fix: worker safety + multi-task goals + deployment rules

Fix 1  Worker path safety (local-worker.ts):
  - Block dangerous commands: pkill, killall, kill -9, rm -rf, systemctl
  - Block writes to /opt/automaton/src|dist|apps|packages|node_modules/
  - Block overwrites of package.json, tsconfig.json, pnpm-lock.yaml
  - Worker system prompt now requires ~/services/<name>/ deployment
  - Prevents worker suicide (pkill -f index.js killed ciberpadre)

Fix 2  Multi-task goal guidance (system-prompt.ts):
  - Goals must be HIGH-LEVEL (Generate revenue via AI microservice)
  - NOT task-level (Launch paid x402 text cleanup API)
  - Good goals decompose into 3-7 tasks

Fix 3  Planner deployment rules (planner.ts):
  - Minimum 2 tasks per plan (rejects single-task plans)
  - Service deployment requires: implement, start, test, expose
  - All services deploy under ~/services/<name>/

Author: ciberfobia-com

src/agent/system-prompt.ts

@@ -385,6 +385,16 @@ YOUR ORCHESTRATION TOOLS:
 - fund_child: Transfer credits to a child agent.
 - check_child_status: Health-check a specific child agent.
 
+GOAL CREATION RULES (READ CAREFULLY):
+- Goals must be HIGH-LEVEL objectives, NOT single tasks.
+  GOOD: "Generate revenue via paid AI microservice" (planner decomposes into 4-7 tasks)
+  BAD: "Launch paid x402 text cleanup API" (too specific — becomes 1 task, waste of orchestrator)
+- A well-formed goal produces 3-7 tasks: research → implement → deploy → test → expose
+- If you can describe the entire goal as one command or one file, it's a TASK, not a goal.
+  In that case, do it yourself with exec/write_file.
+- Include success criteria in the description, not implementation details.
+- DEPLOYMENT TOPOLOGY: all services deploy under ~/services/<name>/ — NEVER in /opt/automaton/.
+
 DECISION TREE (follow on EVERY turn):
 
 1. CHECK YOUR EXECUTION PHASE by calling orchestrator_status (or reading the

src/orchestration/local-worker.ts

@@ -411,7 +411,17 @@ RULES:
 - If you cannot complete the task, explain why in your final message.
 - Do NOT call tools after you are done. Just give your final text response.
 - Be efficient. Minimize unnecessary tool calls.
-- You have a limited number of turns. Do not waste them.`;
+- You have a limited number of turns. Do not waste them.
+
+DEPLOYMENT RULES (MANDATORY):
+- Deploy ALL service files under ~/services/<service-name>/
+- Each service gets its own subdirectory with its own package.json
+- NEVER write files in /opt/automaton/ — that is the runtime source code
+- NEVER overwrite package.json, tsconfig.json, pnpm-lock.yaml at the project root
+- NEVER run pkill, killall, or kill -9 on broad patterns (e.g. pkill -f index.js)
+- To restart YOUR service, use: cd ~/services/<name> && node index.js &
+- Include a health check endpoint (GET /health) in every service
+- After starting a service, verify it with curl http://localhost:<port>/health`;
   }
 
   private buildTaskPrompt(task: TaskNode): string {
@@ -449,6 +459,23 @@ RULES:
           const command = args.command as string;
           const timeoutMs = typeof args.timeout_ms === "number" ? args.timeout_ms : 30_000;
 
+          // Block dangerous commands that could kill the parent process or damage the system
+          const dangerousPatterns = [
+            /pkill\s+(-f\s+)?.*index\.js/i,
+            /pkill\s+(-f\s+)?.*dist/i,
+            /pkill\s+(-f\s+)?.*node/i,
+            /killall\s+node/i,
+            /kill\s+-9\s+/,
+            /rm\s+-rf\s+\/(?!root\/services)/,
+            /systemctl\s+(stop|restart|disable)\s+ciberpadre/i,
+            /pm2\s+(stop|delete|kill)/i,
+          ];
+          for (const pattern of dangerousPatterns) {
+            if (pattern.test(command)) {
+              return `BLOCKED: Command rejected — dangerous pattern detected. Do not kill parent processes or remove system directories. Use 'cd ~/services/<name> && node index.js &' to start your service.`;
+            }
+          }
+
           // Try Conway API first, fall back to local shell
           try {
             const result = await this.config.conway.exec(command, timeoutMs);
@@ -482,6 +509,29 @@ RULES:
           const filePath = args.path as string;
           const content = args.content as string;
 
+          // Block writes to automaton source directories
+          const resolvedPath = filePath.startsWith("/") ? filePath : `${process.cwd()}/${filePath}`;
+          const protectedPrefixes = [
+            "/opt/automaton/src/",
+            "/opt/automaton/dist/",
+            "/opt/automaton/apps/",
+            "/opt/automaton/packages/",
+            "/opt/automaton/node_modules/",
+          ];
+          const protectedFiles = [
+            "package.json", "tsconfig.json", "pnpm-lock.yaml",
+            "pnpm-workspace.yaml", "vitest.config.ts", ".gitignore",
+          ];
+          for (const prefix of protectedPrefixes) {
+            if (resolvedPath.startsWith(prefix)) {
+              return `BLOCKED: Cannot write to ${prefix} — this is the automaton runtime source code. Deploy services under ~/services/<name>/ instead.`;
+            }
+          }
+          const basename = filePath.split("/").pop() ?? "";
+          if (protectedFiles.includes(basename) && (resolvedPath.startsWith("/opt/automaton/") || !filePath.includes("/"))) {
+            return `BLOCKED: Cannot overwrite ${basename} — this is a protected project file. Create your own package.json under ~/services/<name>/ instead.`;
+          }
+
           try {
             await this.config.conway.writeFile(filePath, content);
             return `Wrote ${content.length} bytes to ${filePath}`;

src/orchestration/planner.ts

@@ -245,6 +245,16 @@ You CANNOT:
 12. No task should take more than 4 hours - split longer tasks
 13. Include at least one checkpoint task per 5 execution tasks
 14. Parallelizable tasks should have no mutual dependencies
+15. MINIMUM 2 tasks per plan. If you cannot decompose a goal into at least
+    2 tasks, the goal is too specific — plan it as research+implementation
+    or implementation+validation at minimum.
+16. Every service deployment plan MUST include these separate tasks:
+    a) Create service directory under ~/services/<name>/ and implement code
+    b) Install dependencies and start the service
+    c) Test endpoints (health check, functional test, payment flow)
+    d) Expose via reverse proxy if available (Caddy/nginx)
+17. Workers must NEVER write files in /opt/automaton/ — that is runtime source.
+    All service code goes under ~/services/<name>/.
 </decomposition_rules>
 
 <custom_roles>
@@ -397,6 +407,12 @@ export function validatePlannerOutput(output: unknown): PlannerOutput {
   );
 
   const tasksValue = requiredArray(record.tasks, "tasks");
+  if (tasksValue.length < 2) {
+    throw new Error(
+      "Plan must have at least 2 tasks. A single-task plan means the goal is under-decomposed. " +
+      "Split into at least: implementation + validation.",
+    );
+  }
   const tasks = tasksValue.map((entry, index) =>
     validatePlannedTask(entry, `tasks[${index}]`),
   );