    v
+}
+
 fn looks_like_identifier_reference(value: &str) -> bool {
     let v = value.trim();
     !v.is_empty()
@@ -161,30 +179,25 @@ fn looks_like_secret_lookup(value: &str) -> bool {
 }
 
 fn generic_secret_assignment_is_false_positive(content: &str, matched: &str) -> bool {
-    if let Some((_, rhs)) = matched.split_once('=') {
+    if let Some(rhs) = extract_assignment_value(matched) {
         let rhs = rhs.trim_start();
         if rhs.starts_with("\"$(") || rhs.starts_with("'$(") || rhs.starts_with("`") {
             return true;
         }
         if rhs.starts_with("\"$") || rhs.starts_with("'$") {
             return true;
         }
-    } else if let Some((_, rhs)) = matched.split_once(':') {
-        let rhs = rhs.trim_start();
-        if rhs.starts_with("\"$(") || rhs.starts_with("'$(") || rhs.starts_with("`") {
-            return true;
-        }
-        if rhs.starts_with("\"$") || rhs.starts_with("'$") {
+
+        let value = strip_matching_quotes(rhs);
+        if looks_like_identifier_reference(value) {
             return true;
         }
-    }
-
-    if let Some(val) = extract_first_quoted_value(matched) {
-        let v = val.trim();
-        if looks_like_identifier_reference(v) {
+        if looks_like_secret_lookup(value) {
             return true;
         }
-        if looks_like_secret_lookup(v) {
+    } else if let Some(val) = extract_first_quoted_value(matched) {
+        let value = val.trim();
+        if looks_like_identifier_reference(value) || looks_like_secret_lookup(value) {
             return true;
         }
     }
@@ -283,7 +296,7 @@ pub fn scan_diff_for_secrets(repo_root: &Path) -> Vec<SecretFinding> {
                         continue;
                     }
 
-                    if *name == "Generic Secret Assignment"
+                    if matches!(*name, "Generic Secret Assignment" | "Env Var Secret")
                         && generic_secret_assignment_is_false_positive(content, matched)
                     {
                         continue;
@@ -312,3 +325,39 @@ pub fn scan_diff_for_secrets(repo_root: &Path) -> Vec<SecretFinding> {
 
     findings
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    fn find_pattern<'a>(name: &str) -> &'a Regex {
+        compiled_secret_patterns()
+            .iter()
+            .find(|(pattern_name, _)| *pattern_name == name)
+            .map(|(_, re)| re)
+            .expect("secret pattern exists")
+    }
+
+    #[test]
+    fn env_var_secret_ignores_config_key_metadata() {
+        let line = r#"{ key = "REACTRON_DESIGNER_HERMES_BASE_URL", default = "http://hermes.data.svc.od2.prometheus.co" }"#;
+        let matched = find_pattern("Env Var Secret")
+            .find(line)
+            .map(|m| m.as_str())
+            .expect("pattern should match the metadata assignment");
+
+        assert_eq!(matched, r#"key = "REACTRON_DESIGNER_HERMES_BASE_URL""#);
+        assert!(generic_secret_assignment_is_false_positive(line, matched));
+    }
+
+    #[test]
+    fn env_var_secret_keeps_real_secret_like_assignment() {
+        let line = r#"OPENAI_API_KEY = "abcdEFGHijklMNOPqrstUVWXyz0123456789""#;
+        let matched = find_pattern("Env Var Secret")
+            .find(line)
+            .map(|m| m.as_str())
+            .expect("pattern should match a real env-style assignment");
+
+        assert!(!generic_secret_assignment_is_false_positive(line, matched));
+    }
+}

docs/commands/sync.md

@@ -145,6 +145,25 @@ remote = "origin"  # default push remote
 home_branch = "alice" # optional long-lived personal integration branch
 ```
 
+### AI conflict-resolution tuning
+
+Set in `flow.toml` under `[sync.resolve]`:
+
+```toml
+[sync.resolve]
+effort = "xhigh"
+instructions = ["Preserve fork-specific behavior."]
+prioritize_paths = ["src/hot.rs", "tests/*"]
+deprioritize_paths = ["schema/*", "*.snap"]
+```
+
+Notes:
+
+- `effort` is passed through to the Codex merge helper.
+- `instructions` are appended to the merge-resolution prompt.
+- `prioritize_paths` and `deprioritize_paths` use simple `*` wildcards over repo-relative file paths.
+- This is the preferred place for repo-specific fork heuristics; avoid hard-coding them in Flow.
+
 ### Fork push
 
 When a fork push target is configured, sync redirects push to the fork remote automatically.

docs/flow-toml-spec.md

@@ -83,6 +83,12 @@ install = ["linear"]  # optional: ensure skills are installed (local ~/.codex/sk
 # codex_bin = "~/code/flow/scripts/codex-jazz-wrapper"
 # You can set this in repo flow.toml or global ~/.config/flow/flow.toml
 
+[sync.resolve]       # optional: AI merge-resolution tuning for `f sync`
+# effort = "xhigh"   # reasoning effort passed to the Codex helper
+# instructions = ["Preserve fork-specific behavior."]
+# prioritize_paths = ["src/hot.rs", "tests/*"]
+# deprioritize_paths = ["schema/*", "*.snap"]
+
 [commit.testing]      # optional: local commit-time test gate
 # mode = "warn"       # "warn" | "block" | "off"
 # runner = "bun"      # currently optimized for bun in Bun repos
@@ -154,6 +160,7 @@ fr = "f run"
   - `f up` task fallback order: `up`, then `dev` (unless `up_task` is set).
   - `f down` task fallback: `down`; if missing and `down_task` is unset, Flow falls back to project-wide `f kill --all`.
 - `[options]`: optional integration/runtime toggles; use `myflow_mirror` for mirror sync and `codex_bin` to route review calls through a wrapper transport.
+- `[sync.resolve]`: optional AI merge-resolution tuning for `f sync`; use it to set higher reasoning effort, append repo-specific merge instructions, and declare wildcard path priorities instead of hard-coding fork heuristics in Flow.
 - `[commit.testing]`: optional local testing gate evaluated during `f commit`; supports Bun-first strict mode plus optional AI scratch-test fallback (`.ai/test` by default).
 - `[commit.skill_gate]`: optional required-skill policy for `f commit`; can enforce presence and minimum skill versions.
 - `[invariants]`: optional policy checks for forbidden patterns, dependency allowlists, terminology context, and file-size limits. `mode = "block"` makes invariant warnings fail `f invariants` and commit-time invariant gate checks.
@@ -195,6 +202,12 @@ inject_as = "linear"
 [options]
 codex_bin = "~/code/flow/scripts/codex-flow-wrapper"
 
+[sync.resolve]
+effort = "xhigh"
+instructions = ["Preserve fork-specific behavior."]
+prioritize_paths = ["src/hot.rs"]
+deprioritize_paths = ["schema/*", "*.snap"]
+
 [commit.testing]
 mode = "block"
 runner = "bun"