From 083292d528baeaf3746e3b9c4ea8ab92a512b684 Mon Sep 17 00:00:00 2001
From: Peyton Montei <peyton@entire.io>
Date: Thu, 14 May 2026 18:23:53 -0400
Subject: [PATCH 01/11] feat(redact): add OpenAI Privacy Filter as opt-in 8th
 layer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds OPF as an opt-in 8th region producer in the redaction pipeline.
Two public entry points (StringWithPrivacyFilter,
JSONLContentWithPrivacyFilter) gate the OPF call; the four plain entry
points (String, Bytes, JSONLBytes, JSONLContent) are unchanged so
per-turn temp writes never invoke OPF.

Single inference pass per scope via \x1e-joined batching — opf otherwise
runs a fresh inference pass per newline-delimited input, defeating the
batch. Process-scoped atomic circuit breaker disables OPF after the
first runtime failure so a broken opf install costs one warning instead
of N×30s timeouts.

Settings layer (redaction.openai_privacy_filter) accepts enabled +
categories + command + timeout_seconds. The on_failure field is
intentionally absent: warn-only is the only mode the runtime supports
today, and DisallowUnknownFields rejects users who try to opt into a
fail-closed mode that doesn't exist. Category names are validated
against the canonical map at parse time — silent zero-detection of a
privacy category is effectively a correctness bug.

Shell-out runtime, progress UX, and label mapping are all inlined in
redact/opf.go (no separate subpackage, no separate progress writer).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 cmd/entire/cli/settings/settings.go      |  92 +++++
 cmd/entire/cli/settings/settings_test.go | 112 ++++++
 redact/opf.go                            | 436 ++++++++++++++++++++
 redact/opf_test.go                       | 481 +++++++++++++++++++++++
 redact/redact.go                         | 163 +++++++-
 redact/redact_test.go                    |   8 +-
 6 files changed, 1280 insertions(+), 12 deletions(-)
 create mode 100644 redact/opf.go
 create mode 100644 redact/opf_test.go

diff --git a/cmd/entire/cli/settings/settings.go b/cmd/entire/cli/settings/settings.go
index cd1513df11..11ffd3de0c 100644
--- a/cmd/entire/cli/settings/settings.go
+++ b/cmd/entire/cli/settings/settings.go
@@ -20,6 +20,7 @@ import (
 	"github.com/entireio/cli/cmd/entire/cli/logging"
 	"github.com/entireio/cli/cmd/entire/cli/paths"
 	"github.com/entireio/cli/cmd/entire/cli/session"
+	"github.com/entireio/cli/redact"
 )
 
 const (
@@ -190,6 +191,10 @@ type RedactionSettings struct {
 	// "[REDACTED_<LABEL>]" token used by PII. Failed regex compilations are
 	// logged via slog.Warn and the rule is skipped.
 	CustomRedactions map[string]string `json:"custom_redactions,omitempty"`
+
+	// OpenAIPrivacyFilter is the optional 8th redaction layer (opt-in).
+	// See docs/security-and-privacy.md.
+	OpenAIPrivacyFilter *OPFSettings `json:"openai_privacy_filter,omitempty"`
 }
 
 // PIISettings configures PII detection categories.
@@ -202,6 +207,21 @@ type PIISettings struct {
 	CustomPatterns map[string]string `json:"custom_patterns,omitempty"`
 }
 
+// OPFSettings configures the optional OpenAI Privacy Filter detection layer.
+// Disabled by default. Runs only at condensation/export boundaries — see
+// docs/security-and-privacy.md.
+//
+// There is intentionally no "on_failure" field: warn-only is the only mode
+// the runtime currently supports, and DisallowUnknownFields will reject any
+// future user who tries to set it. Adding the field again should land in
+// lockstep with the runtime enforcement.
+type OPFSettings struct {
+	Enabled        bool            `json:"enabled,omitempty"`
+	Categories     map[string]bool `json:"categories,omitempty"`
+	Command        string          `json:"command,omitempty"`
+	TimeoutSeconds int             `json:"timeout_seconds,omitempty"`
+}
+
 // GetCommitLinking returns the effective commit linking mode.
 // Returns the explicit value if set, otherwise defaults to "prompt"
 // to preserve existing user behavior.
@@ -448,6 +468,11 @@ func LoadFromBytes(data []byte) (*EntireSettings, error) {
 	if err := dec.Decode(s); err != nil {
 		return nil, fmt.Errorf("parsing settings: %w", err)
 	}
+	if s.Redaction != nil {
+		if err := validateOPFSettings(s.Redaction.OpenAIPrivacyFilter); err != nil {
+			return nil, err
+		}
+	}
 	return s, nil
 }
 
@@ -481,6 +506,12 @@ func loadFromFile(filePath string) (*EntireSettings, error) {
 	// legitimately contain only a model (provider comes from another file).
 	// Validation happens after merge in Load().
 
+	if settings.Redaction != nil {
+		if err := validateOPFSettings(settings.Redaction.OpenAIPrivacyFilter); err != nil {
+			return nil, err
+		}
+	}
+
 	return settings, nil
 }
 
@@ -792,9 +823,70 @@ func mergeRedaction(dst *RedactionSettings, data json.RawMessage) error {
 			}
 		}
 	}
+	if opfRaw, ok := raw["openai_privacy_filter"]; ok {
+		if dst.OpenAIPrivacyFilter == nil {
+			dst.OpenAIPrivacyFilter = &OPFSettings{}
+		}
+		if err := mergeOPFSettings(dst.OpenAIPrivacyFilter, opfRaw); err != nil {
+			return err
+		}
+	}
 	return nil
 }
 
+// validateOPFSettings rejects unknown category names so typos surface at
+// parse time. Silent zero-detection of a privacy category is effectively
+// a correctness bug — the user thinks they're protected but they're not.
+func validateOPFSettings(opf *OPFSettings) error {
+	if opf == nil {
+		return nil
+	}
+	for name := range opf.Categories {
+		if !redact.IsKnownOPFCategory(name) {
+			return fmt.Errorf("openai_privacy_filter.categories has unknown key %q (see docs/security-and-privacy.md for the supported set)", name)
+		}
+	}
+	return nil
+}
+
+// mergeOPFSettings merges OPF overrides into existing OPFSettings. Only
+// fields present in the override JSON are applied; missing fields preserve
+// the base value.
+func mergeOPFSettings(dst *OPFSettings, data json.RawMessage) error {
+	var raw map[string]json.RawMessage
+	if err := json.Unmarshal(data, &raw); err != nil {
+		return fmt.Errorf("parsing openai_privacy_filter: %w", err)
+	}
+	if v, ok := raw["enabled"]; ok {
+		if err := json.Unmarshal(v, &dst.Enabled); err != nil {
+			return fmt.Errorf("parsing openai_privacy_filter.enabled: %w", err)
+		}
+	}
+	if v, ok := raw["categories"]; ok {
+		var cats map[string]bool
+		if err := json.Unmarshal(v, &cats); err != nil {
+			return fmt.Errorf("parsing openai_privacy_filter.categories: %w", err)
+		}
+		if dst.Categories == nil {
+			dst.Categories = make(map[string]bool, len(cats))
+		}
+		for k, b := range cats {
+			dst.Categories[k] = b
+		}
+	}
+	if v, ok := raw["command"]; ok {
+		if err := json.Unmarshal(v, &dst.Command); err != nil {
+			return fmt.Errorf("parsing openai_privacy_filter.command: %w", err)
+		}
+	}
+	if v, ok := raw["timeout_seconds"]; ok {
+		if err := json.Unmarshal(v, &dst.TimeoutSeconds); err != nil {
+			return fmt.Errorf("parsing openai_privacy_filter.timeout_seconds: %w", err)
+		}
+	}
+	return validateOPFSettings(dst)
+}
+
 // mergePIISettings merges PII overrides into existing PIISettings.
 // Only fields present in the override JSON are applied; missing fields
 // are preserved from the base settings.
diff --git a/cmd/entire/cli/settings/settings_test.go b/cmd/entire/cli/settings/settings_test.go
index 27e7b22b90..df25c70192 100644
--- a/cmd/entire/cli/settings/settings_test.go
+++ b/cmd/entire/cli/settings/settings_test.go
@@ -1051,6 +1051,118 @@ func TestLoadFromBytes_CustomRedactions(t *testing.T) {
 	}
 }
 
+func TestLoadFromBytes_OPFSettings_RoundTrip(t *testing.T) {
+	t.Parallel()
+
+	data := []byte(`{
+  "redaction": {
+    "openai_privacy_filter": {
+      "enabled": true,
+      "categories": {"private_person": true, "secret": false},
+      "command": "/usr/local/bin/opf",
+      "timeout_seconds": 45
+    }
+  }
+}`)
+	got, err := LoadFromBytes(data)
+	if err != nil {
+		t.Fatalf("LoadFromBytes: %v", err)
+	}
+	opf := got.Redaction.OpenAIPrivacyFilter
+	if opf == nil {
+		t.Fatal("OpenAIPrivacyFilter is nil")
+	}
+	if !opf.Enabled {
+		t.Error("Enabled: want true")
+	}
+	if !opf.Categories["private_person"] {
+		t.Error("Categories[private_person]: want true")
+	}
+	if opf.Categories["secret"] {
+		t.Error("Categories[secret]: want false")
+	}
+	if opf.Command != "/usr/local/bin/opf" {
+		t.Errorf("Command: want /usr/local/bin/opf, got %q", opf.Command)
+	}
+	if opf.TimeoutSeconds != 45 {
+		t.Errorf("TimeoutSeconds: want 45, got %d", opf.TimeoutSeconds)
+	}
+}
+
+// TestLoadFromBytes_OPFSettings_RejectsUnknownCategory pins down that
+// category-name typos fail at parse time. Silent zero-detection of a
+// privacy category is effectively a correctness bug — the user thinks
+// they're protected but they're not. Runs on both load paths.
+func TestLoadFromBytes_OPFSettings_RejectsUnknownCategory(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name    string
+		key     string
+		wantErr bool
+	}{
+		{"known_person", "private_person", false},
+		{"known_email", "private_email", false},
+		{"known_secret", "secret", false},
+		{"typo_peerson", "private_peerson", true},
+		{"unknown", "social_security_number", true},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			body := `{"redaction":{"openai_privacy_filter":{"categories":{"` + tc.key + `":true}}}}`
+			_, err := LoadFromBytes([]byte(body))
+			if tc.wantErr && err == nil {
+				t.Errorf("LoadFromBytes(%q): want error, got nil", tc.key)
+			}
+			if !tc.wantErr && err != nil {
+				t.Errorf("LoadFromBytes(%q): want nil, got %v", tc.key, err)
+			}
+		})
+	}
+}
+
+// TestLoadFromBytes_OPFSettings_RejectsOnFailureField pins down that the
+// dropped on_failure field is rejected by DisallowUnknownFields — there is
+// no warn-only fallback masquerading as fail-closed.
+func TestLoadFromBytes_OPFSettings_RejectsOnFailureField(t *testing.T) {
+	t.Parallel()
+	body := []byte(`{"redaction":{"openai_privacy_filter":{"enabled":true,"on_failure":"block"}}}`)
+	if _, err := LoadFromBytes(body); err == nil {
+		t.Error("LoadFromBytes with on_failure: want error from DisallowUnknownFields, got nil")
+	}
+}
+
+// TestLoadFromBytes_OPFSettings_Merge verifies override semantics for the
+// merge path (settings.local.json on top of settings.json): present fields
+// override, omitted fields preserve, categories merge per-key.
+func TestLoadFromBytes_OPFSettings_Merge(t *testing.T) {
+	t.Parallel()
+	base := []byte(`{"redaction":{"openai_privacy_filter":{"enabled":true,"categories":{"private_person":true,"secret":false}}}}`)
+	override := []byte(`{"redaction":{"openai_privacy_filter":{"categories":{"secret":true},"command":"/opt/opf"}}}`)
+
+	s, err := LoadFromBytes(base)
+	if err != nil {
+		t.Fatalf("base load: %v", err)
+	}
+	if err := mergeJSON(s, override); err != nil {
+		t.Fatalf("merge: %v", err)
+	}
+	opf := s.Redaction.OpenAIPrivacyFilter
+	if !opf.Enabled {
+		t.Error("Enabled: want preserved=true")
+	}
+	if !opf.Categories["private_person"] {
+		t.Error("Categories[private_person]: want preserved=true")
+	}
+	if !opf.Categories["secret"] {
+		t.Error("Categories[secret]: want override=true")
+	}
+	if opf.Command != "/opt/opf" {
+		t.Errorf("Command: want override /opt/opf, got %q", opf.Command)
+	}
+}
+
 func TestEntireSettings_ReviewRoundTrip(t *testing.T) {
 	t.Parallel()
 	raw := []byte(`{
diff --git a/redact/opf.go b/redact/opf.go
new file mode 100644
index 0000000000..c1a4db09d8
--- /dev/null
+++ b/redact/opf.go
@@ -0,0 +1,436 @@
+package redact
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"log/slog"
+	"os"
+	"os/exec"
+	"sort"
+	"strings"
+	"sync"
+	"sync/atomic"
+	"time"
+	"unicode/utf8"
+)
+
+// OPFConfig configures the optional OpenAI Privacy Filter detection layer.
+// Defaults are applied by ConfigurePrivacyFilter; callers should pass values
+// straight from settings without local normalization.
+type OPFConfig struct {
+	Enabled    bool
+	Categories map[string]bool
+	Command    string // path or name of the opf binary; "" defaults to "opf"
+	Timeout    int    // seconds; 0 defaults to 30
+
+	// runtime is private and constructed by ConfigurePrivacyFilter.
+	// Tests inject a fake via ConfigurePrivacyFilterWithRuntime.
+	runtime opfRuntime
+}
+
+var (
+	opfConfig   *OPFConfig
+	opfConfigMu sync.RWMutex
+
+	// opfBreakerTripped, once set, disables OPF for the rest of this process.
+	// The first detectOPF failure trips it via handleOPFFailure; subsequent
+	// detectOPF calls short-circuit before shelling out. Without this, a
+	// broken OPF install (binary missing, persistently timing out, etc.)
+	// makes every redaction call pay the full timeout — turning one
+	// condensation into N × 30s waits instead of a single warning plus
+	// graceful fallback. Process-scoped so a fresh CLI invocation re-attempts.
+	opfBreakerTripped atomic.Bool
+)
+
+// ConfigurePrivacyFilter sets the global OPF configuration and constructs
+// the default shell-out runtime. Call once at process startup after loading
+// settings. Thread-safe. Subsequent calls replace the previous configuration
+// and reset the circuit breaker (a new config might fix what broke the prior
+// one).
+func ConfigurePrivacyFilter(cfg OPFConfig) {
+	cfgCopy := cfg
+	if cfgCopy.Timeout <= 0 {
+		cfgCopy.Timeout = 30
+	}
+	if cfgCopy.Command == "" {
+		cfgCopy.Command = "opf"
+	}
+	cfgCopy.runtime = newShellOut(cfgCopy.Command, cfgCopy.Timeout)
+	opfConfigMu.Lock()
+	opfConfig = &cfgCopy
+	opfConfigMu.Unlock()
+	opfBreakerTripped.Store(false)
+}
+
+// ConfigurePrivacyFilterWithRuntime is the test-only variant that takes an
+// explicit runtime instead of constructing one.
+func ConfigurePrivacyFilterWithRuntime(cfg OPFConfig, rt opfRuntime) {
+	cfgCopy := cfg
+	if cfgCopy.Timeout <= 0 {
+		cfgCopy.Timeout = 30
+	}
+	cfgCopy.runtime = rt
+	opfConfigMu.Lock()
+	opfConfig = &cfgCopy
+	opfConfigMu.Unlock()
+	opfBreakerTripped.Store(false)
+}
+
+func getOPFConfig() *OPFConfig {
+	opfConfigMu.RLock()
+	defer opfConfigMu.RUnlock()
+	return opfConfig
+}
+
+// GetOPFConfigForTest returns the current OPF configuration, or nil if
+// never configured. The "ForTest" suffix signals test-only intent — callers
+// must be limited to test files in other packages.
+func GetOPFConfigForTest() *OPFConfig {
+	return getOPFConfig()
+}
+
+// ResetOPFConfigForTest clears configuration and the circuit breaker. Used
+// by tests in other packages to return to a "never configured" state.
+func ResetOPFConfigForTest() {
+	resetOPFConfig()
+}
+
+func resetOPFConfig() {
+	opfConfigMu.Lock()
+	opfConfig = nil
+	opfConfigMu.Unlock()
+	opfBreakerTripped.Store(false)
+}
+
+// opfLabelMap maps OPF native labels to our taggedRegion.label values.
+// Empty mapped value renders as the bare "REDACTED" token; non-empty values
+// render as "[REDACTED_<LABEL>]" via the replacementToken helper.
+var opfLabelMap = map[string]string{
+	"private_person":  "PERSON",
+	"private_email":   "EMAIL",
+	"private_phone":   "PHONE",
+	"private_address": "ADDRESS",
+	"private_url":     "URL",
+	"private_date":    "DATE",
+	"account_number":  "ACCOUNT_NUMBER",
+	"secret":          "", // -> bare REDACTED
+}
+
+// IsKnownOPFCategory reports whether name is one of the OPF native labels
+// the CLI knows how to tag and render. Exported so the settings layer can
+// reject typos at parse time — silent zero-detection of a privacy category
+// would leave users thinking they're protected when they're not.
+func IsKnownOPFCategory(name string) bool {
+	_, ok := opfLabelMap[name]
+	return ok
+}
+
+func mapOPFLabel(opfLabel string) string {
+	if mapped, ok := opfLabelMap[opfLabel]; ok {
+		return mapped
+	}
+	return ""
+}
+
+func enabledCategories(cfg *OPFConfig) []string {
+	if cfg == nil {
+		return nil
+	}
+	out := make([]string, 0, len(cfg.Categories))
+	for label, enabled := range cfg.Categories {
+		if !enabled {
+			continue
+		}
+		if _, known := opfLabelMap[label]; !known {
+			continue
+		}
+		out = append(out, label)
+	}
+	sort.Strings(out) // deterministic order for tests + logs
+	return out
+}
+
+// opfStderr is where progress and failure UX is written. Defaults to
+// /dev/tty so messages survive the post-commit hook's stderr redirect
+// (the hook runs `entire hooks git post-commit 2>/dev/null` to suppress
+// unrelated logging). Tests override this directly.
+var opfStderr = openTTYOrDiscard()
+
+func openTTYOrDiscard() io.Writer {
+	f, err := os.OpenFile("/dev/tty", os.O_WRONLY, 0)
+	if err != nil {
+		return io.Discard
+	}
+	return f
+}
+
+// detectOPF runs OPF on a single text and returns tagged regions for any
+// spans whose category is enabled in cfg. Returns nil when OPF is disabled,
+// unconfigured, the breaker is tripped, the input is too short to be prose,
+// the input has no enabled categories, or the runtime returns an error.
+//
+// The has-space gate eliminates structural strings (paths, IDs, snake_case
+// keys) that would otherwise pay the OPF cold-start with zero benefit.
+// Single-token PII shapes (e.g. an isolated email) are caught by the regex
+// layers.
+func detectOPF(ctx context.Context, cfg *OPFConfig, s string) []taggedRegion {
+	if cfg == nil || !cfg.Enabled || cfg.runtime == nil || s == "" {
+		return nil
+	}
+	if opfBreakerTripped.Load() {
+		return nil
+	}
+	if !strings.ContainsRune(s, ' ') {
+		return nil
+	}
+	cats := enabledCategories(cfg)
+	if len(cats) == 0 {
+		return nil
+	}
+
+	fmt.Fprintln(opfStderr, "→ OpenAI Privacy Filter: scanning transcript…")
+	start := time.Now()
+	spans, err := cfg.runtime.Redact(ctx, s, cats)
+	if err != nil {
+		handleOPFFailure(ctx, cfg, err)
+		return nil
+	}
+	fmt.Fprintf(opfStderr, "✓ OpenAI Privacy Filter: done (%.1fs)\n", time.Since(start).Seconds())
+
+	out := make([]taggedRegion, 0, len(spans))
+	for _, sp := range spans {
+		if !cfg.Categories[sp.Label] {
+			continue
+		}
+		if sp.Start < 0 || sp.End > len(s) || sp.Start >= sp.End {
+			continue
+		}
+		out = append(out, taggedRegion{
+			region: region{sp.Start, sp.End},
+			label:  mapOPFLabel(sp.Label),
+		})
+	}
+	return out
+}
+
+// handleOPFFailure trips the circuit breaker and emits one user-facing
+// warning. CompareAndSwap ensures only the FIRST failure produces output;
+// subsequent detectOPF calls short-circuit before reaching here, so the
+// swap is mostly a guard against concurrent first-call races.
+func handleOPFFailure(ctx context.Context, cfg *OPFConfig, err error) {
+	if !opfBreakerTripped.CompareAndSwap(false, true) {
+		return
+	}
+	slog.WarnContext(ctx, "OpenAI Privacy Filter call failed; disabling for the rest of this process",
+		slog.String("component", "redaction"),
+		slog.String("command", cfg.Command),
+		slog.String("error", err.Error()),
+	)
+	fmt.Fprintf(opfStderr, "× OpenAI Privacy Filter unavailable (%s); falling back to regex layers for the rest of this commit. Install with 'pip install opf'.\n", cfg.Command)
+}
+
+// Span is a redaction region returned by an opfRuntime, with BYTE-offset
+// boundaries against the input text. OPF itself reports character (rune)
+// offsets via its JSON output; the shell-out adapter translates those to
+// byte offsets before returning Spans so callers can slice []byte input
+// directly without re-walking runes.
+type Span struct {
+	Start int
+	End   int
+	Label string // OPF native label, e.g. "private_person"
+}
+
+// opfRuntime is the abstraction over the OpenAI Privacy Filter binary or
+// (future) daemon. Implementations must be safe for concurrent use.
+type opfRuntime interface {
+	Redact(ctx context.Context, text string, categories []string) ([]Span, error)
+	RedactBatch(ctx context.Context, inputs []string, categories []string) ([][]Span, error)
+}
+
+// shellOut runs the user-installed `opf` binary per call. Cold-start every
+// invocation is intentional for v1 — daemon mode is a planned follow-up
+// that implements the same opfRuntime interface so callers don't change.
+type shellOut struct {
+	command        string
+	timeoutSeconds int
+
+	// commandRunner builds the *exec.Cmd run for each Redact call. Tests
+	// override this with a closure returning a Cmd wrapping a shell snippet.
+	commandRunner func(ctx context.Context, name string, args ...string) *exec.Cmd
+}
+
+func newShellOut(command string, timeoutSeconds int) *shellOut {
+	return &shellOut{
+		command:        command,
+		timeoutSeconds: timeoutSeconds,
+		commandRunner:  exec.CommandContext,
+	}
+}
+
+// opfBatchSeparator joins inputs into a single opf invocation. opf treats
+// '\n' as a per-input delimiter and runs a fresh inference pass per line,
+// which is no faster than per-call shell-out. Joining with a non-newline
+// separator instead causes opf to treat the concatenation as ONE input and
+// do ONE inference pass, amortizing the model load across all inputs.
+//
+// ASCII RECORD SEPARATOR (U+001E) satisfies both requirements:
+//  1. Doesn't appear in real text (so no collision with content)
+//  2. Looks like whitespace to opf's tokenizer (so it doesn't confuse
+//     span boundaries)
+const opfBatchSeparator = "\x1e"
+
+// Redact runs OPF on a single text input.
+func (s *shellOut) Redact(ctx context.Context, text string, categories []string) ([]Span, error) {
+	if len(categories) == 0 {
+		return nil, nil
+	}
+	batch, err := s.RedactBatch(ctx, []string{text}, categories)
+	if err != nil || len(batch) == 0 {
+		return nil, err
+	}
+	return batch[0], nil
+}
+
+// RedactBatch sends multiple inputs to opf as a single shell-out, joined
+// with opfBatchSeparator. Internal newlines in inputs are flattened to
+// spaces (1-byte → 1-byte, offsets stay valid). opf emits one JSON object
+// covering the whole concatenated text; spans are partitioned back per
+// input via partitionIndex. Spans crossing a separator boundary are dropped.
+//
+// Errors deliberately do NOT include stdout or stderr content — OPF can
+// echo input fragments to either stream when misconfigured, and the error
+// is later logged + printed to TTY by handleOPFFailure. Byte counts are
+// sufficient for diagnostics.
+func (s *shellOut) RedactBatch(ctx context.Context, inputs []string, categories []string) ([][]Span, error) {
+	if len(inputs) == 0 || len(categories) == 0 {
+		return nil, nil
+	}
+	timeout := time.Duration(s.timeoutSeconds) * time.Second
+	callCtx, cancel := context.WithTimeout(ctx, timeout)
+	defer cancel()
+
+	var buf strings.Builder
+	starts := make([]int, len(inputs))
+	for i, in := range inputs {
+		if i > 0 {
+			buf.WriteString(opfBatchSeparator)
+		}
+		starts[i] = buf.Len()
+		buf.WriteString(strings.ReplaceAll(in, "\n", " "))
+	}
+	batched := buf.String()
+
+	cmd := s.commandRunner(callCtx, s.command,
+		"--device", "cpu",
+		"--output-mode", "typed",
+		"--format", "json",
+		"--no-print-color-coded-text",
+	)
+	cmd.Stdin = strings.NewReader(batched)
+	var stdout, stderr bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+	// WaitDelay forces cmd.Wait() to return promptly after context
+	// cancellation/timeout even when the killed process leaves descendants
+	// holding the stdout/stderr pipes (e.g. `sh -c "sleep 5"` — killing sh
+	// doesn't reap sleep). Without this, timeout tests on Linux CI block
+	// for the full sleep duration.
+	cmd.WaitDelay = 500 * time.Millisecond
+
+	if err := cmd.Run(); err != nil {
+		switch {
+		case errors.Is(callCtx.Err(), context.DeadlineExceeded):
+			return nil, fmt.Errorf("opf timeout after %s: %w", timeout, callCtx.Err())
+		case errors.Is(ctx.Err(), context.Canceled):
+			return nil, fmt.Errorf("opf canceled: %w", ctx.Err())
+		}
+		if stderr.Len() == 0 {
+			return nil, fmt.Errorf("opf exited with error: %w", err)
+		}
+		return nil, fmt.Errorf("opf exited with error (%d bytes on stderr): %w", stderr.Len(), err)
+	}
+
+	var parsed struct {
+		DetectedSpans []struct {
+			Label string `json:"label"`
+			Start int    `json:"start"`
+			End   int    `json:"end"`
+		} `json:"detected_spans"`
+	}
+	if err := json.Unmarshal(stdout.Bytes(), &parsed); err != nil {
+		return nil, fmt.Errorf("opf output not parseable as JSON (%d bytes): %w", stdout.Len(), err)
+	}
+
+	out := make([][]Span, len(inputs))
+	for _, p := range parsed.DetectedSpans {
+		byteStart := charToByteOffset(batched, p.Start)
+		byteEnd := charToByteOffset(batched, p.End)
+		if byteStart < 0 || byteEnd < 0 {
+			continue
+		}
+		idx := partitionIndex(starts, byteStart, byteEnd, opfBatchSeparator)
+		if idx < 0 {
+			continue
+		}
+		base := starts[idx]
+		out[idx] = append(out[idx], Span{
+			Start: byteStart - base,
+			End:   byteEnd - base,
+			Label: p.Label,
+		})
+	}
+	return out, nil
+}
+
+// charToByteOffset converts a 0-based rune offset into a byte offset within
+// s. Returns -1 for negative offsets or offsets past the rune count.
+// charOff == 0 returns 0; charOff == utf8.RuneCountInString(s) returns
+// len(s) (the exclusive end position used as a slice bound).
+func charToByteOffset(s string, charOff int) int {
+	if charOff < 0 {
+		return -1
+	}
+	byteOff := 0
+	for range charOff {
+		if byteOff >= len(s) {
+			return -1
+		}
+		_, size := utf8.DecodeRuneInString(s[byteOff:])
+		byteOff += size
+	}
+	return byteOff
+}
+
+// partitionIndex returns the input index that contains [spanStart, spanEnd)
+// within the concatenated batch, or -1 if the region crosses a separator
+// boundary or is outside any input. starts[i] is the byte offset where
+// inputs[i] begins; each input ends at starts[i+1] - len(sep), or at the
+// end of the batched string for the last input.
+func partitionIndex(starts []int, spanStart, spanEnd int, sep string) int {
+	if spanStart < 0 || spanEnd <= spanStart {
+		return -1
+	}
+	for i := range starts {
+		base := starts[i]
+		var end int
+		if i+1 < len(starts) {
+			end = starts[i+1] - len(sep)
+		} else {
+			// Last input — no upper bound tracked. Accept any span that
+			// starts >= base; the caller's bounds-check on the returned
+			// span's byte offsets covers the runaway case.
+			end = 1 << 31
+		}
+		if spanStart >= base && spanEnd <= end {
+			return i
+		}
+		if spanStart < base {
+			return -1
+		}
+	}
+	return -1
+}
diff --git a/redact/opf_test.go b/redact/opf_test.go
new file mode 100644
index 0000000000..c9e8168521
--- /dev/null
+++ b/redact/opf_test.go
@@ -0,0 +1,481 @@
+package redact
+
+import (
+	"context"
+	"errors"
+	"io"
+	"os/exec"
+	"strings"
+	"sync"
+	"testing"
+)
+
+// shCmd returns a Cmd that runs the given shell snippet via `sh -c`. Used
+// by tests to simulate the `opf` binary's behavior without needing it
+// installed.
+func shCmd(ctx context.Context, script string) *exec.Cmd {
+	return exec.CommandContext(ctx, "sh", "-c", script)
+}
+
+// fakeRuntime is the standard test double for opfRuntime. Records call
+// counts so tests can assert "single batched call, not N per-leaf" contracts.
+type fakeRuntime struct {
+	mu         sync.Mutex
+	spans      []Span
+	err        error
+	calls      int
+	batchCalls int
+}
+
+func (f *fakeRuntime) Redact(_ context.Context, _ string, _ []string) ([]Span, error) {
+	f.mu.Lock()
+	defer f.mu.Unlock()
+	f.calls++
+	return f.spans, f.err
+}
+
+func (f *fakeRuntime) RedactBatch(_ context.Context, inputs []string, _ []string) ([][]Span, error) {
+	f.mu.Lock()
+	defer f.mu.Unlock()
+	f.batchCalls++
+	if f.err != nil {
+		return nil, f.err
+	}
+	out := make([][]Span, len(inputs))
+	for i := range inputs {
+		out[i] = f.spans
+	}
+	return out, nil
+}
+
+func TestConfigurePrivacyFilter_StoresConfig(t *testing.T) {
+	resetOPFConfig()
+	t.Cleanup(resetOPFConfig)
+
+	ConfigurePrivacyFilter(OPFConfig{
+		Enabled:    true,
+		Categories: map[string]bool{"private_person": true},
+		Command:    "/usr/local/bin/opf",
+		Timeout:    45,
+	})
+
+	got := getOPFConfig()
+	if got == nil {
+		t.Fatal("getOPFConfig returned nil")
+	}
+	if !got.Enabled || !got.Categories["private_person"] || got.Command != "/usr/local/bin/opf" || got.Timeout != 45 {
+		t.Errorf("config not stored verbatim: %+v", got)
+	}
+	if got.runtime == nil {
+		t.Error("runtime was not constructed")
+	}
+}
+
+func TestConfigurePrivacyFilter_AppliesDefaults(t *testing.T) {
+	resetOPFConfig()
+	t.Cleanup(resetOPFConfig)
+
+	ConfigurePrivacyFilter(OPFConfig{Enabled: true})
+	got := getOPFConfig()
+	if got.Command != "opf" {
+		t.Errorf("default Command: want \"opf\", got %q", got.Command)
+	}
+	if got.Timeout != 30 {
+		t.Errorf("default Timeout: want 30, got %d", got.Timeout)
+	}
+}
+
+func TestIsKnownOPFCategory(t *testing.T) {
+	t.Parallel()
+	cases := map[string]bool{
+		"private_person":  true,
+		"private_email":   true,
+		"secret":          true,
+		"account_number":  true,
+		"private_peerson": false,
+		"":                false,
+		"PII":             false,
+	}
+	for name, want := range cases {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+			if got := IsKnownOPFCategory(name); got != want {
+				t.Errorf("IsKnownOPFCategory(%q) = %v, want %v", name, got, want)
+			}
+		})
+	}
+}
+
+func TestDetectOPF_DisabledReturnsNil(t *testing.T) {
+	resetOPFConfig()
+	t.Cleanup(resetOPFConfig)
+
+	fake := &fakeRuntime{spans: []Span{{Start: 0, End: 5, Label: "private_person"}}}
+	ConfigurePrivacyFilterWithRuntime(OPFConfig{
+		Enabled:    false,
+		Categories: map[string]bool{"private_person": true},
+	}, fake)
+
+	if got := detectOPF(context.Background(), getOPFConfig(), "Alice met Bob"); got != nil {
+		t.Errorf("disabled OPF should return nil, got %v", got)
+	}
+	if fake.calls != 0 {
+		t.Errorf("disabled OPF invoked runtime %d times, want 0", fake.calls)
+	}
+}
+
+func TestDetectOPF_MapsLabelsCorrectly(t *testing.T) {
+	resetOPFConfig()
+	t.Cleanup(resetOPFConfig)
+
+	origStderr := opfStderr
+	opfStderr = io.Discard
+	t.Cleanup(func() { opfStderr = origStderr })
+
+	fake := &fakeRuntime{
+		spans: []Span{
+			{Start: 0, End: 5, Label: "private_person"},
+			{Start: 6, End: 9, Label: "private_email"},
+		},
+	}
+	ConfigurePrivacyFilterWithRuntime(OPFConfig{
+		Enabled: true,
+		Categories: map[string]bool{
+			"private_person": true,
+			"private_email":  true,
+		},
+	}, fake)
+
+	regions := detectOPF(context.Background(), getOPFConfig(), "Alice a@b.io test")
+	if len(regions) != 2 {
+		t.Fatalf("want 2 regions, got %d: %v", len(regions), regions)
+	}
+	if regions[0].label != "PERSON" {
+		t.Errorf("region[0].label: want PERSON, got %q", regions[0].label)
+	}
+	if regions[1].label != "EMAIL" {
+		t.Errorf("region[1].label: want EMAIL, got %q", regions[1].label)
+	}
+}
+
+func TestDetectOPF_SkipsCategoriesNotEnabled(t *testing.T) {
+	resetOPFConfig()
+	t.Cleanup(resetOPFConfig)
+	origStderr := opfStderr
+	opfStderr = io.Discard
+	t.Cleanup(func() { opfStderr = origStderr })
+
+	fake := &fakeRuntime{
+		spans: []Span{
+			{Start: 0, End: 5, Label: "private_person"},
+			{Start: 6, End: 9, Label: "private_email"}, // not enabled
+		},
+	}
+	ConfigurePrivacyFilterWithRuntime(OPFConfig{
+		Enabled:    true,
+		Categories: map[string]bool{"private_person": true},
+	}, fake)
+
+	regions := detectOPF(context.Background(), getOPFConfig(), "Alice a@b.io test")
+	if len(regions) != 1 || regions[0].label != "PERSON" {
+		t.Errorf("want only PERSON region, got %v", regions)
+	}
+}
+
+func TestDetectOPF_SkipsNonProseStrings(t *testing.T) {
+	resetOPFConfig()
+	t.Cleanup(resetOPFConfig)
+
+	fake := &fakeRuntime{spans: []Span{{Start: 0, End: 5, Label: "private_person"}}}
+	ConfigurePrivacyFilterWithRuntime(OPFConfig{
+		Enabled:    true,
+		Categories: map[string]bool{"private_person": true},
+	}, fake)
+
+	cases := []string{
+		"src/main.go",
+		"user_prompt_submit",
+		"tool-use-id",
+		"a3b2c4d5e6f7",
+		"Alice", // single token, no space
+	}
+	for _, tc := range cases {
+		t.Run(tc, func(t *testing.T) {
+			callsBefore := fake.calls
+			if got := detectOPF(context.Background(), getOPFConfig(), tc); got != nil {
+				t.Errorf("non-prose %q: want nil, got %v", tc, got)
+			}
+			if fake.calls != callsBefore {
+				t.Errorf("non-prose %q: runtime invoked (calls %d → %d)", tc, callsBefore, fake.calls)
+			}
+		})
+	}
+}
+
+func TestDetectOPF_CircuitBreaker(t *testing.T) {
+	resetOPFConfig()
+	t.Cleanup(resetOPFConfig)
+	origStderr := opfStderr
+	opfStderr = io.Discard
+	t.Cleanup(func() { opfStderr = origStderr })
+
+	fake := &fakeRuntime{err: errors.New("simulated opf failure")}
+	ConfigurePrivacyFilterWithRuntime(OPFConfig{
+		Enabled:    true,
+		Categories: map[string]bool{"private_person": true},
+	}, fake)
+
+	// First call hits the runtime and observes the failure.
+	if got := detectOPF(context.Background(), getOPFConfig(), "Alice met Bob"); got != nil {
+		t.Fatalf("first call: want nil, got %v", got)
+	}
+	if fake.calls != 1 {
+		t.Fatalf("first call: want 1 invocation, got %d", fake.calls)
+	}
+
+	// Subsequent calls short-circuit before invoking the runtime.
+	for i := range 5 {
+		if got := detectOPF(context.Background(), getOPFConfig(), "Charlie sat next to Diane"); got != nil {
+			t.Errorf("call %d after breaker: want nil, got %v", i+2, got)
+		}
+	}
+	if fake.calls != 1 {
+		t.Errorf("breaker did not engage: %d invocations, want 1", fake.calls)
+	}
+
+	// Reconfiguring resets the breaker.
+	ConfigurePrivacyFilterWithRuntime(OPFConfig{
+		Enabled:    true,
+		Categories: map[string]bool{"private_person": true},
+	}, fake)
+	if got := detectOPF(context.Background(), getOPFConfig(), "Eve walked home"); got != nil {
+		t.Fatal("after reconfigure: want nil (still failing fake), got non-nil")
+	}
+	if fake.calls != 2 {
+		t.Errorf("after reconfigure: want 2 total invocations, got %d", fake.calls)
+	}
+}
+
+func TestShellOut_BatchSingleInferencePass(t *testing.T) {
+	t.Parallel()
+	var calls int
+	var mu sync.Mutex
+	rt := &shellOut{
+		command:        "opf",
+		timeoutSeconds: 5,
+		commandRunner: func(ctx context.Context, _ string, _ ...string) *exec.Cmd {
+			mu.Lock()
+			calls++
+			mu.Unlock()
+			return shCmd(ctx, `printf '{"detected_spans":[]}'`)
+		},
+	}
+	_, err := rt.RedactBatch(context.Background(), []string{"hello world", "foo bar baz"}, []string{"private_person"})
+	if err != nil {
+		t.Fatalf("RedactBatch: %v", err)
+	}
+	mu.Lock()
+	defer mu.Unlock()
+	if calls != 1 {
+		t.Errorf("want 1 shell-out for 2 inputs, got %d", calls)
+	}
+}
+
+func TestShellOut_ExitError_DoesNotLeakStderr(t *testing.T) {
+	t.Parallel()
+	const secret = "Alice met Bob at 555-867-5309"
+	rt := &shellOut{
+		command:        "opf",
+		timeoutSeconds: 5,
+		commandRunner: func(ctx context.Context, _ string, _ ...string) *exec.Cmd {
+			// Echo input to stderr, then exit non-zero — simulates a
+			// hostile or misconfigured opf wrapper.
+			return shCmd(ctx, "printf '%s' '"+secret+"' >&2; exit 7")
+		},
+	}
+	_, err := rt.Redact(context.Background(), secret, []string{"private_person"})
+	if err == nil {
+		t.Fatal("Redact: want error, got nil")
+	}
+	if strings.Contains(err.Error(), secret) {
+		t.Errorf("error leaks stderr content: %v", err)
+	}
+	if !strings.Contains(err.Error(), "bytes on stderr") {
+		t.Errorf("error should mention stderr byte count: %v", err)
+	}
+}
+
+func TestShellOut_ParseError_DoesNotLeakStdout(t *testing.T) {
+	t.Parallel()
+	const secret = "Alice met Bob"
+	rt := &shellOut{
+		command:        "opf",
+		timeoutSeconds: 5,
+		commandRunner: func(ctx context.Context, _ string, _ ...string) *exec.Cmd {
+			return shCmd(ctx, "printf '%s' 'not json: "+secret+"'")
+		},
+	}
+	_, err := rt.Redact(context.Background(), secret, []string{"private_person"})
+	if err == nil {
+		t.Fatal("Redact: want parse error, got nil")
+	}
+	if strings.Contains(err.Error(), secret) {
+		t.Errorf("parse error leaks stdout content: %v", err)
+	}
+}
+
+func TestCharToByteOffset(t *testing.T) {
+	t.Parallel()
+	cases := []struct {
+		name    string
+		s       string
+		charOff int
+		want    int
+	}{
+		// ASCII: 5 runes, 5 bytes.
+		{"ascii_start", "hello", 0, 0},
+		{"ascii_mid", "hello", 3, 3},
+		{"ascii_end_runecount", "hello", 5, 5},
+		{"ascii_past_end", "hello", 6, -1},
+		{"ascii_way_past", "hello", 100, -1},
+		{"negative", "hello", -1, -1},
+		// UTF-8: 3 runes, 9 bytes (3 × 3-byte box-drawing chars).
+		{"utf8_start", "───", 0, 0},
+		{"utf8_after_first", "───", 1, 3},
+		{"utf8_end_runecount", "───", 3, 9},
+		{"utf8_past_end", "───", 4, -1},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			if got := charToByteOffset(tc.s, tc.charOff); got != tc.want {
+				t.Errorf("charToByteOffset(%q, %d) = %d, want %d", tc.s, tc.charOff, got, tc.want)
+			}
+		})
+	}
+}
+
+func TestPartitionIndex(t *testing.T) {
+	t.Parallel()
+	// Three inputs joined by 1-byte separator: starts = [0, 11, 23]
+	//   "hello world"   bytes 0..11
+	//   "\x1e"          byte  11
+	//   "foo bar baz"   bytes 12..23
+	//   "\x1e"          byte  23
+	//   "the cat sat"   bytes 24..35
+	starts := []int{0, 12, 24}
+	cases := []struct {
+		name      string
+		spanStart int
+		spanEnd   int
+		want      int
+	}{
+		{"first_input", 0, 5, 0},
+		{"second_input", 12, 15, 1},
+		{"third_input", 24, 30, 2},
+		{"crosses_first_boundary", 5, 15, -1},
+		{"crosses_second_boundary", 15, 25, -1},
+		{"negative_start", -1, 5, -1},
+		{"zero_length", 5, 5, -1},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			if got := partitionIndex(starts, tc.spanStart, tc.spanEnd, "\x1e"); got != tc.want {
+				t.Errorf("partitionIndex(%d,%d) = %d, want %d", tc.spanStart, tc.spanEnd, got, tc.want)
+			}
+		})
+	}
+}
+
+func TestPlainEntryPointsNeverInvokeOPF(t *testing.T) {
+	resetOPFConfig()
+	t.Cleanup(resetOPFConfig)
+
+	fake := &fakeRuntime{spans: []Span{{Start: 0, End: 5, Label: "private_person"}}}
+	ConfigurePrivacyFilterWithRuntime(OPFConfig{
+		Enabled:    true,
+		Categories: map[string]bool{"private_person": true},
+	}, fake)
+
+	_ = String("Alice met Bob in the lobby")
+	_ = Bytes([]byte("Alice met Bob in the lobby"))
+	if _, err := JSONLContent(`{"role":"user","content":"Alice met Bob in the lobby"}`); err != nil {
+		t.Fatalf("JSONLContent: %v", err)
+	}
+	if _, err := JSONLBytes([]byte(`{"role":"user","content":"Alice met Bob in the lobby"}`)); err != nil {
+		t.Fatalf("JSONLBytes: %v", err)
+	}
+
+	if fake.calls+fake.batchCalls != 0 {
+		t.Errorf("plain entry points invoked OPF: calls=%d batchCalls=%d", fake.calls, fake.batchCalls)
+	}
+}
+
+func TestStringWithPrivacyFilter_AugmentsRegexLayers(t *testing.T) {
+	resetOPFConfig()
+	t.Cleanup(resetOPFConfig)
+	origStderr := opfStderr
+	opfStderr = io.Discard
+	t.Cleanup(func() { opfStderr = origStderr })
+
+	fake := &fakeRuntime{spans: []Span{{Start: 0, End: 5, Label: "private_person"}}}
+	ConfigurePrivacyFilterWithRuntime(OPFConfig{
+		Enabled:    true,
+		Categories: map[string]bool{"private_person": true},
+	}, fake)
+
+	got := StringWithPrivacyFilter(context.Background(), "Alice met Bob in the lobby")
+	if !strings.Contains(got, "[REDACTED_PERSON]") {
+		t.Errorf("StringWithPrivacyFilter output missing PERSON tag: %q", got)
+	}
+}
+
+func TestJSONLContentWithPrivacyFilter_BatchesSingleCall(t *testing.T) {
+	resetOPFConfig()
+	t.Cleanup(resetOPFConfig)
+	origStderr := opfStderr
+	opfStderr = io.Discard
+	t.Cleanup(func() { opfStderr = origStderr })
+
+	fake := &fakeRuntime{spans: []Span{{Start: 0, End: 5, Label: "private_person"}}}
+	ConfigurePrivacyFilterWithRuntime(OPFConfig{
+		Enabled:    true,
+		Categories: map[string]bool{"private_person": true},
+	}, fake)
+
+	// Three distinct prose-shaped leaves; should hit OPF in exactly one batch.
+	content := `{"a":"Alice met Bob","b":"Charlie sat down","c":"Eve walked home","id":"abc123"}`
+	if _, err := JSONLContentWithPrivacyFilter(context.Background(), content); err != nil {
+		t.Fatalf("JSONLContentWithPrivacyFilter: %v", err)
+	}
+	if fake.batchCalls != 1 {
+		t.Errorf("want exactly 1 RedactBatch call, got %d", fake.batchCalls)
+	}
+	if fake.calls != 0 {
+		t.Errorf("want 0 single-input Redact calls, got %d", fake.calls)
+	}
+}
+
+func TestJSONLContentWithPrivacyFilter_FallsBackOnBatchError(t *testing.T) {
+	resetOPFConfig()
+	t.Cleanup(resetOPFConfig)
+	origStderr := opfStderr
+	opfStderr = io.Discard
+	t.Cleanup(func() { opfStderr = origStderr })
+
+	fake := &fakeRuntime{err: errors.New("simulated opf failure")}
+	ConfigurePrivacyFilterWithRuntime(OPFConfig{
+		Enabled:    true,
+		Categories: map[string]bool{"private_person": true},
+	}, fake)
+
+	content := `{"a":"Alice met Bob"}`
+	got, err := JSONLContentWithPrivacyFilter(context.Background(), content)
+	if err != nil {
+		t.Fatalf("want graceful fallback, got error: %v", err)
+	}
+	if got == "" {
+		t.Error("fallback should still return non-empty content")
+	}
+}
diff --git a/redact/redact.go b/redact/redact.go
index 8e743da4c7..e21eec67f9 100644
--- a/redact/redact.go
+++ b/redact/redact.go
@@ -2,15 +2,18 @@ package redact
 
 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"fmt"
 	"io"
+	"log/slog"
 	"math"
 	"net/url"
 	"regexp"
 	"sort"
 	"strings"
 	"sync"
+	"time"
 
 	"github.com/betterleaks/betterleaks/detect"
 )
@@ -164,6 +167,15 @@ var connectionStringRules = []connectionStringRule{
 // 7. PII detection: email, phone, address patterns (only when configured via ConfigurePII)
 // A string is redacted if ANY method flags it.
 func String(s string) string {
+	return applyRegions(s, detectAllLayers(s))
+}
+
+// detectAllLayers runs the seven always-on/opt-in regex-based redaction
+// layers and returns their tagged regions. The OpenAI Privacy Filter
+// (layer 8) is NOT included — callers that want it append detectOPF spans
+// to the result before passing to applyRegions. See StringWithPrivacyFilter
+// for the augmented flow.
+func detectAllLayers(s string) []taggedRegion {
 	var regions []taggedRegion
 
 	// 1. Entropy-based detection (secrets — always on).
@@ -227,11 +239,16 @@ func String(s string) string {
 	// 7. PII detection (opt-in — only runs when configured).
 	regions = append(regions, detectPII(getPIIConfig(), s)...)
 
+	return regions
+}
+
+// applyRegions sorts, merges, and replaces the given regions in s, returning
+// the redacted string. Returns s unchanged when regions is empty.
+func applyRegions(s string, regions []taggedRegion) string {
 	if len(regions) == 0 {
 		return s
 	}
 
-	// Merge overlapping regions and build result.
 	sort.Slice(regions, func(i, j int) bool {
 		if regions[i].start != regions[j].start {
 			return regions[i].start < regions[j].start
@@ -498,6 +515,33 @@ func JSONLBytes(b []byte) (RedactedBytes, error) {
 	return RedactedBytes{data: []byte(redacted)}, nil
 }
 
+// JSONLBytesWithPrivacyFilter augments JSONLBytes with the OpenAI Privacy
+// Filter. Use only at condensation/export boundaries; per-turn writes must
+// use JSONLBytes.
+func JSONLBytesWithPrivacyFilter(ctx context.Context, b []byte) (RedactedBytes, error) {
+	s := string(b)
+	redacted, err := JSONLContentWithPrivacyFilter(ctx, s)
+	if err != nil {
+		return RedactedBytes{}, err
+	}
+	if redacted == s {
+		return RedactedBytes{data: b}, nil
+	}
+	return RedactedBytes{data: []byte(redacted)}, nil
+}
+
+// BytesWithPrivacyFilter augments Bytes with the OpenAI Privacy Filter for
+// raw (non-JSONL) byte content. Used by checkpoint write paths that handle
+// metadata files which may or may not be JSONL.
+func BytesWithPrivacyFilter(ctx context.Context, b []byte) []byte {
+	s := string(b)
+	redacted := StringWithPrivacyFilter(ctx, s)
+	if redacted == s {
+		return b
+	}
+	return []byte(redacted)
+}
+
 // JSONLContent parses each line as JSON to determine which string values
 // need redaction, then performs targeted replacements on the raw JSON bytes.
 // Lines with no secrets are returned unchanged, preserving original formatting.
@@ -508,6 +552,15 @@ func JSONLBytes(b []byte) (RedactedBytes, error) {
 // is used instead of falling back to entropy-based detection on raw text lines,
 // which would corrupt high-entropy identifiers.
 func JSONLContent(content string) (string, error) {
+	return jsonlContentImpl(content, String)
+}
+
+// jsonlContentImpl is the body of JSONLContent parameterized by a per-leaf
+// redactor. JSONLContent passes String (regex layers only). The OPF-enabled
+// flow uses two passes: one with a collector that records leaves and returns
+// identity, one with a redactor that combines regex layers with cached OPF
+// spans for the recorded leaves.
+func jsonlContentImpl(content string, redactor func(string) string) (string, error) {
 	// Try parsing the entire content as a single JSON value first.
 	// Uses a streaming decoder to avoid copying the full content into []byte.
 	// After decoding, attempts a second Decode to confirm EOF — if it succeeds,
@@ -518,7 +571,7 @@ func JSONLContent(content string) (string, error) {
 		var parsed any
 		if err := dec.Decode(&parsed); err == nil && isSingleJSONValue(dec) {
 			// Content is a single JSON value (object/array) — redact field-aware.
-			result, err := applyJSONReplacements(content, collectJSONLReplacements(parsed))
+			result, err := applyJSONReplacements(content, collectJSONLReplacements(parsed, redactor))
 			if err != nil {
 				return "", err
 			}
@@ -540,10 +593,10 @@ func JSONLContent(content string) (string, error) {
 		}
 		var parsed any
 		if err := json.Unmarshal([]byte(lineTrimmed), &parsed); err != nil {
-			b.WriteString(String(line))
+			b.WriteString(redactor(line))
 			continue
 		}
-		result, err := applyJSONReplacements(line, collectJSONLReplacements(parsed))
+		result, err := applyJSONReplacements(line, collectJSONLReplacements(parsed, redactor))
 		if err != nil {
 			return "", err
 		}
@@ -552,6 +605,98 @@ func JSONLContent(content string) (string, error) {
 	return b.String(), nil
 }
 
+// StringWithPrivacyFilter augments String with the OpenAI Privacy Filter.
+// Use only at condensation/export boundaries; per-turn writes must use
+// String to avoid the OPF shell-out cost inside the agent loop.
+func StringWithPrivacyFilter(ctx context.Context, s string) string {
+	regions := detectAllLayers(s)
+	regions = append(regions, detectOPF(ctx, getOPFConfig(), s)...)
+	return applyRegions(s, regions)
+}
+
+// JSONLContentWithPrivacyFilter augments JSONLContent with the OpenAI
+// Privacy Filter via batched inference. Walks the content twice: pass 1
+// collects unique prose-shaped leaves into a single RedactBatch call;
+// pass 2 applies the seven regex layers per leaf plus the cached OPF spans
+// for that leaf. One OPF shell-out covers the whole transcript instead of
+// one per leaf — without batching, a typical 500-leaf transcript would
+// take many minutes per commit.
+//
+// Falls back to the plain JSONLContent flow when OPF is unconfigured, the
+// breaker is tripped, no categories are enabled, or the batch call errors.
+func JSONLContentWithPrivacyFilter(ctx context.Context, content string) (string, error) {
+	cfg := getOPFConfig()
+	if cfg == nil || !cfg.Enabled || cfg.runtime == nil || opfBreakerTripped.Load() {
+		return jsonlContentImpl(content, String)
+	}
+	cats := enabledCategories(cfg)
+	if len(cats) == 0 {
+		return jsonlContentImpl(content, String)
+	}
+
+	// Pass 1: collect eligible (has-space, deduped) leaves. The collector
+	// closure returns identity so the JSONL walker doesn't mutate content.
+	seen := make(map[string]struct{})
+	var inputs []string
+	if _, err := jsonlContentImpl(content, func(v string) string {
+		if strings.ContainsRune(v, ' ') {
+			if _, ok := seen[v]; !ok {
+				seen[v] = struct{}{}
+				inputs = append(inputs, v)
+			}
+		}
+		return v
+	}); err != nil {
+		return "", err
+	}
+
+	// Pass 2: single batched OPF call.
+	spansByInput := make(map[string][]Span, len(inputs))
+	if len(inputs) > 0 {
+		fmt.Fprintln(opfStderr, "→ OpenAI Privacy Filter: scanning transcript…")
+		start := time.Now()
+		batched, err := cfg.runtime.RedactBatch(ctx, inputs, cats)
+		if err != nil {
+			handleOPFFailure(ctx, cfg, err)
+			return jsonlContentImpl(content, String)
+		}
+		fmt.Fprintf(opfStderr, "✓ OpenAI Privacy Filter: done (%.1fs)\n", time.Since(start).Seconds())
+		if len(batched) < len(inputs) {
+			slog.Warn("OPF runtime returned fewer span slices than inputs",
+				slog.String("component", "redaction"),
+				slog.Int("inputs", len(inputs)),
+				slog.Int("returned", len(batched)),
+			)
+		}
+		for i, in := range inputs {
+			if i >= len(batched) {
+				break
+			}
+			spansByInput[in] = batched[i]
+		}
+	}
+
+	// Pass 3: per-leaf regex layers + cached OPF spans.
+	return jsonlContentImpl(content, func(v string) string {
+		regions := detectAllLayers(v)
+		if spans, ok := spansByInput[v]; ok {
+			for _, sp := range spans {
+				if !cfg.Categories[sp.Label] {
+					continue
+				}
+				if sp.Start < 0 || sp.End > len(v) || sp.Start >= sp.End {
+					continue
+				}
+				regions = append(regions, taggedRegion{
+					region: region{sp.Start, sp.End},
+					label:  mapOPFLabel(sp.Label),
+				})
+			}
+		}
+		return applyRegions(v, regions)
+	})
+}
+
 // applyJSONReplacements applies collected (original, redacted) string pairs
 // to the raw JSON text, replacing JSON-encoded originals with their redacted forms.
 // Returns s unchanged if repls is empty.
@@ -638,9 +783,11 @@ func isSingleJSONValue(dec *json.Decoder) bool {
 	return dec.Decode(&discard) == io.EOF
 }
 
-// collectJSONLReplacements walks a parsed JSON value and collects unique string
-// replacements for values that need redaction.
-func collectJSONLReplacements(v any) []jsonReplacement {
+// collectJSONLReplacements walks a parsed JSON value and collects unique
+// string replacements via the supplied per-leaf redactor. JSONLContent
+// passes String; the OPF-enabled flow passes a closure that combines the
+// regex layers with cached batched OPF spans.
+func collectJSONLReplacements(v any, redactor func(string) string) []jsonReplacement {
 	seen := make(map[string]bool)
 	var repls []jsonReplacement
 	var walk func(key string, credentialContext bool, v any)
@@ -662,7 +809,7 @@ func collectJSONLReplacements(v any) []jsonReplacement {
 				walk("", credentialContext, child)
 			}
 		case string:
-			redacted := String(val)
+			redacted := redactor(val)
 			if redacted == val && isCredentialJSONSecretKey(key, credentialContext) && hasNonPlaceholderPasswordValue(val) {
 				redacted = RedactedPlaceholder
 			}
diff --git a/redact/redact_test.go b/redact/redact_test.go
index 632535fc76..d883676eb1 100644
--- a/redact/redact_test.go
+++ b/redact/redact_test.go
@@ -200,7 +200,7 @@ func TestCollectJSONLReplacements_Succeeds(t *testing.T) {
 	obj := map[string]any{
 		"content": "token=" + highEntropySecret,
 	}
-	repls := collectJSONLReplacements(obj)
+	repls := collectJSONLReplacements(obj, String)
 	// expect one replacement for high-entropy secret
 	want := []jsonReplacement{{key: "content", original: "token=" + highEntropySecret, redacted: "REDACTED"}}
 	if !slices.Equal(repls, want) {
@@ -265,7 +265,7 @@ func TestShouldSkipJSONLField_RedactionBehavior(t *testing.T) {
 		"session_id": highEntropySecret,
 		"content":    highEntropySecret,
 	}
-	repls := collectJSONLReplacements(obj)
+	repls := collectJSONLReplacements(obj, String)
 	// Only "content" should produce a replacement; "session_id" should be skipped.
 	if len(repls) != 1 {
 		t.Fatalf("expected 1 replacement, got %d", len(repls))
@@ -913,7 +913,7 @@ func TestShouldSkipJSONLObject_RedactionBehavior(t *testing.T) {
 		"type": "image",
 		"data": highEntropySecret,
 	}
-	repls := collectJSONLReplacements(obj)
+	repls := collectJSONLReplacements(obj, String)
 
 	// expect no replacements, it's an image which is skipped.
 	var wantRepls []jsonReplacement
@@ -926,7 +926,7 @@ func TestShouldSkipJSONLObject_RedactionBehavior(t *testing.T) {
 		"type":    "text",
 		"content": highEntropySecret,
 	}
-	repls2 := collectJSONLReplacements(obj2)
+	repls2 := collectJSONLReplacements(obj2, String)
 	wantRepls2 := []jsonReplacement{{key: "content", original: highEntropySecret, redacted: "REDACTED"}}
 	if !slices.Equal(repls2, wantRepls2) {
 		t.Errorf("got %q, want %q", repls2, wantRepls2)

From 8123aef9196fb814e09566f49b9091b4e2b4ac44 Mon Sep 17 00:00:00 2001
From: Peyton Montei <peyton@entire.io>
Date: Thu, 14 May 2026 18:39:35 -0400
Subject: [PATCH 02/11] feat(checkpoint): wire OPF into committed-checkpoint
 writes only
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Splits createRedactedBlobFromFile so per-turn temp writes (shared via
addDirectoryToChanges) stay on the plain 7-layer pipeline, and committed
writes use the full 8-layer pipeline that includes OPF. Without the
split, OPF would leak into the agent loop and add the OPF cold-start
to every per-turn write.

Adds PromptsRedactedContent to Write/UpdateCommittedOptions so the
finalize hook + single-checkpoint condense pre-compute the joined-prompt
redaction once and pass it through. Without this, each checkpoint
within a turn re-runs StringWithPrivacyFilter over identical input
(N×OPF on a turn with N checkpoints), and the v1+v2 dual-write doubles
that to 2N.

The transcript redaction in finalizeAllTurnCheckpoints and
condenseSingleCheckpoint moves to JSONLBytesWithPrivacyFilter; the
existing redactSessionJSONLBytes test seam gains a context argument so
tests can still swap a deterministic stub.

Wires settings.OpenAIPrivacyFilter into redact.ConfigurePrivacyFilter
from EnsureRedactionConfigured at startup.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 cmd/entire/cli/checkpoint/checkpoint.go       | 13 +++
 cmd/entire/cli/checkpoint/checkpoint_test.go  |  4 +-
 cmd/entire/cli/checkpoint/committed.go        | 80 ++++++++++++++-----
 cmd/entire/cli/checkpoint/prompts.go          | 21 ++++-
 cmd/entire/cli/checkpoint/prompts_test.go     | 26 ++++++
 cmd/entire/cli/checkpoint/v2_committed.go     | 12 +--
 cmd/entire/cli/strategy/common.go             | 11 +++
 cmd/entire/cli/strategy/condense_skip_test.go |  2 +-
 .../strategy/manual_commit_condensation.go    | 20 ++++-
 .../manual_commit_condensation_test.go        |  4 +-
 .../cli/strategy/manual_commit_hooks.go       | 30 ++++---
 cmd/entire/cli/strategy/manual_commit_test.go |  2 +-
 12 files changed, 181 insertions(+), 44 deletions(-)

diff --git a/cmd/entire/cli/checkpoint/checkpoint.go b/cmd/entire/cli/checkpoint/checkpoint.go
index 35f3aaf073..c59b666339 100644
--- a/cmd/entire/cli/checkpoint/checkpoint.go
+++ b/cmd/entire/cli/checkpoint/checkpoint.go
@@ -225,6 +225,14 @@ type WriteCommittedOptions struct {
 	// Prompts contains user prompts from the session
 	Prompts []string
 
+	// PromptsRedactedContent, if non-empty, is the pre-redacted joined-prompts
+	// blob content (output of JoinPrompts(Prompts) after running the full
+	// 8-layer pipeline). When set, the writer skips its safety-net redaction
+	// and uses this content directly. Used by finalizeAllTurnCheckpoints to
+	// avoid running the OpenAI Privacy Filter once per checkpoint over
+	// identical joined-prompt strings.
+	PromptsRedactedContent string
+
 	// FilesTouched are files modified during the session
 	FilesTouched []string
 
@@ -356,6 +364,11 @@ type UpdateCommittedOptions struct {
 	// Prompts contains all user prompts (replaces existing)
 	Prompts []string
 
+	// PromptsRedactedContent, if non-empty, is the pre-redacted joined-prompts
+	// blob content. When set, the writer skips its safety-net redaction.
+	// See WriteCommittedOptions.PromptsRedactedContent for rationale.
+	PromptsRedactedContent string
+
 	// Agent identifies the agent type (needed for transcript chunking)
 	Agent types.AgentType
 
diff --git a/cmd/entire/cli/checkpoint/checkpoint_test.go b/cmd/entire/cli/checkpoint/checkpoint_test.go
index da249af176..b40e6a404b 100644
--- a/cmd/entire/cli/checkpoint/checkpoint_test.go
+++ b/cmd/entire/cli/checkpoint/checkpoint_test.go
@@ -81,7 +81,7 @@ func TestCopyMetadataDir_SkipsSymlinks(t *testing.T) {
 	store := NewGitStore(repo)
 	entries := make(map[string]object.TreeEntry)
 
-	err = store.copyMetadataDir(metadataDir, "checkpoint/", entries)
+	err = store.copyMetadataDir(context.Background(), metadataDir, "checkpoint/", entries)
 	if err != nil {
 		t.Fatalf("copyMetadataDir failed: %v", err)
 	}
@@ -3406,7 +3406,7 @@ func TestCopyMetadataDir_RedactsSecrets(t *testing.T) {
 	store := NewGitStore(repo)
 	entries := make(map[string]object.TreeEntry)
 
-	if err := store.copyMetadataDir(metadataDir, "cp/", entries); err != nil {
+	if err := store.copyMetadataDir(context.Background(), metadataDir, "cp/", entries); err != nil {
 		t.Fatalf("copyMetadataDir() error = %v", err)
 	}
 
diff --git a/cmd/entire/cli/checkpoint/committed.go b/cmd/entire/cli/checkpoint/committed.go
index 69a2f767ee..41f4c92fba 100644
--- a/cmd/entire/cli/checkpoint/committed.go
+++ b/cmd/entire/cli/checkpoint/committed.go
@@ -354,7 +354,7 @@ func (s *GitStore) writeStandardCheckpointEntries(ctx context.Context, opts Writ
 
 	// Copy additional metadata files from directory if specified (to session subdirectory)
 	if opts.MetadataDir != "" {
-		if err := s.copyMetadataDir(opts.MetadataDir, sessionPath, entries); err != nil {
+		if err := s.copyMetadataDir(ctx, opts.MetadataDir, sessionPath, entries); err != nil {
 			return fmt.Errorf("failed to copy metadata directory: %w", err)
 		}
 	}
@@ -417,9 +417,12 @@ func (s *GitStore) writeSessionToSubdirectory(ctx context.Context, opts WriteCom
 		filePaths.ContentHash = "/" + sessionPath + paths.ContentHashFileName
 	}
 
-	// Write prompts
+	// Write prompts. Uses the full 8-layer pipeline (including OPF) via
+	// redactedJoinedPrompts; the helper trusts opts.PromptsRedactedContent
+	// when present so callers (finalizeAllTurnCheckpoints) that pre-redact
+	// once across multiple checkpoint writes don't pay OPF per checkpoint.
 	if len(opts.Prompts) > 0 {
-		promptContent := redact.String(JoinPrompts(opts.Prompts))
+		promptContent := redactedJoinedPrompts(ctx, opts.Prompts, opts.PromptsRedactedContent)
 		blobHash, err := CreateBlobFromContent(s.repo, []byte(promptContent))
 		if err != nil {
 			return filePaths, err
@@ -1400,9 +1403,10 @@ func (s *GitStore) UpdateCommitted(ctx context.Context, opts UpdateCommittedOpti
 		}
 	}
 
-	// Replace prompts (apply redaction as safety net)
+	// Replace prompts (apply redaction as safety net; trusts
+	// opts.PromptsRedactedContent verbatim when set).
 	if len(opts.Prompts) > 0 {
-		promptContent := redact.String(JoinPrompts(opts.Prompts))
+		promptContent := redactedJoinedPrompts(ctx, opts.Prompts, opts.PromptsRedactedContent)
 		blobHash, err := CreateBlobFromContent(s.repo, []byte(promptContent))
 		if err != nil {
 			return fmt.Errorf("failed to create prompt blob: %w", err)
@@ -1682,7 +1686,7 @@ func CreateBlobFromContent(repo *git.Repository, content []byte) (plumbing.Hash,
 
 // copyMetadataDir copies all files from a directory to the checkpoint path.
 // Used to include additional metadata files like task checkpoints, subagent transcripts, etc.
-func (s *GitStore) copyMetadataDir(metadataDir, basePath string, entries map[string]object.TreeEntry) error {
+func (s *GitStore) copyMetadataDir(ctx context.Context, metadataDir, basePath string, entries map[string]object.TreeEntry) error {
 	err := filepath.Walk(metadataDir, func(path string, info os.FileInfo, err error) error {
 		if err != nil {
 			return err
@@ -1722,7 +1726,10 @@ func (s *GitStore) copyMetadataDir(metadataDir, basePath string, entries map[str
 		}
 
 		// Create blob from file with secrets redaction
-		blobHash, mode, err := createRedactedBlobFromFile(s.repo, path, relPath)
+		// Committed-checkpoint write — run the full 8-layer pipeline
+		// including OPF. The per-turn temp-write path stays on plain
+		// redactors via the sibling createRedactedBlobFromFile.
+		blobHash, mode, err := createRedactedBlobFromFileWithPrivacyFilter(ctx, s.repo, path, relPath)
 		if err != nil {
 			return fmt.Errorf("failed to create blob for %s: %w", path, err)
 		}
@@ -1743,9 +1750,23 @@ func (s *GitStore) copyMetadataDir(metadataDir, basePath string, entries map[str
 	return nil
 }
 
-// createRedactedBlobFromFile reads a file, applies secrets redaction, and creates a git blob.
-// JSONL files get JSONL-aware redaction; all other files get plain string redaction.
+// createRedactedBlobFromFile reads a file, applies the 7-layer redaction
+// pipeline, and creates a git blob. Used by per-turn temporary-checkpoint
+// writes — the OpenAI Privacy Filter is intentionally NOT run here to
+// keep per-turn latency inside the agent loop's budget.
+// JSONL files get JSONL-aware redaction; all other files get plain byte redaction.
 func createRedactedBlobFromFile(repo *git.Repository, filePath, treePath string) (plumbing.Hash, filemode.FileMode, error) {
+	return createRedactedBlobFromFileImpl(context.Background(), repo, filePath, treePath, false)
+}
+
+// createRedactedBlobFromFileWithPrivacyFilter reads a file, applies the full
+// 8-layer pipeline (including the OpenAI Privacy Filter), and creates a git
+// blob. Used by committed-checkpoint writes — slower but more thorough.
+func createRedactedBlobFromFileWithPrivacyFilter(ctx context.Context, repo *git.Repository, filePath, treePath string) (plumbing.Hash, filemode.FileMode, error) {
+	return createRedactedBlobFromFileImpl(ctx, repo, filePath, treePath, true)
+}
+
+func createRedactedBlobFromFileImpl(ctx context.Context, repo *git.Repository, filePath, treePath string, usePrivacyFilter bool) (plumbing.Hash, filemode.FileMode, error) {
 	info, err := os.Stat(filePath)
 	if err != nil {
 		return plumbing.ZeroHash, 0, fmt.Errorf("failed to stat file: %w", err)
@@ -1772,16 +1793,7 @@ func createRedactedBlobFromFile(repo *git.Repository, filePath, treePath string)
 		return hash, mode, nil
 	}
 
-	if strings.HasSuffix(treePath, ".jsonl") {
-		redacted, jsonlErr := redact.JSONLBytes(content)
-		if jsonlErr != nil {
-			content = redact.Bytes(content)
-		} else {
-			content = redacted.Bytes()
-		}
-	} else {
-		content = redact.Bytes(content)
-	}
+	content = redactBytesForBlob(ctx, content, treePath, usePrivacyFilter)
 
 	hash, err := CreateBlobFromContent(repo, content)
 	if err != nil {
@@ -1790,6 +1802,36 @@ func createRedactedBlobFromFile(repo *git.Repository, filePath, treePath string)
 	return hash, mode, nil
 }
 
+// redactBytesForBlob applies the appropriate redaction pipeline to file
+// content for a checkpoint blob. JSONL files get JSONL-aware redaction
+// (falling back to plain byte redaction on parse failure so the regex
+// layers still apply); other files get plain byte redaction.
+// usePrivacyFilter selects the lighter 7-layer pipeline (per-turn temp
+// writes) versus the full 8-layer pipeline including OPF (committed
+// writes).
+func redactBytesForBlob(ctx context.Context, content []byte, treePath string, usePrivacyFilter bool) []byte {
+	if strings.HasSuffix(treePath, ".jsonl") {
+		var (
+			redacted redact.RedactedBytes
+			err      error
+		)
+		if usePrivacyFilter {
+			redacted, err = redact.JSONLBytesWithPrivacyFilter(ctx, content)
+		} else {
+			redacted, err = redact.JSONLBytes(content)
+		}
+		if err == nil {
+			return redacted.Bytes()
+		}
+		// JSONL parse failed — fall through so regex/credential layers
+		// still apply via the plain byte path.
+	}
+	if usePrivacyFilter {
+		return redact.BytesWithPrivacyFilter(ctx, content)
+	}
+	return redact.Bytes(content)
+}
+
 // GetGitAuthorFromRepo retrieves the git user.name and user.email,
 // checking both the repository-local config and the global ~/.gitconfig.
 func GetGitAuthorFromRepo(repo *git.Repository) (name, email string) {
diff --git a/cmd/entire/cli/checkpoint/prompts.go b/cmd/entire/cli/checkpoint/prompts.go
index fc8d26d358..e9b5085769 100644
--- a/cmd/entire/cli/checkpoint/prompts.go
+++ b/cmd/entire/cli/checkpoint/prompts.go
@@ -1,6 +1,11 @@
 package checkpoint
 
-import "strings"
+import (
+	"context"
+	"strings"
+
+	"github.com/entireio/cli/redact"
+)
 
 // PromptSeparator is the canonical separator used in prompt.txt when multiple
 // prompts are stored in a single file.
@@ -23,3 +28,17 @@ func SplitPromptContent(content string) []string {
 	}
 	return prompts
 }
+
+// redactedJoinedPrompts returns the redacted prompt-blob content for the
+// supplied prompts. When preRedacted is non-empty it is trusted and returned
+// verbatim; otherwise the prompts are joined and run through the full
+// 8-layer pipeline as a safety net. Callers that share the same prompts
+// across multiple checkpoint writes (finalizeAllTurnCheckpoints) should
+// compute the redacted content once and pass it via preRedacted to avoid
+// running OPF repeatedly over identical input.
+func redactedJoinedPrompts(ctx context.Context, prompts []string, preRedacted string) string {
+	if preRedacted != "" {
+		return preRedacted
+	}
+	return redact.StringWithPrivacyFilter(ctx, JoinPrompts(prompts))
+}
diff --git a/cmd/entire/cli/checkpoint/prompts_test.go b/cmd/entire/cli/checkpoint/prompts_test.go
index 4b1119625c..f1eb9a2f1a 100644
--- a/cmd/entire/cli/checkpoint/prompts_test.go
+++ b/cmd/entire/cli/checkpoint/prompts_test.go
@@ -1,6 +1,8 @@
 package checkpoint
 
 import (
+	"context"
+	"strings"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -27,3 +29,27 @@ func TestSplitPromptContent_EmptyContent(t *testing.T) {
 
 	assert.Nil(t, SplitPromptContent(""))
 }
+
+// TestRedactedJoinedPrompts_PreRedactedIsTrustedVerbatim verifies that when
+// the caller supplies a non-empty preRedacted string the helper returns it
+// untouched and never re-invokes the redaction pipeline. The pre-redacted
+// path is what finalizeAllTurnCheckpoints relies on to avoid running OPF
+// once per checkpoint over identical joined-prompt strings.
+func TestRedactedJoinedPrompts_PreRedactedIsTrustedVerbatim(t *testing.T) {
+	t.Parallel()
+
+	const preRedacted = "[REDACTED_PERSON] asked about [REDACTED_EMAIL]"
+	got := redactedJoinedPrompts(context.Background(), []string{"raw prompt text"}, preRedacted)
+	assert.Equal(t, preRedacted, got, "preRedacted should pass through verbatim")
+}
+
+// TestRedactedJoinedPrompts_EmptyFallsBackToRedaction verifies that when
+// preRedacted is empty the helper joins the prompts and runs the full
+// pipeline as a safety net.
+func TestRedactedJoinedPrompts_EmptyFallsBackToRedaction(t *testing.T) {
+	t.Parallel()
+
+	got := redactedJoinedPrompts(context.Background(), []string{"hello", "world"}, "")
+	assert.NotEmpty(t, got, "empty preRedacted should fall back to running the redaction pipeline")
+	assert.Contains(t, got, PromptSeparator, "fallback output should preserve the prompt separator")
+}
diff --git a/cmd/entire/cli/checkpoint/v2_committed.go b/cmd/entire/cli/checkpoint/v2_committed.go
index 35edf2273a..41a0779ce9 100644
--- a/cmd/entire/cli/checkpoint/v2_committed.go
+++ b/cmd/entire/cli/checkpoint/v2_committed.go
@@ -169,7 +169,7 @@ func (s *V2GitStore) buildFreshMainBatchGroupTree(ctx context.Context, cpID id.C
 
 	for sessionIndex, opts := range groupOpts {
 		sessionPath := fmt.Sprintf("%s%d/", basePath, sessionIndex)
-		filePaths, err := s.writeMainSessionToSubdirectory(opts, sessionPath, entries)
+		filePaths, err := s.writeMainSessionToSubdirectory(ctx, opts, sessionPath, entries)
 		if err != nil {
 			return plumbing.ZeroHash, err
 		}
@@ -283,7 +283,7 @@ func (s *V2GitStore) buildMainBatchGroupTree(ctx context.Context, rootTreeHash p
 		}
 
 		sessionPath := fmt.Sprintf("%s%d/", basePath, sessionIndex)
-		filePaths, err := s.writeMainSessionToSubdirectory(opts, sessionPath, entries)
+		filePaths, err := s.writeMainSessionToSubdirectory(ctx, opts, sessionPath, entries)
 		if err != nil {
 			return plumbing.ZeroHash, err
 		}
@@ -609,7 +609,7 @@ func (s *V2GitStore) updateCommittedMain(ctx context.Context, opts UpdateCommitt
 	sessionPath := fmt.Sprintf("%s%d/", basePath, sessionIndex)
 
 	if len(opts.Prompts) > 0 {
-		promptContent := redact.String(JoinPrompts(opts.Prompts))
+		promptContent := redactedJoinedPrompts(ctx, opts.Prompts, opts.PromptsRedactedContent)
 		blobHash, err := CreateBlobFromContent(s.repo, []byte(promptContent))
 		if err != nil {
 			return 0, fmt.Errorf("failed to create prompt blob: %w", err)
@@ -865,7 +865,7 @@ func (s *V2GitStore) writeMainCheckpointEntries(ctx context.Context, opts WriteC
 
 	// Write session files (metadata and prompts — no transcript or content hash)
 	sessionPath := fmt.Sprintf("%s%d/", basePath, sessionIndex)
-	sessionFilePaths, err := s.writeMainSessionToSubdirectory(opts, sessionPath, entries)
+	sessionFilePaths, err := s.writeMainSessionToSubdirectory(ctx, opts, sessionPath, entries)
 	if err != nil {
 		return 0, err
 	}
@@ -891,7 +891,7 @@ func (s *V2GitStore) writeMainCheckpointEntries(ctx context.Context, opts WriteC
 // and compact transcript to a session subdirectory (0/, 1/, 2/, … indexed by
 // session order within the checkpoint). The raw transcript (raw_transcript) and its
 // content hash (raw_transcript_hash.txt) go to /full/current, not here.
-func (s *V2GitStore) writeMainSessionToSubdirectory(opts WriteCommittedOptions, sessionPath string, entries map[string]object.TreeEntry) (SessionFilePaths, error) {
+func (s *V2GitStore) writeMainSessionToSubdirectory(ctx context.Context, opts WriteCommittedOptions, sessionPath string, entries map[string]object.TreeEntry) (SessionFilePaths, error) {
 	filePaths := SessionFilePaths{}
 
 	// Clear existing entries at this session path
@@ -903,7 +903,7 @@ func (s *V2GitStore) writeMainSessionToSubdirectory(opts WriteCommittedOptions,
 
 	// Write prompts
 	if len(opts.Prompts) > 0 {
-		promptContent := redact.String(JoinPrompts(opts.Prompts))
+		promptContent := redactedJoinedPrompts(ctx, opts.Prompts, opts.PromptsRedactedContent)
 		blobHash, err := CreateBlobFromContent(s.repo, []byte(promptContent))
 		if err != nil {
 			return filePaths, err
diff --git a/cmd/entire/cli/strategy/common.go b/cmd/entire/cli/strategy/common.go
index baa017e295..58883d07c9 100644
--- a/cmd/entire/cli/strategy/common.go
+++ b/cmd/entire/cli/strategy/common.go
@@ -402,6 +402,17 @@ func EnsureRedactionConfigured() {
 				Packs:  packs,
 			})
 		}
+
+		// OpenAI Privacy Filter (opt-in 8th layer).
+		if s.Redaction != nil && s.Redaction.OpenAIPrivacyFilter != nil {
+			opf := s.Redaction.OpenAIPrivacyFilter
+			redact.ConfigurePrivacyFilter(redact.OPFConfig{
+				Enabled:    opf.Enabled,
+				Categories: opf.Categories,
+				Command:    opf.Command,
+				Timeout:    opf.TimeoutSeconds,
+			})
+		}
 	})
 }
 
diff --git a/cmd/entire/cli/strategy/condense_skip_test.go b/cmd/entire/cli/strategy/condense_skip_test.go
index e9f2565183..fe59c6c4c4 100644
--- a/cmd/entire/cli/strategy/condense_skip_test.go
+++ b/cmd/entire/cli/strategy/condense_skip_test.go
@@ -153,7 +153,7 @@ func TestCondenseSession_SkipsWhenNoOverlapAndRedactionFails(t *testing.T) {
 
 	// Force the redactor to fail so redactedTranscript ends up empty.
 	originalRedactor := redactSessionJSONLBytes
-	redactSessionJSONLBytes = func(_ []byte) (redact.RedactedBytes, error) {
+	redactSessionJSONLBytes = func(_ context.Context, _ []byte) (redact.RedactedBytes, error) {
 		return redact.RedactedBytes{}, errors.New("simulated redaction failure")
 	}
 	t.Cleanup(func() { redactSessionJSONLBytes = originalRedactor })
diff --git a/cmd/entire/cli/strategy/manual_commit_condensation.go b/cmd/entire/cli/strategy/manual_commit_condensation.go
index 7f6ce16076..b369d50e93 100644
--- a/cmd/entire/cli/strategy/manual_commit_condensation.go
+++ b/cmd/entire/cli/strategy/manual_commit_condensation.go
@@ -111,7 +111,11 @@ type condenseOpts struct {
 	allAgentFiles    map[string]struct{} // Union of all sessions' FilesTouched for cross-session exclusion (nil = single-session)
 }
 
-var redactSessionJSONLBytes = redact.JSONLBytes
+// redactSessionJSONLBytes runs the full 8-layer redaction pipeline
+// (including the OpenAI Privacy Filter when configured) over a session
+// transcript. Exposed as a var so tests can inject deterministic
+// success/error returns without spinning up the runtime.
+var redactSessionJSONLBytes = redact.JSONLBytesWithPrivacyFilter
 
 // CondenseSession condenses a session's shadow branch to permanent storage.
 // checkpointID is the 12-hex-char value from the Entire-Checkpoint trailer.
@@ -223,6 +227,15 @@ func (s *ManualCommitStrategy) CondenseSession(ctx context.Context, repo *git.Re
 		summary = generateSummary(ctx, redactedTranscript, sessionData.FilesTouched, state)
 	}
 
+	// Pre-redact joined prompts once so v1 and v2 writers (plus any
+	// subsequent UpdateCommitted within the same finalize) reuse the same
+	// result instead of each running the 8-layer pipeline over identical
+	// input.
+	var redactedJoinedPromptContent string
+	if len(sessionData.Prompts) > 0 {
+		redactedJoinedPromptContent = redact.StringWithPrivacyFilter(ctx, cpkg.JoinPrompts(sessionData.Prompts))
+	}
+
 	// Build write options (shared by v1 and v2)
 	writeOpts := cpkg.WriteCommittedOptions{
 		CheckpointID:                checkpointID,
@@ -231,6 +244,7 @@ func (s *ManualCommitStrategy) CondenseSession(ctx context.Context, repo *git.Re
 		Branch:                      branchName,
 		Transcript:                  redactedTranscript,
 		Prompts:                     sessionData.Prompts,
+		PromptsRedactedContent:      redactedJoinedPromptContent,
 		FilesTouched:                sessionData.FilesTouched,
 		CheckpointsCount:            state.StepCount,
 		EphemeralBranch:             shadowBranchName,
@@ -376,7 +390,7 @@ func redactSessionTranscript(ctx context.Context, transcript []byte) (redact.Red
 		return redact.RedactedBytes{}, time.Since(start), nil
 	}
 
-	redacted, err := redactSessionJSONLBytes(transcript)
+	redacted, err := redactSessionJSONLBytes(ctx, transcript)
 	if err != nil {
 		span.RecordError(err)
 		return redact.RedactedBytes{}, time.Since(start), fmt.Errorf("failed to redact transcript secrets: %w", err)
@@ -505,7 +519,7 @@ func compactAndRedactExternalTranscript(ctx context.Context, ag agent.Agent, sta
 		return nil, true
 	}
 
-	redacted, err := redactSessionJSONLBytes(compacted.Transcript)
+	redacted, err := redactSessionJSONLBytes(ctx, compacted.Transcript)
 	if err != nil {
 		logging.Warn(ctx, "failed to redact external compact transcript, dropping",
 			slog.String("session_id", state.SessionID),
diff --git a/cmd/entire/cli/strategy/manual_commit_condensation_test.go b/cmd/entire/cli/strategy/manual_commit_condensation_test.go
index 4cdf265fac..fa3995b325 100644
--- a/cmd/entire/cli/strategy/manual_commit_condensation_test.go
+++ b/cmd/entire/cli/strategy/manual_commit_condensation_test.go
@@ -302,9 +302,9 @@ func TestBuildExternalCompactTranscript_RedactsTranscript(t *testing.T) { //noli
 
 	var redactCalled bool
 	originalRedact := redactSessionJSONLBytes
-	redactSessionJSONLBytes = func(data []byte) (redact.RedactedBytes, error) {
+	redactSessionJSONLBytes = func(ctx context.Context, data []byte) (redact.RedactedBytes, error) {
 		redactCalled = true
-		return originalRedact(data)
+		return originalRedact(ctx, data)
 	}
 	t.Cleanup(func() { redactSessionJSONLBytes = originalRedact })
 
diff --git a/cmd/entire/cli/strategy/manual_commit_hooks.go b/cmd/entire/cli/strategy/manual_commit_hooks.go
index c35a80260e..8214b7d68f 100644
--- a/cmd/entire/cli/strategy/manual_commit_hooks.go
+++ b/cmd/entire/cli/strategy/manual_commit_hooks.go
@@ -2745,8 +2745,11 @@ func (s *ManualCommitStrategy) finalizeAllTurnCheckpoints(ctx context.Context, s
 	// (attribution, files touched, prompts). Hooks run without user interaction
 	// so there is no retry path — preserving partial metadata is better than
 	// losing everything. Persisting an unredacted transcript would be worse.
+	// Run the full 8-layer pipeline (including OPF when configured) over
+	// the transcript — this is the condensation boundary where bytes are
+	// about to leave the local machine via push to entire/checkpoints/v1.
 	_, redactSpan := perf.Start(logCtx, "redact_transcript")
-	redactedTranscript, redactErr := redact.JSONLBytes(fullTranscript)
+	redactedTranscript, redactErr := redact.JSONLBytesWithPrivacyFilter(logCtx, fullTranscript)
 	redactSpan.End()
 	if redactErr != nil {
 		logging.Warn(logCtx, "finalize: transcript redaction failed, dropping transcript",
@@ -2755,8 +2758,16 @@ func (s *ManualCommitStrategy) finalizeAllTurnCheckpoints(ctx context.Context, s
 		)
 		redactedTranscript = redact.RedactedBytes{}
 	}
-	for i, p := range prompts {
-		prompts[i] = redact.String(p)
+
+	// Pre-redact joined prompts ONCE so the checkpoint loop reuses the
+	// result instead of each iteration re-running the 8-layer pipeline
+	// (including OPF shell-out) over identical input. The original code
+	// here ran redact.String per prompt, which produced a per-prompt
+	// OPF call once OPF was wired up; pre-joining + one call collapses
+	// that to a single OPF invocation per finalize.
+	var redactedJoinedPromptContent string
+	if len(prompts) > 0 {
+		redactedJoinedPromptContent = redact.StringWithPrivacyFilter(logCtx, checkpoint.JoinPrompts(prompts))
 	}
 
 	store := checkpoint.NewGitStore(repo)
@@ -2810,12 +2821,13 @@ func (s *ManualCommitStrategy) finalizeAllTurnCheckpoints(ctx context.Context, s
 		}
 
 		updateOpts := checkpoint.UpdateCommittedOptions{
-			CheckpointID:     cpID,
-			SessionID:        state.SessionID,
-			Transcript:       redactedTranscript,
-			Prompts:          prompts,
-			Agent:            state.AgentType,
-			PrecomputedBlobs: precomputed,
+			CheckpointID:           cpID,
+			SessionID:              state.SessionID,
+			Transcript:             redactedTranscript,
+			Prompts:                prompts,
+			PromptsRedactedContent: redactedJoinedPromptContent,
+			Agent:                  state.AgentType,
+			PrecomputedBlobs:       precomputed,
 		}
 
 		// Generate compact transcript for v2 /main
diff --git a/cmd/entire/cli/strategy/manual_commit_test.go b/cmd/entire/cli/strategy/manual_commit_test.go
index fce5628193..083831406c 100644
--- a/cmd/entire/cli/strategy/manual_commit_test.go
+++ b/cmd/entire/cli/strategy/manual_commit_test.go
@@ -4583,7 +4583,7 @@ func TestCondenseSession_V2Disabled_NoV2Refs(t *testing.T) {
 
 func TestCondenseSession_RedactionFailure_DropsTranscriptButWritesMetadata(t *testing.T) {
 	originalRedact := redactSessionJSONLBytes
-	redactSessionJSONLBytes = func([]byte) (redact.RedactedBytes, error) {
+	redactSessionJSONLBytes = func(context.Context, []byte) (redact.RedactedBytes, error) {
 		return redact.RedactedBytes{}, errors.New("forced redaction failure")
 	}
 	t.Cleanup(func() {

From 6008464ff1da7fd8ae4eb4e391f0692fcecafc2f Mon Sep 17 00:00:00 2001
From: Peyton Montei <peyton@entire.io>
Date: Thu, 14 May 2026 18:43:37 -0400
Subject: [PATCH 03/11] docs(redact): document Optional OpenAI Privacy Filter
 setup

Adds an "Optional OpenAI Privacy Filter (opf)" section to
docs/security-and-privacy.md parallel to the existing "Optional PII
redaction" section: prerequisites (pip install opf), enable example,
per-category replacement-token table, full settings reference, failure
behavior (warn + circuit breaker), realistic cost (~25-30s on CPU), and
a "Verifying it's working" recipe.

Also updates the layer-count summary in the intro to mention the new
opt-in eighth pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 docs/security-and-privacy.md | 87 +++++++++++++++++++++++++++++++++++-
 1 file changed, 86 insertions(+), 1 deletion(-)

diff --git a/docs/security-and-privacy.md b/docs/security-and-privacy.md
index 284b370197..74cdc393b8 100644
--- a/docs/security-and-privacy.md
+++ b/docs/security-and-privacy.md
@@ -16,7 +16,7 @@ If your repository is **public**, this data is visible to the entire internet.
 
 ### What Entire redacts automatically
 
-Entire automatically scans transcript and metadata content before writing it to the `entire/checkpoints/v1` branch. Five always-on secret detection methods run during condensation, plus a conditional sixth pass for user-defined secret rules (see [Customizing redaction](#customizing-redaction) below) and an opt-in seventh pass for PII (see [Optional PII redaction](#optional-pii-redaction) below):
+Entire automatically scans transcript and metadata content before writing it to the `entire/checkpoints/v1` branch. Five always-on secret detection methods run during condensation, plus a conditional sixth pass for user-defined secret rules (see [Customizing redaction](#customizing-redaction) below), an opt-in seventh pass for PII (see [Optional PII redaction](#optional-pii-redaction) below), and an opt-in eighth pass that shells out to the OpenAI Privacy Filter model (see [Optional OpenAI Privacy Filter](#optional-openai-privacy-filter-opf) below):
 
 1. **Entropy scoring** — Identifies high-entropy strings (Shannon entropy > 4.5) that look like randomly generated secrets, even if they don't match a known pattern.
 2. **Pattern matching** — Uses [Betterleaks](https://github.com/betterleaks/betterleaks) built-in rules to detect known secret formats.
@@ -60,6 +60,91 @@ Teams can add their own regex patterns via `custom_patterns`. Each key is a labe
 
 If a custom pattern itself reveals sensitive structure (e.g. an internal ID format), put it in `.entire/settings.local.json` (gitignored) instead of `.entire/settings.json`.
 
+### Optional OpenAI Privacy Filter (`opf`)
+
+A separate, **opt-in** layer that shells out to the [OpenAI Privacy Filter](https://github.com/openai/privacy-filter) (`opf`) — a 1.5B-parameter token-classification model that finds names, emails, phone numbers, addresses, dates, URLs, account numbers, and secrets that pure regex can miss. Disabled by default. Runs *in addition to* the seven built-in layers, only at the condensation and export boundaries (never per-turn), so the agent loop's hot path stays on the fast pipeline.
+
+Prerequisites:
+
+```bash
+pip install opf
+```
+
+Verify `opf --help` works; the CLI defaults to resolving the binary via `$PATH`. Override with the `command` setting if you need a specific path.
+
+Enable in `.entire/settings.json`:
+
+```json
+{
+  "redaction": {
+    "openai_privacy_filter": {
+      "enabled": true,
+      "categories": {
+        "private_person": true
+      }
+    }
+  }
+}
+```
+
+Available categories (set to `true` to enable, `false` or omit to skip):
+
+| Category | Replacement token | Notes |
+|---|---|---|
+| `private_person` | `[REDACTED_PERSON]` | Person names |
+| `private_email` | `[REDACTED_EMAIL]` | Email addresses |
+| `private_phone` | `[REDACTED_PHONE]` | Phone numbers |
+| `private_address` | `[REDACTED_ADDRESS]` | Street addresses |
+| `private_url` | `[REDACTED_URL]` | URLs that may identify a person/account |
+| `private_date` | `[REDACTED_DATE]` | Dates (DOB, etc.) |
+| `account_number` | `[REDACTED_ACCOUNT_NUMBER]` | Account / card / SSN-shaped numbers |
+| `secret` | `REDACTED` | Generic credential-shaped values |
+
+Unknown category names are rejected at settings load time so typos surface immediately instead of silently disabling a category.
+
+Full settings reference:
+
+```json
+{
+  "redaction": {
+    "openai_privacy_filter": {
+      "enabled": true,
+      "categories": {
+        "private_person": true,
+        "private_email": true,
+        "private_phone": true,
+        "private_address": false,
+        "private_url": false,
+        "private_date": false,
+        "account_number": false,
+        "secret": false
+      },
+      "command": "opf",
+      "timeout_seconds": 30
+    }
+  }
+}
+```
+
+- `command` — path or PATH-resolvable name of the `opf` binary. Defaults to `opf`.
+- `timeout_seconds` — per-invocation timeout. Defaults to `30`.
+
+There is no `on_failure` setting; warn-on-failure is the only mode supported today. If OPF is not on PATH, fails to start, or times out, Entire prints a one-line `× OpenAI Privacy Filter unavailable …` notice and continues with the seven built-in layers. A per-process circuit breaker disables OPF for the remainder of the invocation after the first failure, so a broken install costs one warning rather than one timeout per redaction call.
+
+Cost note: each shell-out loads the OPF model (~1.5B parameters on CPU). Condensation batches all eligible leaf strings into a single inference pass per scope (transcript + joined prompts), so a typical real-world commit adds ~25–30s of OPF inference rather than the multi-minute cost a per-leaf flow would incur.
+
+Verifying it's working:
+
+```fish
+# After enabling OPF, run an agent turn that includes a name in the prompt,
+# e.g. "Create notes.txt with: Alice Johnson reviewed the proposal."
+# Then commit and inspect the latest checkpoint:
+git log --oneline entire/checkpoints/v1 | head -2
+entire checkpoint explain HEAD | grep -i 'REDACTED_PERSON'
+```
+
+If `[REDACTED_PERSON]` appears in the prompt or transcript section, OPF is active.
+
 ### Recommendations
 
 If your AI sessions will touch sensitive data:

From 672044c2ff0b52724e32f3e59de04ae6bd90208b Mon Sep 17 00:00:00 2001
From: Peyton Montei <peyton@entire.io>
Date: Thu, 14 May 2026 18:48:05 -0400
Subject: [PATCH 04/11] fix(checkpoint): drop unused strings import in
 prompts_test.go

Leftover from when assert.Contains replaced an earlier strings.Contains
call. The test build failed in test:ci with "strings" imported and not
used; this change is just removing the dead import.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 cmd/entire/cli/checkpoint/prompts_test.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/cmd/entire/cli/checkpoint/prompts_test.go b/cmd/entire/cli/checkpoint/prompts_test.go
index f1eb9a2f1a..8bb0dae470 100644
--- a/cmd/entire/cli/checkpoint/prompts_test.go
+++ b/cmd/entire/cli/checkpoint/prompts_test.go
@@ -2,7 +2,6 @@ package checkpoint
 
 import (
 	"context"
-	"strings"
 	"testing"
 
 	"github.com/stretchr/testify/assert"

From 295d7be4e0c0e44038c22f3a5f0f9c959309a7e6 Mon Sep 17 00:00:00 2001
From: Peyton Montei <peyton@entire.io>
Date: Fri, 15 May 2026 11:35:46 -0400
Subject: [PATCH 05/11] refactor(redact): type-wrap pre-redacted prompts; move
 OPF test helpers

Move GetOPFConfigForTest and ResetOPFConfigForTest from opf.go to
redact/export_test.go so the redact package's public API no longer
exposes mutators for the global OPF config.

Introduce redact.RedactedJoinedPrompts as a typed wrapper around the
pre-redacted joined-prompts blob written to checkpoint prompt.txt.
Construct only via redact.JoinedPrompts (runs the full 8-layer pipeline
on the joined input) or AlreadyRedactedJoinedPrompts (trusted-source
escape hatch). Rename WriteCommittedOptions.PromptsRedactedContent
(string) and the matching field on UpdateCommittedOptions to
PromptsRedacted (RedactedJoinedPrompts) so the "this content was
produced by the redaction pipeline" claim becomes a compile-time
invariant: callers cannot assign an arbitrary string. The raw
Prompts []string field gets a docstring warning that it must be
consumed only via redactJoinedPrompts.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 cmd/entire/cli/checkpoint/checkpoint.go       | 33 ++++++++------
 cmd/entire/cli/checkpoint/committed.go        | 14 +++---
 cmd/entire/cli/checkpoint/prompts.go          | 20 ++++-----
 cmd/entire/cli/checkpoint/prompts_test.go     | 21 +++++----
 cmd/entire/cli/checkpoint/v2_committed.go     |  4 +-
 .../strategy/manual_commit_condensation.go    | 10 ++---
 .../cli/strategy/manual_commit_hooks.go       | 23 +++++-----
 redact/export_test.go                         | 21 +++++++++
 redact/opf.go                                 | 13 ------
 redact/redact.go                              | 43 +++++++++++++++++++
 10 files changed, 131 insertions(+), 71 deletions(-)
 create mode 100644 redact/export_test.go

diff --git a/cmd/entire/cli/checkpoint/checkpoint.go b/cmd/entire/cli/checkpoint/checkpoint.go
index c59b666339..4d9d007cca 100644
--- a/cmd/entire/cli/checkpoint/checkpoint.go
+++ b/cmd/entire/cli/checkpoint/checkpoint.go
@@ -222,16 +222,21 @@ type WriteCommittedOptions struct {
 	// Must be pre-redacted (via redact.JSONLBytes or redact.AlreadyRedacted for trusted sources).
 	Transcript redact.RedactedBytes
 
-	// Prompts contains user prompts from the session
+	// Prompts contains the raw user prompts from the session. These are NOT
+	// guaranteed to be redacted on entry — the writer always emits the typed
+	// PromptsRedacted blob below (running the safety-net pipeline if it is
+	// the zero value). Do not read Prompts independently for persistence; go
+	// through redactJoinedPrompts so the redaction guarantee is preserved.
 	Prompts []string
 
-	// PromptsRedactedContent, if non-empty, is the pre-redacted joined-prompts
-	// blob content (output of JoinPrompts(Prompts) after running the full
-	// 8-layer pipeline). When set, the writer skips its safety-net redaction
-	// and uses this content directly. Used by finalizeAllTurnCheckpoints to
-	// avoid running the OpenAI Privacy Filter once per checkpoint over
-	// identical joined-prompt strings.
-	PromptsRedactedContent string
+	// PromptsRedacted, when set, is the pre-redacted joined-prompts blob the
+	// writer uses verbatim instead of re-running the safety-net pipeline.
+	// Used by finalizeAllTurnCheckpoints to avoid running the OpenAI
+	// Privacy Filter once per checkpoint over identical joined-prompt
+	// strings. The typed wrapper makes the "this content was produced by
+	// the redaction pipeline" claim a compile-time invariant — callers
+	// cannot assign an arbitrary string.
+	PromptsRedacted redact.RedactedJoinedPrompts
 
 	// FilesTouched are files modified during the session
 	FilesTouched []string
@@ -361,13 +366,15 @@ type UpdateCommittedOptions struct {
 	// Must be pre-redacted (via redact.JSONLBytes or redact.AlreadyRedacted for trusted sources).
 	Transcript redact.RedactedBytes
 
-	// Prompts contains all user prompts (replaces existing)
+	// Prompts contains the raw user prompts (replaces existing). NOT
+	// guaranteed to be redacted on entry — see WriteCommittedOptions.Prompts
+	// for the relationship to PromptsRedacted.
 	Prompts []string
 
-	// PromptsRedactedContent, if non-empty, is the pre-redacted joined-prompts
-	// blob content. When set, the writer skips its safety-net redaction.
-	// See WriteCommittedOptions.PromptsRedactedContent for rationale.
-	PromptsRedactedContent string
+	// PromptsRedacted, when set, is the pre-redacted joined-prompts blob
+	// the writer uses verbatim instead of re-running the safety-net
+	// pipeline. See WriteCommittedOptions.PromptsRedacted for rationale.
+	PromptsRedacted redact.RedactedJoinedPrompts
 
 	// Agent identifies the agent type (needed for transcript chunking)
 	Agent types.AgentType
diff --git a/cmd/entire/cli/checkpoint/committed.go b/cmd/entire/cli/checkpoint/committed.go
index 41f4c92fba..0c91fa91e8 100644
--- a/cmd/entire/cli/checkpoint/committed.go
+++ b/cmd/entire/cli/checkpoint/committed.go
@@ -418,11 +418,11 @@ func (s *GitStore) writeSessionToSubdirectory(ctx context.Context, opts WriteCom
 	}
 
 	// Write prompts. Uses the full 8-layer pipeline (including OPF) via
-	// redactedJoinedPrompts; the helper trusts opts.PromptsRedactedContent
-	// when present so callers (finalizeAllTurnCheckpoints) that pre-redact
-	// once across multiple checkpoint writes don't pay OPF per checkpoint.
+	// redactedJoinedPrompts; the helper unwraps opts.PromptsRedacted when
+	// set so callers (finalizeAllTurnCheckpoints) that pre-redact once
+	// across multiple checkpoint writes don't pay OPF per checkpoint.
 	if len(opts.Prompts) > 0 {
-		promptContent := redactedJoinedPrompts(ctx, opts.Prompts, opts.PromptsRedactedContent)
+		promptContent := redactedJoinedPrompts(ctx, opts.Prompts, opts.PromptsRedacted)
 		blobHash, err := CreateBlobFromContent(s.repo, []byte(promptContent))
 		if err != nil {
 			return filePaths, err
@@ -1403,10 +1403,10 @@ func (s *GitStore) UpdateCommitted(ctx context.Context, opts UpdateCommittedOpti
 		}
 	}
 
-	// Replace prompts (apply redaction as safety net; trusts
-	// opts.PromptsRedactedContent verbatim when set).
+	// Replace prompts (apply redaction as safety net; unwraps
+	// opts.PromptsRedacted when set).
 	if len(opts.Prompts) > 0 {
-		promptContent := redactedJoinedPrompts(ctx, opts.Prompts, opts.PromptsRedactedContent)
+		promptContent := redactedJoinedPrompts(ctx, opts.Prompts, opts.PromptsRedacted)
 		blobHash, err := CreateBlobFromContent(s.repo, []byte(promptContent))
 		if err != nil {
 			return fmt.Errorf("failed to create prompt blob: %w", err)
diff --git a/cmd/entire/cli/checkpoint/prompts.go b/cmd/entire/cli/checkpoint/prompts.go
index e9b5085769..83112ff2ce 100644
--- a/cmd/entire/cli/checkpoint/prompts.go
+++ b/cmd/entire/cli/checkpoint/prompts.go
@@ -30,15 +30,15 @@ func SplitPromptContent(content string) []string {
 }
 
 // redactedJoinedPrompts returns the redacted prompt-blob content for the
-// supplied prompts. When preRedacted is non-empty it is trusted and returned
-// verbatim; otherwise the prompts are joined and run through the full
-// 8-layer pipeline as a safety net. Callers that share the same prompts
-// across multiple checkpoint writes (finalizeAllTurnCheckpoints) should
-// compute the redacted content once and pass it via preRedacted to avoid
-// running OPF repeatedly over identical input.
-func redactedJoinedPrompts(ctx context.Context, prompts []string, preRedacted string) string {
-	if preRedacted != "" {
-		return preRedacted
+// supplied prompts. When preRedacted is set it is unwrapped verbatim;
+// otherwise the prompts are joined and run through the full 8-layer
+// pipeline as a safety net. Callers that share the same prompts across
+// multiple checkpoint writes (finalizeAllTurnCheckpoints) should compute
+// the redacted blob once via redact.JoinedPrompts and pass it through to
+// avoid running OPF repeatedly over identical input.
+func redactedJoinedPrompts(ctx context.Context, prompts []string, preRedacted redact.RedactedJoinedPrompts) string {
+	if preRedacted.IsSet() {
+		return preRedacted.String()
 	}
-	return redact.StringWithPrivacyFilter(ctx, JoinPrompts(prompts))
+	return redact.JoinedPrompts(ctx, prompts, PromptSeparator).String()
 }
diff --git a/cmd/entire/cli/checkpoint/prompts_test.go b/cmd/entire/cli/checkpoint/prompts_test.go
index 8bb0dae470..e4f6f4db91 100644
--- a/cmd/entire/cli/checkpoint/prompts_test.go
+++ b/cmd/entire/cli/checkpoint/prompts_test.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"testing"
 
+	"github.com/entireio/cli/redact"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -30,7 +31,7 @@ func TestSplitPromptContent_EmptyContent(t *testing.T) {
 }
 
 // TestRedactedJoinedPrompts_PreRedactedIsTrustedVerbatim verifies that when
-// the caller supplies a non-empty preRedacted string the helper returns it
+// the caller supplies a set RedactedJoinedPrompts the helper unwraps it
 // untouched and never re-invokes the redaction pipeline. The pre-redacted
 // path is what finalizeAllTurnCheckpoints relies on to avoid running OPF
 // once per checkpoint over identical joined-prompt strings.
@@ -38,17 +39,21 @@ func TestRedactedJoinedPrompts_PreRedactedIsTrustedVerbatim(t *testing.T) {
 	t.Parallel()
 
 	const preRedacted = "[REDACTED_PERSON] asked about [REDACTED_EMAIL]"
-	got := redactedJoinedPrompts(context.Background(), []string{"raw prompt text"}, preRedacted)
+	got := redactedJoinedPrompts(
+		context.Background(),
+		[]string{"raw prompt text"},
+		redact.AlreadyRedactedJoinedPrompts(preRedacted),
+	)
 	assert.Equal(t, preRedacted, got, "preRedacted should pass through verbatim")
 }
 
-// TestRedactedJoinedPrompts_EmptyFallsBackToRedaction verifies that when
-// preRedacted is empty the helper joins the prompts and runs the full
-// pipeline as a safety net.
-func TestRedactedJoinedPrompts_EmptyFallsBackToRedaction(t *testing.T) {
+// TestRedactedJoinedPrompts_ZeroValueFallsBackToRedaction verifies that
+// when the typed preRedacted is the zero value the helper joins the
+// prompts and runs the full pipeline as a safety net.
+func TestRedactedJoinedPrompts_ZeroValueFallsBackToRedaction(t *testing.T) {
 	t.Parallel()
 
-	got := redactedJoinedPrompts(context.Background(), []string{"hello", "world"}, "")
-	assert.NotEmpty(t, got, "empty preRedacted should fall back to running the redaction pipeline")
+	got := redactedJoinedPrompts(context.Background(), []string{"hello", "world"}, redact.RedactedJoinedPrompts{})
+	assert.NotEmpty(t, got, "zero-value preRedacted should fall back to running the redaction pipeline")
 	assert.Contains(t, got, PromptSeparator, "fallback output should preserve the prompt separator")
 }
diff --git a/cmd/entire/cli/checkpoint/v2_committed.go b/cmd/entire/cli/checkpoint/v2_committed.go
index 41a0779ce9..7f04471168 100644
--- a/cmd/entire/cli/checkpoint/v2_committed.go
+++ b/cmd/entire/cli/checkpoint/v2_committed.go
@@ -609,7 +609,7 @@ func (s *V2GitStore) updateCommittedMain(ctx context.Context, opts UpdateCommitt
 	sessionPath := fmt.Sprintf("%s%d/", basePath, sessionIndex)
 
 	if len(opts.Prompts) > 0 {
-		promptContent := redactedJoinedPrompts(ctx, opts.Prompts, opts.PromptsRedactedContent)
+		promptContent := redactedJoinedPrompts(ctx, opts.Prompts, opts.PromptsRedacted)
 		blobHash, err := CreateBlobFromContent(s.repo, []byte(promptContent))
 		if err != nil {
 			return 0, fmt.Errorf("failed to create prompt blob: %w", err)
@@ -903,7 +903,7 @@ func (s *V2GitStore) writeMainSessionToSubdirectory(ctx context.Context, opts Wr
 
 	// Write prompts
 	if len(opts.Prompts) > 0 {
-		promptContent := redactedJoinedPrompts(ctx, opts.Prompts, opts.PromptsRedactedContent)
+		promptContent := redactedJoinedPrompts(ctx, opts.Prompts, opts.PromptsRedacted)
 		blobHash, err := CreateBlobFromContent(s.repo, []byte(promptContent))
 		if err != nil {
 			return filePaths, err
diff --git a/cmd/entire/cli/strategy/manual_commit_condensation.go b/cmd/entire/cli/strategy/manual_commit_condensation.go
index b369d50e93..adc0214adc 100644
--- a/cmd/entire/cli/strategy/manual_commit_condensation.go
+++ b/cmd/entire/cli/strategy/manual_commit_condensation.go
@@ -230,11 +230,9 @@ func (s *ManualCommitStrategy) CondenseSession(ctx context.Context, repo *git.Re
 	// Pre-redact joined prompts once so v1 and v2 writers (plus any
 	// subsequent UpdateCommitted within the same finalize) reuse the same
 	// result instead of each running the 8-layer pipeline over identical
-	// input.
-	var redactedJoinedPromptContent string
-	if len(sessionData.Prompts) > 0 {
-		redactedJoinedPromptContent = redact.StringWithPrivacyFilter(ctx, cpkg.JoinPrompts(sessionData.Prompts))
-	}
+	// input. The typed return value carries a compile-time claim that the
+	// content has been through the pipeline.
+	redactedPrompts := redact.JoinedPrompts(ctx, sessionData.Prompts, cpkg.PromptSeparator)
 
 	// Build write options (shared by v1 and v2)
 	writeOpts := cpkg.WriteCommittedOptions{
@@ -244,7 +242,7 @@ func (s *ManualCommitStrategy) CondenseSession(ctx context.Context, repo *git.Re
 		Branch:                      branchName,
 		Transcript:                  redactedTranscript,
 		Prompts:                     sessionData.Prompts,
-		PromptsRedactedContent:      redactedJoinedPromptContent,
+		PromptsRedacted:             redactedPrompts,
 		FilesTouched:                sessionData.FilesTouched,
 		CheckpointsCount:            state.StepCount,
 		EphemeralBranch:             shadowBranchName,
diff --git a/cmd/entire/cli/strategy/manual_commit_hooks.go b/cmd/entire/cli/strategy/manual_commit_hooks.go
index 8214b7d68f..279ec3ce5d 100644
--- a/cmd/entire/cli/strategy/manual_commit_hooks.go
+++ b/cmd/entire/cli/strategy/manual_commit_hooks.go
@@ -2764,11 +2764,10 @@ func (s *ManualCommitStrategy) finalizeAllTurnCheckpoints(ctx context.Context, s
 	// (including OPF shell-out) over identical input. The original code
 	// here ran redact.String per prompt, which produced a per-prompt
 	// OPF call once OPF was wired up; pre-joining + one call collapses
-	// that to a single OPF invocation per finalize.
-	var redactedJoinedPromptContent string
-	if len(prompts) > 0 {
-		redactedJoinedPromptContent = redact.StringWithPrivacyFilter(logCtx, checkpoint.JoinPrompts(prompts))
-	}
+	// that to a single OPF invocation per finalize. The typed return
+	// value carries a compile-time claim that the content has been
+	// through the pipeline.
+	redactedPrompts := redact.JoinedPrompts(logCtx, prompts, checkpoint.PromptSeparator)
 
 	store := checkpoint.NewGitStore(repo)
 	v2 := settings.CheckpointsVersion(logCtx) == 2
@@ -2821,13 +2820,13 @@ func (s *ManualCommitStrategy) finalizeAllTurnCheckpoints(ctx context.Context, s
 		}
 
 		updateOpts := checkpoint.UpdateCommittedOptions{
-			CheckpointID:           cpID,
-			SessionID:              state.SessionID,
-			Transcript:             redactedTranscript,
-			Prompts:                prompts,
-			PromptsRedactedContent: redactedJoinedPromptContent,
-			Agent:                  state.AgentType,
-			PrecomputedBlobs:       precomputed,
+			CheckpointID:     cpID,
+			SessionID:        state.SessionID,
+			Transcript:       redactedTranscript,
+			Prompts:          prompts,
+			PromptsRedacted:  redactedPrompts,
+			Agent:            state.AgentType,
+			PrecomputedBlobs: precomputed,
 		}
 
 		// Generate compact transcript for v2 /main
diff --git a/redact/export_test.go b/redact/export_test.go
new file mode 100644
index 0000000000..98bc31c120
--- /dev/null
+++ b/redact/export_test.go
@@ -0,0 +1,21 @@
+package redact
+
+// This file exposes internal helpers to redact-package tests only.
+// It is excluded from regular builds (the _test.go suffix is invisible to
+// importers), so production code outside this package cannot reach the
+// global OPF config. Tests in other packages that need to manipulate the
+// global state can do so via thin re-exports declared in their own
+// _test.go files, but those re-exports stay this side of the package
+// boundary.
+
+// GetOPFConfigForTest returns the current OPF configuration, or nil if
+// never configured.
+func GetOPFConfigForTest() *OPFConfig {
+	return getOPFConfig()
+}
+
+// ResetOPFConfigForTest clears configuration and the circuit breaker.
+// Used to return to a "never configured" state between test cases.
+func ResetOPFConfigForTest() {
+	resetOPFConfig()
+}
diff --git a/redact/opf.go b/redact/opf.go
index c1a4db09d8..8b80fa0822 100644
--- a/redact/opf.go
+++ b/redact/opf.go
@@ -86,19 +86,6 @@ func getOPFConfig() *OPFConfig {
 	return opfConfig
 }
 
-// GetOPFConfigForTest returns the current OPF configuration, or nil if
-// never configured. The "ForTest" suffix signals test-only intent — callers
-// must be limited to test files in other packages.
-func GetOPFConfigForTest() *OPFConfig {
-	return getOPFConfig()
-}
-
-// ResetOPFConfigForTest clears configuration and the circuit breaker. Used
-// by tests in other packages to return to a "never configured" state.
-func ResetOPFConfigForTest() {
-	resetOPFConfig()
-}
-
 func resetOPFConfig() {
 	opfConfigMu.Lock()
 	opfConfig = nil
diff --git a/redact/redact.go b/redact/redact.go
index e21eec67f9..4d32f8e057 100644
--- a/redact/redact.go
+++ b/redact/redact.go
@@ -112,6 +112,49 @@ func AlreadyRedacted(data []byte) RedactedBytes {
 	return RedactedBytes{data: data}
 }
 
+// RedactedJoinedPrompts is the pre-redacted joined-prompts blob written to
+// a checkpoint's prompt.txt. The private field can only be populated by
+// RedactJoinedPrompts (which runs the full 8-layer pipeline) or
+// AlreadyRedactedJoinedPrompts (trusted source) — callers cannot bypass
+// redaction by assigning an arbitrary string to the field. The zero value
+// signals "not pre-redacted" so writers fall back to the safety-net pass.
+type RedactedJoinedPrompts struct {
+	content string
+}
+
+// String returns the redacted blob content. Empty when the value is the
+// zero value (no pre-redaction was performed).
+func (r RedactedJoinedPrompts) String() string {
+	return r.content
+}
+
+// IsSet reports whether a redaction pass actually populated this value.
+// An empty content string is treated as "not set" so the writer's safety
+// net can re-run rather than persist an empty prompt.txt.
+func (r RedactedJoinedPrompts) IsSet() bool {
+	return r.content != ""
+}
+
+// JoinedPrompts joins prompts with sep and runs the full 8-layer pipeline
+// (including the OpenAI Privacy Filter when configured) over the result.
+// This is the only standard way to produce a RedactedJoinedPrompts from
+// raw prompt input — the resulting type carries a compile-time claim
+// that the content has been through the pipeline. Mirrors the
+// noun-named String/Bytes/JSONLBytes constructors in this package.
+func JoinedPrompts(ctx context.Context, prompts []string, sep string) RedactedJoinedPrompts {
+	if len(prompts) == 0 {
+		return RedactedJoinedPrompts{}
+	}
+	return RedactedJoinedPrompts{content: StringWithPrivacyFilter(ctx, strings.Join(prompts, sep))}
+}
+
+// AlreadyRedactedJoinedPrompts wraps content known to already be redacted
+// by a prior write path or controlled test fixture. Use only for trusted
+// sources; for fresh prompt input, use RedactJoinedPrompts.
+func AlreadyRedactedJoinedPrompts(content string) RedactedJoinedPrompts {
+	return RedactedJoinedPrompts{content: content}
+}
+
 var (
 	betterleaksDetector     *detect.Detector
 	betterleaksDetectorOnce sync.Once

From cd4d87312b5fd730a067ebad964444e5ce23e0f5 Mon Sep 17 00:00:00 2001
From: Peyton Montei <peyton@entire.io>
Date: Fri, 15 May 2026 11:37:43 -0400
Subject: [PATCH 06/11] fix(review): make manifest_test session-state tests
 time-relative
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Three tests in manifest_test.go hardcoded `started := time.Date(2026, 5, 8, ...)`
as the session.State.StartedAt anchor. session.StateStore.Load auto-deletes
sessions whose StartedAt is older than StaleSessionThreshold (7 days) and
returns nil, so the hardcoded date silently rots: tests pass while the
calendar is inside the 7-day window, then fail forever once it crosses.

CI on PR #964 caught this — same SHA passed yesterday (6 days after the
hardcoded date) and failed today (7 days after). Unrelated to the
streaming/diagnostic work in this PR; the manifest_test.go file isn't
touched by any other commit on this branch.

Switch all three tests to `time.Now().UTC().Add(-time.Hour)` so the
session is always one hour old at test time. Still exercises the
5-second jitter check inside matchReviewSessionState; stays well inside
the staleness window.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 cmd/entire/cli/review/manifest_test.go | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/cmd/entire/cli/review/manifest_test.go b/cmd/entire/cli/review/manifest_test.go
index b66697eb55..31a15880b2 100644
--- a/cmd/entire/cli/review/manifest_test.go
+++ b/cmd/entire/cli/review/manifest_test.go
@@ -23,7 +23,13 @@ const manifestTokenTestAgentType agenttypes.AgentType = "Review Token Test"
 
 func TestHydrateReviewSummaryTokensFromStates_PopulatesTokensFromSessionState(t *testing.T) {
 	t.Parallel()
-	started := time.Date(2026, 5, 8, 10, 0, 0, 0, time.UTC)
+	// Time-relative so this test doesn't go stale: session.StateStore.Load
+	// auto-deletes sessions whose StartedAt is older than 7 days
+	// (StaleSessionThreshold), and a hardcoded fixed date silently starts
+	// failing once the calendar clock crosses that threshold. Use "an hour
+	// ago" so we exercise the 5-second jitter check inside
+	// matchReviewSessionState while staying well inside the staleness window.
+	started := time.Now().UTC().Add(-time.Hour)
 	summary := reviewtypes.RunSummary{
 		StartedAt: started,
 		AgentRuns: []reviewtypes.AgentRun{
@@ -67,7 +73,13 @@ func TestHydrateReviewSummaryTokensFromStates_FallsBackToTranscript(t *testing.T
 		return manifestTokenTestAgent{}, nil
 	}
 
-	started := time.Date(2026, 5, 8, 10, 0, 0, 0, time.UTC)
+	// Time-relative so this test doesn't go stale: session.StateStore.Load
+	// auto-deletes sessions whose StartedAt is older than 7 days
+	// (StaleSessionThreshold), and a hardcoded fixed date silently starts
+	// failing once the calendar clock crosses that threshold. Use "an hour
+	// ago" so we exercise the 5-second jitter check inside
+	// matchReviewSessionState while staying well inside the staleness window.
+	started := time.Now().UTC().Add(-time.Hour)
 	tmp := t.TempDir()
 	transcriptPath := filepath.Join(tmp, "review.jsonl")
 	transcript := "review transcript\n"
@@ -112,7 +124,13 @@ func TestReviewSummaryTokenEnricher_LoadsCurrentSessionState(t *testing.T) {
 	if err != nil {
 		t.Fatalf("NewStateStore: %v", err)
 	}
-	started := time.Date(2026, 5, 8, 10, 0, 0, 0, time.UTC)
+	// Time-relative so this test doesn't go stale: session.StateStore.Load
+	// auto-deletes sessions whose StartedAt is older than 7 days
+	// (StaleSessionThreshold), and a hardcoded fixed date silently starts
+	// failing once the calendar clock crosses that threshold. Use "an hour
+	// ago" so we exercise the 5-second jitter check inside
+	// matchReviewSessionState while staying well inside the staleness window.
+	started := time.Now().UTC().Add(-time.Hour)
 	if err := store.Save(ctx, &session.State{
 		SessionID:    "codex-session-token",
 		Kind:         session.KindAgentReview,

From 42a09272021c17ef5c6f72be206e5d18e34517fa Mon Sep 17 00:00:00 2001
From: Peyton Montei <peyton@entire.io>
Date: Fri, 15 May 2026 15:39:07 -0400
Subject: [PATCH 07/11] feat(redact): OPF runs at pre-push, not commit time
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Move the OpenAI Privacy Filter from per-commit condensation to a
pre-push rewrite step. Local commits stay on the fast 7-layer pipeline;
OPF re-redacts unpushed entire/checkpoints/v1 commits right before they
leave the machine via git push.

Why: OPF inference takes ~30s per scope on CPU. Running it on every
commit interrupts the agent loop unnecessarily — most commits are
mid-session iteration. Pre-push is a much rarer event and the natural
boundary where the user has consciously decided to share content.

Architecture:
- Post-commit writes 7-layer blobs to entire/checkpoints/v1 (no OPF).
- Pre-push (when redaction.openai_privacy_filter.enabled = true):
  1. Read each unpushed v1 commit lacking Entire-OPF-Applied: true
  2. Run OPF over its blobs (full.jsonl, prompt.txt, agent-*.jsonl)
  3. Recompute content_hash.txt against the new transcript
  4. Build new commits carrying the OPF-Applied trailer
  5. Verify OPF didn't silently fall back (circuit breaker check)
  6. CAS-update the local v1 ref atomically
  7. Push the new (8-layer) commits
- Already-applied commits are re-parented without re-running OPF
  (idempotent — trailer never duplicates).
- Sentinel errors (V1DivergedError, BootstrapTooLargeError,
  V1RefMovedError, OPFRuntimeFailedError) abort the entire git push
  via non-zero hook exit. Transient checkpoint-push failures are
  logged at the CLI level and never reach the hook script, so the
  user's actual git push isn't blocked by infrastructure hiccups.

Fail-closed contract: if the OPF circuit breaker trips mid-rewrite
(runtime missing, crashed, timed out), the redact package silently
falls back to 7-layer. Without an explicit check, the rewrite would
still tag the new commits with Entire-OPF-Applied: true — future
pushes would skip them as "already done" and ship 7-layer content to
the remote forever. The rewrite now checks redact.OPFBreakerTripped()
after the rewrite loop and returns OPFRuntimeFailedError before CAS;
orphan rewritten commits sit in the object DB until git gc.

Key changes:
- redact: JoinedPromptsLegacy (no-ctx, no-OPF) for the writer safety
  net; OPFEnabled(), OPFBreakerTripped(), OPFCommand() exported
  accessors; test helpers moved out of export_test.go so cross-package
  tests can configure OPF state.
- checkpoint: redactBytesForBlob and createRedactedBlobFromFile
  collapsed to 7-layer-only (their OPF branches were dead after the
  refactor); standard WriteCommitted no longer emits the OPF-Applied
  trailer (regression-tested).
- strategy: new manual_commit_opf_rewrite.go owns the pre-push
  rewrite logic with full sentinel-error coverage. PrePush invokes it
  before pushBranchIfNeeded when OPF is enabled, logs transient
  checkpoint-push errors instead of propagating them, and returns OPF
  errors verbatim so they reach the hook exit code.
- trailers: new OPFAppliedTrailerKey constant, HasOPFApplied reader,
  and AppendOPFAppliedTrailer (idempotent) writer.
- hooks_git_cmd: pre-push command returns the strategy's error so git
  push aborts on privacy-critical failures.
- hooks.go: pre-push hook script no longer swallows non-zero exits
  (the || true was removed for pre-push specifically; other hooks
  retain their best-effort semantics).

Tests added:
- redact: JoinedPromptsLegacy parity vs pre-PR behavior; OPF never
  invoked from the legacy path.
- trailers: HasOPFApplied / AppendOPFAppliedTrailer round-trip and
  idempotency matrix.
- checkpoint: standard WriteCommitted does NOT emit OPF-Applied
  (regression guard against accidental skip of the rewrite).
- strategy: rewrite happy path (tags applied, redacts sentinel
  content), idempotent second run (no trailer duplication, tree
  preserved), missing v1 branch (no-op), diverged-remote returns
  V1DivergedError, bootstrap cap over limit returns
  BootstrapTooLargeError, bootstrap unlimited override allows
  arbitrary size, OPF runtime failure trips breaker + returns
  OPFRuntimeFailedError + leaves local ref unchanged (the fail-closed
  regression guard caught end-to-end during manual testing).

Docs:
- docs/security-and-privacy.md: pre-push flow explanation,
  persistence window for unreachable git objects (~2wk), raw
  .entire/ session-file caveat, manual scrub command, force-push
  divergence guidance, bootstrap env var.
- CLAUDE.md: strategy section notes the pre-push OPF rewrite and
  the new manual_commit_opf_rewrite.go file.

Out of scope (follow-ups):
- Interactive prompt + ENTIRE_OPF env-var gating (next commit).
- Shadow-branch cleanup post-push (commit after).
- entire doctor --recover-v1 helper referenced by the divergence
  error hint.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 CLAUDE.md                                     |   2 +
 cmd/entire/cli/checkpoint/committed.go        |  53 +--
 .../checkpoint/committed_opf_trailer_test.go  |  70 +++
 cmd/entire/cli/checkpoint/prompts.go          |  21 +-
 cmd/entire/cli/checkpoint/prompts_test.go     |  12 +-
 cmd/entire/cli/hooks_git_cmd.go               |  20 +-
 cmd/entire/cli/strategy/hooks.go              |   9 +-
 .../strategy/manual_commit_condensation.go    |  29 +-
 .../cli/strategy/manual_commit_hooks.go       |  22 +-
 .../cli/strategy/manual_commit_opf_rewrite.go | 410 ++++++++++++++++++
 .../manual_commit_opf_rewrite_test.go         | 330 ++++++++++++++
 cmd/entire/cli/strategy/manual_commit_push.go |  49 ++-
 cmd/entire/cli/trailers/trailers.go           |  41 ++
 cmd/entire/cli/trailers/trailers_test.go      |  67 +++
 docs/security-and-privacy.md                  |  63 ++-
 redact/export_test.go                         |  21 -
 redact/joined_prompts_test.go                 |  74 ++++
 redact/opf.go                                 |  42 +-
 redact/redact.go                              |  17 +
 redact/testhelpers.go                         |  25 ++
 20 files changed, 1277 insertions(+), 100 deletions(-)
 create mode 100644 cmd/entire/cli/checkpoint/committed_opf_trailer_test.go
 create mode 100644 cmd/entire/cli/strategy/manual_commit_opf_rewrite.go
 create mode 100644 cmd/entire/cli/strategy/manual_commit_opf_rewrite_test.go
 delete mode 100644 redact/export_test.go
 create mode 100644 redact/joined_prompts_test.go
 create mode 100644 redact/testhelpers.go

diff --git a/CLAUDE.md b/CLAUDE.md
index 01d7bb37a4..bfa94635d6 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -442,6 +442,7 @@ The manual-commit strategy (`manual_commit*.go`) does not modify the active bran
 - **Shadow branch migration** - if user does stash/pull/rebase (HEAD changes without commit), shadow branch is automatically moved to new base commit
 - **Orphaned branch cleanup** - if a shadow branch exists without a corresponding session state file, it is automatically reset when a new session starts
 - PrePush hook can push `entire/checkpoints/v1` branch alongside user pushes
+- **OPF (OpenAI Privacy Filter) runs at pre-push, not post-commit**: when `redaction.openai_privacy_filter.enabled` is true, the PrePush hook re-redacts unpushed `entire/checkpoints/v1` commits with the OPF 8th layer, builds new commits carrying an `Entire-OPF-Applied: true` trailer, and atomically updates the local v1 ref before pushing. Per-commit condensation stays on the fast 7-layer pipeline. See `strategy/manual_commit_opf_rewrite.go` and `docs/security-and-privacy.md` for the full flow, including divergence detection, bootstrap caps, and CAS-on-conflict semantics.
 - Safe to use on main/master since it never modifies commit history
 
 #### Key Files
@@ -450,6 +451,7 @@ The manual-commit strategy (`manual_commit*.go`) does not modify the active bran
 - `common.go` - Helpers for metadata extraction, tree building, rewind validation, `ListCheckpoints()`
 - `session.go` - Session/checkpoint data structures
 - `push_common.go` - PrePush logic for pushing `entire/checkpoints/v1` branch
+- `manual_commit_opf_rewrite.go` - Pre-push OPF re-redaction: walks unpushed v1 commits, runs OPF over their blobs, rebuilds commits with `Entire-OPF-Applied: true` trailer, CAS-updates the local ref. Sentinel errors: `ErrV1Diverged`, `ErrBootstrapTooLarge`, `ErrV1RefMoved`.
 - `manual_commit.go` - Manual-commit strategy main implementation
 - `manual_commit_types.go` - Type definitions: `SessionState`, `CheckpointInfo`, `CondenseResult`
 - `manual_commit_session.go` - Session state management (load/save/list session states)
diff --git a/cmd/entire/cli/checkpoint/committed.go b/cmd/entire/cli/checkpoint/committed.go
index 0c91fa91e8..50f9c26486 100644
--- a/cmd/entire/cli/checkpoint/committed.go
+++ b/cmd/entire/cli/checkpoint/committed.go
@@ -1725,11 +1725,13 @@ func (s *GitStore) copyMetadataDir(ctx context.Context, metadataDir, basePath st
 			return fmt.Errorf("path traversal detected: %s", relPath)
 		}
 
-		// Create blob from file with secrets redaction
-		// Committed-checkpoint write — run the full 8-layer pipeline
-		// including OPF. The per-turn temp-write path stays on plain
-		// redactors via the sibling createRedactedBlobFromFile.
-		blobHash, mode, err := createRedactedBlobFromFileWithPrivacyFilter(ctx, s.repo, path, relPath)
+		// Create blob from file with 7-layer secrets redaction.
+		// Post-commit emits 7-layer-only blobs; the OPF-capable variant
+		// (createRedactedBlobFromFileWithPrivacyFilter) is used later by
+		// the pre-push rewrite path, which re-redacts these blobs into
+		// 8-layer commits before they leave the local machine.
+		_ = ctx // ctx not needed by the 7-layer path; kept on caller signature for future use
+		blobHash, mode, err := createRedactedBlobFromFile(s.repo, path, relPath)
 		if err != nil {
 			return fmt.Errorf("failed to create blob for %s: %w", path, err)
 		}
@@ -1751,22 +1753,13 @@ func (s *GitStore) copyMetadataDir(ctx context.Context, metadataDir, basePath st
 }
 
 // createRedactedBlobFromFile reads a file, applies the 7-layer redaction
-// pipeline, and creates a git blob. Used by per-turn temporary-checkpoint
-// writes — the OpenAI Privacy Filter is intentionally NOT run here to
-// keep per-turn latency inside the agent loop's budget.
+// pipeline, and creates a git blob. Used by committed-checkpoint writes
+// at post-commit time. The OpenAI Privacy Filter is intentionally NOT
+// run here — OPF lives in the pre-push rewrite path
+// (strategy/manual_commit_opf_rewrite.go), which re-redacts the 7-layer
+// blobs into 8-layer commits before they leave the local machine.
 // JSONL files get JSONL-aware redaction; all other files get plain byte redaction.
 func createRedactedBlobFromFile(repo *git.Repository, filePath, treePath string) (plumbing.Hash, filemode.FileMode, error) {
-	return createRedactedBlobFromFileImpl(context.Background(), repo, filePath, treePath, false)
-}
-
-// createRedactedBlobFromFileWithPrivacyFilter reads a file, applies the full
-// 8-layer pipeline (including the OpenAI Privacy Filter), and creates a git
-// blob. Used by committed-checkpoint writes — slower but more thorough.
-func createRedactedBlobFromFileWithPrivacyFilter(ctx context.Context, repo *git.Repository, filePath, treePath string) (plumbing.Hash, filemode.FileMode, error) {
-	return createRedactedBlobFromFileImpl(ctx, repo, filePath, treePath, true)
-}
-
-func createRedactedBlobFromFileImpl(ctx context.Context, repo *git.Repository, filePath, treePath string, usePrivacyFilter bool) (plumbing.Hash, filemode.FileMode, error) {
 	info, err := os.Stat(filePath)
 	if err != nil {
 		return plumbing.ZeroHash, 0, fmt.Errorf("failed to stat file: %w", err)
@@ -1793,7 +1786,7 @@ func createRedactedBlobFromFileImpl(ctx context.Context, repo *git.Repository, f
 		return hash, mode, nil
 	}
 
-	content = redactBytesForBlob(ctx, content, treePath, usePrivacyFilter)
+	content = RedactBlobBytes(context.Background(), content, treePath, false)
 
 	hash, err := CreateBlobFromContent(repo, content)
 	if err != nil {
@@ -1802,14 +1795,15 @@ func createRedactedBlobFromFileImpl(ctx context.Context, repo *git.Repository, f
 	return hash, mode, nil
 }
 
-// redactBytesForBlob applies the appropriate redaction pipeline to file
-// content for a checkpoint blob. JSONL files get JSONL-aware redaction
-// (falling back to plain byte redaction on parse failure so the regex
-// layers still apply); other files get plain byte redaction.
-// usePrivacyFilter selects the lighter 7-layer pipeline (per-turn temp
-// writes) versus the full 8-layer pipeline including OPF (committed
-// writes).
-func redactBytesForBlob(ctx context.Context, content []byte, treePath string, usePrivacyFilter bool) []byte {
+// RedactBlobBytes redacts a single blob's content given its tree path.
+// JSONL files get JSONL-aware redaction (falling back to plain bytes on
+// parse failure so regex/credential layers still apply); other files
+// get plain byte redaction. When usePrivacyFilter is true the full
+// 8-layer pipeline (including OPF) runs; otherwise the 7-layer pipeline.
+//
+// Post-commit condensation uses false (fast path). The pre-push rewrite
+// (strategy/manual_commit_opf_rewrite.go) uses true.
+func RedactBlobBytes(ctx context.Context, content []byte, treePath string, usePrivacyFilter bool) []byte {
 	if strings.HasSuffix(treePath, ".jsonl") {
 		var (
 			redacted redact.RedactedBytes
@@ -1823,8 +1817,7 @@ func redactBytesForBlob(ctx context.Context, content []byte, treePath string, us
 		if err == nil {
 			return redacted.Bytes()
 		}
-		// JSONL parse failed — fall through so regex/credential layers
-		// still apply via the plain byte path.
+		// JSONL parse failed — fall through to plain bytes.
 	}
 	if usePrivacyFilter {
 		return redact.BytesWithPrivacyFilter(ctx, content)
diff --git a/cmd/entire/cli/checkpoint/committed_opf_trailer_test.go b/cmd/entire/cli/checkpoint/committed_opf_trailer_test.go
new file mode 100644
index 0000000000..b731455374
--- /dev/null
+++ b/cmd/entire/cli/checkpoint/committed_opf_trailer_test.go
@@ -0,0 +1,70 @@
+package checkpoint
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/entireio/cli/cmd/entire/cli/checkpoint/id"
+	"github.com/entireio/cli/cmd/entire/cli/testutil"
+	"github.com/entireio/cli/cmd/entire/cli/trailers"
+	"github.com/entireio/cli/redact"
+	"github.com/go-git/go-git/v6"
+	"github.com/go-git/go-git/v6/plumbing"
+	"github.com/go-git/go-git/v6/plumbing/object"
+	"github.com/stretchr/testify/require"
+)
+
+// TestWriteCommitted_DoesNotEmitOPFAppliedTrailer is the regression guard
+// for the architectural promise: standard post-commit condensation writes
+// 7-layer-only blobs and MUST NOT mark them with the Entire-OPF-Applied
+// trailer. The trailer is emitted exclusively by the pre-push rewrite
+// path; if a future change accidentally added it to the standard writer,
+// the pre-push rewrite would skip those commits (HasOPFApplied true →
+// reparent-only, no actual OPF run) and ship 7-layer content as if it
+// were 8-layer. This test pins down that contract.
+func TestWriteCommitted_DoesNotEmitOPFAppliedTrailer(t *testing.T) {
+	t.Parallel()
+
+	tempDir := t.TempDir()
+	testutil.InitRepo(t, tempDir)
+	repo, err := git.PlainOpen(tempDir)
+	require.NoError(t, err)
+
+	wt, err := repo.Worktree()
+	require.NoError(t, err)
+	readmeFile := filepath.Join(tempDir, "README.md")
+	require.NoError(t, os.WriteFile(readmeFile, []byte("# Test"), 0o644))
+	_, err = wt.Add("README.md")
+	require.NoError(t, err)
+	_, err = wt.Commit("Initial commit", &git.CommitOptions{
+		Author: &object.Signature{Name: "Test", Email: "test@test.com"},
+	})
+	require.NoError(t, err)
+
+	store := NewGitStore(repo)
+	cpID := id.MustCheckpointID("a1b2c3d4e5f6")
+
+	err = store.WriteCommitted(context.Background(), WriteCommittedOptions{
+		CheckpointID: cpID,
+		SessionID:    "regression-no-opf-trailer",
+		Strategy:     "manual-commit",
+		Transcript:   redact.AlreadyRedacted([]byte(`{"role":"user","content":"hello"}` + "\n")),
+		AuthorName:   "Test",
+		AuthorEmail:  "test@test.com",
+	})
+	require.NoError(t, err)
+
+	// Read the latest commit message on entire/checkpoints/v1 and assert
+	// HasOPFApplied is false. We resolve via the ref then walk back the
+	// single commit the writer just produced.
+	ref, err := repo.Reference(plumbing.NewBranchReferenceName("entire/checkpoints/v1"), true)
+	require.NoError(t, err, "writer should have created entire/checkpoints/v1")
+	commit, err := repo.CommitObject(ref.Hash())
+	require.NoError(t, err)
+
+	if trailers.HasOPFApplied(commit.Message) {
+		t.Errorf("standard WriteCommitted emitted Entire-OPF-Applied trailer; commit message:\n%s", commit.Message)
+	}
+}
diff --git a/cmd/entire/cli/checkpoint/prompts.go b/cmd/entire/cli/checkpoint/prompts.go
index 83112ff2ce..f5896bf8b0 100644
--- a/cmd/entire/cli/checkpoint/prompts.go
+++ b/cmd/entire/cli/checkpoint/prompts.go
@@ -31,14 +31,21 @@ func SplitPromptContent(content string) []string {
 
 // redactedJoinedPrompts returns the redacted prompt-blob content for the
 // supplied prompts. When preRedacted is set it is unwrapped verbatim;
-// otherwise the prompts are joined and run through the full 8-layer
-// pipeline as a safety net. Callers that share the same prompts across
-// multiple checkpoint writes (finalizeAllTurnCheckpoints) should compute
-// the redacted blob once via redact.JoinedPrompts and pass it through to
-// avoid running OPF repeatedly over identical input.
-func redactedJoinedPrompts(ctx context.Context, prompts []string, preRedacted redact.RedactedJoinedPrompts) string {
+// otherwise the prompts are joined and run through the 7-layer pipeline
+// as a safety net.
+//
+// The safety net is intentionally 7-layer-only (no OPF), even when OPF
+// is enabled globally. OPF runs exclusively in the pre-push rewrite
+// path so per-commit condensation stays fast and predictable; the
+// safety net never drags OPF into a hot path. Callers that have
+// already produced an 8-layer blob (e.g. the pre-push rewrite itself)
+// pass it as preRedacted so this function returns it verbatim.
+//
+// ctx is retained on the signature for future extensions; the 7-layer
+// pipeline doesn't consume it today.
+func redactedJoinedPrompts(_ context.Context, prompts []string, preRedacted redact.RedactedJoinedPrompts) string {
 	if preRedacted.IsSet() {
 		return preRedacted.String()
 	}
-	return redact.JoinedPrompts(ctx, prompts, PromptSeparator).String()
+	return redact.JoinedPromptsLegacy(prompts, PromptSeparator).String()
 }
diff --git a/cmd/entire/cli/checkpoint/prompts_test.go b/cmd/entire/cli/checkpoint/prompts_test.go
index e4f6f4db91..4637cebcf9 100644
--- a/cmd/entire/cli/checkpoint/prompts_test.go
+++ b/cmd/entire/cli/checkpoint/prompts_test.go
@@ -47,13 +47,15 @@ func TestRedactedJoinedPrompts_PreRedactedIsTrustedVerbatim(t *testing.T) {
 	assert.Equal(t, preRedacted, got, "preRedacted should pass through verbatim")
 }
 
-// TestRedactedJoinedPrompts_ZeroValueFallsBackToRedaction verifies that
-// when the typed preRedacted is the zero value the helper joins the
-// prompts and runs the full pipeline as a safety net.
-func TestRedactedJoinedPrompts_ZeroValueFallsBackToRedaction(t *testing.T) {
+// TestRedactedJoinedPrompts_ZeroValueFallsBackToLegacyRedaction verifies
+// that when the typed preRedacted is the zero value the helper joins the
+// prompts and runs the 7-layer pipeline as a safety net. Critically, the
+// fallback is JoinedPromptsLegacy (no OPF) — OPF runs exclusively in the
+// pre-push rewrite path, never here in the writer's hot path.
+func TestRedactedJoinedPrompts_ZeroValueFallsBackToLegacyRedaction(t *testing.T) {
 	t.Parallel()
 
 	got := redactedJoinedPrompts(context.Background(), []string{"hello", "world"}, redact.RedactedJoinedPrompts{})
-	assert.NotEmpty(t, got, "zero-value preRedacted should fall back to running the redaction pipeline")
+	assert.NotEmpty(t, got, "zero-value preRedacted should fall back to running the legacy 7-layer pipeline")
 	assert.Contains(t, got, PromptSeparator, "fallback output should preserve the prompt separator")
 }
diff --git a/cmd/entire/cli/hooks_git_cmd.go b/cmd/entire/cli/hooks_git_cmd.go
index 27ef45f281..703169e591 100644
--- a/cmd/entire/cli/hooks_git_cmd.go
+++ b/cmd/entire/cli/hooks_git_cmd.go
@@ -2,6 +2,7 @@ package cli
 
 import (
 	"context"
+	"fmt"
 	"log/slog"
 	"time"
 
@@ -231,6 +232,13 @@ func newHooksGitPrePushCmd() *cobra.Command {
 		Use:   "pre-push <remote>",
 		Short: "Handle pre-push git hook",
 		Args:  cobra.ExactArgs(1),
+		// SilenceUsage/Errors so non-zero exits from privacy-critical
+		// failures (OPF rewrite errors) print only the error message,
+		// not cobra's usage banner. The error message itself already
+		// includes user guidance (see ErrV1Diverged / ErrBootstrapTooLarge /
+		// ErrV1RefMoved in strategy/manual_commit_opf_rewrite.go).
+		SilenceUsage:  true,
+		SilenceErrors: false,
 		RunE: func(cmd *cobra.Command, args []string) error {
 			if gitHooksDisabled {
 				return nil
@@ -245,7 +253,17 @@ func newHooksGitPrePushCmd() *cobra.Command {
 			hookErr := g.strategy.PrePush(g.ctx, remote)
 			g.logCompleted(hookErr)
 
-			return nil
+			// Propagate the error so the hook script exits non-zero and
+			// git push aborts the entire batch. PrePush itself only
+			// returns errors for privacy-critical failures (OPF rewrite);
+			// transient checkpoint-push failures are logged and swallowed
+			// before reaching this point. See strategy/manual_commit_push.go
+			// for the contract. The error type already includes user
+			// guidance, so wrapping would only add noise.
+			if hookErr == nil {
+				return nil
+			}
+			return fmt.Errorf("pre-push: %w", hookErr)
 		},
 	}
 }
diff --git a/cmd/entire/cli/strategy/hooks.go b/cmd/entire/cli/strategy/hooks.go
index 394a45b65c..dd2ec49c40 100644
--- a/cmd/entire/cli/strategy/hooks.go
+++ b/cmd/entire/cli/strategy/hooks.go
@@ -171,7 +171,14 @@ func buildHookSpecs(cmdPrefix string) []hookSpec {
 	commitMsgCmd := gitHookCommand(cmdPrefix, `commit-msg "$1" || true`, true)
 	postCommitCmd := gitHookCommand(cmdPrefix, `post-commit 2>/dev/null || true`, false)
 	postRewriteCmd := gitHookCommand(cmdPrefix, `post-rewrite "$1" 2>/dev/null || true`, false)
-	prePushCmd := gitHookCommand(cmdPrefix, `pre-push "$1" || true`, false)
+	// pre-push intentionally does NOT swallow exit codes — the OPF
+	// rewrite returns errors when it detects a privacy-critical
+	// condition (diverged remote, oversized bootstrap, CAS conflict)
+	// and the user's git push must abort. Transient checkpoint-push
+	// failures (e.g. the entire/checkpoints/v1 push itself failing)
+	// are NOT returned from PrePush — they're logged and swallowed at
+	// the CLI level so they never reach this point as non-zero exits.
+	prePushCmd := gitHookCommand(cmdPrefix, `pre-push "$1"`, false)
 
 	return []hookSpec{
 		{
diff --git a/cmd/entire/cli/strategy/manual_commit_condensation.go b/cmd/entire/cli/strategy/manual_commit_condensation.go
index adc0214adc..c408f86688 100644
--- a/cmd/entire/cli/strategy/manual_commit_condensation.go
+++ b/cmd/entire/cli/strategy/manual_commit_condensation.go
@@ -111,11 +111,18 @@ type condenseOpts struct {
 	allAgentFiles    map[string]struct{} // Union of all sessions' FilesTouched for cross-session exclusion (nil = single-session)
 }
 
-// redactSessionJSONLBytes runs the full 8-layer redaction pipeline
-// (including the OpenAI Privacy Filter when configured) over a session
-// transcript. Exposed as a var so tests can inject deterministic
-// success/error returns without spinning up the runtime.
-var redactSessionJSONLBytes = redact.JSONLBytesWithPrivacyFilter
+// redactSessionJSONLBytes runs the 7-layer redaction pipeline over a
+// session transcript at post-commit condensation. OPF is intentionally
+// NOT included here — it runs exclusively in the pre-push rewrite path
+// (strategy/manual_commit_opf_rewrite.go), which re-redacts the
+// 7-layer blobs and produces 8-layer commits before the push.
+//
+// Exposed as a var so tests can inject deterministic success/error
+// returns. The signature still takes a context so the var can be
+// re-wired to JSONLBytesWithPrivacyFilter from tests that need OPF.
+var redactSessionJSONLBytes = func(_ context.Context, b []byte) (redact.RedactedBytes, error) {
+	return redact.JSONLBytes(b)
+}
 
 // CondenseSession condenses a session's shadow branch to permanent storage.
 // checkpointID is the 12-hex-char value from the Entire-Checkpoint trailer.
@@ -227,12 +234,10 @@ func (s *ManualCommitStrategy) CondenseSession(ctx context.Context, repo *git.Re
 		summary = generateSummary(ctx, redactedTranscript, sessionData.FilesTouched, state)
 	}
 
-	// Pre-redact joined prompts once so v1 and v2 writers (plus any
-	// subsequent UpdateCommitted within the same finalize) reuse the same
-	// result instead of each running the 8-layer pipeline over identical
-	// input. The typed return value carries a compile-time claim that the
-	// content has been through the pipeline.
-	redactedPrompts := redact.JoinedPrompts(ctx, sessionData.Prompts, cpkg.PromptSeparator)
+	// Post-commit emits 7-layer-only blobs. We pass an empty
+	// PromptsRedacted so the writer's safety net (redactedJoinedPrompts)
+	// applies the legacy 7-layer pipeline. OPF runs later in the
+	// pre-push rewrite path, never here.
 
 	// Build write options (shared by v1 and v2)
 	writeOpts := cpkg.WriteCommittedOptions{
@@ -242,7 +247,7 @@ func (s *ManualCommitStrategy) CondenseSession(ctx context.Context, repo *git.Re
 		Branch:                      branchName,
 		Transcript:                  redactedTranscript,
 		Prompts:                     sessionData.Prompts,
-		PromptsRedacted:             redactedPrompts,
+		PromptsRedacted:             redact.RedactedJoinedPrompts{},
 		FilesTouched:                sessionData.FilesTouched,
 		CheckpointsCount:            state.StepCount,
 		EphemeralBranch:             shadowBranchName,
diff --git a/cmd/entire/cli/strategy/manual_commit_hooks.go b/cmd/entire/cli/strategy/manual_commit_hooks.go
index 279ec3ce5d..63b489415e 100644
--- a/cmd/entire/cli/strategy/manual_commit_hooks.go
+++ b/cmd/entire/cli/strategy/manual_commit_hooks.go
@@ -2745,11 +2745,11 @@ func (s *ManualCommitStrategy) finalizeAllTurnCheckpoints(ctx context.Context, s
 	// (attribution, files touched, prompts). Hooks run without user interaction
 	// so there is no retry path — preserving partial metadata is better than
 	// losing everything. Persisting an unredacted transcript would be worse.
-	// Run the full 8-layer pipeline (including OPF when configured) over
-	// the transcript — this is the condensation boundary where bytes are
-	// about to leave the local machine via push to entire/checkpoints/v1.
+	// Run the 7-layer pipeline over the transcript — OPF runs later in
+	// the pre-push rewrite path, which re-redacts these 7-layer blobs
+	// and produces 8-layer commits before the push goes out.
 	_, redactSpan := perf.Start(logCtx, "redact_transcript")
-	redactedTranscript, redactErr := redact.JSONLBytesWithPrivacyFilter(logCtx, fullTranscript)
+	redactedTranscript, redactErr := redact.JSONLBytes(fullTranscript)
 	redactSpan.End()
 	if redactErr != nil {
 		logging.Warn(logCtx, "finalize: transcript redaction failed, dropping transcript",
@@ -2759,15 +2759,11 @@ func (s *ManualCommitStrategy) finalizeAllTurnCheckpoints(ctx context.Context, s
 		redactedTranscript = redact.RedactedBytes{}
 	}
 
-	// Pre-redact joined prompts ONCE so the checkpoint loop reuses the
-	// result instead of each iteration re-running the 8-layer pipeline
-	// (including OPF shell-out) over identical input. The original code
-	// here ran redact.String per prompt, which produced a per-prompt
-	// OPF call once OPF was wired up; pre-joining + one call collapses
-	// that to a single OPF invocation per finalize. The typed return
-	// value carries a compile-time claim that the content has been
-	// through the pipeline.
-	redactedPrompts := redact.JoinedPrompts(logCtx, prompts, checkpoint.PromptSeparator)
+	// Post-commit emits 7-layer-only blobs; the writer's safety net
+	// (checkpoint.redactedJoinedPrompts via JoinedPromptsLegacy) handles
+	// joining + 7-layer redaction. OPF is applied later, once per push,
+	// by the pre-push rewrite path.
+	redactedPrompts := redact.RedactedJoinedPrompts{}
 
 	store := checkpoint.NewGitStore(repo)
 	v2 := settings.CheckpointsVersion(logCtx) == 2
diff --git a/cmd/entire/cli/strategy/manual_commit_opf_rewrite.go b/cmd/entire/cli/strategy/manual_commit_opf_rewrite.go
new file mode 100644
index 0000000000..76c79da42a
--- /dev/null
+++ b/cmd/entire/cli/strategy/manual_commit_opf_rewrite.go
@@ -0,0 +1,410 @@
+// Pre-push OPF rewrite for entire/checkpoints/v1.
+//
+// This is the ONLY production code path that runs the OPF-augmented
+// redaction entry points. Post-commit condensation stays on 7-layer
+// for predictable latency; OPF runs here, once per push, after the
+// user opted in via settings.
+package strategy
+
+import (
+	"context"
+	"crypto/sha256"
+	"errors"
+	"fmt"
+	"io"
+	"math"
+	"os"
+	"strconv"
+	"strings"
+
+	"github.com/entireio/cli/cmd/entire/cli/checkpoint"
+	"github.com/entireio/cli/cmd/entire/cli/paths"
+	"github.com/entireio/cli/cmd/entire/cli/trailers"
+	"github.com/entireio/cli/redact"
+	"github.com/go-git/go-git/v6"
+	"github.com/go-git/go-git/v6/plumbing"
+	"github.com/go-git/go-git/v6/plumbing/filemode"
+	"github.com/go-git/go-git/v6/plumbing/object"
+)
+
+// V1DivergedError: local entire/checkpoints/v1 has commits that aren't
+// ancestors of the remote tip (force-push or another machine pushed).
+// Rewriting under divergence would silently rebase rejected work, so
+// we refuse.
+type V1DivergedError struct {
+	Local, Remote, MergeBase plumbing.Hash
+}
+
+func (e *V1DivergedError) Error() string {
+	return fmt.Sprintf("entire/checkpoints/v1 has diverged from remote (local=%s remote=%s merge_base=%s); "+
+		"fetch the remote and either reset entire/checkpoints/v1 to <remote>/entire/checkpoints/v1 "+
+		"or run `entire doctor --recover-v1` before pushing",
+		e.Local.String()[:7], e.Remote.String()[:7], e.MergeBase.String()[:7])
+}
+
+// BootstrapTooLargeError: first push to a remote with no v1 yet, but
+// more unpushed commits than the safety cap. OPF inference is ~30s per
+// commit, so unbounded bootstraps could take hours.
+type BootstrapTooLargeError struct {
+	Count, Limit int
+}
+
+func (e *BootstrapTooLargeError) Error() string {
+	return fmt.Sprintf("OPF bootstrap would rewrite %d entire/checkpoints/v1 commits "+
+		"(limit %d). Set ENTIRE_OPF_BOOTSTRAP_LIMIT=<N> or =unlimited to override, "+
+		"or push without OPF (ENTIRE_OPF=no git push) to bring the remote into sync first",
+		e.Count, e.Limit)
+}
+
+// V1RefMovedError: another worktree advanced the local ref during our
+// rewrite (CAS conflict). Orphan rewritten objects sit in .git/objects
+// until git gc --prune; no manual cleanup needed.
+type V1RefMovedError struct {
+	Expected, Actual plumbing.Hash
+}
+
+func (e *V1RefMovedError) Error() string {
+	return fmt.Sprintf("entire/checkpoints/v1 moved during OPF rewrite "+
+		"(expected %s, found %s); concurrent push detected — re-run `git push` after fetching",
+		e.Expected.String()[:7], e.Actual.String()[:7])
+}
+
+// OPFRuntimeFailedError: the OPF circuit breaker tripped mid-rewrite.
+// Some blobs were silently downgraded to 7-layer; tagging those commits
+// as Entire-OPF-Applied would be a privacy regression (future pushes
+// would skip them while their content is 7-layer-only). Abort before
+// CAS so the user fixes their OPF install and retries.
+type OPFRuntimeFailedError struct {
+	OPFCommand string
+}
+
+func (e *OPFRuntimeFailedError) Error() string {
+	return fmt.Sprintf("OPF runtime failed during pre-push rewrite (command=%q); "+
+		"aborting push so 7-layer content isn't tagged as 8-layer-applied. "+
+		"Run `%s --help` to verify your OPF install, then retry. Or set "+
+		"ENTIRE_OPF=no on the push to skip OPF for this push only.",
+		e.OPFCommand, e.OPFCommand)
+}
+
+const (
+	// bootstrapDefaultLimit caps first-push history rewrites. Picked
+	// to bound worst-case wall-clock at ~50min @ 30s/commit.
+	bootstrapDefaultLimit = 100
+	bootstrapEnvVar       = "ENTIRE_OPF_BOOTSTRAP_LIMIT"
+)
+
+func resolveBootstrapLimit() int {
+	v := strings.TrimSpace(os.Getenv(bootstrapEnvVar))
+	switch {
+	case v == "":
+		return bootstrapDefaultLimit
+	case strings.EqualFold(v, "unlimited"):
+		return math.MaxInt32
+	}
+	if n, err := strconv.Atoi(v); err == nil && n > 0 {
+		return n
+	}
+	return bootstrapDefaultLimit
+}
+
+// RewriteUnpushedV1WithOPF re-redacts unpushed entire/checkpoints/v1
+// commits with OPF, builds new commits carrying Entire-OPF-Applied:
+// true, and CAS-updates the local ref. Idempotent: already-applied
+// commits are re-parented without re-running OPF.
+//
+// Caller checks redact.OPFEnabled() and skips this when OPF is off.
+// Returns one of {V1DivergedError, BootstrapTooLargeError,
+// V1RefMovedError, OPFRuntimeFailedError} for privacy-critical
+// failures — the pre-push hook propagates these so git push aborts.
+func RewriteUnpushedV1WithOPF(ctx context.Context, repo *git.Repository, remoteName string) (plumbing.Hash, error) {
+	localTip, err := readV1Tip(repo, plumbing.NewBranchReferenceName(paths.MetadataBranchName))
+	if err != nil {
+		return plumbing.ZeroHash, fmt.Errorf("read local v1: %w", err)
+	}
+	if localTip.IsZero() {
+		return plumbing.ZeroHash, nil // no checkpoints yet
+	}
+	remoteTip, err := readV1Tip(repo, plumbing.NewRemoteReferenceName(remoteName, paths.MetadataBranchName))
+	if err != nil {
+		return plumbing.ZeroHash, fmt.Errorf("read remote v1: %w", err)
+	}
+
+	if !remoteTip.IsZero() {
+		mergeBase, mbErr := computeMergeBase(repo, localTip, remoteTip)
+		if mbErr != nil {
+			return plumbing.ZeroHash, fmt.Errorf("compute merge-base: %w", mbErr)
+		}
+		if mergeBase != remoteTip {
+			return plumbing.ZeroHash, &V1DivergedError{Local: localTip, Remote: remoteTip, MergeBase: mergeBase}
+		}
+	}
+
+	unpushed, err := listUnpushedV1Commits(repo, localTip, remoteTip)
+	if err != nil {
+		return plumbing.ZeroHash, fmt.Errorf("list unpushed v1 commits: %w", err)
+	}
+	if len(unpushed) == 0 {
+		return localTip, nil
+	}
+	if remoteTip.IsZero() {
+		if limit := resolveBootstrapLimit(); len(unpushed) > limit {
+			return plumbing.ZeroHash, &BootstrapTooLargeError{Count: len(unpushed), Limit: limit}
+		}
+	}
+
+	parent := remoteTip
+	for _, c := range unpushed {
+		newHash, err := rebuildV1Commit(ctx, repo, c, parent)
+		if err != nil {
+			return plumbing.ZeroHash, fmt.Errorf("rebuild commit %s: %w", c.Hash.String()[:7], err)
+		}
+		parent = newHash
+	}
+
+	// Fail-closed: if OPF tripped its breaker mid-rewrite, some blobs
+	// got 7-layer fallback. Don't CAS — the orphan commits get GC'd.
+	if redact.OPFBreakerTripped() {
+		return plumbing.ZeroHash, &OPFRuntimeFailedError{OPFCommand: redact.OPFCommand()}
+	}
+	if err := atomicSetV1Ref(repo, localTip, parent); err != nil {
+		return plumbing.ZeroHash, err
+	}
+	return parent, nil
+}
+
+func readV1Tip(repo *git.Repository, refName plumbing.ReferenceName) (plumbing.Hash, error) {
+	ref, err := repo.Reference(refName, true)
+	if err != nil {
+		if errors.Is(err, plumbing.ErrReferenceNotFound) {
+			return plumbing.ZeroHash, nil
+		}
+		return plumbing.ZeroHash, fmt.Errorf("resolve ref %s: %w", refName, err)
+	}
+	return ref.Hash(), nil
+}
+
+// computeMergeBase returns the merge-base commit hash. Multi-base
+// (criss-cross) and unrelated-histories both return ZeroHash —
+// caller treats those as diverged.
+func computeMergeBase(repo *git.Repository, local, remote plumbing.Hash) (plumbing.Hash, error) {
+	lc, err := repo.CommitObject(local)
+	if err != nil {
+		return plumbing.ZeroHash, fmt.Errorf("load local commit: %w", err)
+	}
+	rc, err := repo.CommitObject(remote)
+	if err != nil {
+		return plumbing.ZeroHash, fmt.Errorf("load remote commit: %w", err)
+	}
+	bases, err := lc.MergeBase(rc)
+	if err != nil {
+		return plumbing.ZeroHash, fmt.Errorf("merge-base: %w", err)
+	}
+	if len(bases) != 1 {
+		return plumbing.ZeroHash, nil
+	}
+	return bases[0].Hash, nil
+}
+
+// listUnpushedV1Commits returns commits reachable from localTip but not
+// remoteTip, in graph order (oldest-first). Graph order matters more
+// than timestamp order — commits made in rapid succession can share
+// Author.When; the parent chain is the unambiguous truth.
+func listUnpushedV1Commits(repo *git.Repository, localTip, remoteTip plumbing.Hash) ([]*object.Commit, error) {
+	remoteReachable := map[plumbing.Hash]struct{}{}
+	if !remoteTip.IsZero() {
+		iter, err := repo.Log(&git.LogOptions{From: remoteTip})
+		if err != nil {
+			return nil, fmt.Errorf("log remote tip: %w", err)
+		}
+		if walkErr := iter.ForEach(func(c *object.Commit) error {
+			remoteReachable[c.Hash] = struct{}{}
+			return nil
+		}); walkErr != nil {
+			return nil, fmt.Errorf("walk remote ancestry: %w", walkErr)
+		}
+	}
+
+	var unpushed []*object.Commit
+	iter, err := repo.Log(&git.LogOptions{From: localTip})
+	if err != nil {
+		return nil, fmt.Errorf("log local tip: %w", err)
+	}
+	if walkErr := iter.ForEach(func(c *object.Commit) error {
+		if _, ok := remoteReachable[c.Hash]; ok {
+			return errStop
+		}
+		unpushed = append(unpushed, c)
+		return nil
+	}); walkErr != nil && !errors.Is(walkErr, errStop) {
+		return nil, fmt.Errorf("walk local v1 history: %w", walkErr)
+	}
+	// reverse for oldest-first
+	for i, j := 0, len(unpushed)-1; i < j; i, j = i+1, j-1 {
+		unpushed[i], unpushed[j] = unpushed[j], unpushed[i]
+	}
+	return unpushed, nil
+}
+
+// rebuildV1Commit re-parents the commit onto parent. Already-applied
+// commits keep their tree (idempotent); unapplied commits get an
+// OPF-redacted tree + Entire-OPF-Applied: true trailer.
+func rebuildV1Commit(ctx context.Context, repo *git.Repository, oldCommit *object.Commit, parent plumbing.Hash) (plumbing.Hash, error) {
+	newTree := oldCommit.TreeHash
+	if !trailers.HasOPFApplied(oldCommit.Message) {
+		tree, err := repo.TreeObject(oldCommit.TreeHash)
+		if err != nil {
+			return plumbing.ZeroHash, fmt.Errorf("load tree: %w", err)
+		}
+		newTree, err = rebuildTreeWithOPF(ctx, repo, tree, "")
+		if err != nil {
+			return plumbing.ZeroHash, err
+		}
+	}
+
+	parents := []plumbing.Hash{}
+	if !parent.IsZero() {
+		parents = append(parents, parent)
+	}
+	c := &object.Commit{
+		Author:       oldCommit.Author,
+		Committer:    oldCommit.Committer,
+		Message:      trailers.AppendOPFAppliedTrailer(oldCommit.Message),
+		TreeHash:     newTree,
+		ParentHashes: parents,
+	}
+	obj := repo.Storer.NewEncodedObject()
+	if err := c.Encode(obj); err != nil {
+		return plumbing.ZeroHash, fmt.Errorf("encode commit: %w", err)
+	}
+	hash, err := repo.Storer.SetEncodedObject(obj)
+	if err != nil {
+		return plumbing.ZeroHash, fmt.Errorf("store commit: %w", err)
+	}
+	return hash, nil
+}
+
+// rebuildTreeWithOPF walks a tree and produces a new tree with
+// OPF-redacted file blobs. content_hash.txt files are recomputed in a
+// second pass against the new full.jsonl in the same directory.
+//
+// Path-specific behavior:
+//   - *.jsonl, *.txt → redacted via checkpoint.RedactBlobBytes (OPF on)
+//   - content_hash.txt → SHA256 of the sibling full.jsonl's new bytes
+//   - other files (metadata.json, *.json) → copied verbatim (no user text)
+func rebuildTreeWithOPF(ctx context.Context, repo *git.Repository, tree *object.Tree, pathPrefix string) (plumbing.Hash, error) {
+	entries := make([]object.TreeEntry, 0, len(tree.Entries))
+	// deferredHashes records indexes of content_hash.txt entries we
+	// need to recompute after the full.jsonl in the same dir is built.
+	type deferred struct {
+		idx       int
+		entryName string
+		entryMode filemode.FileMode
+	}
+	var deferredHashes []deferred
+	var newFullJSONLHash plumbing.Hash
+
+	for _, e := range tree.Entries {
+		switch e.Mode { //nolint:exhaustive // non-tree/blob modes fall through to copy
+		case filemode.Dir:
+			subTree, err := repo.TreeObject(e.Hash)
+			if err != nil {
+				return plumbing.ZeroHash, fmt.Errorf("load subtree %s/%s: %w", pathPrefix, e.Name, err)
+			}
+			subPath := e.Name
+			if pathPrefix != "" {
+				subPath = pathPrefix + "/" + e.Name
+			}
+			newSub, err := rebuildTreeWithOPF(ctx, repo, subTree, subPath)
+			if err != nil {
+				return plumbing.ZeroHash, err
+			}
+			entries = append(entries, object.TreeEntry{Name: e.Name, Mode: e.Mode, Hash: newSub})
+
+		case filemode.Regular, filemode.Executable:
+			switch {
+			case e.Name == paths.ContentHashFileName:
+				deferredHashes = append(deferredHashes, deferred{idx: len(entries), entryName: e.Name, entryMode: e.Mode})
+				entries = append(entries, e) // placeholder; fixed in second pass
+			case strings.HasSuffix(e.Name, ".jsonl"), strings.HasSuffix(e.Name, ".txt"):
+				content, err := readBlob(repo, e.Hash)
+				if err != nil {
+					return plumbing.ZeroHash, fmt.Errorf("read blob %s/%s: %w", pathPrefix, e.Name, err)
+				}
+				newBytes := checkpoint.RedactBlobBytes(ctx, content, e.Name, true)
+				newHash, err := checkpoint.CreateBlobFromContent(repo, newBytes)
+				if err != nil {
+					return plumbing.ZeroHash, fmt.Errorf("write redacted blob %s/%s: %w", pathPrefix, e.Name, err)
+				}
+				entries = append(entries, object.TreeEntry{Name: e.Name, Mode: e.Mode, Hash: newHash})
+				if e.Name == paths.TranscriptFileName {
+					newFullJSONLHash = newHash
+				}
+			default:
+				entries = append(entries, e)
+			}
+		default:
+			entries = append(entries, e)
+		}
+	}
+
+	for _, d := range deferredHashes {
+		if newFullJSONLHash.IsZero() {
+			continue // no transcript in this dir; keep original hash
+		}
+		jsonlBytes, err := readBlob(repo, newFullJSONLHash)
+		if err != nil {
+			return plumbing.ZeroHash, fmt.Errorf("read new transcript for content_hash: %w", err)
+		}
+		sum := sha256.Sum256(jsonlBytes)
+		hashBlob, err := checkpoint.CreateBlobFromContent(repo, []byte(fmt.Sprintf("sha256:%x", sum)))
+		if err != nil {
+			return plumbing.ZeroHash, fmt.Errorf("write content_hash: %w", err)
+		}
+		entries[d.idx] = object.TreeEntry{Name: d.entryName, Mode: d.entryMode, Hash: hashBlob}
+	}
+
+	newTree := &object.Tree{Entries: entries}
+	obj := repo.Storer.NewEncodedObject()
+	if err := newTree.Encode(obj); err != nil {
+		return plumbing.ZeroHash, fmt.Errorf("encode tree: %w", err)
+	}
+	hash, err := repo.Storer.SetEncodedObject(obj)
+	if err != nil {
+		return plumbing.ZeroHash, fmt.Errorf("store tree: %w", err)
+	}
+	return hash, nil
+}
+
+func readBlob(repo *git.Repository, hash plumbing.Hash) ([]byte, error) {
+	blob, err := repo.BlobObject(hash)
+	if err != nil {
+		return nil, fmt.Errorf("blob: %w", err)
+	}
+	r, err := blob.Reader()
+	if err != nil {
+		return nil, fmt.Errorf("blob reader: %w", err)
+	}
+	defer func() { _ = r.Close() }()
+	data, err := io.ReadAll(r)
+	if err != nil {
+		return nil, fmt.Errorf("blob read: %w", err)
+	}
+	return data, nil
+}
+
+// atomicSetV1Ref CAS-updates the local v1 ref. On conflict returns
+// V1RefMovedError so the hook aborts the push.
+func atomicSetV1Ref(repo *git.Repository, expectedOld, newHash plumbing.Hash) error {
+	refName := plumbing.NewBranchReferenceName(paths.MetadataBranchName)
+	if err := repo.Storer.CheckAndSetReference(
+		plumbing.NewHashReference(refName, newHash),
+		plumbing.NewHashReference(refName, expectedOld),
+	); err != nil {
+		actual := plumbing.ZeroHash
+		if cur, refErr := repo.Reference(refName, true); refErr == nil {
+			actual = cur.Hash()
+		}
+		return &V1RefMovedError{Expected: expectedOld, Actual: actual}
+	}
+	return nil
+}
diff --git a/cmd/entire/cli/strategy/manual_commit_opf_rewrite_test.go b/cmd/entire/cli/strategy/manual_commit_opf_rewrite_test.go
new file mode 100644
index 0000000000..99f1f3dd29
--- /dev/null
+++ b/cmd/entire/cli/strategy/manual_commit_opf_rewrite_test.go
@@ -0,0 +1,330 @@
+package strategy
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/entireio/cli/cmd/entire/cli/checkpoint"
+	"github.com/entireio/cli/cmd/entire/cli/checkpoint/id"
+	"github.com/entireio/cli/cmd/entire/cli/paths"
+	"github.com/entireio/cli/cmd/entire/cli/testutil"
+	"github.com/entireio/cli/cmd/entire/cli/trailers"
+	"github.com/entireio/cli/redact"
+	"github.com/go-git/go-git/v6"
+	"github.com/go-git/go-git/v6/plumbing"
+	"github.com/go-git/go-git/v6/plumbing/object"
+	"github.com/stretchr/testify/require"
+)
+
+// fakeOPFForRewrite tags any occurrence of "PERSONABC" as private_person.
+// Deterministic + offline; real OPF inference is not needed to exercise
+// the rewrite plumbing.
+type fakeOPFForRewrite struct{}
+
+func (f *fakeOPFForRewrite) Redact(_ context.Context, text string, _ []string) ([]redact.Span, error) {
+	return findSentinelSpans(text), nil
+}
+
+func (f *fakeOPFForRewrite) RedactBatch(_ context.Context, inputs []string, _ []string) ([][]redact.Span, error) {
+	out := make([][]redact.Span, len(inputs))
+	for i, in := range inputs {
+		out[i] = findSentinelSpans(in)
+	}
+	return out, nil
+}
+
+func findSentinelSpans(s string) []redact.Span {
+	const sentinel = "PERSONABC"
+	var spans []redact.Span
+	for idx := 0; ; {
+		hit := strings.Index(s[idx:], sentinel)
+		if hit < 0 {
+			break
+		}
+		start := idx + hit
+		end := start + len(sentinel)
+		spans = append(spans, redact.Span{Start: start, End: end, Label: "private_person"})
+		idx = end
+	}
+	return spans
+}
+
+// fakeRuntimeAlwaysFails trips the OPF circuit breaker on first call.
+// Used to test the fail-closed assertion that breaker-trip during
+// rewrite aborts before CAS.
+type fakeRuntimeAlwaysFails struct{}
+
+func (f *fakeRuntimeAlwaysFails) Redact(_ context.Context, _ string, _ []string) ([]redact.Span, error) {
+	return nil, errors.New("simulated OPF runtime failure")
+}
+func (f *fakeRuntimeAlwaysFails) RedactBatch(_ context.Context, _ []string, _ []string) ([][]redact.Span, error) {
+	return nil, errors.New("simulated OPF runtime failure")
+}
+
+// testOPFRuntime is the structural interface the redact package's
+// ConfigurePrivacyFilterWithRuntime accepts. Mirrors redact.opfRuntime
+// (unexported, can't be named directly from this package).
+type testOPFRuntime interface {
+	Redact(ctx context.Context, text string, categories []string) ([]redact.Span, error)
+	RedactBatch(ctx context.Context, inputs []string, categories []string) ([][]redact.Span, error)
+}
+
+// configureFakeOPF resets state and wires the given runtime as the
+// process-global OPF.
+func configureFakeOPF(t *testing.T, rt testOPFRuntime) {
+	t.Helper()
+	redact.ResetOPFConfigForTest()
+	t.Cleanup(redact.ResetOPFConfigForTest)
+	redact.ConfigurePrivacyFilterWithRuntime(redact.OPFConfig{
+		Enabled:    true,
+		Categories: map[string]bool{"private_person": true},
+		Command:    "/tmp/test-opf",
+	}, rt)
+}
+
+// setupV1Repo creates a repo + one v1 checkpoint with "PERSONABC" in
+// both the transcript and prompt. Returns the repo and the v1 tip.
+func setupV1Repo(t *testing.T) (*git.Repository, plumbing.Hash) {
+	t.Helper()
+	tempDir := t.TempDir()
+	testutil.InitRepo(t, tempDir)
+	repo, err := git.PlainOpen(tempDir)
+	require.NoError(t, err)
+
+	wt, err := repo.Worktree()
+	require.NoError(t, err)
+	require.NoError(t, os.WriteFile(filepath.Join(tempDir, "README.md"), []byte("# Test"), 0o644))
+	_, err = wt.Add("README.md")
+	require.NoError(t, err)
+	_, err = wt.Commit("Initial commit", &git.CommitOptions{
+		Author: &object.Signature{Name: "Test", Email: "test@test.com"},
+	})
+	require.NoError(t, err)
+
+	store := checkpoint.NewGitStore(repo)
+	cpID := id.MustCheckpointID("a1b2c3d4e5f6")
+	require.NoError(t, store.WriteCommitted(context.Background(), checkpoint.WriteCommittedOptions{
+		CheckpointID: cpID,
+		SessionID:    "test-session",
+		Strategy:     "manual-commit",
+		Transcript:   redact.AlreadyRedacted([]byte(`{"role":"user","content":"Hello, PERSONABC asked"}` + "\n")),
+		Prompts:      []string{"Look up PERSONABC"},
+		AuthorName:   "Test",
+		AuthorEmail:  "test@test.com",
+	}))
+	ref, err := repo.Reference(plumbing.NewBranchReferenceName(paths.MetadataBranchName), true)
+	require.NoError(t, err)
+	return repo, ref.Hash()
+}
+
+// makeOrphanCommit writes a single v1 commit (no parents = orphan).
+// Used by edge-case tests that need many cheap commits or commits
+// with unrelated histories.
+func makeOrphanCommit(t *testing.T, repo *git.Repository, treeHash plumbing.Hash, parents []plumbing.Hash, message string) plumbing.Hash {
+	t.Helper()
+	sig := &object.Signature{Name: "Test", Email: "test@test.com"}
+	c := &object.Commit{Author: *sig, Committer: *sig, Message: message, TreeHash: treeHash, ParentHashes: parents}
+	obj := repo.Storer.NewEncodedObject()
+	require.NoError(t, c.Encode(obj))
+	hash, err := repo.Storer.SetEncodedObject(obj)
+	require.NoError(t, err)
+	return hash
+}
+
+// emptyTreeHash writes (or resolves) git's well-known empty tree.
+func emptyTreeHash(t *testing.T, repo *git.Repository) plumbing.Hash {
+	t.Helper()
+	obj := repo.Storer.NewEncodedObject()
+	require.NoError(t, (&object.Tree{}).Encode(obj))
+	hash, err := repo.Storer.SetEncodedObject(obj)
+	require.NoError(t, err)
+	return hash
+}
+
+// buildOrphanChain builds n linear orphan commits on v1 with the
+// empty tree. Returns the tip. Useful for testing bootstrap/limit paths
+// where the only thing that matters is commit count.
+func buildOrphanChain(t *testing.T, repo *git.Repository, n int) plumbing.Hash {
+	t.Helper()
+	tree := emptyTreeHash(t, repo)
+	var parent, tip plumbing.Hash
+	for i := range n {
+		var parents []plumbing.Hash
+		if !parent.IsZero() {
+			parents = []plumbing.Hash{parent}
+		}
+		tip = makeOrphanCommit(t, repo, tree, parents, fmt.Sprintf("commit %d", i))
+		parent = tip
+	}
+	require.NoError(t, repo.Storer.SetReference(
+		plumbing.NewHashReference(plumbing.NewBranchReferenceName(paths.MetadataBranchName), tip)))
+	return tip
+}
+
+// Happy path: a single unpushed unapplied commit gets rewritten, tagged
+// applied, and its sentinel-bearing blobs no longer contain the sentinel.
+func TestRewriteUnpushedV1WithOPF_HappyPath_RewritesAndTagsApplied(t *testing.T) {
+	configureFakeOPF(t, &fakeOPFForRewrite{})
+	repo, originalTip := setupV1Repo(t)
+
+	newTip, err := RewriteUnpushedV1WithOPF(context.Background(), repo, "origin")
+	require.NoError(t, err)
+	if newTip == originalTip {
+		t.Fatalf("rewrite returned same tip %s; expected new tip", newTip.String()[:7])
+	}
+
+	newCommit, err := repo.CommitObject(newTip)
+	require.NoError(t, err)
+	if !trailers.HasOPFApplied(newCommit.Message) {
+		t.Errorf("new commit missing Entire-OPF-Applied trailer:\n%s", newCommit.Message)
+	}
+
+	ref, err := repo.Reference(plumbing.NewBranchReferenceName(paths.MetadataBranchName), true)
+	require.NoError(t, err)
+	require.Equal(t, newTip, ref.Hash(), "local v1 ref should point to new tip")
+
+	tree, err := newCommit.Tree()
+	require.NoError(t, err)
+	require.NoError(t, tree.Files().ForEach(func(f *object.File) error {
+		if !strings.HasSuffix(f.Name, ".jsonl") && !strings.HasSuffix(f.Name, ".txt") {
+			return nil
+		}
+		content, err := f.Contents()
+		if err != nil {
+			return err
+		}
+		if strings.Contains(content, "PERSONABC") {
+			t.Errorf("rewritten %s still contains sentinel 'PERSONABC'", f.Name)
+		}
+		return nil
+	}))
+}
+
+// Idempotent re-run: a commit already tagged Entire-OPF-Applied is
+// re-parented without re-redacting the tree and without duplicating
+// the trailer.
+func TestRewriteUnpushedV1WithOPF_SecondRun_IdempotentNoDuplicateTrailer(t *testing.T) {
+	configureFakeOPF(t, &fakeOPFForRewrite{})
+	repo, _ := setupV1Repo(t)
+
+	firstTip, err := RewriteUnpushedV1WithOPF(context.Background(), repo, "origin")
+	require.NoError(t, err)
+	firstCommit, err := repo.CommitObject(firstTip)
+	require.NoError(t, err)
+	require.True(t, trailers.HasOPFApplied(firstCommit.Message))
+	firstTreeHash := firstCommit.TreeHash
+
+	secondTip, err := RewriteUnpushedV1WithOPF(context.Background(), repo, "origin")
+	require.NoError(t, err)
+
+	secondCommit, err := repo.CommitObject(secondTip)
+	require.NoError(t, err)
+
+	wantTrailer := trailers.OPFAppliedTrailerKey + ": " + trailers.OPFAppliedTrailerValue
+	if count := strings.Count(secondCommit.Message, wantTrailer); count != 1 {
+		t.Errorf("trailer count = %d, want exactly 1\n%s", count, secondCommit.Message)
+	}
+	require.Equal(t, firstTreeHash, secondCommit.TreeHash, "applied commit tree should be preserved")
+}
+
+// No v1 branch → no-op, no error.
+func TestRewriteUnpushedV1WithOPF_NoV1Branch_ReturnsZeroHashNoError(t *testing.T) {
+	configureFakeOPF(t, &fakeOPFForRewrite{})
+	tempDir := t.TempDir()
+	testutil.InitRepo(t, tempDir)
+	repo, err := git.PlainOpen(tempDir)
+	require.NoError(t, err)
+
+	tip, err := RewriteUnpushedV1WithOPF(context.Background(), repo, "origin")
+	require.NoError(t, err)
+	require.True(t, tip.IsZero(), "expected zero hash for missing v1 ref")
+}
+
+// Diverged remote: local has commits unreachable from remote. Refusal
+// prevents silent rebase of work the remote already rejected.
+func TestRewriteUnpushedV1WithOPF_DivergedRemote_ReturnsV1DivergedError(t *testing.T) {
+	configureFakeOPF(t, &fakeOPFForRewrite{})
+	tempDir := t.TempDir()
+	testutil.InitRepo(t, tempDir)
+	repo, err := git.PlainOpen(tempDir)
+	require.NoError(t, err)
+
+	tree := emptyTreeHash(t, repo)
+	localTip := makeOrphanCommit(t, repo, tree, nil, "local only")
+	remoteTip := makeOrphanCommit(t, repo, tree, nil, "remote only")
+	require.NoError(t, repo.Storer.SetReference(
+		plumbing.NewHashReference(plumbing.NewBranchReferenceName(paths.MetadataBranchName), localTip)))
+	require.NoError(t, repo.Storer.SetReference(
+		plumbing.NewHashReference(plumbing.NewRemoteReferenceName("origin", paths.MetadataBranchName), remoteTip)))
+
+	_, err = RewriteUnpushedV1WithOPF(context.Background(), repo, "origin")
+	var diverged *V1DivergedError
+	require.ErrorAs(t, err, &diverged)
+	require.Equal(t, localTip, diverged.Local)
+	require.Equal(t, remoteTip, diverged.Remote)
+}
+
+// Bootstrap cap: a single table-driven test covers both the over-limit
+// rejection and the unlimited-override pass paths since they share
+// 90% of setup.
+func TestRewriteUnpushedV1WithOPF_BootstrapCap(t *testing.T) {
+	cases := []struct {
+		name      string
+		envLimit  string
+		commits   int
+		wantErr   bool
+		wantCount int
+		wantLimit int
+	}{
+		{name: "over_limit_rejected", envLimit: "2", commits: 3, wantErr: true, wantCount: 3, wantLimit: 2},
+		{name: "unlimited_allows_any_size", envLimit: "unlimited", commits: 3, wantErr: false},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			configureFakeOPF(t, &fakeOPFForRewrite{})
+			t.Setenv("ENTIRE_OPF_BOOTSTRAP_LIMIT", tc.envLimit)
+
+			tempDir := t.TempDir()
+			testutil.InitRepo(t, tempDir)
+			repo, err := git.PlainOpen(tempDir)
+			require.NoError(t, err)
+			tip := buildOrphanChain(t, repo, tc.commits)
+
+			newTip, err := RewriteUnpushedV1WithOPF(context.Background(), repo, "origin")
+			if !tc.wantErr {
+				require.NoError(t, err)
+				require.False(t, newTip.IsZero(), "expected new tip on success")
+				return
+			}
+			var tooLarge *BootstrapTooLargeError
+			require.ErrorAs(t, err, &tooLarge)
+			require.Equal(t, tc.wantCount, tooLarge.Count)
+			require.Equal(t, tc.wantLimit, tooLarge.Limit)
+			_ = tip // tip is the local v1 tip; on error we don't move the ref but we also don't assert here
+		})
+	}
+}
+
+// Fail-closed regression: when the OPF runtime fails and the breaker
+// trips, the rewrite must NOT CAS the ref. Otherwise the new commits
+// would carry Entire-OPF-Applied: true while their content is 7-layer
+// only, and future pushes would skip them — silently shipping unredacted
+// content to the remote.
+func TestRewriteUnpushedV1WithOPF_BreakerTrippedMidRewrite_AbortsBeforeCAS(t *testing.T) {
+	configureFakeOPF(t, &fakeRuntimeAlwaysFails{})
+	repo, originalTip := setupV1Repo(t)
+
+	_, err := RewriteUnpushedV1WithOPF(context.Background(), repo, "origin")
+	var runtimeFail *OPFRuntimeFailedError
+	require.ErrorAs(t, err, &runtimeFail)
+	require.Contains(t, runtimeFail.OPFCommand, "test-opf", "OPFCommand should reflect configured command")
+
+	ref, err := repo.Reference(plumbing.NewBranchReferenceName(paths.MetadataBranchName), true)
+	require.NoError(t, err)
+	require.Equal(t, originalTip, ref.Hash(), "local v1 ref must not move on OPF failure")
+}
diff --git a/cmd/entire/cli/strategy/manual_commit_push.go b/cmd/entire/cli/strategy/manual_commit_push.go
index b80fce476c..a8fe78428d 100644
--- a/cmd/entire/cli/strategy/manual_commit_push.go
+++ b/cmd/entire/cli/strategy/manual_commit_push.go
@@ -2,10 +2,13 @@ package strategy
 
 import (
 	"context"
+	"log/slog"
 
+	"github.com/entireio/cli/cmd/entire/cli/logging"
 	"github.com/entireio/cli/cmd/entire/cli/paths"
 	"github.com/entireio/cli/cmd/entire/cli/settings"
 	"github.com/entireio/cli/perf"
+	"github.com/entireio/cli/redact"
 )
 
 // PrePush is called by the git pre-push hook before pushing to a remote.
@@ -30,12 +33,48 @@ func (s *ManualCommitStrategy) PrePush(ctx context.Context, remote string) error
 		return nil
 	}
 
-	var err error
 	if settings.CheckpointsVersion(ctx) != 2 {
+		// OPF pre-push rewrite: if OPF is configured, re-redact unpushed
+		// v1 commits with the 8-layer pipeline before pushing. Skipped
+		// entirely when OPF is off, so the common-case fast path is
+		// unchanged. The rewrite returns sentinel errors for diverged
+		// remote, oversized bootstrap, and CAS conflict — these MUST
+		// abort the user's git push, otherwise the remote would receive
+		// 7-layer content when the user enabled OPF expecting 8-layer.
+		// Return them up so the hook command exits non-zero and the
+		// hook script propagates the exit code; see hooks.go's prePushCmd.
+		if redact.OPFEnabled() {
+			_, opfSpan := perf.Start(ctx, "opf_pre_push_rewrite")
+			repo, repoErr := OpenRepository(ctx)
+			if repoErr != nil {
+				opfSpan.RecordError(repoErr)
+				opfSpan.End()
+				logging.Warn(ctx, "OPF pre-push: failed to open repo; aborting push",
+					slog.String("error", repoErr.Error()),
+				)
+				return repoErr
+			}
+			if _, rewriteErr := RewriteUnpushedV1WithOPF(ctx, repo, ps.pushTarget()); rewriteErr != nil {
+				opfSpan.RecordError(rewriteErr)
+				opfSpan.End()
+				logging.Warn(ctx, "OPF pre-push rewrite failed; aborting push",
+					slog.String("error", rewriteErr.Error()),
+				)
+				return rewriteErr
+			}
+			opfSpan.End()
+		}
+
+		// Push the checkpoint branch. This is best-effort — failures here
+		// are logged but NOT propagated, so a transient checkpoint-push
+		// problem doesn't break the user's git push of their actual work.
+		// (OPF failures above are the exception — they're privacy-critical.)
 		_, pushCheckpointsSpan := perf.Start(ctx, "push_checkpoints_branch")
-		err = pushBranchIfNeeded(ctx, ps.pushTarget(), paths.MetadataBranchName)
-		if err != nil {
-			pushCheckpointsSpan.RecordError(err)
+		if pushErr := pushBranchIfNeeded(ctx, ps.pushTarget(), paths.MetadataBranchName); pushErr != nil {
+			pushCheckpointsSpan.RecordError(pushErr)
+			logging.Warn(ctx, "checkpoint branch push failed; user push continues",
+				slog.String("error", pushErr.Error()),
+			)
 		}
 		pushCheckpointsSpan.End()
 	}
@@ -47,5 +86,5 @@ func (s *ManualCommitStrategy) PrePush(ctx context.Context, remote string) error
 		pushV2Span.End()
 	}
 
-	return err
+	return nil
 }
diff --git a/cmd/entire/cli/trailers/trailers.go b/cmd/entire/cli/trailers/trailers.go
index a3c1b44036..93e4fe592d 100644
--- a/cmd/entire/cli/trailers/trailers.go
+++ b/cmd/entire/cli/trailers/trailers.go
@@ -48,6 +48,18 @@ const (
 	// AgentTrailerKey identifies the agent that created a checkpoint.
 	// Format: human-readable agent name e.g. "Claude Code", "Cursor"
 	AgentTrailerKey = "Entire-Agent"
+
+	// OPFAppliedTrailerKey marks an entire/checkpoints/v1 commit whose blobs
+	// have been redacted by the OpenAI Privacy Filter (8-layer pipeline).
+	// Format: literal "true"; the trailer is omitted entirely when OPF was
+	// not applied. The pre-push rewrite path treats commits lacking this
+	// trailer as candidates to OPF-redact before they reach the remote.
+	OPFAppliedTrailerKey = "Entire-OPF-Applied"
+
+	// OPFAppliedTrailerValue is the only value that means "OPF ran." Any
+	// other value (or trailer absence) is treated as "not applied" so a
+	// future "false" / "skipped" value never accidentally enables OPF.
+	OPFAppliedTrailerValue = "true"
 )
 
 // Pre-compiled regexes for trailer parsing.
@@ -59,6 +71,7 @@ var (
 	condensationTrailerRegex = regexp.MustCompile(CondensationTrailerKey + `:\s*(.+)`)
 	sessionTrailerRegex      = regexp.MustCompile(SessionTrailerKey + `:\s*(.+)`)
 	checkpointTrailerRegex   = regexp.MustCompile(CheckpointTrailerKey + `:\s*(` + checkpointID.Pattern + `)(?:\s|$)`)
+	opfAppliedTrailerRegex   = regexp.MustCompile(OPFAppliedTrailerKey + `:\s*(\S+)`)
 )
 
 // ParseStrategy extracts strategy from commit message.
@@ -307,3 +320,31 @@ func AppendCheckpointTrailer(message, checkpointID string) string {
 	trailer := fmt.Sprintf("%s: %s", CheckpointTrailerKey, checkpointID)
 	return appendTrailerLine(message, trailer)
 }
+
+// HasOPFApplied reports whether the commit message carries an
+// `Entire-OPF-Applied: true` trailer. Any other value (or absence) is
+// treated as "OPF not applied" so the pre-push rewrite considers the
+// commit a candidate for OPF redaction. Pinning the value to literal
+// "true" — rather than just trailer presence — prevents a future
+// "Entire-OPF-Applied: false" or "skipped" from accidentally meaning
+// "yes, applied."
+func HasOPFApplied(commitMessage string) bool {
+	matches := opfAppliedTrailerRegex.FindStringSubmatch(commitMessage)
+	if len(matches) < 2 {
+		return false
+	}
+	return strings.TrimSpace(matches[1]) == OPFAppliedTrailerValue
+}
+
+// AppendOPFAppliedTrailer appends `Entire-OPF-Applied: true` in
+// trailer-aware format. Idempotent: if the message already carries
+// the trailer with value "true", the original message is returned
+// unchanged so re-parenting an already-applied commit doesn't
+// duplicate the trailer.
+func AppendOPFAppliedTrailer(message string) string {
+	if HasOPFApplied(message) {
+		return message
+	}
+	trailer := fmt.Sprintf("%s: %s", OPFAppliedTrailerKey, OPFAppliedTrailerValue)
+	return appendTrailerLine(message, trailer)
+}
diff --git a/cmd/entire/cli/trailers/trailers_test.go b/cmd/entire/cli/trailers/trailers_test.go
index 2fd0e89613..c50de8cfef 100644
--- a/cmd/entire/cli/trailers/trailers_test.go
+++ b/cmd/entire/cli/trailers/trailers_test.go
@@ -450,3 +450,70 @@ func TestParseCheckpoint(t *testing.T) {
 		})
 	}
 }
+
+// TestHasOPFApplied covers the Entire-OPF-Applied trailer reader. The
+// trailer marks a v1 commit whose blobs have been redacted by the
+// OpenAI Privacy Filter (8-layer); commits without it carry 7-layer
+// content and are eligible for the pre-push rewrite to add OPF.
+func TestHasOPFApplied(t *testing.T) {
+	t.Parallel()
+	cases := []struct {
+		name    string
+		message string
+		want    bool
+	}{
+		{"present_lowercase_true", "Checkpoint: a1b2c3d4e5f6\n\nEntire-OPF-Applied: true\n", true},
+		{"absent", "Checkpoint: a1b2c3d4e5f6\n", false},
+		{"present_among_other_trailers", "msg\n\nEntire-Session: 2026-01\nEntire-OPF-Applied: true\nEntire-Strategy: manual-commit\n", true},
+		{"value_false_not_applied", "msg\n\nEntire-OPF-Applied: false\n", false},
+		{"value_other_not_applied", "msg\n\nEntire-OPF-Applied: yes\n", false},
+		{"empty_message", "", false},
+		{"trailer_with_extra_spaces", "msg\n\nEntire-OPF-Applied:   true   \n", true},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			if got := HasOPFApplied(tc.message); got != tc.want {
+				t.Errorf("HasOPFApplied(%q) = %v, want %v", tc.message, got, tc.want)
+			}
+		})
+	}
+}
+
+// TestAppendOPFAppliedTrailer covers the formatter. Appending to a
+// message without a trailer block inserts a blank line; appending to
+// one with a trailer block joins directly. Idempotent — appending to
+// a message that already has the trailer must not duplicate it.
+func TestAppendOPFAppliedTrailer(t *testing.T) {
+	t.Parallel()
+	tests := []struct {
+		name string
+		msg  string
+		want string
+	}{
+		{
+			name: "no_existing_trailers",
+			msg:  "Checkpoint: a1b2c3d4e5f6\n",
+			want: "Checkpoint: a1b2c3d4e5f6\n\nEntire-OPF-Applied: true\n",
+		},
+		{
+			name: "existing_trailer_block",
+			msg:  "Checkpoint: a1\n\nEntire-Session: s\nEntire-Strategy: manual-commit\n",
+			want: "Checkpoint: a1\n\nEntire-Session: s\nEntire-Strategy: manual-commit\nEntire-OPF-Applied: true\n",
+		},
+		{
+			name: "idempotent_when_already_applied",
+			msg:  "Checkpoint: a1\n\nEntire-OPF-Applied: true\n",
+			want: "Checkpoint: a1\n\nEntire-OPF-Applied: true\n",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			got := AppendOPFAppliedTrailer(tt.msg)
+			if got != tt.want {
+				t.Errorf("AppendOPFAppliedTrailer():\n got=%q\nwant=%q", got, tt.want)
+			}
+		})
+	}
+}
diff --git a/docs/security-and-privacy.md b/docs/security-and-privacy.md
index 74cdc393b8..b0b47f1ebb 100644
--- a/docs/security-and-privacy.md
+++ b/docs/security-and-privacy.md
@@ -62,7 +62,7 @@ If a custom pattern itself reveals sensitive structure (e.g. an internal ID form
 
 ### Optional OpenAI Privacy Filter (`opf`)
 
-A separate, **opt-in** layer that shells out to the [OpenAI Privacy Filter](https://github.com/openai/privacy-filter) (`opf`) — a 1.5B-parameter token-classification model that finds names, emails, phone numbers, addresses, dates, URLs, account numbers, and secrets that pure regex can miss. Disabled by default. Runs *in addition to* the seven built-in layers, only at the condensation and export boundaries (never per-turn), so the agent loop's hot path stays on the fast pipeline.
+A separate, **opt-in** layer that shells out to the [OpenAI Privacy Filter](https://github.com/openai/privacy-filter) (`opf`) — a 1.5B-parameter token-classification model that finds names, emails, phone numbers, addresses, dates, URLs, account numbers, and secrets that pure regex can miss. Disabled by default. Runs *in addition to* the seven built-in layers, **only at push time** — never per-turn and never at commit time. Local commits stay on the fast 7-layer pipeline so per-commit latency is unchanged; OPF only re-redacts checkpoints right before they leave the machine via `git push`.
 
 Prerequisites:
 
@@ -131,19 +131,74 @@ Full settings reference:
 
 There is no `on_failure` setting; warn-on-failure is the only mode supported today. If OPF is not on PATH, fails to start, or times out, Entire prints a one-line `× OpenAI Privacy Filter unavailable …` notice and continues with the seven built-in layers. A per-process circuit breaker disables OPF for the remainder of the invocation after the first failure, so a broken install costs one warning rather than one timeout per redaction call.
 
-Cost note: each shell-out loads the OPF model (~1.5B parameters on CPU). Condensation batches all eligible leaf strings into a single inference pass per scope (transcript + joined prompts), so a typical real-world commit adds ~25–30s of OPF inference rather than the multi-minute cost a per-leaf flow would incur.
+Cost note: each shell-out loads the OPF model (~1.5B parameters on CPU). The pre-push rewrite batches all eligible leaf strings into a single inference pass per scope (transcript + joined prompts), so a typical real-world push adds ~25–30s of OPF inference rather than the multi-minute cost a per-leaf flow would incur. Per-commit latency is unaffected because OPF doesn't run at commit time.
+
+#### When OPF actually runs
+
+OPF execution lives in the pre-push hook. The flow:
+
+1. **Post-commit** writes the checkpoint with **7-layer-only** redaction to your local `entire/checkpoints/v1` branch. Fast, predictable, no OPF cost on the hot path.
+2. **Pre-push** (`git push`): if OPF is enabled, the hook re-reads each unpushed `entire/checkpoints/v1` commit, runs the OpenAI Privacy Filter over its blobs to add the categories the regex layers don't catch (person names, addresses, etc.), and builds **new commits** carrying an `Entire-OPF-Applied: true` trailer. The local v1 ref fast-forwards atomically to the new tip, and the (now 8-layer-redacted) commits are what get pushed.
+3. The original 7-layer-only commits become **unreachable** in the local git object database and eventually get swept by `git gc`.
+
+This means:
+
+- **The remote only ever sees 8-layer-redacted content** when OPF is enabled.
+- **Local-only commits are 7-layer-redacted** until the moment you push. If you never push, OPF never runs.
+- **Re-running pre-push is idempotent** — commits already carrying the trailer get re-parented into the chain but are not re-redacted.
+
+#### Force-pushed remote, bootstrap, and concurrent pushes
+
+The rewrite refuses to proceed and aborts the push when it detects a divergent state, so checkpoints on the remote are never silently rebased:
+
+- **Diverged remote**: if local `entire/checkpoints/v1` has commits that aren't ancestors of `<remote>/entire/checkpoints/v1`, the hook exits with a `entire/checkpoints/v1 has diverged from remote` error. Fetch the remote and either reset local v1 to the remote tip or resolve manually before pushing.
+- **Bootstrap** (remote has no `entire/checkpoints/v1` yet, e.g. first push): the cap is `100` unpushed commits by default. Override via the env var on the push invocation:
+
+  ```fish
+  set -x ENTIRE_OPF_BOOTSTRAP_LIMIT 500; git push
+  # or fully unbounded:
+  set -x ENTIRE_OPF_BOOTSTRAP_LIMIT unlimited; git push
+  ```
+
+- **Concurrent push** from another worktree: the rewrite uses a CAS to update the local v1 ref. If another process moved the ref while OPF was running, the hook exits with a "concurrent push detected" error and `git push` aborts the whole batch. Fetch and retry.
+
+#### Persistence of un-redacted-by-OPF content
+
+Three places retain content that OPF *didn't* redact, with different lifetimes. Understanding them matters if your threat model goes beyond "what reaches the remote":
+
+| Location | Redaction level | Lifetime | Reaches remote? |
+|---|---|---|---|
+| `.entire/<session>.jsonl` | **None — raw** | Until session is deleted (managed by the agent) | No |
+| Shadow branch `entire/<commit>-<worktree>` | 7-layer | Until session is condensed (and post-push cleanup, if enabled) | No |
+| Unreachable git objects after pre-push rewrite | 7-layer | Until `git gc --prune` (default `gc.pruneExpire` is 2 weeks) | No |
+| Reflog `git reflog show entire/checkpoints/v1` | 7-layer tips | Default `gc.reflogExpire` is 90 days | No |
+| `<remote>/entire/checkpoints/v1` | 8-layer (after OPF rewrite) | Until you delete the branch on the remote | Yes |
+
+The `.entire/<session>.jsonl` files are raw working state owned by the agent (Claude Code, etc.) — Entire reads from them but does not redact them in place, because the agent is reading and writing them continuously and editing under the agent's feet would corrupt the session.
+
+To aggressively scrub the unreachable git objects from the pre-push rewrite (instead of waiting for the 2-week GC window):
+
+```fish
+git reflog expire --expire-unreachable=now refs/heads/entire/checkpoints/v1
+git gc --prune=now
+```
+
+This is I/O-heavy on large repositories; it's not run automatically. If you want it as part of your push workflow, wrap `git push` in a script that invokes it after a successful push.
 
 Verifying it's working:
 
 ```fish
 # After enabling OPF, run an agent turn that includes a name in the prompt,
 # e.g. "Create notes.txt with: Alice Johnson reviewed the proposal."
-# Then commit and inspect the latest checkpoint:
+# Commit (this stays on the fast 7-layer pipeline), then push. OPF runs
+# during the pre-push step:
+git commit -m "demo"
+git push   # → "→ OpenAI Privacy Filter: scanning N checkpoints (~30s)…"
 git log --oneline entire/checkpoints/v1 | head -2
 entire checkpoint explain HEAD | grep -i 'REDACTED_PERSON'
 ```
 
-If `[REDACTED_PERSON]` appears in the prompt or transcript section, OPF is active.
+If `[REDACTED_PERSON]` appears in the prompt or transcript section and the latest `entire/checkpoints/v1` commit carries `Entire-OPF-Applied: true`, OPF is active.
 
 ### Recommendations
 
diff --git a/redact/export_test.go b/redact/export_test.go
deleted file mode 100644
index 98bc31c120..0000000000
--- a/redact/export_test.go
+++ /dev/null
@@ -1,21 +0,0 @@
-package redact
-
-// This file exposes internal helpers to redact-package tests only.
-// It is excluded from regular builds (the _test.go suffix is invisible to
-// importers), so production code outside this package cannot reach the
-// global OPF config. Tests in other packages that need to manipulate the
-// global state can do so via thin re-exports declared in their own
-// _test.go files, but those re-exports stay this side of the package
-// boundary.
-
-// GetOPFConfigForTest returns the current OPF configuration, or nil if
-// never configured.
-func GetOPFConfigForTest() *OPFConfig {
-	return getOPFConfig()
-}
-
-// ResetOPFConfigForTest clears configuration and the circuit breaker.
-// Used to return to a "never configured" state between test cases.
-func ResetOPFConfigForTest() {
-	resetOPFConfig()
-}
diff --git a/redact/joined_prompts_test.go b/redact/joined_prompts_test.go
new file mode 100644
index 0000000000..ff1a9cfd66
--- /dev/null
+++ b/redact/joined_prompts_test.go
@@ -0,0 +1,74 @@
+package redact
+
+import (
+	"strings"
+	"testing"
+)
+
+// TestJoinedPromptsLegacy_ParityWithStringPlusJoin pins down that the legacy
+// (7-layer, no-OPF) constructor produces the same content as the pre-PR
+// behavior of `redact.String(strings.Join(prompts, sep))`. The writer's
+// safety net switched from running OPF-augmented redaction to the legacy
+// variant; this parity check is what keeps existing post-commit checkpoint
+// blobs byte-identical to the pre-PR output once OPF is gated to pre-push.
+func TestJoinedPromptsLegacy_ParityWithStringPlusJoin(t *testing.T) {
+	t.Parallel()
+	const sep = "\n\n---\n\n"
+	cases := []struct {
+		name    string
+		prompts []string
+	}{
+		{"single_simple", []string{"hello world"}},
+		{"multi_simple", []string{"first prompt", "second prompt", "third prompt"}},
+		{"with_high_entropy_secret", []string{"set API_KEY=" + highEntropySecret, "ok"}},
+		{"with_db_password", []string{"connect to postgres://app:pwd123@db.example.com:5432/app", "done"}},
+		{"single_with_email_no_pii_config", []string{"contact alice@example.com please"}},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			joined := strings.Join(tc.prompts, sep)
+			want := String(joined)
+			got := JoinedPromptsLegacy(tc.prompts, sep).String()
+			if got != want {
+				t.Errorf("parity mismatch:\n got=%q\nwant=%q", got, want)
+			}
+		})
+	}
+}
+
+// TestJoinedPromptsLegacy_EmptyReturnsZeroValue verifies the constructor
+// short-circuits an empty input to the zero value, so IsSet() reports
+// false and the writer's safety net can re-run rather than persist an
+// empty prompt.txt blob.
+func TestJoinedPromptsLegacy_EmptyReturnsZeroValue(t *testing.T) {
+	t.Parallel()
+	if got := JoinedPromptsLegacy(nil, "sep"); got.IsSet() {
+		t.Errorf("nil prompts: IsSet() = true, want false (content=%q)", got.String())
+	}
+	if got := JoinedPromptsLegacy([]string{}, "sep"); got.IsSet() {
+		t.Errorf("empty prompts: IsSet() = true, want false (content=%q)", got.String())
+	}
+}
+
+// TestJoinedPromptsLegacy_DoesNotInvokeOPF is the regression guard for the
+// architectural promise: even with OPF configured globally, the legacy
+// constructor MUST run only the 7-layer pipeline. Pairs with
+// TestPlainEntryPointsNeverInvokeOPF in opf_test.go — that test pins
+// String/Bytes/JSONLBytes; this one pins JoinedPromptsLegacy.
+func TestJoinedPromptsLegacy_DoesNotInvokeOPF(t *testing.T) {
+	resetOPFConfig()
+	t.Cleanup(resetOPFConfig)
+
+	fake := &fakeRuntime{spans: []Span{{Start: 0, End: 5, Label: "private_person"}}}
+	ConfigurePrivacyFilterWithRuntime(OPFConfig{
+		Enabled:    true,
+		Categories: map[string]bool{"private_person": true},
+	}, fake)
+
+	_ = JoinedPromptsLegacy([]string{"Alice met Bob in the lobby", "Charlie was there too"}, "\n---\n")
+
+	if fake.calls+fake.batchCalls != 0 {
+		t.Errorf("legacy constructor invoked OPF: calls=%d batchCalls=%d", fake.calls, fake.batchCalls)
+	}
+}
diff --git a/redact/opf.go b/redact/opf.go
index 8b80fa0822..8b7fbf1d23 100644
--- a/redact/opf.go
+++ b/redact/opf.go
@@ -57,7 +57,7 @@ func ConfigurePrivacyFilter(cfg OPFConfig) {
 		cfgCopy.Timeout = 30
 	}
 	if cfgCopy.Command == "" {
-		cfgCopy.Command = "opf"
+		cfgCopy.Command = defaultOPFCommand
 	}
 	cfgCopy.runtime = newShellOut(cfgCopy.Command, cfgCopy.Timeout)
 	opfConfigMu.Lock()
@@ -86,6 +86,46 @@ func getOPFConfig() *OPFConfig {
 	return opfConfig
 }
 
+// OPFEnabled reports whether the OpenAI Privacy Filter is configured
+// and turned on for this process. Callers gate pre-push rewrite work
+// on this: when false, the pre-push hook pushes the local 7-layer
+// checkpoint branch verbatim with no extra processing. Independent of
+// the circuit breaker — a tripped breaker still reports Enabled=true
+// because the runtime config didn't change; the rewrite logic itself
+// handles the breaker by short-circuiting per-commit OPF calls.
+func OPFEnabled() bool {
+	cfg := getOPFConfig()
+	return cfg != nil && cfg.Enabled
+}
+
+// OPFBreakerTripped reports whether the per-process OPF circuit breaker
+// has been tripped — i.e. an OPF invocation failed at some point during
+// this process's lifetime. The pre-push rewrite uses this to detect
+// when OPF silently fell back to 7-layer mid-rewrite and abort before
+// CAS-ing the new ref; otherwise the rewritten commits would carry the
+// Entire-OPF-Applied: true trailer despite containing only 7-layer
+// content, and the next push would skip them.
+func OPFBreakerTripped() bool {
+	return opfBreakerTripped.Load()
+}
+
+// defaultOPFCommand is the binary name we resolve via $PATH when the
+// user hasn't pinned a specific path in settings. Used as the fallback
+// inside ConfigurePrivacyFilter and as the OPFCommand() default for
+// error messages.
+const defaultOPFCommand = "opf"
+
+// OPFCommand returns the configured OPF binary command, or the default
+// when OPF is unconfigured. Used by error messages so the user sees the
+// exact command they need to fix.
+func OPFCommand() string {
+	cfg := getOPFConfig()
+	if cfg == nil || cfg.Command == "" {
+		return defaultOPFCommand
+	}
+	return cfg.Command
+}
+
 func resetOPFConfig() {
 	opfConfigMu.Lock()
 	opfConfig = nil
diff --git a/redact/redact.go b/redact/redact.go
index 4d32f8e057..e10151cdd3 100644
--- a/redact/redact.go
+++ b/redact/redact.go
@@ -155,6 +155,23 @@ func AlreadyRedactedJoinedPrompts(content string) RedactedJoinedPrompts {
 	return RedactedJoinedPrompts{content: content}
 }
 
+// JoinedPromptsLegacy joins prompts with sep and runs only the seven
+// always-on/opt-in regex layers — never the OpenAI Privacy Filter, even
+// when OPF is configured globally. Used by the checkpoint writer's
+// safety net so post-commit blobs stay on the fast 7-layer pipeline; OPF
+// is applied exclusively by the pre-push rewrite path (see
+// strategy/manual_commit_opf_rewrite.go), which calls JoinedPrompts.
+//
+// Mirrors JoinedPrompts in return type so callers can use either
+// constructor and feed the result to WriteCommittedOptions.PromptsRedacted
+// without changing the type contract.
+func JoinedPromptsLegacy(prompts []string, sep string) RedactedJoinedPrompts {
+	if len(prompts) == 0 {
+		return RedactedJoinedPrompts{}
+	}
+	return RedactedJoinedPrompts{content: String(strings.Join(prompts, sep))}
+}
+
 var (
 	betterleaksDetector     *detect.Detector
 	betterleaksDetectorOnce sync.Once
diff --git a/redact/testhelpers.go b/redact/testhelpers.go
new file mode 100644
index 0000000000..6f6d1360dd
--- /dev/null
+++ b/redact/testhelpers.go
@@ -0,0 +1,25 @@
+package redact
+
+// This file exposes internal helpers needed by tests in OTHER packages
+// (e.g. cmd/entire/cli/strategy) that exercise OPF behavior end-to-end.
+// They cannot live in export_test.go because that file is invisible to
+// importers — only redact's own tests would be able to call them.
+//
+// The "ForTest" suffix is a convention signal: production code MUST NOT
+// call these. A future lint rule (e.g. forbidigo on the "ForTest"
+// suffix) could enforce that statically; today it relies on reviewer
+// discipline.
+
+// GetOPFConfigForTest returns the current OPF configuration, or nil if
+// never configured. Test-only — production code should never need to
+// introspect the global config; gate behavior on OPFEnabled() instead.
+func GetOPFConfigForTest() *OPFConfig {
+	return getOPFConfig()
+}
+
+// ResetOPFConfigForTest clears configuration and the circuit breaker.
+// Used to return to a "never configured" state between test cases.
+// Test-only — production code should never need to reset OPF state.
+func ResetOPFConfigForTest() {
+	resetOPFConfig()
+}

From 36ced062796bba9a4f4dc67322f4ac1e2d39c267 Mon Sep 17 00:00:00 2001
From: Peyton Montei <peyton@entire.io>
Date: Fri, 15 May 2026 16:50:17 -0400
Subject: [PATCH 08/11] feat(redact): interactive prompt + ENTIRE_OPF env var
 before pre-push rewrite
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add a 3-option prompt (Yes/No/Always) plus env-var override so users
can decide per-push whether to pay the ~30s OPF cost. Ctrl-C aborts the
push entirely.

Decision precedence (highest first):
1. ENTIRE_OPF=yes|no   — per-push override on the git push invocation
2. redaction.openai_privacy_filter.prompt_default = always|never
3. Interactive prompt (TTY + ask mode, the default)
4. Non-interactive fallback (no TTY) — auto-run with stderr progress

The "Always" choice persists prompt_default=always to
.entire/settings.local.json so future pushes don't ask. The settings
file is updated via a JSON-map round-trip so unrelated fields survive.

Architecture:
- resolveOPFDecision is pure (env, setting, hasTTY, prompter) → decision.
  Tests inject a fake prompter; production path uses the huh form.
- resolveOPFDecisionForPrePush is the production wiring: reads env,
  reads settings, checks TTY via interactive.CanPromptInteractively(),
  invokes askOPFPrompt only when needed, emits stderr progress on the
  non-TTY auto-run path.
- PrePush integrates the decision: Run → invoke rewrite; Skip → push
  7-layer as-is; Abort → return errOPFAbortedByUser (hook propagates
  non-zero, git push aborts).

Settings:
- OPFSettings.PromptDefault: "" | "ask" | "always" | "never"
- Constants exported: OPFPromptAsk, OPFPromptAlways, OPFPromptNever
- Validator rejects unknown values at parse time (matches existing
  on_failure precedent — typos surface immediately).

Tests:
- 15-case table-driven precedence (env > setting > prompt > non-TTY).
- Persistence round-trip preserves unrelated settings.
- Fresh-install path creates settings.local.json.
- Settings validator accepts ask/always/never/empty, rejects bogus.

Docs:
- security-and-privacy.md describes the prompt UX, env-var overrides,
  and non-TTY behavior.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 cmd/entire/cli/settings/settings.go           |  26 +++
 cmd/entire/cli/settings/settings_test.go      |  41 ++++
 .../cli/strategy/manual_commit_opf_prompt.go  | 186 ++++++++++++++++++
 .../strategy/manual_commit_opf_prompt_test.go | 150 ++++++++++++++
 cmd/entire/cli/strategy/manual_commit_push.go |  72 ++++---
 docs/security-and-privacy.md                  |  20 ++
 6 files changed, 471 insertions(+), 24 deletions(-)
 create mode 100644 cmd/entire/cli/strategy/manual_commit_opf_prompt.go
 create mode 100644 cmd/entire/cli/strategy/manual_commit_opf_prompt_test.go

diff --git a/cmd/entire/cli/settings/settings.go b/cmd/entire/cli/settings/settings.go
index 11ffd3de0c..e9d134e05c 100644
--- a/cmd/entire/cli/settings/settings.go
+++ b/cmd/entire/cli/settings/settings.go
@@ -220,8 +220,22 @@ type OPFSettings struct {
 	Categories     map[string]bool `json:"categories,omitempty"`
 	Command        string          `json:"command,omitempty"`
 	TimeoutSeconds int             `json:"timeout_seconds,omitempty"`
+
+	// PromptDefault controls whether the pre-push hook asks the user
+	// before running OPF. "" (default) and "ask" both surface the
+	// interactive prompt; "always" runs without asking; "never" skips
+	// OPF and pushes 7-layer content. ENTIRE_OPF=yes|no on the push
+	// invocation overrides this setting per-push.
+	PromptDefault string `json:"prompt_default,omitempty"`
 }
 
+// Valid PromptDefault values. Empty == OPFPromptAsk.
+const (
+	OPFPromptAsk    = "ask"
+	OPFPromptAlways = "always"
+	OPFPromptNever  = "never"
+)
+
 // GetCommitLinking returns the effective commit linking mode.
 // Returns the explicit value if set, otherwise defaults to "prompt"
 // to preserve existing user behavior.
@@ -846,6 +860,13 @@ func validateOPFSettings(opf *OPFSettings) error {
 			return fmt.Errorf("openai_privacy_filter.categories has unknown key %q (see docs/security-and-privacy.md for the supported set)", name)
 		}
 	}
+	switch opf.PromptDefault {
+	case "", OPFPromptAsk, OPFPromptAlways, OPFPromptNever:
+		// ok
+	default:
+		return fmt.Errorf("openai_privacy_filter.prompt_default must be one of %q, %q, %q (got %q)",
+			OPFPromptAsk, OPFPromptAlways, OPFPromptNever, opf.PromptDefault)
+	}
 	return nil
 }
 
@@ -884,6 +905,11 @@ func mergeOPFSettings(dst *OPFSettings, data json.RawMessage) error {
 			return fmt.Errorf("parsing openai_privacy_filter.timeout_seconds: %w", err)
 		}
 	}
+	if v, ok := raw["prompt_default"]; ok {
+		if err := json.Unmarshal(v, &dst.PromptDefault); err != nil {
+			return fmt.Errorf("parsing openai_privacy_filter.prompt_default: %w", err)
+		}
+	}
 	return validateOPFSettings(dst)
 }
 
diff --git a/cmd/entire/cli/settings/settings_test.go b/cmd/entire/cli/settings/settings_test.go
index df25c70192..377f818b8e 100644
--- a/cmd/entire/cli/settings/settings_test.go
+++ b/cmd/entire/cli/settings/settings_test.go
@@ -1133,6 +1133,47 @@ func TestLoadFromBytes_OPFSettings_RejectsOnFailureField(t *testing.T) {
 	}
 }
 
+// TestLoadFromBytes_OPFSettings_PromptDefault covers parsing + validation
+// of the prompt_default field added for the pre-push prompt UX. Empty is
+// allowed (treated as "ask"); ask/always/never are the only valid values.
+func TestLoadFromBytes_OPFSettings_PromptDefault(t *testing.T) {
+	t.Parallel()
+	cases := []struct {
+		name    string
+		value   string
+		wantErr bool
+		wantVal string
+	}{
+		{name: "ask", value: `"ask"`, wantVal: "ask"},
+		{name: "always", value: `"always"`, wantVal: "always"},
+		{name: "never", value: `"never"`, wantVal: "never"},
+		{name: "empty_string_allowed_as_ask", value: `""`, wantVal: ""},
+		{name: "bogus_value_rejected", value: `"sometimes"`, wantErr: true},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			body := []byte(`{"redaction":{"openai_privacy_filter":{"prompt_default":` + tc.value + `}}}`)
+			s, err := LoadFromBytes(body)
+			if tc.wantErr {
+				if err == nil {
+					t.Fatalf("expected error for %q, got nil", tc.value)
+				}
+				return
+			}
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+			if s.Redaction == nil || s.Redaction.OpenAIPrivacyFilter == nil {
+				t.Fatal("OPF settings not parsed")
+			}
+			if got := s.Redaction.OpenAIPrivacyFilter.PromptDefault; got != tc.wantVal {
+				t.Errorf("PromptDefault = %q, want %q", got, tc.wantVal)
+			}
+		})
+	}
+}
+
 // TestLoadFromBytes_OPFSettings_Merge verifies override semantics for the
 // merge path (settings.local.json on top of settings.json): present fields
 // override, omitted fields preserve, categories merge per-key.
diff --git a/cmd/entire/cli/strategy/manual_commit_opf_prompt.go b/cmd/entire/cli/strategy/manual_commit_opf_prompt.go
new file mode 100644
index 0000000000..983f254474
--- /dev/null
+++ b/cmd/entire/cli/strategy/manual_commit_opf_prompt.go
@@ -0,0 +1,186 @@
+package strategy
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"log/slog"
+	"os"
+	"strings"
+
+	"charm.land/huh/v2"
+	"github.com/entireio/cli/cmd/entire/cli/interactive"
+	"github.com/entireio/cli/cmd/entire/cli/logging"
+	"github.com/entireio/cli/cmd/entire/cli/settings"
+)
+
+// OPFDecision is the resolved gate for a single pre-push OPF run.
+type OPFDecision int
+
+const (
+	OPFRun   OPFDecision = iota // run the rewrite, push 8-layer
+	OPFSkip                     // skip the rewrite, push 7-layer
+	OPFAbort                    // cancel the push entirely (Ctrl-C / non-TTY abort)
+)
+
+const envOPF = "ENTIRE_OPF"
+
+// resolveOPFDecision picks the run/skip/abort gate. Precedence (highest
+// first): ENTIRE_OPF env var → settings.PromptDefault → interactive
+// prompt → non-TTY fallback (run).
+//
+// Pure logic — prompter is only called when the user needs to decide.
+// Tests inject a fake.
+func resolveOPFDecision(env, promptDefault string, hasTTY bool, prompter func() (OPFDecision, error)) (OPFDecision, error) {
+	switch strings.ToLower(strings.TrimSpace(env)) {
+	case "yes":
+		return OPFRun, nil
+	case "no":
+		return OPFSkip, nil
+	}
+	switch strings.ToLower(strings.TrimSpace(promptDefault)) {
+	case settings.OPFPromptAlways:
+		return OPFRun, nil
+	case settings.OPFPromptNever:
+		return OPFSkip, nil
+	}
+	if !hasTTY {
+		// Non-interactive context: run OPF (matches the user's "if
+		// enabled, just run" preference). The caller emits a progress
+		// line at run time so scripted output isn't silent.
+		return OPFRun, nil
+	}
+	return prompter()
+}
+
+// resolveOPFDecisionForPrePush is the production wiring: reads env +
+// settings + TTY, calls askOPFPrompt when interactive, emits a stderr
+// progress line on the non-TTY auto-run path. errOut receives the
+// progress line (only printed when we'll actually run + the caller is
+// non-interactive).
+func resolveOPFDecisionForPrePush(ctx context.Context, opf *settings.OPFSettings, errOut io.Writer) (OPFDecision, error) {
+	hasTTY := interactive.CanPromptInteractively()
+	promptDefault := ""
+	if opf != nil {
+		promptDefault = opf.PromptDefault
+	}
+	d, err := resolveOPFDecision(
+		os.Getenv(envOPF),
+		promptDefault,
+		hasTTY,
+		func() (OPFDecision, error) { return askOPFPrompt(ctx, isAccessibleMode()) },
+	)
+	if err != nil {
+		return OPFAbort, err
+	}
+	if d == OPFRun && !hasTTY {
+		fmt.Fprintln(errOut, "→ OpenAI Privacy Filter: scanning checkpoints before push (may take ~30s)…")
+	}
+	return d, nil
+}
+
+// askOPFPrompt shows the 3-option huh form. Ctrl-C / SIGINT returns
+// OPFAbort. Selecting "Always" persists prompt_default=always to
+// .entire/settings.local.json so future pushes don't ask.
+//
+// Style matches other entire CLI prompts: Dracula theme via
+// huh.ThemeDracula (the same theme cli.NewAccessibleForm applies for
+// callers in the cli package). Strategy can't import cli (cycle), so
+// we apply the theme inline.
+func askOPFPrompt(ctx context.Context, accessible bool) (OPFDecision, error) {
+	const (
+		choiceYes    = "yes"
+		choiceNo     = "no"
+		choiceAlways = "always"
+	)
+	choice := choiceYes
+	form := huh.NewForm(
+		huh.NewGroup(
+			huh.NewSelect[string]().
+				Title("Run OpenAI Privacy Filter on these checkpoints?").
+				Description("Adds ~30s but redacts names/PII the regex layers can't catch. Ctrl-C to cancel the push.").
+				Options(
+					huh.NewOption("Yes — run OPF this push", choiceYes),
+					huh.NewOption("No — skip OPF, push as-is", choiceNo),
+					huh.NewOption("Always — run OPF on every push from now on", choiceAlways),
+				).
+				Value(&choice),
+		),
+	).WithTheme(huh.ThemeFunc(huh.ThemeDracula))
+	if accessible {
+		form = form.WithAccessible(true)
+	}
+	if err := form.Run(); err != nil {
+		if errors.Is(err, huh.ErrUserAborted) {
+			return OPFAbort, nil
+		}
+		return OPFAbort, fmt.Errorf("opf prompt: %w", err)
+	}
+	if choice == choiceAlways {
+		if err := persistOPFPromptDefaultAlways(ctx); err != nil {
+			logging.Warn(ctx, "failed to persist OPF prompt_default=always",
+				slog.String("error", err.Error()))
+		}
+	}
+	if choice == choiceNo {
+		return OPFSkip, nil
+	}
+	return OPFRun, nil
+}
+
+// persistOPFPromptDefaultAlways writes
+// redaction.openai_privacy_filter.prompt_default = "always" to
+// .entire/settings.local.json, preserving any unrelated fields by
+// using a generic JSON-map round-trip.
+func persistOPFPromptDefaultAlways(ctx context.Context) error {
+	path, raw, _, err := settings.LoadLocalRaw(ctx)
+	if err != nil {
+		return fmt.Errorf("load local settings: %w", err)
+	}
+	if raw == nil {
+		raw = map[string]json.RawMessage{}
+	}
+	redactionRaw := readSubObject(raw, "redaction")
+	opfRaw := readSubObject(redactionRaw, "openai_privacy_filter")
+
+	val, err := json.Marshal(settings.OPFPromptAlways)
+	if err != nil {
+		return fmt.Errorf("marshal prompt_default: %w", err)
+	}
+	opfRaw["prompt_default"] = val
+
+	if err := writeSubObject(redactionRaw, "openai_privacy_filter", opfRaw); err != nil {
+		return err
+	}
+	if err := writeSubObject(raw, "redaction", redactionRaw); err != nil {
+		return err
+	}
+	if err := settings.SaveProjectRaw(path, raw); err != nil {
+		return fmt.Errorf("save local settings: %w", err)
+	}
+	return nil
+}
+
+func readSubObject(parent map[string]json.RawMessage, key string) map[string]json.RawMessage {
+	sub := map[string]json.RawMessage{}
+	data, ok := parent[key]
+	if !ok {
+		return sub
+	}
+	// Malformed sub-object → fresh map (we'll overwrite the slot).
+	if err := json.Unmarshal(data, &sub); err != nil {
+		return map[string]json.RawMessage{}
+	}
+	return sub
+}
+
+func writeSubObject(parent map[string]json.RawMessage, key string, sub map[string]json.RawMessage) error {
+	data, err := json.Marshal(sub)
+	if err != nil {
+		return fmt.Errorf("marshal %s: %w", key, err)
+	}
+	parent[key] = data
+	return nil
+}
diff --git a/cmd/entire/cli/strategy/manual_commit_opf_prompt_test.go b/cmd/entire/cli/strategy/manual_commit_opf_prompt_test.go
new file mode 100644
index 0000000000..38fb76a045
--- /dev/null
+++ b/cmd/entire/cli/strategy/manual_commit_opf_prompt_test.go
@@ -0,0 +1,150 @@
+package strategy
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/entireio/cli/cmd/entire/cli/paths"
+	"github.com/entireio/cli/cmd/entire/cli/settings"
+	"github.com/stretchr/testify/require"
+)
+
+// resolveOPFDecision is the pure-logic core: env > settings > prompt >
+// non-TTY auto-run. Table-driven because every case is just a different
+// (env, setting, tty, prompter) input combination.
+func TestResolveOPFDecision_Precedence(t *testing.T) {
+	t.Parallel()
+
+	const promptCalled = OPFDecision(-1) // sentinel; only used when prompter fires
+	promptYes := func() (OPFDecision, error) { return OPFRun, nil }
+	promptNo := func() (OPFDecision, error) { return OPFSkip, nil }
+	promptAbort := func() (OPFDecision, error) { return OPFAbort, nil }
+	promptErr := func() (OPFDecision, error) { return OPFAbort, errors.New("boom") }
+	promptNever := func() (OPFDecision, error) {
+		t.Helper()
+		t.Fatal("prompter must not be called")
+		return promptCalled, nil
+	}
+
+	cases := []struct {
+		name           string
+		env            string
+		promptDefault  string
+		hasTTY         bool
+		prompter       func() (OPFDecision, error)
+		want           OPFDecision
+		wantErr        bool
+		wantErrMessage string
+	}{
+		// Env wins everywhere
+		{name: "env_yes_wins_over_setting_never", env: "yes", promptDefault: settings.OPFPromptNever, hasTTY: true, prompter: promptNever, want: OPFRun},
+		{name: "env_no_wins_over_setting_always", env: "no", promptDefault: settings.OPFPromptAlways, hasTTY: true, prompter: promptNever, want: OPFSkip},
+		{name: "env_yes_case_insensitive", env: "YES", promptDefault: "", hasTTY: false, prompter: promptNever, want: OPFRun},
+		{name: "env_no_with_whitespace", env: "  no  ", promptDefault: "", hasTTY: false, prompter: promptNever, want: OPFSkip},
+		// Setting wins over prompt
+		{name: "setting_always_skips_prompt", env: "", promptDefault: settings.OPFPromptAlways, hasTTY: true, prompter: promptNever, want: OPFRun},
+		{name: "setting_never_skips_prompt", env: "", promptDefault: settings.OPFPromptNever, hasTTY: true, prompter: promptNever, want: OPFSkip},
+		// Non-TTY fallback: run (matches the "if enabled, just run" semantics)
+		{name: "no_tty_auto_runs", env: "", promptDefault: "", hasTTY: false, prompter: promptNever, want: OPFRun},
+		{name: "no_tty_ignores_ask_setting", env: "", promptDefault: settings.OPFPromptAsk, hasTTY: false, prompter: promptNever, want: OPFRun},
+		// TTY + ask → prompter is called
+		{name: "tty_ask_user_chose_yes", env: "", promptDefault: settings.OPFPromptAsk, hasTTY: true, prompter: promptYes, want: OPFRun},
+		{name: "tty_ask_user_chose_no", env: "", promptDefault: settings.OPFPromptAsk, hasTTY: true, prompter: promptNo, want: OPFSkip},
+		{name: "tty_ask_user_aborted", env: "", promptDefault: settings.OPFPromptAsk, hasTTY: true, prompter: promptAbort, want: OPFAbort},
+		// TTY + empty setting == ask
+		{name: "tty_empty_setting_treated_as_ask", env: "", promptDefault: "", hasTTY: true, prompter: promptYes, want: OPFRun},
+		// Prompter errors propagate
+		{name: "prompter_error", env: "", promptDefault: "", hasTTY: true, prompter: promptErr, want: OPFAbort, wantErr: true, wantErrMessage: "boom"},
+		// Unrecognized env values fall through to next layer
+		{name: "env_bogus_falls_through_to_setting", env: "maybe", promptDefault: settings.OPFPromptAlways, hasTTY: true, prompter: promptNever, want: OPFRun},
+		{name: "env_empty_falls_through_to_setting", env: "", promptDefault: settings.OPFPromptAlways, hasTTY: true, prompter: promptNever, want: OPFRun},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			got, err := resolveOPFDecision(tc.env, tc.promptDefault, tc.hasTTY, tc.prompter)
+			if tc.wantErr {
+				require.Error(t, err)
+				if tc.wantErrMessage != "" {
+					require.Contains(t, err.Error(), tc.wantErrMessage)
+				}
+			} else {
+				require.NoError(t, err)
+			}
+			require.Equal(t, tc.want, got, "decision")
+		})
+	}
+}
+
+// TestPersistOPFPromptDefaultAlways_WritesNestedField verifies that the
+// "Always" branch updates redaction.openai_privacy_filter.prompt_default
+// in .entire/settings.local.json without disturbing other fields.
+//
+// Modifies process cwd (no t.Parallel), but uses t.Chdir so subsequent
+// tests see the reverted cwd.
+func TestPersistOPFPromptDefaultAlways_WritesNestedField(t *testing.T) {
+	tempDir := t.TempDir()
+	require.NoError(t, os.MkdirAll(filepath.Join(tempDir, paths.EntireDir), 0o755))
+	// Seed an existing settings.local.json with some unrelated content
+	// so we can verify it survives the write.
+	existing := `{
+  "enabled": true,
+  "redaction": {
+    "openai_privacy_filter": {
+      "categories": {"private_person": true}
+    }
+  }
+}`
+	localPath := filepath.Join(tempDir, paths.EntireDir, "settings.local.json")
+	require.NoError(t, os.WriteFile(localPath, []byte(existing), 0o644))
+	t.Chdir(tempDir)
+
+	require.NoError(t, persistOPFPromptDefaultAlways(context.Background()))
+
+	got, err := os.ReadFile(localPath)
+	require.NoError(t, err)
+
+	// Parse and verify structure: enabled stays true, categories stay,
+	// new prompt_default key present with "always".
+	var parsed struct {
+		Enabled   bool `json:"enabled"`
+		Redaction struct {
+			OPF struct {
+				Categories    map[string]bool `json:"categories"`
+				PromptDefault string          `json:"prompt_default"`
+			} `json:"openai_privacy_filter"`
+		} `json:"redaction"`
+	}
+	require.NoError(t, json.Unmarshal(got, &parsed))
+	require.True(t, parsed.Enabled, "existing enabled field must survive")
+	require.True(t, parsed.Redaction.OPF.Categories["private_person"], "existing categories must survive")
+	require.Equal(t, settings.OPFPromptAlways, parsed.Redaction.OPF.PromptDefault)
+}
+
+// TestPersistOPFPromptDefaultAlways_CreatesFileFromScratch covers the
+// fresh-install path where .entire/settings.local.json doesn't exist yet.
+func TestPersistOPFPromptDefaultAlways_CreatesFileFromScratch(t *testing.T) {
+	tempDir := t.TempDir()
+	require.NoError(t, os.MkdirAll(filepath.Join(tempDir, paths.EntireDir), 0o755))
+	t.Chdir(tempDir)
+
+	require.NoError(t, persistOPFPromptDefaultAlways(context.Background()))
+
+	localPath := filepath.Join(tempDir, paths.EntireDir, "settings.local.json")
+	got, err := os.ReadFile(localPath)
+	require.NoError(t, err, "settings.local.json should be created")
+
+	var parsed struct {
+		Redaction struct {
+			OPF struct {
+				PromptDefault string `json:"prompt_default"`
+			} `json:"openai_privacy_filter"`
+		} `json:"redaction"`
+	}
+	require.NoError(t, json.Unmarshal(got, &parsed))
+	require.Equal(t, settings.OPFPromptAlways, parsed.Redaction.OPF.PromptDefault)
+}
diff --git a/cmd/entire/cli/strategy/manual_commit_push.go b/cmd/entire/cli/strategy/manual_commit_push.go
index a8fe78428d..f52793827b 100644
--- a/cmd/entire/cli/strategy/manual_commit_push.go
+++ b/cmd/entire/cli/strategy/manual_commit_push.go
@@ -2,7 +2,9 @@ package strategy
 
 import (
 	"context"
+	"errors"
 	"log/slog"
+	"os"
 
 	"github.com/entireio/cli/cmd/entire/cli/logging"
 	"github.com/entireio/cli/cmd/entire/cli/paths"
@@ -11,6 +13,11 @@ import (
 	"github.com/entireio/cli/redact"
 )
 
+// errOPFAbortedByUser is returned when the user chose Abort (or pressed
+// Ctrl-C) at the OPF prompt. PrePush returns it verbatim; the hook
+// command propagates the non-zero exit code so git push aborts.
+var errOPFAbortedByUser = errors.New("OPF prompt aborted by user; push cancelled")
+
 // PrePush is called by the git pre-push hook before pushing to a remote.
 // It pushes the entire/checkpoints/v1 branch alongside the user's push (unless
 // v1 writes are disabled by checkpoints_version: 2), and pushes v2 refs whenever
@@ -34,35 +41,52 @@ func (s *ManualCommitStrategy) PrePush(ctx context.Context, remote string) error
 	}
 
 	if settings.CheckpointsVersion(ctx) != 2 {
-		// OPF pre-push rewrite: if OPF is configured, re-redact unpushed
-		// v1 commits with the 8-layer pipeline before pushing. Skipped
-		// entirely when OPF is off, so the common-case fast path is
-		// unchanged. The rewrite returns sentinel errors for diverged
-		// remote, oversized bootstrap, and CAS conflict — these MUST
-		// abort the user's git push, otherwise the remote would receive
-		// 7-layer content when the user enabled OPF expecting 8-layer.
-		// Return them up so the hook command exits non-zero and the
-		// hook script propagates the exit code; see hooks.go's prePushCmd.
+		// OPF pre-push rewrite: if OPF is configured, resolve the
+		// user's decision (env > settings > prompt > non-TTY auto-run),
+		// then re-redact unpushed v1 commits with the 8-layer pipeline
+		// before pushing. Skipped entirely when OPF is off, so the
+		// common-case fast path is unchanged.
 		if redact.OPFEnabled() {
-			_, opfSpan := perf.Start(ctx, "opf_pre_push_rewrite")
-			repo, repoErr := OpenRepository(ctx)
-			if repoErr != nil {
-				opfSpan.RecordError(repoErr)
-				opfSpan.End()
-				logging.Warn(ctx, "OPF pre-push: failed to open repo; aborting push",
-					slog.String("error", repoErr.Error()),
+			s, _ := settings.Load(ctx) //nolint:errcheck // Load already failed at hook init; fall back to nil
+			var opfCfg *settings.OPFSettings
+			if s != nil && s.Redaction != nil {
+				opfCfg = s.Redaction.OpenAIPrivacyFilter
+			}
+			decision, decisionErr := resolveOPFDecisionForPrePush(ctx, opfCfg, os.Stderr)
+			if decisionErr != nil {
+				logging.Warn(ctx, "OPF pre-push decision failed; aborting push",
+					slog.String("error", decisionErr.Error()),
 				)
-				return repoErr
+				return decisionErr
 			}
-			if _, rewriteErr := RewriteUnpushedV1WithOPF(ctx, repo, ps.pushTarget()); rewriteErr != nil {
-				opfSpan.RecordError(rewriteErr)
+			switch decision {
+			case OPFAbort:
+				return errOPFAbortedByUser
+			case OPFSkip:
+				// User opted out for this push (or settings/env say
+				// "never"). Push 7-layer content as-is.
+				logging.Info(ctx, "OPF skipped for this push (user choice or settings)")
+			case OPFRun:
+				_, opfSpan := perf.Start(ctx, "opf_pre_push_rewrite")
+				repo, repoErr := OpenRepository(ctx)
+				if repoErr != nil {
+					opfSpan.RecordError(repoErr)
+					opfSpan.End()
+					logging.Warn(ctx, "OPF pre-push: failed to open repo; aborting push",
+						slog.String("error", repoErr.Error()),
+					)
+					return repoErr
+				}
+				if _, rewriteErr := RewriteUnpushedV1WithOPF(ctx, repo, ps.pushTarget()); rewriteErr != nil {
+					opfSpan.RecordError(rewriteErr)
+					opfSpan.End()
+					logging.Warn(ctx, "OPF pre-push rewrite failed; aborting push",
+						slog.String("error", rewriteErr.Error()),
+					)
+					return rewriteErr
+				}
 				opfSpan.End()
-				logging.Warn(ctx, "OPF pre-push rewrite failed; aborting push",
-					slog.String("error", rewriteErr.Error()),
-				)
-				return rewriteErr
 			}
-			opfSpan.End()
 		}
 
 		// Push the checkpoint branch. This is best-effort — failures here
diff --git a/docs/security-and-privacy.md b/docs/security-and-privacy.md
index b0b47f1ebb..8f6e4fd6e2 100644
--- a/docs/security-and-privacy.md
+++ b/docs/security-and-privacy.md
@@ -128,6 +128,26 @@ Full settings reference:
 
 - `command` — path or PATH-resolvable name of the `opf` binary. Defaults to `opf`.
 - `timeout_seconds` — per-invocation timeout. Defaults to `30`.
+- `prompt_default` — `"ask"` (default), `"always"`, or `"never"`. Controls whether the pre-push hook surfaces an interactive prompt before running OPF. `ENTIRE_OPF=yes` or `ENTIRE_OPF=no` on a single `git push` invocation overrides this for that push only.
+
+The interactive prompt offers three options and reacts to **Ctrl-C** for cancellation:
+
+```
+Run OpenAI Privacy Filter on these checkpoints?
+Adds ~30s but redacts names/PII the regex layers can't catch.
+Ctrl-C to cancel the push.
+
+  ▸ Yes — run OPF this push
+    No — skip OPF, push as-is
+    Always — run OPF on every push from now on
+```
+
+- **Yes** runs OPF for this push only.
+- **No** skips OPF for this push only; the 7-layer-redacted content reaches the remote.
+- **Always** runs OPF this push AND writes `prompt_default: "always"` to `.entire/settings.local.json` so future pushes don't ask.
+- **Ctrl-C** aborts the push entirely — `git push` exits non-zero, no refs go to the remote.
+
+Non-interactive contexts (CI, scripted pipes with no TTY) skip the prompt and run OPF automatically when enabled, printing `→ OpenAI Privacy Filter: scanning checkpoints…` to stderr so the wait isn't silent. Set `ENTIRE_OPF=no` to skip OPF in those contexts without disabling the feature globally.
 
 There is no `on_failure` setting; warn-on-failure is the only mode supported today. If OPF is not on PATH, fails to start, or times out, Entire prints a one-line `× OpenAI Privacy Filter unavailable …` notice and continues with the seven built-in layers. A per-process circuit breaker disables OPF for the remainder of the invocation after the first failure, so a broken install costs one warning rather than one timeout per redaction call.
 

From 6d54ea44fa1e36943d4b207331f6d8af1db2d0f7 Mon Sep 17 00:00:00 2001
From: Peyton Montei <peyton@entire.io>
Date: Fri, 15 May 2026 17:09:30 -0400
Subject: [PATCH 09/11] perf(redact): scope OPF rewrite to the commit's own
 shard
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The tree walker was redacting every .jsonl/.txt blob in the cumulative
v1 tree of each rewritten commit, including files belonging to shards
that were pushed in prior commits (and may or may not have been
OPF-applied already). Empirically: 1 new commit with 3 pre-existing
shards in the tree → 12 OPF calls instead of 2.

With real OPF at ~30s cold start per shell-out, a typical push with
10 prior shards would burn ~5 minutes of inference time re-redacting
content that was already on the remote.

Fix: parse the checkpoint ID from the commit's "Checkpoint: <id>"
subject and only redact files at paths under the target shard
(<id[:2]>/<id[2:]>/*). Other shards in the tree are copied verbatim
into the new tree — their bytes are unchanged, so they reuse existing
blobs (and the corresponding tree nodes) without any OPF cost.

The conservative fallback (walk-everything) is preserved for commits
without a recognizable Checkpoint: subject — e.g., the
"Initialize sessions branch" bootstrap commit has an empty tree
anyway, so the fallback costs zero OPF calls.

End-to-end measurement (fake opf logs each call):
- Before: 12 calls for 1 new commit on a tree with 3 prior shards
- After: 2 calls (the commit's own full.jsonl + prompt.txt)

Tests added:
- TestParseShardPathFromCommitMessage covers the subject parser
  (valid hex id, missing prefix, wrong length, non-hex, uppercase
  rejected, empty message).
- TestShouldDescendAndInsideShard pins the recursion predicates:
  descend into ancestors/target/descendants, copy siblings; redact
  files inside the shard, copy files outside.
- TestShardScopeEmptyShardPathIsPermissive locks down the
  walk-everything fallback for bootstrap commits.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../cli/strategy/manual_commit_opf_rewrite.go | 104 ++++++++++++++++--
 .../manual_commit_opf_rewrite_test.go         |  64 +++++++++++
 2 files changed, 160 insertions(+), 8 deletions(-)

diff --git a/cmd/entire/cli/strategy/manual_commit_opf_rewrite.go b/cmd/entire/cli/strategy/manual_commit_opf_rewrite.go
index 76c79da42a..39826057d2 100644
--- a/cmd/entire/cli/strategy/manual_commit_opf_rewrite.go
+++ b/cmd/entire/cli/strategy/manual_commit_opf_rewrite.go
@@ -248,6 +248,13 @@ func listUnpushedV1Commits(repo *git.Repository, localTip, remoteTip plumbing.Ha
 // rebuildV1Commit re-parents the commit onto parent. Already-applied
 // commits keep their tree (idempotent); unapplied commits get an
 // OPF-redacted tree + Entire-OPF-Applied: true trailer.
+//
+// Performance: we only redact files inside THIS commit's shard
+// (sharded layout: <id[:2]>/<id[2:]>/*). Files outside that shard live
+// at the same tree because git trees accumulate parent content — they
+// belong to other commits and either are already redacted (prior
+// OPF-applied push) or never will be (this user opted out then in).
+// Walking them every push is O(N×commits) work for no privacy gain.
 func rebuildV1Commit(ctx context.Context, repo *git.Repository, oldCommit *object.Commit, parent plumbing.Hash) (plumbing.Hash, error) {
 	newTree := oldCommit.TreeHash
 	if !trailers.HasOPFApplied(oldCommit.Message) {
@@ -255,7 +262,12 @@ func rebuildV1Commit(ctx context.Context, repo *git.Repository, oldCommit *objec
 		if err != nil {
 			return plumbing.ZeroHash, fmt.Errorf("load tree: %w", err)
 		}
-		newTree, err = rebuildTreeWithOPF(ctx, repo, tree, "")
+		// Parse the shard path from the commit subject. Falls back to
+		// "" (walk everything) for bootstrap commits and unrecognized
+		// subjects — the conservative default still produces correct
+		// output, just slower.
+		shardPath := parseShardPathFromCommitMessage(oldCommit.Message)
+		newTree, err = rebuildTreeWithOPF(ctx, repo, tree, "", shardPath)
 		if err != nil {
 			return plumbing.ZeroHash, err
 		}
@@ -283,15 +295,43 @@ func rebuildV1Commit(ctx context.Context, repo *git.Repository, oldCommit *objec
 	return hash, nil
 }
 
+// parseShardPathFromCommitMessage extracts the sharded path
+// "<id[:2]>/<id[2:]>" from a "Checkpoint: <id>" subject line.
+// Returns "" when the subject doesn't match (bootstrap commits, or
+// historical commits with a different format) — callers walk the
+// whole tree in that case.
+func parseShardPathFromCommitMessage(message string) string {
+	firstLine, _, _ := strings.Cut(message, "\n")
+	const prefix = "Checkpoint: "
+	if !strings.HasPrefix(firstLine, prefix) {
+		return ""
+	}
+	id := strings.TrimSpace(firstLine[len(prefix):])
+	if len(id) != 12 {
+		return ""
+	}
+	for _, c := range id {
+		if (c < '0' || c > '9') && (c < 'a' || c > 'f') {
+			return ""
+		}
+	}
+	return id[:2] + "/" + id[2:]
+}
+
 // rebuildTreeWithOPF walks a tree and produces a new tree with
 // OPF-redacted file blobs. content_hash.txt files are recomputed in a
 // second pass against the new full.jsonl in the same directory.
 //
-// Path-specific behavior:
+// shardPath scopes the walk: only files at paths starting with
+// shardPath get redacted; other shards (and the root-level entries
+// outside the shard) are copied verbatim. Empty shardPath means walk
+// everything (used for bootstrap/unknown-subject commits).
+//
+// Path-specific behavior (when in the target shard):
 //   - *.jsonl, *.txt → redacted via checkpoint.RedactBlobBytes (OPF on)
 //   - content_hash.txt → SHA256 of the sibling full.jsonl's new bytes
 //   - other files (metadata.json, *.json) → copied verbatim (no user text)
-func rebuildTreeWithOPF(ctx context.Context, repo *git.Repository, tree *object.Tree, pathPrefix string) (plumbing.Hash, error) {
+func rebuildTreeWithOPF(ctx context.Context, repo *git.Repository, tree *object.Tree, pathPrefix, shardPath string) (plumbing.Hash, error) {
 	entries := make([]object.TreeEntry, 0, len(tree.Entries))
 	// deferredHashes records indexes of content_hash.txt entries we
 	// need to recompute after the full.jsonl in the same dir is built.
@@ -306,21 +346,35 @@ func rebuildTreeWithOPF(ctx context.Context, repo *git.Repository, tree *object.
 	for _, e := range tree.Entries {
 		switch e.Mode { //nolint:exhaustive // non-tree/blob modes fall through to copy
 		case filemode.Dir:
-			subTree, err := repo.TreeObject(e.Hash)
-			if err != nil {
-				return plumbing.ZeroHash, fmt.Errorf("load subtree %s/%s: %w", pathPrefix, e.Name, err)
-			}
 			subPath := e.Name
 			if pathPrefix != "" {
 				subPath = pathPrefix + "/" + e.Name
 			}
-			newSub, err := rebuildTreeWithOPF(ctx, repo, subTree, subPath)
+			// Shard-scoping: only descend into directories that lead
+			// to the target shard, the shard itself, or its
+			// descendants. Other shard subtrees stay byte-identical.
+			if !shouldDescend(subPath, shardPath) {
+				entries = append(entries, e)
+				continue
+			}
+			subTree, err := repo.TreeObject(e.Hash)
+			if err != nil {
+				return plumbing.ZeroHash, fmt.Errorf("load subtree %s/%s: %w", pathPrefix, e.Name, err)
+			}
+			newSub, err := rebuildTreeWithOPF(ctx, repo, subTree, subPath, shardPath)
 			if err != nil {
 				return plumbing.ZeroHash, err
 			}
 			entries = append(entries, object.TreeEntry{Name: e.Name, Mode: e.Mode, Hash: newSub})
 
 		case filemode.Regular, filemode.Executable:
+			// Outside the target shard: copy verbatim. Inside (or when
+			// shardPath is empty for the bootstrap fallback): redact
+			// per file type.
+			if !insideShard(pathPrefix, shardPath) {
+				entries = append(entries, e)
+				continue
+			}
 			switch {
 			case e.Name == paths.ContentHashFileName:
 				deferredHashes = append(deferredHashes, deferred{idx: len(entries), entryName: e.Name, entryMode: e.Mode})
@@ -375,6 +429,40 @@ func rebuildTreeWithOPF(ctx context.Context, repo *git.Repository, tree *object.
 	return hash, nil
 }
 
+// shouldDescend reports whether the walker should recurse into a
+// directory at path. With an empty shardPath we descend everywhere
+// (bootstrap fallback). Otherwise we descend only into the target
+// shard, its ancestors (so we can reach it), and its descendants.
+func shouldDescend(path, shardPath string) bool {
+	if shardPath == "" || path == "" {
+		// shardPath="" means "no scoping" (bootstrap fallback);
+		// path=="" is the root, which is the ancestor of every shard.
+		return true
+	}
+	if path == shardPath {
+		return true
+	}
+	// ancestor of shardPath: shardPath starts with path + "/"
+	if strings.HasPrefix(shardPath+"/", path+"/") {
+		return true
+	}
+	// descendant of shardPath: path starts with shardPath + "/"
+	return strings.HasPrefix(path+"/", shardPath+"/")
+}
+
+// insideShard reports whether file blobs at pathPrefix should be
+// redacted. Empty shardPath means "redact everywhere"; otherwise the
+// path must equal shardPath or be a descendant of it.
+func insideShard(pathPrefix, shardPath string) bool {
+	if shardPath == "" {
+		return true
+	}
+	if pathPrefix == shardPath {
+		return true
+	}
+	return strings.HasPrefix(pathPrefix+"/", shardPath+"/")
+}
+
 func readBlob(repo *git.Repository, hash plumbing.Hash) ([]byte, error) {
 	blob, err := repo.BlobObject(hash)
 	if err != nil {
diff --git a/cmd/entire/cli/strategy/manual_commit_opf_rewrite_test.go b/cmd/entire/cli/strategy/manual_commit_opf_rewrite_test.go
index 99f1f3dd29..572c69bfdc 100644
--- a/cmd/entire/cli/strategy/manual_commit_opf_rewrite_test.go
+++ b/cmd/entire/cli/strategy/manual_commit_opf_rewrite_test.go
@@ -310,6 +310,70 @@ func TestRewriteUnpushedV1WithOPF_BootstrapCap(t *testing.T) {
 	}
 }
 
+// Shard scoping: the rewrite only touches files inside the current
+// commit's own shard. Files belonging to other shards (sitting in the
+// cumulative tree because git trees accumulate) are copied verbatim,
+// so a push doesn't pay O(N) OPF cold-starts per commit.
+func TestParseShardPathFromCommitMessage(t *testing.T) {
+	t.Parallel()
+	cases := []struct {
+		name, msg, want string
+	}{
+		{name: "valid", msg: "Checkpoint: a1b2c3d4e5f6\n\nEntire-Session: s\n", want: "a1/b2c3d4e5f6"},
+		{name: "trailing_space", msg: "Checkpoint: a1b2c3d4e5f6   \n", want: "a1/b2c3d4e5f6"},
+		{name: "missing_prefix", msg: "Initialize sessions branch\n", want: ""},
+		{name: "too_short", msg: "Checkpoint: abc123\n", want: ""},
+		{name: "uppercase_rejected", msg: "Checkpoint: A1B2C3D4E5F6\n", want: ""},
+		{name: "non_hex", msg: "Checkpoint: gghhiijjkkll\n", want: ""},
+		{name: "empty_message", msg: "", want: ""},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			require.Equal(t, tc.want, parseShardPathFromCommitMessage(tc.msg))
+		})
+	}
+}
+
+// Shard-scoping invariants: descend into ancestors-of, the target, and
+// descendants-of the target shard; copy everything else verbatim.
+func TestShouldDescendAndInsideShard(t *testing.T) {
+	t.Parallel()
+	const shard = "a1/b2c3d4e5f6"
+	cases := []struct {
+		name    string
+		path    string
+		descend bool
+		inside  bool
+	}{
+		{name: "root_is_ancestor", path: "", descend: true, inside: false},
+		{name: "shard_prefix_is_ancestor", path: "a1", descend: true, inside: false},
+		{name: "shard_root_is_target", path: shard, descend: true, inside: true},
+		{name: "session_subdir_is_descendant", path: shard + "/0", descend: true, inside: true},
+		{name: "deeper_descendant", path: shard + "/0/tasks", descend: true, inside: true},
+		{name: "sibling_shard_prefix", path: "b2", descend: false, inside: false},
+		{name: "sibling_shard_full", path: "b2/c3d4e5f6a1a2", descend: false, inside: false},
+		{name: "partial_overlap_not_ancestor", path: "a1/zzz", descend: false, inside: false},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			require.Equal(t, tc.descend, shouldDescend(tc.path, shard), "shouldDescend")
+			require.Equal(t, tc.inside, insideShard(tc.path, shard), "insideShard")
+		})
+	}
+}
+
+// Empty shardPath = no scoping (bootstrap / unrecognized-subject
+// fallback): descend everywhere, redact everywhere.
+func TestShardScopeEmptyShardPathIsPermissive(t *testing.T) {
+	t.Parallel()
+	require.True(t, shouldDescend("anything/anywhere", ""))
+	require.True(t, insideShard("anything/anywhere", ""))
+	require.True(t, shouldDescend("", ""))
+	require.True(t, insideShard("", ""))
+}
+
 // Fail-closed regression: when the OPF runtime fails and the breaker
 // trips, the rewrite must NOT CAS the ref. Otherwise the new commits
 // would carry Entire-OPF-Applied: true while their content is 7-layer

From e1a0ce0c1c4267c537f3a2944716049e0583928e Mon Sep 17 00:00:00 2001
From: Peyton Montei <peyton@entire.io>
Date: Tue, 19 May 2026 11:57:02 -0400
Subject: [PATCH 10/11] feat(strategy): delete shadow branches once their
 checkpoints are pushed
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

After a successful push of entire/checkpoints/v1, delete shadow
branches (entire/<commit>-<worktree>) whose sessions have all ended
cleanly. Previously these accumulated until the user ran `entire clean`
manually.

Safety properties (conservative — risk-asymmetric):
- A shadow branch is deleted ONLY when every session state file
  referencing it has EndedAt != nil AND TurnCheckpointIDs is empty.
- Active session (EndedAt == nil) protects its shadow branch.
- Mid-finalize race (ended but TurnCheckpointIDs pending) preserves
  the branch — finalize may still need it.
- Multiple sessions sharing the same shadow branch (same base commit
  + worktree) must ALL satisfy the criteria.
- Orphaned shadow branches (no associated session state file) are
  deleted — no session to lose data from.
- Cleanup only runs after pushBranchIfNeeded returns nil (v1 push
  succeeded). If push failed, shadow branches are left alone so the
  user's next push attempt can still leverage their data.
- DeleteShadowBranches failures (e.g., stale lock) are logged and
  don't abort the push — branches just remain for the next push.

Files:
- cleanup.go: new CleanupPushedShadowBranches(ctx) (~50 LOC reusing
  ListShadowBranches + ListSessionStates + DeleteShadowBranches).
- manual_commit_push.go: invoke from PrePush after successful
  pushBranchIfNeeded.
- cleanup_pushed_shadow_test.go: 6 cases covering the full predicate
  matrix (fully-ended, active-session, pending-checkpoints, orphaned,
  mixed-branches, no-branches).
- docs/security-and-privacy.md: persistence table updated to reflect
  the new auto-cleanup.

End-to-end verified: a manually-created shadow branch with a matching
ended session state file gets deleted after the next successful push;
entire/checkpoints/v1 stays (correctly excluded by IsShadowBranch).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 cmd/entire/cli/strategy/cleanup.go            |  71 ++++++++
 .../strategy/cleanup_pushed_shadow_test.go    | 152 ++++++++++++++++++
 cmd/entire/cli/strategy/manual_commit_push.go |  19 ++-
 docs/security-and-privacy.md                  |   2 +-
 4 files changed, 242 insertions(+), 2 deletions(-)
 create mode 100644 cmd/entire/cli/strategy/cleanup_pushed_shadow_test.go

diff --git a/cmd/entire/cli/strategy/cleanup.go b/cmd/entire/cli/strategy/cleanup.go
index 8e43ef794f..7c234c5fa3 100644
--- a/cmd/entire/cli/strategy/cleanup.go
+++ b/cmd/entire/cli/strategy/cleanup.go
@@ -127,6 +127,77 @@ func ListShadowBranches(ctx context.Context) ([]string, error) {
 	return shadowBranches, nil
 }
 
+// CleanupPushedShadowBranches deletes shadow branches whose sessions
+// have all ended cleanly (no active session referencing them, no
+// pending turn-checkpoints awaiting finalization). Intended to be
+// called only after a successful push so the caller knows any
+// condensed checkpoint data already reached the remote.
+//
+// Returns the count of branches deleted. Failures (e.g., one branch
+// fails to delete due to a stale lock) are logged but don't abort
+// the operation — remaining branches are still attempted.
+//
+// Safety properties:
+//   - Skips any shadow branch referenced by a session with EndedAt
+//     == nil (still active).
+//   - Skips any shadow branch whose session has TurnCheckpointIDs
+//     pending (mid-finalize race window).
+//   - Multiple sessions can share the same shadow branch (same base
+//     commit + worktree); ALL must satisfy the criteria above.
+//   - Shadow branches with no associated session state are deleted
+//     (no session to lose data from).
+func CleanupPushedShadowBranches(ctx context.Context) (int, error) {
+	branches, err := ListShadowBranches(ctx)
+	if err != nil {
+		return 0, fmt.Errorf("list shadow branches: %w", err)
+	}
+	if len(branches) == 0 {
+		return 0, nil
+	}
+
+	states, err := ListSessionStates(ctx)
+	if err != nil {
+		return 0, fmt.Errorf("list session states: %w", err)
+	}
+
+	// Build a set of shadow branch names that must be preserved
+	// because at least one session still depends on them.
+	protected := map[string]bool{}
+	for _, s := range states {
+		if s.EndedAt != nil && len(s.TurnCheckpointIDs) == 0 {
+			continue // safe — session ended cleanly and finalized
+		}
+		shadow := getShadowBranchNameForCommit(s.BaseCommit, s.WorktreeID)
+		protected[shadow] = true
+	}
+
+	var toDelete []string
+	for _, b := range branches {
+		if !protected[b] {
+			toDelete = append(toDelete, b)
+		}
+	}
+	if len(toDelete) == 0 {
+		return 0, nil
+	}
+
+	deleted, failed, delErr := DeleteShadowBranches(ctx, toDelete)
+	if delErr != nil {
+		// DeleteShadowBranches signature returns an error for future
+		// extensibility but currently always returns nil; log defensively.
+		logging.Warn(ctx, "shadow branch deletion reported error",
+			slog.String("error", delErr.Error()),
+		)
+	}
+	if len(failed) > 0 {
+		logging.Warn(ctx, "some shadow branches failed to delete during post-push cleanup",
+			slog.Int("failed_count", len(failed)),
+			slog.Int("deleted_count", len(deleted)),
+		)
+	}
+	return len(deleted), nil
+}
+
 // DeleteShadowBranches deletes the specified branches from the repository.
 // Returns two slices: successfully deleted branches and branches that failed to delete.
 // Individual branch deletion failures do not stop the operation - all branches are attempted.
diff --git a/cmd/entire/cli/strategy/cleanup_pushed_shadow_test.go b/cmd/entire/cli/strategy/cleanup_pushed_shadow_test.go
new file mode 100644
index 0000000000..512517a68c
--- /dev/null
+++ b/cmd/entire/cli/strategy/cleanup_pushed_shadow_test.go
@@ -0,0 +1,152 @@
+package strategy
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/entireio/cli/cmd/entire/cli/checkpoint"
+	"github.com/entireio/cli/cmd/entire/cli/testutil"
+	"github.com/go-git/go-git/v6"
+	"github.com/go-git/go-git/v6/plumbing"
+	"github.com/stretchr/testify/require"
+)
+
+// shadowCleanupEnv bundles the setup needed for testing post-push shadow
+// branch cleanup: a git repo, a known base commit, and helpers to
+// create shadow refs + matching session states.
+type shadowCleanupEnv struct {
+	t        *testing.T
+	repo     *git.Repository
+	dir      string
+	baseHash plumbing.Hash
+}
+
+func newShadowCleanupEnv(t *testing.T) *shadowCleanupEnv {
+	t.Helper()
+	dir := t.TempDir()
+	testutil.InitRepo(t, dir)
+	repo, err := git.PlainOpen(dir)
+	require.NoError(t, err)
+	t.Chdir(dir)
+
+	emptyTree := plumbing.NewHash("4b825dc642cb6eb9a060e54bf8d69288fbee4904")
+	baseHash, err := checkpoint.CreateCommit(context.Background(), repo, emptyTree, plumbing.ZeroHash, "initial commit", "test", "test@test.com")
+	require.NoError(t, err)
+	headRef := plumbing.NewSymbolicReference(plumbing.HEAD, plumbing.NewBranchReferenceName("main"))
+	require.NoError(t, repo.Storer.SetReference(headRef))
+	require.NoError(t, repo.Storer.SetReference(plumbing.NewHashReference(plumbing.NewBranchReferenceName("main"), baseHash)))
+	return &shadowCleanupEnv{t: t, repo: repo, dir: dir, baseHash: baseHash}
+}
+
+// addShadowBranch creates a shadow branch for the given (base, worktreeID)
+// pair and returns its derived name.
+func (e *shadowCleanupEnv) addShadowBranch(baseCommit, worktreeID string) string {
+	e.t.Helper()
+	name := getShadowBranchNameForCommit(baseCommit, worktreeID)
+	require.NoError(e.t, e.repo.Storer.SetReference(
+		plumbing.NewHashReference(plumbing.NewBranchReferenceName(name), e.baseHash)))
+	return name
+}
+
+// addSessionState writes a session state file. If ended is non-nil the
+// session is treated as ended; pendingCheckpoints simulates the
+// mid-finalize race window.
+func (e *shadowCleanupEnv) addSessionState(sessionID, baseCommit, worktreeID string, ended *time.Time, pendingCheckpoints []string) {
+	e.t.Helper()
+	state := &SessionState{
+		SessionID:         sessionID,
+		BaseCommit:        baseCommit,
+		WorktreeID:        worktreeID,
+		StartedAt:         time.Now().Add(-time.Hour),
+		EndedAt:           ended,
+		TurnCheckpointIDs: pendingCheckpoints,
+	}
+	require.NoError(e.t, SaveSessionState(context.Background(), state))
+}
+
+func (e *shadowCleanupEnv) branchExists(name string) bool {
+	e.t.Helper()
+	_, err := e.repo.Reference(plumbing.NewBranchReferenceName(name), false)
+	return err == nil
+}
+
+// Happy case: ended session with no pending checkpoints → shadow gone.
+func TestCleanupPushedShadowBranches_FullyEndedDeleted(t *testing.T) {
+	env := newShadowCleanupEnv(t)
+	shadow := env.addShadowBranch(env.baseHash.String(), "")
+	ended := time.Now().Add(-time.Minute)
+	env.addSessionState("s1", env.baseHash.String(), "", &ended, nil)
+
+	deleted, err := CleanupPushedShadowBranches(context.Background())
+	require.NoError(t, err)
+	require.Equal(t, 1, deleted)
+	require.False(t, env.branchExists(shadow))
+}
+
+// Active session (EndedAt == nil) protects the shadow even if another
+// session on the same branch already ended.
+func TestCleanupPushedShadowBranches_ActiveSessionPreserved(t *testing.T) {
+	env := newShadowCleanupEnv(t)
+	shadow := env.addShadowBranch(env.baseHash.String(), "")
+	ended := time.Now().Add(-time.Minute)
+	env.addSessionState("s1-ended", env.baseHash.String(), "", &ended, nil)
+	env.addSessionState("s2-active", env.baseHash.String(), "", nil, nil)
+
+	deleted, err := CleanupPushedShadowBranches(context.Background())
+	require.NoError(t, err)
+	require.Equal(t, 0, deleted)
+	require.True(t, env.branchExists(shadow))
+}
+
+// Mid-finalize race window: ended session with TurnCheckpointIDs still
+// pending → preserve.
+func TestCleanupPushedShadowBranches_PendingTurnCheckpointsPreserved(t *testing.T) {
+	env := newShadowCleanupEnv(t)
+	shadow := env.addShadowBranch(env.baseHash.String(), "")
+	ended := time.Now().Add(-time.Minute)
+	env.addSessionState("s1", env.baseHash.String(), "", &ended, []string{"a1b2c3d4e5f6"})
+
+	deleted, err := CleanupPushedShadowBranches(context.Background())
+	require.NoError(t, err)
+	require.Equal(t, 0, deleted)
+	require.True(t, env.branchExists(shadow))
+}
+
+// Orphaned shadow branch (no matching session state) gets cleaned up.
+func TestCleanupPushedShadowBranches_OrphanedBranchDeleted(t *testing.T) {
+	env := newShadowCleanupEnv(t)
+	shadow := env.addShadowBranch(env.baseHash.String(), "")
+
+	deleted, err := CleanupPushedShadowBranches(context.Background())
+	require.NoError(t, err)
+	require.Equal(t, 1, deleted)
+	require.False(t, env.branchExists(shadow))
+}
+
+// Mixed: two shadow branches with different worktree IDs and different
+// session statuses. The cleanup must delete only the safe one.
+func TestCleanupPushedShadowBranches_MixedBranchesPartialDelete(t *testing.T) {
+	env := newShadowCleanupEnv(t)
+	preserved := env.addShadowBranch(env.baseHash.String(), "wt1")
+	deletable := env.addShadowBranch(env.baseHash.String(), "wt2")
+	ended := time.Now().Add(-time.Minute)
+	env.addSessionState("s-active", env.baseHash.String(), "wt1", nil, nil)
+	env.addSessionState("s-ended", env.baseHash.String(), "wt2", &ended, nil)
+
+	deleted, err := CleanupPushedShadowBranches(context.Background())
+	require.NoError(t, err)
+	require.Equal(t, 1, deleted)
+	require.True(t, env.branchExists(preserved))
+	require.False(t, env.branchExists(deletable))
+}
+
+// No shadow branches → no-op, no error.
+func TestCleanupPushedShadowBranches_NoBranches_NoOp(t *testing.T) {
+	env := newShadowCleanupEnv(t)
+	_ = env
+
+	deleted, err := CleanupPushedShadowBranches(context.Background())
+	require.NoError(t, err)
+	require.Equal(t, 0, deleted)
+}
diff --git a/cmd/entire/cli/strategy/manual_commit_push.go b/cmd/entire/cli/strategy/manual_commit_push.go
index f52793827b..625565deee 100644
--- a/cmd/entire/cli/strategy/manual_commit_push.go
+++ b/cmd/entire/cli/strategy/manual_commit_push.go
@@ -94,13 +94,30 @@ func (s *ManualCommitStrategy) PrePush(ctx context.Context, remote string) error
 		// problem doesn't break the user's git push of their actual work.
 		// (OPF failures above are the exception — they're privacy-critical.)
 		_, pushCheckpointsSpan := perf.Start(ctx, "push_checkpoints_branch")
-		if pushErr := pushBranchIfNeeded(ctx, ps.pushTarget(), paths.MetadataBranchName); pushErr != nil {
+		pushErr := pushBranchIfNeeded(ctx, ps.pushTarget(), paths.MetadataBranchName)
+		if pushErr != nil {
 			pushCheckpointsSpan.RecordError(pushErr)
 			logging.Warn(ctx, "checkpoint branch push failed; user push continues",
 				slog.String("error", pushErr.Error()),
 			)
 		}
 		pushCheckpointsSpan.End()
+
+		// Post-push cleanup: only when the v1 push succeeded, so we
+		// know the condensed checkpoint data is on the remote. Failures
+		// here are non-fatal — shadow branches just accumulate until
+		// `entire clean` or the next successful push.
+		if pushErr == nil {
+			if deleted, cleanupErr := CleanupPushedShadowBranches(ctx); cleanupErr != nil {
+				logging.Warn(ctx, "post-push shadow branch cleanup failed",
+					slog.String("error", cleanupErr.Error()),
+				)
+			} else if deleted > 0 {
+				logging.Info(ctx, "cleaned up vestigial shadow branches",
+					slog.Int("count", deleted),
+				)
+			}
+		}
 	}
 
 	// Push v2 refs when enabled.
diff --git a/docs/security-and-privacy.md b/docs/security-and-privacy.md
index 8f6e4fd6e2..e8f259ec90 100644
--- a/docs/security-and-privacy.md
+++ b/docs/security-and-privacy.md
@@ -189,7 +189,7 @@ Three places retain content that OPF *didn't* redact, with different lifetimes.
 | Location | Redaction level | Lifetime | Reaches remote? |
 |---|---|---|---|
 | `.entire/<session>.jsonl` | **None — raw** | Until session is deleted (managed by the agent) | No |
-| Shadow branch `entire/<commit>-<worktree>` | 7-layer | Until session is condensed (and post-push cleanup, if enabled) | No |
+| Shadow branch `entire/<commit>-<worktree>` | 7-layer | Auto-deleted after the next successful push (only when its session has ended cleanly) | No |
 | Unreachable git objects after pre-push rewrite | 7-layer | Until `git gc --prune` (default `gc.pruneExpire` is 2 weeks) | No |
 | Reflog `git reflog show entire/checkpoints/v1` | 7-layer tips | Default `gc.reflogExpire` is 90 days | No |
 | `<remote>/entire/checkpoints/v1` | 8-layer (after OPF rewrite) | Until you delete the branch on the remote | Yes |

From 734e8eeb129aaa2a75d975af2fa88bf758fbb8c6 Mon Sep 17 00:00:00 2001
From: Peyton Montei <peyton@entire.io>
Date: Tue, 19 May 2026 16:32:28 -0400
Subject: [PATCH 11/11] refactor(redact): drop unused OPF helpers, table-drive
 cleanup tests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two trim-and-simplify changes from a self-review of the PR's surface:

1. Drop redact.JoinedPromptsLegacy + its dedicated test file.
   The function was added to keep the writer's safety net 7-layer-only
   while signaling the distinction via the type system. With pre-push
   rewrite owning all OPF execution, the writer is now unambiguously
   7-layer-only — the typed-wrapper signal is no longer earning its
   weight. checkpoint.redactedJoinedPrompts now inlines
   redact.String(strings.Join(prompts, PromptSeparator)) for the same
   behavior with less ceremony.

2. Drop redact.GetOPFConfigForTest. The "ForTest" helper was exported
   for cross-package tests but never had any callers — production code
   should never introspect the OPF config directly (use OPFEnabled()),
   and our tests already use ConfigurePrivacyFilterWithRuntime +
   ResetOPFConfigForTest to manage state.

3. Table-drive the four single-shadow-branch cleanup tests into one
   TestCleanupPushedShadowBranches_Predicate. The four cases shared
   ~90% of setup; the table-driven form keeps each scenario as a named
   sub-test while collapsing the boilerplate. The two non-single-shadow
   cases (mixed branches, no branches at all) stay standalone because
   their setups are structurally different.

Net diff: -7 tests (collapsed into 4 sub-tests in 1 function), -100
lines of helpers, no behavior change.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 cmd/entire/cli/checkpoint/prompts.go          | 17 +---
 cmd/entire/cli/checkpoint/prompts_test.go     | 13 ++-
 .../strategy/cleanup_pushed_shadow_test.go    | 88 ++++++++-----------
 .../cli/strategy/manual_commit_hooks.go       |  2 +-
 redact/joined_prompts_test.go                 | 74 ----------------
 redact/redact.go                              | 17 ----
 redact/testhelpers.go                         | 24 ++---
 7 files changed, 54 insertions(+), 181 deletions(-)
 delete mode 100644 redact/joined_prompts_test.go

diff --git a/cmd/entire/cli/checkpoint/prompts.go b/cmd/entire/cli/checkpoint/prompts.go
index f5896bf8b0..3e2d1b6662 100644
--- a/cmd/entire/cli/checkpoint/prompts.go
+++ b/cmd/entire/cli/checkpoint/prompts.go
@@ -31,21 +31,12 @@ func SplitPromptContent(content string) []string {
 
 // redactedJoinedPrompts returns the redacted prompt-blob content for the
 // supplied prompts. When preRedacted is set it is unwrapped verbatim;
-// otherwise the prompts are joined and run through the 7-layer pipeline
-// as a safety net.
-//
-// The safety net is intentionally 7-layer-only (no OPF), even when OPF
-// is enabled globally. OPF runs exclusively in the pre-push rewrite
-// path so per-commit condensation stays fast and predictable; the
-// safety net never drags OPF into a hot path. Callers that have
-// already produced an 8-layer blob (e.g. the pre-push rewrite itself)
-// pass it as preRedacted so this function returns it verbatim.
-//
-// ctx is retained on the signature for future extensions; the 7-layer
-// pipeline doesn't consume it today.
+// otherwise the prompts are joined and run through the 7-layer pipeline.
+// OPF runs exclusively in the pre-push rewrite (not here), so the
+// writer's hot path stays predictable.
 func redactedJoinedPrompts(_ context.Context, prompts []string, preRedacted redact.RedactedJoinedPrompts) string {
 	if preRedacted.IsSet() {
 		return preRedacted.String()
 	}
-	return redact.JoinedPromptsLegacy(prompts, PromptSeparator).String()
+	return redact.String(strings.Join(prompts, PromptSeparator))
 }
diff --git a/cmd/entire/cli/checkpoint/prompts_test.go b/cmd/entire/cli/checkpoint/prompts_test.go
index 4637cebcf9..25bf6751b4 100644
--- a/cmd/entire/cli/checkpoint/prompts_test.go
+++ b/cmd/entire/cli/checkpoint/prompts_test.go
@@ -47,15 +47,14 @@ func TestRedactedJoinedPrompts_PreRedactedIsTrustedVerbatim(t *testing.T) {
 	assert.Equal(t, preRedacted, got, "preRedacted should pass through verbatim")
 }
 
-// TestRedactedJoinedPrompts_ZeroValueFallsBackToLegacyRedaction verifies
-// that when the typed preRedacted is the zero value the helper joins the
-// prompts and runs the 7-layer pipeline as a safety net. Critically, the
-// fallback is JoinedPromptsLegacy (no OPF) — OPF runs exclusively in the
-// pre-push rewrite path, never here in the writer's hot path.
-func TestRedactedJoinedPrompts_ZeroValueFallsBackToLegacyRedaction(t *testing.T) {
+// TestRedactedJoinedPrompts_ZeroValueFallsBackToSafetyNet verifies
+// that when the typed preRedacted is the zero value the helper joins
+// the prompts and runs the 7-layer pipeline as a safety net. OPF runs
+// exclusively in the pre-push rewrite path, never here.
+func TestRedactedJoinedPrompts_ZeroValueFallsBackToSafetyNet(t *testing.T) {
 	t.Parallel()
 
 	got := redactedJoinedPrompts(context.Background(), []string{"hello", "world"}, redact.RedactedJoinedPrompts{})
-	assert.NotEmpty(t, got, "zero-value preRedacted should fall back to running the legacy 7-layer pipeline")
+	assert.NotEmpty(t, got, "zero-value preRedacted should fall back to running the 7-layer pipeline")
 	assert.Contains(t, got, PromptSeparator, "fallback output should preserve the prompt separator")
 }
diff --git a/cmd/entire/cli/strategy/cleanup_pushed_shadow_test.go b/cmd/entire/cli/strategy/cleanup_pushed_shadow_test.go
index 512517a68c..c088440d4b 100644
--- a/cmd/entire/cli/strategy/cleanup_pushed_shadow_test.go
+++ b/cmd/entire/cli/strategy/cleanup_pushed_shadow_test.go
@@ -71,57 +71,45 @@ func (e *shadowCleanupEnv) branchExists(name string) bool {
 	return err == nil
 }
 
-// Happy case: ended session with no pending checkpoints → shadow gone.
-func TestCleanupPushedShadowBranches_FullyEndedDeleted(t *testing.T) {
-	env := newShadowCleanupEnv(t)
-	shadow := env.addShadowBranch(env.baseHash.String(), "")
-	ended := time.Now().Add(-time.Minute)
-	env.addSessionState("s1", env.baseHash.String(), "", &ended, nil)
-
-	deleted, err := CleanupPushedShadowBranches(context.Background())
-	require.NoError(t, err)
-	require.Equal(t, 1, deleted)
-	require.False(t, env.branchExists(shadow))
-}
-
-// Active session (EndedAt == nil) protects the shadow even if another
-// session on the same branch already ended.
-func TestCleanupPushedShadowBranches_ActiveSessionPreserved(t *testing.T) {
-	env := newShadowCleanupEnv(t)
-	shadow := env.addShadowBranch(env.baseHash.String(), "")
+// Predicate matrix: each shadow branch is paired with zero or more
+// session states; the cleanup must respect the safety rules (active
+// session OR pending turn checkpoints protect the branch; ended-clean
+// or orphaned branches are deleted).
+func TestCleanupPushedShadowBranches_Predicate(t *testing.T) {
 	ended := time.Now().Add(-time.Minute)
-	env.addSessionState("s1-ended", env.baseHash.String(), "", &ended, nil)
-	env.addSessionState("s2-active", env.baseHash.String(), "", nil, nil)
-
-	deleted, err := CleanupPushedShadowBranches(context.Background())
-	require.NoError(t, err)
-	require.Equal(t, 0, deleted)
-	require.True(t, env.branchExists(shadow))
-}
-
-// Mid-finalize race window: ended session with TurnCheckpointIDs still
-// pending → preserve.
-func TestCleanupPushedShadowBranches_PendingTurnCheckpointsPreserved(t *testing.T) {
-	env := newShadowCleanupEnv(t)
-	shadow := env.addShadowBranch(env.baseHash.String(), "")
-	ended := time.Now().Add(-time.Minute)
-	env.addSessionState("s1", env.baseHash.String(), "", &ended, []string{"a1b2c3d4e5f6"})
-
-	deleted, err := CleanupPushedShadowBranches(context.Background())
-	require.NoError(t, err)
-	require.Equal(t, 0, deleted)
-	require.True(t, env.branchExists(shadow))
-}
-
-// Orphaned shadow branch (no matching session state) gets cleaned up.
-func TestCleanupPushedShadowBranches_OrphanedBranchDeleted(t *testing.T) {
-	env := newShadowCleanupEnv(t)
-	shadow := env.addShadowBranch(env.baseHash.String(), "")
-
-	deleted, err := CleanupPushedShadowBranches(context.Background())
-	require.NoError(t, err)
-	require.Equal(t, 1, deleted)
-	require.False(t, env.branchExists(shadow))
+	type sessionFixture struct {
+		id                string
+		ended             *time.Time
+		pendingCheckpoint []string
+	}
+	cases := []struct {
+		name        string
+		sessions    []sessionFixture
+		wantDeleted bool
+	}{
+		{name: "ended_no_pending_deleted", sessions: []sessionFixture{{id: "s1", ended: &ended}}, wantDeleted: true},
+		{name: "active_session_preserved", sessions: []sessionFixture{{id: "s1", ended: &ended}, {id: "s2", ended: nil}}, wantDeleted: false},
+		{name: "pending_turn_checkpoints_preserved", sessions: []sessionFixture{{id: "s1", ended: &ended, pendingCheckpoint: []string{"a1b2c3d4e5f6"}}}, wantDeleted: false},
+		{name: "orphaned_branch_no_sessions_deleted", sessions: nil, wantDeleted: true},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			env := newShadowCleanupEnv(t)
+			shadow := env.addShadowBranch(env.baseHash.String(), "")
+			for _, s := range tc.sessions {
+				env.addSessionState(s.id, env.baseHash.String(), "", s.ended, s.pendingCheckpoint)
+			}
+			deleted, err := CleanupPushedShadowBranches(context.Background())
+			require.NoError(t, err)
+			if tc.wantDeleted {
+				require.Equal(t, 1, deleted)
+				require.False(t, env.branchExists(shadow))
+			} else {
+				require.Equal(t, 0, deleted)
+				require.True(t, env.branchExists(shadow))
+			}
+		})
+	}
 }
 
 // Mixed: two shadow branches with different worktree IDs and different
diff --git a/cmd/entire/cli/strategy/manual_commit_hooks.go b/cmd/entire/cli/strategy/manual_commit_hooks.go
index 63b489415e..01685d42fb 100644
--- a/cmd/entire/cli/strategy/manual_commit_hooks.go
+++ b/cmd/entire/cli/strategy/manual_commit_hooks.go
@@ -2760,7 +2760,7 @@ func (s *ManualCommitStrategy) finalizeAllTurnCheckpoints(ctx context.Context, s
 	}
 
 	// Post-commit emits 7-layer-only blobs; the writer's safety net
-	// (checkpoint.redactedJoinedPrompts via JoinedPromptsLegacy) handles
+	// (checkpoint.redactedJoinedPrompts via redact.String) handles
 	// joining + 7-layer redaction. OPF is applied later, once per push,
 	// by the pre-push rewrite path.
 	redactedPrompts := redact.RedactedJoinedPrompts{}
diff --git a/redact/joined_prompts_test.go b/redact/joined_prompts_test.go
deleted file mode 100644
index ff1a9cfd66..0000000000
--- a/redact/joined_prompts_test.go
+++ /dev/null
@@ -1,74 +0,0 @@
-package redact
-
-import (
-	"strings"
-	"testing"
-)
-
-// TestJoinedPromptsLegacy_ParityWithStringPlusJoin pins down that the legacy
-// (7-layer, no-OPF) constructor produces the same content as the pre-PR
-// behavior of `redact.String(strings.Join(prompts, sep))`. The writer's
-// safety net switched from running OPF-augmented redaction to the legacy
-// variant; this parity check is what keeps existing post-commit checkpoint
-// blobs byte-identical to the pre-PR output once OPF is gated to pre-push.
-func TestJoinedPromptsLegacy_ParityWithStringPlusJoin(t *testing.T) {
-	t.Parallel()
-	const sep = "\n\n---\n\n"
-	cases := []struct {
-		name    string
-		prompts []string
-	}{
-		{"single_simple", []string{"hello world"}},
-		{"multi_simple", []string{"first prompt", "second prompt", "third prompt"}},
-		{"with_high_entropy_secret", []string{"set API_KEY=" + highEntropySecret, "ok"}},
-		{"with_db_password", []string{"connect to postgres://app:pwd123@db.example.com:5432/app", "done"}},
-		{"single_with_email_no_pii_config", []string{"contact alice@example.com please"}},
-	}
-	for _, tc := range cases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-			joined := strings.Join(tc.prompts, sep)
-			want := String(joined)
-			got := JoinedPromptsLegacy(tc.prompts, sep).String()
-			if got != want {
-				t.Errorf("parity mismatch:\n got=%q\nwant=%q", got, want)
-			}
-		})
-	}
-}
-
-// TestJoinedPromptsLegacy_EmptyReturnsZeroValue verifies the constructor
-// short-circuits an empty input to the zero value, so IsSet() reports
-// false and the writer's safety net can re-run rather than persist an
-// empty prompt.txt blob.
-func TestJoinedPromptsLegacy_EmptyReturnsZeroValue(t *testing.T) {
-	t.Parallel()
-	if got := JoinedPromptsLegacy(nil, "sep"); got.IsSet() {
-		t.Errorf("nil prompts: IsSet() = true, want false (content=%q)", got.String())
-	}
-	if got := JoinedPromptsLegacy([]string{}, "sep"); got.IsSet() {
-		t.Errorf("empty prompts: IsSet() = true, want false (content=%q)", got.String())
-	}
-}
-
-// TestJoinedPromptsLegacy_DoesNotInvokeOPF is the regression guard for the
-// architectural promise: even with OPF configured globally, the legacy
-// constructor MUST run only the 7-layer pipeline. Pairs with
-// TestPlainEntryPointsNeverInvokeOPF in opf_test.go — that test pins
-// String/Bytes/JSONLBytes; this one pins JoinedPromptsLegacy.
-func TestJoinedPromptsLegacy_DoesNotInvokeOPF(t *testing.T) {
-	resetOPFConfig()
-	t.Cleanup(resetOPFConfig)
-
-	fake := &fakeRuntime{spans: []Span{{Start: 0, End: 5, Label: "private_person"}}}
-	ConfigurePrivacyFilterWithRuntime(OPFConfig{
-		Enabled:    true,
-		Categories: map[string]bool{"private_person": true},
-	}, fake)
-
-	_ = JoinedPromptsLegacy([]string{"Alice met Bob in the lobby", "Charlie was there too"}, "\n---\n")
-
-	if fake.calls+fake.batchCalls != 0 {
-		t.Errorf("legacy constructor invoked OPF: calls=%d batchCalls=%d", fake.calls, fake.batchCalls)
-	}
-}
diff --git a/redact/redact.go b/redact/redact.go
index e10151cdd3..4d32f8e057 100644
--- a/redact/redact.go
+++ b/redact/redact.go
@@ -155,23 +155,6 @@ func AlreadyRedactedJoinedPrompts(content string) RedactedJoinedPrompts {
 	return RedactedJoinedPrompts{content: content}
 }
 
-// JoinedPromptsLegacy joins prompts with sep and runs only the seven
-// always-on/opt-in regex layers — never the OpenAI Privacy Filter, even
-// when OPF is configured globally. Used by the checkpoint writer's
-// safety net so post-commit blobs stay on the fast 7-layer pipeline; OPF
-// is applied exclusively by the pre-push rewrite path (see
-// strategy/manual_commit_opf_rewrite.go), which calls JoinedPrompts.
-//
-// Mirrors JoinedPrompts in return type so callers can use either
-// constructor and feed the result to WriteCommittedOptions.PromptsRedacted
-// without changing the type contract.
-func JoinedPromptsLegacy(prompts []string, sep string) RedactedJoinedPrompts {
-	if len(prompts) == 0 {
-		return RedactedJoinedPrompts{}
-	}
-	return RedactedJoinedPrompts{content: String(strings.Join(prompts, sep))}
-}
-
 var (
 	betterleaksDetector     *detect.Detector
 	betterleaksDetectorOnce sync.Once
diff --git a/redact/testhelpers.go b/redact/testhelpers.go
index 6f6d1360dd..af375fcb19 100644
--- a/redact/testhelpers.go
+++ b/redact/testhelpers.go
@@ -1,25 +1,11 @@
 package redact
 
-// This file exposes internal helpers needed by tests in OTHER packages
-// (e.g. cmd/entire/cli/strategy) that exercise OPF behavior end-to-end.
-// They cannot live in export_test.go because that file is invisible to
-// importers — only redact's own tests would be able to call them.
-//
-// The "ForTest" suffix is a convention signal: production code MUST NOT
-// call these. A future lint rule (e.g. forbidigo on the "ForTest"
-// suffix) could enforce that statically; today it relies on reviewer
-// discipline.
+// Cross-package test helpers. Lives in a regular .go file (not
+// export_test.go) so tests in cmd/entire/cli/strategy can call it.
+// The "ForTest" suffix is the production-code-must-not-call signal.
 
-// GetOPFConfigForTest returns the current OPF configuration, or nil if
-// never configured. Test-only — production code should never need to
-// introspect the global config; gate behavior on OPFEnabled() instead.
-func GetOPFConfigForTest() *OPFConfig {
-	return getOPFConfig()
-}
-
-// ResetOPFConfigForTest clears configuration and the circuit breaker.
-// Used to return to a "never configured" state between test cases.
-// Test-only — production code should never need to reset OPF state.
+// ResetOPFConfigForTest clears OPF configuration and the circuit
+// breaker. Test-only.
 func ResetOPFConfigForTest() {
 	resetOPFConfig()
 }