Resolve merge conflicts across PRs #32, #35, #36, #37, #38 via targeted patch application

[Copilot]

Five open PRs from a fork diverged ~169 commits behind HarnessLab's main, making direct merge impossible. Changes were cherry-picked or manually ported, adapting for files that exist only in the fork (agent_state_machine.py, state_machine_operators.py, tui.py).

Changes by PR

PR #36 — Setup version override

run_setup() now accepts an optional current_version parameter, enabling test overrides without live version detection.

PR #35 — Delegate action key fix

_execute_delegate_agent metadata now emits 'action': 'delegate_agent' (was 'action': 'Agent').

PR #37 — Web-fetch binary refusal (src/agent_tools.py)

_web_fetch() inspects Content-Type and response bytes; refuses with a clear error rather than returning binary garbage to the model.

PR #38 — Reasoning-pattern guards (src/agent_tools.py)

Four guards targeting the tweak-and-rerun failure mode observed in the Latti S127 transcript:

• Edit-loop guard — _track_write_and_check_loop: hard-refuses after 5 writes/edits to the same resolved path per context lifetime
• Self-authored tagging — _read_file prepends [self-authored: ...] header when reading a file the agent wrote earlier in the session
• Bash self-authored banner — _bash_self_authored_banner: prepends the same skepticism header to stdout when the command references a self-authored file
• Markdown churn guard — _track_churn_and_check: refuses after 4 summary/findings-shaped .md writes (keyed off filename patterns; README/CHANGELOG/docs/ allowlisted)

ToolExecutionContext gains edit_history: dict[str, int] and self_authored_paths: set[str] fields (mutable containers inside a frozen=True dataclass — intentional).

PR #32 — Secret redaction at tool ingestion (src/agent_session.py, src/agent_tools.py)

redact_secrets() and _SECRET_PATTERNS (8 token families: Anthropic/OpenAI, Stripe, GitHub, AWS, Slack, Google API, JWT, PEM) inlined directly into agent_session.py since agent_state_machine.py doesn't exist in this repo. Called at all four ingestion points so a Read of a .env file doesn't poison message history:

def append_tool(self, name, tool_call_id, content):
    content = redact_secrets(content)   # ← new
    ...

def append_tool_delta(self, index, delta, ...):
    new_content = redact_secrets(message.content + delta)  # ← reassembled before redact

def finalize_tool(self, index, *, content, ...):
    content = redact_secrets(content)   # ← new

def update_message(self, index, *, content=None, ...):
    if content is not None and message.role == 'tool':
        content = redact_secrets(content)  # ← scoped to tool role only

_read_file, _edit_file, and _grep_search in agent_tools.py gain a pre-emptive _refuse_if_secret_bearing() check against known secret-file path patterns (.env, id_rsa, .aws/credentials, *.pem, etc.), resolving symlinks before matching.

Test files added

• tests/test_web_fetch_binary_refusal.py
• tests/test_edit_loop_and_self_authored.py
• tests/test_churn_and_bash_banner.py
• tests/test_secret_redaction_on_tool_ingestion.py
• tests/test_agent_tools_secret_path_guard.py

Tests from the fork that depended exclusively on agent_state_machine.State/Action/violates_constitutional_wall or state_machine_operators.ReadFileOperator were omitted as those abstractions don't exist here.