@adaptic/maestro 1.1.7 → 1.4.1

package/scripts/daemon/responder.mjs

@@ -1,39 +1,211 @@
 /**
  * responder.mjs — Quick response layer
  *
- * Handles two scenarios without spawning claude --print sessions:
+ * Handles two scenarios with a single short-lived `claude --print` call:
  *
- * 1. SIMPLE REPLIES: Uses Anthropic Sonnet API to generate a response,
- *    then posts directly via Slack/Gmail API. ~4 seconds total.
+ * 1. SIMPLE REPLIES: Invokes the Claude Code CLI to generate a response,
+ *    then posts directly via Slack/Gmail API.
  *
  * 2. HOLDING MESSAGES: For complex items that need a full session,
  *    generates and sends an immediate acknowledgment so the sender
  *    knows it's being worked on.
  *
- * This eliminates CLI startup overhead for routine responses and
- * provides instant feedback for complex requests.
+ * Migrated off `@anthropic-ai/sdk` per CEO directive (Slack DM
+ * D099N1JGKRQ, 2026-04-27 09:38Z + 11:33Z): all agent daemon model
+ * calls must funnel through Claude Code CLI sessions (Max
+ * subscription), not the Anthropic API.
  */
 
-import Anthropic from "@anthropic-ai/sdk";
 import { readFileSync, writeFileSync, readdirSync, appendFileSync, mkdirSync } from "fs";
-import { execFileSync } from "child_process";
+import { execFileSync, spawn } from "child_process";
 import { join } from "path";
+import { randomUUID } from "crypto";
 import { checkRecentlySent, registerSent } from "./session-lock.mjs";
+import { routingKey as deriveRoutingKey, createRouter } from "./lib/session-router.mjs";
 
 const SOPHIE_AI_DIR = join(new URL(".", import.meta.url).pathname, "../..");
 const SONNET_MODEL = "claude-sonnet-4-6";
+const CLAUDE_BIN = process.env.CLAUDE_BIN || "/Users/sophie/.local/bin/claude";
+const CLAUDE_CLI_TIMEOUT_MS = 60_000;
+const SESSION_REGISTRY_PATH = join(SOPHIE_AI_DIR, "state", "daemon", "session-router-registry.json");
+
+// Singleton router — lazily created on first generateResponse() call. The
+// scaffold's createRouter is async (eager registry read), so we cache the
+// promise and await it inside generateResponse.
+let routerPromise = null;
+function getRouter() {
+  if (!routerPromise) {
+    routerPromise = createRouter({ registryPath: SESSION_REGISTRY_PATH });
+  }
+  return routerPromise;
+}
+
+/**
+ * Translate a daemon-shaped item into the source/channel/thread_ts shape
+ * that session-router's routingKey() expects.
+ *
+ * Daemon items use {service, channel, thread_id, sender_email, ...}; the
+ * router's pure key fn was specced against {source, channel, thread_ts,
+ * thread_id, ...} per memo §4.2. This adapter is the seam between them.
+ *
+ * Returns null for items the router can't key (e.g. service we don't yet
+ * support, or missing required fields). Caller falls back to a fresh
+ * pre-minted UUID + EPHEMERAL semantics.
+ */
+function deriveRouterItem(item) {
+  if (!item || typeof item !== "object") return null;
+
+  if (item.service === "slack") {
+    const channel = item.channel || item.channel_id;
+    if (!channel) return null;
+    return {
+      source: "slack",
+      channel,
+      thread_ts: item.thread_id || item.thread_ts || null,
+      ts: item.ts || item.timestamp || null,
+    };
+  }
+
+  if (item.service === "gmail") {
+    const tid = item.thread_id || item.threadId;
+    if (!tid) return null;
+    return { source: "gmail", thread_id: tid };
+  }
+
+  if (item.service === "calendar") {
+    const eid = item.event_id || item.eventId;
+    if (!eid) return null;
+    return { source: "calendar", event_id: eid };
+  }
+
+  return null;
+}
 
 // Lazy token access — dotenv loads in daemon main before these are called
 function getSlackToken() {
   return process.env.SLACK_USER_TOKEN || process.env.SLACK_BOT_TOKEN;
 }
 
-let anthropic = null;
 let cachedPreamble = null;
 
-function getClient() {
-  if (!anthropic) anthropic = new Anthropic();
-  return anthropic;
+// Spawn `claude --print` with the supplied system + user prompts and model.
+// Mirrors the pattern used in classifier.mjs:
+//   • child_process.spawn (not exec) — avoids shell-escape injection on
+//     potentially-hostile sender content.
+//   • System prompt rides on --append-system-prompt; user prompt is written
+//     to stdin and the pipe is closed.
+//   • Non-zero exit, timeout, spawn error or stdin write error all reject
+//     so the caller can surface the failure.
+//
+// Session-router wire-up (b2-b4, cycle 474): when the caller supplies a
+// `sessionId` (pre-minted UUID) and a `router` + `routingKey`, the spawn
+// adds `--session-id <uuid> --output-format json`, parses the one-line JSON
+// stdout into {session_id, result, is_error}, calls router.touch on success
+// and router.recordExit on close. Per b1 flag-verification report, NEVER
+// combine `--resume` with `--session-id` (not needed: pre-minting + reusing
+// the same UUID across spawns is the resume mechanism).
+//
+// @returns {Promise<{ text: string, jsonResult: object|null, exitCode: number }>}
+function runClaudeCLI(systemPrompt, userPrompt, model, opts = {}) {
+  const { sessionId = null, router = null, routingKey = null } = opts;
+
+  return new Promise((resolvePromise, rejectPromise) => {
+    const args = [
+      "--print",
+      "--dangerously-skip-permissions",
+      "--model", model,
+      "--append-system-prompt", systemPrompt,
+    ];
+    if (sessionId) {
+      // --output-format json is only valid in combination with --print (per
+      // b1 report). We always pass --print above, so this is safe.
+      args.push("--session-id", sessionId, "--output-format", "json");
+    }
+
+    const proc = spawn(CLAUDE_BIN, args, {
+      stdio: ["pipe", "pipe", "pipe"],
+      // Force claude CLI onto keychain OAuth (Max subscription); strip any
+      // stale ANTHROPIC_API_KEY/AUTH_TOKEN inherited from the daemon env.
+      env: { ...process.env, ANTHROPIC_API_KEY: "", ANTHROPIC_AUTH_TOKEN: "" },
+    });
+
+    let stdout = "";
+    let stderr = "";
+    let settled = false;
+
+    const timer = setTimeout(() => {
+      if (settled) return;
+      settled = true;
+      try { proc.kill("SIGTERM"); } catch (_) { /* noop */ }
+      setTimeout(() => { try { if (!proc.killed) proc.kill("SIGKILL"); } catch (_) { /* noop */ } }, 2000);
+      rejectPromise(new Error(`claude CLI timed out after ${CLAUDE_CLI_TIMEOUT_MS}ms`));
+    }, CLAUDE_CLI_TIMEOUT_MS);
+
+    proc.stdout.on("data", (chunk) => { stdout += chunk.toString(); });
+    proc.stderr.on("data", (chunk) => { stderr += chunk.toString(); });
+
+    proc.on("error", (err) => {
+      if (settled) return;
+      settled = true;
+      clearTimeout(timer);
+      rejectPromise(new Error(`claude CLI spawn error: ${err.message}`));
+    });
+
+    proc.on("close", (code) => {
+      // (b4) Always notify the router of the exit, regardless of whether
+      // the promise has already settled (timeout path) or not. recordExit
+      // is a no-op for keys the router has never touched, so the only
+      // cost is a registry write — which we want for non-zero exits so
+      // the next route() returns EPHEMERAL_REPLACE.
+      if (router && routingKey) {
+        // Fire-and-forget; recordExit is async but failure here must not
+        // mask the real result. Errors swallowed because the router has
+        // its own atomic-write semantics and bubbling here would crash
+        // the daemon over a non-critical bookkeeping write.
+        Promise.resolve(router.recordExit(routingKey, code)).catch((err) => {
+          console.warn(`[responder] router.recordExit failed for ${routingKey}: ${err.message}`);
+        });
+      }
+
+      if (settled) return;
+      settled = true;
+      clearTimeout(timer);
+      if (code !== 0) {
+        const tail = (stderr || "").trim().slice(-500);
+        rejectPromise(new Error(`claude CLI exited ${code}: ${tail || "no stderr"}`));
+        return;
+      }
+
+      // (b3) If we asked for JSON, parse it. Otherwise return raw text.
+      if (sessionId) {
+        const trimmed = (stdout || "").trim();
+        try {
+          const parsed = JSON.parse(trimmed);
+          // Per b1 report: top-level `session_id` (snake_case UUID), `result`
+          // (text), `is_error` (bool). Top-level `uuid` is the message UUID,
+          // NOT the session id — do NOT use it.
+          resolvePromise({ text: parsed.result ?? "", jsonResult: parsed, exitCode: code });
+        } catch (parseErr) {
+          // Legacy fallback (rollout-safety): older CLIs or unexpected output
+          // shapes shouldn't crash the daemon. Log a warning, surface the raw
+          // text, and let the caller decide whether to call router.touch.
+          console.warn(`[responder] claude CLI JSON parse failed (sessionId=${sessionId}): ${parseErr.message} — falling back to raw stdout`);
+          resolvePromise({ text: trimmed, jsonResult: null, exitCode: code });
+        }
+      } else {
+        resolvePromise({ text: stdout, jsonResult: null, exitCode: code });
+      }
+    });
+
+    try {
+      proc.stdin.end(userPrompt, "utf8");
+    } catch (err) {
+      if (settled) return;
+      settled = true;
+      clearTimeout(timer);
+      rejectPromise(new Error(`claude CLI stdin write error: ${err.message}`));
+    }
+  });
 }
 
 function today() {
@@ -187,7 +359,7 @@ function loadConversationHistory(item) {
 }
 
 // ---------------------------------------------------------------------------
-// Generate response text via Anthropic Sonnet API
+// Generate response text via `claude --print` CLI
 // ---------------------------------------------------------------------------
 
 async function generateResponse(item, classResult, isHolding = false) {
@@ -234,15 +406,58 @@ ${profile ? `\nSender profile:\n${profile}` : ""}`;
     `\nClassification: ${classResult.summary}`,
   ].filter(Boolean).join("\n");
 
-  const client = getClient();
-  const response = await client.messages.create({
-    model,
-    max_tokens: 512,
-    system: systemPrompt,
-    messages: [{ role: "user", content: userContent }],
+  // (b2) Session-router decision. Compute the routing key from a daemon→router
+  // adapter view of the item. If the item can't be keyed (unknown service,
+  // missing channel/thread), fall back to pure ephemeral with no router calls.
+  const router = await getRouter();
+  const routerItem = deriveRouterItem(item);
+  let key = null;
+  let sessionId = null;
+  if (routerItem) {
+    try {
+      key = deriveRoutingKey(routerItem);
+      const decision = router.route(key);
+      if (decision.decision === "RESUME" && decision.resumeId) {
+        sessionId = decision.resumeId;
+      } else {
+        // EPHEMERAL or EPHEMERAL_REPLACE — pre-mint a fresh UUID. Reusing
+        // the same key on next call (with a different sessionId) is fine;
+        // touch() will overwrite the registry entry.
+        sessionId = randomUUID();
+      }
+    } catch (err) {
+      // routingKey() throws on malformed items. Don't crash — fall back to
+      // pure ephemeral with no session-router participation.
+      console.warn(`[responder] routingKey derivation failed: ${err.message} — falling back to non-routed ephemeral`);
+      key = null;
+      sessionId = null;
+    }
+  }
+
+  const cliResult = await runClaudeCLI(systemPrompt, userContent, model, {
+    sessionId,
+    router: key ? router : null,
+    routingKey: key,
   });
 
-  return response.content[0].text.trim();
+  const text = (cliResult.text || "").trim();
+  if (!text) {
+    throw new Error("claude CLI returned empty result text in generateResponse");
+  }
+
+  // (b3) On success, touch the registry with the CLI-resolved session_id so
+  // the next call routed to this key gets a RESUME decision. Skip touch on
+  // is_error responses or when JSON parsing failed (legacy fallback path).
+  if (key && cliResult.jsonResult && cliResult.jsonResult.is_error !== true) {
+    const claudeSessionId = cliResult.jsonResult.session_id || sessionId;
+    try {
+      await router.touch(key, { claudeSessionId, model });
+    } catch (err) {
+      console.warn(`[responder] router.touch failed for ${key}: ${err.message}`);
+    }
+  }
+
+  return text;
 }
 
 // ---------------------------------------------------------------------------

package/scripts/daemon/session-lock.mjs

@@ -518,3 +518,197 @@ export function releaseThreadLock(channel, threadTs) {
     // Lock already released or never existed — fine
   }
 }
+
+// ---------------------------------------------------------------------------
+// Item claims — prevents multiple parallel backlog sessions from picking up
+// the same queue item simultaneously. Designed per:
+// outputs/research/2026-04-18-session-coordination-design.md
+// ---------------------------------------------------------------------------
+
+const ITEM_CLAIM_DIR = join(SOPHIE_AI_DIR, "state", "locks", "item-claims");
+const DEFAULT_ITEM_CLAIM_TTL_MIN = 30; // Default TTL in minutes
+
+// Ensure directory exists
+mkdirSync(ITEM_CLAIM_DIR, { recursive: true });
+
+/**
+ * Check if a process is still running (macOS-compatible).
+ * Uses kill(pid, 0) — signal 0 checks existence without sending a signal.
+ *
+ * @param {number} pid - Process ID to check
+ * @returns {boolean} true if process is running
+ */
+function isProcessRunning(pid) {
+  try {
+    process.kill(pid, 0); // Signal 0 = existence check
+    return true;
+  } catch (err) {
+    return err.code === "EPERM"; // Process exists but we lack permission
+  }
+}
+
+/**
+ * Attempt to claim a queue item so only one session processes it.
+ * Uses exclusive file creation (wx flag) for POSIX-atomic acquisition.
+ *
+ * Fail-open design: claim system failures never block work. The worst case
+ * is duplicate work (the status quo), not blocked work.
+ *
+ * @param {string} itemId - Queue item ID (e.g. "ib-20260407-001b")
+ * @param {object} metadata - { session_id, agent_description, ttl_minutes, source, queue_file, pid }
+ * @returns {{ claimed: boolean, reason?: string, holder?: string }}
+ */
+export function claimItem(itemId, metadata = {}) {
+  const safeId = sanitiseItemId(itemId);
+  const claimPath = join(ITEM_CLAIM_DIR, `${safeId}.claim`);
+  const ttlMinutes = metadata.ttl_minutes || DEFAULT_ITEM_CLAIM_TTL_MIN;
+
+  // Check for existing claim
+  if (existsSync(claimPath)) {
+    try {
+      const existing = JSON.parse(readFileSync(claimPath, "utf-8"));
+      const ageMinutes = (Date.now() - new Date(existing.claimed_at).getTime()) / 60000;
+
+      if (ageMinutes < (existing.ttl_minutes || DEFAULT_ITEM_CLAIM_TTL_MIN)) {
+        // Claim is within TTL — check if the holding process is actually alive
+        if (existing.pid && isProcessRunning(existing.pid)) {
+          return { claimed: false, reason: "active_claim", holder: existing.session_id };
+        }
+        // Process is dead but claim not expired — override (orphaned claim)
+        console.log(`[session-lock] Overriding orphaned item claim for ${itemId}, pid ${existing.pid} is dead`);
+        // Fall through to write new claim
+      } else {
+        // TTL expired — override
+        console.log(`[session-lock] Overriding expired item claim for ${itemId}, age ${ageMinutes.toFixed(1)}m > ttl ${existing.ttl_minutes || DEFAULT_ITEM_CLAIM_TTL_MIN}m`);
+        // Fall through to write new claim
+      }
+    } catch {
+      // Corrupted claim file — treat as no existing claim (fail-open)
+    }
+  }
+
+  const claimData = {
+    session_id: metadata.session_id || `claim-${Date.now()}`,
+    claimed_at: new Date().toISOString(),
+    agent_description: metadata.agent_description || "",
+    ttl_minutes: ttlMinutes,
+    source: metadata.source || "backlog",
+    queue_file: metadata.queue_file || "",
+    pid: metadata.pid || process.pid,
+  };
+
+  try {
+    // Atomic exclusive create — identical pattern to acquireLock (line 90)
+    writeFileSync(claimPath, JSON.stringify(claimData, null, 2), { flag: "wx" });
+    return { claimed: true };
+  } catch (err) {
+    if (err.code === "EEXIST") {
+      // Race condition — another process won the claim
+      try {
+        const existing = JSON.parse(readFileSync(claimPath, "utf-8"));
+        const ageMinutes = (Date.now() - new Date(existing.claimed_at).getTime()) / 60000;
+        if (ageMinutes >= (existing.ttl_minutes || DEFAULT_ITEM_CLAIM_TTL_MIN)) {
+          // Stale — overwrite (non-atomic but acceptable)
+          writeFileSync(claimPath, JSON.stringify(claimData, null, 2));
+          return { claimed: true };
+        }
+        return { claimed: false, reason: "race_lost", holder: existing.session_id };
+      } catch {
+        return { claimed: false, reason: "race_lost" };
+      }
+    }
+    // Fail-open: if we can't write the claim for any other reason, allow processing
+    console.warn(`[session-lock] Item claim write failed for ${itemId} (fail-open): ${err.message}`);
+    return { claimed: true };
+  }
+}
+
+/**
+ * Release a claim for a queue item (on session completion or error).
+ *
+ * @param {string} itemId - Queue item ID
+ */
+export function releaseItemClaim(itemId) {
+  const safeId = sanitiseItemId(itemId);
+  const claimPath = join(ITEM_CLAIM_DIR, `${safeId}.claim`);
+  try {
+    unlinkSync(claimPath);
+  } catch {
+    // Claim already released, expired, or never existed — fine
+  }
+}
+
+/**
+ * Check if a queue item has an active (non-expired, live-process) claim.
+ * Used by sweepBacklog to skip items already being worked on.
+ *
+ * @param {string} itemId - Queue item ID
+ * @returns {boolean} true if there is an active claim on this item
+ */
+export function hasActiveClaim(itemId) {
+  const safeId = sanitiseItemId(itemId);
+  const claimPath = join(ITEM_CLAIM_DIR, `${safeId}.claim`);
+
+  try {
+    if (!existsSync(claimPath)) return false;
+
+    const claim = JSON.parse(readFileSync(claimPath, "utf-8"));
+    const ageMinutes = (Date.now() - new Date(claim.claimed_at).getTime()) / 60000;
+    const ttl = claim.ttl_minutes || DEFAULT_ITEM_CLAIM_TTL_MIN;
+
+    // Expired claim — not active
+    if (ageMinutes >= ttl) return false;
+
+    // If PID is recorded and process is dead — not active (orphaned)
+    if (claim.pid && !isProcessRunning(claim.pid)) return false;
+
+    return true;
+  } catch {
+    // Fail-open: if we can't read/parse the claim, treat as no claim
+    return false;
+  }
+}
+
+/**
+ * Sweep stale item claims. Called periodically from the daemon health interval.
+ *
+ * Two-tier cleanup:
+ *   - Past 2x TTL: unconditionally remove (well past expiry)
+ *   - Past 1x TTL but within 2x: remove only if PID is dead (orphaned)
+ *
+ * @returns {number} Number of stale claims removed
+ */
+export function sweepStaleItemClaims() {
+  let swept = 0;
+  try {
+    const files = readdirSync(ITEM_CLAIM_DIR).filter((f) => f.endsWith(".claim"));
+    for (const file of files) {
+      const claimPath = join(ITEM_CLAIM_DIR, file);
+      try {
+        const claim = JSON.parse(readFileSync(claimPath, "utf-8"));
+        const ageMinutes = (Date.now() - new Date(claim.claimed_at).getTime()) / 60000;
+        const ttl = claim.ttl_minutes || DEFAULT_ITEM_CLAIM_TTL_MIN;
+
+        if (ageMinutes > ttl * 2) {
+          // Well past TTL — remove unconditionally
+          unlinkSync(claimPath);
+          swept++;
+          console.log(`[session-lock] Swept stale item claim: ${claim.session_id}, age ${ageMinutes.toFixed(1)}m (2x TTL=${ttl * 2}m)`);
+        } else if (ageMinutes > ttl) {
+          // Past TTL but within 2x — check if PID is dead
+          if (claim.pid && !isProcessRunning(claim.pid)) {
+            unlinkSync(claimPath);
+            swept++;
+            console.log(`[session-lock] Swept orphaned item claim: ${claim.session_id}, pid ${claim.pid} dead`);
+          }
+        }
+      } catch {
+        // Corrupted claim file — remove it
+        try { unlinkSync(claimPath); swept++; } catch {}
+      }
+    }
+  } catch {
+    // ITEM_CLAIM_DIR doesn't exist or unreadable — nothing to sweep
+  }
+  return swept;
+}

package/scripts/daemon/sophie-daemon.mjs

@@ -34,7 +34,7 @@ import { dispatch, getStatus, availableSlots, canDispatchBacklog, resetActiveSes
 import { buildPrompt } from "./prompt-builder.mjs";
 import { sendQuickResponse, sendHoldingMessage, isQuickReply } from "./responder.mjs";
 import { recordPoll, recordClassification, recordSession, writeHealthDashboard } from "./health.mjs";
-import { acquireLock, updateLock, scanStaleLocks, acquireThreadLock, claimRequest } from "./session-lock.mjs";
+import { acquireLock, updateLock, scanStaleLocks, acquireThreadLock, claimRequest, hasActiveClaim, sweepStaleItemClaims } from "./session-lock.mjs";
 
 // ---------------------------------------------------------------------------
 // Configuration
@@ -401,6 +401,15 @@ async function sweepBacklog() {
         }
         return false;
       }
+
+      // File-based item claim check — survives daemon restart and is visible
+      // to concurrent launchd triggers. Complements in-memory activeBacklogKeys.
+      // (ib-20260407-001b: concurrent session coordination)
+      if (qi.id && hasActiveClaim(qi.id)) {
+        console.log(`[daemon] Backlog skip: "${qi.title}" — item claimed by another session`);
+        return false;
+      }
+
       return true;
     });
 
@@ -488,10 +497,15 @@ async function main() {
     }
   }, BACKLOG_INTERVAL);
 
-  // Health dashboard
+  // Health dashboard + stale claim sweep
   setInterval(() => {
     try {
       writeHealthDashboard();
+      // Sweep stale item claims (ib-20260407-001b: concurrent session coordination)
+      const claimsSwept = sweepStaleItemClaims();
+      if (claimsSwept > 0) {
+        console.log(`[daemon] Swept ${claimsSwept} stale item claims`);
+      }
     } catch (err) {
       console.error("[daemon] Health write error:", err.message);
     }

package/scripts/email-signature.html

@@ -1,3 +1,18 @@
+<!--
+  Email signature template — Maestro framework
+
+  This file is rewritten by /init-maestro Sub-agent 4 with the new agent's
+  identity. The placeholders below are replaced verbatim:
+
+    {{AGENT_NAME}}      e.g. "Lucas Ferreira"
+    {{AGENT_TITLE}}     e.g. "VP, Regulatory & Licensing"
+    {{AGENT_EMAIL}}     e.g. "lucas@adaptic.ai"
+    {{AGENT_PHONE}}     e.g. "+61 478 964 324" (pretty form)
+    {{COMPANY_ADDRESS}} e.g. "Level 1, Innovation One, DIFC, Dubai, UAE"
+
+  If you see this file unchanged in a deployed agent's repo, something went
+  wrong with init-maestro Sub-agent 4 — re-run the wizard or rewrite by hand.
+-->
 <div
   style="
     font-family: Arial, Helvetica, sans-serif;
@@ -5,8 +20,8 @@
     color: #333;
   "
 >
-  <p style="margin: 0; font-weight: bold; font-size: 14px">Sophie Nguyen</p>
-  <p style="margin: 0; color: #666">Chief of Staff</p>
+  <p style="margin: 0; font-weight: bold; font-size: 14px">{{AGENT_NAME}}</p>
+  <p style="margin: 0; color: #666">{{AGENT_TITLE}}</p>
   <br />
   <a href="https://adaptic.ai"
     ><img
@@ -16,10 +31,11 @@
       style="display: block; margin: 8px 0"
   /></a>
   <br />
-  <p style="margin: 0; font-size: 12px">sophie@adaptic.ai</p>
+  <p style="margin: 0; font-size: 12px">{{AGENT_EMAIL}}</p>
+  <p style="margin: 0; font-size: 12px">{{AGENT_PHONE}}</p>
   <br />
   <p style="margin: 0; font-size: 12px">
-    Level 1, Innovation One, Dubai International Financial Centre, Dubai, UAE
+    {{COMPANY_ADDRESS}}
   </p>
   <p
     style="