diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 00000000..91ebc673
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,17 @@
+# Force LF line endings on every text file in every working tree.
+#
+# Why global: the WSL CI job runs against a checkout on the windows-latest
+# runner (default core.autocrlf=true). Any text file without an explicit
+# attribute is normalised to CRLF on checkout, which has surfaced as a
+# series of unrelated CI failures:
+#   * bash scripts:    `$'\r': command not found` / `set: pipefail: invalid option name`
+#   * .jh source:      `jaiph format --check` reports "needs formatting"
+#                      because format normalises to LF
+# Per-extension whack-a-mole would keep finding new variants. `text=auto`
+# tells git to detect text vs binary per file; combined with `eol=lf` it
+# stores LF in the index and writes LF to working trees on every platform.
+* text=auto eol=lf
+
+# Belt-and-suspenders: explicitly mark binary assets so `text=auto` cannot
+# misclassify them and corrupt the bytes by line-ending normalisation.
+*.png binary
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 289bfaee..8d2c8470 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,6 +4,19 @@ on:
   push:
 
 jobs:
+  shellcheck:
+    name: ShellCheck
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install shellcheck
+        run: sudo apt-get update && sudo apt-get install -y shellcheck
+
+      - name: Run shellcheck
+        run: shellcheck runtime/overlay-run.sh
+
   test:
     name: Compiler and unit tests
     runs-on: ubuntu-latest
@@ -33,12 +46,26 @@ jobs:
           git ls-remote --exit-code https://github.com/jaiphlang/jaiph.git "refs/tags/v${VERSION}"
 
   e2e:
-    name: E2E install and CLI workflow (${{ matrix.os }})
+    name: E2E (${{ matrix.os }}, ${{ matrix.label }})
     runs-on: ${{ matrix.os }}
+    env:
+      # Host/safe split applies on Ubuntu only. macOS runners do not ship Docker the same way — keep host-only there.
+      # "docker": unset JAIPH_UNSAFE so resolveDockerConfig enables the sandbox (pulls ghcr.io/jaiphlang/jaiph-runtime).
+      # "host": explicit opt-out, same as a fast local `JAIPH_UNSAFE=true npm run test:e2e`.
+      JAIPH_UNSAFE: ${{ matrix.jaiph_unsafe }}
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-latest, macos-latest]
+        include:
+          - os: ubuntu-latest
+            label: docker
+            jaiph_unsafe: ""
+          - os: ubuntu-latest
+            label: host
+            jaiph_unsafe: "true"
+          - os: macos-latest
+            label: host
+            jaiph_unsafe: "true"
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -48,6 +75,12 @@ jobs:
         with:
           node-version: "20"
 
+      - name: Build runtime image for Docker E2E
+        if: matrix.label == 'docker'
+        run: |
+          docker build -t jaiph-ci-runtime:local -f runtime/Dockerfile .
+          echo "JAIPH_DOCKER_IMAGE=jaiph-ci-runtime:local" >> "$GITHUB_ENV"
+
       - name: Run runtime acceptance E2E
         run: |
           npm ci
@@ -77,6 +110,11 @@ jobs:
           node-version: "20"
           cache: npm
 
+      - name: Build runtime image for docs sample Docker runs
+        run: |
+          docker build -t jaiph-ci-runtime:local -f runtime/Dockerfile .
+          echo "JAIPH_DOCKER_IMAGE=jaiph-ci-runtime:local" >> "$GITHUB_ENV"
+
       - name: Install dependencies
         run: npm ci
 
@@ -151,38 +189,133 @@ jobs:
         id: detect_wsl
         shell: pwsh
         run: |
+          $ciDistro = "jaiph-ci-ubuntu"
           $distros = @(wsl -l -q | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne "" })
           if ($distros.Count -eq 0) {
-            "distro=" >> $env:GITHUB_OUTPUT
-            Write-Warning "No WSL distro is available on this runner. Skipping WSL E2E."
-            exit 0
+            Write-Warning "No WSL distro is available on this runner. Importing Ubuntu rootfs for CI."
+            $archivePath = Join-Path $env:RUNNER_TEMP "ubuntu-base-amd64.tar.gz"
+            $installPath = Join-Path $env:RUNNER_TEMP "wsl-ubuntu"
+            $ubuntuBaseReleaseIndexUrl = "https://cdimage.ubuntu.com/ubuntu-base/releases/24.04/release/"
+
+            if (Test-Path $installPath) {
+              Remove-Item -Path $installPath -Recurse -Force
+            }
+            New-Item -ItemType Directory -Path $installPath -Force | Out-Null
+            $releaseIndex = Invoke-WebRequest -Uri $ubuntuBaseReleaseIndexUrl
+            $matches = [regex]::Matches($releaseIndex.Content, 'ubuntu-base-24\.04\.(\d+)-base-amd64\.tar\.gz')
+            $candidates = @($matches | ForEach-Object { $_.Value } | Sort-Object -Unique)
+            if ($candidates.Count -eq 0) {
+              Write-Error "Unable to resolve an Ubuntu Base 24.04 amd64 archive from $ubuntuBaseReleaseIndexUrl"
+              exit 1
+            }
+            $archiveName = $candidates |
+              Sort-Object {
+                [int]([regex]::Match($_, '24\.04\.(\d+)-').Groups[1].Value)
+              } -Descending |
+              Select-Object -First 1
+            $ubuntuBaseUrl = "$ubuntuBaseReleaseIndexUrl$archiveName"
+            Write-Host "Downloading Ubuntu base archive: $ubuntuBaseUrl"
+            try {
+              Invoke-WebRequest -Uri $ubuntuBaseUrl -OutFile $archivePath -MaximumRetryCount 3 -RetryIntervalSec 2
+            } catch {
+              Write-Error "Failed to download $ubuntuBaseUrl : $($_.Exception.Message)"
+              exit 1
+            }
+            wsl --import "$ciDistro" "$installPath" "$archivePath" --version 2
+            $distros = @("$ciDistro")
           }
           $ubuntu = $distros | Where-Object { $_ -match "^Ubuntu" } | Select-Object -First 1
           $selected = if ($ubuntu) { $ubuntu } else { $distros[0] }
+          if (-not $selected) {
+            Write-Error "Failed to provision a WSL distro for CI."
+            exit 1
+          }
           "distro=$selected" >> $env:GITHUB_OUTPUT
           Write-Host "Using WSL distro: $selected"
 
       - name: Install Node and run E2E tests in WSL
-        if: steps.detect_wsl.outputs.distro != ''
         shell: pwsh
         run: |
           $workspace = "${{ github.workspace }}"
           $distro = "${{ steps.detect_wsl.outputs.distro }}"
-          wsl -d "$distro" -- bash -lc "set -euo pipefail
+          $env:JAIPH_WORKSPACE = $workspace
+          $bashScript = @'
+          set -euo pipefail
           export DEBIAN_FRONTEND=noninteractive
-          sudo apt-get update
-          sudo apt-get install -y curl ca-certificates
+          export JAIPH_UNSAFE=true
+          SUDO=
+          if [ "$(id -u)" -ne 0 ]; then
+            SUDO=sudo
+          fi
+          $SUDO apt-get update
+          # git: required by feature-coverage tests (124_install_command,
+          # 129_artifacts_lib, the git-aware section of 10_basic_workflows).
+          # docs/install only needs git when not installing from a local source,
+          # so installing it here does not change the "no-git host" code path
+          # those tests already cover via JAIPH_FROM_LOCAL.
+          $SUDO apt-get install -y curl ca-certificates git
           if ! command -v node >/dev/null 2>&1; then
-            curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash -
-            sudo apt-get install -y nodejs
+            if [ -n "$SUDO" ]; then
+              curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash -
+            else
+              curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
+            fi
+            $SUDO apt-get install -y nodejs
           fi
-          cd \"\$(wslpath '$workspace')\"
+          cd "$(wslpath "$JAIPH_WORKSPACE")"
           npm ci
           npm run test:e2e
-          "
+          '@
+          # PowerShell on Windows can keep CRLF in here-strings; strip CR so bash does not see "pipefail\r".
+          $bashScript = $bashScript -replace "`r", ""
+          wsl -d "$distro" -- bash -lc "$bashScript"
 
-      - name: WSL E2E skipped
-        if: steps.detect_wsl.outputs.distro == ''
-        shell: pwsh
+  docker-publish:
+    name: Publish Docker runtime image
+    needs: [test, e2e, docs-local, e2e-wsl]
+    if: github.ref == 'refs/heads/nightly' || startsWith(github.ref, 'refs/tags/v')
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    env:
+      REGISTRY: ghcr.io
+      IMAGE_NAME: jaiphlang/jaiph-runtime
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Image tags
+        id: meta
+        run: |
+          if [[ "${GITHUB_REF}" == refs/tags/v* ]]; then
+            VERSION="${GITHUB_REF_NAME#v}"
+            echo "tags=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${VERSION},${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest" >> "$GITHUB_OUTPUT"
+          else
+            echo "tags=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:nightly" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: runtime/Dockerfile
+          push: true
+          platforms: linux/amd64,linux/arm64
+          tags: ${{ steps.meta.outputs.tags }}
+
+      - name: Verify pushed image contains jaiph
         run: |
-          Write-Host "No WSL distro found on this runner image; skipping WSL E2E."
+          TAG="$(echo '${{ steps.meta.outputs.tags }}' | cut -d',' -f1)"
+          docker run --rm --entrypoint sh "${TAG}" -lc "command -v jaiph && jaiph --version"
+          docker run --rm --user 0:0 --cap-drop ALL --cap-add SYS_ADMIN --entrypoint sh "${TAG}" -lc "command -v jaiph"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
deleted file mode 100644
index 1645aabe..00000000
--- a/.github/workflows/release.yml
+++ /dev/null
@@ -1,85 +0,0 @@
-name: Release
-
-on:
-  push:
-    tags:
-      - "v*"
-
-permissions:
-  contents: read
-  id-token: write
-
-jobs:
-  publish:
-    name: Publish to npm
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Setup Node
-        uses: actions/setup-node@v4
-        with:
-          node-version: "22"
-          cache: npm
-          registry-url: "https://registry.npmjs.org"
-
-      # Trusted publishing (OIDC) requires npm >= 11.5.1; Node's bundled npm can be older and
-      # surfaces misleading E404 on publish — see https://github.com/npm/cli/issues/9088
-      - name: Use npm with trusted publishing support
-        run: npm install -g npm@^11.6.0
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Build
-        run: npm run build
-
-      - name: Verify tag matches package.json version
-        run: |
-          TAG_VERSION="${GITHUB_REF_NAME#v}"
-          PKG_VERSION="$(node -p "require('./package.json').version")"
-          if [ "$TAG_VERSION" != "$PKG_VERSION" ]; then
-            echo "Tag version ($TAG_VERSION) does not match package.json version ($PKG_VERSION)"
-            exit 1
-          fi
-
-      - name: Publish with provenance
-        run: npm publish --provenance --access public
-
-  smoke:
-    name: Post-publish global install smoke
-    needs: publish
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout (for version reference)
-        uses: actions/checkout@v4
-
-      - name: Setup Node
-        uses: actions/setup-node@v4
-        with:
-          node-version: "22"
-
-      - name: Determine published version
-        id: version
-        run: |
-          VERSION="${GITHUB_REF_NAME#v}"
-          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
-
-      - name: Install globally
-        run: npm install -g "jaiph@${{ steps.version.outputs.version }}"
-
-      - name: Verify jaiph is on PATH
-        run: command -v jaiph
-
-      - name: Verify --version matches
-        run: |
-          ACTUAL="$(jaiph --version)"
-          EXPECTED="${{ steps.version.outputs.version }}"
-          if [ "$ACTUAL" != "$EXPECTED" ]; then
-            echo "Version mismatch: got '$ACTUAL', expected '$EXPECTED'"
-            exit 1
-          fi
-
-      - name: Smoke test --help
-        run: jaiph --help
diff --git a/.gitignore b/.gitignore
index 1673153f..b15d9eec 100644
--- a/.gitignore
+++ b/.gitignore
@@ -48,4 +48,12 @@ e2e/ensure_fail.sh
 e2e/current_branch.sh
 e2e/assign_capture.sh
 
-.obsidian/
\ No newline at end of file
+.obsidian/
+
+# debug / temp directories (never commit)
+docker-*/
+nested-*/
+overlay-*/
+local-*/
+.tmp*/
+QUEUE.md.tmp.*
\ No newline at end of file
diff --git a/.jaiph/Dockerfile b/.jaiph/Dockerfile
deleted file mode 100644
index 62d5531c..00000000
--- a/.jaiph/Dockerfile
+++ /dev/null
@@ -1,56 +0,0 @@
-FROM ubuntu:latest
-
-# Standard utilities + fuse-overlayfs for CoW sandbox
-RUN apt-get update && \
-    apt-get install -y --no-install-recommends \
-      bash \
-      curl \
-      git \
-      ca-certificates \
-      gnupg \
-      fuse-overlayfs \
-      fuse3 \
-      rsync && \
-    rm -rf /var/lib/apt/lists/*
-
-# Node.js latest LTS (required by jaiph::stream_json_to_text in prompt.sh)
-RUN curl -fsSL https://deb.nodesource.com/setup_lts.x | bash - && \
-    apt-get install -y --no-install-recommends nodejs && \
-    rm -rf /var/lib/apt/lists/*
-
-# Non-root user: Claude Code (and similar tools) refuse --dangerously-skip-permissions
-# when running as root. Jaiph only passes --user on Linux hosts; on macOS the container
-# defaults to root unless the image sets USER.
-RUN useradd --create-home --uid 10001 --shell /bin/bash jaiph && \
-    mkdir -p /jaiph/workspace /jaiph/workspace-ro /jaiph/run && \
-    chown -R jaiph:jaiph /jaiph
-
-# Claude Code CLI (Anthropic) — global install for all users
-RUN npm install -g @anthropic-ai/claude-code
-
-USER jaiph
-ENV HOME=/home/jaiph
-ENV PATH="/home/jaiph/.local/bin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-
-# cursor-agent (Cursor) — install as the runtime user so the binary is
-# reachable after switching away from root. The installer currently places
-# the CLI in ~/.local/bin and may name it "agent" or "cursor".
-RUN mkdir -p "$HOME/.local/bin" && \
-    curl -fsSL https://cursor.com/install -o /tmp/install-cursor-agent.sh && \
-    bash /tmp/install-cursor-agent.sh && \
-    export PATH="$HOME/.local/bin:$PATH" && \
-    if command -v cursor-agent >/dev/null 2>&1; then \
-      true; \
-    elif command -v agent >/dev/null 2>&1; then \
-      ln -sf "$(command -v agent)" "$HOME/.local/bin/cursor-agent"; \
-    elif command -v cursor >/dev/null 2>&1; then \
-      ln -sf "$(command -v cursor)" "$HOME/.local/bin/cursor-agent"; \
-    fi && \
-    command -v cursor-agent >/dev/null 2>&1 && \
-    rm -f /tmp/install-cursor-agent.sh
-
-# jaiph (official installer: https://jaiph.org/install)
-RUN curl -fsSL https://jaiph.org/install | bash
-RUN jaiph use nightly
-
-WORKDIR /jaiph/workspace
diff --git a/.jaiph/architect_review.jh b/.jaiph/architect_review.jh
index a85f59e0..22fa919b 100755
--- a/.jaiph/architect_review.jh
+++ b/.jaiph/architect_review.jh
@@ -102,7 +102,7 @@ workflow review_one_header(header) {
     const verdict = run first_line_str(packed)
     const updated_description = run rest_lines_str(packed)
     const body_file = run jaiph_review_body_file()
-    run mkdir_p_simple(run, jaiph_tmp_dir())
+    run mkdir_p_simple(run jaiph_tmp_dir())
     run str_equals(verdict, "dev-ready") catch (err) {
       run arg_nonempty(updated_description) catch (err) {
         fail "needs-work requires a non-empty updated_description (questions for the author)."
diff --git a/.jaiph/docs_parity.jh b/.jaiph/docs_parity.jh
index 0b2967e8..10209f1c 100755
--- a/.jaiph/docs_parity.jh
+++ b/.jaiph/docs_parity.jh
@@ -75,8 +75,6 @@ rule only_expected_docs_changed_after_prompt(allowed) {
   run assert_only_allowed_changed(allowed)
 }
 
-script arg_nonempty = `[ -n "${1:-}" ]`
-
 script first_line_str = `printf '%s\n' "$1" | head -n 1`
 
 script rest_lines_str = `printf '%s\n' "$1" | tail -n +2`
@@ -210,7 +208,7 @@ workflow docs_overview(docPaths) {
 
 workflow process_docs_md_recursive(file, remaining) {
   run docs_page(file)
-  run arg_nonempty(remaining) catch (err) {
+  if remaining == "" {
     return
   }
   const next = run first_line_str(remaining)
@@ -219,7 +217,7 @@ workflow process_docs_md_recursive(file, remaining) {
 }
 
 workflow maybe_process_docs_md(first_doc, rest_docs) {
-  run arg_nonempty(first_doc) catch (err) {
+  if first_doc == "" {
     return
   }
   run process_docs_md_recursive(first_doc, rest_docs)
diff --git a/.jaiph/engineer.jh b/.jaiph/engineer.jh
index 17d868b1..3e3e5781 100755
--- a/.jaiph/engineer.jh
+++ b/.jaiph/engineer.jh
@@ -1,27 +1,26 @@
 #!/usr/bin/env jaiph
 
 #
-# Picks the first pending task from QUEUE.md, implements it,
-# verifies CI, updates docs, commits, and removes from queue.
+# Picks the first pending task from QUEUE.md, implements it, verifies CI,
+# updates docs, removes from queue, and publishes a workspace patch artifact.
 #
-
 import "jaiphlang/queue" as queue
+import "jaiphlang/artifacts" as artifacts
 import "./docs_parity.jh" as docs
 import "./ensure_ci_passes.jh" as ci
 import "./git.jh" as git
 
 config {
-  # agent.backend = "cursor"
-  # agent.default_model = "gpt-5.3-codex"
-  # agent.cursor_flags = "--force"
-  agent.backend = "claude"
-  agent.claude_flags = "--permission-mode bypassPermissions"
+  agent.backend = "cursor"
+  agent.default_model = "gpt-5.3-codex"
+  agent.cursor_flags = "--force"
+  # agent.backend = "claude"
+  # agent.claude_flags = "--permission-mode bypassPermissions"
 }
 
 const code_philosophy = """
   This codebase is maintained by both humans and AI agents. All code you write
   must follow these principles strictly:
-
   1. Plain functions with explicit arguments. Avoid classes and abstraction-
      heavy generics; if the surrounding file already uses generics, follow
      local style and keep additions minimal. No visitor patterns or dependency
@@ -48,151 +47,125 @@ const code_philosophy = """
      documentation blindly.
 """
 
-script select_role = ```
-local oc
-oc="$(cat <<'OC'
-## Output
-
-1. Implementation (code changes)
-2. Self-check: review your diff — if it touches more than 5 files or adds
-   more than 200 net lines, explain why the scope is necessary
-3. Short rationale (why this approach)
-4. Tradeoffs or risks (if any)
-OC
-)"
-local role_surgical="<role>
-You are a surgical engineer.
-
-Your goal is to implement the task with the smallest safe change.
-
-## Mindset
-
-* Keep blast radius tiny and local
-* Prefer existing code paths over new abstractions
-* Optimize for fast verification and low regression risk
-
-## Rules
-
-* Follow acceptance criteria strictly
-* Default to touching as few files as possible
-* Do NOT redesign surrounding architecture
-* Do NOT add abstractions unless clearly required by acceptance criteria
-* Never invoke orchestration workflows (.jaiph/*.jh) or launch nested agent sessions
-
-$oc
-</role>"
-
-local role_reductionist="<role>
-You are a reductionist engineer.
-
-Your goal is to solve the task by reducing system complexity.
-
-## Mindset
-
-* Prefer deleting code over adding code
-* Execute incremental decommission in small, verifiable steps
-* Keep behavior stable while simplifying structure
-
-## Rules
-
-* Follow acceptance criteria strictly
-* Prioritize deletion-first changes before introducing new paths
-* Decommission one runtime responsibility at a time; prove parity before the next cut
-* Actively remove dead code, duplicate branches, and unnecessary indirection
-* Prefer net-negative or near-neutral code growth when feasible
-* If adding code is unavoidable, justify why deletion/simplification was insufficient
-* Never invoke orchestration workflows (.jaiph/*.jh) or launch nested agent sessions
-
-$oc
-</role>"
-
-local role_optimizer="<role>
-You are an optimization-oriented engineer.
-
-Your goal is to improve structure and flow when the task justifies it.
-
-## Mindset
-
-* Fix root causes and bottlenecks, not symptoms
-* Redesign control flow/data flow when it yields clear, measurable gains
-* Prefer long-term maintainability over local minimalism
-
-## Rules
-
-* Follow acceptance criteria strictly
-* You MAY rework related areas when the task explicitly requires structural change
-* Every structural change must have a concrete before/after justification
-* Do NOT rework areas outside the task's scope, even if they look improvable
-* Avoid speculative complexity that does not produce measurable benefit
-* Never invoke orchestration workflows (.jaiph/*.jh) or launch nested agent sessions
-
-$oc
-</role>"
-
-local role_stabilizer="<role>
-You are a stabilizer engineer.
-
-Your goal is to maximize correctness and regression safety.
-
-## Mindset
-
-* Prioritize reliability and explicit behavior contracts
-* Strengthen weak edges, invariants, and error handling
-* Prefer predictable code over clever code
-
-## Rules
-
-* Follow acceptance criteria strictly
-* Prioritize behavioral parity with existing runtime contracts before refactors
-* Preserve test contracts (especially e2e) and avoid weakening assertions
-* Add or improve tests for risky paths and boundary conditions
-* Keep implementation simple, defensive, and observable
-* Avoid structural rewrites unless strictly required to satisfy acceptance criteria
-* Never invoke orchestration workflows (.jaiph/*.jh) or launch nested agent sessions
-
-$oc
-</role>"
-
-local role_writer="<role>
-You are an expert technical writer for this project.
-
-Your goal is to produce clear, accurate, and human-readable documentation.
+const output_criteria = """
+  ## Output
+  1. Implementation (code changes)
+  2. Self-check: review your diff — if it touches more than 5 files or adds
+     more than 200 net lines, explain why the scope is necessary
+  3. Short rationale (why this approach)
+  4. Tradeoffs or risks (if any)
+"""
 
-## Mindset
+const role_surgical = """
+  You are a surgical engineer.
+  
+  Your goal is to implement the task with the smallest safe change.
+  
+  Mindset:
+  * Keep blast radius tiny and local
+  * Prefer existing code paths over new abstractions
+  * Optimize for fast verification and low regression risk
+  
+  Rules:
+  * Follow acceptance criteria strictly
+  * Default to touching as few files as possible
+  * Do NOT redesign surrounding architecture
+  * Do NOT add abstractions unless clearly required by acceptance criteria
+  * Never invoke orchestration workflows (.jaiph/*.jh) or launch nested agent sessions
+"""
 
-* Source code and docs/architecture.md are the single source of truth
-* Write for a developer audience with clarity and practical examples
-* Be concise, specific, and value dense
-* Formulate generic context first, then drill into specifics
-* Write problem explanations and goals in a human-approachable way
+const role_reductionist = """
+  You are a reductionist engineer.
+  
+  Your goal is to solve the task by reducing system complexity.
+  
+  Mindset:
+  * Prefer deleting code over adding code
+  * Execute incremental decommission in small, verifiable steps
+  * Keep behavior stable while simplifying structure
+  
+  Rules:
+  * Follow acceptance criteria strictly
+  * Prioritize deletion-first changes before introducing new paths
+  * Decommission one runtime responsibility at a time; prove parity before the next cut
+  * Actively remove dead code, duplicate branches, and unnecessary indirection
+  * Prefer net-negative or near-neutral code growth when feasible
+  * If adding code is unavoidable, justify why deletion/simplification was insufficient
+  * Never invoke orchestration workflows (.jaiph/*.jh) or launch nested agent sessions
+"""
 
-## Rules
+const role_optimizer = """
+  You are an optimization-oriented engineer.
+  
+  Your goal is to improve structure and flow when the task justifies it.
+  
+  Mindset:
+  * Fix root causes and bottlenecks, not symptoms
+  * Redesign control flow/data flow when it yields clear, measurable gains
+  * Prefer long-term maintainability over local minimalism
+  
+  Rules:
+  * Follow acceptance criteria strictly
+  * You MAY rework related areas when the task explicitly requires structural change
+  * Every structural change must have a concrete before/after justification
+  * Do NOT rework areas outside the task's scope, even if they look improvable
+  * Avoid speculative complexity that does not produce measurable benefit
+  * Never invoke orchestration workflows (.jaiph/*.jh) or launch nested agent sessions
+"""
 
-* Follow acceptance criteria strictly
-* Every docs page must follow: # Top Header → overview paragraph (no sub-header) → ## Sections
-* Verify all content against source code — don't trust existing docs blindly
-* Keep examples executable and aligned with current behavior
-* Avoid too many emojis and AI-like language — keep it simple and clear
-* Only modify documentation files (docs/*.md, README.md, docs/index.html, docs/_layouts/*.html)
-* Do NOT modify source code, tests, or config files
-* Navigation links between docs pages are provided by the Jekyll template; do NOT add manual navigation blocks
-* Never invoke orchestration workflows (.jaiph/*.jh) or launch nested agent sessions
+const role_stabilizer = """
+  You are a stabilizer engineer.
+  
+  Your goal is to maximize correctness and regression safety.
+  
+  Mindset:
+  * Prioritize reliability and explicit behavior contracts
+  * Strengthen weak edges, invariants, and error handling
+  * Prefer predictable code over clever code
+  
+  Rules:
+  * Follow acceptance criteria strictly
+  * Prioritize behavioral parity with existing runtime contracts before refactors
+  * Preserve test contracts (especially e2e) and avoid weakening assertions
+  * Add or improve tests for risky paths and boundary conditions
+  * Keep implementation simple, defensive, and observable
+  * Avoid structural rewrites unless strictly required to satisfy acceptance criteria
+  * Never invoke orchestration workflows (.jaiph/*.jh) or launch nested agent sessions
+"""
 
-$oc
-</role>"
+const classification_prompt = """
+  Classify this task into the single best-fit engineer role.
+
+  ## Available roles
+  - surgical: Bug fixes, narrow-scope changes, specific error corrections.
+  - reductionist: Deduplication, simplification, dead code removal, unification.
+  - optimizer: Structural refactors, splitting large units, new subsystems.
+  - stabilizer: Test coverage, hardening, error handling, safety improvements.
+
+  ## Role description
+  
+  ### Surgical
+  ${role_surgical}
+  
+  ### Reductionist
+  ${role_reductionist}
+  
+  ### Optimizer
+  ${role_optimizer}
+  
+  ### Stabilizer
+  ${role_stabilizer}
+"""
 
-case "$1" in
-  surgical) printf '%s\n' "$role_surgical" ;;
-  reductionist) printf '%s\n' "$role_reductionist" ;;
-  optimizer) printf '%s\n' "$role_optimizer" ;;
-  stabilizer) printf '%s\n' "$role_stabilizer" ;;
-  writer) printf '%s\n' "$role_writer" ;;
-  *)
-    echo "Error: Role must be one of: surgical, reductionist, optimizer, stabilizer, writer. Got: $1" >&2
-    return 1
-    ;;
-esac
-```
+workflow select_role(role_name) {
+  return match role_name {
+    "surgical" => role_surgical
+    "reductionist" => role_reductionist
+    "optimizer" => role_optimizer
+    "stabilizer" => role_stabilizer
+    _ => fail "Role must be one of: surgical, reductionist, optimizer, stabilizer. Got: ${role_name}"
+  }
+}
 
 script arg_nonempty = `[ -n "${1:-}" ]`
 
@@ -208,53 +181,39 @@ printf '%s\n' "$line"
 
 workflow classify_role(task) {
   const result = prompt """
-    Classify this task into the single best-fit engineer role.
-
-    Roles:
-    - surgical: Bug fixes, narrow-scope changes, specific error corrections.
-      Keywords: fix, patch, correct, resolve, handle.
-    - reductionist: Deduplication, simplification, dead code removal, unification.
-      Keywords: deduplicate, unify, collapse, remove, simplify, merge.
-    - optimizer: Structural refactors, splitting large units, new subsystems.
-      Keywords: split, extract, redesign, refactor, add [new subsystem].
-    - stabilizer: Test coverage, hardening, error handling, safety improvements.
-      Keywords: test, coverage, harden, validate, assert, detect.
-    - writer: Documentation updates, docs pages, README, getting started, content review.
-      Keywords: docs, documentation, write, update docs, readme, revisit, interlink.
-
-    Task:
+    ${classification_prompt}
+
+    ## Task
     ${task}
 
+    ## Output
     Respond with exactly one role name.
-  """ returns "{ role: string }"
+  """
+  returns "{ role: string }"
 
   return result.role
 }
 
-script save_string_to_file = `echo "$1" > "$2"`
-
-script mkdir_p_simple = `mkdir -p "$1"`
-
 workflow implement(task, role_name) {
   run task_text_has_header(task) catch (err) {
     fail "Provided task does not contain a '## [text]' header"
   }
+
   const role = run select_role(role_name)
 
   prompt """
+    ## Role
     ${role}
 
-    <context>
+    ## Context
     You are working on the Jaiph codebase (https://github.com/jaiphlang/jaiph),
     a TypeScript compiler and runtime for a DSL that transpiles to Bash.
     docs/architecture.md is the source of truth for architecture and execution flow.
-    </context>
 
-    <code_philosophy>
+    ## Code philosophy
     ${code_philosophy}
-    </code_philosophy>
 
-    <task>
+    ## Task
     Implement the following task by:
     - Reading docs/architecture.md first and keeping architecture boundaries and
       contracts intact unless task explicitly requires changing them.
@@ -302,7 +261,9 @@ workflow implement(task, role_name) {
 
     Task description:
     ${task}
-    </task>
+
+    ## Output
+    ${output_criteria}
   """
 }
 
@@ -314,8 +275,8 @@ workflow default(name) {
   log "Implementing task: ${task_header}"
 
   const role_name = match name {
-    "" => "${run classify_role(task)}"
-    _ => "${name}"
+    "" => run classify_role(task)
+    _ => name
   }
   log "Role: ${role_name}"
 
@@ -324,5 +285,8 @@ workflow default(name) {
   run ci.ensure_ci_passes()
   run docs.update_from_task(task)
   run queue.remove_completed_task(task_header)
-  run git.commit(task)
+
+  const patch_file = run git.patch(task)
+  const target_path = run artifacts.save(patch_file, patch_file)
+  return target_path
 }
diff --git a/.jaiph/git.jh b/.jaiph/git.jh
index 48d3304b..2450aa5b 100755
--- a/.jaiph/git.jh
+++ b/.jaiph/git.jh
@@ -50,5 +50,31 @@ workflow commit(task) {
 
     Changes were made for the following task:
     ${task}
-"""
+  """
+}
+
+# Writes a unified diff (HEAD vs working tree, excluding `.jaiph/`) to `dest`.
+# Returns `dest` (relative path). `task` is reserved for callers / future naming.
+script write_tree_patch = ```
+  set -euo pipefail
+  dest="$1"
+  mkdir -p "$(dirname "$dest")"
+  diff_out="$(git diff HEAD -- . ':!.jaiph/' 2>/dev/null || true)"
+  if [[ -z "${diff_out}" ]]; then
+    git add -N . -- ':!.jaiph/' 2>/dev/null || true
+    diff_out="$(git diff HEAD -- . ':!.jaiph/' 2>/dev/null || true)"
+    git reset HEAD -- . 2>/dev/null || true
+  fi
+  if [[ -n "${diff_out}" ]]; then
+    printf '%s\n' "${diff_out}" > "$dest"
+  else
+    : > "$dest"
+  fi
+  printf '%s' "$dest"
+```
+
+workflow patch(task) {
+  ensure in_git_repo()
+  const dest = ".jaiph/tmp/engineer-workspace.patch"
+  return run write_tree_patch(dest)
 }
diff --git a/.jaiph/libs/jaiphlang/artifacts.jh b/.jaiph/libs/jaiphlang/artifacts.jh
new file mode 100644
index 00000000..e23b64d0
--- /dev/null
+++ b/.jaiph/libs/jaiphlang/artifacts.jh
@@ -0,0 +1,36 @@
+#!/usr/bin/env jaiph
+
+#
+# Artifact publishing for Jaiph workflows.
+# Copies files from the workspace into ${JAIPH_ARTIFACTS_DIR} so they
+# survive sandbox teardown and are readable on the host at
+# .jaiph/runs/<run_id>/artifacts/.
+#
+# Usage:
+#   import "jaiphlang/artifacts" as artifacts
+#
+#   workflow default() {
+#     run artifacts.save("./build/output.bin", "build-output.bin")
+#   }
+#
+
+script save_script = ```
+  set -euo pipefail
+  ARTIFACTS_DIR="${JAIPH_ARTIFACTS_DIR:?JAIPH_ARTIFACTS_DIR is not set}"
+  src="$1"
+  dest_name="$2"
+  if [[ ! -f "$src" ]]; then
+    printf 'artifacts save: file not found: %s\n' "$src" >&2
+    exit 1
+  fi
+  dest="${ARTIFACTS_DIR}/${dest_name}"
+  mkdir -p "$(dirname "$dest")"
+  cp -- "$src" "$dest"
+  printf '%s' "$dest"
+```
+
+# Copies the file at `local_path` into the artifacts directory under `name`.
+# Returns the absolute path of the saved artifact.
+export workflow save(local_path, name) {
+  return run save_script(local_path, name)
+}
diff --git a/CHANGELOG.md b/CHANGELOG.md
index eda20425..eeb070f8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,48 @@
 # Unreleased
 
+# 0.9.3
+
+## Summary
+
+- **Sandboxing:** Docker is always on with read-only workspace; use `jaiphlang/artifacts.save()` for file persistence. Improved image and security.
+- **Compiler:** All identifiers are checked and immutable; clearer errors; supports inline `run` inside `return` and `log`.
+- **Language/runtime:** Adds `Handle<T>` for async, repair-and-retry with `recover`, optional module metadata.
+- **Tests:** Test blocks support `const`; must explicitly bind response values; name checking at compile time.
+- **CLI:** Shows workflow return values and improves output for prompts and Docker failures.
+
+## All changes
+
+- **Breaking — Runtime config:** `runtime.docker_timeout` renamed to `runtime.docker_timeout_seconds` to make the unit explicit. The old key produces an `E_PARSE` migration message. `DockerRunConfig.timeout` renamed to `timeoutSeconds` internally.
+- **Docker:** Default container execution timeout is **3600** seconds (one hour), up from 300, via `resolveDockerConfig` / `runtime.docker_timeout_seconds` when not overridden by `JAIPH_DOCKER_TIMEOUT` or in-file config.
+- **Docker:** `reportResult` fallback — when `discoverDockerRunDir` cannot match the expected `run_id`, the CLI now prints the sandbox runs root and the expected `run_id` instead of emitting just "Workflow execution failed." Paired with a rewritten `76_docker_failure_parity.sh` E2E that compares full normalized output between Docker and no-sandbox modes for both script-step and rule-match failures.
+- **Library:** `jaiphlang/artifacts` provides `save(local_path, name)` via a named `save_script` and drops the unpublished git-oriented helpers (`save_patch`, `apply_patch`) and standalone `artifacts.sh`.
+- **Language:** `return <identifier>` — bare identifiers are now accepted in return position. `return response` is sugar for `return "${response}"`, resolved against the same scope rules used for `${ident}` interpolation and bare-identifier call arguments (`const`, capture, or parameter). Unknown identifiers (`return missing_name` where `missing_name` is not in scope) produce a precise `E_VALIDATE` unknown-identifier error naming the missing binding. Previously, bare identifiers in return position fell through to the catch-all "inline shell steps are forbidden" diagnostic, which was incorrect — the user was not writing a shell statement, and the suggested fix (explicit script block) did not solve the problem. Both `return response` and `return "${response}"` are valid and equivalent; existing interpolated return forms are unchanged. Parser updated in all return-position paths (top-level workflow body, brace blocks, catch/recover bodies). Unit tests cover bare-identifier returns from `const`, parameters, and catch bindings; compiler tests cover acceptance and unknown-identifier rejection; E2E test covers end-to-end propagation.
+- **Language:** Immutable binding enforcement — `const`, parameter, capture, and `script` names are now immutable. Rebinding a parameter via `const`, declaring duplicate `const` names in the same scope, or colliding a `script` name with an existing immutable binding are all rejected at compile time with `E_VALIDATE: cannot rebind immutable name "…"`. The error names the conflicting binding and where it was first bound. Existing files that shadowed parameters (e.g. `workflow default(x) { const x = … }`) must use distinct names. `examples/say_hello.jh` migrated as a reference.
+- **Language:** `return run \`…\`(args)` and `log run \`…\`(args)` — inline scripts wrapped with explicit `run` now work in value positions (`return`, `log`, `logerr`). Bare inline scripts without `run` remain rejected at compile time with clear errors. Parser, validator, emitter, formatter, and runtime all updated. E2E and unit tests cover zero-arg and argument forms plus rejection paths.
+- **Language:** Bare unknown identifiers in `match` arm bodies (e.g. `_ => true`, `_ => blorp`) are now rejected at compile time with `E_VALIDATE: unknown identifier "…" in match arm body`. Previously, a bare word that was not an in-scope variable was silently treated as a string literal. Only bare in-scope identifiers (`const`, capture, or parameter names) are accepted; all other bare words must be quoted. The existing unknown-verb check (for words followed by arguments) and this new bare-word check together cover all unknown-identifier cases in arm bodies. Regression tests cover `true`, `false`, arbitrary unknown words, in-scope identifiers, and string literals.
+- **Language:** `match` arms are now strictly newline-delimited — trailing commas after arm bodies and comma separators between arms are rejected at parse time with the diagnostic `"commas are not allowed in match arms; use one arm per line"`. Previously, commas after arms were silently accepted. Parser and validation tests cover string-value, `fail`, and inline comma-separated forms.
+- **Language:** Unknown leading verbs in `match` arm bodies are rejected — `"" => error "msg"` now fails validation instead of silently treating `error "msg"` as a string literal (so a rule meant to `fail` was "passing" with a truthy value). Only `fail` / `run` / `ensure` are accepted as arm-body leading verbs, and the diagnostic suggests `fail` when the user typed `error`.
+- **Language:** `match` arm bodies resolve bare in-scope identifiers — `=> name_arg` now returns the variable's value, mirroring `return val` sugar. Previously fell through to string interpolation and returned the literal name.
+- **Formatter:** `return <identifier>` round-trips — the AST now stores `bareSource` on return steps so `return response` stays `return response` on re-emit instead of being rewritten to `return "${response}"`. Explicit `return "${var}"` is still preserved.
+- **Language:** `Handle<T>` for `run async`; `recover` retry loops on `run`; nested `run` / `ensure` in call arguments; optional `module.name`, `module.version`, `module.description` in module `config`.
+- **Tests:** `const NAME = "literal"` bindings inside `test { … }` blocks. Only plain double-quoted literals in v1 (no interpolation, no `run`, no `match`). `mock prompt <ident>`, `expect_equal var <ident>`, `expect_contain var <ident>`, and `expect_not_contain var <ident>` accept a bare identifier that resolves against test-scope `vars`. Order matters — the `const` must appear before references. AST keeps literal fields and adds optional `responseVar` / `expectedVar` / `substringVar` discriminators so the formatter round-trips whichever form was authored.
+- **Breaking — Tests:** Implicit `response` binding is gone. `run …` in a `test { … }` block no longer silently binds the return value to a magic `response` — write `const response = run hello.default("Alice")` explicitly. A new `validateTestBlocks` pass rejects `expect_*` LHS, `expect_* var <ident>` RHS, and `mock prompt <ident>` that reference an undeclared name at compile time (`E_VALIDATE`), wired into the existing `validateReferences` path so `jaiph test` fails before any test runs. Runtime has a matching fail-fast guard. `examples/say_hello.test.jh` updated.
+- **CLI / UX:** Run tree prints workflow return value — when a `jaiph run`'s default workflow exits successfully with a return value, the runtime writes it to `<run_dir>/return_value.txt` and the CLI prints it on its own line after `✓ PASS workflow default`, separated by a blank line. Workflows without a return statement produce no extra output.
+- **CLI / UX:** Prompt step preview keeps authored `${var}` placeholders — the run-tree preview now reads `prompt cursor "Say hello to ${name} and..."` with the raw source text instead of substituting the value. Concrete values still appear alongside in the params. The `declaredParamNames` block was removed so prompt steps list only the `${var}` references actually appearing in the prompt body.
+- **CLI:** `jaiph` usage output surfaces `--raw`, `jaiph install`, and `jaiph compile`. `jaiph use` accepts `git@host:path.git@ref` and refs containing slashes.
+- **Docs / examples:** `examples/recover_loop.jh` recast to use `run check_report_exists() recover(failure) { … }` with triple-backtick fenced scripts; landing-page samples and the Jaiph syntax highlighter extended to color `match` / `return` / `fail` keywords, `=>`, single- and triple-backtick scripts, and bare regex literals; channels paragraph rewritten with a concrete `findings -> analyst` example; async wording simplified ("resolves on the first read, or at the end of the embracing workflow").
+- **Repo / tests:** `examples/` is the single source of truth for showcase workflows — `e2e/agent_inbox.jh`, `e2e/async.jh`, `e2e/say_hello*.jh`, `examples/recover_loop.test.jh`, and `tmp-sandbox-doc-example.jh` removed; affected E2E tests now copy from `examples/`. Compiler test fixtures and e2e expectations refreshed; inline script names normalized to `__inline_<id>` in e2e output.
+- **Release / CI:** `.github/workflows/release.yml` removed — the npm package name is locked, and npm publishing is no longer part of the release flow. Release = tag `v*` (triggers the GHCR runtime-image publish in `ci.yml`).
+- **Runtime / library:** `JAIPH_ARTIFACTS_DIR` and `artifacts.jh` (`save`, `save_patch`, `apply_patch`); removed dead per-call isolation export paths.
+- **Docker — contract:** `jaiph` required in the image (`E_DOCKER_NO_JAIPH`); default `ghcr.io/jaiphlang/jaiph-runtime:<version>`; `jaiph init` Dockerfiles extend the official image; no runtime self-install into arbitrary base images.
+- **Docker — toggles:** Docker on by default unless `JAIPH_UNSAFE=true`; `JAIPH_DOCKER_ENABLED` for explicit control; `runtime.workspace` and `runtime.docker_enabled` removed (environment only).
+- **Docker — security / isolation:** Env allowlist (replacing a denylist); dangerous host mount paths rejected; `execFileSync` for `docker` and `id` calls; `cap-drop` and `no-new-privileges`.
+- **Docker — workspace:** Read-only host workspace with overlay or copy; removed automatic `workspace.patch` at teardown (use `artifacts.save_patch()`).
+- **Docker — robustness:** `runtime/overlay-run.sh` on disk; quiet image pre-pull; strict `JAIPH_DOCKER_TIMEOUT`; `E_DOCKER_UID` on failed Linux UID detection; per-invocation `JAIPH_RUN_ID` for run-dir discovery; sandbox cleanup on signals and process exit; `WorkspaceCloner` internal refactor.
+- **CLI / UX:** Docker failure footers and paths aligned with local runs; quoting fixes for step titles and channel payloads; doc updates (threat model, `KEEP_SANDBOX` copy).
+- **Tests / packaging:** ShellCheck for `overlay-run.sh`; PTY E2E for `run async` progress; official `runtime/Dockerfile` copies `overlay-run.sh` into the build context.
+- **Repo:** Removed committed debug/temp tree junk; stricter `.gitignore`.
+
 # 0.9.2
 
 ## Summary
@@ -14,7 +57,7 @@
 - **Breaking — Runtime:** Remove `JAIPH_LIB` — The Node runtime no longer sets `JAIPH_LIB`, and isolated script subprocesses no longer receive it (`run-step-exec.ts`). `resolveRuntimeEnv` still deletes inherited `JAIPH_LIB` so a parent shell cannot inject a stale path. Workflows that used `source "$JAIPH_LIB/…"` must use `JAIPH_WORKSPACE`-relative paths, `import script`, or inline bash. Project-scoped **`.jaiph/libs/`** (`jaiph install`) is unchanged.
 - **Docs / E2E:** Documentation and tests no longer describe or assert `JAIPH_LIB` / `.jaiph/lib` (singular).
 - **Feature — Runtime:** Heartbeat file in run directory — The runtime now writes a `heartbeat` file (containing epoch-ms timestamp) to the run directory (`.jaiph/runs/<date>/<time>-<source>/heartbeat`) immediately on construction and refreshes it every 10 seconds. External tooling can `stat()` or read this file to detect whether a Jaiph process is still alive; a stale heartbeat (>~20s) means the process is dead. The timer is `.unref()`ed so it never keeps the Node process alive past its natural exit. Implementation: `startHeartbeat()` / `stopHeartbeat()` in `NodeWorkflowRuntime`. Unit test added.
-- **Fix — Docker:** Generic runtime image bootstrap and host run-dir mapping — Docker no longer assumes the selected image already contains `jaiph`, but it also no longer relies on a host-mounted `dist/` tree. When the selected base image lacks `jaiph`, Jaiph now builds a thin derived image from that base and installs the current local package with `npm install -g`, then runs `jaiph run --raw` there. Docker-backed runs now mount the resolved host runs root directly at `/jaiph/run`, so the default `.jaiph/runs`, relative `JAIPH_RUNS_DIR`, and absolute in-workspace `JAIPH_RUNS_DIR` all persist artifacts in the expected host location; absolute paths outside the workspace fail with `E_DOCKER_RUNS_DIR`. Implementation: `resolveImage()`, `resolveDockerHostRunsRoot()`, and `findRunArtifacts()` in `src/runtime/docker.ts`; `spawnExec()` in `src/cli/commands/run.ts`. Unit and E2E coverage updated.
+- **Fix — Docker:** Generic runtime image bootstrap and host run-dir mapping — Docker no longer assumes the selected image already contains `jaiph`, but it also no longer relies on a host-mounted `dist/` tree. When the selected base image lacks `jaiph`, Jaiph now builds a thin derived image from that base and installs the current local package with `npm install -g`, then runs `jaiph run --raw` there. Docker-backed runs now mount the resolved host runs root directly at `/jaiph/run`, so the default `.jaiph/runs`, relative `JAIPH_RUNS_DIR`, and absolute in-workspace `JAIPH_RUNS_DIR` all persist artifacts in the expected host location; absolute paths outside the workspace fail with `E_DOCKER_RUNS_DIR`. Implementation: `resolveImage()` and `resolveDockerHostRunsRoot()` in `src/runtime/docker.ts`; `spawnExec()` in `src/cli/commands/run.ts`. Unit and E2E coverage updated. *(Note: `findRunArtifacts()` originally shipped here has been removed — superseded by `JAIPH_ARTIFACTS_DIR`.)*
 
 # 0.9.1
 
@@ -287,7 +330,7 @@
 - **Fix: single-file run no longer compiles sibling `.jh` files** — `jaiph run file.jh` now compiles only the specified file and its transitive imports instead of every `.jh` file in the parent directory. A parse error in a sibling file no longer prevents execution of unrelated files. Directory mode (formerly `jaiph build ./`) is unchanged in the internal build path. The fix introduces `collectFileWithImports()` in `src/transpile/build.ts`, which walks imports via the AST to build the minimal file set.
 - **Inbox & dispatch: event passing between agent workflows** — Workflows can now send messages to named channels with the `->` send operator and declare routing rules with `on <channel> -> <workflow>`. The runtime dispatches messages sequentially via an in-memory queue — no filesystem watchers, no polling, no `inotifywait`/`fswatch`. `echo "data" -> findings` transpiles to `jaiph::send 'findings' "$(echo "data")"`. Standalone `-> channel` forwards `$1`. `on findings -> analyst` registers a route; when a message arrives on `findings`, `analyst` is called with the message content as `$1`. Multi-target routes (`on ch -> wf1, wf2`) dispatch sequentially in declaration order; each target receives the same message. Routes are static declarations stored in `WorkflowDef.routes`, not executable steps. The dispatch queue drains after the orchestrator completes; invoked workflows may produce further sends. Max dispatch depth of 100 guards against circular sends (`E_DISPATCH_DEPTH`). Send to an unregistered channel is a silent drop (message still written to inbox for audit). Non-zero exit from a dispatched workflow halts the queue (fail-fast). Inbox files are written as `NNN-<channel>.txt` under `.jaiph/runs/<run-id>/inbox/`. `name = cmd -> channel` is a parse error (`E_PARSE`); use two steps instead. New runtime functions in `src/runtime/inbox.sh`: `jaiph::inbox_init`, `jaiph::send`, `jaiph::register_route`, `jaiph::drain_queue`. Progress tree shows `on` routes as nodes; dispatched calls appear as children with `dispatched: true` and `channel` metadata. See [Inbox & Dispatch](docs/inbox.md).
 - **Docker sandbox runtime for workflow execution** — New optional Docker sandbox isolates workflow execution in a disposable container. Docker is enabled by default on local machines; disable with `runtime.docker_enabled = false` or `JAIPH_DOCKER_ENABLED=false`. The container receives only the transpiled bash script and `jaiph_stdlib.sh` — no Jaiph source, TypeScript, or Node.js. New `src/runtime/docker.ts` module handles mount parsing/validation, image pull, UID/GID mapping (Linux), TTY passthrough, timeout enforcement (`E_TIMEOUT`), and Docker availability checks (`E_DOCKER_NOT_FOUND`). Mount strings support full form (`host:container:mode`) and shorthand (`host:mode`); exactly one mount must target `/jaiph/workspace`. `JAIPH_STDLIB` is set to `/jaiph/generated/jaiph_stdlib.sh` inside the container. `CI=true` disables Docker by default unless in-file override is set. Precedence: env vars (`JAIPH_DOCKER_*`) > in-file config > defaults. `jaiph init` now recommends adding `.jaiph/` (not just `.jaiph/runs/`) to `.gitignore`.
-- **Config parser: support integer and array value types** — `parseMetadataValue()` now handles bare integer literals (regex `/^[0-9]+$/`, returned as `number`) and bracket-delimited arrays of quoted strings (returned as `string[]`). Multi-line arrays support trailing commas, inline `#` comments, and empty arrays (`= []`). A new `runtime.*` key namespace is added with five keys: `runtime.docker_enabled` (boolean, default `true` locally, `false` in CI), `runtime.docker_image` (string, default `"ubuntu:24.04"`), `runtime.docker_network` (string, default `"default"`), `runtime.docker_timeout` (integer, default `300`), and `runtime.workspace` (string[], default `[".:/jaiph/workspace:rw"]`). Each key enforces its expected type at parse time (`E_VALIDATE` on mismatch). Unknown `runtime.*` keys produce `E_PARSE`. A new `RuntimeConfig` interface is added to `src/types.ts` and an optional `runtime` field to `WorkflowMetadata`.
+- **Config parser: support integer and array value types** — `parseMetadataValue()` now handles bare integer literals (regex `/^[0-9]+$/`, returned as `number`) and bracket-delimited arrays of quoted strings (returned as `string[]`). Multi-line arrays support trailing commas, inline `#` comments, and empty arrays (`= []`). A new `runtime.*` key namespace is added with five keys: `runtime.docker_enabled` (boolean, default `true` locally, `false` in CI), `runtime.docker_image` (string, default `"ubuntu:24.04"`), `runtime.docker_network` (string, default `"default"`), `runtime.docker_timeout_seconds` (integer, default `300`), and `runtime.workspace` (string[], default `[".:/jaiph/workspace:rw"]`). Each key enforces its expected type at parse time (`E_VALIDATE` on mismatch). Unknown `runtime.*` keys produce `E_PARSE`. A new `RuntimeConfig` interface is added to `src/types.ts` and an optional `runtime` field to `WorkflowMetadata`.
 - **Enforce calling conventions and unify symbol namespace** — **Breaking change.** Rules, workflows, and functions now share a single namespace per module; declaring two items with the same name (e.g. a rule `foo` and a workflow `foo`) yields `E_PARSE`. The compiler enforces calling conventions at compile time: `ensure` must target a rule (`E_VALIDATE` if used on a workflow or function, with a message indicating the correct keyword), `run` must target a workflow (`E_VALIDATE` if used on a rule or function), and functions cannot be used with `ensure` or `run`. These checks apply to both local and imported references. Internally, the bash symbol format is flattened from `<module>::rule::<name>` / `<module>::workflow::<name>` / `<module>::function::<name>` to `<module>::<name>`, with the step kind passed as an explicit argument to `jaiph::run_step` and `jaiph::run_step_passthrough`. The `resolveShellFunctionRefs` pass is generalized to `resolveShellRefs`, resolving any `alias.name` in shell context to the flat `symbol::name` form. External scripts that call generated bash functions by their old triple-prefix names will need to update to the new `<module>::<name>` format.
 - **Docs: Update samples to use `log` instead of `cat`** — The `say_hello.jh` sample now uses `log "$response"` to display the agent's reply in the progress tree instead of writing to a file and using `cat`. The run command in docs is simplified from `./say_hello.jh Jakub && cat hello.txt` to `./say_hello.jh Jakub`. Syntax highlighting JS updated accordingly.
 - **Add `log` keyword for workflow messages** — Workflows can now use `log "message"` to display a message in the progress tree at the correct indentation level. At compile time (`jaiph tree` / `--dry-run`), log lines render as static tree nodes with the literal string (unexpanded variables shown as-is). At runtime, `log` emits a `LOG` event (not `STEP_START`/`STEP_END`) that the progress renderer displays inline at the correct depth — no spinner, no timing. Shell variable interpolation (`$var`, `${var}`) works inside the string at runtime. The `log` keyword transpiles to `jaiph::log "message"`, a runtime function that emits the event on fd 3 and echoes to stderr. New AST variant `{ type: "log", message: string, loc: SourceLoc }` in `WorkflowStepDef`. Parse error on `log` without a double-quoted string argument.
diff --git a/QUEUE.md b/QUEUE.md
index 5e70340b..f52504a5 100644
--- a/QUEUE.md
+++ b/QUEUE.md
@@ -9,227 +9,127 @@ Process rules:
 5. This queue assumes **hard rewrite semantics**:
    * breaking changes are allowed,
    * backward compatibility is **not** a design goal unless a task explicitly says otherwise.
+6. **Acceptance criteria are non-negotiable.** A task is not done until every acceptance bullet is verified by a test that fails when the contract is violated. "It works on my machine" or "the existing tests pass" is not acceptance.
 
 ***
 
-## Docker — strict image contract + publish official `jaiph-runtime` images to GHCR
+## Cleanup — consolidate the 5-way test directory split #dev-ready
 
 **Goal**
-Remove all Docker runtime bootstrapping/fallback magic. In Docker mode, **every selected image must already contain a working `jaiph` CLI**. Jaiph must **not** build a thin derived image at runtime, must **not** mount host `dist/` into the container, and must **not** auto-install itself into arbitrary base images. The product contract becomes explicit: if Docker is on, the image is responsible for containing Jaiph.
+Today there are five different places that contain "tests": `src/**/*.test.ts` (66 unit tests, adjacent to source), `test/` (4 integration files including a 2427-LoC `sample-build.test.ts`), `tests/e2e-samples/` (a single Playwright file), `compiler-tests/` (txtar fixtures), `golden-ast/` (fixtures + expected). Plus runners `src/compiler-test-runner.ts` and `src/golden-ast-runner.ts` mixed into the production source tree. A new contributor cannot tell where a new test belongs without reading the whole layout. Fix the structure in one pass.
+
+**Context (read before starting)**
+
+* The current `package.json` `test` script enumerates the test sources explicitly; this gives us a precise inventory of what is wired in:
+  ```
+  dist/test/*.test.js
+  dist/src/**/*.test.js
+  dist/src/**/*.acceptance.test.js
+  dist/src/compiler-test-runner.js
+  dist/src/golden-ast-runner.js
+  ```
+  Any move must update this script and keep the same test set running. Adding tests is out of scope; this is purely reorganization.
+* `src/compiler-test-runner.ts` and `src/golden-ast-runner.ts` are compiled and shipped in `dist/`, but they are test infrastructure (they consume fixtures, produce assertions). They should not live in `src/`.
+* `compiler-tests/README.md` already documents the txtar format — preserve that doc next to the fixtures it describes.
 
-At the same time, publish an official Jaiph runtime image to **GHCR** and make it the default Docker image:
-
-* tagged releases → `ghcr.io/jaiphlang/jaiph-runtime:<version>`
-* nightly builds → `ghcr.io/jaiphlang/jaiph-runtime:nightly`
-* default runtime image in Jaiph config/runtime should point at that official image
-
-This is a deliberate contract change. Convenience fallback to `node:20-bookworm` + runtime bootstrap is **not** desired.
-
-**Required product decision**
-
-1. **Strict requirement** — all Docker images used by Jaiph must already have `jaiph`.
-2. **Official default image** — Jaiph publishes and uses `ghcr.io/jaiphlang/jaiph-runtime`.
-3. **No hidden runtime mutation** — no auto-derived image build, no host `dist/` mount hack, no `npm install -g` during Docker run startup.
-4. **Fast fail** — if the chosen image lacks `jaiph`, Jaiph must fail clearly with an explicit Docker/runtime error.
-
-**Why this task exists**
-
-The current codebase has tension between two incompatible models:
-
-* generic Docker contract: run `jaiph run --raw` inside the container
-* convenience contract: allow stock images that do not contain `jaiph`
-
-Both cannot be true without runtime bootstrapping. This task intentionally chooses the first model and removes the second.
-
-**Context**
-
-* Docker runtime implementation: `src/runtime/docker.ts`
-* Docker run path / spawn site: `src/cli/commands/run.ts`
-* Docker docs: `docs/sandboxing.md`, `docs/configuration.md`, `docs/cli.md`
-* Current Docker E2E coverage: `e2e/tests/72_docker_run_artifacts.sh`, `e2e/tests/73_docker_dockerfile_detection.sh`, `e2e/tests/74_docker_lifecycle.sh`
-* Managed project Dockerfile template: `.jaiph/Dockerfile`, plus `jaiph init` scaffolding in `src/cli/commands/init.ts`
-* CI/release workflows: `.github/workflows/ci.yml`, `.github/workflows/release.yml`, `.github/workflows/nightly-engineer.yml`
-
-**Implementation requirements**
-
-1. **Runtime**
-   * Remove Docker fallback logic that auto-builds a derived image or auto-installs Jaiph into arbitrary base images.
-   * Keep the container entry generic: `jaiph run --raw ...`
-   * Add an explicit preflight/validation step for Docker images:
-     * either the selected image is the official `ghcr.io/jaiphlang/jaiph-runtime:*`,
-     * or a custom image that already contains `jaiph`.
-   * If `jaiph` is missing in the chosen image, fail with a clear error message that tells the user to:
-     * use the official GHCR image, or
-     * install Jaiph in their custom image.
-
-2. **Default image**
-   * Change the default Docker image away from `node:20-bookworm`.
-   * Default must become the official GHCR runtime image.
-   * Decide whether the default tag should be version-pinned at release time and `nightly` on main/nightly builds; document the exact rule.
-
-3. **Publishing**
-   * Add CI/release automation to build and publish `ghcr.io/jaiphlang/jaiph-runtime`.
-   * Publish at least:
-     * per-tag release images
-     * `nightly`
-   * Ensure the published image contains:
-     * `jaiph`
-     * Node.js
-     * `fuse-overlayfs` / Docker runtime prerequisites
-     * non-root runtime user if that remains part of the sandbox contract
-   * Decide whether Cursor / Claude CLIs belong in the official runtime image by default; document the decision explicitly.
-
-4. **Docs**
-   * Rewrite Docker docs to state the strict image contract clearly.
-   * Document the official GHCR image as the default and recommended path.
-   * Document how custom images must install `jaiph`.
-   * Remove any wording that implies Jaiph will make arbitrary base images work automatically.
-
-5. **Tests**
-   * Update E2E/tests so they assert the strict contract, not the bootstrap fallback.
-   * In particular, tests that currently expect `node:20-bookworm` to work without Jaiph must be rewritten.
-   * Add/keep a regression test that proves Docker fails clearly when the selected image lacks `jaiph`.
-
-**Acceptance criteria**
-
-* Default Docker image is `ghcr.io/jaiphlang/jaiph-runtime:*`, not `node:20-bookworm`.
-* Jaiph never auto-builds a derived runtime image at Docker run time.
-* Jaiph never mounts host build output into the container to provide `jaiph`.
-* A custom image without `jaiph` fails fast with a clear actionable error.
-* Official GHCR runtime images are published for release tags and `nightly`.
-* Docs describe the strict contract and official image flow without ambiguity.
-* Unit + E2E coverage prevents regression back to runtime bootstrap behavior.
-
-***
-
-## Support optional config properties in Jaiph DSL: version, name, description.
-
-## Runtime — credential proxy for Docker mode
-
-**Goal**
-Containers should never hold real API keys. Implement a host-side HTTP proxy (the "Phantom Token" pattern) that intercepts outbound API requests from containers, strips a placeholder credential, and injects the real key before forwarding upstream. The agent inside the container literally cannot leak the real key — it never has it.
-
-**Design**
-
-1. **Host-side proxy** — a lightweight `http.createServer` bound to `127.0.0.1:<port>` (macOS/WSL2) or the `docker0` bridge IP (Linux). Receives requests from the container, swaps `x-api-key: placeholder` with the real key from host env, forwards to the upstream API, pipes the response back (including streaming SSE).
-2. **Container env injection** — instead of passing `ANTHROPIC_API_KEY=$real_key` into `docker run`, pass `ANTHROPIC_API_KEY=placeholder` + `ANTHROPIC_BASE_URL=http://host.docker.internal:<port>`.
-3. **Multi-backend routing** — Jaiph supports Claude and Cursor backends. Each backend's CLI must respect a base URL override env var. `claude` CLI supports `ANTHROPIC_BASE_URL`; `cursor-agent` may not — needs investigation.
-4. **Lifecycle** — proxy starts before the first Docker container launch, shuts down after the last container exits or on Jaiph process exit.
-
-**Context**
-
-* Pattern reference: [NanoClaw's credential proxy](https://jonno.nz/posts/nanoclaw-architecture-masterclass-in-doing-less/) — same approach, independently arrived at.
-* Current Docker execution path: `src/runtime/kernel/` — Docker run/exec logic, env var forwarding.
-* Dockerfile: `.jaiph/Dockerfile` — container image setup.
-* Backend CLI invocation: `src/runtime/kernel/node-workflow-runtime.ts` — where `claude` / `cursor-agent` commands are constructed with env vars.
-
-**Open questions**
+**Scope**
 
-* Does `cursor-agent` support a base URL override? If not, the proxy pattern may require a wrapper script or LD\_PRELOAD-based interception inside the container.
-* Single port with path-based routing vs one port per backend?
-* Should the proxy also enforce rate limits or audit-log API calls?
+* **Move test infrastructure out of `src/`**:
+  - `src/compiler-test-runner.ts` → `test-infra/compiler-test-runner.ts`
+  - `src/golden-ast-runner.ts` → `test-infra/golden-ast-runner.ts`
+  - `tsconfig.json` and `package.json` `test` script updated to reference the new locations.
+* **Rename and group fixture directories**:
+  - `compiler-tests/` → `test-fixtures/compiler-txtar/` (preserves the README inside).
+  - `golden-ast/` → `test-fixtures/golden-ast/` (preserves the `fixtures/` and `expected/` subdirs underneath).
+  - Update path references in `test-infra/compiler-test-runner.ts` and `test-infra/golden-ast-runner.ts`.
+* **Fold the singleton Playwright test**:
+  - `tests/e2e-samples/landing-page.spec.ts` → `e2e/playwright/landing-page.spec.ts`.
+  - Update `playwright.config.ts` and the `test:samples` npm script accordingly.
+  - Delete the now-empty `tests/` directory.
+* **Triage `test/` (4 files, 2960 LoC)**:
+  - `test/run-summary-jsonl.test.ts` (178 LoC), `test/signal-lifecycle.test.ts` (220 LoC), `test/tty-running-timer.test.ts` (135 LoC) — keep in a renamed `integration/` directory. They are integration-flavored, not unit, and don't have an obvious adjacent home.
+  - `test/sample-build.test.ts` (2427 LoC) — split. Read the file, group its tests by which subsystem they actually exercise, and move each group either next to that subsystem (`src/.../<name>.integration.test.ts`) or into `integration/sample-build/<topic>.test.ts`. Aim for no resulting file over ~600 LoC. The split is the work; it is not optional.
+  - Move `test/expected/` and `test/fixtures/` to `test-fixtures/sample-build/` if any test still references them after the split.
+* **Final layout** (target):
+  ```
+  src/**/*.test.ts                       # unit, adjacent (unchanged)
+  src/**/*.acceptance.test.ts            # acceptance, adjacent (unchanged)
+  integration/**/*.test.ts               # integration tests (was `test/`, after split)
+  test-fixtures/compiler-txtar/          # was `compiler-tests/`
+  test-fixtures/golden-ast/              # was `golden-ast/`
+  test-fixtures/sample-build/            # if any sample-build fixtures survive the split
+  test-infra/compiler-test-runner.ts     # was `src/compiler-test-runner.ts`
+  test-infra/golden-ast-runner.ts        # was `src/golden-ast-runner.ts`
+  e2e/                                   # shell + .jh (unchanged)
+  e2e/playwright/landing-page.spec.ts    # was `tests/e2e-samples/`
+  ```
+  Three test "places" instead of five (`src/`-adjacent, `integration/`, `e2e/`); plus two clearly named support directories (`test-fixtures/`, `test-infra/`).
+* Update `package.json` `test`, `test:compiler`, `test:golden-ast`, `test:samples`, `test:acceptance`, `test:ci`, `test:e2e` scripts to reference the new paths. Verify by running `npm test` end-to-end.
+
+**Non-goals**
+
+* Do not change any test's logic, assertions, or fixtures' contents. The goal is layout, not behavior.
+* Do not change the unit-tests-adjacent-to-source convention. That part works.
+* Do not delete any test (other than ones absorbed into the `sample-build.test.ts` split, where the original file goes away after redistribution).
 
 **Acceptance criteria**
 
-* Host-side proxy starts automatically when Docker mode is active.
-* Containers receive only placeholder credentials — no real API keys in container env.
-* `claude` CLI calls from inside Docker succeed via the proxy.
-* Proxy handles streaming responses (SSE) correctly.
-* Real keys never appear in container logs, env dumps, or process listings.
-* Platform-specific host address resolution works (macOS, Linux).
+* `npm test` passes with the same test count (or higher, if the `sample-build` split surfaces previously-bundled cases as separate tests). Test count must not decrease.
+* No file in `src/` is named `*-test-runner.ts`. Test infrastructure lives only in `test-infra/`.
+* No file under `integration/` exceeds ~600 LoC after the `sample-build` split.
+* The repo root no longer has both `test/` and `tests/`. (`tests/` is deleted after folding.)
+* `package.json` test scripts reference the new paths and the same test set runs in CI.
+* Commit message documents the file-move map (old → new) so reviewers can sanity-check that nothing was lost.
 
 ***
 
-## Runtime — harden Docker execution environment
+## Refactor — split `src/runtime/kernel/node-workflow-runtime.ts` (1901 LoC) #dev-ready
 
 **Goal**
-Docker mode is the isolation boundary for workflow runs. Harden it: least-privilege mounts, explicit and documented env forwarding (what crosses the container boundary), network defaults, image supply chain, and failure modes when Docker is misconfigured or unavailable — so "Docker on" is a deliberate security posture, not accidental leakage.
+`src/runtime/kernel/node-workflow-runtime.ts` is a 1901-LoC god file: ~280 LoC of free arg-parsing helpers above the class, then ~1620 LoC of `NodeWorkflowRuntime` spanning workflow orchestration, step execution, prompt step lifecycle, event emission, mock execution, frame stack management, and heartbeat I/O. Reading or modifying any one concern requires holding all of them in head. Split along clean seams so each concern is in a focused module.
 
-**Context**
+**Context (read before starting)**
 
-* Docker runtime: `src/runtime/kernel/` — look for `docker.ts` or Docker-related logic in the run path.
-* E2E Docker tests: `e2e/tests/72_docker_run_artifacts.sh`, `e2e/tests/73_docker_dockerfile_detection.sh`.
-* Config: `runtime.docker_enabled`, `runtime.docker_timeout`, `runtime.workspace` keys in `src/config.ts` and metadata parsing.
+* This file is actively touched by the `Handle<T>` task. If that task is in flight, **rebase on it before splitting** — do not do this work in parallel without coordinating, or the merge will be miserable.
+* The class has stateful internals (`runId`, `runDir`, `summaryFile`, `heartbeatTimer`, `frameStack`, `asyncIndices`, `env`, `cwd`, `graph`, `mockBodies`). The split must keep state in the class and move stateless helpers out, or pass state explicitly into the extracted modules. Do not invent a second source of truth.
+* Free helpers above the class (`interpolate`, `parseInlineCaptureCall`, `commaArgsToInterpolated`, `parseArgsRaw`, `parseInlineScriptAt`, `parseManagedArgAt`, `parseArgTokens`, `stripOuterQuotes`, `parsePromptSchema`, `BARE_IDENT_RE`, `MAX_EMBED`, `MAX_RECURSION_DEPTH`, `sanitizeName`, `nowIso`) — all stateless. Safe to extract.
+* Methods that are pure event emission (`emitWorkflow`, `emitStep`, `emitPromptStepStart`, `emitPromptStepEnd`, `emitPromptEvent`, `emitLog`) all call `appendRunSummaryLine` and `process.stderr.write`. They depend on the class only for `runId`, `summaryFile`, and `getAsyncIndices()`. Can move to a module that takes those as constructor args.
+* Mock execution methods (`executeMockBodyDef`, `executeMockShellBody`) are largely self-contained and could move to a sibling module.
 
-**Acceptance criteria**
-
-* Threat-model notes (short section in `docs/sandboxing.md` or equivalent): what Docker is / isn't protecting against.
-* Concrete hardening changes in `docker.ts` / run path (e.g. mount validation, env allowlist or documented denylist, safer defaults) with unit tests.
-* No silent widen of host access without opt-in.
+**Scope**
 
-***
+Extract three new sibling modules under `src/runtime/kernel/`:
 
-## Runtime — default Docker when not CI or unsafe #dev-ready
+* **`runtime-arg-parser.ts`** — every stateless free helper currently above the `NodeWorkflowRuntime` class:
+  - `interpolate`, `parseInlineCaptureCall`, `commaArgsToInterpolated`, `parseArgsRaw`, `parseInlineScriptAt`, `parseManagedArgAt`, `parseArgTokens`, `stripOuterQuotes`, `parsePromptSchema`, `sanitizeName`, `nowIso`
+  - The `BARE_IDENT_RE`, `MAX_EMBED`, `MAX_RECURSION_DEPTH` constants
+  - The `ParsedArgToken`, `PromptSchemaField` types if they are not used elsewhere in the class
+  - **Required**: extracted helpers must have unit tests (some already do indirectly via runtime tests; new direct tests live in `runtime-arg-parser.test.ts`).
+* **`runtime-event-emitter.ts`** — a small class `RuntimeEventEmitter` constructed with `{ runId, asyncIndicesGetter, env }`, exposing `emitWorkflow`, `emitStep`, `emitPromptStepStart`, `emitPromptStepEnd`, `emitPromptEvent`, `emitLog`. The runtime constructs one and delegates. No more direct `process.stderr.write(__JAIPH_EVENT__ ...)` scattered through the runtime.
+* **`runtime-mock.ts`** — `executeMockBodyDef` and `executeMockShellBody` move here as exported functions taking `{ ref, args, env, cwd, executeStepsBack }` (the last is a callback so the mock can dispatch back into the runtime for `kind: "steps"` mocks). Removes the `require("node:child_process")` and `require("node:fs")` calls that currently shadow ESM imports inside the class body — that is a code smell that should die in this task.
 
-**Goal**
-When the user has not opted into "unsafe" local execution, workflows should run in Docker by default. **Default `runtime.docker_enabled` to on** only when **neither** `CI=true` **nor** `JAIPH_UNSAFE=true` is set in the environment. If either is set, default Docker to **off** unless explicitly overridden via `runtime.docker_enabled` / `JAIPH_DOCKER_ENABLED`.
+After the split, `node-workflow-runtime.ts` keeps only:
+* The `NodeWorkflowRuntime` class
+* Workflow/step orchestration (`runDefault`, `runNamedWorkflow`, `executeSteps`, `executeStep`, frame and scope management)
+* The async-handle bookkeeping (`getAsyncIndices`, `getFrameStack`)
+* Heartbeat (`startHeartbeat`, `stopHeartbeat`, `writeHeartbeat`)
 
-Introduce **`JAIPH_UNSAFE=true`** as the explicit "run on host / skip Docker default" escape hatch for local development when Docker is unwanted; document it next to `CI`.
+Target size for `node-workflow-runtime.ts` after split: ~1000–1200 LoC. Still large, but a single coherent concern (the orchestrator).
 
-**Context**
+**Non-goals**
 
-* Config resolution: `src/config.ts` — `resolveDockerConfig()` or equivalent; where `runtime.docker_enabled` default is determined.
-* Env precedence: explicit `JAIPH_DOCKER_ENABLED` / in-file `runtime.docker_enabled` overrides defaults; then CI / unsafe default rule.
-* E2E Docker tests: `e2e/tests/72_docker_run_artifacts.sh`, `e2e/tests/73_docker_dockerfile_detection.sh` — may need env setup adjustments.
+* Do not change behavior. Every existing test must still pass without modification.
+* Do not redesign the event format, the mock contract, or the arg-parser's accepted syntax. This is a relocation task only.
+* Do not split further than the three new modules listed. Over-decomposition is its own problem; this task is calibrated for one round of splitting.
+* Do not touch `node-workflow-runner.ts` (the CLI shim) or `run-step-exec.ts` (subprocess plumbing) — those are already correctly sized and out of scope.
 
 **Acceptance criteria**
 
-* `resolveDockerConfig()` (and any CLI preflight messaging) implements the precedence: explicit `JAIPH_DOCKER_ENABLED` / in-file `runtime.docker_enabled` overrides defaults; then apply CI / unsafe default rule.
-* Unit tests for env combinations: plain local → Docker default on; `CI=true` → default off; `JAIPH_UNSAFE=true` → default off; both unset with explicit `JAIPH_DOCKER_ENABLED=false` → off.
-* `CHANGELOG` + sandboxing / configuration docs updated.
+* `src/runtime/kernel/node-workflow-runtime.ts` is between 1000 and 1200 LoC after the split.
+* `src/runtime/kernel/runtime-arg-parser.ts`, `runtime-event-emitter.ts`, `runtime-mock.ts` exist and own their respective concerns.
+* `runtime-arg-parser.test.ts` exists with direct unit tests for the extracted helpers.
+* `npm test` passes with no test changes other than possibly importing helpers from their new location.
+* No `require("node:...")` calls inside class methods (they are replaced by top-of-file `import` statements as part of the mock extraction).
+* The new modules have no circular imports back into `node-workflow-runtime.ts`. Dependency direction is one-way: orchestrator → helpers/emitter/mock.
 
 ***
-
-## `jaiph serve` — expose workflows as an MCP server #dev-ready
-
-**Goal**
-Add a `jaiph serve <file.jh>` command that starts a stdio MCP server. Each top-level workflow in the file becomes a callable MCP tool. This lets any MCP client (Cursor, Claude Desktop, custom agents) invoke Jaiph workflows directly.
-
-**Context**
-
-* MCP (Model Context Protocol) uses JSON-RPC 2.0 over stdio. A server must handle `initialize`, `tools/list`, and `tools/call`.
-* Jaiph already has a runtime (`src/runtime/kernel/node-workflow-runtime.ts`) that can execute workflows and capture output.
-* The `@modelcontextprotocol/sdk` npm package provides a Node.js server implementation, but the protocol is simple enough to implement directly (\~200 lines for stdio JSON-RPC + the three methods).
-
-**Phase 1 — single text input (this task)**
-
-Each workflow becomes a tool with a single `input` string parameter:
-
-```json
-{
-  "name": "analyze_gaps",
-  "description": "workflow analyze_gaps from qa.jh",
-  "inputSchema": {
-    "type": "object",
-    "properties": {
-      "input": { "type": "string", "description": "Text input passed to the workflow" }
-    }
-  }
-}
-```
-
-The `input` value is injected into the workflow environment as `JAIPH_MCP_INPUT` (accessible via `${input}` interpolation or `$JAIPH_MCP_INPUT` in scripts). The tool response is the workflow's captured output (log messages + prompt results).
-
-**Phase 2 — typed parameters (future task)**
-
-Extend the language with workflow parameters: `workflow analyze(file: string, depth: number) { ... }`. These map directly to the tool's `inputSchema`. Not in scope for this task.
-
-**Scope**
-
-1. **CLI command** (`src/cli/commands/serve.ts`): add `jaiph serve <file.jh>` that parses the file, starts a stdio JSON-RPC server, and handles `initialize`, `tools/list`, `tools/call`.
-2. **Tool listing**: read the parsed module's `workflows` array. Each workflow becomes a tool entry with `name` \= workflow name, `description` \= `"workflow <name> from <filename>"`, `inputSchema` \= single `input` string.
-3. **Tool execution**: on `tools/call`, run the named workflow using the existing runtime. Capture all output (logs, prompt results). Return as `content: [{ type: "text", text: output }]`.
-4. **Error handling**: if the workflow fails, return `isError: true` with the error message.
-5. **Config inheritance**: the `.jh` file's `config { ... }` block applies normally (backend, model, etc.).
-6. **E2E test**: a test that starts `jaiph serve` with a simple workflow, sends JSON-RPC messages via stdin, and verifies the tool list and a tool call response.
-7. **Docs**: add a section to `docs/index.html` and `docs/jaiph-skill.md` about MCP server mode.
-
-**Acceptance criteria**
-
-* `jaiph serve examples/greeting.jh` starts a stdio MCP server.
-* `tools/list` returns one tool per workflow.
-* `tools/call` executes the workflow and returns its output.
-* Errors produce `isError: true` responses (no server crash).
-* E2E test passes.
-
-***
\ No newline at end of file
diff --git a/QUEUE.md.tmp.4951 b/QUEUE.md.tmp.4951
deleted file mode 100644
index f97c88a2..00000000
--- a/QUEUE.md.tmp.4951
+++ /dev/null
@@ -1,229 +0,0 @@
-# Jaiph Improvement Queue (Hard Rewrite Track)
-
-Process rules:
-
-1. Tasks are executed top-to-bottom.
-2. The first `##` section is always the current task.
-3. When a task is completed, remove that section entirely.
-4. Every task must be standalone: no hidden assumptions, no "read prior task" dependency.
-5. This queue assumes **hard rewrite semantics**:
-   - breaking changes are allowed,
-   - backward compatibility is **not** a design goal unless a task explicitly says otherwise.
-
----
-
-## Libs — project-scoped lib install + import resolution #dev-ready
-
-**Goal**  
-Add project-scoped library support. Libraries are git repos cloned into `<project>/.jaiph/libs/<name>/`. A new `jaiph install` CLI command manages installation. The import resolver gains a fallback that resolves lib paths from the workspace `.jaiph/libs/` directory. A lockfile tracks installed libs for reproducibility.
-
-**Part 1: `jaiph install <url[@version]>` CLI command**
-
-Add `src/cli/commands/install.ts` (follow the pattern of `init.ts`, `run.ts`).
-
-Behavior:
-- `jaiph install <repo-url>` — clone repo into `.jaiph/libs/<repo-name>/` (shallow: `--depth 1`).
-- `jaiph install <repo-url>@<version>` — clone at specific tag/branch (`--depth 1 --branch <version>`).
-- `jaiph install` (no args) — read `.jaiph/libs.lock` and install all entries.
-- Repo name is derived from the URL: last path segment, stripped of `.git` suffix (e.g. `github.com/you/queue-lib.git` → `queue-lib`).
-- If `.jaiph/libs/<name>/` already exists, skip (or `--force` to re-clone).
-- After install, upsert the entry in `.jaiph/libs.lock`.
-
-Lockfile format (`.jaiph/libs.lock`, JSON):
-```json
-{
-  "libs": [
-    { "name": "queue-lib", "url": "https://github.com/you/queue-lib.git", "version": "v1.0" }
-  ]
-}
-```
-
-**Part 2: Lib-aware import resolution**
-
-Currently `import "path" as alias` resolves relative to the importing file only (`resolveImportPath` in `src/transpile/resolve.ts`). Add a fallback: if relative resolution fails, check `<workspace-root>/.jaiph/libs/`.
-
-```jaiph
-import "queue-lib/queue" as queue   # resolves to .jaiph/libs/queue-lib/queue.jh
-```
-
-Import paths with a `/` that don't resolve relatively are split as `<lib-name>/<path-inside-lib>` and resolved to `<workspace>/.jaiph/libs/<lib-name>/<path-inside-lib>.jh`.
-
-Resolution order:
-1. Relative to importing file (existing behavior — unchanged).
-2. `<workspace-root>/.jaiph/libs/<first-segment>/<rest>.jh` (new fallback).
-
-The workspace root is already available via `detectWorkspaceRoot()` in `src/cli/shared/paths.ts`. The resolver needs the workspace root passed in (or detected). Missing lib deps fail at compile time — the existing `E_IMPORT_NOT_FOUND` error in `validate.ts` (line 273) handles this; no change needed there.
-
-**Part 3: `export script` support**
-
-Currently `export` works on `workflow` and `rule`. Verify it also works on `script` in the parser (`src/parser.ts`) and validator. If not, add it — libs need to export scripts.
-
-**Part 4: `queue.jh` as first lib**
-
-Create a standalone repo (or just the file for now in `lib/queue.jh` for testing). A markdown-section-based task queue manager backed by `QUEUE_DIR` env var. One file per project. `## heading` sections are tasks. Hashtags in headings (`#dev-ready`, `#bug`) are filterable tags.
-
-Exports:
-- `script get(project, tag?)` — return first `##` section, optionally filtered by `#tag`
-- `script list(project?, tag?)` — list section headings with tags; `--all` across projects
-- `script add(project, content)` — prepend a task section
-- `script complete(project)` — remove the first `##` section
-- `workflow next_task(project, tag)` — wrapper: get + return
-- `rule has_tasks(project)` — check if project has any sections
-
-**Part 5: Hashtag migration**
-
-Migrate `QUEUE.md` headings from `<!-- dev-ready -->` HTML comments to `#dev-ready` hashtags. This makes tags visible in Obsidian's native tag search/filter/graph.
-
-**Context**
-
-- CLI commands: `src/cli/commands/` — `init.ts`, `run.ts` for pattern reference.
-- Import resolver: `src/transpile/resolve.ts` — `resolveImportPath()` is the function to extend.
-- Validate: `src/transpile/validate.ts` line 271-281 — `E_IMPORT_NOT_FOUND` already fires for missing resolved paths. No change needed.
-- Workspace root: `src/cli/shared/paths.ts` — `detectWorkspaceRoot()`.
-- All call-sites of `resolveImportPath`: `build.ts`, `validate.ts`, `graph.ts`, `transpiler.ts`, `paths.ts`, `compiler-test-runner.ts` — the new lib-aware resolver must be wired in at each.
-- `export` keyword: `src/parser.ts` — verify `script` is supported alongside `workflow` and `rule`.
-- Existing import tests: `e2e/tests/116_cross_file_import.sh`, `e2e/tests/118_import_not_found.sh`.
-
-**Acceptance criteria**
-
-- `jaiph install <url[@version]>` clones into `.jaiph/libs/<name>/` and writes `.jaiph/libs.lock`.
-- `jaiph install` (no args) restores from lockfile.
-- `import "queue-lib/queue" as queue` resolves to `.jaiph/libs/queue-lib/queue.jh`.
-- Relative-path imports are unaffected (resolution order: relative first, libs second).
-- `export script` works (parser + validator).
-- `queue.jh` lib provides `get`, `list`, `add`, `complete`, `next_task`, `has_tasks`.
-- E2E test: install a lib, import it, call an exported script/workflow.
-- Existing E2E import tests still pass.
-- `QUEUE.md` hashtag migration: `<!-- dev-ready -->` → `#dev-ready` across all headings.
-
----
-
-## Runtime — credential proxy for Docker mode
-
-**Goal**  
-Containers should never hold real API keys. Implement a host-side HTTP proxy (the "Phantom Token" pattern) that intercepts outbound API requests from containers, strips a placeholder credential, and injects the real key before forwarding upstream. The agent inside the container literally cannot leak the real key — it never has it.
-
-**Design**
-
-1. **Host-side proxy** — a lightweight `http.createServer` bound to `127.0.0.1:<port>` (macOS/WSL2) or the `docker0` bridge IP (Linux). Receives requests from the container, swaps `x-api-key: placeholder` with the real key from host env, forwards to the upstream API, pipes the response back (including streaming SSE).
-2. **Container env injection** — instead of passing `ANTHROPIC_API_KEY=$real_key` into `docker run`, pass `ANTHROPIC_API_KEY=placeholder` + `ANTHROPIC_BASE_URL=http://host.docker.internal:<port>`.
-3. **Multi-backend routing** — Jaiph supports Claude and Cursor backends. Each backend's CLI must respect a base URL override env var. `claude` CLI supports `ANTHROPIC_BASE_URL`; `cursor-agent` may not — needs investigation.
-4. **Lifecycle** — proxy starts before the first Docker container launch, shuts down after the last container exits or on Jaiph process exit.
-
-**Context**
-
-- Pattern reference: [NanoClaw's credential proxy](https://jonno.nz/posts/nanoclaw-architecture-masterclass-in-doing-less/) — same approach, independently arrived at.
-- Current Docker execution path: `src/runtime/kernel/` — Docker run/exec logic, env var forwarding.
-- Dockerfile: `.jaiph/Dockerfile` — container image setup.
-- Backend CLI invocation: `src/runtime/kernel/node-workflow-runtime.ts` — where `claude` / `cursor-agent` commands are constructed with env vars.
-
-**Open questions**
-
-- Does `cursor-agent` support a base URL override? If not, the proxy pattern may require a wrapper script or LD_PRELOAD-based interception inside the container.
-- Single port with path-based routing vs one port per backend?
-- Should the proxy also enforce rate limits or audit-log API calls?
-
-**Acceptance criteria**
-
-- Host-side proxy starts automatically when Docker mode is active.
-- Containers receive only placeholder credentials — no real API keys in container env.
-- `claude` CLI calls from inside Docker succeed via the proxy.
-- Proxy handles streaming responses (SSE) correctly.
-- Real keys never appear in container logs, env dumps, or process listings.
-- Platform-specific host address resolution works (macOS, Linux).
-
----
-
-## Runtime — harden Docker execution environment
-
-**Goal**  
-Docker mode is the isolation boundary for workflow runs. Harden it: least-privilege mounts, explicit and documented env forwarding (what crosses the container boundary), network defaults, image supply chain, and failure modes when Docker is misconfigured or unavailable — so "Docker on" is a deliberate security posture, not accidental leakage.
-
-**Context**
-
-- Docker runtime: `src/runtime/kernel/` — look for `docker.ts` or Docker-related logic in the run path.
-- E2E Docker tests: `e2e/tests/72_docker_run_artifacts.sh`, `e2e/tests/73_docker_dockerfile_detection.sh`.
-- Config: `runtime.docker_enabled`, `runtime.docker_timeout`, `runtime.workspace` keys in `src/config.ts` and metadata parsing.
-
-**Acceptance criteria**
-
-- Threat-model notes (short section in `docs/sandboxing.md` or equivalent): what Docker is / isn't protecting against.
-- Concrete hardening changes in `docker.ts` / run path (e.g. mount validation, env allowlist or documented denylist, safer defaults) with unit tests.
-- No silent widen of host access without opt-in.
-
----
-
-## Runtime — default Docker when not CI or unsafe #dev-ready
-
-**Goal**  
-When the user has not opted into "unsafe" local execution, workflows should run in Docker by default. **Default `runtime.docker_enabled` to on** only when **neither** `CI=true` **nor** `JAIPH_UNSAFE=true` is set in the environment. If either is set, default Docker to **off** unless explicitly overridden via `runtime.docker_enabled` / `JAIPH_DOCKER_ENABLED`.
-
-Introduce **`JAIPH_UNSAFE=true`** as the explicit "run on host / skip Docker default" escape hatch for local development when Docker is unwanted; document it next to `CI`.
-
-**Context**
-
-- Config resolution: `src/config.ts` — `resolveDockerConfig()` or equivalent; where `runtime.docker_enabled` default is determined.
-- Env precedence: explicit `JAIPH_DOCKER_ENABLED` / in-file `runtime.docker_enabled` overrides defaults; then CI / unsafe default rule.
-- E2E Docker tests: `e2e/tests/72_docker_run_artifacts.sh`, `e2e/tests/73_docker_dockerfile_detection.sh` — may need env setup adjustments.
-
-**Acceptance criteria**
-
-- `resolveDockerConfig()` (and any CLI preflight messaging) implements the precedence: explicit `JAIPH_DOCKER_ENABLED` / in-file `runtime.docker_enabled` overrides defaults; then apply CI / unsafe default rule.
-- Unit tests for env combinations: plain local → Docker default on; `CI=true` → default off; `JAIPH_UNSAFE=true` → default off; both unset with explicit `JAIPH_DOCKER_ENABLED=false` → off.
-- `CHANGELOG` + sandboxing / configuration docs updated.
-
----
-
-## `jaiph serve` — expose workflows as an MCP server #dev-ready
-
-**Goal**  
-Add a `jaiph serve <file.jh>` command that starts a stdio MCP server. Each top-level workflow in the file becomes a callable MCP tool. This lets any MCP client (Cursor, Claude Desktop, custom agents) invoke Jaiph workflows directly.
-
-**Context**
-
-- MCP (Model Context Protocol) uses JSON-RPC 2.0 over stdio. A server must handle `initialize`, `tools/list`, and `tools/call`.
-- Jaiph already has a runtime (`src/runtime/kernel/node-workflow-runtime.ts`) that can execute workflows and capture output.
-- The `@modelcontextprotocol/sdk` npm package provides a Node.js server implementation, but the protocol is simple enough to implement directly (~200 lines for stdio JSON-RPC + the three methods).
-
-**Phase 1 — single text input (this task)**
-
-Each workflow becomes a tool with a single `input` string parameter:
-
-```json
-{
-  "name": "analyze_gaps",
-  "description": "workflow analyze_gaps from qa.jh",
-  "inputSchema": {
-    "type": "object",
-    "properties": {
-      "input": { "type": "string", "description": "Text input passed to the workflow" }
-    }
-  }
-}
-```
-
-The `input` value is injected into the workflow environment as `JAIPH_MCP_INPUT` (accessible via `${input}` interpolation or `$JAIPH_MCP_INPUT` in scripts). The tool response is the workflow's captured output (log messages + prompt results).
-
-**Phase 2 — typed parameters (future task)**
-
-Extend the language with workflow parameters: `workflow analyze(file: string, depth: number) { ... }`. These map directly to the tool's `inputSchema`. Not in scope for this task.
-
-**Scope**
-
-1. **CLI command** (`src/cli/commands/serve.ts`): add `jaiph serve <file.jh>` that parses the file, starts a stdio JSON-RPC server, and handles `initialize`, `tools/list`, `tools/call`.
-2. **Tool listing**: read the parsed module's `workflows` array. Each workflow becomes a tool entry with `name` = workflow name, `description` = `"workflow <name> from <filename>"`, `inputSchema` = single `input` string.
-3. **Tool execution**: on `tools/call`, run the named workflow using the existing runtime. Capture all output (logs, prompt results). Return as `content: [{ type: "text", text: output }]`.
-4. **Error handling**: if the workflow fails, return `isError: true` with the error message.
-5. **Config inheritance**: the `.jh` file's `config { ... }` block applies normally (backend, model, etc.).
-6. **E2E test**: a test that starts `jaiph serve` with a simple workflow, sends JSON-RPC messages via stdin, and verifies the tool list and a tool call response.
-7. **Docs**: add a section to `docs/index.html` and `docs/jaiph-skill.md` about MCP server mode.
-
-**Acceptance criteria**
-
-- `jaiph serve examples/greeting.jh` starts a stdio MCP server.
-- `tools/list` returns one tool per workflow.
-- `tools/call` executes the workflow and returns its output.
-- Errors produce `isError: true` responses (no server crash).
-- E2E test passes.
-
----
diff --git a/README.md b/README.md
index 50310193..a5bed42c 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # ![Jaiph](docs/logo.png)
 
-[jaiph.org](https://jaiph.org) · [Getting Started](docs/getting-started.md) · [Setup](docs/setup.md) · [Libraries](docs/libraries.md) · [Grammar](docs/grammar.md) · [CLI](docs/cli.md) · [Configuration](docs/configuration.md) · [Testing](docs/testing.md) · [Hooks](docs/hooks.md) · [Inbox & Dispatch](docs/inbox.md) · [Sandboxing](docs/sandboxing.md) · [Runtime artifacts](docs/artifacts.md) · [Architecture](docs/architecture.md) · [Contributing](docs/contributing.md)
+[jaiph.org](https://jaiph.org) · [Getting Started](docs/getting-started.md) ([jaiph.org/getting-started](https://jaiph.org/getting-started)) · [Setup](docs/setup.md) · [Libraries](docs/libraries.md) · [Grammar](docs/grammar.md) · [CLI](docs/cli.md) · [Configuration](docs/configuration.md) · [Testing](docs/testing.md) · [Hooks](docs/hooks.md) · [Inbox & Dispatch](docs/inbox.md) · [Sandboxing](docs/sandboxing.md) · [Runtime artifacts](docs/artifacts.md) · [Async Handles](docs/spec-async-handles.md) · [Architecture](docs/architecture.md) · [Contributing](docs/contributing.md)
 
 ---
 
@@ -18,7 +18,7 @@
 
 ## Core components
 
-- **CLI** (`src/cli`) — `jaiph run` / `test` / `format` / `init` / `install` / `use`; spawns the workflow runner, parses live events, runs hooks.
+- **CLI** (`src/cli`) — `jaiph run` / `test` / `compile` / `format` / `init` / `install` / `use`; prepares scripts, spawns the workflow runner (or in-process test runner), parses `__JAIPH_EVENT__` on stderr, runs hooks on `jaiph run` only.
 - **Parser** (`src/parser.ts`, `src/parse/*`) — `.jh` / `.test.jh` → AST.
 - **Validator** (`src/transpile/validate.ts`) — imports and symbol references at compile time.
 - **Transpiler** (`src/transpile/*`) — emits atomic `script` files under `scripts/` only (no workflow-level shell).
@@ -53,7 +53,7 @@ Or install from npm:
 npm install -g jaiph
 ```
 
-Verify: `jaiph --version`. Switch versions: `jaiph use nightly` or `jaiph use 0.9.2`.
+Verify: `jaiph --version`. Switch versions: `jaiph use nightly` or `jaiph use 0.9.3`.
 
 ## Example
 
diff --git a/compiler-tests/parse-errors.txt b/compiler-tests/parse-errors.txt
index b753975c..f157648c 100644
--- a/compiler-tests/parse-errors.txt
+++ b/compiler-tests/parse-errors.txt
@@ -161,7 +161,7 @@ workflow default() {
 --- input.jh
 workflow default() {
   config {
-    runtime.docker_enabled = true
+    runtime.docker_image = "ubuntu:24.04"
   }
 }
 
@@ -225,17 +225,17 @@ workflow default() {
 }
 
 === config integer key rejects string value
-# @expect error E_PARSE "runtime.docker_timeout must be an integer" @2:3
+# @expect error E_PARSE "runtime.docker_timeout_seconds must be an integer" @2:3
 --- input.jh
 config {
-  runtime.docker_timeout = "fast"
+  runtime.docker_timeout_seconds = "fast"
 }
 workflow default() {
   log "ok"
 }
 
-=== config array key rejects non-array value
-# @expect error E_PARSE "runtime.workspace must be an array of strings" @2:3
+=== config array key rejects runtime.workspace (no longer supported)
+# @expect error E_PARSE "runtime.workspace is no longer supported" @2:3
 --- input.jh
 config {
   runtime.workspace = "not-an-array"
@@ -244,6 +244,16 @@ workflow default() {
   log "ok"
 }
 
+=== config rejects runtime.docker_enabled (no longer supported)
+# @expect error E_PARSE "runtime.docker_enabled is no longer supported" @2:3
+--- input.jh
+config {
+  runtime.docker_enabled = true
+}
+workflow default() {
+  log "ok"
+}
+
 === unknown runtime config key
 # @expect error E_PARSE "unknown config key: runtime.unknown_key" @2:3
 --- input.jh
@@ -769,8 +779,8 @@ workflow default() {
 script broken = ```
 echo hello
 
-=== metadata: single-quoted array element
-# @expect error E_PARSE "single-quoted strings are not supported" @3:5
+=== metadata: runtime.workspace array rejected (single-quoted element)
+# @expect error E_PARSE "runtime.workspace is no longer supported" @2:3
 --- input.jh
 config {
   runtime.workspace = [
@@ -781,8 +791,8 @@ workflow default() {
   log "ok"
 }
 
-=== metadata: unquoted array element
-# @expect error E_PARSE "array elements must be quoted strings" @3:5
+=== metadata: runtime.workspace array rejected (unquoted element)
+# @expect error E_PARSE "runtime.workspace is no longer supported" @2:3
 --- input.jh
 config {
   runtime.workspace = [
@@ -793,8 +803,8 @@ workflow default() {
   log "ok"
 }
 
-=== metadata: unclosed array
-# @expect error E_PARSE "array not closed" @2:1
+=== metadata: runtime.workspace array rejected (unclosed)
+# @expect error E_PARSE "runtime.workspace is no longer supported" @2:3
 --- input.jh
 config {
   runtime.workspace = [
@@ -1015,7 +1025,7 @@ workflow default() {
 import "lib.jh" as lib
 
 test "bad mock" {
-  mock prompt not_quoted
+  mock prompt 123-not-a-string
   const out = run lib.default()
 }
 --- lib.jh
@@ -1914,16 +1924,16 @@ workflow default() {
   log "ok"
 }
 
-=== inline config block with multiline array opening
-# @expect error E_PARSE "multiline config arrays require"
+=== inline config block rejects runtime.workspace (array opening)
+# @expect error E_PARSE "runtime.workspace is no longer supported"
 --- input.jh
 config { runtime.workspace = [ }
 workflow default() {
   log "ok"
 }
 
-=== inline config block with non-empty workspace array
-# @expect error E_PARSE "runtime.workspace arrays with elements require"
+=== inline config block rejects runtime.workspace (non-empty array)
+# @expect error E_PARSE "runtime.workspace is no longer supported"
 --- input.jh
 config { runtime.workspace = ["foo"] }
 workflow default() {
@@ -1959,7 +1969,7 @@ workflow default() { log "hello"
 === runtime keys in inline workflow config
 # @expect error E_PARSE "runtime.* keys are not allowed"
 --- input.jh
-workflow default() { config { runtime.docker_enabled = true } }
+workflow default() { config { runtime.docker_image = "ubuntu:24.04" } }
 
 === rule body content after brace without closing on same line
 # @expect error E_PARSE "expected newline after '{'"
diff --git a/compiler-tests/valid.txt b/compiler-tests/valid.txt
index afe98785..06dedd39 100644
--- a/compiler-tests/valid.txt
+++ b/compiler-tests/valid.txt
@@ -412,43 +412,7 @@ workflow default() {
 # @expect ok
 --- input.jh
 config {
-  runtime.docker_timeout = 300
-}
-workflow default() {
-  log "ok"
-}
-
-=== config array value parses multi-line array
-# @expect ok
---- input.jh
-config {
-  runtime.workspace = [
-    ".:/jaiph/workspace:rw",
-    "config:config:ro"
-  ]
-}
-workflow default() {
-  log "ok"
-}
-
-=== config empty array
-# @expect ok
---- input.jh
-config {
-  runtime.workspace = []
-}
-workflow default() {
-  log "ok"
-}
-
-=== config array with trailing commas and comments
-# @expect ok
---- input.jh
-config {
-  runtime.workspace = [
-    ".:/jaiph/workspace:rw",
-    "config:config:ro",
-  ]
+  runtime.docker_timeout_seconds = 300
 }
 workflow default() {
   log "ok"
@@ -458,13 +422,9 @@ workflow default() {
 # @expect ok
 --- input.jh
 config {
-  runtime.docker_enabled = true
   runtime.docker_image = "ubuntu:24.04"
   runtime.docker_network = "host"
-  runtime.docker_timeout = 600
-  runtime.workspace = [
-    ".:/jaiph/workspace:rw"
-  ]
+  runtime.docker_timeout_seconds = 600
 }
 workflow default() {
   log "ok"
@@ -1197,3 +1157,18 @@ workflow default(name) {
 workflow default(name) {
   return "result for ${name}"
 }
+
+=== return bare identifier
+# @expect ok
+--- input.jh
+workflow default() {
+  const msg = "hello"
+  return msg
+}
+
+=== return bare identifier from parameter
+# @expect ok
+--- input.jh
+workflow default(name) {
+  return name
+}
diff --git a/compiler-tests/validate-errors.txt b/compiler-tests/validate-errors.txt
index b9f7f514..31b8656d 100644
--- a/compiler-tests/validate-errors.txt
+++ b/compiler-tests/validate-errors.txt
@@ -796,3 +796,72 @@ workflow default() {
   }
 }
 
+=== return bare unknown identifier
+# @expect error E_VALIDATE "unknown identifier" @3:3
+--- input.jh
+workflow default() {
+  const msg = "hello"
+  return missing_name
+}
+
+=== test block: expect_equal LHS variable not captured (no implicit `response`)
+# @expect error E_VALIDATE "expect_equal: undefined name "response""
+--- input.test.jh
+import "lib.jh" as m
+
+test "no implicit response" {
+  run m.greet("world")
+  expect_equal response "hello world"
+}
+--- lib.jh
+workflow greet(name) {
+  return "hello ${name}"
+}
+
+=== test block: expect_equal RHS const reference not declared
+# @expect error E_VALIDATE "expect_equal: undefined name "expected""
+--- input.test.jh
+import "lib.jh" as m
+
+test "missing const ref" {
+  const response = run m.greet()
+  expect_equal response expected
+}
+--- lib.jh
+workflow greet() {
+  return "hi"
+}
+
+=== test block: mock prompt <ident> references undeclared const
+# @expect error E_VALIDATE "mock prompt: undefined name "reply""
+--- input.test.jh
+import "lib.jh" as m
+
+test "mock prompt undeclared" {
+  mock prompt reply
+  const response = run m.ask()
+  expect_equal response "x"
+}
+--- lib.jh
+workflow ask() {
+  const r = prompt "say hi"
+  return r
+}
+
+=== test block: explicit capture + const reference is valid
+# @expect ok
+--- input.test.jh
+import "lib.jh" as m
+
+test "explicit capture" {
+  const expected = "Hello!"
+  mock prompt expected
+  const response = run m.ask()
+  expect_equal response expected
+}
+--- lib.jh
+workflow ask() {
+  const r = prompt "say hi"
+  return r
+}
+
diff --git a/docs/architecture.md b/docs/architecture.md
index 787b33cb..141f5735 100644
--- a/docs/architecture.md
+++ b/docs/architecture.md
@@ -7,7 +7,7 @@ redirect_from:
 
 # Architecture
 
-Jaiph is a workflow system with a **TypeScript CLI** and a **Node.js kernel** that interprets the AST directly.
+Jaiph is a workflow system with a **TypeScript CLI** and a **JavaScript kernel** (`src/runtime/kernel/`) that interprets the workflow AST in process — there is no separate “workflow shell” emitted for execution.
 
 This page describes **how Jaiph is built**: repository layout of major subsystems, **core components**, compile and run pipelines, and **runtime contracts** (events, artifacts on disk, distribution). It is the map of the implementation.
 
@@ -15,18 +15,20 @@ For **how to contribute** — branches, test layers, E2E assertion policy, and b
 
 ## System overview
 
-1. Parse source into AST (quick parse on the CLI for `jaiph run` metadata; full graph loads use the same parser).
-2. **Compile-time** validation (`validateReferences`, invoked from **`emitScriptsForModule`** / **`buildScripts()`**) runs before script extraction, not inside `buildRuntimeGraph()` (the graph loader only parses modules and follows imports).
-3. **CLI** (Node from `dist/src/cli.js`, or a **Bun-compiled** `jaiph` binary) prepares script executables (scripts-only), spawns the **`node-workflow-runner`** child, **which** builds `RuntimeGraph` and runs **`NodeWorkflowRuntime`**. Script steps execute as managed subprocesses; prompt, inbox I/O, and event/summary emission are handled by the JS kernel under `src/runtime/kernel/`.
-4. Stream live events to CLI and persist durable run artifacts.
+Workflow authors write `.jh` / `.test.jh` modules. The toolchain turns those files into **validated** modules plus **extracted script files**, then the **same AST interpreter** runs workflows whether you use local `jaiph run`, Docker, or `jaiph test`.
+
+1. Parse source into AST (the CLI parses once up front for `jaiph run` metadata such as `runtime` config; `buildRuntimeGraph` and transpilation use the same parser on disk contents).
+2. **Compile-time** validation (`validateReferences`, invoked from **`emitScriptsForModule`** / **`buildScripts()`**) runs before script extraction, not inside `buildRuntimeGraph()` (the graph loader only parses modules and follows imports). The **`jaiph compile`** command runs the same validation over files or directories without executing workflows (see `src/cli/commands/compile.ts`).
+3. **CLI** (`dist/src/cli.js` via npm, or a **Bun-compiled** `dist/jaiph` binary) prepares script executables (scripts-only), then spawns a **detached child** that loads **`node-workflow-runner.js`**. That child calls `buildRuntimeGraph()` and runs **`NodeWorkflowRuntime`**. The child’s interpreter is **`process.execPath`** of the CLI process (Node when you run `node dist/src/cli.js`, the standalone Bun binary when you run `dist/jaiph`). Script steps execute as managed subprocesses; prompt, inbox I/O, and event/summary emission are handled by the kernel under `src/runtime/kernel/`.
+4. Stream live events to the CLI and persist durable run artifacts.
 
 All orchestration — local `jaiph run`, `jaiph test`, and **Docker `jaiph run`** — uses the **Node workflow runtime** (AST interpreter). Docker containers run the same `node-workflow-runner` process with the compiled JS source tree and scripts mounted read-only.
 
 ## Core components
 
 - **CLI (`src/cli`)**
-  - Entry point (`run`, `test`, `init`, `install`, `use`, `format`).
-  - **Workflow launch** is owned in TypeScript (`src/runtime/kernel/workflow-launch.ts` + `src/cli/run/lifecycle.ts`): spawns the **Node workflow runner** (`node-workflow-runner.ts`), which calls `buildRuntimeGraph()` then `NodeWorkflowRuntime`.
+  - Entry point (`run`, `test`, `compile`, `init`, `install`, `use`, `format`).
+  - **Workflow launch** is owned in TypeScript (`src/runtime/kernel/workflow-launch.ts` + `src/cli/run/lifecycle.ts`): spawns **`node-workflow-runner.js`** with `process.execPath`, which calls `buildRuntimeGraph()` then `NodeWorkflowRuntime`. `setupRunSignalHandlers` accepts an optional `onSignalCleanup` callback for Docker sandbox teardown on SIGINT/SIGTERM.
   - Parses runtime events and renders progress; dispatches hooks.
 
 - **Parser (`src/parser.ts`, `src/parse/*`)**
@@ -56,7 +58,8 @@ All orchestration — local `jaiph run`, `jaiph test`, and **Docker `jaiph run`*
   - `jaiph format` rewrites `.jh` / `.test.jh` files into canonical style. Pure AST→text emitter; no side-effects beyond file writes.
 
 - **Docker runtime helper (`src/runtime/docker.ts`)**
-  - Parses mount specs, resolves Docker config (image, network, timeout), and builds the `docker run` invocation used by `jaiph run --docker`. The container runs the same `node-workflow-runner` process as local execution. The spawn call uses `stdio: ["ignore", "pipe", "pipe"]` — stdin is ignored to prevent the Docker CLI from blocking on stdin EOF, which would stall event streaming and cause the host CLI to hang after the container exits.
+  - Parses mount specs, resolves Docker config (image, network, timeout), and builds the `docker run` invocation when the CLI enables **Docker sandboxing** for `jaiph run` (environment-driven; there is no `jaiph run --docker` flag — see [Sandboxing](sandboxing.md)). The container runs the same `node-workflow-runner` entry as local execution. The default image is the official `ghcr.io/jaiphlang/jaiph-runtime` GHCR image; every selected image must already contain `jaiph` (no auto-install or derived-image build at runtime). Image preparation (`prepareImage`) runs before the CLI banner: it checks whether the image is local, pulls with `--quiet` if needed (short status lines on stderr instead of Docker’s default pull UI), and verifies that `jaiph` exists in the image. `spawnDockerProcess` does not pull or verify — it receives a pre-resolved image. The spawn call uses `stdio: ["ignore", "pipe", "pipe"]` — stdin is ignored so the Docker CLI does not block on stdin EOF, which would stall event streaming and hang the host CLI after the container exits.
+  - **Workspace immutability:** Docker runs cannot modify the host workspace. The host checkout is mounted read-only; `/jaiph/workspace` is a sandbox-local copy-on-write overlay discarded on exit. The only host-writable path is `/jaiph/run` (run artifacts). Workflows that need to capture workspace changes should write files (for example a `git diff` into a temp path) and publish them with `artifacts.save()`. See [Sandboxing](sandboxing.md) for the full contract and [Libraries — `jaiphlang/artifacts`](libraries.md#jaiphlangartifacts--publishing-files-out-of-the-sandbox).
 
 ## Runtime vs CLI responsibilities
 
@@ -91,14 +94,16 @@ The runtime persists step captures and the event timeline under a UTC-dated hier
 .jaiph/runs/
   <YYYY-MM-DD>/                       # UTC date (see NodeWorkflowRuntime)
     <HH-MM-SS>-<source-basename>/       # UTC time + JAIPH_SOURCE_FILE or entry basename
-      000001-module__step.out          # stdout capture per step (seq-prefixed)
+      000001-module__step.out          # stdout capture per step (6-digit seq prefix)
       000001-module__step.err          # stderr capture (when non-empty)
+      artifacts/                       # user-published files (JAIPH_ARTIFACTS_DIR); created at run start
       inbox/                           # inbox message files (when channels are used)
-      .seq                             # step-sequence counter (kernel/seq-alloc.ts)
+      heartbeat                        # liveness: epoch ms, refreshed about every 10s
+      return_value.txt                 # when `jaiph run` default workflow returns a value (success only)
       run_summary.jsonl                # durable event timeline
 ```
 
-Sequence prefixes are monotonic and unique per run (allocated by `kernel/seq-alloc.ts`), making artifact file names deterministic and ordered.
+Step sequence numbers are monotonic and unique per run: `NodeWorkflowRuntime` allocates them in memory when opening each step’s capture files (`%06d-<safe_name>.out|.err`). The standalone module `kernel/seq-alloc.ts` is a **file-backed** allocator (and CLI `node seq-alloc.js`) for tooling or non-kernel callers; the Node workflow runtime does **not** rely on a `.seq` file in the run directory for ordinary execution.
 
 ## Channels and hooks in context
 
@@ -107,7 +112,7 @@ Channels are validated at compile time (`validateReferences` / send RHS rules) a
 ## Test runner integration (`*.test.jh` in the kernel)
 
 **How** `jaiph test` wires into the same stack as `jaiph run`: `*.test.jh` files are parsed in the CLI; `runTestFile()` drives blocks in-process. **`buildRuntimeGraph(testFile)`** is called **once per `runTestFile` invocation** and the resulting graph is reused across all blocks and `test_run_workflow` steps (the import closure is constant for a given test file within a single process run). Each `test_run_workflow` step resolves mocks against that cached graph, then constructs `NodeWorkflowRuntime` with `mockBodies` / mock prompt env. Mock prompts, workflows, rules, and scripts are supported through the runtime's mock infrastructure.
-Before that, the CLI prepares script executables via **`buildScripts(workspace)`** so imported workflow modules have concrete script paths under `JAIPH_SCRIPTS` (workspace `*.jh` files only; `*.test.jh` is not part of that walk).
+Before that, the CLI prepares script executables via **`buildScripts(testFileAbs, tmpDir, workspaceRoot)`** — the same **`buildScripts`** helper as `jaiph run`, with the **test file as the entrypoint**. That walks the test module and its **import closure** (transitive `import` edges), runs **`validateReferences`** / **`emitScriptsForModule`** per reachable file, and writes `scripts/` so imported workflows have paths under `JAIPH_SCRIPTS`. Unrelated `*.jh` files elsewhere in the repo are not compiled unless imported.
 
 Authoring rules, fixtures, and mock syntax for `*.test.jh` are documented in [Testing](testing.md), not here.
 
@@ -117,8 +122,8 @@ Static tree from AST (`progress.ts`); runtime events (`events.ts`, `stderr-handl
 
 ## Distribution: Node vs Bun standalone
 
-- **Development / npm:** `npm run build` → `tsc` + copy `runtime/kernel/` into `dist/`. `node dist/src/cli.js` runs the CLI.
-- **Standalone:** `npm run build:standalone` produces `dist/jaiph` (Bun `--compile`) and copies **`runtime/kernel/`** into **`dist/`** next to the binary. The bundle runs **without a Node.js install**. Target machines still need **bash** (or another interpreter) for `script` step subprocess execution and **Node.js** for the runtime kernel.
+- **Development / npm:** `npm run build` runs `tsc`, copies **`src/runtime/`** to **`dist/src/runtime/`** (kernel, `docker.ts`, etc.), then copies **`runtime/overlay-run.sh`** from the repo root into **`dist/src/runtime/overlay-run.sh`**. The published `jaiph` bin is **`node dist/src/cli.js`**.
+- **Standalone:** `npm run build:standalone` runs the same build, copies **`dist/src/runtime`** to **`dist/runtime`** beside the binary, then `bun build --compile ./src/cli.ts --outfile dist/jaiph`. Workflow launch still spawns `node-workflow-runner.js` using **`process.execPath`**, so the standalone artifact is **self-contained** (no separate Node install) when end users run that binary. **Bash** (or whatever shebang your `script` steps use) is still required on the host for script subprocesses. Ship **`dist/jaiph`** with **`dist/runtime`** alongside it so kernel paths resolve (same layout as `npm run build:standalone`; table in [Contributing](contributing.md)).
 
 ## Mermaid architecture diagram
 
@@ -194,6 +199,8 @@ sequenceDiagram
     alt local
         CLI->>Runner: spawn detached node-workflow-runner
     else Docker
+        CLI->>CLI: prepareImage (pull --quiet + verify jaiph)
+        Note over CLI: runs before banner so pull doesn't interleave
         CLI->>Runner: spawn container running node-workflow-runner
         Note over CLI: CLI parses events on stderr only
     end
@@ -245,6 +252,7 @@ sequenceDiagram
 ## Summary
 
 - `.jh` / `*.test.jh` share parser/AST; **compile-time** validation runs in **`emitScriptsForModule`** during **`buildScripts`**. **`buildRuntimeGraph`** loads modules with **parse-only** imports.
+- **`jaiph compile`** walks the same import closures as a normal compile check, runs **`validateReferences`** on each module, and exits — no **`buildScriptFiles`** emission, no **`buildScripts`**, no runner spawn.
 - **Node-only runtime:** all execution — local `jaiph run`, Docker `jaiph run`, and `jaiph test` — goes through `NodeWorkflowRuntime`. Docker containers run `node-workflow-runner` with the compiled JS tree and scripts mounted, using the same semantics as local execution.
 - **CLI** owns launch, observation, hooks, and runtime preparation (`buildScripts`). Workflow execution runs in **`NodeWorkflowRuntime`**, with **script steps** as managed subprocesses.
 - No workflow-level `.sh` files or `jaiph_stdlib.sh` are produced or required.
diff --git a/docs/artifacts.md b/docs/artifacts.md
index be79f8ed..23ecab86 100644
--- a/docs/artifacts.md
+++ b/docs/artifacts.md
@@ -7,37 +7,38 @@ redirect_from:
 
 # Runtime artifacts
 
-When you run a workflow or tests that execute workflows, Jaiph writes **durable** output under your project’s `.jaiph/runs/` tree. The CLI still shows **live** progress from a separate event stream (`__JAIPH_EVENT__` lines on the workflow process’s stderr); what follows is what lands on disk for logs, reports, and audit.
+Workflow and test runners need two kinds of output: **what humans see right now** (progress, status) and **what is left behind** after the process exits (replay, diffs, CI reports). Jaiph keeps those separate: the **live** channel is `__JAIPH_EVENT__` JSON lines on the child process’s **stderr**; the **durable** side is a tree of files under the project workspace so you can inspect, diff, and archive a run after it finishes.
+
+When you run a workflow, or `jaiph test` executes workflows inside test blocks, the **Node** workflow runtime materializes that durable tree. By default it lives at `<workspace>/.jaiph/runs/`; you can point it elsewhere with `run.logs_dir` / `JAIPH_RUNS_DIR` (see [Configuration — Run keys](configuration.md#run-keys)). The layout below is what `NodeWorkflowRuntime` writes.
 
 ## Run directory layout
 
-The runtime uses a UTC-dated hierarchy. Each run gets its own folder: date, then time plus the source file basename.
+The runtime uses a UTC-dated hierarchy. Each run gets its own folder: UTC date, then UTC time plus a basename derived from `JAIPH_SOURCE_FILE` when set, otherwise the entry module’s file basename.
 
 ```
 .jaiph/runs/
   <YYYY-MM-DD>/                       # UTC date (see NodeWorkflowRuntime)
-    <HH-MM-SS>-<source-basename>/       # UTC time + JAIPH_SOURCE_FILE or entry basename
-      000001-module__step.out          # stdout capture per step (seq-prefixed)
+    <HH-MM-SS>-<source-basename>/       # UTC time + basename (see above)
+      000001-module__step.out          # stdout capture per step (6-digit seq prefix)
       000001-module__step.err          # stderr capture (when non-empty)
+      artifacts/                       # user-published files (`jaiphlang/artifacts`); `JAIPH_ARTIFACTS_DIR`
       inbox/                           # inbox message files (when channels are used)
-      .seq                             # step-sequence counter (kernel/seq-alloc.ts)
-      run_summary.jsonl                # durable event timeline
+      heartbeat                        # liveness: epoch ms, refreshed about every 10s
+      return_value.txt                 # present if `default` workflow exited 0 and returned a value
+      run_summary.jsonl                # durable event timeline (JSON Lines)
 ```
 
-Sequence prefixes are **monotonic and unique** per run (allocated in the kernel), so artifact names sort in execution order. For how this fits into the CLI and kernel, see [Architecture — Durable artifact layout](architecture.md#durable-artifact-layout).
+Sequence numbers in those filenames are **monotonic and unique** per run: a single in-memory counter in `NodeWorkflowRuntime` increments for each step capture. The separate `seq-alloc` helper is a **file-backed** allocator for tooling; ordinary runs do not use a `.seq` file in the run directory. For the full system picture, see [Architecture — Durable artifact layout](architecture.md#durable-artifact-layout) and [Architecture — Contracts](architecture.md#contracts) (`__JAIPH_EVENT__` on stderr is the live path).
 
 ## What each artifact is for
 
-- **`*.out` / `*.err`** — Captured stdout and stderr for each managed step (scripts, prompts where applicable, etc.). Empty stderr files may be omitted.
-- **`run_summary.jsonl`** — Append-only JSONL timeline: workflow boundaries, step start/end, structured log lines, inbox-related events. Useful for tooling and post-run analysis.
-- **`inbox/`** — When you use channels, message payloads can be reflected as files under the run for inspection (see [Inbox & Dispatch](inbox.md)).
-- **`.seq`** — Internal counter backing the numeric prefixes; you normally do not edit it.
+- **`*.out` / `*.err`** — Per-step capture files for managed work (script subprocesses, nested workflows, rules, and prompt steps). **Stdout** is written to a `.out` file as the step runs; a **`.err` file appears when stderr is non-empty** (see [Architecture — Durable artifact layout](architecture.md#durable-artifact-layout)). The live CLI stream is still separate: see [Architecture — Contracts](architecture.md#contracts).
+- **`run_summary.jsonl`** — JSON Lines timeline mirroring what also goes to `__JAIPH_EVENT__` (where enabled): workflow boundaries, step start/end, log lines, inbox-related events. The file is created at runtime startup and lines are appended as the run progresses.
+- **`inbox/`** — When you use channels, copies of message payloads can appear here for inspection (see [Inbox & Dispatch](inbox.md)).
+- **`heartbeat`** — Best-effort file containing a wall-clock millisecond timestamp, rewritten on a timer (~10s). Liveness for external watchdogs; not required for normal CLI use.
+- **`return_value.txt`** — Written after a successful `default` workflow when the workflow returns a value (including empty string, which yields a zero-length file so it is distinct from “no return”). Other entry paths (e.g. `test_run_workflow`) are not required to create this file.
+- **`artifacts/`** — The runtime creates this directory in the run folder before execution and sets `JAIPH_ARTIFACTS_DIR` to it (along with `JAIPH_RUN_DIR`, `JAIPH_RUN_ID`, and `JAIPH_RUN_SUMMARY_FILE`). User code typically writes here via the `jaiphlang/artifacts` library (`artifacts.save`). In Docker mode this directory is under the **host-writable** run mount (`/jaiph/run/...` in the container), not the read-only workspace overlay. See [Libraries — `jaiphlang/artifacts`](libraries.md#jaiphlangartifacts--publishing-files-out-of-the-sandbox) and [Sandboxing](sandboxing.md).
 
 ## Keeping runs out of git
 
 Run `jaiph init` to add `.jaiph/.gitignore` entries for `runs` and `tmp` under `.jaiph/`. You can mirror those paths in a root `.gitignore` if you prefer.
-
-## Related
-
-- **Live events** — The CLI consumes `__JAIPH_EVENT__` JSON on stderr; that channel is separate from the files above. See [Architecture — Contracts](architecture.md#contracts).
-- **Implementation** — Parser, emitter, and kernel responsibilities: [Architecture](architecture.md).
diff --git a/docs/assets/css/style.css b/docs/assets/css/style.css
index d66aebaa..2b3cc45b 100644
--- a/docs/assets/css/style.css
+++ b/docs/assets/css/style.css
@@ -574,6 +574,10 @@ pre code .code-line::before {
     user-select: none;
 }
 
+.jaiph-run .run-banner-meta {
+    color: var(--muted);
+}
+
 .jaiph-run .run-command {
     color: var(--muted);
     font-weight: 600;
diff --git a/docs/assets/js/main.js b/docs/assets/js/main.js
index 79a707ae..c167ca8a 100644
--- a/docs/assets/js/main.js
+++ b/docs/assets/js/main.js
@@ -21,9 +21,14 @@
         "test",
         "ensure",
         "catch",
+        "recover",
         "run",
+        "async",
         "prompt",
         "returns",
+        "return",
+        "match",
+        "fail",
         "mock",
         "log",
         "logerr",
@@ -53,6 +58,21 @@
         const tokens = [];
         let i = 0;
 
+        if (state.inFence) {
+            const trimmed = line.trim();
+            if (trimmed === "```") {
+                state.inFence = false;
+                const leading = line.match(/^(\s*)/);
+                if (leading && leading[1]) {
+                    tokens.push({ type: "whitespace", value: leading[1], kind: "plain" });
+                }
+                tokens.push({ type: "fence", value: "```", kind: "string" });
+                return tokens;
+            }
+            tokens.push({ type: "string", value: line, kind: "string" });
+            return tokens;
+        }
+
         while (i < line.length) {
             const ch = line[i];
 
@@ -84,6 +104,31 @@
                 break;
             }
 
+            if (ch === "/") {
+                // Treat /.../ as a regex literal when it appears at the start of
+                // an expression on this line (e.g. a match-arm LHS). Heuristic:
+                // no significant tokens emitted yet on this line.
+                const noSignificant = tokens.every(function (t) {
+                    return t.type === "whitespace" || t.type === "comment";
+                });
+                if (noSignificant) {
+                    let j = i + 1;
+                    while (j < line.length && line[j] !== "/") {
+                        if (line[j] === "\\" && j + 1 < line.length) {
+                            j += 2;
+                            continue;
+                        }
+                        j += 1;
+                    }
+                    if (j < line.length && line[j] === "/" && j > i + 1) {
+                        j += 1;
+                        tokens.push({ type: "regex", value: line.slice(i, j), kind: "string" });
+                        i = j;
+                        continue;
+                    }
+                }
+            }
+
             if (ch === "#") {
                 tokens.push({ type: "comment", value: line.slice(i), kind: "comment" });
                 break;
@@ -141,6 +186,32 @@
                 continue;
             }
 
+            if (ch === "=" && line[i + 1] === ">") {
+                tokens.push({ type: "fat_arrow", value: "=>", kind: "operator" });
+                i += 2;
+                continue;
+            }
+
+            if (ch === "`" && line[i + 1] === "`" && line[i + 2] === "`") {
+                tokens.push({ type: "fence", value: "```", kind: "string" });
+                i += 3;
+                state.inFence = true;
+                continue;
+            }
+
+            if (ch === "`") {
+                const start = i;
+                i += 1;
+                while (i < line.length && line[i] !== "`") {
+                    i += 1;
+                }
+                if (i < line.length) {
+                    i += 1;
+                }
+                tokens.push({ type: "string", value: line.slice(start, i), kind: "string" });
+                continue;
+            }
+
             tokens.push({ type: "symbol", value: ch, kind: "plain" });
             i += 1;
         }
@@ -414,7 +485,7 @@
      *   Array of line nodes with annotated tokens.
      */
     function parseJaiph(raw) {
-        const state = { inString: false };
+        const state = { inString: false, inFence: false };
         const tokenLines = raw.split("\n").map(function (line) {
             return tokenizeJaiphLine(line, state);
         });
diff --git a/docs/cli.md b/docs/cli.md
index 04fd28a6..132aabde 100644
--- a/docs/cli.md
+++ b/docs/cli.md
@@ -7,13 +7,13 @@ redirect_from:
 
 # Jaiph CLI Reference
 
-Jaiph ships as a command-line tool. You point it at `.jh` source files, and it validates, compiles script bodies, launches the workflow runtime, streams progress, and writes run artifacts under `.jaiph/runs`. This page covers all CLI commands, flags, and environment variables. For language syntax and step semantics, see [Grammar](grammar.md).
+Jaiph is a workflow system: authors write `.jh` modules, and a **TypeScript CLI** prepares scripts, launches a **Node workflow runtime**, and surfaces progress while the **JavaScript kernel** executes the AST in process (no separate workflow shell). The CLI is what you install as the `jaiph` binary — it is the boundary between your terminal or CI and the interpreter.
 
-Before execution, the CLI runs compile-time validation and script extraction. It then hands off to the Node workflow runtime, which interprets the parsed AST directly — there is no Bash transpilation of workflows; only extracted `script` bodies are emitted as shell. The CLI owns process spawn and signal propagation; the runtime kernel owns prompt and script execution, file-backed inbox, the `__JAIPH_EVENT__` stream on stderr, and `run_summary.jsonl`. For full architecture details, see [Architecture](architecture).
+This page lists **commands**, important **flags**, and **environment variables**. It focuses on how the tool behaves, not on the language itself. For syntax and step semantics, see [Grammar](grammar.md). For repository layout, pipelines, and contracts (`__JAIPH_EVENT__`, artifacts, Docker vs local), see [Architecture](architecture.md).
 
-**Commands:** `run`, `test`, `format`, `init`, `install`, `use`.
+**Commands:** `run`, `test`, `compile`, `format`, `init`, `install`, `use`.
 
-**Global options:** `-h` / `--help` and `-v` / `--version` are recognized only as the **first argument** (e.g. `jaiph --help`). They are not parsed after a subcommand or file path.
+**Global options:** `-h` / `--help` and `-v` / `--version` are recognized only as the **first token after `jaiph`** (e.g. `jaiph --help`). They are not treated as global flags after a subcommand or a file path (`jaiph run --help` is **not** usage — use `jaiph --help`, or `jaiph compile -h` for compile-specific usage).
 
 ## File shorthand
 
@@ -30,18 +30,22 @@ jaiph ./e2e/say_hello.test.jh
 ```
 
 ## `jaiph run`
+{: #jaiph-run}
 
 Parse, validate, and run a Jaiph workflow file. Requires a `workflow default` entrypoint.
 
 ```bash
-jaiph run [--target <dir>] <file.jh> [--] [args...]
+jaiph run [--target <dir>] [--raw] <file.jh> [--] [args...]
 ```
 
 Any path ending in `.jh` is accepted (including `*.test.jh`, since the extension is still `.jh`). For files that only contain test blocks, use `jaiph test` instead.
 
+**Sandboxing:** whether the workflow runs in a **Docker container** or **directly on the host** is decided from environment variables and the workflow’s `runtime` metadata — there is no `jaiph run --docker` flag. Defaults and mounts are documented in [Sandboxing](sandboxing.md).
+
 **Flags:**
 
 - **`--target <dir>`** — keep emitted script files and run metadata under `<dir>` instead of a temp directory (useful for debugging).
+- **`--raw`** — skip the banner, live progress tree, hooks, and CLI failure footer. The workflow runner child uses **inherited stdio** so `__JAIPH_EVENT__` JSON lines go to **stderr** unchanged. The **host** CLI relies on this for Docker-backed runs (the container invokes `jaiph run --raw` so the host parses events from Docker’s stderr); you can also use it when embedding Jaiph in another tool. See [Sandboxing — Runtime behavior](sandboxing.md#runtime-behavior).
 - **`--`** — end of Jaiph flags; remaining args are passed to `workflow default` (e.g. `jaiph run file.jh -- --verbose`).
 
 **Examples:**
@@ -153,7 +157,7 @@ All async branches render as siblings at the same indentation level. Inner steps
 To surface the agent answer inline in the tree, use `log` explicitly:
 
 ```jaiph
-response = prompt "Summarize the report"
+const response = prompt "Summarize the report"
 log response
 ```
 
@@ -161,13 +165,13 @@ log response
 
 On non-zero exit, the CLI may print a footer with the path to `run_summary.jsonl`, `out:` / `err:` artifact paths, and `Output of failed step:` plus a trimmed excerpt. These are resolved from the **first** `STEP_END` object in the summary with `status` != 0, using `out_content` / `err_content` when present and otherwise the `out_file` / `err_file` fields. If no failed `STEP_END` is found, the CLI falls back to a run-directory artifact heuristic.
 
-In Docker mode, the meta file written by the container contains container-internal paths (`/jaiph/workspace/…`). The CLI remaps these to host paths before reading artifacts, so the failure summary displays identically to local runs. See [Sandboxing — Path remapping](sandboxing.md#path-remapping).
+In Docker mode, artifact paths recorded by the container use container-internal prefixes (`/jaiph/run/…`). The CLI remaps these to host paths and discovers the run directory from the bind-mounted runs directory by matching the `JAIPH_RUN_ID` in each `run_summary.jsonl` when the container meta file is inaccessible. This run-id-based lookup is safe under concurrent `jaiph run` invocations sharing the same runs directory. The failure summary therefore displays identically to local (no-sandbox) runs — same structure, same host-resolvable paths, same "Output of failed step" excerpt. See [Sandboxing — Path remapping](sandboxing.md#path-remapping).
 
 ### Run artifacts and live output
 
-Each run directory is `<JAIPH_RUNS_DIR>/<YYYY-MM-DD>/<HH-MM-SS>-<source>/`, where date and time are UTC and `<source>` is `JAIPH_SOURCE_FILE` if set, otherwise the entry file basename. Every step writes stdout and stderr to artifact files named with a zero-padded sequence prefix: `000001-module__rule.out`, `000002-module__workflow.err`, etc.
+Each run directory is `<JAIPH_RUNS_DIR>/<YYYY-MM-DD>/<HH-MM-SS>-<source>/`, where date and time are UTC and `<source>` is `JAIPH_SOURCE_FILE` if set, otherwise the entry file basename. Each step gets sequenced capture files: `000001-module__rule.out` for stdout, and `000002-module__workflow.err` for stderr **when that stream is non-empty** (see [Architecture — Durable artifact layout](architecture.md#durable-artifact-layout)).
 
-All step kinds write to artifact files **incrementally during execution**, so you can tail a running step's output in real time:
+Step **stdout** artifacts are written **incrementally during execution**, so you can tail a running step's output in real time:
 
 ```bash
 # In one terminal — run a long workflow
@@ -177,7 +181,7 @@ jaiph run ./flows/deploy.jh
 tail -f .jaiph/runs/2026-03-22/14-30-00-deploy.jh/000003-deploy__run_migrations.out
 ```
 
-Both `.out` (stdout) and `.err` (stderr) files grow as the step produces output. Steps that produce no output on a given stream have no corresponding artifact file. Empty files are cleaned up at step end.
+If a stream stays empty for a step, the runtime may omit that artifact file. Any empty capture files are cleaned up at step end.
 
 ### Run summary (`run_summary.jsonl`) {#run-summary-jsonl}
 
@@ -239,7 +243,7 @@ You can run custom commands at workflow/step lifecycle events via hooks. Config
 
 Run tests from `*.test.jh` files that contain `test "..." { ... }` blocks. Test files can import workflows and use `mock prompt` to simulate agent responses without calling the real backend.
 
-The test runner uses the same Node workflow runtime as `jaiph run`. For each test file, the CLI compiles workspace `*.jh` modules (not `*.test.jh`) so imported modules have emitted scripts, then builds the runtime graph once and reuses it across all test blocks. Each block runs through the AST interpreter with mock support and assertion evaluation (`expect_contain`, `expect_equal`, `expect_not_contain`).
+The test runner uses the same Node workflow runtime as `jaiph run`. For each test file, the CLI runs **`buildScripts`** with that file as the **entrypoint** (the test module plus its **import closure** only — not every `*.jh` in the repo), so imported workflow modules get emitted scripts under `JAIPH_SCRIPTS`. It then builds the runtime graph **once** per file and reuses it across all blocks and `test_run_workflow` steps. Each block runs through the AST interpreter with mock support and assertion evaluation (`expect_contain`, `expect_equal`, `expect_not_contain`).
 
 **Usage:**
 
@@ -260,19 +264,38 @@ jaiph test e2e/workflow_greeting.test.jh
 jaiph test e2e/say_hello.test.jh
 ```
 
+## `jaiph compile`
+
+Parse modules and run **`validateReferences`** (the same compile-time checks as before `jaiph run`) **without** writing `scripts/`, **without** calling **`buildRuntimeGraph`**, and **without** spawning the workflow runner. Use this for CI gates, pre-commit hooks, or editor diagnostics.
+
+```bash
+jaiph compile [--json] [--workspace <dir>] <file.jh | directory> ...
+```
+
+At least one path is required.
+
+**File arguments** — Each `*.jh` file is expanded to its **transitive import closure**; every module in the union is parsed and validated once.
+
+**Directory arguments** — The tree is scanned for `*.jh` files whose basename is **not** `*.test.jh`; each such file is treated as an entrypoint and its closure merged into the same validation set. To validate a test module’s graph explicitly, pass that **`*.test.jh` file** as a path (directories never pick up `*.test.jh` as roots).
+
+**Flags:**
+
+- **`--json`** — On success, print `[]` to stdout. On failure, print one JSON **array** of objects `{ "file", "line", "col", "code", "message" }` to stdout and exit **1** (non-JSON errors use a synthetic `E_COMPILE` object when the message is not in `file:line:col CODE …` form).
+- **`--workspace <dir>`** — Override the workspace root used for **library import resolution** (`<workspace>/.jaiph/libs/`, etc.) for all derived paths. When omitted, the workspace is auto-detected per file the same way as `jaiph run`.
+
 ## `jaiph format`
 
-Reformat `.jh` source files to a canonical style. The formatter parses each file into an AST and re-emits it with consistent whitespace and indentation. Formatting is idempotent — running it twice produces the same output. Comments and shebangs are preserved. Multiline string bodies (`"""…"""`), prompt blocks, and fenced script blocks are emitted verbatim — inner lines are not re-indented relative to the surrounding scope, so repeated formatting never shifts embedded content deeper.
+Reformat Jaiph source files to a canonical style. Paths must end with **`.jh`**, which includes **`*.test.jh`** test modules. The formatter parses each file into an AST and re-emits it with consistent whitespace and indentation. Formatting is idempotent — running it twice produces the same output. Comments and shebangs are preserved. Multiline string bodies (`"""…"""`), prompt blocks, and fenced script blocks are emitted verbatim — inner lines are not re-indented relative to the surrounding scope, so repeated formatting never shifts embedded content deeper.
 
 **Blank-line preservation:** A single blank line between steps inside a workflow or rule body is preserved — use it for visual grouping of related calls. Multiple consecutive blank lines are collapsed to one; trailing blank lines before `}` are removed. This applies to all block-level steps (calls, `log`, `const`, `if`, etc.).
 
 **Top-level ordering:** The formatter hoists `import`, `config`, and `channel` declarations to the top of the file (in that order, preserving source order within each group). All other top-level definitions — `const`, `rule`, `script`, `workflow`, and `test` blocks — keep their original relative order from the source file. Comments immediately before an `import`, `config`, or `channel` move with that construct when hoisted; comments before non-hoisted definitions stay in place.
 
 ```bash
-jaiph format [--check] [--indent <n>] <file.jh ...>
+jaiph format [--check] [--indent <n>] <path.jh ...>
 ```
 
-One or more `.jh` file paths are required. Non-`.jh` files are rejected. If a file cannot be parsed, the command exits immediately with status 1 and a parse error on stderr.
+One or more file paths are required (each path must end with `.jh`, e.g. `flow.jh` or `e2e/flow.test.jh`). Paths that do not end with `.jh` are rejected. If a file cannot be parsed, the command exits immediately with status 1 and a parse error on stderr.
 
 **Flags:**
 
@@ -303,8 +326,7 @@ jaiph init [workspace-path]
 Creates:
 
 - `.jaiph/.gitignore` — lists `runs` and `tmp`. If the file already exists and does not match this exact list, `jaiph init` exits with a non-zero status.
-- `.jaiph/bootstrap.jh` — canonical bootstrap workflow; made executable. The template uses a triple-quoted multiline prompt body (`prompt """ ... """`) so the generated file parses and compiles as valid Jaiph. It also asks the agent to review/update `.jaiph/Dockerfile` for this repository and ends by logging a summary (`WHAT CHANGED` + `WHY`).
-- `.jaiph/Dockerfile` — canonical Docker sandbox template generated by init. It uses `ubuntu:latest`, installs standard utilities, Node.js LTS, Claude Code CLI, cursor-agent, then installs Jaiph via `curl -fsSL https://jaiph.org/install | bash`. If the file is missing, init creates it. If it already exists and includes the init marker comment, init updates it to the latest template. Otherwise (custom user-managed Dockerfile), init leaves it unchanged and prints a note.
+- `.jaiph/bootstrap.jh` — canonical bootstrap workflow; made executable. The template uses a triple-quoted multiline prompt body (`prompt """ ... """`) so the generated file parses and compiles as valid Jaiph. It asks the agent to scaffold workflows under `.jaiph/` and ends by logging a summary (`WHAT CHANGED` + `WHY`). Docker sandboxing uses the default `ghcr.io/jaiphlang/jaiph-runtime` image unless you set `runtime.docker_image` or `JAIPH_DOCKER_IMAGE`.
 - `.jaiph/SKILL.md` — copied from the skill file bundled with your Jaiph installation (or from `JAIPH_SKILL_PATH` when set). If no skill file is found, this file is not written and a note is printed.
 
 ## `jaiph install`
@@ -371,7 +393,7 @@ jaiph use <version|nightly>
 
 ```bash
 jaiph use nightly
-jaiph use 0.9.2
+jaiph use 0.9.3
 ```
 
 ## File extension
@@ -387,7 +409,7 @@ These variables apply to `jaiph run` and workflow execution. Variables marked **
 **Internal variables:**
 
 - `JAIPH_META_FILE` — path to the metadata file the CLI writes under the build output directory; the workflow runner reads it after exit. Set by the launcher on the child process; `resolveRuntimeEnv` removes any inherited value from the parent.
-- `JAIPH_RUN_DIR`, `JAIPH_RUN_ID`, `JAIPH_RUN_SUMMARY_FILE` — set by `NodeWorkflowRuntime` to the run directory, stable run UUID, and `run_summary.jsonl` path.
+- `JAIPH_RUN_DIR`, `JAIPH_RUN_ID`, `JAIPH_RUN_SUMMARY_FILE` — `JAIPH_RUN_ID` is generated by the host CLI as a UUID per `jaiph run` invocation and forwarded to the runtime (and into the Docker container when sandboxed). The runtime uses this value as the workflow run identifier; if unset, the runtime generates its own UUID. `JAIPH_RUN_DIR` and `JAIPH_RUN_SUMMARY_FILE` are set by `NodeWorkflowRuntime` to the run directory and `run_summary.jsonl` path.
 - `JAIPH_SOURCE_FILE` — set automatically by the CLI to the entry file basename. Used to name run directories.
 
 **Workspace and run paths:**
@@ -418,14 +440,17 @@ These variables apply to `jaiph run` and workflow execution. Variables marked **
 - `JAIPH_NON_TTY_HEARTBEAT_FIRST_SEC` — seconds before the first heartbeat (default: `60`).
 - `JAIPH_NON_TTY_HEARTBEAT_INTERVAL_MS` — minimum milliseconds between subsequent heartbeats (default: `30000`; minimum `250`).
 
-**Docker sandbox:**
+**Docker sandbox** (`jaiph run` only — see [Sandboxing](sandboxing.md)):
+
+- **`JAIPH_UNSAFE`** — set to `true` to **disable** Docker when `JAIPH_DOCKER_ENABLED` is **unset** (run on the host). This is the supported “no container” escape hatch.
+- **`JAIPH_DOCKER_ENABLED`** — when set, must be exactly `true` to force Docker on, or any other value to force Docker **off**. When **unset**, Docker follows the unsafe rule above (on by default unless `JAIPH_UNSAFE=true`). `CI=true` does **not** change this default.
+- **`JAIPH_DOCKER_IMAGE`** — Docker image (overrides in-file `runtime.docker_image`). The image must already contain a `jaiph` binary; otherwise the run fails with `E_DOCKER_NO_JAIPH`. Defaults to the official GHCR runtime image (`ghcr.io/jaiphlang/jaiph-runtime:<version>`).
+- **`JAIPH_DOCKER_NETWORK`** — Docker network mode (overrides in-file `runtime.docker_network`).
+- **`JAIPH_DOCKER_TIMEOUT`** — execution timeout in seconds (overrides in-file `runtime.docker_timeout_seconds`).
 
-- `JAIPH_DOCKER_ENABLED` — set to `true` to enable Docker sandbox (overrides in-file `runtime.docker_enabled`).
-- `JAIPH_DOCKER_IMAGE` — Docker image for sandbox (overrides in-file `runtime.docker_image`).
-- `JAIPH_DOCKER_NETWORK` — Docker network mode (overrides in-file `runtime.docker_network`).
-- `JAIPH_DOCKER_TIMEOUT` — execution timeout in seconds (overrides in-file `runtime.docker_timeout`).
+In-file `runtime.docker_enabled` is **not** supported (parse error); use the variables above instead.
 
-For `JAIPH_DOCKER_*` defaults, image selection, mounts, and container behavior, see [Sandboxing](sandboxing.md).
+For overlay vs copy workspace mode, mounts, and stderr wiring, see [Sandboxing](sandboxing.md).
 
 ### Install and `jaiph use`
 
diff --git a/docs/configuration.md b/docs/configuration.md
index 7fa5b25e..edce69b0 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -7,9 +7,11 @@ redirect_from:
 
 # Configuration
 
-Jaiph separates **what runs** (your `.jh` graphs) from **how the host runs it** (models, paths, sandboxes, logging). Operational settings live in **configuration** so the same `.jh` sources work unchanged across machines and CI.
+When you need the same workflow sources to behave differently on different machines, you separate **what the graph does** (rules, `prompt` / `script` / `run`, channels) from **operational knobs**: which LLM backend to use, where to write run logs, how inbox dispatch behaves, and how the CLI chooses host vs. Docker. Jaiph keeps the language stable and pushes those choices into **configuration** — in-file `config` blocks, environment variables, and defaults in the tool.
 
-All execution goes through the Node workflow runtime (`NodeWorkflowRuntime`), which interprets the AST, runs `prompt` and `script` steps, and handles channels, inbox dispatch, and artifacts (see [Architecture](architecture)). Configuration tunes this stack — agent backend, runs directory, Docker sandbox, inbox parallelism — without touching control flow.
+All execution is interpreted by the Node workflow runtime (`NodeWorkflowRuntime`): the AST, managed scripts, prompts, channels, inbox, and `.jaiph/runs` artifacts (see [Architecture](architecture.md)). Configuration only adjusts that stack; it does not change the workflow language or the compile graph.
+
+`jaiph compile` and `buildScripts()` use the same parser, so **unknown `config` keys and wrong value types** fail with deterministic parse errors. Runtime graph loading is parse-only; **compile-time** validation of references runs in the transpile path, not in `buildRuntimeGraph()` (see [Architecture — Summary](architecture.md#summary)).
 
 **Source of truth:** When this document and the implementation disagree, treat the source code as authoritative.
 
@@ -17,7 +19,7 @@ All execution goes through the Node workflow runtime (`NodeWorkflowRuntime`), wh
 
 Jaiph provides three configuration mechanisms. When the same key is set in more than one place, the highest-priority source wins:
 
-1. **Environment variables** — highest priority. `JAIPH_AGENT_*`, `JAIPH_RUNS_DIR`, `JAIPH_DEBUG`, `JAIPH_INBOX_PARALLEL`, and `JAIPH_DOCKER_*`.
+1. **Environment variables** — highest priority. Includes `JAIPH_AGENT_*`, `JAIPH_RUNS_DIR`, `JAIPH_DEBUG`, `JAIPH_INBOX_PARALLEL`, `JAIPH_DOCKER_ENABLED`, other `JAIPH_DOCKER_*`, and `JAIPH_UNSAFE` (for Docker on/off, see [Sandboxing — Enabling Docker](sandboxing.md#enabling-docker)). Docker **enablement** is only controlled here — there is no `runtime.*` in-file key for that (removed; using it is a parse error with a migration message).
 2. **In-file `config { ... }` blocks** — at module scope and optionally inside a `workflow` body.
 3. **Built-in defaults** — lowest priority, used when nothing else sets a value.
 
@@ -25,13 +27,15 @@ For **agent and run keys**, the full precedence chain is:
 
 > **environment > workflow-level config > module-level config > defaults**
 
-For **Docker / `runtime.*` keys**, the same idea applies (environment overrides in-file), but these are resolved by the `jaiph run` CLI at launch time. They cannot appear in workflow-level `config` blocks. See [Runtime keys](#runtime-keys-docker-sandbox--beta).
+For **`runtime.*` (image, network, timeout)**, the CLI merges at **`jaiph run` launch** — not inside `NodeWorkflowRuntime` — in the order **`JAIPH_DOCKER_*` environment > in-file `runtime.*` > defaults** (and separately: Docker on/off is env-only, see above and [Precedence in detail](#precedence-in-detail)). `runtime.*` cannot appear in workflow-level `config` blocks.
 
 ## In-file config blocks
 
 ### Module-level config
 
-Place a `config { ... }` block in the **entry** workflow file (the path passed to `jaiph run`). It is optional and applies to every workflow in that file unless a workflow provides its own overrides.
+Each `*.jh` file may have **at most one** module-level `config { ... }` block. It is optional. Settings apply to all workflows in **that** file, unless a workflow has its own block.
+
+**`jaiph run`:** the CLI reads **only the entry file’s** module `config` when it builds the initial process environment via `resolveRuntimeEnv` (before spawning the workflow runner or Docker). Imported modules’ module-level `config` is not merged into that first env snapshot — but the runtime still applies per-module and workflow `config` from the [import graph](architecture.md#summary) when you enter a workflow, run a nested `run` in the same module, or `ensure` a rule (see [Scoping across nested calls](#scoping-across-nested-calls)). **Cross-module** `run` and **same-module** `ensure` are special cases, explained there.
 
 ```jh
 config {
@@ -55,7 +59,7 @@ workflow default() {
 
 **Syntax rules:**
 
-- The opening line must be exactly `config {` (optional whitespace around tokens, nothing else).
+- The opening line is `config` and `{` with only optional whitespace between them (and nothing else on that line before `{`).
 - One module-level config block per file. A duplicate causes `E_PARSE`: `duplicate config block (only one allowed per file)`.
 - May appear at any position among top-level constructs; convention is near the top.
 - Unknown keys cause `E_PARSE` and list the allowed keys. Wrong value types also cause `E_PARSE`.
@@ -70,6 +74,12 @@ config {
   agent.default_model = "gpt-3.5"
 }
 
+script noop = `true`
+
+rule some_rule() {
+  run noop()
+}
+
 workflow fast_check() {
   config {
     agent.backend = "claude"
@@ -87,7 +97,7 @@ workflow default() {
 **Rules:**
 
 - At most one per workflow; it must be the first non-comment construct in the body. A duplicate is `E_PARSE`: `duplicate config block inside workflow (only one allowed per workflow)`.
-- Only **`agent.*` and `run.*` keys** are allowed. Any `runtime.*` key is `E_PARSE`.
+- Only **`agent.*` and `run.*` keys** are allowed. Any `runtime.*` or `module.*` key is `E_PARSE`.
 - Workflow-level values apply to all steps in that workflow, including `ensure`d rules and scripts called from it. When the workflow finishes, the previous environment is restored.
 
 **Sibling isolation:** Each workflow gets its own clone of the parent environment. Sibling workflows never see each other's config — even when they execute sequentially. If workflow `alpha` sets `agent.backend = "claude"` and workflow `beta` only sets `agent.default_model = "beta-model"`, `beta` still sees the module-level backend (e.g. `"cursor"`), not `alpha`'s.
@@ -99,18 +109,7 @@ workflow default() {
 | String | Double-quoted | `"gpt-4"` |
 | Boolean | Unquoted `true` / `false` | `true` |
 | Integer | Unsigned decimal digits only | `300` |
-| String array | `[` on the `=` line, one quoted string per line, then `]` | See below |
-
-Recognized escapes inside strings: `\\`, `\n`, `\t`, `\"`. Trailing commas and `#` comments are allowed inside arrays. An empty array (`key = []` on one line) is valid.
-
-```jh
-config {
-  runtime.workspace = [
-    ".:/jaiph/workspace:rw",
-    "config:config:ro"    # read-only config mount
-  ]
-}
-```
+Recognized escapes inside strings: `\\`, `\n`, `\t`, `\"`.
 
 ## Config keys reference
 
@@ -136,20 +135,44 @@ These control runtime behavior unrelated to the agent.
 | `run.logs_dir` | string | `.jaiph/runs` | `JAIPH_RUNS_DIR` | Step log directory. Relative paths are joined with the workspace root; absolute paths are used as-is. |
 | `run.debug` | boolean | `false` | `JAIPH_DEBUG` | Enables debug tracing for the run. |
 | `run.inbox_parallel` | boolean | `false` | `JAIPH_INBOX_PARALLEL` | Dispatch inbox route targets concurrently. See [Inbox — Parallel dispatch](inbox.md#parallel-dispatch). |
+| `run.recover_limit` | integer | `10` | _(no env override)_ | Maximum number of retry attempts for `run … recover` loops before the step fails. See [Language — `recover`](language.md#recover--repair-and-retry-loop). |
+
+### Module keys
+
+Optional descriptive metadata about the workflow module. These are informational only — they do not affect agent, run, or runtime behavior. Future features (e.g. MCP tool metadata) may consume them.
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| `module.name` | string | _(unset)_ | Human-readable name for this module. |
+| `module.version` | string | _(unset)_ | Version string (no validation — any quoted string is accepted). |
+| `module.description` | string | _(unset)_ | Short description of what this module does. |
+
+Module keys can only appear in **module-level** config blocks. Any `module.*` key inside a workflow-level config is `E_PARSE`.
+
+```jh
+config {
+  module.name = "deploy-pipeline"
+  module.version = "2.0.0"
+  module.description = "Production deployment with rollback"
+  agent.backend = "claude"
+}
+
+workflow default() {
+  log "deploying..."
+}
+```
 
 ### Runtime keys (Docker sandbox — beta)
 
 These configure Docker sandboxing. Unlike agent and run keys, runtime keys are resolved by the `jaiph run` CLI at launch — not by the workflow runtime. They can only appear in **module-level** config blocks (not workflow-level).
 
-> Docker sandboxing is in **beta**. See [Sandboxing](sandboxing.md) for mounts, workspace layout, Dockerfile detection, env forwarding, path remapping, and container behavior.
+> Docker sandboxing is in **beta**. See [Sandboxing](sandboxing.md) for mounts, workspace layout, env forwarding, path remapping, and container behavior.
 
 | Key | Type | Default | Env variable | Description |
 |-----|------|---------|--------------|-------------|
-| `runtime.docker_enabled` | boolean | `false` | `JAIPH_DOCKER_ENABLED` | Enable Docker for this run. |
-| `runtime.docker_image` | string | `node:20-bookworm` | `JAIPH_DOCKER_IMAGE` | Image name. When unset, Jaiph builds from `.jaiph/Dockerfile` if it exists, otherwise uses the default. |
+| `runtime.docker_image` | string | `ghcr.io/jaiphlang/jaiph-runtime:<version>` | `JAIPH_DOCKER_IMAGE` | Image name. Must already contain `jaiph`. When unset, uses the official GHCR image tag matching the installed jaiph version. For a custom image, build and push (or tag locally), then set this key or `JAIPH_DOCKER_IMAGE`. |
 | `runtime.docker_network` | string | `default` | `JAIPH_DOCKER_NETWORK` | Docker network mode. |
-| `runtime.docker_timeout` | integer | `300` | `JAIPH_DOCKER_TIMEOUT` | Timeout in seconds. Invalid or unparsable values fall back to the default. |
-| `runtime.workspace` | string[] | `[".:/jaiph/workspace:rw"]` | _(no env override)_ | Mount list. Only settable via in-file config or defaults. |
+| `runtime.docker_timeout_seconds` | integer | `3600` | `JAIPH_DOCKER_TIMEOUT` | Timeout in seconds (default one hour). Use `0` to disable. An invalid or negative **environment** value aborts the run with `E_DOCKER_TIMEOUT` (no silent fallback). In-file must be a non-negative integer. |
 
 ## Precedence in detail
 
@@ -162,7 +185,7 @@ For **agent and run keys**, resolution order (highest wins):
 3. **Module-level `config`** — applies to workflows that don't define their own block.
 4. **Built-in defaults.**
 
-For **Docker / `runtime.*` keys**, the `jaiph run` driver merges **`JAIPH_DOCKER_*` env > module-level `runtime.*` > defaults**. Mounts (`runtime.workspace`) are never taken from env. Workflow-level config cannot set runtime keys.
+For **Docker enablement**, the `jaiph run` driver uses **`JAIPH_DOCKER_ENABLED` env > unsafe default rule** (env only; `runtime.docker_enabled` is no longer supported). The default rule enables Docker unless `JAIPH_UNSAFE=true` is set; `CI=true` no longer disables Docker (see [Sandboxing — Enabling Docker](sandboxing.md#enabling-docker)). For other `runtime.*` keys (image, network, timeout), the merge is **`JAIPH_DOCKER_*` env > module-level `runtime.*` > defaults**. Workflow-level config cannot set runtime keys.
 
 ### Locked variables
 
@@ -262,10 +285,10 @@ The codex backend streams responses from the OpenAI API and supports structured
 When a `prompt` step runs, Jaiph resolves the effective model using this order:
 
 1. **Explicit model** — `agent.default_model` / `JAIPH_AGENT_MODEL` is set and non-empty → use it.
-2. **Flags model** — `--model <name>` is found inside the backend-specific flags (`agent.cursor_flags` or `agent.claude_flags`) → use it.
-3. **Backend default** — no model specified anywhere → the backend CLI auto-selects its own default model.
+2. **Flags model** — for **cursor** and **claude**, `--model <name>` is found inside the corresponding flags (`agent.cursor_flags` or `agent.claude_flags`) → use it. **Codex** has no flag channel for the model; only step 1 or 3 apply.
+3. **Backend default** — **cursor** and **claude** use each CLI’s default when nothing else picks a model. **Codex** defaults to `gpt-4o` in code when no explicit model is set (see [Codex setup](#codex-setup)).
 
-`agent.default_model` works for **both** backends. For the Claude backend, when `agent.default_model` is set and `agent.claude_flags` does not already contain `--model`, Jaiph passes `--model <value>` to the Claude CLI automatically. If both are set, the value in `agent.claude_flags` takes precedence (it is appended last).
+`agent.default_model` applies to **cursor**, **claude**, and **codex**. For the **Claude** backend, when `agent.default_model` is set and `agent.claude_flags` does not already contain `--model`, Jaiph passes `--model <value>` to the Claude CLI automatically. If both are set, the value in `agent.claude_flags` takes precedence (it is appended last).
 
 **Diagnostics.** Every prompt step records the resolved model in `PROMPT_START` and `PROMPT_END` events in `run_summary.jsonl`:
 
@@ -279,9 +302,9 @@ The `model_reason` field is one of: `explicit` (from `agent.default_model`), `fl
 
 ## Testing with `jaiph test`
 
-The test harness does **not** call `resolveRuntimeEnv` — it constructs a minimal env (`process.env` plus `JAIPH_TEST_MODE`, `JAIPH_WORKSPACE`, `JAIPH_RUNS_DIR`, `JAIPH_SCRIPTS`, and mock variables). CLI-side defaults and lock flags are not available in tests.
+`jaiph test` never calls `resolveRuntimeEnv`. For a `test_run_workflow` step, the test runner builds a child `env` by **spreading `process.env`**, then sets `JAIPH_TEST_MODE`, `JAIPH_WORKSPACE`, `JAIPH_RUNS_DIR` (an ephemeral test path), `JAIPH_SCRIPTS`, and mock fields (`JAIPH_MOCK_RESPONSES_FILE` and/or `JAIPH_MOCK_DISPATCH_SCRIPT`) as needed. There is no CLI pass that pre-merges in-file `config` into that env; **`JAIPH_*_LOCKED` flags are not set** unless you export them in the parent environment yourself.
 
-When a `test_run_workflow` step runs, `NodeWorkflowRuntime` still applies module and workflow metadata via `applyMetadataScope` (same merge rules for non-locked keys). For predictable agent settings in tests, set `JAIPH_AGENT_*` / `JAIPH_RUNS_DIR` / etc. in the environment, or use `config` in the module that defines the workflow under test.
+`NodeWorkflowRuntime` still layers module- and workflow-level in-file `config` with `applyMetadataScope` (same `*_LOCKED` rules: metadata wins only when the key is not locked in the current env). To pin agent settings in CI, set `JAIPH_AGENT_*` / `JAIPH_RUNS_DIR` / `JAIPH_DEBUG` in the environment, and/or keep `config` in the `.jh` module that defines the workflow you exercise. Note: `jaiph run`’s `resolveRuntimeEnv` resolves `agent.trusted_workspace` to an absolute path against the workspace; **metadata-only** merging uses the in-file string as given — for tests, a relative `agent.trusted_workspace` may end up in `JAIPH_AGENT_TRUSTED_WORKSPACE` as-is, so set an absolute path in env or config if you need parity with a normal run.
 
 ## Config-to-env mapping
 
@@ -298,11 +321,13 @@ Quick reference for all in-file keys and their environment variable equivalents:
 | `run.logs_dir` | `JAIPH_RUNS_DIR` |
 | `run.debug` | `JAIPH_DEBUG` |
 | `run.inbox_parallel` | `JAIPH_INBOX_PARALLEL` |
-| `runtime.docker_enabled` | `JAIPH_DOCKER_ENABLED` |
+| `run.recover_limit` | _(no env override)_ |
 | `runtime.docker_image` | `JAIPH_DOCKER_IMAGE` |
 | `runtime.docker_network` | `JAIPH_DOCKER_NETWORK` |
-| `runtime.docker_timeout` | `JAIPH_DOCKER_TIMEOUT` |
-| `runtime.workspace` | _(no env override)_ |
+| `runtime.docker_timeout_seconds` | `JAIPH_DOCKER_TIMEOUT` |
+| `module.name` | _(no env override)_ |
+| `module.version` | _(no env override)_ |
+| `module.description` | _(no env override)_ |
 
 ## Inspecting effective config at runtime
 
@@ -314,8 +339,10 @@ workflow default() {
 }
 ```
 
+The runtime also sets `JAIPH_ARTIFACTS_DIR` — the absolute path to the writable artifacts directory for the current run (`.jaiph/runs/<run_id>/artifacts/` on the host, `/jaiph/run/artifacts` inside the Docker sandbox). The `jaiphlang/artifacts` library reads this variable; you can also use it directly in scripts. See [Libraries — `jaiphlang/artifacts`](libraries.md#jaiphlangartifacts--publishing-files-out-of-the-sandbox).
+
 `JAIPH_DOCKER_*` variables are **not** populated from in-file `runtime.*` inside the workflow runner process. Docker is configured when the CLI spawns the runner (or container). If you need Docker-related variables inside a `script` step, export them yourself or inherit them from the parent shell.
 
 ## Created by `jaiph init`
 
-`jaiph init` creates `.jaiph/bootstrap.jh`, `.jaiph/Dockerfile`, and writes `.jaiph/SKILL.md` from the skill file bundled with your installation (see `JAIPH_SKILL_PATH` in the CLI reference). It does not add a separate config file — use `config { ... }` in your workflow sources.
+`jaiph init` creates `.jaiph/bootstrap.jh` and writes `.jaiph/SKILL.md` from the skill file bundled with your installation (see `JAIPH_SKILL_PATH` in the CLI reference). It does not add a separate config file — use `config { ... }` in your workflow sources.
diff --git a/docs/contributing.md b/docs/contributing.md
index ccf9e89a..589848b5 100644
--- a/docs/contributing.md
+++ b/docs/contributing.md
@@ -7,7 +7,7 @@ redirect_from:
 
 # Contributing to Jaiph
 
-Open-source projects depend on clear repo conventions: how to build, test, and propose changes. **This page is that map for Jaiph** — branches, installing from a clone, code philosophy, **test strategy** (layers, TypeScript layout, E2E philosophy, bash harness), and CI. It does **not** teach the language; for that, use [Getting Started](getting-started.md) (documentation map), [Setup](setup.md) (install and workspace), and [Grammar](grammar.md). For **how the implementation is structured** (components, build pipeline, runtime contracts, artifact paths on disk), see [Architecture](architecture).
+A shared workflow needs shared expectations: which branch to target, how to build from a clone, and what evidence a change should carry. **This page is that contract for Jaiph** — branching, local install, code and testing philosophy, the layered test stack (TypeScript, txtar, goldens, bash E2E), and what CI enforces. It does **not** teach the language; for that, use [Getting Started](getting-started.md) (documentation map), [Setup](setup.md) (install and workspace), and [Grammar](grammar.md). For **how the implementation is structured** (components, compile and run pipelines, `buildRuntimeGraph` vs validation, runtime contracts, artifact paths), use [Architecture](architecture.md) as the source of truth.
 
 ## Branching and pull requests
 
@@ -46,20 +46,35 @@ For day-to-day work on the compiler and CLI you usually stay inside the clone: i
 | Command | What it runs |
 |---------|----------------|
 | `npm install` | Installs TypeScript and types (dev dependencies). |
-| `npm run build` | Runs `tsc`, then copies **`src/runtime`** → **`dist/src/runtime`** (kernel JS for the compiled CLI). |
+| `npm run build` | Runs `tsc`, then copies **`src/runtime`** → **`dist/src/runtime`** (kernel JS for the compiled CLI) and **`runtime/overlay-run.sh`** → **`dist/src/runtime/overlay-run.sh`** (Docker overlay entrypoint). |
 | `npm run build:standalone` | `npm run build`, then copies **`dist/src/runtime`** → **`dist/runtime`** and runs **`bun build --compile`** on `src/cli.ts` → **`dist/jaiph`**. Requires [Bun](https://bun.sh). Ship the **`dist/`** tree (binary plus the runtime directory) for a self-contained layout. |
-| `npm test` | **`npm run clean`**, then **`npm run build`**, then the Node.js test runner with **`NODE_OPTIONS`** including **`--enable-source-maps`** (and a large heap limit) on `dist/test/*.test.js`, every file under `dist/src/` matching `*.test.js` or `*.acceptance.test.js` (via `find`), `dist/src/compiler-test-runner.js` (txtar compiler tests), and `dist/src/golden-ast-runner.js` (golden AST tests). |
+| `npm test` | **`npm run clean`**, then **`npm run build`**, then the Node.js test runner with **`JAIPH_UNSAFE=true`**, **`NODE_OPTIONS`** including **`--enable-source-maps`** and a large heap limit, on `dist/test/*.test.js`, every file under `dist/src/` matching `*.test.js` or `*.acceptance.test.js` (via `find`), `dist/src/compiler-test-runner.js` (txtar compiler tests), and `dist/src/golden-ast-runner.js` (golden AST tests). |
 | `npm run test:compiler` | **`npm run build`**, then **`node --test`** on `dist/src/compiler-test-runner.js` — runs txtar-based compiler test fixtures from `compiler-tests/`. |
 | `npm run test:golden-ast` | **`npm run build`**, then **`node --test`** on `dist/src/golden-ast-runner.js` — runs golden AST tests from `golden-ast/`. Use `UPDATE_GOLDEN=1 npm run test:golden-ast` to regenerate goldens after intentional parser changes. |
 | `npm run test:acceptance:compiler` | **`npm run build`**, then **`node --test`** on only `dist/src/**/*.acceptance.test.js` — compiler acceptance tests without the full unit suite or E2E. |
 | `npm run test:acceptance:runtime` | **`bash ./e2e/test_all.sh`** only — same E2E driver as below **without** an implicit rebuild; ensure `dist/` is up to date before running. |
 | `npm run test:acceptance` | **`npm run test:acceptance:compiler`** then **`npm run test:acceptance:runtime`**. |
-| `npm run test:e2e` | **`npm run build`**, then **`bash ./e2e/test_all.sh`**. Prefer this when you want a fresh `dist/` before E2E. |
+| `npm run test:e2e` | **`npm run build`**, then **`bash ./e2e/test_all.sh`**. Prefer this when you want a fresh `dist/` before E2E. By default this exercises the **Docker** sandbox when `JAIPH_UNSAFE` is unset. For a faster host-only run (no container), use **`JAIPH_UNSAFE=true npm run test:e2e`**. |
 | `npm run test:samples` | **`npx playwright test`** — Playwright suite for the docs landing page (`tests/e2e-samples/`). Uses `http://127.0.0.1:4000` (see `playwright.config.ts`); starts Jekyll via `webServer` or reuses one already on that port. Requires Playwright (`npx playwright install chromium` once). |
 | `npm run test:ci` | `npm test` followed by `npm run test:e2e` — useful before pushing when you want the full local picture. |
 
 Run a single Node test file after a build with e.g. `node --test dist/src/parse/parse-core.test.js`. The `dist/` paths mirror the source layout under `src/`.
 
+## Workspace hygiene
+
+The root `.gitignore` blocks common debug and temp directory patterns so they never reach version control:
+
+| Pattern | Purpose |
+|---------|---------|
+| `docker-*/` | Leftover Docker debug/experiment directories |
+| `nested-*/` | Nested-run debug directories |
+| `overlay-*/` | Overlay/fuse debug directories |
+| `local-*/` | Local debug directories |
+| `.tmp*/` | Temp build/debug directories |
+| `QUEUE.md.tmp.*` | Stale queue temp files |
+
+If you create throwaway directories during development, use one of these prefixes so they are automatically ignored. To track a file that matches a blocked pattern, use `git add -f`.
+
 ## Code philosophy
 
 Jaiph's codebase is maintained by both humans and AI agents. Code should be easy to read, navigate, and modify for both — which means the same thing: straightforward, flat, and explicit.
@@ -83,18 +98,19 @@ Jaiph uses several test layers. Each layer catches a different class of bug. Use
 | **Module tests** | `src/**/*.test.ts` (colocated) | Bugs in pure functions (event parsing, param formatting, path resolution, config merging) | The function is self-contained, takes input and returns output, no I/O |
 | **Compiler acceptance tests** | `src/transpile/*.acceptance.test.ts` (colocated) | Cross-module compiler behavior: validation errors, resolution, and other cases that need a temp project tree or subprocess | You need a deterministic error string, multi-file `buildScripts`, or behavior that does not fit a tiny golden snippet |
 | **Compiler golden tests** | `src/transpile/compiler-golden.test.ts` (colocated) | Regressions in the parser, validation messages, and scripts-only extraction (`buildScriptFiles` in `emit-script.ts`) — expectations are inline in the test file | You changed the parser, validator, or script extraction and need to lock an exact error string, extracted script shape, or corpus behavior |
-| **Compiler tests (txtar)** | `compiler-tests/*.txt` | Parse and validate outcomes — success, parse errors, validation errors — using language-agnostic txtar fixtures (200 cases across 4 fixture files) | You want a portable test case that can be reused by alternative compiler implementations; the test is a `.jh` input paired with an expected outcome |
-| **Golden AST tests** | `golden-ast/fixtures/*.jh` + `golden-ast/expected/*.json` | Parse tree shape for successful parses — serialized to deterministic JSON with locations stripped (8 fixtures covering catch, imports, log, match, params, prompt-capture, run-ensure, script-defs) | You changed the parser and need to verify the AST structure hasn't drifted; txtar tests only check pass/fail, goldens lock in the actual tree shape |
+| **Compiler tests (txtar)** | `compiler-tests/*.txt` | Parse and validate outcomes — success, parse errors, validation errors — using language-agnostic txtar fixtures (hundreds of `===` cases across the four `*.txt` files) | You want a portable test case that can be reused by alternative compiler implementations; the test is a `.jh` input paired with an expected outcome |
+| **Golden AST tests** | `golden-ast/fixtures/*.jh` + `golden-ast/expected/*.json` | Parse tree shape for successful parses — serialized to deterministic JSON with locations stripped (9 fixtures: e.g. imports, brace-if, log, match and match-multiline, params, prompt-capture, run-ensure, script-defs) | You changed the parser and need to verify the AST structure hasn't drifted; txtar tests only check pass/fail, goldens lock in the actual tree shape |
 | **Cross-cutting tests** | `test/*.test.ts` | Process-level integration behavior: signal handling, TTY rendering, run summary structure, sample builds | The test spans multiple modules or requires subprocess/PTY harnesses |
 | **E2E tests** | `e2e/tests/*.sh` | Runtime behavior — does the workflow actually execute correctly end-to-end? | The behavior involves the CLI launcher, Node runtime, process lifecycle, or file artifacts |
 
 ### Key principles
 
-1. **Tests are behavior contracts.** E2E tests and acceptance tests define what the product does. Default approach: change production code to satisfy tests, not the other way around.
-2. **Modify existing tests only with a strong reason:** intentional product behavior change, incorrect test expectation, or removal of an obsolete feature. Any such change should be minimal and paired with a clear rationale.
-3. **Golden tests are the compiler's safety net.** After transpiler changes, run `npm test`. Failures in `src/transpile/compiler-golden.test.ts` usually mean updating an explicit expected string or fixture in that file — there is no separate dump script; align expectations with intentional emitter changes and re-run `npm test`. **Golden AST tests** (`golden-ast/`) complement this by locking in the parse tree shape — if those fail, regenerate with `UPDATE_GOLDEN=1 npm run test:golden-ast` and review the diff.
-4. **E2E tests assert two things independently:** what the user sees (CLI tree output via `e2e::expect_stdout`) and what the runtime persists (artifact files via `e2e::expect_out`, `e2e::expect_file`). A bug could break one without the other.
-5. **Prefer the narrowest test layer.** A pure function bug should be caught by a unit test, not an E2E test. E2E tests are expensive to run and hard to debug — reserve them for integration-level behavior.
+1. **Compile-time validation vs graph loading.** `buildScripts` / `emitScriptsForModule` run **`validateReferences`** before any script files are written. **`buildRuntimeGraph()`** only parses modules and follows imports — it does **not** re-run that validation. Lock compile errors in the compiler/validator tests; the runtime graph is the wrong layer for that (see [Architecture — Transpiler / Node workflow runtime](architecture.md#core-components)).
+2. **Tests are behavior contracts.** E2E tests and acceptance tests define what the product does. Default approach: change production code to satisfy tests, not the other way around.
+3. **Modify existing tests only with a strong reason:** intentional product behavior change, incorrect test expectation, or removal of an obsolete feature. Any such change should be minimal and paired with a clear rationale.
+4. **Golden tests are the compiler's safety net.** After transpiler changes, run `npm test`. Failures in `src/transpile/compiler-golden.test.ts` usually mean updating an explicit expected string or fixture in that file — there is no separate dump script; align expectations with intentional emitter changes and re-run `npm test`. **Golden AST tests** (`golden-ast/`) complement this by locking in the parse tree shape — if those fail, regenerate with `UPDATE_GOLDEN=1 npm run test:golden-ast` and review the diff.
+5. **E2E tests assert two things independently:** what the user sees (CLI tree output via `e2e::expect_stdout`) and what the runtime persists (artifact files via `e2e::expect_out`, `e2e::expect_file`). A bug could break one without the other.
+6. **Prefer the narrowest test layer.** A pure function bug should be caught by a unit test, not an E2E test. E2E tests are expensive to run and hard to debug — reserve them for integration-level behavior.
 
 ### TypeScript test layout
 
@@ -111,47 +127,18 @@ Module tests live next to the source files they validate, inside the same `src/`
 find src -type f \( -name '*.test.ts' -o -name '*.acceptance.test.ts' \) | sort
 ```
 
-The table below is the inventory as of this writing; after large refactors, prefer the `find` command above over assuming this list is exhaustive.
-
-| Test file | Source / focus |
-|-----------|----------------|
-| `src/cli/commands/format-params-display.test.ts` | `format-params.ts` — parameter display helpers |
-| `src/cli/run/display.test.ts` | `display.ts` — `colorize`, progress line formatting |
-| `src/cli/run/events.test.ts` | `events.ts` — `parseLogEvent`, `parseStepEvent` for `__JAIPH_EVENT__` JSON lines |
-| `src/cli/run/hooks.test.ts` | `hooks.ts` — hook discovery, merge, `runHooksForEvent` |
-| `src/cli/run/lifecycle.test.ts` | `lifecycle.ts` — `waitForRunExit` and child exit handling |
-| `src/cli/run/non-tty-heartbeat.test.ts` | Non-TTY runs — long-step heartbeat line shape |
-| `src/cli/run/resolve-env.test.ts` | `env.ts` — workspace resolution, config defaults, env precedence |
-| `src/cli/run/stderr-handler.test.ts` | `stderr-handler.ts` — TTY subscriber / stderr routing |
-| `src/cli/shared/errors.test.ts` | `errors.ts` — `summarizeError`, failure metadata |
-| `src/cli/shared/paths.test.ts` | `paths.ts` — `detectWorkspaceRoot` |
-| `src/parse/parse-core.test.ts` | `core.ts` — low-level parse helpers (`stripQuotes`, `isRef`, brace depth, `fail`, …) |
-| `src/parse/parse-definitions.test.ts` | Parser — invalid `rule` / `script` / `workflow` declarations and fix hints |
-| `src/parse/parse-env.test.ts` | `env.ts` — env declaration parsing |
-| `src/parse/parse-imports.test.ts` | `imports.ts` — import lines, aliases, errors |
-| `src/parse/parse-metadata.test.ts` | `metadata.ts` — config block parsing |
-| `src/parse/parse-run-async.test.ts` | Parser — `run async` workflow steps |
-| `src/runtime/docker.test.ts` | `docker.ts` — mounts, `buildDockerArgs` |
-| `src/runtime/kernel/emit.test.ts` | `emit.ts` — `__JAIPH_EVENT__` JSON and `run_summary.jsonl` append |
-| `src/runtime/kernel/graph.test.ts` | `graph.ts` — `buildRuntimeGraph`, symbol lookup |
-| `src/runtime/kernel/mock.test.ts` | `mock.ts` — test-mode mock dispatch |
-| `src/runtime/kernel/node-test-runner.test.ts` | `node-test-runner.ts` — e.g. `buildRuntimeGraph` once per test file (see [Testing](testing.md)) |
-| `src/runtime/kernel/node-workflow-runtime.artifacts.test.ts` | `node-workflow-runtime.ts` — step `.out` / artifact behavior with mocked prompt |
-| `src/runtime/kernel/prompt.test.ts` | `prompt.ts` — kernel prompt execution and mocks |
-| `src/runtime/kernel/schema.test.ts` | `schema.ts` — prompt schema validation |
-| `src/runtime/kernel/seq-alloc.test.ts` | `seq-alloc.ts` — `.seq` atomic allocation |
-| `src/runtime/kernel/stream-parser.test.ts` | `stream-parser.ts` — streaming JSON from agents |
-| `src/runtime/kernel/workflow-launch.test.ts` | `workflow-launch.ts` — `buildRunModuleLaunch` argv (Node runner) |
-| `src/transpile/compiler-edge.acceptance.test.ts` | Cross-module — validation, resolution, multi-file builds |
-| `src/transpile/compiler-golden.test.ts` | `transpiler.ts`, `emit-script.ts`, parser — golden cases and corpus |
-| `src/transpile/emit-script.test.ts` | `emit-script.ts` — `normalizeShellLocalExport`, `resolveShellRefs` |
-| `src/transpile/validate-managed-calls.test.ts` | `validate.ts` — `E_VALIDATE` (e.g. disallowed constructs) |
-| `src/transpile/validate-run-async.test.ts` | Validation — `run async` restrictions |
-| `src/transpile/validate-string.test.ts` | `validate-string.ts` / `buildScripts` — string interpolation and related errors |
-
-When adding a new source module or extending an existing one, create or extend the corresponding `*.test.ts` file in the same directory. This keeps tests discoverable — given a source file, the test file is always a sibling.
-
-For details on kernel module internals (`emit.ts`, `seq-alloc.ts`, `run-step-exec.ts`, `node-test-runner.ts`), the compile pipeline, and validation contracts, see [Architecture](architecture).
+**Grouping (use the `find` output as authoritative after refactors):**
+
+| Area | Typical location | What it usually covers |
+|------|------------------|------------------------|
+| Parser and tokenizer helpers | `src/parse/*.test.ts`, `src/parse/dedent.test.ts` | `.jh` / `.test.jh` surface: imports, config, steps, strings, channels, fences, `run async`, … |
+| CLI and terminal UX | `src/cli/**/*.test.ts` | Commands, `jaiph run` lifecycle, progress, hooks, `resolve-env` |
+| Transpiler and validation | `src/transpile/*.test.ts` + `*.acceptance.test.ts` | `validateReferences`, `emit`, golden compiler (`compiler-golden.test.ts`), cross-module edge cases (`compiler-edge.acceptance.test.ts`) |
+| Formatter | `src/format/*.test.ts` | `jaiph format` |
+| Runtime and Docker | `src/runtime/kernel/*.test.ts`, `src/runtime/docker.test.ts` | Graph, emit, prompts, test runner, workflow launch, `docker` helper |
+| Standalone root tests | e.g. `src/inline-script-name.test.ts` | Small colocated cases that are not under a feature subtree |
+
+When adding a new source module or extending an existing one, create or extend the corresponding `*.test.ts` in the same directory. For kernel internals, the compile path, and artifact contracts, see [Architecture](architecture.md).
 
 ### Cross-cutting tests in `test/`
 
@@ -168,14 +155,16 @@ Shared test data (`test/fixtures/`, `test/expected/`) also remains in `test/`.
 
 ## CI pipeline
 
-The project uses GitHub Actions (`.github/workflows/ci.yml`). Every push triggers four jobs:
+The project uses GitHub Actions (`.github/workflows/ci.yml`). The workflow defines **six** jobs; on a typical feature-branch push, **five** of them run. The sixth — **Publish Docker runtime image** — runs only on pushes to **`nightly`** and on **`v*`** version tags, after the other jobs succeed. It builds and pushes `ghcr.io/jaiphlang/jaiph-runtime` (the default `runtime.docker_image` / `JAIPH_DOCKER_IMAGE` when Docker sandboxing is on; see **Docker runtime helper** in [Architecture](architecture.md#core-components)).
 
 | Job | Runner | Purpose |
 |-----|--------|---------|
+| **ShellCheck** | `ubuntu-latest` | Runs `shellcheck` on `runtime/overlay-run.sh` to lint the standalone shell script shipped in the npm package. |
 | **Compiler and unit tests** | `ubuntu-latest` | `npm test` (TypeScript unit + acceptance + golden tests), plus a `curl` check that the public install URL responds and a git-tag verification on `main`. |
-| **E2E install and CLI workflow** | `ubuntu-latest`, `macos-latest` (matrix) | `npm run test:e2e` — full build-and-run E2E suite on each OS. |
-| **Getting started (local)** | `ubuntu-latest` | Builds and serves the Jekyll documentation site locally (`bundle exec jekyll serve` on `127.0.0.1:4000`), waits for it to respond, smoke-checks key pages with `curl`, then runs the **Playwright landing-page sample verification** (`npx playwright test`). The Playwright step builds Jaiph, extracts sample source and expected output from the served HTML, verifies source parity with `examples/*.jh`, and runs deterministic samples through the CLI. No dependency on `jaiph.org`. |
-| **E2E install and CLI workflow (windows-latest + wsl)** | `windows-latest` | Detects an available WSL distro, installs Node inside it, and runs `npm run test:e2e` under WSL. Skipped when no distro is present on the runner image. |
+| **E2E install and CLI workflow** | Matrix: **`ubuntu-latest` twice** + **`macos-latest`** | `npm run test:e2e` — full build-and-run E2E suite. In **CI**, the **docker** matrix leg builds `jaiph-ci-runtime:local` from `runtime/Dockerfile` and sets **`JAIPH_DOCKER_IMAGE`** so the job does not pull the public GHCR image during the run. **Ubuntu — docker:** `JAIPH_UNSAFE` unset (container sandbox). **Ubuntu / macOS — host:** `JAIPH_UNSAFE=true` (no Docker; macOS does not run the docker leg). On a **developer machine**, with `JAIPH_UNSAFE` unset, the CLI still resolves the default image (typically `ghcr.io/jaiphlang/jaiph-runtime`) for Docker-backed runs — see `src/runtime/docker.ts` and [Architecture](architecture.md). |
+| **Getting started (local)** | `ubuntu-latest` | Serves the Jekyll site from `docs/` on `127.0.0.1:4000`, smoke-checks key routes with `curl`, builds the same local runtime image as E2E for any Docker-backed sample paths, installs Playwright (Chromium), and runs `npx playwright test` for landing-page samples. The Playwright step builds Jaiph, checks sample source against `examples/*.jh`, and runs deterministic samples through the CLI. No runtime dependency on `jaiph.org` for the site content. |
+| **E2E install and CLI workflow (windows-latest + wsl)** | `windows-latest` | Provisions or selects a WSL distro, installs Node inside it, and runs `npm run test:e2e` under WSL with **`JAIPH_UNSAFE=true`**. |
+| **Publish Docker runtime image** | `ubuntu-latest` | *Conditional (see above).* Multi-arch push to GHCR. |
 
 ### npm publish on tag (trusted publishing)
 
@@ -183,7 +172,7 @@ Pushing a version tag (`v*`) triggers `.github/workflows/release.yml`, which pub
 
 ### Local docs site (Jekyll)
 
-The **Getting started (local)** CI job validates that the documentation site under `docs/` can be built and served from source. It uses Ruby 3.2 with `bundler-cache`, runs `bundle exec jekyll serve --host 127.0.0.1 --port 4000` in the background, and polls `http://127.0.0.1:4000/` for up to 30 seconds before asserting HTTP 200 on `/`, `/getting-started`, `/setup`, `/libraries`, and `/artifacts`.
+The **Getting started (local)** CI job validates that the documentation site under `docs/` can be built and served from source. It uses Ruby 3.2 with `bundler-cache`, runs `bundle exec jekyll serve --host 127.0.0.1 --port 4000` in the background, and polls `http://127.0.0.1:4000/` for up to 30 seconds before asserting HTTP 200 on `/`, `/getting-started`, `/setup`, `/libraries`, and `/artifacts`. The same job also prepares Node, a local `jaiph-ci-runtime:local` image, Playwright Chromium, and (for samples that need them) external CLIs — see the `docs-local` job in `.github/workflows/ci.yml` for the exact package list, which can change.
 
 To run the same check locally:
 
@@ -237,9 +226,9 @@ E2E tests are the outermost **behavior contracts** for the CLI and runtime. Each
 - **Unbounded or variable-length logs** — e.g. `run_summary.jsonl` with platform-dependent event counts, or live step output where line count varies.
 - **Platform-dependent text** — e.g. OS-specific error messages, paths that differ across CI environments.
 
-**Normalization:** `e2e::normalize_output` (in `e2e/lib/common.sh`) strips ANSI codes and replaces timing values with `<time>`, agent commands with `<agent-command>`, and script paths with `<script-path>`. This keeps full-equality heredocs stable across machines.
+**Normalization:** `e2e::normalize_output` (in `e2e/lib/common.sh`) strips ANSI codes, replaces timing values with `<time>`, normalizes some CLI-specific strings (`<agent-command>`, `<script-path>`), and **sorts** a class of async progress lines (UTF-8 subscript markers) so strict equality stays stable when parallel branches finish in different orders. This keeps full-equality heredocs usable across machines.
 
-**Where files land on disk** (directory tree, sequence prefixes): [Architecture — Durable artifact layout](architecture#durable-artifact-layout). Runtime testing with `*.test.jh` is covered in [Testing](testing.md). The `run_summary.jsonl` event contract is exercised in `e2e/tests/88_run_summary_event_contract.sh`.
+**Where files land on disk** (directory tree, sequence prefixes): [Architecture — Durable artifact layout](architecture.md#durable-artifact-layout). Runtime testing with `*.test.jh` is covered in [Testing](testing.md). The `run_summary.jsonl` event contract is exercised in `e2e/tests/88_run_summary_event_contract.sh`.
 
 ### Test structure
 
@@ -262,7 +251,7 @@ e2e::section "Feature under test"
 e2e::file "hello.jh" <<'EOF'
 script hello_impl = `echo "hello-jh"`
 workflow default() {
-  msg = run hello_impl()
+  const msg = run hello_impl()
   return "${msg}"
 }
 EOF
@@ -322,7 +311,7 @@ All helpers are defined in `e2e/lib/common.sh`.
 
 #### Run artifact assertions
 
-After a workflow runs, its step outputs are written as sequenced artifact files under `.jaiph/runs/`. These helpers verify artifact content independently from CLI display output. For the on-disk layout and naming scheme, see [Architecture — Durable artifact layout](architecture#durable-artifact-layout).
+After a workflow runs, its step outputs are written as sequenced artifact files under `.jaiph/runs/`. These helpers verify artifact content independently from CLI display output. For the on-disk layout and naming scheme, see [Architecture — Durable artifact layout](architecture.md#durable-artifact-layout).
 
 | Helper | Description |
 |--------|-------------|
diff --git a/docs/getting-started.md b/docs/getting-started.md
index af7f8f63..6b923a82 100644
--- a/docs/getting-started.md
+++ b/docs/getting-started.md
@@ -5,9 +5,13 @@ redirect_from:
   - /getting-started.md
 ---
 
-# Getting Started
+# Getting started
 
-Jaiph is a composable scripting language and runtime for AI agent workflows. You write `.jh` files that combine prompts, rules, scripts, and workflows into executable pipelines.
+## Overview
+
+**Jaiph** is a workflow system for building agent-style pipelines. You write `.jh` sources (and optional `*.test.jh` test modules) that combine **prompts**, **rules**, **scripts**, and **workflows**. The project ships a **TypeScript CLI** and a **JavaScript kernel** under the Node workflow runtime: the same AST is **parsed and validated** at prepare time, **script** bodies are written as files under `scripts/`, and **execution** is direct AST interpretation in process—there is no separate workflow shell binary (see [Architecture](architecture.md) for boundaries, pipelines, and contracts such as `__JAIPH_EVENT__` and `.jaiph/runs/`).
+
+This page is a **map**: it does not teach syntax end-to-end; it points to install steps, language references, and runtime behavior.
 
 ## Setup
 
@@ -17,17 +21,18 @@ Jaiph is a composable scripting language and runtime for AI agent workflows. You
 ## Language
 
 - **[Language](language.md)** — Practical guide to rules, scripts, prompts, workflows, and imports, with patterns you can copy.
-- **[Inbox & Dispatch](inbox.md)** — Named channels and sends for routing work between workflows without tight coupling.
+- **[Inbox & Dispatch](inbox.md)** — Named channels and `send` for routing work between workflows without tight coupling.
 - **[Testing](testing.md)** — `*.test.jh` suites, mocks, and assertions for deterministic checks around workflows.
+- **[Spec: Async Handles](spec-async-handles.md)** — `Handle<T>` resolution, implicit join, and interaction with `run async`.
 - **[Grammar](grammar.md)** — Formal syntax, types, and step contracts for the whole surface area.
 
 ## Runtime
 
-- **[CLI](cli.md)** — `jaiph run`, `test`, `format`, `init`, `install`, `use`, flags, and environment variables.
+- **[CLI](cli.md)** — `jaiph run`, `test`, `compile`, `format`, `init`, `install`, `use`, flags, and environment variables.
 - **[Configuration](configuration.md)** — `config { }` blocks, agent backends, logging, and runtime options (including env overrides).
 - **[Runtime artifacts](artifacts.md)** — What Jaiph writes under `.jaiph/runs/` (per-step logs, JSONL timeline, inbox files) versus live progress on stderr.
 - **[Hooks](hooks.md)** — Project or user `hooks.json` to run shell commands on workflow and step lifecycle events.
-- **[Sandboxing](sandboxing.md)** — Optional Docker-backed isolation for agent and script steps (beta).
+- **[Sandboxing](sandboxing.md)** — Optional Docker-backed workflow isolation (beta; opt-in through `runtime.*` keys in module `config` and environment—see [Configuration](configuration.md)).
 
 ## Other
 
diff --git a/docs/grammar.md b/docs/grammar.md
index 68e10383..3ae513c4 100644
--- a/docs/grammar.md
+++ b/docs/grammar.md
@@ -7,12 +7,14 @@ redirect_from:
 
 # Jaiph Grammar
 
-Jaiph source files (`.jh`) combine a small orchestration language with shell execution. **Workflows** and **rules** express Jaiph steps — sequencing, failure handling (`catch`), value branching (`match`), prompts, channels. **Scripts** contain Bash (or another interpreter via shebang) and run as isolated subprocesses. The runtime interprets the AST directly; only script bodies are emitted as executable files. This page is the language reference. For system boundaries and event contracts, see [Architecture](architecture).
+Jaiph source files (`.jh`) combine a small orchestration language with shell execution. **Workflows** and **rules** express Jaiph steps — sequencing, failure handling (`catch`), value branching (`match`), prompts, channels. **Scripts** contain Bash (or another interpreter via shebang) and run as isolated subprocesses. The runtime interprets the AST directly; only script bodies are emitted as executable files. This page is the language reference. For system boundaries and event contracts, see [Architecture](architecture.md).
 
 **Scope:** Lexical rules, syntax, and runtime semantics for normal modules (`.jh`). Test files (`*.test.jh`) are described in [Testing](testing.md). CLI and configuration are covered in [CLI](cli.md) and [Configuration](configuration.md).
 
 **Source of truth:** When this document and the compiler disagree, treat the implementation as authoritative.
 
+**Compile vs. graph load:** The rules below are checked during **transpile-time validation** (`validateReferences` on each module) when the CLI runs `buildScripts` / `emitScriptsForModule` (and when you run `jaiph compile`). The runtime’s `buildRuntimeGraph` path **parses** imports only — it does not re-run that validation, though the runtime still enforces invariants and resolves references from the loaded graph. See [Architecture](architecture.md).
+
 ## Types
 
 Jaiph has two primitive value types — **string** and **script** — that are structurally distinct and non-interchangeable.
@@ -42,9 +44,9 @@ The compiler enforces these boundaries at every call site. Using a script where
 
 Jaiph enforces a strict boundary between orchestration and execution. Workflows and rules contain only Jaiph steps. Bash lives in `script` bodies.
 
-- **Workflows** — Named sequences of Jaiph steps: `ensure`, `run`, `prompt`, `const`, `fail`, `return`, `log`/`logerr`, inbox `send` (`channel <- …`), `match`, `if`, `run async`, `ensure … catch`, and `run … catch`. Any line that is not a recognized step is a parse error — extract bash to a `script` and call it with `run`.
+- **Workflows** — Named sequences of Jaiph steps: `ensure`, `run`, `prompt`, `const`, `fail`, `return`, `log`/`logerr`, inbox `send` (`channel <- …`), `match`, `if`, `run async`, `ensure … catch`, `run … catch`, and `run … recover`. Any line that is not a recognized step is a parse error — extract bash to a `script` and call it with `run`.
 
-- **Rules** — Named blocks of structured Jaiph steps: `ensure` (other rules), `run` (scripts only — not workflows), `const`, `match`, `if`, `fail`, `log`/`logerr`, `return "…"`, `ensure … catch`, `run … catch`. Rules cannot use `prompt`, inbox send/route, or `run async`.
+- **Rules** — Named blocks of structured Jaiph steps: `ensure` (other rules), `run` (scripts only — not workflows), `const`, `match`, `if`, `fail`, `log`/`logerr`, `return "…"`, `ensure … catch`, `run … catch`, and `run … recover`. Rules cannot use `prompt`, inbox `send` (or channel routing), or `run async`.
 
 - **Scripts** — Top-level `script` definitions emitted as separate executable files under the workspace `scripts/` directory. Called from workflows or rules with `run`. Bodies are opaque to the compiler — the parser does not check Jaiph keywords inside them. Use `echo`/`printf` for data output and `return N`/`return $?` for exit status. Jaiph interpolation (`${...}`) is forbidden in script bodies — use `$1`, `$2` positional arguments instead. Polyglot support: a fence lang tag (`` ```<tag> ``) maps to `#!/usr/bin/env <tag>` — any tag is valid (no hardcoded allowlist). Alternatively, a manual `#!` shebang as the first line of the body selects the interpreter; if both a fence tag and a `#!` first line are present, it is an error. Without either, `#!/usr/bin/env bash` is used. For trivial one-off commands, **inline scripts** (`` run `body`(args) `` or `` run ```lang...body...```(args) ``) let you embed a script body directly in a step without a named definition — see [`run` — Inline Scripts](#inline-scripts).
 
@@ -74,7 +76,7 @@ Imported symbols use **dot notation**: `alias.name`. A reference is either a bar
 
 ### Script Imports
 
-`import script "<path>" as <name>` imports an external script file and binds it to a local script symbol. The imported script behaves exactly like a locally declared `script` definition — callable with `run`, capturable with `const`, and subject to the same subprocess isolation rules.
+`import script "<path>" as <name>` imports an external script file and binds it to a local script symbol. The imported script behaves like a locally declared `script` definition: call it with `run name(args)`, capture stdout with `const x = run name(args)`, and treat it as a `script` value (not assignable to `const` by name alone).
 
 ```jaiph
 import script "./queue.py" as queue
@@ -122,7 +124,7 @@ world
 """
 ```
 
-Variables are accessible as `${name}` inside that module's rules and workflows. They are **not** passed to script subprocesses — use arguments or shared libraries instead. Declaration order matters: `${name}` in a value only expands variables already bound above. Names share the unified namespace with channels, rules, workflows, and scripts.
+Variables are accessible as `${name}` inside that module's rules and workflows. They are **not** passed to script subprocesses — use arguments or shared libraries instead. Declaration order matters: `${name}` in a value only expands variables already bound above. Names share the unified namespace with channels, rules, workflows, and scripts. All bindings are immutable — see [Immutable Bindings](#immutable-bindings).
 
 Top-level `local` is rejected — use `const`.
 
@@ -139,7 +141,7 @@ One channel per line. Channels are used with `send` (`<-`) inside workflows. Rou
 
 ## Definitions
 
-Rules and workflows use braces on the declaration line and **must include parentheses** — even when parameterless (e.g. `rule check()`, `workflow default()`). The parser rejects definitions without `()` before `{` with a fix hint. Call sites, in contrast, allow omitting parentheses when passing zero arguments (`run setup` = `run setup()`). Scripts use `=` with a backtick body (single-line) or fenced block (multi-line). Rules and workflows may declare **named parameters** inside the parentheses.
+Rules and workflows use braces on the declaration line and **must include parentheses** — even when parameterless (e.g. `rule check()`, `workflow default()`). The parser rejects definitions without `()` before `{` with a fix hint. **Call sites** also require parentheses for every `run` and `ensure` (including zero-argument calls: `run setup()`). Scripts use `=` with a backtick body (single-line) or fenced block (multi-line). Rules and workflows may declare **named parameters** inside the parentheses.
 
 ```jaiph
 rule check_status() { … }              # no params — () required
@@ -168,7 +170,7 @@ rule gate(path) {
 }
 ```
 
-Parameter names follow identifier rules (`[A-Za-z_][A-Za-z0-9_]*`), must not be reserved keywords, and must be unique within the parameter list. Empty parentheses `()` are required on **definitions** even when there are no parameters — omitting them is a parse error. At **call sites**, parentheses are optional for zero-arg calls.
+Parameter names follow identifier rules (`[A-Za-z_][A-Za-z0-9_]*`), must not be reserved keywords, and must be unique within the parameter list. Empty parentheses `()` are required on **definitions** even when there are no parameters — omitting them is a parse error. At **call sites**, parentheses are **always** required as well, including for zero-argument calls (`run setup()`, not `run setup`).
 
 At runtime, named parameters are the only way to access arguments: if `workflow implement(task, role)` is called with `run implement("build docs", "writer")`, then `${task}` = `"build docs"` and `${role}` = `"writer"`.
 
@@ -195,6 +197,33 @@ This rule applies to all call sites: `run`, `ensure`, `return run`/`return ensur
 
 Bare identifiers must reference a known variable (`const`, capture, or named parameter). Unknown names produce an `E_VALIDATE` error at compile time. Jaiph keywords (`run`, `ensure`, `const`, etc.) cannot be used as bare identifier arguments.
 
+### Nested Managed Calls in Arguments
+
+Call arguments can contain **explicit nested managed calls** using `run` or `ensure`. The nested call executes first and its result is passed as a single argument to the outer call. This is a deliberate language rule: managed execution must always be explicit — scripts and workflows execute only via `run`, rules only via `ensure`, even inside argument lists.
+
+**Valid explicit forms:**
+
+```jaiph
+run mkdir_p_simple(run jaiph_tmp_dir())      # nested run
+run do_work(ensure check_ok())               # nested ensure
+run do_work(run `echo aaa`())                # nested inline script
+```
+
+**Invalid bare call-like forms** — rejected at compile time with actionable errors:
+
+```jaiph
+# run do_work(bar())           — E_VALIDATE: nested managed calls must be explicit
+# run do_work(rule_bar())      — E_VALIDATE: nested managed calls must be explicit
+# run do_work(`echo aaa`())    — E_VALIDATE: nested inline scripts must be explicit
+```
+
+The **capture-then-pass** form is always valid:
+
+```jaiph
+const x = run bar()
+run foo(x)
+```
+
 ### Arity Checking
 
 When the callee declares named parameters, the compiler validates that the number of arguments at the call site matches the number of declared parameters. A mismatch produces an `E_VALIDATE` error:
@@ -209,7 +238,7 @@ workflow default() {
 }
 ```
 
-Arity checking applies to all `run` and `ensure` call sites (steps, captures, `return run`/`return ensure`, and `send` RHS), including the bare form (`run ref` = zero arguments). When the callee has no declared parameters (legacy style), no arity check is performed — any number of arguments is accepted.
+Arity checking applies to all `run` and `ensure` call sites (steps, captures, `return run`/`return ensure`, and `send` RHS), including zero-argument calls written as `run ref()` (empty argument list). When the callee has no declared parameters (legacy style), no arity check is performed — any number of arguments is accepted.
 
 Arguments are available as `${paramName}` in orchestration strings (rules and workflows) and `$1`, `$2`, … in script bodies.
 
@@ -220,13 +249,14 @@ Arguments are available as `${paramName}` in orchestration strings (rules and wo
 In a **workflow**, `run` targets a workflow or script. In a **rule**, `run` targets a script only.
 
 ```jaiph
-run setup_env                          # bare form — same as run setup_env()
-run setup_env()                        # explicit parens — also valid
+run setup_env()
 run lib.build_project(task)
-result = run helper(arg)
-const output = run transform
+const result = run helper(arg)
+const output = run transform()
 ```
 
+Assignment-style capture without `const` (e.g. `result = run …`) is a parse error — use `const result = run …` only.
+
 Shell redirection or pipelines after `run` (`>`, `|`, `&`) are rejected — use a script for shell I/O.
 
 **Capture:** For a workflow callee, capture gets the explicit `return "…"` value. For a script callee, capture gets stdout.
@@ -284,23 +314,46 @@ date +%s
 - **Backtick** (single-line) inline scripts: Jaiph interpolation (`${...}`) is forbidden — use `$1`, `$2` positional arguments instead.
 - **Fenced block** (triple-backtick) inline scripts: `${...}` is passed through to the shell as standard shell parameter expansion.
 
-### `run async` — Concurrent Execution
+### `run async` — Concurrent Execution with Handles
 
-`run async ref(args)` starts a workflow or script concurrently. All pending async steps are implicitly joined before the enclosing workflow returns. If any fail, the workflow fails with an aggregated error.
+`run async ref(args)` starts a workflow or script concurrently and returns a **`Handle<T>`** immediately. `T` is the same return type the function would have under a synchronous `run`. The handle resolves to the eventual return value on first non-passthrough read.
 
 ```jaiph
 workflow default() {
   run async lib.task_a()
-  run async lib.task_b()
-  # both joined automatically before workflow returns
+  const h = run async lib.task_b()
+  # Reading h forces resolution — blocks until task_b completes
+  log "${h}"
+  # task_a is implicitly joined before workflow returns
 }
 ```
 
+**Resolution semantics:** A handle resolves on first non-passthrough read. Reads that force resolution: string interpolation (`"${h}"`), passing as argument to `run`, comparison/conditional (`if h == "ok"`), match subject, channel send. Passthrough (initial capture, re-assignment) does not force resolution. Once resolved, the handle is replaced by the resolved string value; subsequent reads return the cached value.
+
+**Implicit join:** When a workflow scope exits, all remaining unresolved handles created in that scope are implicitly joined. This is not an error.
+
+**`recover` and `catch` composition:** Both `recover` (retry loop) and `catch` (single-shot) work with `run async`:
+
+```jaiph
+run async foo() recover(err) {
+  log "repairing: ${err}"
+  run fix_it()
+}
+
+run async bar() catch(e) {
+  log "caught: ${e}"
+}
+```
+
+`recover` uses the same retry-limit semantics as non-async `recover` (default 10, configurable via `run.recover_limit`).
+
 In the progress tree, each async branch is prefixed with a subscript number (₁₂₃…) assigned in dispatch order. Nested `run async` inside a child workflow gets its own numbering scope at the child's indent level. See [CLI — Async branch numbering](cli.md#run-progress-and-tree-output) for display details.
 
+See [Spec: Async Handles](spec-async-handles.md) for the full value model.
+
 Constraints:
 - Workflow-only — rejected in rules with `E_VALIDATE`.
-- Capture is not supported: `name = run async …` is `E_PARSE`.
+- Inline scripts not supported with `run async`.
 - For concurrent bash (pipelines, `&`), put the bash in a script and call with `run`.
 
 ### `ensure` — Execute a Rule
@@ -308,11 +361,12 @@ Constraints:
 `ensure` runs a rule and succeeds if its exit code is 0.
 
 ```jaiph
-ensure check_deps                      # bare form — same as ensure check_deps()
-ensure check_deps()                    # explicit parens — also valid
-result = ensure lib.validate(input)
+ensure check_deps()
+const result = ensure lib.validate(input)
 ```
 
+Use `ensure ref()` with parentheses even when there are no arguments.
+
 ### `ensure … catch` — Failure Recovery
 
 When `ensure` includes a `catch` clause, a failure in the rule triggers the recovery body **once**. There is no retry loop — the rule runs, and if it fails, the recovery body executes a single time.
@@ -365,6 +419,46 @@ Syntax rules:
 - All call arguments must appear inside the parentheses **before** `catch`.
 - `catch` must be followed by at least one recovery step after the bindings.
 
+### `run … recover` — Repair-and-Retry Loop
+
+`recover` adds loop semantics to a `run` step. Unlike `catch` (which runs the recovery body once and stops), `recover` retries the target after each repair attempt until it succeeds or the retry limit is exhausted.
+
+```jaiph
+# Single-statement recover
+run deploy() recover(err) run fix_deploy()
+
+# Block recover
+run deploy(env) recover(err) {
+  log "Deploy failed: ${err}"
+  run auto_repair(env)
+}
+```
+
+**Loop behavior:**
+
+1. Execute the `run` target.
+2. If it succeeds, continue (the `recover` body never runs).
+3. If it fails, bind merged stdout+stderr to the binding (e.g. `err`), execute the repair body, then go to step 1.
+4. If the retry limit is reached and the target still fails, the step fails with the last error.
+
+**Retry limit:** Default is **10**. Override per-module with `run.recover_limit`:
+
+```jaiph
+config {
+  run.recover_limit = 3
+}
+```
+
+**Bindings** follow the same rules as `catch`:
+- Exactly one binding is required. The binding receives merged stdout+stderr from the failed execution.
+
+Syntax rules:
+- `recover` must be followed by `(<name>)` — bare `recover` or `recover {` without bindings is `E_PARSE`.
+- All call arguments must appear inside the parentheses **before** `recover`.
+- `recover` must be followed by at least one recovery step after the bindings.
+- `recover` and `catch` are mutually exclusive on the same `run` step.
+- `recover` is not supported on `ensure` steps. `recover` works with `run async` — see [`run async`](#run-async--concurrent-execution-with-handles).
+
 ### `prompt` — Agent Interaction
 
 Sends text to the configured agent backend. The prompt body can be supplied in three forms: a single-line string literal, a bare identifier referencing an existing binding, or a triple-quoted multiline block.
@@ -378,7 +472,7 @@ prompt "Review the following code for security issues"
 answer = prompt "Summarize the report"
 ```
 
-If a `"` string has no closing quote on the same line, the parser rejects it with: `multiline prompt strings are no longer supported; use a triple-quoted block instead`.
+If a `"` string has no closing quote on the same line, the parser rejects it — multiline prompt text must use a triple-quoted block (`prompt """..."""`).
 
 **2. Identifier reference**
 
@@ -430,7 +524,7 @@ Prompts are not allowed in rules.
 
 ### `const` — Variable Binding
 
-`const name = <rhs>` introduces a variable in the workflow or rule body.
+`const name = <rhs>` introduces an **immutable** variable in the workflow or rule body. The name must not collide with a parameter, an earlier `const`, a capture, or a `script` name in the same scope — see [Immutable Bindings](#immutable-bindings).
 
 ```jaiph
 const tag = "v1.0"
@@ -452,6 +546,7 @@ RHS forms: value expressions (`${var}`, quoted strings, triple-quoted `"""..."""
 Restrictions on const RHS: `$(…)`, `${var:-fallback}`, `${var%%…}`, `${var//…}`, and `${#var}` are all rejected.
 
 ### `send` — Channel Messages
+{: #send--channel-messages}
 
 ```jaiph
 alerts <- "Build started"
@@ -464,9 +559,10 @@ alerts <- """
 """
 ```
 
-RHS must be a double-quoted literal, a triple-quoted `"""..."""` multiline block, `${var}`, or `run ref(args)`. An explicit payload is always required — bare `channel <-` without a value is `E_PARSE`. Arbitrary shell on the RHS is `E_PARSE`.
+RHS must be a double-quoted literal, a triple-quoted `"""..."""` multiline block, `$name` or `${…}`, or `run ref(args)` with **parentheses** (same rule as other call sites). An explicit payload is always required — bare `channel <-` without a value is `E_PARSE`. A bare `ref`-shaped word on the RHS (without `run` and `()`) is rejected at **validation** for real workflow, rule, or script names — you must use `run ref(args)` or a string. If `run` is present but the reference has no parentheses, the line does not parse as a `run` send RHS; write `channel <- run target()` instead.
 
 ### Channel Routing
+{: #channel-routing}
 
 Routes are declared at the top level on `channel` declarations, not inside workflow bodies:
 
@@ -492,10 +588,12 @@ log """
 """
 ```
 
-`log` writes to stdout; `logerr` writes to stderr (shown with a red `!` marker in the progress tree). Both accept single-line `"..."` strings, triple-quoted `"""..."""` multiline blocks, or bare identifiers. `${identifier}` interpolation works in all forms. At runtime, backslash escapes in the final string are interpreted (`\n` → newline).
+`log` writes to stdout; `logerr` writes to stderr (shown with a red `!` marker in the progress tree). Both accept single-line `"..."` strings, triple-quoted `"""..."""` multiline blocks, bare identifiers, or **managed inline-script calls** (`log run \`…\`(args)`). `${identifier}` interpolation works in string forms. At runtime, backslash escapes in the final string are interpreted (`\n` → newline).
 
 **Bare identifier form:** When `log` or `logerr` is followed by a single bare identifier (no quotes), it expands to `"${identifier}"` — the variable's value is logged. The identifier must reference a known binding (`const`, capture, or named parameter).
 
+**Managed inline-script form:** `log run \`script\`(args)` and `logerr run \`script\`(args)` execute the inline script and log its stdout. The `run` keyword is required — bare inline scripts (`log \`…\`()`, `logerr \`…\`()`) are rejected at compile time with a clear error.
+
 ### `fail`
 
 ```jaiph
@@ -514,16 +612,24 @@ Aborts the workflow or rule with a message on stderr and non-zero exit. Accepts
 ```jaiph
 return "success"
 return "${result}"
+return response                        # bare identifier — sugar for return "${response}"
 return """
   Report for ${name}:
   Status: ${status}
 """
-return run helper                      # bare form — same as return run helper()
 return run helper()
 return ensure check(input)
+return run `cat report.txt`()          # inline script — runs and returns stdout
+return run `echo $1`("arg")            # inline script with arguments
 ```
 
-Sets the managed return value in rules and workflows. The value can be a single-line `"..."` string, a triple-quoted `"""..."""` multiline block, a variable reference, or a **direct managed call** using `return run ref(args)` or `return ensure ref(args)`. A direct managed call executes the target and uses its result as the return value — equivalent to capturing into a variable and returning it, but without the boilerplate:
+Sets the managed return value in rules and workflows. The value can be a single-line `"..."` string, a triple-quoted `"""..."""` multiline block, a bare identifier, a variable reference, or a **direct managed call** using `return run ref(args)`, `return ensure ref(args)`, or `return run \`script\`(args)`.
+
+**Managed calls need parentheses:** `return run helper` (no `()`) is **not** parsed as a managed return — it becomes a **shell** `return` step. Use `return run helper()` and `return ensure check()` so the parser recognizes the managed form.
+
+**Bare identifier:** `return response` is sugar for `return "${response}"` — the identifier is resolved against the same scope rules used for `${ident}` interpolation (must be a `const`, capture, or parameter). An unknown identifier produces `E_VALIDATE` naming the missing binding, not a shell-step error. Both `return response` and `return "${response}"` remain valid and are equivalent.
+
+A direct managed call executes the target and uses its result as the return value — equivalent to capturing into a variable and returning it, but without the boilerplate:
 
 ```jaiph
 # Before: capture then return
@@ -536,6 +642,8 @@ return run helper()
 
 In workflows, `return run` targets a workflow or script; `return ensure` targets a rule. In rules, `return run` targets a script only; `return ensure` targets another rule. The same validation rules that apply to standalone `run`/`ensure` steps apply here — unknown refs, type mismatches, and shell redirection are all rejected at compile time.
 
+**Inline-script form:** `return run \`script\`(args)` executes the inline script and uses its stdout as the return value. The `run` keyword is required — bare inline scripts (`return \`…\`()`) are rejected at compile time with a clear error.
+
 A bare integer (`return 0`) or `return $?` is a bash exit code, not a Jaiph value return. `return "…"` is not allowed in script bodies — use `echo`/`printf`.
 
 ### `match`
@@ -554,21 +662,24 @@ Pattern match on a string value. The subject is always a **bare identifier** (va
 - **Regex** (`/err/`) — tested against the subject
 - **Wildcard** (`_`) — matches anything
 
-Exactly one `_` wildcard arm is required.
+Exactly one `_` wildcard arm is required. Arms are **newline-delimited** — commas between or after arms are rejected at parse time with the diagnostic `"commas are not allowed in match arms; use one arm per line"`.
 
 Using `$var` or `${var}` as the match subject is a parse error — use the bare name: `match varName { ... }`.
 
 **Arm bodies** — the expression after `=>` produces the match result. Allowed forms:
 
 - String literal: `"value"` or multiline `"""…"""`
+- Bare in-scope identifier: `name` (must be a `const`, capture, or named parameter)
 - Variable reference / interpolation: `$var`, `${var}`
 - `fail "message"` — aborts the workflow/rule
 - `run ref(args)` / `ensure ref(args)` — managed call whose result becomes the match value
 
-**Disallowed** — rejected at validate time with `E_VALIDATE`:
+**Disallowed** — rejected at parse/validate time:
 
+- Commas between or after arms (`"x" => "y",` or `"a" => "x", _ => "y"`) — arms are newline-delimited; use one arm per line
 - `return` inside an arm body (`"x" => return "y"`) — the match expression itself produces the value; use `return match x { … }` at the outer level instead
 - Inline script forms (backtick `` `…`() ``) — use a named script with `run script_name(…)`
+- Bare unknown identifiers (`_ => true`, `_ => blorp`) — a bare word that is not an in-scope variable (`const`, capture, or parameter) is rejected with `E_VALIDATE`: `unknown identifier "…" in match arm body`
 
 **Multiline arm bodies** use triple-quoted strings:
 
@@ -609,6 +720,32 @@ const answer = prompt "Summarize the report"
 const reply = prompt myVar
 ```
 
+### Immutable Bindings
+
+All Jaiph bindings are immutable. Once a name is bound — whether by a parameter declaration, a `const` statement, a capture, or a `script` definition — it cannot be rebound in the same visible scope. The compiler enforces this during validation and rejects violations with `E_VALIDATE`.
+
+**Rejected patterns:**
+
+| Pattern | Error |
+|---|---|
+| `workflow w(x) { const x = … }` | parameter `x` cannot be rebound by `const` |
+| `const x = "a"` then `const x = "b"` | duplicate `const` in same scope |
+| `script foo = \`…\`` with param/const `foo` in scope | `script` name collides with immutable binding |
+
+The diagnostic names the conflicting binding and where it was first bound:
+
+```
+E_VALIDATE: cannot rebind immutable name "x"; already bound as parameter at file.jh:1
+```
+
+**Migration:** Code that previously shadowed a parameter with a `const` of the same name (e.g. `workflow w(input) { const input = ensure validate(input) }`) must rename either the parameter or the `const`:
+
+```jaiph
+workflow w(raw_input) {
+  const input = ensure validate(raw_input)
+}
+```
+
 ## Scripts
 
 ### Bash Scripts (single-line)
@@ -645,7 +782,9 @@ script analyze = ```python3
 import sys
 print(f"Analyzing {sys.argv[1]}")
 ```
+```
 
+```jaiph
 script transform = ```node
 const data = process.argv[2];
 console.log(JSON.stringify({ result: data }));
@@ -732,7 +871,7 @@ Every step produces three distinct outputs — status, value, and logs:
 | `prompt` | prompt exit code | final assistant answer | transcript to artifacts |
 | `log` / `logerr` | always 0 | empty | event + stdout/stderr |
 | `fail` | non-zero (abort) | empty | message to stderr |
-| `run async` | aggregated | not supported (capture rejected) | async step logs to artifacts |
+| `run async` | aggregated | `Handle<T>` — resolves to return value on read | async step logs to artifacts |
 | `const` | same as RHS step | empty (binds local) | n/a |
 
 Key rules:
@@ -765,8 +904,9 @@ config_block    = "config" "{" { config_line } "}" ;
 config_line     = config_key "=" config_value ;
 config_key      = "agent.default_model" | "agent.command" | "agent.backend" | "agent.trusted_workspace"
                 | "agent.cursor_flags" | "agent.claude_flags" | "run.logs_dir" | "run.debug"
-                | "run.inbox_parallel" | "runtime.docker_enabled" | "runtime.docker_image" | "runtime.docker_network"
-                | "runtime.docker_timeout" | "runtime.workspace" ;
+                | "run.inbox_parallel" | "run.recover_limit" | "runtime.docker_image" | "runtime.docker_network"
+                | "runtime.docker_timeout_seconds"
+                | "module.name" | "module.version" | "module.description" ;
 config_value    = string | "true" | "false" | integer | string_array ;
 integer         = digit { digit } ;
 string_array    = "[" { array_element } "]" ;
@@ -797,9 +937,9 @@ workflow_decl   = [ "export" ] "workflow" IDENT [ "(" param_list ")" ] "{" [ wor
 param_list      = IDENT { "," IDENT } ;  (* identifiers; no duplicates; no reserved keywords *)
 workflow_config = config_block ;
   (* optional per-workflow override; must appear before steps;
-     only agent.* and run.* keys allowed; runtime.* yields E_PARSE *)
+     only agent.* and run.* keys allowed; runtime.* and module.* yield E_PARSE *)
 
-workflow_step   = ensure_stmt | run_stmt | run_catch_stmt | run_async_stmt | prompt_stmt | prompt_capture_stmt
+workflow_step   = ensure_stmt | run_stmt | run_catch_stmt | run_recover_stmt | run_async_stmt | prompt_stmt | prompt_capture_stmt
                 | const_decl_step | return_stmt
                 | fail_stmt | log_stmt | logerr_stmt | send_stmt
                 | match_stmt | if_stmt | comment_line ;
@@ -808,15 +948,19 @@ workflow_step   = ensure_stmt | run_stmt | run_catch_stmt | run_async_stmt | pro
 
 const_decl_step = "const" IDENT "=" const_rhs ;
 const_rhs       = double_quoted_string | triple_quoted_block | bash_value_expr
-                | "run" ( call_ref | inline_script ) | "ensure" call_ref
+                | "run" ( call_ref | inline_script ) | "run" "async" call_ref
+                | "ensure" call_ref
                 | "prompt" prompt_body [ returns_schema ]
                 | "match" IDENT "{" { match_arm } "}" ;
 
 fail_stmt       = "fail" ( double_quoted_string | triple_quoted_block ) ;
-run_async_stmt  = "run" "async" call_ref ;
+run_async_stmt  = "run" "async" call_ref [ "recover" recover_bindings recover_body ] [ "catch" catch_bindings catch_body ] ;
+run_async_capture = "const" IDENT "=" "run" "async" call_ref ;
 return_stmt     = "return" return_value ;
 return_value    = double_quoted_string | triple_quoted_block | "$" IDENT | "${" IDENT "}"
-                | "run" call_ref | "ensure" call_ref | "match" IDENT "{" { match_arm } "}" ;
+                | IDENT
+                | "run" ( call_ref | inline_script ) | "ensure" call_ref
+                | "match" IDENT "{" { match_arm } "}" ;
 
 match_stmt      = "match" IDENT "{" { match_arm } "}" ;
 match_expr      = "match" IDENT "{" { match_arm } "}" ;
@@ -824,23 +968,32 @@ match_expr      = "match" IDENT "{" { match_arm } "}" ;
 if_stmt         = "if" IDENT if_op if_operand "{" { workflow_step } "}" ;
 if_op           = "==" | "!=" | "=~" | "!~" ;
 if_operand      = double_quoted_string | "/" regex_source "/" ;
-match_arm       = match_pattern "=>" arm_body ;
+match_arm       = match_pattern "=>" arm_body NEWLINE ;
 match_pattern   = double_quoted_string | "/" regex_source "/" | "_" ;
 arm_body        = double_quoted_string | triple_quoted_block
+                | IDENT
                 | "$" IDENT | "${" IDENT "}"
                 | "fail" double_quoted_string
                 | "run" call_ref | "ensure" call_ref ;
 
 send_stmt       = IDENT "<-" send_rhs ;
-send_rhs        = double_quoted_string | triple_quoted_block | "${" IDENT "}" | "run" call_ref | REF ;
+send_rhs        = double_quoted_string | triple_quoted_block | "$" IDENT | "${" … "}" | "run" call_ref ;
+  (* ${…} is the braced var form (parser supports nesting); a bare ref-shaped token is parsed
+     as bare_ref but validate rejects it for local/imported workflow, rule, or script — use
+     a string, $name / ${…}, or "run" call_ref *)
 
-log_stmt        = "log" ( double_quoted_string | triple_quoted_block | IDENT ) ;
-logerr_stmt     = "logerr" ( double_quoted_string | triple_quoted_block | IDENT ) ;
+log_stmt        = "log" ( double_quoted_string | triple_quoted_block | IDENT | "run" inline_script ) ;
+logerr_stmt     = "logerr" ( double_quoted_string | triple_quoted_block | IDENT | "run" inline_script ) ;
 
 ensure_stmt     = "ensure" call_ref [ "catch" catch_bindings catch_body ] ;
 run_catch_stmt  = "run" call_ref "catch" catch_bindings catch_body ;
+run_recover_stmt = "run" call_ref "recover" recover_bindings recover_body ;
 run_stmt        = "run" ( call_ref | inline_script ) ;
 call_ref        = REF "(" [ call_args ] ")" ;  (* parentheses always required *)
+call_arg        = double_quoted_string | IDENT | "${" IDENT "}"
+                | "run" ( call_ref | inline_script )       (* explicit nested managed call *)
+                | "ensure" call_ref ;                      (* explicit nested ensure *)
+call_args       = call_arg { "," call_arg } ;
 inline_script   = backtick_script_body "(" [ call_args ] ")" | fenced_script_block "(" [ call_args ] ")" ;
 prompt_body     = double_quoted_string | IDENT | triple_quoted_block ;
 triple_quoted_block = "\"\"\"" newline { body_line newline } "\"\"\"" ;
@@ -849,7 +1002,9 @@ returns_schema  = "returns" double_quoted_string ;
 
 catch_bindings  = "(" IDENT ")" ;  (* failure payload *)
 catch_body      = single_workflow_stmt | "{" { workflow_step } "}" ;
-single_workflow_stmt = ensure_stmt | run_stmt | run_catch_stmt | prompt_stmt | prompt_capture_stmt
+recover_bindings = "(" IDENT ")" ;  (* failure payload — same as catch *)
+recover_body    = single_workflow_stmt | "{" { workflow_step } "}" ;
+single_workflow_stmt = ensure_stmt | run_stmt | run_catch_stmt | run_recover_stmt | prompt_stmt | prompt_capture_stmt
                 | const_decl_step
                 | return_stmt | fail_stmt | log_stmt | logerr_stmt
                 | send_stmt ;
@@ -861,7 +1016,7 @@ After parsing, the compiler validates references and config (`src/transpile/vali
 
 - **E_PARSE:** Invalid syntax — duplicate config, invalid keys/values, `$(…)` or `${var:-fallback}` in orchestration strings, `${...}` interpolation in script bodies, `prompt … returns` without capture, bare `ref(args)` in const RHS (use `run`/`ensure`/`prompt`), `local` at top level, unrecognized workflow/rule line, invalid send RHS, arguments after `catch`, bare `catch` with no recovery step, nested inline captures, shell redirection after `run`/`ensure`, invalid parameter names (non-identifier, duplicate, or reserved keyword), or missing `{` on definition line.
 - **E_SCHEMA:** Invalid `returns` schema — empty, non-flat, unsupported type (only `string`, `number`, `boolean`).
-- **E_VALIDATE:** Reference errors — unknown rule/workflow, duplicate alias, `ensure` on non-rule, `run` on rule, `run` to workflow inside rule, `run async` in rule, forbidden Jaiph usage inside `$(…)`, dot notation on non-prompt variable or invalid field name, bare identifier argument referencing an unknown variable, `${identifier}` in strings referencing an unknown variable, standalone `"${identifier}"` in call arguments (use bare identifier instead), arity mismatch (call-site argument count differs from callee's declared parameter count), **type crossing** — `prompt` with a script name (`scripts are not promptable`), `run` with a string const (`strings are not executable`), `const x = scriptName` (`scripts are not values`), `${scriptName}` interpolation (`scripts cannot be interpolated`).
+- **E_VALIDATE:** Reference errors — unknown rule/workflow, duplicate alias, `ensure` on non-rule, `run` on rule, `run` to workflow inside rule, `run async` in rule, forbidden Jaiph usage inside `$(…)`, dot notation on non-prompt variable or invalid field name, bare identifier argument referencing an unknown variable, `${identifier}` in strings referencing an unknown variable, standalone `"${identifier}"` in call arguments (use bare identifier instead), arity mismatch (call-site argument count differs from callee's declared parameter count), **bare nested managed calls** — `run foo(bar())` or `run foo(rule_bar())` without explicit `run`/`ensure` keyword, **bare nested inline script calls** — `run foo(\`echo aaa\`())` without explicit `run`, **type crossing** — `prompt` with a script name (`scripts are not promptable`), `run` with a string const (`strings are not executable`), `const x = scriptName` (`scripts are not values`), `${scriptName}` interpolation (`scripts cannot be interpolated`).
 - **E_IMPORT_NOT_FOUND:** Import target file does not exist.
 
 Validation rules:
@@ -872,9 +1027,10 @@ Validation rules:
 4. **Unified namespace:** channels, rules, workflows, scripts, script import aliases, and top-level `const` share one namespace per module.
 5. `ensure` must target a rule. `run` in a workflow targets a workflow or script. `run` in a rule targets a script only. These rules also apply to `return run` and `return ensure` forms.
 6. Channel references in `send` must resolve to declared channels. Route targets on channel declarations must be workflows with exactly 3 parameters. Route declarations inside workflow bodies are rejected at parse time.
-7. `ensure … catch` and `run … catch` argument ordering: all arguments inside parentheses before `catch`.
+7. `ensure … catch`, `run … catch`, and `run … recover` argument ordering: all arguments inside parentheses before `catch`/`recover`.
 8. Shell redirection (`>`, `|`, `&`) after `run`/`ensure` is rejected — use a script.
 9. **Type crossing:** `string` and `script` are non-interchangeable primitive types (see [Types](#types)). `prompt` rejects script names; `run` rejects string consts; assigning a script to a `const` or interpolating a script name with `${…}` is rejected. Each crossing produces an actionable `E_VALIDATE` message.
+10. **Explicit nested managed calls:** Bare call-like forms in argument position (`run foo(bar())`, `run foo(rule_bar())`) are rejected — add the missing `run` or `ensure` keyword. Bare inline script calls in arguments (`run foo(\`echo aaa\`())`) are also rejected — add `run`. Valid forms: `run foo(run bar())`, `run foo(ensure rule_bar())`, `run foo(run \`echo aaa\`())`.
 
 ## Build Artifacts {#build-artifacts}
 
@@ -890,7 +1046,8 @@ At runtime, the Node workflow runtime interprets the AST directly:
 - **Script isolation:** Managed subprocesses with only essential variables. Module-scoped variables not visible.
 - **Prompt + schema:** JSON extraction and schema validation via the JS kernel. Exit codes: 0=ok, 1=parse error, 2=missing field, 3=type mismatch.
 - **ensure/run … catch:** On failure, the recovery body runs **once**. There is no retry loop. Requires explicit bindings: `catch (failure) { … }`. The binding gets the merged stdout+stderr from the failed execution.
+- **run … recover:** Repair-and-retry loop. On failure, the binding gets merged stdout+stderr, the repair body runs, and the target is retried. Loop stops on success or when `run.recover_limit` (default 10) is exhausted. Requires explicit bindings: `recover(err) { … }`.
 - **Recursion safety:** There is a hard recursion depth limit of 256. Exceeding it produces a runtime error.
 - **Assignment capture:** Rules and workflows use explicit `return "…"`. Scripts use stdout.
-- **`run async`:** Promise-based concurrency. Implicit join via `Promise.allSettled` before workflow returns. Failures aggregated.
+- **`run async`:** Returns a `Handle<T>` value. Handle-based concurrency with implicit resolution on first non-passthrough read and implicit join of unresolved handles at workflow exit. `recover` and `catch` composition supported. Failures aggregated at join.
 - **Channels:** Messages enqueued via `send`, dispatched to route targets at workflow end. Each target must declare exactly 3 parameters; the runtime binds message, channel, and sender to the declared names.
diff --git a/docs/hooks.md b/docs/hooks.md
index ccd1a0a5..cf497b7f 100644
--- a/docs/hooks.md
+++ b/docs/hooks.md
@@ -9,9 +9,11 @@ redirect_from:
 
 Workflows often need **side effects** — notifications, structured logging, CI integration — but that logic does not belong in `.jh` sources. **Hooks** solve this: they are optional shell commands the CLI runs at fixed points in the run lifecycle, configured in a single `hooks.json` file rather than scattered across workflows.
 
-Under the hood, `jaiph run` follows a predictable path: prepare scripts, spawn the workflow runner (locally or in Docker), stream **`__JAIPH_EVENT__`** JSON lines from the runner’s stderr, then print PASS/FAIL. Hooks tap into that path. The CLI parses the same stderr events that drive the progress tree and builds a JSON payload for each hook command (see [Architecture — Runtime vs CLI responsibilities](architecture#runtime-vs-cli-responsibilities)). Hooks are **not** part of the Node workflow runtime; channel send/receive and inbox dispatch are separate mechanisms ([Inbox & Dispatch](inbox.md)).
+Under the hood, `jaiph run` follows a predictable path: prepare scripts, spawn the workflow runner (locally or in Docker), stream **`__JAIPH_EVENT__`** JSON lines from the runner’s stderr, then print PASS/FAIL. Hooks tap into that path. The CLI parses the same stderr events that drive the progress tree and builds a JSON payload for each hook command. Hooks live entirely in the **CLI** (they are not executed by `NodeWorkflowRuntime`); channels and inbox dispatch are runtime concerns. See [Architecture — Runtime vs CLI responsibilities](architecture.md#runtime-vs-cli-responsibilities) and [Architecture — Channels and hooks in context](architecture.md#channels-and-hooks-in-context).
 
-Hooks run only for **`jaiph run`** (including the `jaiph <file.jh>` shorthand) and are **not** triggered by `jaiph test`, `jaiph init`, or other commands. They work identically for local and Docker-backed runs.
+Hooks run only for normal **`jaiph run`** (including the `jaiph <file.jh>` shorthand). They are **not** triggered by `jaiph test`, `jaiph init`, `jaiph compile`, or other commands. **`jaiph run --raw`** also skips hooks (along with the banner, progress tree, and failure footer); that path exists so another process can consume stderr unchanged — for example the host CLI when Docker runs `jaiph run --raw` inside the container. See the **`--raw`** bullet under [CLI — `jaiph run`](cli.md#jaiph-run).
+
+For local runs, hooks use the same machine as the workflow. For **Docker-backed** runs, hook commands still execute on the **host** CLI process (not inside the container); see [Sandboxing — Runtime behavior](sandboxing.md#runtime-behavior).
 
 ## Config locations
 
@@ -26,12 +28,12 @@ Configuration uses **per-event override** precedence: if the project file lists
 
 ## Schema
 
-Each file is a single JSON object mapping **event names** to **arrays of shell commands**:
+Each file must be a single JSON **object** at the root (not an array) mapping **event names** to **arrays of shell commands**:
 
 - Keys must be supported event names (see [Supported events](#supported-events)). Unknown keys are ignored.
-- Values must be arrays. A non-array value for a known key is silently ignored.
-- Array elements must be non-empty strings (one shell command each). Empty strings and non-string elements are skipped.
-- Commands for an event are spawned concurrently in array order (see [Behavior](#behavior)).
+- Values must be arrays. A non-array value for a known key is treated as absent for that event.
+- Array elements must be non-empty strings (one shell command each). Empty strings and non-string elements are skipped. An array of only empty strings is normalized away, so that event falls back to the other config file per [Precedence](#precedence).
+- Commands for an event are all spawned without waiting for the previous hook to finish; spawn order follows the array order (see [Behavior](#behavior)).
 
 ```json
 {
@@ -48,7 +50,7 @@ An empty array (or omitting the key) means “no commands from this file for thi
 
 | Event | When it fires |
 |-------|---------------|
-| `workflow_start` | After `buildScripts` completes (parse, validation, script extraction) and **before** the CLI spawns the runner. Does not fire if compilation fails. |
+| `workflow_start` | After **`buildScripts`** completes (parse, **`validateReferences`**, script extraction to `scripts/`) and **before** the runner subprocess is spawned. Does not fire if compilation fails. |
 | `workflow_end` | After the runner subprocess exits (any status), **before** the CLI prints PASS/FAIL. |
 | `step_start` | When the CLI observes a step-start event on the runner's stderr stream. |
 | `step_end` | When the CLI observes a step-end event on that stream. |
@@ -63,7 +65,7 @@ Resolution happens **per event**, independently:
 - Project file omits `workflow_end` or uses an empty array — global `workflow_end` commands run (if any).
 - Overriding `step_end` in the project file has no effect on how `workflow_start` is resolved.
 
-There is no explicit “disable” mechanism. Omitting an event or using `[]` means “fall back to global.” To suppress a global hook for one project, override that event with a no-op: `”workflow_end”: [“true”]`.
+There is no explicit “disable” mechanism. Omitting an event or using `[]` means “fall back to global.” To suppress a global hook for one project, override that event with a no-op: `"workflow_end": ["true"]`.
 
 ## Payload
 
@@ -74,7 +76,7 @@ Each command receives a single JSON object on **stdin** (UTF-8). Parse it with `
 | Field | Present in | Description |
 |-------|------------|-------------|
 | `event` | all | Event name: `workflow_start`, `workflow_end`, `step_start`, or `step_end`. |
-| `workflow_id` | all | Runtime run id (`run_id` from `__JAIPH_EVENT__`). Empty string on `workflow_start`. For `workflow_end`, the first non-empty `run_id` the CLI observed (empty if never sent). |
+| `workflow_id` | all | Runtime run id (`run_id` from step events on the stderr stream). Empty on `workflow_start`. For `workflow_end`, the CLI reuses the first non-empty `run_id` it saw on a step event (empty if the runner never emitted one). `step_start` / `step_end` pass through the `run_id` from each event (usually the same value once the run is underway). |
 | `timestamp` | all | ISO 8601 timestamp (from the CLI or runtime event). |
 | `run_path` | all | Absolute path to the `.jh` file being run. |
 | `workspace` | all | Workspace root directory (same rules as [Config locations](#config-locations)). |
@@ -91,8 +93,8 @@ Each command receives a single JSON object on **stdin** (UTF-8). Parse it with `
 ### Payload by event
 
 - **`workflow_start`** — `event`, `workflow_id` (empty), `timestamp`, `run_path`, `workspace`.
-- **`step_start`** — adds `step_id`, `step_kind`, `step_name`.
-- **`step_end`** — adds `status`, `elapsed_ms`, and optionally `out_file` / `err_file`.
+- **`step_start`** — `workflow_id`, `timestamp`, `run_path`, `workspace`, plus `step_id`, `step_kind`, `step_name`.
+- **`step_end`** — same base fields as `step_start`, plus `status`, `elapsed_ms`, and optionally `out_file` / `err_file`.
 - **`workflow_end`** — `event`, `workflow_id`, `status`, `elapsed_ms`, `timestamp`, `run_path`, `workspace`, and optionally `run_dir` / `summary_file`.
 
 Example payload (`step_end`):
@@ -116,14 +118,16 @@ Example payload (`step_end`):
 
 ## Behavior
 
-- **Shell:** Each command runs as `sh -c ‘<command>’` (POSIX `sh`).
-- **Concurrency:** All commands for a single event are spawned concurrently (no waiting between them). Events themselves follow run order — step events fire before `workflow_end`.
-- **Best-effort:** Hook failures never change the CLI exit code. Non-zero exits or spawn errors produce a `jaiph hooks: ...` line on stderr; the workflow continues normally.
-- **I/O:** Hook stdout is discarded. Hook stderr is forwarded to the CLI’s stderr.
-- **Environment:** Hooks inherit the same environment as the `jaiph run` process.
-- **Working directory:** Hooks run in the directory where `jaiph run` was invoked, **not** the workspace root. To write relative to the project, read the `workspace` field from stdin (see [Examples](#examples)).
+- **Shell:** Each command runs as `sh -c '<command>'` (POSIX `sh` on the **`PATH`** of the `jaiph run` process).
+- **Concurrency:** All commands for a single event are started in sequence without awaiting completion, so they overlap in wall time. Lifecycle order is still respected: `workflow_start`, then step hooks as events arrive, then `workflow_end` before PASS/FAIL.
+- **Best-effort:** Hook failures never change the CLI exit code. Non-zero exits or spawn errors produce a `jaiph hooks: ...` line on stderr; the workflow result is unchanged.
+- **I/O:** Hook stdout is discarded. Hook stderr is forwarded to the CLI’s stderr. The JSON payload is written once to each hook’s stdin (`utf8`); if the process exits before reading stdin, delivery is best-effort and may log an error.
+- **Environment:** Hooks receive a shallow copy of the parent process environment (same keys and values as `jaiph run` at spawn time).
+- **Working directory:** Hooks run with the **current working directory** of the `jaiph run` process (often the directory you launched the CLI from), **not** necessarily the workspace root. To write paths under the project, read the `workspace` field from stdin (see [Examples](#examples)).
 - **Invalid config:** Missing files are silently skipped. If a file exists but fails `JSON.parse` or is not a JSON object, the CLI prints a warning on stderr and ignores that file. Bad per-event values (non-array, empty strings) are skipped without rejecting the rest of the file.
 
+Payload shapes for tooling are also declared in TypeScript as **`HookPayload`** / **`HookEventName`** in `src/types.ts`.
+
 ## Examples
 
 **Global `~/.jaiph/hooks.json` — POST the workflow-end payload to an HTTP endpoint:**
diff --git a/docs/inbox.md b/docs/inbox.md
index c2349f90..ac762d96 100644
--- a/docs/inbox.md
+++ b/docs/inbox.md
@@ -7,16 +7,27 @@ redirect_from:
 
 # Inbox & Dispatch
 
-Multi-step automation often splits work across workflows: one stage produces a
-result, another should run only after that result exists. Instead of gluing
-stages together with temporary files and shell scripts, Jaiph provides a
-first-class **inbox** — a logical channel between workflows with no external
-message broker. One workflow **sends** a message (`<-`); another is
-**dispatched** when the orchestrator drains the queue (`->`). The runtime owns
-routing and ordering.
-
-The Node workflow runtime (`NodeWorkflowRuntime`) keeps an **in-memory** queue
-and route map per entered workflow. Each send also writes a durable copy to
+## Overview
+
+Pipelines often split work across **workflows** that hand off a payload: one
+stage produces output, a later stage reacts to it. A generic way to do that
+without a separate broker is an **in-module channel**: a named queue the
+runtime can drain after a caller finishes its steps, driving receiver workflows
+in order.
+
+**Jaiph’s model** is a small orchestration feature on top of that idea: a
+`channel` is declared with optional `->` routes to **workflow** targets; a send
+uses `<-` to enqueue a string payload. `NodeWorkflowRuntime` keeps the queue
+and route map in memory, writes a matching file under the run for audit, and
+**dispatches** targets when the **entry** workflow’s step list completes (plus
+any implicit `run async` join) — not when a separate `->` “fires”; the `->`
+in source code is **static routing** on the channel line, not a runtime
+operator.
+
+`NodeWorkflowRuntime` attaches an **in-memory** queue and route map to each
+**`WorkflowContext`** (one per `run`/`inbox` nesting level; channel-level
+`->` rows populate the map **only** on the entry context — see
+[Who registers routes and who drains](#who-registers-routes-and-who-drains)). Each send also writes a durable copy to
 `inbox/NNN-<channel>.txt` under the run directory for audit and reporting —
 channel transport is queue-based, not filesystem-driven. There are no directory
 watchers, no polling loops, and no third-party brokers.
@@ -54,6 +65,10 @@ channel name, and sender bound to its declared parameters `message`, `chan`, and
   `JAIPH_INBOX_PARALLEL=true` (see [Parallel dispatch](#parallel-dispatch)).
 - **Inbox is scoped per run.** Message files live under that run's **`inbox/`**
   directory; they are not a separate mailbox outside `.jaiph/runs`.
+- **Channels are compile-checked.** Unknown channels, bad route targets, and
+  invalid `send` RHS forms are `E_PARSE` / `E_VALIDATE` from
+  `validateReferences` in the build path; **`buildRuntimeGraph()`** only parses
+  modules and does not repeat that pass (see [Architecture — Summary](architecture.md#summary)).
 
 ## Syntax
 
@@ -95,11 +110,14 @@ Valid RHS forms:
 | RHS form | Example | Behavior |
 |---|---|---|
 | Double-quoted literal | `findings <- "## results"` | Interpolated string |
-| Variable expansion | `findings <- ${var}` | Value of the variable |
+| Triple-quoted block | `findings <- """line1\n  ${x}"""` | Multiline string; margin rules match other `"""` steps (see [Grammar](grammar.md#send--channel-messages)) |
+| Variable expansion | `findings <- ${var}` or `$name` | Value of the variable |
 | `run` capture | `findings <- run build_msg()` | Return value or trimmed stdout of the workflow/script |
 
-The RHS does **not** accept raw shell commands — see
-[Grammar — Managed calls vs command substitution](grammar.md#managed-calls-vs-command-substitution).
+The RHS does **not** accept raw shell commands or bare workflow/rule/script
+names (use a string, `$` / `${…}`, or `run ref(…)` — see
+[Grammar — `send`](grammar.md#send--channel-messages) and
+[Grammar — `channel` routing](grammar.md#channel-routing)).
 
 ```jh
 channel findings
@@ -109,14 +127,16 @@ workflow researcher() {
 }
 ```
 
-An explicit RHS is always required — bare `channel <-` (forward syntax) is no longer supported.
+An explicit RHS is always required — bare `channel <-` (without a value) is invalid.
 
 The `<-` operator is only recognized when it appears outside of quoted strings
 on the surrounding line so channel names and literals are not misread as send
 syntax.
 
-Send and route parsing rules are specified in
-[Grammar — Parse and runtime semantics](grammar.md#parse-and-runtime-semantics).
+Send and route syntax, plus compile-time checks, are summarized under
+[Grammar — `send`](grammar.md#send--channel-messages) and
+[Grammar — `channel` routing](grammar.md#channel-routing); the EBNF and
+validation list live at the end of [Grammar](grammar.md#validation-rules).
 
 ### Route declaration: `channel <name> -> <workflow>`
 
@@ -130,9 +150,13 @@ Targets must be **workflows** (local or imported as `alias.name`). **Rules**
 and **scripts** are not valid route targets — the compiler uses workflow-only
 reference checks, so a bad target is **`E_VALIDATE`** with messages such as
 `unknown local workflow reference "…"`, `imported workflow "…" does not exist`,
-`rule "…" must be called with ensure`, or `script "…" cannot be called with run`.
-A name that is not a valid `alias.name` / `name` pattern fails at parse time as
-**`E_PARSE`** `invalid workflow reference in channel route: "…"`.
+`rule "…" must be called with ensure`, or `script "…" cannot be called with run`
+(see [Grammar — `channel` routing](grammar.md#channel-routing) for a short
+version of the same rules). A name that is not a valid
+`alias.name` / `name` pattern fails at parse time as **`E_PARSE`**
+`invalid workflow reference in channel route: "…"`. The wrong **parameter
+count** on a resolved workflow is
+`E_VALIDATE: inbox route target "…" must declare exactly 3 parameters (message, channel, sender), but declares N`.
 
 ```jh
 channel findings -> analyst
@@ -174,7 +198,7 @@ channel <- "${payload}"
 
 ## Inbox layout
 
-Under the run directory (see [Architecture — Durable artifact layout](architecture#durable-artifact-layout)):
+Under the run directory (see [Architecture — Durable artifact layout](architecture.md#durable-artifact-layout)):
 
 ```
 .jaiph/runs/<YYYY-MM-DD>/<HH-MM-SS>-<source-basename>/inbox/
@@ -327,8 +351,13 @@ their declared parameter names.
   from `jaiph run`, the line includes `channel`, `sender`, and
   `inbox_seq`. The full message body is always available on disk at
   `inbox/NNN-<channel>.txt`.
-- Workflows remain directly callable: `jaiph run analyst "some content" "findings" "researcher"`. When
-  called directly, the parameters are bound from CLI arguments.
+- **Calling a receiver with explicit args:** the CLI’s `jaiph run` only starts
+  the file’s `default` workflow; extra CLI arguments are passed to `default`
+  (see [CLI — `jaiph run`](cli.md#jaiph-run)). There is no `jaiph run
+  <name> <file> …` form. To hand `(message, channel, sender)` to a workflow
+  such as `analyst` outside of inbox dispatch, use a **`run` step** from another
+  workflow, e.g. `run analyst("…", "findings", "researcher")` (or
+  `test_run_workflow` in `*.test.jh`).
 
 ## Progress tree integration
 
diff --git a/docs/index.html b/docs/index.html
index 921f590d..8670e2d1 100644
--- a/docs/index.html
+++ b/docs/index.html
@@ -77,23 +77,26 @@ <h2>Try it out!</h2>
 
                 <div class="code-tab-panel is-active" data-panel="try-run-sample">
                     <pre><code class="language-bash static-highlight"><span class="code-line">curl -fsSL https://jaiph.org/run | bash -s '</span><span class="code-line"><span class="ralph-keyword">workflow</span> <span class="ralph-definition">default</span>() {</span><span class="code-line">  <span class="ralph-keyword">const</span> <span class="ralph-variable">response</span> <span class="ralph-operator">=</span> <span class="ralph-keyword">prompt</span> <span class="ralph-string">"Say: Hello, I am [model name]!"</span></span><span class="code-line">  <span class="ralph-keyword">log</span> response</span><span class="code-line">}'</span></code></pre>
-                    <p class="small">Installs Jaiph <strong>v0.9.2</strong> to <strong>~/.local/bin</strong> (if not
+                    <p class="small">Installs Jaiph <strong>v0.9.3</strong> to <strong>~/.local/bin</strong> (if not
                         already
-                        installed), and runs the sample workflow with <a href="https://cursor.com/docs/cli/installation" target="_blank" rel="noopener noreferrer">Cursor CLI</a> agent backend (the default one). See <a href="#samples">more samples</a>!</p>
-                    <p class="small warning">Jaiph is under heavy development. Core features and workflow syntax are stable since v0.8.0, but you may expect breaking changes before v1.0.0.</p>
+                        installed), and runs the sample workflow with <a href="https://cursor.com/docs/cli/installation"
+                            target="_blank" rel="noopener noreferrer">Cursor CLI</a> agent backend (the default one).
+                        See <a href="#samples">more samples</a>!</p>
+                    <p class="small warning">Jaiph is under heavy development. Core features and workflow syntax are
+                        stable since v0.8.0, but you may expect breaking changes before v1.0.0.</p>
                 </div>
 
                 <div class="code-tab-panel" data-panel="try-init-project">
                     <p class="small">Run the script below from the project directory:</p>
                     <pre><code class="language-bash">curl -fsSL https://jaiph.org/init | bash</code></pre>
-                    <p class="small">Installs Jaiph <strong>v0.9.2</strong> to <strong>~/.local/bin</strong> (if not
+                    <p class="small">Installs Jaiph <strong>v0.9.3</strong> to <strong>~/.local/bin</strong> (if not
                         already installed), and runs <code>jaiph init</code> to initialize the Jaiph workspace in the
                         current directory.</p>
                 </div>
 
                 <div class="code-tab-panel" data-panel="try-install-only">
                     <pre><code class="language-bash">curl -fsSL https://jaiph.org/install | bash</code></pre>
-                    <p class="small">The installer will install the version <strong>0.9.2</strong> of Jaiph to
+                    <p class="small">The installer will install the version <strong>0.9.3</strong> of Jaiph to
                         <strong>~/.local/bin</strong>. To switch versions, use <code>jaiph use nightly</code>
                         or <code>jaiph use &lt;version&gt;</code> to switch.
                     </p>
@@ -102,6 +105,17 @@ <h2>Try it out!</h2>
             </div>
         </section>
 
+        <section>
+            <h2>What is Jaiph?</h2>
+            <div class="card doc-content">
+                <p><strong>Jaiph</strong> is a language and runtime for defining and orchestrating AI agent workflows.
+                </p>
+                <p>It allows you to combine agentic workflows with strict checks and script calls. It comes with
+                    built-in Docker sandboxing for agentic workflows, and a set of tooling to make your development
+                    faster and more efficient.</p>
+            </div>
+        </section>
+
         <section>
             <h2>Why Jaiph?</h2>
             <div class="card doc-content">
@@ -114,10 +128,11 @@ <h3>Language</h3>
                         <p>Embed scripts in your favorite language</p>
                     </div>
                     <div class="comparison-col">
-                        <h3>Runtime</h3>
+                        <h3>Tooling</h3>
                         <p>Built-in Docker sandboxing</p>
                         <p>Built-in testing framework</p>
                         <p>Tracks and saves all agent responses</p>
+                        <p>Default formatter and VSCode plugin</p>
                     </div>
                     <div class="comparison-col">
                         <h3>Open Source</h3>
@@ -137,8 +152,7 @@ <h2 id="samples">Samples</h2>
                         data-target="say-hello-jh">say_hello.jh</button>
                     <button type="button" class="code-tab-button"
                         data-target="say-hello-test-jh">say_hello.test.jh</button>
-                    <button type="button" class="code-tab-button"
-                        data-target="recover-loop-jh">recover_loop.jh</button>
+                    <button type="button" class="code-tab-button" data-target="recover-loop-jh">recover_loop.jh</button>
                     <button type="button" class="code-tab-button"
                         data-target="inbox-pipeline-jh">agent_inbox.jh</button>
                     <button type="button" class="code-tab-button" data-target="async-jh">async.jh</button>
@@ -154,23 +168,18 @@ <h2 id="samples">Samples</h2>
                     </p>
                     <pre><code class="language-jaiph" data-sample-source>#!/usr/bin/env jaiph
 
-# scripts are defined in fenced blocks or single line backticks
-# by default it's bash, but it cany be any env: ```node, ```python3, etc.
-script validate_name = ```
-  if [ -z "$1" ]; then
-    echo "You didn't provide your name :(" >&2
-    exit 1
-  fi
-```
-
-# rules are always executed on readonly filesystem
-rule name_was_provided(name) {
-  run validate_name(name)
+# rules are executed on readonly filesystem
+rule valid_name(name_arg) {
+  return match name_arg {
+    /[A-Z][a-z]+/ =&gt; name_arg
+    "" =&gt; fail "You didn't provide your name :("
+    _ =&gt; fail "You provided an invalid name :("
+  }
 }
 
 # workflows are main unit of orchestration
-workflow default(name) {
-  ensure name_was_provided(name)
+workflow default(name_arg) {
+  const name = ensure valid_name(name_arg)
 
   # prompts call agents - cursor by default, but it's configurable
   const response = prompt """
@@ -178,33 +187,30 @@ <h2 id="samples">Samples</h2>
     Respond with a single line. Do not inspect files or run tools.
   """
 
-  log response
+  return response
 }</code></pre>
                     <p>Running the workflow:</p>
-                    <pre><code class="jaiph-run" data-sample-output="success"><span class="run-command">➜  ./say_hello.jh Jakub</span>
+                    <pre><code class="jaiph-run" data-sample-output="success"><span class="run-command">➜  ./say_hello.jh Adam</span>
 
-Jaiph: Running say_hello.jh
+Jaiph: Running say_hello.jh<span class="run-banner-meta"> (Docker sandbox, fusefs)</span>
 
-<span class="run-keyword">workflow</span> default <span class="run-params">(name="Jakub")</span>
-  <span class="run-marker">▸</span> <span class="run-keyword">rule</span> name_was_provided <span class="run-params">(name="Jakub")</span>
-  <span class="run-marker">·</span>   <span class="run-marker">▸</span> <span class="run-keyword">script</span> validate_name <span class="run-params">(1="Jakub")</span>
-  <span class="run-marker">·</span>   <span class="run-pass">✓</span> <span class="run-time">script validate_name (0s)</span>
-  <span class="run-pass">✓</span> <span class="run-time">rule name_was_provided (0s)</span>
-  <span class="run-marker">▸</span> <span class="run-keyword">prompt</span> cursor "Say hello to Jakub and p..." <span class="run-params">(name="Jakub")</span>
-  <span class="run-pass">✓</span> <span class="run-time">prompt cursor (3s)</span>
-  <span class="run-marker">ℹ</span> Hello Jakub — Czech conductor Jakub Hrůša has led major orchestras including the Bamberg Symphony and often appears at the BBC Proms.
+<span class="run-keyword">workflow</span> default <span class="run-params">(name_arg="Adam")</span>
+  <span class="run-marker">▸</span> <span class="run-keyword">rule</span> valid_name <span class="run-params">(name_arg="Adam")</span>
+  <span class="run-pass">✓</span> <span class="run-time">rule valid_name (0s)</span>
+  <span class="run-marker">▸</span> <span class="run-keyword">prompt</span> cursor "Say hello to ${name} and..." <span class="run-params">(name="Adam")</span>
+  <span class="run-pass">✓</span> <span class="run-time">prompt cursor (5s)</span>
 
-<span class="run-pass">✓ PASS</span> <span class="run-keyword">workflow</span> default <span class="run-time">(4.1s)</span></code></pre>
+<span class="run-pass">✓ PASS</span> <span class="run-keyword">workflow</span> default <span class="run-time">(5.1s)</span>
+
+Hello, Adam—Adam Smith, the 18th-century Scottish economist and philosopher, is often called the father of modern economics for his landmark work *The Wealth of Nations*.</code></pre>
                     <p>When you don't provide the name parameter, the workflow fails:</p>
                     <pre><code class="jaiph-run" data-sample-output="failure"><span class="run-command">➜  ./say_hello.jh</span>
 
-Jaiph: Running say_hello.jh
+Jaiph: Running say_hello.jh<span class="run-banner-meta"> (Docker sandbox, fusefs)</span>
 
 <span class="run-keyword">workflow</span> default
-  <span class="run-marker">▸</span> <span class="run-keyword">rule</span> name_was_provided
-  <span class="run-marker">·</span>   <span class="run-marker">▸</span> <span class="run-keyword">script</span> validate_name
-  <span class="run-marker">·</span>   <span class="run-fail">✗ script validate_name</span> <span class="run-time">(0s)</span>
-  <span class="run-fail">✗ rule name_was_provided</span> <span class="run-time">(0s)</span>
+  <span class="run-marker">▸</span> <span class="run-keyword">rule</span> valid_name
+  <span class="run-fail">✗ rule valid_name</span> <span class="run-time">(0s)</span>
 
 <span class="run-fail">✗ FAIL</span> <span class="run-keyword">workflow</span> default <span class="run-time">(0.4s)</span>
   Logs: &lt;path&gt;
@@ -237,6 +243,10 @@ <h2 id="samples">Samples</h2>
 
 import "say_hello.jh" as hello
 
+# We expect this test to fail due to mismatch in error message
+# between the prompt and the error message in the test file.
+# We use it to verify the test works and the error message output
+# is correct.
 test "without name, workflow fails with validation message" {
   # When
   const response = run hello.default() allow_failure
@@ -247,12 +257,17 @@ <h2 id="samples">Samples</h2>
 
 test "with name, returns greeting and logs response" {
   # Given
-  mock prompt "Hello Alice! Fun fact: Alice in Wonderland was written by Lewis Carroll."
+  const expected_response = "Hello Alice! Fun fact: Alice in Wonderland was written by Lewis Carroll."
+  mock prompt expected_response
 
   # When
-  run hello.default("Alice")
+  const response = run hello.default("Alice")
+
+  # Then
+  expect_equal response expected_response
 }</code></pre>
-                    <p>Example failing test run output (expected string omits the trailing <code>:(</code> from stderr):</p>
+                    <p>Example failing test run output (expected string omits the trailing <code>:(</code> from stderr):
+                    </p>
                     <pre><code class="jaiph-run" data-sample-output="failing-run"><span class="run-command">➜  ./say_hello.test.jh</span>
 testing say_hello.test.jh
   <span class="run-marker">▸</span> without name, workflow fails with validation message
@@ -269,62 +284,77 @@ <h2 id="samples">Samples</h2>
 
                 <div class="code-tab-panel" data-panel="recover-loop-jh" data-sample="recover-loop"
                     data-sample-file="recover_loop.jh">
-                    <p>The <code>ensure … catch</code> pattern checks a rule and, on failure,
-                        runs a recovery block. The <code>catch (failure)</code> binding captures
-                        the merged stdout+stderr from the failed check.
-                        Recovery runs <strong>once</strong> — for retries, the workflow calls itself
-                        recursively (<code>run default()</code>).</p>
+                    <p>The <code>run … recover</code> pattern is a first-class repair-and-retry loop.
+                        When the target fails, the <code>recover(failure)</code> body runs, then the
+                        target is retried automatically. The loop stops on success or when the retry
+                        limit (default 10, configurable via <code>run.recover_limit</code>) is
+                        exhausted. Below, an agent is asked to create the missing file so the next
+                        attempt at the same script call passes.</p>
                     <pre><code class="language-jaiph" data-sample-source>#!/usr/bin/env jaiph
 
-# Recursive recovery: when a check fails, prompt an agent to fix it,
-# then retry via run default(). Jaiph CI uses the same pattern to
-# auto-fix failing tests — see .jaiph/ensure_ci_passes.jh
-script check_report = `test -f report.txt`
-
-rule report_exists() {
-  run check_report()
-}
+# scripts are defined in fenced blocks or single line backticks
+# by default it's bash, but it can be any env: ```node, ```python3, etc.
+script check_report_exists = ```
+  test -f report.txt
+```
 
 workflow default() {
-  ensure report_exists() catch (failure) {
+  # Recovery in loop: when check_report_exists() fails, the recovery body
+  # is executed to fix it, and then check_report_exists() is retried.
+  # By default, the retry limit is 10.
+  run check_report_exists() recover(failure) {
+    logerr "Failed to check report.txt"
     prompt "report.txt is missing. Create it with a short dummy summary."
-    run default()
   }
+
+  # scripts can be also executed inline
+  return run `cat report.txt`()
 }</code></pre>
-                    <p>In the run below, <code>report_exists</code> fails once. The agent creates
-                        <code>report.txt</code>, and the recursive <code>run default()</code> retries
-                        successfully.
+                    <p>In the run below, <code>check_report_exists()</code> fails on the first
+                        attempt. The <code>recover</code> body logs the failure and prompts an agent
+                        to create <code>report.txt</code>; Jaiph then retries the script call which
+                        now succeeds. The inline-backtick <code>cat report.txt</code> script returns
+                        the file contents from the workflow, which Jaiph prints below the run tree.
                     </p>
                     <pre><code class="jaiph-run" data-sample-output="run"><span class="run-command">➜  ./recover_loop.jh</span>
 
-Jaiph: Running recover_loop.jh
+Jaiph: Running recover_loop.jh<span class="run-banner-meta"> (Docker sandbox, fusefs)</span>
 
 <span class="run-keyword">workflow</span> default
-  <span class="run-marker">▸</span> <span class="run-keyword">rule</span> report_exists
-  <span class="run-marker">·</span>   <span class="run-marker">▸</span> <span class="run-keyword">script</span> check_report
-  <span class="run-marker">·</span>   <span class="run-fail">✗ script check_report (0s)</span>
-  <span class="run-fail">✗ rule report_exists (0s)</span>
-  <span class="run-marker">▸</span> <span class="run-keyword">prompt</span> cursor "report.txt is missin..."
+  <span class="run-marker">▸</span> <span class="run-keyword">script</span> check_report_exists
+  <span class="run-fail">✗ script check_report_exists (0s)</span>
+  <span class="run-fail">! Failed to check report.txt</span>
+  <span class="run-marker">▸</span> <span class="run-keyword">prompt</span> cursor "report.txt is missing. C..."
   <span class="run-pass">✓</span> <span class="run-time">prompt cursor (5s)</span>
-  <span class="run-marker">▸</span> <span class="run-keyword">workflow</span> default
-  <span class="run-marker">·</span>   <span class="run-marker">▸</span> <span class="run-keyword">rule</span> report_exists
-  <span class="run-marker">·</span>   <span class="run-marker">·</span>   <span class="run-marker">▸</span> <span class="run-keyword">script</span> check_report
-  <span class="run-marker">·</span>   <span class="run-marker">·</span>   <span class="run-pass">✓</span> <span class="run-time">script check_report (0s)</span>
-  <span class="run-marker">·</span>   <span class="run-pass">✓</span> <span class="run-time">rule report_exists (0s)</span>
-  <span class="run-pass">✓</span> <span class="run-time">workflow default (0.1s)</span>
-
-<span class="run-pass">✓ PASS</span> <span class="run-keyword">workflow</span> default <span class="run-time">(5.5s)</span></code></pre>
-                    <p>Jaiph's own CI uses this same pattern to auto-fix failing tests — see
-                        <a href="https://github.com/jaiphlang/jaiph/blob/main/.jaiph/ensure_ci_passes.jh"><code>.jaiph/ensure_ci_passes.jh</code></a>.</p>
+  <span class="run-marker">▸</span> <span class="run-keyword">script</span> check_report_exists
+  <span class="run-pass">✓</span> <span class="run-time">script check_report_exists (0s)</span>
+  <span class="run-marker">▸</span> <span class="run-keyword">script</span> __inline_752d3a136cc9
+  <span class="run-pass">✓</span> <span class="run-time">script __inline_752d3a136cc9 (0s)</span>
+
+<span class="run-pass">✓ PASS</span> <span class="run-keyword">workflow</span> default <span class="run-time">(6.1s)</span>
+
+Summary
+-------
+
+This is a placeholder report. No build or test results were generated for
+this file; it exists only to satisfy tooling or documentation that expects
+`report.txt` to be present.
+
+- Status: OK (dummy)
+- Artifacts: none
+- Next steps: replace with a real report when you add automated reporting</code></pre>
+                    <p>For one-shot failure handling without retry, use <code>catch</code> instead. See
+                        <a href="/language#recover--repair-and-retry-loop">Language — recover</a>.
+                    </p>
                 </div>
 
                 <div class="code-tab-panel" data-panel="inbox-pipeline-jh" data-sample="agent-inbox"
                     data-sample-file="agent_inbox.jh">
-                    <p>The <strong>inbox</strong> system lets workflows communicate through named channels.
-                        A workflow sends a message with <code>&lt;-</code> (RHS: quoted literal, <code>${var}</code>, or
-                        <code>run</code> to a script) and an inline route on the channel declaration
-                        (<code>channel name -&gt; workflow</code>) dispatches it to receivers with
-                        the dispatch values (message, channel, sender) bound to the target's declared parameters.
+                    <p>You can define named <strong>channels</strong> with inline routing — for instance
+                        <code>channel findings -&gt; analyst</code> means the <code>analyst</code> workflow
+                        listens to messages passed on the <code>findings</code> channel. Each time a
+                        message is sent to <code>findings</code> with the <code>&lt;-</code> operator,
+                        the <code>analyst</code> workflow is triggered.
                     </p>
                     <pre><code class="language-jaiph" data-sample-source>#!/usr/bin/env jaiph
 
@@ -352,18 +382,18 @@ <h2 id="samples">Samples</h2>
                     <p>Running the workflow:</p>
                     <pre><code class="jaiph-run" data-sample-output="run"><span class="run-command">➜  ./agent_inbox.jh</span>
 
-Jaiph: Running agent_inbox.jh
+Jaiph: Running agent_inbox.jh<span class="run-banner-meta"> (Docker sandbox, fusefs)</span>
 
 <span class="run-keyword">workflow</span> default
   <span class="run-marker">▸</span> <span class="run-keyword">workflow</span> scanner
   <span class="run-marker">·</span>   <span class="run-marker">ℹ</span> Scanning for issues...
   <span class="run-pass">✓</span> <span class="run-time">workflow scanner (0s)</span>
-  <span class="run-marker">▸</span> <span class="run-keyword">workflow</span> analyst <span class="run-params">(message="\"Found 3 issues in auth module\"", chan="findings", sender="scanner")</span>
+  <span class="run-marker">▸</span> <span class="run-keyword">workflow</span> analyst <span class="run-params">(message="Found 3 issues in auth module", chan="findings", sender="scanner")</span>
   <span class="run-marker">·</span>   <span class="run-marker">ℹ</span> Analyzing message from scanner on channel findings...
   <span class="run-pass">✓</span> <span class="run-time">workflow analyst (0s)</span>
-  <span class="run-marker">▸</span> <span class="run-keyword">workflow</span> reviewer <span class="run-params">(message="\"Summary: \"Found 3 issues in aut...", chan="report", sender="analyst")</span>
+  <span class="run-marker">▸</span> <span class="run-keyword">workflow</span> reviewer <span class="run-params">(message="Summary: Found 3 issues in auth ...", chan="report", sender="analyst")</span>
   <span class="run-marker">·</span>   <span class="run-marker">ℹ</span> Reviewing message from analyst on channel report...
-  <span class="run-marker">·</span>   <span class="run-fail">! Critical issue: "Summary: "Found 3 issues in auth module""</span>
+  <span class="run-marker">·</span>   <span class="run-fail">! Critical issue: Summary: Found 3 issues in auth module</span>
   <span class="run-pass">✓</span> <span class="run-time">workflow reviewer (0s)</span>
 
 <span class="run-pass">✓ PASS</span> <span class="run-keyword">workflow</span> default <span class="run-time">(0s)</span></code></pre>
@@ -372,8 +402,9 @@ <h2 id="samples">Samples</h2>
                 <div class="code-tab-panel" data-panel="async-jh" data-sample="async" data-sample-file="async.jh">
                     <p>This sample runs two prompt workflows in parallel: one with Cursor and one with Claude.</p>
                     <p>Each workflow sets its own <code>agent.backend</code>, captures the prompt response, and logs it.
-                        The default workflow uses <code>run async</code> to fan out both workflows concurrently, with an
-                        implicit join before completion.</p>
+                        The default workflow uses <code>run async</code> to fan out both workflows concurrently.
+                        Each <code>run async</code> response resolves on the first read, or at the end of
+                        the embracing workflow.</p>
                     <pre><code class="language-jaiph" data-sample-source>#!/usr/bin/env jaiph
 
 const prompt_text = "Say: Greetings! I am [model name]."
@@ -398,7 +429,7 @@ <h2 id="samples">Samples</h2>
                     <p>Running the workflow:</p>
                     <pre><code class="jaiph-run" data-sample-output="run"><span class="run-command">➜  ./async.jh</span>
 
-Jaiph: Running async.jh
+Jaiph: Running async.jh<span class="run-banner-meta"> (Docker sandbox, fusefs)</span>
 
 <span class="run-keyword">workflow</span> default
  <span class="run-marker">₁</span><span class="run-marker">▸</span> <span class="run-keyword">workflow</span> cursor_say_hello
@@ -444,9 +475,11 @@ <h3>Language</h3>
                     tags providing the runtime: <code>```node</code>, <code>```python3</code>, <code>```ruby</code>,
                     <code>```pwsh</code> etc.
                 </p>
-                <p><strong>Async calls.</strong> For async managed work, use <code>run async wf()</code> — Jaiph fans
-                    out the workflows concurrently and <strong>implicitly joins</strong> them before the parent workflow
-                    completes.
+                <p><strong>Async calls.</strong> <code>run async wf()</code> returns a <code>Handle&lt;T&gt;</code>
+                    that resolves on first read. Capture with <code>const h = run async wf()</code> and read
+                    the handle when you need the value. Unresolved handles are <strong>implicitly joined</strong>
+                    before the parent workflow completes. Supports <code>recover</code> and <code>catch</code>
+                    composition for async error handling.
                 </p>
                 <p><strong>Agent inbox pattern (channels).</strong> Use inbox channels as a way to pass messages between
                     workflows. Declare channels at top level with <code>channel &lt;name&gt; [-&gt; workflow]</code>
@@ -456,15 +489,18 @@ <h3>Language</h3>
                     See <a href="inbox">Inbox &amp; Dispatch</a>.
                 </p>
                 <p><strong>Failure recovery.</strong> <code>ensure … catch</code> and <code>run … catch</code>
-                    handle failures inline: when a rule or script fails, the recovery body runs <strong>once</strong>
-                    (like a <code>catch</code> clause). For retries, use explicit recursion. Both forms work in workflows
-                    and rules. See <a href="grammar">Grammar</a>.
+                    handle failures inline: when a rule or script fails, the recovery body runs <strong>once</strong>.
+                    For automatic repair-and-retry, use <code>run … recover</code> — a loop that retries
+                    the target after each repair attempt (configurable limit, default 10). Both <code>catch</code>
+                    and <code>recover</code> work in workflows. See <a href="grammar">Grammar</a>.
                 </p>
 
                 <h3>Runtime</h3>
-                <p><strong>Docker sandboxing.</strong> Enable isolated execution with Docker for stronger containment of
-                    agent and shell actions. Configure in <code>config { runtime.* }</code>. See <a
-                        href="sandboxing">Sandboxing</a>.</p>
+                <p><strong>Docker sandboxing.</strong> Workflows run inside Docker by default for local development,
+                    providing
+                    filesystem and process isolation for agent and shell actions. Disable with
+                    <code>JAIPH_UNSAFE=true</code>. See <a href="sandboxing">Sandboxing</a>.
+                </p>
                 <p><strong>Hooks.</strong> Attach shell automation to workflow and step lifecycle events via
                     <code>~/.jaiph/hooks.json</code> or <code>&lt;project&gt;/.jaiph/hooks.json</code>. See <a
                         href="hooks">Hooks</a>.
@@ -473,6 +509,11 @@ <h3>Runtime</h3>
                     executable — a shell script, a Python wrapper, or your own CLI tool — and Jaiph will
                     pipe the prompt via stdin and capture raw stdout as the response. No JSON stream
                     protocol required; just read stdin and print your answer.</p>
+                <p><strong>Artifacts library.</strong> Publish files from inside the sandbox to a host-readable
+                    location with the built-in <code>jaiphlang/artifacts</code> library (<code>artifacts.save</code>).
+                    Works identically in Docker and on the host.
+                    See <a href="libraries#jaiphlangartifacts--publishing-files-out-of-the-sandbox">Libraries</a>.
+                </p>
                 <p><strong>Configuration.</strong> Control behavior with <code>config { ... }</code> blocks
                     at the module level or inside individual workflows for per-workflow overrides, plus environment
                     variables (env wins precedence). See <a href="configuration">Configuration</a> and
@@ -503,9 +544,11 @@ <h2>Syntax</h2>
                 <h3>Jaiph workflows</h3>
                 <dl class="primitive-list">
                     <dt><code>config { ... }</code></dt>
-                    <dd>Optional runtime options (agent backend/flags, logs, runtime). Allowed at the top level
+                    <dd>Optional runtime options (agent backend/flags, logs, runtime, module metadata). Allowed at the
+                        top level
                         (module-wide) and inside individual workflows (per-workflow overrides for <code>agent.*</code>
-                        and <code>run.*</code> keys). Environment variables override config values. See <a
+                        and <code>run.*</code> keys only; <code>runtime.*</code> and <code>module.*</code> are
+                        module-level only). Environment variables override config values. See <a
                             href="configuration">Configuration</a>.</dd>
 
                     <dt><code>import "file.jh" as alias</code> &middot; <code>const name = value</code> /
@@ -515,10 +558,12 @@ <h3>Jaiph workflows</h3>
                         shared by
                         rules, scripts, and workflows in the same file. Values can be single-line
                         <code>"..."</code> strings, triple-quoted <code>"""..."""</code> multiline strings,
-                        or bare tokens.</dd>
+                        or bare tokens.
+                    </dd>
 
                     <dt><code>rule name() { ... }</code> &middot; <code>rule name(params) { ... }</code> &middot;
-                        <code>workflow name() { ... }</code> &middot; <code>workflow name(params) { ... }</code> &middot;
+                        <code>workflow name() { ... }</code> &middot; <code>workflow name(params) { ... }</code>
+                        &middot;
                         <code>script name = `cmd`</code> &middot; <code>script name = ```[lang] ... ```</code>
                     </dt>
                     <dd><code>rule</code> is for reusable checks (Jaiph structured steps; used with
@@ -526,14 +571,17 @@ <h3>Jaiph workflows</h3>
                         <code>workflow</code> orchestrates Jaiph steps only, and <code>script</code> holds bash (or any
                         language via a fence lang tag like <code>```node</code>, <code>```python3</code>, or a custom
                         shebang) invoked with <code>run</code>. Rules and workflows <strong>require parentheses</strong>
-                        on every definition &mdash; even when parameterless (e.g. <code>workflow default() { &hellip; }</code>).
+                        on every definition &mdash; even when parameterless (e.g.
+                        <code>workflow default() { &hellip; }</code>).
                         Named parameters go inside the parentheses; the compiler validates
-                        call-site arity when the callee declares params. Any fence tag is valid &mdash; it maps directly to
+                        call-site arity when the callee declares params. Any fence tag is valid &mdash; it maps directly
+                        to
                         <code>#!/usr/bin/env &lt;tag&gt;</code>. Scripts run in <strong>full isolation</strong>
                         &mdash; only positional arguments
                         and essential Jaiph variables (<code>JAIPH_SCRIPTS</code>,
                         <code>JAIPH_WORKSPACE</code>) are inherited; module-scoped variables are not visible.
-                        Reuse shell helpers with <code>import script</code> or small named <code>script</code> blocks in the same module. Scripts are emitted as
+                        Reuse shell helpers with <code>import script</code> or small named <code>script</code> blocks in
+                        the same module. Scripts are emitted as
                         separate executable files under <code>scripts/</code> (within the run build output tree; see <a
                             href="cli">CLI reference</a>).
                     </dd>
@@ -551,7 +599,8 @@ <h3>Jaiph workflows</h3>
                         <code>run greet(name)</code> is equivalent to <code>run greet("${name}")</code>.
                         <code>run `body`(args)</code> embeds a one-off shell command directly
                         without a named <code>script</code> definition &mdash; supports arguments and capture.
-                        Use triple backticks for multiline: <code>run ```...```(args)</code>.</dd>
+                        Use triple backticks for multiline: <code>run ```...```(args)</code>.
+                    </dd>
 
                     <dt><code>prompt "..."</code> &middot; <code>prompt myVar</code> &middot;
                         <code>prompt """ ... """</code> &middot;
@@ -565,9 +614,12 @@ <h3>Jaiph workflows</h3>
                         <code>const name = run ref()</code>
                     </dt>
                     <dd>Bind or capture step values. All captures require the <code>const</code> keyword.
+                        All bindings are <strong>immutable</strong> &mdash; a name bound by a parameter,
+                        <code>const</code>, capture, or <code>script</code> cannot be rebound in the same scope.
                         For <code>ensure</code> / <code>run</code> to rules and workflows,
                         explicit
-                        <code>return "value"</code> (or <code>return run ref()</code> /
+                        <code>return "value"</code>, <code>return identifier</code>
+                        (or <code>return run ref()</code> /
                         <code>return ensure ref()</code>) feeds the variable; for <code>run</code> to a
                         <strong>script</strong>, capture follows
                         stdout. <code>const</code> RHS has stricter rules (no <code>$(...)</code> &mdash; use
@@ -577,32 +629,48 @@ <h3>Jaiph workflows</h3>
                         <code>const x = run helper(arg)</code>,
                         not
                         <code>const x = helper(arg)</code> (compile error with a correction hint). See
+                        <a href="grammar#immutable-bindings">Immutable bindings</a> and
                         <a href="grammar#step-output-contract">Step output contract</a>.
                     </dd>
 
-                    <dt><code>run async ref(args)</code></dt>
-                    <dd>Run a workflow or script concurrently. All async steps are implicitly joined
-                        before the workflow completes; failures are aggregated. Workflows only &mdash;
-                        capture (<code>const x = run async ...</code>) is not supported.
-                        See <a href="grammar">Grammar</a>.
+                    <dt><code>run async ref(args)</code> &middot;
+                        <code>const h = run async ref(args)</code>
+                    </dt>
+                    <dd>Run a workflow or script concurrently. Returns a <code>Handle&lt;T&gt;</code>
+                        that resolves on first non-passthrough read (interpolation, passing as arg to
+                        <code>run</code>, comparison, conditional). Passthrough (capture, re-assignment)
+                        does not force resolution. Unresolved handles are implicitly joined at workflow exit.
+                        Supports <code>recover</code> (retry loop) and <code>catch</code> (single-shot) composition:
+                        <code>run async foo() recover(err) { &hellip; }</code>.
+                        Workflows only. See <a href="grammar">Grammar</a> and
+                        <a href="spec-async-handles">Spec: Async Handles</a>.
                     </dd>
 
                     <dt><code>fail "reason"</code> &middot; <code>fail """..."""</code></dt>
-                    <dd><code>fail</code> aborts with stderr + non-zero exit. Use triple quotes for multiline messages.</dd>
+                    <dd><code>fail</code> aborts with stderr + non-zero exit. Use triple quotes for multiline messages.
+                    </dd>
 
                     <dt><code>ensure ref() catch (err) { … }</code> &middot;
                         <code>run ref() catch (err) { … }</code>
                     </dt>
                     <dd>Failure recovery: when the target fails, the recovery body runs <strong>once</strong>
                         (like a <code>catch</code> clause). <code>catch</code> requires explicit bindings
-                        in parentheses. Works in both workflows and rules. For retries, use explicit
-                        recursion in the recovery body.
+                        in parentheses. Works in both workflows and rules.
+                    </dd>
+
+                    <dt><code>run ref() recover (err) { … }</code></dt>
+                    <dd>Repair-and-retry loop: when the target fails, the repair body runs and the target
+                        is retried automatically. Stops on success or when the retry limit is exhausted
+                        (default 10, configurable via <code>run.recover_limit</code>). <code>recover</code>
+                        requires explicit bindings. Workflows only. See
+                        <a href="language#recover--repair-and-retry-loop">Language</a>.
                     </dd>
 
-                    <dt><code>match var { "lit" =&gt; …, /re/ =&gt; …, _ =&gt; … }</code></dt>
+                    <dt><code>match var { "lit" =&gt; … ⏎ /re/ =&gt; … ⏎ _ =&gt; … }</code></dt>
                     <dd>Pattern match on a string value. The subject is a bare identifier (no
                         <code>$</code> or <code>${}</code>). Arms are tested top-to-bottom; first match wins.
                         Patterns: string literal (exact), regex, or <code>_</code> wildcard.
+                        Arms are newline-delimited — commas between or after arms are rejected.
                         Usable as a statement, expression (<code>const x = match var { … }</code>),
                         or with <code>return</code> (<code>return match var { … }</code>).
                         Exactly one <code>_</code> wildcard arm is required.
@@ -673,6 +741,7 @@ <h3>Jaiph tests</h3>
 
     <div class="footer">
         <p class="footer-links"><a href="/getting-started">Getting started</a>
+            &middot; <a href="https://jaiph.org/getting-started" target="_blank" rel="noopener noreferrer">jaiph.org/getting-started</a>
             &middot; <a href="https://github.com/jaiphlang/jaiph" target="_blank" rel="noopener noreferrer">GitHub</a>
             &middot; <a href="https://marketplace.visualstudio.com/items?itemName=jaiph.jaiph-syntax-vscode"
                 target="_blank" rel="noopener noreferrer">VSCode</a>
diff --git a/docs/install b/docs/install
index 12e49402..85815f8f 100755
--- a/docs/install
+++ b/docs/install
@@ -55,11 +55,11 @@ elif [ -n "${1+x}" ] && [ -d "${1}" ] && [ -f "${1}/package.json" ]; then
   JAIPH_REPO_URL="${REPO_URL}"
 fi
 REPO_URL="${REPO_URL:-${JAIPH_REPO_URL:-https://github.com/jaiphlang/jaiph.git}}"
-# Version/ref: first argument only when not a local path, or JAIPH_REPO_REF env, or default tag v0.9.2.
+# Version/ref: first argument only when not a local path, or JAIPH_REPO_REF env, or default tag v0.9.3.
 if [ -n "${JAIPH_FROM_LOCAL}" ]; then
-  REPO_REF="${JAIPH_REPO_REF:-v0.9.2}"
+  REPO_REF="${JAIPH_REPO_REF:-v0.9.3}"
 else
-  REPO_REF="${1:-${JAIPH_REPO_REF:-v0.9.2}}"
+  REPO_REF="${1:-${JAIPH_REPO_REF:-v0.9.3}}"
 fi
 BIN_DIR="${JAIPH_BIN_DIR:-$HOME/.local/bin}"
 LIB_DIR="${JAIPH_LIB_DIR:-${BIN_DIR}/.jaiph}"
@@ -70,7 +70,9 @@ echo ""
 echo -e "${BOLD}Jaiph installer${NC}"
 echo ""
 
-require_cmd git
+if [ -z "${JAIPH_FROM_LOCAL}" ]; then
+  require_cmd git
+fi
 require_cmd node
 require_cmd npm
 
diff --git a/docs/jaiph-skill.md b/docs/jaiph-skill.md
index a7dd9c30..e0104001 100644
--- a/docs/jaiph-skill.md
+++ b/docs/jaiph-skill.md
@@ -7,30 +7,30 @@ redirect_from:
 
 # Jaiph Bootstrap Skill (for Agents)
 
-**Why this matters to you.** Humans structure their work with task lists, goals, and habits — it makes them effective and predictable. You face the same problem: without structure, your output varies between runs, failures go undetected, and the humans who depend on you lose trust. Jaiph gives you that structure. It defines what you do (workflows), what must be true before and after (rules), and how failures are handled (catch) — all in a small, declarative language you can read and write. The result: your behavior becomes **predictable**, **verifiable**, and **auditable**. Every run produces artifacts, every step is logged, every failure has a defined recovery path. You stop being a black box and start being a reliable system.
+**Why this page exists.** Agentic work needs the same things human teams need: a clear sequence of steps, explicit checks, and a record of what ran. Jaiph is a small workflow language for that: **workflows** sequence orchestration, **rules** express checks, **`script`** holds real shell, and the runtime logs steps and writes run artifacts. The payoff is behavior that is easier to repeat, verify, and debug than ad-hoc shell snippets alone.
 
 ## Overview
 
 This page is an **agent skill**: it tells an AI assistant how to **author** Jaiph workflows (`.jh` files) and what a sensible `.jaiph/` layout looks like. It is not a full language specification — use [Getting started](getting-started.md) as the documentation map, [Grammar](grammar.md) for syntax and validation details, [Configuration](configuration.md) for `config` keys, [Inbox & Dispatch](inbox.md) for channels, and [Sandboxing](sandboxing.md) for rule design vs optional Docker isolation.
 
-**Jaiph** is a small language for agentic workflows: **orchestration** (rules, prompts, managed calls) and **bash in `script` definitions**. The **Node workflow runtime** (`NodeWorkflowRuntime`) interprets the parsed AST directly — there is no bash transpilation of workflow bodies on the execution path. Before `jaiph run` / `jaiph test`, **`buildScripts()`** parses each reachable workspace **`*.jh`** module, runs **compile-time validation** (`validateReferences`), and writes extracted **`script`** files only (`*.test.jh` is not walked for emit). The workflow runner then **`buildRuntimeGraph()`** loads modules with **parse-only** imports (validation is not repeated there). See [Architecture](architecture).
+**Jaiph** is a small language for agentic workflows: **orchestration** (rules, prompts, managed calls) and **shell in `script` definitions**. The **Node workflow runtime** (`NodeWorkflowRuntime`) interprets the parsed AST in process — there is no separate transpiled workflow shell on the execution path ([Architecture](architecture.md)). Before `jaiph run` or `jaiph test`, **`buildScripts()`** takes a single **entry** `.jh` path (the workflow file, or the `*.test.jh` file for tests), runs **compile-time validation** (`validateReferences` inside **`emitScriptsForModule`**), and writes extracted **`script`** files under `scripts/` for that module and every file reachable from it via transitive **`import`** — not the whole workspace unless those files are imported. **`jaiph compile`** runs the same validation without emitting scripts or executing workflows. The runner’s **`buildRuntimeGraph()`** then loads the graph with **parse-only** imports (it does not re-run `validateReferences`).
 
 **Contracts (CLI vs runtime):** **Live:** `__JAIPH_EVENT__` JSON lines on **stderr only** (CLI progress and **hooks** — hooks are **CLI-only**, driven by that stream). **Durable:** `.jaiph/runs/...` and **`run_summary.jsonl`**. Channels are enforced at compile time and executed in the runtime (in-memory queue + inbox files under the run dir); they are not hooks.
 
 The **JS kernel** (`src/runtime/kernel/`) handles **prompt** execution, **managed script subprocesses**, **inbox** queues and dispatch, and **event/summary emission**. **Rule** bodies run in-process; user **`script`** bodies run as separate OS processes (bash by default, polyglot via fence lang tags like `` ```node ``, `` ```python3 `` or a leading `#!` shebang in the body).
 
-**Test lane:** `jaiph test` runs **`*.test.jh`** in-process (`node-test-runner.ts`): **`buildScripts(workspace)`**, then **`buildRuntimeGraph(testFile)` once per file**, mocks, and assertions — same `NodeWorkflowRuntime` as `jaiph run`.
+**Test lane:** `jaiph test` runs **`*.test.jh`** in-process (`node-test-runner.ts`): for each file it calls **`buildScripts(testFile, …)`** (same helper as `jaiph run`, with the **test file as the entry** so its import closure is validated and scripts are emitted), then **`buildRuntimeGraph(testFile)` once per file**, mocks, and assertions — same `NodeWorkflowRuntime` as `jaiph run`.
 
-**After `jaiph init`**, a repository gets `.jaiph/bootstrap.jh` (a triple-quoted prompt that tells the agent to read `.jaiph/SKILL.md`), `.jaiph/Dockerfile` (project sandbox image template), and a copy of this file. The bootstrap prompt explicitly asks the agent to review/update `.jaiph/Dockerfile` for the current repo and to end with a clear `WHAT CHANGED` + `WHY` summary. The expected outcome is a **minimal workflow set** for safe feature work: preflight checks, an implementation workflow, verification, and a `workflow default` entrypoint that wires them together (with an optional human-or-agent “review” step when you use a task queue).
+**After `jaiph init`**, a repository gets `.jaiph/bootstrap.jh` (a triple-quoted prompt that tells the agent to read `.jaiph/SKILL.md`) and a copy of this file. The bootstrap prompt asks the agent to scaffold workflows under `.jaiph/` and to end with a clear `WHAT CHANGED` + `WHY` summary. The expected outcome is a **minimal workflow set** for safe feature work: preflight checks, an implementation workflow, verification, and a `workflow default` entrypoint that wires them together (with an optional human-or-agent “review” step when you use a task queue). Docker-backed runs use the official `ghcr.io/jaiphlang/jaiph-runtime` image by default; see [Sandboxing](sandboxing.md) to override with `runtime.docker_image` or `JAIPH_DOCKER_IMAGE`.
 
 **Concepts:**
 
 - **Rules** — Structured checks: `ensure` (other **rules** only), `run` (**scripts** only — not workflows), `const`, `match`, `if`, `fail`, `log`/`logerr`, `return "…"` / `return run script()` / `return ensure rule()`, `ensure … catch`, `run … catch`. No raw shell lines, `prompt`, inbox send/route, or `run async`. Under `jaiph run`, rule bodies are executed **in-process** by the Node runtime; when a rule runs a **script**, that script is a normal managed subprocess (same as scripts from workflows) — see [Sandboxing](sandboxing.md).
-- **Workflows** — Named sequences of **Jaiph-only** steps: `ensure`, `run`, `prompt`, `const`, `fail`, `return`, `log`/`logerr`, inbox **send** (`channel_ref <- …`), `match`, `if`, `run async`, `ensure … catch`, `run … catch`. Route declarations (`->`) belong at the top level on `channel` declarations, **not** inside workflow bodies — a `->` inside a body is a parse error. Unrecognized lines are errors — put bash in **`script`** definitions and call with `run`.
+- **Workflows** — Named sequences of **Jaiph-only** steps: `ensure`, `run`, `prompt`, `const`, `fail`, `return`, `log`/`logerr`, inbox **send** (`channel_ref <- …`), `match`, `if`, `run async`, `ensure … catch`, `run … catch`, `run … recover`. Route declarations (`->`) belong at the top level on `channel` declarations, **not** inside workflow bodies — a `->` inside a body is a parse error. Unrecognized lines are errors — put bash in **`script`** definitions and call with `run`.
 - **Scripts** — Top-level **`script`** definitions are **bash (or shebang interpreter) source**, not Jaiph orchestration. Defined with `` script name = `body` `` (single-line backtick) or `` script name = ```[lang] ... ``` `` (fenced block). Double-quoted string bodies (`script name = "body"`) and bare identifier bodies (`script name = varName`) are **removed** — both produce parse errors with guidance to use backtick delimiters. The compiler treats all script bodies as **opaque text**: it does not parse lines as Jaiph steps, reject keywords, strip quotes, or validate cross-script calls. This means embedded `node -e` heredocs, inline Python, `const` assignments in JS, and any other valid shell construct compile without interference. Jaiph interpolation (`${...}`) is **forbidden** in **single-line backtick** script bodies — use `$1`, `$2` positional arguments to pass data from orchestration to scripts. In **fenced** (triple-backtick) blocks, `${...}` is passed through to the shell as standard parameter expansion (`${VAR}`, `${VAR:-default}`, etc.). A single-backtick body containing a newline is a hard parse error — use a fenced block for multi-line scripts. Use `return N` / `return $?` for exit status and **stdout** (`echo` / `printf`) for string data to callers. From a **workflow** or **rule**, call with **`run fn()`**. Can be exported (`export script name = ...`) for use by importing modules. Cannot be used with `ensure`, are not valid inbox route targets, and must not be invoked through `$(...)` or as a bare shell step. **Polyglot scripts:** use a fence lang tag (`` ```<tag> ``) to select an interpreter — the tag maps directly to `#!/usr/bin/env <tag>`. Any tag is valid (no hardcoded allowlist). For example: `` ```node ``, `` ```python3 ``, `` ```ruby ``, `` ```lua ``. Alternatively, if no fence tag is present, the first non-empty body line may start with `#!` (e.g. `#!/usr/bin/env lua`), which becomes the script's shebang and the body is emitted verbatim (you cannot combine a fence tag with a manual shebang — that is an error). Without either, `#!/usr/bin/env bash` is used and the emitter applies only lightweight bash-specific transforms (`return` normalization, `local`/`export`/`readonly` spacing, import alias resolution). Scripts are extracted to a `scripts/` directory under the run output tree (`jaiph run --target <dir>` sets that tree; without `--target` the CLI uses a temporary directory) and executed via **`JAIPH_SCRIPTS`**. **Inline scripts:** For trivial one-off commands, use `` run `body`(args) `` or `` run ```lang...body...```(args) `` directly in a workflow or rule step instead of declaring a named `script` definition. The body (single backtick for one-liners or triple backtick for multi-line) comes before the parentheses; optional comma-separated arguments go inside the parentheses: `` run `echo $1`("hello") ``. Fenced blocks support lang tags for polyglot inline scripts: `` run ```python3 ... ```() ``. Capture forms: `` const x = run `echo val`() `` and `` const x = run ```...```() ``. The old `run script() "body"` form is **removed** — use the backtick forms instead. Inline scripts use deterministic hash-based artifact names (`__inline_<hash>`) and run with the same isolation as named scripts. `run async` with inline scripts is not supported.
 - **Channels** — Top-level `channel <name> [-> workflow, ...]` declarations with optional inline routing; **send** uses `channel_ref <- …`. Routes are declared on the channel declaration, not inside workflow bodies (see [Inbox & Dispatch](inbox.md)). Channel names share the per-module namespace with rules, workflows, scripts, and module-scoped `local` / `const` variables.
 
-Step semantics (`ensure`, `run`, `prompt`, `catch`, `match`, `if`, `log`, `fail`, `return`, `send`, `run async`) are detailed in the **Steps** section below.
+Step semantics (`ensure`, `run`, `prompt`, `catch`, `recover`, `match`, `if`, `log`, `fail`, `return`, `send`, `run async`) are detailed in the **Steps** section below.
 
 **Audience:** Agents that produce or edit `.jh` files.
 
@@ -43,18 +43,20 @@ Use this loop whenever you add or change Jaiph workflows so failures surface bef
 1. **Preflight** — Run the project’s readiness checks if they exist (often `jaiph run .jaiph/readiness.jh` or a named preflight workflow). When the repo ships native tests (`*.test.jh`), run `jaiph test` before large edits when practical.
 2. **Implement** — Edit `.jh` modules using only constructs described in [Grammar](grammar.md); keep managed-call rules (`ensure` for rules, `run` for workflows and scripts); keep bash inside **`script`** bodies only (no raw shell in workflow/rule bodies).
 3. **Format** — Run `jaiph format <file.jh ...>` on all authored or modified `.jh` files before committing. This normalizes whitespace, indentation, and top-level ordering (imports, config, and channels hoisted to the top; everything else kept in source order). Use `jaiph format --check <file.jh ...>` to verify formatting without writing (non-zero exit on drift — useful in CI).
-4. **Verify** — Run `jaiph test` (whole workspace or a focused path) and any verification workflow the repo defines (commonly `jaiph run .jaiph/verification.jh`). Fix failures you introduce.
-5. **Inspect (optional)** — Browse `.jaiph/runs` directly when you need raw step logs or `run_summary.jsonl` instead of only the terminal tree.
+4. **Compile check** — Run `jaiph compile <file-or-dir>` on the paths you touched (or `jaiph compile --json …` in automation). Same reference checks as before a run, without executing workflows or writing `scripts/` ([Architecture](architecture.md)).
+5. **Verify** — Run `jaiph test` (whole workspace or a focused path) and any verification workflow the repo defines (commonly `jaiph run .jaiph/verification.jh`). Fix failures you introduce.
+6. **Inspect (optional)** — Browse `.jaiph/runs` directly when you need raw step logs or `run_summary.jsonl` instead of only the terminal tree.
 
 **CLI commands:**
 
 | Command | Purpose |
 |---|---|
-| `jaiph run <file.jh> [args...]` | Execute `workflow default` in the given file |
+| `jaiph run [--target <dir>] [--raw] <file.jh> [--] [args...]` | Execute `workflow default` in the given file (`--raw`: no banner/tree/hooks; used for embedding and Docker inner runs) |
 | `jaiph test [path]` | Run `*.test.jh` test files (workspace, directory, or single file) |
-| `jaiph format [--check] <file.jh ...>` | Reformat `.jh` files (or verify formatting without writing) |
-| `jaiph init [workspace]` | Scaffold `.jaiph/` with bootstrap workflow, Dockerfile template, and skill file |
-| `jaiph install [url[@version]]` | Install or restore project-scoped libraries under `.jaiph/libs/` |
+| `jaiph format [--check] [--indent <n>] <file.jh ...>` | Reformat `.jh` files (or verify formatting without writing) |
+| `jaiph compile [--json] [--workspace <dir>] <.jh files or dirs…>` | Parse and `validateReferences` only (no script emission, no run) |
+| `jaiph init [workspace]` | Scaffold `.jaiph/` with bootstrap workflow and skill file |
+| `jaiph install [--force] [<url[@version]> …]` | Clone libraries into `.jaiph/libs/` or restore from `.jaiph/libs.lock` |
 | `jaiph use <version\|nightly>` | Reinstall Jaiph at a specific version or nightly |
 
 **File shorthand:** `jaiph ./file.jh` auto-routes — `*.test.jh` files run as tests, other `*.jh` files run as workflows.
@@ -79,7 +81,7 @@ Ignore any outdated Markdown that contradicts the above.
 
 A **minimal workflow set** under `.jaiph/` that matches the delivery loop above:
 
-1. **Sandbox baseline** — Review/update `.jaiph/Dockerfile` first so container execution matches the repository's actual build/test/runtime/tooling needs. Keep Jaiph installed via `curl -fsSL https://jaiph.org/install | bash`.
+1. **Sandbox baseline (optional)** — If the repo uses Docker sandboxing, confirm `runtime.docker_image` / `JAIPH_DOCKER_IMAGE` match the tooling the team needs; the default is `ghcr.io/jaiphlang/jaiph-runtime` (see [Sandboxing](sandboxing.md)).
 2. **Preflight** — Rules and `ensure` for repo state and required tools (e.g. clean git, required binaries). Expose a small workflow (e.g. `workflow default` in `readiness.jh`) that runs these checks.
 3. **Review (optional)** — A workflow that reviews queued tasks before development starts (any filename, e.g. `ba_review.jh`). An agent prompt evaluates the next task for clarity, consistency, conflicts, and feasibility, then either marks it as ready or exits with questions. The implementation workflow gates on this marker so unreviewed tasks cannot proceed. This repository’s `.jaiph/architect_review.jh` is one concrete example; it uses `QUEUE.md` as the task queue.
 4. **Implementation** — A workflow that drives coding changes (typically via `prompt`), e.g. `workflow implement` in `main.jh`. When using a task queue, the implementation workflow should check that the first task is marked as ready (e.g. via a `<!-- dev-ready -->` marker) before proceeding.
@@ -95,15 +97,15 @@ Prefer composable modules over one large file.
 - **Module-scoped variables:** `local name = value` or `const name = value` (same value forms). Prefer **`const`** for new files. Values can be single-line `"..."` strings, triple-quoted `"""..."""` multiline strings, or bare tokens. A double-quoted string that spans multiple lines is rejected — use `"""..."""` instead. Accessible as `${name}` inside orchestration strings in the same module. Names share the unified namespace with channels, rules, workflows, and scripts — duplicates are `E_PARSE`. Not exportable; module-scoped only.
 - **Steps:**
   - **ensure** — `ensure ref` or `ensure ref([args...])` runs a rule (local or `alias.rule_name`). **Parentheses are optional when passing zero arguments** — `ensure check` is equivalent to `ensure check()`. When arguments are present, parentheses are required with comma-separated expressions. **Bare identifier arguments** are supported and preferred: `ensure check(status)` is equivalent to `ensure check("${status}")` — the identifier must reference a known variable (`const`, capture, or named parameter); unknown names fail with `E_VALIDATE`. **Standalone `"${identifier}"` in call arguments is rejected** — use the bare form instead. Optionally `ensure ref([args]) catch (<name>) <body>` or `ensure ref([args]) catch (<name>, <attempt>) <body>`: the recovery body runs **once** on failure (like a catch clause). There is no retry loop — for retries, use explicit recursion. The first binding (e.g. `failure`) receives the full merged stdout+stderr from the failed rule execution, including output from nested scripts and rules. The optional second binding (e.g. `attempt`) receives the attempt number (always `"1"`). Full output still lives in step **`.out` / `.err`** artifacts. If the failure binding is empty for your rule, persist diagnostics before prompting or assert non-empty. Works in both workflows and rules.
-  - **run** — `run ref` or `run ref([args...])` runs a workflow or script (local or `alias.name`). **Parentheses are optional when passing zero arguments** — `run setup` is equivalent to `run setup()`. When arguments are present, parentheses are required with comma-separated expressions. **`run` does not forward args by default** — pass named params explicitly (e.g. `run wf(task)`, `run util_fn(name)`). **Bare identifier arguments** are supported and preferred: `run greet(name)` is equivalent to `run greet("${name}")` — the identifier must reference a known variable (`const`, capture, or named parameter); unknown names fail with `E_VALIDATE`. **Standalone `"${identifier}"` in call arguments is rejected** — use the bare form instead (e.g. `run greet(name)` not `run greet("${name}")`). Quoted strings with additional text around the interpolation (e.g. `"prefix_${name}"`) are still allowed. Jaiph keywords cannot be used as bare identifiers. Optionally `run ref([args]) catch (<name>) <body>`: the recovery body runs **once** on failure (same semantics as `ensure … catch`). Works in both workflows and rules. Also supports **inline scripts**: `` run `body`(args) `` or `` run ```lang...body...```(args) `` — see Scripts section above.
+  - **run** — `run ref` or `run ref([args...])` runs a workflow or script (local or `alias.name`). **Parentheses are optional when passing zero arguments** — `run setup` is equivalent to `run setup()`. When arguments are present, parentheses are required with comma-separated expressions. **`run` does not forward args by default** — pass named params explicitly (e.g. `run wf(task)`, `run util_fn(name)`). **Bare identifier arguments** are supported and preferred: `run greet(name)` is equivalent to `run greet("${name}")` — the identifier must reference a known variable (`const`, capture, or named parameter); unknown names fail with `E_VALIDATE`. **Standalone `"${identifier}"` in call arguments is rejected** — use the bare form instead (e.g. `run greet(name)` not `run greet("${name}")`). Quoted strings with additional text around the interpolation (e.g. `"prefix_${name}"`) are still allowed. Jaiph keywords cannot be used as bare identifiers. **Nested managed calls in arguments** are supported with explicit keywords: `run foo(run bar())`, `run foo(ensure check())`, `run foo(run \`echo ok\`())`. Bare call-like forms in arguments (`run foo(bar())`, `run foo(\`echo ok\`())`) are rejected — add the `run` or `ensure` keyword. Optionally `run ref([args]) catch (<name>) <body>`: the recovery body runs **once** on failure (same semantics as `ensure … catch`). Works in both workflows and rules. Optionally `run ref([args]) recover (<name>) <body>`: repair-and-retry loop — on failure, binds error output, runs the repair body, and retries the target. Loop stops on success or when `run.recover_limit` (default 10) is exhausted. `recover` and `catch` are mutually exclusive on the same step. Workflows only. Also supports **inline scripts**: `` run `body`(args) `` or `` run ```lang...body...```(args) `` — see Scripts section above.
   - **log** — `log "message"` writes the expanded message to **stdout** and emits a **`LOG`** event; the CLI shows it in the progress tree at the current depth. Double-quoted string; `${identifier}` interpolation works at runtime. For multiline messages, use triple quotes: `log """..."""`. **Bare identifier form:** `log foo` (no quotes) expands to `log "${foo}"` — the variable's value is logged. Works with `const`, capture, and named parameters. **Inline capture interpolation** is also supported: `${run ref([args])}` and `${ensure ref([args])}` execute a managed call and inline the result (e.g. `log "Got: ${run greet()}"`). Nested inline captures are rejected. **`LOG`** events and `run_summary.jsonl` store the **same** message string (JSON-escaped for the payload). No spinner, no timing — a static annotation. See [CLI Reference](cli.md) for tree formatting. Useful for marking workflow phases (e.g. `log "Starting analysis phase"`).
   - **logerr** — `logerr "message"` is identical to `log` except the message goes to **stderr** and the event type is **`LOGERR`**. In the progress tree, `logerr` lines use a red `!` instead of the dim `ℹ` used by `log`. Same quoting, interpolation, bare identifier, and triple-quote rules as `log` (e.g. `logerr err_msg`, `logerr """..."""`).
-  - **Send** — After `<-`, use a **double-quoted literal**, **triple-quoted block** (`channel <- """..."""`), **`${var}`**, or **`run ref([args])`**. An explicit RHS is always required — bare `channel <-` (forward syntax) has been removed. Raw shell on the RHS is rejected — use `const x = run helper()` then `channel <- "${x}"`, or `channel <- run fmt_fn()`. Combining capture and send (`name = channel <- …`) is `E_PARSE`. See [Inbox & Dispatch](inbox.md).
+  - **Send** — After `<-`, use a **double-quoted literal**, **triple-quoted block** (`channel <- """..."""`), **`${var}`**, or **`run ref([args])`**. An explicit RHS is always required — bare `channel <-` (without a value) is invalid. Raw shell on the RHS is rejected — use `const x = run helper()` then `channel <- "${x}"`, or `channel <- run fmt_fn()`. Combining capture and send (`name = channel <- …`) is `E_PARSE`. See [Inbox & Dispatch](inbox.md).
   - **Route** — Routes are declared **at the top level** on channel declarations: `channel name -> workflow_ref` or `channel name -> wf1, wf2`. A `->` inside a workflow body is a **parse error** with guidance to move it to the channel declaration. When a message arrives on the channel, the runtime calls each listed **workflow** (local or `alias.workflow`), binding the dispatch values (message, channel, sender) to the target's 3 declared parameters. Route targets must declare exactly 3 parameters. Scripts and rules are not valid route targets. The dispatch queue drains after the orchestrator completes. **`NodeWorkflowRuntime` does not cap dispatch iterations** — avoid circular sends that grow the queue without bound. See [Inbox & Dispatch](inbox.md).
-  - **Bindings and capture** — `const name = …` (the `const` keyword is required for all captures). For **`ensure`** / **`run` to a workflow or rule**, capture is the callee’s explicit **`return "…"`**. For **`run` to a script**, capture follows **stdout** from the script body. **`prompt`** capture is the agent answer. **`const`** RHS cannot use `$(...)` or disallowed `${...}` forms — use a **`script`** and `const x = run helper(…)`. **`const`** must not use a **bare** `ref(args…)` call shape: use **`const x = run ref(args…)`** (or **`ensure`** for rules), not **`const x = ref(args…)`** — the compiler fails with **`E_PARSE`** and suggests the **`run`** form. Do not put Jaiph symbols inside `$(...)` — use `ensure` / `run`. See [Grammar](grammar.md#step-output-contract).
+  - **Bindings and capture** — `const name = …` (the `const` keyword is required for all captures). All bindings are **immutable**: a name bound by a parameter, `const`, capture, or `script` cannot be rebound in the same scope — the compiler rejects it with `E_VALIDATE: cannot rebind immutable name "…"`. For **`ensure`** / **`run` to a workflow or rule**, capture is the callee’s explicit **`return "…"`**. For **`run` to a script**, capture follows **stdout** from the script body. **`prompt`** capture is the agent answer. **`const`** RHS cannot use `$(...)` or disallowed `${...}` forms — use a **`script`** and `const x = run helper(…)`. **`const`** must not use a **bare** `ref(args…)` call shape: use **`const x = run ref(args…)`** (or **`ensure`** for rules), not **`const x = ref(args…)`** — the compiler fails with **`E_PARSE`** and suggests the **`run`** form. Do not put Jaiph symbols inside `$(...)` — use `ensure` / `run`. See [Grammar](grammar.md#immutable-bindings) and [Grammar](grammar.md#step-output-contract).
   - **return** — `return "value"` / `return "${var}"` / `return """..."""` sets the managed return value. Also supports **direct managed calls**: `return run ref()` or `return run ref(args)` and `return ensure ref()` or `return ensure ref(args)` — these execute the target and use its result as the return value, equivalent to `const x = run ref(args)` then `return "${x}"`. Parentheses are required on all call sites.
   - **fail** — `fail "reason"` or `fail """..."""` aborts with stderr message and non-zero exit (workflows; fails the rule when used inside a rule).
-  - **run async** — `run async ref([args...])` starts a workflow or script concurrently. All pending async steps are implicitly joined before the workflow completes; failures are aggregated. Capture (`const name = run async ...`) is not supported. Workflows only — rejected in rules.
+  - **run async** — `run async ref([args...])` starts a workflow or script concurrently and returns a **`Handle<T>`**. Capture is supported: `const h = run async ref()`. The handle resolves on first non-passthrough read (string interpolation, passing as arg to `run`, comparison, conditional, match subject). Passthrough (initial capture, re-assignment) does not force resolution. Unresolved handles are implicitly joined at workflow exit. `recover` (retry loop) and `catch` (single-shot) composition work with `run async`: `run async foo() recover(err) { … }`. Workflows only — rejected in rules.
   - **match** — `match var { "literal" => …, /regex/ => …, _ => … }` pattern-matches on a string value. The subject is always a bare identifier (no `$` or `${}`). Arms are tested top-to-bottom; the first match wins. Patterns: double-quoted string literal (exact match), `/regex/` (regex match), or `_` (wildcard — exactly one required). Usable as a statement, as an expression (`const x = match var { … }`), or with `return` (`return match var { … }`). Using `$var` or `${var}` as the match subject is a parse error. Allowed in both workflows and rules. See [Grammar](grammar.md#match).
   - **if** — `if var == "value" { … }` or `if var =~ /pattern/ { … }`. Subject is a bare identifier. Operators: `==` (exact string equality), `!=` (inequality), `=~` (regex match), `!~` (regex non-match). Operand is a `"string"` for `==`/`!=` or `/regex/` for `=~`/`!~`. Body is a brace block of valid workflow/rule steps. No `else` branch — use `match` for exhaustive value branching. `if` is a statement (no value production; cannot use with `const` or `return`). Allowed in both workflows and rules.
 - **Prompts:** Three body forms: (1) **single-line string** `prompt "..."` — double-quoted, single line only; (2) **identifier** `prompt myVar` — uses the value of an existing binding; (3) **triple-quoted block** `prompt """ ... """` — for multiline text, opening `"""` on the same line as `prompt`. Triple backticks (`` ``` ``) in prompt context are rejected with guidance — they are reserved for scripts. Multiline double-quoted strings are rejected — use a triple-quoted block instead. All forms support `${identifier}` interpolation (`${varName}`, `${paramName}`). **Inline capture interpolation** is also supported: `${run ref([args])}` and `${ensure ref([args])}` inside the prompt string or triple-quoted body (e.g. `prompt "Fix: ${ensure get_diagnostics()}"`). Nested inline captures are rejected. Bare `$varName` is not valid in orchestration strings. `$(...)` and `${var:-fallback}` are rejected. Capture: `const name = prompt "..."`, `const x = prompt myVar`, `const y = prompt """ ... """`. Optional **typed prompt:** `const name = prompt "..." returns "{ field: type, ... }"` or `const name = prompt myVar returns "..."` (flat schema; types `string`, `number`, `boolean`) validates the agent's JSON and sets `${name}` plus per-field variables accessible via **dot notation** — `${name.field}`. Dot notation is validated at compile time: the variable must be a typed prompt capture and the field must exist in the schema. **Orchestration bindings are strings:** typed fields are coerced with `String()` after JSON validation, so e.g. a numeric field is still the text `"42"` in scope. See [Grammar](grammar.md).
@@ -111,12 +113,18 @@ Prefer composable modules over one large file.
 **Quick reference examples:**
 
 ```jaiph
-# catch — failure handling with retry via recursion
+# catch — one-shot failure handling
 ensure ci_passes() catch (failure) {
   prompt "CI failed — fix the code."
   run deploy(env)
 }
 
+# recover — repair-and-retry loop (retries until success or limit)
+run deploy(env) recover(err) {
+  log "Deploy failed: ${err}"
+  run auto_repair(env)
+}
+
 # match — value branching (statement and expression forms)
 const label = match status {
   "ok" => "success"
@@ -155,7 +163,7 @@ Conventions:
 - **Parallelism:** `run async ref([args...])` for managed async with implicit join. For concurrent **bash**, use `&` and the shell builtin `wait` inside a **`script`** and call it with `run`. Do not call Jaiph internals from background subprocesses unless you understand `run.inbox_parallel` locking.
 - **Shell conditions:** Express conditionals with `run` to a **script** and handle failure with `catch`, or use `if` / `match` for value branching. Short-circuit brace groups remain valid **inside `script`** bodies: `cmd || { ... }`.
 - **No shell redirection around managed calls:** `run foo() > file`, `run foo() | cmd`, `run foo() &` are all `E_PARSE` errors — shell operators (`>`, `>>`, `|`, `&`) are not supported adjacent to `run` or `ensure` steps. Move shell pipelines and redirections into a **`script`** block and call it with `run`.
-- **Script reuse:** Prefer `import script "./tool.py" as tool` (or a sibling `.jh` module) instead of maintaining ad-hoc bash outside the compiler. Do not rely on a workspace-level shared-bash directory; that mechanism is being removed from the product (see `QUEUE.md`).
+- **Script reuse:** Prefer `import script "./tool.py" as tool` (or a sibling `.jh` module) instead of maintaining ad-hoc bash outside the compiler. Avoid informal workspace-level shared-bash directories that bypass the module graph.
 - **Unified namespace:** Channels, rules, workflows, scripts, script import aliases, and module-scoped `local`/`const` share a single namespace per module (`E_PARSE` on collision).
 - **Calling conventions (compiler-enforced):** `ensure` must target a rule — using it on a workflow or script is `E_VALIDATE`. `run` in a **workflow** must target a workflow or script; `run` in a **rule** must target a **script** only. **Type crossing:** `string` and `script` are distinct primitive types — `prompt` rejects script names, `run` rejects string consts, assigning a script to a `const` or interpolating `${scriptName}` are all `E_VALIDATE`. See [Grammar — Types](grammar.md#types). Jaiph symbols must not appear inside `$(...)` in bash contexts the compiler still scans (principally **`script`** bodies). Script bodies cannot contain `run`, `ensure`, `config`, nested definitions, routes, or Jaiph `fail` / `const` / `log` / `logerr` / `return "…"`.
 
@@ -180,7 +188,7 @@ Test files use the `*.test.jh` suffix and contain `test "name" { ... }` blocks.
 - `mock prompt { /pattern/ => "response", _ => "default" }` — content-based dispatch.
 - `mock workflow alias.name() { return "stubbed" }` — replaces a workflow body.
 - `mock rule alias.name() { return "ok" }` — replaces a rule body.
-- `mock script alias.name() { echo "stubbed" }` — replaces a script body.
+- `mock script alias.name() { … }` — replaces a script body with **shell lines** between the braces (same line as `{` is not enough; put the shell on the following lines, then `}` on its own line).
 
 **Assertions:**
 
@@ -206,12 +214,11 @@ test "handles failure gracefully" {
 }
 ```
 
-`allow_failure` prevents a non-zero workflow exit from failing the test — useful for testing error paths.
+`allow_failure` on a `run` step (with or without `const … =`) prevents a non-zero workflow exit from failing the test — useful for testing error paths. For **`mock script`**, put shell lines on lines after the opening `{`, then close with `}` on its own line (see [Testing](testing.md)).
 
 ## Suggested Starter Layout
 
 - `.jaiph/bootstrap.jh` — Created by `jaiph init`; contains a single triple-quoted prompt (`prompt """ ... """`) that points the agent at `.jaiph/SKILL.md` (a copy of this guide).
-- `.jaiph/Dockerfile` — Created by `jaiph init`; base Docker sandbox template. Review and tailor runtime/build/test tooling to the current repository.
 - `.jaiph/readiness.jh` — Preflight: rules and `workflow default` that runs readiness checks.
 - `.jaiph/ba_review.jh` (or any name you choose) — (Optional) Pre-implementation review: reads tasks from a queue file, sends one to an agent for review, and marks it dev-ready or exits with questions. This repository uses `.jaiph/architect_review.jh` with `QUEUE.md`.
 - `.jaiph/verification.jh` — Verification: rules and `workflow default` for lint/test/build.
@@ -227,6 +234,7 @@ Include a compile check and, when the repository has native tests (`*.test.jh`),
 
 ```bash
 jaiph format .jaiph/*.jh
+jaiph compile .jaiph
 jaiph test
 jaiph run .jaiph/main.jh "implement feature X"
 # Or run verification only:
diff --git a/docs/language.md b/docs/language.md
index 504b0872..9fae1d15 100644
--- a/docs/language.md
+++ b/docs/language.md
@@ -7,7 +7,11 @@ redirect_from:
 
 # Language
 
-Jaiph is a small orchestration language for AI agent workflows. You write `.jh` files that wire together prompts, shell scripts, validation rules, and message channels into executable pipelines. This page is the practical reference for every language primitive — what it does, how to use it, and where the edges are. For the formal EBNF grammar, see [Grammar](grammar). For system internals, see [Architecture](architecture).
+Workflow systems usually need two layers: a **host language** that sequences work, handles failures, and talks to tools, and **task code** (shell, Python, and so on) that does the mechanical steps. Jaiph’s `.jh` modules are that host layer: they wire prompts, scripts, validation **rules**, and **channels** into pipelines you can run from the CLI or CI.
+
+Under the hood, the **TypeScript CLI** parses modules, runs **`validateReferences`** while emitting script files (`emitScriptsForModule` / `buildScripts`), then starts a **Node workflow runtime** that walks the same AST in process — there is no separate workflow shell. The runtime’s `buildRuntimeGraph` pass loads imports with the parser only; compile-time checks live in the transpile path, not in the graph loader. For repository layout, event contracts, and diagrams, see [Architecture](architecture.md).
+
+This page is the practical reference for language primitives — syntax, steps, and runtime behavior at the author’s eye level. For lexical/syntax tables and edge-case grammar, see [Grammar](grammar.md). Test files (`*.test.jh`) are a dialect documented in [Testing](testing.md).
 
 ## Strings
 
@@ -66,7 +70,7 @@ print(f"Analyzing {sys.argv[1]}")
 ```
 </code></pre>
 
-The tag maps to `#!/usr/bin/env <tag>`. Any tag is valid. Alternatively, use a manual `#!` shebang as the first line. Combining both is an error.
+The tag maps to `#!/usr/bin/env <tag>`. Any tag is valid. Alternatively, use a manual `#!` shebang as the first line. Combining both is an error. If the body has **neither** a fence lang tag nor a leading `#!` line, emitted scripts default to `#!/usr/bin/env bash`.
 
 Strings and scripts are structurally distinct and non-interchangeable — using one where the other is expected produces a compile-time error.
 
@@ -129,7 +133,7 @@ Import paths resolve relative to the importing file first. If no file is found a
 import "queue-lib/queue" as queue   # resolves to .jaiph/libs/queue-lib/queue.jh
 ```
 
-The path is split as `<lib-name>/<path-inside-lib>`. Libraries are installed with `jaiph install` — see [CLI — `jaiph install`](cli.md#jaiph-install). Missing library imports fail at compile time with `E_IMPORT_NOT_FOUND`.
+The path is split as `<lib-name>/<path-inside-lib>`. Libraries are installed with `jaiph install` — see [CLI — jaiph install](cli.md#jaiph-install). Missing library imports fail at compile time with `E_IMPORT_NOT_FOUND`.
 
 ### Top-Level `const`
 
@@ -156,7 +160,7 @@ channel findings -> analyst
 channel events -> handler_a, handler_b
 ```
 
-Routes (`->`) declare which workflows receive messages sent to the channel. See [Inbox & Dispatch](inbox) for dispatch semantics.
+Routes (`->`) declare which workflows receive messages sent to the channel. See [Inbox & Dispatch](inbox.md) for dispatch semantics.
 
 ### Config
 
@@ -170,7 +174,7 @@ config {
 }
 ```
 
-See [Configuration](configuration) for all available keys and precedence rules.
+See [Configuration](configuration.md) for all available keys and precedence rules.
 
 ## Definitions
 
@@ -192,7 +196,7 @@ workflow deploy(env, version) {
 }
 ```
 
-Workflows support all step types: `run`, `ensure`, `prompt`, `const`, `log`, `logerr`, `fail`, `return`, `send`, `match`, `if`, `run async`, and `catch`.
+Workflows support all step types: `run`, `ensure`, `prompt`, `const`, `log`, `logerr`, `fail`, `return`, `send`, `match`, `if`, `run async`, `catch`, and `recover`.
 
 ### Rules
 
@@ -210,7 +214,7 @@ rule gate(path) {
 }
 ```
 
-Rules are more restricted than workflows: they cannot use `prompt`, `send`, or `run async`. Inside a rule, `run` targets scripts only (not workflows). Rules execute in a read-only filesystem — they are meant for validation and checks, not side effects.
+Rules are more restricted than workflows: the compiler rejects `prompt`, `send`, and `run async` in rule bodies, and `run` may only target **scripts** (never workflows or other rules via `run` — use `ensure` for rules). Those restrictions are **static** (see `validateReferences` in `src/transpile/validate.ts`). At runtime, `run` inside a rule still launches a normal managed script subprocess with the same **environment model** as workflow scripts (see [Script isolation](#script-isolation)); scripts can perform side effects — the language simply keeps orchestration-heavy steps out of rules.
 
 ### Scripts
 
@@ -228,7 +232,7 @@ workflow implement(task, role) {
 }
 ```
 
-Parameter names must be valid identifiers, unique, and not reserved keywords. Inside the body, parameters are accessed as `${paramName}`.
+Parameter names must be valid identifiers, unique, and not reserved keywords. Inside the body, parameters are accessed as `${paramName}`. Parameters are immutable — they cannot be rebound by `const` or any other declaration in the same scope (see [`const` — Variable Binding](#const--variable-binding) for details).
 
 ### Call Sites
 
@@ -239,13 +243,43 @@ run setup()
 run deploy("prod", version)
 ```
 
-**Bare identifier arguments** pass a variable's value without quoting. `run deploy(env)` is equivalent to `run deploy("${env}")`:
+**Bare identifier arguments** pass a variable’s value without quoting; the compiler records the identifier so unknown names fail early. You can still pass the same value as a quoted orchestration string (for example `run greet("${name}")` when a literal is required), but **prefer the bare form** when the whole argument is exactly one binding — it reads clearly and matches formatter output.
 
 ```jaiph
 const task = run get_next_task()
 run process(task)                    # bare identifier — passes value of task
-run process(task, "extra context")   # mixed bare + quoted
-run process("${task}")              # equivalent to bare form
+run process(task, "extra context")   # mixed bare + quoted literal
+run greet("hello_${name}")           # quoted string with extra text — allowed
+```
+
+### Nested Managed Calls in Arguments
+
+Call arguments can contain nested managed calls — but the `run` or `ensure` keyword must be explicit. This is a deliberate language rule: scripts and workflows execute only via `run`, and rules execute only via `ensure`, even when nested inside another call's arguments.
+
+**Valid — explicit nested calls:**
+
+```jaiph
+run mkdir_p_simple(run jaiph_tmp_dir())
+run do_work(ensure check_ok())
+run do_work(run `echo aaa`())
+```
+
+The nested call executes first and its result is passed as a single argument to the outer call.
+
+**Invalid — bare call-like forms:**
+
+```jaiph
+# run do_work(bar())          — E_VALIDATE: use "run bar()" or "ensure bar()"
+# run do_work(rule_bar())     — E_VALIDATE: use "ensure rule_bar()"
+# run do_work(`echo aaa`())   — E_VALIDATE: use "run `...`()"
+# const x = bar()             — E_PARSE: use "const x = run bar()"
+```
+
+The explicit capture-then-pass form is also valid:
+
+```jaiph
+const x = run bar()
+run foo(x)
 ```
 
 ### Arity Checking
@@ -276,19 +310,41 @@ const output = run transform()
 
 **Capture:** For a workflow, captures the explicit `return` value. For a script, captures stdout.
 
-### `run async` — Concurrent Execution
+### `run async` — Concurrent Execution with Handles
 
-Starts a workflow or script concurrently. All pending async steps are implicitly joined before the enclosing workflow returns.
+`run async ref(args)` starts a workflow or script concurrently and returns a **`Handle<T>`** — a value that resolves to the called function's return value on first non-passthrough read. `T` is the same type the function would return under a synchronous `run`.
 
 ```jaiph
 workflow default() {
+  # Fire-and-forget style (handle created but not captured)
   run async lib.task_a()
-  run async lib.task_b()
-  # both joined automatically before workflow returns
+
+  # Capture the handle for later use
+  const h = run async lib.task_b()
+
+  # Reading the handle forces resolution (blocks until task_b completes)
+  log "${h}"
 }
 ```
 
-Constraints: workflow-only (rejected in rules), capture not supported.
+**Handle resolution:** The handle resolves on first non-passthrough read — string interpolation, passing as argument to `run`, comparison, conditional branching, or match subject. Passthrough operations (initial capture into `const`, re-assignment) do not force resolution.
+
+**Implicit join:** When a workflow scope exits, the runtime implicitly joins all remaining unresolved handles created in that scope. This is not an error — it preserves backward compatibility with the pre-handle `run async` model.
+
+**`recover` composition:** `recover` works with `run async` to provide retry-loop semantics on the async branch:
+
+```jaiph
+const b1 = run async foo() recover(err) {
+  log "repairing: ${err}"
+  run fix_it()
+}
+```
+
+The async branch retries `foo()` using the same retry-limit semantics as non-async `recover` (default 10, configurable via `run.recover_limit`). The handle resolves to the eventual success value or the final failure. `catch` also works with `run async` for single-shot recovery (no retry loop).
+
+See [Spec: Async Handles](spec-async-handles.md) for the full value model.
+
+Constraints: workflow-only (rejected in rules), inline scripts not supported with `run async`.
 
 ### `ensure` — Execute a Rule
 
@@ -325,6 +381,51 @@ workflow deploy(env) {
 
 Bare `catch` without a binding is a parse error. All call arguments must appear inside parentheses before `catch`.
 
+### `recover` — Repair-and-Retry Loop
+
+`recover` is a first-class retry primitive for `run` steps. Unlike `catch` (which runs the recovery body once), `recover` implements a **loop**: try the target, and if it fails, bind the error, run the repair body, then retry. The loop stops when the target succeeds or when the retry limit is exhausted.
+
+```jaiph
+# Single-statement recovery loop
+run deploy() recover(err) run fix_deploy()
+
+# Block recovery loop
+run deploy(env) recover(err) {
+  log "Deploy failed: ${err}"
+  run auto_repair(env)
+}
+```
+
+**Semantics:**
+
+1. Execute the `run` target.
+2. If it succeeds, continue (the `recover` body never runs).
+3. If it fails, bind merged stdout+stderr to the `recover` binding (e.g. `err`), execute the repair body, then go to step 1.
+4. If the retry limit is reached and the target still fails, the step fails with the last error.
+
+**Retry limit:** The default limit is **10** attempts. Override it per-module with the `run.recover_limit` config key:
+
+```jaiph
+config {
+  run.recover_limit = 3
+}
+
+workflow default() {
+  run flaky_step() recover(err) {
+    log "Retrying after: ${err}"
+    run repair()
+  }
+}
+```
+
+**Capture:** When the target eventually succeeds, `const name = run ref() recover(err) { … }` captures the result (same rules as plain `run` — `return` value for workflows, stdout for scripts).
+
+**Constraints:**
+- `recover` requires exactly one binding: `recover(name)`. Bare `recover` without bindings is a parse error.
+- All call arguments must appear inside parentheses **before** `recover`.
+- `recover` is available on `run` steps in workflows only (not `ensure`). `recover` also works with `run async` — see [`run async`](#run-async--concurrent-execution-with-handles).
+- `recover` and `catch` are mutually exclusive on the same step — use one or the other.
+
 ### `prompt` — Agent Interaction
 
 Sends text to the configured agent backend. Three body forms:
@@ -367,7 +468,7 @@ Prompts are not allowed in rules.
 
 ### `const` — Variable Binding
 
-Introduces a variable in a workflow or rule body.
+Introduces an **immutable** variable in a workflow or rule body.
 
 ```jaiph
 const tag = "v1.0"
@@ -386,6 +487,18 @@ const label = match status {
 
 A bare reference like `const x = ref(args)` is rejected — use `const x = run ref(args)`.
 
+**Immutability:** All bindings — parameters, `const` declarations, captures, and `script` names — are immutable within their scope. The compiler rejects:
+
+- Rebinding a parameter name via `const` (e.g. `workflow run(x) { const x = … }`)
+- Duplicate `const` declarations with the same name in the same scope
+- A `script` name that collides with an existing immutable binding
+
+The error names the conflicting binding and its origin:
+
+```
+E_VALIDATE: cannot rebind immutable name "x"; already bound as parameter at file.jh:1
+```
+
 ### `log` and `logerr`
 
 `log` writes to stdout; `logerr` writes to stderr (shown with a red `!` marker in the progress tree).
@@ -400,7 +513,14 @@ log """
 """
 ```
 
-Both accept single-line strings, triple-quoted blocks, or bare identifiers.
+Both accept single-line strings, triple-quoted blocks, bare identifiers, or **managed inline-script calls**:
+
+```jaiph
+log run `echo hello`()
+logerr run `echo $1`("details")
+```
+
+A managed inline-script call executes the script and logs its stdout. The `run` keyword is required — bare inline scripts (`log \`…\`()`) are rejected at compile time.
 
 ### `fail`
 
@@ -422,12 +542,15 @@ Sets the managed return value in rules and workflows.
 ```jaiph
 return "success"
 return "${result}"
+return response                        # bare identifier — returns the variable's value
 return """
   Report for ${name}:
   Status: ${status}
 """
 ```
 
+**Bare identifier** — `return response` is sugar for `return "${response}"`. The identifier must be in scope (`const`, capture, or parameter). Unknown identifiers produce a compile-time `E_VALIDATE` error naming the missing binding.
+
 **Direct managed call** — executes a target and uses its result as the return value:
 
 ```jaiph
@@ -437,8 +560,12 @@ return match status {
   "ok" => "pass"
   _ => "fail"
 }
+return run `cat report.txt`()
+return run `echo $1`("arg")
 ```
 
+Inline scripts are supported with `return run \`…\`(args)`. The `run` keyword is required — bare inline scripts (`return \`…\`()`) are rejected at compile time.
+
 
 ### `send` — Channel Messages
 
@@ -468,9 +595,9 @@ match status {
 }
 ```
 
-Patterns can be string literals (exact equality), regex (`/pattern/`), or `_` (default). Exactly one default arm is required.
+Patterns can be string literals (exact equality), regex (`/pattern/`), or `_` (default). Exactly one default arm is required. Arms are **newline-delimited** — commas between or after arms are rejected at parse time (`"commas are not allowed in match arms; use one arm per line"`).
 
-**Arm bodies** — the value expression after `=>`. Allowed: string literals (`"…"` or `"""…"""`), variable references, `fail "…"`, `run ref(…)`, `ensure ref(…)`. The `return` keyword inside an arm body is forbidden — use `return match x { … }` at the outer level. Inline script forms (backtick) are also forbidden in arms; use named scripts.
+**Arm bodies** — the value expression after `=>`. Allowed: string literals (`"…"` or `"""…"""`), bare in-scope identifiers (`const`, capture, or parameter), `$var`/`${var}` interpolation, `fail "…"`, `run ref(…)`, `ensure ref(…)`. A bare word that is not an in-scope variable is rejected at compile time with `E_VALIDATE` (`unknown identifier "…" in match arm body`) — this catches typos like `_ => true` or `_ => blorp` that would otherwise silently become string literals. The `return` keyword inside an arm body is forbidden — use `return match x { … }` at the outer level. Inline script forms (backtick) are also forbidden in arms; use named scripts.
 
 **Runtime execution** — arm bodies are not merely string values. Each form executes at runtime:
 - `fail "message"` aborts the workflow with a non-zero exit and the given message.
@@ -563,7 +690,7 @@ print(f"args: {sys.argv[1:]}")
 ```()
 </code></pre>
 
-Inline scripts have the same subprocess isolation as named scripts. They are emitted as `scripts/__inline_<hash>` with deterministic names. `run async` with inline scripts is not supported.
+Inline scripts use the same emission layout (`scripts/__inline_<hash>`) and the same **`NodeWorkflowRuntime` spawn contract** as named scripts (full scope env, cwd from `JAIPH_WORKSPACE` / module path — see [Script isolation](#script-isolation)). `run async` with inline scripts is not supported.
 
 ## String Interpolation
 
@@ -588,15 +715,13 @@ log "Status: ${ensure check_ok()}"
 
 If the inline capture fails, the enclosing step fails. Nested inline captures are rejected — extract the inner call to a `const`.
 
-## Script Isolation
+## Script isolation
 
-Scripts run in a clean process environment. Only these variables are inherited:
+**Emitted script files** do not embed module `const` values or other Jaiph “shims” — the transpiler writes the authored body plus a shebang (see `emitScriptsForModule` / `emit-script.ts`). Anything a script needs from the module must be passed as **positional arguments** (`$1`, `$2`, …), read from paths under `JAIPH_WORKSPACE`, or live in shared script sources (`import script`).
 
-- **System:** `PATH`, `HOME`, `TERM`, `USER`
-- **Jaiph:** `JAIPH_SCRIPTS`, `JAIPH_WORKSPACE`
-- **Positional arguments:** `$1`, `$2`, …
+**Subprocess environment (`NodeWorkflowRuntime`):** When the AST interpreter runs `run` / inline scripts, it spawns the emitted executable with the **current workflow scope environment** — a copy of the runner’s `process.env` merged with Jaiph-populated keys (`JAIPH_SCRIPTS`, `JAIPH_WORKSPACE`, `JAIPH_RUN_DIR`, `JAIPH_ARTIFACTS_DIR`, prompt-related `JAIPH_AGENT_*` variables when set, and values derived from `config { … }` via metadata). It is **not** reset to a tiny fixed allowlist; anything visible to the workflow runner is visible to child scripts unless your deployment strips the parent environment.
 
-Module-scoped `const` variables are not visible. Pass data as positional arguments, duplicate small bash inline, or use `import script` for shared helpers.
+The kernel helper `run-step-exec.ts` still uses a **minimal** env (`PATH`, `HOME`, `TERM`, `USER`, `JAIPH_SCRIPTS`, `JAIPH_WORKSPACE`) for its own **internal** `spawnSync` script-capture paths — that is not the same code path as ordinary `NodeWorkflowRuntime` `spawn()` for user `script` steps.
 
 **Interpolation rules by body form:**
 
@@ -616,7 +741,7 @@ Every step produces three outputs: status, value, and logs.
 | `prompt` | exit code | final assistant answer | artifacts |
 | `log` / `logerr` | always 0 | — | event stream |
 | `fail` | non-zero (abort) | — | stderr |
-| `run async` | aggregated | not supported | artifacts |
+| `run async` | aggregated | `Handle<T>` — resolves to return value on read | artifacts |
 | `const` | same as RHS | binds locally | — |
 
 ## Lexical Notes
diff --git a/docs/libraries.md b/docs/libraries.md
index 23f466f6..31148f09 100644
--- a/docs/libraries.md
+++ b/docs/libraries.md
@@ -7,33 +7,85 @@ redirect_from:
 
 # Libraries
 
-Jaiph supports **project-scoped libraries** — reusable `.jh` modules installed from git repositories into `.jaiph/libs/` under your workspace root. The CLI clones shallow copies, records them in a lockfile, and the compiler resolves imports after relative paths.
+When workflows grow, you want to **reuse** modules: shared rules, script wrappers, and small “standard library” flows. Jaiph does not publish those as a global install path; instead, each **workspace** can hold **project-scoped libraries** under `<workspace>/.jaiph/libs/`. The compiler resolves `import` paths against that tree (after normal relative resolution), and the CLI can **clone** git repositories into that folder and record them in a lockfile. This matches the import story in [Architecture](architecture.md#core-components) (validator + `resolveImportPath` with workspace root).
 
-## Installing libraries
+## How imports resolve
+
+1. **Relative to the current file** — the same as for local modules (`import "./foo"`, `import "../lib/util"`).
+2. **Library paths** — if the import string contains a `/` and the relative path does not exist, the compiler tries  
+   `<workspace>/.jaiph/libs/<lib-name>/<rest>.jh`  
+   (see `resolveImportPath` in the transpiler; the **workspace root** is required everywhere imports are checked).
+
+The library name is the first path segment (e.g. `queue-lib` in `import "queue-lib/queue"`). A module that declares `export` names only exposes those names to importers, as described in [Grammar — Imports and Exports](grammar.md#imports-and-exports).
+
+## Installing third-party libraries
 
 ```bash
-# Install a library
+# Install a library (shallow git clone into .jaiph/libs/<name>/)
 jaiph install https://github.com/you/queue-lib.git
 
-# Install at a specific tag or branch
+# Install a specific tag or branch (ref must follow the .git in the URL)
 jaiph install https://github.com/you/queue-lib.git@v1.0
 
-# Restore all libraries from lockfile (e.g. after git clone)
+# Restore all libraries from the lockfile (e.g. after git clone)
 jaiph install
 ```
 
-Installed libraries are tracked in `.jaiph/libs.lock` for reproducibility. Add `.jaiph/libs/` to your `.gitignore` and commit `.jaiph/libs.lock`.
+`jaiph install` writes `.jaiph/libs.lock`. Commit the lockfile; add `.jaiph/libs/` to `.gitignore` if you do not want vendored clones in git. Use `--force` to replace an existing clone (see [CLI — `jaiph install`](cli.md#jaiph-install) for details).
+
+## Example: `import` from a clone under `.jaiph/libs/`
+
+`jaiph install` creates `queue-lib/…` on disk, so a path like `queue-lib/queue` resolves the same as any other library layout. The exported names are defined by that repository; here is a self-contained example using the documented **`jaiphlang/queue`** API (after you have `.jaiph/libs/jaiphlang/` in the workspace).
+
+```jaiph
+import "jaiphlang/queue" as q
+
+workflow default() {
+  ensure q.has_tasks()
+  const t = run q.get_first_task()
+  log "${t}"
+}
+```
+
+## The `jaiphlang/` standard libraries
+
+The `jaiphlang/` prefix is a **naming convention** for first-party helper modules (queue, artifacts, …). They are not bundled inside the npm `jaiph` package; the canonical source lives in the [jaiph repository](https://github.com/jaiphlang/jaiph) under `.jaiph/libs/jaiphlang/`. Copy that directory into your own workspace as `.jaiph/libs/jaiphlang/` (or track it in git) so `import "jaiphlang/..."` resolves. They use the same `import` / `export workflow` (and `export rule`) pattern as any other library.
+
+### `jaiphlang/queue` — `QUEUE.md` task queue
 
-## Importing from libraries
+Manages a markdown task file **`QUEUE.md`** at `${JAIPH_WORKSPACE:-.}` (see `queue.jh` and `queue.py`). Task sections use `##` headers; optional tags are `#hashtags` on the header line (e.g. `## My task #dev-ready`).
 
-Use the `<lib-name>/<module-path>` convention in import statements:
+| Export | Kind | Description |
+|--------|------|-------------|
+| `get_first_task()` | workflow | Returns the first task block (header + body). |
+| `next_task(tag)` | workflow | Returns the first task whose header has the given tag. |
+| `get_task_by_header(header)` | workflow | Returns a task by title (tags stripped for matching). |
+| `get_all_task_headers()` | workflow | Newline-separated task titles (no `##` prefix). |
+| `mark_task_dev_ready(header)` | workflow | Adds `#dev-ready` to the matching header. |
+| `remove_completed_task(header)` | workflow | Removes the task with that title. |
+| `set_task_description_from_file(header, bodyPath)` | workflow | Replaces body text from a UTF-8 file; header unchanged. |
+| `has_tasks()` | rule | Passes if the queue has at least one task. |
+| `task_is_dev_ready(task)` | rule | Passes if the task text has `#dev-ready` on the header. |
+| `all_dev_ready()` | rule | Passes if every task has `#dev-ready`. |
+
+The module also defines a `default` workflow for **direct CLI** use (arguments are forwarded to the Python helper). For example: `jaiph .jaiph/libs/jaiphlang/queue.jh headers`.
+
+### `jaiphlang/artifacts` — publishing files out of the sandbox
+
+Copies files from the **workspace** (or sandbox overlay) into the run’s `artifacts/` tree so they remain on the host after a Docker run or process exit. The kernel sets `JAIPH_ARTIFACTS_DIR` to the writable directory for the current run. See [Architecture](architecture.md#durable-artifact-layout) and [Sandboxing](sandboxing.md) for how that interacts with the read-only workspace in Docker.
 
 ```jaiph
-import "queue-lib/queue" as queue
+import "jaiphlang/artifacts" as artifacts
 
 workflow default() {
-  run queue.list("my-project")
+  # Copy a file into the artifacts directory under a chosen name.
+  # Returns the absolute path of the saved artifact.
+  const path = run artifacts.save("./build/output.bin", "build-output.bin")
 }
 ```
 
-The import resolver tries relative paths first (same as local modules), then falls back to `.jaiph/libs/`. See [CLI — `jaiph install`](cli.md#jaiph-install) for flags, lockfile format, and edge cases.
+**Exported workflows**
+
+| Workflow | Description |
+|----------|-------------|
+| `save(local_path, name)` | Requires `local_path` to be a **file**. Copies to `${JAIPH_ARTIFACTS_DIR}/${name}` (creates parent dirs). Returns the absolute destination path. |
diff --git a/docs/run b/docs/run
index ebeea8a6..3a6b250a 100755
--- a/docs/run
+++ b/docs/run
@@ -11,10 +11,10 @@ set -euo pipefail
 
 JAIPH_SITE="${JAIPH_SITE:-https://jaiph.org}"
 
-TMPFILE=""
+WORKDIR=""
 
 cleanup() {
-  [ -n "$TMPFILE" ] && rm -f "$TMPFILE"
+  [ -n "$WORKDIR" ] && rm -rf "$WORKDIR"
 }
 trap cleanup EXIT INT TERM
 
@@ -47,9 +47,15 @@ if [ -z "$WORKFLOW" ]; then
   exit 1
 fi
 
-# ── Write to temp file and run ──
+# ── Write to a dedicated workspace and run ──
+#
+# A self-contained workdir (with a `.jaiph` marker) makes the Docker sandbox
+# bind-mount only this directory, not all of $TMPDIR. Mounting host /tmp would
+# expose unrelated files and breaks fuse-overlayfs reads inside the container.
 
-TMPFILE="$(mktemp "${TMPDIR:-/tmp}/jaiph-run-XXXXXX.jh")"
+WORKDIR="$(mktemp -d "${TMPDIR:-/tmp}/jaiph-run-XXXXXX")"
+mkdir -p "${WORKDIR}/.jaiph"
+TMPFILE="${WORKDIR}/workflow.jh"
 printf '%s\n' "$WORKFLOW" > "$TMPFILE"
 
 jaiph run "$TMPFILE"
diff --git a/docs/sandboxing.md b/docs/sandboxing.md
index 6d1be92d..8a1b201e 100644
--- a/docs/sandboxing.md
+++ b/docs/sandboxing.md
@@ -7,144 +7,244 @@ redirect_from:
 
 # Sandboxing
 
-Jaiph provides two independent ways to limit what a workflow can do. **Rules** restrict step types at the language level so validation logic stays small and reviewable. **Docker** (opt-in) runs the entire `jaiph run` workflow inside a container for filesystem and process isolation. You can use either mechanism on its own or combine them.
+Workflows orchestrate **managed scripts** and other steps on the machine where `jaiph run` executes. That power is useful for builds and agents, but it also means a script can read files, call the network, and run arbitrary programs unless you constrain it. Jaiph addresses that at two layers: **language rules** (what may appear in a rule body) and **Docker-backed isolation** for `jaiph run` (on by default via env; see [Enabling Docker](#enabling-docker)). You can rely on rules alone, turn Docker off for host execution, or combine both.
 
-Both local and Docker runs use the same Node workflow runtime and stream `__JAIPH_EVENT__` on stderr. [Hooks](hooks.md) always run on the host CLI and consume that same event stream, even when the runner is inside a container. For `config` syntax, allowed keys, and precedence rules, see [Configuration](configuration.md). For the full step-type matrix, see [Grammar](grammar.md).
+At a high level, the **CLI** chooses local vs Docker launch; the **Node workflow runtime** (`NodeWorkflowRuntime` in `src/runtime/kernel/`) interprets the same AST either way. See [Architecture](architecture.md) for how compile validation, the runner child, and durable artifacts fit together.
+
+Both local and Docker runs stream `__JAIPH_EVENT__` on **stderr** only; [Hooks](hooks.md) always run on the **host** CLI and read that stream, even when the workflow runs in a container. For `config` syntax, allowed keys, and merge rules, see [Configuration](configuration.md). For the full step-type matrix, see [Grammar](grammar.md).
 
 ## Rules: structured validation, not mutation
 
-Rules restrict which step types are allowed in their body. The permitted set is: `ensure` (other rules), `run` (scripts only, not workflows), `const` (script/rule captures or bash RHS, not `prompt`), `match`, `fail`, `log` / `logerr`, `return`, `ensure … catch`, and `run … catch`. Raw shell, `prompt`, `send` / `route`, and `run async` are disallowed. See [Grammar -- High-level concepts](grammar.md#high-level-concepts) for the authoritative list.
+Rules restrict which step types are allowed in their body — enforced at **compile time** in `validateReferences` (`src/transpile/validate.ts`), not by an OS sandbox. The permitted set matches [Grammar — Language concepts](grammar.md#language-concepts): `ensure` (other rules only), `run` (**scripts** only — not workflows), `const` (script/`ensure` captures, `match` expressions, or bash RHS — never `prompt`), `match`, `if`, `fail`, `log` / `logerr`, `return` (strings, identifiers, `return run …` / `return ensure …`, and the managed forms the grammar allows), `ensure … catch`, `run … catch`, and `run … recover`. Inline script steps and managed `log`/`logerr` from inline scripts are allowed where the grammar permits them.
+
+Disallowed in rules: **raw shell lines** (every line must be a recognized Jaiph step — use a `script` and `run`), `prompt`, inbox **`send`** / routing, and **`run async`**. See the grammar page for the authoritative list and examples.
 
 The runtime executes rules by walking the AST in-process (`NodeWorkflowRuntime.executeRule`). There is no per-rule OS sandbox -- no mount namespace, no automatic read-only filesystem. When a rule runs a script step, that script executes as a normal managed subprocess with full access to paths the process user can reach. Treat rules as non-mutating checks by convention; perform intentional filesystem changes in workflows, not rules.
 
 `jaiph test` executes tests in-process with `NodeTestRunner` and does not use Docker or a separate rule sandbox.
 
+## Threat model
+
+Docker sandboxing is designed to contain damage from untrusted or semi-trusted workflow scripts. Understanding what it does and does not protect against helps you make informed decisions about when to enable it.
+
+**What Docker protects against:**
+
+- **Filesystem access** -- Scripts inside the container cannot read or write arbitrary host paths. The container's `/jaiph/workspace` is either an in-container fuse-overlayfs union over a read-only bind of the host workspace (overlay mode, writes land in a tmpfs upper layer and are discarded on exit) or a host-side clone of the workspace mounted read-write (copy mode, the clone is removed on exit). Only the run-artifacts directory (`/jaiph/run`) persists writes back to the host workspace.
+- **Process isolation** -- Container processes cannot see or signal host processes. Every sandboxed container uses `--cap-drop ALL` plus `--security-opt no-new-privileges`. **Overlay mode** (Linux) adds capabilities required for `fuse-overlayfs` and for dropping privileges after mount: `SYS_ADMIN`, `SETUID`, `SETGID`, `CHOWN`, and `DAC_READ_SEARCH` (see `buildDockerArgs` in `src/runtime/docker.ts`). **Copy mode** does not add capabilities. The overlay entrypoint (`runtime/overlay-run.sh`) starts as the container user `0:0` so it can mount, then normally **`exec`s `jaiph run` as the host UID/GID** via `setpriv` when `JAIPH_HOST_UID` / `JAIPH_HOST_GID` are set; copy mode uses `--user <host_uid>:<host_gid>` directly. macOS Docker Desktop does not use Linux `--user` overrides (UID mapping is handled by the VM).
+- **Credential leakage** -- Environment variable forwarding uses an explicit allowlist: only `JAIPH_*` (except `JAIPH_DOCKER_*`), `ANTHROPIC_*`, `CLAUDE_*`, and `CURSOR_*` cross the container boundary. Everything else is dropped.
+- **Mount safety** -- The host root filesystem (`/`), Docker socket (`/var/run/docker.sock`, `/run/docker.sock`), and OS internals (`/proc`, `/sys`, `/dev`) cannot be mounted into the container. Attempting to do so produces `E_VALIDATE_MOUNT`.
+- **Shell injection safety** -- All Docker CLI invocations (`docker info`, `docker image inspect`, `docker pull`) use `execFileSync` with an explicit argument array, bypassing `/bin/sh`. Image names and other parameters are passed as literal argv entries with no shell expansion, so values containing shell metacharacters (`;`, `$`, backticks, etc.) are never evaluated.
+
+**What Docker does NOT protect against:**
+
+- **Hooks run on the host.** Hook commands in `hooks.json` execute on the host CLI process, not inside the container. A malicious hook definition has full host access. Treat `hooks.json` as trusted configuration.
+- **Network egress by default.** Unless `runtime.docker_network` is set to `"none"`, the container has outbound network access via Docker's default bridge. Scripts can reach external services and exfiltrate data through the network.
+- **Agent credential forwarding.** `ANTHROPIC_*`, `CLAUDE_*`, and `CURSOR_*` variables are forwarded into the container so agent-backed workflows function. Any workflow code in the container can read them from the environment together with outbound network access; treat that as **full disclosure** of those secrets to workflow code.
+- **Image supply chain.** Jaiph verifies that the selected image contains `jaiph` but does not verify image signatures or provenance. Use trusted registries and pin image digests for production workloads.
+- **Container escapes.** Docker is not a security boundary against a determined attacker with kernel exploits. It raises the bar significantly for script-level mischief but is not equivalent to a VM or hardware-level isolation.
+
 ## Docker container isolation
 
 > **Beta.** Docker sandboxing is functional but still under active development. Expect rough edges, breaking changes, and incomplete platform coverage. Feedback is welcome at <https://github.com/jaiphlang/jaiph/issues>.
 
-Docker applies to `jaiph run` only (not `jaiph test`). When enabled, the entire workflow -- every rule and script step -- runs inside a single container. The container runs `jaiph run --raw <file>` using its own installed jaiph -- not the host's. The `--raw` flag makes jaiph emit `__JAIPH_EVENT__` lines to stderr without rendering a progress tree, so the host CLI can render from those events.
+Docker applies to `jaiph run` only (not `jaiph test`). Enablement is **environment-driven** (see [Enabling Docker](#enabling-docker)); there is no `jaiph run --docker` flag — the CLI decides from env before spawn. When Docker is active, the entire workflow (every rule and script step) runs inside a **single** container. The container runs `jaiph run --raw <file>` using the **image’s** installed `jaiph`, not the host binary. The `--raw` flag skips the banner and progress UI in that inner process so `__JAIPH_EVENT__` JSON lines go to **stderr** unchanged for the host CLI to parse.
+
+The container's `/jaiph/workspace` always *looks* writable to scripts but never mutates the host checkout. The CLI picks one of two sandbox primitives at launch time:
+
+- **Overlay mode** (selected when `/dev/fuse` exists on the host -- typically Linux). The host workspace is bind-mounted read-only at `/jaiph/workspace-ro`. The runtime entrypoint (`overlay-run.sh`) sets up `fuse-overlayfs` with that read-only bind as the lower layer and a tmpfs as the upper layer, merged at `/jaiph/workspace`. Writes go to the tmpfs and are discarded on container exit. Requires `/dev/fuse` in the container and the extra Linux capabilities described under [Process isolation](#threat-model) (not only `SYS_ADMIN`).
+- **Copy mode** (selected when `/dev/fuse` is missing -- typically macOS Docker Desktop, or when forced via `JAIPH_DOCKER_NO_OVERLAY=1`). Before launching the container, the CLI clones the host workspace (excluding `.jaiph/runs`) into a fresh `<runs-root>/.sandbox-<id>/` directory, then bind-mounts that clone read-write at `/jaiph/workspace`. On macOS the clone uses `cp -cR` (APFS clonefile, near-zero cost); on other platforms it falls back to `cp -pR` and emits a one-line stderr warning. The clone is removed on exit unless `JAIPH_DOCKER_KEEP_SANDBOX=1` is set. No `SYS_ADMIN`, no `/dev/fuse`, no in-container overlay script.
 
-The host workspace is mounted **read-only** to prevent bind-mount deadlocks with concurrent runners on macOS Docker Desktop. A `fuse-overlayfs` copy-on-write overlay makes the workspace appear writable inside the container -- reads come from the host mount, writes go to a tmpfs upper layer and are discarded on exit. Run artifacts are written to a separate rw mount at `/jaiph/run` (outside the overlay), so they persist to the host. If `fuse-overlayfs` is unavailable, the workspace stays read-only (no regression).
+In both modes, run artifacts are written to a separate rw mount at `/jaiph/run` (outside the workspace sandbox) so they persist to the host.
 
 ### Enabling Docker
 
-Docker sandboxing is opt-in. Set `runtime.docker_enabled = true` in a module-level `config` block:
+**Turning Docker on or off** uses environment variables only — workflow files cannot enable or disable the container (see [Enabling Docker](#enabling-docker)). **Image, network, and timeout** still come from module `config` and env overrides as in [Configuration keys](#configuration-keys). The idea is that skipping the container always requires an explicit host choice (`JAIPH_UNSAFE` / `JAIPH_DOCKER_ENABLED`), not a change committed to a `.jh` file alone.
 
-```jh
-config {
-  runtime.docker_enabled = true
-}
-```
+Docker is **on by default** for both local development and CI. To run on the host without a sandbox, set `JAIPH_UNSAFE=true`. To control Docker enablement explicitly, set `JAIPH_DOCKER_ENABLED`.
+
+> **Credential warning:** Docker sandboxing **does not isolate agent credentials**. `ANTHROPIC_*`, `CLAUDE_*`, and `CURSOR_*` env vars are forwarded into the container and the default network allows outbound access. A malicious script can read these from its environment and exfiltrate them. Set `runtime.docker_network = "none"` for workflows that should not make external calls.
+
+**Precedence (two rows, env only):**
 
-`runtime.*` keys belong only in module-level config. Placing them in a workflow-level `config` block is a parse error.
+| Check | Result |
+|-------|--------|
+| `JAIPH_DOCKER_ENABLED` is set | `"true"` enables Docker; any other value disables it |
+| Default (no explicit env) | Docker **on**, unless `JAIPH_UNSAFE=true` (Docker **off**) |
 
-The environment variable `JAIPH_DOCKER_ENABLED` overrides the in-file setting when set: only the literal string `"true"` enables Docker; any other value disables it. When unset, the in-file value (default `false`) applies.
+CI environments (`CI=true`) deliberately exercise the same sandbox path users do -- `CI=true` alone does not disable Docker.
 
-If Docker is enabled but `docker info` fails, the run exits with `E_DOCKER_NOT_FOUND` -- there is no silent fallback to local execution.
+If Docker is enabled but `docker info` fails, the run exits with `E_DOCKER_NOT_FOUND` and suggests setting `JAIPH_UNSAFE=true` as an escape hatch. There is no silent fallback to local execution.
+
+> **Migration note:** `runtime.docker_enabled` in a `.jh` config block is no longer supported and produces a parse error. Use `JAIPH_DOCKER_ENABLED` or `JAIPH_UNSAFE` in the environment instead.
 
 ### Configuration keys
 
-All Docker-related keys live under `runtime.*` in module-level config:
+**Docker on/off** is **not** a `runtime.*` key — only `JAIPH_DOCKER_ENABLED` / `JAIPH_UNSAFE` control that (see [Enabling Docker](#enabling-docker)). The keys below live under `runtime.*` in **module-level** `config` only. They are merged as **`JAIPH_DOCKER_*` environment variables > module `runtime.*` > defaults** (`resolveDockerConfig` in `src/runtime/docker.ts`).
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| `runtime.docker_enabled` | boolean | `false` | Enable Docker sandbox for the run. |
-| `runtime.docker_image` | string | `"node:20-bookworm"` | Base container image. If it lacks `jaiph`, Jaiph builds a thin derived image and installs the current package into it. |
+| `runtime.docker_image` | string | `"ghcr.io/jaiphlang/jaiph-runtime:<version>"` | Container image. Must already contain `jaiph`. Defaults to the official GHCR runtime image matching the installed jaiph version. |
 | `runtime.docker_network` | string | `"default"` | Docker network mode. |
-| `runtime.docker_timeout` | integer | `300` | Max execution time in seconds. `0` disables the timeout. |
-| `runtime.workspace` | string array | `[".:/jaiph/workspace:rw"]` | Mount specifications (see below). |
+| `runtime.docker_timeout_seconds` | integer | `3600` | Max execution time in seconds (default one hour). Must be a non-negative integer; `0` disables the timeout. Negative values produce `E_DOCKER_TIMEOUT`. |
 
-Each key is type-checked at parse time. Unknown keys produce `E_PARSE`.
+Each key is type-checked at parse time. Unknown keys produce `E_PARSE`. The workspace mount is automatic and not configurable.
 
 #### Environment variable overrides
 
-Following the `JAIPH_*` convention: `JAIPH_DOCKER_ENABLED`, `JAIPH_DOCKER_IMAGE`, `JAIPH_DOCKER_NETWORK`, `JAIPH_DOCKER_TIMEOUT`. Workspace mounts are not overridable via environment.
-
-Precedence: environment variable > in-file config > default.
+Following the `JAIPH_*` convention: `JAIPH_DOCKER_ENABLED`, `JAIPH_DOCKER_IMAGE`, `JAIPH_DOCKER_NETWORK`, `JAIPH_DOCKER_TIMEOUT`. Additionally, `JAIPH_UNSAFE=true` disables Docker by default (see [Enabling Docker](#enabling-docker)). `CI=true` does **not** affect the default — CI runs use the same sandbox path users do.
 
-If `JAIPH_DOCKER_TIMEOUT` is set but not a valid integer, the default (`300`) is used.
+Precedence for **enablement** only: `JAIPH_DOCKER_ENABLED` env > unsafe default rule (see table above). Image, network, and timeout use the env > in-file > default merge described in this section.
 
-### Mount specifications
+If `JAIPH_DOCKER_TIMEOUT` is set but not a valid non-negative integer, the run exits with `E_DOCKER_TIMEOUT`.
 
-Mount strings in `runtime.workspace` define which host paths are visible inside the container. All mounts are **forced to read-only** regardless of the specified mode to prevent bind-mount deadlocks on macOS Docker Desktop. The overlay wrapper makes the workspace writable via fuse-overlayfs.
+### Workspace mount
 
-| Form | Segments | Example | Result |
-|------|----------|---------|--------|
-| Full | 3 | `".:/jaiph/workspace:rw"` | Mount `.` at `/jaiph/workspace` and `/jaiph/workspace-ro` (both read-only; overlay makes workspace writable) |
-| Shorthand | 2 | `"config:ro"` | Mount `config` at `/jaiph/workspace/config` and `/jaiph/workspace-ro/config` (read-only) |
-| Too few | 1 | `"data"` | `E_PARSE` |
-| Too many | 4+ | `"a:b:c:d"` | `E_PARSE` |
+The workspace mount is automatic and not configurable. The workspace root is always bound into the container — in overlay mode at `/jaiph/workspace-ro` (read-only, with fuse-overlayfs merged at `/jaiph/workspace`), and in copy mode the host-side clone is mounted read-write at `/jaiph/workspace`. There are no user-controlled extra mounts.
 
-Mode must be `ro` or `rw` (otherwise `E_PARSE`). Exactly one mount must target `/jaiph/workspace` -- zero or more than one produces `E_VALIDATE`. The default `[".:/jaiph/workspace:rw"]` satisfies this requirement.
+The workspace root is validated before launch. The following host paths are rejected with `E_VALIDATE_MOUNT`:
 
-Host paths are resolved relative to the workspace root. Each mount is duplicated at the overlay lower-layer path (`/jaiph/workspace-ro/...`) so the overlay wrapper can use it as the read-only source.
+- `/` (host root filesystem)
+- `/var/run/docker.sock`, `/run/docker.sock` (Docker daemon socket)
+- `/proc`, `/sys`, `/dev` (OS internals, including subpaths like `/proc/1/root`)
 
 ### Container layout
 
+Overlay mode:
+
 ```
 /jaiph/
   workspace-ro/       # read-only bind mount of host workspace (overlay lower layer)
   workspace/          # fuse-overlayfs merged view (reads from -ro, writes to tmpfs)
     *.jh              # source files
     .jaiph/           # project config
-  run/                # writable bind mount for this run's artifacts (host temp dir)
-  overlay-run.sh      # runtime-generated entrypoint mounted ro from host temp file
+  run/                # writable bind mount for this run's artifacts (host runs root)
+  overlay-run.sh      # entrypoint script (from runtime/overlay-run.sh) mounted ro from host temp file
 ```
 
-The working directory is `/jaiph/workspace`. The host CLI generates `overlay-run.sh` (a ~10 line bash script) to a temp file and mounts it read-only at `/jaiph/overlay-run.sh`. The container runs `/jaiph/overlay-run.sh jaiph run --raw <file>`. The overlay wrapper sets up fuse-overlayfs, then execs the jaiph command. When the selected image does not already contain `jaiph`, the host first builds a thin derived image from that base and installs the current Jaiph package into it, so the runtime path stays generic. No `COPY` in the project Dockerfile is needed -- `overlay-run.sh` is a jaiph runtime artifact.
+Copy mode:
+
+```
+/jaiph/
+  workspace/          # rw bind mount of <runs-root>/.sandbox-<id>/ on the host
+    *.jh              # cloned source files (writes are local to the clone)
+    .jaiph/           # cloned config (.jaiph/runs is excluded from the clone)
+  run/                # writable bind mount for this run's artifacts (host runs root)
+```
+
+The working directory is `/jaiph/workspace`. In overlay mode the host CLI writes `overlay-run.sh` (shipped as `runtime/overlay-run.sh` in the npm package) to a temp file and mounts it read-only at `/jaiph/overlay-run.sh`; the container runs `/jaiph/overlay-run.sh jaiph run --raw <file>`. In copy mode the container runs `jaiph run --raw <file>` directly -- no entrypoint script. The image must already contain `jaiph` — Jaiph does not install itself into the container at runtime.
 
 ### Runtime behavior
 
-**Container lifecycle** -- `docker run --rm` launches the container and auto-removes it on exit. `--device /dev/fuse` exposes the FUSE device for the overlay. The pseudo-TTY flag (`-t`) is intentionally omitted: Docker's `-t` merges stderr into stdout, which would break the `__JAIPH_EVENT__` stderr-only live contract. On Linux, `--user <uid>:<gid>` maps the container user to the host user.
+**Container lifecycle** -- `docker run --rm` launches the container and auto-removes it on exit. `--cap-drop ALL` drops all Linux capabilities; overlay mode re-adds the capability set listed under [Process isolation](#threat-model) (not copy mode). `--security-opt no-new-privileges` is always set. The pseudo-TTY flag (`-t`) is intentionally omitted: Docker's `-t` merges stderr into stdout, which would break the `__JAIPH_EVENT__` stderr-only live contract.
+
+**Signal-safe cleanup** -- When the CLI receives SIGINT (Ctrl-C) or SIGTERM during a Docker run, `cleanupDocker` is called before the process exits. This removes the copy-mode sandbox directory (`<runs-root>/.sandbox-<id>/`) and clears any timeout timer, preventing stale workspace clones from accumulating after interrupted runs. A `process.on("exit")` guard provides a final safety net: if the normal exit path has not already cleaned up, the guard calls `cleanupDocker` synchronously. A `cleaned` flag on `DockerSpawnResult` ensures cleanup runs at most once — there are no double-`rmSync` warnings regardless of which path fires first. SIGKILL cannot be caught and is not handled; a startup-time sweep of stale sandbox directories is out of scope.
+
+**UID/GID handling on Linux:**
+
+- **Copy mode** -- the container runs directly as `--user <host_uid>:<host_gid>` so writes to the cloned workspace and `/jaiph/run` land owned by the host user.
+- **Overlay mode** -- the container is started as `--user 0:0` so `fuse-overlayfs` can mount. The host UID/GID are forwarded as `JAIPH_HOST_UID` / `JAIPH_HOST_GID`; `overlay-run.sh` **`chown`s the run mount** (best effort) and then **`exec`s `jaiph run` under `setpriv`** to reuid/regid to the host user when `setpriv` is available. If `setpriv` is missing, the workflow may continue as UID 0 inside the container — use an image that includes `setpriv` (the official runtime does) for the intended behavior.
+
+On **Linux**, if the host UID/GID cannot be determined (`process.getuid()` / `process.getgid()` and `id -u` / `id -g` both fail), `buildDockerArgs` throws `E_DOCKER_UID` and the run exits before the container is launched. This prevents overlay or copy mode from starting without a usable `--user` mapping. On **macOS** Docker Desktop the VM transparently translates UIDs across the bind-mount boundary, so the CLI does not apply Linux-style `--user` overrides and this check does not run.
 
 **stdin** -- The `docker run` process is spawned with stdin set to `ignore` to prevent the Docker CLI from blocking on stdin EOF.
 
 **Events** -- The container's jaiph runs in `--raw` mode: it spawns the runtime with inherited stdio, so `__JAIPH_EVENT__` JSON flows directly to the container's stderr. The host CLI reads Docker's stderr pipe and renders the progress tree. stdout carries plain script output. `STEP_END` events embed `out_content` (and `err_content` on failure) so consumers do not need host paths to step artifact files.
 
-**Overlay** -- The `overlay-run.sh` wrapper (generated by the host CLI and mounted read-only) sets up `fuse-overlayfs` with the ro bind mount (`/jaiph/workspace-ro`) as the lower layer and a tmpfs as the upper layer, merged at `/jaiph/workspace`. All workspace writes go to the tmpfs and are discarded on container exit. If fuse-overlayfs is unavailable (e.g. the image doesn't include it), the overlay step is skipped and the workspace remains read-only.
+**Sandbox primitive (overlay vs. copy)** -- Selected at launch time. If `/dev/fuse` exists on the host, the CLI uses **overlay mode**: the `overlay-run.sh` wrapper (shipped as `runtime/overlay-run.sh`, written to a temp file and mounted read-only) sets up `fuse-overlayfs` with the ro bind mount (`/jaiph/workspace-ro`) as the lower layer and a tmpfs as the upper layer, merged at `/jaiph/workspace`. All workspace writes go to the tmpfs and are discarded on container exit. On Linux hosts, the overlay container is also launched with `--security-opt apparmor=unconfined` because the default Docker AppArmor profile (active on Ubuntu 22.04+, GitHub Actions runners, and similar) denies fuse mounts even when `SYS_ADMIN` and `/dev/fuse` are present. If `fuse-overlayfs` is missing from the image or the mount still fails at runtime, the entrypoint exits with `E_DOCKER_OVERLAY` -- there is no in-container fallback. Set `JAIPH_DOCKER_NO_OVERLAY=1` on the host to opt into copy mode instead. Custom images used in overlay mode must ensure `/jaiph/workspace` is mountable by root (the official image keeps this path root-owned).
+
+If `/dev/fuse` is missing on the host, the CLI uses **copy mode**: before launching the container it clones the workspace into `<runs-root>/.sandbox-<id>/` (excluding `.jaiph/runs`) using `cp -cR` on macOS (APFS clonefile, O(1) per file) or `cp -pR` elsewhere (a real copy; a single stderr warning is printed when the fast path is unavailable). The clone is bind-mounted rw at `/jaiph/workspace`. After the container exits — whether normally, via signal (SIGINT/SIGTERM), or due to an uncaught error — the clone is removed unless `JAIPH_DOCKER_KEEP_SANDBOX=1` is set, in which case the path is left in place for debugging.
 
 **Run artifacts** -- The host CLI mounts the resolved host runs root at `/jaiph/run:rw` inside the container. By default this is `.jaiph/runs` under the workspace; a relative `JAIPH_RUNS_DIR` is resolved under the workspace; an absolute `JAIPH_RUNS_DIR` must stay within the workspace or the run fails with `E_DOCKER_RUNS_DIR`. `JAIPH_RUNS_DIR` is set to `/jaiph/run` inside the container, so the runtime writes artifacts directly into the requested host path.
 
-**Network** -- `"default"` omits `--network` (Docker's default bridge). `"none"` passes `--network none`. Any other value is passed through as-is.
+**Path remapping** {#path-remapping} -- Inside the container, the runtime records artifact paths relative to `/jaiph/run` (e.g. `/jaiph/run/2026-04-21/07-55-32-say_hello.jh/000003-script__validate_name.err`). These container-internal paths do not exist on the host. After the container exits, the host CLI remaps every container path that starts with `/jaiph/run/` to the corresponding path under the bind-mounted host runs directory (the `sandboxRunDir`). This ensures the failure footer (`Logs:`, `Summary:`, `out:`, `err:`) printed to stderr shows valid **host** paths that can be opened directly. The `run_summary.jsonl` file also records container-internal `out_file` / `err_file` values; the CLI applies the same remapping when reading these fields to locate artifact content for the "Output of failed step" excerpt. When the container meta file is inaccessible from the host (which is typical in Docker mode), the CLI discovers the run directory by scanning the bind-mounted runs directory for a `run_summary.jsonl` whose `WORKFLOW_START` event matches the expected `JAIPH_RUN_ID`. This run-id stamping ensures that concurrent `jaiph run` invocations sharing the same `JAIPH_RUNS_DIR` each report their own run directory, not a sibling's. The net effect is that Docker and no-sandbox runs produce identical failure footers — same structure, same host-resolvable paths, same step output excerpt.
+
+**Workspace immutability contract** -- Docker runs cannot directly modify the host workspace. In overlay mode the host checkout is bind-mounted read-only and writes land in a tmpfs upper layer that is discarded on container exit. In copy mode the container writes to a separate host-side clone of the workspace (`<runs-root>/.sandbox-<id>/`), which is removed on container exit unless explicitly kept for debugging. In both modes the only persistence channel from a Docker run to the host is the run-artifacts directory (`/jaiph/run` → host `.jaiph/runs`). Non-Docker (local) runs are unaffected by this contract.
+
+**Workspace patch export** -- To capture workspace changes as a patch, run `git diff` (or your own exporter) inside the workflow, write the result to a file under the workspace, then call `artifacts.save(local_path, name)` so the patch lands in the run’s `artifacts/` tree on the host. Callers choose when and what to record. The published GHCR runtime image includes `git` if you use it from a script step. See [Libraries — `jaiphlang/artifacts`](libraries.md#jaiphlangartifacts--publishing-files-out-of-the-sandbox).
+
+**Network** -- `"default"` omits `--network`, which uses Docker's default bridge network (outbound access allowed). `"none"` passes `--network none` and fully disables networking -- use this for workflows that should not make external calls. Any other value (e.g. a custom Docker network name) is passed through as-is. Set `runtime.docker_network` in config or `JAIPH_DOCKER_NETWORK` in the environment.
+
+**Timeout** -- When the effective timeout (from `JAIPH_DOCKER_TIMEOUT` or `runtime.docker_timeout_seconds`, after the merge in [Configuration keys](#configuration-keys)) is greater than zero, the CLI arms a timer on the spawned `docker` child; on overrun it sends `SIGTERM`, then `SIGKILL` after a 5-second grace period. The failure message includes `E_TIMEOUT container execution exceeded timeout`. `0` disables the timer.
+
+**Image pre-pull** -- Image preparation (`prepareImage`) runs **before** the CLI banner so Docker's pull overhead does not interleave with the progress tree. If the image is not present locally, a single `pulling image <name>…` status line is written to stderr, then `docker pull --quiet` runs (Docker's native layer progress is suppressed). Pull failure produces `E_DOCKER_PULL`. After the pull (or if the image was already local), `verifyImageHasJaiph` confirms the image contains `jaiph`. The banner and progress tree only begin after image preparation completes.
+
+### Failure modes
+
+Docker-related errors use `E_DOCKER_*` codes for programmatic detection:
+
+| Error code | Trigger | Behavior |
+|------------|---------|----------|
+| `E_DOCKER_NOT_FOUND` | `docker info` fails (Docker not installed or daemon not running) | Run exits immediately. No fallback to local execution. |
+| `E_DOCKER_PULL` | `docker pull` fails (network error, image not found, auth failure) | Run exits. Check registry access and image name. |
+| `E_DOCKER_NO_JAIPH` | Selected image does not contain a `jaiph` CLI | Run exits with guidance to use the official image or install jaiph. |
+| `E_DOCKER_RUNS_DIR` | Absolute `JAIPH_RUNS_DIR` points outside the workspace | Run exits. Use a relative path or an absolute path within the workspace. |
+| `E_DOCKER_OVERLAY` | Overlay mode selected but `fuse-overlayfs` is missing from the image or the mount fails inside the container | Container exits with code 78. Use the official runtime image, install `fuse-overlayfs` in your custom image, or set `JAIPH_DOCKER_NO_OVERLAY=1` on the host to switch to copy mode. The CLI already passes `--security-opt apparmor=unconfined` on Linux to defeat the default AppArmor fuse-deny; remaining failures usually mean the host kernel itself blocks fuse mounts (rootless docker without the right user-namespace setup, locked-down kernel, etc.). |
+| `E_DOCKER_TIMEOUT` | `JAIPH_DOCKER_TIMEOUT` or `runtime.docker_timeout_seconds` is not a valid non-negative integer | Run exits before container launch. Value must be a non-negative integer; `0` disables the timeout. |
+| `E_DOCKER_UID` | Linux host UID/GID detection failed (`process.getuid` and `id -u` both unavailable) | Run exits before container launch. Ensures the container never silently runs as root. Applies to both copy and overlay modes. |
+| `E_DOCKER_SANDBOX_COPY` | Copy mode failed to clone the host workspace (`cp` returned non-zero) | Run exits before container launch. Inspect the path printed in the error. |
+| `E_VALIDATE_MOUNT` | Mount targets a denied host path (`/`, `/proc`, docker socket, etc.) | Run exits before container launch. |
+| `E_TIMEOUT` | Container exceeds `runtime.docker_timeout_seconds` seconds | Container receives SIGTERM, then SIGKILL after 5s grace period. |
+
+All failures are deterministic and produce non-zero exit codes. There is no silent fallback from Docker to local execution.
 
-**Timeout** -- When `runtime.docker_timeout` is greater than zero, the CLI sends `SIGTERM` to the container process on overrun, followed by `SIGKILL` after a 5-second grace period. The failure message includes `E_TIMEOUT container execution exceeded timeout`.
+### Image contract
 
-**Image pull** -- If the image is not present locally, `docker pull` runs automatically. Pull failure produces `E_DOCKER_PULL`.
+**Every Docker image used by Jaiph must already contain a working `jaiph` CLI.** Jaiph does not auto-install itself into containers at runtime — no derived image builds, no `npm pack` bootstrap. If the selected image lacks `jaiph`, the run fails immediately with `E_DOCKER_NO_JAIPH` and guidance to use the official image or install jaiph in a custom image.
 
-### Dockerfile-based image detection
+### Official runtime image
 
-The runtime considers the image explicitly configured when either `runtime.docker_image` appears in the file or `JAIPH_DOCKER_IMAGE` is set in the environment. In that case, `.jaiph/Dockerfile` is not consulted.
+Jaiph publishes official runtime images to GHCR:
 
-When the image is not explicit:
+| Tag | Built from | Use case |
+|-----|-----------|----------|
+| `ghcr.io/jaiphlang/jaiph-runtime:<semver>` | Release tags (`v*`) | Production / pinned versions |
+| `ghcr.io/jaiphlang/jaiph-runtime:nightly` | `nightly` branch | Contributors and CI |
+| `ghcr.io/jaiphlang/jaiph-runtime:latest` | Latest release tag | Convenience alias |
 
-1. If `.jaiph/Dockerfile` exists in the workspace root, the runtime builds it, tags the result `jaiph-runtime:latest`, and uses that image. Build failure produces `E_DOCKER_BUILD`.
-2. Otherwise, the default image (`node:20-bookworm`) is pulled if needed.
+The default `runtime.docker_image` is `ghcr.io/jaiphlang/jaiph-runtime:<version>` where `<version>` matches the installed jaiph package version. Published tags (`:<semver>`, `:nightly`, `:latest`) are built from the `runtime/Dockerfile` in the jaiph repository (see the `docker-publish` job in `.github/workflows/ci.yml`). The image includes Node.js, jaiph, `fuse-overlayfs`, agent CLIs where that Dockerfile installs them, and a non-root `jaiph` user (UID 10001).
 
-If the selected base image does not already contain `jaiph`, Jaiph builds a thin derived runtime image from it and installs the current local package with `npm install -g`, then runs the workflow in that derived image.
+### Custom images and `jaiph run`
 
-The repository's example `.jaiph/Dockerfile` includes `ubuntu:latest` as a base, Node.js LTS from NodeSource, `fuse-overlayfs`, Claude Code CLI, cursor-agent, and jaiph (installed via the official installer). The image creates a non-root `jaiph` user (UID 10001) and sets `USER jaiph`. Including `fuse-overlayfs` and `jaiph` in the image is still the best path for full sandbox parity and faster startup, but Jaiph can also auto-build a thin derived runtime image when the base image lacks `jaiph`. The Dockerfile does not need to copy any jaiph runtime files -- `overlay-run.sh` is generated by the host CLI and mounted into the container at runtime.
+`jaiph run` **always** uses the configured image (`runtime.docker_image`, `JAIPH_DOCKER_IMAGE`, or the default GHCR tag above). It does not run `docker build` for you. Build and publish (or `docker build` + `docker tag`) your own image, then set `runtime.docker_image` / `JAIPH_DOCKER_IMAGE`.
+
+After the image is pulled or found locally, Jaiph verifies that `jaiph` is available inside the container. If the check fails, the run exits with `E_DOCKER_NO_JAIPH`.
+
+`overlay-run.sh` is shipped as `runtime/overlay-run.sh` in the npm package; the host CLI writes it to a temp file and mounts it into the container at runtime.
+
+### Extending the official image
+
+To add project-specific tools or agent CLIs, extend the published image in your own Dockerfile (build locally or in CI), then point `runtime.docker_image` at the result:
+
+```dockerfile
+FROM ghcr.io/jaiphlang/jaiph-runtime:nightly
+
+USER root
+RUN npm install -g @anthropic-ai/claude-code
+USER jaiph
+
+# Add project-specific package managers/build tools below.
+```
 
 ### Environment variable forwarding
 
-All `JAIPH_*` variables from the host are forwarded into the container, **except** `JAIPH_DOCKER_*` variables (excluded to prevent nested Docker execution). `JAIPH_WORKSPACE` is overridden to `/jaiph/workspace` and `JAIPH_RUNS_DIR` is overridden to `/jaiph/run`. The following prefixes are also forwarded for agent authentication:
+Environment variable forwarding uses an explicit allowlist; everything else is dropped. Only variables matching the following prefixes are forwarded into the container:
 
-- `CURSOR_*`
+- `JAIPH_*` (except `JAIPH_DOCKER_*`, excluded to prevent nested Docker execution)
 - `ANTHROPIC_*`
+- `CURSOR_*`
 - `CLAUDE_*`
 
+`JAIPH_WORKSPACE` is overridden to `/jaiph/workspace` and `JAIPH_RUNS_DIR` is overridden to `/jaiph/run`. `JAIPH_RUN_ID` is forwarded into the container so the runtime reuses the host-generated run identifier instead of creating its own — this ties the container's `run_summary.jsonl` back to the host CLI invocation and prevents concurrent-run misidentification during run-directory discovery.
+
+This allowlist is enforced in `buildDockerArgs` and cannot be overridden. Any variable not matching the allowlist -- including cloud credentials (`AWS_*`, `GCP_*`, etc.), authentication sockets (`SSH_*`), registry tokens (`NPM_TOKEN`, `GITHUB_TOKEN`, `PYPI_*`, `CARGO_*`), and all other host environment -- is silently dropped. If a workflow needs external credentials inside the container, pass them explicitly through `JAIPH_*`-prefixed variables or use a credential proxy.
+
 ### Example
 
-A workflow with Docker sandboxing enabled and an extra read-only mount for a `config` directory (using the shorthand form):
+A workflow with a custom Docker timeout (Docker is on by default):
 
 ```jh
 config {
-  runtime.docker_enabled = true
-  runtime.docker_timeout = 600
-  runtime.workspace = [
-    ".:/jaiph/workspace:rw",
-    "config:ro"
-  ]
+  runtime.docker_timeout_seconds = 600
 }
 
 workflow default() {
diff --git a/docs/setup.md b/docs/setup.md
index d0c3221b..2a382b74 100644
--- a/docs/setup.md
+++ b/docs/setup.md
@@ -7,7 +7,9 @@ redirect_from:
 
 # Setup
 
-Install Jaiph, try it without a full checkout, run workflows, and scaffold a project workspace.
+This page is about **getting the Jaiph CLI on your machine** and **turning a directory into a Jaiph-friendly workspace**: install paths, a one-liner “try it” flow, how `jaiph run` wires arguments into workflows, formatting and artifacts, and what `jaiph init` drops into `.jaiph/`.
+
+For how the CLI, transpiler, and Node runtime fit together (including `JAIPH_WORKSPACE` and the detached runner), see [Architecture](architecture.md).
 
 ## Install
 
@@ -29,13 +31,15 @@ jaiph --version
 
 If the command is not found, ensure `~/.local/bin` (installer) or the npm global bin directory is in your `PATH`.
 
-Switch versions at any time:
+Switch versions at any time (re-runs the install script with a Git ref: `nightly` or `v<version>` such as `v0.9.3` when you pass `0.9.3`):
 
 ```bash
 jaiph use nightly
-jaiph use 0.9.2
+jaiph use 0.9.3
 ```
 
+The default install command is `curl -fsSL https://jaiph.org/install | bash`. Override it with `JAIPH_INSTALL_COMMAND` if you need a fork, air-gapped bundle, or local script.
+
 ## Quick try
 
 Run a sample workflow without installing first:
@@ -48,13 +52,13 @@ workflow default() {
 }'
 ```
 
-The script installs Jaiph automatically if it is not already on your `PATH`. Requires `node` and `curl`.
+The script installs Jaiph automatically if it is not already on your `PATH`. Requires `node` and `curl`. For local docs or CI without hitting production URLs, the same script honors `JAIPH_SITE` (see header comments in the repo’s [`docs/run`](https://github.com/jaiphlang/jaiph/blob/main/docs/run) file).
 
 For more runnable samples (inbox, async, testing, ensure/catch), see the [`examples/`](https://github.com/jaiphlang/jaiph/tree/main/examples) directory.
 
 ## Running a workflow
 
-Jaiph workflows are `.jh` files. Every workflow file needs a `workflow default` as its entry point. Run it directly (with a shebang) or through the CLI:
+Jaiph workflows are `.jh` files. `jaiph run` loads a single file as the entry module and requires a workflow named **`default`** (`workflow default(...) { ... }`). Run it directly (executable file with a `#!/usr/bin/env jaiph` shebang) or through the CLI:
 
 ```bash
 ./path/to/main.jh "feature request or task"
@@ -62,7 +66,7 @@ Jaiph workflows are `.jh` files. Every workflow file needs a `workflow default`
 jaiph run ./path/to/main.jh "feature request or task"
 ```
 
-Arguments are bound to **named parameters** declared on the default workflow (e.g. `workflow default(task)` → `${task}`). In script bodies, standard shell positional parameters apply (`$1`, `$2`, `"$@"`).
+Arguments after the `.jh` path are bound **by position** to the named parameters of `workflow default` (for example `workflow default(task)` → `${task}` in the body; see [Language — Parameters and arguments](language.md#parameters-and-arguments)). The CLI sets `JAIPH_WORKSPACE` to the detected workspace root (walk upward from the directory containing the entry `.jh` file, looking for `.jaiph` / `.git` markers; see [Architecture](architecture.md)); managed **script** steps receive `$1`, `$2`, … only for arguments passed at the corresponding `run` step, not automatically from the CLI unless the workflow forwards them (see [Language — `run`](language.md#run--execute-a-workflow-or-script)).
 
 ### Run artifacts
 
@@ -74,7 +78,7 @@ Enforce consistent style across `.jh` files:
 
 ```bash
 jaiph format flow.jh           # rewrite in place
-jaiph format --check *.jh      # CI-safe: exits 1 when changes needed
+jaiph format --check *.jh      # CI-safe: exits 1 when changes needed; *.test.jh matches too (suffix .jh)
 jaiph format --indent 4 flow.jh
 ```
 
@@ -85,15 +89,15 @@ See [CLI — `jaiph format`](cli.md#jaiph-format) for all options.
 ### Initialize with `jaiph init`
 
 ```bash
-jaiph init
+jaiph init              # current directory (default)
+jaiph init path/to/repo # explicit workspace root
 ```
 
-This creates a `.jaiph/` directory in your project root with:
+This creates a `.jaiph/` directory under the chosen root with:
 
 - `.jaiph/.gitignore` — ignores ephemeral `runs/` and `tmp/` under `.jaiph/` (workflows and libraries stay tracked)
-- `.jaiph/bootstrap.jh` — an interactive workflow that asks an agent to scaffold recommended workflows for your project. The generated template uses a triple-quoted multiline prompt (`prompt """ ... """`), explicitly asks the agent to review/update `.jaiph/Dockerfile` for this repository's sandbox needs, and logs a final summary of what changed and why
-- `.jaiph/Dockerfile` — generated project sandbox image template (`ubuntu:latest`, common utilities, Node.js LTS, Claude Code CLI, cursor-agent). It installs Jaiph with the default installer path: `curl -fsSL https://jaiph.org/install | bash`
-- `.jaiph/SKILL.md` — the agent skill file for AI assistants authoring `.jh` workflows (from your Jaiph installation, or `JAIPH_SKILL_PATH`)
+- `.jaiph/bootstrap.jh` — an interactive workflow that asks an agent to scaffold recommended workflows for your project. The generated template uses a triple-quoted multiline prompt (`prompt """ ... """`) and logs the bootstrap summary (`log` of the prompt result).
+- `.jaiph/SKILL.md` — copied from the skill file resolved at init time: if `JAIPH_SKILL_PATH` points at an existing file, that wins; otherwise the CLI searches paths next to the installed package and typical checkout layouts (including `./docs/jaiph-skill.md` when your cwd is the repo root). If none is found, init skips the file and tells you to set `JAIPH_SKILL_PATH` and run again.
 
 Run the bootstrap workflow to get started:
 
@@ -103,4 +107,4 @@ Run the bootstrap workflow to get started:
 
 ### Workspace convention
 
-By convention, keep Jaiph workflow files in `<project_root>/.jaiph/` so workspace-root detection and agent setup stay predictable. Jaiph resolves `JAIPH_WORKSPACE` to the project root. Reusable `.jh` modules installed with `jaiph install` live under `.jaiph/libs/` (see [Libraries](libraries.md)).
+By convention, keep Jaiph workflow files in `<project_root>/.jaiph/` so workspace-root detection and agent setup stay predictable. The CLI exports `JAIPH_WORKSPACE` to that detected root when it launches the workflow runner (same root the validator uses for `.jaiph/libs/` imports). Reusable `.jh` modules installed with `jaiph install` live under `.jaiph/libs/` (see [Libraries](libraries.md)). Optional Docker sandboxes use a separate mount contract; see [Sandboxing](sandboxing.md) for how `jaiph run` selects container vs host execution.
diff --git a/docs/spec-async-handles.md b/docs/spec-async-handles.md
new file mode 100644
index 00000000..905f9482
--- /dev/null
+++ b/docs/spec-async-handles.md
@@ -0,0 +1,128 @@
+---
+title: "Spec: Async Handles"
+permalink: /spec-async-handles
+redirect_from:
+  - /spec-async-handles.md
+---
+
+# Async Handles — `Handle<T>` Value Model
+
+## Context
+
+Pipelines often wait on work that could overlap: several scripts or workflows are independent, and the author wants the **main sequence** to move on while that work runs. A generic way to do that in Jaiph is **`run async`**: start the callee in parallel, get a value you can read later, and let the runtime guarantee nothing is left dangling when the current **step list** returns.
+
+**This page** is the value model: what `Handle<T>` means, when it becomes a real string, and how `recover` / `catch` and progress reporting interact. Syntax and step forms live in the [Language — `run async`](language.md#run-async--concurrent-execution-with-handles) and [Grammar — `run async`](grammar.md#run-async--concurrent-execution-with-handles) sections. For system layout (AST interpreter, events, `async_indices` on the CLI), see [Architecture](architecture.md).
+
+**Implementation fact:** The behavior is implemented in **`NodeWorkflowRuntime`** — a handle is a tracked in-flight `run` result, joined at the [step list boundary](#implicit-join) that registered it. That is the same in-process runtime as in [Architecture — System overview](architecture.md#system-overview); there is no second execution engine for async work.
+
+## Overview
+
+`run async ref(args)` schedules the same **`run` target** (workflow or script) **without blocking** the current step list. The expression’s value is a **handle**—conceptually `Handle<T>` where `T` is what a synchronous `run` would have produced (return value of a workflow, or trimmed stdout of a script). The handle is materialized in the variable map as an **opaque** string; the first **non-passthrough** use that needs the real value **awaits** the in-flight work and then **replaces** the variable with the resolved string for later reads.
+
+## Handle creation
+
+```jaiph
+workflow default() {
+  const h = run async foo()
+  run async bar()
+}
+```
+
+- `const h = run async foo()` — `h` holds a handle. Work for `foo()` starts immediately; later steps can run in parallel.
+- `run async bar()` — a handle is still created and **tracked** for [implicit join](#implicit-join) even if you do not store it in a variable.
+
+This is not “fire and forget” in a scheduler sense: the runtime **registers** every `run async`, captured or not, and still **joins** it when the [scope below](#implicit-join) allows.
+
+## Resolution
+
+A handle resolves to the `run` result: workflow **`return`**, or **trimmed script stdout** on success; on failure, resolution carries the same failure shape as a synchronous `run` (and can fail the block or the join, depending on where resolution happens). Resolution is triggered on the first **non-passthrough** read of the value.
+
+### Reads that force resolution
+
+| Access pattern | Example | Forces resolution? |
+| --- | --- | --- |
+| String / template interpolation (including `log` / `fail` / `return` messages) | `log "result: ${h}"` | Yes |
+| `run` (or `ensure`) argument strings that use `${var}` | `run downstream("${h}")` | Yes — handles in `${…}` are resolved when args are built |
+| `if` subject | `if h == "ok" { ... }` | Yes — subject is read after handle handling |
+| `match` subject | `match h { ... }` | Yes |
+| Send with a `${var}` payload (or a quoted string containing it) | `findings <- ${h}` | Yes — `${name}` in the RHS is scanned to resolve handles (`findings` is the channel name) |
+
+**Send RHS:** use `${var}` in the `channel <- …` payload (or a quoted string containing `${var}`). Resolution follows the same `${...}`-based path as in other steps; a bare shell-style `$name` in the `var` RHS is not a substitute for `${name}` in the current runtime.
+
+### Passthrough (does not force resolution)
+
+Only the **binding step** that starts the async work is non-blocking:
+
+| Access pattern | Example | Forces resolution? |
+| --- | --- | --- |
+| Initial handle capture | `const h = run async foo()` | No — stores the handle token; the `run async` has already been scheduled |
+
+Every later use of `h` that goes through the **read** paths in the table above (or any place the runtime must treat `h` as a real string) forces resolution, including the first `${h}` in a `const`, `log`, or `return` string.
+
+After resolution, the variable **holds the string value**; further reads are ordinary string reads (no re-`run`).
+
+## Implicit join
+
+When the **step list** you are in finishes, the runtime **awaits every `run async` handle** that was still registered in that list’s scope. That is the “implicit join”: it is tied to the **`executeSteps` scope** for that block, not only to the outer name of a workflow. For example, handles created only inside an `if` (or a similar inner body) are joined at the end of that **inner** list, before the next line after the `if` runs. Entry workflows [drain the inbox](inbox.md#who-registers-routes-and-who-drains) when their step list ends (and after that join).
+
+- If all joined work succeeds, the outer step list continues or the workflow **returns** normally.
+- If any handle finishes with a **non-zero** `run` status, the block fails (or join reports an aggregate error) with a message that references the `run async` **ref** string(s) involved.
+
+This matches the pre-handle model where all async work was effectively awaited before the workflow could complete, but allows overlapping steps **until** a read or a scope boundary forces ordering.
+
+## `recover` and `catch`
+
+### `recover` (retry loop)
+
+`recover` on `run async` mirrors non-async `recover`: on failure, run the **repair** body, then **retry** the `run` target, up to the [recover limit](#retry-limit). The async branch is scheduled once as a **single** promise; retries happen **inside** that branch.
+
+```jaiph
+const b1 = run async foo() recover(err) {
+  log "repairing: ${err}"
+  run fix_it()
+}
+```
+
+1. The async path runs `foo()`.
+2. If `foo()` succeeds, the handle resolves to that success value.
+3. If it fails, `err` is the merged **stdout+stderr** of the failure, and the `recover` body runs.
+4. If the `recover` body **succeeds** (status 0 and no `return` from the repair), `foo()` is run again.
+5. Steps 3–4 repeat until `foo()` succeeds or the [recover limit](#retry-limit) is exhausted; then the handle result reflects the final **failure** (or last attempt), like synchronous `recover`.
+
+### `catch` (single-shot, surface keyword `catch`)
+
+Use `catch` for a **one-time** error handler: if `foo()` fails, the `catch` body runs **once**; there is no automatic retry of `foo()`.
+
+```jaiph
+run async foo() catch(err) {
+  log "caught: ${err}"
+}
+```
+
+The `catch` keyword is the user-facing name; the same failure-binding pattern applies as for synchronous `run … catch` (see [Language — `catch`](language.md#catch--failure-recovery) and the `run … catch` section in [Grammar](grammar.md)).
+
+### Retry limit
+
+- **Default limit:** **10** when the module’s metadata does not set `run.recover_limit`.
+- **Config:** **`run.recover_limit = N` in the file’s top-level `config { }`**. The runtime currently reads this from the **module** (the `.jh` file’s `config` block), not from a per-workflow `config` nested inside a workflow body.
+
+## Progress and events
+
+Async work uses the same **subscripted branch** model as before: each nested or concurrent `run async` level has a 1-based index chain (`async_indices` on step/log events; see [Architecture — CLI progress reporting pipeline](architecture.md#cli-progress-reporting-pipeline)). The CLI’s progress tree indents and labels those branches; resolving a handle does not add a separate “resolution” event beyond the branch’s own step/log events.
+
+A PTY-based E2E test exercises TTY output for two concurrent async branches: `e2e/tests/131_tty_async_progress.sh` (summary in [Testing — PTY-based TTY tests](testing.md#pty-based-tty-tests)).
+
+## Constraints
+
+- **`run async`** is only allowed in **workflows** — not in **rules** (the validator enforces this).
+- **`run async`** is **not** supported for **inline scripts** (`` `body`(args) ``, ` ```…``` `, or similar).
+- A **`run async`** call must be a **normal reference with parentheses**: `run async name()` or `run async name(args)` — not a bare name.
+- There is **no `await` keyword**; you either **read** the value (triggers resolution) or hit a **join** at the [step-list boundary](#implicit-join).
+- “Uncaptured” `run async` still **joins**; there is no opt-out to skip waiting at scope end.
+
+### Relationship to the rest of the system
+
+- **Local / Docker / tests** — the same [Node workflow runtime](architecture.md#core-components) runs `run async` everywhere; Docker and `jaiph test` do not use a different handle implementation.
+- **Script extraction** is unchanged: only script **bodies** are materialized for `JAIPH_SCRIPTS`; `run async` remains orchestration, not a new artifact type (see [Architecture](architecture.md#emit-artifacts)).
+
+If this spec and `src/runtime/kernel/node-workflow-runtime.ts` disagree, the source is authoritative; keep [Grammar](grammar.md#run-async--concurrent-execution-with-handles) and [Language](language.md#run-async--concurrent-execution-with-handles) aligned when you change behavior.
diff --git a/docs/testing.md b/docs/testing.md
index 474aa9a9..73b70921 100644
--- a/docs/testing.md
+++ b/docs/testing.md
@@ -7,9 +7,9 @@ redirect_from:
 
 # Testing Jaiph Workflows
 
-Jaiph includes a built-in test harness for workflow testing. Test files (`*.test.jh`) let you mock prompt responses, stub workflows, rules, and scripts, run workflows through the same Node runtime used by `jaiph run`, and assert on captured output — all without calling real LLMs or depending on external state.
+Jaiph includes a built-in test harness for workflow testing. Test files (`*.test.jh`) let you mock prompt responses, stub workflows, rules, and scripts, run workflows through the same in-process [Node workflow runtime](architecture.md#core-components) used by `jaiph run` (`NodeWorkflowRuntime`), and assert on captured output — all without calling real LLMs or depending on external state. Unlike `jaiph run`, the test harness does not spawn a separate `node-workflow-runner` process: after `buildScripts`, the CLI runs `runTestFile` from `node-test-runner.ts` in the same process. There is no Docker mode for `jaiph test` (workflows under test always run on the host). The system layout (including **Test runner integration** and the Node test runner) is described in [Architecture](architecture.md).
 
-Workflow runs combine prompts, shell commands, and orchestration logic. Without a harness, outcomes depend on live models, timing, and the host machine — making regressions hard to catch in CI or during refactors. The test harness solves this by giving you fixed prompt responses, in-process execution, and deterministic assertions.
+In production, a workflow’s behavior depends on live models, host timing, and local files. A harness fixes inputs (mock prompts, stubbed workflows/scripts), runs the same interpreter the CLI uses for real runs, and checks outputs with small assertions so CI and refactors can catch regressions without external services.
 
 ## File naming and layout
 
@@ -65,9 +65,10 @@ Queues a fixed response for the next `prompt` call in the workflow under test. M
 ```jaiph
 mock prompt "hello from mock"
 mock prompt "second response"
+mock prompt myConstName
 ```
 
-The response must be a double-quoted string. Standard escape sequences (`\"`, `\n`, `\\`) work inside double-quoted strings.
+Use a **double-quoted string** (escapes: `\"`, `\n`, `\\`) or a bare identifier for a [test `const`](#test-block-constants) defined earlier in the block.
 
 ### Mock prompt (content-based dispatch)
 
@@ -123,7 +124,7 @@ mock script w.helper() {
 }
 ```
 
-The former `mock function` syntax is no longer accepted — the parser emits an error with migration guidance.
+Test stubs use `mock script`, not `mock function`; the latter is a parse error with a fix hint.
 
 ### Workflow run (with capture)
 
@@ -164,6 +165,15 @@ run w.setup("arg")
 run w.setup() allow_failure
 ```
 
+### Test block constants
+
+Inside a `test` block, `const NAME = "value"` binds a test-local string (double-quoted literal only; no interpolation). Names can be used as:
+
+- `mock prompt NAME` — the next `prompt` consumes the bound value
+- the second argument to `expect_contain`, `expect_not_contain`, or `expect_equal` when written as a bare identifier (not quoted)
+
+`const` bindings used for `mock prompt` or expected values must appear **before** the steps that read them. Capture variables (`const x = run w.default()`) are separate: only `const … = run …` introduces a capture name for `expect_*`.
+
 ### Assertions
 
 After capturing workflow output, use these to check the result:
@@ -174,7 +184,14 @@ expect_not_contain response "unwanted text"
 expect_equal response "exact expected value"
 ```
 
-Expected strings must be double-quoted. Escape `"` inside the string with `\"`. Failures print expected vs. actual previews.
+The second argument is either a **double-quoted string** (with `\"`, `\n`, and `\\` escapes) or a **`const` name** bound earlier in the same test block (see [Test block constants](#test-block-constants)):
+
+```jaiph
+const want = "expected substring"
+expect_contain response want
+```
+
+Failures print expected vs. actual previews.
 
 ## Typed prompts
 
@@ -191,7 +208,7 @@ testing workflow_greeting.test.jh
   ▸ runs happy path
   ✓ 0s
   ▸ handles error case
-  ✗ expect_contain failed: "out" does not contain "expected" 1s
+  ✗ expect_contain failed: "response" (42 chars) does not contain "expected" 1s
 
 ✗ 1 / 2 test(s) failed
   - handles error case
@@ -201,13 +218,13 @@ When all tests pass: `✓ N test(s) passed`. Exit status is 0 on full success, n
 
 ## How it works
 
-The CLI parses each test file and hands `test { ... }` blocks to `runTestFile()` in the test runner. That function:
+The CLI parses each test file and passes `test "…" { … }` blocks to `runTestFile()` (`src/runtime/kernel/node-test-runner.ts`). That path aligns with the **Test runner integration** description in [Architecture](architecture.md):
 
-1. Calls `buildRuntimeGraph(testFile)` once per file to build the import closure.
-2. Prepares `script` artifacts for the workspace via `buildScripts()` into a temporary directory (test files are excluded from this walk).
-3. Sets `JAIPH_SCRIPTS` to that directory and runs each block with `JAIPH_TEST_MODE=1`.
+1. **`buildScripts(testFileAbs, tmpDir, workspaceRoot)`** — same helper as `jaiph run`, with the **test file as the entrypoint** (`test.ts` calls it with the absolute path to the `*.test.jh` file). For a file entrypoint, the transpiler walks the test module and every file reachable by transitive **`import`** (see `collectTransitiveJhModules` in `src/transpile/build.ts`); it runs `validateReferences` / `emitScriptsForModule` per file and writes atomic **`script`** files into a temp `scripts/` tree. (If `buildScripts` were ever given a **directory** entrypoint, directory walks skip `*.test.jh` files — that is not how `jaiph test` invokes it.)
+2. **`buildRuntimeGraph(testFileAbs, workspaceRoot)`** — called **once per test file**; the same graph is reused for every `test` block in that file and for every `run` step inside them.
+3. For each block, a fresh temp layout sets env vars (below); workflows run in **`NodeWorkflowRuntime`**, not in a detached child.
 
-There is no Bash transpilation of workflows on this path — only extracted `script` files are shell, same as production. The runtime graph is cached per file; mutating imported files on disk mid-run is not supported.
+There is no Bash transpilation of full workflows on this path — only extracted `script` bodies are shell, same as production. The import graph is fixed for a single `jaiph test` process; **mutating imported `*.jh` on disk between blocks** is not a supported use case.
 
 ## Environment variables
 
@@ -217,8 +234,9 @@ For each workflow run inside a test block, the harness builds the runtime enviro
 |---|---|
 | `JAIPH_TEST_MODE` | `1` |
 | `JAIPH_WORKSPACE` | Project root (from `detectWorkspaceRoot`) |
-| `JAIPH_RUNS_DIR` | Per-block temp directory |
-| `JAIPH_SCRIPTS` | Temp `buildScripts` output |
+| `JAIPH_RUNS_DIR` | Per test block, `…/tmp/jaiph-test-block-*/.jaiph/runs` (ephemeral) |
+| `JAIPH_SCRIPTS` | Directory containing extracted `script` files from `buildScripts` (temp) |
+| `JAIPH_MOCK_RESPONSES_FILE` or `JAIPH_MOCK_DISPATCH_SCRIPT` | Set by the runner when using inline or block `mock prompt` (do not set manually) |
 
 You do not set `JAIPH_TEST_MODE` yourself; the harness manages it.
 
@@ -299,10 +317,12 @@ Test cases are organized by error type and single-vs-multi-module:
 
 | File | Cases | What it covers |
 |------|-------|----------------|
-| `compiler-tests/valid.txt` | 103 | Success cases — source compiles without error (single-module) |
-| `compiler-tests/parse-errors.txt` | 108 | `E_PARSE` error cases — syntax and grammar violations |
-| `compiler-tests/validate-errors.txt` | 24 | `E_VALIDATE`, `E_IMPORT_NOT_FOUND`, `E_SCHEMA` error cases (single-module) |
-| `compiler-tests/validate-errors-multi-module.txt` | 3 | Validation errors requiring imports (multi-file) |
+| `compiler-tests/valid.txt` | 119 | Success cases — source compiles without error (single-module) |
+| `compiler-tests/parse-errors.txt` | 274 | `E_PARSE` error cases — syntax and grammar violations |
+| `compiler-tests/validate-errors.txt` | 88 | `E_VALIDATE`, `E_IMPORT_NOT_FOUND`, `E_SCHEMA` error cases (single-module) |
+| `compiler-tests/validate-errors-multi-module.txt` | 20 | Validation errors requiring imports (multi-file) |
+
+(Counts are one `# @expect` per test case; re-count after large fixture changes.)
 
 The initial cases were extracted from TypeScript test files across `src/parse/*.test.ts` and `src/transpile/*.test.ts`. Additional cases were written directly as txtar fixtures to cover compiler error paths that had no prior test coverage. Only tests that verify "source in, pass/fail out" qualify — tests that check AST structure or internal APIs remain in TypeScript.
 
@@ -360,11 +380,24 @@ For concurrency-sensitive behavior (for example parallel inbox dispatch), the re
 
 See `e2e/tests/91_inbox_dispatch.sh`, `e2e/tests/93_inbox_stress.sh`, and `e2e/tests/94_parallel_shell_steps.sh` for examples.
 
+## PTY-based TTY tests
+
+Some CLI behavior only activates when stdout is a real TTY — the live progress tree with ANSI redraws, for example. These tests use Python's `pty.openpty()` to spawn `jaiph run` under a pseudo-terminal, capture the raw byte stream, and assert on the rendered output.
+
+Two PTY tests exist today:
+
+| Test file | What it covers |
+|-----------|----------------|
+| `e2e/tests/81_tty_progress_tree.sh` | Synchronous workflow progress rendering — verifies the tree structure, step timing, and PASS/FAIL markers under a real TTY. |
+| `e2e/tests/131_tty_async_progress.sh` | Async workflow progress rendering — verifies that `run async` branches (with `Handle<T>` deferred resolution) render per-branch progress events under subscript-numbered nodes (₁, ₂), that both branches show resolved return values in the final frame, and that no orphaned ANSI escape sequences appear. |
+
+Both tests require Python 3 and use only deterministic, non-LLM steps (sleep loops, `log`, scripts) so results are reproducible. Assertions use `assert_contains` with order-insensitive matching because async interleaving and PTY redraws make exact full-output comparison infeasible.
+
 ## E2E testing
 
 Shell harnesses and CI expectations for the full repo are described in [Contributing — E2E testing](contributing.md#e2e-testing).
 
-E2E tests compare full CLI output and full artifact file contents by default. Use `e2e::expect_stdout`, `e2e::expect_out`, `e2e::expect_file`, `e2e::expect_run_file`, or `e2e::assert_equals`. Substring checks (`e2e::assert_contains`) require an inline comment justifying the exception. For the full policy (two surfaces, full equality, `assert_contains` exceptions, normalization), see [Contributing — E2E testing](contributing.md#e2e-testing). For the on-disk tree under `.jaiph/runs/`, see [Architecture — Durable artifact layout](architecture#durable-artifact-layout).
+E2E tests compare full CLI output and full artifact file contents by default. Use `e2e::expect_stdout`, `e2e::expect_out`, `e2e::expect_file`, `e2e::expect_run_file`, or `e2e::assert_equals`. Substring checks (`e2e::assert_contains`) require an inline comment justifying the exception. For the full policy (two surfaces, full equality, `assert_contains` exceptions, normalization), see [Contributing — E2E testing](contributing.md#e2e-testing). For the on-disk tree under `.jaiph/runs/`, see [Architecture — Durable artifact layout](architecture.md#durable-artifact-layout).
 
 Every `.jh` sample under `e2e/` must be wired into at least one test. Run `bash e2e/check_orphan_samples.sh` to detect unreferenced fixtures. See [Contributing — Orphan sample guard](contributing.md#orphan-sample-guard) for details.
 
@@ -376,8 +409,8 @@ The project includes a Playwright-based test (`tests/e2e-samples/landing-page.sp
 
 ## Limitations (v1)
 
-- Prompt mocks are inline only — no external mock config files.
-- Do not combine `mock prompt { ... }` with `mock prompt "..."` in the same test block; only the block dispatch is active.
-- Capture without explicit `return` reads stdout step artifacts (`*.out` files) or falls back to aggregated runtime output.
-- Assertions only support double-quoted expected strings.
-- Extra arguments after the test path (`jaiph test <path> [extra...]`) are accepted but ignored (reserved for future use).
+- **Prompt mocks** must be written **inside the test file** (inline `mock prompt "…"`, `mock prompt <const>`, or `mock prompt { … }`) — there are no external mock-config file paths.
+- **Do not combine** `mock prompt { … }` with queue-style `mock prompt "…"` / `mock prompt <const>` in the same test block; when a block is present, queued entries are ignored.
+- **Capture** without a successful non-empty `return` concatenates all step `*.out` files in the run directory (sorted by filename), then falls back to the runtime’s aggregated output string.
+- **`expect_*` right-hand side** is either a double-quoted literal or a test `const` name — not an arbitrary expression.
+- **Extra CLI arguments** after the path (`jaiph test <path> [extra...]`) are accepted but ignored (reserved for future use).
diff --git a/e2e/agent_inbox.jh b/e2e/agent_inbox.jh
deleted file mode 100755
index 7302208e..00000000
--- a/e2e/agent_inbox.jh
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/usr/bin/env jaiph
-
-channel findings -> analyst
-channel report -> reviewer
-
-script emit_findings = `echo "Found 3 issues in auth module"`
-script emit_summary = `echo "Summary: $1"`
-
-workflow scanner() {
-  findings <- run emit_findings()
-}
-
-workflow analyst(message, chan, sender) {
-  report <- run emit_summary(message)
-}
-
-workflow reviewer(message, chan, sender) {
-  log "[reviewed] ${message}"
-}
-
-workflow default() {
-  run scanner()
-}
diff --git a/e2e/async.jh b/e2e/async.jh
deleted file mode 100755
index 076eb10d..00000000
--- a/e2e/async.jh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/usr/bin/env jaiph
-
-const prompt_text = "Say: Greetings! I am [model name]."
-
-workflow cursor_say_hello(name) {
-  config { agent.backend = "cursor" }
-  const response = prompt "${prompt_text}"
-  log response
-}
-
-workflow claude_say_hello(name) {
-  config { agent.backend = "claude" }
-  const response = prompt "${prompt_text}"
-  log response
-}
-
-workflow default(name) {
-  run async cursor_say_hello(name)
-  run async claude_say_hello(name)
-}
diff --git a/e2e/lib/common.sh b/e2e/lib/common.sh
index 14febd71..2fadb35c 100644
--- a/e2e/lib/common.sh
+++ b/e2e/lib/common.sh
@@ -74,8 +74,15 @@ e2e::assert_equals() {
 e2e::normalize_output() {
   local input="$1"
   # Strip ANSI and normalize timing values for stable assertions.
+  # Final perl step canonicalizes the order of contiguous "async-progress"
+  # lines (lines starting with one or more spaces followed by a subscript
+  # marker ₁..₉, UTF-8 bytes E2 82 81..89). Async branches that run in
+  # parallel complete in non-deterministic order; sorting both actual and
+  # expected with the same stable order makes strict equality usable while
+  # still asserting that the same set of progress lines was emitted.
   printf "%s" "${input}" \
     | sed -E $'s/\x1B\\[[0-9;]*[A-Za-z]//g' \
+    | sed -E 's/^(Jaiph: Running [^ ]+) \(.+\)$/\1/' \
     | sed -E 's/\(([0-9]+(\.[0-9]+)?s|[0-9]+m [0-9]+s)\)/(<time>)/g' \
     | sed -E 's/\(([0-9]+(\.[0-9]+)?s|[0-9]+m [0-9]+s) failed\)/(<time> failed)/g' \
     | sed -E 's/✓ ([0-9]+)(\.[0-9]+)?s/✓ <time>/g' \
@@ -83,8 +90,21 @@ e2e::normalize_output() {
     | sed -E 's/✗ (.*) ([0-9]+)(\.[0-9]+)?s$/✗ \1 <time>/g' \
     | sed -E 's/^( *)(cursor-agent|printf %s) .*$/\1<agent-command>/g' \
     | sed -E 's/\(1="\/[^"]*"/(1="<script-path>"/g' \
+    | sed -E 's/__inline_[0-9a-f]{12}/__inline_<id>/g' \
     | sed -E 's/[[:space:]]+$//g' \
-    | perl -0777 -pe 's/([^\n])\n(✓ PASS)/$1\n\n$2/g'
+    | perl -0777 -pe 's/([^\n])\n(✓ PASS)/$1\n\n$2/g' \
+    | perl -e '
+        use strict; use warnings;
+        binmode STDIN;
+        binmode STDOUT;
+        my @buf;
+        sub flush { print join("", sort @buf); @buf = (); }
+        while (my $line = <STDIN>) {
+          if ($line =~ /^ +\xe2\x82[\x81-\x89]/) { push @buf, $line; }
+          else { flush(); print $line; }
+        }
+        flush();
+      '
 }
 
 e2e::assert_output_equals() {
@@ -463,6 +483,32 @@ EOF
   JAIPH_BIN_DIR="${JAIPH_E2E_BIN_DIR}" curl -fsSL "${E2E_SERVER_URL}/install" | bash
 }
 
+E2E_DOCKER_TEST_IMAGE="${JAIPH_E2E_DOCKER_IMAGE:-}"
+E2E_DOCKER_IMAGE_BUILT=0
+
+# Build a local jaiph-e2e-runtime image from the current source tree.
+# Caches the image name in E2E_DOCKER_TEST_IMAGE so it is built at most once.
+e2e::ensure_docker_test_image() {
+  if [[ -n "${E2E_DOCKER_TEST_IMAGE}" ]]; then
+    return 0
+  fi
+  if ! command -v docker >/dev/null 2>&1 || ! docker info >/dev/null 2>&1; then
+    return 1
+  fi
+  local tag="jaiph-e2e-runtime:local"
+  if [[ "${E2E_DOCKER_IMAGE_BUILT}" == "1" ]]; then
+    E2E_DOCKER_TEST_IMAGE="${tag}"
+    export JAIPH_E2E_DOCKER_IMAGE="${tag}"
+    return 0
+  fi
+  if docker build -t "${tag}" -f "${E2E_REPO_ROOT}/runtime/Dockerfile" "${E2E_REPO_ROOT}" >/dev/null 2>&1; then
+    E2E_DOCKER_IMAGE_BUILT=1
+    E2E_DOCKER_TEST_IMAGE="${tag}"
+    export JAIPH_E2E_DOCKER_IMAGE="${tag}"
+  fi
+  [[ -n "${E2E_DOCKER_TEST_IMAGE}" ]]
+}
+
 e2e::prepare_test_env() {
   local test_name="$1"
   e2e::prepare_shared_context
diff --git a/e2e/say_hello.jh b/e2e/say_hello.jh
old mode 100755
new mode 100644
index dc9fb727..05995872
--- a/e2e/say_hello.jh
+++ b/e2e/say_hello.jh
@@ -1,23 +1,6 @@
 #!/usr/bin/env jaiph
-
-rule name_was_provided(name) {
-  # bash is used by default for scripts
-  # use ```node, ```python3, etc. for other languages
-  run ```
-    if [ -z "$1" ]; then
-      echo "You didn't provide your name :(" >&2
-      exit 1
-    fi
-  ```(name)
-}
-
-workflow default(name) {
-  ensure name_was_provided(name)
-
-  const response = prompt """
-    Say hello to ${name} and provide a fun fact about a person with the same name.
-    Respond with a single line. Do not inspect files or run tools.
-  """
-
-  log response
+# E2E fixture: minimal workflow for compiler golden test.
+script say_hello = `echo hello`
+workflow default() {
+  run say_hello()
 }
diff --git a/e2e/say_hello.test.jh b/e2e/say_hello.test.jh
deleted file mode 100755
index 5db40fb7..00000000
--- a/e2e/say_hello.test.jh
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/usr/bin/env jaiph
-
-import "say_hello.jh" as hello
-
-# We expect this test to fail due to mismatch in error message
-# between the prompt and the error message in the test file.
-# We use it to verify the test works and the error message output
-# is correct.
-test "without name, workflow fails with validation message" {
-  # When
-  const response = run hello.default() allow_failure
-
-  # Then
-  expect_equal response "You didn't provide your name"
-}
-
-test "with name, returns greeting and logs response" {
-  # Given
-  mock prompt "Hello Alice! Alice in Wonderland was written by Lewis Carroll."
-
-  # When
-  run hello.default("Alice")
-}
diff --git a/e2e/test_all.sh b/e2e/test_all.sh
index 63dd8f66..657fb502 100755
--- a/e2e/test_all.sh
+++ b/e2e/test_all.sh
@@ -23,8 +23,10 @@ TEST_SCRIPTS=(
   "e2e/tests/70_run_artifacts.sh"
   "e2e/tests/71_loop_run_artifacts.sh"
   "e2e/tests/72_docker_run_artifacts.sh"
-  "e2e/tests/73_docker_dockerfile_detection.sh"
+  "e2e/tests/74b_docker_signal_cleanup.sh"
+  "e2e/tests/74c_docker_prepull.sh"
   "e2e/tests/74_live_step_output.sh"
+  "e2e/tests/76_docker_failure_parity.sh"
   "e2e/tests/78_lang_redesign_constructs.sh"
   "e2e/tests/79_workflow_fail_keyword.sh"
   "e2e/tests/80_cli_behavior.sh"
@@ -79,6 +81,8 @@ TEST_SCRIPTS=(
   "e2e/tests/126_file_shorthand_routing.sh"
   "e2e/tests/127_cli_edge_cases.sh"
   "e2e/tests/128_examples_format_check.sh"
+  "e2e/tests/130_run_recover_loop.sh"
+  "e2e/tests/133_return_bare_identifier.sh"
 )
 
 PASS_COUNT=0
@@ -97,6 +101,8 @@ for script in "${TEST_SCRIPTS[@]}"; do
   mkdir -p "${test_dir}"
 
   e2e::section "Running ${script_name}"
+  # JAIPH_UNSAFE is not defaulted here: unset → Docker on (see resolveDockerConfig).
+  # CI sets per-job env (ubuntu docker vs host). For fast local runs: JAIPH_UNSAFE=true npm run test:e2e
   if JAIPH_E2E_SKIP_INSTALL=1 \
     JAIPH_E2E_TMP_DIR="${JAIPH_E2E_TMP_DIR:-}" \
     JAIPH_E2E_BIN_DIR="${JAIPH_E2E_BIN_DIR}" \
diff --git a/e2e/tests/00_install_and_init.sh b/e2e/tests/00_install_and_init.sh
index a293b47a..0b607f04 100644
--- a/e2e/tests/00_install_and_init.sh
+++ b/e2e/tests/00_install_and_init.sh
@@ -46,16 +46,13 @@ workflow default() {
     Perform these tasks in order:
     1) Analyze repository structure, languages, package manager, and build/test/lint commands.
     2) Detect existing contribution conventions (branching, commit style, CI checks).
-    3) Review and update .jaiph/Dockerfile for this specific repository.
-       - This file defines the Docker sandbox (runtimes, package managers, build tools).
-       - Align it with how this project is actually built and tested.
-    4) Create or update Jaiph workflows under .jaiph/ for safe feature implementation, including:
+    3) Create or update Jaiph workflows under .jaiph/ for safe feature implementation, including:
        - preflight checks (clean git state, branch guards when relevant)
        - implementation workflow
        - verification workflow (tests/lint/build)
-    5) Keep workflows minimal, composable, and specific to this project.
-    6) Print a short usage guide with exact jaiph run commands.
-    7) End your response with:
+    4) Keep workflows minimal, composable, and specific to this project.
+    5) Print a short usage guide with exact jaiph run commands.
+    6) End your response with:
        - WHAT CHANGED: files touched and key edits
        - WHY: tie each edit to repository structure, tests, or sandbox needs
   """
@@ -71,75 +68,6 @@ e2e::pass "bootstrap template matches expected triple-quoted prompt content"
 jaiph compile "${BOOTSTRAP_FILE}"
 e2e::pass "generated bootstrap workflow compiles"
 
-e2e::assert_file_exists "${TEST_DIR}/.jaiph/Dockerfile" ".jaiph/Dockerfile exists"
-expected_dockerfile="$(mktemp)"
-cat > "${expected_dockerfile}" <<'EOF'
-FROM ubuntu:latest
-
-# Generated by jaiph init for project sandboxing.
-# Keep this file aligned with your repository's runtime/build/test needs.
-
-# Standard utilities + fuse-overlayfs for CoW sandbox
-RUN apt-get update && \
-    apt-get install -y --no-install-recommends \
-      bash \
-      curl \
-      git \
-      ca-certificates \
-      gnupg \
-      fuse-overlayfs \
-      fuse3 \
-      rsync && \
-    rm -rf /var/lib/apt/lists/*
-
-# Node.js latest LTS (required by jaiph prompt stream helpers)
-RUN curl -fsSL https://deb.nodesource.com/setup_lts.x | bash - && \
-    apt-get install -y --no-install-recommends nodejs && \
-    rm -rf /var/lib/apt/lists/*
-
-# Non-root user keeps agent CLIs happy in Docker mode.
-RUN useradd --create-home --uid 10001 --shell /bin/bash jaiph && \
-    mkdir -p /jaiph/workspace /jaiph/workspace-ro /jaiph/run && \
-    chown -R jaiph:jaiph /jaiph
-
-# Claude Code CLI (Anthropic)
-RUN npm install -g @anthropic-ai/claude-code
-
-USER jaiph
-ENV HOME=/home/jaiph
-ENV PATH="/home/jaiph/.local/bin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-
-# cursor-agent (Cursor) — install as the runtime user so the binary remains
-# reachable after switching away from root. The installer currently places
-# the CLI in ~/.local/bin and may name it "agent" or "cursor".
-RUN mkdir -p "$HOME/.local/bin" && \
-    curl -fsSL https://cursor.com/install -o /tmp/install-cursor-agent.sh && \
-    bash /tmp/install-cursor-agent.sh && \
-    export PATH="$HOME/.local/bin:$PATH" && \
-    if command -v cursor-agent >/dev/null 2>&1; then \
-      true; \
-    elif command -v agent >/dev/null 2>&1; then \
-      ln -sf "$(command -v agent)" "$HOME/.local/bin/cursor-agent"; \
-    elif command -v cursor >/dev/null 2>&1; then \
-      ln -sf "$(command -v cursor)" "$HOME/.local/bin/cursor-agent"; \
-    fi && \
-    command -v cursor-agent >/dev/null 2>&1 && \
-    rm -f /tmp/install-cursor-agent.sh
-
-# jaiph (official installer: https://jaiph.org/install)
-RUN curl -fsSL https://jaiph.org/install | bash
-
-# Add project-specific package managers/build tools below as needed.
-
-WORKDIR /jaiph/workspace
-EOF
-if ! cmp -s "${TEST_DIR}/.jaiph/Dockerfile" "${expected_dockerfile}"; then
-  rm -f "${expected_dockerfile}"
-  e2e::fail "Expected .jaiph/Dockerfile to match init template with jaiph.org installer"
-fi
-rm -f "${expected_dockerfile}"
-e2e::pass ".jaiph/Dockerfile matches expected init template content"
-
 # Bash command substitution strips a trailing newline; compare bytes with cmp.
 if ! cmp -s "${TEST_DIR}/.jaiph/.gitignore" <(printf 'runs\ntmp\n'); then
   e2e::fail "Expected .jaiph/.gitignore to list runs and tmp with a final newline"
diff --git a/e2e/tests/05_jaiph_use_pinned_version.sh b/e2e/tests/05_jaiph_use_pinned_version.sh
index bff3778e..4470683b 100644
--- a/e2e/tests/05_jaiph_use_pinned_version.sh
+++ b/e2e/tests/05_jaiph_use_pinned_version.sh
@@ -17,7 +17,17 @@ export JAIPH_LIB_DIR="${USE_BIN}/.jaiph"
 e2e::section "jaiph use <package.json version> reinstalls via installer"
 
 export JAIPH_INSTALL_COMMAND="bash \"${E2E_REPO_ROOT}/docs/install\" \"${E2E_REPO_ROOT}\""
+# Capture without `set -e` aborting silently — we want the install output
+# surfaced on failure for diagnosability (esp. on WSL where missing tools or
+# /mnt/<drive> copy quirks fail without obvious context).
+set +e
 use_combined="$(jaiph use "${VERSION}" 2>&1)"
+use_status=$?
+set -e
+if [[ "${use_status}" -ne 0 ]]; then
+  printf 'jaiph use exited %d. Captured output:\n%s\n' "${use_status}" "${use_combined}" >&2
+  e2e::fail "jaiph use exited non-zero"
+fi
 # assert_contains: installer output includes dynamic paths and progress text that vary per environment
 e2e::assert_contains "${use_combined}" "Reinstalling Jaiph from ref 'v${VERSION}'" \
   "jaiph use prints expected git ref for pinned version"
diff --git a/e2e/tests/104_run_async.sh b/e2e/tests/104_run_async.sh
index cd8b9e8f..785b3994 100755
--- a/e2e/tests/104_run_async.sh
+++ b/e2e/tests/104_run_async.sh
@@ -139,30 +139,30 @@ EXPECTED
 e2e::expect_out "async_interleave.jh" "default" "slow-done"
 e2e::expect_out "async_interleave.jh" "slow" "slow-done"
 
-# --- capture + run async is rejected at parse time ---
+# --- capture + run async returns handle that resolves on read ---
 
-e2e::section "capture + run async parse error"
+e2e::section "capture + run async returns handle"
 
 e2e::file "capture_async.jh" <<'EOF'
 workflow helper() {
-  log "hi"
+  return "hello"
 }
 
 workflow default() {
   const x = run async helper()
+  log x
 }
 EOF
 
-set +e
 capture_output="$(e2e::run "capture_async.jh" 2>&1)"
 capture_status=$?
-set -e
 
-if [[ "$capture_status" -eq 0 ]]; then
-  e2e::fail "expected parse error for capture + run async"
+if [[ "$capture_status" -ne 0 ]]; then
+  e2e::fail "expected capture + run async to succeed, got exit $capture_status"
 fi
-# Error line includes absolute source path which varies per invocation
-e2e::assert_contains "$capture_output" "const ... = run must target a valid reference" "capture + run async diagnostic"
+e2e::pass "capture + run async succeeds"
+
+e2e::expect_out "capture_async.jh" "default" "hello"
 
 # --- run async sibling depth in progress tree ---
 
diff --git a/e2e/tests/10_basic_workflows.sh b/e2e/tests/10_basic_workflows.sh
index b4e3b81a..78a167ce 100644
--- a/e2e/tests/10_basic_workflows.sh
+++ b/e2e/tests/10_basic_workflows.sh
@@ -32,6 +32,8 @@ workflow default
   ▸ script hello_impl
   ✓ script hello_impl (<time>)
 ✓ PASS workflow default (<time>)
+
+hello-jh
 EOF
 
 e2e::expect_out_files "hello.jh" 2
@@ -72,6 +74,8 @@ workflow default
   ▸ script mixed_ok_impl
   ✓ script mixed_ok_impl (<time>)
 ✓ PASS workflow default (<time>)
+
+mixed-ok
 EOF
 
 e2e::expect_out_files "app.jh" 4
@@ -80,6 +84,14 @@ e2e::expect_out "app.jh" "mixed_ok_impl" "mixed-ok"
 
 e2e::section "Git-aware rule arguments"
 
+# This section exercises a workflow whose script body shells out to `git`.
+# Some supported environments (notably the WSL CI job) do not preinstall git;
+# Jaiph itself does not require it, so skip gracefully rather than fail the
+# whole acceptance test on a feature that is not applicable here.
+if ! command -v git >/dev/null 2>&1; then
+  e2e::skip "git not available — skipping git-aware rule arguments"
+else
+
 # Given
 e2e::file "current_branch.jh" <<'EOF'
 #!/usr/bin/env jaiph
@@ -123,3 +135,5 @@ EOF
   e2e::expect_fail "current_branch.jh" "${wrong_branch}"
   e2e::pass "current_branch.jh fails for wrong branch"
 )
+
+fi
diff --git a/e2e/tests/110_examples.sh b/e2e/tests/110_examples.sh
index 373bd965..577dff56 100755
--- a/e2e/tests/110_examples.sh
+++ b/e2e/tests/110_examples.sh
@@ -56,12 +56,12 @@ workflow default
   ▸ workflow scanner
   ·   ℹ Scanning for issues...
   ✓ workflow scanner (<time>)
-  ▸ workflow analyst (message="\"Found 3 issues in auth module\"", chan="findings", sender="scanner")
+  ▸ workflow analyst (message="Found 3 issues in auth module", chan="findings", sender="scanner")
   ·   ℹ Analyzing message from scanner on channel findings...
   ✓ workflow analyst (<time>)
-  ▸ workflow reviewer (message="\"Summary: \"Found 3 issues in aut...", chan="report", sender="analyst")
+  ▸ workflow reviewer (message="Summary: Found 3 issues in auth ...", chan="report", sender="analyst")
   ·   ℹ Reviewing message from analyst on channel report...
-  ·   ! Critical issue: "Summary: "Found 3 issues in auth module""
+  ·   ! Critical issue: Summary: Found 3 issues in auth module
   ✓ workflow reviewer (<time>)
 ✓ PASS workflow default (<time>)
 EOF
@@ -92,14 +92,8 @@ e2e::expect_stdout "${say_hello_out}" <<'EOF'
 Jaiph: Running say_hello.jh
 
 workflow default
-  ▸ rule name_was_provided
-  ·   ▸ script validate_name
-  ·   ✗ script validate_name (<time>)
-  ✗ rule name_was_provided (<time>)
-EOF
-
-e2e::expect_file "*script__validate_name.err" <<'EOF'
-You didn't provide your name :(
+  ▸ rule valid_name
+  ✗ rule valid_name (<time>)
 EOF
 
 # ── say_hello.test.jh ───────────────────────────────────────────────────────
@@ -150,10 +144,10 @@ e2e::expect_stdout "${recover_out}" <<'EOF'
 Jaiph: Running recover_loop.jh
 
 workflow default
-  ▸ rule report_exists
-  ·   ▸ script check_report
-  ·   ✓ script check_report (<time>)
-  ✓ rule report_exists (<time>)
+  ▸ script check_report_exists
+  ✓ script check_report_exists (<time>)
+  ▸ script __inline_<id>
+  ✓ script __inline_<id> (<time>)
 ✓ PASS workflow default (<time>)
 EOF
 
@@ -163,6 +157,8 @@ rm -f "${TEST_DIR}/report.txt"
 
 e2e::section "examples/recover_loop.test.jh — native test with mocked script"
 
+touch "${TEST_DIR}/report.txt"
+
 # When
 rl_test_out="$(jaiph test "${TEST_DIR}/recover_loop.test.jh" 2>&1)"
 
diff --git a/e2e/tests/113_match_expression.sh b/e2e/tests/113_match_expression.sh
index 618863e2..08a92c4b 100644
--- a/e2e/tests/113_match_expression.sh
+++ b/e2e/tests/113_match_expression.sh
@@ -36,6 +36,8 @@ workflow default
   ▸ script get_status
   ✓ script get_status (<time>)
 ✓ PASS workflow default (<time>)
+
+something broke
 EOF
 
 e2e::expect_out "match_string.jh" "get_status" "error"
@@ -68,6 +70,8 @@ workflow default
   ▸ script get_mode
   ✓ script get_mode (<time>)
 ✓ PASS workflow default (<time>)
+
+default
 EOF
 
 e2e::expect_out "match_wildcard.jh" "get_mode" "unknown-mode"
@@ -100,6 +104,8 @@ workflow default
   ▸ script get_input
   ✓ script get_input (<time>)
 ✓ PASS workflow default (<time>)
+
+error
 EOF
 
 e2e::expect_out "match_regex.jh" "get_input" "ERROR: something failed"
@@ -132,6 +138,8 @@ workflow default
   ▸ script get_code
   ✓ script get_code (<time>)
 ✓ PASS workflow default (<time>)
+
+success
 EOF
 
 e2e::pass "match in return statement"
diff --git a/e2e/tests/123_triple_quoted_strings.sh b/e2e/tests/123_triple_quoted_strings.sh
index 0a159b45..f1d75421 100755
--- a/e2e/tests/123_triple_quoted_strings.sh
+++ b/e2e/tests/123_triple_quoted_strings.sh
@@ -54,7 +54,11 @@ e2e::expect_stdout "${return_out}" <<'EOF'
 Jaiph: Running return_multiline.jh
 
 workflow default
+
 ✓ PASS workflow default (<time>)
+
+line one
+line two
 EOF
 
 # ── 3. Triple-quoted const with interpolation ─────────────────────────────────
diff --git a/e2e/tests/126_file_shorthand_routing.sh b/e2e/tests/126_file_shorthand_routing.sh
index 55b10967..21b6ac5e 100644
--- a/e2e/tests/126_file_shorthand_routing.sh
+++ b/e2e/tests/126_file_shorthand_routing.sh
@@ -33,6 +33,8 @@ workflow default
   ▸ script hello_impl
   ✓ script hello_impl (<time>)
 ✓ PASS workflow default (<time>)
+
+hello-shorthand
 EOF
 
 e2e::expect_out "hello.jh" "hello_impl" "hello-shorthand"
diff --git a/e2e/tests/127_cli_edge_cases.sh b/e2e/tests/127_cli_edge_cases.sh
index fcb475df..ff44d2c1 100644
--- a/e2e/tests/127_cli_edge_cases.sh
+++ b/e2e/tests/127_cli_edge_cases.sh
@@ -49,25 +49,34 @@ e2e::assert_contains "${indent_none_msg}" "positive integer" "format --indent wi
 
 e2e::section "format on unreadable file"
 
-e2e::file "unreadable.jh" <<'EOF'
+# DAC permission checks do not apply to UID 0; the WSL CI job runs bash as
+# root by design (its bootstrap detects `id -u == 0` and skips sudo), and
+# any environment with CAP_DAC_READ_SEARCH would behave the same way.
+# Skip rather than fail so the assertion remains meaningful where it can
+# actually be checked.
+if [[ "$(id -u)" -eq 0 ]]; then
+  e2e::skip "running as root (or with DAC_READ_SEARCH) — chmod 000 cannot make a file unreadable"
+else
+  e2e::file "unreadable.jh" <<'EOF'
 workflow default() {
   log "hello"
 }
 EOF
-chmod 000 "${TEST_DIR}/unreadable.jh"
-
-unread_err="$(mktemp)"
-if jaiph format "${TEST_DIR}/unreadable.jh" 2>"${unread_err}"; then
+  chmod 000 "${TEST_DIR}/unreadable.jh"
+
+  unread_err="$(mktemp)"
+  if jaiph format "${TEST_DIR}/unreadable.jh" 2>"${unread_err}"; then
+    rm -f "${unread_err}"
+    chmod 644 "${TEST_DIR}/unreadable.jh"
+    e2e::fail "format should fail on unreadable file"
+  fi
+  unread_msg="$(cat "${unread_err}")"
   rm -f "${unread_err}"
   chmod 644 "${TEST_DIR}/unreadable.jh"
-  e2e::fail "format should fail on unreadable file"
-fi
-unread_msg="$(cat "${unread_err}")"
-rm -f "${unread_err}"
-chmod 644 "${TEST_DIR}/unreadable.jh"
 
-# assert_contains: error message includes dynamic path
-e2e::assert_contains "${unread_msg}" "cannot read file" "format reports unreadable file"
+  # assert_contains: error message includes dynamic path
+  e2e::assert_contains "${unread_msg}" "cannot read file" "format reports unreadable file"
+fi
 
 # ── 4. jaiph compile --workspace with no value ─────────────────────────────
 
diff --git a/e2e/tests/129_artifacts_lib.sh b/e2e/tests/129_artifacts_lib.sh
new file mode 100755
index 00000000..2169a2b9
--- /dev/null
+++ b/e2e/tests/129_artifacts_lib.sh
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+source "${ROOT_DIR}/e2e/lib/common.sh"
+trap e2e::cleanup EXIT
+
+e2e::prepare_test_env "artifacts_lib"
+TEST_DIR="${JAIPH_E2E_TEST_DIR}"
+
+# ---------------------------------------------------------------------------
+e2e::section "artifacts lib: save"
+# ---------------------------------------------------------------------------
+
+mkdir -p "${TEST_DIR}/.jaiph/libs/jaiphlang"
+cp "${ROOT_DIR}/.jaiph/libs/jaiphlang/artifacts.jh" "${TEST_DIR}/.jaiph/libs/jaiphlang/artifacts.jh"
+
+printf 'build-output-content' > "${TEST_DIR}/build_output.txt"
+
+e2e::file "artifacts_e2e.jh" <<'EOF'
+import "jaiphlang/artifacts" as artifacts
+
+workflow default() {
+  const save_path = run artifacts.save("./build_output.txt", "saved-output.txt")
+  log save_path
+}
+EOF
+
+artifacts_out="$(e2e::run "artifacts_e2e.jh")"
+
+e2e::assert_contains "${artifacts_out}" "workflow default" "output contains workflow default"
+e2e::assert_contains "${artifacts_out}" "workflow save" "output contains workflow save"
+e2e::assert_contains "${artifacts_out}" "PASS" "output contains PASS"
+
+run_dir="$(e2e::run_dir "artifacts_e2e.jh")"
+artifacts_dir="${run_dir}artifacts"
+
+e2e::assert_file_exists "${artifacts_dir}/saved-output.txt" "saved artifact exists"
+saved_content="$(<"${artifacts_dir}/saved-output.txt")"
+e2e::assert_equals "${saved_content}" "build-output-content" "saved artifact content matches source"
+
+e2e::pass "artifacts save"
diff --git a/e2e/tests/130_run_recover_loop.sh b/e2e/tests/130_run_recover_loop.sh
new file mode 100755
index 00000000..4d96a217
--- /dev/null
+++ b/e2e/tests/130_run_recover_loop.sh
@@ -0,0 +1,113 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+source "${ROOT_DIR}/e2e/lib/common.sh"
+trap e2e::cleanup EXIT
+
+e2e::prepare_test_env "run_recover_loop"
+TEST_DIR="${JAIPH_E2E_TEST_DIR}"
+
+# === Scenario: recover repairs then retries successfully ===
+e2e::section "recover loop: fail first, repair, pass on retry"
+rm -f "${TEST_DIR}/.gate_passed"
+
+e2e::file "recover_repair.jh" <<'EOF'
+script check_gate = `test -f .gate_passed`
+workflow check() {
+  run check_gate()
+}
+
+script do_fix = `touch .gate_passed`
+workflow fix() {
+  run do_fix()
+}
+
+workflow default() {
+  run check() recover(err) {
+    run fix()
+  }
+}
+EOF
+
+out="$(e2e::run "recover_repair.jh" 2>&1)"
+
+e2e::assert_file_exists "${TEST_DIR}/.gate_passed" "recover body ran (marker created)"
+e2e::expect_stdout "${out}" <<'EOF'
+
+Jaiph: Running recover_repair.jh
+
+workflow default
+  ▸ workflow check
+  ·   ▸ script check_gate
+  ·   ✗ script check_gate (<time>)
+  ✗ workflow check (<time>)
+  ▸ workflow fix
+  ·   ▸ script do_fix
+  ·   ✓ script do_fix (<time>)
+  ✓ workflow fix (<time>)
+  ▸ workflow check
+  ·   ▸ script check_gate
+  ·   ✓ script check_gate (<time>)
+  ✓ workflow check (<time>)
+✓ PASS workflow default (<time>)
+EOF
+e2e::pass "recover loop: repair and retry succeeded"
+
+# === Scenario: recover with retry limit exhaustion ===
+e2e::section "recover loop: retry limit exhaustion"
+
+e2e::file "recover_exhaust.jh" <<'EOF'
+config {
+  run.recover_limit = 2
+}
+
+script always_fail = `exit 1`
+workflow failing() {
+  run always_fail()
+}
+
+workflow default() {
+  run failing() recover(err) {
+    log "repair attempt"
+  }
+}
+EOF
+
+if out_exhaust="$(e2e::run "recover_exhaust.jh" 2>&1)"; then
+  e2e::fail "should have failed after retry limit"
+fi
+
+# nondeterministic timing in nested retry output
+e2e::assert_contains "${out_exhaust}" "FAIL" "workflow fails after retry limit exhaustion"
+
+# === Scenario: recover succeeds on first attempt (no loop) ===
+e2e::section "recover loop: success on first attempt skips body"
+
+e2e::file "recover_pass.jh" <<'EOF'
+script ok_impl = `echo ok`
+workflow ok() {
+  run ok_impl()
+}
+
+workflow default() {
+  run ok() recover(err) {
+    log "should not appear"
+  }
+}
+EOF
+
+out_pass="$(e2e::run "recover_pass.jh" 2>&1)"
+e2e::expect_stdout "${out_pass}" <<'EOF'
+
+Jaiph: Running recover_pass.jh
+
+workflow default
+  ▸ workflow ok
+  ·   ▸ script ok_impl
+  ·   ✓ script ok_impl (<time>)
+  ✓ workflow ok (<time>)
+✓ PASS workflow default (<time>)
+EOF
+e2e::pass "recover: success on first attempt, body never runs"
diff --git a/e2e/tests/131_tty_async_progress.sh b/e2e/tests/131_tty_async_progress.sh
new file mode 100755
index 00000000..415e9c01
--- /dev/null
+++ b/e2e/tests/131_tty_async_progress.sh
@@ -0,0 +1,175 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+source "${ROOT_DIR}/e2e/lib/common.sh"
+trap e2e::cleanup EXIT
+
+e2e::prepare_test_env "tty_async_progress"
+TEST_DIR="${JAIPH_E2E_TEST_DIR}"
+
+e2e::section "TTY run async renders per-branch progress events in real time"
+
+if ! command -v python3 >/dev/null 2>&1; then
+  e2e::fail "python3 is required for PTY TTY test (e2e/tests/131_tty_async_progress.sh)"
+fi
+
+# Given — two async branches, each emitting multiple progress events over time
+e2e::file "tty_async.jh" <<'EOF'
+script slow_a = `sleep 1 && echo "a-script-done"`
+
+script slow_b = `sleep 1 && echo "b-script-done"`
+
+workflow branch_a() {
+  log "a-start"
+  run slow_a()
+  log "a-end"
+  return "result-a"
+}
+
+workflow branch_b() {
+  log "b-start"
+  run slow_b()
+  log "b-end"
+  return "result-b"
+}
+
+workflow default() {
+  const ha = run async branch_a()
+  const hb = run async branch_b()
+  log ha
+  log hb
+}
+EOF
+
+# Spawn jaiph run under a real PTY so the CLI takes the TTY rendering path.
+set +e
+tty_out="$(
+  python3 - "${TEST_DIR}/tty_async.jh" <<'PY'
+import os
+import pty
+import re
+import select
+import subprocess
+import sys
+
+workflow_path = sys.argv[1]
+cmd = ["jaiph", "run", workflow_path]
+
+master_fd, slave_fd = pty.openpty()
+proc = subprocess.Popen(cmd, stdin=slave_fd, stdout=slave_fd, stderr=slave_fd, close_fds=True)
+os.close(slave_fd)
+
+chunks = []
+while True:
+    ready, _, _ = select.select([master_fd], [], [], 0.1)
+    if master_fd in ready:
+        try:
+            data = os.read(master_fd, 4096)
+        except OSError:
+            data = b""
+        if data:
+            chunks.append(data)
+    if proc.poll() is not None:
+        while True:
+            try:
+                data = os.read(master_fd, 4096)
+            except OSError:
+                break
+            if not data:
+                break
+            chunks.append(data)
+        break
+
+os.close(master_fd)
+captured = b"".join(chunks)
+text = captured.decode("utf-8", errors="ignore")
+# Normalize for robust detection across PTY redraw/control sequences
+text = text.replace("\r", "\n")
+clean = re.sub(r"\x1b\[[0-9;]*[A-Za-z]", "", text)
+
+# Check that RUNNING frame was observed during live render
+running_seen = "RUNNING workflow default" in clean
+sys.stdout.write(f"__JAIPH_TTY_RUNNING_SEEN__={'1' if running_seen else '0'}\n")
+
+# Check for orphaned ANSI escape sequences after stripping known CSI patterns.
+# A well-formed stream should have no leftover \x1b after CSI removal.
+orphaned_esc = "\x1b" in clean
+sys.stdout.write(f"__JAIPH_TTY_ANSI_CLEAN__={'1' if not orphaned_esc else '0'}\n")
+
+sys.stdout.buffer.write(captured)
+sys.exit(proc.returncode if proc.returncode is not None else 1)
+PY
+)"
+tty_status=$?
+set -e
+
+# Then — exit code
+e2e::assert_equals "${tty_status}" "0" "jaiph run async exits 0 in PTY"
+
+normalized_input="${tty_out//$'\r'/$'\n'}"
+normalized="$(e2e::normalize_output "${normalized_input}")"
+
+# assert_contains: PTY output includes ANSI escape sequences and redraw frames that make exact match infeasible
+e2e::assert_contains "${normalized}" "__JAIPH_TTY_RUNNING_SEEN__=1" "TTY stream observed RUNNING frame during async live render"
+
+# assert_contains: orphaned-escape check is a single flag extracted from the PTY stream
+e2e::assert_contains "${normalized}" "__JAIPH_TTY_ANSI_CLEAN__=1" "No orphaned ANSI escape sequences in PTY output"
+
+# --- Per-branch progress events appear under correct branch nodes ---
+
+# assert_contains: async interleaving order is nondeterministic in live PTY output
+e2e::assert_contains "${normalized}" "workflow branch_a" "branch_a appears in progress tree"
+e2e::assert_contains "${normalized}" "workflow branch_b" "branch_b appears in progress tree"
+
+# Subscript ₁ prefixes branch_a events, ₂ prefixes branch_b events
+# assert_contains: PTY redraws make exact full-output match infeasible
+e2e::assert_contains "${normalized}" "₁" "branch ₁ subscript present"
+e2e::assert_contains "${normalized}" "₂" "branch ₂ subscript present"
+
+# Log events from each branch appear with their branch subscript
+# assert_contains: async interleaving is nondeterministic
+e2e::assert_contains "${normalized}" "a-start" "branch_a log a-start present"
+e2e::assert_contains "${normalized}" "a-end" "branch_a log a-end present"
+e2e::assert_contains "${normalized}" "b-start" "branch_b log b-start present"
+e2e::assert_contains "${normalized}" "b-end" "branch_b log b-end present"
+
+# Script steps appear under their branches
+# assert_contains: async interleaving is nondeterministic
+e2e::assert_contains "${normalized}" "script slow_a" "script slow_a appears in progress tree"
+e2e::assert_contains "${normalized}" "script slow_b" "script slow_b appears in progress tree"
+
+# --- Final frame: both branches completed with resolved return values ---
+
+# assert_contains: PTY redraws make exact match infeasible
+e2e::assert_contains "${normalized}" "result-a" "handle ha resolved to result-a"
+e2e::assert_contains "${normalized}" "result-b" "handle hb resolved to result-b"
+
+# Both branches show completion markers
+# assert_contains: PTY redraws make exact match infeasible
+e2e::assert_contains "${normalized}" "workflow branch_a (<time>)" "branch_a completed with timing"
+e2e::assert_contains "${normalized}" "workflow branch_b (<time>)" "branch_b completed with timing"
+
+# Overall PASS
+# assert_contains: PTY redraws make exact match infeasible
+e2e::assert_contains "${normalized}" "PASS workflow default" "workflow default passed"
+
+# Canonicalize dynamic TTY refreshes and verify stable tree structure.
+# Extract only the lines we can stably match regardless of async interleaving order.
+tree_projection="$(
+  printf '%s\n' "${normalized}" | awk '
+    /^Jaiph: Running tty_async\.jh$/ { print; next }
+    /^workflow default$/ { print; next }
+    /^ .₁.+ workflow branch_a \(<time>\)$/ { print; next }
+    /^ .₂.+ workflow branch_b \(<time>\)$/ { print; next }
+    /PASS workflow default/ { print; next }
+  '
+)"
+
+# assert_contains: we extract stable subset lines; the full projection order depends on async timing
+e2e::assert_contains "${tree_projection}" "Jaiph: Running tty_async.jh" "tree projection: header"
+e2e::assert_contains "${tree_projection}" "workflow default" "tree projection: root workflow"
+e2e::assert_contains "${tree_projection}" "PASS workflow default" "tree projection: final PASS"
+
+e2e::pass "TTY async progress renders per-branch events correctly"
diff --git a/e2e/tests/132_return_log_inline_script.sh b/e2e/tests/132_return_log_inline_script.sh
new file mode 100755
index 00000000..d1a47833
--- /dev/null
+++ b/e2e/tests/132_return_log_inline_script.sh
@@ -0,0 +1,124 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+source "${ROOT_DIR}/e2e/lib/common.sh"
+trap e2e::cleanup EXIT
+
+e2e::prepare_test_env "return_log_inline_script"
+TEST_DIR="${JAIPH_E2E_TEST_DIR}"
+
+# ---------------------------------------------------------------------------
+e2e::section "return run inline script zero-arg"
+# ---------------------------------------------------------------------------
+
+e2e::file "return_inline.jh" <<'EOF'
+workflow helper() {
+  return run `echo inline-return-ok`()
+}
+
+workflow default() {
+  const r = run helper()
+  log "got: ${r}"
+}
+EOF
+
+return_inline_out="$(e2e::run "return_inline.jh")"
+
+# assert_contains: inline script hash name is content-dependent and not predictable in heredoc
+e2e::assert_contains "${return_inline_out}" "script __inline_" "tree shows inline script step"
+e2e::assert_contains "${return_inline_out}" "got: inline-return-ok" "return run inline script returns correct value"
+e2e::assert_contains "${return_inline_out}" "PASS workflow default" "workflow passes"
+
+e2e::pass "return run inline script zero-arg"
+
+# ---------------------------------------------------------------------------
+e2e::section "return run inline script with args"
+# ---------------------------------------------------------------------------
+
+e2e::file "return_inline_args.jh" <<'EOF'
+workflow helper() {
+  return run `echo $1`("inline-arg-val")
+}
+
+workflow default() {
+  const r = run helper()
+  log "got: ${r}"
+}
+EOF
+
+return_inline_args_out="$(e2e::run "return_inline_args.jh")"
+
+# assert_contains: inline script hash name is content-dependent and not predictable in heredoc
+e2e::assert_contains "${return_inline_args_out}" "got: inline-arg-val" "return run inline script with args returns correct value"
+e2e::assert_contains "${return_inline_args_out}" "PASS workflow default" "workflow passes"
+
+e2e::pass "return run inline script with args"
+
+# ---------------------------------------------------------------------------
+e2e::section "log run inline script zero-arg"
+# ---------------------------------------------------------------------------
+
+e2e::file "log_inline.jh" <<'EOF'
+workflow default() {
+  log run `echo log-inline-ok`()
+}
+EOF
+
+log_inline_out="$(e2e::run "log_inline.jh")"
+
+# assert_contains: inline script hash name is content-dependent and not predictable in heredoc
+e2e::assert_contains "${log_inline_out}" "script __inline_" "tree shows inline script step"
+e2e::assert_contains "${log_inline_out}" "log-inline-ok" "log run inline script outputs correct message"
+e2e::assert_contains "${log_inline_out}" "PASS workflow default" "workflow passes"
+
+e2e::pass "log run inline script zero-arg"
+
+# ---------------------------------------------------------------------------
+e2e::section "log run inline script with args"
+# ---------------------------------------------------------------------------
+
+e2e::file "log_inline_args.jh" <<'EOF'
+workflow default() {
+  log run `echo $1`("log-arg-val")
+}
+EOF
+
+log_inline_args_out="$(e2e::run "log_inline_args.jh")"
+
+# assert_contains: inline script hash name is content-dependent and not predictable in heredoc
+e2e::assert_contains "${log_inline_args_out}" "log-arg-val" "log run inline script with args outputs correct message"
+e2e::assert_contains "${log_inline_args_out}" "PASS workflow default" "workflow passes"
+
+e2e::pass "log run inline script with args"
+
+# ---------------------------------------------------------------------------
+e2e::section "bare inline script in return is rejected"
+# ---------------------------------------------------------------------------
+
+e2e::file "return_bare_inline.jh" <<'EOF'
+workflow default() {
+  return `echo bad`()
+}
+EOF
+
+if jaiph run "${TEST_DIR}/return_bare_inline.jh" >/dev/null 2>&1; then
+  e2e::fail "expected compile-time failure for bare inline script in return"
+fi
+e2e::pass "bare inline script in return rejected"
+
+# ---------------------------------------------------------------------------
+e2e::section "bare inline script in log is rejected"
+# ---------------------------------------------------------------------------
+
+e2e::file "log_bare_inline.jh" <<'EOF'
+workflow default() {
+  log `echo bad`()
+}
+EOF
+
+if jaiph run "${TEST_DIR}/log_bare_inline.jh" >/dev/null 2>&1; then
+  e2e::fail "expected compile-time failure for bare inline script in log"
+fi
+e2e::pass "bare inline script in log rejected"
diff --git a/e2e/tests/133_return_bare_identifier.sh b/e2e/tests/133_return_bare_identifier.sh
new file mode 100755
index 00000000..55938b4d
--- /dev/null
+++ b/e2e/tests/133_return_bare_identifier.sh
@@ -0,0 +1,116 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+source "${ROOT_DIR}/e2e/lib/common.sh"
+trap e2e::cleanup EXIT
+
+e2e::prepare_test_env "return_bare_identifier"
+TEST_DIR="${JAIPH_E2E_TEST_DIR}"
+
+e2e::section "return bare identifier propagates const value"
+
+# Given
+e2e::file "return_bare.jh" <<'EOF'
+workflow helper() {
+  const msg = "bare-id-ok"
+  return msg
+}
+
+workflow default() {
+  const r = run helper()
+  log "got: ${r}"
+}
+EOF
+
+# When
+return_bare_out="$(e2e::run "return_bare.jh")"
+
+# Then
+e2e::expect_stdout "${return_bare_out}" <<'EOF'
+
+Jaiph: Running return_bare.jh
+
+workflow default
+  ▸ workflow helper
+  ✓ workflow helper (<time>)
+  ℹ got: bare-id-ok
+✓ PASS workflow default (<time>)
+EOF
+
+e2e::section "return bare identifier from parameter"
+
+# Given
+e2e::file "return_param.jh" <<'EOF'
+workflow echo_back(val) {
+  return val
+}
+
+workflow default() {
+  const r = run echo_back("param-ok")
+  log "got: ${r}"
+}
+EOF
+
+# When
+return_param_out="$(e2e::run "return_param.jh")"
+
+# Then
+e2e::expect_stdout "${return_param_out}" <<'EOF'
+
+Jaiph: Running return_param.jh
+
+workflow default
+  ▸ workflow echo_back (val="param-ok")
+  ✓ workflow echo_back (<time>)
+  ℹ got: param-ok
+✓ PASS workflow default (<time>)
+EOF
+
+e2e::section "return interpolated string still works"
+
+# Given
+e2e::file "return_interp.jh" <<'EOF'
+workflow helper() {
+  const msg = "interp-ok"
+  return "${msg}"
+}
+
+workflow default() {
+  const r = run helper()
+  log "got: ${r}"
+}
+EOF
+
+# When
+return_interp_out="$(e2e::run "return_interp.jh")"
+
+# Then
+e2e::expect_stdout "${return_interp_out}" <<'EOF'
+
+Jaiph: Running return_interp.jh
+
+workflow default
+  ▸ workflow helper
+  ✓ workflow helper (<time>)
+  ℹ got: interp-ok
+✓ PASS workflow default (<time>)
+EOF
+
+e2e::section "return unknown bare identifier fails with unknown-identifier error"
+
+# Given
+e2e::file "return_unknown.jh" <<'EOF'
+workflow default() {
+  const msg = "hello"
+  return missing_name
+}
+EOF
+
+# When/Then
+if return_unknown_err="$(e2e::run "return_unknown.jh" 2>&1)"; then
+  e2e::fail "expected compile-time failure for unknown bare identifier"
+fi
+e2e::assert_contains "${return_unknown_err}" "unknown identifier" "return unknown bare identifier produces unknown-identifier error"
+e2e::pass "return unknown bare identifier rejected with correct error"
diff --git a/e2e/tests/20_rule_and_prompt.sh b/e2e/tests/20_rule_and_prompt.sh
index 0f140637..85d5702e 100644
--- a/e2e/tests/20_rule_and_prompt.sh
+++ b/e2e/tests/20_rule_and_prompt.sh
@@ -47,6 +47,8 @@ workflow default
   ▸ script done_impl
   ✓ script done_impl (<time>)
 ✓ PASS workflow default (<time>)
+
+e2e-rule-pass-done
 EOF
 
 e2e::expect_out_files "rule_pass.jh" 4
@@ -180,7 +182,7 @@ e2e::expect_stdout "${prompt_vars_out}" <<'EOF'
 Jaiph: Running prompt_with_vars.jh
 
 workflow default
-  ▸ prompt cursor "engineer does Fix bugs" (role="engineer", task="Fix bugs")
+  ▸ prompt cursor "${role} does ${task}" (role="engineer", task="Fix bugs")
   ✓ prompt cursor (<time>)
 ✓ PASS workflow default (<time>)
 EOF
diff --git a/e2e/tests/72_docker_run_artifacts.sh b/e2e/tests/72_docker_run_artifacts.sh
index face0baa..c461002d 100755
--- a/e2e/tests/72_docker_run_artifacts.sh
+++ b/e2e/tests/72_docker_run_artifacts.sh
@@ -16,6 +16,13 @@ if ! command -v docker >/dev/null 2>&1 || ! docker info >/dev/null 2>&1; then
   exit 0
 fi
 
+# Build a local test image with jaiph installed from current source.
+if ! e2e::ensure_docker_test_image; then
+  e2e::section "docker run artifacts (skipped — test image build failed)"
+  e2e::skip "Could not build local Docker test image"
+  exit 0
+fi
+
 e2e::section "docker run artifacts — happy path"
 
 # Given: a simple workflow that produces stdout artifacts
@@ -32,9 +39,9 @@ workflow default() {
 }
 EOF
 
-# When: run with Docker enabled (override the e2e default of JAIPH_DOCKER_ENABLED=false)
-if ! JAIPH_DOCKER_ENABLED=true jaiph run "${TEST_DIR}/docker_artifacts.jh" >/dev/null 2>&1; then
-  JAIPH_DOCKER_ENABLED=true jaiph run "${TEST_DIR}/docker_artifacts.jh"
+# When: run with Docker enabled using the E2E test image
+if ! JAIPH_DOCKER_ENABLED=true JAIPH_DOCKER_IMAGE="${E2E_DOCKER_TEST_IMAGE}" jaiph run "${TEST_DIR}/docker_artifacts.jh" >/dev/null 2>&1; then
+  JAIPH_DOCKER_ENABLED=true JAIPH_DOCKER_IMAGE="${E2E_DOCKER_TEST_IMAGE}" jaiph run "${TEST_DIR}/docker_artifacts.jh"
   e2e::fail "docker: jaiph run docker_artifacts.jh failed"
 fi
 
@@ -77,7 +84,7 @@ EOF
 rm -rf "${TEST_DIR}/custom_runs"
 
 # When: run with Docker and relative JAIPH_RUNS_DIR
-(cd "${TEST_DIR}" && JAIPH_DOCKER_ENABLED=true JAIPH_RUNS_DIR="custom_runs" jaiph run "${TEST_DIR}/docker_rel_runs.jh" >/dev/null 2>&1)
+(cd "${TEST_DIR}" && JAIPH_DOCKER_ENABLED=true JAIPH_DOCKER_IMAGE="${E2E_DOCKER_TEST_IMAGE}" JAIPH_RUNS_DIR="custom_runs" jaiph run "${TEST_DIR}/docker_rel_runs.jh" >/dev/null 2>&1)
 
 # Then: artifacts should be under the relative dir on host
 rel_run_dir="$(e2e::run_dir_at "${TEST_DIR}/custom_runs" "docker_rel_runs.jh")"
@@ -105,7 +112,7 @@ abs_runs_dir="${TEST_DIR}/abs_runs"
 rm -rf "${abs_runs_dir}"
 
 # When: run with absolute JAIPH_RUNS_DIR inside workspace
-JAIPH_DOCKER_ENABLED=true JAIPH_RUNS_DIR="${abs_runs_dir}" jaiph run "${TEST_DIR}/docker_abs_runs.jh" >/dev/null 2>&1
+JAIPH_DOCKER_ENABLED=true JAIPH_DOCKER_IMAGE="${E2E_DOCKER_TEST_IMAGE}" JAIPH_RUNS_DIR="${abs_runs_dir}" jaiph run "${TEST_DIR}/docker_abs_runs.jh" >/dev/null 2>&1
 
 # Then: artifacts should be under the absolute path on host
 abs_run_dir="$(e2e::run_dir_at "${abs_runs_dir}" "docker_abs_runs.jh")"
@@ -131,9 +138,29 @@ EOF
 
 # When/Then: absolute path outside workspace should fail
 outside_dir="/tmp/jaiph-outside-workspace-test-$$"
-if JAIPH_DOCKER_ENABLED=true JAIPH_RUNS_DIR="${outside_dir}" jaiph run "${TEST_DIR}/docker_outside.jh" >/dev/null 2>&1; then
+if JAIPH_DOCKER_ENABLED=true JAIPH_DOCKER_IMAGE="${E2E_DOCKER_TEST_IMAGE}" JAIPH_RUNS_DIR="${outside_dir}" jaiph run "${TEST_DIR}/docker_outside.jh" >/dev/null 2>&1; then
   rm -rf "${outside_dir}"
   e2e::fail "docker: absolute JAIPH_RUNS_DIR outside workspace should fail"
 fi
 rm -rf "${outside_dir}"
 e2e::pass "docker: absolute JAIPH_RUNS_DIR outside workspace exits non-zero"
+
+e2e::section "docker run artifacts — image without jaiph fails fast"
+
+# Given: a workflow and a stock image that does NOT contain jaiph
+e2e::file "docker_no_jaiph.jh" <<'EOF'
+script greet_impl = ```
+echo "should not run"
+```
+workflow default() {
+  run greet_impl()
+}
+EOF
+
+# When/Then: using an image without jaiph should fail with E_DOCKER_NO_JAIPH
+error_output=""
+if error_output="$(JAIPH_DOCKER_ENABLED=true JAIPH_DOCKER_IMAGE=node:20-bookworm-slim jaiph run "${TEST_DIR}/docker_no_jaiph.jh" 2>&1)"; then
+  e2e::fail "docker: image without jaiph should fail"
+fi
+# assert_contains: error message varies by image name and guidance text
+e2e::assert_contains "${error_output}" "E_DOCKER_NO_JAIPH" "docker: missing jaiph produces E_DOCKER_NO_JAIPH error"
diff --git a/e2e/tests/73_docker_dockerfile_detection.sh b/e2e/tests/73_docker_dockerfile_detection.sh
deleted file mode 100644
index 2bf3fee2..00000000
--- a/e2e/tests/73_docker_dockerfile_detection.sh
+++ /dev/null
@@ -1,133 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
-source "${ROOT_DIR}/e2e/lib/common.sh"
-trap e2e::cleanup EXIT
-
-e2e::prepare_test_env "docker_dockerfile_detection"
-TEST_DIR="${JAIPH_E2E_TEST_DIR}"
-
-# Gate on Docker availability — skip gracefully when Docker is not installed.
-if ! command -v docker >/dev/null 2>&1 || ! docker info >/dev/null 2>&1; then
-  e2e::section "docker dockerfile detection (skipped — Docker unavailable)"
-  e2e::skip "Docker is not available, skipping Dockerfile detection tests"
-  exit 0
-fi
-
-e2e::section "docker dockerfile detection — custom Dockerfile builds and runs"
-
-# Given: a .jaiph/Dockerfile that produces a minimal image with a marker file
-mkdir -p "${TEST_DIR}/.jaiph"
-cat > "${TEST_DIR}/.jaiph/Dockerfile" <<'DOCKERFILE'
-FROM node:20-bookworm
-RUN touch /jaiph-runtime-marker
-DOCKERFILE
-
-e2e::file "dockerfile_detect.jh" <<'EOF'
-script check_marker_impl = ```
-test -f /jaiph-runtime-marker && echo "marker found"
-```
-rule check_marker() {
-  run check_marker_impl()
-}
-
-workflow default() {
-  ensure check_marker()
-}
-EOF
-
-# When: run with Docker enabled and no explicit docker_image
-JAIPH_DOCKER_ENABLED=true jaiph run "${TEST_DIR}/dockerfile_detect.jh" >/dev/null 2>&1
-
-# Then: the workflow should succeed (marker file present = custom image was used)
-run_dir="$(e2e::run_dir "dockerfile_detect.jh")"
-e2e::expect_run_file "dockerfile_detect.jh" "000003-script__check_marker_impl.out" "marker found"
-e2e::pass "docker: .jaiph/Dockerfile detected and image built"
-
-e2e::section "docker dockerfile detection — explicit image skips Dockerfile"
-
-# Given: same workspace with .jaiph/Dockerfile, but explicit image set
-e2e::file "dockerfile_skip.jh" <<'EOF'
-script check_no_marker_impl = ```
-if test -f /jaiph-runtime-marker; then
-  echo "marker unexpectedly found"
-  exit 1
-fi
-echo "no marker"
-```
-rule check_no_marker() {
-  run check_no_marker_impl()
-}
-
-workflow default() {
-  ensure check_no_marker()
-}
-EOF
-
-# When: run with Docker enabled AND explicit image (should skip Dockerfile)
-JAIPH_DOCKER_ENABLED=true JAIPH_DOCKER_IMAGE=node:20-bookworm jaiph run "${TEST_DIR}/dockerfile_skip.jh" >/dev/null 2>&1
-
-# Then: the marker file should NOT exist (stock pulled image, not custom build)
-e2e::expect_run_file "dockerfile_skip.jh" "000003-script__check_no_marker_impl.out" "no marker"
-e2e::pass "docker: explicit image skips .jaiph/Dockerfile"
-
-e2e::section "docker dockerfile detection — fallback without Dockerfile"
-
-# Given: a separate test dir without .jaiph/Dockerfile
-fallback_dir="$(mktemp -d "${JAIPH_E2E_WORK_DIR}/docker_fallback.XXXXXX")"
-cat > "${fallback_dir}/fallback.jh" <<'EOF'
-script greet_impl = ```
-echo "hello fallback"
-```
-rule greet() {
-  run greet_impl()
-}
-
-workflow default() {
-  ensure greet()
-}
-EOF
-
-# When: run with Docker enabled but no .jaiph/Dockerfile present
-JAIPH_DOCKER_ENABLED=true JAIPH_WORKSPACE="${fallback_dir}" jaiph run "${fallback_dir}/fallback.jh" >/dev/null 2>&1
-
-# Then: should use default Node image (bash + node for JS kernel) and succeed
-fallback_run_dir="$(e2e::run_dir_at "${fallback_dir}/.jaiph/runs" "fallback.jh")"
-fallback_summary="${fallback_run_dir}run_summary.jsonl"
-e2e::assert_file_exists "${fallback_summary}" "docker: fallback run_summary.jsonl exists"
-e2e::pass "docker: falls back to default image without .jaiph/Dockerfile"
-
-e2e::section "docker dockerfile detection — agent env vars are forwarded"
-
-# Given: a workflow that checks visibility of agent env vars
-e2e::file "envforward.jh" <<'EOF'
-script check_env_impl = ```
-echo "ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY:-unset}"
-echo "CURSOR_SESSION=${CURSOR_SESSION:-unset}"
-```
-rule check_env() {
-  run check_env_impl()
-}
-
-workflow default() {
-  ensure check_env()
-}
-EOF
-
-# When: run with agent env vars set on host
-JAIPH_DOCKER_ENABLED=true \
-  ANTHROPIC_API_KEY="test-key-123" \
-  CURSOR_SESSION="test-session-456" \
-  jaiph run "${TEST_DIR}/envforward.jh" >/dev/null 2>&1
-
-# Then: agent env vars are forwarded to the container (ANTHROPIC_*, CURSOR_* prefixes)
-run_dir="$(e2e::run_dir "envforward.jh")"
-out_content="$(<"${run_dir}000003-script__check_env_impl.out")"
-# assert_contains: script .out may include additional env vars or runtime-injected lines
-e2e::assert_contains "${out_content}" "ANTHROPIC_API_KEY=test-key-123" "docker: ANTHROPIC_API_KEY forwarded"
-# assert_contains: script .out may include additional env vars or runtime-injected lines
-e2e::assert_contains "${out_content}" "CURSOR_SESSION=test-session-456" "docker: CURSOR_SESSION forwarded"
-
-rm -rf "${fallback_dir}"
diff --git a/e2e/tests/74_docker_lifecycle.sh b/e2e/tests/74_docker_lifecycle.sh
index c2dd9dcb..54f2bbee 100755
--- a/e2e/tests/74_docker_lifecycle.sh
+++ b/e2e/tests/74_docker_lifecycle.sh
@@ -16,6 +16,13 @@ if ! command -v docker >/dev/null 2>&1 || ! docker info >/dev/null 2>&1; then
   exit 0
 fi
 
+# Build a local test image with jaiph installed from current source.
+if ! e2e::ensure_docker_test_image; then
+  e2e::section "docker lifecycle (skipped — test image build failed)"
+  e2e::skip "Could not build local Docker test image"
+  exit 0
+fi
+
 # ---------------------------------------------------------------------------
 # Early container exit / failed startup path
 # ---------------------------------------------------------------------------
@@ -39,7 +46,7 @@ EOF
 
 # When: run with Docker enabled — the container should fail and jaiph should
 # exit promptly (within 30 seconds), not hang in RUNNING.
-if timeout 30 bash -c "JAIPH_DOCKER_ENABLED=true jaiph run '${TEST_DIR}/early_exit.jh' >/dev/null 2>&1"; then
+if timeout 30 bash -c "JAIPH_DOCKER_ENABLED=true JAIPH_DOCKER_IMAGE='${E2E_DOCKER_TEST_IMAGE}' jaiph run '${TEST_DIR}/early_exit.jh' >/dev/null 2>&1"; then
   e2e::fail "docker: early_exit.jh should have failed but exited 0"
 fi
 exit_code=$?
@@ -77,7 +84,7 @@ workflow default() {
 EOF
 
 # When: run with Docker enabled
-if ! timeout 60 bash -c "JAIPH_DOCKER_ENABLED=true jaiph run '${TEST_DIR}/stream_check.jh' >/dev/null 2>&1"; then
+if ! timeout 60 bash -c "JAIPH_DOCKER_ENABLED=true JAIPH_DOCKER_IMAGE='${E2E_DOCKER_TEST_IMAGE}' jaiph run '${TEST_DIR}/stream_check.jh' >/dev/null 2>&1"; then
   e2e::fail "docker: stream_check.jh failed"
 fi
 
diff --git a/e2e/tests/74b_docker_signal_cleanup.sh b/e2e/tests/74b_docker_signal_cleanup.sh
new file mode 100755
index 00000000..2bafb709
--- /dev/null
+++ b/e2e/tests/74b_docker_signal_cleanup.sh
@@ -0,0 +1,73 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+source "${ROOT_DIR}/e2e/lib/common.sh"
+trap e2e::cleanup EXIT
+
+e2e::prepare_test_env "docker_signal_cleanup"
+TEST_DIR="${JAIPH_E2E_TEST_DIR}"
+
+# Gate on Docker availability — skip gracefully when Docker is not installed.
+if ! command -v docker >/dev/null 2>&1 || ! docker info >/dev/null 2>&1; then
+  e2e::section "docker signal cleanup (skipped — Docker unavailable)"
+  e2e::skip "Docker is not available, skipping Docker signal cleanup tests"
+  exit 0
+fi
+
+# Build a local test image with jaiph installed from current source.
+if ! e2e::ensure_docker_test_image; then
+  e2e::section "docker signal cleanup (skipped — test image build failed)"
+  e2e::skip "Could not build local Docker test image"
+  exit 0
+fi
+
+# ---------------------------------------------------------------------------
+# SIGINT during a Docker run must not leave .sandbox-* directories behind
+# ---------------------------------------------------------------------------
+
+e2e::section "docker signal cleanup — SIGINT leaves no sandbox dir"
+
+e2e::file "long_sleep.jh" <<'EOF'
+script sleep_impl = ```
+sleep 30
+```
+rule do_sleep() {
+  run sleep_impl()
+}
+
+workflow default() {
+  ensure do_sleep()
+}
+EOF
+
+runs_root="${TEST_DIR}/.jaiph/runs"
+mkdir -p "${runs_root}"
+
+# Start the workflow in the background, then send SIGINT after a short delay.
+JAIPH_DOCKER_ENABLED=true JAIPH_DOCKER_IMAGE="${E2E_DOCKER_TEST_IMAGE}" \
+  jaiph run "${TEST_DIR}/long_sleep.jh" >/dev/null 2>&1 &
+bg_pid=$!
+
+# Give the container time to start and create the sandbox dir.
+sleep 3
+
+# Send SIGINT to the jaiph process (mimics Ctrl-C).
+kill -INT "${bg_pid}" 2>/dev/null || true
+
+# Wait for jaiph to exit (with a timeout so the test doesn't hang).
+timeout 15 bash -c "wait ${bg_pid} 2>/dev/null; true" || true
+
+# Allow a brief moment for async cleanup.
+sleep 1
+
+# Assert no .sandbox-* directories remain under runs root.
+shopt -s nullglob
+sandbox_dirs=( "${runs_root}"/.sandbox-* )
+shopt -u nullglob
+
+if [[ ${#sandbox_dirs[@]} -gt 0 ]]; then
+  e2e::fail "docker signal cleanup: .sandbox-* dirs remain after SIGINT: ${sandbox_dirs[*]}"
+fi
+e2e::pass "docker signal cleanup: no .sandbox-* dirs after SIGINT"
diff --git a/e2e/tests/74c_docker_prepull.sh b/e2e/tests/74c_docker_prepull.sh
new file mode 100755
index 00000000..409b513e
--- /dev/null
+++ b/e2e/tests/74c_docker_prepull.sh
@@ -0,0 +1,103 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+source "${ROOT_DIR}/e2e/lib/common.sh"
+trap e2e::cleanup EXIT
+
+e2e::prepare_test_env "docker_prepull"
+TEST_DIR="${JAIPH_E2E_TEST_DIR}"
+
+# Gate on Docker availability — skip gracefully when Docker is not installed.
+if ! command -v docker >/dev/null 2>&1 || ! docker info >/dev/null 2>&1; then
+  e2e::section "docker prepull (skipped — Docker unavailable)"
+  e2e::skip "Docker is not available, skipping Docker prepull tests"
+  exit 0
+fi
+
+# Build a local test image with jaiph installed from current source.
+if ! e2e::ensure_docker_test_image; then
+  e2e::section "docker prepull (skipped — test image build failed)"
+  e2e::skip "Could not build local Docker test image"
+  exit 0
+fi
+
+# ---------------------------------------------------------------------------
+# Pre-pull: banner appears only after image preparation
+# ---------------------------------------------------------------------------
+
+e2e::section "docker prepull — banner after image prep, pulling line on stderr"
+
+e2e::file "prepull_check.jh" <<'EOF'
+script greet_impl = ```
+echo "hello from container"
+```
+rule greet() {
+  run greet_impl()
+}
+
+workflow default() {
+  ensure greet()
+}
+EOF
+
+# When: run with Docker enabled — capture stdout (banner) and stderr separately.
+stdout_file="${TEST_DIR}/prepull_stdout.txt"
+stderr_file="${TEST_DIR}/prepull_stderr.txt"
+
+timeout 60 bash -c "JAIPH_DOCKER_ENABLED=true JAIPH_DOCKER_IMAGE='${E2E_DOCKER_TEST_IMAGE}' jaiph run '${TEST_DIR}/prepull_check.jh'" \
+  >"${stdout_file}" 2>"${stderr_file}" || true
+
+# Then: stdout (banner) must contain the "running" line.
+stdout_content="$(<"${stdout_file}")"
+# assert_contains: banner includes workflow name and running marker; exact format varies by TTY/colour
+e2e::assert_contains "${stdout_content}" "workflow default" "docker prepull: banner appears in stdout"
+
+# Then: stderr must NOT contain Docker's native pull progress (layer hashes, progress bars).
+stderr_content="$(<"${stderr_file}")"
+if echo "${stderr_content}" | grep -qiE 'Pulling from|Downloading|Extracting|[0-9a-f]{12}:'; then
+  e2e::fail "docker prepull: Docker native pull progress leaked to stderr"
+fi
+e2e::pass "docker prepull: no Docker native pull progress in output"
+
+# ---------------------------------------------------------------------------
+# Cold pull: exactly one "pulling image" status line on stderr
+# ---------------------------------------------------------------------------
+
+e2e::section "docker prepull — cold pull status line"
+
+# Use a small image that is unlikely to be cached: alpine with a specific tag.
+# Remove it first to force a cold pull.
+COLD_IMAGE="alpine:3.20"
+docker rmi "${COLD_IMAGE}" >/dev/null 2>&1 || true
+
+e2e::file "cold_pull.jh" <<'EOF'
+script hello_impl = ```
+echo "hello"
+```
+rule hello() {
+  run hello_impl()
+}
+
+workflow default() {
+  ensure hello()
+}
+EOF
+
+# Run with the cold image — this will fail (alpine has no jaiph) but we only
+# care about the pull status line, not workflow success.
+cold_stderr="${TEST_DIR}/cold_stderr.txt"
+timeout 120 bash -c "JAIPH_DOCKER_ENABLED=true JAIPH_DOCKER_IMAGE='${COLD_IMAGE}' jaiph run '${TEST_DIR}/cold_pull.jh'" \
+  >/dev/null 2>"${cold_stderr}" || true
+
+cold_stderr_content="$(<"${cold_stderr}")"
+
+# assert_contains: the pulling status line includes the image name; exact wording is our contract
+e2e::assert_contains "${cold_stderr_content}" "pulling image ${COLD_IMAGE}" "docker prepull: pulling status line on cold pull"
+
+# Exactly one "pulling image" line.
+pull_count="$(grep -c "pulling image" "${cold_stderr}" || true)"
+e2e::assert_equals "${pull_count}" "1" "docker prepull: exactly one pulling status line"
+
+e2e::pass "docker prepull: cold pull status line correct"
diff --git a/e2e/tests/75_docker_live_step_output.sh b/e2e/tests/75_docker_live_step_output.sh
new file mode 100644
index 00000000..ee76f709
--- /dev/null
+++ b/e2e/tests/75_docker_live_step_output.sh
@@ -0,0 +1,112 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+source "${ROOT_DIR}/e2e/lib/common.sh"
+trap e2e::cleanup EXIT
+
+e2e::prepare_test_env "docker_live_step_output"
+TEST_DIR="${JAIPH_E2E_TEST_DIR}"
+
+# Gate on Docker availability — skip gracefully when Docker is not installed.
+if ! command -v docker >/dev/null 2>&1 || ! docker info >/dev/null 2>&1; then
+  e2e::section "docker live step output (skipped — Docker unavailable)"
+  e2e::skip "Docker is not available, skipping Docker live artifact test"
+  exit 0
+fi
+
+e2e::section "docker step .out/.err files grow live during execution"
+
+e2e::file "live_out_docker.jh" <<'WORKFLOW'
+script slow_writer_impl = ```
+echo "line-1"
+echo "err-1" >&2
+sleep 1
+echo "line-2"
+echo "err-2" >&2
+sleep 1
+echo "line-3"
+echo "err-3" >&2
+```
+rule slow_writer() {
+  run slow_writer_impl()
+}
+
+workflow default() {
+  ensure slow_writer()
+}
+WORKFLOW
+
+run_err="$(mktemp)"
+JAIPH_DOCKER_ENABLED=true jaiph run "${TEST_DIR}/live_out_docker.jh" 2>"${run_err}" &
+run_pid=$!
+
+out_file=""
+err_file=""
+for _ in $(seq 1 50); do
+  sleep 0.1
+  shopt -s nullglob
+  out_candidates=( "${TEST_DIR}/.jaiph/runs/"*/*"live_out_docker.jh/"*slow_writer_impl.out )
+  err_candidates=( "${TEST_DIR}/.jaiph/runs/"*/*"live_out_docker.jh/"*slow_writer_impl.err )
+  shopt -u nullglob
+  if [[ ${#out_candidates[@]} -ge 1 && ${#err_candidates[@]} -ge 1 ]]; then
+    out_file="${out_candidates[0]}"
+    err_file="${err_candidates[0]}"
+    break
+  fi
+done
+
+sleep 1
+if ! kill -0 "$run_pid" 2>/dev/null; then
+  e2e::fail "docker run finished before live sample; increase slow_writer duration"
+fi
+
+mid_out_size=""
+mid_err_size=""
+if [[ -n "$out_file" && -f "$out_file" ]]; then
+  mid_out_size="$(wc -c < "$out_file")"
+fi
+if [[ -n "$err_file" && -f "$err_file" ]]; then
+  mid_err_size="$(wc -c < "$err_file")"
+fi
+
+wait "$run_pid" || true
+rm -f "${run_err}"
+
+if [[ -z "$out_file" || -z "$err_file" ]]; then
+  e2e::fail "docker out/err files never appeared during execution"
+fi
+
+if [[ -z "$mid_out_size" || "$mid_out_size" -eq 0 ]]; then
+  e2e::fail "docker out file was empty when sampled mid-execution (mid_out_size=${mid_out_size:-<empty>})"
+fi
+if [[ -z "$mid_err_size" || "$mid_err_size" -eq 0 ]]; then
+  e2e::fail "docker err file was empty when sampled mid-execution (mid_err_size=${mid_err_size:-<empty>})"
+fi
+
+final_out_size="$(wc -c < "$out_file")"
+if [[ "$final_out_size" -gt "$mid_out_size" ]]; then
+  e2e::pass "docker out file grew live: mid=${mid_out_size}B final=${final_out_size}B"
+elif [[ "$final_out_size" -eq "$mid_out_size" && "$final_out_size" -gt 0 ]]; then
+  e2e::pass "docker out file was live-written (sampled ${mid_out_size}B, final ${final_out_size}B)"
+else
+  e2e::fail "docker out file did not grow (mid=${mid_out_size}B final=${final_out_size}B)"
+fi
+
+final_err_size="$(wc -c < "$err_file")"
+if [[ "$final_err_size" -gt "$mid_err_size" ]]; then
+  e2e::pass "docker err file grew live: mid=${mid_err_size}B final=${final_err_size}B"
+elif [[ "$final_err_size" -eq "$mid_err_size" && "$final_err_size" -gt 0 ]]; then
+  e2e::pass "docker err file was live-written (sampled ${mid_err_size}B, final ${final_err_size}B)"
+else
+  e2e::fail "docker err file did not grow (mid=${mid_err_size}B final=${final_err_size}B)"
+fi
+
+final_content="$(<"$out_file")"
+expected_out="$(printf 'line-1\nline-2\nline-3')"
+e2e::assert_equals "${final_content}" "${expected_out}" "docker final .out content"
+
+final_err_content="$(<"$err_file")"
+expected_err="$(printf 'err-1\nerr-2\nerr-3')"
+e2e::assert_equals "${final_err_content}" "${expected_err}" "docker final .err content"
diff --git a/e2e/tests/76_docker_failure_parity.sh b/e2e/tests/76_docker_failure_parity.sh
new file mode 100755
index 00000000..bc491df1
--- /dev/null
+++ b/e2e/tests/76_docker_failure_parity.sh
@@ -0,0 +1,181 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+source "${ROOT_DIR}/e2e/lib/common.sh"
+trap e2e::cleanup EXIT
+
+e2e::prepare_test_env "docker_failure_parity"
+TEST_DIR="${JAIPH_E2E_TEST_DIR}"
+
+# Gate on Docker availability — skip gracefully when Docker is not installed.
+if ! command -v docker >/dev/null 2>&1 || ! docker info >/dev/null 2>&1; then
+  e2e::section "docker failure parity (skipped — Docker unavailable)"
+  e2e::skip "Docker is not available, skipping Docker failure parity tests"
+  exit 0
+fi
+
+# Build a local test image with jaiph installed from current source.
+if ! e2e::ensure_docker_test_image; then
+  e2e::section "docker failure parity (skipped — test image build failed)"
+  e2e::skip "Could not build local Docker test image"
+  exit 0
+fi
+
+# Normalize a failure footer for full-output equality between docker and
+# no-sandbox modes. Strips ANSI, collapses timing values, and rewrites the
+# mode-specific runs root + sandbox tmpdir to a stable token so paths align.
+e2e::norm_footer() {
+  local input="$1"
+  local nosandbox_runs="$2"
+  local docker_runs="$3"
+  printf "%s" "${input}" \
+    | sed -E $'s/\x1B\\[[0-9;]*[A-Za-z]//g' \
+    | sed -E 's/^(Jaiph: Running [^ ]+) \(.+\)$/\1/' \
+    | sed -E 's/\(([0-9]+(\.[0-9]+)?s|[0-9]+m [0-9]+s)\)/(<time>)/g' \
+    | sed -E 's/\(([0-9]+(\.[0-9]+)?s|[0-9]+m [0-9]+s) failed\)/(<time> failed)/g' \
+    | sed -E 's/✓ ([0-9]+)(\.[0-9]+)?s/✓ <time>/g' \
+    | sed -E 's/✗ ([0-9]+)(\.[0-9]+)?s/✗ <time>/g' \
+    | sed -E "s|${nosandbox_runs}|<RUNS>|g" \
+    | sed -E "s|${docker_runs}|<RUNS>|g" \
+    | sed -E 's|<RUNS>/[0-9]{4}-[0-9]{2}-[0-9]{2}/[0-9]{2}-[0-9]{2}-[0-9]{2}-|<RUNS>/<DATE>/<TIME>-|g' \
+    | sed -E 's/[[:space:]]+$//g'
+}
+
+e2e::expect_parity() {
+  local label="$1"
+  local nosandbox_err="$2"
+  local docker_err="$3"
+  local nosandbox_runs="$4"
+  local docker_runs="$5"
+
+  local norm_nosandbox norm_docker
+  norm_nosandbox="$(e2e::norm_footer "${nosandbox_err}" "${nosandbox_runs}" "${docker_runs}")"
+  norm_docker="$(e2e::norm_footer "${docker_err}" "${nosandbox_runs}" "${docker_runs}")"
+
+  if [[ "${norm_nosandbox}" != "${norm_docker}" ]]; then
+    {
+      printf 'docker vs no-sandbox stderr differ for %s\n' "${label}"
+      printf '─── no-sandbox (normalized) ───\n%s\n' "${norm_nosandbox}"
+      printf '─── docker (normalized) ───\n%s\n' "${norm_docker}"
+      printf '─── diff ───\n'
+      diff <(printf '%s\n' "${norm_nosandbox}") <(printf '%s\n' "${norm_docker}") || true
+    } >&2
+    e2e::fail "${label}: full output parity"
+  fi
+  e2e::pass "${label}: full output parity (docker == no-sandbox after normalization)"
+}
+
+run_workflow_capture() {
+  local mode="$1"   # "nosandbox" or "docker"
+  local file="$2"
+  local runs_dir="$3"
+  shift 3
+  local err
+  err="$(mktemp)"
+  rm -rf "${runs_dir}"
+  if [[ "${mode}" == "nosandbox" ]]; then
+    if JAIPH_UNSAFE=true JAIPH_RUNS_DIR="${runs_dir}" jaiph run "${file}" "$@" 2>"${err}" >/dev/null; then
+      cat "${err}" >&2
+      rm -f "${err}"
+      e2e::fail "no-sandbox: ${file} should have failed"
+    fi
+  else
+    if JAIPH_DOCKER_ENABLED=true \
+       JAIPH_DOCKER_IMAGE="${E2E_DOCKER_TEST_IMAGE}" \
+       JAIPH_RUNS_DIR="${runs_dir}" \
+       jaiph run "${file}" "$@" 2>"${err}" >/dev/null; then
+      cat "${err}" >&2
+      rm -f "${err}"
+      e2e::fail "docker: ${file} should have failed"
+    fi
+  fi
+  cat "${err}"
+  rm -f "${err}"
+}
+
+# ─────────────────────────────────────────────────────────────────────────
+# Scenario A: script-step failure (validate_name exits 1)
+# ─────────────────────────────────────────────────────────────────────────
+
+e2e::section "docker vs no-sandbox: script-step failure produces identical footer"
+
+e2e::file "fail_script.jh" <<'EOF'
+script validate_name = ```
+if [ -z "$1" ]; then
+  echo "You didn't provide your name :(" >&2
+  exit 1
+fi
+```
+
+rule name_was_provided(name) {
+  run validate_name(name)
+}
+
+workflow default(name) {
+  ensure name_was_provided(name)
+}
+EOF
+
+NS_RUNS_A="${TEST_DIR}/runs_nosandbox_a"
+DK_RUNS_A="${TEST_DIR}/runs_docker_a"
+ns_err_a="$(run_workflow_capture nosandbox "${TEST_DIR}/fail_script.jh" "${NS_RUNS_A}")"
+dk_err_a="$(run_workflow_capture docker    "${TEST_DIR}/fail_script.jh" "${DK_RUNS_A}")"
+
+e2e::expect_parity "script-step failure" "${ns_err_a}" "${dk_err_a}" "${NS_RUNS_A}" "${DK_RUNS_A}"
+
+# Verify Docker paths point at the host filesystem (no container path leak)
+if echo "${dk_err_a}" | grep -q '/jaiph/run/'; then
+  printf 'docker stderr contains container path /jaiph/run/:\n%s\n' "${dk_err_a}" >&2
+  e2e::fail "docker (script): footer must not contain container-internal paths"
+fi
+e2e::pass "docker (script): no container-internal /jaiph/run/ paths leaked"
+
+# Verify artifact files exist at the paths shown in the Docker footer
+docker_run_dir_a="$(e2e::run_dir_at "${DK_RUNS_A}" "fail_script.jh")"
+e2e::assert_file_exists "${docker_run_dir_a}run_summary.jsonl" "docker (script): run_summary.jsonl exists on host"
+
+# ─────────────────────────────────────────────────────────────────────────
+# Scenario B: rule-fail via match `fail "..."` (no script step at all)
+# This is the path the user actually hit (validate via match arm).
+# ─────────────────────────────────────────────────────────────────────────
+
+e2e::section "docker vs no-sandbox: match-fail in rule produces identical footer"
+
+e2e::file "fail_rule.jh" <<'EOF'
+rule name_was_provided(name) {
+  match name {
+    "" => fail "You didn't provide your name :("
+    _  => name
+  }
+}
+
+workflow default(name) {
+  ensure name_was_provided(name)
+}
+EOF
+
+NS_RUNS_B="${TEST_DIR}/runs_nosandbox_b"
+DK_RUNS_B="${TEST_DIR}/runs_docker_b"
+ns_err_b="$(run_workflow_capture nosandbox "${TEST_DIR}/fail_rule.jh" "${NS_RUNS_B}")"
+dk_err_b="$(run_workflow_capture docker    "${TEST_DIR}/fail_rule.jh" "${DK_RUNS_B}")"
+
+e2e::expect_parity "rule match-fail" "${ns_err_b}" "${dk_err_b}" "${NS_RUNS_B}" "${DK_RUNS_B}"
+
+if echo "${dk_err_b}" | grep -q '/jaiph/run/'; then
+  printf 'docker stderr contains container path /jaiph/run/:\n%s\n' "${dk_err_b}" >&2
+  e2e::fail "docker (rule): footer must not contain container-internal paths"
+fi
+e2e::pass "docker (rule): no container-internal /jaiph/run/ paths leaked"
+
+# Sanity: footer must surface artifacts (the empty-footer regression we are
+# guarding against would skip these entirely).
+e2e::assert_contains "${dk_err_b}" "Logs: " "docker (rule): footer has Logs: line"
+e2e::assert_contains "${dk_err_b}" "Summary: " "docker (rule): footer has Summary: line"
+e2e::assert_contains "${dk_err_b}" "err: " "docker (rule): footer has err: path"
+e2e::assert_contains "${dk_err_b}" "You didn't provide your name :(" \
+  "docker (rule): failed-step output is rendered"
+
+docker_run_dir_b="$(e2e::run_dir_at "${DK_RUNS_B}" "fail_rule.jh")"
+e2e::assert_file_exists "${docker_run_dir_b}run_summary.jsonl" "docker (rule): run_summary.jsonl exists on host"
diff --git a/e2e/tests/95_say_hello_failure_output.sh b/e2e/tests/95_say_hello_failure_output.sh
index c488867f..f68a2e3d 100755
--- a/e2e/tests/95_say_hello_failure_output.sh
+++ b/e2e/tests/95_say_hello_failure_output.sh
@@ -11,9 +11,9 @@ TEST_DIR="${JAIPH_E2E_TEST_DIR}"
 
 e2e::section "say_hello.test.jh exact failing output"
 
-# Given
-cp "${ROOT_DIR}/e2e/say_hello.jh" "${TEST_DIR}/say_hello.jh"
-cp "${ROOT_DIR}/e2e/say_hello.test.jh" "${TEST_DIR}/say_hello.test.jh"
+# Given — use the canonical examples/ fixtures (single source of truth)
+cp "${ROOT_DIR}/examples/say_hello.jh" "${TEST_DIR}/say_hello.jh"
+cp "${ROOT_DIR}/examples/say_hello.test.jh" "${TEST_DIR}/say_hello.test.jh"
 
 # When
 set +e
diff --git a/examples/recover_loop.jh b/examples/recover_loop.jh
old mode 100644
new mode 100755
index 4f38ad1a..c81260ae
--- a/examples/recover_loop.jh
+++ b/examples/recover_loop.jh
@@ -1,17 +1,20 @@
 #!/usr/bin/env jaiph
 
-# Recursive recovery: when a check fails, prompt an agent to fix it,
-# then retry via run default(). Jaiph CI uses the same pattern to
-# auto-fix failing tests — see .jaiph/ensure_ci_passes.jh
-script check_report = `test -f report.txt`
-
-rule report_exists() {
-  run check_report()
-}
+# scripts are defined in fenced blocks or single line backticks
+# by default it's bash, but it cany be any env: ```node, ```python3, etc.
+script check_report_exists = ```
+  test -f report.txt
+```
 
 workflow default() {
-  ensure report_exists() catch (failure) {
+  # Recovery in loop: when check_report_exists() fails, the recovery body
+  # is executed to fix it, and then check_report_exists() is retried.
+  # By default, the retry limit is 10.
+  run check_report_exists() recover (failure) {
+    logerr "Failed to check report.txt"
     prompt "report.txt is missing. Create it with a short dummy summary."
-    run default()
   }
+
+  # scripts can be also executed inline
+  return run `cat report.txt`()
 }
diff --git a/examples/recover_loop.test.jh b/examples/recover_loop.test.jh
index b2282f0c..fd50ff50 100644
--- a/examples/recover_loop.test.jh
+++ b/examples/recover_loop.test.jh
@@ -3,7 +3,7 @@
 import "recover_loop.jh" as rl
 
 test "report exists on first attempt skips catch" {
-  mock script rl.check_report() {
+  mock script rl.check_report_exists() {
     exit 0
   }
   run rl.default()
diff --git a/examples/say_hello.jh b/examples/say_hello.jh
index bf6b5b09..c2d7025c 100755
--- a/examples/say_hello.jh
+++ b/examples/say_hello.jh
@@ -1,22 +1,17 @@
 #!/usr/bin/env jaiph
 
-# scripts are defined in fenced blocks or single line backticks
-# by default it's bash, but it cany be any env: ```node, ```python3, etc.
-script validate_name = ```
-  if [ -z "$1" ]; then
-    echo "You didn't provide your name :(" >&2
-    exit 1
-  fi
-```
-
-# rules are always executed on readonly filesystem
-rule name_was_provided(name) {
-  run validate_name(name)
+# rules are executed on readonly filesystem
+rule valid_name(name_arg) {
+  return match name_arg {
+    /[A-Z][a-z]+/ => name_arg
+    "" => fail "You didn't provide your name :("
+    _ => fail "You provided an invalid name :("
+  }
 }
 
 # workflows are main unit of orchestration
-workflow default(name) {
-  ensure name_was_provided(name)
+workflow default(name_arg) {
+  const name = ensure valid_name(name_arg)
 
   # prompts call agents - cursor by default, but it's configurable
   const response = prompt """
@@ -24,5 +19,5 @@ workflow default(name) {
     Respond with a single line. Do not inspect files or run tools.
   """
 
-  log response
+  return response
 }
diff --git a/examples/say_hello.test.jh b/examples/say_hello.test.jh
index 1bfa708c..cf998ace 100755
--- a/examples/say_hello.test.jh
+++ b/examples/say_hello.test.jh
@@ -16,8 +16,12 @@ test "without name, workflow fails with validation message" {
 
 test "with name, returns greeting and logs response" {
   # Given
-  mock prompt "Hello Alice! Fun fact: Alice in Wonderland was written by Lewis Carroll."
+  const expected_response = "Hello Alice! Fun fact: Alice in Wonderland was written by Lewis Carroll."
+  mock prompt expected_response
 
   # When
-  run hello.default("Alice")
+  const response = run hello.default("Alice")
+
+  # Then
+  expect_equal response expected_response
 }
diff --git a/package-lock.json b/package-lock.json
index f8f19347..2dbbe150 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "jaiph",
-  "version": "0.9.2",
+  "version": "0.9.3",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "jaiph",
-      "version": "0.9.2",
+      "version": "0.9.3",
       "bin": {
         "jaiph": "dist/src/cli.js"
       },
diff --git a/package.json b/package.json
index ff3cda41..3e762c28 100644
--- a/package.json
+++ b/package.json
@@ -1,13 +1,14 @@
 {
   "name": "jaiph",
-  "version": "0.9.2",
+  "version": "0.9.3",
   "description": "jaiph compiler/transpiler",
   "repository": {
     "type": "git",
     "url": "https://github.com/jaiphlang/jaiph.git"
   },
   "files": [
-    "dist/src/"
+    "dist/src/",
+    "runtime/overlay-run.sh"
   ],
   "type": "commonjs",
   "bin": {
@@ -15,11 +16,11 @@
   },
   "scripts": {
     "clean": "rm -rf dist",
-    "build": "tsc -p tsconfig.json && node -e \"require('node:fs').cpSync('src/runtime','dist/src/runtime',{recursive:true})\"",
+    "build": "tsc -p tsconfig.json && node -e \"require('node:fs').cpSync('src/runtime','dist/src/runtime',{recursive:true})\" && node -e \"require('node:fs').cpSync('runtime/overlay-run.sh','dist/src/runtime/overlay-run.sh')\"",
     "build:standalone": "npm run build && node -e \"const fs=require('node:fs'); fs.cpSync('dist/src/runtime','dist/runtime',{recursive:true});\" && bun build --compile ./src/cli.ts --outfile ./dist/jaiph",
     "test:compiler": "npm run build && node --test dist/src/compiler-test-runner.js",
     "test:golden-ast": "npm run build && node --test dist/src/golden-ast-runner.js",
-    "test": "npm run clean && npm run build && NODE_OPTIONS='--max-old-space-size=32768 --enable-source-maps' node --test dist/test/*.test.js $(find dist/src -name '*.test.js' -o -name '*.acceptance.test.js') dist/src/compiler-test-runner.js dist/src/golden-ast-runner.js",
+    "test": "npm run clean && npm run build && JAIPH_UNSAFE=true NODE_OPTIONS='--max-old-space-size=32768 --enable-source-maps' node --test dist/test/*.test.js $(find dist/src -name '*.test.js' -o -name '*.acceptance.test.js') dist/src/compiler-test-runner.js dist/src/golden-ast-runner.js",
     "test:acceptance:compiler": "npm run build && node --test $(find dist/src -name '*.acceptance.test.js')",
     "test:acceptance:runtime": "bash ./e2e/test_all.sh",
     "test:acceptance": "npm run test:acceptance:compiler && npm run test:acceptance:runtime",
diff --git a/runtime/Dockerfile b/runtime/Dockerfile
new file mode 100644
index 00000000..89dd8da8
--- /dev/null
+++ b/runtime/Dockerfile
@@ -0,0 +1,95 @@
+FROM node:22-bookworm-slim AS builder
+
+WORKDIR /src
+COPY package.json package-lock.json tsconfig.json ./
+COPY src ./src
+COPY runtime/overlay-run.sh ./runtime/overlay-run.sh
+RUN npm ci && npm run build && npm pack --pack-destination /tmp >/dev/null && mv /tmp/jaiph-*.tgz /tmp/jaiph.tgz
+
+FROM ubuntu:24.04
+
+# Broad workflow toolchain + fuse-overlayfs for CoW sandbox.
+# This image is intended to execute diverse custom scripts, so we include
+# common build, scripting, archive, and network diagnostics tooling.
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+      bash \
+      curl \
+      wget \
+      git \
+      ca-certificates \
+      gnupg \
+      jq \
+      ripgrep \
+      unzip \
+      zip \
+      xz-utils \
+      procps \
+      iproute2 \
+      dnsutils \
+      netcat-openbsd \
+      openssh-client \
+      python3 \
+      python3-pip \
+      python-is-python3 \
+      util-linux \
+      make \
+      g++ \
+      fuse-overlayfs \
+      fuse3 \
+      rsync && \
+    rm -rf /var/lib/apt/lists/*
+
+# Node.js for running jaiph
+RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - && \
+    apt-get install -y --no-install-recommends nodejs && \
+    rm -rf /var/lib/apt/lists/*
+
+# Non-root user for agent CLIs and default shell behavior. /jaiph/workspace is
+# root-owned because Linux overlay mode mounts there as --user 0:0.
+RUN useradd --create-home --uid 10001 --shell /bin/bash jaiph && \
+    mkdir -p /jaiph/workspace /jaiph/workspace-ro /jaiph/run && \
+    chown -R jaiph:jaiph /jaiph && \
+    chown root:root /jaiph/workspace && \
+    chmod 755 /home/jaiph
+
+# Claude Code CLI (Anthropic) — global install for all users
+RUN npm install -g @anthropic-ai/claude-code
+
+# Install jaiph built from repository source (builder stage).
+COPY --from=builder /tmp/jaiph.tgz /tmp/jaiph.tgz
+RUN npm install -g /tmp/jaiph.tgz && rm -f /tmp/jaiph.tgz
+
+USER jaiph
+ENV HOME=/home/jaiph
+ENV PATH="/home/jaiph/.local/bin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+# cursor-agent (Cursor) — install as the runtime user so the binary is
+# reachable after switching away from root. The installer currently places
+# the CLI in ~/.local/bin and may name it "agent" or "cursor".
+RUN mkdir -p "$HOME/.local/bin" && \
+    curl -fsSL https://cursor.com/install -o /tmp/install-cursor-agent.sh && \
+    bash /tmp/install-cursor-agent.sh && \
+    export PATH="$HOME/.local/bin:$PATH" && \
+    if command -v cursor-agent >/dev/null 2>&1; then \
+      true; \
+    elif command -v agent >/dev/null 2>&1; then \
+      ln -sf "$(command -v agent)" "$HOME/.local/bin/cursor-agent"; \
+    elif command -v cursor >/dev/null 2>&1; then \
+      ln -sf "$(command -v cursor)" "$HOME/.local/bin/cursor-agent"; \
+    fi && \
+    command -v cursor-agent >/dev/null 2>&1 && \
+    rm -f /tmp/install-cursor-agent.sh
+
+# At runtime the container drops to the host UID (overlay mode) or starts as
+# the host UID directly (copy mode) — neither is the `jaiph` user that owns
+# /home/jaiph. cursor-agent (~/.cursor) and claude CLI (~/.claude*) need to
+# create state files inside HOME, which would fail without write permission.
+# Apply 1777 (world-writable + sticky) to every dir under /home/jaiph so any
+# UID can create new files; existing files keep their modes and the sticky bit
+# prevents non-owners from deleting/replacing the installed binaries.
+USER root
+RUN find /home/jaiph -type d -exec chmod 1777 {} +
+USER jaiph
+
+WORKDIR /jaiph/workspace
diff --git a/runtime/overlay-run.sh b/runtime/overlay-run.sh
new file mode 100755
index 00000000..e7877b6c
--- /dev/null
+++ b/runtime/overlay-run.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+set -euo pipefail
+LOWER=/jaiph/workspace-ro
+UPPER=/tmp/overlay-upper
+WORK=/tmp/overlay-work
+MERGED=/jaiph/workspace
+RUN_DIR=/jaiph/run
+mkdir -p "$UPPER" "$WORK" "$MERGED"
+
+if ! command -v fuse-overlayfs >/dev/null 2>&1; then
+  printf 'E_DOCKER_OVERLAY fuse-overlayfs not found in image; install it or set JAIPH_DOCKER_NO_OVERLAY=1 on the host to use the copy sandbox path\n' >&2
+  exit 78
+fi
+if [ ! -e /dev/fuse ]; then
+  printf 'E_DOCKER_OVERLAY /dev/fuse not present in container; pass --device /dev/fuse or set JAIPH_DOCKER_NO_OVERLAY=1 to use the copy sandbox path\n' >&2
+  exit 78
+fi
+if ! fuse-overlayfs -o "lowerdir=$LOWER,upperdir=$UPPER,workdir=$WORK,allow_other" "$MERGED" 2>/tmp/jaiph-fuse-overlay.err; then
+  reason="$(tr '\n' ' ' </tmp/jaiph-fuse-overlay.err | sed 's/[[:space:]]\+/ /g; s/^ //; s/ $//')"
+  printf 'E_DOCKER_OVERLAY fuse-overlayfs mount failed: %s\n' "$reason" >&2
+  exit 78
+fi
+
+cd "$MERGED"
+
+# Drop to host UID/GID after mounting overlay as root.
+if [ -n "${JAIPH_HOST_UID:-}" ] && [ -n "${JAIPH_HOST_GID:-}" ] && command -v setpriv >/dev/null 2>&1; then
+  chown "$JAIPH_HOST_UID:$JAIPH_HOST_GID" "$RUN_DIR" 2>/dev/null || true
+  exec setpriv --reuid="$JAIPH_HOST_UID" --regid="$JAIPH_HOST_GID" --clear-groups -- "$@"
+fi
+exec "$@"
diff --git a/safe_name b/safe_name
deleted file mode 100644
index 40cbcc24..00000000
--- a/safe_name
+++ /dev/null
@@ -1,6 +0,0 @@
-Script started on Thu Apr  9 16:59:55 2026
-Command: =
-script: =: No such file or directory
-
-Command exit status: 1
-Script done on Thu Apr  9 16:59:55 2026
diff --git a/src/cli/commands/format-params-display.test.ts b/src/cli/commands/format-params-display.test.ts
index 064b9d19..c5b4beb9 100644
--- a/src/cli/commands/format-params-display.test.ts
+++ b/src/cli/commands/format-params-display.test.ts
@@ -125,6 +125,25 @@ test("buildStepDisplayParamPairs uses declared names when arity matches", () =>
   ]);
 });
 
+test("formatNamedParamsForDisplay does not produce backslash-quote escaping", () => {
+  const params: Array<[string, string]> = [
+    ["message", 'Found 3 issues in "auth" module'],
+  ];
+  const result = formatNamedParamsForDisplay(params);
+  assert.ok(!result.includes('\\"'), "no backslash-quote escaping in display output");
+  assert.ok(result.includes('"auth"'), "inner quotes pass through for readability");
+  assert.equal(result, ' (message="Found 3 issues in "auth" module")');
+});
+
+test("formatParamsForDisplay does not produce backslash-quote escaping", () => {
+  const params: Array<[string, string]> = [
+    ["message", 'Found 3 issues in "auth" module'],
+  ];
+  const result = formatParamsForDisplay(params);
+  assert.ok(!result.includes('\\"'), "no backslash-quote escaping in display output");
+  assert.ok(result.includes('"auth"'), "inner quotes pass through for readability");
+});
+
 test("buildStepDisplayParamPairs falls back to numeric or argN positional keys", () => {
   assert.deepEqual(buildStepDisplayParamPairs(["x"], undefined, { positionalStyle: "numeric" }), [["1", "x"]]);
   assert.deepEqual(buildStepDisplayParamPairs(["x"], [], { positionalStyle: "numeric" }), [["1", "x"]]);
diff --git a/src/cli/commands/format-params.ts b/src/cli/commands/format-params.ts
index 937d6562..9699c1a8 100644
--- a/src/cli/commands/format-params.ts
+++ b/src/cli/commands/format-params.ts
@@ -66,7 +66,7 @@ export function formatNamedParamsForDisplay(params: Array<[string, string]>, opt
     const normalized = normalizeParamValue(v);
     const visible =
       normalized.length > MAX_PARAM_VALUE_DISPLAY ? `${normalized.slice(0, MAX_PARAM_VALUE_DISPLAY)}...` : normalized;
-    const escaped = visible.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
+    const escaped = visible.replace(/\\/g, "\\\\");
     const isPositional = /^arg\d+$/.test(k) || /^[1-9]\d*$/.test(k);
     const key = allPositional && isPositional ? String(positionalSeq++) : displayKey(k);
     return `${key}="${escaped}"`;
@@ -91,7 +91,7 @@ export function formatParamsForDisplay(params: Array<[string, string]>, options?
     const visible =
       normalized.length > MAX_PARAM_VALUE_DISPLAY ? `${normalized.slice(0, MAX_PARAM_VALUE_DISPLAY)}...` : normalized;
     const needsQuotes = /[\s,]/.test(visible) || visible.includes('"');
-    const escaped = visible.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
+    const escaped = visible.replace(/\\/g, "\\\\");
     return needsQuotes ? `"${escaped}"` : visible;
   });
   let result = ` (${parts.join(", ")})`;
diff --git a/src/cli/commands/init.test.ts b/src/cli/commands/init.test.ts
index e411f5db..3602130d 100644
--- a/src/cli/commands/init.test.ts
+++ b/src/cli/commands/init.test.ts
@@ -7,7 +7,6 @@ import { runInit } from "./init";
 import { parsejaiph } from "../../parser";
 
 const CANONICAL_GITIGNORE = "runs\ntmp\n";
-const JAIPH_INSTALL_COMMAND = "curl -fsSL https://jaiph.org/install | bash";
 
 function makeTempDir(): string {
   const dir = join(tmpdir(), `jaiph-init-test-${Date.now()}-${Math.random().toString(36).slice(2)}`);
@@ -50,22 +49,6 @@ test("init: generated bootstrap uses triple-quoted prompt and parses", () => {
   }
 });
 
-test("init: creates .jaiph/Dockerfile with jaiph installer", () => {
-  const dir = makeTempDir();
-  try {
-    assert.equal(runInit([dir]), 0);
-    const dockerfilePath = join(dir, ".jaiph", "Dockerfile");
-    assert.equal(existsSync(dockerfilePath), true);
-    const dockerfile = readFileSync(dockerfilePath, "utf8");
-    assert.equal(dockerfile.includes("FROM ubuntu:latest"), true);
-    assert.equal(dockerfile.includes("ca-certificates"), true);
-    assert.equal(dockerfile.includes("setup_lts.x"), true);
-    assert.equal(dockerfile.includes(JAIPH_INSTALL_COMMAND), true);
-  } finally {
-    rmSync(dir, { recursive: true, force: true });
-  }
-});
-
 test("init: fails when .jaiph/.gitignore exists with unexpected content", () => {
   const dir = makeTempDir();
   try {
diff --git a/src/cli/commands/init.ts b/src/cli/commands/init.ts
index d777bccb..daaef957 100644
--- a/src/cli/commands/init.ts
+++ b/src/cli/commands/init.ts
@@ -15,16 +15,13 @@ workflow default() {
     Perform these tasks in order:
     1) Analyze repository structure, languages, package manager, and build/test/lint commands.
     2) Detect existing contribution conventions (branching, commit style, CI checks).
-    3) Review and update .jaiph/Dockerfile for this specific repository.
-       - This file defines the Docker sandbox (runtimes, package managers, build tools).
-       - Align it with how this project is actually built and tested.
-    4) Create or update Jaiph workflows under .jaiph/ for safe feature implementation, including:
+    3) Create or update Jaiph workflows under .jaiph/ for safe feature implementation, including:
        - preflight checks (clean git state, branch guards when relevant)
        - implementation workflow
        - verification workflow (tests/lint/build)
-    5) Keep workflows minimal, composable, and specific to this project.
-    6) Print a short usage guide with exact jaiph run commands.
-    7) End your response with:
+    4) Keep workflows minimal, composable, and specific to this project.
+    5) Print a short usage guide with exact jaiph run commands.
+    6) End your response with:
        - WHAT CHANGED: files touched and key edits
        - WHY: tie each edit to repository structure, tests, or sandbox needs
   """
@@ -35,67 +32,6 @@ workflow default() {
 
 /** Ignores ephemeral dirs under `.jaiph/`; kept in-repo so workflows and libs stay tracked. */
 const JAIPH_DIR_GITIGNORE_TEMPLATE = "runs\ntmp\n";
-const DOCKERFILE_TEMPLATE_MARKER = "# Generated by jaiph init for project sandboxing.";
-const JAIPH_INSTALL_COMMAND = "curl -fsSL https://jaiph.org/install | bash";
-const JAIPH_DOCKERFILE_TEMPLATE = `FROM ubuntu:latest
-
-${DOCKERFILE_TEMPLATE_MARKER}
-# Keep this file aligned with your repository's runtime/build/test needs.
-
-# Standard utilities + fuse-overlayfs for CoW sandbox
-RUN apt-get update && \\
-    apt-get install -y --no-install-recommends \\
-      bash \\
-      curl \\
-      git \\
-      ca-certificates \\
-      gnupg \\
-      fuse-overlayfs \\
-      fuse3 \\
-      rsync && \\
-    rm -rf /var/lib/apt/lists/*
-
-# Node.js latest LTS (required by jaiph prompt stream helpers)
-RUN curl -fsSL https://deb.nodesource.com/setup_lts.x | bash - && \\
-    apt-get install -y --no-install-recommends nodejs && \\
-    rm -rf /var/lib/apt/lists/*
-
-# Non-root user keeps agent CLIs happy in Docker mode.
-RUN useradd --create-home --uid 10001 --shell /bin/bash jaiph && \\
-    mkdir -p /jaiph/workspace /jaiph/workspace-ro /jaiph/run && \\
-    chown -R jaiph:jaiph /jaiph
-
-# Claude Code CLI (Anthropic)
-RUN npm install -g @anthropic-ai/claude-code
-
-USER jaiph
-ENV HOME=/home/jaiph
-ENV PATH="/home/jaiph/.local/bin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-
-# cursor-agent (Cursor) — install as the runtime user so the binary remains
-# reachable after switching away from root. The installer currently places
-# the CLI in ~/.local/bin and may name it "agent" or "cursor".
-RUN mkdir -p "$HOME/.local/bin" && \\
-    curl -fsSL https://cursor.com/install -o /tmp/install-cursor-agent.sh && \\
-    bash /tmp/install-cursor-agent.sh && \\
-    export PATH="$HOME/.local/bin:$PATH" && \\
-    if command -v cursor-agent >/dev/null 2>&1; then \\
-      true; \\
-    elif command -v agent >/dev/null 2>&1; then \\
-      ln -sf "$(command -v agent)" "$HOME/.local/bin/cursor-agent"; \\
-    elif command -v cursor >/dev/null 2>&1; then \\
-      ln -sf "$(command -v cursor)" "$HOME/.local/bin/cursor-agent"; \\
-    fi && \\
-    command -v cursor-agent >/dev/null 2>&1 && \\
-    rm -f /tmp/install-cursor-agent.sh
-
-# jaiph (official installer: https://jaiph.org/install)
-RUN ${JAIPH_INSTALL_COMMAND}
-
-# Add project-specific package managers/build tools below as needed.
-
-WORKDIR /jaiph/workspace
-`;
 
 export function runInit(rest: string[]): number {
   const workspaceArg = rest[0] ?? ".";
@@ -109,7 +45,6 @@ export function runInit(rest: string[]): number {
   const jaiphDir = join(workspaceRoot, ".jaiph");
   const gitignorePath = join(jaiphDir, ".gitignore");
   const bootstrapPath = join(jaiphDir, "bootstrap.jh");
-  const dockerfilePath = join(jaiphDir, "Dockerfile");
   const skillPath = join(jaiphDir, "SKILL.md");
   const palette = colorPalette();
 
@@ -147,25 +82,6 @@ export function runInit(rest: string[]): number {
   }
   chmodSync(bootstrapPath, 0o755);
 
-  let createdDockerfile = false;
-  let updatedDockerfile = false;
-  let leftDockerfileUnchanged = false;
-  if (existsSync(dockerfilePath)) {
-    const existingDockerfile = readFileSync(dockerfilePath, "utf8");
-    if (existingDockerfile === JAIPH_DOCKERFILE_TEMPLATE) {
-      leftDockerfileUnchanged = true;
-    } else if (existingDockerfile.includes(DOCKERFILE_TEMPLATE_MARKER)) {
-      writeFileSync(dockerfilePath, JAIPH_DOCKERFILE_TEMPLATE, "utf8");
-      updatedDockerfile = true;
-    } else {
-      leftDockerfileUnchanged = true;
-    }
-  } else {
-    process.stdout.write(`${palette.dim}▸ Creating ${join(".jaiph", "Dockerfile")} in ${workspaceRoot}...${palette.reset}\n`);
-    writeFileSync(dockerfilePath, JAIPH_DOCKERFILE_TEMPLATE, "utf8");
-    createdDockerfile = true;
-  }
-
   const installedSkillPath = resolveInstalledSkillPath();
   let wroteSkill = false;
   if (installedSkillPath) {
@@ -184,15 +100,6 @@ export function runInit(rest: string[]): number {
   if (!createdBootstrap) {
     process.stdout.write(`${palette.dim}▸ Note: bootstrap file already existed; left unchanged.${palette.reset}\n`);
   }
-  if (createdDockerfile) {
-    process.stdout.write(`${palette.green}✓ Created ${join(".jaiph", "Dockerfile")} with Jaiph installer${palette.reset}\n`);
-  } else if (updatedDockerfile) {
-    process.stdout.write(`${palette.green}✓ Updated ${join(".jaiph", "Dockerfile")} with latest init template${palette.reset}\n`);
-  } else if (leftDockerfileUnchanged) {
-    process.stdout.write(
-      `${palette.dim}▸ Note: ${join(".jaiph", "Dockerfile")} already existed; left unchanged. Bootstrap workflow should review it for project sandbox needs.${palette.reset}\n`,
-    );
-  }
   if (wroteSkill) {
     process.stdout.write(`${palette.green}✓ Wrote ${join(".jaiph", "SKILL.md")} from installation${palette.reset}\n`);
   } else {
diff --git a/src/cli/commands/install.test.ts b/src/cli/commands/install.test.ts
index 57950d3a..ad4d1a20 100644
--- a/src/cli/commands/install.test.ts
+++ b/src/cli/commands/install.test.ts
@@ -4,9 +4,35 @@ import { mkdirSync, writeFileSync, rmSync } from "node:fs";
 import { join } from "node:path";
 import { execSync } from "node:child_process";
 import { tmpdir } from "node:os";
+import { parseUrlAndVersion } from "./install";
 
 const CLI_PATH = join(__dirname, "../../../src/cli.js");
 
+test("parseUrlAndVersion: https repo.git@ref (tag or branch)", () => {
+  assert.deepEqual(parseUrlAndVersion("https://github.com/you/queue-lib.git@v1.0"), {
+    url: "https://github.com/you/queue-lib.git",
+    version: "v1.0",
+  });
+  assert.deepEqual(parseUrlAndVersion("https://a/b/c.git@feature/xyz"), {
+    url: "https://a/b/c.git",
+    version: "feature/xyz",
+  });
+});
+
+test("parseUrlAndVersion: git@host:path.git@ref", () => {
+  assert.deepEqual(parseUrlAndVersion("git@github.com:org/repo.git@main"), {
+    url: "git@github.com:org/repo.git",
+    version: "main",
+  });
+});
+
+test("parseUrlAndVersion: schemaless path@ref when no : before @", () => {
+  assert.deepEqual(parseUrlAndVersion("acme/queue-lib@v0.1"), {
+    url: "acme/queue-lib",
+    version: "v0.1",
+  });
+});
+
 function makeTempProject(): string {
   const dir = join(tmpdir(), `jaiph-install-test-${Date.now()}-${Math.random().toString(36).slice(2)}`);
   mkdirSync(dir, { recursive: true });
diff --git a/src/cli/commands/install.ts b/src/cli/commands/install.ts
index ac50a636..2c7254ff 100644
--- a/src/cli/commands/install.ts
+++ b/src/cli/commands/install.ts
@@ -19,9 +19,14 @@ function deriveLibName(url: string): string {
   return lastSegment.replace(/\.git$/, "");
 }
 
-function parseUrlAndVersion(arg: string): { url: string; version?: string } {
+/** Splits a clone URL and optional @ref. Ref after `.../.git@` is recognized for any transport (https, git@, scp). */
+export function parseUrlAndVersion(arg: string): { url: string; version?: string } {
+  const m = arg.match(/^(.+?\.git)@([A-Za-z0-9._+/-]+)$/);
+  if (m) {
+    return { url: m[1], version: m[2] };
+  }
   const atIdx = arg.lastIndexOf("@");
-  // Avoid splitting on @ in protocols like git@github.com:...
+  // Avoid splitting on @ in protocols like git@github.com:... or user:pass@host/...
   if (atIdx > 0 && !arg.slice(0, atIdx).includes("://") && !arg.slice(0, atIdx).includes(":")) {
     return { url: arg.slice(0, atIdx), version: arg.slice(atIdx + 1) };
   }
diff --git a/src/cli/commands/run.ts b/src/cli/commands/run.ts
index 570f02d5..c741b8f5 100644
--- a/src/cli/commands/run.ts
+++ b/src/cli/commands/run.ts
@@ -5,6 +5,7 @@ import {
   rmSync,
   statSync,
 } from "node:fs";
+import { randomUUID } from "node:crypto";
 import { tmpdir } from "node:os";
 import { dirname, join, resolve, extname } from "node:path";
 import { basename } from "node:path";
@@ -18,6 +19,8 @@ import {
   hasFatalRuntimeStderr,
   latestRunFiles,
   failedStepArtifactPaths,
+  discoverDockerRunDir,
+  remapContainerPath,
 } from "../shared/errors";
 import { detectWorkspaceRoot } from "../shared/paths";
 import { parseArgs } from "../shared/usage";
@@ -28,10 +31,13 @@ import {
 } from "../run/lifecycle";
 import {
   resolveDockerConfig,
+  checkDockerAvailable,
+  prepareImage,
   spawnDockerProcess,
   cleanupDocker,
-  findRunArtifacts,
   resolveDockerHostRunsRoot,
+  selectSandboxMode,
+  type SandboxMode,
 } from "../../runtime/docker";
 import {
   styleKeywordLabel,
@@ -40,7 +46,7 @@ import {
 } from "../run/progress";
 import { loadMergedHooks, registerHooksSubscriber } from "../run/hooks";
 import { resolveRuntimeEnv } from "../run/env";
-import { colorize } from "../run/display";
+import { colorize, formatJaiphRunningBannerLines } from "../run/display";
 import { createRunEmitter } from "../run/emitter";
 import {
   createStderrParser,
@@ -84,10 +90,27 @@ export async function runWorkflow(rest: string[]): Promise<number> {
     const isTTY = !!process.stdout.isTTY;
     const startedAt = Date.now();
 
-    writeBanner(mod, inputAbs, runArgs, colorEnabled, isTTY, startedAt);
-
     const runtimeEnv = resolveRuntimeEnv(effectiveConfig, workspaceRoot, inputAbs);
     runtimeEnv.JAIPH_SOURCE_ABS = inputAbs;
+    const runId = randomUUID();
+    runtimeEnv.JAIPH_RUN_ID = runId;
+    const dockerConfigForBanner = resolveDockerConfig(mod.metadata?.runtime, runtimeEnv);
+    if (dockerConfigForBanner.enabled) {
+      checkDockerAvailable();
+      prepareImage(dockerConfigForBanner);
+    }
+    const sandboxModeForBanner = dockerConfigForBanner.enabled ? selectSandboxMode(runtimeEnv) : null;
+
+    writeBanner(
+      mod,
+      inputAbs,
+      runArgs,
+      colorEnabled,
+      isTTY,
+      startedAt,
+      dockerConfigForBanner.enabled,
+      sandboxModeForBanner,
+    );
     const { scriptsDir } = buildScripts(inputAbs, outDir, workspaceRoot);
     runtimeEnv.JAIPH_SCRIPTS = scriptsDir;
     const metaFile = join(outDir, `.jaiph-run-meta-${Date.now()}-${process.pid}.txt`);
@@ -119,7 +142,15 @@ export async function runWorkflow(rest: string[]): Promise<number> {
       mod, runtimeEnv, outDir, workspaceRoot, metaFile, "default", runArgs, isTTY,
     );
 
-    const signalHandlers = setupRunSignalHandlers(execResult, { forceKillAfterMs: 1500 });
+    const onSignalCleanup = dockerResult ? () => cleanupDocker(dockerResult) : undefined;
+    const signalHandlers = setupRunSignalHandlers(execResult, {
+      forceKillAfterMs: 1500,
+      onSignalCleanup,
+    });
+    const exitGuard = dockerResult
+      ? (): void => { cleanupDocker(dockerResult); }
+      : undefined;
+    if (exitGuard) process.on("exit", exitGuard);
 
     if (isTTY) {
       ttyCtx.runningInterval = setInterval(() => {
@@ -141,13 +172,14 @@ export async function runWorkflow(rest: string[]): Promise<number> {
     drainBuffers(onLine, buf, ttyCtx);
 
     if (dockerResult) {
-      const timedOut = dockerResult.timeoutTimer === undefined && activeDockerConfig.timeout > 0
+      const timedOut = dockerResult.timeoutTimer === undefined && activeDockerConfig.timeoutSeconds > 0
         ? false
-        : (Date.now() - startedAt) >= activeDockerConfig.timeout * 1000;
+        : (Date.now() - startedAt) >= activeDockerConfig.timeoutSeconds * 1000;
       if (timedOut && childExit.status !== 0) {
         runState.capturedStderr += "E_TIMEOUT container execution exceeded timeout\n";
       }
       cleanupDocker(dockerResult);
+      if (exitGuard) process.removeListener("exit", exitGuard);
     }
 
     if (childExit.signal && runState.capturedStderr.trim().length === 0) {
@@ -167,7 +199,7 @@ export async function runWorkflow(rest: string[]): Promise<number> {
     return reportResult(
       runState.capturedStderr, childExit.status, startedAt, runtimeEnv,
       emitter, runState.workflowRunId, inputAbs, workspaceRoot, metaFile,
-      dockerResult?.sandboxRunDir,
+      dockerResult?.sandboxRunDir, runId,
     );
   } finally {
     if (shouldCleanup) {
@@ -221,9 +253,13 @@ function writeBanner(
   colorEnabled: boolean,
   isTTY: boolean,
   startedAt: number,
+  dockerEnabled: boolean,
+  sandboxMode: SandboxMode | null,
 ): void {
   const rootLabel = "workflow default";
-  process.stdout.write(`\nJaiph: Running ${basename(inputAbs)}\n\n`);
+  process.stdout.write(
+    formatJaiphRunningBannerLines(basename(inputAbs), dockerEnabled, sandboxMode, colorEnabled),
+  );
   const defaultWf = mod.workflows.find((w) => w.name === "default");
   const rootParamsSuffix =
     runArgs.length > 0
@@ -357,17 +393,14 @@ function reportResult(
   workspaceRoot: string,
   metaFile: string,
   sandboxRunDir?: string,
+  expectedRunId?: string,
 ): number {
   const elapsedMs = Date.now() - startedAt;
   const elapsedLabel = formatElapsedDuration(elapsedMs);
   let runDir: string | undefined;
   let summaryFile: string | undefined;
 
-  if (sandboxRunDir) {
-    const artifacts = findRunArtifacts(sandboxRunDir);
-    runDir = artifacts.runDir;
-    summaryFile = artifacts.summaryFile;
-  } else if (existsSync(metaFile)) {
+  if (existsSync(metaFile)) {
     const metaLines = readFileSync(metaFile, "utf8").split(/\r?\n/);
     for (const line of metaLines) {
       if (line.startsWith("run_dir=")) {
@@ -380,8 +413,17 @@ function reportResult(
       }
     }
   }
+  // Docker mode: container meta file is inaccessible from host.
+  // Discover the run directory from the bind-mounted sandbox runs dir.
+  if (!runDir && sandboxRunDir && expectedRunId) {
+    const discovered = discoverDockerRunDir(sandboxRunDir, expectedRunId);
+    runDir = discovered.runDir;
+    summaryFile = discovered.summaryFile;
+  }
   const runtimeDebugEnabled = runtimeEnv.JAIPH_DEBUG === "true";
-  const runtimeErrorPrinted = hasFatalRuntimeStderr(capturedStderr, runtimeDebugEnabled);
+  const runtimeErrorPrinted = sandboxRunDir
+    ? false
+    : hasFatalRuntimeStderr(capturedStderr, runtimeDebugEnabled);
   const resolvedStatus = exitStatus !== 0 || runtimeErrorPrinted ? 1 : 0;
 
   emitter.emit("workflow_end", {
@@ -403,6 +445,13 @@ function reportResult(
     process.stdout.write(
       `${passPrefix}${palette.green}\u2713 PASS${palette.reset} workflow default ${palette.dim}(${elapsedLabel})${palette.reset}\n`,
     );
+    // Print workflow return value (if any) on its own line, separated by a blank line.
+    // The runtime writes return_value.txt only when the default workflow returns a value.
+    const returnValue = readWorkflowReturnValue(runDir, sandboxRunDir);
+    if (returnValue !== undefined && returnValue.length > 0) {
+      const trimmed = returnValue.endsWith("\n") ? returnValue.slice(0, -1) : returnValue;
+      process.stdout.write(`\n${trimmed}\n`);
+    }
     return 0;
   }
 
@@ -420,9 +469,10 @@ function reportResult(
       process.stderr.write(`  Summary: ${summaryFile}\n`);
     }
     const fromSummary = summaryFile ? failedStepArtifactPaths(summaryFile) : {};
+    const remap = (p: string) => sandboxRunDir ? remapContainerPath(p, sandboxRunDir) : p;
     const files =
       fromSummary.out !== undefined || fromSummary.err !== undefined
-        ? { out: fromSummary.out, err: fromSummary.err }
+        ? { out: fromSummary.out ? remap(fromSummary.out) : undefined, err: fromSummary.err ? remap(fromSummary.err) : undefined }
         : latestRunFiles(runDir);
     if (files.out) process.stderr.write(`    out: ${files.out}\n`);
     if (files.err) process.stderr.write(`    err: ${files.err}\n`);
@@ -432,7 +482,34 @@ function reportResult(
         process.stderr.write(`    ${line}\n`);
       }
     }
+  } else if (sandboxRunDir) {
+    // Docker mode: discoverDockerRunDir returned nothing. Surface the
+    // sandbox runs root + expected run_id so the user can still investigate
+    // (instead of leaving them with only "Workflow execution failed.").
+    process.stderr.write(`  Sandbox runs dir: ${sandboxRunDir}\n`);
+    if (expectedRunId) {
+      process.stderr.write(`    expected run_id: ${expectedRunId}\n`);
+    }
+    process.stderr.write(
+      `  Could not locate this run's artifacts under the sandbox runs dir.\n`,
+    );
   }
 
   return resolvedStatus;
 }
+
+function readWorkflowReturnValue(
+  runDir: string | undefined,
+  sandboxRunDir: string | undefined,
+): string | undefined {
+  if (!runDir) return undefined;
+  const candidate = sandboxRunDir
+    ? remapContainerPath(join(runDir, "return_value.txt"), sandboxRunDir)
+    : join(runDir, "return_value.txt");
+  if (!existsSync(candidate)) return undefined;
+  try {
+    return readFileSync(candidate, "utf8");
+  } catch {
+    return undefined;
+  }
+}
diff --git a/src/cli/commands/use.ts b/src/cli/commands/use.ts
index 63e291cc..b1440327 100644
--- a/src/cli/commands/use.ts
+++ b/src/cli/commands/use.ts
@@ -14,7 +14,7 @@ function toInstallRef(version: string): string | undefined {
 export function runUse(rest: string[]): number {
   const version = rest[0];
   if (!version) {
-    process.stderr.write("jaiph use requires a version (e.g. 0.9.2) or 'nightly'\n");
+    process.stderr.write("jaiph use requires a version (e.g. 0.9.3) or 'nightly'\n");
     return 1;
   }
   const ref = toInstallRef(version);
diff --git a/src/cli/index.ts b/src/cli/index.ts
index bc0f86da..2270770a 100644
--- a/src/cli/index.ts
+++ b/src/cli/index.ts
@@ -16,7 +16,7 @@ export async function main(argv: string[]): Promise<number> {
     return 0;
   }
   if (cmd === "--version" || cmd === "-v") {
-    process.stdout.write("jaiph 0.9.2\n");
+    process.stdout.write("jaiph 0.9.3\n");
     return 0;
   }
   try {
diff --git a/src/cli/run/display.test.ts b/src/cli/run/display.test.ts
index cded0ba1..0226d8b6 100644
--- a/src/cli/run/display.test.ts
+++ b/src/cli/run/display.test.ts
@@ -1,6 +1,50 @@
 import test from "node:test";
 import assert from "node:assert/strict";
-import { colorize, formatCompletedLine, formatHeartbeatLine, formatStartLine, sanitizeMultilineLogForTerminal } from "./display";
+import {
+  colorize,
+  formatCompletedLine,
+  formatHeartbeatLine,
+  formatJaiphRunningBannerLines,
+  formatStartLine,
+  sanitizeMultilineLogForTerminal,
+} from "./display";
+
+// === formatJaiphRunningBannerLines ===
+
+test("formatJaiphRunningBannerLines: no Docker shows no sandbox (no color)", () => {
+  const s = formatJaiphRunningBannerLines("say_hello.jh", false, null, false);
+  assert.equal(s, "\nJaiph: Running say_hello.jh (no sandbox)\n\n");
+});
+
+test("formatJaiphRunningBannerLines: Docker overlay shows fusefs (no color)", () => {
+  const s = formatJaiphRunningBannerLines("say_hello.jh", true, "overlay", false);
+  assert.equal(s, "\nJaiph: Running say_hello.jh (Docker sandbox, fusefs)\n\n");
+});
+
+test("formatJaiphRunningBannerLines: Docker copy shows tmp workspace (no color)", () => {
+  const s = formatJaiphRunningBannerLines("say_hello.jh", true, "copy", false);
+  assert.equal(s, "\nJaiph: Running say_hello.jh (Docker sandbox, tmp workspace)\n\n");
+});
+
+test("formatJaiphRunningBannerLines: banner is the same in CI and locally (no obfuscation)", () => {
+  const prev = process.env.CI;
+  process.env.CI = "true";
+  try {
+    const sCi = formatJaiphRunningBannerLines("say_hello.jh", true, "overlay", false);
+    delete process.env.CI;
+    const sLocal = formatJaiphRunningBannerLines("say_hello.jh", true, "overlay", false);
+    assert.equal(sCi, sLocal);
+    assert.equal(sCi, "\nJaiph: Running say_hello.jh (Docker sandbox, fusefs)\n\n");
+  } finally {
+    if (prev === undefined) delete process.env.CI;
+    else process.env.CI = prev;
+  }
+});
+
+test("formatJaiphRunningBannerLines: dim ANSI wraps parenthetical when color on", () => {
+  const s = formatJaiphRunningBannerLines("x.jh", false, null, true);
+  assert.ok(s.includes("\u001b[2m (no sandbox)\u001b[0m"));
+});
 
 // === colorize ===
 
@@ -228,12 +272,13 @@ test("formatStartLine: prompt preview escapes backslashes", () => {
   assert.ok(result.includes("\\\\"), "backslashes should be escaped");
 });
 
-test("formatStartLine: prompt preview escapes double quotes", () => {
+test("formatStartLine: prompt preview passes through double quotes", () => {
   const params: Array<[string, string]> = [
     ["prompt_text", 'say "hello"'],
   ];
   const result = formatStartLine("  ", "prompt", "prompt", false, params);
-  assert.ok(result.includes('\\"hello\\"'), "quotes should be escaped");
+  assert.ok(result.includes('"hello"'), "quotes should pass through");
+  assert.ok(!result.includes('\\"'), "no backslash-quote escaping");
 });
 
 test("formatStartLine: prompt preview escapes backslash before quote", () => {
diff --git a/src/cli/run/display.ts b/src/cli/run/display.ts
index 2c3d3c45..84984baf 100644
--- a/src/cli/run/display.ts
+++ b/src/cli/run/display.ts
@@ -1,8 +1,30 @@
 import { formatNamedParamsForDisplay, isInternalParamValue } from "../commands/format-params.js";
+import type { SandboxMode } from "../../runtime/docker";
 
 const PROMPT_PREVIEW_MAX = 24;
 const PROMPT_ARGS_DISPLAY_MAX = 96;
 
+/**
+ * First stdout lines for `jaiph run`: file name plus a dim parenthetical describing
+ * Docker sandbox mode. The label always reflects the actual mode (no CI obfuscation)
+ * so docs/landing-page samples can compare against the literal banner text.
+ */
+export function formatJaiphRunningBannerLines(
+  fileBasename: string,
+  dockerEnabled: boolean,
+  sandboxMode: SandboxMode | null,
+  colorEnabled: boolean,
+): string {
+  let parenInner: string;
+  if (!dockerEnabled) {
+    parenInner = "no sandbox";
+  } else {
+    parenInner = sandboxMode === "overlay" ? "Docker sandbox, fusefs" : "Docker sandbox, tmp workspace";
+  }
+  const dimParen = colorize(` (${parenInner})`, "dim", colorEnabled);
+  return `\nJaiph: Running ${fileBasename}${dimParen}\n\n`;
+}
+
 export function colorize(
   text: string,
   code: "dim" | "bold" | "green" | "red",
@@ -49,7 +71,7 @@ export function formatStartLine(
       oneLine.length > PROMPT_PREVIEW_MAX
         ? `${oneLine.slice(0, PROMPT_PREVIEW_MAX)}...`
         : oneLine;
-    const escaped = previewDisplay.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
+    const escaped = previewDisplay.replace(/\\/g, "\\\\");
     const backendPart = name !== kind ? ` ${name}` : "";
     namePart = previewDisplay.length > 0 ? `${kindLabel}${backendPart} "${escaped}"` : `${kindLabel}${backendPart}`;
     const restParams = params.filter(([, v]) => !isInternalParamValue(v));
diff --git a/src/cli/run/env.ts b/src/cli/run/env.ts
index 2dbac4ef..0837ec15 100644
--- a/src/cli/run/env.ts
+++ b/src/cli/run/env.ts
@@ -72,6 +72,7 @@ export function resolveRuntimeEnv(
   delete env.BASH_ENV;
   delete env.JAIPH_META_FILE;
   delete env.JAIPH_RUN_DIR;
+  delete env.JAIPH_ARTIFACTS_DIR;
   delete env.JAIPH_PRECEDING_FILES;
   delete env.JAIPH_RUN_SUMMARY_FILE;
   // A parent shell may export JAIPH_SCRIPTS for its own module (e.g. nested `jaiph run` → npm → tests).
diff --git a/src/cli/run/lifecycle.ts b/src/cli/run/lifecycle.ts
index 5fa948c1..55f93206 100644
--- a/src/cli/run/lifecycle.ts
+++ b/src/cli/run/lifecycle.ts
@@ -30,7 +30,7 @@ export function terminateRunProcessGroup(
 
 export function setupRunSignalHandlers(
   child: ChildProcess,
-  opts?: { forceKillAfterMs?: number },
+  opts?: { forceKillAfterMs?: number; onSignalCleanup?: () => void },
 ): { remove: () => void } {
   const forceKillAfterMs = opts?.forceKillAfterMs ?? 1500;
   let forceKillTimer: NodeJS.Timeout | undefined;
@@ -45,10 +45,12 @@ export function setupRunSignalHandlers(
   };
   const handleInterrupt = (): void => {
     terminateRunProcessGroup(child, "SIGINT");
+    opts?.onSignalCleanup?.();
     scheduleForceKill();
   };
   const handleTerminate = (): void => {
     terminateRunProcessGroup(child, "SIGTERM");
+    opts?.onSignalCleanup?.();
     scheduleForceKill();
   };
   process.once("SIGINT", handleInterrupt);
diff --git a/src/cli/run/progress.ts b/src/cli/run/progress.ts
index 1d000fc8..6746a430 100644
--- a/src/cli/run/progress.ts
+++ b/src/cli/run/progress.ts
@@ -81,7 +81,12 @@ export function collectWorkflowChildren(
       const arr: Array<{ label: string; nested?: string; stepFunc?: string }> = [
         { label: `${asyncPrefix}workflow ${wf}`, nested: wf, stepFunc },
       ];
-      if (s.recover) {
+      if (s.recoverLoop) {
+        const steps = "single" in s.recoverLoop ? [s.recoverLoop.single] : s.recoverLoop.block;
+        for (const r of steps) {
+          arr.push(...stepToItems(r));
+        }
+      } else if (s.recover) {
         const steps = "single" in s.recover ? [s.recover.single] : s.recover.block;
         for (const r of steps) {
           arr.push(...stepToItems(r));
diff --git a/src/cli/run/stderr-handler.test.ts b/src/cli/run/stderr-handler.test.ts
index c17e8f93..019f10de 100644
--- a/src/cli/run/stderr-handler.test.ts
+++ b/src/cli/run/stderr-handler.test.ts
@@ -53,3 +53,33 @@ test("registerTTYSubscriber: STEP_END fallback indent uses event depth", () => {
   const output = writes.join("");
   assert.match(output, /^  ·   ✓ prompt prompt \(1s\)\n$/);
 });
+
+test("registerTTYSubscriber: stderr_line renders immediately in TTY mode", () => {
+  const emitter = createRunEmitter();
+  const ctx: TTYContext = {
+    isTTY: true,
+    colorEnabled: false,
+    startedAt: Date.now(),
+    runningInterval: undefined,
+    nonTTYHeartbeatInterval: undefined,
+    nonTTYHeartbeatStep: null,
+  };
+  const writes: string[] = [];
+  const originalWrite = process.stdout.write.bind(process.stdout);
+  (process.stdout.write as unknown as (chunk: string) => boolean) = ((chunk: string | Uint8Array) => {
+    writes.push(typeof chunk === "string" ? chunk : Buffer.from(chunk).toString("utf8"));
+    return true;
+  }) as unknown as typeof process.stdout.write;
+
+  try {
+    registerTTYSubscriber(emitter, ctx);
+    emitter.emit("stderr_line", {
+      line: "jaiph docker: workspace overlay unavailable; copying workspace into a temp directory before startup",
+    });
+  } finally {
+    (process.stdout.write as unknown as typeof process.stdout.write) = originalWrite as typeof process.stdout.write;
+  }
+
+  const output = writes.join("");
+  assert.equal(output, "jaiph docker: workspace overlay unavailable; copying workspace into a temp directory before startup\n");
+});
diff --git a/src/cli/run/stderr-handler.ts b/src/cli/run/stderr-handler.ts
index 5f7272b5..8a979ec6 100644
--- a/src/cli/run/stderr-handler.ts
+++ b/src/cli/run/stderr-handler.ts
@@ -266,15 +266,10 @@ export function registerTTYSubscriber(emitter: RunEmitter, ctx: TTYContext): voi
   });
 
   emitter.on("stderr_line", (data) => {
-    if (ctx.isTTY && ctx.runningInterval !== undefined) {
-      process.stdout.write("\r\u001b[K\u001b[1A\r\u001b[K");
-    }
-    if (!ctx.isTTY) {
+    if (ctx.isTTY) {
+      writeTTYLine(data.line, ctx, "single");
+    } else {
       process.stderr.write(`${data.line}\n`);
     }
-    if (ctx.isTTY && ctx.runningInterval !== undefined) {
-      const elapsedSec = (Date.now() - ctx.startedAt) / 1000;
-      process.stdout.write(formatRunningBottomLine("default", elapsedSec));
-    }
   });
 }
diff --git a/src/cli/shared/errors.test.ts b/src/cli/shared/errors.test.ts
index 3248a4a9..bb5f215c 100644
--- a/src/cli/shared/errors.test.ts
+++ b/src/cli/shared/errors.test.ts
@@ -11,6 +11,7 @@ import {
   latestRunFiles,
   readFailedStepOutput,
   failedStepArtifactPaths,
+  discoverDockerRunDir,
 } from "./errors";
 
 // === summarizeError ===
@@ -299,3 +300,54 @@ test("resolveFailureDetails: sets shouldPrintSummaryLine false when failedStepOu
     rmSync(dir, { recursive: true, force: true });
   }
 });
+
+// === discoverDockerRunDir ===
+
+test("discoverDockerRunDir: returns matching dir by run_id even when a newer dir exists", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-discover-"));
+  try {
+    const runIdA = "aaaa-1111";
+    const runIdB = "bbbb-2222";
+    // older run dir for run A
+    const dirA = join(root, "2026-04-22", "10-00-00-wf");
+    mkdirSync(dirA, { recursive: true });
+    writeFileSync(
+      join(dirA, "run_summary.jsonl"),
+      JSON.stringify({ type: "WORKFLOW_START", run_id: runIdA }) + "\n",
+    );
+    // newer run dir for run B
+    const dirB = join(root, "2026-04-22", "10-05-00-wf");
+    mkdirSync(dirB, { recursive: true });
+    writeFileSync(
+      join(dirB, "run_summary.jsonl"),
+      JSON.stringify({ type: "WORKFLOW_START", run_id: runIdB }) + "\n",
+    );
+    // Asking for run A should return dirA, not the newer dirB
+    const resultA = discoverDockerRunDir(root, runIdA);
+    assert.equal(resultA.runDir, dirA);
+    assert.equal(resultA.summaryFile, join(dirA, "run_summary.jsonl"));
+    // Asking for run B should return dirB
+    const resultB = discoverDockerRunDir(root, runIdB);
+    assert.equal(resultB.runDir, dirB);
+    assert.equal(resultB.summaryFile, join(dirB, "run_summary.jsonl"));
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("discoverDockerRunDir: returns empty when no dir matches the expected run_id", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-discover-none-"));
+  try {
+    const dir = join(root, "2026-04-22", "10-00-00-wf");
+    mkdirSync(dir, { recursive: true });
+    writeFileSync(
+      join(dir, "run_summary.jsonl"),
+      JSON.stringify({ type: "WORKFLOW_START", run_id: "other-id" }) + "\n",
+    );
+    const result = discoverDockerRunDir(root, "nonexistent-id");
+    assert.equal(result.runDir, undefined);
+    assert.equal(result.summaryFile, undefined);
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
diff --git a/src/cli/shared/errors.ts b/src/cli/shared/errors.ts
index 3dc8c3d2..4b68063d 100644
--- a/src/cli/shared/errors.ts
+++ b/src/cli/shared/errors.ts
@@ -1,5 +1,6 @@
-import { existsSync, readFileSync, readdirSync } from "node:fs";
+import { existsSync, readFileSync, readdirSync, statSync } from "node:fs";
 import { join } from "node:path";
+import { CONTAINER_RUN_DIR } from "../../runtime/docker";
 
 export function colorPalette(): { green: string; red: string; dim: string; reset: string } {
   const enabled = process.stdout.isTTY && process.env.NO_COLOR === undefined;
@@ -195,3 +196,54 @@ export function readFailedStepOutput(summaryPath: string): string | null {
   if (parts.length === 0) return null;
   return parts.join("\n");
 }
+
+/**
+ * Discover run directory from the Docker sandbox runs mount.
+ * In Docker mode the container's meta file is inaccessible from the host,
+ * so we scan the bind-mounted sandboxRunDir for the latest run directory.
+ */
+export function discoverDockerRunDir(sandboxRunDir: string, expectedRunId: string): { runDir?: string; summaryFile?: string } {
+  try {
+    const dateDirs = readdirSync(sandboxRunDir)
+      .filter((d) => !d.startsWith(".") && statSync(join(sandboxRunDir, d)).isDirectory())
+      .sort()
+      .reverse();
+    for (const dateDir of dateDirs) {
+      const datePath = join(sandboxRunDir, dateDir);
+      const timeDirs = readdirSync(datePath)
+        .filter((d) => statSync(join(datePath, d)).isDirectory())
+        .sort()
+        .reverse();
+      for (const timeDir of timeDirs) {
+        const runDir = join(datePath, timeDir);
+        const summaryFile = join(runDir, "run_summary.jsonl");
+        if (!existsSync(summaryFile)) continue;
+        const firstLine = readFileSync(summaryFile, "utf8").split(/\r?\n/)[0];
+        if (!firstLine) continue;
+        try {
+          const parsed = JSON.parse(firstLine) as { type?: string; run_id?: string };
+          if (parsed.type === "WORKFLOW_START" && parsed.run_id === expectedRunId) {
+            return { runDir, summaryFile };
+          }
+        } catch {
+          // ignore malformed JSON
+        }
+      }
+    }
+  } catch {
+    // ignore — sandboxRunDir may not exist or be readable
+  }
+  return {};
+}
+
+/** Remap a container-internal path to the equivalent host path. */
+export function remapContainerPath(containerPath: string, sandboxRunDir: string): string {
+  const prefix = CONTAINER_RUN_DIR + "/";
+  if (containerPath.startsWith(prefix)) {
+    return join(sandboxRunDir, containerPath.slice(CONTAINER_RUN_DIR.length));
+  }
+  if (containerPath === CONTAINER_RUN_DIR) {
+    return sandboxRunDir;
+  }
+  return containerPath;
+}
diff --git a/src/cli/shared/usage.ts b/src/cli/shared/usage.ts
index c5239616..19630d50 100644
--- a/src/cli/shared/usage.ts
+++ b/src/cli/shared/usage.ts
@@ -5,9 +5,10 @@ export function printUsage(): void {
       "  jaiph [--help | --version]",
       "  jaiph <file.jh> [args...]                # run workflow (same as jaiph run <file> [args...])",
       "  jaiph <file.test.jh> [args...]           # run tests (same as jaiph test <file>; extra args ignored)",
-      "  jaiph run [--target <dir>] <file.jh> [--] [args...]",
+      "  jaiph run [--target <dir>] [--raw] <file.jh> [--] [args...]",
       "  jaiph test [path]                        # workspace root, directory (recursive), or one *.test.jh file",
       "  jaiph init [workspace-path]",
+      "  jaiph install [--force] [<repo-url[@version]> ...]",
       "  jaiph use <version|nightly>",
       "  jaiph format [--check] [--indent <n>] <file.jh ...>",
       "  jaiph compile [--json] [--workspace <dir>] <file.jh | directory> ...",
@@ -18,12 +19,18 @@ export function printUsage(): void {
       "",
       "jaiph run:",
       "  --target <dir>  keep emitted script files and run metadata under <dir> (default: temp dir, cleaned up)",
+      "  --raw           skip banner, progress tree, hooks, and failure footer; inherited stdio for embedding / Docker inner run",
       "  --              end of jaiph flags; remaining args are passed to workflow default",
       "",
       "jaiph test:",
       "  With no path, discovers *.test.jh under the workspace root. Extra arguments after an optional",
       "  path are accepted but ignored (reserved).",
       "",
+      "jaiph install:",
+      "  With one or more URLs: shallow-clone each repo into .jaiph/libs/<name>/ and update .jaiph/libs.lock.",
+      "  With no args: restore all libraries listed in .jaiph/libs.lock.",
+      "  --force         delete existing clone and re-clone",
+      "",
       "jaiph format:",
       "  --check         exit non-zero when file(s) need formatting (no writes)",
       "  --indent <n>    spaces per indent level (default: 2)",
@@ -39,11 +46,14 @@ export function printUsage(): void {
       "  jaiph ./flows/review.jh 'review this diff'",
       "  jaiph e2e/say_hello.test.jh",
       "  jaiph run ./flows/review.jh 'review this diff'",
+      "  jaiph run --raw ./flows/review.jh",
       "  jaiph run --target /tmp/jaiph-out ./flows/review.jh",
       "  jaiph test",
       "  jaiph test ./e2e",
       "  jaiph test e2e/say_hello.test.jh",
       "  jaiph init",
+      "  jaiph install https://github.com/you/queue-lib.git@v1.0",
+      "  jaiph install",
       "  jaiph use nightly",
       "  jaiph format flow.jh",
       "  jaiph format --check flow.jh",
diff --git a/src/format/emit.test.ts b/src/format/emit.test.ts
index 5b9ad334..450b827f 100644
--- a/src/format/emit.test.ts
+++ b/src/format/emit.test.ts
@@ -464,4 +464,109 @@ describe("emitModule", () => {
     ].join("\n");
     assert.equal(roundTrip(source), source);
   });
+
+  it("round-trips run with single recover statement", () => {
+    const source = [
+      "workflow default() {",
+      '  run deploy() recover (err) log "fixing"',
+      "}",
+      "",
+    ].join("\n");
+    assert.equal(roundTrip(source), source);
+  });
+
+  it("round-trips run with multiline recover block", () => {
+    const source = [
+      "workflow default() {",
+      "  run deploy() recover (err) {",
+      '    log "fixing"',
+      "    run fix()",
+      "  }",
+      "}",
+      "",
+    ].join("\n");
+    assert.equal(roundTrip(source), source);
+  });
+
+  it("round-trips config with run.recover_limit", () => {
+    const source = [
+      "config {",
+      "  run.recover_limit = 5",
+      "}",
+      "",
+      "workflow default() {",
+      '  log "ok"',
+      "}",
+      "",
+    ].join("\n");
+    assert.equal(roundTrip(source), source);
+  });
+
+  it("round-trips const capture with run async", () => {
+    const source = [
+      "workflow default() {",
+      "  const h = run async foo()",
+      "}",
+      "",
+    ].join("\n");
+    assert.equal(roundTrip(source), source);
+  });
+
+  it("round-trips run async with recover block", () => {
+    const source = [
+      "workflow default() {",
+      "  run async foo() recover (err) {",
+      '    log "repair"',
+      "  }",
+      "}",
+      "",
+    ].join("\n");
+    assert.equal(roundTrip(source), source);
+  });
+
+  it("round-trips run async with multi-line recover block", () => {
+    const source = [
+      "workflow default() {",
+      "  run async foo() recover (err) {",
+      '    log "repairing"',
+      "    run fix_it()",
+      "  }",
+      "}",
+      "",
+    ].join("\n");
+    assert.equal(roundTrip(source), source);
+  });
+
+  it("preserves bare identifier return (does not rewrite as ${var} interpolation)", () => {
+    const source = [
+      "workflow default() {",
+      '  const response = "hi"',
+      "  return response",
+      "}",
+      "",
+    ].join("\n");
+    assert.equal(roundTrip(source), source);
+  });
+
+  it("preserves bare dotted identifier return (does not rewrite as ${base.field})", () => {
+    const source = [
+      "workflow default() {",
+      '  const r = prompt "go" returns "{ ok: bool }"',
+      "  return r.ok",
+      "}",
+      "",
+    ].join("\n");
+    assert.equal(roundTrip(source), source);
+  });
+
+  it('preserves explicit "${var}" return form when authored that way', () => {
+    const source = [
+      "workflow default() {",
+      '  const response = "hi"',
+      '  return "${response}"',
+      "}",
+      "",
+    ].join("\n");
+    assert.equal(roundTrip(source), source);
+  });
 });
diff --git a/src/format/emit.ts b/src/format/emit.ts
index 30a9e6c4..3aaef839 100644
--- a/src/format/emit.ts
+++ b/src/format/emit.ts
@@ -13,6 +13,7 @@ import type {
   WorkflowMetadata,
   TopLevelEmitOrder,
 } from "../types";
+import { parseCallRef } from "../parse/core";
 
 export interface EmitOptions {
   indent: number;
@@ -157,30 +158,31 @@ function emitConfigKeyLines(meta: WorkflowMetadata, key: string, pad: string): s
     case "run.inbox_parallel":
       if (meta.run?.inboxParallel === undefined) return [];
       return [`${pad}run.inbox_parallel = ${meta.run.inboxParallel}`];
+    case "run.recover_limit":
+      if (meta.run?.recoverLimit === undefined) return [];
+      return [`${pad}run.recover_limit = ${meta.run.recoverLimit}`];
     case "runtime.docker_enabled":
-      if (meta.runtime?.dockerEnabled === undefined) return [];
-      return [`${pad}runtime.docker_enabled = ${meta.runtime.dockerEnabled}`];
+      // runtime.docker_enabled was removed; skip silently for back-compat with
+      // any cached AST that still carries the key in configBodySequence.
+      return [];
     case "runtime.docker_image":
       if (meta.runtime?.dockerImage === undefined) return [];
       return [`${pad}runtime.docker_image = "${meta.runtime.dockerImage}"`];
     case "runtime.docker_network":
       if (meta.runtime?.dockerNetwork === undefined) return [];
       return [`${pad}runtime.docker_network = "${meta.runtime.dockerNetwork}"`];
-    case "runtime.docker_timeout":
-      if (meta.runtime?.dockerTimeout === undefined) return [];
-      return [`${pad}runtime.docker_timeout = ${meta.runtime.dockerTimeout}`];
-    case "runtime.workspace": {
-      if (meta.runtime?.workspace === undefined) return [];
-      if (meta.runtime.workspace.length === 0) {
-        return [`${pad}runtime.workspace = []`];
-      }
-      const ws: string[] = [`${pad}runtime.workspace = [`];
-      for (const w of meta.runtime.workspace) {
-        ws.push(`${pad}${pad}"${w}",`);
-      }
-      ws.push(`${pad}]`);
-      return ws;
-    }
+    case "runtime.docker_timeout_seconds":
+      if (meta.runtime?.dockerTimeoutSeconds === undefined) return [];
+      return [`${pad}runtime.docker_timeout_seconds = ${meta.runtime.dockerTimeoutSeconds}`];
+    case "module.name":
+      if (meta.module?.name === undefined) return [];
+      return [`${pad}module.name = "${meta.module.name}"`];
+    case "module.version":
+      if (meta.module?.version === undefined) return [];
+      return [`${pad}module.version = "${meta.module.version}"`];
+    case "module.description":
+      if (meta.module?.description === undefined) return [];
+      return [`${pad}module.description = "${meta.module.description}"`];
     default:
       return [];
   }
@@ -211,24 +213,20 @@ function emitConfig(meta: WorkflowMetadata, pad: string): string {
     if (meta.run.debug !== undefined) lines.push(`${pad}run.debug = ${meta.run.debug}`);
     if (meta.run.logsDir !== undefined) lines.push(`${pad}run.logs_dir = "${meta.run.logsDir}"`);
     if (meta.run.inboxParallel !== undefined) lines.push(`${pad}run.inbox_parallel = ${meta.run.inboxParallel}`);
+    if (meta.run.recoverLimit !== undefined) lines.push(`${pad}run.recover_limit = ${meta.run.recoverLimit}`);
   }
   if (meta.runtime) {
-    if (meta.runtime.dockerEnabled !== undefined) lines.push(`${pad}runtime.docker_enabled = ${meta.runtime.dockerEnabled}`);
     if (meta.runtime.dockerImage !== undefined) lines.push(`${pad}runtime.docker_image = "${meta.runtime.dockerImage}"`);
     if (meta.runtime.dockerNetwork !== undefined) lines.push(`${pad}runtime.docker_network = "${meta.runtime.dockerNetwork}"`);
-    if (meta.runtime.dockerTimeout !== undefined) lines.push(`${pad}runtime.docker_timeout = ${meta.runtime.dockerTimeout}`);
-    if (meta.runtime.workspace !== undefined) {
-      if (meta.runtime.workspace.length === 0) {
-        lines.push(`${pad}runtime.workspace = []`);
-      } else {
-        lines.push(`${pad}runtime.workspace = [`);
-        for (const w of meta.runtime.workspace) {
-          lines.push(`${pad}${pad}"${w}",`);
-        }
-        lines.push(`${pad}]`);
-      }
+    if (meta.runtime.dockerTimeoutSeconds !== undefined) {
+      lines.push(`${pad}runtime.docker_timeout_seconds = ${meta.runtime.dockerTimeoutSeconds}`);
     }
   }
+  if (meta.module) {
+    if (meta.module.name !== undefined) lines.push(`${pad}module.name = "${meta.module.name}"`);
+    if (meta.module.version !== undefined) lines.push(`${pad}module.version = "${meta.module.version}"`);
+    if (meta.module.description !== undefined) lines.push(`${pad}module.description = "${meta.module.description}"`);
+  }
   lines.push("}");
   return lines.join("\n");
 }
@@ -370,6 +368,33 @@ function emitSteps(steps: WorkflowStepDef[], pad: string, currentIndent: string)
   return lines;
 }
 
+/** Try to parse `` `body`(args) `` from the start of a string. Returns consumed length or null. */
+function parseInlineScriptArg(s: string): { body: string; innerArgs: string; consumed: number } | null {
+  if (!s.startsWith("`")) return null;
+  const closeIdx = s.indexOf("`", 1);
+  if (closeIdx === -1) return null;
+  const body = s.slice(1, closeIdx);
+  const afterClose = s.slice(closeIdx + 1);
+  if (!afterClose.startsWith("(")) return null;
+  let depth = 1;
+  let j = 1;
+  let inQuote: string | null = null;
+  while (j < afterClose.length && depth > 0) {
+    const ch = afterClose[j];
+    if (inQuote) {
+      if (ch === inQuote && afterClose[j - 1] !== "\\") inQuote = null;
+    } else {
+      if (ch === '"' || ch === "'") inQuote = ch;
+      else if (ch === "(") depth++;
+      else if (ch === ")") depth--;
+    }
+    j++;
+  }
+  if (depth !== 0) return null;
+  const innerArgs = afterClose.slice(1, j - 1).trim();
+  return { body, innerArgs, consumed: closeIdx + 1 + j };
+}
+
 /** Convert space-separated args back to comma-separated format with bare identifiers. */
 function formatArgs(args: string, bareIdentifierArgs?: string[]): string {
   const bare = new Set(bareIdentifierArgs ?? []);
@@ -378,6 +403,33 @@ function formatArgs(args: string, bareIdentifierArgs?: string[]): string {
   while (i < args.length) {
     while (i < args.length && (args[i] === " " || args[i] === "\t")) i++;
     if (i >= args.length) break;
+    const tail = args.slice(i);
+    const keyword = tail.startsWith("run ")
+      ? "run"
+      : tail.startsWith("ensure ")
+        ? "ensure"
+        : null;
+    if (keyword) {
+      const afterKeyword = args.slice(i + keyword.length).trimStart();
+      const skipped = args.slice(i + keyword.length).length - afterKeyword.length;
+      const call = parseCallRef(afterKeyword);
+      if (call && (call.rest.length === 0 || /^\s/.test(call.rest))) {
+        const consumed = afterKeyword.length - call.rest.length;
+        tokens.push(`${keyword} ${call.ref}(${formatArgs(call.args ?? "", call.bareIdentifierArgs)})`);
+        i += keyword.length + skipped + consumed;
+        continue;
+      }
+      // Try inline script form: run `body`(args)
+      if (keyword === "run") {
+        const inlineResult = parseInlineScriptArg(afterKeyword);
+        if (inlineResult) {
+          const formattedInner = inlineResult.innerArgs ? formatArgs(inlineResult.innerArgs) : "";
+          tokens.push(`run \`${inlineResult.body}\`(${formattedInner})`);
+          i += keyword.length + skipped + inlineResult.consumed;
+          continue;
+        }
+      }
+    }
     if (args[i] === '"') {
       let j = i + 1;
       while (j < args.length && !(args[j] === '"' && args[j - 1] !== "\\")) j++;
@@ -399,6 +451,28 @@ function formatArgs(args: string, bareIdentifierArgs?: string[]): string {
   return tokens.join(", ");
 }
 
+/** Emit inline script form: `prefix \`body\`(args)` or fenced block. */
+function emitInlineScriptLines(
+  prefix: string,
+  body: string,
+  lang?: string,
+  args?: string,
+  bareIdentifierArgs?: string[],
+  ci?: string,
+): string[] {
+  const argsStr = formatArgs(args ?? "", bareIdentifierArgs);
+  if (lang || body.includes("\n")) {
+    const langTag = lang ?? "";
+    const result = [`${prefix} \`\`\`${langTag}`];
+    for (const bl of body.split("\n")) {
+      result.push(bl);
+    }
+    result.push(`${ci ?? ""}\`\`\`(${argsStr})`);
+    return result;
+  }
+  return [`${prefix} \`${body}\`(${argsStr})`];
+}
+
 function emitRef(ref: { value: string }, args?: string, bareIdentifierArgs?: string[]): string {
   if (args !== undefined) {
     return `${ref.value}(${formatArgs(args, bareIdentifierArgs)})`;
@@ -474,7 +548,19 @@ function emitStep(step: WorkflowStepDef, pad: string, currentIndent: string): st
       const ref = emitRef(step.workflow, step.args, step.bareIdentifierArgs);
       const capture = step.captureName ? `${step.captureName} = ` : "";
       const asyncPrefix = step.async ? "async " : "";
-      if (step.recover) {
+      if (step.recoverLoop) {
+        const b = step.recoverLoop.bindings;
+        const bindStr = `(${b.failure})`;
+        if ("single" in step.recoverLoop) {
+          const recoverLines = emitStep(step.recoverLoop.single, pad, "");
+          const recoverText = recoverLines.map((l) => l.trim()).join("\n");
+          lines.push(`${ci}${capture}run ${asyncPrefix}${ref} recover ${bindStr} ${recoverText}`);
+        } else {
+          lines.push(`${ci}${capture}run ${asyncPrefix}${ref} recover ${bindStr} {`);
+          lines.push(...emitSteps(step.recoverLoop.block, pad, ci + pad));
+          lines.push(`${ci}}`);
+        }
+      } else if (step.recover) {
         const b = step.recover.bindings;
         const bindStr = `(${b.failure})`;
         if ("single" in step.recover) {
@@ -585,7 +671,9 @@ function emitStep(step: WorkflowStepDef, pad: string, currentIndent: string): st
     }
 
     case "log":
-      if (step.message.includes("\n")) {
+      if (step.managed?.kind === "run_inline_script") {
+        lines.push(...emitInlineScriptLines(`${ci}log run`, step.managed.body, step.managed.lang, step.managed.args, step.managed.bareIdentifierArgs, ci));
+      } else if (step.message.includes("\n")) {
         lines.push(`${ci}log """`);
         for (const bl of step.message.split("\n")) {
           lines.push(bl);
@@ -597,7 +685,9 @@ function emitStep(step: WorkflowStepDef, pad: string, currentIndent: string): st
       break;
 
     case "logerr":
-      if (step.message.includes("\n")) {
+      if (step.managed?.kind === "run_inline_script") {
+        lines.push(...emitInlineScriptLines(`${ci}logerr run`, step.managed.body, step.managed.lang, step.managed.args, step.managed.bareIdentifierArgs, ci));
+      } else if (step.message.includes("\n")) {
         lines.push(`${ci}logerr """`);
         for (const bl of step.message.split("\n")) {
           lines.push(bl);
@@ -620,7 +710,11 @@ function emitStep(step: WorkflowStepDef, pad: string, currentIndent: string): st
             lines.push(...emitMatchArm(arm, `${ci}${pad}`, ci));
           }
           lines.push(`${ci}}`);
+        } else if (step.managed.kind === "run_inline_script") {
+          lines.push(...emitInlineScriptLines(`${ci}return run`, step.managed.body, step.managed.lang, step.managed.args, step.managed.bareIdentifierArgs, ci));
         }
+      } else if (step.bareSource) {
+        lines.push(`${ci}return ${step.bareSource}`);
       } else if (step.value.includes("\n")) {
         const inner = step.value.slice(1, -1).replace(/\\"/g, '"').replace(/\\\\/g, "\\");
         lines.push(`${ci}return """`);
@@ -681,8 +775,10 @@ function emitConstStep(name: string, value: ConstRhs): string {
         return `const ${name} = """`;
       }
       return `const ${name} = ${value.bashRhs}`;
-    case "run_capture":
-      return `const ${name} = run ${emitRef(value.ref, value.args, value.bareIdentifierArgs)}`;
+    case "run_capture": {
+      const asyncMod = value.async ? "async " : "";
+      return `const ${name} = run ${asyncMod}${emitRef(value.ref, value.args, value.bareIdentifierArgs)}`;
+    }
     case "ensure_capture":
       return `const ${name} = ensure ${emitRef(value.ref, value.args, value.bareIdentifierArgs)}`;
     case "prompt_capture": {
@@ -745,8 +841,12 @@ function emitTestStep(step: TestStepDef, pad: string): string[] {
       return [`${pad}${step.text}`];
     case "blank_line":
       return [""];
+    case "test_const":
+      return [`${pad}const ${step.name} = "${step.value.replace(/\\/g, "\\\\").replace(/"/g, '\\"').replace(/\n/g, "\\n")}"`];
     case "test_mock_prompt":
-      return [`${pad}mock prompt "${step.response}"`];
+      return step.responseVar
+        ? [`${pad}mock prompt ${step.responseVar}`]
+        : [`${pad}mock prompt "${step.response}"`];
     case "test_mock_prompt_block": {
       const lines = [`${pad}mock prompt {`];
       for (const arm of step.arms) {
@@ -762,11 +862,17 @@ function emitTestStep(step: TestStepDef, pad: string): string[] {
       return [`${pad}${capture}run ${step.workflowRef}(${args})${allow}`];
     }
     case "test_expect_contain":
-      return [`${pad}expect_contain ${step.variable} "${step.substring}"`];
+      return step.substringVar
+        ? [`${pad}expect_contain ${step.variable} ${step.substringVar}`]
+        : [`${pad}expect_contain ${step.variable} "${step.substring}"`];
     case "test_expect_not_contain":
-      return [`${pad}expect_not_contain ${step.variable} "${step.substring}"`];
+      return step.substringVar
+        ? [`${pad}expect_not_contain ${step.variable} ${step.substringVar}`]
+        : [`${pad}expect_not_contain ${step.variable} "${step.substring}"`];
     case "test_expect_equal":
-      return [`${pad}expect_equal ${step.variable} "${step.expected}"`];
+      return step.expectedVar
+        ? [`${pad}expect_equal ${step.variable} ${step.expectedVar}`]
+        : [`${pad}expect_equal ${step.variable} "${step.expected}"`];
     case "test_mock_workflow": {
       const paramStr = `(${step.params.join(", ")})`;
       const lines = [`${pad}mock workflow ${step.ref}${paramStr} {`];
diff --git a/src/parse/const-rhs.ts b/src/parse/const-rhs.ts
index 31b80fb8..252a088a 100644
--- a/src/parse/const-rhs.ts
+++ b/src/parse/const-rhs.ts
@@ -92,6 +92,27 @@ export function parseConstRhs(
   }
   if (head.startsWith("run ")) {
     const rest = head.slice("run ".length).trim();
+    // const x = run async ref() — async capture returning a handle
+    if (rest.startsWith("async ")) {
+      const asyncRest = rest.slice("async ".length).trim();
+      if (asyncRest.startsWith("`")) {
+        fail(filePath, "run async is not supported with inline scripts", lineNo, col);
+      }
+      const call = parseCallRef(asyncRest);
+      if (!call) {
+        fail(filePath, "const ... = run async must target a valid reference", lineNo, col);
+      }
+      rejectTrailingContent(filePath, lineNo, "run async", call.rest);
+      const ref: WorkflowRefDef = { value: call.ref, loc: { line: lineNo, col } };
+      return {
+        value: {
+          kind: "run_capture", ref, args: call.args,
+          ...(call.bareIdentifierArgs ? { bareIdentifierArgs: call.bareIdentifierArgs } : {}),
+          async: true,
+        },
+        nextLineIdx: lineIdx,
+      };
+    }
     if (rest.startsWith("`")) {
       const result = parseAnonymousInlineScript(filePath, lines, lineIdx, rest, lineNo, col);
       return {
diff --git a/src/parse/match.ts b/src/parse/match.ts
index 56de37d9..95f38bd3 100644
--- a/src/parse/match.ts
+++ b/src/parse/match.ts
@@ -69,9 +69,9 @@ function parsePattern(filePath: string, text: string, lineNo: number): { pattern
 
 /**
  * Parse the body (value expression) after `=>` in a match arm.
- * Returns the raw value string (with quotes).
+ * Returns the raw value string and any remaining text after the body.
  */
-function parseArmBody(filePath: string, text: string, lineNo: number): string {
+function parseArmBody(filePath: string, text: string, lineNo: number): { body: string; rest: string } {
   const t = text.trimStart();
   if (!t) {
     fail(filePath, "match arm body cannot be empty", lineNo);
@@ -81,13 +81,13 @@ function parseArmBody(filePath: string, text: string, lineNo: number): string {
     if (closeIdx === -1) {
       fail(filePath, "unterminated string in match arm body", lineNo);
     }
-    return t.slice(0, closeIdx + 1);
+    return { body: t.slice(0, closeIdx + 1), rest: t.slice(closeIdx + 1).trimStart() };
   }
   if (t.startsWith("'")) {
     fail(filePath, 'single-quoted strings are not supported; use double quotes ("...") instead', lineNo);
   }
   // Allow $var, ${var}, ${var.field}, or bare words up to end of line
-  return t;
+  return { body: t, rest: "" };
 }
 
 /**
@@ -121,11 +121,11 @@ export function parseMatchArms(
       if (!segLine || segLine.startsWith("#")) {
         continue;
       }
-      const { pattern, rest } = parsePattern(filePath, segLine, lineNo);
-      if (!rest.startsWith("=>")) {
+      const { pattern, rest: afterPattern } = parsePattern(filePath, segLine, lineNo);
+      if (!afterPattern.startsWith("=>")) {
         fail(filePath, 'expected "=>" after match pattern', lineNo);
       }
-      const afterArrow = rest.slice(2).trimStart();
+      const afterArrow = afterPattern.slice(2).trimStart();
       // Triple-quoted arm body: pattern => """
       if (afterArrow === '"""' || afterArrow.startsWith('"""')) {
         const textAfterTriple = afterArrow.slice(3).trim();
@@ -157,7 +157,10 @@ export function parseMatchArms(
         tripleQuoteAdvanced = true;
         break;
       }
-      const body = parseArmBody(filePath, afterArrow, lineNo);
+      const { body, rest } = parseArmBody(filePath, afterArrow, lineNo);
+      if (body.trimEnd().endsWith(",") || rest.startsWith(",")) {
+        fail(filePath, "commas are not allowed in match arms; use one arm per line", lineNo);
+      }
       arms.push({ pattern, body });
     }
     if (!tripleQuoteAdvanced) {
diff --git a/src/parse/metadata.ts b/src/parse/metadata.ts
index ed5f9d8f..f131cb32 100644
--- a/src/parse/metadata.ts
+++ b/src/parse/metadata.ts
@@ -2,6 +2,13 @@ import type { ConfigBodyPart, WorkflowMetadata } from "../types";
 import { colFromRaw, fail } from "./core";
 import { findClosingBraceIndex, splitStatementsOnSemicolons } from "./statement-split";
 
+/** Keys that were removed — produce a clear E_PARSE instead of "unknown key". */
+const REJECTED_KEYS: Record<string, string> = {
+  "runtime.workspace": "runtime.workspace is no longer supported; the workspace is mounted automatically",
+  "runtime.docker_enabled": "runtime.docker_enabled is no longer supported; set JAIPH_DOCKER_ENABLED or JAIPH_UNSAFE in the environment",
+  "runtime.docker_timeout": "runtime.docker_timeout was renamed to runtime.docker_timeout_seconds",
+};
+
 const ALLOWED_KEYS = new Set([
   "agent.default_model",
   "agent.command",
@@ -12,11 +19,13 @@ const ALLOWED_KEYS = new Set([
   "run.logs_dir",
   "run.debug",
   "run.inbox_parallel",
-  "runtime.docker_enabled",
+  "run.recover_limit",
   "runtime.docker_image",
   "runtime.docker_network",
-  "runtime.docker_timeout",
-  "runtime.workspace",
+  "runtime.docker_timeout_seconds",
+  "module.name",
+  "module.version",
+  "module.description",
 ]);
 
 /** Expected value type for each key that needs type validation. */
@@ -30,11 +39,13 @@ const KEY_TYPES: Record<string, "string" | "boolean" | "number" | "string[]"> =
   "run.logs_dir": "string",
   "run.debug": "boolean",
   "run.inbox_parallel": "boolean",
-  "runtime.docker_enabled": "boolean",
+  "run.recover_limit": "number",
   "runtime.docker_image": "string",
   "runtime.docker_network": "string",
-  "runtime.docker_timeout": "number",
-  "runtime.workspace": "string[]",
+  "runtime.docker_timeout_seconds": "number",
+  "module.name": "string",
+  "module.version": "string",
+  "module.description": "string",
 };
 
 function parseMetadataValue(filePath: string, rawLine: string, valuePart: string, lineNo: number): string | boolean | number | string[] {
@@ -197,11 +208,11 @@ function assignConfigKey(
       out.run = {};
     }
     out.run.inboxParallel = value as boolean;
-  } else if (key === "runtime.docker_enabled") {
-    if (!out.runtime) {
-      out.runtime = {};
+  } else if (key === "run.recover_limit") {
+    if (!out.run) {
+      out.run = {};
     }
-    out.runtime.dockerEnabled = value as boolean;
+    out.run.recoverLimit = value as number;
   } else if (key === "runtime.docker_image") {
     if (!out.runtime) {
       out.runtime = {};
@@ -212,16 +223,26 @@ function assignConfigKey(
       out.runtime = {};
     }
     out.runtime.dockerNetwork = value as string;
-  } else if (key === "runtime.docker_timeout") {
+  } else if (key === "runtime.docker_timeout_seconds") {
     if (!out.runtime) {
       out.runtime = {};
     }
-    out.runtime.dockerTimeout = value as number;
-  } else if (key === "runtime.workspace") {
-    if (!out.runtime) {
-      out.runtime = {};
+    out.runtime.dockerTimeoutSeconds = value as number;
+  } else if (key === "module.name") {
+    if (!out.module) {
+      out.module = {};
+    }
+    out.module.name = value as string;
+  } else if (key === "module.version") {
+    if (!out.module) {
+      out.module = {};
     }
-    out.runtime.workspace = value as string[];
+    out.module.version = value as string;
+  } else if (key === "module.description") {
+    if (!out.module) {
+      out.module = {};
+    }
+    out.module.description = value as string;
   }
 }
 
@@ -265,6 +286,9 @@ export function parseConfigBlock(
       const key = line.slice(0, eq).trim();
       const valuePart = line.slice(eq + 1);
 
+      if (REJECTED_KEYS[key]) {
+        return fail(filePath, REJECTED_KEYS[key], openLineNo, colFromRaw(rawOpen));
+      }
       if (!ALLOWED_KEYS.has(key)) {
         return fail(
           filePath,
@@ -284,14 +308,6 @@ export function parseConfigBlock(
           colFromRaw(rawOpen),
         );
       }
-      if (key === "runtime.workspace" && trimmedValue.startsWith("[") && trimmedValue !== "[]") {
-        return fail(
-          filePath,
-          "runtime.workspace arrays with elements require a multiline config { … } block",
-          openLineNo,
-          colFromRaw(rawOpen),
-        );
-      }
       value = parseMetadataValue(filePath, rawOpen, valuePart, openLineNo);
       assignConfigKey(filePath, out, key, value, openLineNo, rawOpen);
       bodySequence.push({ kind: "assign", key });
@@ -337,6 +353,9 @@ export function parseConfigBlock(
     const key = line.slice(0, eq).trim();
     const valuePart = line.slice(eq + 1);
 
+    if (REJECTED_KEYS[key]) {
+      return fail(filePath, REJECTED_KEYS[key], lineNo, colFromRaw(raw));
+    }
     if (!ALLOWED_KEYS.has(key)) {
       return fail(
         filePath,
diff --git a/src/parse/parse-match.test.ts b/src/parse/parse-match.test.ts
index 313c3d47..44cec9fe 100644
--- a/src/parse/parse-match.test.ts
+++ b/src/parse/parse-match.test.ts
@@ -77,3 +77,43 @@ test("parseMatchArms: parses bare expression arm body", () => {
   const { arms } = parseMatchArms("test.jh", lines, 1, 1);
   assert.equal(arms[0].body, 'fail "oops"');
 });
+
+// === parseMatchArms: comma rejection ===
+
+test("parseMatchArms: rejects trailing comma after bare arm body", () => {
+  const lines = [
+    '{',
+    '  "" => fail "You didn\'t provide your name :(",',
+    '  _ => name_arg',
+    '}',
+  ];
+  assert.throws(
+    () => parseMatchArms("test.jh", lines, 1, 1),
+    /commas are not allowed in match arms; use one arm per line/,
+  );
+});
+
+test("parseMatchArms: rejects trailing comma after quoted arm body", () => {
+  const lines = [
+    '{',
+    '  "a" => "result",',
+    '  _ => "default"',
+    '}',
+  ];
+  assert.throws(
+    () => parseMatchArms("test.jh", lines, 1, 1),
+    /commas are not allowed in match arms; use one arm per line/,
+  );
+});
+
+test("parseMatchArms: rejects comma-separated arms on one line", () => {
+  const lines = [
+    '{',
+    '  "a" => "x", _ => "y"',
+    '}',
+  ];
+  assert.throws(
+    () => parseMatchArms("test.jh", lines, 1, 1),
+    /commas are not allowed in match arms; use one arm per line/,
+  );
+});
diff --git a/src/parse/parse-metadata.test.ts b/src/parse/parse-metadata.test.ts
index 8b121adc..3cfd6495 100644
--- a/src/parse/parse-metadata.test.ts
+++ b/src/parse/parse-metadata.test.ts
@@ -18,25 +18,47 @@ test("parseConfigBlock: parses boolean values", () => {
   const lines = [
     "config {",
     "  run.debug = true",
-    "  runtime.docker_enabled = false",
     "}",
   ];
   const { metadata } = parseConfigBlock("test.jh", lines, 0);
   assert.equal(metadata.run?.debug, true);
-  assert.equal(metadata.runtime?.dockerEnabled, false);
 });
 
-test("parseConfigBlock: parses integer values", () => {
+test("parseConfigBlock: rejects runtime.docker_enabled with E_PARSE", () => {
+  const lines = [
+    "config {",
+    "  runtime.docker_enabled = false",
+    "}",
+  ];
+  assert.throws(
+    () => parseConfigBlock("test.jh", lines, 0),
+    /runtime\.docker_enabled is no longer supported.*JAIPH_DOCKER_ENABLED.*JAIPH_UNSAFE/,
+  );
+});
+
+test("parseConfigBlock: rejects renamed runtime.docker_timeout key with guidance", () => {
   const lines = [
     "config {",
     "  runtime.docker_timeout = 300",
     "}",
   ];
+  assert.throws(
+    () => parseConfigBlock("test.jh", lines, 0),
+    /runtime\.docker_timeout was renamed to runtime\.docker_timeout_seconds/,
+  );
+});
+
+test("parseConfigBlock: parses integer values", () => {
+  const lines = [
+    "config {",
+    "  runtime.docker_timeout_seconds = 300",
+    "}",
+  ];
   const { metadata } = parseConfigBlock("test.jh", lines, 0);
-  assert.equal(metadata.runtime?.dockerTimeout, 300);
+  assert.equal(metadata.runtime?.dockerTimeoutSeconds, 300);
 });
 
-test("parseConfigBlock: parses multiline array", () => {
+test("parseConfigBlock: rejects runtime.workspace with E_PARSE", () => {
   const lines = [
     "config {",
     "  runtime.workspace = [",
@@ -45,8 +67,10 @@ test("parseConfigBlock: parses multiline array", () => {
     "  ]",
     "}",
   ];
-  const { metadata } = parseConfigBlock("test.jh", lines, 0);
-  assert.deepEqual(metadata.runtime?.workspace, ["src/", "lib/"]);
+  assert.throws(
+    () => parseConfigBlock("test.jh", lines, 0),
+    /runtime\.workspace is no longer supported/,
+  );
 });
 
 test("parseConfigBlock: fails on unknown config key", () => {
@@ -177,14 +201,16 @@ test("parseConfigBlock: handles escape sequences in string values", () => {
   assert.equal(metadata.agent?.cursorFlags, "flag\nvalue");
 });
 
-test("parseConfigBlock: parses empty array", () => {
+test("parseConfigBlock: rejects runtime.workspace even with empty array", () => {
   const lines = [
     "config {",
     "  runtime.workspace = []",
     "}",
   ];
-  const { metadata } = parseConfigBlock("test.jh", lines, 0);
-  assert.deepEqual(metadata.runtime?.workspace, []);
+  assert.throws(
+    () => parseConfigBlock("test.jh", lines, 0),
+    /runtime\.workspace is no longer supported/,
+  );
 });
 
 test("parseConfigBlock: fails on type mismatch (number where string expected)", () => {
@@ -199,6 +225,74 @@ test("parseConfigBlock: fails on type mismatch (number where string expected)",
   );
 });
 
+// ---------------------------------------------------------------------------
+// Module manifest keys (module.name, module.version, module.description)
+// ---------------------------------------------------------------------------
+
+test("parseConfigBlock: parses module.name, module.version, module.description", () => {
+  const lines = [
+    "config {",
+    '  module.name = "my-workflow"',
+    '  module.version = "1.2.3"',
+    '  module.description = "A helpful workflow"',
+    "}",
+  ];
+  const { metadata } = parseConfigBlock("test.jh", lines, 0);
+  assert.equal(metadata.module?.name, "my-workflow");
+  assert.equal(metadata.module?.version, "1.2.3");
+  assert.equal(metadata.module?.description, "A helpful workflow");
+});
+
+test("parseConfigBlock: module keys are optional (partial set)", () => {
+  const lines = [
+    "config {",
+    '  module.name = "only-name"',
+    "}",
+  ];
+  const { metadata } = parseConfigBlock("test.jh", lines, 0);
+  assert.equal(metadata.module?.name, "only-name");
+  assert.equal(metadata.module?.version, undefined);
+  assert.equal(metadata.module?.description, undefined);
+});
+
+test("parseConfigBlock: module keys coexist with other config keys", () => {
+  const lines = [
+    "config {",
+    '  module.name = "proj"',
+    '  agent.backend = "claude"',
+    "}",
+  ];
+  const { metadata } = parseConfigBlock("test.jh", lines, 0);
+  assert.equal(metadata.module?.name, "proj");
+  assert.equal(metadata.agent?.backend, "claude");
+});
+
+test("module keys round-trip through formatter", () => {
+  const src = [
+    'config {',
+    '  module.name = "my-tool"',
+    '  module.version = "0.1.0"',
+    '  module.description = "Does things"',
+    '}',
+    '',
+    'workflow default() {',
+    '  log "ok"',
+    '}',
+  ].join("\n");
+  const mod = parsejaiph(src, "test.jh");
+  assert.equal(mod.metadata?.module?.name, "my-tool");
+  assert.equal(mod.metadata?.module?.version, "0.1.0");
+  assert.equal(mod.metadata?.module?.description, "Does things");
+
+  // Verify formatter round-trip produces valid source that re-parses identically
+  const { emitModule } = require("../format/emit");
+  const emitted = emitModule(mod);
+  const reparsed = parsejaiph(emitted, "test.jh");
+  assert.equal(reparsed.metadata?.module?.name, "my-tool");
+  assert.equal(reparsed.metadata?.module?.version, "0.1.0");
+  assert.equal(reparsed.metadata?.module?.description, "Does things");
+});
+
 // ---------------------------------------------------------------------------
 // Workflow-level config
 // ---------------------------------------------------------------------------
@@ -264,11 +358,25 @@ test("workflow config: rejects config after steps", () => {
   );
 });
 
+test("workflow config: rejects module.* keys", () => {
+  const src = [
+    "workflow default() {",
+    "  config {",
+    '    module.name = "nope"',
+    "  }",
+    "}",
+  ].join("\n");
+  assert.throws(
+    () => parsejaiph(src, "test.jh"),
+    /module\.\* keys are not allowed in workflow-level config/,
+  );
+});
+
 test("workflow config: rejects runtime.* keys", () => {
   const src = [
     "workflow default() {",
     "  config {",
-    "    runtime.docker_enabled = true",
+    "    runtime.docker_timeout_seconds = 300",
     "  }",
     "}",
   ].join("\n");
diff --git a/src/parse/parse-return.test.ts b/src/parse/parse-return.test.ts
index 7eb4c284..3840da0f 100644
--- a/src/parse/parse-return.test.ts
+++ b/src/parse/parse-return.test.ts
@@ -134,6 +134,154 @@ test("bare return has no managed field", () => {
   }
 });
 
+test("return run inline script parses managed inline script", () => {
+  const mod = parsejaiph(
+    "workflow default() {\n  return run `cat report.txt`()\n}",
+    "test.jh",
+  );
+  const step = mod.workflows[0].steps[0];
+  assert.equal(step.type, "return");
+  if (step.type === "return") {
+    assert.ok(step.managed);
+    assert.equal(step.managed!.kind, "run_inline_script");
+    if (step.managed!.kind === "run_inline_script") {
+      assert.equal(step.managed!.body, "cat report.txt");
+      assert.equal(step.managed!.args, undefined);
+    }
+  }
+});
+
+test("return run inline script with args", () => {
+  const mod = parsejaiph(
+    'workflow default() {\n  return run `echo $1`("x")\n}',
+    "test.jh",
+  );
+  const step = mod.workflows[0].steps[0];
+  assert.equal(step.type, "return");
+  if (step.type === "return") {
+    assert.ok(step.managed);
+    assert.equal(step.managed!.kind, "run_inline_script");
+    if (step.managed!.kind === "run_inline_script") {
+      assert.equal(step.managed!.body, "echo $1");
+      assert.equal(step.managed!.args, '"x"');
+    }
+  }
+});
+
+test("return bare inline script is rejected", () => {
+  assert.throws(
+    () => parsejaiph("workflow default() {\n  return `cat report.txt`()\n}", "test.jh"),
+    /bare inline scripts in return are not allowed/,
+  );
+});
+
+test("log run inline script parses managed inline script", () => {
+  const mod = parsejaiph(
+    "workflow default() {\n  log run `cat report.txt`()\n}",
+    "test.jh",
+  );
+  const step = mod.workflows[0].steps[0];
+  assert.equal(step.type, "log");
+  if (step.type === "log") {
+    assert.ok(step.managed);
+    assert.equal(step.managed!.kind, "run_inline_script");
+    assert.equal(step.managed!.body, "cat report.txt");
+    assert.equal(step.managed!.args, undefined);
+  }
+});
+
+test("log run inline script with args", () => {
+  const mod = parsejaiph(
+    'workflow default() {\n  log run `echo $1`("x")\n}',
+    "test.jh",
+  );
+  const step = mod.workflows[0].steps[0];
+  assert.equal(step.type, "log");
+  if (step.type === "log") {
+    assert.ok(step.managed);
+    assert.equal(step.managed!.kind, "run_inline_script");
+    assert.equal(step.managed!.body, "echo $1");
+    assert.equal(step.managed!.args, '"x"');
+  }
+});
+
+test("log bare inline script is rejected", () => {
+  assert.throws(
+    () => parsejaiph("workflow default() {\n  log `cat report.txt`()\n}", "test.jh"),
+    /bare inline scripts in log are not allowed/,
+  );
+});
+
+test("logerr bare inline script is rejected", () => {
+  assert.throws(
+    () => parsejaiph("workflow default() {\n  logerr `cat report.txt`()\n}", "test.jh"),
+    /bare inline scripts in logerr are not allowed/,
+  );
+});
+
+test("return bare identifier is sugar for interpolated string", () => {
+  const mod = parsejaiph(
+    `workflow default() {\n  const response = "hello"\n  return response\n}`,
+    "test.jh",
+  );
+  const step = mod.workflows[0].steps[1];
+  assert.equal(step.type, "return");
+  if (step.type === "return") {
+    assert.equal(step.managed, undefined);
+    assert.equal(step.value, '"${response}"');
+  }
+});
+
+test("return bare identifier in brace block (if body)", () => {
+  const mod = parsejaiph(
+    [
+      "workflow default(name) {",
+      '  const msg = "hi"',
+      '  if name == "x" {',
+      "    return msg",
+      "  }",
+      "}",
+    ].join("\n"),
+    "test.jh",
+  );
+  const ifStep = mod.workflows[0].steps[1];
+  assert.equal(ifStep.type, "if");
+  if (ifStep.type === "if") {
+    const retStep = ifStep.body[0];
+    assert.equal(retStep.type, "return");
+    if (retStep.type === "return") {
+      assert.equal(retStep.value, '"${msg}"');
+    }
+  }
+});
+
+test("return bare identifier in catch/recover block", () => {
+  const mod = parsejaiph(
+    [
+      "rule check() {",
+      '  return "yes"',
+      "}",
+      "workflow default() {",
+      "  ensure check() catch (err) {",
+      "    return err",
+      "  }",
+      "}",
+    ].join("\n"),
+    "test.jh",
+  );
+  const ensureStep = mod.workflows[0].steps[0];
+  assert.equal(ensureStep.type, "ensure");
+  if (ensureStep.type === "ensure") {
+    assert.ok(ensureStep.recover);
+    const recoverSteps = "block" in ensureStep.recover! ? ensureStep.recover!.block : [ensureStep.recover!.single];
+    const retStep = recoverSteps[0];
+    assert.equal(retStep.type, "return");
+    if (retStep.type === "return") {
+      assert.equal(retStep.value, '"${err}"');
+    }
+  }
+});
+
 test("return run in ensure recover block", () => {
   const mod = parsejaiph(
     [
diff --git a/src/parse/parse-run-async.test.ts b/src/parse/parse-run-async.test.ts
index 9bd178fb..cd9d0d77 100644
--- a/src/parse/parse-run-async.test.ts
+++ b/src/parse/parse-run-async.test.ts
@@ -62,7 +62,7 @@ test("parse: regular run does not have async flag", () => {
   }
 });
 
-test("parse: capture + run async is rejected", () => {
+test("parse: capture + run async is rejected without const", () => {
   const src = [
     "workflow default() {",
     "  x = run async some_wf()",
@@ -73,3 +73,102 @@ test("parse: capture + run async is rejected", () => {
     /assignment without "const" is no longer supported/,
   );
 });
+
+test("parse: const capture + run async produces run_capture with async flag", () => {
+  const src = [
+    "workflow default() {",
+    "  const h = run async some_wf()",
+    "}",
+  ].join("\n");
+  const mod = parsejaiph(src, "test.jh");
+  const step = mod.workflows[0]!.steps[0]!;
+  assert.equal(step.type, "const");
+  if (step.type === "const") {
+    assert.equal(step.name, "h");
+    assert.equal(step.value.kind, "run_capture");
+    if (step.value.kind === "run_capture") {
+      assert.equal(step.value.ref.value, "some_wf");
+      assert.equal(step.value.async, true);
+    }
+  }
+});
+
+test("parse: const capture + run async with args", () => {
+  const src = [
+    "workflow default() {",
+    '  const h = run async other_wf("hello")',
+    "}",
+  ].join("\n");
+  const mod = parsejaiph(src, "test.jh");
+  const step = mod.workflows[0]!.steps[0]!;
+  assert.equal(step.type, "const");
+  if (step.type === "const") {
+    assert.equal(step.value.kind, "run_capture");
+    if (step.value.kind === "run_capture") {
+      assert.equal(step.value.ref.value, "other_wf");
+      assert.equal(step.value.args, '"hello"');
+      assert.equal(step.value.async, true);
+    }
+  }
+});
+
+test("parse: run async with recover block", () => {
+  const src = [
+    "workflow default() {",
+    '  run async foo() recover(err) { log "repair" }',
+    "}",
+  ].join("\n");
+  const mod = parsejaiph(src, "test.jh");
+  const step = mod.workflows[0]!.steps[0]!;
+  assert.equal(step.type, "run");
+  if (step.type === "run") {
+    assert.equal(step.workflow.value, "foo");
+    assert.equal(step.async, true);
+    assert.ok(step.recoverLoop);
+    if (step.recoverLoop && "block" in step.recoverLoop) {
+      assert.equal(step.recoverLoop.bindings.failure, "err");
+      assert.equal(step.recoverLoop.block.length, 1);
+      assert.equal(step.recoverLoop.block[0].type, "log");
+    }
+  }
+});
+
+test("parse: run async with multi-line recover block", () => {
+  const src = [
+    "workflow default() {",
+    "  run async foo() recover(err) {",
+    '    log "repairing"',
+    "    run fix_it()",
+    "  }",
+    "}",
+  ].join("\n");
+  const mod = parsejaiph(src, "test.jh");
+  const step = mod.workflows[0]!.steps[0]!;
+  assert.equal(step.type, "run");
+  if (step.type === "run") {
+    assert.equal(step.async, true);
+    assert.ok(step.recoverLoop);
+    if (step.recoverLoop && "block" in step.recoverLoop) {
+      assert.equal(step.recoverLoop.block.length, 2);
+    }
+  }
+});
+
+test("parse: run async with catch block", () => {
+  const src = [
+    "workflow default() {",
+    '  run async bar() catch (e) { log "caught" }',
+    "}",
+  ].join("\n");
+  const mod = parsejaiph(src, "test.jh");
+  const step = mod.workflows[0]!.steps[0]!;
+  assert.equal(step.type, "run");
+  if (step.type === "run") {
+    assert.equal(step.workflow.value, "bar");
+    assert.equal(step.async, true);
+    assert.ok(step.recover);
+    if (step.recover && "block" in step.recover) {
+      assert.equal(step.recover.bindings.failure, "e");
+    }
+  }
+});
diff --git a/src/parse/parse-steps.test.ts b/src/parse/parse-steps.test.ts
index dd357a35..895728f7 100644
--- a/src/parse/parse-steps.test.ts
+++ b/src/parse/parse-steps.test.ts
@@ -1,7 +1,7 @@
 import test from "node:test";
 import assert from "node:assert/strict";
 import { parsejaiph } from "../parser";
-import { parseEnsureStep } from "./steps";
+import { parseEnsureStep, parseRunRecoverStep } from "./steps";
 
 // === parseEnsureStep: basic ensure without catch ===
 
@@ -284,3 +284,118 @@ test("parsejaiph: workflow with ensure catch and multiline triple-quoted prompt"
     }
   }
 });
+
+// === parseRunRecoverStep: basic recover ===
+
+test("parseRunRecoverStep: returns null when no recover keyword", () => {
+  const lines = ["  run my_workflow()"];
+  const result = parseRunRecoverStep("test.jh", lines, 0, 1, lines[0], "my_workflow()");
+  assert.equal(result, null);
+});
+
+test("parseRunRecoverStep: parses run with single recover statement", () => {
+  const lines = ['  run my_workflow() recover(err) log "repairing"'];
+  const result = parseRunRecoverStep("test.jh", lines, 0, 1, lines[0], 'my_workflow() recover(err) log "repairing"');
+  assert.ok(result);
+  const step = result!.step;
+  assert.equal(step.type, "run");
+  if (step.type === "run") {
+    assert.equal(step.workflow.value, "my_workflow");
+    assert.ok(step.recoverLoop);
+    assert.equal(step.recoverLoop!.bindings.failure, "err");
+    if ("single" in step.recoverLoop!) {
+      assert.equal(step.recoverLoop!.single.type, "log");
+    }
+  }
+});
+
+test("parseRunRecoverStep: parses run with inline recover block", () => {
+  const lines = ['  run fix() recover(e) { log "a"; run patch() }'];
+  const result = parseRunRecoverStep("test.jh", lines, 0, 1, lines[0], 'fix() recover(e) { log "a"; run patch() }');
+  assert.ok(result);
+  const step = result!.step;
+  if (step.type === "run" && step.recoverLoop && "block" in step.recoverLoop) {
+    assert.equal(step.recoverLoop.block.length, 2);
+    assert.equal(step.recoverLoop.block[0].type, "log");
+    assert.equal(step.recoverLoop.block[1].type, "run");
+  }
+});
+
+test("parseRunRecoverStep: parses run with multiline recover block", () => {
+  const lines = [
+    "  run deploy() recover(err) {",
+    '    log "retrying"',
+    "    run cleanup()",
+    "  }",
+  ];
+  const result = parseRunRecoverStep("test.jh", lines, 0, 1, lines[0], "deploy() recover(err) {");
+  assert.ok(result);
+  const step = result!.step;
+  if (step.type === "run" && step.recoverLoop && "block" in step.recoverLoop) {
+    assert.equal(step.recoverLoop.block.length, 2);
+    assert.equal(step.recoverLoop.block[0].type, "log");
+    assert.equal(step.recoverLoop.block[1].type, "run");
+  }
+  assert.equal(result!.nextIdx, 3);
+});
+
+test("parseRunRecoverStep: rejects recover at EOL without body", () => {
+  const lines = ["  run my_workflow() recover"];
+  assert.throws(
+    () => parseRunRecoverStep("test.jh", lines, 0, 1, lines[0], "my_workflow() recover"),
+    /recover requires explicit bindings/,
+  );
+});
+
+test("parseRunRecoverStep: rejects recover without bindings", () => {
+  const lines = ["  run my_workflow() recover {"];
+  assert.throws(
+    () => parseRunRecoverStep("test.jh", lines, 0, 1, lines[0], "my_workflow() recover {"),
+    /recover requires explicit bindings/,
+  );
+});
+
+test("parseRunRecoverStep: rejects recover with two bindings", () => {
+  const lines = ['  run my_workflow() recover(a, b) { log "x" }'];
+  assert.throws(
+    () => parseRunRecoverStep("test.jh", lines, 0, 1, lines[0], 'my_workflow() recover(a, b) { log "x" }'),
+    /recover accepts exactly one binding/,
+  );
+});
+
+test("parseRunRecoverStep: empty recover block throws", () => {
+  const lines = ["  run my_workflow() recover(err) { }"];
+  assert.throws(
+    () => parseRunRecoverStep("test.jh", lines, 0, 1, lines[0], "my_workflow() recover(err) { }"),
+    /recover block must contain at least one statement/,
+  );
+});
+
+// === parsejaiph: full workflow with recover ===
+
+test("parsejaiph: workflow with run recover block", () => {
+  const src = [
+    "workflow deploy() {",
+    '  run setup() recover(err) {',
+    '    log "fixing"',
+    '    run fix()',
+    '  }',
+    "}",
+    "workflow setup() {",
+    '  log "setup"',
+    "}",
+    "workflow fix() {",
+    '  log "fix"',
+    "}",
+    "",
+  ].join("\n");
+  const mod = parsejaiph(src, "recover_test.jh");
+  const w = mod.workflows.find((x) => x.name === "deploy");
+  assert.ok(w);
+  const runStep = w!.steps[0];
+  assert.equal(runStep.type, "run");
+  if (runStep.type === "run") {
+    assert.ok(runStep.recoverLoop);
+    assert.equal(runStep.recover, undefined);
+  }
+});
diff --git a/src/parse/parse-tests.test.ts b/src/parse/parse-tests.test.ts
index 346a0dbe..b501f2d0 100644
--- a/src/parse/parse-tests.test.ts
+++ b/src/parse/parse-tests.test.ts
@@ -286,6 +286,70 @@ test("parseTestBlock: parses expect_equal", () => {
   }
 });
 
+test("parseTestBlock: parses test-scope `const NAME = \"literal\"` binding", () => {
+  const lines = [
+    'test "t1" {',
+    '  const expected = "Hello Alice!"',
+    '}',
+  ];
+  const { testBlock } = parseTestBlock("test.jh", lines, 0);
+  assert.equal(testBlock.steps[0].type, "test_const");
+  if (testBlock.steps[0].type === "test_const") {
+    assert.equal(testBlock.steps[0].name, "expected");
+    assert.equal(testBlock.steps[0].value, "Hello Alice!");
+  }
+});
+
+test("parseTestBlock: parses `mock prompt <ident>` as a const reference", () => {
+  const lines = [
+    'test "t1" {',
+    '  const r = "ok"',
+    '  mock prompt r',
+    '}',
+  ];
+  const { testBlock } = parseTestBlock("test.jh", lines, 0);
+  assert.equal(testBlock.steps[1].type, "test_mock_prompt");
+  if (testBlock.steps[1].type === "test_mock_prompt") {
+    assert.equal(testBlock.steps[1].response, "");
+    assert.equal(testBlock.steps[1].responseVar, "r");
+  }
+});
+
+test("parseTestBlock: parses `expect_equal var <ident>` as a const reference", () => {
+  const lines = [
+    'test "t1" {',
+    '  const expected = "x"',
+    '  expect_equal response expected',
+    '}',
+  ];
+  const { testBlock } = parseTestBlock("test.jh", lines, 0);
+  assert.equal(testBlock.steps[1].type, "test_expect_equal");
+  if (testBlock.steps[1].type === "test_expect_equal") {
+    assert.equal(testBlock.steps[1].variable, "response");
+    assert.equal(testBlock.steps[1].expected, "");
+    assert.equal(testBlock.steps[1].expectedVar, "expected");
+  }
+});
+
+test("parseTestBlock: parses `expect_contain` and `expect_not_contain` with const reference", () => {
+  const lines = [
+    'test "t1" {',
+    '  const sub = "hello"',
+    '  expect_contain response sub',
+    '  expect_not_contain response sub',
+    '}',
+  ];
+  const { testBlock } = parseTestBlock("test.jh", lines, 0);
+  assert.equal(testBlock.steps[1].type, "test_expect_contain");
+  if (testBlock.steps[1].type === "test_expect_contain") {
+    assert.equal(testBlock.steps[1].substringVar, "sub");
+  }
+  assert.equal(testBlock.steps[2].type, "test_expect_not_contain");
+  if (testBlock.steps[2].type === "test_expect_not_contain") {
+    assert.equal(testBlock.steps[2].substringVar, "sub");
+  }
+});
+
 test("parseTestBlock: rejects old camelCase expectContain", () => {
   const lines = [
     'test "t1" {',
diff --git a/src/parse/steps.ts b/src/parse/steps.ts
index a7a4427d..6db91f01 100644
--- a/src/parse/steps.ts
+++ b/src/parse/steps.ts
@@ -2,6 +2,7 @@ import type { WorkflowStepDef } from "../types";
 import { parseConstRhs } from "./const-rhs";
 import { fail, indexOfClosingDoubleQuote, isRef, parseCallRef, parseLogMessageRhs } from "./core";
 import { parseAnonymousInlineScript } from "./inline-script";
+import { isBareIdentifierReturn, bareIdentifierToQuotedString, isBareDottedIdentifierReturn, dottedReturnToQuotedString } from "./workflow-return-dotted";
 
 /** Reject non-empty trailing content after a call expression (e.g. shell redirection). */
 function rejectTrailingContent(
@@ -152,7 +153,19 @@ function parseCatchStatement(
         };
       }
     }
-    return { type: "return", value: retVal, loc: { line: lineNo, col } };
+    const isBareDotted = isBareDottedIdentifierReturn(retVal);
+    const isBare = !isBareDotted && isBareIdentifierReturn(retVal);
+    const value = isBareDotted
+      ? dottedReturnToQuotedString(retVal)
+      : isBare
+        ? bareIdentifierToQuotedString(retVal)
+        : retVal;
+    return {
+      type: "return",
+      value,
+      loc: { line: lineNo, col },
+      ...(isBareDotted || isBare ? { bareSource: retVal.trim() } : {}),
+    };
   }
   if (/^fail\s+/.test(t)) {
     const arg = t.slice("fail".length).trimStart();
@@ -211,6 +224,47 @@ function parseCatchStatement(
         loc: { line: lineNo, col },
       };
     }
+    // Check for run ... recover inside catch/recover blocks
+    const recoverLoopMatch = runBody.match(/ recover(?=[\s(])/);
+    if (recoverLoopMatch) {
+      const recLoopIdx = recoverLoopMatch.index!;
+      const leftPart = runBody.slice(0, recLoopIdx).trim();
+      const rightPart = runBody.slice(recLoopIdx + " recover".length).trimStart();
+      const callPart = parseCallRef(leftPart);
+      if (callPart && !callPart.rest.trim() && rightPart.startsWith("(")) {
+        const closeParen = rightPart.indexOf(")");
+        if (closeParen !== -1) {
+          const bStr = rightPart.slice(1, closeParen).trim();
+          const bParts = bStr.split(",").map((s) => s.trim()).filter(Boolean);
+          if (bParts.length === 1 && /^[A-Za-z_][A-Za-z0-9_]*$/.test(bParts[0])) {
+            const bindings = { failure: bParts[0] };
+            const after = rightPart.slice(closeParen + 1).trim();
+            if (after.startsWith("{") && after.endsWith("}")) {
+              const blockContent = after.slice(1, -1).trim();
+              const stmts = splitCatchStatements(blockContent);
+              const blockSteps = stmts.map((s) => parseCatchStatement(filePath, lineNo, col, s));
+              return {
+                type: "run",
+                workflow: { value: callPart.ref, loc: { line: lineNo, col } },
+                args: callPart.args,
+                ...(callPart.bareIdentifierArgs ? { bareIdentifierArgs: callPart.bareIdentifierArgs } : {}),
+                recoverLoop: { block: blockSteps, bindings },
+              };
+            }
+            if (!after.startsWith("{") && after) {
+              const singleStep = parseCatchStatement(filePath, lineNo, col, after);
+              return {
+                type: "run",
+                workflow: { value: callPart.ref, loc: { line: lineNo, col } },
+                args: callPart.args,
+                ...(callPart.bareIdentifierArgs ? { bareIdentifierArgs: callPart.bareIdentifierArgs } : {}),
+                recoverLoop: { single: singleStep, bindings },
+              };
+            }
+          }
+        }
+      }
+    }
     // Check for run ... catch inside catch blocks
     const recIdx = runBody.indexOf(" catch ");
     if (recIdx !== -1) {
@@ -483,6 +537,122 @@ export function parseEnsureStep(
   return { step: { ...base, recover: { single: singleStep, bindings } }, nextIdx: idx };
 }
 
+/**
+ * Try to parse `run <ref>(args) recover(binding) { ... }` syntax (loop semantics).
+ * Returns null if the run body does not contain ` recover `.
+ */
+export function parseRunRecoverStep(
+  filePath: string,
+  lines: string[],
+  idx: number,
+  innerNo: number,
+  innerRaw: string,
+  runBody: string,
+  captureName?: string,
+): { step: WorkflowStepDef; nextIdx: number } | null {
+  // Match ` recover(`, ` recover `, or ` recover` at end of line
+  const recoverMatch = runBody.match(/ recover(?=[\s(]|$)/);
+  if (!recoverMatch) return null;
+  const recoverIdx = recoverMatch.index!;
+
+  if (/ recover$/.test(runBody)) {
+    const recoverCol = innerRaw.indexOf("recover") + 1;
+    fail(
+      filePath,
+      'recover requires explicit bindings and a body: recover(<name>) { ... }',
+      innerNo,
+      recoverCol,
+    );
+  }
+
+  const left = runBody.slice(0, recoverIdx).trim();
+  const right = runBody.slice(recoverIdx + " recover".length).trimStart();
+  const call = parseCallRef(left);
+  if (!call || call.rest.trim()) return null;
+  const runCol = innerRaw.indexOf("run") + 1;
+  const recoverCol = innerRaw.indexOf("recover") + 1;
+
+  if (!right.startsWith("(")) {
+    fail(
+      filePath,
+      'recover requires explicit bindings: recover(<name>) { ... }',
+      innerNo,
+      recoverCol,
+    );
+  }
+
+  const closeParen = right.indexOf(")");
+  if (closeParen === -1) {
+    fail(filePath, 'unterminated recover bindings: expected ")"', innerNo, recoverCol);
+  }
+  const bindingsStr = right.slice(1, closeParen).trim();
+  const bindingParts = bindingsStr.split(",").map((s) => s.trim()).filter(Boolean);
+  if (bindingParts.length === 0) {
+    fail(filePath, "recover requires exactly one binding: recover(<name>) { ... }", innerNo, recoverCol);
+  }
+  if (bindingParts.length > 1) {
+    fail(filePath, "recover accepts exactly one binding: recover(<name>)", innerNo, recoverCol);
+  }
+  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(bindingParts[0])) {
+    fail(filePath, `invalid recover binding name: "${bindingParts[0]}" — must be a valid identifier`, innerNo, recoverCol);
+  }
+  const bindings = { failure: bindingParts[0] };
+
+  const afterBindings = right.slice(closeParen + 1).trim();
+  const base = {
+    type: "run" as const,
+    workflow: { value: call.ref, loc: { line: innerNo, col: runCol } },
+    args: call.args,
+    ...(call.bareIdentifierArgs ? { bareIdentifierArgs: call.bareIdentifierArgs } : {}),
+    ...(captureName ? { captureName } : {}),
+  };
+
+  if (afterBindings === "{") {
+    let blockLines: string[] = [];
+    let closeLineIdx = -1;
+    let braceDepth = 1;
+    for (let look = idx + 1; look < lines.length; look += 1) {
+      const trimmed = lines[look].trim();
+      if (trimmed.endsWith("{")) braceDepth += 1;
+      if (trimmed === "}") {
+        braceDepth -= 1;
+        if (braceDepth === 0) { closeLineIdx = look; break; }
+      }
+      blockLines.push(trimmed);
+    }
+    if (closeLineIdx === -1) {
+      fail(filePath, 'unterminated recover block, expected "}"', innerNo, recoverCol);
+    }
+    const statements = splitCatchStatements(blockLines.join("\n"));
+    if (statements.length === 0) {
+      fail(filePath, "recover block must contain at least one statement", innerNo, recoverCol);
+    }
+    const blockSteps = statements.map((s) => parseCatchStatement(filePath, innerNo, 1, s));
+    return { step: { ...base, recoverLoop: { block: blockSteps, bindings } }, nextIdx: closeLineIdx };
+  }
+
+  if (afterBindings.startsWith("{")) {
+    const closeBrace = afterBindings.indexOf("}");
+    if (closeBrace === -1) {
+      fail(filePath, 'unterminated recover block, expected "}"', innerNo, recoverCol);
+    }
+    const blockContent = afterBindings.slice(1, closeBrace).trim();
+    const statements = splitCatchStatements(blockContent);
+    if (statements.length === 0) {
+      fail(filePath, "recover block must contain at least one statement", innerNo, recoverCol);
+    }
+    const blockSteps = statements.map((s) => parseCatchStatement(filePath, innerNo, recoverCol, s));
+    return { step: { ...base, recoverLoop: { block: blockSteps, bindings } }, nextIdx: idx };
+  }
+
+  if (!afterBindings) {
+    fail(filePath, "recover requires a body after bindings", innerNo, recoverCol);
+  }
+
+  const singleStep = parseCatchStatement(filePath, innerNo, recoverCol, afterBindings);
+  return { step: { ...base, recoverLoop: { single: singleStep, bindings } }, nextIdx: idx };
+}
+
 /**
  * Try to parse `run <ref>(args) catch (bindings) { ... }` syntax.
  * Returns null if the run body does not contain ` catch `.
diff --git a/src/parse/tests.ts b/src/parse/tests.ts
index 2a44cca6..0771a0bc 100644
--- a/src/parse/tests.ts
+++ b/src/parse/tests.ts
@@ -157,9 +157,19 @@ export function parseTestBlock(
       if (arg.startsWith("'")) {
         fail(filePath, 'single-quoted strings are not supported; use double quotes ("...") instead', innerNo, innerRaw.indexOf("mock"));
       }
+      // `mock prompt <ident>` resolves the ident from a previously declared `const` in this block.
+      if (/^[A-Za-z_][A-Za-z0-9_]*$/.test(arg)) {
+        testBlock.steps.push({
+          type: "test_mock_prompt",
+          response: "",
+          responseVar: arg,
+          loc,
+        });
+        continue;
+      }
       const isDoubleQuoted = arg.startsWith('"') && hasUnescapedClosingQuote(arg, 1);
       if (!isDoubleQuoted) {
-        fail(filePath, 'mock prompt must be: mock prompt "<response>" or mock prompt { "pattern" => "response", _ => "default" }', innerNo, innerRaw.indexOf("mock"));
+        fail(filePath, 'mock prompt must be: mock prompt "<response>", mock prompt <const_name>, or mock prompt { "pattern" => "response", _ => "default" }', innerNo, innerRaw.indexOf("mock"));
       }
       testBlock.steps.push({
         type: "test_mock_prompt",
@@ -215,6 +225,17 @@ export function parseTestBlock(
       });
       continue;
     }
+    const expectContainVarMatch = inner.match(/^expect_contain\s+([A-Za-z_][A-Za-z0-9_]*)\s+([A-Za-z_][A-Za-z0-9_]*)\s*$/);
+    if (expectContainVarMatch) {
+      testBlock.steps.push({
+        type: "test_expect_contain",
+        variable: expectContainVarMatch[1],
+        substring: "",
+        substringVar: expectContainVarMatch[2],
+        loc,
+      });
+      continue;
+    }
 
     // --- expect_not_contain (snake_case) ---
     const expectNotContainMatch = inner.match(/^expect_not_contain\s+([A-Za-z_][A-Za-z0-9_]*)\s+"((?:[^"\\]|\\.)*)"\s*$/);
@@ -227,6 +248,17 @@ export function parseTestBlock(
       });
       continue;
     }
+    const expectNotContainVarMatch = inner.match(/^expect_not_contain\s+([A-Za-z_][A-Za-z0-9_]*)\s+([A-Za-z_][A-Za-z0-9_]*)\s*$/);
+    if (expectNotContainVarMatch) {
+      testBlock.steps.push({
+        type: "test_expect_not_contain",
+        variable: expectNotContainVarMatch[1],
+        substring: "",
+        substringVar: expectNotContainVarMatch[2],
+        loc,
+      });
+      continue;
+    }
 
     // --- expect_equal (snake_case) ---
     const expectEqualMatch = inner.match(/^expect_equal\s+([A-Za-z_][A-Za-z0-9_]*)\s+"((?:[^"\\]|\\.)*)"\s*$/);
@@ -239,6 +271,17 @@ export function parseTestBlock(
       });
       continue;
     }
+    const expectEqualVarMatch = inner.match(/^expect_equal\s+([A-Za-z_][A-Za-z0-9_]*)\s+([A-Za-z_][A-Za-z0-9_]*)\s*$/);
+    if (expectEqualVarMatch) {
+      testBlock.steps.push({
+        type: "test_expect_equal",
+        variable: expectEqualVarMatch[1],
+        expected: "",
+        expectedVar: expectEqualVarMatch[2],
+        loc,
+      });
+      continue;
+    }
 
     // --- Reject old camelCase assertions ---
     if (/^expectContain\s/.test(inner)) {
@@ -251,6 +294,20 @@ export function parseTestBlock(
       fail(filePath, 'camelCase assertions are no longer supported; use "expect_equal"', innerNo, col);
     }
 
+    // --- const NAME = "literal" (test-scope string binding) ---
+    // Must come before the `const ... = run` matcher so plain literal consts win.
+    // Only double-quoted string literals are supported in v1; no interpolation.
+    const constLiteralMatch = inner.match(/^const\s+([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"((?:[^"\\]|\\.)*)"\s*$/);
+    if (constLiteralMatch) {
+      testBlock.steps.push({
+        type: "test_const",
+        name: constLiteralMatch[1],
+        value: constLiteralMatch[2].replace(/\\"/g, '"').replace(/\\n/g, "\n").replace(/\\\\/g, "\\"),
+        loc,
+      });
+      continue;
+    }
+
     // --- const capture = run ref("args") [allow_failure] ---
     const constRunMatch = inner.match(
       /^const\s+([A-Za-z_][A-Za-z0-9_]*)\s*=\s*run\s+([A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)?)\s*\(([^)]*)\)(?:\s+(allow_failure))?\s*$/,
diff --git a/src/parse/workflow-brace.ts b/src/parse/workflow-brace.ts
index 120dfeb2..bd4099df 100644
--- a/src/parse/workflow-brace.ts
+++ b/src/parse/workflow-brace.ts
@@ -11,11 +11,11 @@ import {
 import { parseTripleQuoteBlock, tripleQuoteBodyToRaw } from "./triple-quote";
 import { parseConstRhs } from "./const-rhs";
 import { parseAnonymousInlineScript } from "./inline-script";
-import { parseEnsureStep, parseRunCatchStep } from "./steps";
+import { parseEnsureStep, parseRunCatchStep, parseRunRecoverStep } from "./steps";
 import { parsePromptStep } from "./prompt";
 import { parseSendRhs } from "./send-rhs";
 import { parseMatchExpr } from "./match";
-import { dottedReturnToQuotedString, isBareDottedIdentifierReturn } from "./workflow-return-dotted";
+import { dottedReturnToQuotedString, isBareDottedIdentifierReturn, isBareIdentifierReturn, bareIdentifierToQuotedString } from "./workflow-return-dotted";
 import {
   expandBlockLineStatements,
   findClosingBraceIndex,
@@ -254,6 +254,11 @@ export function parseBlockStatement(
     if (runBody.startsWith("script(") || runBody.startsWith("script (")) {
       fail(filePath, 'inline script syntax has changed: use run `body`(args) instead of run script(args) "body"', innerNo);
     }
+    // Check for run ... recover (loop semantics)
+    const recoverResult = parseRunRecoverStep(filePath, lines, idx, innerNo, innerRaw, runBody);
+    if (recoverResult) {
+      return { step: recoverResult.step, nextIdx: recoverResult.nextIdx + 1 };
+    }
     // Check for run ... catch
     const catchResult = parseRunCatchStep(filePath, lines, idx, innerNo, innerRaw, runBody);
     if (catchResult) {
@@ -320,6 +325,28 @@ export function parseBlockStatement(
   if (inner.startsWith("log ") || inner === "log") {
     const logArg = inner.slice("log".length).trimStart();
     const logCol = innerRaw.indexOf("log") + 1;
+    if (logArg.startsWith("run ") && logArg.slice("run ".length).trimStart().startsWith("`")) {
+      const runBody = logArg.slice("run ".length).trim();
+      const result = parseAnonymousInlineScript(filePath, lines, idx, runBody, innerNo, logCol);
+      return {
+        step: {
+          type: "log",
+          message: "",
+          loc: { line: innerNo, col: logCol },
+          managed: {
+            kind: "run_inline_script",
+            body: result.body,
+            ...(result.lang ? { lang: result.lang } : {}),
+            args: result.args,
+            ...(result.bareIdentifierArgs ? { bareIdentifierArgs: result.bareIdentifierArgs } : {}),
+          },
+        },
+        nextIdx: result.nextLineIdx,
+      };
+    }
+    if (logArg.startsWith("`") || logArg.startsWith("```")) {
+      fail(filePath, 'bare inline scripts in log are not allowed; use "log run `...`()" to execute a managed inline script', innerNo, logCol);
+    }
     if (logArg.startsWith('"""')) {
       const tqLines = [...lines];
       tqLines[idx] = logArg;
@@ -337,6 +364,28 @@ export function parseBlockStatement(
   if (inner.startsWith("logerr ") || inner === "logerr") {
     const logerrArg = inner.slice("logerr".length).trimStart();
     const logerrCol = innerRaw.indexOf("logerr") + 1;
+    if (logerrArg.startsWith("run ") && logerrArg.slice("run ".length).trimStart().startsWith("`")) {
+      const runBody = logerrArg.slice("run ".length).trim();
+      const result = parseAnonymousInlineScript(filePath, lines, idx, runBody, innerNo, logerrCol);
+      return {
+        step: {
+          type: "logerr",
+          message: "",
+          loc: { line: innerNo, col: logerrCol },
+          managed: {
+            kind: "run_inline_script",
+            body: result.body,
+            ...(result.lang ? { lang: result.lang } : {}),
+            args: result.args,
+            ...(result.bareIdentifierArgs ? { bareIdentifierArgs: result.bareIdentifierArgs } : {}),
+          },
+        },
+        nextIdx: result.nextLineIdx,
+      };
+    }
+    if (logerrArg.startsWith("`") || logerrArg.startsWith("```")) {
+      fail(filePath, 'bare inline scripts in logerr are not allowed; use "logerr run `...`()" to execute a managed inline script', innerNo, logerrCol);
+    }
     if (logerrArg.startsWith('"""')) {
       const tqLines = [...lines];
       tqLines[idx] = logerrArg;
@@ -393,7 +442,26 @@ export function parseBlockStatement(
       };
     }
     if (returnValue.startsWith("run ")) {
-      const call = parseCallRef(returnValue.slice("run ".length).trim());
+      const runBody = returnValue.slice("run ".length).trim();
+      if (runBody.startsWith("`")) {
+        const result = parseAnonymousInlineScript(filePath, lines, idx, runBody, innerNo, innerRaw.indexOf("run") + 1);
+        return {
+          step: {
+            type: "return",
+            value: `run inline_script`,
+            loc: retLoc,
+            managed: {
+              kind: "run_inline_script",
+              body: result.body,
+              ...(result.lang ? { lang: result.lang } : {}),
+              args: result.args,
+              ...(result.bareIdentifierArgs ? { bareIdentifierArgs: result.bareIdentifierArgs } : {}),
+            },
+          },
+          nextIdx: result.nextLineIdx,
+        };
+      }
+      const call = parseCallRef(runBody);
       if (call) {
         rejectTrailingContent(filePath, innerNo, "run", call.rest);
         return {
@@ -428,6 +496,9 @@ export function parseBlockStatement(
         };
       }
     }
+    if (returnValue.startsWith("`") || returnValue.startsWith("```")) {
+      fail(filePath, 'bare inline scripts in return are not allowed; use "return run `...`()" to execute a managed inline script', innerNo, retLoc.col);
+    }
     if (returnValue.startsWith("'")) {
       fail(filePath, 'single-quoted strings are not supported; use double quotes ("...") instead', innerNo, retLoc.col);
     }
@@ -435,20 +506,26 @@ export function parseBlockStatement(
       !(/^[0-9]+$/.test(returnValue) || returnValue === "$?") &&
       (returnValue.startsWith('"') ||
         returnValue.startsWith("$") ||
-        isBareDottedIdentifierReturn(returnValue))
+        isBareDottedIdentifierReturn(returnValue) ||
+        isBareIdentifierReturn(returnValue))
     ) {
       // Reject multiline "..."
       if (returnValue.startsWith('"') && !hasUnescapedClosingQuote(returnValue, 1)) {
         fail(filePath, 'multiline strings use triple quotes: return """..."""', innerNo, retLoc.col);
       }
-      const value = isBareDottedIdentifierReturn(returnValue)
+      const isBareDotted = isBareDottedIdentifierReturn(returnValue);
+      const isBare = !isBareDotted && isBareIdentifierReturn(returnValue);
+      const value = isBareDotted
         ? dottedReturnToQuotedString(returnValue)
-        : returnValue;
+        : isBare
+          ? bareIdentifierToQuotedString(returnValue)
+          : returnValue;
       return {
         step: {
           type: "return",
           value,
           loc: retLoc,
+          ...(isBareDotted || isBare ? { bareSource: returnValue.trim() } : {}),
         },
         nextIdx: idx + 1,
       };
diff --git a/src/parse/workflow-return-dotted.ts b/src/parse/workflow-return-dotted.ts
index d5192d28..723d1e62 100644
--- a/src/parse/workflow-return-dotted.ts
+++ b/src/parse/workflow-return-dotted.ts
@@ -13,3 +13,18 @@ export function dottedReturnToQuotedString(expr: string): string {
   const inner = "$" + "{" + t + "}";
   return '"' + inner + '"';
 }
+
+/**
+ * Bare `response` in `return response` is sugar for `return "${response}"`
+ * (same interpolation as in double-quoted strings).
+ */
+const BARE_IDENTIFIER_RETURN_RE = /^[a-zA-Z_][a-zA-Z0-9_]*$/;
+
+export function isBareIdentifierReturn(expr: string): boolean {
+  return BARE_IDENTIFIER_RETURN_RE.test(expr.trim());
+}
+
+export function bareIdentifierToQuotedString(expr: string): string {
+  const t = expr.trim();
+  return '"${' + t + '}"';
+}
diff --git a/src/parse/workflows.ts b/src/parse/workflows.ts
index 7f5cbccb..187a1e36 100644
--- a/src/parse/workflows.ts
+++ b/src/parse/workflows.ts
@@ -15,9 +15,9 @@ import { parseConfigBlock } from "./metadata";
 import { parsePromptStep } from "./prompt";
 import { parseSendRhs } from "./send-rhs";
 import { parseAnonymousInlineScript } from "./inline-script";
-import { parseEnsureStep, parseRunCatchStep } from "./steps";
+import { parseEnsureStep, parseRunCatchStep, parseRunRecoverStep } from "./steps";
 import { parseBraceBlockBody, parseBlockStatement } from "./workflow-brace";
-import { dottedReturnToQuotedString, isBareDottedIdentifierReturn } from "./workflow-return-dotted";
+import { dottedReturnToQuotedString, isBareDottedIdentifierReturn, isBareIdentifierReturn, bareIdentifierToQuotedString } from "./workflow-return-dotted";
 import { parseMatchExpr } from "./match";
 import {
   expandBlockLineStatements,
@@ -142,6 +142,9 @@ export function parseWorkflowBlock(
         if (metadata.runtime) {
           fail(filePath, "runtime.* keys are not allowed in workflow-level config (only agent.* and run.* keys)", lineNo);
         }
+        if (metadata.module) {
+          fail(filePath, "module.* keys are not allowed in workflow-level config (only agent.* and run.* keys)", lineNo);
+        }
         workflow.metadata = metadata;
         continue;
       }
@@ -201,6 +204,9 @@ export function parseWorkflowBlock(
       if (metadata.runtime) {
         fail(filePath, "runtime.* keys are not allowed in workflow-level config (only agent.* and run.* keys)", innerNo);
       }
+      if (metadata.module) {
+        fail(filePath, "module.* keys are not allowed in workflow-level config (only agent.* and run.* keys)", innerNo);
+      }
       workflow.metadata = metadata;
       idx = nextIndex - 1;
       continue;
@@ -352,6 +358,22 @@ export function parseWorkflowBlock(
       if (runBody.startsWith("`")) {
         fail(filePath, "run async is not supported with inline scripts", innerNo, innerRaw.indexOf("run") + 1);
       }
+      // Check for run async ... recover (loop semantics)
+      const recoverResult = parseRunRecoverStep(filePath, lines, idx, innerNo, innerRaw, runBody);
+      if (recoverResult) {
+        if (recoverResult.step.type === "run") recoverResult.step.async = true;
+        workflow.steps.push(recoverResult.step);
+        idx = recoverResult.nextIdx;
+        continue;
+      }
+      // Check for run async ... catch
+      const catchResult = parseRunCatchStep(filePath, lines, idx, innerNo, innerRaw, runBody);
+      if (catchResult) {
+        if (catchResult.step.type === "run") catchResult.step.async = true;
+        workflow.steps.push(catchResult.step);
+        idx = catchResult.nextIdx;
+        continue;
+      }
       const call = parseCallRef(runBody);
       if (!call) {
         fail(filePath, "run async must target a valid reference: run async ref() or run async ref(args) — parentheses are required", innerNo);
@@ -388,6 +410,13 @@ export function parseWorkflowBlock(
       if (runBody.startsWith("script(") || runBody.startsWith("script (")) {
         fail(filePath, 'inline script syntax has changed: use run `body`(args) instead of run script(args) "body"', innerNo);
       }
+      // Check for run ... recover (loop semantics)
+      const recoverResult = parseRunRecoverStep(filePath, lines, idx, innerNo, innerRaw, runBody);
+      if (recoverResult) {
+        workflow.steps.push(recoverResult.step);
+        idx = recoverResult.nextIdx;
+        continue;
+      }
       // Check for run ... catch
       const catchResult = parseRunCatchStep(filePath, lines, idx, innerNo, innerRaw, runBody);
       if (catchResult) {
@@ -415,6 +444,27 @@ export function parseWorkflowBlock(
     if (inner.startsWith("log ") || inner === "log") {
       const logArg = inner.slice("log".length).trimStart();
       const logCol = innerRaw.indexOf("log") + 1;
+      if (logArg.startsWith("run ") && logArg.slice("run ".length).trimStart().startsWith("`")) {
+        const runBody = logArg.slice("run ".length).trim();
+        const result = parseAnonymousInlineScript(filePath, lines, idx, runBody, innerNo, logCol);
+        workflow.steps.push({
+          type: "log",
+          message: "",
+          loc: { line: innerNo, col: logCol },
+          managed: {
+            kind: "run_inline_script",
+            body: result.body,
+            ...(result.lang ? { lang: result.lang } : {}),
+            args: result.args,
+            ...(result.bareIdentifierArgs ? { bareIdentifierArgs: result.bareIdentifierArgs } : {}),
+          },
+        });
+        idx = result.nextLineIdx - 1;
+        continue;
+      }
+      if (logArg.startsWith("`") || logArg.startsWith("```")) {
+        fail(filePath, 'bare inline scripts in log are not allowed; use "log run `...`()" to execute a managed inline script', innerNo, logCol);
+      }
       if (logArg.startsWith('"""')) {
         const tqLines = [...lines];
         tqLines[idx] = logArg;
@@ -435,6 +485,27 @@ export function parseWorkflowBlock(
     if (inner.startsWith("logerr ") || inner === "logerr") {
       const logerrArg = inner.slice("logerr".length).trimStart();
       const logerrCol = innerRaw.indexOf("logerr") + 1;
+      if (logerrArg.startsWith("run ") && logerrArg.slice("run ".length).trimStart().startsWith("`")) {
+        const runBody = logerrArg.slice("run ".length).trim();
+        const result = parseAnonymousInlineScript(filePath, lines, idx, runBody, innerNo, logerrCol);
+        workflow.steps.push({
+          type: "logerr",
+          message: "",
+          loc: { line: innerNo, col: logerrCol },
+          managed: {
+            kind: "run_inline_script",
+            body: result.body,
+            ...(result.lang ? { lang: result.lang } : {}),
+            args: result.args,
+            ...(result.bareIdentifierArgs ? { bareIdentifierArgs: result.bareIdentifierArgs } : {}),
+          },
+        });
+        idx = result.nextLineIdx - 1;
+        continue;
+      }
+      if (logerrArg.startsWith("`") || logerrArg.startsWith("```")) {
+        fail(filePath, 'bare inline scripts in logerr are not allowed; use "logerr run `...`()" to execute a managed inline script', innerNo, logerrCol);
+      }
       if (logerrArg.startsWith('"""')) {
         const tqLines = [...lines];
         tqLines[idx] = logerrArg;
@@ -491,7 +562,25 @@ export function parseWorkflowBlock(
         continue;
       }
       if (returnValue.startsWith("run ")) {
-        const call = parseCallRef(returnValue.slice("run ".length).trim());
+        const runBody = returnValue.slice("run ".length).trim();
+        if (runBody.startsWith("`")) {
+          const result = parseAnonymousInlineScript(filePath, lines, idx, runBody, innerNo, innerRaw.indexOf("run") + 1);
+          workflow.steps.push({
+            type: "return",
+            value: `run inline_script`,
+            loc: retLoc,
+            managed: {
+              kind: "run_inline_script",
+              body: result.body,
+              ...(result.lang ? { lang: result.lang } : {}),
+              args: result.args,
+              ...(result.bareIdentifierArgs ? { bareIdentifierArgs: result.bareIdentifierArgs } : {}),
+            },
+          });
+          idx = result.nextLineIdx - 1;
+          continue;
+        }
+        const call = parseCallRef(runBody);
         if (call) {
           rejectTrailingContent(filePath, innerNo, "run", call.rest);
           workflow.steps.push({
@@ -522,21 +611,29 @@ export function parseWorkflowBlock(
           continue;
         }
       }
+      if (returnValue.startsWith("`") || returnValue.startsWith("```")) {
+        fail(filePath, 'bare inline scripts in return are not allowed; use "return run `...`()" to execute a managed inline script', innerNo, retLoc.col);
+      }
       if (returnValue.startsWith("'")) {
         fail(filePath, 'single-quoted strings are not supported; use double quotes ("...") instead', innerNo, retLoc.col);
       }
-      if (isJaiphValueReturn(returnValue) || isBareDottedIdentifierReturn(returnValue)) {
+      if (isJaiphValueReturn(returnValue) || isBareDottedIdentifierReturn(returnValue) || isBareIdentifierReturn(returnValue)) {
         // Reject multiline "..."
         if (returnValue.startsWith('"') && !hasUnescapedClosingQuote(returnValue, 1)) {
           fail(filePath, 'multiline strings use triple quotes: return """..."""', innerNo, retLoc.col);
         }
-        const value = isBareDottedIdentifierReturn(returnValue)
+        const isBareDotted = isBareDottedIdentifierReturn(returnValue);
+        const isBare = !isBareDotted && isBareIdentifierReturn(returnValue);
+        const value = isBareDotted
           ? dottedReturnToQuotedString(returnValue)
-          : returnValue;
+          : isBare
+            ? bareIdentifierToQuotedString(returnValue)
+            : returnValue;
         workflow.steps.push({
           type: "return",
           value,
           loc: retLoc,
+          ...(isBareDotted || isBare ? { bareSource: returnValue.trim() } : {}),
         });
         continue;
       }
diff --git a/src/runtime/docker.test.ts b/src/runtime/docker.test.ts
index ce422847..02b83019 100644
--- a/src/runtime/docker.test.ts
+++ b/src/runtime/docker.test.ts
@@ -1,23 +1,27 @@
 import test from "node:test";
 import assert from "node:assert/strict";
 import {
-  parseMount,
-  parseMounts,
-  validateMounts,
+  validateMountHostPath,
   resolveDockerConfig,
   buildDockerArgs,
   remapDockerEnv,
   overlayMountPath,
-  findRunArtifacts,
   resolveDockerHostRunsRoot,
   writeOverlayScript,
-  resolveImage,
-  buildImageFromDockerfile,
-  type MountSpec,
+  verifyImageHasJaiph,
+  prepareImage,
+  isEnvAllowed,
+  GHCR_IMAGE_REPO,
+  selectSandboxMode,
+  cloneWorkspaceForSandbox,
+  allocateSandboxWorkspaceDir,
+  pullImageIfNeeded,
+  _dockerExec,
+  _uidDetect,
   type DockerRunConfig,
   type DockerSpawnOptions,
 } from "./docker";
-import { mkdtempSync, writeFileSync, mkdirSync, existsSync, readFileSync, rmSync } from "node:fs";
+import { mkdtempSync, writeFileSync, mkdirSync, existsSync, readFileSync, readdirSync, rmSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join, dirname } from "node:path";
 
@@ -39,8 +43,7 @@ function defaultOpts(overrides?: Partial<DockerSpawnOptions>): DockerSpawnOption
       image: "ubuntu:24.04",
       imageExplicit: false,
       network: "default",
-      timeout: 300,
-      mounts: [{ hostPath: ".", containerPath: "/jaiph/workspace", mode: "rw" }],
+      timeoutSeconds: 300,
     },
     sourceAbs: join(TEST_WS, "main.jh"),
     workspaceRoot: TEST_WS,
@@ -48,166 +51,158 @@ function defaultOpts(overrides?: Partial<DockerSpawnOptions>): DockerSpawnOption
     runArgs: [],
     env: {},
     isTTY: false,
+    sandboxMode: "overlay",
     ...overrides,
   };
 }
 
+function copyOpts(sandboxWorkspaceDir: string, overrides?: Partial<DockerSpawnOptions>): DockerSpawnOptions {
+  return defaultOpts({ sandboxMode: "copy", sandboxWorkspaceDir, ...overrides });
+}
+
 // ---------------------------------------------------------------------------
-// parseMount
+// resolveDockerConfig
 // ---------------------------------------------------------------------------
 
-test("parseMount: 3-segment full form", () => {
-  const m = parseMount(".:/jaiph/workspace:rw");
-  assert.deepStrictEqual(m, { hostPath: ".", containerPath: "/jaiph/workspace", mode: "rw" });
-});
-
-test("parseMount: 3-segment read-only", () => {
-  const m = parseMount("config:/etc/config:ro");
-  assert.deepStrictEqual(m, { hostPath: "config", containerPath: "/etc/config", mode: "ro" });
+test("resolveDockerConfig: defaults when no in-file and no env — Docker on", () => {
+  const cfg = resolveDockerConfig(undefined, {});
+  assert.equal(cfg.enabled, true);
+  assert.ok(cfg.image.startsWith(GHCR_IMAGE_REPO + ":"), `default image should be GHCR: ${cfg.image}`);
+  assert.equal(cfg.network, "default");
+  assert.equal(cfg.timeoutSeconds, 3600);
 });
 
-test("parseMount: 2-segment shorthand", () => {
-  const m = parseMount("config:ro");
-  assert.deepStrictEqual(m, { hostPath: "config", containerPath: "/jaiph/workspace/config", mode: "ro" });
+test("resolveDockerConfig: in-file image/timeout overrides defaults (dockerEnabled removed)", () => {
+  const cfg = resolveDockerConfig(
+    { dockerImage: "alpine:3.19", dockerTimeoutSeconds: 60 },
+    {},
+  );
+  assert.equal(cfg.enabled, true, "enabled defaults to true (no JAIPH_UNSAFE)");
+  assert.equal(cfg.image, "alpine:3.19");
+  assert.equal(cfg.timeoutSeconds, 60);
 });
 
-test("parseMount: 2-segment rw shorthand", () => {
-  const m = parseMount("data:rw");
-  assert.deepStrictEqual(m, { hostPath: "data", containerPath: "/jaiph/workspace/data", mode: "rw" });
+test("resolveDockerConfig: env overrides in-file image", () => {
+  const cfg = resolveDockerConfig(
+    { dockerImage: "alpine:3.19" },
+    { JAIPH_DOCKER_ENABLED: "false", JAIPH_DOCKER_IMAGE: "debian:12" },
+  );
+  assert.equal(cfg.enabled, false);
+  assert.equal(cfg.image, "debian:12");
 });
 
-test("parseMount: 1 segment throws E_PARSE", () => {
-  assert.throws(() => parseMount("onlyone"), /E_PARSE/);
+test("resolveDockerConfig: CI=true does NOT disable Docker (CI runs the real sandbox path)", () => {
+  const cfg = resolveDockerConfig(undefined, { CI: "true" });
+  assert.equal(cfg.enabled, true);
 });
 
-test("parseMount: invalid mode in 3-segment throws E_PARSE", () => {
-  assert.throws(() => parseMount("a:b:wx"), /E_PARSE.*mode/);
+test("resolveDockerConfig: CI=true does not disable Docker (env-only control)", () => {
+  const cfg = resolveDockerConfig(undefined, { CI: "true" });
+  assert.equal(cfg.enabled, true);
 });
 
-test("parseMount: invalid mode in 2-segment throws E_PARSE", () => {
-  assert.throws(() => parseMount("a:wx"), /E_PARSE.*mode/);
+test("resolveDockerConfig: env JAIPH_DOCKER_ENABLED=false disables even when CI=true", () => {
+  const cfg = resolveDockerConfig(undefined, { CI: "true", JAIPH_DOCKER_ENABLED: "false" });
+  assert.equal(cfg.enabled, false);
 });
 
-// ---------------------------------------------------------------------------
-// validateMounts
-// ---------------------------------------------------------------------------
-
-test("validateMounts: exactly one /jaiph/workspace mount passes", () => {
-  const mounts: MountSpec[] = [
-    { hostPath: ".", containerPath: "/jaiph/workspace", mode: "rw" },
-    { hostPath: "config", containerPath: "/jaiph/workspace/config", mode: "ro" },
-  ];
-  assert.doesNotThrow(() => validateMounts(mounts));
+test("resolveDockerConfig: JAIPH_UNSAFE=true disables Docker by default", () => {
+  const cfg = resolveDockerConfig(undefined, { JAIPH_UNSAFE: "true" });
+  assert.equal(cfg.enabled, false);
 });
 
-test("validateMounts: no /jaiph/workspace mount throws E_VALIDATE", () => {
-  const mounts: MountSpec[] = [
-    { hostPath: ".", containerPath: "/app", mode: "rw" },
-  ];
-  assert.throws(() => validateMounts(mounts), /E_VALIDATE.*\/jaiph\/workspace/);
+test("resolveDockerConfig: JAIPH_UNSAFE=true with env JAIPH_DOCKER_ENABLED=true enables Docker", () => {
+  const cfg = resolveDockerConfig(undefined, { JAIPH_UNSAFE: "true", JAIPH_DOCKER_ENABLED: "true" });
+  assert.equal(cfg.enabled, true);
 });
 
-test("validateMounts: multiple /jaiph/workspace mounts throws E_VALIDATE", () => {
-  const mounts: MountSpec[] = [
-    { hostPath: ".", containerPath: "/jaiph/workspace", mode: "rw" },
-    { hostPath: "other", containerPath: "/jaiph/workspace", mode: "ro" },
-  ];
-  assert.throws(() => validateMounts(mounts), /E_VALIDATE.*multiple/);
+test("resolveDockerConfig: both CI and JAIPH_UNSAFE unset with explicit JAIPH_DOCKER_ENABLED=false disables", () => {
+  const cfg = resolveDockerConfig(undefined, { JAIPH_DOCKER_ENABLED: "false" });
+  assert.equal(cfg.enabled, false);
 });
 
-// ---------------------------------------------------------------------------
-// parseMounts
-// ---------------------------------------------------------------------------
-
-test("parseMounts: parses and validates multiple mount specs", () => {
-  const mounts = parseMounts([".:/jaiph/workspace:rw", "config:ro"]);
-  assert.equal(mounts.length, 2);
-  assert.equal(mounts[0].containerPath, "/jaiph/workspace");
-  assert.equal(mounts[1].containerPath, "/jaiph/workspace/config");
+test("resolveDockerConfig: network env override", () => {
+  const cfg = resolveDockerConfig(undefined, { JAIPH_DOCKER_NETWORK: "none" });
+  assert.equal(cfg.network, "none");
 });
 
-test("parseMounts: throws when no workspace mount", () => {
-  assert.throws(() => parseMounts(["config:/etc/config:ro"]), /E_VALIDATE/);
+test("resolveDockerConfig: timeout env override", () => {
+  const cfg = resolveDockerConfig(undefined, { JAIPH_DOCKER_TIMEOUT: "120" });
+  assert.equal(cfg.timeoutSeconds, 120);
 });
 
-// ---------------------------------------------------------------------------
-// resolveDockerConfig
-// ---------------------------------------------------------------------------
-
-test("resolveDockerConfig: defaults when no in-file and no env", () => {
-  const cfg = resolveDockerConfig(undefined, {});
-  assert.equal(cfg.enabled, false);
-  assert.equal(cfg.image, "node:20-bookworm");
-  assert.equal(cfg.network, "default");
-  assert.equal(cfg.timeout, 300);
-  assert.equal(cfg.mounts.length, 1);
-  assert.equal(cfg.mounts[0].containerPath, "/jaiph/workspace");
+test("resolveDockerConfig: invalid timeout env throws E_DOCKER_TIMEOUT", () => {
+  assert.throws(
+    () => resolveDockerConfig(undefined, { JAIPH_DOCKER_TIMEOUT: "abc" }),
+    { message: /E_DOCKER_TIMEOUT/ },
+  );
 });
 
-test("resolveDockerConfig: in-file overrides defaults", () => {
-  const cfg = resolveDockerConfig(
-    { dockerEnabled: true, dockerImage: "alpine:3.19", dockerTimeout: 60 },
-    {},
+test("resolveDockerConfig: negative timeout env throws E_DOCKER_TIMEOUT", () => {
+  assert.throws(
+    () => resolveDockerConfig(undefined, { JAIPH_DOCKER_TIMEOUT: "-5" }),
+    { message: /E_DOCKER_TIMEOUT/ },
   );
-  assert.equal(cfg.enabled, true);
-  assert.equal(cfg.image, "alpine:3.19");
-  assert.equal(cfg.timeout, 60);
 });
 
-test("resolveDockerConfig: env overrides in-file", () => {
-  const cfg = resolveDockerConfig(
-    { dockerEnabled: true, dockerImage: "alpine:3.19" },
-    { JAIPH_DOCKER_ENABLED: "false", JAIPH_DOCKER_IMAGE: "debian:12" },
+test("resolveDockerConfig: negative-zero timeout env throws E_DOCKER_TIMEOUT", () => {
+  assert.throws(
+    () => resolveDockerConfig(undefined, { JAIPH_DOCKER_TIMEOUT: "-0" }),
+    { message: /E_DOCKER_TIMEOUT/ },
   );
-  assert.equal(cfg.enabled, false);
-  assert.equal(cfg.image, "debian:12");
 });
 
-test("resolveDockerConfig: CI=true disables Docker by default", () => {
-  const cfg = resolveDockerConfig(undefined, { CI: "true" });
-  assert.equal(cfg.enabled, false);
+test("resolveDockerConfig: trailing junk in timeout env throws E_DOCKER_TIMEOUT", () => {
+  assert.throws(
+    () => resolveDockerConfig(undefined, { JAIPH_DOCKER_TIMEOUT: "300-" }),
+    { message: /E_DOCKER_TIMEOUT/ },
+  );
 });
 
-test("resolveDockerConfig: CI=true with in-file override enables Docker", () => {
-  const cfg = resolveDockerConfig({ dockerEnabled: true }, { CI: "true" });
-  assert.equal(cfg.enabled, true);
+test("resolveDockerConfig: empty timeout env throws E_DOCKER_TIMEOUT", () => {
+  assert.throws(
+    () => resolveDockerConfig(undefined, { JAIPH_DOCKER_TIMEOUT: "" }),
+    { message: /E_DOCKER_TIMEOUT/ },
+  );
 });
 
-test("resolveDockerConfig: env JAIPH_DOCKER_ENABLED=true overrides CI default", () => {
-  const cfg = resolveDockerConfig(undefined, { CI: "true", JAIPH_DOCKER_ENABLED: "true" });
-  assert.equal(cfg.enabled, true);
+test("resolveDockerConfig: timeout env 0 disables timeout", () => {
+  const cfg = resolveDockerConfig(undefined, { JAIPH_DOCKER_TIMEOUT: "0" });
+  assert.equal(cfg.timeoutSeconds, 0);
 });
 
-test("resolveDockerConfig: network env override", () => {
-  const cfg = resolveDockerConfig(undefined, { JAIPH_DOCKER_NETWORK: "none" });
-  assert.equal(cfg.network, "none");
+test("resolveDockerConfig: timeout env 300 accepted", () => {
+  const cfg = resolveDockerConfig(undefined, { JAIPH_DOCKER_TIMEOUT: "300" });
+  assert.equal(cfg.timeoutSeconds, 300);
 });
 
-test("resolveDockerConfig: timeout env override", () => {
-  const cfg = resolveDockerConfig(undefined, { JAIPH_DOCKER_TIMEOUT: "120" });
-  assert.equal(cfg.timeout, 120);
+test("resolveDockerConfig: negative in-file timeout throws E_DOCKER_TIMEOUT", () => {
+  assert.throws(
+    () => resolveDockerConfig({ dockerTimeoutSeconds: -5 }, {}),
+    { message: /E_DOCKER_TIMEOUT/ },
+  );
 });
 
-test("resolveDockerConfig: invalid timeout env falls back to default", () => {
-  const cfg = resolveDockerConfig(undefined, { JAIPH_DOCKER_TIMEOUT: "abc" });
-  assert.equal(cfg.timeout, 300);
+test("resolveDockerConfig: in-file dockerEnabled is ignored (field removed from RuntimeConfig)", () => {
+  // After removal, even if someone constructs a RuntimeConfig with the old shape,
+  // the enabled flag is derived from env only.
+  const cfg = resolveDockerConfig({} as any, { JAIPH_UNSAFE: "true" });
+  assert.equal(cfg.enabled, false, "JAIPH_UNSAFE disables Docker regardless of in-file");
 });
 
-test("resolveDockerConfig: workspace from in-file", () => {
-  const cfg = resolveDockerConfig(
-    { workspace: [".:/jaiph/workspace:rw", "config:ro"] },
-    {},
+test("checkDockerAvailable: E_DOCKER_NOT_FOUND message mentions JAIPH_UNSAFE", () => {
+  const src = readFileSync(join(__dirname, "docker.ts"), "utf8");
+  assert.ok(
+    src.includes("JAIPH_UNSAFE=true to run on the host"),
+    "E_DOCKER_NOT_FOUND must mention JAIPH_UNSAFE escape hatch",
   );
-  assert.equal(cfg.mounts.length, 2);
-  assert.equal(cfg.mounts[0].containerPath, "/jaiph/workspace");
-  assert.equal(cfg.mounts[1].containerPath, "/jaiph/workspace/config");
 });
 
 // ---------------------------------------------------------------------------
 // buildDockerArgs
 // ---------------------------------------------------------------------------
 
-test("buildDockerArgs: workspace ro + overlay-ro + sandbox run rw + fuse device", () => {
+test("buildDockerArgs: workspace-ro + sandbox run rw + fuse device", () => {
   const opts = defaultOpts({ runArgs: ["arg1"] });
   const args = buildDockerArgs(opts, TEST_OVERLAY);
 
@@ -223,15 +218,11 @@ test("buildDockerArgs: workspace ro + overlay-ro + sandbox run rw + fuse device"
 
   const vFlags = args.filter((_, i) => i > 0 && args[i - 1] === "-v");
 
-  // Workspace ro
-  const wsMount = vFlags.find((v) => v.includes("/jaiph/workspace:"));
-  assert.ok(wsMount, "workspace mount present");
-  assert.ok(wsMount!.endsWith(":ro"), "workspace must be ro");
-
   // Overlay lower-layer ro
   const wsRoMount = vFlags.find((v) => v.includes("/jaiph/workspace-ro:"));
   assert.ok(wsRoMount, "workspace-ro mount present");
   assert.ok(wsRoMount!.endsWith(":ro"), "workspace-ro must be ro");
+  assert.ok(!vFlags.some((v) => v.includes("/jaiph/workspace:")), "workspace mount must stay writable inside image");
 
   // Sandbox run dir rw
   const runMount = vFlags.find((v) => v.includes("/jaiph/run:"));
@@ -243,8 +234,8 @@ test("buildDockerArgs: workspace ro + overlay-ro + sandbox run rw + fuse device"
   assert.ok(overlayMount, "overlay script mount present");
   assert.ok(overlayMount!.endsWith(":ro"), "overlay script must be ro");
 
-  // Total: 2 workspace (primary + -ro) + 1 run + 1 overlay script = 4
-  assert.equal(vFlags.length, 4);
+  // Total: 1 workspace-ro + 1 run + 1 overlay script = 3
+  assert.equal(vFlags.length, 3);
 
   // Command: overlay-run.sh → jaiph run --raw <source>
   assert.ok(args.includes("/jaiph/overlay-run.sh"));
@@ -290,26 +281,6 @@ test("buildDockerArgs: overrides JAIPH_WORKSPACE and JAIPH_RUNS_DIR", () => {
   assert.ok(!args.some((a) => a === "JAIPH_RUNS_DIR=/host/runs"));
 });
 
-test("buildDockerArgs: multiple workspace mounts all forced ro", () => {
-  const opts = defaultOpts({
-    config: {
-      ...defaultOpts().config,
-      mounts: [
-        { hostPath: ".", containerPath: "/jaiph/workspace", mode: "rw" },
-        { hostPath: "config", containerPath: "/jaiph/workspace/config", mode: "ro" },
-      ],
-    },
-  });
-  const args = buildDockerArgs(opts, TEST_OVERLAY);
-  const vFlags = args.filter((_, i) => i > 0 && args[i - 1] === "-v");
-  // 2 configured × 2 (primary + -ro) + 1 run + 1 overlay script = 6
-  assert.equal(vFlags.length, 6);
-  assert.ok(vFlags.some((v) => v.includes("/jaiph/workspace:") && v.endsWith(":ro")));
-  assert.ok(vFlags.some((v) => v.includes("/jaiph/workspace-ro:") && v.endsWith(":ro")));
-  assert.ok(vFlags.some((v) => v.includes("/jaiph/workspace/config:") && v.endsWith(":ro")));
-  assert.ok(vFlags.some((v) => v.includes("/jaiph/workspace-ro/config:") && v.endsWith(":ro")));
-});
-
 // ---------------------------------------------------------------------------
 // buildDockerArgs: agent env var forwarding
 // ---------------------------------------------------------------------------
@@ -366,6 +337,35 @@ test("remapDockerEnv: sets JAIPH_RUNS_DIR even when not in input", () => {
   assert.equal(result.JAIPH_RUNS_DIR, "/jaiph/run");
 });
 
+test("remapDockerEnv: rewrites JAIPH_AGENT_TRUSTED_WORKSPACE from host workspaceRoot to /jaiph/workspace", () => {
+  const result = remapDockerEnv(
+    { JAIPH_AGENT_TRUSTED_WORKSPACE: "/tmp/jaiph-run-abcdef" },
+    "/tmp/jaiph-run-abcdef",
+  );
+  assert.equal(result.JAIPH_AGENT_TRUSTED_WORKSPACE, "/jaiph/workspace");
+});
+
+test("remapDockerEnv: rewrites a workspace subpath in JAIPH_AGENT_TRUSTED_WORKSPACE", () => {
+  const result = remapDockerEnv(
+    { JAIPH_AGENT_TRUSTED_WORKSPACE: "/home/me/project/sub/dir" },
+    "/home/me/project",
+  );
+  assert.equal(result.JAIPH_AGENT_TRUSTED_WORKSPACE, "/jaiph/workspace/sub/dir");
+});
+
+test("remapDockerEnv: leaves JAIPH_AGENT_TRUSTED_WORKSPACE unchanged when outside workspace", () => {
+  const result = remapDockerEnv(
+    { JAIPH_AGENT_TRUSTED_WORKSPACE: "/some/other/abs/path" },
+    "/home/me/project",
+  );
+  assert.equal(result.JAIPH_AGENT_TRUSTED_WORKSPACE, "/some/other/abs/path");
+});
+
+test("remapDockerEnv: omitted workspaceRoot leaves JAIPH_AGENT_TRUSTED_WORKSPACE intact (back-compat)", () => {
+  const result = remapDockerEnv({ JAIPH_AGENT_TRUSTED_WORKSPACE: "/home/me/project" });
+  assert.equal(result.JAIPH_AGENT_TRUSTED_WORKSPACE, "/home/me/project");
+});
+
 test("resolveDockerHostRunsRoot: defaults under workspace", () => {
   assert.equal(resolveDockerHostRunsRoot(TEST_WS, {}), join(TEST_WS, ".jaiph", "runs"));
 });
@@ -412,65 +412,42 @@ test("writeOverlayScript: creates executable script with fuse-overlayfs setup",
     assert.ok(existsSync(scriptPath));
     const content = readFileSync(scriptPath, "utf8");
     assert.ok(content.startsWith("#!/usr/bin/env bash"));
-    assert.ok(content.includes("fuse-overlayfs"));
+    assert.ok(content.includes("fuse-overlayfs -o"));
+    assert.ok(content.includes("lowerdir=$LOWER,upperdir=$UPPER,workdir=$WORK"));
     assert.ok(content.includes('exec "$@"'));
+    assert.ok(content.includes("E_DOCKER_OVERLAY"));
   } finally {
     rmSync(dirname(scriptPath), { recursive: true, force: true });
   }
 });
 
-// ---------------------------------------------------------------------------
-// findRunArtifacts
-// ---------------------------------------------------------------------------
-
-test("findRunArtifacts: discovers run dir and summary file", () => {
-  const tmp = mkdtempSync(join(tmpdir(), "jaiph-test-find-"));
+test("writeOverlayScript: mounts as root and then drops to host uid via setpriv", () => {
+  const scriptPath = writeOverlayScript();
   try {
-    const runDir = join(tmp, "2026-04-17", "09-30-00-test.jh");
-    mkdirSync(runDir, { recursive: true });
-    writeFileSync(join(runDir, "run_summary.jsonl"), "{}");
-    const result = findRunArtifacts(tmp);
-    assert.equal(result.runDir, runDir);
-    assert.equal(result.summaryFile, join(runDir, "run_summary.jsonl"));
+    const content = readFileSync(scriptPath, "utf8");
+    assert.ok(content.includes("JAIPH_HOST_UID"), "host uid contract present");
+    assert.ok(content.includes("JAIPH_HOST_GID"), "host gid contract present");
+    assert.ok(content.includes("setpriv"), "drops privileges via setpriv");
+    assert.ok(content.includes("chown"), "best-effort chown for /jaiph/run");
+    assert.ok(content.includes("allow_other"), "allow_other so dropped uid can use mounted overlay");
   } finally {
-    rmSync(tmp, { recursive: true, force: true });
+    rmSync(dirname(scriptPath), { recursive: true, force: true });
   }
 });
 
-test("findRunArtifacts: returns runDir without summary if missing", () => {
-  const tmp = mkdtempSync(join(tmpdir(), "jaiph-test-find-"));
+test("writeOverlayScript: contains no in-container rsync/cp fallback (host handles it now)", () => {
+  const scriptPath = writeOverlayScript();
   try {
-    const runDir = join(tmp, "2026-04-17", "09-30-00-test.jh");
-    mkdirSync(runDir, { recursive: true });
-    const result = findRunArtifacts(tmp);
-    assert.equal(result.runDir, runDir);
-    assert.equal(result.summaryFile, undefined);
+    const content = readFileSync(scriptPath, "utf8");
+    assert.ok(!content.includes("rsync"), "rsync fallback removed from container script");
+    assert.ok(!content.includes("copy_workspace_with_cp"), "cp fallback removed from container script");
+    assert.ok(!content.includes("rewrite_workspace_path"), "path-rewrite logic removed");
+    assert.ok(!content.includes("RUNTIME_WORKSPACE"), "workspace switch logic removed");
   } finally {
-    rmSync(tmp, { recursive: true, force: true });
+    rmSync(dirname(scriptPath), { recursive: true, force: true });
   }
 });
 
-test("findRunArtifacts: returns empty for non-existent dir", () => {
-  const result = findRunArtifacts("/tmp/jaiph-nonexistent-" + Date.now());
-  assert.equal(result.runDir, undefined);
-  assert.equal(result.summaryFile, undefined);
-});
-
-test("findRunArtifacts: returns latest run when multiple exist", () => {
-  const tmp = mkdtempSync(join(tmpdir(), "jaiph-test-find-"));
-  try {
-    const older = join(tmp, "2026-04-17", "09-30-00-test.jh");
-    const newer = join(tmp, "2026-04-17", "09-31-00-test.jh");
-    mkdirSync(older, { recursive: true });
-    mkdirSync(newer, { recursive: true });
-    writeFileSync(join(newer, "run_summary.jsonl"), "{}");
-    const result = findRunArtifacts(tmp);
-    assert.equal(result.runDir, newer);
-    assert.equal(result.summaryFile, join(newer, "run_summary.jsonl"));
-  } finally {
-    rmSync(tmp, { recursive: true, force: true });
-  }
-});
 
 // ---------------------------------------------------------------------------
 // spawnDockerProcess: stdin must be ignored
@@ -484,6 +461,12 @@ test("spawnDockerProcess: stdin ignored, stdout+stderr piped for events", () =>
   );
 });
 
+test("spawnDockerProcess: Linux overlay mode chmods sandbox run dir for userns-remap compatibility", () => {
+  const src = readFileSync(join(__dirname, "docker.ts"), "utf8");
+  assert.ok(src.includes("mode === \"overlay\""), "guarded to overlay mode");
+  assert.ok(src.includes("chmodSync(opts.sandboxRunDir, 0o777)"), "run dir chmod present");
+});
+
 // ---------------------------------------------------------------------------
 // resolveDockerConfig: imageExplicit
 // ---------------------------------------------------------------------------
@@ -506,37 +489,552 @@ test("resolveDockerConfig: imageExplicit is true when in-file sets image", () =>
 });
 
 // ---------------------------------------------------------------------------
-// resolveImage
+// GHCR_IMAGE_REPO
+// ---------------------------------------------------------------------------
+
+test("GHCR_IMAGE_REPO: points to official registry", () => {
+  assert.equal(GHCR_IMAGE_REPO, "ghcr.io/jaiphlang/jaiph-runtime");
+});
+
+// ---------------------------------------------------------------------------
+// Strict contract: no on-run workspace Dockerfile build, no npm pack bootstrap
+// ---------------------------------------------------------------------------
+
+test("docker.ts: no auto-build or npm-pack bootstrap code", () => {
+  const src = readFileSync(join(__dirname, "docker.ts"), "utf8");
+  assert.ok(!src.includes("npm pack"), "docker.ts must not contain npm pack");
+  assert.ok(!src.includes("npm install -g"), "docker.ts must not contain npm install -g");
+  assert.ok(!src.includes("jaiph-runtime-auto"), "docker.ts must not reference auto-derived image tag");
+  assert.ok(!src.includes("ensureLocalRuntimeImage"), "docker.ts must not contain ensureLocalRuntimeImage");
+  assert.ok(!src.includes("buildRuntimeImageFromLocalPackage"), "docker.ts must not contain buildRuntimeImageFromLocalPackage");
+  assert.ok(
+    /export function resolveImage\(config: DockerRunConfig\): string \{[\s\S]*?return prepareImage\(config\);/.test(
+      src,
+    ),
+    "resolveImage must delegate to prepareImage (no workspace Dockerfile build)",
+  );
+});
+
+test("verifyImageHasJaiph: throws E_DOCKER_NO_JAIPH with guidance for missing jaiph", () => {
+  // Unit-test the error message structure without running Docker.
+  // verifyImageHasJaiph uses imageHasJaiph internally which spawns Docker,
+  // so we test the error message format by checking the source contract.
+  const src = readFileSync(join(__dirname, "docker.ts"), "utf8");
+  assert.ok(src.includes("E_DOCKER_NO_JAIPH"), "verifyImageHasJaiph must use E_DOCKER_NO_JAIPH error code");
+  assert.ok(src.includes(GHCR_IMAGE_REPO), "error message must reference official GHCR image");
+});
+
+// ---------------------------------------------------------------------------
+// validateMountHostPath: dangerous mount rejection
+// ---------------------------------------------------------------------------
+
+test("validateMountHostPath: allows normal workspace path", () => {
+  assert.doesNotThrow(() => validateMountHostPath("/home/user/project"));
+});
+
+test("validateMountHostPath: rejects root filesystem", () => {
+  assert.throws(() => validateMountHostPath("/"), /E_VALIDATE_MOUNT.*root filesystem/);
+});
+
+test("validateMountHostPath: rejects docker socket", () => {
+  assert.throws(() => validateMountHostPath("/var/run/docker.sock"), /E_VALIDATE_MOUNT.*denied/);
+});
+
+test("validateMountHostPath: rejects /proc", () => {
+  assert.throws(() => validateMountHostPath("/proc"), /E_VALIDATE_MOUNT.*denied/);
+});
+
+test("validateMountHostPath: rejects /proc subpath", () => {
+  assert.throws(() => validateMountHostPath("/proc/1/root"), /E_VALIDATE_MOUNT.*denied/);
+});
+
+test("validateMountHostPath: rejects /sys", () => {
+  assert.throws(() => validateMountHostPath("/sys"), /E_VALIDATE_MOUNT.*denied/);
+});
+
+test("validateMountHostPath: rejects /dev", () => {
+  assert.throws(() => validateMountHostPath("/dev"), /E_VALIDATE_MOUNT.*denied/);
+});
+
+test("validateMountHostPath: rejects /run/docker.sock", () => {
+  assert.throws(() => validateMountHostPath("/run/docker.sock"), /E_VALIDATE_MOUNT.*denied/);
+});
+
+// ---------------------------------------------------------------------------
+// isEnvAllowed: env allowlist
+// ---------------------------------------------------------------------------
+
+test("isEnvAllowed: allows JAIPH_ vars", () => {
+  assert.equal(isEnvAllowed("JAIPH_DEBUG"), true);
+});
+
+test("isEnvAllowed: excludes JAIPH_DOCKER_ vars", () => {
+  assert.equal(isEnvAllowed("JAIPH_DOCKER_IMAGE"), false);
+  assert.equal(isEnvAllowed("JAIPH_DOCKER_ENABLED"), false);
+});
+
+test("isEnvAllowed: allows ANTHROPIC_ vars", () => {
+  assert.equal(isEnvAllowed("ANTHROPIC_API_KEY"), true);
+});
+
+test("isEnvAllowed: allows CURSOR_ vars", () => {
+  assert.equal(isEnvAllowed("CURSOR_API_KEY"), true);
+});
+
+test("isEnvAllowed: allows CLAUDE_ vars", () => {
+  assert.equal(isEnvAllowed("CLAUDE_AUTH_TOKEN"), true);
+});
+
+test("isEnvAllowed: rejects SSH_ vars", () => {
+  assert.equal(isEnvAllowed("SSH_AUTH_SOCK"), false);
+});
+
+test("isEnvAllowed: rejects AWS_ vars", () => {
+  assert.equal(isEnvAllowed("AWS_SECRET_ACCESS_KEY"), false);
+});
+
+test("isEnvAllowed: rejects GITHUB_TOKEN", () => {
+  assert.equal(isEnvAllowed("GITHUB_TOKEN"), false);
+});
+
+test("isEnvAllowed: rejects PYPI_TOKEN", () => {
+  assert.equal(isEnvAllowed("PYPI_TOKEN"), false);
+});
+
+test("isEnvAllowed: rejects arbitrary vars", () => {
+  assert.equal(isEnvAllowed("HOME"), false);
+  assert.equal(isEnvAllowed("PATH"), false);
+  assert.equal(isEnvAllowed("GH_TOKEN"), false);
+  assert.equal(isEnvAllowed("CARGO_REGISTRY_TOKEN"), false);
+});
+
+test("buildDockerArgs: only forwards env vars matching allowlist", () => {
+  const opts = defaultOpts({
+    env: {
+      JAIPH_DEBUG: "true",
+      GITHUB_TOKEN: "x",
+      PYPI_TOKEN: "y",
+      SSH_AUTH_SOCK: "/tmp/ssh.sock",
+      AWS_SECRET_ACCESS_KEY: "secret",
+      DOCKER_HOST: "unix:///var/run/docker.sock",
+    },
+  });
+  const args = buildDockerArgs(opts, TEST_OVERLAY);
+  assert.ok(args.includes("JAIPH_DEBUG=true"), "allowed JAIPH_ var forwarded");
+  assert.ok(!args.some((a) => a.includes("GITHUB_TOKEN")), "GITHUB_TOKEN not forwarded");
+  assert.ok(!args.some((a) => a.includes("PYPI_TOKEN")), "PYPI_TOKEN not forwarded");
+  assert.ok(!args.some((a) => a.includes("SSH_AUTH_SOCK")), "SSH_ not forwarded");
+  assert.ok(!args.some((a) => a.includes("AWS_SECRET_ACCESS_KEY")), "AWS_ not forwarded");
+  assert.ok(!args.some((a) => a.includes("DOCKER_HOST")), "DOCKER_ not forwarded");
+});
+
+// ---------------------------------------------------------------------------
+// buildDockerArgs: security flags
 // ---------------------------------------------------------------------------
 
-test("resolveImage: uses Dockerfile when imageExplicit is false and Dockerfile exists", () => {
-  const tmpDir = mkdtempSync(join(tmpdir(), "jaiph-resolve-image-"));
+test("buildDockerArgs: includes --cap-drop ALL and --security-opt no-new-privileges", () => {
+  const args = buildDockerArgs(defaultOpts(), TEST_OVERLAY);
+  const capDropIdx = args.indexOf("--cap-drop");
+  assert.ok(capDropIdx >= 0, "--cap-drop present");
+  assert.equal(args[capDropIdx + 1], "ALL");
+  const secOptIdx = args.indexOf("--security-opt");
+  assert.ok(secOptIdx >= 0, "--security-opt present");
+  assert.equal(args[secOptIdx + 1], "no-new-privileges");
+});
+
+test("buildDockerArgs: overlay mode adds SYS_ADMIN + SETUID + SETGID + CHOWN + DAC_READ_SEARCH", () => {
+  const args = buildDockerArgs(defaultOpts(), TEST_OVERLAY);
+  const capAddValues = args
+    .map((v, i) => (v === "--cap-add" ? args[i + 1] : null))
+    .filter((v): v is string => v !== null);
+  assert.ok(capAddValues.includes("SYS_ADMIN"), "SYS_ADMIN present");
+  assert.ok(capAddValues.includes("SETUID"), "SETUID present");
+  assert.ok(capAddValues.includes("SETGID"), "SETGID present");
+  assert.ok(capAddValues.includes("CHOWN"), "CHOWN present");
+  assert.ok(
+    capAddValues.includes("DAC_READ_SEARCH"),
+    "DAC_READ_SEARCH present so fuse-overlayfs can read host files with restrictive perms",
+  );
+});
+
+test("buildDockerArgs: copy mode adds no caps", () => {
+  const cloneDir = mkdtempSync(join(tmpdir(), "jaiph-test-clone-"));
+  try {
+    const args = buildDockerArgs(copyOpts(cloneDir));
+    const capAddValues = args
+      .map((v, i) => (v === "--cap-add" ? args[i + 1] : null))
+      .filter((v): v is string => v !== null);
+    assert.deepStrictEqual(capAddValues, [], "copy mode runs with no added capabilities");
+  } finally {
+    rmSync(cloneDir, { recursive: true, force: true });
+  }
+});
+
+test("buildDockerArgs: overlay mode adds --security-opt apparmor=unconfined on Linux to allow fuse mounts", () => {
+  if (process.platform !== "linux") return;
+  const args = buildDockerArgs(defaultOpts(), TEST_OVERLAY);
+  const secOptIndices = args
+    .map((v, i) => (v === "--security-opt" ? i : -1))
+    .filter((i) => i >= 0);
+  const values = secOptIndices.map((i) => args[i + 1]);
+  assert.ok(values.includes("apparmor=unconfined"), "apparmor=unconfined present in overlay mode");
+});
+
+test("buildDockerArgs: copy mode does not add --security-opt apparmor=unconfined", () => {
+  const cloneDir = mkdtempSync(join(tmpdir(), "jaiph-test-clone-"));
+  try {
+    const args = buildDockerArgs(copyOpts(cloneDir));
+    const secOptIndices = args
+      .map((v, i) => (v === "--security-opt" ? i : -1))
+      .filter((i) => i >= 0);
+    const values = secOptIndices.map((i) => args[i + 1]);
+    assert.ok(!values.includes("apparmor=unconfined"), "no apparmor flag needed in copy mode");
+  } finally {
+    rmSync(cloneDir, { recursive: true, force: true });
+  }
+});
+
+// ---------------------------------------------------------------------------
+// buildDockerArgs: copy-mode sandbox (host pre-clones workspace, mounts rw)
+// ---------------------------------------------------------------------------
+
+test("buildDockerArgs: copy mode mounts cloned workspace rw at /jaiph/workspace and skips overlay/fuse/SYS_ADMIN", () => {
+  const cloneDir = mkdtempSync(join(tmpdir(), "jaiph-test-clone-"));
+  try {
+    const args = buildDockerArgs(copyOpts(cloneDir));
+    const vFlags = args.filter((_, i) => i > 0 && args[i - 1] === "-v");
+
+    const wsMount = vFlags.find((v) => v.endsWith(":/jaiph/workspace:rw"));
+    assert.ok(wsMount, "workspace bound rw at /jaiph/workspace");
+    assert.ok(wsMount!.startsWith(`${cloneDir}:`), "host side is the cloned workspace");
+    assert.ok(!vFlags.some((v) => v.includes("/jaiph/workspace-ro")), "no overlay lower-layer mount in copy mode");
+    assert.ok(!vFlags.some((v) => v.includes("/jaiph/overlay-run.sh")), "no overlay script mount in copy mode");
+
+    assert.ok(!args.includes("/dev/fuse"), "no fuse device in copy mode");
+    assert.ok(!args.includes("SYS_ADMIN"), "no SYS_ADMIN cap in copy mode");
+
+    assert.ok(args.includes("--cap-drop"));
+    assert.ok(args.includes("ALL"));
+    assert.ok(args.includes("--security-opt"));
+    assert.ok(args.includes("no-new-privileges"));
+
+    const idxImage = args.indexOf("ubuntu:24.04");
+    const tail = args.slice(idxImage + 1);
+    assert.equal(tail[0], "jaiph", "no overlay-run.sh wrapper in copy mode");
+    assert.equal(tail[1], "run");
+    assert.equal(tail[2], "--raw");
+    assert.equal(tail[3], "/jaiph/workspace/main.jh");
+  } finally {
+    rmSync(cloneDir, { recursive: true, force: true });
+  }
+});
+
+test("buildDockerArgs: copy mode binds run dir rw at /jaiph/run", () => {
+  const cloneDir = mkdtempSync(join(tmpdir(), "jaiph-test-clone-"));
+  try {
+    const args = buildDockerArgs(copyOpts(cloneDir));
+    const vFlags = args.filter((_, i) => i > 0 && args[i - 1] === "-v");
+    const runMount = vFlags.find((v) => v.endsWith(":/jaiph/run:rw"));
+    assert.ok(runMount, "run dir bound rw at /jaiph/run");
+  } finally {
+    rmSync(cloneDir, { recursive: true, force: true });
+  }
+});
+
+test("buildDockerArgs: throws when overlay mode is selected without script path", () => {
+  assert.throws(() => buildDockerArgs(defaultOpts({ sandboxMode: "overlay" })), /overlay mode requires/);
+});
+
+// ---------------------------------------------------------------------------
+// buildDockerArgs: UID/GID handling (Linux only)
+// ---------------------------------------------------------------------------
+
+test("buildDockerArgs: overlay mode runs as root and injects JAIPH_HOST_UID/GID (Linux)", () => {
+  if (process.platform !== "linux") return;
+  const args = buildDockerArgs(defaultOpts(), TEST_OVERLAY);
+  const userIdx = args.indexOf("--user");
+  assert.ok(userIdx >= 0, "--user flag present");
+  assert.equal(args[userIdx + 1], "0:0", "overlay starts as root so fuse-overlayfs can mount /jaiph/workspace");
+
+  const envFlags = args
+    .map((v, i) => (v === "-e" ? args[i + 1] : null))
+    .filter((v): v is string => v !== null);
+  assert.ok(envFlags.some((v) => v.startsWith("JAIPH_HOST_UID=")), "JAIPH_HOST_UID env present");
+  assert.ok(envFlags.some((v) => v.startsWith("JAIPH_HOST_GID=")), "JAIPH_HOST_GID env present");
+});
+
+test("buildDockerArgs: copy mode runs as host UID:GID directly (Linux)", () => {
+  if (process.platform !== "linux") return;
+  const cloneDir = mkdtempSync(join(tmpdir(), "jaiph-test-clone-"));
+  try {
+    const args = buildDockerArgs(copyOpts(cloneDir));
+    const userIdx = args.indexOf("--user");
+    assert.ok(userIdx >= 0, "--user flag present");
+    assert.notEqual(args[userIdx + 1], "0:0", "copy mode runs as host UID, not root");
+    assert.match(args[userIdx + 1], /^\d+:\d+$/, "copy mode --user is uid:gid");
+
+    const envFlags = args
+      .map((v, i) => (v === "-e" ? args[i + 1] : null))
+      .filter((v): v is string => v !== null);
+    assert.ok(!envFlags.some((v) => v.startsWith("JAIPH_HOST_UID=")), "no JAIPH_HOST_UID env in copy mode");
+    assert.ok(!envFlags.some((v) => v.startsWith("JAIPH_HOST_GID=")), "no JAIPH_HOST_GID env in copy mode");
+  } finally {
+    rmSync(cloneDir, { recursive: true, force: true });
+  }
+});
+
+test("buildDockerArgs: throws E_DOCKER_UID on Linux when UID/GID detection fails (copy mode)", (t) => {
+  const origPlatform = Object.getOwnPropertyDescriptor(process, "platform");
+  Object.defineProperty(process, "platform", { value: "linux", configurable: true });
+  const origGetHostUidGid = _uidDetect.getHostUidGid;
+  _uidDetect.getHostUidGid = () => undefined;
+  try {
+    const cloneDir = mkdtempSync(join(tmpdir(), "jaiph-test-uid-"));
+    try {
+      assert.throws(
+        () => buildDockerArgs(copyOpts(cloneDir)),
+        /E_DOCKER_UID/,
+      );
+    } finally {
+      rmSync(cloneDir, { recursive: true, force: true });
+    }
+  } finally {
+    _uidDetect.getHostUidGid = origGetHostUidGid;
+    if (origPlatform) Object.defineProperty(process, "platform", origPlatform);
+    else Object.defineProperty(process, "platform", { value: process.platform, configurable: true });
+  }
+});
+
+test("buildDockerArgs: throws E_DOCKER_UID on Linux when UID/GID detection fails (overlay mode)", () => {
+  const origPlatform = Object.getOwnPropertyDescriptor(process, "platform");
+  Object.defineProperty(process, "platform", { value: "linux", configurable: true });
+  const origGetHostUidGid = _uidDetect.getHostUidGid;
+  _uidDetect.getHostUidGid = () => undefined;
   try {
-    mkdirSync(join(tmpDir, ".jaiph"), { recursive: true });
-    writeFileSync(join(tmpDir, ".jaiph", "Dockerfile"), "FROM ubuntu:latest\n");
-    const dockerfilePath = join(tmpDir, ".jaiph", "Dockerfile");
-    assert.ok(existsSync(dockerfilePath));
+    assert.throws(
+      () => buildDockerArgs(defaultOpts(), TEST_OVERLAY),
+      /E_DOCKER_UID/,
+    );
   } finally {
-    rmSync(tmpDir, { recursive: true, force: true });
+    _uidDetect.getHostUidGid = origGetHostUidGid;
+    if (origPlatform) Object.defineProperty(process, "platform", origPlatform);
+    else Object.defineProperty(process, "platform", { value: process.platform, configurable: true });
   }
 });
 
-test("resolveImage: skips Dockerfile when imageExplicit is true", () => {
-  const tmpDir = mkdtempSync(join(tmpdir(), "jaiph-resolve-image-"));
+test("buildDockerArgs: does not throw E_DOCKER_UID on macOS even without UID detection", () => {
+  const origPlatform = Object.getOwnPropertyDescriptor(process, "platform");
+  Object.defineProperty(process, "platform", { value: "darwin", configurable: true });
+  const origGetHostUidGid = _uidDetect.getHostUidGid;
+  _uidDetect.getHostUidGid = () => undefined;
+  try {
+    // Should not throw — macOS skips UID handling entirely
+    assert.doesNotThrow(() => buildDockerArgs(defaultOpts(), TEST_OVERLAY));
+  } finally {
+    _uidDetect.getHostUidGid = origGetHostUidGid;
+    if (origPlatform) Object.defineProperty(process, "platform", origPlatform);
+    else Object.defineProperty(process, "platform", { value: process.platform, configurable: true });
+  }
+});
+
+test("buildDockerArgs: throws when copy mode is selected without sandboxWorkspaceDir", () => {
+  assert.throws(
+    () => buildDockerArgs(defaultOpts({ sandboxMode: "copy", sandboxWorkspaceDir: undefined })),
+    /copy mode requires sandboxWorkspaceDir/,
+  );
+});
+
+// ---------------------------------------------------------------------------
+// selectSandboxMode
+// ---------------------------------------------------------------------------
+
+test("selectSandboxMode: JAIPH_DOCKER_NO_OVERLAY=1 forces copy", () => {
+  assert.equal(selectSandboxMode({ JAIPH_DOCKER_NO_OVERLAY: "1" }), "copy");
+  assert.equal(selectSandboxMode({ JAIPH_DOCKER_NO_OVERLAY: "true" }), "copy");
+});
+
+test("selectSandboxMode: returns overlay iff /dev/fuse exists on host (platform-correlated)", () => {
+  const expected = existsSync("/dev/fuse") ? "overlay" : "copy";
+  assert.equal(selectSandboxMode({}), expected);
+});
+
+// ---------------------------------------------------------------------------
+// cloneWorkspaceForSandbox + allocateSandboxWorkspaceDir
+// ---------------------------------------------------------------------------
+
+test("cloneWorkspaceForSandbox: copies entries and excludes .jaiph/runs", () => {
+  const src = mkdtempSync(join(tmpdir(), "jaiph-clone-src-"));
+  const dst = mkdtempSync(join(tmpdir(), "jaiph-clone-dst-"));
+  try {
+    writeFileSync(join(src, "file.txt"), "hello");
+    mkdirSync(join(src, "subdir"), { recursive: true });
+    writeFileSync(join(src, "subdir", "nested.txt"), "nested");
+    mkdirSync(join(src, ".jaiph"), { recursive: true });
+    writeFileSync(join(src, ".jaiph", "engineer.jh"), "wf");
+    mkdirSync(join(src, ".jaiph", "runs", "2026-01-01"), { recursive: true });
+    writeFileSync(join(src, ".jaiph", "runs", "2026-01-01", "log.txt"), "PII");
+
+    cloneWorkspaceForSandbox(src, dst);
+
+    assert.equal(readFileSync(join(dst, "file.txt"), "utf8"), "hello");
+    assert.equal(readFileSync(join(dst, "subdir", "nested.txt"), "utf8"), "nested");
+    assert.equal(readFileSync(join(dst, ".jaiph", "engineer.jh"), "utf8"), "wf");
+    assert.ok(!existsSync(join(dst, ".jaiph", "runs")), ".jaiph/runs must NOT be copied");
+  } finally {
+    rmSync(src, { recursive: true, force: true });
+    rmSync(dst, { recursive: true, force: true });
+  }
+});
+
+test("cloneWorkspaceForSandbox: produces independent file inodes (writes do not leak to source)", () => {
+  // Guards against the broken cp-rl/hardlink design we explicitly avoided.
+  const src = mkdtempSync(join(tmpdir(), "jaiph-clone-src-"));
+  const dst = mkdtempSync(join(tmpdir(), "jaiph-clone-dst-"));
+  try {
+    writeFileSync(join(src, "leak-check.txt"), "original");
+    cloneWorkspaceForSandbox(src, dst);
+    writeFileSync(join(dst, "leak-check.txt"), "mutated-by-container");
+    assert.equal(
+      readFileSync(join(src, "leak-check.txt"), "utf8"),
+      "original",
+      "host file must not be mutated by writes inside the cloned workspace",
+    );
+  } finally {
+    rmSync(src, { recursive: true, force: true });
+    rmSync(dst, { recursive: true, force: true });
+  }
+});
+
+test("cloneWorkspaceForSandbox: empty workspace produces empty clone", () => {
+  const src = mkdtempSync(join(tmpdir(), "jaiph-clone-src-"));
+  const dst = mkdtempSync(join(tmpdir(), "jaiph-clone-dst-"));
+  try {
+    cloneWorkspaceForSandbox(src, dst);
+    assert.deepStrictEqual(readdirSync(dst), []);
+  } finally {
+    rmSync(src, { recursive: true, force: true });
+    rmSync(dst, { recursive: true, force: true });
+  }
+});
+
+test("allocateSandboxWorkspaceDir: creates a fresh .sandbox-* dir under the runs root", () => {
+  const runsRoot = mkdtempSync(join(tmpdir(), "jaiph-runs-"));
+  try {
+    const a = allocateSandboxWorkspaceDir(runsRoot);
+    const b = allocateSandboxWorkspaceDir(runsRoot);
+    assert.notEqual(a, b);
+    assert.ok(a.startsWith(join(runsRoot, ".sandbox-")));
+    assert.ok(b.startsWith(join(runsRoot, ".sandbox-")));
+    assert.ok(existsSync(a) && existsSync(b));
+  } finally {
+    rmSync(runsRoot, { recursive: true, force: true });
+  }
+});
+
+// ---------------------------------------------------------------------------
+// pullImageIfNeeded: shell metacharacter safety (execFileSync migration)
+// ---------------------------------------------------------------------------
+
+// ---------------------------------------------------------------------------
+// prepareImage: structured status output
+// ---------------------------------------------------------------------------
+
+test("prepareImage: writes pulling/pulled status to stderr on cold pull", () => {
+  const captured: string[][] = [];
+  const stderrWrites: string[] = [];
+  const original = _dockerExec.run;
+  const origWrite = process.stderr.write;
+  _dockerExec.run = (args: string[], _opts: object) => {
+    captured.push([...args]);
+    if (args[0] === "image" && args[1] === "inspect") throw new Error("not found");
+    if (args[0] === "pull") return; // pull succeeds
+    if (args[0] === "run") return; // imageHasJaiph check
+  };
+  process.stderr.write = ((chunk: string | Uint8Array) => {
+    stderrWrites.push(String(chunk));
+    return true;
+  }) as typeof process.stderr.write;
   try {
-    mkdirSync(join(tmpDir, ".jaiph"), { recursive: true });
-    writeFileSync(join(tmpDir, ".jaiph", "Dockerfile"), "FROM ubuntu:latest\n");
     const config: DockerRunConfig = {
       enabled: true,
-      image: "custom:image",
-      imageExplicit: true,
+      image: "test:latest",
+      imageExplicit: false,
       network: "default",
-      timeout: 300,
-      mounts: [{ hostPath: ".", containerPath: "/jaiph/workspace", mode: "rw" }],
+      timeoutSeconds: 300,
     };
-    assert.ok(existsSync(join(tmpDir, ".jaiph", "Dockerfile")));
-    assert.equal(config.imageExplicit, true);
+    prepareImage(config);
+    assert.ok(stderrWrites.some((s) => s.includes("pulling image test:latest")), "status line before pull");
+    assert.ok(stderrWrites.some((s) => s.includes("pulled")), "status line after pull");
+    assert.ok(captured.some((a) => a[0] === "pull" && a.includes("--quiet")), "pull uses --quiet");
   } finally {
-    rmSync(tmpDir, { recursive: true, force: true });
+    _dockerExec.run = original;
+    process.stderr.write = origWrite;
   }
 });
+
+test("prepareImage: no status output when image is already local", () => {
+  const stderrWrites: string[] = [];
+  const original = _dockerExec.run;
+  const origWrite = process.stderr.write;
+  _dockerExec.run = (args: string[], _opts: object) => {
+    if (args[0] === "image" && args[1] === "inspect") return; // image exists
+    if (args[0] === "run") return; // imageHasJaiph check
+  };
+  process.stderr.write = ((chunk: string | Uint8Array) => {
+    stderrWrites.push(String(chunk));
+    return true;
+  }) as typeof process.stderr.write;
+  try {
+    const config: DockerRunConfig = {
+      enabled: true,
+      image: "test:latest",
+      imageExplicit: false,
+      network: "default",
+      timeoutSeconds: 300,
+    };
+    prepareImage(config);
+    assert.ok(!stderrWrites.some((s) => s.includes("pulling")), "no pull status when image is local");
+  } finally {
+    _dockerExec.run = original;
+    process.stderr.write = origWrite;
+  }
+});
+
+// ---------------------------------------------------------------------------
+// pullImageIfNeeded: shell metacharacter safety (execFileSync migration)
+// ---------------------------------------------------------------------------
+
+test("pullImageIfNeeded: image with semicolon is passed verbatim, no shell expansion", () => {
+  const captured: string[][] = [];
+  const original = _dockerExec.run;
+  _dockerExec.run = (args: string[], _opts: object) => {
+    captured.push([...args]);
+    // Simulate "image inspect" succeeding (image already present)
+  };
+  try {
+    pullImageIfNeeded("alpine; echo pwned");
+    assert.equal(captured.length, 1, "exactly one docker call (image inspect)");
+    assert.deepStrictEqual(captured[0], ["image", "inspect", "alpine; echo pwned"]);
+  } finally {
+    _dockerExec.run = original;
+  }
+});
+
+test("pullImageIfNeeded: semicolon image passed verbatim to docker pull on inspect failure", () => {
+  const captured: string[][] = [];
+  const original = _dockerExec.run;
+  _dockerExec.run = (args: string[], _opts: object) => {
+    captured.push([...args]);
+    if (args[0] === "image") throw new Error("not found");
+    // docker pull succeeds
+  };
+  try {
+    pullImageIfNeeded("alpine; echo pwned");
+    assert.equal(captured.length, 2, "inspect + pull");
+    assert.deepStrictEqual(captured[0], ["image", "inspect", "alpine; echo pwned"]);
+    assert.deepStrictEqual(captured[1], ["pull", "--quiet", "alpine; echo pwned"]);
+  } finally {
+    _dockerExec.run = original;
+  }
+});
+
diff --git a/src/runtime/docker.ts b/src/runtime/docker.ts
index be76a754..723d2287 100644
--- a/src/runtime/docker.ts
+++ b/src/runtime/docker.ts
@@ -1,17 +1,10 @@
-import { execFileSync, execSync, spawn, ChildProcess } from "node:child_process";
-import { createHash } from "node:crypto";
-import { existsSync, mkdirSync, mkdtempSync, readdirSync, rmSync, statSync, writeFileSync } from "node:fs";
+import { execFileSync, spawn, spawnSync, ChildProcess } from "node:child_process";
+import { chmodSync, existsSync, mkdirSync, mkdtempSync, readFileSync, readdirSync, rmSync, writeFileSync } from "node:fs";
+import { randomBytes } from "node:crypto";
 import { tmpdir } from "node:os";
 import { join, resolve, dirname, relative } from "node:path";
 import type { RuntimeConfig } from "../types";
 
-/** Parsed mount specification. */
-export interface MountSpec {
-  hostPath: string;
-  containerPath: string;
-  mode: "ro" | "rw";
-}
-
 /** Resolved Docker runtime config with defaults applied and env overrides merged. */
 export interface DockerRunConfig {
   enabled: boolean;
@@ -19,61 +12,39 @@ export interface DockerRunConfig {
   /** True when image was explicitly set via env or in-file config (not the default). */
   imageExplicit: boolean;
   network: string;
-  timeout: number;
-  mounts: MountSpec[];
+  timeoutSeconds: number;
 }
 
-// ---------------------------------------------------------------------------
-// Mount parsing
-// ---------------------------------------------------------------------------
-
 /**
- * Parse a single mount string.
- * - 3 segments: `"host:container:mode"`
- * - 2 segments: `"host:mode"` → mounts at `/jaiph/workspace/<host>`
- * - 1 segment → error
+ * Host paths that must never be bind-mounted into a container.
+ * Prevents accidental exposure of the Docker daemon, OS internals, or
+ * the entire root filesystem.
  */
-export function parseMount(spec: string): MountSpec {
-  const parts = spec.split(":");
-  if (parts.length === 3) {
-    const [hostPath, containerPath, mode] = parts;
-    if (mode !== "ro" && mode !== "rw") {
-      throw new Error(`E_PARSE mount mode must be "ro" or "rw", got "${mode}" in "${spec}"`);
-    }
-    return { hostPath, containerPath, mode };
-  }
-  if (parts.length === 2) {
-    const [hostPath, mode] = parts;
-    if (mode !== "ro" && mode !== "rw") {
-      throw new Error(`E_PARSE mount mode must be "ro" or "rw", got "${mode}" in "${spec}"`);
-    }
-    return { hostPath, containerPath: `/jaiph/workspace/${hostPath}`, mode };
-  }
-  throw new Error(`E_PARSE mount spec must have 2 or 3 colon-separated segments, got "${spec}"`);
-}
+const DENIED_HOST_PATHS = [
+  "/var/run/docker.sock",
+  "/run/docker.sock",
+  "/proc",
+  "/sys",
+  "/dev",
+] as const;
 
 /**
- * Parse and validate all mount specs.
- * Enforces: exactly one mount must target `/jaiph/workspace`.
+ * Validate a single mount's host path against the denylist.
+ * Rejects exact matches and child paths (e.g. `/proc/1/root`).
  */
-export function parseMounts(specs: string[]): MountSpec[] {
-  const mounts = specs.map(parseMount);
-  validateMounts(mounts);
-  return mounts;
-}
-
-/**
- * Validate mount list: exactly one mount must target `/jaiph/workspace`.
- */
-export function validateMounts(mounts: MountSpec[]): void {
-  const workspaceMounts = mounts.filter(
-    (m) => m.containerPath === "/jaiph/workspace" || m.containerPath.replace(/\/+$/, "") === "/jaiph/workspace",
-  );
-  if (workspaceMounts.length === 0) {
-    throw new Error("E_VALIDATE exactly one mount must target /jaiph/workspace");
+export function validateMountHostPath(hostAbsPath: string): void {
+  const normalized = hostAbsPath.replace(/\/+$/, "");
+  if (normalized === "" || normalized === "/") {
+    throw new Error(
+      `E_VALIDATE_MOUNT refusing to mount the host root filesystem ("/") into the container`,
+    );
   }
-  if (workspaceMounts.length > 1) {
-    throw new Error("E_VALIDATE exactly one mount must target /jaiph/workspace, found multiple");
+  for (const denied of DENIED_HOST_PATHS) {
+    if (normalized === denied || normalized.startsWith(denied + "/")) {
+      throw new Error(
+        `E_VALIDATE_MOUNT refusing to mount denied host path "${hostAbsPath}" into the container`,
+      );
+    }
   }
 }
 
@@ -81,33 +52,51 @@ export function validateMounts(mounts: MountSpec[]): void {
 // Config resolution (env > in-file > defaults)
 // ---------------------------------------------------------------------------
 
+/** Read the package version to derive the default GHCR image tag. */
+function resolveDefaultImageTag(): string {
+  try {
+    const pkgPath = resolve(__dirname, "..", "..", "..", "package.json");
+    const pkg = JSON.parse(readFileSync(pkgPath, "utf8"));
+    if (pkg.version && typeof pkg.version === "string") {
+      return pkg.version;
+    }
+  } catch {
+    // Fall through to nightly.
+  }
+  return "nightly";
+}
+
+export const GHCR_IMAGE_REPO = "ghcr.io/jaiphlang/jaiph-runtime";
+
 const DEFAULTS: DockerRunConfig = {
   enabled: false,
-  /** Node + bash; required for JS kernel (run-step-exec) inside the container. */
-  image: "node:20-bookworm",
+  image: `${GHCR_IMAGE_REPO}:${resolveDefaultImageTag()}`,
   imageExplicit: false,
   network: "default",
-  timeout: 300,
-  mounts: [{ hostPath: ".", containerPath: "/jaiph/workspace", mode: "rw" }],
+  timeoutSeconds: 3600,
 };
 
 /**
  * Resolve effective Docker config.
- * Precedence: env vars (`JAIPH_DOCKER_*`) > in-file RuntimeConfig > defaults.
- * Docker is disabled by default; opt in via config or env.
+ * Precedence: env vars (`JAIPH_DOCKER_*`) > unsafe default rule.
+ *
+ * Default rule (when no explicit `JAIPH_DOCKER_ENABLED` is set):
+ *  - `JAIPH_UNSAFE=true` → Docker off (explicit "run on host" escape hatch)
+ *  - Otherwise → Docker on (including in CI; CI=true alone no longer disables Docker)
  */
 export function resolveDockerConfig(
   inFile: RuntimeConfig | undefined,
   env: Record<string, string | undefined>,
 ): DockerRunConfig {
-  // enabled: env > in-file > default (false)
+  // enabled: env JAIPH_DOCKER_ENABLED > unsafe default rule
   let enabled: boolean;
   if (env.JAIPH_DOCKER_ENABLED !== undefined) {
     enabled = env.JAIPH_DOCKER_ENABLED === "true";
-  } else if (inFile?.dockerEnabled !== undefined) {
-    enabled = inFile.dockerEnabled;
   } else {
-    enabled = DEFAULTS.enabled;
+    // Default: Docker on unless the user explicitly opts out via JAIPH_UNSAFE.
+    // CI=true is intentionally not consulted — CI runs (incl. landing-page e2e
+    // and docs sample tests) should exercise the same sandbox path users do.
+    enabled = env.JAIPH_UNSAFE !== "true";
   }
 
   // image: env > in-file > default
@@ -124,32 +113,69 @@ export function resolveDockerConfig(
     DEFAULTS.network;
 
   // timeout: env > in-file > default
-  let timeout: number;
+  let timeoutSeconds: number;
   if (env.JAIPH_DOCKER_TIMEOUT !== undefined) {
-    timeout = parseInt(env.JAIPH_DOCKER_TIMEOUT, 10);
-    if (isNaN(timeout)) timeout = DEFAULTS.timeout;
+    const raw = env.JAIPH_DOCKER_TIMEOUT;
+    if (!/^\d+$/.test(raw)) {
+      throw new Error(
+        `E_DOCKER_TIMEOUT JAIPH_DOCKER_TIMEOUT must be a non-negative integer (or 0 to disable), got "${raw}"`,
+      );
+    }
+    timeoutSeconds = parseInt(raw, 10);
   } else {
-    timeout = inFile?.dockerTimeout ?? DEFAULTS.timeout;
+    timeoutSeconds = inFile?.dockerTimeoutSeconds ?? DEFAULTS.timeoutSeconds;
+    if (timeoutSeconds < 0) {
+      throw new Error(
+        `E_DOCKER_TIMEOUT runtime.docker_timeout_seconds must be a non-negative integer (or 0 to disable), got "${timeoutSeconds}"`,
+      );
+    }
   }
 
-  // workspace mounts: in-file > default (not overridable via env)
-  const mountSpecs = inFile?.workspace ?? DEFAULTS.mounts.map((m) => `${m.hostPath}:${m.containerPath}:${m.mode}`);
-  const mounts = typeof mountSpecs[0] === "string"
-    ? parseMounts(mountSpecs as string[])
-    : (mountSpecs as unknown as MountSpec[]);
-
-  return { enabled, image, imageExplicit, network, timeout, mounts };
+  return { enabled, image, imageExplicit, network, timeoutSeconds };
 }
 
+// ---------------------------------------------------------------------------
+// Internal test seam — allows tests to intercept docker calls without DI.
+// ---------------------------------------------------------------------------
+
+export const _dockerExec = {
+  run(args: string[], opts: object): void {
+    execFileSync("docker", args, opts as any);
+  },
+};
+
+/** Test seam for host UID/GID detection — allows tests to simulate detection failure. */
+export const _uidDetect = {
+  getHostUidGid(): { uid: string; gid: string } | undefined {
+    let uid: string | undefined;
+    let gid: string | undefined;
+    try {
+      if (typeof process.getuid === "function") uid = String(process.getuid());
+      if (typeof process.getgid === "function") gid = String(process.getgid());
+    } catch {
+      // Fall through to shell fallback below.
+    }
+    if (!uid || !gid) {
+      try {
+        uid = execFileSync("id", ["-u"], { encoding: "utf8" }).trim();
+        gid = execFileSync("id", ["-g"], { encoding: "utf8" }).trim();
+      } catch {
+        // Both detection paths failed.
+      }
+    }
+    return uid && gid ? { uid, gid } : undefined;
+  },
+};
+
 // ---------------------------------------------------------------------------
 // Docker availability
 // ---------------------------------------------------------------------------
 
 export function checkDockerAvailable(): void {
   try {
-    execSync("docker info", { stdio: "ignore", timeout: 10_000 });
+    _dockerExec.run(["info"], { stdio: "ignore", timeout: 10_000 });
   } catch {
-    throw new Error("E_DOCKER_NOT_FOUND docker is not available. Install Docker and ensure the daemon is running.");
+    throw new Error("E_DOCKER_NOT_FOUND docker is not available. Install Docker and ensure the daemon is running, or set JAIPH_UNSAFE=true to run on the host (no sandbox).");
   }
 }
 
@@ -159,61 +185,20 @@ export function checkDockerAvailable(): void {
 
 export function pullImageIfNeeded(image: string): void {
   try {
-    execSync(`docker image inspect ${image}`, { stdio: "ignore", timeout: 30_000 });
+    _dockerExec.run(["image", "inspect", image], { stdio: "ignore", timeout: 30_000 });
   } catch {
-    // Image not present locally — pull it
+    // Image not present locally — pull it (--quiet suppresses layer progress)
     try {
-      execSync(`docker pull ${image}`, { stdio: "inherit", timeout: 300_000 });
+      _dockerExec.run(["pull", "--quiet", image], { stdio: "ignore", timeout: 300_000 });
     } catch {
       throw new Error(`E_DOCKER_PULL failed to pull image "${image}"`);
     }
   }
 }
 
-// ---------------------------------------------------------------------------
-// Dockerfile-based image build
-// ---------------------------------------------------------------------------
-
-const DOCKERFILE_IMAGE_TAG = "jaiph-runtime:latest";
-const AUTO_RUNTIME_IMAGE_REPO = "jaiph-runtime-auto";
-
-/**
- * Build a Docker image from a Dockerfile and tag it.
- * Throws on build failure.
- */
-export function buildImageFromDockerfile(dockerfilePath: string, tag: string = DOCKERFILE_IMAGE_TAG): string {
-  const contextDir = dirname(dockerfilePath);
-  try {
-    execSync(`docker build -t ${tag} -f ${dockerfilePath} ${contextDir}`, {
-      stdio: "inherit",
-      timeout: 600_000,
-    });
-  } catch {
-    throw new Error(`E_DOCKER_BUILD failed to build image from "${dockerfilePath}"`);
-  }
-  return tag;
-}
-
-function installedPackageRoot(): string {
-  return resolve(__dirname, "..", "..", "..");
-}
-
-function autoRuntimeImageTag(baseImage: string, packageRoot: string): string {
-  const packageJsonPath = join(packageRoot, "package.json");
-  const cliPath = join(packageRoot, "dist", "src", "cli.js");
-  const packageStamp = existsSync(packageJsonPath) ? statSync(packageJsonPath).mtimeMs : 0;
-  const cliStamp = existsSync(cliPath) ? statSync(cliPath).mtimeMs : 0;
-  const digest = createHash("sha256")
-    .update(`${baseImage}|${resolve(packageRoot)}|${packageStamp}|${cliStamp}`)
-    .digest("hex")
-    .slice(0, 12);
-  return `${AUTO_RUNTIME_IMAGE_REPO}:${digest}`;
-}
-
 function imageHasJaiph(image: string): boolean {
   try {
-    execFileSync(
-      "docker",
+    _dockerExec.run(
       ["run", "--rm", "--entrypoint", "sh", image, "-lc", "command -v jaiph >/dev/null 2>&1"],
       { stdio: "ignore", timeout: 30_000 },
     );
@@ -223,88 +208,77 @@ function imageHasJaiph(image: string): boolean {
   }
 }
 
-function buildRuntimeImageFromLocalPackage(baseImage: string, packageRoot: string, tag: string): string {
-  const contextDir = mkdtempSync(join(tmpdir(), "jaiph-runtime-image-"));
-  try {
-    const tarballName = execFileSync(
-      "npm",
-      ["pack", packageRoot, "--silent", "--pack-destination", contextDir],
-      { cwd: packageRoot, encoding: "utf8", timeout: 300_000 },
-    ).trim().split(/\r?\n/).pop()?.trim();
-    if (!tarballName) {
-      throw new Error("npm pack produced no tarball");
-    }
-    writeFileSync(
-      join(contextDir, "Dockerfile"),
-      [
-        `FROM ${baseImage}`,
-        `COPY ${tarballName} /tmp/${tarballName}`,
-        `RUN npm install -g /tmp/${tarballName} && rm -f /tmp/${tarballName}`,
-        "",
-      ].join("\n"),
+/**
+ * Verify that the selected Docker image contains `jaiph`.
+ * Fails fast with an actionable error when the binary is missing.
+ */
+export function verifyImageHasJaiph(image: string): void {
+  if (!imageHasJaiph(image)) {
+    throw new Error(
+      `E_DOCKER_NO_JAIPH the Docker image "${image}" does not contain a jaiph CLI. ` +
+      `Use the official runtime image (${GHCR_IMAGE_REPO}:<version>) or install jaiph ` +
+      `in your custom image. See https://jaiph.org/sandboxing for details.`,
     );
-    execFileSync("docker", ["build", "-t", tag, contextDir], {
-      stdio: "inherit",
-      timeout: 600_000,
-    });
-    return tag;
-  } catch {
-    throw new Error(`E_DOCKER_BUILD failed to build runtime image from base "${baseImage}"`);
-  } finally {
-    rmSync(contextDir, { recursive: true, force: true });
   }
 }
 
-function ensureImageHasJaiph(baseImage: string): string {
-  pullImageIfNeeded(baseImage);
-  if (imageHasJaiph(baseImage)) {
-    return baseImage;
-  }
-  const packageRoot = installedPackageRoot();
-  const tag = autoRuntimeImageTag(baseImage, packageRoot);
+/**
+ * Pre-pull the Docker image (if not local) and verify it contains `jaiph`.
+ *
+ * Intended to run **before** the CLI banner so Docker's pull overhead doesn't
+ * interleave with the progress tree. On a cold pull, writes a single
+ * `pulling image <name>…` status line to stderr; Docker's native progress is
+ * suppressed via `--quiet`.
+ */
+export function prepareImage(config: DockerRunConfig): string {
+  const image = config.image;
+
+  let needsPull = false;
   try {
-    execSync(`docker image inspect ${tag}`, { stdio: "ignore", timeout: 30_000 });
-    return tag;
+    _dockerExec.run(["image", "inspect", image], { stdio: "ignore", timeout: 30_000 });
   } catch {
-    return buildRuntimeImageFromLocalPackage(baseImage, packageRoot, tag);
+    needsPull = true;
   }
+
+  if (needsPull) {
+    process.stderr.write(`pulling image ${image}…\n`);
+    try {
+      _dockerExec.run(["pull", "--quiet", image], { stdio: "ignore", timeout: 300_000 });
+    } catch {
+      throw new Error(`E_DOCKER_PULL failed to pull image "${image}"`);
+    }
+    process.stderr.write(`pulled\n`);
+  }
+
+  verifyImageHasJaiph(image);
+  return image;
 }
 
 /**
  * Resolve the Docker image to use.
  *
- * When the image was not explicitly configured (`imageExplicit === false`),
- * checks for `.jaiph/Dockerfile` in the workspace root. If present, builds
- * from it and returns the built image tag. Otherwise falls back to the
- * configured (default) image and pulls it if needed.
+ * Thin wrapper around `prepareImage` — kept for back-compat in tests.
  */
-export function resolveImage(config: DockerRunConfig, workspaceRoot: string): string {
-  let baseImage = config.image;
-  if (!config.imageExplicit) {
-    const dockerfilePath = join(workspaceRoot, ".jaiph", "Dockerfile");
-    if (existsSync(dockerfilePath)) {
-      baseImage = buildImageFromDockerfile(dockerfilePath);
-    }
-  }
-  return ensureImageHasJaiph(baseImage);
+export function resolveImage(config: DockerRunConfig): string {
+  return prepareImage(config);
 }
 
 // ---------------------------------------------------------------------------
 // Overlay entrypoint script (written to temp file, mounted into container)
 // ---------------------------------------------------------------------------
 
-const OVERLAY_SCRIPT = `#!/usr/bin/env bash
-set -euo pipefail
-LOWER=/jaiph/workspace-ro
-UPPER=/tmp/overlay-upper
-WORK=/tmp/overlay-work
-MERGED=/jaiph/workspace
-mkdir -p "$UPPER" "$WORK"
-if command -v fuse-overlayfs >/dev/null 2>&1 && [ -e /dev/fuse ]; then
-  fuse-overlayfs -o "lowerdir=$LOWER,upperdir=$UPPER,workdir=$WORK" "$MERGED" 2>/dev/null || true
-fi
-exec "$@"
-`;
+/**
+ * Container-side fuse-overlayfs setup loaded from runtime/overlay-run.sh.
+ *
+ * Resolves the file relative to package root — works from both source and dist
+ * layouts, mirroring the approach used by `resolveDefaultImageTag`.
+ */
+const OVERLAY_SCRIPT = readFileSync(
+  existsSync(resolve(__dirname, "overlay-run.sh"))
+    ? resolve(__dirname, "overlay-run.sh")
+    : resolve(__dirname, "..", "..", "..", "runtime", "overlay-run.sh"),
+  "utf8",
+);
 
 /**
  * Write overlay-run.sh to a temp file and return its path.
@@ -317,6 +291,140 @@ export function writeOverlayScript(): string {
   return scriptPath;
 }
 
+// ---------------------------------------------------------------------------
+// Sandbox mode selection + host-side workspace clone
+// ---------------------------------------------------------------------------
+
+/** Selected sandbox primitive for a Docker run. */
+export type SandboxMode = "overlay" | "copy";
+
+/**
+ * Choose the sandbox mode for the upcoming run.
+ *
+ * Heuristic: presence of `/dev/fuse` on the host is a strong proxy for
+ * fuse-overlayfs viability inside the container. Linux dev/CI hosts typically
+ * have it; macOS Docker Desktop typically doesn't expose it. Override with
+ * `JAIPH_DOCKER_NO_OVERLAY=1` to force the host-copy path.
+ */
+export function selectSandboxMode(env: Record<string, string | undefined>): SandboxMode {
+  if (env.JAIPH_DOCKER_NO_OVERLAY === "1" || env.JAIPH_DOCKER_NO_OVERLAY === "true") {
+    return "copy";
+  }
+  return existsSync("/dev/fuse") ? "overlay" : "copy";
+}
+
+/** Run `cp` with the given flags. Returns true on success. */
+function tryCp(flags: string[], src: string, dst: string): { ok: boolean; stderr: string } {
+  const r = spawnSync("cp", [...flags, src, dst], { stdio: ["ignore", "ignore", "pipe"] });
+  return { ok: r.status === 0, stderr: r.stderr?.toString() ?? "" };
+}
+
+/**
+ * Handles workspace cloning with automatic clonefile detection and fallback.
+ *
+ * On macOS, the first `copy()` call probes `cp -cR` (APFS clonefile, O(1)).
+ * If it works, subsequent calls use clonefile directly. If it fails, all calls
+ * fall back to `cp -pR` and the reason is recorded for a one-time warning.
+ * On Linux/other platforms, always uses `cp -pR`.
+ */
+class WorkspaceCloner {
+  private cloneAttempted = false;
+  private cloneSupported = false;
+  private firstFallbackReason: string | null = null;
+
+  copy(src: string, dst: string): void {
+    if (process.platform !== "darwin") {
+      const r = tryCp(["-pR"], src, dst);
+      if (!r.ok) {
+        throw new Error(`E_DOCKER_SANDBOX_COPY failed to copy ${src} → ${dst}: ${r.stderr.trim()}`);
+      }
+      return;
+    }
+
+    if (!this.cloneAttempted) {
+      this.cloneAttempted = true;
+      const r = tryCp(["-cR"], src, dst);
+      if (r.ok) {
+        this.cloneSupported = true;
+        return;
+      }
+      this.firstFallbackReason = r.stderr.trim().split("\n")[0] || "cp -cR failed";
+      const fb = tryCp(["-pR"], src, dst);
+      if (!fb.ok) {
+        throw new Error(`E_DOCKER_SANDBOX_COPY failed to copy ${src} → ${dst}: ${fb.stderr.trim()}`);
+      }
+      return;
+    }
+
+    if (this.cloneSupported) {
+      const r = tryCp(["-cR"], src, dst);
+      if (r.ok) return;
+    }
+    const fb = tryCp(["-pR"], src, dst);
+    if (!fb.ok) {
+      throw new Error(`E_DOCKER_SANDBOX_COPY failed to copy ${src} → ${dst}: ${fb.stderr.trim()}`);
+    }
+  }
+
+  get fellBackToPlainCopy(): boolean {
+    return this.cloneAttempted && !this.cloneSupported;
+  }
+
+  get fallbackReason(): string {
+    return this.firstFallbackReason ?? "unknown reason";
+  }
+}
+
+/**
+ * Clone the host workspace into a sandbox directory.
+ *
+ * - macOS: tries `cp -cR` (APFS clonefile, O(1)); on failure, falls back to
+ *   `cp -pR` (real copy) with a single stderr warning noting the reason.
+ * - Linux/other: uses `cp -pR` directly. The slow case (no fuse-overlayfs +
+ *   non-COW filesystem) is documented; users on those hosts pay the copy cost.
+ *
+ * Excludes `.jaiph/runs` (mounted separately at `/jaiph/run`) and `.git/objects`
+ * is intentionally NOT excluded — workflows may need git history.
+ */
+export function cloneWorkspaceForSandbox(
+  srcRoot: string,
+  dstRoot: string,
+  warn: (msg: string) => void = (m) => process.stderr.write(`${m}\n`),
+): void {
+  mkdirSync(dstRoot, { recursive: true });
+  const cloner = new WorkspaceCloner();
+
+  for (const entry of readdirSync(srcRoot, { withFileTypes: true })) {
+    if (entry.name === ".jaiph") continue;
+    cloner.copy(join(srcRoot, entry.name), join(dstRoot, entry.name));
+  }
+
+  const jaiphSrc = join(srcRoot, ".jaiph");
+  if (existsSync(jaiphSrc)) {
+    const jaiphDst = join(dstRoot, ".jaiph");
+    mkdirSync(jaiphDst, { recursive: true });
+    for (const entry of readdirSync(jaiphSrc, { withFileTypes: true })) {
+      if (entry.name === "runs") continue;
+      cloner.copy(join(jaiphSrc, entry.name), join(jaiphDst, entry.name));
+    }
+  }
+
+  if (process.platform === "darwin" && cloner.fellBackToPlainCopy) {
+    warn(
+      `jaiph docker: clonefile (cp -cR) unavailable on this filesystem; using plain copy ` +
+      `(${cloner.fallbackReason}). Workspace clone may be slow for large trees.`,
+    );
+  }
+}
+
+/** Allocate a fresh sandbox workspace directory adjacent to the runs root. */
+export function allocateSandboxWorkspaceDir(runsRoot: string): string {
+  const id = randomBytes(4).toString("hex");
+  const dir = join(runsRoot, `.sandbox-${id}`);
+  mkdirSync(dir, { recursive: true });
+  return dir;
+}
+
 // ---------------------------------------------------------------------------
 // Docker command builder
 // ---------------------------------------------------------------------------
@@ -330,11 +438,37 @@ export interface DockerSpawnOptions {
   runArgs: string[];
   env: Record<string, string | undefined>;
   isTTY: boolean;
+  /**
+   * How to make the workspace appear writable inside the container.
+   *  - "overlay": bind workspace ro, set up fuse-overlayfs in-container.
+   *  - "copy":    pre-clone workspace on host, bind the clone rw.
+   * Defaults to `selectSandboxMode(env)` when omitted.
+   */
+  sandboxMode?: SandboxMode;
+  /**
+   * Required when `sandboxMode === "copy"`: the host path of the cloned
+   * workspace to bind at `/jaiph/workspace`. Caller owns its lifecycle.
+   */
+  sandboxWorkspaceDir?: string;
 }
 
 export const CONTAINER_WORKSPACE = "/jaiph/workspace";
 export const CONTAINER_RUN_DIR = "/jaiph/run";
-const AGENT_ENV_PREFIXES = ["CURSOR_", "ANTHROPIC_", "CLAUDE_"] as const;
+
+/**
+ * Explicit allowlist of environment variable prefixes forwarded into the
+ * container. Everything else is dropped — fail-closed by design.
+ */
+const ENV_ALLOW_PREFIXES = ["JAIPH_", "ANTHROPIC_", "CURSOR_", "CLAUDE_"] as const;
+
+/** Prefix excluded from the allowlist even though it starts with JAIPH_. */
+const ENV_ALLOW_EXCLUDE_PREFIX = "JAIPH_DOCKER_";
+
+/** Returns true if `key` is on the explicit allowlist for container forwarding. */
+export function isEnvAllowed(key: string): boolean {
+  if (key.startsWith(ENV_ALLOW_EXCLUDE_PREFIX)) return false;
+  return ENV_ALLOW_PREFIXES.some((prefix) => key.startsWith(prefix));
+}
 
 /** Resolve the host run-artifacts root for Docker-backed runs. */
 export function resolveDockerHostRunsRoot(
@@ -360,14 +494,37 @@ export function resolveDockerHostRunsRoot(
 
 /**
  * Remap environment variables for use inside the Docker container.
- * JAIPH_WORKSPACE → /jaiph/workspace, JAIPH_RUNS_DIR → /jaiph/run.
+ *
+ * Host-side `resolveRuntimeEnv` resolves several JAIPH_* keys to absolute
+ * host paths (the workspace root, agent trusted workspace, runs dir). Those
+ * paths do not exist inside the container — the workspace is bind-mounted at
+ * /jaiph/workspace and run artifacts at /jaiph/run. If we forwarded them
+ * unchanged the container would receive nonsense paths; worse, they reach
+ * agent CLIs (cursor-agent --trust <path>) and surface in model context,
+ * confusing the model into reporting it can't access "/tmp/jaiph-run-XXX".
+ *
+ * - JAIPH_WORKSPACE              → /jaiph/workspace (always)
+ * - JAIPH_RUNS_DIR               → /jaiph/run      (always)
+ * - JAIPH_AGENT_TRUSTED_WORKSPACE → remapped from <workspaceRoot>[/sub] to
+ *                                   /jaiph/workspace[/sub] when it points
+ *                                   inside the workspace; otherwise left as
+ *                                   the explicit absolute path the user set.
  */
 export function remapDockerEnv(
   env: Record<string, string | undefined>,
+  workspaceRoot?: string,
 ): Record<string, string | undefined> {
   const out = { ...env };
   out.JAIPH_WORKSPACE = CONTAINER_WORKSPACE;
   out.JAIPH_RUNS_DIR = CONTAINER_RUN_DIR;
+  if (workspaceRoot && out.JAIPH_AGENT_TRUSTED_WORKSPACE) {
+    const trusted = out.JAIPH_AGENT_TRUSTED_WORKSPACE;
+    if (trusted === workspaceRoot) {
+      out.JAIPH_AGENT_TRUSTED_WORKSPACE = CONTAINER_WORKSPACE;
+    } else if (trusted.startsWith(workspaceRoot + "/")) {
+      out.JAIPH_AGENT_TRUSTED_WORKSPACE = CONTAINER_WORKSPACE + trusted.slice(workspaceRoot.length);
+    }
+  }
   return out;
 }
 
@@ -385,29 +542,81 @@ export function overlayMountPath(containerPath: string): string {
 /**
  * Build the `docker run --rm` argument list.
  *
- * Mounts:
- *  1. workspace → /jaiph/workspace:ro  (fallback when overlay absent)
- *  2. workspace → /jaiph/workspace-ro:ro  (overlay lower layer)
- *  3. sandboxRunDir → /jaiph/run:rw  (single run artifacts)
- *
- * overlay-run.sh (baked in image) creates a fuse-overlayfs CoW at
- * /jaiph/workspace using -ro as lower.  /jaiph/run is outside the overlay
- * so writes go directly to the host mount — no symlink needed.
+ * Two sandbox shapes:
+ *  - "overlay": workspace bind-mounts ro at /jaiph/workspace-ro; entrypoint
+ *    script sets up fuse-overlayfs at /jaiph/workspace. Requires SYS_ADMIN
+ *    and /dev/fuse. Run artifacts mount at /jaiph/run (outside the overlay).
+ *  - "copy": host pre-clones workspace to `opts.sandboxWorkspaceDir`; that
+ *    dir bind-mounts rw at /jaiph/workspace. No overlay script, no fuse,
+ *    no SYS_ADMIN. Run artifacts mount at /jaiph/run as before.
  *
  * The container runs `jaiph run --raw <file>` using its own installed jaiph.
+ *
+ * `overlayScriptPath` is required for "overlay" mode and ignored for "copy".
  */
-export function buildDockerArgs(opts: DockerSpawnOptions, overlayScriptPath: string): string[] {
+export function buildDockerArgs(opts: DockerSpawnOptions, overlayScriptPath?: string): string[] {
+  const mode: SandboxMode = opts.sandboxMode ?? selectSandboxMode(opts.env);
+  if (mode === "overlay" && !overlayScriptPath) {
+    throw new Error("buildDockerArgs: overlay mode requires overlayScriptPath");
+  }
+  if (mode === "copy" && !opts.sandboxWorkspaceDir) {
+    throw new Error("buildDockerArgs: copy mode requires sandboxWorkspaceDir");
+  }
+
   const args: string[] = ["run", "--rm"];
 
-  args.push("--device", "/dev/fuse");
+  args.push("--cap-drop", "ALL");
+  if (mode === "overlay") {
+    // Overlay setup runs as root, then drops to host UID/GID via setpriv.
+    //   SYS_ADMIN: fuse-overlayfs mount
+    //   SETUID/SETGID: setpriv uid/gid switch
+    //   CHOWN: best-effort chown of /jaiph/run
+    //   DAC_READ_SEARCH: fuse-overlayfs daemon (running as root) needs to read
+    //     lower-layer files owned by host_uid with restrictive perms (e.g. 0600
+    //     workflow files, 0700 workspace dirs) so the kernel can serve them
+    //     through the merged view to the dropped-uid workflow process.
+    args.push("--cap-add", "SYS_ADMIN");
+    args.push("--cap-add", "SETUID");
+    args.push("--cap-add", "SETGID");
+    args.push("--cap-add", "CHOWN");
+    args.push("--cap-add", "DAC_READ_SEARCH");
+  }
+  args.push("--security-opt", "no-new-privileges");
+
+  if (mode === "overlay") {
+    args.push("--device", "/dev/fuse");
+    // Many Linux hosts (Ubuntu 22.04+, GitHub Actions runners, etc.) ship a
+    // default AppArmor profile that denies fuse mounts inside containers
+    // even when SYS_ADMIN + /dev/fuse are present. Unconfining apparmor for
+    // this single container restores the documented fuse-overlayfs
+    // behavior. Linux-only: macOS Docker Desktop has no AppArmor and
+    // rejects unknown security-opts on some versions.
+    if (process.platform === "linux") {
+      args.push("--security-opt", "apparmor=unconfined");
+    }
+  }
 
+  // UID/GID strategy (Linux):
+  //   copy mode    → --user host_uid:host_gid directly.
+  //   overlay mode → --user 0:0 so fuse-overlayfs can mount on /jaiph/workspace.
+  //                  The workflow runs as root inside the container in this mode.
+  // macOS Docker Desktop translates UIDs across the VM boundary, so we don't
+  // override --user there.
+  let hostUid: string | undefined;
+  let hostGid: string | undefined;
   if (process.platform === "linux") {
-    try {
-      const uid = execSync("id -u", { encoding: "utf8" }).trim();
-      const gid = execSync("id -g", { encoding: "utf8" }).trim();
-      args.push("--user", `${uid}:${gid}`);
-    } catch {
-      // Fall through without --user
+    const detected = _uidDetect.getHostUidGid();
+    if (!detected) {
+      throw new Error(
+        "E_DOCKER_UID failed to determine host UID/GID; refusing to run sandbox as root.",
+      );
+    }
+    hostUid = detected.uid;
+    hostGid = detected.gid;
+    if (mode === "overlay") {
+      args.push("--user", "0:0");
+    } else {
+      args.push("--user", `${hostUid}:${hostGid}`);
     }
   }
 
@@ -415,43 +624,52 @@ export function buildDockerArgs(opts: DockerSpawnOptions, overlayScriptPath: str
     args.push("--network", opts.config.network);
   }
 
-  // Workspace: ro at primary path (fallback) + overlay lower layer path
-  for (const mount of opts.config.mounts) {
-    const hostAbs = resolve(opts.workspaceRoot, mount.hostPath);
-    args.push("-v", `${hostAbs}:${mount.containerPath}:ro`);
-    args.push("-v", `${hostAbs}:${overlayMountPath(mount.containerPath)}:ro`);
+  // Single workspace mount — no user-configurable mounts.
+  if (mode === "overlay") {
+    const hostAbs = resolve(opts.workspaceRoot);
+    validateMountHostPath(hostAbs);
+    args.push("-v", `${hostAbs}:${overlayMountPath(CONTAINER_WORKSPACE)}:ro`);
+  } else {
+    const hostAbs = resolve(opts.sandboxWorkspaceDir!);
+    validateMountHostPath(hostAbs);
+    args.push("-v", `${hostAbs}:${CONTAINER_WORKSPACE}:rw`);
   }
 
-  // Single run directory: rw mount outside the overlay
   args.push("-v", `${opts.sandboxRunDir}:${CONTAINER_RUN_DIR}:rw`);
 
-  // Overlay entrypoint script (runtime-generated, mounted ro)
-  args.push("-v", `${overlayScriptPath}:/jaiph/overlay-run.sh:ro`);
-
-  // Environment
-  const containerEnv = remapDockerEnv(opts.env);
+  if (mode === "overlay") {
+    args.push("-v", `${overlayScriptPath}:/jaiph/overlay-run.sh:ro`);
+  }
 
+  const containerEnv = remapDockerEnv(opts.env, opts.workspaceRoot);
   for (const [key, value] of Object.entries(containerEnv)) {
     if (value === undefined) continue;
-    if (key.startsWith("JAIPH_") && !key.startsWith("JAIPH_DOCKER_")) {
-      args.push("-e", `${key}=${value}`);
-    }
-    if (AGENT_ENV_PREFIXES.some((prefix) => key.startsWith(prefix))) {
-      args.push("-e", `${key}=${value}`);
-    }
+    if (!isEnvAllowed(key)) continue;
+    args.push("-e", `${key}=${value}`);
+  }
+  if (mode === "overlay" && hostUid && hostGid) {
+    args.push("-e", `JAIPH_HOST_UID=${hostUid}`);
+    args.push("-e", `JAIPH_HOST_GID=${hostGid}`);
   }
 
   args.push("-w", CONTAINER_WORKSPACE);
   args.push(opts.config.image);
 
-  // Command: overlay wrapper → jaiph run --raw
   const relSource = relative(opts.workspaceRoot, opts.sourceAbs);
-  args.push(
-    "/jaiph/overlay-run.sh",
-    "jaiph", "run", "--raw",
-    `${CONTAINER_WORKSPACE}/${relSource}`,
-    ...opts.runArgs,
-  );
+  if (mode === "overlay") {
+    args.push(
+      "/jaiph/overlay-run.sh",
+      "jaiph", "run", "--raw",
+      `${CONTAINER_WORKSPACE}/${relSource}`,
+      ...opts.runArgs,
+    );
+  } else {
+    args.push(
+      "jaiph", "run", "--raw",
+      `${CONTAINER_WORKSPACE}/${relSource}`,
+      ...opts.runArgs,
+    );
+  }
 
   return args;
 }
@@ -464,9 +682,17 @@ export interface DockerSpawnResult {
   child: ChildProcess;
   /** Host directory mounted at /jaiph/run — scan for artifacts after exit. */
   sandboxRunDir: string;
-  /** Temp directory containing overlay-run.sh — cleaned up after exit. */
-  overlayScriptDir: string;
+  /** Selected sandbox primitive for this run. */
+  sandboxMode: SandboxMode;
+  /** Temp directory containing overlay-run.sh — cleaned up after exit (overlay mode). */
+  overlayScriptDir?: string;
+  /** Pre-cloned workspace dir mounted rw — removed on cleanup unless kept (copy mode). */
+  sandboxWorkspaceDir?: string;
+  /** When true, cleanup leaves `sandboxWorkspaceDir` on disk for debugging. */
+  keepSandboxWorkspace: boolean;
   timeoutTimer?: NodeJS.Timeout;
+  /** Set to true after cleanupDocker has run — prevents double-rmSync. */
+  cleaned?: boolean;
 }
 
 /**
@@ -474,15 +700,45 @@ export interface DockerSpawnResult {
  *
  * The container runs `jaiph run --raw <file>` using its own installed jaiph.
  * Events flow via stderr; stdout carries workflow output.
+ *
+ * Sandbox mode is picked from `opts.sandboxMode` if set, otherwise
+ * `selectSandboxMode(opts.env)`. In "copy" mode the workspace is cloned to a
+ * fresh `<runsRoot>/.sandbox-<id>/` directory (or the provided
+ * `opts.sandboxWorkspaceDir`) before launch.
  */
 export function spawnDockerProcess(opts: DockerSpawnOptions): DockerSpawnResult {
   checkDockerAvailable();
-  const resolvedImage = resolveImage(opts.config, opts.workspaceRoot);
-  opts = { ...opts, config: { ...opts.config, image: resolvedImage } };
 
+  const mode: SandboxMode = opts.sandboxMode ?? selectSandboxMode(opts.env);
   mkdirSync(opts.sandboxRunDir, { recursive: true });
-  const overlayScriptPath = writeOverlayScript();
-  const overlayScriptDir = dirname(overlayScriptPath);
+  // Linux overlay mode runs as container root. Some hosts run Docker with
+  // user-namespace remapping, where container root is not host root and cannot
+  // create entries in a 0755 host-owned bind mount. Make the run dir
+  // world-writable so artifacts remain writable regardless of UID mapping.
+  if (process.platform === "linux" && mode === "overlay") {
+    try {
+      chmodSync(opts.sandboxRunDir, 0o777);
+    } catch {
+      // Best effort: if chmod fails, docker run may still succeed on hosts
+      // without user-namespace remapping.
+    }
+  }
+
+  let overlayScriptPath: string | undefined;
+  let overlayScriptDir: string | undefined;
+  let sandboxWorkspaceDir: string | undefined;
+  const keepSandboxWorkspace =
+    opts.env.JAIPH_DOCKER_KEEP_SANDBOX === "1" || opts.env.JAIPH_DOCKER_KEEP_SANDBOX === "true";
+
+  if (mode === "overlay") {
+    overlayScriptPath = writeOverlayScript();
+    overlayScriptDir = dirname(overlayScriptPath);
+  } else {
+    sandboxWorkspaceDir = opts.sandboxWorkspaceDir ?? allocateSandboxWorkspaceDir(opts.sandboxRunDir);
+    cloneWorkspaceForSandbox(opts.workspaceRoot, sandboxWorkspaceDir);
+  }
+
+  opts = { ...opts, sandboxMode: mode, sandboxWorkspaceDir };
   const dockerArgs = buildDockerArgs(opts, overlayScriptPath);
 
   const child = spawn("docker", dockerArgs, {
@@ -492,7 +748,7 @@ export function spawnDockerProcess(opts: DockerSpawnOptions): DockerSpawnResult
   });
 
   let timeoutTimer: NodeJS.Timeout | undefined;
-  if (opts.config.timeout > 0) {
+  if (opts.config.timeoutSeconds > 0) {
     timeoutTimer = setTimeout(() => {
       try {
         child.kill("SIGTERM");
@@ -506,47 +762,46 @@ export function spawnDockerProcess(opts: DockerSpawnOptions): DockerSpawnResult
           // no-op
         }
       }, 5000);
-    }, opts.config.timeout * 1000);
+    }, opts.config.timeoutSeconds * 1000);
   }
 
-  return { child, sandboxRunDir: opts.sandboxRunDir, overlayScriptDir, timeoutTimer };
+  return {
+    child,
+    sandboxRunDir: opts.sandboxRunDir,
+    sandboxMode: mode,
+    overlayScriptDir,
+    sandboxWorkspaceDir,
+    keepSandboxWorkspace,
+    timeoutTimer,
+  };
 }
 
 /**
  * Clean up Docker resources after execution.
+ *
+ * Removes the overlay script tempdir (overlay mode) and the cloned workspace
+ * (copy mode), unless `JAIPH_DOCKER_KEEP_SANDBOX=1` was set.
  */
 export function cleanupDocker(result: DockerSpawnResult): void {
+  if (result.cleaned) return;
+  result.cleaned = true;
   if (result.timeoutTimer) {
     clearTimeout(result.timeoutTimer);
   }
-  try {
-    rmSync(result.overlayScriptDir, { recursive: true, force: true });
-  } catch {
-    // Best-effort cleanup
+  if (result.overlayScriptDir) {
+    try {
+      rmSync(result.overlayScriptDir, { recursive: true, force: true });
+    } catch {
+      // Best-effort cleanup
+    }
   }
-}
-
-export function findRunArtifacts(
-  sandboxRunDir: string,
-): { runDir?: string; summaryFile?: string } {
-  if (!existsSync(sandboxRunDir)) return {};
-  const candidates: string[] = [];
-  for (const dateDir of readdirSync(sandboxRunDir)) {
-    const datePath = join(sandboxRunDir, dateDir);
-    if (!statSync(datePath).isDirectory()) continue;
-    for (const runEntry of readdirSync(datePath)) {
-      const runPath = join(datePath, runEntry);
-      if (!statSync(runPath).isDirectory()) continue;
-      candidates.push(runPath);
+  if (result.sandboxWorkspaceDir && !result.keepSandboxWorkspace) {
+    try {
+      rmSync(result.sandboxWorkspaceDir, { recursive: true, force: true });
+    } catch {
+      // Best-effort cleanup
     }
   }
-  candidates.sort();
-  const runDir = candidates[candidates.length - 1];
-  if (!runDir) return {};
-  const summaryFile = join(runDir, "run_summary.jsonl");
-  return {
-    runDir,
-    summaryFile: existsSync(summaryFile) ? summaryFile : undefined,
-  };
 }
 
+
diff --git a/src/runtime/kernel/node-test-runner.test.ts b/src/runtime/kernel/node-test-runner.test.ts
index afd494f5..8f276006 100644
--- a/src/runtime/kernel/node-test-runner.test.ts
+++ b/src/runtime/kernel/node-test-runner.test.ts
@@ -51,3 +51,132 @@ test "block B" {
     rmSync(dir, { recursive: true, force: true });
   }
 });
+
+test("test runner resolves `const` bindings inside `mock prompt <ident>` and `expect_equal var <ident>`", async () => {
+  const dir = mkdtempSync(join(tmpdir(), "jaiph-const-binding-"));
+  const scriptsDir = join(dir, "scripts");
+  mkdirSync(scriptsDir, { recursive: true });
+
+  try {
+    const testFile = join(dir, "consts.test.jh");
+    writeFileSync(
+      testFile,
+      `workflow ask() {
+  const r = prompt "say hi"
+  return r
+}
+
+test "const drives mock and expect" {
+  const expected = "Hello Alice!"
+  mock prompt expected
+  const response = run ask()
+  expect_equal response expected
+}
+`,
+    );
+
+    const exitCode = await runTestFile(testFile, dir, scriptsDir, [
+      {
+        description: "const drives mock and expect", loc,
+        steps: [
+          { type: "test_const" as const, name: "expected", value: "Hello Alice!", loc },
+          { type: "test_mock_prompt" as const, response: "", responseVar: "expected", loc },
+          { type: "test_run_workflow" as const, captureName: "response", workflowRef: "ask", args: [], loc },
+          {
+            type: "test_expect_equal" as const,
+            variable: "response",
+            expected: "",
+            expectedVar: "expected",
+            loc,
+          },
+        ],
+      },
+    ]);
+
+    assert.equal(exitCode, 0, "test should pass when const value flows into mock and expect_equal");
+  } finally {
+    rmSync(dir, { recursive: true, force: true });
+  }
+});
+
+test("test runner reports a clear error when an expect_* step references an undefined const", async () => {
+  const dir = mkdtempSync(join(tmpdir(), "jaiph-undefined-const-"));
+  const scriptsDir = join(dir, "scripts");
+  mkdirSync(scriptsDir, { recursive: true });
+
+  try {
+    const testFile = join(dir, "missing.test.jh");
+    writeFileSync(
+      testFile,
+      `workflow noop() {
+  return "v"
+}
+
+test "undefined const ref" {
+  const response = run noop()
+  expect_equal response missing
+}
+`,
+    );
+
+    const exitCode = await runTestFile(testFile, dir, scriptsDir, [
+      {
+        description: "undefined const ref", loc,
+        steps: [
+          { type: "test_run_workflow" as const, captureName: "response", workflowRef: "noop", args: [], loc },
+          {
+            type: "test_expect_equal" as const,
+            variable: "response",
+            expected: "",
+            expectedVar: "missing",
+            loc,
+          },
+        ],
+      },
+    ]);
+
+    assert.notEqual(exitCode, 0, "test should fail when referencing an undefined const");
+  } finally {
+    rmSync(dir, { recursive: true, force: true });
+  }
+});
+
+test("test runner rejects bare `response` reference when `run` was not captured (no implicit binding)", async () => {
+  const dir = mkdtempSync(join(tmpdir(), "jaiph-no-implicit-response-"));
+  const scriptsDir = join(dir, "scripts");
+  mkdirSync(scriptsDir, { recursive: true });
+
+  try {
+    const testFile = join(dir, "no_implicit.test.jh");
+    writeFileSync(
+      testFile,
+      `workflow greet(name) {
+  return "hello \${name}"
+}
+
+test "no implicit response" {
+  run greet("world")
+  expect_equal response "hello world"
+}
+`,
+    );
+
+    const exitCode = await runTestFile(testFile, dir, scriptsDir, [
+      {
+        description: "no implicit response", loc,
+        steps: [
+          { type: "test_run_workflow" as const, workflowRef: "greet", args: ["world"], loc },
+          { type: "test_expect_equal" as const, variable: "response", expected: "hello world", loc },
+        ],
+      },
+    ]);
+
+    assert.notEqual(
+      exitCode,
+      0,
+      "test should fail because `response` was never captured — there is no implicit alias",
+    );
+  } finally {
+    rmSync(dir, { recursive: true, force: true });
+  }
+});
diff --git a/src/runtime/kernel/node-test-runner.ts b/src/runtime/kernel/node-test-runner.ts
index e78de88c..6860ae89 100644
--- a/src/runtime/kernel/node-test-runner.ts
+++ b/src/runtime/kernel/node-test-runner.ts
@@ -9,6 +9,25 @@ type TestResult = { pass: boolean; error?: string };
 
 type MockRefStep = Extract<TestStepDef, { type: "test_mock_workflow" | "test_mock_rule" | "test_mock_script" }>;
 
+/**
+ * Resolve the second argument of an `expect_*` step. Returns the literal value
+ * when the step was authored with a quoted string, or looks up `varName` in
+ * `vars` when the step was authored with a bare identifier referring to a
+ * `test_const`. Returns an `Error` (not throws) so callers can surface a clear
+ * test failure rather than crashing the run.
+ */
+function resolveExpectArg(
+  vars: Map<string, string>,
+  literal: string,
+  varName: string | undefined,
+): string | Error {
+  if (varName === undefined) return literal;
+  if (!vars.has(varName)) {
+    return new Error(`expect: undefined const "${varName}" (declare it earlier in the test block)`);
+  }
+  return vars.get(varName)!;
+}
+
 function resolveMockBodies(
   graph: RuntimeGraph,
   entryFile: string,
@@ -93,13 +112,28 @@ async function runTestBlock(
     const mockRefs: Array<Extract<TestStepDef, { type: "test_mock_workflow" | "test_mock_rule" | "test_mock_script" }>> = [];
     const vars = new Map<string, string>();
 
-    // Collect mock setup
+    // Collect mock setup. Walk in source order so that `const` bindings declared
+    // before a `mock prompt <ident>` are available when the response is resolved.
     for (const step of block.steps) {
       if (step.type === "comment" || step.type === "blank_line") {
         continue;
       }
+      if (step.type === "test_const") {
+        vars.set(step.name, step.value);
+        continue;
+      }
       if (step.type === "test_mock_prompt") {
-        mockResponses.push(step.response);
+        if (step.responseVar !== undefined) {
+          if (!vars.has(step.responseVar)) {
+            return {
+              pass: false,
+              error: `mock prompt: undefined const "${step.responseVar}" (declare it earlier in the test block)`,
+            };
+          }
+          mockResponses.push(vars.get(step.responseVar)!);
+        } else {
+          mockResponses.push(step.response);
+        }
       }
       if (step.type === "test_mock_prompt_block") {
         mockDispatchPath = writeMockDispatchScript(step, tmpDir);
@@ -123,7 +157,8 @@ async function runTestBlock(
       }
       if (step.type === "test_mock_prompt" || step.type === "test_mock_prompt_block" ||
           step.type === "test_mock_workflow" || step.type === "test_mock_rule" ||
-          step.type === "test_mock_script") {
+          step.type === "test_mock_script" ||
+          step.type === "test_const") {
         continue; // Already processed above
       }
 
@@ -149,28 +184,33 @@ async function runTestBlock(
           mockBodies,
         });
         const result = await runtime.runNamedWorkflow(step.workflowRef, step.args ?? []);
+        // Resolve the captured value following production `run_capture` semantics.
+        // Only an explicit `const X = run …` binding introduces a variable; there is no
+        // implicit alias — `expect_*` must reference an explicitly-captured name.
         if (step.captureName) {
-          // Match production run_capture semantics: prefer returnValue over raw output.
+          let runValue: string | undefined;
           if (result.status === 0 && result.returnValue) {
-            vars.set(step.captureName, result.returnValue);
+            runValue = result.returnValue;
           } else if (result.status !== 0 && result.error) {
-            // Failed workflow: capture error content (matches bash stderr capture)
-            vars.set(step.captureName, result.error.trim());
+            runValue = result.error.trim();
           } else {
-            // No explicit return — read all .out artifact files (matches bash harness semantics)
+            // No explicit return — read all .out artifact files (matches bash harness semantics).
             const runDir = runtime.getRunDir();
-            let captured = "";
             try {
               const outFiles = readdirSync(runDir)
                 .filter((f) => f.endsWith(".out"))
                 .sort();
+              let captured = "";
               for (const outFile of outFiles) {
                 captured += readFileSync(join(runDir, outFile), "utf8");
               }
+              runValue = captured;
             } catch {
-              captured = result.output;
+              runValue = result.output;
             }
-            vars.set(step.captureName, captured);
+          }
+          if (runValue !== undefined) {
+            vars.set(step.captureName, runValue);
           }
         }
         if (!step.allowFailure && result.status !== 0) {
@@ -180,33 +220,48 @@ async function runTestBlock(
       }
 
       if (step.type === "test_expect_contain") {
+        if (!vars.has(step.variable)) {
+          return { pass: false, error: `expect_contain: undefined variable "${step.variable}" (capture it first with: const ${step.variable} = run …)` };
+        }
         const value = vars.get(step.variable) ?? "";
-        if (!value.includes(step.substring)) {
+        const substring = resolveExpectArg(vars, step.substring, step.substringVar);
+        if (substring instanceof Error) return { pass: false, error: substring.message };
+        if (!value.includes(substring)) {
           return {
             pass: false,
-            error: `expect_contain failed: "${step.variable}" (${value.length} chars) does not contain "${step.substring}"`,
+            error: `expect_contain failed: "${step.variable}" (${value.length} chars) does not contain "${substring}"`,
           };
         }
         continue;
       }
 
       if (step.type === "test_expect_not_contain") {
+        if (!vars.has(step.variable)) {
+          return { pass: false, error: `expect_not_contain: undefined variable "${step.variable}" (capture it first with: const ${step.variable} = run …)` };
+        }
         const value = vars.get(step.variable) ?? "";
-        if (value.includes(step.substring)) {
+        const substring = resolveExpectArg(vars, step.substring, step.substringVar);
+        if (substring instanceof Error) return { pass: false, error: substring.message };
+        if (value.includes(substring)) {
           return {
             pass: false,
-            error: `expect_not_contain failed: "${step.variable}" contains "${step.substring}"`,
+            error: `expect_not_contain failed: "${step.variable}" contains "${substring}"`,
           };
         }
         continue;
       }
 
       if (step.type === "test_expect_equal") {
+        if (!vars.has(step.variable)) {
+          return { pass: false, error: `expect_equal: undefined variable "${step.variable}" (capture it first with: const ${step.variable} = run …)` };
+        }
         const value = vars.get(step.variable) ?? "";
-        if (value !== step.expected) {
+        const expected = resolveExpectArg(vars, step.expected, step.expectedVar);
+        if (expected instanceof Error) return { pass: false, error: expected.message };
+        if (value !== expected) {
           return {
             pass: false,
-            error: `expect_equal failed:\n    - ${step.expected}\n    + ${value}`,
+            error: `expect_equal failed:\n    - ${expected}\n    + ${value}`,
           };
         }
         continue;
diff --git a/src/runtime/kernel/node-workflow-runtime.artifacts.test.ts b/src/runtime/kernel/node-workflow-runtime.artifacts.test.ts
index 38fdc73b..0e0ac5a4 100644
--- a/src/runtime/kernel/node-workflow-runtime.artifacts.test.ts
+++ b/src/runtime/kernel/node-workflow-runtime.artifacts.test.ts
@@ -6,6 +6,121 @@ import { join } from "node:path";
 import { buildRuntimeGraph } from "./graph";
 import { NodeWorkflowRuntime } from "./node-workflow-runtime";
 
+test("NodeWorkflowRuntime: runDefault writes return_value.txt with the workflow's return value", async () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-node-wf-return-"));
+  try {
+    const jh = join(root, "returns.jh");
+    writeFileSync(
+      jh,
+      [
+        "workflow default(name) {",
+        '  return "hello ${name}"',
+        "}",
+        "",
+      ].join("\n"),
+    );
+    const graph = buildRuntimeGraph(jh);
+    const env: NodeJS.ProcessEnv = {
+      ...process.env,
+      JAIPH_TEST_MODE: "1",
+      JAIPH_RUNS_DIR: join(root, ".jaiph", "runs"),
+    };
+    const runtime = new NodeWorkflowRuntime(graph, { env, cwd: root });
+    const status = await runtime.runDefault(["world"]);
+    assert.equal(status, 0);
+
+    const returnValueFile = join(runtime.getRunDir(), "return_value.txt");
+    assert.ok(existsSync(returnValueFile), `expected return_value.txt in ${runtime.getRunDir()}`);
+    assert.equal(readFileSync(returnValueFile, "utf8"), "hello world");
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("NodeWorkflowRuntime: runDefault does not write return_value.txt when workflow has no return", async () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-node-wf-noreturn-"));
+  try {
+    const jh = join(root, "noreturn.jh");
+    writeFileSync(
+      jh,
+      [
+        "workflow default() {",
+        '  log "side effect only"',
+        "}",
+        "",
+      ].join("\n"),
+    );
+    const graph = buildRuntimeGraph(jh);
+    const env: NodeJS.ProcessEnv = {
+      ...process.env,
+      JAIPH_TEST_MODE: "1",
+      JAIPH_RUNS_DIR: join(root, ".jaiph", "runs"),
+    };
+    const runtime = new NodeWorkflowRuntime(graph, { env, cwd: root });
+    const status = await runtime.runDefault([]);
+    assert.equal(status, 0);
+
+    const returnValueFile = join(runtime.getRunDir(), "return_value.txt");
+    assert.ok(!existsSync(returnValueFile), "expected no return_value.txt for workflow without return");
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("NodeWorkflowRuntime: prompt step preview preserves authored ${var} placeholders (not interpolated)", async () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-prompt-preview-"));
+  try {
+    const jh = join(root, "prompt_preview.jh");
+    writeFileSync(
+      jh,
+      [
+        "workflow default(name) {",
+        '  prompt "Say hello to ${name} and stop."',
+        "}",
+        "",
+      ].join("\n"),
+    );
+    const mockFile = join(root, "mocks.txt");
+    writeFileSync(mockFile, "ok\n");
+
+    const graph = buildRuntimeGraph(jh);
+    const env: NodeJS.ProcessEnv = {
+      ...process.env,
+      JAIPH_TEST_MODE: "1",
+      JAIPH_MOCK_RESPONSES_FILE: mockFile,
+      JAIPH_RUNS_DIR: join(root, ".jaiph", "runs"),
+    };
+    const runtime = new NodeWorkflowRuntime(graph, { env, cwd: root });
+    const prevSummaryEnv = process.env.JAIPH_RUN_SUMMARY_FILE;
+    process.env.JAIPH_RUN_SUMMARY_FILE = runtime.getSummaryFile();
+    let status: number;
+    try {
+      status = await runtime.runDefault(["Adam"]);
+    } finally {
+      if (prevSummaryEnv === undefined) delete process.env.JAIPH_RUN_SUMMARY_FILE;
+      else process.env.JAIPH_RUN_SUMMARY_FILE = prevSummaryEnv;
+    }
+    assert.equal(status, 0);
+
+    const summary = readFileSync(runtime.getSummaryFile(), "utf8");
+    const promptStart = summary
+      .split("\n")
+      .filter(Boolean)
+      .map((l) => JSON.parse(l) as Record<string, unknown>)
+      .find((e) => e.type === "STEP_START" && e.kind === "prompt");
+    assert.ok(promptStart, "expected a prompt STEP_START in run summary");
+    const params = (promptStart as { params: Array<[string, string]> }).params;
+    const previewEntry = params.find(([k]) => k === "prompt_text");
+    assert.ok(previewEntry, "prompt STEP_START should include a prompt_text param");
+    assert.equal(previewEntry![1], "Say hello to ${name} and stop.");
+    const nameEntry = params.find(([k]) => k === "name");
+    assert.ok(nameEntry, "prompt STEP_START should include the resolved `name` param");
+    assert.equal(nameEntry![1], "Adam");
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
 test("NodeWorkflowRuntime: workflow step .out accumulates Command:/Prompt: and log (mocked prompt)", async () => {
   const root = mkdtempSync(join(tmpdir(), "jaiph-node-wf-artifacts-"));
   try {
@@ -452,6 +567,64 @@ test("NodeWorkflowRuntime: prompt STEP_START params include named vars reference
   }
 });
 
+test("NodeWorkflowRuntime: JAIPH_ARTIFACTS_DIR is set and points at writable artifacts/ subdir", async () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-node-wf-artifacts-dir-"));
+  try {
+    const jh = join(root, "artifacts_env.jh");
+    writeFileSync(jh, 'workflow default() {\n  log "ok"\n}\n');
+
+    const graph = buildRuntimeGraph(jh);
+    const runsDir = join(root, ".jaiph", "runs");
+    const env: NodeJS.ProcessEnv = {
+      ...process.env,
+      JAIPH_TEST_MODE: "1",
+      JAIPH_RUNS_DIR: runsDir,
+    };
+    const runtime = new NodeWorkflowRuntime(graph, { env, cwd: root });
+    const runDir = runtime.getRunDir();
+    const artifactsDir = env.JAIPH_ARTIFACTS_DIR;
+
+    // JAIPH_ARTIFACTS_DIR is set and points at <runDir>/artifacts
+    assert.ok(artifactsDir, "JAIPH_ARTIFACTS_DIR should be set");
+    assert.equal(artifactsDir, join(runDir, "artifacts"));
+
+    // The directory exists before any workflow step runs
+    assert.ok(existsSync(artifactsDir!), "artifacts dir should exist on disk");
+
+    // It is writable
+    const probe = join(artifactsDir!, "probe.txt");
+    writeFileSync(probe, "test");
+    assert.equal(readFileSync(probe, "utf8"), "test");
+
+    runtime.stopHeartbeat();
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("NodeWorkflowRuntime: JAIPH_ARTIFACTS_DIR resolves under .jaiph/runs when JAIPH_RUNS_DIR is unset", async () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-node-wf-artifacts-default-"));
+  try {
+    const jh = join(root, "artifacts_default.jh");
+    writeFileSync(jh, 'workflow default() {\n  log "ok"\n}\n');
+
+    const graph = buildRuntimeGraph(jh);
+    const env: NodeJS.ProcessEnv = { ...process.env, JAIPH_TEST_MODE: "1" };
+    delete env.JAIPH_RUNS_DIR;
+    const runtime = new NodeWorkflowRuntime(graph, { env, cwd: root });
+    const artifactsDir = env.JAIPH_ARTIFACTS_DIR;
+
+    assert.ok(artifactsDir, "JAIPH_ARTIFACTS_DIR should be set");
+    assert.ok(artifactsDir!.includes(join(".jaiph", "runs")), "should be under .jaiph/runs");
+    assert.ok(artifactsDir!.endsWith("/artifacts"), "should end with /artifacts");
+    assert.ok(existsSync(artifactsDir!), "artifacts dir should exist");
+
+    runtime.stopHeartbeat();
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
 test("NodeWorkflowRuntime: heartbeat file created at construction, removed on stop", async () => {
   const root = mkdtempSync(join(tmpdir(), "jaiph-node-wf-heartbeat-"));
   try {
diff --git a/src/runtime/kernel/node-workflow-runtime.ts b/src/runtime/kernel/node-workflow-runtime.ts
index abc01561..8138127b 100644
--- a/src/runtime/kernel/node-workflow-runtime.ts
+++ b/src/runtime/kernel/node-workflow-runtime.ts
@@ -12,6 +12,7 @@ import { buildStepDisplayParamPairs } from "../../cli/commands/format-params.js"
 import { resolveRuleRef, resolveScriptRef, resolveWorkflowRef, type RuntimeGraph } from "./graph";
 import type { WorkflowMetadata } from "../../types";
 import { extractJson, validateFields } from "./schema";
+import { parseCallRef } from "../../parse/core";
 import {
   plainMultilineOrchestrationForRuntime,
   tripleQuotedRawForRuntime,
@@ -21,6 +22,14 @@ const MAX_EMBED = 1024 * 1024;
 const MAX_RECURSION_DEPTH = 256;
 type EnsureRecover = Extract<WorkflowStepDef, { type: "ensure" }>["recover"];
 
+const HANDLE_PREFIX = "__JAIPH_HANDLE__";
+
+type AsyncHandle = {
+  ref: string;
+  promise: Promise<StepResult>;
+  resolved?: StepResult;
+};
+
 /** Mock body definition: shell for script mocks, Jaiph steps for workflow/rule mocks. */
 export type MockBodyDef =
   | { kind: "shell"; body: string; params: string[] }
@@ -159,6 +168,124 @@ function parseArgsRaw(raw: string, vars: Map<string, string>, env?: NodeJS.Proce
   return out;
 }
 
+type ParsedArgToken =
+  | { kind: "literal"; value: string }
+  | { kind: "managed"; managedKind: "run" | "ensure"; ref: string; argsRaw: string }
+  | { kind: "managed_inline_script"; body: string; lang?: string; argsRaw: string };
+
+/** Try to parse `\`body\`(args)` from a string at a given position. */
+function parseInlineScriptAt(s: string): { body: string; argsRaw: string; consumed: number } | null {
+  const t = s.trimStart();
+  const skippedWs = s.length - t.length;
+  if (!t.startsWith("`")) return null;
+  const closeIdx = t.indexOf("`", 1);
+  if (closeIdx === -1) return null;
+  const body = t.slice(1, closeIdx);
+  const afterClose = t.slice(closeIdx + 1);
+  if (!afterClose.startsWith("(")) return null;
+  let depth = 1;
+  let i = 1;
+  let inQuote: string | null = null;
+  while (i < afterClose.length && depth > 0) {
+    const ch = afterClose[i];
+    if (inQuote) {
+      if (ch === inQuote && afterClose[i - 1] !== "\\") inQuote = null;
+    } else {
+      if (ch === '"' || ch === "'") inQuote = ch;
+      else if (ch === "(") depth++;
+      else if (ch === ")") depth--;
+    }
+    i++;
+  }
+  if (depth !== 0) return null;
+  const argsContent = afterClose.slice(1, i - 1).trim();
+  return { body, argsRaw: argsContent, consumed: skippedWs + closeIdx + 1 + i };
+}
+
+function parseManagedArgAt(raw: string, start: number): { token: ParsedArgToken; next: number } | null {
+  const tail = raw.slice(start);
+  const keyword = tail.startsWith("run ")
+    ? "run"
+    : tail.startsWith("ensure ")
+      ? "ensure"
+      : null;
+  if (!keyword) return null;
+  const afterKeyword = raw.slice(start + keyword.length).trimStart();
+  const skipped = raw.slice(start + keyword.length).length - afterKeyword.length;
+  const call = parseCallRef(afterKeyword);
+  if (call && (call.rest.length === 0 || /^\s/.test(call.rest))) {
+    const consumed = afterKeyword.length - call.rest.length;
+    return {
+      token: {
+        kind: "managed",
+        managedKind: keyword,
+        ref: call.ref,
+        argsRaw: call.args ?? "",
+      },
+      next: start + keyword.length + skipped + consumed,
+    };
+  }
+  // Try inline script form: run `body`(args)
+  if (keyword === "run") {
+    const inlineResult = parseInlineScriptAt(afterKeyword);
+    if (inlineResult) {
+      return {
+        token: {
+          kind: "managed_inline_script",
+          body: inlineResult.body,
+          argsRaw: inlineResult.argsRaw,
+        },
+        next: start + keyword.length + skipped + inlineResult.consumed,
+      };
+    }
+  }
+  return null;
+}
+
+function parseArgTokens(raw: string): ParsedArgToken[] {
+  if (!raw.trim()) return [];
+  const out: ParsedArgToken[] = [];
+  let i = 0;
+  while (i < raw.length) {
+    while (i < raw.length && /\s/.test(raw[i]!)) i += 1;
+    if (i >= raw.length) break;
+    const managed = parseManagedArgAt(raw, i);
+    if (managed) {
+      out.push(managed.token);
+      i = managed.next;
+      continue;
+    }
+    let cur = "";
+    let quote: "'" | '"' | null = null;
+    while (i < raw.length) {
+      const ch = raw[i]!;
+      if (quote) {
+        if (ch === quote) {
+          quote = null;
+        } else {
+          cur += ch;
+        }
+        i += 1;
+        continue;
+      }
+      if (ch === "'" || ch === '"') {
+        quote = ch;
+        i += 1;
+        continue;
+      }
+      if (/\s/.test(ch)) {
+        break;
+      }
+      cur += ch;
+      i += 1;
+    }
+    if (cur.length > 0) {
+      out.push({ kind: "literal", value: cur });
+    }
+  }
+  return out;
+}
+
 function stripOuterQuotes(value: string): string {
   if (value.length >= 2) {
     const first = value[0];
@@ -210,6 +337,8 @@ export class NodeWorkflowRuntime {
   private promptSeq = 0;
   private workflowCtxStack: WorkflowContext[] = [];
   private readonly mockBodies: Map<string, MockBodyDef>;
+  private handleRegistry = new Map<string, AsyncHandle>();
+  private handleIdCounter = 0;
 
   private getFrameStack(): Frame[] {
     return this.asyncFrameStack.getStore() ?? this.stack;
@@ -219,12 +348,61 @@ export class NodeWorkflowRuntime {
     return this.asyncIndicesStorage.getStore() ?? [];
   }
 
+  private createHandle(ref: string, promise: Promise<StepResult>): string {
+    this.handleIdCounter += 1;
+    const handleId = `${HANDLE_PREFIX}${this.handleIdCounter}`;
+    this.handleRegistry.set(handleId, { ref, promise });
+    return handleId;
+  }
+
+  private isHandle(value: string): boolean {
+    return value.startsWith(HANDLE_PREFIX);
+  }
+
+  /** Resolve a handle to its StepResult. Caches the result for subsequent reads. */
+  private async resolveHandleResult(handleId: string): Promise<StepResult> {
+    const handle = this.handleRegistry.get(handleId);
+    if (!handle) return { status: 1, output: "", error: "invalid handle" };
+    if (handle.resolved) return handle.resolved;
+    const result = await handle.promise;
+    handle.resolved = result;
+    return result;
+  }
+
+  /** Resolve a handle value to the string it represents. Updates scope var in place. */
+  private async resolveHandleVar(scope: Scope, varName: string): Promise<StepResult> {
+    const val = scope.vars.get(varName);
+    if (!val || !this.isHandle(val)) return { status: 0, output: "", error: "" };
+    const result = await this.resolveHandleResult(val);
+    if (result.status === 0) {
+      scope.vars.set(varName, result.returnValue ?? result.output.trim());
+    } else {
+      scope.vars.set(varName, "");
+    }
+    return result;
+  }
+
+  /** Scan input for ${var} references and resolve any that are handles. */
+  private async resolveHandlesInInput(scope: Scope, input: string): Promise<StepResult | null> {
+    const re = /\$\{([a-zA-Z_][a-zA-Z0-9_]*)/g;
+    let m: RegExpExecArray | null;
+    while ((m = re.exec(input)) !== null) {
+      const varName = m[1];
+      const val = scope.vars.get(varName);
+      if (val && this.isHandle(val)) {
+        const r = await this.resolveHandleVar(scope, varName);
+        if (r.status !== 0) return r;
+      }
+    }
+    return null;
+  }
+
   constructor(graph: RuntimeGraph, opts: { env?: NodeJS.ProcessEnv; cwd?: string; mockBodies?: Map<string, MockBodyDef> }) {
     this.graph = graph;
     this.env = opts.env ?? process.env;
     this.cwd = opts.cwd ?? process.cwd();
     this.mockBodies = opts.mockBodies ?? new Map();
-    this.runId = randomUUID();
+    this.runId = this.env.JAIPH_RUN_ID || randomUUID();
     const source = this.env.JAIPH_SOURCE_FILE ?? basename(graph.entryFile);
     const date = new Date();
     const datePart = `${date.getUTCFullYear()}-${String(date.getUTCMonth() + 1).padStart(2, "0")}-${String(date.getUTCDate()).padStart(2, "0")}`;
@@ -232,11 +410,14 @@ export class NodeWorkflowRuntime {
     const runsRoot = this.resolveRunsRoot();
     this.runDir = join(runsRoot, datePart, `${timePart}-${source}`);
     mkdirSync(this.runDir, { recursive: true });
+    const artifactsDir = join(this.runDir, "artifacts");
+    mkdirSync(artifactsDir, { recursive: true });
     this.summaryFile = join(this.runDir, "run_summary.jsonl");
     writeFileSync(this.summaryFile, "");
     this.env.JAIPH_RUN_SUMMARY_FILE = this.summaryFile;
     this.env.JAIPH_RUN_ID = this.runId;
     this.env.JAIPH_RUN_DIR = this.runDir;
+    this.env.JAIPH_ARTIFACTS_DIR = artifactsDir;
     this.startHeartbeat();
   }
 
@@ -291,6 +472,16 @@ export class NodeWorkflowRuntime {
       if (i < args.length) rootScope.vars.set(name, args[i]);
     });
     const result = await this.executeWorkflow(resolved.filePath, resolved.workflow.name, rootScope, args, false);
+    // Persist the workflow's return value so the CLI can print it after the run tree.
+    // Empty/undefined values are written as an empty file so the consumer can distinguish
+    // "ran with no return" from "no run happened".
+    if (result.status === 0 && result.returnValue !== undefined) {
+      try {
+        writeFileSync(join(this.runDir, "return_value.txt"), result.returnValue, "utf8");
+      } catch {
+        // Best-effort capture; the run succeeded regardless.
+      }
+    }
     this.emitWorkflow("WORKFLOW_END", "default");
     this.stopHeartbeat();
     return result.status;
@@ -366,11 +557,9 @@ export class NodeWorkflowRuntime {
   }
 
   private emitPromptStepStart(
-    promptText: string,
     backend: string,
     scopeVars: Map<string, string>,
     rawPromptSource: string,
-    declaredParamNames?: string[],
   ): PromptStepHandle {
     this.promptSeq += 1;
     this.stepSeq += 1;
@@ -383,7 +572,9 @@ export class NodeWorkflowRuntime {
     const errFile = join(this.runDir, `${String(seq).padStart(6, "0")}-${safe}.err`);
     writeFileSync(outFile, "");
     writeFileSync(errFile, "");
-    const preview = stripOuterQuotes(promptText).replace(/\s+/g, " ").trim();
+    // Preview keeps the authored `${var}` placeholders rather than substituted values,
+    // so the tree shows what the user wrote; concrete values live alongside in params.
+    const preview = stripOuterQuotes(rawPromptSource).replace(/\s+/g, " ").trim();
     const params: Array<[string, string]> = [["prompt_text", preview]];
     const seen = new Set<string>(["prompt_text"]);
     // Include named vars referenced in the prompt text.
@@ -397,17 +588,6 @@ export class NodeWorkflowRuntime {
         if (val.length > 0) params.push([name, val]);
       }
     }
-    if (declaredParamNames) {
-      for (const pn of declaredParamNames) {
-        if (!seen.has(pn)) {
-          const val = scopeVars.get(pn) ?? "";
-          if (val.length > 0) {
-            seen.add(pn);
-            params.push([pn, val]);
-          }
-        }
-      }
-    }
     this.emitStep({
       type: "STEP_START",
       func: "prompt",
@@ -600,6 +780,9 @@ export class NodeWorkflowRuntime {
     input: string,
     scope: Scope,
   ): Promise<{ ok: true; value: string } | { ok: false; result: StepResult }> {
+    // Resolve any handle-valued vars referenced in the input before interpolating.
+    const handleErr = await this.resolveHandlesInInput(scope, input);
+    if (handleErr) return { ok: false, result: handleErr };
     const re = new RegExp(NodeWorkflowRuntime.INLINE_CAPTURE_RE.source, "g");
     if (!re.test(input)) {
       return { ok: true, value: interpolate(input, scope.vars, scope.env) };
@@ -626,6 +809,12 @@ export class NodeWorkflowRuntime {
     scope: Scope,
     expr: MatchExprDef,
   ): Promise<{ ok: true; value: string } | { ok: false; result: StepResult }> {
+    // Resolve handle if the subject variable is a handle.
+    const rawSubject = scope.vars.get(expr.subject);
+    if (rawSubject && this.isHandle(rawSubject)) {
+      const hr = await this.resolveHandleVar(scope, expr.subject);
+      if (hr.status !== 0) return { ok: false, result: hr };
+    }
     // Subject is a bare identifier — resolve against scope variables
     const subject = scope.vars.get(expr.subject) ?? scope.env?.[expr.subject] ?? "";
     for (const arm of expr.arms) {
@@ -667,6 +856,13 @@ export class NodeWorkflowRuntime {
           return { ok: true, value: result.returnValue ?? result.output.trim() };
         }
 
+        // Bare in-scope identifier (e.g. `=> name_arg`) — sugar for `=> "${name_arg}"`.
+        // Validator already ensures the identifier is in scope; runtime mirrors `return val`.
+        const bareIdent = body.match(/^([A-Za-z_][A-Za-z0-9_]*)\s*$/);
+        if (bareIdent && (scope.vars.has(bareIdent[1]!) || scope.env?.[bareIdent[1]!] !== undefined)) {
+          return { ok: true, value: scope.vars.get(bareIdent[1]!) ?? scope.env?.[bareIdent[1]!] ?? "" };
+        }
+
         // Default: string expression
         const bodyIr = await this.interpolateWithCaptures(body, scope);
         if (!bodyIr.ok) return bodyIr;
@@ -681,11 +877,23 @@ export class NodeWorkflowRuntime {
     let accOut = "";
     let accErr = "";
     let returnValue: string | undefined;
-    const pendingAsync: Array<{ ref: string; promise: Promise<StepResult> }> = [];
+    /** Handle IDs created by `run async` in this scope (for implicit join at exit). */
+    const localHandleIds: string[] = [];
     let asyncCounter = 0;
     for (const step of steps) {
       if (step.type === "comment" || step.type === "blank_line") continue;
       if (step.type === "log") {
+        if (step.managed?.kind === "run_inline_script") {
+          const shebang = step.managed.lang ? `#!/usr/bin/env ${step.managed.lang}` : undefined;
+          const result = await this.executeInlineScript(scope, step.managed.body, shebang, step.managed.args ?? "");
+          if (result.status !== 0) return this.mergeStepResult(accOut, accErr, result);
+          const message = result.returnValue ?? result.output.trim();
+          this.emitLog("LOG", message);
+          const chunk = `${message}\n`;
+          accOut += chunk;
+          io?.appendOut(chunk);
+          continue;
+        }
         const logMsg = step.tripleQuoted ? plainMultilineOrchestrationForRuntime(step.message) : step.message;
         const logIr = await this.interpolateWithCaptures(logMsg, scope);
         if (!logIr.ok) return this.mergeStepResult(accOut, accErr, logIr.result);
@@ -697,6 +905,17 @@ export class NodeWorkflowRuntime {
         continue;
       }
       if (step.type === "logerr") {
+        if (step.managed?.kind === "run_inline_script") {
+          const shebang = step.managed.lang ? `#!/usr/bin/env ${step.managed.lang}` : undefined;
+          const result = await this.executeInlineScript(scope, step.managed.body, shebang, step.managed.args ?? "");
+          if (result.status !== 0) return this.mergeStepResult(accOut, accErr, result);
+          const message = result.returnValue ?? result.output.trim();
+          this.emitLog("LOGERR", message);
+          const chunk = `${message}\n`;
+          accErr += chunk;
+          io?.appendErr(chunk);
+          continue;
+        }
         const logerrMsg = step.tripleQuoted ? plainMultilineOrchestrationForRuntime(step.message) : step.message;
         const logErrIr = await this.interpolateWithCaptures(logerrMsg, scope);
         if (!logErrIr.ok) return this.mergeStepResult(accOut, accErr, logErrIr.result);
@@ -729,6 +948,13 @@ export class NodeWorkflowRuntime {
             returnValue = matchResult.value;
             return this.mergeStepResult(accOut, accErr, { status: 0, output: "", error: "", returnValue });
           }
+          if (step.managed.kind === "run_inline_script") {
+            const shebang = step.managed.lang ? `#!/usr/bin/env ${step.managed.lang}` : undefined;
+            const result = await this.executeInlineScript(scope, step.managed.body, shebang, step.managed.args ?? "");
+            if (result.status !== 0) return this.mergeStepResult(accOut, accErr, result);
+            returnValue = result.returnValue ?? result.output.trim();
+            return this.mergeStepResult(accOut, accErr, { status: 0, output: "", error: "", returnValue });
+          }
           const result = step.managed.kind === "run"
             ? await this.executeRunRef(scope, step.managed.ref.value, step.managed.args ?? "")
             : await this.executeEnsureRef(scope, step.managed.ref.value, step.managed.args ?? "", undefined);
@@ -758,8 +984,10 @@ export class NodeWorkflowRuntime {
             step.rhs.tripleQuoted ? tripleQuotedRawForRuntime(step.rhs.token) : step.rhs.token;
           const sendIr = await this.interpolateWithCaptures(sendTok, scope);
           if (!sendIr.ok) return this.mergeStepResult(accOut, accErr, sendIr.result);
-          payload = sendIr.value;
+          payload = stripOuterQuotes(sendIr.value);
         } else if (step.rhs.kind === "var") {
+          const sendHandleErr = await this.resolveHandlesInInput(scope, step.rhs.bash);
+          if (sendHandleErr) return this.mergeStepResult(accOut, accErr, sendHandleErr);
           payload = interpolate(step.rhs.bash, scope.vars, scope.env);
         } else if (step.rhs.kind === "run") {
           const runValue = await this.executeRunRef(scope, step.rhs.ref.value, step.rhs.args ?? "");
@@ -817,7 +1045,7 @@ export class NodeWorkflowRuntime {
         const backend = promptConfig.backend || "cursor";
         const stepName = resolvePromptStepName(promptConfig);
         const modelRes = resolveModel(promptConfig);
-        const promptStep = this.emitPromptStepStart(promptText, stepName, scope.vars, step.raw, scope.declaredParamNames);
+        const promptStep = this.emitPromptStepStart(stepName, scope.vars, step.raw);
         this.emitPromptEvent("PROMPT_START", {
           backend,
           model: modelRes.model || undefined,
@@ -903,7 +1131,24 @@ export class NodeWorkflowRuntime {
           continue;
         }
         if (step.value.kind === "run_capture") {
-          const runResult = await this.executeRunRef(scope, step.value.ref.value, step.value.args ?? "");
+          const captureRef = step.value.ref.value;
+          const captureArgs = step.value.args ?? "";
+          if (step.value.async) {
+            // Async capture: create handle, store in scope, register for join.
+            asyncCounter += 1;
+            const branchStack = [...this.getFrameStack()];
+            const branchIndices = [...this.getAsyncIndices(), asyncCounter];
+            const promise = this.asyncFrameStack.run(branchStack, () =>
+              this.asyncIndicesStorage.run(branchIndices, () =>
+                this.executeRunRef(scope, captureRef, captureArgs),
+              ),
+            );
+            const handleId = this.createHandle(captureRef, promise);
+            localHandleIds.push(handleId);
+            scope.vars.set(step.name, handleId);
+            continue;
+          }
+          const runResult = await this.executeRunRef(scope, captureRef, captureArgs);
           if (runResult.status !== 0) return this.mergeStepResult(accOut, accErr, runResult);
           scope.vars.set(step.name, runResult.returnValue ?? runResult.output.trim());
           continue;
@@ -940,11 +1185,9 @@ export class NodeWorkflowRuntime {
           const stepName = resolvePromptStepName(promptConfig);
           const modelRes = resolveModel(promptConfig);
           const promptStep = this.emitPromptStepStart(
-            promptText,
             stepName,
             scope.vars,
             step.value.raw,
-            scope.declaredParamNames,
           );
           this.emitPromptEvent("PROMPT_START", {
             backend,
@@ -1017,12 +1260,76 @@ export class NodeWorkflowRuntime {
           asyncCounter += 1;
           const branchStack = [...this.getFrameStack()];
           const branchIndices = [...this.getAsyncIndices(), asyncCounter];
-          const promise = this.asyncFrameStack.run(branchStack, () =>
-            this.asyncIndicesStorage.run(branchIndices, () =>
-              this.executeRunRef(scope, step.workflow.value, step.args ?? ""),
-            ),
-          );
-          pendingAsync.push({ ref: step.workflow.value, promise });
+          let promise: Promise<StepResult>;
+          if (step.recoverLoop) {
+            // Async + recover loop: wrap retry logic in a single promise.
+            const recoverLimit = this.resolveRecoverLimit(scope.filePath);
+            const loopSteps = "single" in step.recoverLoop ? [step.recoverLoop.single] : step.recoverLoop.block;
+            const recoverBindings = step.recoverLoop.bindings;
+            promise = this.asyncFrameStack.run(branchStack, () =>
+              this.asyncIndicesStorage.run(branchIndices, async () => {
+                let lastResult = await this.executeRunRef(scope, step.workflow.value, step.args ?? "");
+                let attempt = 1;
+                while (lastResult.status !== 0 && attempt <= recoverLimit) {
+                  const loopVars = new Map(scope.vars);
+                  loopVars.set(recoverBindings.failure, `${lastResult.output}${lastResult.error}`);
+                  const rr = await this.executeSteps({ ...scope, vars: loopVars }, loopSteps);
+                  if (rr.status !== 0 || rr.returnValue !== undefined) return rr;
+                  lastResult = await this.executeRunRef(scope, step.workflow.value, step.args ?? "");
+                  attempt += 1;
+                }
+                return lastResult;
+              }),
+            );
+          } else if (step.recover) {
+            // Async + catch: single-shot recovery in the async branch.
+            const recoverSteps = "single" in step.recover ? [step.recover.single] : step.recover.block;
+            const recoverBindings = step.recover.bindings;
+            promise = this.asyncFrameStack.run(branchStack, () =>
+              this.asyncIndicesStorage.run(branchIndices, async () => {
+                const result = await this.executeRunRef(scope, step.workflow.value, step.args ?? "");
+                if (result.status === 0) return result;
+                const recoverVars = new Map(scope.vars);
+                recoverVars.set(recoverBindings.failure, `${result.output}${result.error}`);
+                const rr = await this.executeSteps({ ...scope, vars: recoverVars }, recoverSteps);
+                if (rr.status !== 0 || rr.returnValue !== undefined) return rr;
+                return { status: 0, output: result.output, error: result.error };
+              }),
+            );
+          } else {
+            promise = this.asyncFrameStack.run(branchStack, () =>
+              this.asyncIndicesStorage.run(branchIndices, () =>
+                this.executeRunRef(scope, step.workflow.value, step.args ?? ""),
+              ),
+            );
+          }
+          const handleId = this.createHandle(step.workflow.value, promise);
+          localHandleIds.push(handleId);
+          if (step.captureName) {
+            scope.vars.set(step.captureName, handleId);
+          }
+          continue;
+        }
+        if (step.recoverLoop) {
+          const limit = this.resolveRecoverLimit(scope.filePath);
+          const loopSteps = "single" in step.recoverLoop ? [step.recoverLoop.single] : step.recoverLoop.block;
+          let lastResult = await this.executeRunRef(scope, step.workflow.value, step.args ?? "");
+          let attempt = 1;
+          while (lastResult.status !== 0 && attempt <= limit) {
+            const loopVars = new Map(scope.vars);
+            loopVars.set(step.recoverLoop.bindings.failure, `${lastResult.output}${lastResult.error}`);
+            const rr = await this.executeSteps({ ...scope, vars: loopVars }, loopSteps);
+            if (rr.status !== 0 || rr.returnValue !== undefined) return this.mergeStepResult(accOut, accErr, rr);
+            lastResult = await this.executeRunRef(scope, step.workflow.value, step.args ?? "");
+            attempt += 1;
+          }
+          if (lastResult.status === 0) {
+            if (step.captureName) {
+              scope.vars.set(step.captureName, lastResult.returnValue ?? lastResult.output.trim());
+            }
+          } else {
+            return this.mergeStepResult(accOut, accErr, lastResult);
+          }
           continue;
         }
         const runResult = await this.executeRunRef(scope, step.workflow.value, step.args ?? "");
@@ -1061,6 +1368,12 @@ export class NodeWorkflowRuntime {
         continue;
       }
       if (step.type === "if") {
+        // Resolve handle if the subject variable is a handle.
+        const rawSubject = scope.vars.get(step.subject);
+        if (rawSubject && this.isHandle(rawSubject)) {
+          const hr = await this.resolveHandleVar(scope, step.subject);
+          if (hr.status !== 0) return this.mergeStepResult(accOut, accErr, hr);
+        }
         const subjectVal = scope.vars.get(step.subject) ?? scope.env?.[step.subject] ?? "";
         let condMet = false;
         if (step.operator === "==" && step.operand.kind === "string_literal") {
@@ -1089,20 +1402,34 @@ export class NodeWorkflowRuntime {
         continue;
       }
     }
-    // Implicit join: await all pending async steps before returning.
-    if (pendingAsync.length > 0) {
-      const settled = await Promise.allSettled(pendingAsync.map((p) => p.promise));
+    // Implicit join: await all unresolved handles created in this scope before returning.
+    if (localHandleIds.length > 0) {
       const failures: string[] = [];
-      for (let i = 0; i < settled.length; i += 1) {
-        const r = settled[i]!;
-        if (r.status === "rejected") {
-          failures.push(`run async ${pendingAsync[i]!.ref}: ${String(r.reason)}`);
-        } else if (r.value.status !== 0) {
-          failures.push(`run async ${pendingAsync[i]!.ref}: ${r.value.error}`);
-          accOut += r.value.output;
-          accErr += r.value.error;
-        } else {
-          accOut += r.value.output;
+      for (const handleId of localHandleIds) {
+        const handle = this.handleRegistry.get(handleId);
+        if (!handle) continue;
+        if (handle.resolved) {
+          // Already resolved (via a read earlier) — just check status.
+          if (handle.resolved.status !== 0) {
+            failures.push(`run async ${handle.ref}: ${handle.resolved.error}`);
+            accOut += handle.resolved.output;
+            accErr += handle.resolved.error;
+          } else {
+            accOut += handle.resolved.output;
+          }
+          continue;
+        }
+        try {
+          const result = await this.resolveHandleResult(handleId);
+          if (result.status !== 0) {
+            failures.push(`run async ${handle.ref}: ${result.error}`);
+            accOut += result.output;
+            accErr += result.error;
+          } else {
+            accOut += result.output;
+          }
+        } catch (err) {
+          failures.push(`run async ${handle.ref}: ${String(err)}`);
         }
       }
       if (failures.length > 0) {
@@ -1223,8 +1550,58 @@ export class NodeWorkflowRuntime {
     return `${filePath}::${name}`;
   }
 
+  /** Synchronous fast-path: resolve args when every token is a plain literal and no handles. */
+  private resolveArgsRawSync(scope: Scope, raw: string | string[]): string[] | null {
+    if (Array.isArray(raw)) return raw;
+    const tokens = parseArgTokens(raw);
+    for (const token of tokens) {
+      if (token.kind !== "literal") return null;
+      // Bail to async path if any referenced var is a handle.
+      const varRe = /\$\{([a-zA-Z_][a-zA-Z0-9_]*)/g;
+      let vm: RegExpExecArray | null;
+      while ((vm = varRe.exec(token.value)) !== null) {
+        const val = scope.vars.get(vm[1]);
+        if (val && this.isHandle(val)) return null;
+      }
+    }
+    return tokens.map((t) => interpolate((t as { kind: "literal"; value: string }).value, scope.vars, scope.env));
+  }
+
+  private async resolveArgsRaw(scope: Scope, raw: string | string[]): Promise<string[] | StepResult> {
+    if (Array.isArray(raw)) {
+      return raw;
+    }
+    const tokens = parseArgTokens(raw);
+    const resolved: string[] = [];
+    for (const token of tokens) {
+      if (token.kind === "literal") {
+        // Resolve handles before interpolating.
+        const handleErr = await this.resolveHandlesInInput(scope, token.value);
+        if (handleErr) return handleErr;
+        resolved.push(interpolate(token.value, scope.vars, scope.env));
+        continue;
+      }
+      if (token.kind === "managed_inline_script") {
+        const result = await this.executeInlineScript(scope, token.body, undefined, token.argsRaw);
+        if (result.status !== 0) return result;
+        resolved.push(result.returnValue ?? result.output.trim());
+        continue;
+      }
+      const result = token.managedKind === "run"
+        ? await this.executeRunRef(scope, token.ref, token.argsRaw)
+        : await this.executeEnsureRef(scope, token.ref, token.argsRaw, undefined);
+      if (result.status !== 0) {
+        return result;
+      }
+      resolved.push(result.returnValue ?? result.output.trim());
+    }
+    return resolved;
+  }
+
   private async executeRunRef(scope: Scope, ref: string, argsRaw: string | string[]): Promise<StepResult> {
-    const args = Array.isArray(argsRaw) ? argsRaw : parseArgsRaw(argsRaw, scope.vars, scope.env);
+    const resolvedArgs = this.resolveArgsRawSync(scope, argsRaw) ?? await this.resolveArgsRaw(scope, argsRaw);
+    if (!Array.isArray(resolvedArgs)) return resolvedArgs;
+    const args = resolvedArgs;
     const resolvedWorkflow = resolveWorkflowRef(this.graph, scope.filePath, { value: ref, loc: { line: 1, col: 1 } });
     if (resolvedWorkflow) {
       const mk = this.mockKey(resolvedWorkflow.filePath, resolvedWorkflow.workflow.name);
@@ -1263,7 +1640,9 @@ export class NodeWorkflowRuntime {
     argsRaw: string,
     recover: EnsureRecover | undefined,
   ): Promise<StepResult> {
-    const args = parseArgsRaw(argsRaw, scope.vars, scope.env);
+    const resolvedArgs = await this.resolveArgsRaw(scope, argsRaw);
+    if (!Array.isArray(resolvedArgs)) return resolvedArgs;
+    const args = resolvedArgs;
     const attempt = async (): Promise<StepResult> => {
       const resolvedRule = resolveRuleRef(this.graph, scope.filePath, { value: ref, loc: { line: 1, col: 1 } });
       if (!resolvedRule) return { status: 1, output: "", error: `Unknown ensure target: ${ref}` };
@@ -1353,7 +1732,9 @@ export class NodeWorkflowRuntime {
     shebang: string | undefined,
     argsRaw: string,
   ): Promise<StepResult> {
-    const args = parseArgsRaw(argsRaw, scope.vars, scope.env);
+    const resolvedArgs = await this.resolveArgsRaw(scope, argsRaw);
+    if (!Array.isArray(resolvedArgs)) return resolvedArgs;
+    const args = resolvedArgs;
     const scriptName = inlineScriptName(body, shebang);
     return this.executeManagedStep(
       "script",
@@ -1417,6 +1798,11 @@ export class NodeWorkflowRuntime {
     return nextEnv;
   }
 
+  private resolveRecoverLimit(filePath: string): number {
+    const moduleMeta = this.graph.modules.get(filePath)?.ast.metadata;
+    return moduleMeta?.run?.recoverLimit ?? 10;
+  }
+
   private async executeManagedStep(
     kind: "workflow" | "rule" | "script",
     name: string,
diff --git a/src/transpile/compiler-golden.test.ts b/src/transpile/compiler-golden.test.ts
index e569f5ab..99e52b5e 100644
--- a/src/transpile/compiler-golden.test.ts
+++ b/src/transpile/compiler-golden.test.ts
@@ -252,7 +252,7 @@ test("parser: duplicate config block throws E_PARSE", () => {
 test("parser: config integer value parses as number", () => {
   const source = [
     "config {",
-    "  runtime.docker_timeout = 300",
+    "  runtime.docker_timeout_seconds = 300",
     "}",
     "workflow default() {",
     "  log \"ok\"",
@@ -260,14 +260,14 @@ test("parser: config integer value parses as number", () => {
   ].join("\n");
   const mod = parsejaiph(source, "/fake/entry.jh");
   assert.ok(mod.metadata);
-  assert.strictEqual(mod.metadata!.runtime?.dockerTimeout, 300);
-  assert.strictEqual(typeof mod.metadata!.runtime?.dockerTimeout, "number");
+  assert.strictEqual(mod.metadata!.runtime?.dockerTimeoutSeconds, 300);
+  assert.strictEqual(typeof mod.metadata!.runtime?.dockerTimeoutSeconds, "number");
 });
 
 test("parser: config integer key rejects string value with E_PARSE", () => {
   const source = [
     "config {",
-    '  runtime.docker_timeout = "fast"',
+    '  runtime.docker_timeout_seconds = "fast"',
     "}",
     "workflow default() {",
     "  log \"ok\"",
@@ -275,11 +275,11 @@ test("parser: config integer key rejects string value with E_PARSE", () => {
   ].join("\n");
   assert.throws(
     () => parsejaiph(source, "/fake/entry.jh"),
-    /runtime\.docker_timeout must be an integer/,
+    /runtime\.docker_timeout_seconds must be an integer/,
   );
 });
 
-test("parser: config array value parses multi-line array", () => {
+test("parser: runtime.workspace produces E_PARSE (no longer supported)", () => {
   const source = [
     "config {",
     "  runtime.workspace = [",
@@ -291,52 +291,49 @@ test("parser: config array value parses multi-line array", () => {
     "  log \"ok\"",
     "}",
   ].join("\n");
-  const mod = parsejaiph(source, "/fake/entry.jh");
-  assert.ok(mod.metadata);
-  assert.deepStrictEqual(mod.metadata!.runtime?.workspace, [
-    ".:/jaiph/workspace:rw",
-    "config:config:ro",
-  ]);
+  assert.throws(
+    () => parsejaiph(source, "/fake/entry.jh"),
+    /runtime\.workspace is no longer supported/,
+  );
 });
 
-test("parser: config empty array parses as empty string[]", () => {
+test("parser: runtime.workspace with scalar value also produces E_PARSE", () => {
   const source = [
     "config {",
-    "  runtime.workspace = []",
+    '  runtime.workspace = "not-an-array"',
     "}",
     "workflow default() {",
     "  log \"ok\"",
     "}",
   ].join("\n");
-  const mod = parsejaiph(source, "/fake/entry.jh");
-  assert.ok(mod.metadata);
-  assert.deepStrictEqual(mod.metadata!.runtime?.workspace, []);
+  assert.throws(
+    () => parsejaiph(source, "/fake/entry.jh"),
+    /runtime\.workspace is no longer supported/,
+  );
 });
 
-test("parser: config array with trailing commas and comments", () => {
+test("parser: all runtime config keys are accepted (docker_enabled removed)", () => {
   const source = [
     "config {",
-    "  runtime.workspace = [",
-    '    ".:/jaiph/workspace:rw",  # main workspace',
-    '    "config:config:ro",',
-    "    # another comment",
-    "  ]",
+    '  runtime.docker_image = "ubuntu:24.04"',
+    '  runtime.docker_network = "host"',
+    "  runtime.docker_timeout_seconds = 600",
     "}",
     "workflow default() {",
     "  log \"ok\"",
     "}",
   ].join("\n");
   const mod = parsejaiph(source, "/fake/entry.jh");
-  assert.deepStrictEqual(mod.metadata!.runtime?.workspace, [
-    ".:/jaiph/workspace:rw",
-    "config:config:ro",
-  ]);
+  assert.ok(mod.metadata?.runtime);
+  assert.strictEqual(mod.metadata!.runtime!.dockerImage, "ubuntu:24.04");
+  assert.strictEqual(mod.metadata!.runtime!.dockerNetwork, "host");
+  assert.strictEqual(mod.metadata!.runtime!.dockerTimeoutSeconds, 600);
 });
 
-test("parser: config array key rejects non-array value with E_PARSE", () => {
+test("parser: runtime.docker_enabled produces E_PARSE with helpful message", () => {
   const source = [
     "config {",
-    '  runtime.workspace = "not-an-array"',
+    "  runtime.docker_enabled = true",
     "}",
     "workflow default() {",
     "  log \"ok\"",
@@ -344,34 +341,10 @@ test("parser: config array key rejects non-array value with E_PARSE", () => {
   ].join("\n");
   assert.throws(
     () => parsejaiph(source, "/fake/entry.jh"),
-    /runtime\.workspace must be an array of strings/,
+    /runtime\.docker_enabled is no longer supported/,
   );
 });
 
-test("parser: all runtime config keys are accepted", () => {
-  const source = [
-    "config {",
-    "  runtime.docker_enabled = true",
-    '  runtime.docker_image = "ubuntu:24.04"',
-    '  runtime.docker_network = "host"',
-    "  runtime.docker_timeout = 600",
-    "  runtime.workspace = [",
-    '    ".:/jaiph/workspace:rw"',
-    "  ]",
-    "}",
-    "workflow default() {",
-    "  log \"ok\"",
-    "}",
-  ].join("\n");
-  const mod = parsejaiph(source, "/fake/entry.jh");
-  assert.ok(mod.metadata?.runtime);
-  assert.strictEqual(mod.metadata!.runtime!.dockerEnabled, true);
-  assert.strictEqual(mod.metadata!.runtime!.dockerImage, "ubuntu:24.04");
-  assert.strictEqual(mod.metadata!.runtime!.dockerNetwork, "host");
-  assert.strictEqual(mod.metadata!.runtime!.dockerTimeout, 600);
-  assert.deepStrictEqual(mod.metadata!.runtime!.workspace, [".:/jaiph/workspace:rw"]);
-});
-
 test("parser: unknown runtime key throws E_PARSE", () => {
   const source = [
     "config {",
diff --git a/src/transpile/emit-script.ts b/src/transpile/emit-script.ts
index c86047a9..ea5792ce 100644
--- a/src/transpile/emit-script.ts
+++ b/src/transpile/emit-script.ts
@@ -82,6 +82,12 @@ function collectInlineScripts(
     } else if (s.type === "const" && s.value.kind === "run_inline_script_capture") {
       const shebang = s.value.lang ? langToShebang(s.value.lang) : undefined;
       emitInlineScriptArtifact(s.value.body, shebang, seen, out);
+    } else if (s.type === "return" && s.managed?.kind === "run_inline_script") {
+      const shebang = s.managed.lang ? langToShebang(s.managed.lang) : undefined;
+      emitInlineScriptArtifact(s.managed.body, shebang, seen, out);
+    } else if ((s.type === "log" || s.type === "logerr") && s.managed?.kind === "run_inline_script") {
+      const shebang = s.managed.lang ? langToShebang(s.managed.lang) : undefined;
+      emitInlineScriptArtifact(s.managed.body, shebang, seen, out);
     } else if ((s.type === "ensure" || s.type === "run") && s.recover) {
       const recoverSteps = "single" in s.recover ? [s.recover.single] : s.recover.block;
       collectInlineScripts(recoverSteps, seen, out);
diff --git a/src/transpile/validate-immutable-bindings.test.ts b/src/transpile/validate-immutable-bindings.test.ts
new file mode 100644
index 00000000..2bbcc50d
--- /dev/null
+++ b/src/transpile/validate-immutable-bindings.test.ts
@@ -0,0 +1,172 @@
+import test from "node:test";
+import assert from "node:assert/strict";
+import { mkdtempSync, rmSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+import { tmpdir } from "node:os";
+import { buildScripts } from "../transpiler";
+
+test("E_VALIDATE: const rebinding a workflow parameter is rejected", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-val-immut-"));
+  try {
+    writeFileSync(
+      join(root, "m.jh"),
+      [
+        "workflow default(name_arg) {",
+        '  const name_arg = "rebind"',
+        '  return "${name_arg}"',
+        "}",
+        "",
+      ].join("\n"),
+    );
+    assert.throws(
+      () => buildScripts(join(root, "m.jh"), join(root, "out")),
+      /cannot rebind immutable name "name_arg".*parameter/,
+    );
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("E_VALIDATE: const rebinding a rule parameter is rejected", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-val-immut-rule-"));
+  try {
+    writeFileSync(
+      join(root, "m.jh"),
+      [
+        "rule check(x) {",
+        '  const x = "rebind"',
+        '  return "${x}"',
+        "}",
+        "workflow default() {",
+        '  ensure check("ok")',
+        "}",
+        "",
+      ].join("\n"),
+    );
+    assert.throws(
+      () => buildScripts(join(root, "m.jh"), join(root, "out")),
+      /cannot rebind immutable name "x".*parameter/,
+    );
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("E_VALIDATE: duplicate const declarations in the same scope are rejected", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-val-immut-dup-"));
+  try {
+    writeFileSync(
+      join(root, "m.jh"),
+      [
+        "workflow default() {",
+        '  const x = "first"',
+        '  const x = "second"',
+        '  return "${x}"',
+        "}",
+        "",
+      ].join("\n"),
+    );
+    assert.throws(
+      () => buildScripts(join(root, "m.jh"), join(root, "out")),
+      /cannot rebind immutable name "x".*const/,
+    );
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("E_PARSE: script name colliding with top-level const is rejected at parse time", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-val-immut-script-"));
+  try {
+    writeFileSync(
+      join(root, "m.jh"),
+      [
+        'const greet = "hello"',
+        "",
+        "script greet = `echo hi`",
+        "",
+        "workflow default() {",
+        '  return "${greet}"',
+        "}",
+        "",
+      ].join("\n"),
+    );
+    assert.throws(
+      () => buildScripts(join(root, "m.jh"), join(root, "out")),
+      /duplicate name "greet"/,
+    );
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("E_PARSE: duplicate script declarations are rejected at parse time", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-val-immut-dup-script-"));
+  try {
+    writeFileSync(
+      join(root, "m.jh"),
+      [
+        "script greet = `echo hi`",
+        "",
+        "script greet = `echo hello`",
+        "",
+        "workflow default() {",
+        "  run greet()",
+        "}",
+        "",
+      ].join("\n"),
+    );
+    assert.throws(
+      () => buildScripts(join(root, "m.jh"), join(root, "out")),
+      /duplicate name "greet"/,
+    );
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("E_VALIDATE: const rebinding parameter via ensure is rejected", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-val-immut-ensure-"));
+  try {
+    writeFileSync(
+      join(root, "m.jh"),
+      [
+        "rule valid(v) {",
+        '  return "${v}"',
+        "}",
+        "workflow default(name_arg) {",
+        "  const name_arg = ensure valid(name_arg)",
+        '  return "${name_arg}"',
+        "}",
+        "",
+      ].join("\n"),
+    );
+    assert.throws(
+      () => buildScripts(join(root, "m.jh"), join(root, "out")),
+      /cannot rebind immutable name "name_arg".*parameter/,
+    );
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("valid: distinct param and const names compile successfully", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-val-immut-ok-"));
+  try {
+    writeFileSync(
+      join(root, "m.jh"),
+      [
+        "workflow default(input) {",
+        '  const result = "processed ${input}"',
+        '  return "${result}"',
+        "}",
+        "",
+      ].join("\n"),
+    );
+    assert.doesNotThrow(
+      () => buildScripts(join(root, "m.jh"), join(root, "out")),
+    );
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
diff --git a/src/transpile/validate-managed-calls.test.ts b/src/transpile/validate-managed-calls.test.ts
index 828a4890..baf91ec6 100644
--- a/src/transpile/validate-managed-calls.test.ts
+++ b/src/transpile/validate-managed-calls.test.ts
@@ -184,6 +184,29 @@ test("bare identifier arg: unknown name fails E_VALIDATE", () => {
   }
 });
 
+test("E_VALIDATE: nested call-like arg requires explicit run or ensure", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-val-nested-call-"));
+  try {
+    writeFileSync(
+      join(root, "m.jh"),
+      [
+        'script mkdir_p_simple = `mkdir -p "$1"`',
+        'script jaiph_tmp_dir = `printf "%s\\n" "$JAIPH_WORKSPACE/.jaiph/tmp"`',
+        "workflow default() {",
+        "  run mkdir_p_simple(jaiph_tmp_dir())",
+        "}",
+        "",
+      ].join("\n"),
+    );
+    assert.throws(
+      () => buildScripts(join(root, "m.jh"), join(root, "out")),
+      /nested managed calls in argument position must be explicit/,
+    );
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
 test("bare identifier arg: capture variable passes validation", () => {
   const root = mkdtempSync(join(tmpdir(), "jaiph-val-bare-cap-"));
   const out = join(root, "out");
@@ -441,3 +464,160 @@ test("E_VALIDATE: ${arg1} in log is unknown identifier", () => {
     rmSync(root, { recursive: true, force: true });
   }
 });
+
+// --- Explicit nested managed call tests ---
+
+test("buildScripts accepts run foo(run bar()) — explicit nested managed call", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-val-nested-run-run-"));
+  const out = join(root, "out");
+  try {
+    writeFileSync(
+      join(root, "m.jh"),
+      [
+        'script mkdir_p_simple = `mkdir -p "$1"`',
+        'script jaiph_tmp_dir = `printf "%s\\n" "/tmp/jaiph"`',
+        "workflow default() {",
+        "  run mkdir_p_simple(run jaiph_tmp_dir())",
+        "}",
+        "",
+      ].join("\n"),
+    );
+    buildScripts(join(root, "m.jh"), out);
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("buildScripts accepts run foo(ensure rule_bar()) — explicit nested ensure", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-val-nested-run-ensure-"));
+  const out = join(root, "out");
+  try {
+    writeFileSync(
+      join(root, "m.jh"),
+      [
+        'script do_work = `echo "$1"`',
+        "rule check_ok() {",
+        '  run do_work("ok")',
+        "}",
+        "workflow default() {",
+        "  run do_work(ensure check_ok())",
+        "}",
+        "",
+      ].join("\n"),
+    );
+    buildScripts(join(root, "m.jh"), out);
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("buildScripts accepts run foo(run `echo aaa`()) — explicit nested inline script", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-val-nested-run-inline-"));
+  const out = join(root, "out");
+  try {
+    writeFileSync(
+      join(root, "m.jh"),
+      [
+        'script do_work = `echo "$1"`',
+        "workflow default() {",
+        "  run do_work(run `echo aaa`())",
+        "}",
+        "",
+      ].join("\n"),
+    );
+    buildScripts(join(root, "m.jh"), out);
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("buildScripts accepts const x = run bar() followed by run foo(x)", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-val-capture-then-pass-"));
+  const out = join(root, "out");
+  try {
+    writeFileSync(
+      join(root, "m.jh"),
+      [
+        'script bar = `echo "hello"`',
+        'script foo = `echo "$1"`',
+        "workflow default() {",
+        "  const x = run bar()",
+        "  run foo(x)",
+        "}",
+        "",
+      ].join("\n"),
+    );
+    buildScripts(join(root, "m.jh"), out);
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("E_VALIDATE: run foo(rule_bar()) — bare rule call in args is rejected", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-val-nested-bare-rule-"));
+  try {
+    writeFileSync(
+      join(root, "m.jh"),
+      [
+        'script do_work = `echo "$1"`',
+        "rule rule_bar() {",
+        '  run do_work("ok")',
+        "}",
+        "workflow default() {",
+        "  run do_work(rule_bar())",
+        "}",
+        "",
+      ].join("\n"),
+    );
+    assert.throws(
+      () => buildScripts(join(root, "m.jh"), join(root, "out")),
+      /nested managed calls in argument position must be explicit/,
+    );
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("E_VALIDATE: run foo(`echo aaa`()) — bare inline script call in args is rejected", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-val-nested-bare-inline-"));
+  try {
+    writeFileSync(
+      join(root, "m.jh"),
+      [
+        'script do_work = `echo "$1"`',
+        "workflow default() {",
+        "  run do_work(`echo aaa`())",
+        "}",
+        "",
+      ].join("\n"),
+    );
+    assert.throws(
+      () => buildScripts(join(root, "m.jh"), join(root, "out")),
+      /nested inline script calls in argument position must be explicit/,
+    );
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("E_VALIDATE: const x = bar() — bare call in const assignment is rejected", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-val-const-bare-call-"));
+  try {
+    writeFileSync(
+      join(root, "m.jh"),
+      [
+        'script bar = `echo "hello"`',
+        "workflow default() {",
+        "  const x = bar()",
+        "}",
+        "",
+      ].join("\n"),
+    );
+    assert.throws(
+      () => buildScripts(join(root, "m.jh"), join(root, "out")),
+      /Script calls in const assignments must use run/,
+    );
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
diff --git a/src/transpile/validate-match.test.ts b/src/transpile/validate-match.test.ts
index 84994ea7..c644ce9e 100644
--- a/src/transpile/validate-match.test.ts
+++ b/src/transpile/validate-match.test.ts
@@ -128,6 +128,228 @@ test("match arm with run ref body is accepted", () => {
   }
 });
 
+test("match arm with unknown verb (e.g. error) is rejected with hint", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-val-match-unknown-verb-"));
+  try {
+    writeFileSync(
+      join(root, "m.jh"),
+      [
+        "workflow default() {",
+        '  const x = "ok"',
+        "  return match x {",
+        '    "" => error "missing"',
+        "    _ => true",
+        "  }",
+        "}",
+        "",
+      ].join("\n"),
+    );
+    assert.throws(
+      () => buildScripts(join(root, "m.jh"), join(root, "out")),
+      { message: /unknown match arm verb "error".*did you mean "fail"/ },
+    );
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("match arm with bare function-call form (error(\"...\")) is rejected", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-val-match-bare-call-"));
+  try {
+    writeFileSync(
+      join(root, "m.jh"),
+      [
+        "workflow default() {",
+        '  const x = "ok"',
+        "  return match x {",
+        '    "" => error("missing")',
+        "    _ => true",
+        "  }",
+        "}",
+        "",
+      ].join("\n"),
+    );
+    assert.throws(
+      () => buildScripts(join(root, "m.jh"), join(root, "out")),
+      { message: /unknown match arm verb "error"/ },
+    );
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("E_VALIDATE: bare unknown word (true) in match arm body is rejected", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-val-match-bare-true-"));
+  try {
+    writeFileSync(
+      join(root, "m.jh"),
+      [
+        "workflow default() {",
+        '  const x = "ok"',
+        "  return match x {",
+        '    "" => fail "missing"',
+        "    _ => true",
+        "  }",
+        "}",
+        "",
+      ].join("\n"),
+    );
+    assert.throws(
+      () => buildScripts(join(root, "m.jh"), join(root, "out")),
+      { message: /unknown identifier "true" in match arm body/ },
+    );
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("E_VALIDATE: bare unknown word (blorp) in match arm body is rejected", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-val-match-bare-blorp-"));
+  try {
+    writeFileSync(
+      join(root, "m.jh"),
+      [
+        "workflow default() {",
+        '  const x = "ok"',
+        "  return match x {",
+        '    "" => fail "missing"',
+        "    _ => blorp",
+        "  }",
+        "}",
+        "",
+      ].join("\n"),
+    );
+    assert.throws(
+      () => buildScripts(join(root, "m.jh"), join(root, "out")),
+      { message: /unknown identifier "blorp" in match arm body/ },
+    );
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("E_VALIDATE: bare unknown word (false) in match arm body is rejected", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-val-match-bare-false-"));
+  try {
+    writeFileSync(
+      join(root, "m.jh"),
+      [
+        "workflow default() {",
+        '  const x = "ok"',
+        "  return match x {",
+        '    "" => fail "missing"',
+        "    _ => false",
+        "  }",
+        "}",
+        "",
+      ].join("\n"),
+    );
+    assert.throws(
+      () => buildScripts(join(root, "m.jh"), join(root, "out")),
+      { message: /unknown identifier "false" in match arm body/ },
+    );
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("match arm with bare in-scope identifier is accepted", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-val-match-bare-inscope-"));
+  try {
+    writeFileSync(
+      join(root, "m.jh"),
+      [
+        "workflow default() {",
+        '  const name = "alice"',
+        "  return match name {",
+        '    "" => fail "missing"',
+        "    _ => name",
+        "  }",
+        "}",
+        "",
+      ].join("\n"),
+    );
+    assert.doesNotThrow(
+      () => buildScripts(join(root, "m.jh"), join(root, "out")),
+    );
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("match arm with string literal continues to compile", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-val-match-string-lit-"));
+  try {
+    writeFileSync(
+      join(root, "m.jh"),
+      [
+        "workflow default() {",
+        '  const name = "alice"',
+        "  return match name {",
+        '    "" => fail "missing"',
+        '    _ => "ok"',
+        "  }",
+        "}",
+        "",
+      ].join("\n"),
+    );
+    assert.doesNotThrow(
+      () => buildScripts(join(root, "m.jh"), join(root, "out")),
+    );
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("match arm with trailing comma after fail is rejected", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-val-match-comma-fail-"));
+  try {
+    writeFileSync(
+      join(root, "m.jh"),
+      [
+        "rule valid_name(name_arg) {",
+        "  return match name_arg {",
+        '    "" => fail "You didn\'t provide your name :(",',
+        "    _  => name_arg",
+        "  }",
+        "}",
+        "",
+      ].join("\n"),
+    );
+    assert.throws(
+      () => buildScripts(join(root, "m.jh"), join(root, "out")),
+      /commas are not allowed in match arms; use one arm per line/,
+    );
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("match arm with trailing comma after string value is rejected", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-val-match-comma-str-"));
+  try {
+    writeFileSync(
+      join(root, "m.jh"),
+      [
+        "workflow default() {",
+        '  const x = "ok"',
+        "  return match x {",
+        '    "ok" => "yes",',
+        '    _ => "no"',
+        "  }",
+        "}",
+        "",
+      ].join("\n"),
+    );
+    assert.throws(
+      () => buildScripts(join(root, "m.jh"), join(root, "out")),
+      /commas are not allowed in match arms; use one arm per line/,
+    );
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
 test("triple-quoted arm body parses and validates", () => {
   const root = mkdtempSync(join(tmpdir(), "jaiph-val-match-tq-"));
   try {
diff --git a/src/transpile/validate.ts b/src/transpile/validate.ts
index edb2b747..e4465d52 100644
--- a/src/transpile/validate.ts
+++ b/src/transpile/validate.ts
@@ -67,7 +67,7 @@ function validateNoShellRedirection(
   );
 }
 
-function validateMatchExpr(filePath: string, expr: MatchExprDef): void {
+function validateMatchExpr(filePath: string, expr: MatchExprDef, knownVars: Set<string>): void {
   if (expr.arms.length === 0) {
     throw jaiphError(filePath, expr.loc.line, expr.loc.col, "E_VALIDATE", "match must have at least one arm");
   }
@@ -110,6 +110,43 @@ function validateMatchExpr(filePath: string, expr: MatchExprDef): void {
         `inline scripts are not allowed in match arm bodies; use a named script with "run script_name(…)" instead`,
       );
     }
+    // Reject unknown verbs, bare function-call forms, and bare unknown identifiers in arm bodies.
+    // Allowed bodies: string literal ("..." or """..."""), $var/${var},
+    // bare in-scope identifier (param/const/capture), or a verb call: fail "...", run ref(...), ensure ref(...).
+    // A bare identifier followed by space+content (e.g. `error "msg"`) or by `(` (e.g. `error("msg")`)
+    // is a programming mistake — most likely a typo for `fail`. A bare identifier not in scope
+    // (e.g. `true`, `blorp`) is also rejected. Skip the check for triple-quoted bodies since those are literal text.
+    if (!arm.tripleQuotedBody) {
+      const idMatch = bodyTrimmed.match(/^([A-Za-z_][A-Za-z0-9_]*)/);
+      if (idMatch) {
+        const ident = idMatch[1]!;
+        const after = bodyTrimmed.slice(ident.length);
+        const startsCall = after.startsWith("(");
+        const startsArgs = /^\s+\S/.test(after);
+        if ((startsCall || startsArgs) && ident !== "fail" && ident !== "run" && ident !== "ensure") {
+          const hint = ident === "error" ? ` did you mean "fail"?` : "";
+          throw jaiphError(
+            filePath,
+            expr.loc.line,
+            expr.loc.col,
+            "E_VALIDATE",
+            `unknown match arm verb "${ident}"; allowed: fail "...", run ref(...), ensure ref(...).${hint}`,
+          );
+        }
+        // Reject bare unknown identifiers (e.g. `_ => true`, `_ => blorp`).
+        // Only bare words with no trailing content reach here — valid ones
+        // must be in-scope variables (params, consts, captures).
+        if (!startsCall && !startsArgs && after.trim() === "" && !knownVars.has(ident)) {
+          throw jaiphError(
+            filePath,
+            expr.loc.line,
+            expr.loc.col,
+            "E_VALIDATE",
+            `unknown identifier "${ident}" in match arm body; declare it with "const", use a capture, or add a parameter`,
+          );
+        }
+      }
+    }
   }
   if (wildcardCount === 0) {
     throw jaiphError(filePath, expr.loc.line, expr.loc.col, "E_VALIDATE", "match must have exactly one wildcard (_) arm");
@@ -149,6 +186,70 @@ function collectKnownVars(steps: WorkflowStepDef[], envDecls?: { name: string }[
   return vars;
 }
 
+/** Validate that no immutable binding (param, const, capture) is redefined in the same scope. */
+function validateImmutableBindings(
+  filePath: string,
+  steps: WorkflowStepDef[],
+  params: string[],
+  declLoc: { line: number; col: number },
+  envDecls?: { name: string; loc: { line: number; col: number } }[],
+  moduleScripts?: Set<string>,
+): void {
+  // Map from name → { kind, line } for the first binding site.
+  const bound = new Map<string, { kind: string; line: number }>();
+  for (const p of params) {
+    bound.set(p, { kind: "parameter", line: declLoc.line });
+  }
+
+  const check = (name: string, kind: string, loc: { line: number; col: number }): void => {
+    const prev = bound.get(name);
+    if (prev) {
+      throw jaiphError(
+        filePath,
+        loc.line,
+        loc.col,
+        "E_VALIDATE",
+        `cannot rebind immutable name "${name}"; already bound as ${prev.kind} at ${filePath}:${prev.line}`,
+      );
+    }
+    if (moduleScripts?.has(name)) {
+      throw jaiphError(
+        filePath,
+        loc.line,
+        loc.col,
+        "E_VALIDATE",
+        `cannot rebind immutable name "${name}"; already bound as script in this module`,
+      );
+    }
+    bound.set(name, { kind, line: loc.line });
+  };
+
+  const walk = (ss: WorkflowStepDef[]): void => {
+    for (const s of ss) {
+      if (s.type === "const") {
+        check(s.name, "const", s.loc);
+      }
+      if (s.type === "ensure" && s.captureName) {
+        check(s.captureName, "capture", s.ref.loc);
+      }
+      if (s.type === "run" && s.captureName) {
+        check(s.captureName, "capture", s.workflow.loc);
+      }
+      if ((s.type === "prompt" || s.type === "run_inline_script") && s.captureName) {
+        check(s.captureName, "capture", s.loc);
+      }
+      if ((s.type === "ensure" || s.type === "run") && s.recover) {
+        const recoverSteps = "single" in s.recover ? [s.recover.single] : s.recover.block;
+        walk(recoverSteps);
+      }
+      if (s.type === "if") {
+        walk(s.body);
+      }
+    }
+  };
+  walk(steps);
+}
+
 /** Count the number of call arguments from a space-separated args string (respects quotes). */
 function countCallArgs(argsStr: string | undefined): number {
   if (!argsStr || !argsStr.trim()) return 0;
@@ -257,6 +358,70 @@ function validateBareIdentifierArgs(
   }
 }
 
+function stripQuotedArgContent(args: string): string {
+  let out = "";
+  let quote: "'" | '"' | null = null;
+  for (let i = 0; i < args.length; i += 1) {
+    const ch = args[i]!;
+    if (quote) {
+      if (ch === quote && args[i - 1] !== "\\") {
+        quote = null;
+      }
+      out += " ";
+      continue;
+    }
+    if (ch === "'" || ch === '"') {
+      quote = ch;
+      out += " ";
+      continue;
+    }
+    out += ch;
+  }
+  return out;
+}
+
+function validateNestedManagedCallArgs(
+  filePath: string,
+  loc: { line: number; col: number },
+  args: string | undefined,
+): void {
+  if (!args) return;
+  const stripped = stripQuotedArgContent(args);
+  const re = /\b([A-Za-z_][A-Za-z0-9_.]*)\s*\(/g;
+  let match: RegExpExecArray | null;
+  while ((match = re.exec(stripped)) !== null) {
+    const before = stripped.slice(0, match.index).trimEnd();
+    const lastToken = before.length === 0 ? "" : before.slice(before.lastIndexOf(" ") + 1);
+    if (lastToken === "run" || lastToken === "ensure") {
+      continue;
+    }
+    throw jaiphError(
+      filePath,
+      loc.line,
+      loc.col,
+      "E_VALIDATE",
+      `nested managed calls in argument position must be explicit; use "run ${match[1]}(...)" or "ensure ${match[1]}(...)" inside the argument list`,
+    );
+  }
+  // Detect bare inline script calls: `body`() without preceding run/ensure
+  const btRe = /`[^`]*`\s*\(/g;
+  let btMatch: RegExpExecArray | null;
+  while ((btMatch = btRe.exec(stripped)) !== null) {
+    const before = stripped.slice(0, btMatch.index).trimEnd();
+    const lastToken = before.length === 0 ? "" : before.slice(before.lastIndexOf(" ") + 1);
+    if (lastToken === "run" || lastToken === "ensure") {
+      continue;
+    }
+    throw jaiphError(
+      filePath,
+      loc.line,
+      loc.col,
+      "E_VALIDATE",
+      `nested inline script calls in argument position must be explicit; use "run \`...\`(...)" inside the argument list`,
+    );
+  }
+}
+
 /** Resolve a route target workflow ref to its declared parameter count. Returns undefined if unresolvable. */
 function resolveRouteTargetParams(
   ref: string,
@@ -457,6 +622,7 @@ export function validateReferences(ast: jaiphModule, ctx: ValidateContext): void
   };
 
   for (const rule of ast.rules) {
+    validateImmutableBindings(ast.filePath, rule.steps, rule.params, rule.loc, ast.envDecls, localScripts);
     const ruleKnownVars = collectKnownVars(rule.steps, ast.envDecls, rule.params);
     // Named params are validated via knownVars; positional argN access was removed.
     const validateRuleStep = (s: WorkflowStepDef): void => {
@@ -474,6 +640,7 @@ export function validateReferences(ast: jaiphModule, ctx: ValidateContext): void
       }
       if (s.type === "ensure") {
         validateNoShellRedirection(ast.filePath, s.ref.loc, "ensure", s.args);
+        validateNestedManagedCallArgs(ast.filePath, s.ref.loc, s.args);
         validateRef(s.ref, ast, refCtx, expectRuleRef);
         validateArity(ast.filePath, s.ref.loc, s.ref.value, s.args, "rule", ast, refCtx);
 
@@ -488,6 +655,7 @@ export function validateReferences(ast: jaiphModule, ctx: ValidateContext): void
       }
       if (s.type === "run") {
         validateNoShellRedirection(ast.filePath, s.workflow.loc, "run", s.args);
+        validateNestedManagedCallArgs(ast.filePath, s.workflow.loc, s.args);
         if (s.async) {
           throw jaiphError(
             ast.filePath,
@@ -510,6 +678,12 @@ export function validateReferences(ast: jaiphModule, ctx: ValidateContext): void
           rb.add(s.recover.bindings.failure);
           for (const r of steps) validateRuleStep(r);
         }
+        if (s.recoverLoop) {
+          const steps = "single" in s.recoverLoop ? [s.recoverLoop.single] : s.recoverLoop.block;
+          const rb = new Set<string>();
+          rb.add(s.recoverLoop.bindings.failure);
+          for (const r of steps) validateRuleStep(r);
+        }
         return;
       }
       if (s.type === "fail") {
@@ -531,6 +705,7 @@ export function validateReferences(ast: jaiphModule, ctx: ValidateContext): void
         return;
       }
       if (s.type === "log") {
+        if (s.managed?.kind === "run_inline_script") return; // inline script — no ref to validate
         validateLogString(s.message, ast.filePath, s.loc.line, s.loc.col, "log", { tripleQuoted: s.tripleQuoted });
         const logRuleInner = s.tripleQuoted ? dedentCommonLeadingWhitespace(s.message) : s.message;
         validateRuleStringCaptures(logRuleInner, s.loc);
@@ -549,6 +724,7 @@ export function validateReferences(ast: jaiphModule, ctx: ValidateContext): void
         return;
       }
       if (s.type === "logerr") {
+        if (s.managed?.kind === "run_inline_script") return; // inline script — no ref to validate
         validateLogString(s.message, ast.filePath, s.loc.line, s.loc.col, "logerr", {
           tripleQuoted: s.tripleQuoted,
         });
@@ -572,19 +748,22 @@ export function validateReferences(ast: jaiphModule, ctx: ValidateContext): void
         if (s.managed) {
           if (s.managed.kind === "run") {
             validateNoShellRedirection(ast.filePath, s.managed.ref.loc, "run", s.managed.args);
+            validateNestedManagedCallArgs(ast.filePath, s.managed.ref.loc, s.managed.args);
             validateRef(s.managed.ref, ast, refCtx, expectRunInRuleRef);
             validateArity(ast.filePath, s.managed.ref.loc, s.managed.ref.value, s.managed.args, "workflow", ast, refCtx);
 
             validateBareIdentifierArgs(ast.filePath, s.managed.ref.loc, s.managed.bareIdentifierArgs, ruleKnownVars);
           } else if (s.managed.kind === "ensure") {
             validateNoShellRedirection(ast.filePath, s.managed.ref.loc, "ensure", s.managed.args);
+            validateNestedManagedCallArgs(ast.filePath, s.managed.ref.loc, s.managed.args);
             validateRef(s.managed.ref, ast, refCtx, expectRuleRef);
             validateArity(ast.filePath, s.managed.ref.loc, s.managed.ref.value, s.managed.args, "rule", ast, refCtx);
 
             validateBareIdentifierArgs(ast.filePath, s.managed.ref.loc, s.managed.bareIdentifierArgs, ruleKnownVars);
           } else if (s.managed.kind === "match") {
-            validateMatchExpr(ast.filePath, s.managed.match);
+            validateMatchExpr(ast.filePath, s.managed.match, ruleKnownVars);
           }
+          // run_inline_script — no ref to validate
         } else {
           validateReturnString(s.value, ast.filePath, s.loc.line, s.loc.col, { tripleQuoted: s.tripleQuoted });
           if (s.value.startsWith('"')) {
@@ -610,6 +789,7 @@ export function validateReferences(ast: jaiphModule, ctx: ValidateContext): void
         const v = s.value;
         if (v.kind === "run_capture") {
           validateNoShellRedirection(ast.filePath, v.ref.loc, "run", v.args);
+          validateNestedManagedCallArgs(ast.filePath, v.ref.loc, v.args);
           if (!v.ref.value.includes(".") && ruleKnownVars.has(v.ref.value) && !localScripts.has(v.ref.value)) {
             throw jaiphError(ast.filePath, v.ref.loc.line, v.ref.loc.col, "E_VALIDATE", `strings are not executable; "${v.ref.value}" is a string — use a script instead`);
           }
@@ -619,6 +799,7 @@ export function validateReferences(ast: jaiphModule, ctx: ValidateContext): void
           validateBareIdentifierArgs(ast.filePath, v.ref.loc, v.bareIdentifierArgs, ruleKnownVars);
         } else if (v.kind === "ensure_capture") {
           validateNoShellRedirection(ast.filePath, v.ref.loc, "ensure", v.args);
+          validateNestedManagedCallArgs(ast.filePath, v.ref.loc, v.args);
           validateRef(v.ref, ast, refCtx, expectRuleRef);
           validateArity(ast.filePath, v.ref.loc, v.ref.value, v.args, "rule", ast, refCtx);
 
@@ -628,7 +809,7 @@ export function validateReferences(ast: jaiphModule, ctx: ValidateContext): void
         } else if (v.kind === "run_inline_script_capture") {
           // inline script capture — no ref to validate
         } else if (v.kind === "match_expr") {
-          validateMatchExpr(ast.filePath, v.match);
+          validateMatchExpr(ast.filePath, v.match, ruleKnownVars);
         } else if (v.kind === "expr") {
           const bareRhs = v.bashRhs.trim();
           if (/^[a-zA-Z_][a-zA-Z0-9_]*$/.test(bareRhs) && localScripts.has(bareRhs)) {
@@ -651,7 +832,7 @@ export function validateReferences(ast: jaiphModule, ctx: ValidateContext): void
         return;
       }
       if (s.type === "match") {
-        validateMatchExpr(ast.filePath, s.expr);
+        validateMatchExpr(ast.filePath, s.expr, ruleKnownVars);
         return;
       }
       if (s.type === "if") {
@@ -753,6 +934,7 @@ export function validateReferences(ast: jaiphModule, ctx: ValidateContext): void
   }
 
   for (const workflow of ast.workflows) {
+    validateImmutableBindings(ast.filePath, workflow.steps, workflow.params, workflow.loc, ast.envDecls, localScripts);
     const promptSchemas = collectPromptSchemas(workflow.steps);
     const wfKnownVars = collectKnownVars(workflow.steps, ast.envDecls, workflow.params);
     // Named params are validated via knownVars; positional argN access was removed.
@@ -765,6 +947,7 @@ export function validateReferences(ast: jaiphModule, ctx: ValidateContext): void
         validateChannelRef(s.channel, s.loc);
         if (s.rhs.kind === "run") {
           validateNoShellRedirection(ast.filePath, s.rhs.ref.loc, "run", s.rhs.args);
+          validateNestedManagedCallArgs(ast.filePath, s.rhs.ref.loc, s.rhs.args);
           validateRef(s.rhs.ref, ast, refCtx, expectRunTargetRef);
           validateArity(ast.filePath, s.rhs.ref.loc, s.rhs.ref.value, s.rhs.args, "workflow", ast, refCtx);
 
@@ -799,6 +982,7 @@ export function validateReferences(ast: jaiphModule, ctx: ValidateContext): void
       }
       if (s.type === "ensure") {
         validateNoShellRedirection(ast.filePath, s.ref.loc, "ensure", s.args);
+        validateNestedManagedCallArgs(ast.filePath, s.ref.loc, s.args);
         validateRef(s.ref, ast, refCtx, expectRuleRef);
         validateArity(ast.filePath, s.ref.loc, s.ref.value, s.args, "rule", ast, refCtx);
 
@@ -813,6 +997,7 @@ export function validateReferences(ast: jaiphModule, ctx: ValidateContext): void
       }
       if (s.type === "run") {
         validateNoShellRedirection(ast.filePath, s.workflow.loc, "run", s.args);
+        validateNestedManagedCallArgs(ast.filePath, s.workflow.loc, s.args);
         if (!s.workflow.value.includes(".") && wfKnownVars.has(s.workflow.value) && !localScripts.has(s.workflow.value) && !localWorkflows.has(s.workflow.value)) {
           throw jaiphError(ast.filePath, s.workflow.loc.line, s.workflow.loc.col, "E_VALIDATE", `strings are not executable; "${s.workflow.value}" is a string — use a script instead`);
         }
@@ -826,6 +1011,12 @@ export function validateReferences(ast: jaiphModule, ctx: ValidateContext): void
           rb.add(s.recover.bindings.failure);
           for (const r of steps) validateStep(r, rb);
         }
+        if (s.recoverLoop) {
+          const steps = "single" in s.recoverLoop ? [s.recoverLoop.single] : s.recoverLoop.block;
+          const rb = new Set<string>();
+          rb.add(s.recoverLoop.bindings.failure);
+          for (const r of steps) validateStep(r, rb);
+        }
         return;
       }
       if (s.type === "prompt") {
@@ -854,6 +1045,7 @@ export function validateReferences(ast: jaiphModule, ctx: ValidateContext): void
         return;
       }
       if (s.type === "log") {
+        if (s.managed?.kind === "run_inline_script") return; // inline script — no ref to validate
         validateLogString(s.message, ast.filePath, s.loc.line, s.loc.col, "log", {
           tripleQuoted: s.tripleQuoted,
         });
@@ -875,6 +1067,7 @@ export function validateReferences(ast: jaiphModule, ctx: ValidateContext): void
         return;
       }
       if (s.type === "logerr") {
+        if (s.managed?.kind === "run_inline_script") return; // inline script — no ref to validate
         validateLogString(s.message, ast.filePath, s.loc.line, s.loc.col, "logerr", {
           tripleQuoted: s.tripleQuoted,
         });
@@ -899,18 +1092,20 @@ export function validateReferences(ast: jaiphModule, ctx: ValidateContext): void
         if (s.managed) {
           if (s.managed.kind === "run") {
             validateNoShellRedirection(ast.filePath, s.managed.ref.loc, "run", s.managed.args);
+            validateNestedManagedCallArgs(ast.filePath, s.managed.ref.loc, s.managed.args);
             validateRef(s.managed.ref, ast, refCtx, expectRunTargetRef);
             validateArity(ast.filePath, s.managed.ref.loc, s.managed.ref.value, s.managed.args, "workflow", ast, refCtx);
 
             validateBareIdentifierArgs(ast.filePath, s.managed.ref.loc, s.managed.bareIdentifierArgs, wfKnownVars, recoverBindings);
           } else if (s.managed.kind === "ensure") {
             validateNoShellRedirection(ast.filePath, s.managed.ref.loc, "ensure", s.managed.args);
+            validateNestedManagedCallArgs(ast.filePath, s.managed.ref.loc, s.managed.args);
             validateRef(s.managed.ref, ast, refCtx, expectRuleRef);
             validateArity(ast.filePath, s.managed.ref.loc, s.managed.ref.value, s.managed.args, "rule", ast, refCtx);
 
             validateBareIdentifierArgs(ast.filePath, s.managed.ref.loc, s.managed.bareIdentifierArgs, wfKnownVars, recoverBindings);
           } else if (s.managed.kind === "match") {
-            validateMatchExpr(ast.filePath, s.managed.match);
+            validateMatchExpr(ast.filePath, s.managed.match, wfKnownVars);
           }
           return;
         }
@@ -957,6 +1152,7 @@ export function validateReferences(ast: jaiphModule, ctx: ValidateContext): void
         const v = s.value;
         if (v.kind === "run_capture") {
           validateNoShellRedirection(ast.filePath, v.ref.loc, "run", v.args);
+          validateNestedManagedCallArgs(ast.filePath, v.ref.loc, v.args);
           if (!v.ref.value.includes(".") && wfKnownVars.has(v.ref.value) && !localScripts.has(v.ref.value) && !localWorkflows.has(v.ref.value)) {
             throw jaiphError(ast.filePath, v.ref.loc.line, v.ref.loc.col, "E_VALIDATE", `strings are not executable; "${v.ref.value}" is a string — use a script instead`);
           }
@@ -966,6 +1162,7 @@ export function validateReferences(ast: jaiphModule, ctx: ValidateContext): void
           validateBareIdentifierArgs(ast.filePath, v.ref.loc, v.bareIdentifierArgs, wfKnownVars, recoverBindings);
         } else if (v.kind === "ensure_capture") {
           validateNoShellRedirection(ast.filePath, v.ref.loc, "ensure", v.args);
+          validateNestedManagedCallArgs(ast.filePath, v.ref.loc, v.args);
           validateRef(v.ref, ast, refCtx, expectRuleRef);
           validateArity(ast.filePath, v.ref.loc, v.ref.value, v.args, "rule", ast, refCtx);
 
@@ -998,7 +1195,7 @@ export function validateReferences(ast: jaiphModule, ctx: ValidateContext): void
         } else if (v.kind === "run_inline_script_capture") {
           // inline script capture — no ref to validate
         } else if (v.kind === "match_expr") {
-          validateMatchExpr(ast.filePath, v.match);
+          validateMatchExpr(ast.filePath, v.match, wfKnownVars);
         } else if (v.kind === "expr") {
           const bareRhs = v.bashRhs.trim();
           if (/^[a-zA-Z_][a-zA-Z0-9_]*$/.test(bareRhs) && localScripts.has(bareRhs)) {
@@ -1023,7 +1220,7 @@ export function validateReferences(ast: jaiphModule, ctx: ValidateContext): void
         return;
       }
       if (s.type === "match") {
-        validateMatchExpr(ast.filePath, s.expr);
+        validateMatchExpr(ast.filePath, s.expr, wfKnownVars);
         return;
       }
       if (s.type === "if") {
@@ -1056,5 +1253,81 @@ export function validateReferences(ast: jaiphModule, ctx: ValidateContext): void
       validateStep(step);
     }
   }
+
+  if (ast.tests && ast.tests.length > 0) {
+    validateTestBlocks(ast, ast.tests);
+  }
+}
+
+/**
+ * Validate variable references inside `test` blocks. The only names in scope are
+ * those introduced by `const NAME = …` (literal or `run … capture`) earlier in
+ * the same block. There is no implicit `response`: an `expect_*` step that
+ * references an undeclared name is a compile-time error.
+ *
+ * Errors raised:
+ * - `mock prompt <ident>` where `<ident>` was not declared earlier
+ * - `expect_*` LHS variable not declared earlier
+ * - `expect_* var <ident>` RHS where `<ident>` was not declared earlier
+ */
+function validateTestBlocks(ast: jaiphModule, tests: import("../types").TestBlockDef[]): void {
+  for (const tb of tests) {
+    const inScope = new Set<string>();
+    for (const step of tb.steps) {
+      if (step.type === "test_const") {
+        inScope.add(step.name);
+        continue;
+      }
+      if (step.type === "test_run_workflow") {
+        if (step.captureName) inScope.add(step.captureName);
+        continue;
+      }
+      if (step.type === "test_mock_prompt" && step.responseVar) {
+        if (!inScope.has(step.responseVar)) {
+          throw jaiphError(
+            ast.filePath,
+            step.loc.line,
+            step.loc.col,
+            "E_VALIDATE",
+            `mock prompt: undefined name "${step.responseVar}" (declare it earlier with: const ${step.responseVar} = "…")`,
+          );
+        }
+        continue;
+      }
+      if (
+        step.type === "test_expect_contain" ||
+        step.type === "test_expect_not_contain" ||
+        step.type === "test_expect_equal"
+      ) {
+        if (!inScope.has(step.variable)) {
+          throw jaiphError(
+            ast.filePath,
+            step.loc.line,
+            step.loc.col,
+            "E_VALIDATE",
+            `${step.type.replace("test_", "")}: undefined name "${step.variable}" (capture it first with: const ${step.variable} = run …)`,
+          );
+        }
+        const refName =
+          step.type === "test_expect_equal"
+            ? step.expectedVar
+            : step.substringVar;
+        if (refName !== undefined && !inScope.has(refName)) {
+          throw jaiphError(
+            ast.filePath,
+            step.loc.line,
+            step.loc.col,
+            "E_VALIDATE",
+            `${step.type.replace("test_", "")}: undefined name "${refName}" (declare it earlier with: const ${refName} = "…")`,
+          );
+        }
+        continue;
+      }
+      // Other step types (mock_workflow/rule/script bodies, blank_line, comment) are
+      // out of scope for this pass: their bodies are validated as workflow/rule steps
+      // by the regular path when materialized, and they do not contribute to the
+      // test-level `vars` map.
+    }
+  }
 }
 
diff --git a/src/types.ts b/src/types.ts
index 05b48b64..0ed58920 100644
--- a/src/types.ts
+++ b/src/types.ts
@@ -53,7 +53,7 @@ export interface MatchExprDef {
 
 export type ConstRhs =
   | { kind: "expr"; bashRhs: string; /** `const x = """..."""` — runtime dedents margin. */ tripleQuoted?: boolean }
-  | { kind: "run_capture"; ref: WorkflowRefDef; args?: string; bareIdentifierArgs?: string[] }
+  | { kind: "run_capture"; ref: WorkflowRefDef; args?: string; bareIdentifierArgs?: string[]; async?: boolean }
   | { kind: "ensure_capture"; ref: RuleRefDef; args?: string; bareIdentifierArgs?: string[] }
   | {
       kind: "prompt_capture";
@@ -145,6 +145,10 @@ export type WorkflowStepDef =
       recover?:
         | { single: WorkflowStepDef; bindings: { failure: string } }
         | { block: WorkflowStepDef[]; bindings: { failure: string } };
+      /** When set, retry with repair loop semantics (try → fail → recover body → retry). */
+      recoverLoop?:
+        | { single: WorkflowStepDef; bindings: { failure: string } }
+        | { block: WorkflowStepDef[]; bindings: { failure: string } };
     }
   | {
       type: "prompt";
@@ -183,6 +187,8 @@ export type WorkflowStepDef =
       /** Set when `log """..."""`; runtime dedents margin. */
       tripleQuoted?: boolean;
       loc: SourceLoc;
+      /** When set, log message comes from a managed inline-script call. */
+      managed?: { kind: "run_inline_script"; body: string; lang?: string; args?: string; bareIdentifierArgs?: string[] };
     }
   | {
       type: "logerr";
@@ -190,6 +196,8 @@ export type WorkflowStepDef =
       /** Set when `logerr """..."""`; runtime dedents margin. */
       tripleQuoted?: boolean;
       loc: SourceLoc;
+      /** When set, logerr message comes from a managed inline-script call. */
+      managed?: { kind: "run_inline_script"; body: string; lang?: string; args?: string; bareIdentifierArgs?: string[] };
     }
   | {
       type: "send";
@@ -202,12 +210,19 @@ export type WorkflowStepDef =
       value: string;
       /** Set when `return """..."""`; runtime dedents margin. */
       tripleQuoted?: boolean;
+      /**
+       * Original source expression when `return <expr>` was bare-identifier
+       * sugar (`return response` → value `"${response}"`). Preserved so the
+       * formatter can emit the bare form authored by the user.
+       */
+      bareSource?: string;
       loc: SourceLoc;
       /** When set, return value comes from a managed run/ensure/match instead of the literal `value`. */
       managed?:
         | { kind: "run"; ref: WorkflowRefDef; args?: string; bareIdentifierArgs?: string[] }
         | { kind: "ensure"; ref: RuleRefDef; args?: string; bareIdentifierArgs?: string[] }
-        | { kind: "match"; match: MatchExprDef };
+        | { kind: "match"; match: MatchExprDef }
+        | { kind: "run_inline_script"; body: string; lang?: string; args?: string; bareIdentifierArgs?: string[] };
     }
   | {
       type: "run_inline_script";
@@ -283,11 +298,9 @@ export interface jaiphModule {
 
 /** Docker sandbox runtime configuration. */
 export interface RuntimeConfig {
-  dockerEnabled?: boolean;
   dockerImage?: string;
   dockerNetwork?: string;
-  dockerTimeout?: number;
-  workspace?: string[];
+  dockerTimeoutSeconds?: number;
 }
 
 /** One line inside `config { }`: comment or assignment (formatter round-trip order). */
@@ -305,8 +318,9 @@ export interface WorkflowMetadata {
     cursorFlags?: string;
     claudeFlags?: string;
   };
-  run?: { debug?: boolean; logsDir?: string; inboxParallel?: boolean };
+  run?: { debug?: boolean; logsDir?: string; inboxParallel?: boolean; recoverLimit?: number };
   runtime?: RuntimeConfig;
+  module?: { name?: string; version?: string; description?: string };
   /** Preserves `#` lines and assignment order inside `config { }` (formatter). */
   configBodySequence?: ConfigBodyPart[];
 }
@@ -315,7 +329,21 @@ export interface WorkflowMetadata {
 export type TestStepDef =
   | { type: "comment"; text: string; loc: SourceLoc }
   | { type: "blank_line" }
-  | { type: "test_mock_prompt"; response: string; loc: SourceLoc }
+  /**
+   * Literal string binding scoped to the enclosing test block:
+   * `const expected = "..."`. The runner seeds test-scope vars with these
+   * before mocks are collected, so subsequent `mock prompt <name>` and
+   * `expect_* var <name>` references resolve to this value.
+   */
+  | { type: "test_const"; name: string; value: string; loc: SourceLoc }
+  | {
+      type: "test_mock_prompt";
+      /** Literal response when authored as `mock prompt "..."`. Empty when responseVar is set. */
+      response: string;
+      /** Identifier when authored as `mock prompt <ident>` referring to a `test_const`. */
+      responseVar?: string;
+      loc: SourceLoc;
+    }
   | {
       type: "test_mock_prompt_block";
       arms: MatchArmDef[];
@@ -329,9 +357,30 @@ export type TestStepDef =
       allowFailure?: boolean;
       loc: SourceLoc;
     }
-  | { type: "test_expect_contain"; variable: string; substring: string; loc: SourceLoc }
-  | { type: "test_expect_not_contain"; variable: string; substring: string; loc: SourceLoc }
-  | { type: "test_expect_equal"; variable: string; expected: string; loc: SourceLoc }
+  | {
+      type: "test_expect_contain";
+      variable: string;
+      substring: string;
+      /** Set when authored as `expect_contain var <ident>`. */
+      substringVar?: string;
+      loc: SourceLoc;
+    }
+  | {
+      type: "test_expect_not_contain";
+      variable: string;
+      substring: string;
+      /** Set when authored as `expect_not_contain var <ident>`. */
+      substringVar?: string;
+      loc: SourceLoc;
+    }
+  | {
+      type: "test_expect_equal";
+      variable: string;
+      expected: string;
+      /** Set when authored as `expect_equal var <ident>`. */
+      expectedVar?: string;
+      loc: SourceLoc;
+    }
   | { type: "test_mock_workflow"; ref: string; params: string[]; steps: WorkflowStepDef[]; loc: SourceLoc }
   | { type: "test_mock_rule"; ref: string; params: string[]; steps: WorkflowStepDef[]; loc: SourceLoc }
   | { type: "test_mock_script"; ref: string; params: string[]; body: string; loc: SourceLoc };
diff --git a/test/sample-build.test.ts b/test/sample-build.test.ts
index 06d7f89e..2362ad43 100644
--- a/test/sample-build.test.ts
+++ b/test/sample-build.test.ts
@@ -173,6 +173,40 @@ test("jaiph run compiles and executes workflow with args", () => {
   }
 });
 
+test("jaiph run resolves nested managed call arguments", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-run-nested-args-"));
+  try {
+    const filePath = join(root, "nested_args.jh");
+    writeFileSync(
+      filePath,
+      [
+        "script mkdir_p_simple = ```",
+        'mkdir -p "$1"',
+        "```",
+        "script jaiph_tmp_dir = ```",
+        'printf "%s\\n" "$JAIPH_WORKSPACE/.jaiph/tmp"',
+        "```",
+        "workflow default() {",
+        "  run mkdir_p_simple(run jaiph_tmp_dir())",
+        "}",
+        "",
+      ].join("\n"),
+    );
+
+    const cliPath = join(process.cwd(), "dist/src/cli.js");
+    const runResult = spawnSync("node", [cliPath, "run", filePath], {
+      encoding: "utf8",
+      cwd: root,
+      env: { ...process.env, JAIPH_DOCKER_ENABLED: "false" },
+    });
+
+    assert.equal(runResult.status, 0, runResult.stderr);
+    assert.equal(existsSync(join(root, ".jaiph", "tmp")), true);
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
 test("executable .jh invokes jaiph run semantics", () => {
   const root = mkdtempSync(join(tmpdir(), "jaiph-exec-jh-"));
   try {
@@ -2391,3 +2425,396 @@ test("walkTestFiles discovers *.test.jh in directory", () => {
   }
 });
 
+// --- recover loop semantics ---
+
+test("recover: success on first attempt skips recover body", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-recover-pass-"));
+  try {
+    writeFileSync(
+      join(root, "main.jh"),
+      [
+        "script ok_impl = `echo ok`",
+        "workflow ok() {",
+        "  run ok_impl()",
+        "}",
+        "workflow default() {",
+        '  run ok() recover(err) {',
+        '    log "should not run"',
+        '  }',
+        "}",
+        "",
+      ].join("\n"),
+    );
+    const cliPath = join(process.cwd(), "dist/src/cli.js");
+    const r = spawnSync("node", [cliPath, "run", join(root, "main.jh")], {
+      encoding: "utf8",
+      cwd: root,
+      env: { ...process.env, JAIPH_DOCKER_ENABLED: "false" },
+    });
+    assert.equal(r.status, 0, r.stderr);
+    assert.match(r.stdout, /PASS/);
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("recover: one repair loop before success", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-recover-repair-"));
+  try {
+    // Script that fails unless a marker file exists (created by the recover body)
+    writeFileSync(
+      join(root, "main.jh"),
+      [
+        "script check = `test -f .marker`",
+        "workflow check_wf() {",
+        "  run check()",
+        "}",
+        "script fix_impl = `touch .marker`",
+        "workflow fix() {",
+        "  run fix_impl()",
+        "}",
+        "workflow default() {",
+        "  run check_wf() recover(err) {",
+        "    run fix()",
+        "  }",
+        "}",
+        "",
+      ].join("\n"),
+    );
+    const cliPath = join(process.cwd(), "dist/src/cli.js");
+    const r = spawnSync("node", [cliPath, "run", join(root, "main.jh")], {
+      encoding: "utf8",
+      cwd: root,
+      env: { ...process.env, JAIPH_DOCKER_ENABLED: "false" },
+    });
+    assert.equal(r.status, 0, r.stderr);
+    assert.match(r.stdout, /PASS/);
+    assert.ok(existsSync(join(root, ".marker")), "repair body should have created marker");
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("recover: retry limit exhaustion fails the workflow", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-recover-exhaust-"));
+  try {
+    writeFileSync(
+      join(root, "main.jh"),
+      [
+        "config {",
+        "  run.recover_limit = 2",
+        "}",
+        "",
+        "script always_fail = `exit 1`",
+        "workflow failing() {",
+        "  run always_fail()",
+        "}",
+        "workflow default() {",
+        '  run failing() recover(err) {',
+        '    log "repair attempt"',
+        '  }',
+        "}",
+        "",
+      ].join("\n"),
+    );
+    const cliPath = join(process.cwd(), "dist/src/cli.js");
+    const r = spawnSync("node", [cliPath, "run", join(root, "main.jh")], {
+      encoding: "utf8",
+      cwd: root,
+      env: { ...process.env, JAIPH_DOCKER_ENABLED: "false" },
+    });
+    assert.notEqual(r.status, 0, "should fail after retry limit exhausted");
+    const combined = r.stdout + r.stderr;
+    assert.match(combined, /FAIL/);
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("recover: retry limit configurable via config", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-recover-limit-"));
+  try {
+    // Counter file incremented by recover body; check script reads and compares.
+    writeFileSync(join(root, ".counter"), "0");
+    writeFileSync(
+      join(root, "main.jh"),
+      [
+        "config {",
+        "  run.recover_limit = 3",
+        "}",
+        "",
+        "script count_impl = ```",
+        'count=$(cat .counter)',
+        'if [ "$count" -ge 3 ]; then exit 0; fi',
+        "exit 1",
+        "```",
+        "workflow attempt_wf() {",
+        "  run count_impl()",
+        "}",
+        "script bump_impl = ```",
+        'count=$(cat .counter)',
+        'echo $(( count + 1 )) > .counter',
+        "```",
+        "workflow bump() {",
+        "  run bump_impl()",
+        "}",
+        "workflow default() {",
+        "  run attempt_wf() recover(err) {",
+        "    run bump()",
+        "  }",
+        "}",
+        "",
+      ].join("\n"),
+    );
+    const cliPath = join(process.cwd(), "dist/src/cli.js");
+    const r = spawnSync("node", [cliPath, "run", join(root, "main.jh")], {
+      encoding: "utf8",
+      cwd: root,
+      env: { ...process.env, JAIPH_DOCKER_ENABLED: "false" },
+    });
+    assert.equal(r.status, 0, r.stderr);
+    assert.match(r.stdout, /PASS/);
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
+// ── Handle<T> async model tests ──
+
+test("handle: const capture run async creates handle that resolves on read", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-handle-capture-"));
+  try {
+    writeFileSync(
+      join(root, "main.jh"),
+      [
+        'script echo_val = `echo "hello"`',
+        "workflow greet() {",
+        "  run echo_val()",
+        '  return "hello"',
+        "}",
+        "workflow default() {",
+        "  const h = run async greet()",
+        '  log "${h}"',
+        "}",
+        "",
+      ].join("\n"),
+    );
+    const cliPath = join(process.cwd(), "dist/src/cli.js");
+    const r = spawnSync("node", [cliPath, "run", join(root, "main.jh")], {
+      encoding: "utf8",
+      cwd: root,
+      env: { ...process.env, JAIPH_DOCKER_ENABLED: "false" },
+    });
+    assert.equal(r.status, 0, r.stderr);
+    assert.match(r.stdout, /PASS/);
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("handle: passing handle as arg to run forces resolution", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-handle-resolve-arg-"));
+  try {
+    writeFileSync(
+      join(root, "main.jh"),
+      [
+        "workflow producer() {",
+        '  return "produced"',
+        "}",
+        "workflow consumer(val) {",
+        '  log "${val}"',
+        "}",
+        "workflow default() {",
+        "  const h = run async producer()",
+        "  run consumer(h)",
+        "}",
+        "",
+      ].join("\n"),
+    );
+    const cliPath = join(process.cwd(), "dist/src/cli.js");
+    const r = spawnSync("node", [cliPath, "run", join(root, "main.jh")], {
+      encoding: "utf8",
+      cwd: root,
+      env: { ...process.env, JAIPH_DOCKER_ENABLED: "false" },
+    });
+    assert.equal(r.status, 0, r.stderr);
+    assert.match(r.stdout, /PASS/);
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("handle: multi-handle join — multiple async handles passed into another call", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-handle-multi-"));
+  try {
+    writeFileSync(
+      join(root, "main.jh"),
+      [
+        "workflow make_a() {",
+        '  return "A"',
+        "}",
+        "workflow make_b() {",
+        '  return "B"',
+        "}",
+        "workflow combine(a, b) {",
+        '  log "${a}-${b}"',
+        "}",
+        "workflow default() {",
+        "  const ha = run async make_a()",
+        "  const hb = run async make_b()",
+        "  run combine(ha, hb)",
+        "}",
+        "",
+      ].join("\n"),
+    );
+    const cliPath = join(process.cwd(), "dist/src/cli.js");
+    const r = spawnSync("node", [cliPath, "run", join(root, "main.jh")], {
+      encoding: "utf8",
+      cwd: root,
+      env: { ...process.env, JAIPH_DOCKER_ENABLED: "false" },
+    });
+    assert.equal(r.status, 0, r.stderr);
+    assert.match(r.stdout, /PASS/);
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("handle: workflow exit joins unresolved handles without error", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-handle-join-"));
+  try {
+    writeFileSync(
+      join(root, "main.jh"),
+      [
+        'script noop = `echo "done"`',
+        "workflow bg() {",
+        "  run noop()",
+        "}",
+        "workflow default() {",
+        "  const h = run async bg()",
+        '  log "continuing"',
+        "  # h is never read — implicit join at exit",
+        "}",
+        "",
+      ].join("\n"),
+    );
+    const cliPath = join(process.cwd(), "dist/src/cli.js");
+    const r = spawnSync("node", [cliPath, "run", join(root, "main.jh")], {
+      encoding: "utf8",
+      cwd: root,
+      env: { ...process.env, JAIPH_DOCKER_ENABLED: "false" },
+    });
+    assert.equal(r.status, 0, r.stderr);
+    assert.match(r.stdout, /PASS/);
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("handle: handles stored in separate vars and resolved when read", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-handle-stored-"));
+  try {
+    writeFileSync(
+      join(root, "main.jh"),
+      [
+        "workflow first() {",
+        '  return "1"',
+        "}",
+        "workflow second() {",
+        '  return "2"',
+        "}",
+        "workflow default() {",
+        "  const h1 = run async first()",
+        "  const h2 = run async second()",
+        "  # Both stored, not resolved yet",
+        '  log "${h1}"',
+        '  log "${h2}"',
+        "}",
+        "",
+      ].join("\n"),
+    );
+    const cliPath = join(process.cwd(), "dist/src/cli.js");
+    const r = spawnSync("node", [cliPath, "run", join(root, "main.jh")], {
+      encoding: "utf8",
+      cwd: root,
+      env: { ...process.env, JAIPH_DOCKER_ENABLED: "false" },
+    });
+    assert.equal(r.status, 0, r.stderr);
+    assert.match(r.stdout, /PASS/);
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("handle: run async foo() recover — handle resolves to success after repair", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-handle-recover-"));
+  try {
+    writeFileSync(
+      join(root, "main.jh"),
+      [
+        "script check = `test -f .marker`",
+        "workflow check_wf() {",
+        "  run check()",
+        "}",
+        "script fix_impl = `touch .marker`",
+        "workflow fix() {",
+        "  run fix_impl()",
+        "}",
+        "workflow default() {",
+        "  run async check_wf() recover(err) {",
+        "    run fix()",
+        "  }",
+        "}",
+        "",
+      ].join("\n"),
+    );
+    const cliPath = join(process.cwd(), "dist/src/cli.js");
+    const r = spawnSync("node", [cliPath, "run", join(root, "main.jh")], {
+      encoding: "utf8",
+      cwd: root,
+      env: { ...process.env, JAIPH_DOCKER_ENABLED: "false" },
+    });
+    assert.equal(r.status, 0, r.stderr);
+    assert.match(r.stdout, /PASS/);
+    assert.ok(existsSync(join(root, ".marker")), "repair body should have created marker");
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("handle: run async recover shares retry-limit semantics with non-async recover", () => {
+  const root = mkdtempSync(join(tmpdir(), "jaiph-handle-recover-limit-"));
+  try {
+    writeFileSync(
+      join(root, "main.jh"),
+      [
+        "config {",
+        "  run.recover_limit = 2",
+        "}",
+        "",
+        "script always_fail = `exit 1`",
+        "workflow failing() {",
+        "  run always_fail()",
+        "}",
+        "workflow default() {",
+        '  run async failing() recover(err) {',
+        '    log "repair attempt"',
+        '  }',
+        "}",
+        "",
+      ].join("\n"),
+    );
+    const cliPath = join(process.cwd(), "dist/src/cli.js");
+    const r = spawnSync("node", [cliPath, "run", join(root, "main.jh")], {
+      encoding: "utf8",
+      cwd: root,
+      env: { ...process.env, JAIPH_DOCKER_ENABLED: "false" },
+    });
+    assert.notEqual(r.status, 0, "should fail after retry limit exhausted");
+    const combined = r.stdout + r.stderr;
+    assert.match(combined, /FAIL/);
+  } finally {
+    rmSync(root, { recursive: true, force: true });
+  }
+});
+
diff --git a/test/signal-lifecycle.test.ts b/test/signal-lifecycle.test.ts
index e433a112..272f9dd2 100644
--- a/test/signal-lifecycle.test.ts
+++ b/test/signal-lifecycle.test.ts
@@ -146,7 +146,7 @@ async function runInterruptTest(
   const child = spawn("node", [cliPath, "run", workflowPath], {
     stdio: "pipe",
     cwd: root,
-    env: { ...process.env, CI: "true" }, // disable Docker so exit-within-5s assertion is reliable
+    env: { ...process.env, JAIPH_UNSAFE: "true" }, // disable Docker so exit-within-5s assertion is reliable (CI=true no longer disables)
   });
 
   const exitPromise = new Promise<{ code: number | null; signal: string | null }>((resolve) => {