diff --git a/CLAUDE.md b/CLAUDE.md
index 769f4c8e6..4b3e3d0a4 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -437,6 +437,7 @@ The manual-commit strategy (`manual_commit*.go`) does not modify the active bran
 - **Shadow branch migration** - if user does stash/pull/rebase (HEAD changes without commit), shadow branch is automatically moved to new base commit
 - **Orphaned branch cleanup** - if a shadow branch exists without a corresponding session state file, it is automatically reset when a new session starts
 - PrePush hook can push `entire/checkpoints/v1` branch alongside user pushes
+- **OPF (OpenAI Privacy Filter) runs at pre-push, not post-commit**: when `redaction.openai_privacy_filter.enabled` is true, the PrePush hook re-redacts unpushed `entire/checkpoints/v1` commits with the OPF 8th layer, builds new commits carrying an `Entire-OPF-Applied: true` trailer, and atomically updates the local v1 ref before pushing. Per-commit condensation stays on the fast 7-layer pipeline. See `strategy/manual_commit_opf_rewrite.go` and `docs/security-and-privacy.md` for the full flow, including divergence detection, bootstrap caps, and CAS-on-conflict semantics.
 - Safe to use on main/master since it never modifies commit history
 
 #### Key Files
@@ -444,6 +445,7 @@ The manual-commit strategy (`manual_commit*.go`) does not modify the active bran
 - `strategy.go` - Interface definition and context structs (`StepContext`, `TaskStepContext`, `RewindPoint`, etc.)
 - `common.go` - Helpers for metadata extraction, tree building, rewind validation, `ListCheckpoints()`
 - `manual_commit*.go` - Manual-commit strategy: main impl, types, session state, condensation, rewind, git ops, logs, hook handlers (prepare-commit-msg, post-commit, post-rewrite, pre-push), reset
+- `manual_commit_opf_rewrite.go` - Pre-push OPF re-redaction: walks unpushed v1 commits, runs OPF over their blobs, rebuilds commits with `Entire-OPF-Applied: true` trailer, CAS-updates the local ref. Sentinel error types (use `errors.As`): `V1DivergedError`, `BootstrapTooLargeError`, `V1RefMovedError`, `OPFRuntimeFailedError`.
 - `cleanup.go` - Cleanup discovery/deletion for shadow branches, session states, and checkpoint metadata
 - `session_state.go` - Package-level session state functions
 - `hooks.go` - Git hook installation
diff --git a/cmd/entire/cli/checkpoint/checkpoint.go b/cmd/entire/cli/checkpoint/checkpoint.go
index 5bf71e886..6fb79bf3b 100644
--- a/cmd/entire/cli/checkpoint/checkpoint.go
+++ b/cmd/entire/cli/checkpoint/checkpoint.go
@@ -221,7 +221,9 @@ type WriteCommittedOptions struct {
 	// Must be pre-redacted (via redact.JSONLBytes or redact.AlreadyRedacted for trusted sources).
 	Transcript redact.RedactedBytes
 
-	// Prompts contains user prompts from the session
+	// Prompts contains the raw user prompts from the session. Run through
+	// redactedJoinedPrompts before persisting — the writer does this
+	// inside writeSessionToSubdirectory.
 	Prompts []string
 
 	// FilesTouched are files modified during the session
@@ -360,7 +362,8 @@ type UpdateCommittedOptions struct {
 	// Must be pre-redacted (via redact.JSONLBytes or redact.AlreadyRedacted for trusted sources).
 	Transcript redact.RedactedBytes
 
-	// Prompts contains all user prompts (replaces existing)
+	// Prompts contains the raw user prompts (replaces existing).
+	// See WriteCommittedOptions.Prompts.
 	Prompts []string
 
 	// Agent identifies the agent type (needed for transcript chunking)
diff --git a/cmd/entire/cli/checkpoint/checkpoint_test.go b/cmd/entire/cli/checkpoint/checkpoint_test.go
index d97220c5f..a6629b47f 100644
--- a/cmd/entire/cli/checkpoint/checkpoint_test.go
+++ b/cmd/entire/cli/checkpoint/checkpoint_test.go
@@ -81,7 +81,7 @@ func TestCopyMetadataDir_SkipsSymlinks(t *testing.T) {
 	store := NewGitStore(repo)
 	entries := make(map[string]object.TreeEntry)
 
-	err = store.copyMetadataDir(metadataDir, "checkpoint/", entries)
+	err = store.copyMetadataDir(context.Background(), metadataDir, "checkpoint/", entries)
 	if err != nil {
 		t.Fatalf("copyMetadataDir failed: %v", err)
 	}
@@ -3409,7 +3409,7 @@ func TestCopyMetadataDir_RedactsSecrets(t *testing.T) {
 	store := NewGitStore(repo)
 	entries := make(map[string]object.TreeEntry)
 
-	if err := store.copyMetadataDir(metadataDir, "cp/", entries); err != nil {
+	if err := store.copyMetadataDir(context.Background(), metadataDir, "cp/", entries); err != nil {
 		t.Fatalf("copyMetadataDir() error = %v", err)
 	}
 
@@ -4410,6 +4410,45 @@ func TestCheckpointSummary_HasReview(t *testing.T) {
 	}
 }
 
+// TestRedactBlobBytes_JSONMetadata pins the .json branch of RedactBlobBytes:
+// checkpoint metadata files (metadata.json) carry free-form fields like
+// Summary.Intent and ReviewPrompt that previously bypassed redaction because
+// the dispatcher only matched .jsonl. The PR 1236 fix extended the JSON-aware
+// branch to .json. We assert via a low-entropy AWS-key shaped secret (catches
+// the 7-layer pipeline) so the test stays deterministic without the OPF binary.
+func TestRedactBlobBytes_JSONMetadata(t *testing.T) {
+	t.Parallel()
+
+	meta := CommittedMetadata{
+		Kind:         "agent_review",
+		ReviewPrompt: "credential leak: key=AKIAYRWQG5EJLPZLBYNP",
+		Summary: &Summary{
+			Intent: "leak: key=AKIAYRWQG5EJLPZLBYNP",
+		},
+	}
+	b, err := json.Marshal(meta)
+	if err != nil {
+		t.Fatalf("marshal: %v", err)
+	}
+
+	got := RedactBlobBytes(context.Background(), b, "metadata.json", false)
+	if strings.Contains(string(got), "AKIAYRWQG5EJLPZLBYNP") {
+		t.Errorf("expected AWS key redacted in metadata.json blob, got %s", string(got))
+	}
+	if !strings.Contains(string(got), "REDACTED") {
+		t.Errorf("expected REDACTED placeholder in metadata.json blob, got %s", string(got))
+	}
+	// JSON structure must survive — Kind is not redactable content, so it
+	// should round-trip through the JSON-aware redactor.
+	var roundTripped map[string]any
+	if err := json.Unmarshal(got, &roundTripped); err != nil {
+		t.Errorf("redacted .json blob must remain valid JSON, got parse err %v (content: %s)", err, string(got))
+	}
+	if roundTripped["kind"] != "agent_review" {
+		t.Errorf(`expected "kind":"agent_review" preserved after redaction, got %v`, roundTripped["kind"])
+	}
+}
+
 // TestCheckpointSummary_HasInvestigation pins the JSON wire format for the
 // HasInvestigation umbrella flag on CheckpointSummary. Mirrors the
 // HasReview test: callers depend on the on-disk shape, so this asserts on
diff --git a/cmd/entire/cli/checkpoint/committed.go b/cmd/entire/cli/checkpoint/committed.go
index 68f7bfb87..387598b60 100644
--- a/cmd/entire/cli/checkpoint/committed.go
+++ b/cmd/entire/cli/checkpoint/committed.go
@@ -355,7 +355,7 @@ func (s *GitStore) writeStandardCheckpointEntries(ctx context.Context, opts Writ
 
 	// Copy additional metadata files from directory if specified (to session subdirectory)
 	if opts.MetadataDir != "" {
-		if err := s.copyMetadataDir(opts.MetadataDir, sessionPath, entries); err != nil {
+		if err := s.copyMetadataDir(ctx, opts.MetadataDir, sessionPath, entries); err != nil {
 			return fmt.Errorf("failed to copy metadata directory: %w", err)
 		}
 	}
@@ -418,9 +418,10 @@ func (s *GitStore) writeSessionToSubdirectory(ctx context.Context, opts WriteCom
 		filePaths.ContentHash = "/" + sessionPath + paths.ContentHashFileName
 	}
 
-	// Write prompts
+	// Write prompts via the 7-layer pipeline. OPF runs only in the
+	// pre-push rewrite path (manual_commit_opf_rewrite.go).
 	if len(opts.Prompts) > 0 {
-		promptContent := redact.String(JoinPrompts(opts.Prompts))
+		promptContent := redactedJoinedPrompts(opts.Prompts)
 		blobHash, err := CreateBlobFromContent(s.repo, []byte(promptContent))
 		if err != nil {
 			return filePaths, err
@@ -1521,9 +1522,9 @@ func (s *GitStore) UpdateCommitted(ctx context.Context, opts UpdateCommittedOpti
 		}
 	}
 
-	// Replace prompts (apply redaction as safety net)
+	// Replace prompts with 7-layer-redacted content.
 	if len(opts.Prompts) > 0 {
-		promptContent := redact.String(JoinPrompts(opts.Prompts))
+		promptContent := redactedJoinedPrompts(opts.Prompts)
 		blobHash, err := CreateBlobFromContent(s.repo, []byte(promptContent))
 		if err != nil {
 			return fmt.Errorf("failed to create prompt blob: %w", err)
@@ -1843,7 +1844,7 @@ func CreateBlobFromContent(repo *git.Repository, content []byte) (plumbing.Hash,
 
 // copyMetadataDir copies all files from a directory to the checkpoint path.
 // Used to include additional metadata files like task checkpoints, subagent transcripts, etc.
-func (s *GitStore) copyMetadataDir(metadataDir, basePath string, entries map[string]object.TreeEntry) error {
+func (s *GitStore) copyMetadataDir(ctx context.Context, metadataDir, basePath string, entries map[string]object.TreeEntry) error {
 	err := filepath.Walk(metadataDir, func(path string, info os.FileInfo, err error) error {
 		if err != nil {
 			return err
@@ -1882,7 +1883,13 @@ func (s *GitStore) copyMetadataDir(metadataDir, basePath string, entries map[str
 			return fmt.Errorf("path traversal detected: %s", relPath)
 		}
 
-		// Create blob from file with secrets redaction
+		// Create blob from file with 7-layer secrets redaction.
+		// Post-commit emits 7-layer-only blobs; the pre-push rewrite
+		// (strategy/manual_commit_opf_rewrite.go) walks the resulting
+		// tree, re-redacts these blobs with OPF when enabled, and
+		// rewrites entire/checkpoints/v1 into 8-layer commits before
+		// they leave the local machine.
+		_ = ctx // ctx not needed by the 7-layer path; kept on caller signature for future use
 		blobHash, mode, err := createRedactedBlobFromFile(s.repo, path, relPath)
 		if err != nil {
 			return fmt.Errorf("failed to create blob for %s: %w", path, err)
@@ -1904,8 +1911,13 @@ func (s *GitStore) copyMetadataDir(metadataDir, basePath string, entries map[str
 	return nil
 }
 
-// createRedactedBlobFromFile reads a file, applies secrets redaction, and creates a git blob.
-// JSONL files get JSONL-aware redaction; all other files get plain string redaction.
+// createRedactedBlobFromFile reads a file, applies the 7-layer redaction
+// pipeline, and creates a git blob. Used by committed-checkpoint writes
+// at post-commit time. The OpenAI Privacy Filter is intentionally NOT
+// run here — OPF lives in the pre-push rewrite path
+// (strategy/manual_commit_opf_rewrite.go), which re-redacts the 7-layer
+// blobs into 8-layer commits before they leave the local machine.
+// JSONL files get JSONL-aware redaction; all other files get plain byte redaction.
 func createRedactedBlobFromFile(repo *git.Repository, filePath, treePath string) (plumbing.Hash, filemode.FileMode, error) {
 	info, err := os.Stat(filePath)
 	if err != nil {
@@ -1933,16 +1945,7 @@ func createRedactedBlobFromFile(repo *git.Repository, filePath, treePath string)
 		return hash, mode, nil
 	}
 
-	if strings.HasSuffix(treePath, ".jsonl") {
-		redacted, jsonlErr := redact.JSONLBytes(content)
-		if jsonlErr != nil {
-			content = redact.Bytes(content)
-		} else {
-			content = redacted.Bytes()
-		}
-	} else {
-		content = redact.Bytes(content)
-	}
+	content = RedactBlobBytes(context.Background(), content, treePath, false)
 
 	hash, err := CreateBlobFromContent(repo, content)
 	if err != nil {
@@ -1951,6 +1954,44 @@ func createRedactedBlobFromFile(repo *git.Repository, filePath, treePath string)
 	return hash, mode, nil
 }
 
+// RedactBlobBytes redacts a single blob's content given its tree path.
+// JSON-shaped files (.jsonl or .json) get JSON-aware redaction (falling
+// back to plain bytes on parse failure so regex/credential layers
+// still apply); other files get plain byte redaction. When
+// usePrivacyFilter is true the full 8-layer pipeline (including OPF)
+// runs; otherwise the 7-layer pipeline.
+//
+// .json is handled alongside .jsonl because checkpoint metadata files
+// (metadata.json, per-session metadata.json) carry free-form fields
+// like Summary.Intent / Summary.Outcome / ReviewPrompt that can
+// contain PII the regex layers miss. The JSON-aware redactor extracts
+// string leaves and applies OPF only to those, preserving the JSON
+// structure.
+//
+// Post-commit condensation uses false (fast path). The pre-push rewrite
+// (strategy/manual_commit_opf_rewrite.go) uses true.
+func RedactBlobBytes(ctx context.Context, content []byte, treePath string, usePrivacyFilter bool) []byte {
+	if strings.HasSuffix(treePath, ".jsonl") || strings.HasSuffix(treePath, ".json") {
+		var (
+			redacted redact.RedactedBytes
+			err      error
+		)
+		if usePrivacyFilter {
+			redacted, err = redact.JSONLBytesWithPrivacyFilter(ctx, content)
+		} else {
+			redacted, err = redact.JSONLBytes(content)
+		}
+		if err == nil {
+			return redacted.Bytes()
+		}
+		// JSONL parse failed — fall through to plain bytes.
+	}
+	if usePrivacyFilter {
+		return redact.BytesWithPrivacyFilter(ctx, content)
+	}
+	return redact.Bytes(content)
+}
+
 // GetGitAuthorFromRepo retrieves the git user.name and user.email,
 // checking both the repository-local config and the global ~/.gitconfig.
 func GetGitAuthorFromRepo(repo *git.Repository) (name, email string) {
diff --git a/cmd/entire/cli/checkpoint/committed_opf_trailer_test.go b/cmd/entire/cli/checkpoint/committed_opf_trailer_test.go
new file mode 100644
index 000000000..b73145537
--- /dev/null
+++ b/cmd/entire/cli/checkpoint/committed_opf_trailer_test.go
@@ -0,0 +1,70 @@
+package checkpoint
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/entireio/cli/cmd/entire/cli/checkpoint/id"
+	"github.com/entireio/cli/cmd/entire/cli/testutil"
+	"github.com/entireio/cli/cmd/entire/cli/trailers"
+	"github.com/entireio/cli/redact"
+	"github.com/go-git/go-git/v6"
+	"github.com/go-git/go-git/v6/plumbing"
+	"github.com/go-git/go-git/v6/plumbing/object"
+	"github.com/stretchr/testify/require"
+)
+
+// TestWriteCommitted_DoesNotEmitOPFAppliedTrailer is the regression guard
+// for the architectural promise: standard post-commit condensation writes
+// 7-layer-only blobs and MUST NOT mark them with the Entire-OPF-Applied
+// trailer. The trailer is emitted exclusively by the pre-push rewrite
+// path; if a future change accidentally added it to the standard writer,
+// the pre-push rewrite would skip those commits (HasOPFApplied true →
+// reparent-only, no actual OPF run) and ship 7-layer content as if it
+// were 8-layer. This test pins down that contract.
+func TestWriteCommitted_DoesNotEmitOPFAppliedTrailer(t *testing.T) {
+	t.Parallel()
+
+	tempDir := t.TempDir()
+	testutil.InitRepo(t, tempDir)
+	repo, err := git.PlainOpen(tempDir)
+	require.NoError(t, err)
+
+	wt, err := repo.Worktree()
+	require.NoError(t, err)
+	readmeFile := filepath.Join(tempDir, "README.md")
+	require.NoError(t, os.WriteFile(readmeFile, []byte("# Test"), 0o644))
+	_, err = wt.Add("README.md")
+	require.NoError(t, err)
+	_, err = wt.Commit("Initial commit", &git.CommitOptions{
+		Author: &object.Signature{Name: "Test", Email: "test@test.com"},
+	})
+	require.NoError(t, err)
+
+	store := NewGitStore(repo)
+	cpID := id.MustCheckpointID("a1b2c3d4e5f6")
+
+	err = store.WriteCommitted(context.Background(), WriteCommittedOptions{
+		CheckpointID: cpID,
+		SessionID:    "regression-no-opf-trailer",
+		Strategy:     "manual-commit",
+		Transcript:   redact.AlreadyRedacted([]byte(`{"role":"user","content":"hello"}` + "\n")),
+		AuthorName:   "Test",
+		AuthorEmail:  "test@test.com",
+	})
+	require.NoError(t, err)
+
+	// Read the latest commit message on entire/checkpoints/v1 and assert
+	// HasOPFApplied is false. We resolve via the ref then walk back the
+	// single commit the writer just produced.
+	ref, err := repo.Reference(plumbing.NewBranchReferenceName("entire/checkpoints/v1"), true)
+	require.NoError(t, err, "writer should have created entire/checkpoints/v1")
+	commit, err := repo.CommitObject(ref.Hash())
+	require.NoError(t, err)
+
+	if trailers.HasOPFApplied(commit.Message) {
+		t.Errorf("standard WriteCommitted emitted Entire-OPF-Applied trailer; commit message:\n%s", commit.Message)
+	}
+}
diff --git a/cmd/entire/cli/checkpoint/prompts.go b/cmd/entire/cli/checkpoint/prompts.go
index fc8d26d35..6df096ce3 100644
--- a/cmd/entire/cli/checkpoint/prompts.go
+++ b/cmd/entire/cli/checkpoint/prompts.go
@@ -1,6 +1,10 @@
 package checkpoint
 
-import "strings"
+import (
+	"strings"
+
+	"github.com/entireio/cli/redact"
+)
 
 // PromptSeparator is the canonical separator used in prompt.txt when multiple
 // prompts are stored in a single file.
@@ -23,3 +27,10 @@ func SplitPromptContent(content string) []string {
 	}
 	return prompts
 }
+
+// redactedJoinedPrompts joins prompts and runs the 7-layer redaction
+// pipeline. OPF runs exclusively in the pre-push rewrite (not here),
+// so the writer's hot path stays predictable.
+func redactedJoinedPrompts(prompts []string) string {
+	return redact.String(strings.Join(prompts, PromptSeparator))
+}
diff --git a/cmd/entire/cli/checkpoint/prompts_test.go b/cmd/entire/cli/checkpoint/prompts_test.go
index 4b1119625..93f4f3179 100644
--- a/cmd/entire/cli/checkpoint/prompts_test.go
+++ b/cmd/entire/cli/checkpoint/prompts_test.go
@@ -14,7 +14,6 @@ func TestJoinAndSplitPrompts_RoundTrip(t *testing.T) {
 		"first line\nwith newline",
 		"second prompt",
 	}
-
 	joined := JoinPrompts(original)
 	split := SplitPromptContent(joined)
 
@@ -24,6 +23,15 @@ func TestJoinAndSplitPrompts_RoundTrip(t *testing.T) {
 
 func TestSplitPromptContent_EmptyContent(t *testing.T) {
 	t.Parallel()
-
 	assert.Nil(t, SplitPromptContent(""))
 }
+
+// TestRedactedJoinedPrompts_AppliesSafetyNet verifies the helper joins
+// prompts with the canonical separator and runs them through the 7-layer
+// pipeline. OPF runs only in the pre-push rewrite path, never here.
+func TestRedactedJoinedPrompts_AppliesSafetyNet(t *testing.T) {
+	t.Parallel()
+	got := redactedJoinedPrompts([]string{"hello", "world"})
+	assert.NotEmpty(t, got)
+	assert.Contains(t, got, PromptSeparator)
+}
diff --git a/cmd/entire/cli/hooks_git_cmd.go b/cmd/entire/cli/hooks_git_cmd.go
index 27ef45f28..f8729b94c 100644
--- a/cmd/entire/cli/hooks_git_cmd.go
+++ b/cmd/entire/cli/hooks_git_cmd.go
@@ -2,6 +2,7 @@ package cli
 
 import (
 	"context"
+	"fmt"
 	"log/slog"
 	"time"
 
@@ -231,6 +232,13 @@ func newHooksGitPrePushCmd() *cobra.Command {
 		Use:   "pre-push <remote>",
 		Short: "Handle pre-push git hook",
 		Args:  cobra.ExactArgs(1),
+		// SilenceUsage/Errors so non-zero exits from privacy-critical
+		// failures (OPF rewrite errors) print only the error message,
+		// not cobra's usage banner. The error message itself already
+		// includes user guidance (see ErrV1Diverged / ErrBootstrapTooLarge /
+		// ErrV1RefMoved in strategy/manual_commit_opf_rewrite.go).
+		SilenceUsage:  true,
+		SilenceErrors: false,
 		RunE: func(cmd *cobra.Command, args []string) error {
 			if gitHooksDisabled {
 				return nil
@@ -245,7 +253,20 @@ func newHooksGitPrePushCmd() *cobra.Command {
 			hookErr := g.strategy.PrePush(g.ctx, remote)
 			g.logCompleted(hookErr)
 
-			return nil
+			// Propagate the error so the hook script exits non-zero and
+			// git push aborts the entire batch. PrePush itself only
+			// returns errors for privacy-critical failures (OPF rewrite —
+			// e.g., V1DivergedError, BootstrapTooLargeError,
+			// V1RefMovedError, OPFRuntimeFailedError); transient
+			// checkpoint-push failures are logged and swallowed before
+			// reaching this point. See strategy/manual_commit_push.go
+			// for the contract. We wrap with a short "pre-push:" prefix
+			// so the user sees the source of the abort without losing
+			// the underlying type (errors.As still finds the sentinels).
+			if hookErr == nil {
+				return nil
+			}
+			return fmt.Errorf("pre-push: %w", hookErr)
 		},
 	}
 }
diff --git a/cmd/entire/cli/settings/settings.go b/cmd/entire/cli/settings/settings.go
index fe2bef0a9..ddc44f125 100644
--- a/cmd/entire/cli/settings/settings.go
+++ b/cmd/entire/cli/settings/settings.go
@@ -19,6 +19,7 @@ import (
 	"github.com/entireio/cli/cmd/entire/cli/logging"
 	"github.com/entireio/cli/cmd/entire/cli/paths"
 	"github.com/entireio/cli/cmd/entire/cli/session"
+	"github.com/entireio/cli/redact"
 )
 
 const (
@@ -204,6 +205,10 @@ type RedactionSettings struct {
 	// "[REDACTED_<LABEL>]" token used by PII. Failed regex compilations are
 	// logged via slog.Warn and the rule is skipped.
 	CustomRedactions map[string]string `json:"custom_redactions,omitempty"`
+
+	// OpenAIPrivacyFilter is the optional 8th redaction layer (opt-in).
+	// See docs/security-and-privacy.md.
+	OpenAIPrivacyFilter *OPFSettings `json:"openai_privacy_filter,omitempty"`
 }
 
 // PIISettings configures PII detection categories.
@@ -216,6 +221,35 @@ type PIISettings struct {
 	CustomPatterns map[string]string `json:"custom_patterns,omitempty"`
 }
 
+// OPFSettings configures the optional OpenAI Privacy Filter detection layer.
+// Disabled by default. Runs only at condensation/export boundaries — see
+// docs/security-and-privacy.md.
+//
+// There is intentionally no "on_failure" field: warn-only is the only mode
+// the runtime currently supports, and DisallowUnknownFields will reject any
+// future user who tries to set it. Adding the field again should land in
+// lockstep with the runtime enforcement.
+type OPFSettings struct {
+	Enabled        bool            `json:"enabled,omitempty"`
+	Categories     map[string]bool `json:"categories,omitempty"`
+	Command        string          `json:"command,omitempty"`
+	TimeoutSeconds int             `json:"timeout_seconds,omitempty"`
+
+	// PromptDefault controls whether the pre-push hook asks the user
+	// before running OPF. "" (default) and "ask" both surface the
+	// interactive prompt; "always" runs without asking; "never" skips
+	// OPF and pushes 7-layer content. ENTIRE_OPF=yes|no on the push
+	// invocation overrides this setting per-push.
+	PromptDefault string `json:"prompt_default,omitempty"`
+}
+
+// Valid PromptDefault values. Empty == OPFPromptAsk.
+const (
+	OPFPromptAsk    = "ask"
+	OPFPromptAlways = "always"
+	OPFPromptNever  = "never"
+)
+
 // GetCommitLinking returns the effective commit linking mode.
 // Returns the explicit value if set, otherwise defaults to "prompt"
 // to preserve existing user behavior.
@@ -496,6 +530,25 @@ func SaveProjectRaw(path string, raw map[string]json.RawMessage) error {
 	return nil
 }
 
+// SaveLocalRaw writes a generic JSON object back to .entire/settings.local.json
+// atomically (temp file + rename). Mirrors SaveProjectRaw for the per-developer
+// overrides file; the only difference is the error wording, which says "local
+// settings" so failure messages match the file actually being written.
+//
+// Pair with LoadLocalRaw for read-modify-write flows that target the local
+// override (e.g. persisting an interactive prompt's "always" choice without
+// touching the project-wide settings file).
+func SaveLocalRaw(path string, raw map[string]json.RawMessage) error {
+	data, err := jsonutil.MarshalIndentWithNewline(raw, "", "  ")
+	if err != nil {
+		return fmt.Errorf("marshal local settings: %w", err)
+	}
+	if err := jsonutil.WriteFileAtomic(path, data, 0o644); err != nil {
+		return fmt.Errorf("writing local settings: %w", err)
+	}
+	return nil
+}
+
 // ClonePreferencesPath returns the clone-local preferences path in the git common dir.
 func ClonePreferencesPath(ctx context.Context) (string, error) {
 	commonDir, err := session.GetGitCommonDir(ctx)
@@ -532,6 +585,11 @@ func LoadFromBytes(data []byte) (*EntireSettings, error) {
 	if err := dec.Decode(s); err != nil {
 		return nil, fmt.Errorf("parsing settings: %w", err)
 	}
+	if s.Redaction != nil {
+		if err := validateOPFSettings(s.Redaction.OpenAIPrivacyFilter); err != nil {
+			return nil, err
+		}
+	}
 	return s, nil
 }
 
@@ -565,6 +623,12 @@ func loadFromFile(filePath string) (*EntireSettings, error) {
 	// legitimately contain only a model (provider comes from another file).
 	// Validation happens after merge in Load().
 
+	if settings.Redaction != nil {
+		if err := validateOPFSettings(settings.Redaction.OpenAIPrivacyFilter); err != nil {
+			return nil, err
+		}
+	}
+
 	return settings, nil
 }
 
@@ -896,9 +960,82 @@ func mergeRedaction(dst *RedactionSettings, data json.RawMessage) error {
 			}
 		}
 	}
+	if opfRaw, ok := raw["openai_privacy_filter"]; ok {
+		if dst.OpenAIPrivacyFilter == nil {
+			dst.OpenAIPrivacyFilter = &OPFSettings{}
+		}
+		if err := mergeOPFSettings(dst.OpenAIPrivacyFilter, opfRaw); err != nil {
+			return err
+		}
+	}
 	return nil
 }
 
+// validateOPFSettings rejects unknown category names so typos surface at
+// parse time. Silent zero-detection of a privacy category is effectively
+// a correctness bug — the user thinks they're protected but they're not.
+func validateOPFSettings(opf *OPFSettings) error {
+	if opf == nil {
+		return nil
+	}
+	for name := range opf.Categories {
+		if !redact.IsKnownOPFCategory(name) {
+			return fmt.Errorf("openai_privacy_filter.categories has unknown key %q (see docs/security-and-privacy.md for the supported set)", name)
+		}
+	}
+	switch opf.PromptDefault {
+	case "", OPFPromptAsk, OPFPromptAlways, OPFPromptNever:
+		// ok
+	default:
+		return fmt.Errorf("openai_privacy_filter.prompt_default must be one of %q, %q, %q (got %q)",
+			OPFPromptAsk, OPFPromptAlways, OPFPromptNever, opf.PromptDefault)
+	}
+	return nil
+}
+
+// mergeOPFSettings merges OPF overrides into existing OPFSettings. Only
+// fields present in the override JSON are applied; missing fields preserve
+// the base value.
+func mergeOPFSettings(dst *OPFSettings, data json.RawMessage) error {
+	var raw map[string]json.RawMessage
+	if err := json.Unmarshal(data, &raw); err != nil {
+		return fmt.Errorf("parsing openai_privacy_filter: %w", err)
+	}
+	if v, ok := raw["enabled"]; ok {
+		if err := json.Unmarshal(v, &dst.Enabled); err != nil {
+			return fmt.Errorf("parsing openai_privacy_filter.enabled: %w", err)
+		}
+	}
+	if v, ok := raw["categories"]; ok {
+		var cats map[string]bool
+		if err := json.Unmarshal(v, &cats); err != nil {
+			return fmt.Errorf("parsing openai_privacy_filter.categories: %w", err)
+		}
+		if dst.Categories == nil {
+			dst.Categories = make(map[string]bool, len(cats))
+		}
+		for k, b := range cats {
+			dst.Categories[k] = b
+		}
+	}
+	if v, ok := raw["command"]; ok {
+		if err := json.Unmarshal(v, &dst.Command); err != nil {
+			return fmt.Errorf("parsing openai_privacy_filter.command: %w", err)
+		}
+	}
+	if v, ok := raw["timeout_seconds"]; ok {
+		if err := json.Unmarshal(v, &dst.TimeoutSeconds); err != nil {
+			return fmt.Errorf("parsing openai_privacy_filter.timeout_seconds: %w", err)
+		}
+	}
+	if v, ok := raw["prompt_default"]; ok {
+		if err := json.Unmarshal(v, &dst.PromptDefault); err != nil {
+			return fmt.Errorf("parsing openai_privacy_filter.prompt_default: %w", err)
+		}
+	}
+	return validateOPFSettings(dst)
+}
+
 // mergePIISettings merges PII overrides into existing PIISettings.
 // Only fields present in the override JSON are applied; missing fields
 // are preserved from the base settings.
diff --git a/cmd/entire/cli/settings/settings_test.go b/cmd/entire/cli/settings/settings_test.go
index ca5e4626e..e4ac48d6f 100644
--- a/cmd/entire/cli/settings/settings_test.go
+++ b/cmd/entire/cli/settings/settings_test.go
@@ -870,6 +870,159 @@ func TestLoadFromBytes_CustomRedactions(t *testing.T) {
 	}
 }
 
+func TestLoadFromBytes_OPFSettings_RoundTrip(t *testing.T) {
+	t.Parallel()
+
+	data := []byte(`{
+  "redaction": {
+    "openai_privacy_filter": {
+      "enabled": true,
+      "categories": {"private_person": true, "secret": false},
+      "command": "/usr/local/bin/opf",
+      "timeout_seconds": 45
+    }
+  }
+}`)
+	got, err := LoadFromBytes(data)
+	if err != nil {
+		t.Fatalf("LoadFromBytes: %v", err)
+	}
+	opf := got.Redaction.OpenAIPrivacyFilter
+	if opf == nil {
+		t.Fatal("OpenAIPrivacyFilter is nil")
+	}
+	if !opf.Enabled {
+		t.Error("Enabled: want true")
+	}
+	if !opf.Categories["private_person"] {
+		t.Error("Categories[private_person]: want true")
+	}
+	if opf.Categories["secret"] {
+		t.Error("Categories[secret]: want false")
+	}
+	if opf.Command != "/usr/local/bin/opf" {
+		t.Errorf("Command: want /usr/local/bin/opf, got %q", opf.Command)
+	}
+	if opf.TimeoutSeconds != 45 {
+		t.Errorf("TimeoutSeconds: want 45, got %d", opf.TimeoutSeconds)
+	}
+}
+
+// TestLoadFromBytes_OPFSettings_RejectsUnknownCategory pins down that
+// category-name typos fail at parse time. Silent zero-detection of a
+// privacy category is effectively a correctness bug — the user thinks
+// they're protected but they're not. Runs on both load paths.
+func TestLoadFromBytes_OPFSettings_RejectsUnknownCategory(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name    string
+		key     string
+		wantErr bool
+	}{
+		{"known_person", "private_person", false},
+		{"known_email", "private_email", false},
+		{"known_secret", "secret", false},
+		{"typo_peerson", "private_peerson", true},
+		{"unknown", "social_security_number", true},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			body := `{"redaction":{"openai_privacy_filter":{"categories":{"` + tc.key + `":true}}}}`
+			_, err := LoadFromBytes([]byte(body))
+			if tc.wantErr && err == nil {
+				t.Errorf("LoadFromBytes(%q): want error, got nil", tc.key)
+			}
+			if !tc.wantErr && err != nil {
+				t.Errorf("LoadFromBytes(%q): want nil, got %v", tc.key, err)
+			}
+		})
+	}
+}
+
+// TestLoadFromBytes_OPFSettings_RejectsOnFailureField pins down that the
+// dropped on_failure field is rejected by DisallowUnknownFields — there is
+// no warn-only fallback masquerading as fail-closed.
+func TestLoadFromBytes_OPFSettings_RejectsOnFailureField(t *testing.T) {
+	t.Parallel()
+	body := []byte(`{"redaction":{"openai_privacy_filter":{"enabled":true,"on_failure":"block"}}}`)
+	if _, err := LoadFromBytes(body); err == nil {
+		t.Error("LoadFromBytes with on_failure: want error from DisallowUnknownFields, got nil")
+	}
+}
+
+// TestLoadFromBytes_OPFSettings_PromptDefault covers parsing + validation
+// of the prompt_default field added for the pre-push prompt UX. Empty is
+// allowed (treated as "ask"); ask/always/never are the only valid values.
+func TestLoadFromBytes_OPFSettings_PromptDefault(t *testing.T) {
+	t.Parallel()
+	cases := []struct {
+		name    string
+		value   string
+		wantErr bool
+		wantVal string
+	}{
+		{name: "ask", value: `"ask"`, wantVal: "ask"},
+		{name: "always", value: `"always"`, wantVal: "always"},
+		{name: "never", value: `"never"`, wantVal: "never"},
+		{name: "empty_string_allowed_as_ask", value: `""`, wantVal: ""},
+		{name: "bogus_value_rejected", value: `"sometimes"`, wantErr: true},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			body := []byte(`{"redaction":{"openai_privacy_filter":{"prompt_default":` + tc.value + `}}}`)
+			s, err := LoadFromBytes(body)
+			if tc.wantErr {
+				if err == nil {
+					t.Fatalf("expected error for %q, got nil", tc.value)
+				}
+				return
+			}
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+			if s.Redaction == nil || s.Redaction.OpenAIPrivacyFilter == nil {
+				t.Fatal("OPF settings not parsed")
+			}
+			if got := s.Redaction.OpenAIPrivacyFilter.PromptDefault; got != tc.wantVal {
+				t.Errorf("PromptDefault = %q, want %q", got, tc.wantVal)
+			}
+		})
+	}
+}
+
+// TestLoadFromBytes_OPFSettings_Merge verifies override semantics for the
+// merge path (settings.local.json on top of settings.json): present fields
+// override, omitted fields preserve, categories merge per-key.
+func TestLoadFromBytes_OPFSettings_Merge(t *testing.T) {
+	t.Parallel()
+	base := []byte(`{"redaction":{"openai_privacy_filter":{"enabled":true,"categories":{"private_person":true,"secret":false}}}}`)
+	override := []byte(`{"redaction":{"openai_privacy_filter":{"categories":{"secret":true},"command":"/opt/opf"}}}`)
+
+	s, err := LoadFromBytes(base)
+	if err != nil {
+		t.Fatalf("base load: %v", err)
+	}
+	if err := mergeJSON(s, override); err != nil {
+		t.Fatalf("merge: %v", err)
+	}
+	opf := s.Redaction.OpenAIPrivacyFilter
+	if !opf.Enabled {
+		t.Error("Enabled: want preserved=true")
+	}
+	if !opf.Categories["private_person"] {
+		t.Error("Categories[private_person]: want preserved=true")
+	}
+	if !opf.Categories["secret"] {
+		t.Error("Categories[secret]: want override=true")
+	}
+	if opf.Command != "/opt/opf" {
+		t.Errorf("Command: want override /opt/opf, got %q", opf.Command)
+	}
+}
+
 func TestEntireSettings_ReviewRoundTrip(t *testing.T) {
 	t.Parallel()
 	raw := []byte(`{
diff --git a/cmd/entire/cli/strategy/cleanup.go b/cmd/entire/cli/strategy/cleanup.go
index 7284110e8..9aa6bca8a 100644
--- a/cmd/entire/cli/strategy/cleanup.go
+++ b/cmd/entire/cli/strategy/cleanup.go
@@ -118,6 +118,77 @@ func ListShadowBranches(ctx context.Context) ([]string, error) {
 	return shadowBranches, nil
 }
 
+// CleanupPushedShadowBranches deletes shadow branches whose sessions
+// have all ended cleanly (no active session referencing them, no
+// pending turn-checkpoints awaiting finalization). Intended to be
+// called only after a successful push so the caller knows any
+// condensed checkpoint data already reached the remote.
+//
+// Returns the count of branches deleted. Failures (e.g., one branch
+// fails to delete due to a stale lock) are logged but don't abort
+// the operation — remaining branches are still attempted.
+//
+// Safety properties:
+//   - Skips any shadow branch referenced by a session with EndedAt
+//     == nil (still active).
+//   - Skips any shadow branch whose session has TurnCheckpointIDs
+//     pending (mid-finalize race window).
+//   - Multiple sessions can share the same shadow branch (same base
+//     commit + worktree); ALL must satisfy the criteria above.
+//   - Shadow branches with no associated session state are deleted
+//     (no session to lose data from).
+func CleanupPushedShadowBranches(ctx context.Context) (int, error) {
+	branches, err := ListShadowBranches(ctx)
+	if err != nil {
+		return 0, fmt.Errorf("list shadow branches: %w", err)
+	}
+	if len(branches) == 0 {
+		return 0, nil
+	}
+
+	states, err := ListSessionStates(ctx)
+	if err != nil {
+		return 0, fmt.Errorf("list session states: %w", err)
+	}
+
+	// Build a set of shadow branch names that must be preserved
+	// because at least one session still depends on them.
+	protected := map[string]bool{}
+	for _, s := range states {
+		if s.EndedAt != nil && len(s.TurnCheckpointIDs) == 0 {
+			continue // safe — session ended cleanly and finalized
+		}
+		shadow := getShadowBranchNameForCommit(s.BaseCommit, s.WorktreeID)
+		protected[shadow] = true
+	}
+
+	var toDelete []string
+	for _, b := range branches {
+		if !protected[b] {
+			toDelete = append(toDelete, b)
+		}
+	}
+	if len(toDelete) == 0 {
+		return 0, nil
+	}
+
+	deleted, failed, delErr := DeleteShadowBranches(ctx, toDelete)
+	if delErr != nil {
+		// DeleteShadowBranches signature returns an error for future
+		// extensibility but currently always returns nil; log defensively.
+		logging.Warn(ctx, "shadow branch deletion reported error",
+			slog.String("error", delErr.Error()),
+		)
+	}
+	if len(failed) > 0 {
+		logging.Warn(ctx, "some shadow branches failed to delete during post-push cleanup",
+			slog.Int("failed_count", len(failed)),
+			slog.Int("deleted_count", len(deleted)),
+		)
+	}
+	return len(deleted), nil
+}
+
 // DeleteShadowBranches deletes the specified branches from the repository.
 // Returns two slices: successfully deleted branches and branches that failed to delete.
 // Individual branch deletion failures do not stop the operation - all branches are attempted.
diff --git a/cmd/entire/cli/strategy/cleanup_pushed_shadow_test.go b/cmd/entire/cli/strategy/cleanup_pushed_shadow_test.go
new file mode 100644
index 000000000..c088440d4
--- /dev/null
+++ b/cmd/entire/cli/strategy/cleanup_pushed_shadow_test.go
@@ -0,0 +1,140 @@
+package strategy
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/entireio/cli/cmd/entire/cli/checkpoint"
+	"github.com/entireio/cli/cmd/entire/cli/testutil"
+	"github.com/go-git/go-git/v6"
+	"github.com/go-git/go-git/v6/plumbing"
+	"github.com/stretchr/testify/require"
+)
+
+// shadowCleanupEnv bundles the setup needed for testing post-push shadow
+// branch cleanup: a git repo, a known base commit, and helpers to
+// create shadow refs + matching session states.
+type shadowCleanupEnv struct {
+	t        *testing.T
+	repo     *git.Repository
+	dir      string
+	baseHash plumbing.Hash
+}
+
+func newShadowCleanupEnv(t *testing.T) *shadowCleanupEnv {
+	t.Helper()
+	dir := t.TempDir()
+	testutil.InitRepo(t, dir)
+	repo, err := git.PlainOpen(dir)
+	require.NoError(t, err)
+	t.Chdir(dir)
+
+	emptyTree := plumbing.NewHash("4b825dc642cb6eb9a060e54bf8d69288fbee4904")
+	baseHash, err := checkpoint.CreateCommit(context.Background(), repo, emptyTree, plumbing.ZeroHash, "initial commit", "test", "test@test.com")
+	require.NoError(t, err)
+	headRef := plumbing.NewSymbolicReference(plumbing.HEAD, plumbing.NewBranchReferenceName("main"))
+	require.NoError(t, repo.Storer.SetReference(headRef))
+	require.NoError(t, repo.Storer.SetReference(plumbing.NewHashReference(plumbing.NewBranchReferenceName("main"), baseHash)))
+	return &shadowCleanupEnv{t: t, repo: repo, dir: dir, baseHash: baseHash}
+}
+
+// addShadowBranch creates a shadow branch for the given (base, worktreeID)
+// pair and returns its derived name.
+func (e *shadowCleanupEnv) addShadowBranch(baseCommit, worktreeID string) string {
+	e.t.Helper()
+	name := getShadowBranchNameForCommit(baseCommit, worktreeID)
+	require.NoError(e.t, e.repo.Storer.SetReference(
+		plumbing.NewHashReference(plumbing.NewBranchReferenceName(name), e.baseHash)))
+	return name
+}
+
+// addSessionState writes a session state file. If ended is non-nil the
+// session is treated as ended; pendingCheckpoints simulates the
+// mid-finalize race window.
+func (e *shadowCleanupEnv) addSessionState(sessionID, baseCommit, worktreeID string, ended *time.Time, pendingCheckpoints []string) {
+	e.t.Helper()
+	state := &SessionState{
+		SessionID:         sessionID,
+		BaseCommit:        baseCommit,
+		WorktreeID:        worktreeID,
+		StartedAt:         time.Now().Add(-time.Hour),
+		EndedAt:           ended,
+		TurnCheckpointIDs: pendingCheckpoints,
+	}
+	require.NoError(e.t, SaveSessionState(context.Background(), state))
+}
+
+func (e *shadowCleanupEnv) branchExists(name string) bool {
+	e.t.Helper()
+	_, err := e.repo.Reference(plumbing.NewBranchReferenceName(name), false)
+	return err == nil
+}
+
+// Predicate matrix: each shadow branch is paired with zero or more
+// session states; the cleanup must respect the safety rules (active
+// session OR pending turn checkpoints protect the branch; ended-clean
+// or orphaned branches are deleted).
+func TestCleanupPushedShadowBranches_Predicate(t *testing.T) {
+	ended := time.Now().Add(-time.Minute)
+	type sessionFixture struct {
+		id                string
+		ended             *time.Time
+		pendingCheckpoint []string
+	}
+	cases := []struct {
+		name        string
+		sessions    []sessionFixture
+		wantDeleted bool
+	}{
+		{name: "ended_no_pending_deleted", sessions: []sessionFixture{{id: "s1", ended: &ended}}, wantDeleted: true},
+		{name: "active_session_preserved", sessions: []sessionFixture{{id: "s1", ended: &ended}, {id: "s2", ended: nil}}, wantDeleted: false},
+		{name: "pending_turn_checkpoints_preserved", sessions: []sessionFixture{{id: "s1", ended: &ended, pendingCheckpoint: []string{"a1b2c3d4e5f6"}}}, wantDeleted: false},
+		{name: "orphaned_branch_no_sessions_deleted", sessions: nil, wantDeleted: true},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			env := newShadowCleanupEnv(t)
+			shadow := env.addShadowBranch(env.baseHash.String(), "")
+			for _, s := range tc.sessions {
+				env.addSessionState(s.id, env.baseHash.String(), "", s.ended, s.pendingCheckpoint)
+			}
+			deleted, err := CleanupPushedShadowBranches(context.Background())
+			require.NoError(t, err)
+			if tc.wantDeleted {
+				require.Equal(t, 1, deleted)
+				require.False(t, env.branchExists(shadow))
+			} else {
+				require.Equal(t, 0, deleted)
+				require.True(t, env.branchExists(shadow))
+			}
+		})
+	}
+}
+
+// Mixed: two shadow branches with different worktree IDs and different
+// session statuses. The cleanup must delete only the safe one.
+func TestCleanupPushedShadowBranches_MixedBranchesPartialDelete(t *testing.T) {
+	env := newShadowCleanupEnv(t)
+	preserved := env.addShadowBranch(env.baseHash.String(), "wt1")
+	deletable := env.addShadowBranch(env.baseHash.String(), "wt2")
+	ended := time.Now().Add(-time.Minute)
+	env.addSessionState("s-active", env.baseHash.String(), "wt1", nil, nil)
+	env.addSessionState("s-ended", env.baseHash.String(), "wt2", &ended, nil)
+
+	deleted, err := CleanupPushedShadowBranches(context.Background())
+	require.NoError(t, err)
+	require.Equal(t, 1, deleted)
+	require.True(t, env.branchExists(preserved))
+	require.False(t, env.branchExists(deletable))
+}
+
+// No shadow branches → no-op, no error.
+func TestCleanupPushedShadowBranches_NoBranches_NoOp(t *testing.T) {
+	env := newShadowCleanupEnv(t)
+	_ = env
+
+	deleted, err := CleanupPushedShadowBranches(context.Background())
+	require.NoError(t, err)
+	require.Equal(t, 0, deleted)
+}
diff --git a/cmd/entire/cli/strategy/common.go b/cmd/entire/cli/strategy/common.go
index f116ea09a..1cc2002b2 100644
--- a/cmd/entire/cli/strategy/common.go
+++ b/cmd/entire/cli/strategy/common.go
@@ -437,6 +437,17 @@ func EnsureRedactionConfigured() {
 				Packs:  packs,
 			})
 		}
+
+		// OpenAI Privacy Filter (opt-in 8th layer).
+		if s.Redaction != nil && s.Redaction.OpenAIPrivacyFilter != nil {
+			opf := s.Redaction.OpenAIPrivacyFilter
+			redact.ConfigurePrivacyFilter(redact.OPFConfig{
+				Enabled:    opf.Enabled,
+				Categories: opf.Categories,
+				Command:    opf.Command,
+				Timeout:    opf.TimeoutSeconds,
+			})
+		}
 	})
 }
 
diff --git a/cmd/entire/cli/strategy/condense_skip_test.go b/cmd/entire/cli/strategy/condense_skip_test.go
index e9f256518..fe59c6c4c 100644
--- a/cmd/entire/cli/strategy/condense_skip_test.go
+++ b/cmd/entire/cli/strategy/condense_skip_test.go
@@ -153,7 +153,7 @@ func TestCondenseSession_SkipsWhenNoOverlapAndRedactionFails(t *testing.T) {
 
 	// Force the redactor to fail so redactedTranscript ends up empty.
 	originalRedactor := redactSessionJSONLBytes
-	redactSessionJSONLBytes = func(_ []byte) (redact.RedactedBytes, error) {
+	redactSessionJSONLBytes = func(_ context.Context, _ []byte) (redact.RedactedBytes, error) {
 		return redact.RedactedBytes{}, errors.New("simulated redaction failure")
 	}
 	t.Cleanup(func() { redactSessionJSONLBytes = originalRedactor })
diff --git a/cmd/entire/cli/strategy/hooks.go b/cmd/entire/cli/strategy/hooks.go
index 415d04a9a..c6797d4f9 100644
--- a/cmd/entire/cli/strategy/hooks.go
+++ b/cmd/entire/cli/strategy/hooks.go
@@ -178,7 +178,25 @@ func buildHookSpecs(cmdPrefix string) []hookSpec {
 	commitMsgCmd := gitHookCommand(cmdPrefix, `commit-msg "$1" || true`, true)
 	postCommitCmd := gitHookCommand(cmdPrefix, `post-commit 2>/dev/null || true`, false)
 	postRewriteCmd := gitHookCommand(cmdPrefix, `post-rewrite "$1" 2>/dev/null || true`, false)
-	prePushCmd := gitHookCommand(cmdPrefix, `pre-push "$1" || true`, false)
+	// pre-push intentionally does NOT swallow exit codes — the OPF
+	// rewrite returns errors when it detects a privacy-critical
+	// condition (diverged remote, oversized bootstrap, CAS conflict,
+	// OPF runtime failure) and the user's git push must abort.
+	// Transient checkpoint-push failures (e.g. the
+	// entire/checkpoints/v1 push itself failing) are NOT returned
+	// from PrePush — they're logged and swallowed at the CLI level
+	// so they never reach this point as non-zero exits.
+	//
+	// Trade-off: an unrelated `entire` crash (segfault, panic in
+	// non-OPF code) ALSO aborts the user's push. This is the safer
+	// failure mode — we cannot distinguish from the shell's point of
+	// view whether a non-zero exit means "OPF declined to redact" or
+	// "entire crashed mid-rewrite", and silently letting potentially-
+	// unredacted content reach the remote would violate the contract
+	// the user opted into by enabling OPF. Users hit by unrelated
+	// bugs can `ENTIRE_OPF=no git push` for a one-off bypass while
+	// the bug is fixed.
+	prePushCmd := gitHookCommand(cmdPrefix, `pre-push "$1"`, false)
 
 	return []hookSpec{
 		{
diff --git a/cmd/entire/cli/strategy/manual_commit_condensation.go b/cmd/entire/cli/strategy/manual_commit_condensation.go
index 3ac3a81dd..32ee059e2 100644
--- a/cmd/entire/cli/strategy/manual_commit_condensation.go
+++ b/cmd/entire/cli/strategy/manual_commit_condensation.go
@@ -99,7 +99,18 @@ type condenseOpts struct {
 	allAgentFiles    map[string]struct{} // Union of all sessions' FilesTouched for cross-session exclusion (nil = single-session)
 }
 
-var redactSessionJSONLBytes = redact.JSONLBytes
+// redactSessionJSONLBytes runs the 7-layer redaction pipeline over a
+// session transcript at post-commit condensation. OPF is intentionally
+// NOT included here — it runs exclusively in the pre-push rewrite path
+// (strategy/manual_commit_opf_rewrite.go), which re-redacts the
+// 7-layer blobs and produces 8-layer commits before the push.
+//
+// Exposed as a var so tests can inject deterministic success/error
+// returns. The signature still takes a context so the var can be
+// re-wired to JSONLBytesWithPrivacyFilter from tests that need OPF.
+var redactSessionJSONLBytes = func(_ context.Context, b []byte) (redact.RedactedBytes, error) {
+	return redact.JSONLBytes(b)
+}
 
 // CondenseSession condenses a session's shadow branch to permanent storage.
 // checkpointID is the 12-hex-char value from the Entire-Checkpoint trailer.
@@ -217,6 +228,8 @@ func (s *ManualCommitStrategy) CondenseSession(ctx context.Context, repo *git.Re
 		summary = generateSummary(ctx, redactedTranscript, sessionData.FilesTouched, state)
 	}
 
+	// Post-commit emits 7-layer-only blobs. OPF runs later in the
+	// pre-push rewrite path, never here.
 	skillEvents := mergeSkillEvents(state.SkillEvents, withSkillEventTurnID(sessionData.SkillEvents, state.TurnID))
 
 	writeOpts := cpkg.WriteCommittedOptions{
@@ -340,7 +353,7 @@ func redactSessionTranscript(ctx context.Context, transcript []byte) (redact.Red
 		return redact.RedactedBytes{}, time.Since(start), nil
 	}
 
-	redacted, err := redactSessionJSONLBytes(transcript)
+	redacted, err := redactSessionJSONLBytes(ctx, transcript)
 	if err != nil {
 		span.RecordError(err)
 		return redact.RedactedBytes{}, time.Since(start), fmt.Errorf("failed to redact transcript secrets: %w", err)
diff --git a/cmd/entire/cli/strategy/manual_commit_hooks.go b/cmd/entire/cli/strategy/manual_commit_hooks.go
index 9d08a397a..a681931b4 100644
--- a/cmd/entire/cli/strategy/manual_commit_hooks.go
+++ b/cmd/entire/cli/strategy/manual_commit_hooks.go
@@ -2756,6 +2756,9 @@ func (s *ManualCommitStrategy) finalizeAllTurnCheckpoints(ctx context.Context, s
 	// (attribution, files touched, prompts). Hooks run without user interaction
 	// so there is no retry path — preserving partial metadata is better than
 	// losing everything. Persisting an unredacted transcript would be worse.
+	// Run the 7-layer pipeline over the transcript — OPF runs later in
+	// the pre-push rewrite path, which re-redacts these 7-layer blobs
+	// and produces 8-layer commits before the push goes out.
 	_, redactSpan := perf.Start(logCtx, "redact_transcript")
 	redactedTranscript, redactErr := redact.JSONLBytes(fullTranscript)
 	redactSpan.End()
@@ -2766,10 +2769,10 @@ func (s *ManualCommitStrategy) finalizeAllTurnCheckpoints(ctx context.Context, s
 		)
 		redactedTranscript = redact.RedactedBytes{}
 	}
-	for i, p := range prompts {
-		prompts[i] = redact.String(p)
-	}
 
+	// Post-commit emits 7-layer-only blobs; the writer joins + redacts
+	// via checkpoint.redactedJoinedPrompts. OPF runs later, once per
+	// push, in the pre-push rewrite path.
 	store := checkpoint.NewGitStore(repo)
 
 	precomputed := precomputeTranscriptBlobsForFinalize(logCtx, repo, redactedTranscript, state)
diff --git a/cmd/entire/cli/strategy/manual_commit_opf_prompt.go b/cmd/entire/cli/strategy/manual_commit_opf_prompt.go
new file mode 100644
index 000000000..c7d12cd77
--- /dev/null
+++ b/cmd/entire/cli/strategy/manual_commit_opf_prompt.go
@@ -0,0 +1,186 @@
+package strategy
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"log/slog"
+	"os"
+	"strings"
+
+	"charm.land/huh/v2"
+	"github.com/entireio/cli/cmd/entire/cli/interactive"
+	"github.com/entireio/cli/cmd/entire/cli/logging"
+	"github.com/entireio/cli/cmd/entire/cli/settings"
+)
+
+// OPFDecision is the resolved gate for a single pre-push OPF run.
+type OPFDecision int
+
+const (
+	OPFRun   OPFDecision = iota // run the rewrite, push 8-layer
+	OPFSkip                     // skip the rewrite, push 7-layer
+	OPFAbort                    // cancel the push entirely (Ctrl-C / non-TTY abort)
+)
+
+const envOPF = "ENTIRE_OPF"
+
+// resolveOPFDecision picks the run/skip/abort gate. Precedence (highest
+// first): ENTIRE_OPF env var → settings.PromptDefault → interactive
+// prompt → non-TTY fallback (run).
+//
+// Pure logic — prompter is only called when the user needs to decide.
+// Tests inject a fake.
+func resolveOPFDecision(env, promptDefault string, hasTTY bool, prompter func() (OPFDecision, error)) (OPFDecision, error) {
+	switch strings.ToLower(strings.TrimSpace(env)) {
+	case "yes":
+		return OPFRun, nil
+	case "no":
+		return OPFSkip, nil
+	}
+	switch strings.ToLower(strings.TrimSpace(promptDefault)) {
+	case settings.OPFPromptAlways:
+		return OPFRun, nil
+	case settings.OPFPromptNever:
+		return OPFSkip, nil
+	}
+	if !hasTTY {
+		// Non-interactive context: run OPF (matches the user's "if
+		// enabled, just run" preference). The caller emits a progress
+		// line at run time so scripted output isn't silent.
+		return OPFRun, nil
+	}
+	return prompter()
+}
+
+// resolveOPFDecisionForPrePush is the production wiring: reads env +
+// settings + TTY, calls askOPFPrompt when interactive, emits a stderr
+// progress line on the non-TTY auto-run path. errOut receives the
+// progress line (only printed when we'll actually run + the caller is
+// non-interactive).
+func resolveOPFDecisionForPrePush(ctx context.Context, opf *settings.OPFSettings, errOut io.Writer) (OPFDecision, error) {
+	hasTTY := interactive.CanPromptInteractively()
+	promptDefault := ""
+	if opf != nil {
+		promptDefault = opf.PromptDefault
+	}
+	d, err := resolveOPFDecision(
+		os.Getenv(envOPF),
+		promptDefault,
+		hasTTY,
+		func() (OPFDecision, error) { return askOPFPrompt(ctx, isAccessibleMode()) },
+	)
+	if err != nil {
+		return OPFAbort, err
+	}
+	if d == OPFRun && !hasTTY {
+		fmt.Fprintln(errOut, "→ OpenAI Privacy Filter: scanning checkpoints before push (may take ~30s)…")
+	}
+	return d, nil
+}
+
+// askOPFPrompt shows the 3-option huh form. Ctrl-C / SIGINT returns
+// OPFAbort. Selecting "Always" persists prompt_default=always to
+// .entire/settings.local.json so future pushes don't ask.
+//
+// Style matches other entire CLI prompts: Dracula theme via
+// huh.ThemeDracula (the same theme cli.NewAccessibleForm applies for
+// callers in the cli package). Strategy can't import cli (cycle), so
+// we apply the theme inline.
+func askOPFPrompt(ctx context.Context, accessible bool) (OPFDecision, error) {
+	const (
+		choiceYes    = "yes"
+		choiceNo     = "no"
+		choiceAlways = "always"
+	)
+	choice := choiceYes
+	form := huh.NewForm(
+		huh.NewGroup(
+			huh.NewSelect[string]().
+				Title("Run OpenAI Privacy Filter on these checkpoints?").
+				Description("Adds ~30s but redacts names/PII the regex layers can't catch. Ctrl-C to cancel the push.").
+				Options(
+					huh.NewOption("Yes — run OPF this push", choiceYes),
+					huh.NewOption("No — skip OPF, push as-is", choiceNo),
+					huh.NewOption("Always — run OPF on every push from now on", choiceAlways),
+				).
+				Value(&choice),
+		),
+	).WithTheme(huh.ThemeFunc(huh.ThemeDracula))
+	if accessible {
+		form = form.WithAccessible(true)
+	}
+	if err := form.RunWithContext(ctx); err != nil {
+		if errors.Is(err, huh.ErrUserAborted) {
+			return OPFAbort, nil
+		}
+		return OPFAbort, fmt.Errorf("opf prompt: %w", err)
+	}
+	if choice == choiceAlways {
+		if err := persistOPFPromptDefaultAlways(ctx); err != nil {
+			logging.Warn(ctx, "failed to persist OPF prompt_default=always",
+				slog.String("error", err.Error()))
+		}
+	}
+	if choice == choiceNo {
+		return OPFSkip, nil
+	}
+	return OPFRun, nil
+}
+
+// persistOPFPromptDefaultAlways writes
+// redaction.openai_privacy_filter.prompt_default = "always" to
+// .entire/settings.local.json, preserving any unrelated fields by
+// using a generic JSON-map round-trip.
+func persistOPFPromptDefaultAlways(ctx context.Context) error {
+	path, raw, _, err := settings.LoadLocalRaw(ctx)
+	if err != nil {
+		return fmt.Errorf("load local settings: %w", err)
+	}
+	if raw == nil {
+		raw = map[string]json.RawMessage{}
+	}
+	redactionRaw := readSubObject(raw, "redaction")
+	opfRaw := readSubObject(redactionRaw, "openai_privacy_filter")
+
+	val, err := json.Marshal(settings.OPFPromptAlways)
+	if err != nil {
+		return fmt.Errorf("marshal prompt_default: %w", err)
+	}
+	opfRaw["prompt_default"] = val
+
+	if err := writeSubObject(redactionRaw, "openai_privacy_filter", opfRaw); err != nil {
+		return err
+	}
+	if err := writeSubObject(raw, "redaction", redactionRaw); err != nil {
+		return err
+	}
+	if err := settings.SaveLocalRaw(path, raw); err != nil {
+		return fmt.Errorf("save local settings: %w", err)
+	}
+	return nil
+}
+
+func readSubObject(parent map[string]json.RawMessage, key string) map[string]json.RawMessage {
+	sub := map[string]json.RawMessage{}
+	data, ok := parent[key]
+	if !ok {
+		return sub
+	}
+	// Malformed sub-object → fresh map (we'll overwrite the slot).
+	if err := json.Unmarshal(data, &sub); err != nil {
+		return map[string]json.RawMessage{}
+	}
+	return sub
+}
+
+func writeSubObject(parent map[string]json.RawMessage, key string, sub map[string]json.RawMessage) error {
+	data, err := json.Marshal(sub)
+	if err != nil {
+		return fmt.Errorf("marshal %s: %w", key, err)
+	}
+	parent[key] = data
+	return nil
+}
diff --git a/cmd/entire/cli/strategy/manual_commit_opf_prompt_test.go b/cmd/entire/cli/strategy/manual_commit_opf_prompt_test.go
new file mode 100644
index 000000000..38fb76a04
--- /dev/null
+++ b/cmd/entire/cli/strategy/manual_commit_opf_prompt_test.go
@@ -0,0 +1,150 @@
+package strategy
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/entireio/cli/cmd/entire/cli/paths"
+	"github.com/entireio/cli/cmd/entire/cli/settings"
+	"github.com/stretchr/testify/require"
+)
+
+// resolveOPFDecision is the pure-logic core: env > settings > prompt >
+// non-TTY auto-run. Table-driven because every case is just a different
+// (env, setting, tty, prompter) input combination.
+func TestResolveOPFDecision_Precedence(t *testing.T) {
+	t.Parallel()
+
+	const promptCalled = OPFDecision(-1) // sentinel; only used when prompter fires
+	promptYes := func() (OPFDecision, error) { return OPFRun, nil }
+	promptNo := func() (OPFDecision, error) { return OPFSkip, nil }
+	promptAbort := func() (OPFDecision, error) { return OPFAbort, nil }
+	promptErr := func() (OPFDecision, error) { return OPFAbort, errors.New("boom") }
+	promptNever := func() (OPFDecision, error) {
+		t.Helper()
+		t.Fatal("prompter must not be called")
+		return promptCalled, nil
+	}
+
+	cases := []struct {
+		name           string
+		env            string
+		promptDefault  string
+		hasTTY         bool
+		prompter       func() (OPFDecision, error)
+		want           OPFDecision
+		wantErr        bool
+		wantErrMessage string
+	}{
+		// Env wins everywhere
+		{name: "env_yes_wins_over_setting_never", env: "yes", promptDefault: settings.OPFPromptNever, hasTTY: true, prompter: promptNever, want: OPFRun},
+		{name: "env_no_wins_over_setting_always", env: "no", promptDefault: settings.OPFPromptAlways, hasTTY: true, prompter: promptNever, want: OPFSkip},
+		{name: "env_yes_case_insensitive", env: "YES", promptDefault: "", hasTTY: false, prompter: promptNever, want: OPFRun},
+		{name: "env_no_with_whitespace", env: "  no  ", promptDefault: "", hasTTY: false, prompter: promptNever, want: OPFSkip},
+		// Setting wins over prompt
+		{name: "setting_always_skips_prompt", env: "", promptDefault: settings.OPFPromptAlways, hasTTY: true, prompter: promptNever, want: OPFRun},
+		{name: "setting_never_skips_prompt", env: "", promptDefault: settings.OPFPromptNever, hasTTY: true, prompter: promptNever, want: OPFSkip},
+		// Non-TTY fallback: run (matches the "if enabled, just run" semantics)
+		{name: "no_tty_auto_runs", env: "", promptDefault: "", hasTTY: false, prompter: promptNever, want: OPFRun},
+		{name: "no_tty_ignores_ask_setting", env: "", promptDefault: settings.OPFPromptAsk, hasTTY: false, prompter: promptNever, want: OPFRun},
+		// TTY + ask → prompter is called
+		{name: "tty_ask_user_chose_yes", env: "", promptDefault: settings.OPFPromptAsk, hasTTY: true, prompter: promptYes, want: OPFRun},
+		{name: "tty_ask_user_chose_no", env: "", promptDefault: settings.OPFPromptAsk, hasTTY: true, prompter: promptNo, want: OPFSkip},
+		{name: "tty_ask_user_aborted", env: "", promptDefault: settings.OPFPromptAsk, hasTTY: true, prompter: promptAbort, want: OPFAbort},
+		// TTY + empty setting == ask
+		{name: "tty_empty_setting_treated_as_ask", env: "", promptDefault: "", hasTTY: true, prompter: promptYes, want: OPFRun},
+		// Prompter errors propagate
+		{name: "prompter_error", env: "", promptDefault: "", hasTTY: true, prompter: promptErr, want: OPFAbort, wantErr: true, wantErrMessage: "boom"},
+		// Unrecognized env values fall through to next layer
+		{name: "env_bogus_falls_through_to_setting", env: "maybe", promptDefault: settings.OPFPromptAlways, hasTTY: true, prompter: promptNever, want: OPFRun},
+		{name: "env_empty_falls_through_to_setting", env: "", promptDefault: settings.OPFPromptAlways, hasTTY: true, prompter: promptNever, want: OPFRun},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			got, err := resolveOPFDecision(tc.env, tc.promptDefault, tc.hasTTY, tc.prompter)
+			if tc.wantErr {
+				require.Error(t, err)
+				if tc.wantErrMessage != "" {
+					require.Contains(t, err.Error(), tc.wantErrMessage)
+				}
+			} else {
+				require.NoError(t, err)
+			}
+			require.Equal(t, tc.want, got, "decision")
+		})
+	}
+}
+
+// TestPersistOPFPromptDefaultAlways_WritesNestedField verifies that the
+// "Always" branch updates redaction.openai_privacy_filter.prompt_default
+// in .entire/settings.local.json without disturbing other fields.
+//
+// Modifies process cwd (no t.Parallel), but uses t.Chdir so subsequent
+// tests see the reverted cwd.
+func TestPersistOPFPromptDefaultAlways_WritesNestedField(t *testing.T) {
+	tempDir := t.TempDir()
+	require.NoError(t, os.MkdirAll(filepath.Join(tempDir, paths.EntireDir), 0o755))
+	// Seed an existing settings.local.json with some unrelated content
+	// so we can verify it survives the write.
+	existing := `{
+  "enabled": true,
+  "redaction": {
+    "openai_privacy_filter": {
+      "categories": {"private_person": true}
+    }
+  }
+}`
+	localPath := filepath.Join(tempDir, paths.EntireDir, "settings.local.json")
+	require.NoError(t, os.WriteFile(localPath, []byte(existing), 0o644))
+	t.Chdir(tempDir)
+
+	require.NoError(t, persistOPFPromptDefaultAlways(context.Background()))
+
+	got, err := os.ReadFile(localPath)
+	require.NoError(t, err)
+
+	// Parse and verify structure: enabled stays true, categories stay,
+	// new prompt_default key present with "always".
+	var parsed struct {
+		Enabled   bool `json:"enabled"`
+		Redaction struct {
+			OPF struct {
+				Categories    map[string]bool `json:"categories"`
+				PromptDefault string          `json:"prompt_default"`
+			} `json:"openai_privacy_filter"`
+		} `json:"redaction"`
+	}
+	require.NoError(t, json.Unmarshal(got, &parsed))
+	require.True(t, parsed.Enabled, "existing enabled field must survive")
+	require.True(t, parsed.Redaction.OPF.Categories["private_person"], "existing categories must survive")
+	require.Equal(t, settings.OPFPromptAlways, parsed.Redaction.OPF.PromptDefault)
+}
+
+// TestPersistOPFPromptDefaultAlways_CreatesFileFromScratch covers the
+// fresh-install path where .entire/settings.local.json doesn't exist yet.
+func TestPersistOPFPromptDefaultAlways_CreatesFileFromScratch(t *testing.T) {
+	tempDir := t.TempDir()
+	require.NoError(t, os.MkdirAll(filepath.Join(tempDir, paths.EntireDir), 0o755))
+	t.Chdir(tempDir)
+
+	require.NoError(t, persistOPFPromptDefaultAlways(context.Background()))
+
+	localPath := filepath.Join(tempDir, paths.EntireDir, "settings.local.json")
+	got, err := os.ReadFile(localPath)
+	require.NoError(t, err, "settings.local.json should be created")
+
+	var parsed struct {
+		Redaction struct {
+			OPF struct {
+				PromptDefault string `json:"prompt_default"`
+			} `json:"openai_privacy_filter"`
+		} `json:"redaction"`
+	}
+	require.NoError(t, json.Unmarshal(got, &parsed))
+	require.Equal(t, settings.OPFPromptAlways, parsed.Redaction.OPF.PromptDefault)
+}
diff --git a/cmd/entire/cli/strategy/manual_commit_opf_rewrite.go b/cmd/entire/cli/strategy/manual_commit_opf_rewrite.go
new file mode 100644
index 000000000..a03b85713
--- /dev/null
+++ b/cmd/entire/cli/strategy/manual_commit_opf_rewrite.go
@@ -0,0 +1,568 @@
+// Pre-push OPF rewrite for entire/checkpoints/v1.
+//
+// This is the ONLY production code path that runs the OPF-augmented
+// redaction entry points. Post-commit condensation stays on 7-layer
+// for predictable latency; OPF runs here, once per push, after the
+// user opted in via settings.
+package strategy
+
+import (
+	"context"
+	"crypto/sha256"
+	"errors"
+	"fmt"
+	"io"
+	"log/slog"
+	"math"
+	"os"
+	"strconv"
+	"strings"
+
+	"github.com/entireio/cli/cmd/entire/cli/checkpoint"
+	"github.com/entireio/cli/cmd/entire/cli/checkpoint/remote"
+	"github.com/entireio/cli/cmd/entire/cli/logging"
+	"github.com/entireio/cli/cmd/entire/cli/paths"
+	"github.com/entireio/cli/cmd/entire/cli/trailers"
+	"github.com/entireio/cli/redact"
+	"github.com/go-git/go-git/v6"
+	"github.com/go-git/go-git/v6/plumbing"
+	"github.com/go-git/go-git/v6/plumbing/filemode"
+	"github.com/go-git/go-git/v6/plumbing/object"
+	"github.com/go-git/go-git/v6/storage"
+)
+
+// V1DivergedError: local entire/checkpoints/v1 has commits that aren't
+// ancestors of the remote tip (force-push or another machine pushed).
+// Rewriting under divergence would silently rebase rejected work, so
+// we refuse.
+type V1DivergedError struct {
+	Local, Remote, MergeBase plumbing.Hash
+}
+
+func (e *V1DivergedError) Error() string {
+	return fmt.Sprintf("entire/checkpoints/v1 has diverged from remote (local=%s remote=%s merge_base=%s); "+
+		"fetch the remote and either reset entire/checkpoints/v1 to <remote>/entire/checkpoints/v1 "+
+		"or run `entire doctor --recover-v1` before pushing",
+		e.Local.String()[:7], e.Remote.String()[:7], e.MergeBase.String()[:7])
+}
+
+// BootstrapTooLargeError: first push to a remote with no v1 yet, but
+// more unpushed commits than the safety cap. OPF inference is ~30s per
+// commit, so unbounded bootstraps could take hours.
+type BootstrapTooLargeError struct {
+	Count, Limit int
+}
+
+func (e *BootstrapTooLargeError) Error() string {
+	return fmt.Sprintf("OPF bootstrap would rewrite %d entire/checkpoints/v1 commits "+
+		"(limit %d). Set ENTIRE_OPF_BOOTSTRAP_LIMIT=<N> or =unlimited to override, "+
+		"or push without OPF (ENTIRE_OPF=no git push) to bring the remote into sync first",
+		e.Count, e.Limit)
+}
+
+// V1RefMovedError: another worktree advanced the local ref during our
+// rewrite (CAS conflict). Orphan rewritten objects sit in .git/objects
+// until git gc --prune; no manual cleanup needed.
+type V1RefMovedError struct {
+	Expected, Actual plumbing.Hash
+}
+
+func (e *V1RefMovedError) Error() string {
+	return fmt.Sprintf("entire/checkpoints/v1 moved during OPF rewrite "+
+		"(expected %s, found %s); another local worktree advanced the ref "+
+		"mid-rewrite — re-run `git push` (no fetch needed; the move was local)",
+		e.Expected.String()[:7], e.Actual.String()[:7])
+}
+
+// OPFRuntimeFailedError: the OPF circuit breaker tripped mid-rewrite.
+// Some blobs were silently downgraded to 7-layer; tagging those commits
+// as Entire-OPF-Applied would be a privacy regression (future pushes
+// would skip them while their content is 7-layer-only). Abort before
+// CAS so the user fixes their OPF install and retries.
+type OPFRuntimeFailedError struct {
+	OPFCommand string
+}
+
+func (e *OPFRuntimeFailedError) Error() string {
+	return fmt.Sprintf("OPF runtime failed during pre-push rewrite (command=%q); "+
+		"aborting push so 7-layer content isn't tagged as 8-layer-applied. "+
+		"Run `%s --help` to verify your OPF install, then retry. Or set "+
+		"ENTIRE_OPF=no on the push to skip OPF for this push only.",
+		e.OPFCommand, e.OPFCommand)
+}
+
+const (
+	// bootstrapDefaultLimit caps first-push history rewrites. Picked
+	// to bound worst-case wall-clock at ~50min @ 30s/commit.
+	bootstrapDefaultLimit = 100
+	bootstrapEnvVar       = "ENTIRE_OPF_BOOTSTRAP_LIMIT"
+)
+
+func resolveBootstrapLimit() int {
+	v := strings.TrimSpace(os.Getenv(bootstrapEnvVar))
+	switch {
+	case v == "":
+		return bootstrapDefaultLimit
+	case strings.EqualFold(v, "unlimited"):
+		return math.MaxInt32
+	}
+	if n, err := strconv.Atoi(v); err == nil && n > 0 {
+		return n
+	}
+	return bootstrapDefaultLimit
+}
+
+// RewriteUnpushedV1WithOPF re-redacts unpushed entire/checkpoints/v1
+// commits with OPF, builds new commits carrying Entire-OPF-Applied:
+// true, and CAS-updates the local ref. Idempotent: already-applied
+// commits are re-parented without re-running OPF.
+//
+// Caller checks redact.OPFEnabled() and skips this when OPF is off.
+// Returns one of {V1DivergedError, BootstrapTooLargeError,
+// V1RefMovedError, OPFRuntimeFailedError} for privacy-critical
+// failures — the pre-push hook propagates these so git push aborts.
+func RewriteUnpushedV1WithOPF(ctx context.Context, repo *git.Repository, target string) (plumbing.Hash, error) {
+	localTip, err := readV1Tip(repo, plumbing.NewBranchReferenceName(paths.MetadataBranchName))
+	if err != nil {
+		return plumbing.ZeroHash, fmt.Errorf("read local v1: %w", err)
+	}
+	if localTip.IsZero() {
+		return plumbing.ZeroHash, nil // no checkpoints yet
+	}
+	remoteTip, err := resolveRemoteV1Tip(ctx, repo, target)
+	if err != nil {
+		return plumbing.ZeroHash, fmt.Errorf("read remote v1: %w", err)
+	}
+
+	if !remoteTip.IsZero() {
+		mergeBase, mbErr := computeMergeBase(repo, localTip, remoteTip)
+		if mbErr != nil {
+			return plumbing.ZeroHash, fmt.Errorf("compute merge-base: %w", mbErr)
+		}
+		if mergeBase != remoteTip {
+			return plumbing.ZeroHash, &V1DivergedError{Local: localTip, Remote: remoteTip, MergeBase: mergeBase}
+		}
+	}
+
+	unpushed, err := listUnpushedV1Commits(repo, localTip, remoteTip)
+	if err != nil {
+		return plumbing.ZeroHash, fmt.Errorf("list unpushed v1 commits: %w", err)
+	}
+	if len(unpushed) == 0 {
+		return localTip, nil
+	}
+	if remoteTip.IsZero() {
+		if limit := resolveBootstrapLimit(); len(unpushed) > limit {
+			return plumbing.ZeroHash, &BootstrapTooLargeError{Count: len(unpushed), Limit: limit}
+		}
+	}
+
+	parent := remoteTip
+	for _, c := range unpushed {
+		newHash, err := rebuildV1Commit(ctx, repo, c, parent)
+		if err != nil {
+			return plumbing.ZeroHash, fmt.Errorf("rebuild commit %s: %w", c.Hash.String()[:7], err)
+		}
+		parent = newHash
+	}
+
+	// Fail-closed: if OPF tripped its breaker mid-rewrite, some blobs
+	// got 7-layer fallback. Don't CAS — the orphan commits get GC'd.
+	if redact.OPFBreakerTripped() {
+		return plumbing.ZeroHash, &OPFRuntimeFailedError{OPFCommand: redact.OPFCommand()}
+	}
+	if err := atomicSetV1Ref(repo, localTip, parent); err != nil {
+		return plumbing.ZeroHash, err
+	}
+	return parent, nil
+}
+
+func readV1Tip(repo *git.Repository, refName plumbing.ReferenceName) (plumbing.Hash, error) {
+	ref, err := repo.Reference(refName, true)
+	if err != nil {
+		if errors.Is(err, plumbing.ErrReferenceNotFound) {
+			return plumbing.ZeroHash, nil
+		}
+		return plumbing.ZeroHash, fmt.Errorf("resolve ref %s: %w", refName, err)
+	}
+	return ref.Hash(), nil
+}
+
+// opfRewriteFetchTmpRef is the temp ref used to stage the URL-fetched
+// remote v1 tip during OPF rewrite. Cleaned up at the end of each
+// resolveRemoteV1Tip call so the tracking is invisible to the user.
+const opfRewriteFetchTmpRef = FetchTmpRefPrefix + "opf-rewrite-v1"
+
+// resolveRemoteV1Tip returns the hash of the remote's
+// entire/checkpoints/v1 tip.
+//
+// When target is a remote name (e.g., "origin"), looks up the local
+// tracking ref `refs/remotes/<target>/entire/checkpoints/v1`. When
+// target is a URL (checkpoint_remote configured), fetches the v1 ref
+// from the URL into a temporary local ref so the rewrite can see what's
+// already on the remote — otherwise every push would re-redact the
+// entire history as a "bootstrap" since URL-based remotes have no
+// tracking refs locally.
+//
+// Returns ZeroHash with no error when the remote has no v1 yet (genuine
+// bootstrap case). Fetch failures fall back to ZeroHash + a warning
+// log; the rewrite then treats the push as bootstrap rather than
+// blocking the user on a transient network issue.
+func resolveRemoteV1Tip(ctx context.Context, repo *git.Repository, target string) (plumbing.Hash, error) {
+	if !remote.IsURL(target) {
+		return readV1Tip(repo, plumbing.NewRemoteReferenceName(target, paths.MetadataBranchName))
+	}
+	srcRef := "refs/heads/" + paths.MetadataBranchName
+	if err := fetchURLIntoTmpRef(ctx, target, srcRef, opfRewriteFetchTmpRef, "v1 for OPF rewrite", true); err != nil {
+		logging.Warn(ctx, "OPF rewrite: failed to fetch remote v1 from URL; treating push as bootstrap",
+			slog.String("error", err.Error()),
+		)
+		return plumbing.ZeroHash, nil
+	}
+	defer func() {
+		if err := repo.Storer.RemoveReference(plumbing.ReferenceName(opfRewriteFetchTmpRef)); err != nil {
+			logging.Debug(ctx, "OPF rewrite: failed to clean up temp ref",
+				slog.String("error", err.Error()),
+			)
+		}
+	}()
+	ref, err := repo.Reference(plumbing.ReferenceName(opfRewriteFetchTmpRef), true)
+	if err != nil {
+		if errors.Is(err, plumbing.ErrReferenceNotFound) {
+			return plumbing.ZeroHash, nil
+		}
+		return plumbing.ZeroHash, fmt.Errorf("resolve fetched v1 ref: %w", err)
+	}
+	return ref.Hash(), nil
+}
+
+// computeMergeBase returns the merge-base commit hash. Multi-base
+// (criss-cross) and unrelated-histories both return ZeroHash —
+// caller treats those as diverged.
+func computeMergeBase(repo *git.Repository, local, remote plumbing.Hash) (plumbing.Hash, error) {
+	lc, err := repo.CommitObject(local)
+	if err != nil {
+		return plumbing.ZeroHash, fmt.Errorf("load local commit: %w", err)
+	}
+	rc, err := repo.CommitObject(remote)
+	if err != nil {
+		return plumbing.ZeroHash, fmt.Errorf("load remote commit: %w", err)
+	}
+	bases, err := lc.MergeBase(rc)
+	if err != nil {
+		return plumbing.ZeroHash, fmt.Errorf("merge-base: %w", err)
+	}
+	if len(bases) != 1 {
+		return plumbing.ZeroHash, nil
+	}
+	return bases[0].Hash, nil
+}
+
+// listUnpushedV1Commits returns commits reachable from localTip but not
+// remoteTip, in graph order (oldest-first). Graph order matters more
+// than timestamp order — commits made in rapid succession can share
+// Author.When; the parent chain is the unambiguous truth.
+//
+// Optimization: the caller (RewriteUnpushedV1WithOPF) has already
+// validated that remoteTip is the unique merge-base of local and
+// remote, which means v1 is linear and remoteTip is an ancestor of
+// localTip. So walking back from localTip, the FIRST commit we hit
+// whose hash equals remoteTip is the boundary — no need to pre-build
+// a full remote-reachability set. This drops the cost from
+// O(local + remote history) to O(unpushed) per call.
+func listUnpushedV1Commits(repo *git.Repository, localTip, remoteTip plumbing.Hash) ([]*object.Commit, error) {
+	iter, err := repo.Log(&git.LogOptions{From: localTip})
+	if err != nil {
+		return nil, fmt.Errorf("log local tip: %w", err)
+	}
+	defer iter.Close()
+
+	var unpushed []*object.Commit
+	if walkErr := iter.ForEach(func(c *object.Commit) error {
+		if !remoteTip.IsZero() && c.Hash == remoteTip {
+			return errStop
+		}
+		unpushed = append(unpushed, c)
+		return nil
+	}); walkErr != nil && !errors.Is(walkErr, errStop) {
+		return nil, fmt.Errorf("walk local v1 history: %w", walkErr)
+	}
+	// reverse for oldest-first
+	for i, j := 0, len(unpushed)-1; i < j; i, j = i+1, j-1 {
+		unpushed[i], unpushed[j] = unpushed[j], unpushed[i]
+	}
+	return unpushed, nil
+}
+
+// rebuildV1Commit re-parents the commit onto parent. Already-applied
+// commits keep their tree (idempotent); unapplied commits get an
+// OPF-redacted tree + Entire-OPF-Applied: true trailer.
+//
+// Performance: we only redact files inside THIS commit's shard
+// (sharded layout: <id[:2]>/<id[2:]>/*). Files outside that shard live
+// at the same tree because git trees accumulate parent content — they
+// belong to other commits and either are already redacted (prior
+// OPF-applied push) or never will be (this user opted out then in).
+// Walking them every push is O(N×commits) work for no privacy gain.
+func rebuildV1Commit(ctx context.Context, repo *git.Repository, oldCommit *object.Commit, parent plumbing.Hash) (plumbing.Hash, error) {
+	newTree := oldCommit.TreeHash
+	if !trailers.HasOPFApplied(oldCommit.Message) {
+		tree, err := repo.TreeObject(oldCommit.TreeHash)
+		if err != nil {
+			return plumbing.ZeroHash, fmt.Errorf("load tree: %w", err)
+		}
+		// Parse the shard path from the commit subject. Falls back to
+		// "" (walk everything) for bootstrap commits and unrecognized
+		// subjects — the conservative default still produces correct
+		// output, just slower.
+		shardPath := parseShardPathFromCommitMessage(oldCommit.Message)
+		newTree, err = rebuildTreeWithOPF(ctx, repo, tree, "", shardPath)
+		if err != nil {
+			return plumbing.ZeroHash, err
+		}
+	}
+
+	parents := []plumbing.Hash{}
+	if !parent.IsZero() {
+		parents = append(parents, parent)
+	}
+	c := &object.Commit{
+		Author:       oldCommit.Author,
+		Committer:    oldCommit.Committer,
+		Message:      trailers.AppendOPFAppliedTrailer(oldCommit.Message),
+		TreeHash:     newTree,
+		ParentHashes: parents,
+	}
+	// Sign the rewritten commit when commit signing is enabled, matching
+	// every other commit-construction site in this package (common.go,
+	// metadata_reconcile.go, push_common.go). Without this, a user who
+	// has signed checkpoint commits would see the rewrite produce
+	// unsigned commits — silently degrading their integrity story.
+	checkpoint.SignCommitBestEffort(ctx, c)
+	obj := repo.Storer.NewEncodedObject()
+	if err := c.Encode(obj); err != nil {
+		return plumbing.ZeroHash, fmt.Errorf("encode commit: %w", err)
+	}
+	hash, err := repo.Storer.SetEncodedObject(obj)
+	if err != nil {
+		return plumbing.ZeroHash, fmt.Errorf("store commit: %w", err)
+	}
+	return hash, nil
+}
+
+// parseShardPathFromCommitMessage extracts the sharded path
+// "<id[:2]>/<id[2:]>" from a "Checkpoint: <id>" subject line.
+// Returns "" when the subject doesn't match (bootstrap commits, or
+// historical commits with a different format) — callers walk the
+// whole tree in that case.
+func parseShardPathFromCommitMessage(message string) string {
+	firstLine, _, _ := strings.Cut(message, "\n")
+	const prefix = "Checkpoint: "
+	if !strings.HasPrefix(firstLine, prefix) {
+		return ""
+	}
+	id := strings.TrimSpace(firstLine[len(prefix):])
+	if len(id) != 12 {
+		return ""
+	}
+	for _, c := range id {
+		if (c < '0' || c > '9') && (c < 'a' || c > 'f') {
+			return ""
+		}
+	}
+	return id[:2] + "/" + id[2:]
+}
+
+// rebuildTreeWithOPF walks a tree and produces a new tree with
+// OPF-redacted file blobs. content_hash.txt files are recomputed in a
+// second pass against the new full.jsonl in the same directory.
+//
+// shardPath scopes the walk: only files at paths starting with
+// shardPath get redacted; other shards (and the root-level entries
+// outside the shard) are copied verbatim. Empty shardPath means walk
+// everything (used for bootstrap/unknown-subject commits).
+//
+// Path-specific behavior (when in the target shard):
+//   - content_hash.txt → SHA256 of the sibling full.jsonl's new bytes
+//     (deferred; not redacted itself)
+//   - everything else → redacted via checkpoint.RedactBlobBytes (OPF on).
+//     The fail-closed policy intentionally redacts ANY regular file
+//     inside the shard, not just a closed allowlist of suffixes — a
+//     future blob type (e.g. .md prose, agent dumps, no-extension
+//     transcript blobs) is redacted by default rather than slipping
+//     through. RedactBlobBytes itself dispatches: .jsonl/.json get
+//     JSON-aware leaf redaction (so free-form fields like Summary.Intent
+//     / ReviewPrompt are scrubbed); other files get byte redaction. The
+//     has-space gate inside OPF naturally excludes binary blobs from
+//     paying the model cost.
+func rebuildTreeWithOPF(ctx context.Context, repo *git.Repository, tree *object.Tree, pathPrefix, shardPath string) (plumbing.Hash, error) {
+	entries := make([]object.TreeEntry, 0, len(tree.Entries))
+	// deferredHashes records indexes of content_hash.txt entries we
+	// need to recompute after the full.jsonl in the same dir is built.
+	type deferred struct {
+		idx       int
+		entryName string
+		entryMode filemode.FileMode
+	}
+	var deferredHashes []deferred
+	var newFullJSONLHash plumbing.Hash
+
+	for _, e := range tree.Entries {
+		switch e.Mode { //nolint:exhaustive // non-tree/blob modes fall through to copy
+		case filemode.Dir:
+			subPath := e.Name
+			if pathPrefix != "" {
+				subPath = pathPrefix + "/" + e.Name
+			}
+			// Shard-scoping: only descend into directories that lead
+			// to the target shard, the shard itself, or its
+			// descendants. Other shard subtrees stay byte-identical.
+			if !shouldDescend(subPath, shardPath) {
+				entries = append(entries, e)
+				continue
+			}
+			subTree, err := repo.TreeObject(e.Hash)
+			if err != nil {
+				return plumbing.ZeroHash, fmt.Errorf("load subtree %s/%s: %w", pathPrefix, e.Name, err)
+			}
+			newSub, err := rebuildTreeWithOPF(ctx, repo, subTree, subPath, shardPath)
+			if err != nil {
+				return plumbing.ZeroHash, err
+			}
+			entries = append(entries, object.TreeEntry{Name: e.Name, Mode: e.Mode, Hash: newSub})
+
+		case filemode.Regular, filemode.Executable:
+			// Outside the target shard: copy verbatim. Inside (or when
+			// shardPath is empty for the bootstrap fallback): redact
+			// per file type.
+			if !insideShard(pathPrefix, shardPath) {
+				entries = append(entries, e)
+				continue
+			}
+			switch e.Name {
+			case paths.ContentHashFileName:
+				deferredHashes = append(deferredHashes, deferred{idx: len(entries), entryName: e.Name, entryMode: e.Mode})
+				entries = append(entries, e) // placeholder; fixed in second pass
+			default:
+				content, err := readBlob(repo, e.Hash)
+				if err != nil {
+					return plumbing.ZeroHash, fmt.Errorf("read blob %s/%s: %w", pathPrefix, e.Name, err)
+				}
+				newBytes := checkpoint.RedactBlobBytes(ctx, content, e.Name, true)
+				newHash, err := checkpoint.CreateBlobFromContent(repo, newBytes)
+				if err != nil {
+					return plumbing.ZeroHash, fmt.Errorf("write redacted blob %s/%s: %w", pathPrefix, e.Name, err)
+				}
+				entries = append(entries, object.TreeEntry{Name: e.Name, Mode: e.Mode, Hash: newHash})
+				if e.Name == paths.TranscriptFileName {
+					newFullJSONLHash = newHash
+				}
+			}
+		default:
+			entries = append(entries, e)
+		}
+	}
+
+	for _, d := range deferredHashes {
+		if newFullJSONLHash.IsZero() {
+			continue // no transcript in this dir; keep original hash
+		}
+		jsonlBytes, err := readBlob(repo, newFullJSONLHash)
+		if err != nil {
+			return plumbing.ZeroHash, fmt.Errorf("read new transcript for content_hash: %w", err)
+		}
+		sum := sha256.Sum256(jsonlBytes)
+		hashBlob, err := checkpoint.CreateBlobFromContent(repo, []byte(fmt.Sprintf("sha256:%x", sum)))
+		if err != nil {
+			return plumbing.ZeroHash, fmt.Errorf("write content_hash: %w", err)
+		}
+		entries[d.idx] = object.TreeEntry{Name: d.entryName, Mode: d.entryMode, Hash: hashBlob}
+	}
+
+	newTree := &object.Tree{Entries: entries}
+	obj := repo.Storer.NewEncodedObject()
+	if err := newTree.Encode(obj); err != nil {
+		return plumbing.ZeroHash, fmt.Errorf("encode tree: %w", err)
+	}
+	hash, err := repo.Storer.SetEncodedObject(obj)
+	if err != nil {
+		return plumbing.ZeroHash, fmt.Errorf("store tree: %w", err)
+	}
+	return hash, nil
+}
+
+// shouldDescend reports whether the walker should recurse into a
+// directory at path. With an empty shardPath we descend everywhere
+// (bootstrap fallback). Otherwise we descend only into the target
+// shard, its ancestors (so we can reach it), and its descendants.
+func shouldDescend(path, shardPath string) bool {
+	if shardPath == "" || path == "" {
+		// shardPath="" means "no scoping" (bootstrap fallback);
+		// path=="" is the root, which is the ancestor of every shard.
+		return true
+	}
+	if path == shardPath {
+		return true
+	}
+	// ancestor of shardPath: shardPath starts with path + "/"
+	if strings.HasPrefix(shardPath+"/", path+"/") {
+		return true
+	}
+	// descendant of shardPath: path starts with shardPath + "/"
+	return strings.HasPrefix(path+"/", shardPath+"/")
+}
+
+// insideShard reports whether file blobs at pathPrefix should be
+// redacted. Empty shardPath means "redact everywhere"; otherwise the
+// path must equal shardPath or be a descendant of it.
+func insideShard(pathPrefix, shardPath string) bool {
+	if shardPath == "" {
+		return true
+	}
+	if pathPrefix == shardPath {
+		return true
+	}
+	return strings.HasPrefix(pathPrefix+"/", shardPath+"/")
+}
+
+func readBlob(repo *git.Repository, hash plumbing.Hash) ([]byte, error) {
+	blob, err := repo.BlobObject(hash)
+	if err != nil {
+		return nil, fmt.Errorf("blob: %w", err)
+	}
+	r, err := blob.Reader()
+	if err != nil {
+		return nil, fmt.Errorf("blob reader: %w", err)
+	}
+	defer func() { _ = r.Close() }()
+	data, err := io.ReadAll(r)
+	if err != nil {
+		return nil, fmt.Errorf("blob read: %w", err)
+	}
+	return data, nil
+}
+
+// atomicSetV1Ref CAS-updates the local v1 ref. A concrete
+// ErrReferenceHasChanged from the storer means another worktree
+// advanced the ref during our rewrite — return V1RefMovedError so the
+// hook aborts the push. Other errors (I/O, packed-ref locks, storage
+// bugs) get wrapped as-is so they aren't misreported as concurrency
+// failures.
+func atomicSetV1Ref(repo *git.Repository, expectedOld, newHash plumbing.Hash) error {
+	refName := plumbing.NewBranchReferenceName(paths.MetadataBranchName)
+	err := repo.Storer.CheckAndSetReference(
+		plumbing.NewHashReference(refName, newHash),
+		plumbing.NewHashReference(refName, expectedOld),
+	)
+	if err == nil {
+		return nil
+	}
+	if errors.Is(err, storage.ErrReferenceHasChanged) {
+		actual := plumbing.ZeroHash
+		if cur, refErr := repo.Reference(refName, true); refErr == nil {
+			actual = cur.Hash()
+		}
+		return &V1RefMovedError{Expected: expectedOld, Actual: actual}
+	}
+	return fmt.Errorf("set v1 ref: %w", err)
+}
diff --git a/cmd/entire/cli/strategy/manual_commit_opf_rewrite_test.go b/cmd/entire/cli/strategy/manual_commit_opf_rewrite_test.go
new file mode 100644
index 000000000..358f4771c
--- /dev/null
+++ b/cmd/entire/cli/strategy/manual_commit_opf_rewrite_test.go
@@ -0,0 +1,477 @@
+package strategy
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/entireio/cli/cmd/entire/cli/checkpoint"
+	"github.com/entireio/cli/cmd/entire/cli/checkpoint/id"
+	"github.com/entireio/cli/cmd/entire/cli/paths"
+	"github.com/entireio/cli/cmd/entire/cli/testutil"
+	"github.com/entireio/cli/cmd/entire/cli/trailers"
+	"github.com/entireio/cli/redact"
+	"github.com/go-git/go-git/v6"
+	"github.com/go-git/go-git/v6/plumbing"
+	"github.com/go-git/go-git/v6/plumbing/filemode"
+	"github.com/go-git/go-git/v6/plumbing/object"
+	"github.com/stretchr/testify/require"
+)
+
+// fakeOPFForRewrite tags any occurrence of "PERSONABC" as private_person.
+// Deterministic + offline; real OPF inference is not needed to exercise
+// the rewrite plumbing.
+type fakeOPFForRewrite struct{}
+
+func (f *fakeOPFForRewrite) Redact(_ context.Context, text string, _ []string) ([]redact.Span, error) {
+	return findSentinelSpans(text), nil
+}
+
+func (f *fakeOPFForRewrite) RedactBatch(_ context.Context, inputs []string, _ []string) ([][]redact.Span, error) {
+	out := make([][]redact.Span, len(inputs))
+	for i, in := range inputs {
+		out[i] = findSentinelSpans(in)
+	}
+	return out, nil
+}
+
+func findSentinelSpans(s string) []redact.Span {
+	const sentinel = "PERSONABC"
+	var spans []redact.Span
+	for idx := 0; ; {
+		hit := strings.Index(s[idx:], sentinel)
+		if hit < 0 {
+			break
+		}
+		start := idx + hit
+		end := start + len(sentinel)
+		spans = append(spans, redact.Span{Start: start, End: end, Label: "private_person"})
+		idx = end
+	}
+	return spans
+}
+
+// fakeRuntimeAlwaysFails trips the OPF circuit breaker on first call.
+// Used to test the fail-closed assertion that breaker-trip during
+// rewrite aborts before CAS.
+type fakeRuntimeAlwaysFails struct{}
+
+func (f *fakeRuntimeAlwaysFails) Redact(_ context.Context, _ string, _ []string) ([]redact.Span, error) {
+	return nil, errors.New("simulated OPF runtime failure")
+}
+func (f *fakeRuntimeAlwaysFails) RedactBatch(_ context.Context, _ []string, _ []string) ([][]redact.Span, error) {
+	return nil, errors.New("simulated OPF runtime failure")
+}
+
+// testOPFRuntime is the structural interface the redact package's
+// ConfigurePrivacyFilterWithRuntime accepts. Mirrors redact.opfRuntime
+// (unexported, can't be named directly from this package).
+type testOPFRuntime interface {
+	Redact(ctx context.Context, text string, categories []string) ([]redact.Span, error)
+	RedactBatch(ctx context.Context, inputs []string, categories []string) ([][]redact.Span, error)
+}
+
+// configureFakeOPF resets state and wires the given runtime as the
+// process-global OPF.
+func configureFakeOPF(t *testing.T, rt testOPFRuntime) {
+	t.Helper()
+	redact.ResetOPFConfigForTest()
+	t.Cleanup(redact.ResetOPFConfigForTest)
+	redact.ConfigurePrivacyFilterWithRuntime(redact.OPFConfig{
+		Enabled:    true,
+		Categories: map[string]bool{"private_person": true},
+		Command:    "/tmp/test-opf",
+	}, rt)
+}
+
+// setupV1Repo creates a repo + one v1 checkpoint with "PERSONABC" in
+// both the transcript and prompt. Returns the repo and the v1 tip.
+func setupV1Repo(t *testing.T) (*git.Repository, plumbing.Hash) {
+	t.Helper()
+	tempDir := t.TempDir()
+	testutil.InitRepo(t, tempDir)
+	repo, err := git.PlainOpen(tempDir)
+	require.NoError(t, err)
+
+	wt, err := repo.Worktree()
+	require.NoError(t, err)
+	require.NoError(t, os.WriteFile(filepath.Join(tempDir, "README.md"), []byte("# Test"), 0o644))
+	_, err = wt.Add("README.md")
+	require.NoError(t, err)
+	_, err = wt.Commit("Initial commit", &git.CommitOptions{
+		Author: &object.Signature{Name: "Test", Email: "test@test.com"},
+	})
+	require.NoError(t, err)
+
+	store := checkpoint.NewGitStore(repo)
+	cpID := id.MustCheckpointID("a1b2c3d4e5f6")
+	require.NoError(t, store.WriteCommitted(context.Background(), checkpoint.WriteCommittedOptions{
+		CheckpointID: cpID,
+		SessionID:    "test-session",
+		Strategy:     "manual-commit",
+		Transcript:   redact.AlreadyRedacted([]byte(`{"role":"user","content":"Hello, PERSONABC asked"}` + "\n")),
+		Prompts:      []string{"Look up PERSONABC"},
+		AuthorName:   "Test",
+		AuthorEmail:  "test@test.com",
+	}))
+	ref, err := repo.Reference(plumbing.NewBranchReferenceName(paths.MetadataBranchName), true)
+	require.NoError(t, err)
+	return repo, ref.Hash()
+}
+
+// makeOrphanCommit writes a single v1 commit (no parents = orphan).
+// Used by edge-case tests that need many cheap commits or commits
+// with unrelated histories.
+func makeOrphanCommit(t *testing.T, repo *git.Repository, treeHash plumbing.Hash, parents []plumbing.Hash, message string) plumbing.Hash {
+	t.Helper()
+	sig := &object.Signature{Name: "Test", Email: "test@test.com"}
+	c := &object.Commit{Author: *sig, Committer: *sig, Message: message, TreeHash: treeHash, ParentHashes: parents}
+	obj := repo.Storer.NewEncodedObject()
+	require.NoError(t, c.Encode(obj))
+	hash, err := repo.Storer.SetEncodedObject(obj)
+	require.NoError(t, err)
+	return hash
+}
+
+// emptyTreeHash writes (or resolves) git's well-known empty tree.
+func emptyTreeHash(t *testing.T, repo *git.Repository) plumbing.Hash {
+	t.Helper()
+	obj := repo.Storer.NewEncodedObject()
+	require.NoError(t, (&object.Tree{}).Encode(obj))
+	hash, err := repo.Storer.SetEncodedObject(obj)
+	require.NoError(t, err)
+	return hash
+}
+
+// buildOrphanChain builds n linear orphan commits on v1 with the
+// empty tree. Returns the tip. Useful for testing bootstrap/limit paths
+// where the only thing that matters is commit count.
+func buildOrphanChain(t *testing.T, repo *git.Repository, n int) plumbing.Hash {
+	t.Helper()
+	tree := emptyTreeHash(t, repo)
+	var parent, tip plumbing.Hash
+	for i := range n {
+		var parents []plumbing.Hash
+		if !parent.IsZero() {
+			parents = []plumbing.Hash{parent}
+		}
+		tip = makeOrphanCommit(t, repo, tree, parents, fmt.Sprintf("commit %d", i))
+		parent = tip
+	}
+	require.NoError(t, repo.Storer.SetReference(
+		plumbing.NewHashReference(plumbing.NewBranchReferenceName(paths.MetadataBranchName), tip)))
+	return tip
+}
+
+// Happy path: a single unpushed unapplied commit gets rewritten, tagged
+// applied, and its sentinel-bearing blobs no longer contain the sentinel.
+func TestRewriteUnpushedV1WithOPF_HappyPath_RewritesAndTagsApplied(t *testing.T) {
+	configureFakeOPF(t, &fakeOPFForRewrite{})
+	repo, originalTip := setupV1Repo(t)
+
+	newTip, err := RewriteUnpushedV1WithOPF(context.Background(), repo, "origin")
+	require.NoError(t, err)
+	if newTip == originalTip {
+		t.Fatalf("rewrite returned same tip %s; expected new tip", newTip.String()[:7])
+	}
+
+	newCommit, err := repo.CommitObject(newTip)
+	require.NoError(t, err)
+	if !trailers.HasOPFApplied(newCommit.Message) {
+		t.Errorf("new commit missing Entire-OPF-Applied trailer:\n%s", newCommit.Message)
+	}
+
+	ref, err := repo.Reference(plumbing.NewBranchReferenceName(paths.MetadataBranchName), true)
+	require.NoError(t, err)
+	require.Equal(t, newTip, ref.Hash(), "local v1 ref should point to new tip")
+
+	tree, err := newCommit.Tree()
+	require.NoError(t, err)
+	require.NoError(t, tree.Files().ForEach(func(f *object.File) error {
+		if !strings.HasSuffix(f.Name, ".jsonl") && !strings.HasSuffix(f.Name, ".txt") {
+			return nil
+		}
+		content, err := f.Contents()
+		if err != nil {
+			return err
+		}
+		if strings.Contains(content, "PERSONABC") {
+			t.Errorf("rewritten %s still contains sentinel 'PERSONABC'", f.Name)
+		}
+		return nil
+	}))
+}
+
+// Idempotent re-run: a commit already tagged Entire-OPF-Applied is
+// re-parented without re-redacting the tree and without duplicating
+// the trailer.
+func TestRewriteUnpushedV1WithOPF_SecondRun_IdempotentNoDuplicateTrailer(t *testing.T) {
+	configureFakeOPF(t, &fakeOPFForRewrite{})
+	repo, _ := setupV1Repo(t)
+
+	firstTip, err := RewriteUnpushedV1WithOPF(context.Background(), repo, "origin")
+	require.NoError(t, err)
+	firstCommit, err := repo.CommitObject(firstTip)
+	require.NoError(t, err)
+	require.True(t, trailers.HasOPFApplied(firstCommit.Message))
+	firstTreeHash := firstCommit.TreeHash
+
+	secondTip, err := RewriteUnpushedV1WithOPF(context.Background(), repo, "origin")
+	require.NoError(t, err)
+
+	secondCommit, err := repo.CommitObject(secondTip)
+	require.NoError(t, err)
+
+	wantTrailer := trailers.OPFAppliedTrailerKey + ": " + trailers.OPFAppliedTrailerValue
+	if count := strings.Count(secondCommit.Message, wantTrailer); count != 1 {
+		t.Errorf("trailer count = %d, want exactly 1\n%s", count, secondCommit.Message)
+	}
+	require.Equal(t, firstTreeHash, secondCommit.TreeHash, "applied commit tree should be preserved")
+}
+
+// No v1 branch → no-op, no error.
+func TestRewriteUnpushedV1WithOPF_NoV1Branch_ReturnsZeroHashNoError(t *testing.T) {
+	configureFakeOPF(t, &fakeOPFForRewrite{})
+	tempDir := t.TempDir()
+	testutil.InitRepo(t, tempDir)
+	repo, err := git.PlainOpen(tempDir)
+	require.NoError(t, err)
+
+	tip, err := RewriteUnpushedV1WithOPF(context.Background(), repo, "origin")
+	require.NoError(t, err)
+	require.True(t, tip.IsZero(), "expected zero hash for missing v1 ref")
+}
+
+// Diverged remote: local has commits unreachable from remote. Refusal
+// prevents silent rebase of work the remote already rejected.
+func TestRewriteUnpushedV1WithOPF_DivergedRemote_ReturnsV1DivergedError(t *testing.T) {
+	configureFakeOPF(t, &fakeOPFForRewrite{})
+	tempDir := t.TempDir()
+	testutil.InitRepo(t, tempDir)
+	repo, err := git.PlainOpen(tempDir)
+	require.NoError(t, err)
+
+	tree := emptyTreeHash(t, repo)
+	localTip := makeOrphanCommit(t, repo, tree, nil, "local only")
+	remoteTip := makeOrphanCommit(t, repo, tree, nil, "remote only")
+	require.NoError(t, repo.Storer.SetReference(
+		plumbing.NewHashReference(plumbing.NewBranchReferenceName(paths.MetadataBranchName), localTip)))
+	require.NoError(t, repo.Storer.SetReference(
+		plumbing.NewHashReference(plumbing.NewRemoteReferenceName("origin", paths.MetadataBranchName), remoteTip)))
+
+	_, err = RewriteUnpushedV1WithOPF(context.Background(), repo, "origin")
+	var diverged *V1DivergedError
+	require.ErrorAs(t, err, &diverged)
+	require.Equal(t, localTip, diverged.Local)
+	require.Equal(t, remoteTip, diverged.Remote)
+}
+
+// Bootstrap cap: a single table-driven test covers both the over-limit
+// rejection and the unlimited-override pass paths since they share
+// 90% of setup.
+func TestRewriteUnpushedV1WithOPF_BootstrapCap(t *testing.T) {
+	cases := []struct {
+		name      string
+		envLimit  string
+		commits   int
+		wantErr   bool
+		wantCount int
+		wantLimit int
+	}{
+		{name: "over_limit_rejected", envLimit: "2", commits: 3, wantErr: true, wantCount: 3, wantLimit: 2},
+		{name: "unlimited_allows_any_size", envLimit: "unlimited", commits: 3, wantErr: false},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			configureFakeOPF(t, &fakeOPFForRewrite{})
+			t.Setenv("ENTIRE_OPF_BOOTSTRAP_LIMIT", tc.envLimit)
+
+			tempDir := t.TempDir()
+			testutil.InitRepo(t, tempDir)
+			repo, err := git.PlainOpen(tempDir)
+			require.NoError(t, err)
+			tip := buildOrphanChain(t, repo, tc.commits)
+
+			newTip, err := RewriteUnpushedV1WithOPF(context.Background(), repo, "origin")
+			if !tc.wantErr {
+				require.NoError(t, err)
+				require.False(t, newTip.IsZero(), "expected new tip on success")
+				return
+			}
+			var tooLarge *BootstrapTooLargeError
+			require.ErrorAs(t, err, &tooLarge)
+			require.Equal(t, tc.wantCount, tooLarge.Count)
+			require.Equal(t, tc.wantLimit, tooLarge.Limit)
+			_ = tip // tip is the local v1 tip; on error we don't move the ref but we also don't assert here
+		})
+	}
+}
+
+// Shard scoping: the rewrite only touches files inside the current
+// commit's own shard. Files belonging to other shards (sitting in the
+// cumulative tree because git trees accumulate) are copied verbatim,
+// so a push doesn't pay O(N) OPF cold-starts per commit.
+func TestParseShardPathFromCommitMessage(t *testing.T) {
+	t.Parallel()
+	cases := []struct {
+		name, msg, want string
+	}{
+		{name: "valid", msg: "Checkpoint: a1b2c3d4e5f6\n\nEntire-Session: s\n", want: "a1/b2c3d4e5f6"},
+		{name: "trailing_space", msg: "Checkpoint: a1b2c3d4e5f6   \n", want: "a1/b2c3d4e5f6"},
+		{name: "missing_prefix", msg: "Initialize sessions branch\n", want: ""},
+		{name: "too_short", msg: "Checkpoint: abc123\n", want: ""},
+		{name: "uppercase_rejected", msg: "Checkpoint: A1B2C3D4E5F6\n", want: ""},
+		{name: "non_hex", msg: "Checkpoint: gghhiijjkkll\n", want: ""},
+		{name: "empty_message", msg: "", want: ""},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			require.Equal(t, tc.want, parseShardPathFromCommitMessage(tc.msg))
+		})
+	}
+}
+
+// Shard-scoping invariants: descend into ancestors-of, the target, and
+// descendants-of the target shard; copy everything else verbatim.
+func TestShouldDescendAndInsideShard(t *testing.T) {
+	t.Parallel()
+	const shard = "a1/b2c3d4e5f6"
+	cases := []struct {
+		name    string
+		path    string
+		descend bool
+		inside  bool
+	}{
+		{name: "root_is_ancestor", path: "", descend: true, inside: false},
+		{name: "shard_prefix_is_ancestor", path: "a1", descend: true, inside: false},
+		{name: "shard_root_is_target", path: shard, descend: true, inside: true},
+		{name: "session_subdir_is_descendant", path: shard + "/0", descend: true, inside: true},
+		{name: "deeper_descendant", path: shard + "/0/tasks", descend: true, inside: true},
+		{name: "sibling_shard_prefix", path: "b2", descend: false, inside: false},
+		{name: "sibling_shard_full", path: "b2/c3d4e5f6a1a2", descend: false, inside: false},
+		{name: "partial_overlap_not_ancestor", path: "a1/zzz", descend: false, inside: false},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			require.Equal(t, tc.descend, shouldDescend(tc.path, shard), "shouldDescend")
+			require.Equal(t, tc.inside, insideShard(tc.path, shard), "insideShard")
+		})
+	}
+}
+
+// TestRebuildTreeWithOPF_RedactsAllFileTypesInsideShard pins the
+// fail-closed file-type policy. Previously the walker only redacted
+// .jsonl / .txt / .json suffixes and copied everything else verbatim
+// inside the shard — a privacy hole for any future blob type (.md
+// prose, agent dumps, no-extension transcript files) that landed in a
+// checkpoint shard. After P3 the policy is inverted: every regular
+// file inside the shard except content_hash.txt flows through OPF.
+//
+// This test stands up a synthetic tree containing one .md and one
+// no-extension file with the OPF sentinel, runs the walker, and
+// asserts both files come out redacted.
+func TestRebuildTreeWithOPF_RedactsAllFileTypesInsideShard(t *testing.T) {
+	configureFakeOPF(t, &fakeOPFForRewrite{})
+	tempDir := t.TempDir()
+	testutil.InitRepo(t, tempDir)
+	repo, err := git.PlainOpen(tempDir)
+	require.NoError(t, err)
+
+	writeBlob := func(content string) plumbing.Hash {
+		obj := repo.Storer.NewEncodedObject()
+		obj.SetType(plumbing.BlobObject)
+		w, err := obj.Writer()
+		require.NoError(t, err)
+		_, err = w.Write([]byte(content))
+		require.NoError(t, err)
+		require.NoError(t, w.Close())
+		hash, err := repo.Storer.SetEncodedObject(obj)
+		require.NoError(t, err)
+		return hash
+	}
+	mdHash := writeBlob("Agent transcript: PERSONABC reported the issue")
+	rawHash := writeBlob("PERSONABC also appeared in this no-extension blob")
+	hashTxtHash := writeBlob("sha256:abcd")
+
+	// Entries must be sorted lexicographically per git's tree format.
+	tree := &object.Tree{Entries: []object.TreeEntry{
+		{Name: paths.ContentHashFileName, Mode: filemode.Regular, Hash: hashTxtHash},
+		{Name: "notes.md", Mode: filemode.Regular, Hash: mdHash},
+		{Name: "transcript", Mode: filemode.Regular, Hash: rawHash},
+	}}
+
+	// Empty shardPath = "walk everything" (bootstrap fallback). With the
+	// inverted policy, both notes.md and transcript get redacted.
+	newTreeHash, err := rebuildTreeWithOPF(context.Background(), repo, tree, "", "")
+	require.NoError(t, err)
+
+	newTree, err := repo.TreeObject(newTreeHash)
+	require.NoError(t, err)
+
+	readEntry := func(name string) string {
+		for _, e := range newTree.Entries {
+			if e.Name != name {
+				continue
+			}
+			blob, err := repo.BlobObject(e.Hash)
+			require.NoError(t, err)
+			r, err := blob.Reader()
+			require.NoError(t, err)
+			defer func() { _ = r.Close() }()
+			data, err := io.ReadAll(r)
+			require.NoError(t, err)
+			return string(data)
+		}
+		t.Fatalf("entry %q not in rebuilt tree", name)
+		return ""
+	}
+
+	if strings.Contains(readEntry("notes.md"), "PERSONABC") {
+		t.Error(".md blob inside the shard must be redacted — slipped through verbatim")
+	}
+	if strings.Contains(readEntry("transcript"), "PERSONABC") {
+		t.Error("no-extension blob inside the shard must be redacted — slipped through verbatim")
+	}
+	// content_hash.txt is on the deferred path: since there's no
+	// transcript file (named full.jsonl) in this synthetic tree, the
+	// deferred recomputation keeps the original hash.
+	if got := readEntry(paths.ContentHashFileName); got != "sha256:abcd" {
+		t.Errorf("content_hash.txt should be preserved when no transcript exists, got %q", got)
+	}
+}
+
+// Empty shardPath = no scoping (bootstrap / unrecognized-subject
+// fallback): descend everywhere, redact everywhere.
+func TestShardScopeEmptyShardPathIsPermissive(t *testing.T) {
+	t.Parallel()
+	require.True(t, shouldDescend("anything/anywhere", ""))
+	require.True(t, insideShard("anything/anywhere", ""))
+	require.True(t, shouldDescend("", ""))
+	require.True(t, insideShard("", ""))
+}
+
+// Fail-closed regression: when the OPF runtime fails and the breaker
+// trips, the rewrite must NOT CAS the ref. Otherwise the new commits
+// would carry Entire-OPF-Applied: true while their content is 7-layer
+// only, and future pushes would skip them — silently shipping unredacted
+// content to the remote.
+func TestRewriteUnpushedV1WithOPF_BreakerTrippedMidRewrite_AbortsBeforeCAS(t *testing.T) {
+	configureFakeOPF(t, &fakeRuntimeAlwaysFails{})
+	repo, originalTip := setupV1Repo(t)
+
+	_, err := RewriteUnpushedV1WithOPF(context.Background(), repo, "origin")
+	var runtimeFail *OPFRuntimeFailedError
+	require.ErrorAs(t, err, &runtimeFail)
+	require.Contains(t, runtimeFail.OPFCommand, "test-opf", "OPFCommand should reflect configured command")
+
+	ref, err := repo.Reference(plumbing.NewBranchReferenceName(paths.MetadataBranchName), true)
+	require.NoError(t, err)
+	require.Equal(t, originalTip, ref.Hash(), "local v1 ref must not move on OPF failure")
+}
diff --git a/cmd/entire/cli/strategy/manual_commit_push.go b/cmd/entire/cli/strategy/manual_commit_push.go
index 91813da04..8621139b5 100644
--- a/cmd/entire/cli/strategy/manual_commit_push.go
+++ b/cmd/entire/cli/strategy/manual_commit_push.go
@@ -2,11 +2,22 @@ package strategy
 
 import (
 	"context"
+	"errors"
+	"log/slog"
+	"os"
 
+	"github.com/entireio/cli/cmd/entire/cli/logging"
 	"github.com/entireio/cli/cmd/entire/cli/paths"
+	"github.com/entireio/cli/cmd/entire/cli/settings"
 	"github.com/entireio/cli/perf"
+	"github.com/entireio/cli/redact"
 )
 
+// errOPFAbortedByUser is returned when the user chose Abort (or pressed
+// Ctrl-C) at the OPF prompt. PrePush returns it verbatim; the hook
+// command propagates the non-zero exit code so git push aborts.
+var errOPFAbortedByUser = errors.New("OPF prompt aborted by user; push cancelled")
+
 // PrePush is called by the git pre-push hook before pushing to a remote.
 // It pushes the entire/checkpoints/v1 branch alongside the user's push.
 //
@@ -29,6 +40,54 @@ func (s *ManualCommitStrategy) PrePush(ctx context.Context, remote string) error
 		return nil
 	}
 
+	// OPF pre-push rewrite: if OPF is configured, resolve the user's
+	// decision (env > settings > prompt > non-TTY auto-run), then
+	// re-redact unpushed v1 commits with the 8-layer pipeline before
+	// pushing. Skipped entirely when OPF is off, so the common-case
+	// fast path is unchanged.
+	if redact.OPFEnabled() {
+		cfg, _ := settings.Load(ctx) //nolint:errcheck // Load already failed at hook init; fall back to nil
+		var opfCfg *settings.OPFSettings
+		if cfg != nil && cfg.Redaction != nil {
+			opfCfg = cfg.Redaction.OpenAIPrivacyFilter
+		}
+		decision, decisionErr := resolveOPFDecisionForPrePush(ctx, opfCfg, os.Stderr)
+		if decisionErr != nil {
+			logging.Warn(ctx, "OPF pre-push decision failed; aborting push",
+				slog.String("error", decisionErr.Error()),
+			)
+			return decisionErr
+		}
+		switch decision {
+		case OPFAbort:
+			return errOPFAbortedByUser
+		case OPFSkip:
+			// User opted out for this push (or settings/env say
+			// "never"). Push 7-layer content as-is.
+			logging.Info(ctx, "OPF skipped for this push (user choice or settings)")
+		case OPFRun:
+			_, opfSpan := perf.Start(ctx, "opf_pre_push_rewrite")
+			repo, repoErr := OpenRepository(ctx)
+			if repoErr != nil {
+				opfSpan.RecordError(repoErr)
+				opfSpan.End()
+				logging.Warn(ctx, "OPF pre-push: failed to open repo; aborting push",
+					slog.String("error", repoErr.Error()),
+				)
+				return repoErr
+			}
+			if _, rewriteErr := RewriteUnpushedV1WithOPF(ctx, repo, ps.pushTarget()); rewriteErr != nil {
+				opfSpan.RecordError(rewriteErr)
+				opfSpan.End()
+				logging.Warn(ctx, "OPF pre-push rewrite failed; aborting push",
+					slog.String("error", rewriteErr.Error()),
+				)
+				return rewriteErr
+			}
+			opfSpan.End()
+		}
+	}
+
 	// Thread the span's context into the push so the network push and any
 	// fetch+rebase recovery nest beneath it as child steps in the perf trace.
 	pushCtx, pushCheckpointsSpan := perf.Start(ctx, "push_checkpoints_branch")
@@ -36,5 +95,21 @@ func (s *ManualCommitStrategy) PrePush(ctx context.Context, remote string) error
 	pushCheckpointsSpan.RecordError(err)
 	pushCheckpointsSpan.End()
 
+	// Post-push cleanup: only when the v1 push succeeded, so we know
+	// the condensed checkpoint data is on the remote. Failures here are
+	// non-fatal — shadow branches just accumulate until `entire clean`
+	// or the next successful push.
+	if err == nil {
+		if deleted, cleanupErr := CleanupPushedShadowBranches(ctx); cleanupErr != nil {
+			logging.Warn(ctx, "post-push shadow branch cleanup failed",
+				slog.String("error", cleanupErr.Error()),
+			)
+		} else if deleted > 0 {
+			logging.Info(ctx, "cleaned up vestigial shadow branches",
+				slog.Int("count", deleted),
+			)
+		}
+	}
+
 	return err
 }
diff --git a/cmd/entire/cli/strategy/manual_commit_test.go b/cmd/entire/cli/strategy/manual_commit_test.go
index b1702d487..f8a5cb614 100644
--- a/cmd/entire/cli/strategy/manual_commit_test.go
+++ b/cmd/entire/cli/strategy/manual_commit_test.go
@@ -4127,7 +4127,7 @@ func TestResolveFilesTouched_PrefersStateFallsBackToTranscript(t *testing.T) {
 
 func TestCondenseSession_RedactionFailure_DropsTranscriptButWritesMetadata(t *testing.T) {
 	originalRedact := redactSessionJSONLBytes
-	redactSessionJSONLBytes = func([]byte) (redact.RedactedBytes, error) {
+	redactSessionJSONLBytes = func(context.Context, []byte) (redact.RedactedBytes, error) {
 		return redact.RedactedBytes{}, errors.New("forced redaction failure")
 	}
 	t.Cleanup(func() {
diff --git a/cmd/entire/cli/trailers/trailers.go b/cmd/entire/cli/trailers/trailers.go
index f1b390994..48ca45fa7 100644
--- a/cmd/entire/cli/trailers/trailers.go
+++ b/cmd/entire/cli/trailers/trailers.go
@@ -48,6 +48,18 @@ const (
 	// AgentTrailerKey identifies the agent that created a checkpoint.
 	// Format: human-readable agent name e.g. "Claude Code", "Cursor"
 	AgentTrailerKey = "Entire-Agent"
+
+	// OPFAppliedTrailerKey marks an entire/checkpoints/v1 commit whose blobs
+	// have been redacted by the OpenAI Privacy Filter (8-layer pipeline).
+	// Format: literal "true"; the trailer is omitted entirely when OPF was
+	// not applied. The pre-push rewrite path treats commits lacking this
+	// trailer as candidates to OPF-redact before they reach the remote.
+	OPFAppliedTrailerKey = "Entire-OPF-Applied"
+
+	// OPFAppliedTrailerValue is the only value that means "OPF ran." Any
+	// other value (or trailer absence) is treated as "not applied" so a
+	// future "false" / "skipped" value never accidentally enables OPF.
+	OPFAppliedTrailerValue = "true"
 )
 
 // Pre-compiled regexes for trailer parsing.
@@ -57,6 +69,7 @@ var (
 	baseCommitTrailerRegex   = regexp.MustCompile(BaseCommitTrailerKey + `:\s*([a-f0-9]{40})`)
 	sessionTrailerRegex      = regexp.MustCompile(SessionTrailerKey + `:\s*(.+)`)
 	checkpointTrailerRegex   = regexp.MustCompile(CheckpointTrailerKey + `:\s*(` + checkpointID.Pattern + `)(?:\s|$)`)
+	opfAppliedTrailerRegex   = regexp.MustCompile(OPFAppliedTrailerKey + `:\s*(\S+)`)
 )
 
 // ParseMetadata extracts metadata dir from commit message.
@@ -270,3 +283,31 @@ func AppendCheckpointTrailer(message, checkpointID string) string {
 	trailer := fmt.Sprintf("%s: %s", CheckpointTrailerKey, checkpointID)
 	return appendTrailerLine(message, trailer)
 }
+
+// HasOPFApplied reports whether the commit message carries an
+// `Entire-OPF-Applied: true` trailer. Any other value (or absence) is
+// treated as "OPF not applied" so the pre-push rewrite considers the
+// commit a candidate for OPF redaction. Pinning the value to literal
+// "true" — rather than just trailer presence — prevents a future
+// "Entire-OPF-Applied: false" or "skipped" from accidentally meaning
+// "yes, applied."
+func HasOPFApplied(commitMessage string) bool {
+	matches := opfAppliedTrailerRegex.FindStringSubmatch(commitMessage)
+	if len(matches) < 2 {
+		return false
+	}
+	return strings.TrimSpace(matches[1]) == OPFAppliedTrailerValue
+}
+
+// AppendOPFAppliedTrailer appends `Entire-OPF-Applied: true` in
+// trailer-aware format. Idempotent: if the message already carries
+// the trailer with value "true", the original message is returned
+// unchanged so re-parenting an already-applied commit doesn't
+// duplicate the trailer.
+func AppendOPFAppliedTrailer(message string) string {
+	if HasOPFApplied(message) {
+		return message
+	}
+	trailer := fmt.Sprintf("%s: %s", OPFAppliedTrailerKey, OPFAppliedTrailerValue)
+	return appendTrailerLine(message, trailer)
+}
diff --git a/cmd/entire/cli/trailers/trailers_test.go b/cmd/entire/cli/trailers/trailers_test.go
index 2fd0e8961..c50de8cfe 100644
--- a/cmd/entire/cli/trailers/trailers_test.go
+++ b/cmd/entire/cli/trailers/trailers_test.go
@@ -450,3 +450,70 @@ func TestParseCheckpoint(t *testing.T) {
 		})
 	}
 }
+
+// TestHasOPFApplied covers the Entire-OPF-Applied trailer reader. The
+// trailer marks a v1 commit whose blobs have been redacted by the
+// OpenAI Privacy Filter (8-layer); commits without it carry 7-layer
+// content and are eligible for the pre-push rewrite to add OPF.
+func TestHasOPFApplied(t *testing.T) {
+	t.Parallel()
+	cases := []struct {
+		name    string
+		message string
+		want    bool
+	}{
+		{"present_lowercase_true", "Checkpoint: a1b2c3d4e5f6\n\nEntire-OPF-Applied: true\n", true},
+		{"absent", "Checkpoint: a1b2c3d4e5f6\n", false},
+		{"present_among_other_trailers", "msg\n\nEntire-Session: 2026-01\nEntire-OPF-Applied: true\nEntire-Strategy: manual-commit\n", true},
+		{"value_false_not_applied", "msg\n\nEntire-OPF-Applied: false\n", false},
+		{"value_other_not_applied", "msg\n\nEntire-OPF-Applied: yes\n", false},
+		{"empty_message", "", false},
+		{"trailer_with_extra_spaces", "msg\n\nEntire-OPF-Applied:   true   \n", true},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			if got := HasOPFApplied(tc.message); got != tc.want {
+				t.Errorf("HasOPFApplied(%q) = %v, want %v", tc.message, got, tc.want)
+			}
+		})
+	}
+}
+
+// TestAppendOPFAppliedTrailer covers the formatter. Appending to a
+// message without a trailer block inserts a blank line; appending to
+// one with a trailer block joins directly. Idempotent — appending to
+// a message that already has the trailer must not duplicate it.
+func TestAppendOPFAppliedTrailer(t *testing.T) {
+	t.Parallel()
+	tests := []struct {
+		name string
+		msg  string
+		want string
+	}{
+		{
+			name: "no_existing_trailers",
+			msg:  "Checkpoint: a1b2c3d4e5f6\n",
+			want: "Checkpoint: a1b2c3d4e5f6\n\nEntire-OPF-Applied: true\n",
+		},
+		{
+			name: "existing_trailer_block",
+			msg:  "Checkpoint: a1\n\nEntire-Session: s\nEntire-Strategy: manual-commit\n",
+			want: "Checkpoint: a1\n\nEntire-Session: s\nEntire-Strategy: manual-commit\nEntire-OPF-Applied: true\n",
+		},
+		{
+			name: "idempotent_when_already_applied",
+			msg:  "Checkpoint: a1\n\nEntire-OPF-Applied: true\n",
+			want: "Checkpoint: a1\n\nEntire-OPF-Applied: true\n",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			got := AppendOPFAppliedTrailer(tt.msg)
+			if got != tt.want {
+				t.Errorf("AppendOPFAppliedTrailer():\n got=%q\nwant=%q", got, tt.want)
+			}
+		})
+	}
+}
diff --git a/docs/security-and-privacy.md b/docs/security-and-privacy.md
index 5b901d6cc..b0eb41911 100644
--- a/docs/security-and-privacy.md
+++ b/docs/security-and-privacy.md
@@ -16,7 +16,7 @@ If your repository is **public**, this data is visible to the entire internet.
 
 ### What Entire redacts automatically
 
-Entire automatically scans transcript and metadata content before writing it to the `entire/checkpoints/v1` branch. Five always-on secret detection methods run during condensation, plus a conditional sixth pass for user-defined secret rules (see [Customizing redaction](#customizing-redaction) below) and an opt-in seventh pass for PII (see [Optional PII redaction](#optional-pii-redaction) below):
+Entire automatically scans transcript and metadata content before writing it to the `entire/checkpoints/v1` branch. Five always-on secret detection methods run during condensation, plus a conditional sixth pass for user-defined secret rules (see [Customizing redaction](#customizing-redaction) below), an opt-in seventh pass for PII (see [Optional PII redaction](#optional-pii-redaction) below), and an opt-in eighth pass that shells out to the OpenAI Privacy Filter model (see [Optional OpenAI Privacy Filter](#optional-openai-privacy-filter-opf) below):
 
 1. **Entropy scoring** — Identifies high-entropy strings (Shannon entropy > 4.5) that look like randomly generated secrets, even if they don't match a known pattern.
 2. **Pattern matching** — Uses [Betterleaks](https://github.com/betterleaks/betterleaks) built-in rules to detect known secret formats.
@@ -60,6 +60,170 @@ Teams can add their own regex patterns via `custom_patterns`. Each key is a labe
 
 If a custom pattern itself reveals sensitive structure (e.g. an internal ID format), put it in `.entire/settings.local.json` (gitignored) instead of `.entire/settings.json`.
 
+### Optional OpenAI Privacy Filter (`opf`)
+
+A separate, **opt-in** layer that shells out to the [OpenAI Privacy Filter](https://github.com/openai/privacy-filter) (`opf`) — a 1.5B-parameter token-classification model that finds names, emails, phone numbers, addresses, dates, URLs, account numbers, and secrets that pure regex can miss. Disabled by default. Runs *in addition to* the seven built-in layers, **only at push time** — never per-turn and never at commit time. Local commits stay on the fast 7-layer pipeline so per-commit latency is unchanged; OPF only re-redacts checkpoints right before they leave the machine via `git push`.
+
+Prerequisites:
+
+```bash
+pip install opf
+```
+
+Verify `opf --help` works; the CLI defaults to resolving the binary via `$PATH`. Override with the `command` setting if you need a specific path.
+
+Enable in `.entire/settings.json`:
+
+```json
+{
+  "redaction": {
+    "openai_privacy_filter": {
+      "enabled": true,
+      "categories": {
+        "private_person": true
+      }
+    }
+  }
+}
+```
+
+Available categories (set to `true` to enable, `false` or omit to skip):
+
+| Category | Replacement token | Notes |
+|---|---|---|
+| `private_person` | `[REDACTED_PERSON]` | Person names |
+| `private_email` | `[REDACTED_EMAIL]` | Email addresses |
+| `private_phone` | `[REDACTED_PHONE]` | Phone numbers |
+| `private_address` | `[REDACTED_ADDRESS]` | Street addresses |
+| `private_url` | `[REDACTED_URL]` | URLs that may identify a person/account |
+| `private_date` | `[REDACTED_DATE]` | Dates (DOB, etc.) |
+| `account_number` | `[REDACTED_ACCOUNT_NUMBER]` | Account / card / SSN-shaped numbers |
+| `secret` | `REDACTED` | Generic credential-shaped values |
+
+Unknown category names are rejected at settings load time so typos surface immediately instead of silently disabling a category.
+
+Full settings reference:
+
+```json
+{
+  "redaction": {
+    "openai_privacy_filter": {
+      "enabled": true,
+      "categories": {
+        "private_person": true,
+        "private_email": true,
+        "private_phone": true,
+        "private_address": false,
+        "private_url": false,
+        "private_date": false,
+        "account_number": false,
+        "secret": false
+      },
+      "command": "opf",
+      "timeout_seconds": 30
+    }
+  }
+}
+```
+
+- `command` — path or PATH-resolvable name of the `opf` binary. Defaults to `opf`.
+- `timeout_seconds` — per-invocation timeout. Defaults to `30`.
+- `prompt_default` — `"ask"` (default), `"always"`, or `"never"`. Controls whether the pre-push hook surfaces an interactive prompt before running OPF. `ENTIRE_OPF=yes` or `ENTIRE_OPF=no` on a single `git push` invocation overrides this for that push only.
+
+The interactive prompt offers three options and reacts to **Ctrl-C** for cancellation:
+
+```
+Run OpenAI Privacy Filter on these checkpoints?
+Adds ~30s but redacts names/PII the regex layers can't catch.
+Ctrl-C to cancel the push.
+
+  ▸ Yes — run OPF this push
+    No — skip OPF, push as-is
+    Always — run OPF on every push from now on
+```
+
+- **Yes** runs OPF for this push only.
+- **No** skips OPF for this push only; the 7-layer-redacted content reaches the remote.
+- **Always** runs OPF this push AND writes `prompt_default: "always"` to `.entire/settings.local.json` so future pushes don't ask.
+- **Ctrl-C** aborts the push entirely — `git push` exits non-zero, no refs go to the remote.
+
+Non-interactive contexts (CI, scripted pipes with no TTY) skip the prompt and run OPF automatically when enabled, printing `→ OpenAI Privacy Filter: scanning checkpoints…` to stderr so the wait isn't silent. Set `ENTIRE_OPF=no` to skip OPF in those contexts without disabling the feature globally.
+
+**CI consideration**: if you've enabled OPF locally and your CI runs `git push` (e.g. an agent-driven workflow), the CI push will attempt to run OPF too. If the `opf` binary isn't installed in CI, the push will abort with `OPFRuntimeFailedError` rather than silently shipping under-redacted content — by design, since "I enabled OPF" should mean "no content leaves my machines without OPF." The remedies are (a) install `opf` in CI, (b) set `ENTIRE_OPF=no` for CI pushes, or (c) set `prompt_default: "never"` if you only want OPF on interactive pushes.
+
+OPF failures at push time are **fail-closed**: if OPF is not on PATH, fails to start, or times out during the pre-push rewrite, the per-process circuit breaker trips and the rewrite aborts the push with `OPF runtime failed; aborting push`. Nothing reaches the remote. The intent is that "the user enabled OPF" means "I do not want unredacted content leaving this machine" — falling back to 7-layer silently on the push path would violate that contract. Fix the install or set `ENTIRE_OPF=no` for a one-off push.
+
+(The circuit breaker is per-process, so a broken install costs one warning instead of one timeout per blob — but the push still aborts.)
+
+Cost note: each shell-out loads the OPF model (~1.5B parameters on CPU). The pre-push rewrite batches all eligible leaf strings into a single inference pass per scope (transcript + joined prompts), so a typical real-world push adds ~25–30s of OPF inference rather than the multi-minute cost a per-leaf flow would incur. Per-commit latency is unaffected because OPF doesn't run at commit time.
+
+#### When OPF actually runs
+
+OPF execution lives in the pre-push hook. The flow:
+
+1. **Post-commit** writes the checkpoint with **7-layer-only** redaction to your local `entire/checkpoints/v1` branch. Fast, predictable, no OPF cost on the hot path.
+2. **Pre-push** (`git push`): if OPF is enabled, the hook re-reads each unpushed `entire/checkpoints/v1` commit, runs the OpenAI Privacy Filter over its blobs to add the categories the regex layers don't catch (person names, addresses, etc.), and builds **new commits** carrying an `Entire-OPF-Applied: true` trailer. The local v1 ref fast-forwards atomically to the new tip, and the (now 8-layer-redacted) commits are what get pushed.
+3. The original 7-layer-only commits become **unreachable** in the local git object database and eventually get swept by `git gc`.
+
+This means:
+
+- **The remote only ever sees 8-layer-redacted content** when OPF is enabled.
+- **Local-only commits are 7-layer-redacted** until the moment you push. If you never push, OPF never runs.
+- **Re-running pre-push is idempotent** — commits already carrying the trailer get re-parented into the chain but are not re-redacted.
+
+#### Force-pushed remote, bootstrap, and concurrent pushes
+
+The rewrite refuses to proceed and aborts the push when it detects a divergent state, so checkpoints on the remote are never silently rebased:
+
+- **Diverged remote**: if local `entire/checkpoints/v1` has commits that aren't ancestors of `<remote>/entire/checkpoints/v1`, the hook exits with a `entire/checkpoints/v1 has diverged from remote` error. Fetch the remote and either reset local v1 to the remote tip or resolve manually before pushing.
+- **Bootstrap** (remote has no `entire/checkpoints/v1` yet, e.g. first push): the cap is `100` unpushed commits by default. Override via the env var on the push invocation:
+
+  ```fish
+  set -x ENTIRE_OPF_BOOTSTRAP_LIMIT 500; git push
+  # or fully unbounded:
+  set -x ENTIRE_OPF_BOOTSTRAP_LIMIT unlimited; git push
+  ```
+
+- **Concurrent push** from another worktree: the rewrite uses a CAS to update the local v1 ref. If another process moved the ref while OPF was running, the hook exits with a "concurrent push detected" error and `git push` aborts the whole batch. Fetch and retry.
+
+#### Persistence of un-redacted-by-OPF content
+
+Three places retain content that OPF *didn't* redact, with different lifetimes. Understanding them matters if your threat model goes beyond "what reaches the remote":
+
+| Location | Redaction level | Lifetime | Reaches remote? |
+|---|---|---|---|
+| `.entire/<session>.jsonl` | **None — raw** | Until session is deleted (managed by the agent) | No |
+| Shadow branch `entire/<commit>-<worktree>` | 7-layer | Auto-deleted after the next successful push (only when its session has ended cleanly) | No |
+| Unreachable git objects after pre-push rewrite | 7-layer | Until `git gc --prune` (default `gc.pruneExpire` is 2 weeks) | No |
+| Reflog `git reflog show entire/checkpoints/v1` | 7-layer tips | Default `gc.reflogExpire` is 90 days | No |
+| `<remote>/entire/checkpoints/v1` | 8-layer (after OPF rewrite) | Until you delete the branch on the remote | Yes |
+
+The `.entire/<session>.jsonl` files are raw working state owned by the agent (Claude Code, etc.) — Entire reads from them but does not redact them in place, because the agent is reading and writing them continuously and editing under the agent's feet would corrupt the session.
+
+To aggressively scrub the unreachable git objects from the pre-push rewrite (instead of waiting for the 2-week GC window):
+
+```fish
+git reflog expire --expire-unreachable=now refs/heads/entire/checkpoints/v1
+git gc --prune=now
+```
+
+This is I/O-heavy on large repositories; it's not run automatically. If you want it as part of your push workflow, wrap `git push` in a script that invokes it after a successful push.
+
+Verifying it's working:
+
+```fish
+# After enabling OPF, run an agent turn that includes a name in the prompt,
+# e.g. "Create notes.txt with: Alice Johnson reviewed the proposal."
+# Commit (this stays on the fast 7-layer pipeline), then push. OPF runs
+# during the pre-push step:
+git commit -m "demo"
+git push   # → "→ OpenAI Privacy Filter: scanning N checkpoints (~30s)…"
+git log --oneline entire/checkpoints/v1 | head -2
+entire checkpoint explain HEAD | grep -i 'REDACTED_PERSON'
+```
+
+If `[REDACTED_PERSON]` appears in the prompt or transcript section and the latest `entire/checkpoints/v1` commit carries `Entire-OPF-Applied: true`, OPF is active.
+
 ### Recommendations
 
 If your AI sessions will touch sensitive data:
diff --git a/redact/opf.go b/redact/opf.go
new file mode 100644
index 000000000..8b7fbf1d2
--- /dev/null
+++ b/redact/opf.go
@@ -0,0 +1,463 @@
+package redact
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"log/slog"
+	"os"
+	"os/exec"
+	"sort"
+	"strings"
+	"sync"
+	"sync/atomic"
+	"time"
+	"unicode/utf8"
+)
+
+// OPFConfig configures the optional OpenAI Privacy Filter detection layer.
+// Defaults are applied by ConfigurePrivacyFilter; callers should pass values
+// straight from settings without local normalization.
+type OPFConfig struct {
+	Enabled    bool
+	Categories map[string]bool
+	Command    string // path or name of the opf binary; "" defaults to "opf"
+	Timeout    int    // seconds; 0 defaults to 30
+
+	// runtime is private and constructed by ConfigurePrivacyFilter.
+	// Tests inject a fake via ConfigurePrivacyFilterWithRuntime.
+	runtime opfRuntime
+}
+
+var (
+	opfConfig   *OPFConfig
+	opfConfigMu sync.RWMutex
+
+	// opfBreakerTripped, once set, disables OPF for the rest of this process.
+	// The first detectOPF failure trips it via handleOPFFailure; subsequent
+	// detectOPF calls short-circuit before shelling out. Without this, a
+	// broken OPF install (binary missing, persistently timing out, etc.)
+	// makes every redaction call pay the full timeout — turning one
+	// condensation into N × 30s waits instead of a single warning plus
+	// graceful fallback. Process-scoped so a fresh CLI invocation re-attempts.
+	opfBreakerTripped atomic.Bool
+)
+
+// ConfigurePrivacyFilter sets the global OPF configuration and constructs
+// the default shell-out runtime. Call once at process startup after loading
+// settings. Thread-safe. Subsequent calls replace the previous configuration
+// and reset the circuit breaker (a new config might fix what broke the prior
+// one).
+func ConfigurePrivacyFilter(cfg OPFConfig) {
+	cfgCopy := cfg
+	if cfgCopy.Timeout <= 0 {
+		cfgCopy.Timeout = 30
+	}
+	if cfgCopy.Command == "" {
+		cfgCopy.Command = defaultOPFCommand
+	}
+	cfgCopy.runtime = newShellOut(cfgCopy.Command, cfgCopy.Timeout)
+	opfConfigMu.Lock()
+	opfConfig = &cfgCopy
+	opfConfigMu.Unlock()
+	opfBreakerTripped.Store(false)
+}
+
+// ConfigurePrivacyFilterWithRuntime is the test-only variant that takes an
+// explicit runtime instead of constructing one.
+func ConfigurePrivacyFilterWithRuntime(cfg OPFConfig, rt opfRuntime) {
+	cfgCopy := cfg
+	if cfgCopy.Timeout <= 0 {
+		cfgCopy.Timeout = 30
+	}
+	cfgCopy.runtime = rt
+	opfConfigMu.Lock()
+	opfConfig = &cfgCopy
+	opfConfigMu.Unlock()
+	opfBreakerTripped.Store(false)
+}
+
+func getOPFConfig() *OPFConfig {
+	opfConfigMu.RLock()
+	defer opfConfigMu.RUnlock()
+	return opfConfig
+}
+
+// OPFEnabled reports whether the OpenAI Privacy Filter is configured
+// and turned on for this process. Callers gate pre-push rewrite work
+// on this: when false, the pre-push hook pushes the local 7-layer
+// checkpoint branch verbatim with no extra processing. Independent of
+// the circuit breaker — a tripped breaker still reports Enabled=true
+// because the runtime config didn't change; the rewrite logic itself
+// handles the breaker by short-circuiting per-commit OPF calls.
+func OPFEnabled() bool {
+	cfg := getOPFConfig()
+	return cfg != nil && cfg.Enabled
+}
+
+// OPFBreakerTripped reports whether the per-process OPF circuit breaker
+// has been tripped — i.e. an OPF invocation failed at some point during
+// this process's lifetime. The pre-push rewrite uses this to detect
+// when OPF silently fell back to 7-layer mid-rewrite and abort before
+// CAS-ing the new ref; otherwise the rewritten commits would carry the
+// Entire-OPF-Applied: true trailer despite containing only 7-layer
+// content, and the next push would skip them.
+func OPFBreakerTripped() bool {
+	return opfBreakerTripped.Load()
+}
+
+// defaultOPFCommand is the binary name we resolve via $PATH when the
+// user hasn't pinned a specific path in settings. Used as the fallback
+// inside ConfigurePrivacyFilter and as the OPFCommand() default for
+// error messages.
+const defaultOPFCommand = "opf"
+
+// OPFCommand returns the configured OPF binary command, or the default
+// when OPF is unconfigured. Used by error messages so the user sees the
+// exact command they need to fix.
+func OPFCommand() string {
+	cfg := getOPFConfig()
+	if cfg == nil || cfg.Command == "" {
+		return defaultOPFCommand
+	}
+	return cfg.Command
+}
+
+func resetOPFConfig() {
+	opfConfigMu.Lock()
+	opfConfig = nil
+	opfConfigMu.Unlock()
+	opfBreakerTripped.Store(false)
+}
+
+// opfLabelMap maps OPF native labels to our taggedRegion.label values.
+// Empty mapped value renders as the bare "REDACTED" token; non-empty values
+// render as "[REDACTED_<LABEL>]" via the replacementToken helper.
+var opfLabelMap = map[string]string{
+	"private_person":  "PERSON",
+	"private_email":   "EMAIL",
+	"private_phone":   "PHONE",
+	"private_address": "ADDRESS",
+	"private_url":     "URL",
+	"private_date":    "DATE",
+	"account_number":  "ACCOUNT_NUMBER",
+	"secret":          "", // -> bare REDACTED
+}
+
+// IsKnownOPFCategory reports whether name is one of the OPF native labels
+// the CLI knows how to tag and render. Exported so the settings layer can
+// reject typos at parse time — silent zero-detection of a privacy category
+// would leave users thinking they're protected when they're not.
+func IsKnownOPFCategory(name string) bool {
+	_, ok := opfLabelMap[name]
+	return ok
+}
+
+func mapOPFLabel(opfLabel string) string {
+	if mapped, ok := opfLabelMap[opfLabel]; ok {
+		return mapped
+	}
+	return ""
+}
+
+func enabledCategories(cfg *OPFConfig) []string {
+	if cfg == nil {
+		return nil
+	}
+	out := make([]string, 0, len(cfg.Categories))
+	for label, enabled := range cfg.Categories {
+		if !enabled {
+			continue
+		}
+		if _, known := opfLabelMap[label]; !known {
+			continue
+		}
+		out = append(out, label)
+	}
+	sort.Strings(out) // deterministic order for tests + logs
+	return out
+}
+
+// opfStderr is where progress and failure UX is written. Defaults to
+// /dev/tty so messages survive the post-commit hook's stderr redirect
+// (the hook runs `entire hooks git post-commit 2>/dev/null` to suppress
+// unrelated logging). Tests override this directly.
+var opfStderr = openTTYOrDiscard()
+
+func openTTYOrDiscard() io.Writer {
+	f, err := os.OpenFile("/dev/tty", os.O_WRONLY, 0)
+	if err != nil {
+		return io.Discard
+	}
+	return f
+}
+
+// detectOPF runs OPF on a single text and returns tagged regions for any
+// spans whose category is enabled in cfg. Returns nil when OPF is disabled,
+// unconfigured, the breaker is tripped, the input is too short to be prose,
+// the input has no enabled categories, or the runtime returns an error.
+//
+// The has-space gate eliminates structural strings (paths, IDs, snake_case
+// keys) that would otherwise pay the OPF cold-start with zero benefit.
+// Single-token PII shapes (e.g. an isolated email) are caught by the regex
+// layers.
+func detectOPF(ctx context.Context, cfg *OPFConfig, s string) []taggedRegion {
+	if cfg == nil || !cfg.Enabled || cfg.runtime == nil || s == "" {
+		return nil
+	}
+	if opfBreakerTripped.Load() {
+		return nil
+	}
+	if !strings.ContainsRune(s, ' ') {
+		return nil
+	}
+	cats := enabledCategories(cfg)
+	if len(cats) == 0 {
+		return nil
+	}
+
+	fmt.Fprintln(opfStderr, "→ OpenAI Privacy Filter: scanning transcript…")
+	start := time.Now()
+	spans, err := cfg.runtime.Redact(ctx, s, cats)
+	if err != nil {
+		handleOPFFailure(ctx, cfg, err)
+		return nil
+	}
+	fmt.Fprintf(opfStderr, "✓ OpenAI Privacy Filter: done (%.1fs)\n", time.Since(start).Seconds())
+
+	out := make([]taggedRegion, 0, len(spans))
+	for _, sp := range spans {
+		if !cfg.Categories[sp.Label] {
+			continue
+		}
+		if sp.Start < 0 || sp.End > len(s) || sp.Start >= sp.End {
+			continue
+		}
+		out = append(out, taggedRegion{
+			region: region{sp.Start, sp.End},
+			label:  mapOPFLabel(sp.Label),
+		})
+	}
+	return out
+}
+
+// handleOPFFailure trips the circuit breaker and emits one user-facing
+// warning. CompareAndSwap ensures only the FIRST failure produces output;
+// subsequent detectOPF calls short-circuit before reaching here, so the
+// swap is mostly a guard against concurrent first-call races.
+func handleOPFFailure(ctx context.Context, cfg *OPFConfig, err error) {
+	if !opfBreakerTripped.CompareAndSwap(false, true) {
+		return
+	}
+	slog.WarnContext(ctx, "OpenAI Privacy Filter call failed; disabling for the rest of this process",
+		slog.String("component", "redaction"),
+		slog.String("command", cfg.Command),
+		slog.String("error", err.Error()),
+	)
+	fmt.Fprintf(opfStderr, "× OpenAI Privacy Filter unavailable (%s); falling back to regex layers for the rest of this commit. Install with 'pip install opf'.\n", cfg.Command)
+}
+
+// Span is a redaction region returned by an opfRuntime, with BYTE-offset
+// boundaries against the input text. OPF itself reports character (rune)
+// offsets via its JSON output; the shell-out adapter translates those to
+// byte offsets before returning Spans so callers can slice []byte input
+// directly without re-walking runes.
+type Span struct {
+	Start int
+	End   int
+	Label string // OPF native label, e.g. "private_person"
+}
+
+// opfRuntime is the abstraction over the OpenAI Privacy Filter binary or
+// (future) daemon. Implementations must be safe for concurrent use.
+type opfRuntime interface {
+	Redact(ctx context.Context, text string, categories []string) ([]Span, error)
+	RedactBatch(ctx context.Context, inputs []string, categories []string) ([][]Span, error)
+}
+
+// shellOut runs the user-installed `opf` binary per call. Cold-start every
+// invocation is intentional for v1 — daemon mode is a planned follow-up
+// that implements the same opfRuntime interface so callers don't change.
+type shellOut struct {
+	command        string
+	timeoutSeconds int
+
+	// commandRunner builds the *exec.Cmd run for each Redact call. Tests
+	// override this with a closure returning a Cmd wrapping a shell snippet.
+	commandRunner func(ctx context.Context, name string, args ...string) *exec.Cmd
+}
+
+func newShellOut(command string, timeoutSeconds int) *shellOut {
+	return &shellOut{
+		command:        command,
+		timeoutSeconds: timeoutSeconds,
+		commandRunner:  exec.CommandContext,
+	}
+}
+
+// opfBatchSeparator joins inputs into a single opf invocation. opf treats
+// '\n' as a per-input delimiter and runs a fresh inference pass per line,
+// which is no faster than per-call shell-out. Joining with a non-newline
+// separator instead causes opf to treat the concatenation as ONE input and
+// do ONE inference pass, amortizing the model load across all inputs.
+//
+// ASCII RECORD SEPARATOR (U+001E) satisfies both requirements:
+//  1. Doesn't appear in real text (so no collision with content)
+//  2. Looks like whitespace to opf's tokenizer (so it doesn't confuse
+//     span boundaries)
+const opfBatchSeparator = "\x1e"
+
+// Redact runs OPF on a single text input.
+func (s *shellOut) Redact(ctx context.Context, text string, categories []string) ([]Span, error) {
+	if len(categories) == 0 {
+		return nil, nil
+	}
+	batch, err := s.RedactBatch(ctx, []string{text}, categories)
+	if err != nil || len(batch) == 0 {
+		return nil, err
+	}
+	return batch[0], nil
+}
+
+// RedactBatch sends multiple inputs to opf as a single shell-out, joined
+// with opfBatchSeparator. Internal newlines in inputs are flattened to
+// spaces (1-byte → 1-byte, offsets stay valid). opf emits one JSON object
+// covering the whole concatenated text; spans are partitioned back per
+// input via partitionIndex. Spans crossing a separator boundary are dropped.
+//
+// Errors deliberately do NOT include stdout or stderr content — OPF can
+// echo input fragments to either stream when misconfigured, and the error
+// is later logged + printed to TTY by handleOPFFailure. Byte counts are
+// sufficient for diagnostics.
+func (s *shellOut) RedactBatch(ctx context.Context, inputs []string, categories []string) ([][]Span, error) {
+	if len(inputs) == 0 || len(categories) == 0 {
+		return nil, nil
+	}
+	timeout := time.Duration(s.timeoutSeconds) * time.Second
+	callCtx, cancel := context.WithTimeout(ctx, timeout)
+	defer cancel()
+
+	var buf strings.Builder
+	starts := make([]int, len(inputs))
+	for i, in := range inputs {
+		if i > 0 {
+			buf.WriteString(opfBatchSeparator)
+		}
+		starts[i] = buf.Len()
+		buf.WriteString(strings.ReplaceAll(in, "\n", " "))
+	}
+	batched := buf.String()
+
+	cmd := s.commandRunner(callCtx, s.command,
+		"--device", "cpu",
+		"--output-mode", "typed",
+		"--format", "json",
+		"--no-print-color-coded-text",
+	)
+	cmd.Stdin = strings.NewReader(batched)
+	var stdout, stderr bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+	// WaitDelay forces cmd.Wait() to return promptly after context
+	// cancellation/timeout even when the killed process leaves descendants
+	// holding the stdout/stderr pipes (e.g. `sh -c "sleep 5"` — killing sh
+	// doesn't reap sleep). Without this, timeout tests on Linux CI block
+	// for the full sleep duration.
+	cmd.WaitDelay = 500 * time.Millisecond
+
+	if err := cmd.Run(); err != nil {
+		switch {
+		case errors.Is(callCtx.Err(), context.DeadlineExceeded):
+			return nil, fmt.Errorf("opf timeout after %s: %w", timeout, callCtx.Err())
+		case errors.Is(ctx.Err(), context.Canceled):
+			return nil, fmt.Errorf("opf canceled: %w", ctx.Err())
+		}
+		if stderr.Len() == 0 {
+			return nil, fmt.Errorf("opf exited with error: %w", err)
+		}
+		return nil, fmt.Errorf("opf exited with error (%d bytes on stderr): %w", stderr.Len(), err)
+	}
+
+	var parsed struct {
+		DetectedSpans []struct {
+			Label string `json:"label"`
+			Start int    `json:"start"`
+			End   int    `json:"end"`
+		} `json:"detected_spans"`
+	}
+	if err := json.Unmarshal(stdout.Bytes(), &parsed); err != nil {
+		return nil, fmt.Errorf("opf output not parseable as JSON (%d bytes): %w", stdout.Len(), err)
+	}
+
+	out := make([][]Span, len(inputs))
+	for _, p := range parsed.DetectedSpans {
+		byteStart := charToByteOffset(batched, p.Start)
+		byteEnd := charToByteOffset(batched, p.End)
+		if byteStart < 0 || byteEnd < 0 {
+			continue
+		}
+		idx := partitionIndex(starts, byteStart, byteEnd, opfBatchSeparator)
+		if idx < 0 {
+			continue
+		}
+		base := starts[idx]
+		out[idx] = append(out[idx], Span{
+			Start: byteStart - base,
+			End:   byteEnd - base,
+			Label: p.Label,
+		})
+	}
+	return out, nil
+}
+
+// charToByteOffset converts a 0-based rune offset into a byte offset within
+// s. Returns -1 for negative offsets or offsets past the rune count.
+// charOff == 0 returns 0; charOff == utf8.RuneCountInString(s) returns
+// len(s) (the exclusive end position used as a slice bound).
+func charToByteOffset(s string, charOff int) int {
+	if charOff < 0 {
+		return -1
+	}
+	byteOff := 0
+	for range charOff {
+		if byteOff >= len(s) {
+			return -1
+		}
+		_, size := utf8.DecodeRuneInString(s[byteOff:])
+		byteOff += size
+	}
+	return byteOff
+}
+
+// partitionIndex returns the input index that contains [spanStart, spanEnd)
+// within the concatenated batch, or -1 if the region crosses a separator
+// boundary or is outside any input. starts[i] is the byte offset where
+// inputs[i] begins; each input ends at starts[i+1] - len(sep), or at the
+// end of the batched string for the last input.
+func partitionIndex(starts []int, spanStart, spanEnd int, sep string) int {
+	if spanStart < 0 || spanEnd <= spanStart {
+		return -1
+	}
+	for i := range starts {
+		base := starts[i]
+		var end int
+		if i+1 < len(starts) {
+			end = starts[i+1] - len(sep)
+		} else {
+			// Last input — no upper bound tracked. Accept any span that
+			// starts >= base; the caller's bounds-check on the returned
+			// span's byte offsets covers the runaway case.
+			end = 1 << 31
+		}
+		if spanStart >= base && spanEnd <= end {
+			return i
+		}
+		if spanStart < base {
+			return -1
+		}
+	}
+	return -1
+}
diff --git a/redact/opf_test.go b/redact/opf_test.go
new file mode 100644
index 000000000..98b7452c9
--- /dev/null
+++ b/redact/opf_test.go
@@ -0,0 +1,531 @@
+package redact
+
+import (
+	"context"
+	"errors"
+	"io"
+	"os/exec"
+	"strings"
+	"sync"
+	"testing"
+)
+
+// shCmd returns a Cmd that runs the given shell snippet via `sh -c`. Used
+// by tests to simulate the `opf` binary's behavior without needing it
+// installed.
+func shCmd(ctx context.Context, script string) *exec.Cmd {
+	return exec.CommandContext(ctx, "sh", "-c", script)
+}
+
+// fakeRuntime is the standard test double for opfRuntime. Records call
+// counts so tests can assert "single batched call, not N per-leaf" contracts.
+type fakeRuntime struct {
+	mu         sync.Mutex
+	spans      []Span
+	err        error
+	calls      int
+	batchCalls int
+}
+
+func (f *fakeRuntime) Redact(_ context.Context, _ string, _ []string) ([]Span, error) {
+	f.mu.Lock()
+	defer f.mu.Unlock()
+	f.calls++
+	return f.spans, f.err
+}
+
+func (f *fakeRuntime) RedactBatch(_ context.Context, inputs []string, _ []string) ([][]Span, error) {
+	f.mu.Lock()
+	defer f.mu.Unlock()
+	f.batchCalls++
+	if f.err != nil {
+		return nil, f.err
+	}
+	out := make([][]Span, len(inputs))
+	for i := range inputs {
+		out[i] = f.spans
+	}
+	return out, nil
+}
+
+func TestConfigurePrivacyFilter_StoresConfig(t *testing.T) {
+	resetOPFConfig()
+	t.Cleanup(resetOPFConfig)
+
+	ConfigurePrivacyFilter(OPFConfig{
+		Enabled:    true,
+		Categories: map[string]bool{"private_person": true},
+		Command:    "/usr/local/bin/opf",
+		Timeout:    45,
+	})
+
+	got := getOPFConfig()
+	if got == nil {
+		t.Fatal("getOPFConfig returned nil")
+	}
+	if !got.Enabled || !got.Categories["private_person"] || got.Command != "/usr/local/bin/opf" || got.Timeout != 45 {
+		t.Errorf("config not stored verbatim: %+v", got)
+	}
+	if got.runtime == nil {
+		t.Error("runtime was not constructed")
+	}
+}
+
+func TestConfigurePrivacyFilter_AppliesDefaults(t *testing.T) {
+	resetOPFConfig()
+	t.Cleanup(resetOPFConfig)
+
+	ConfigurePrivacyFilter(OPFConfig{Enabled: true})
+	got := getOPFConfig()
+	if got.Command != "opf" {
+		t.Errorf("default Command: want \"opf\", got %q", got.Command)
+	}
+	if got.Timeout != 30 {
+		t.Errorf("default Timeout: want 30, got %d", got.Timeout)
+	}
+}
+
+func TestIsKnownOPFCategory(t *testing.T) {
+	t.Parallel()
+	cases := map[string]bool{
+		"private_person":  true,
+		"private_email":   true,
+		"secret":          true,
+		"account_number":  true,
+		"private_peerson": false,
+		"":                false,
+		"PII":             false,
+	}
+	for name, want := range cases {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+			if got := IsKnownOPFCategory(name); got != want {
+				t.Errorf("IsKnownOPFCategory(%q) = %v, want %v", name, got, want)
+			}
+		})
+	}
+}
+
+func TestDetectOPF_DisabledReturnsNil(t *testing.T) {
+	resetOPFConfig()
+	t.Cleanup(resetOPFConfig)
+
+	fake := &fakeRuntime{spans: []Span{{Start: 0, End: 5, Label: "private_person"}}}
+	ConfigurePrivacyFilterWithRuntime(OPFConfig{
+		Enabled:    false,
+		Categories: map[string]bool{"private_person": true},
+	}, fake)
+
+	if got := detectOPF(context.Background(), getOPFConfig(), "Alice met Bob"); got != nil {
+		t.Errorf("disabled OPF should return nil, got %v", got)
+	}
+	if fake.calls != 0 {
+		t.Errorf("disabled OPF invoked runtime %d times, want 0", fake.calls)
+	}
+}
+
+func TestDetectOPF_MapsLabelsCorrectly(t *testing.T) {
+	resetOPFConfig()
+	t.Cleanup(resetOPFConfig)
+
+	origStderr := opfStderr
+	opfStderr = io.Discard
+	t.Cleanup(func() { opfStderr = origStderr })
+
+	fake := &fakeRuntime{
+		spans: []Span{
+			{Start: 0, End: 5, Label: "private_person"},
+			{Start: 6, End: 9, Label: "private_email"},
+		},
+	}
+	ConfigurePrivacyFilterWithRuntime(OPFConfig{
+		Enabled: true,
+		Categories: map[string]bool{
+			"private_person": true,
+			"private_email":  true,
+		},
+	}, fake)
+
+	regions := detectOPF(context.Background(), getOPFConfig(), "Alice a@b.io test")
+	if len(regions) != 2 {
+		t.Fatalf("want 2 regions, got %d: %v", len(regions), regions)
+	}
+	if regions[0].label != "PERSON" {
+		t.Errorf("region[0].label: want PERSON, got %q", regions[0].label)
+	}
+	if regions[1].label != "EMAIL" {
+		t.Errorf("region[1].label: want EMAIL, got %q", regions[1].label)
+	}
+}
+
+func TestDetectOPF_SkipsCategoriesNotEnabled(t *testing.T) {
+	resetOPFConfig()
+	t.Cleanup(resetOPFConfig)
+	origStderr := opfStderr
+	opfStderr = io.Discard
+	t.Cleanup(func() { opfStderr = origStderr })
+
+	fake := &fakeRuntime{
+		spans: []Span{
+			{Start: 0, End: 5, Label: "private_person"},
+			{Start: 6, End: 9, Label: "private_email"}, // not enabled
+		},
+	}
+	ConfigurePrivacyFilterWithRuntime(OPFConfig{
+		Enabled:    true,
+		Categories: map[string]bool{"private_person": true},
+	}, fake)
+
+	regions := detectOPF(context.Background(), getOPFConfig(), "Alice a@b.io test")
+	if len(regions) != 1 || regions[0].label != "PERSON" {
+		t.Errorf("want only PERSON region, got %v", regions)
+	}
+}
+
+func TestDetectOPF_SkipsNonProseStrings(t *testing.T) {
+	resetOPFConfig()
+	t.Cleanup(resetOPFConfig)
+
+	fake := &fakeRuntime{spans: []Span{{Start: 0, End: 5, Label: "private_person"}}}
+	ConfigurePrivacyFilterWithRuntime(OPFConfig{
+		Enabled:    true,
+		Categories: map[string]bool{"private_person": true},
+	}, fake)
+
+	cases := []string{
+		"src/main.go",
+		"user_prompt_submit",
+		"tool-use-id",
+		"a3b2c4d5e6f7",
+		"Alice", // single token, no space
+	}
+	for _, tc := range cases {
+		t.Run(tc, func(t *testing.T) {
+			callsBefore := fake.calls
+			if got := detectOPF(context.Background(), getOPFConfig(), tc); got != nil {
+				t.Errorf("non-prose %q: want nil, got %v", tc, got)
+			}
+			if fake.calls != callsBefore {
+				t.Errorf("non-prose %q: runtime invoked (calls %d → %d)", tc, callsBefore, fake.calls)
+			}
+		})
+	}
+}
+
+func TestDetectOPF_CircuitBreaker(t *testing.T) {
+	resetOPFConfig()
+	t.Cleanup(resetOPFConfig)
+	origStderr := opfStderr
+	opfStderr = io.Discard
+	t.Cleanup(func() { opfStderr = origStderr })
+
+	fake := &fakeRuntime{err: errors.New("simulated opf failure")}
+	ConfigurePrivacyFilterWithRuntime(OPFConfig{
+		Enabled:    true,
+		Categories: map[string]bool{"private_person": true},
+	}, fake)
+
+	// First call hits the runtime and observes the failure.
+	if got := detectOPF(context.Background(), getOPFConfig(), "Alice met Bob"); got != nil {
+		t.Fatalf("first call: want nil, got %v", got)
+	}
+	if fake.calls != 1 {
+		t.Fatalf("first call: want 1 invocation, got %d", fake.calls)
+	}
+
+	// Subsequent calls short-circuit before invoking the runtime.
+	for i := range 5 {
+		if got := detectOPF(context.Background(), getOPFConfig(), "Charlie sat next to Diane"); got != nil {
+			t.Errorf("call %d after breaker: want nil, got %v", i+2, got)
+		}
+	}
+	if fake.calls != 1 {
+		t.Errorf("breaker did not engage: %d invocations, want 1", fake.calls)
+	}
+
+	// Reconfiguring resets the breaker.
+	ConfigurePrivacyFilterWithRuntime(OPFConfig{
+		Enabled:    true,
+		Categories: map[string]bool{"private_person": true},
+	}, fake)
+	if got := detectOPF(context.Background(), getOPFConfig(), "Eve walked home"); got != nil {
+		t.Fatal("after reconfigure: want nil (still failing fake), got non-nil")
+	}
+	if fake.calls != 2 {
+		t.Errorf("after reconfigure: want 2 total invocations, got %d", fake.calls)
+	}
+}
+
+func TestShellOut_BatchSingleInferencePass(t *testing.T) {
+	t.Parallel()
+	var calls int
+	var mu sync.Mutex
+	rt := &shellOut{
+		command:        "opf",
+		timeoutSeconds: 5,
+		commandRunner: func(ctx context.Context, _ string, _ ...string) *exec.Cmd {
+			mu.Lock()
+			calls++
+			mu.Unlock()
+			return shCmd(ctx, `printf '{"detected_spans":[]}'`)
+		},
+	}
+	_, err := rt.RedactBatch(context.Background(), []string{"hello world", "foo bar baz"}, []string{"private_person"})
+	if err != nil {
+		t.Fatalf("RedactBatch: %v", err)
+	}
+	mu.Lock()
+	defer mu.Unlock()
+	if calls != 1 {
+		t.Errorf("want 1 shell-out for 2 inputs, got %d", calls)
+	}
+}
+
+func TestShellOut_ExitError_DoesNotLeakStderr(t *testing.T) {
+	t.Parallel()
+	const secret = "Alice met Bob at 555-867-5309"
+	rt := &shellOut{
+		command:        "opf",
+		timeoutSeconds: 5,
+		commandRunner: func(ctx context.Context, _ string, _ ...string) *exec.Cmd {
+			// Echo input to stderr, then exit non-zero — simulates a
+			// hostile or misconfigured opf wrapper.
+			return shCmd(ctx, "printf '%s' '"+secret+"' >&2; exit 7")
+		},
+	}
+	_, err := rt.Redact(context.Background(), secret, []string{"private_person"})
+	if err == nil {
+		t.Fatal("Redact: want error, got nil")
+	}
+	if strings.Contains(err.Error(), secret) {
+		t.Errorf("error leaks stderr content: %v", err)
+	}
+	if !strings.Contains(err.Error(), "bytes on stderr") {
+		t.Errorf("error should mention stderr byte count: %v", err)
+	}
+}
+
+func TestShellOut_ParseError_DoesNotLeakStdout(t *testing.T) {
+	t.Parallel()
+	const secret = "Alice met Bob"
+	rt := &shellOut{
+		command:        "opf",
+		timeoutSeconds: 5,
+		commandRunner: func(ctx context.Context, _ string, _ ...string) *exec.Cmd {
+			return shCmd(ctx, "printf '%s' 'not json: "+secret+"'")
+		},
+	}
+	_, err := rt.Redact(context.Background(), secret, []string{"private_person"})
+	if err == nil {
+		t.Fatal("Redact: want parse error, got nil")
+	}
+	if strings.Contains(err.Error(), secret) {
+		t.Errorf("parse error leaks stdout content: %v", err)
+	}
+}
+
+func TestCharToByteOffset(t *testing.T) {
+	t.Parallel()
+	cases := []struct {
+		name    string
+		s       string
+		charOff int
+		want    int
+	}{
+		// ASCII: 5 runes, 5 bytes.
+		{"ascii_start", "hello", 0, 0},
+		{"ascii_mid", "hello", 3, 3},
+		{"ascii_end_runecount", "hello", 5, 5},
+		{"ascii_past_end", "hello", 6, -1},
+		{"ascii_way_past", "hello", 100, -1},
+		{"negative", "hello", -1, -1},
+		// UTF-8: 3 runes, 9 bytes (3 × 3-byte box-drawing chars).
+		{"utf8_start", "───", 0, 0},
+		{"utf8_after_first", "───", 1, 3},
+		{"utf8_end_runecount", "───", 3, 9},
+		{"utf8_past_end", "───", 4, -1},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			if got := charToByteOffset(tc.s, tc.charOff); got != tc.want {
+				t.Errorf("charToByteOffset(%q, %d) = %d, want %d", tc.s, tc.charOff, got, tc.want)
+			}
+		})
+	}
+}
+
+func TestPartitionIndex(t *testing.T) {
+	t.Parallel()
+	// Three inputs joined by 1-byte separator: starts = [0, 11, 23]
+	//   "hello world"   bytes 0..11
+	//   "\x1e"          byte  11
+	//   "foo bar baz"   bytes 12..23
+	//   "\x1e"          byte  23
+	//   "the cat sat"   bytes 24..35
+	starts := []int{0, 12, 24}
+	cases := []struct {
+		name      string
+		spanStart int
+		spanEnd   int
+		want      int
+	}{
+		{"first_input", 0, 5, 0},
+		{"second_input", 12, 15, 1},
+		{"third_input", 24, 30, 2},
+		{"crosses_first_boundary", 5, 15, -1},
+		{"crosses_second_boundary", 15, 25, -1},
+		{"negative_start", -1, 5, -1},
+		{"zero_length", 5, 5, -1},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			if got := partitionIndex(starts, tc.spanStart, tc.spanEnd, "\x1e"); got != tc.want {
+				t.Errorf("partitionIndex(%d,%d) = %d, want %d", tc.spanStart, tc.spanEnd, got, tc.want)
+			}
+		})
+	}
+}
+
+func TestPlainEntryPointsNeverInvokeOPF(t *testing.T) {
+	resetOPFConfig()
+	t.Cleanup(resetOPFConfig)
+
+	fake := &fakeRuntime{spans: []Span{{Start: 0, End: 5, Label: "private_person"}}}
+	ConfigurePrivacyFilterWithRuntime(OPFConfig{
+		Enabled:    true,
+		Categories: map[string]bool{"private_person": true},
+	}, fake)
+
+	_ = String("Alice met Bob in the lobby")
+	_ = Bytes([]byte("Alice met Bob in the lobby"))
+	if _, err := JSONLContent(`{"role":"user","content":"Alice met Bob in the lobby"}`); err != nil {
+		t.Fatalf("JSONLContent: %v", err)
+	}
+	if _, err := JSONLBytes([]byte(`{"role":"user","content":"Alice met Bob in the lobby"}`)); err != nil {
+		t.Fatalf("JSONLBytes: %v", err)
+	}
+
+	if fake.calls+fake.batchCalls != 0 {
+		t.Errorf("plain entry points invoked OPF: calls=%d batchCalls=%d", fake.calls, fake.batchCalls)
+	}
+}
+
+func TestStringWithPrivacyFilter_AugmentsRegexLayers(t *testing.T) {
+	resetOPFConfig()
+	t.Cleanup(resetOPFConfig)
+	origStderr := opfStderr
+	opfStderr = io.Discard
+	t.Cleanup(func() { opfStderr = origStderr })
+
+	fake := &fakeRuntime{spans: []Span{{Start: 0, End: 5, Label: "private_person"}}}
+	ConfigurePrivacyFilterWithRuntime(OPFConfig{
+		Enabled:    true,
+		Categories: map[string]bool{"private_person": true},
+	}, fake)
+
+	got := StringWithPrivacyFilter(context.Background(), "Alice met Bob in the lobby")
+	if !strings.Contains(got, "[REDACTED_PERSON]") {
+		t.Errorf("StringWithPrivacyFilter output missing PERSON tag: %q", got)
+	}
+}
+
+func TestJSONLContentWithPrivacyFilter_BatchesSingleCall(t *testing.T) {
+	resetOPFConfig()
+	t.Cleanup(resetOPFConfig)
+	origStderr := opfStderr
+	opfStderr = io.Discard
+	t.Cleanup(func() { opfStderr = origStderr })
+
+	fake := &fakeRuntime{spans: []Span{{Start: 0, End: 5, Label: "private_person"}}}
+	ConfigurePrivacyFilterWithRuntime(OPFConfig{
+		Enabled:    true,
+		Categories: map[string]bool{"private_person": true},
+	}, fake)
+
+	// Three distinct prose-shaped leaves; should hit OPF in exactly one batch.
+	content := `{"a":"Alice met Bob","b":"Charlie sat down","c":"Eve walked home","id":"abc123"}`
+	if _, err := JSONLContentWithPrivacyFilter(context.Background(), content); err != nil {
+		t.Fatalf("JSONLContentWithPrivacyFilter: %v", err)
+	}
+	if fake.batchCalls != 1 {
+		t.Errorf("want exactly 1 RedactBatch call, got %d", fake.batchCalls)
+	}
+	if fake.calls != 0 {
+		t.Errorf("want 0 single-input Redact calls, got %d", fake.calls)
+	}
+}
+
+func TestJSONLContentWithPrivacyFilter_FallsBackOnBatchError(t *testing.T) {
+	resetOPFConfig()
+	t.Cleanup(resetOPFConfig)
+	origStderr := opfStderr
+	opfStderr = io.Discard
+	t.Cleanup(func() { opfStderr = origStderr })
+
+	fake := &fakeRuntime{err: errors.New("simulated opf failure")}
+	ConfigurePrivacyFilterWithRuntime(OPFConfig{
+		Enabled:    true,
+		Categories: map[string]bool{"private_person": true},
+	}, fake)
+
+	content := `{"a":"Alice met Bob"}`
+	got, err := JSONLContentWithPrivacyFilter(context.Background(), content)
+	if err != nil {
+		t.Fatalf("want graceful fallback, got error: %v", err)
+	}
+	if got == "" {
+		t.Error("fallback should still return non-empty content")
+	}
+}
+
+// shortReturnRuntime returns FEWER span slices than inputs — a runtime
+// contract violation that would silently leave the tail leaves
+// un-redacted under the old "log warning + proceed" behavior. The fix
+// trips the circuit breaker so the pre-push rewrite aborts before
+// commits are tagged Entire-OPF-Applied: true.
+type shortReturnRuntime struct{}
+
+func (r *shortReturnRuntime) Redact(_ context.Context, _ string, _ []string) ([]Span, error) {
+	return nil, nil
+}
+
+func (r *shortReturnRuntime) RedactBatch(_ context.Context, inputs []string, _ []string) ([][]Span, error) {
+	if len(inputs) == 0 {
+		return nil, nil
+	}
+	// Return exactly ONE span slice regardless of input count — the
+	// violation we're testing for.
+	return [][]Span{nil}, nil
+}
+
+// TestJSONLContentWithPrivacyFilter_ShortReturnTripsBreaker pins the
+// privacy contract: if the OPF runtime returns fewer span slices than
+// inputs, we treat it as a runtime failure (trip the breaker + 7-layer
+// fallback) rather than silently produce under-redacted output. The
+// per-blob caller in the pre-push rewrite then catches the tripped
+// breaker via OPFBreakerTripped() and aborts before CAS.
+func TestJSONLContentWithPrivacyFilter_ShortReturnTripsBreaker(t *testing.T) {
+	resetOPFConfig()
+	t.Cleanup(resetOPFConfig)
+	origStderr := opfStderr
+	opfStderr = io.Discard
+	t.Cleanup(func() { opfStderr = origStderr })
+
+	ConfigurePrivacyFilterWithRuntime(OPFConfig{
+		Enabled:    true,
+		Categories: map[string]bool{"private_person": true},
+	}, &shortReturnRuntime{})
+
+	// Three distinct leaves — the fake will return ONE span slice instead
+	// of three, triggering the short-return path.
+	content := `{"a":"Alice met Bob","b":"Charlie sat down","c":"Eve walked home"}`
+	_, err := JSONLContentWithPrivacyFilter(context.Background(), content)
+	if err != nil {
+		t.Fatalf("short return should fall back to 7-layer (no error), got %v", err)
+	}
+	if !opfBreakerTripped.Load() {
+		t.Error("short return must trip the OPF breaker so the rewrite's post-loop check aborts the push")
+	}
+}
diff --git a/redact/redact.go b/redact/redact.go
index 8e743da4c..aed74330f 100644
--- a/redact/redact.go
+++ b/redact/redact.go
@@ -2,6 +2,7 @@ package redact
 
 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -11,6 +12,7 @@ import (
 	"sort"
 	"strings"
 	"sync"
+	"time"
 
 	"github.com/betterleaks/betterleaks/detect"
 )
@@ -164,6 +166,15 @@ var connectionStringRules = []connectionStringRule{
 // 7. PII detection: email, phone, address patterns (only when configured via ConfigurePII)
 // A string is redacted if ANY method flags it.
 func String(s string) string {
+	return applyRegions(s, detectAllLayers(s))
+}
+
+// detectAllLayers runs the seven always-on/opt-in regex-based redaction
+// layers and returns their tagged regions. The OpenAI Privacy Filter
+// (layer 8) is NOT included — callers that want it append detectOPF spans
+// to the result before passing to applyRegions. See StringWithPrivacyFilter
+// for the augmented flow.
+func detectAllLayers(s string) []taggedRegion {
 	var regions []taggedRegion
 
 	// 1. Entropy-based detection (secrets — always on).
@@ -227,11 +238,16 @@ func String(s string) string {
 	// 7. PII detection (opt-in — only runs when configured).
 	regions = append(regions, detectPII(getPIIConfig(), s)...)
 
+	return regions
+}
+
+// applyRegions sorts, merges, and replaces the given regions in s, returning
+// the redacted string. Returns s unchanged when regions is empty.
+func applyRegions(s string, regions []taggedRegion) string {
 	if len(regions) == 0 {
 		return s
 	}
 
-	// Merge overlapping regions and build result.
 	sort.Slice(regions, func(i, j int) bool {
 		if regions[i].start != regions[j].start {
 			return regions[i].start < regions[j].start
@@ -498,6 +514,33 @@ func JSONLBytes(b []byte) (RedactedBytes, error) {
 	return RedactedBytes{data: []byte(redacted)}, nil
 }
 
+// JSONLBytesWithPrivacyFilter augments JSONLBytes with the OpenAI Privacy
+// Filter. Use only at condensation/export boundaries; per-turn writes must
+// use JSONLBytes.
+func JSONLBytesWithPrivacyFilter(ctx context.Context, b []byte) (RedactedBytes, error) {
+	s := string(b)
+	redacted, err := JSONLContentWithPrivacyFilter(ctx, s)
+	if err != nil {
+		return RedactedBytes{}, err
+	}
+	if redacted == s {
+		return RedactedBytes{data: b}, nil
+	}
+	return RedactedBytes{data: []byte(redacted)}, nil
+}
+
+// BytesWithPrivacyFilter augments Bytes with the OpenAI Privacy Filter for
+// raw (non-JSONL) byte content. Used by checkpoint write paths that handle
+// metadata files which may or may not be JSONL.
+func BytesWithPrivacyFilter(ctx context.Context, b []byte) []byte {
+	s := string(b)
+	redacted := StringWithPrivacyFilter(ctx, s)
+	if redacted == s {
+		return b
+	}
+	return []byte(redacted)
+}
+
 // JSONLContent parses each line as JSON to determine which string values
 // need redaction, then performs targeted replacements on the raw JSON bytes.
 // Lines with no secrets are returned unchanged, preserving original formatting.
@@ -508,6 +551,15 @@ func JSONLBytes(b []byte) (RedactedBytes, error) {
 // is used instead of falling back to entropy-based detection on raw text lines,
 // which would corrupt high-entropy identifiers.
 func JSONLContent(content string) (string, error) {
+	return jsonlContentImpl(content, String)
+}
+
+// jsonlContentImpl is the body of JSONLContent parameterized by a per-leaf
+// redactor. JSONLContent passes String (regex layers only). The OPF-enabled
+// flow uses two passes: one with a collector that records leaves and returns
+// identity, one with a redactor that combines regex layers with cached OPF
+// spans for the recorded leaves.
+func jsonlContentImpl(content string, redactor func(string) string) (string, error) {
 	// Try parsing the entire content as a single JSON value first.
 	// Uses a streaming decoder to avoid copying the full content into []byte.
 	// After decoding, attempts a second Decode to confirm EOF — if it succeeds,
@@ -518,7 +570,7 @@ func JSONLContent(content string) (string, error) {
 		var parsed any
 		if err := dec.Decode(&parsed); err == nil && isSingleJSONValue(dec) {
 			// Content is a single JSON value (object/array) — redact field-aware.
-			result, err := applyJSONReplacements(content, collectJSONLReplacements(parsed))
+			result, err := applyJSONReplacements(content, collectJSONLReplacements(parsed, redactor))
 			if err != nil {
 				return "", err
 			}
@@ -540,10 +592,10 @@ func JSONLContent(content string) (string, error) {
 		}
 		var parsed any
 		if err := json.Unmarshal([]byte(lineTrimmed), &parsed); err != nil {
-			b.WriteString(String(line))
+			b.WriteString(redactor(line))
 			continue
 		}
-		result, err := applyJSONReplacements(line, collectJSONLReplacements(parsed))
+		result, err := applyJSONReplacements(line, collectJSONLReplacements(parsed, redactor))
 		if err != nil {
 			return "", err
 		}
@@ -552,6 +604,104 @@ func JSONLContent(content string) (string, error) {
 	return b.String(), nil
 }
 
+// StringWithPrivacyFilter augments String with the OpenAI Privacy Filter.
+// Use only at condensation/export boundaries; per-turn writes must use
+// String to avoid the OPF shell-out cost inside the agent loop.
+func StringWithPrivacyFilter(ctx context.Context, s string) string {
+	regions := detectAllLayers(s)
+	regions = append(regions, detectOPF(ctx, getOPFConfig(), s)...)
+	return applyRegions(s, regions)
+}
+
+// JSONLContentWithPrivacyFilter augments JSONLContent with the OpenAI
+// Privacy Filter via batched inference. Walks the content twice: pass 1
+// collects unique prose-shaped leaves into a single RedactBatch call;
+// pass 2 applies the seven regex layers per leaf plus the cached OPF spans
+// for that leaf. One OPF shell-out covers the whole transcript instead of
+// one per leaf — without batching, a typical 500-leaf transcript would
+// take many minutes per commit.
+//
+// Falls back to the plain JSONLContent flow when OPF is unconfigured, the
+// breaker is tripped, no categories are enabled, or the batch call errors.
+func JSONLContentWithPrivacyFilter(ctx context.Context, content string) (string, error) {
+	cfg := getOPFConfig()
+	if cfg == nil || !cfg.Enabled || cfg.runtime == nil || opfBreakerTripped.Load() {
+		return jsonlContentImpl(content, String)
+	}
+	cats := enabledCategories(cfg)
+	if len(cats) == 0 {
+		return jsonlContentImpl(content, String)
+	}
+
+	// Pass 1: collect eligible (has-space, deduped) leaves. The collector
+	// closure returns identity so the JSONL walker doesn't mutate content.
+	seen := make(map[string]struct{})
+	var inputs []string
+	if _, err := jsonlContentImpl(content, func(v string) string {
+		if strings.ContainsRune(v, ' ') {
+			if _, ok := seen[v]; !ok {
+				seen[v] = struct{}{}
+				inputs = append(inputs, v)
+			}
+		}
+		return v
+	}); err != nil {
+		return "", err
+	}
+
+	// Pass 2: single batched OPF call.
+	spansByInput := make(map[string][]Span, len(inputs))
+	if len(inputs) > 0 {
+		fmt.Fprintln(opfStderr, "→ OpenAI Privacy Filter: scanning transcript…")
+		start := time.Now()
+		batched, err := cfg.runtime.RedactBatch(ctx, inputs, cats)
+		if err != nil {
+			handleOPFFailure(ctx, cfg, err)
+			return jsonlContentImpl(content, String)
+		}
+		fmt.Fprintf(opfStderr, "✓ OpenAI Privacy Filter: done (%.1fs)\n", time.Since(start).Seconds())
+		// A short return means the runtime gave us fewer span slices than
+		// inputs — the tail leaves would receive zero OPF spans and the
+		// caller would proceed as if OPF had found nothing. That silently
+		// produces under-redacted output and is indistinguishable from a
+		// "no PII present" result. Treat as a runtime contract violation:
+		// trip the breaker so the pre-push rewrite's post-loop
+		// OPFBreakerTripped() check aborts before the Entire-OPF-Applied
+		// trailer can be attached to under-redacted commits. The production
+		// shell-out always returns len(inputs), so this only fires for a
+		// misbehaving custom runtime — but the cost of leaving it dormant
+		// is too high for a privacy contract.
+		if len(batched) != len(inputs) {
+			shortErr := fmt.Errorf("opf runtime returned %d span slices for %d inputs", len(batched), len(inputs))
+			handleOPFFailure(ctx, cfg, shortErr)
+			return jsonlContentImpl(content, String)
+		}
+		for i, in := range inputs {
+			spansByInput[in] = batched[i]
+		}
+	}
+
+	// Pass 3: per-leaf regex layers + cached OPF spans.
+	return jsonlContentImpl(content, func(v string) string {
+		regions := detectAllLayers(v)
+		if spans, ok := spansByInput[v]; ok {
+			for _, sp := range spans {
+				if !cfg.Categories[sp.Label] {
+					continue
+				}
+				if sp.Start < 0 || sp.End > len(v) || sp.Start >= sp.End {
+					continue
+				}
+				regions = append(regions, taggedRegion{
+					region: region{sp.Start, sp.End},
+					label:  mapOPFLabel(sp.Label),
+				})
+			}
+		}
+		return applyRegions(v, regions)
+	})
+}
+
 // applyJSONReplacements applies collected (original, redacted) string pairs
 // to the raw JSON text, replacing JSON-encoded originals with their redacted forms.
 // Returns s unchanged if repls is empty.
@@ -638,9 +788,11 @@ func isSingleJSONValue(dec *json.Decoder) bool {
 	return dec.Decode(&discard) == io.EOF
 }
 
-// collectJSONLReplacements walks a parsed JSON value and collects unique string
-// replacements for values that need redaction.
-func collectJSONLReplacements(v any) []jsonReplacement {
+// collectJSONLReplacements walks a parsed JSON value and collects unique
+// string replacements via the supplied per-leaf redactor. JSONLContent
+// passes String; the OPF-enabled flow passes a closure that combines the
+// regex layers with cached batched OPF spans.
+func collectJSONLReplacements(v any, redactor func(string) string) []jsonReplacement {
 	seen := make(map[string]bool)
 	var repls []jsonReplacement
 	var walk func(key string, credentialContext bool, v any)
@@ -662,7 +814,7 @@ func collectJSONLReplacements(v any) []jsonReplacement {
 				walk("", credentialContext, child)
 			}
 		case string:
-			redacted := String(val)
+			redacted := redactor(val)
 			if redacted == val && isCredentialJSONSecretKey(key, credentialContext) && hasNonPlaceholderPasswordValue(val) {
 				redacted = RedactedPlaceholder
 			}
diff --git a/redact/redact_test.go b/redact/redact_test.go
index 632535fc7..d883676eb 100644
--- a/redact/redact_test.go
+++ b/redact/redact_test.go
@@ -200,7 +200,7 @@ func TestCollectJSONLReplacements_Succeeds(t *testing.T) {
 	obj := map[string]any{
 		"content": "token=" + highEntropySecret,
 	}
-	repls := collectJSONLReplacements(obj)
+	repls := collectJSONLReplacements(obj, String)
 	// expect one replacement for high-entropy secret
 	want := []jsonReplacement{{key: "content", original: "token=" + highEntropySecret, redacted: "REDACTED"}}
 	if !slices.Equal(repls, want) {
@@ -265,7 +265,7 @@ func TestShouldSkipJSONLField_RedactionBehavior(t *testing.T) {
 		"session_id": highEntropySecret,
 		"content":    highEntropySecret,
 	}
-	repls := collectJSONLReplacements(obj)
+	repls := collectJSONLReplacements(obj, String)
 	// Only "content" should produce a replacement; "session_id" should be skipped.
 	if len(repls) != 1 {
 		t.Fatalf("expected 1 replacement, got %d", len(repls))
@@ -913,7 +913,7 @@ func TestShouldSkipJSONLObject_RedactionBehavior(t *testing.T) {
 		"type": "image",
 		"data": highEntropySecret,
 	}
-	repls := collectJSONLReplacements(obj)
+	repls := collectJSONLReplacements(obj, String)
 
 	// expect no replacements, it's an image which is skipped.
 	var wantRepls []jsonReplacement
@@ -926,7 +926,7 @@ func TestShouldSkipJSONLObject_RedactionBehavior(t *testing.T) {
 		"type":    "text",
 		"content": highEntropySecret,
 	}
-	repls2 := collectJSONLReplacements(obj2)
+	repls2 := collectJSONLReplacements(obj2, String)
 	wantRepls2 := []jsonReplacement{{key: "content", original: highEntropySecret, redacted: "REDACTED"}}
 	if !slices.Equal(repls2, wantRepls2) {
 		t.Errorf("got %q, want %q", repls2, wantRepls2)
diff --git a/redact/testhelpers.go b/redact/testhelpers.go
new file mode 100644
index 000000000..af375fcb1
--- /dev/null
+++ b/redact/testhelpers.go
@@ -0,0 +1,11 @@
+package redact
+
+// Cross-package test helpers. Lives in a regular .go file (not
+// export_test.go) so tests in cmd/entire/cli/strategy can call it.
+// The "ForTest" suffix is the production-code-must-not-call signal.
+
+// ResetOPFConfigForTest clears OPF configuration and the circuit
+// breaker. Test-only.
+func ResetOPFConfigForTest() {
+	resetOPFConfig()
+}