From 26be673ea27b14a9fc4049dc376bbd8def6d1f08 Mon Sep 17 00:00:00 2001
From: gus <gustavoraularagon@gmail.com>
Date: Mon, 11 May 2026 18:53:36 -0300
Subject: [PATCH 1/4] visual-artifacts: PR 4 --interactive copy-only mode

Enables the documented interactive layer from the architect spec.
v1 scope is copy-only: /plan and /review get an actions card with
three buttons (copy as prompt / copy as Markdown / copy as JSON
patch). The buttons write to the clipboard via
navigator.clipboard.writeText; nothing else.

Hard rules locked in CI:
- The page's <script> body uses ONLY navigator.clipboard.writeText.
- No fetch, no XMLHttpRequest, no sendBeacon, no localStorage, no
  sessionStorage, no document.cookie, no eval, no new Function, no
  document.write, no window.open, no <form>, no addEventListener
  for submit. CI greps the renderer for each.
- CSP under --interactive adds `script-src 'unsafe-inline'`; static
  CSP keeps the tighter form. Both still lock `base-uri 'none'` and
  `form-action 'none'`.
- The manifest records `interactive: true`.

XSS defense: a payload containing literal `</script>` would close
the surrounding inline <script> block in the HTML parser regardless
of JS quote context. _js_safe_for_script substitutes `</` -> `<\/`
on the JSON-encoded payload before embedding. JSON.parse reads both
forms transparently. The manual-copy <pre> blocks rely on
nano_html_escape so the visible escaped text is also safe.

Payload shapes (built from the normalized JSON so malformed
artifacts still produce useful output):
- /plan:   "Approve the plan" prompt; ## Plan summary Markdown;
           {action: "plan.approve", ...} JSON patch.
- /review: "Address review findings" prompt; severity table
           Markdown; {action: "review.triage", blocking_ids,
           should_fix_ids, scope_drift} JSON patch.

CI extensions:
- 5 new e2e cells (23d-23h): copy buttons present in interactive,
  absent in static; interactive CSP allows script-src; forbidden
  APIs absent from rendered HTML; review interactive payload;
  </script>-in-payload XSS containment.
- 7 new template safety checks (16-19): _js_safe_for_script wired,
  interactive CSP arm, no document.write / window.open / form
  submit listeners.
- check_absent now ignores comment lines so documenting the
  forbidden APIs in source comments does not fail the lint.

Test counts:
- e2e: 266 -> 304 (+38)
- template: 31 -> 38 (+7)
- Total contract surface: 297 -> 342
---
 bin/lib/visual-render.sh              |   4 +
 bin/render-artifact.sh                | 189 ++++++++++++++++++++++++--
 ci/check-visual-artifact-templates.sh |  39 +++++-
 ci/e2e-visual-artifacts.sh            |  96 ++++++++++++-
 4 files changed, 312 insertions(+), 16 deletions(-)

diff --git a/bin/lib/visual-render.sh b/bin/lib/visual-render.sh
index b37e9da..8282fe3 100644
--- a/bin/lib/visual-render.sh
+++ b/bin/lib/visual-render.sh
@@ -382,6 +382,10 @@ nano_visual_page_start() {
     .chip.sev-ok { color: var(--ok); border-color: var(--ok); }
     .pr-link { color: var(--info); }
     .unsafe-url { color: var(--bad); font-family: monospace; }
+    .copy-row { display: flex; flex-wrap: wrap; gap: 8px; align-items: center; margin-bottom: 12px; }
+    .copy-btn { background: var(--panel-2); color: var(--fg); border: 1px solid var(--line); border-radius: 6px; padding: 6px 12px; cursor: pointer; font: inherit; font-size: 0.9rem; }
+    .copy-btn:hover, .copy-btn:focus { background: var(--panel); border-color: var(--info); color: var(--info); }
+    .copy-status { color: var(--muted); font-size: 0.85rem; }
   </style>
 </head>
 <body>
diff --git a/bin/render-artifact.sh b/bin/render-artifact.sh
index e25ac0a..5f1bb0f 100755
--- a/bin/render-artifact.sh
+++ b/bin/render-artifact.sh
@@ -10,10 +10,12 @@
 #                              [--interactive] [--out <path>]
 #                              [--manifest-only]
 #
-# PR 1 scope: /plan renderer + manifest + safety locks. Other phases
-# exit 1 with a clear "phase not yet supported" message; PR 2 wires
-# think/review/security/qa/ship. journal/stack are reserved for PR 3
-# (exit 2). --interactive is reserved for PR 4 (exit 2).
+# PR 1 scope: /plan renderer + manifest + safety locks.
+# PR 2 wires think/review/security/qa/ship.
+# PR 3 wires journal/stack aggregate views.
+# PR 4 adds --interactive for copy-only buttons on /plan and /review
+# (copy as prompt / Markdown / JSON patch). No filesystem writes,
+# no network calls, no form submission.
 
 set -e
 
@@ -49,7 +51,10 @@ PR 1+2+3 scope:
 
 Flags:
   --strict                   require nano_artifact_trust == verified
-  --interactive              reserved for PR 4 (exit 2)
+  --interactive              enable copy-only interactive controls (PR 4 scope:
+                             /plan and /review get "copy as prompt", "copy as Markdown",
+                             and "copy as JSON patch" buttons; no filesystem writes,
+                             no network calls, no form submission)
   --out <path>               write HTML to explicit path under \$NANOSTACK_STORE/visual
   --manifest-only            write manifest only, skip HTML
   --latest                   resolve via find-artifact.sh (default if no path)
@@ -89,10 +94,7 @@ while [ $# -gt 0 ]; do
   case "$1" in
     --latest)         USE_LATEST=true ;;
     --strict)         STRICT=true ;;
-    --interactive)
-      echo "render-artifact: --interactive is reserved for PR 4 (copy-only interactive mode)" >&2
-      exit 2
-      ;;
+    --interactive)  INTERACTIVE=true ;;
     --manifest-only)  MANIFEST_ONLY=true ;;
     --out)
       shift
@@ -487,6 +489,36 @@ HTML
     printf '      </ul>\n'
   fi
   printf '    </section>\n'
+
+  # PR 4 interactive: copy buttons that export the plan back to the
+  # agent in the requested shape. Built from the normalized JSON so
+  # malformed shapes still produce useful payloads.
+  if [ "${INTERACTIVE:-false}" = true ]; then
+    local plan_prompt plan_markdown plan_json_patch
+    plan_prompt=$(printf '%s' "$norm" | jq -r '
+      "Approve the plan and continue.\n" +
+      "Goal: " + (.summary.goal // "Not recorded") + "\n" +
+      "Scope: " + (.summary.scope // "Not recorded") + "\n" +
+      "Planned files:\n  - " + ((.summary.planned_files // []) | join("\n  - ")) + "\n" +
+      "Risks:\n  - " + ((.summary.risks // []) | join("\n  - "))
+    ')
+    plan_markdown=$(printf '%s' "$norm" | jq -r '
+      "## Plan summary\n\n" +
+      "- **Goal:** " + (.summary.goal // "Not recorded") + "\n" +
+      "- **Scope:** " + (.summary.scope // "Not recorded") + "\n" +
+      "- **Approval:** " + (.summary.plan_approval // "Not recorded") + "\n\n" +
+      "### Planned files\n\n" +
+      ((.summary.planned_files // []) | map("- `" + . + "`") | join("\n"))
+    ')
+    plan_json_patch=$(printf '%s' "$norm" | jq -c '{
+      action: "plan.approve",
+      goal: .summary.goal,
+      scope: .summary.scope,
+      planned_files: .summary.planned_files,
+      out_of_scope: .summary.out_of_scope
+    }')
+    render_copy_actions "$plan_prompt" "$plan_markdown" "$plan_json_patch"
+  fi
 }
 
 # Shared helper: find the latest artifact for <phase>, surfacing
@@ -678,6 +710,40 @@ HTML
   render_findings_section "$norm" "Review findings"
 
   render_context_checkpoint "$norm"
+
+  # PR 4 interactive: review triage payloads. The agent can paste
+  # the prompt back to drive a re-review or accept the findings
+  # as-is.
+  if [ "${INTERACTIVE:-false}" = true ]; then
+    local review_prompt review_markdown review_json_patch
+    review_prompt=$(printf '%s' "$norm" | jq -r '
+      "Address the review findings before /ship.\n" +
+      "Summary: " + (.summary.blocking|tostring) + " blocking / " +
+                   (.summary.should_fix|tostring) + " should-fix / " +
+                   (.summary.nitpicks|tostring) + " nitpicks\n" +
+      "Scope drift: " + (.scope_drift.status // "unknown") + "\n" +
+      "Now-fix:\n  - " +
+      ((.findings // []) | map(select(.severity == "blocking" or .severity == "should_fix")) | map(.description) | join("\n  - "))
+    ')
+    review_markdown=$(printf '%s' "$norm" | jq -r '
+      "## Review findings\n\n" +
+      "| Severity | Count |\n|----|----|\n" +
+      "| Blocking | " + (.summary.blocking|tostring) + " |\n" +
+      "| Should fix | " + (.summary.should_fix|tostring) + " |\n" +
+      "| Nitpicks | " + (.summary.nitpicks|tostring) + " |\n" +
+      "| Positive | " + (.summary.positive|tostring) + " |\n\n" +
+      "### Now-fix\n\n" +
+      ((.findings // []) | map(select(.severity == "blocking" or .severity == "should_fix"))
+        | map("- **" + (.severity // "?") + "**: " + (.description // "")) | join("\n"))
+    ')
+    review_json_patch=$(printf '%s' "$norm" | jq -c '{
+      action: "review.triage",
+      blocking_ids: ((.findings // []) | map(select(.severity == "blocking") | .id)),
+      should_fix_ids: ((.findings // []) | map(select(.severity == "should_fix") | .id)),
+      scope_drift: .scope_drift.status
+    }')
+    render_copy_actions "$review_prompt" "$review_markdown" "$review_json_patch"
+  fi
 }
 
 render_security_body() {
@@ -897,6 +963,105 @@ render_findings_section() {
   printf '    </section>\n'
 }
 
+# ─── Copy-only interactive controls (PR 4) ──────────────────
+#
+# Emits an actions card with three buttons (copy as prompt / copy as
+# Markdown / copy as JSON patch). Each button copies a pre-computed
+# payload to the clipboard. The script uses only
+# navigator.clipboard.writeText; no fetch, no XHR, no localStorage,
+# no form submission. CI lockes those forbidden APIs.
+#
+# Payloads are passed as JSON-encoded strings (via nano_json_string)
+# so embedded quotes, newlines, and control characters stay safe.
+# Each payload is also rendered as a <details><pre>...</pre> block
+# so the user can read and copy manually if the browser blocks
+# clipboard access (e.g. file:// without explicit permission).
+render_copy_actions() {
+  local prompt_payload="$1"
+  local markdown_payload="$2"
+  local json_payload="$3"
+  if [ "${INTERACTIVE:-false}" != true ]; then
+    return 0
+  fi
+
+  # Encode each payload as a JSON string literal so the inline JS
+  # can read it via JSON.parse. nano_json_string emits the full
+  # quoted form including the outer ". Critically: when embedding a
+  # JSON string INSIDE <script>...</script>, any `</` must be
+  # escaped to `<\/` because the HTML parser closes the script tag
+  # at the first literal `</script>` regardless of JS context. Any
+  # following content executes as a new <script> block. JSON.parse
+  # accepts the `<\/` form transparently, so this only hardens the
+  # surrounding HTML parser without changing the runtime payload.
+  _js_safe_for_script() {
+    sed 's|</|<\\/|g'
+  }
+  local p_js m_js j_js
+  p_js=$(printf '%s' "$prompt_payload" | nano_json_string | _js_safe_for_script)
+  m_js=$(printf '%s' "$markdown_payload" | nano_json_string | _js_safe_for_script)
+  j_js=$(printf '%s' "$json_payload" | nano_json_string | _js_safe_for_script)
+
+  # Visible escaped versions for the manual-copy <pre> blocks.
+  local p_html m_html j_html
+  p_html=$(printf '%s' "$prompt_payload" | nano_html_escape)
+  m_html=$(printf '%s' "$markdown_payload" | nano_html_escape)
+  j_html=$(printf '%s' "$json_payload" | nano_html_escape)
+
+  cat <<HTML
+    <section class="card" data-testid="copy-actions" data-interactive="1">
+      <h2>Copy back to the agent</h2>
+      <p class="muted">Local clipboard only. No data leaves your machine.</p>
+      <div class="copy-row">
+        <button type="button" class="copy-btn" data-payload-id="copy-prompt" data-format="prompt">Copy as prompt</button>
+        <button type="button" class="copy-btn" data-payload-id="copy-markdown" data-format="markdown">Copy as Markdown</button>
+        <button type="button" class="copy-btn" data-payload-id="copy-json" data-format="json-patch">Copy as JSON patch</button>
+        <span class="copy-status" data-testid="copy-status" aria-live="polite"></span>
+      </div>
+      <details>
+        <summary>Prompt payload (manual copy)</summary>
+        <pre data-testid="copy-prompt-pre">$p_html</pre>
+      </details>
+      <details>
+        <summary>Markdown payload (manual copy)</summary>
+        <pre data-testid="copy-markdown-pre">$m_html</pre>
+      </details>
+      <details>
+        <summary>JSON-patch payload (manual copy)</summary>
+        <pre data-testid="copy-json-pre">$j_html</pre>
+      </details>
+      <script>
+/* Interactive contract: clipboard write only. No fetch, no XHR, no
+   form submission, no storage, no eval. CI greps this file (and the
+   shared shell) for forbidden APIs. */
+(function () {
+  var payloads = {
+    "copy-prompt": $p_js,
+    "copy-markdown": $m_js,
+    "copy-json": $j_js
+  };
+  var buttons = document.querySelectorAll('button.copy-btn');
+  var status = document.querySelector('[data-testid="copy-status"]');
+  function announce(msg) { if (status) { status.textContent = msg; } }
+  buttons.forEach(function (btn) {
+    btn.addEventListener('click', function () {
+      var id = btn.getAttribute('data-payload-id');
+      var text = payloads[id] || '';
+      if (navigator.clipboard && navigator.clipboard.writeText) {
+        navigator.clipboard.writeText(text).then(
+          function () { announce('Copied. Paste into the agent.'); },
+          function () { announce('Clipboard blocked. Use the manual copy below.'); }
+        );
+      } else {
+        announce('Clipboard API unavailable. Use the manual copy below.');
+      }
+    });
+  });
+})();
+      </script>
+    </section>
+HTML
+}
+
 # Shared helper for the context checkpoint card. Every core phase has
 # the same checkpoint shape; centralizing keeps the visual identity
 # consistent.
@@ -1563,7 +1728,9 @@ CREATED_AT=$(date -u +%Y-%m-%dT%H:%M:%SZ)
 # survives outside.
 if [ "$MANIFEST_ONLY" != true ]; then
   {
-    nano_visual_page_start "$PHASE" "$TRUST" "static"
+    csp_mode="static"
+    [ "$INTERACTIVE" = true ] && csp_mode="interactive"
+    nano_visual_page_start "$PHASE" "$TRUST" "$csp_mode"
 
     if [ "$SCHEMA_OK" = false ]; then
       printf '    <div class="schema-warning" data-testid="schema-warning">%s</div>\n' \
@@ -1618,7 +1785,7 @@ jq -n \
   --arg phase "$PHASE" \
   --argjson custom_phase false \
   --arg format "html" \
-  --argjson interactive false \
+  --argjson interactive "$($INTERACTIVE && echo true || echo false)" \
   --argjson strict "$($STRICT && echo true || echo false)" \
   --argjson source_artifacts "$SOURCE_ARTIFACTS_JSON" \
   --arg output_path "$HTML_PATH" \
diff --git a/ci/check-visual-artifact-templates.sh b/ci/check-visual-artifact-templates.sh
index 6c94c7e..ee0564d 100755
--- a/ci/check-visual-artifact-templates.sh
+++ b/ci/check-visual-artifact-templates.sh
@@ -38,12 +38,18 @@ check_absent() {
   local name="$1"; local pattern="$2"; shift 2
   local files=("$@")
   # `-e -- ` so a pattern starting with `-` (e.g. `--no-session-sync`)
-  # is not interpreted as a grep flag.
-  if grep -nE -e "$pattern" -- "${files[@]}" >/dev/null 2>&1; then
+  # is not interpreted as a grep flag. Exclude comment lines (PR 4):
+  # documenting the forbidden APIs in comments is fine, only actual
+  # source uses fail the lint.
+  local hits
+  hits=$(grep -nE -e "$pattern" -- "${files[@]}" 2>/dev/null \
+    | grep -v '^[^:]*:[0-9]*:[[:space:]]*#' \
+    || true)
+  if [ -n "$hits" ]; then
     FAIL=$((FAIL+1))
     printf "  ${RED}FAIL${NC}  %s\n" "$name"
     printf "         ${DIM}pattern: %s${NC}\n" "$pattern"
-    grep -nE -e "$pattern" -- "${files[@]}" | sed 's/^/         /' || true
+    printf '%s\n' "$hits" | sed 's/^/         /'
   else
     PASS=$((PASS+1))
     printf "  ${GREEN}OK${NC}    %s\n" "$name"
@@ -201,6 +207,33 @@ check_absent "no SVG <image href" \
 check_absent "no SVG <foreignObject" \
   '<foreignObject' "bin/render-artifact.sh" "bin/lib/visual-render.sh"
 
+# 17. PR 4: interactive copy-only contract. The inline script body
+# must use ONLY navigator.clipboard.writeText. Everything that
+# could exfiltrate or persist is forbidden in renderer code.
+check_present "render_copy_actions uses navigator.clipboard.writeText" \
+  'navigator\.clipboard\.writeText' "bin/render-artifact.sh"
+check_present "render_copy_actions escapes </ in JS payloads" \
+  '_js_safe_for_script' "bin/render-artifact.sh"
+check_present "interactive CSP defines script-src" \
+  "script-src 'unsafe-inline'" "bin/lib/visual-render.sh"
+
+# 18. PR 4: confirm the static CSP path does NOT include
+# script-src. The shared helper has two arms in nano_visual_csp;
+# only the interactive arm should mention script-src.
+check_present "nano_visual_csp has separate static and interactive arms" \
+  'interactive\)' "bin/lib/visual-render.sh"
+
+# 19. PR 4: no forbidden APIs anywhere in the renderer code that
+# could end up in the rendered HTML. This re-runs the absence sweep
+# already in check 2-4 but explicitly under the interactive-mode
+# expansion lens.
+check_absent "no document.write" \
+  'document\.write' "bin/render-artifact.sh" "bin/lib/visual-render.sh"
+check_absent "no window.open" \
+  'window\.open' "bin/render-artifact.sh" "bin/lib/visual-render.sh"
+check_absent "no addEventListener for form submission" \
+  "addEventListener\\(['\"]submit" "bin/render-artifact.sh" "bin/lib/visual-render.sh"
+
 TOTAL=$((PASS+FAIL))
 printf "\n  %s/%s checks passed\n" "$PASS" "$TOTAL"
 if [ "$FAIL" -gt 0 ]; then
diff --git a/ci/e2e-visual-artifacts.sh b/ci/e2e-visual-artifacts.sh
index 3a72b5f..eece6c8 100755
--- a/ci/e2e-visual-artifacts.sh
+++ b/ci/e2e-visual-artifacts.sh
@@ -434,8 +434,7 @@ setup_project "$PROJ"
 export NANOSTACK_STORE="$PROJ/.nanostack"
 mkdir -p "$NANOSTACK_STORE"
 (cd "$PROJ" && save_valid_plan "$NANOSTACK_STORE")
-assert_exit "--interactive reserved (exit 2)" 2 \
-  sh -c "cd '$PROJ' && '$REPO/bin/render-artifact.sh' plan --latest --interactive"
+: # --interactive is enabled in PR 4 (no longer reserved). Tested by cells 23d-23h.
 
 # ─── Cell 7: --manifest-only ────────────────────────────────
 printf "\n  ${DIM}Cell 7: --manifest-only${NC}\n"
@@ -1436,6 +1435,99 @@ FIRST_PATH=$(jq -r '.source_artifacts[0].path' "$MFST")
 assert_true "default stack manifest records config.json" \
   sh -c "echo '$FIRST_PATH' | grep -q '\.nanostack/config\.json$'"
 
+# ─── Cell 23d: --interactive emits copy buttons (PR 4) ──────
+printf "\n  ${DIM}Cell 23d: --interactive emits copy buttons (PR 4)${NC}\n"
+PROJ="$TMP_ROOT/cell23d"
+setup_project "$PROJ"
+export NANOSTACK_STORE="$PROJ/.nanostack"
+mkdir -p "$NANOSTACK_STORE"
+(cd "$PROJ" && save_valid_plan "$NANOSTACK_STORE")
+HTML=$(cd "$PROJ" && "$REPO/bin/render-artifact.sh" plan --latest --interactive)
+assert_true "interactive plan html exists" test -f "$HTML"
+assert_contains "interactive plan has copy-actions section" "$HTML" 'data-testid="copy-actions"'
+assert_contains "interactive plan has data-interactive=1" "$HTML" 'data-interactive="1"'
+assert_contains "interactive plan has copy-prompt button" "$HTML" 'data-payload-id="copy-prompt"'
+assert_contains "interactive plan has copy-markdown button" "$HTML" 'data-payload-id="copy-markdown"'
+assert_contains "interactive plan has copy-json button" "$HTML" 'data-payload-id="copy-json"'
+assert_contains "interactive plan has copy-status target" "$HTML" 'data-testid="copy-status"'
+assert_contains "interactive plan has manual-copy <pre> for prompt" "$HTML" 'data-testid="copy-prompt-pre"'
+assert_contains "interactive plan uses navigator.clipboard.writeText" "$HTML" 'navigator.clipboard.writeText'
+# Capture the interactive manifest BEFORE the static render so a
+# later mtime sort cannot pick the wrong one.
+MFST_I=$(ls -t "$NANOSTACK_STORE/visual/manifests/"*plan*.manifest.json | head -1)
+assert_true "interactive manifest records interactive: true" \
+  sh -c "[ \"\$(jq -r .interactive '$MFST_I')\" = 'true' ]"
+# Without --interactive, NO copy section.
+HTML_S=$(cd "$PROJ" && "$REPO/bin/render-artifact.sh" plan --latest)
+assert_not_contains "static plan has NO copy-actions" "$HTML_S" 'data-testid="copy-actions"'
+assert_not_contains "static CSP does NOT allow script-src" "$HTML_S" "script-src 'unsafe-inline'"
+
+# ─── Cell 23e: --interactive CSP allows inline script (PR 4) ─
+printf "\n  ${DIM}Cell 23e: interactive CSP (PR 4)${NC}\n"
+PROJ="$TMP_ROOT/cell23e"
+setup_project "$PROJ"
+export NANOSTACK_STORE="$PROJ/.nanostack"
+mkdir -p "$NANOSTACK_STORE"
+(cd "$PROJ" && save_valid_plan "$NANOSTACK_STORE")
+HTML=$(cd "$PROJ" && "$REPO/bin/render-artifact.sh" plan --latest --interactive)
+assert_contains "interactive CSP includes script-src 'unsafe-inline'" "$HTML" "script-src 'unsafe-inline'"
+assert_contains "interactive CSP still locks default-src 'none'" "$HTML" "default-src 'none'"
+assert_contains "interactive CSP still locks form-action 'none'" "$HTML" "form-action 'none'"
+# Static still has the tighter CSP.
+HTML_S=$(cd "$PROJ" && "$REPO/bin/render-artifact.sh" plan --latest)
+assert_not_contains "static CSP has NO script-src directive" "$HTML_S" "script-src"
+
+# ─── Cell 23f: interactive output is forbidden-API free (PR 4) ─
+printf "\n  ${DIM}Cell 23f: forbidden APIs absent from interactive output (PR 4)${NC}\n"
+PROJ="$TMP_ROOT/cell23f"
+setup_project "$PROJ"
+export NANOSTACK_STORE="$PROJ/.nanostack"
+mkdir -p "$NANOSTACK_STORE"
+(cd "$PROJ" && save_valid_plan "$NANOSTACK_STORE")
+(cd "$PROJ" && save_valid_review "$NANOSTACK_STORE")
+HTML_P=$(cd "$PROJ" && "$REPO/bin/render-artifact.sh" plan --latest --interactive)
+HTML_R=$(cd "$PROJ" && "$REPO/bin/render-artifact.sh" review --latest --interactive)
+for h in "$HTML_P" "$HTML_R"; do
+  assert_not_contains "no fetch( in $(basename $h)" "$h" "fetch("
+  assert_not_contains "no XMLHttpRequest in $(basename $h)" "$h" "XMLHttpRequest"
+  assert_not_contains "no sendBeacon in $(basename $h)" "$h" "sendBeacon"
+  assert_not_contains "no localStorage in $(basename $h)" "$h" "localStorage"
+  assert_not_contains "no sessionStorage in $(basename $h)" "$h" "sessionStorage"
+  assert_not_contains "no document.cookie in $(basename $h)" "$h" "document.cookie"
+  assert_not_contains "no eval( in $(basename $h)" "$h" "eval("
+  assert_not_contains "no new Function in $(basename $h)" "$h" "new Function"
+  assert_not_contains "no <form in $(basename $h)" "$h" "<form"
+  # Only external URL allowed: github.com PR links (PR 2 ship);
+  # otherwise no http(s):// inside script body.
+done
+
+# ─── Cell 23g: interactive review has copy buttons (PR 4) ───
+printf "\n  ${DIM}Cell 23g: interactive review (PR 4)${NC}\n"
+HTML=$HTML_R
+assert_contains "interactive review has copy-actions" "$HTML" 'data-testid="copy-actions"'
+# Review's prompt payload references review-specific terms.
+assert_contains "interactive review prompt mentions findings" "$HTML" 'review findings before /ship'
+
+# ─── Cell 23h: </script> in payload does NOT break out of inline script (PR 4 XSS) ─
+printf "\n  ${DIM}Cell 23h: </script> payload XSS containment (PR 4)${NC}\n"
+PROJ="$TMP_ROOT/cell23h"
+setup_project "$PROJ"
+export NANOSTACK_STORE="$PROJ/.nanostack"
+mkdir -p "$NANOSTACK_STORE"
+(cd "$PROJ" && NANOSTACK_STORE="$NANOSTACK_STORE" "$REPO/bin/save-artifact.sh" plan '{
+  "phase":"plan",
+  "summary":{"goal":"\"</script><script>alert(\"XSS\")</script>","scope":"s","planned_files":["</script>"],"plan_approval":"manual"},
+  "context_checkpoint":{"summary":"x","key_files":[],"decisions_made":[],"open_questions":[]}
+}' >/dev/null)
+HTML=$(cd "$PROJ" && "$REPO/bin/render-artifact.sh" plan --latest --interactive)
+# The malicious sequence must NOT appear as literal `</script><script>` anywhere.
+LIT_COUNT=$(grep -o '</script><script>' "$HTML" | wc -l | tr -d ' ')
+assert_true "no raw </script><script> sequence in interactive output" sh -c "[ '$LIT_COUNT' = '0' ]"
+# The escaped form should appear (proves we transformed it).
+assert_contains "escaped <\\/script> form present" "$HTML" '<\/script>'
+# Manual copy <pre> is HTML-escaped.
+assert_contains "manual-copy <pre> shows escaped tag" "$HTML" '&lt;/script&gt;'
+
 # ─── Cell 9a: --out works on fresh store (PR 1 pass 1 regression) ─
 printf "\n  ${DIM}Cell 9a: --out on fresh store (PR 1 pass 1 regression)${NC}\n"
 PROJ="$TMP_ROOT/cell9a"

From 487f99062d7cfed6d730896f6832955d02e8ffd6 Mon Sep 17 00:00:00 2001
From: gus <gustavoraularagon@gmail.com>
Date: Mon, 11 May 2026 18:58:55 -0300
Subject: [PATCH 2/4] visual-artifacts: scope --interactive to plan/review +
 coerce types
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Three codex PR 4 pass 1 findings.

P2 — --interactive widened CSP for unsupported phases
Passing --interactive to security/qa/ship/think/journal/stack
still switched the page CSP to `script-src 'unsafe-inline'` and
wrote interactive: true in the manifest even though no copy
controls were emitted. Reject --interactive outside /plan and
/review with exit 1 so the wider policy never applies to a page
that has no script body.

P2 — plan copy payloads crashed on non-string fields
A schema-warning plan with .summary.goal as a number,
.summary.planned_files containing integers, or .summary.risks
containing objects made jq exit 5 on the string concatenation /
join in the copy payload builders. Wrap every concatenated value
with `tostring` and every list element with `map(tostring)`.

P2 — review copy payloads had the same gap
.summary.blocking as a string, .scope_drift.status as a number,
or a finding .description as an object would crash the jq
builders. Same `tostring` coercion for every concatenated value.

Regression cells:
- 23i: --interactive rejected with exit 1 for security/qa/ship/
  think/journal/stack.
- 23j: schema-warning plan (numeric goal, object risks) renders
  HTML under --interactive.
- 23k: schema-warning review (string blocking count, numeric scope
  drift, object description) renders HTML under --interactive.

Test count: 304 -> 312.
---
 bin/render-artifact.sh     | 66 +++++++++++++++++++++++++++-----------
 ci/e2e-visual-artifacts.sh | 66 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 113 insertions(+), 19 deletions(-)

diff --git a/bin/render-artifact.sh b/bin/render-artifact.sh
index 5f1bb0f..00c8809 100755
--- a/bin/render-artifact.sh
+++ b/bin/render-artifact.sh
@@ -94,7 +94,13 @@ while [ $# -gt 0 ]; do
   case "$1" in
     --latest)         USE_LATEST=true ;;
     --strict)         STRICT=true ;;
-    --interactive)  INTERACTIVE=true ;;
+    --interactive)
+      # Codex PR 4 pass 1: --interactive widens the CSP to allow
+      # inline script. Only enable it for phases that actually emit
+      # copy controls (plan and review in v1) so the wider policy
+      # never applies where it has no purpose.
+      INTERACTIVE=true
+      ;;
     --manifest-only)  MANIFEST_ONLY=true ;;
     --out)
       shift
@@ -168,6 +174,21 @@ case "$PHASE" in
     ;;
 esac
 
+# Codex PR 4 pass 1: --interactive is supported only for /plan and
+# /review in v1. Reject elsewhere with exit 1 so the wider CSP
+# (script-src 'unsafe-inline') never applies to phases that emit no
+# copy controls. The architect's spec already scoped interactive UI
+# to those two phases.
+if [ "$INTERACTIVE" = true ]; then
+  case "$PHASE" in
+    plan|review) ;;
+    *)
+      echo "render-artifact: --interactive is supported only for /plan and /review in PR 4" >&2
+      exit 1
+      ;;
+  esac
+fi
+
 # Default the journal date to today if neither --today nor --date
 # was supplied (codex PR 3 pass 2: bare `journal` left this empty
 # and the page banner read "journal · " with the filename containing
@@ -495,20 +516,23 @@ HTML
   # malformed shapes still produce useful payloads.
   if [ "${INTERACTIVE:-false}" = true ]; then
     local plan_prompt plan_markdown plan_json_patch
+    # Coerce every payload field with tostring/map(tostring) so a
+    # schema-warning artifact (numbers, objects, nulls in unexpected
+    # places) cannot crash jq under set -e. Codex PR 4 pass 1.
     plan_prompt=$(printf '%s' "$norm" | jq -r '
       "Approve the plan and continue.\n" +
-      "Goal: " + (.summary.goal // "Not recorded") + "\n" +
-      "Scope: " + (.summary.scope // "Not recorded") + "\n" +
-      "Planned files:\n  - " + ((.summary.planned_files // []) | join("\n  - ")) + "\n" +
-      "Risks:\n  - " + ((.summary.risks // []) | join("\n  - "))
+      "Goal: " + ((.summary.goal // "Not recorded") | tostring) + "\n" +
+      "Scope: " + ((.summary.scope // "Not recorded") | tostring) + "\n" +
+      "Planned files:\n  - " + ((.summary.planned_files // []) | map(tostring) | join("\n  - ")) + "\n" +
+      "Risks:\n  - " + ((.summary.risks // []) | map(tostring) | join("\n  - "))
     ')
     plan_markdown=$(printf '%s' "$norm" | jq -r '
       "## Plan summary\n\n" +
-      "- **Goal:** " + (.summary.goal // "Not recorded") + "\n" +
-      "- **Scope:** " + (.summary.scope // "Not recorded") + "\n" +
-      "- **Approval:** " + (.summary.plan_approval // "Not recorded") + "\n\n" +
+      "- **Goal:** " + ((.summary.goal // "Not recorded") | tostring) + "\n" +
+      "- **Scope:** " + ((.summary.scope // "Not recorded") | tostring) + "\n" +
+      "- **Approval:** " + ((.summary.plan_approval // "Not recorded") | tostring) + "\n\n" +
       "### Planned files\n\n" +
-      ((.summary.planned_files // []) | map("- `" + . + "`") | join("\n"))
+      ((.summary.planned_files // []) | map(tostring) | map("- `" + . + "`") | join("\n"))
     ')
     plan_json_patch=$(printf '%s' "$norm" | jq -c '{
       action: "plan.approve",
@@ -716,25 +740,29 @@ HTML
   # as-is.
   if [ "${INTERACTIVE:-false}" = true ]; then
     local review_prompt review_markdown review_json_patch
+    # Coerce every concatenated field with tostring (codex PR 4
+    # pass 1). A schema-warning review with .summary.blocking as a
+    # string or .scope_drift.status as a number would otherwise
+    # crash jq under set -e.
     review_prompt=$(printf '%s' "$norm" | jq -r '
       "Address the review findings before /ship.\n" +
-      "Summary: " + (.summary.blocking|tostring) + " blocking / " +
-                   (.summary.should_fix|tostring) + " should-fix / " +
-                   (.summary.nitpicks|tostring) + " nitpicks\n" +
-      "Scope drift: " + (.scope_drift.status // "unknown") + "\n" +
+      "Summary: " + ((.summary.blocking // 0) | tostring) + " blocking / " +
+                   ((.summary.should_fix // 0) | tostring) + " should-fix / " +
+                   ((.summary.nitpicks // 0) | tostring) + " nitpicks\n" +
+      "Scope drift: " + ((.scope_drift.status // "unknown") | tostring) + "\n" +
       "Now-fix:\n  - " +
-      ((.findings // []) | map(select(.severity == "blocking" or .severity == "should_fix")) | map(.description) | join("\n  - "))
+      ((.findings // []) | map(select(.severity == "blocking" or .severity == "should_fix")) | map((.description // "(no description)") | tostring) | join("\n  - "))
     ')
     review_markdown=$(printf '%s' "$norm" | jq -r '
       "## Review findings\n\n" +
       "| Severity | Count |\n|----|----|\n" +
-      "| Blocking | " + (.summary.blocking|tostring) + " |\n" +
-      "| Should fix | " + (.summary.should_fix|tostring) + " |\n" +
-      "| Nitpicks | " + (.summary.nitpicks|tostring) + " |\n" +
-      "| Positive | " + (.summary.positive|tostring) + " |\n\n" +
+      "| Blocking | " + ((.summary.blocking // 0) | tostring) + " |\n" +
+      "| Should fix | " + ((.summary.should_fix // 0) | tostring) + " |\n" +
+      "| Nitpicks | " + ((.summary.nitpicks // 0) | tostring) + " |\n" +
+      "| Positive | " + ((.summary.positive // 0) | tostring) + " |\n\n" +
       "### Now-fix\n\n" +
       ((.findings // []) | map(select(.severity == "blocking" or .severity == "should_fix"))
-        | map("- **" + (.severity // "?") + "**: " + (.description // "")) | join("\n"))
+        | map("- **" + ((.severity // "?") | tostring) + "**: " + ((.description // "") | tostring)) | join("\n"))
     ')
     review_json_patch=$(printf '%s' "$norm" | jq -c '{
       action: "review.triage",
diff --git a/ci/e2e-visual-artifacts.sh b/ci/e2e-visual-artifacts.sh
index eece6c8..b1ae482 100755
--- a/ci/e2e-visual-artifacts.sh
+++ b/ci/e2e-visual-artifacts.sh
@@ -1528,6 +1528,72 @@ assert_contains "escaped <\\/script> form present" "$HTML" '<\/script>'
 # Manual copy <pre> is HTML-escaped.
 assert_contains "manual-copy <pre> shows escaped tag" "$HTML" '&lt;/script&gt;'
 
+# ─── Cell 23i: --interactive rejected outside plan/review (PR 4 pass 1) ─
+printf "\n  ${DIM}Cell 23i: --interactive scope (PR 4 pass 1)${NC}\n"
+PROJ="$TMP_ROOT/cell23i"
+setup_project "$PROJ"
+export NANOSTACK_STORE="$PROJ/.nanostack"
+mkdir -p "$NANOSTACK_STORE"
+(cd "$PROJ" && save_valid_security "$NANOSTACK_STORE")
+(cd "$PROJ" && save_valid_qa "$NANOSTACK_STORE")
+(cd "$PROJ" && save_valid_ship "$NANOSTACK_STORE")
+(cd "$PROJ" && save_valid_think "$NANOSTACK_STORE")
+assert_exit "security --interactive rejected" 1 \
+  sh -c "cd '$PROJ' && '$REPO/bin/render-artifact.sh' security --latest --interactive"
+assert_exit "qa --interactive rejected" 1 \
+  sh -c "cd '$PROJ' && '$REPO/bin/render-artifact.sh' qa --latest --interactive"
+assert_exit "ship --interactive rejected" 1 \
+  sh -c "cd '$PROJ' && '$REPO/bin/render-artifact.sh' ship --latest --interactive"
+assert_exit "think --interactive rejected" 1 \
+  sh -c "cd '$PROJ' && '$REPO/bin/render-artifact.sh' think --latest --interactive"
+assert_exit "journal --interactive rejected" 1 \
+  sh -c "cd '$PROJ' && '$REPO/bin/render-artifact.sh' journal --today --interactive"
+assert_exit "stack --interactive rejected" 1 \
+  sh -c "cd '$PROJ' && '$REPO/bin/render-artifact.sh' stack default --interactive"
+
+# ─── Cell 23j: --interactive on schema-warning plan does not crash (PR 4 pass 1) ─
+printf "\n  ${DIM}Cell 23j: --interactive on schema-warning plan (PR 4 pass 1)${NC}\n"
+PROJ="$TMP_ROOT/cell23j"
+setup_project "$PROJ"
+export NANOSTACK_STORE="$PROJ/.nanostack"
+mkdir -p "$NANOSTACK_STORE/plan"
+# Plan with non-string risks (objects) and numeric planned_files.
+# Schema validation will fail but the renderer must still produce HTML.
+cat > "$NANOSTACK_STORE/plan/$(date -u +%Y%m%d)-120000.json" <<JSON
+{
+  "phase": "plan",
+  "project": "$PROJ",
+  "summary": {
+    "goal": 42,
+    "planned_files": [123, 456],
+    "plan_approval": "manual",
+    "risks": [{"complicated":true}]
+  },
+  "context_checkpoint": {"summary": null}
+}
+JSON
+HTML=$(cd "$PROJ" && "$REPO/bin/render-artifact.sh" plan --latest --interactive 2>/dev/null || true)
+[ -n "$HTML" ] && assert_true "schema-warning plan with --interactive renders" test -f "$HTML"
+
+# ─── Cell 23k: --interactive on schema-warning review does not crash (PR 4 pass 1) ─
+printf "\n  ${DIM}Cell 23k: --interactive on schema-warning review (PR 4 pass 1)${NC}\n"
+PROJ="$TMP_ROOT/cell23k"
+setup_project "$PROJ"
+export NANOSTACK_STORE="$PROJ/.nanostack"
+mkdir -p "$NANOSTACK_STORE/review"
+cat > "$NANOSTACK_STORE/review/$(date -u +%Y%m%d)-120000.json" <<JSON
+{
+  "phase": "review",
+  "project": "$PROJ",
+  "summary": {"blocking":"one","should_fix":2,"nitpicks":3,"positive":0},
+  "scope_drift": {"status": 42},
+  "findings": [{"id":"X","severity":"blocking","description":{"nested":"object"}}],
+  "context_checkpoint": {}
+}
+JSON
+HTML=$(cd "$PROJ" && "$REPO/bin/render-artifact.sh" review --latest --interactive 2>/dev/null || true)
+[ -n "$HTML" ] && assert_true "schema-warning review with --interactive renders" test -f "$HTML"
+
 # ─── Cell 9a: --out works on fresh store (PR 1 pass 1 regression) ─
 printf "\n  ${DIM}Cell 9a: --out on fresh store (PR 1 pass 1 regression)${NC}\n"
 PROJ="$TMP_ROOT/cell9a"

From afaae365283cd82647667adf0027c3a6c9893e43 Mon Sep 17 00:00:00 2001
From: gus <gustavoraularagon@gmail.com>
Date: Mon, 11 May 2026 19:03:36 -0300
Subject: [PATCH 3/4] visual-artifacts: assert schema-warning interactive
 renders unconditionally

Codex PR 4 pass 2 (P3). Cells 23j and 23k used `|| true` plus a
conditional `[ -n "$HTML" ] && assert_true ...`, which silently
passed when the renderer aborted with exit non-zero and printed no
path. Exactly the regression the cells describe (--interactive
crashing on schema-warning artifacts) would not have been caught.

Switch to an unconditional structure: capture exit code with
`set +e` / `set -e` boundaries, assert exit 0, assert path
non-empty, assert file exists.

Test count: 312 -> 316 (cells 23j and 23k each gain two checks).
---
 ci/e2e-visual-artifacts.sh | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/ci/e2e-visual-artifacts.sh b/ci/e2e-visual-artifacts.sh
index b1ae482..e84d683 100755
--- a/ci/e2e-visual-artifacts.sh
+++ b/ci/e2e-visual-artifacts.sh
@@ -1572,8 +1572,16 @@ cat > "$NANOSTACK_STORE/plan/$(date -u +%Y%m%d)-120000.json" <<JSON
   "context_checkpoint": {"summary": null}
 }
 JSON
-HTML=$(cd "$PROJ" && "$REPO/bin/render-artifact.sh" plan --latest --interactive 2>/dev/null || true)
-[ -n "$HTML" ] && assert_true "schema-warning plan with --interactive renders" test -f "$HTML"
+# Render must succeed (exit 0). Without unconditional assertion the
+# `|| true` mask would have made the cell silently pass on regressions
+# (codex PR 4 pass 2).
+set +e
+HTML=$(cd "$PROJ" && "$REPO/bin/render-artifact.sh" plan --latest --interactive 2>&1)
+RC=$?
+set -e
+assert_exit "schema-warning plan with --interactive exits 0" 0 test "$RC" = 0
+assert_true "schema-warning plan html path is non-empty" sh -c "[ -n '$HTML' ]"
+assert_true "schema-warning plan html file exists" test -f "$HTML"
 
 # ─── Cell 23k: --interactive on schema-warning review does not crash (PR 4 pass 1) ─
 printf "\n  ${DIM}Cell 23k: --interactive on schema-warning review (PR 4 pass 1)${NC}\n"
@@ -1591,8 +1599,14 @@ cat > "$NANOSTACK_STORE/review/$(date -u +%Y%m%d)-120000.json" <<JSON
   "context_checkpoint": {}
 }
 JSON
-HTML=$(cd "$PROJ" && "$REPO/bin/render-artifact.sh" review --latest --interactive 2>/dev/null || true)
-[ -n "$HTML" ] && assert_true "schema-warning review with --interactive renders" test -f "$HTML"
+# Same unconditional assertion as cell 23j.
+set +e
+HTML=$(cd "$PROJ" && "$REPO/bin/render-artifact.sh" review --latest --interactive 2>&1)
+RC=$?
+set -e
+assert_exit "schema-warning review with --interactive exits 0" 0 test "$RC" = 0
+assert_true "schema-warning review html path is non-empty" sh -c "[ -n '$HTML' ]"
+assert_true "schema-warning review html file exists" test -f "$HTML"
 
 # ─── Cell 9a: --out works on fresh store (PR 1 pass 1 regression) ─
 printf "\n  ${DIM}Cell 9a: --out on fresh store (PR 1 pass 1 regression)${NC}\n"

From ecd8d3b99e28df81024fe1c1fc442f7a88e9e0cd Mon Sep 17 00:00:00 2001
From: gus <gustavoraularagon@gmail.com>
Date: Mon, 11 May 2026 19:12:58 -0300
Subject: [PATCH 4/4] visual-artifacts: escape every < in script-embedded
 payloads

Codex PR 4 pass 3 finding (P2). The previous `</` -> `<\/` escape
only neutralized the literal closing-tag sequence. A payload
containing `<!--<script>` could still drive the HTML parser into
the "script data double escaped" state, which then eats the
renderer's legitimate closing `</script>` and breaks the
interactive controls (or worse, executes injected JavaScript that
happens to follow).

Switch _js_safe_for_script to encode EVERY `<` as `<`.
JSON.parse reads `<` as the literal `<` so the clipboard
content the user pastes is unchanged. The HTML parser never sees
a `<` inside the script body and stays in the standard "script
data" state until the real closing tag.

Cell 23l: a plan with `<!--<script>alert(1)</script>` as the goal
must produce HTML where the inline script body contains NO raw
`<!--`, `<script`, `</script`, or `<!CDATA` sequence. The encoded
`u003c` marker must appear somewhere in the output (proves the
escape ran). Cell 23h updated to assert the new encoded form.

Test count: 316 -> 321 (5 new assertions in 23l).
---
 bin/render-artifact.sh     | 22 +++++++++++--------
 ci/e2e-visual-artifacts.sh | 44 ++++++++++++++++++++++++++++++++++++--
 2 files changed, 55 insertions(+), 11 deletions(-)

diff --git a/bin/render-artifact.sh b/bin/render-artifact.sh
index 00c8809..457a32a 100755
--- a/bin/render-artifact.sh
+++ b/bin/render-artifact.sh
@@ -1013,16 +1013,20 @@ render_copy_actions() {
   fi
 
   # Encode each payload as a JSON string literal so the inline JS
-  # can read it via JSON.parse. nano_json_string emits the full
-  # quoted form including the outer ". Critically: when embedding a
-  # JSON string INSIDE <script>...</script>, any `</` must be
-  # escaped to `<\/` because the HTML parser closes the script tag
-  # at the first literal `</script>` regardless of JS context. Any
-  # following content executes as a new <script> block. JSON.parse
-  # accepts the `<\/` form transparently, so this only hardens the
-  # surrounding HTML parser without changing the runtime payload.
+  # can read it via JSON.parse. Critically: when embedding a JSON
+  # string INSIDE <script>...</script>, several HTML parser states
+  # can swallow or re-interpret the script body. Codex PR 4 pass 3
+  # caught that escaping only `</` left the `<!--<script>` sequence
+  # able to put the parser into the "script data double escaped"
+  # state, which then eats the legitimate closing `</script>`.
+  #
+  # The fix: escape EVERY `<` as `<` in the script-embedded
+  # payload. JSON.parse reads `<` as the literal `<`, so the
+  # clipboard content the user pastes is unchanged. The HTML parser
+  # never sees a `<` inside the script body and stays in the
+  # standard "script data" state until the real closing tag.
   _js_safe_for_script() {
-    sed 's|</|<\\/|g'
+    sed 's|<|\\u003c|g'
   }
   local p_js m_js j_js
   p_js=$(printf '%s' "$prompt_payload" | nano_json_string | _js_safe_for_script)
diff --git a/ci/e2e-visual-artifacts.sh b/ci/e2e-visual-artifacts.sh
index e84d683..8dc0412 100755
--- a/ci/e2e-visual-artifacts.sh
+++ b/ci/e2e-visual-artifacts.sh
@@ -1523,8 +1523,9 @@ HTML=$(cd "$PROJ" && "$REPO/bin/render-artifact.sh" plan --latest --interactive)
 # The malicious sequence must NOT appear as literal `</script><script>` anywhere.
 LIT_COUNT=$(grep -o '</script><script>' "$HTML" | wc -l | tr -d ' ')
 assert_true "no raw </script><script> sequence in interactive output" sh -c "[ '$LIT_COUNT' = '0' ]"
-# The escaped form should appear (proves we transformed it).
-assert_contains "escaped <\\/script> form present" "$HTML" '<\/script>'
+# PR 4 pass 3 switched the escape from `<\/` to `<`. Confirm
+# the u003c form appears (transformation happened).
+assert_contains "encoded u003c form present in output" "$HTML" "u003c"
 # Manual copy <pre> is HTML-escaped.
 assert_contains "manual-copy <pre> shows escaped tag" "$HTML" '&lt;/script&gt;'
 
@@ -1608,6 +1609,45 @@ assert_exit "schema-warning review with --interactive exits 0" 0 test "$RC" = 0
 assert_true "schema-warning review html path is non-empty" sh -c "[ -n '$HTML' ]"
 assert_true "schema-warning review html file exists" test -f "$HTML"
 
+# ─── Cell 23l: <!--<script> in payload neutralized (PR 4 pass 3) ─
+printf "\n  ${DIM}Cell 23l: <!--<script> XSS containment (PR 4 pass 3)${NC}\n"
+PROJ="$TMP_ROOT/cell23l"
+setup_project "$PROJ"
+export NANOSTACK_STORE="$PROJ/.nanostack"
+mkdir -p "$NANOSTACK_STORE"
+(cd "$PROJ" && NANOSTACK_STORE="$NANOSTACK_STORE" "$REPO/bin/save-artifact.sh" plan '{
+  "phase":"plan",
+  "summary":{"goal":"<!--<script>alert(1)</script>","scope":"s","planned_files":[],"plan_approval":"manual"},
+  "context_checkpoint":{"summary":"x","key_files":[],"decisions_made":[],"open_questions":[]}
+}' >/dev/null)
+HTML=$(cd "$PROJ" && "$REPO/bin/render-artifact.sh" plan --latest --interactive)
+# Extract the inline <script>...</script> block. Match the FIRST
+# `<script>` (the renderer's own block) and the FIRST closing tag
+# after it.
+SCRIPT_BODY=$(awk '
+  /^[[:space:]]*<script>/ { in_script=1; next }
+  /^[[:space:]]*<\/script>/ { in_script=0 }
+  in_script { print }
+' "$HTML")
+# Forbidden raw HTML sequences inside the inline JS body.
+for needle in '<!--' '<script' '</script' '<!CDATA'; do
+  if printf '%s' "$SCRIPT_BODY" | grep -qF "$needle"; then
+    FAIL=$((FAIL+1))
+    printf "    ${RED}FAIL${NC}  script body contains literal %s (HTML parser hazard)\n" "$needle"
+  else
+    PASS=$((PASS+1))
+    printf "    ${GREEN}OK${NC}    script body has no literal %s\n" "$needle"
+  fi
+done
+# Encoded form should appear in the file (visible escape sequence).
+if grep -qF 'u003c' "$HTML"; then
+  PASS=$((PASS+1))
+  printf "    ${GREEN}OK${NC}    encoded u003c form present\n"
+else
+  FAIL=$((FAIL+1))
+  printf "    ${RED}FAIL${NC}  encoded u003c form missing\n"
+fi
+
 # ─── Cell 9a: --out works on fresh store (PR 1 pass 1 regression) ─
 printf "\n  ${DIM}Cell 9a: --out on fresh store (PR 1 pass 1 regression)${NC}\n"
 PROJ="$TMP_ROOT/cell9a"