@agfpd/iapeer 0.1.0

package/src/init/index.ts

@@ -0,0 +1,408 @@
+// init — the per-peer onboarding verb (`iapeer init`, contract Примитивы §init +
+// Установка §INIT). DETERMINISTIC, non-interactive. Builds on provisionPeer (identity
+// + registry + infra plist) and adds the per-peer ECOSYSTEM wiring a peer needs to
+// talk: the HTTP-MCP transport config + the local doctrine template.
+//
+// THE BIG SIMPLIFICATION (install-gate snapped LIVE 08.06): a peer gets send_to_peer
+// purely from a project-scope `.mcp.json` pointing at the host-wide HTTP-MCP daemon —
+// NO plugin install, NO /reload-plugins, NO GC version-snapshots (the whole legacy
+// persistent-peer install-gate class is gone). Verified: a cold-start claude session
+// (--dangerously-skip-permissions, as the launch primitive runs it) auto-enables the
+// `.mcp.json` http server and send_to_peer is callable on its FIRST turn, no approve.
+//
+// claude side here. codex side (`[mcp_servers.<name>]` in ~/.codex/config.toml +
+// default_tools_approval_mode="approve") lands with its own live codex check.
+
+import { copyFileSync, existsSync, mkdirSync, readFileSync, writeFileSync } from 'fs'
+import { homedir } from 'os'
+import { join } from 'path'
+import { CODEX_BEARER_ENV_VAR, CODEX_DUMMY_BEARER, IAPEER_DIR, isInfraRuntime, type Runtime } from '../core/constants.ts'
+import {
+  ensureLocalIapScaffold,
+  pluginStateDir,
+  writeFileAtomic,
+  type StorageOptions,
+} from '../storage/index.ts'
+import { provisionPeer, type ProvisionResult } from '../provision/index.ts'
+import { launchctlBootstrap, launchdPlistPath, type BootstrapResult } from '../launch/launchd.ts'
+import { runtimeSelfConfig, type SelfConfigResult } from '../runtime/index.ts'
+import type { Intelligence } from '../core/constants.ts'
+
+/** The MCP-server name the peer's `.mcp.json` uses for the foundation daemon. */
+export const IAPEER_MCP_SERVER_NAME = 'iapeer'
+
+/** Fallback HTTP-MCP daemon port when no router.json is published yet (the daemon
+ *  binds this stable loopback port by default; init before daemon-start uses it). */
+export const DEFAULT_DAEMON_MCP_PORT = 8765
+
+const IAPEER_DOCTRINE_FILE = 'IAPEER.md'
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Daemon URL resolution (router.json published by the daemon, else the default)
+// ─────────────────────────────────────────────────────────────────────────────
+
+/**
+ * Resolve the daemon HTTP-MCP URL to write into a peer's `.mcp.json`. Primary: the
+ * `tcp` field of the daemon's discovery file `~/.iapeer/state/iapeer/router.json`
+ * (published live by the daemon). Fallback: the well-known default loopback URL —
+ * so `iapeer init` works even before the daemon is started (the daemon binds the
+ * same stable port; IAPEER_PORT overrides it at the daemon, not here).
+ */
+export function resolveDaemonMcpUrl(options: StorageOptions = {}): string {
+  const routerJson = join(pluginStateDir('iapeer', options), 'router.json')
+  try {
+    const parsed = JSON.parse(readFileSync(routerJson, 'utf8')) as { tcp?: unknown }
+    if (typeof parsed.tcp === 'string' && parsed.tcp) return parsed.tcp
+  } catch {
+    /* no router.json (daemon not started) → the well-known default below */
+  }
+  const env = options.env ?? process.env
+  const port = env.IAPEER_PORT?.trim() || String(DEFAULT_DAEMON_MCP_PORT)
+  return `http://127.0.0.1:${port}/mcp`
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// claude `.mcp.json` wiring (project-scope; auto-enables on cold-start)
+// ─────────────────────────────────────────────────────────────────────────────
+
+interface McpHttpServer {
+  type: 'http'
+  url: string
+  headers: Record<string, string>
+}
+
+/**
+ * Idempotently wire the foundation HTTP-MCP server into the peer's project-scope
+ * `<cwd>/.mcp.json` (claude-specific). MERGE, not clobber: existing mcpServers are
+ * preserved; only the `iapeer` entry is (re)written. The X-IAPeer-Identity header
+ * carries `claude-<personality>` so the daemon resolves the caller per request. The
+ * caller is authenticated by that header (the same proof live-verified at cold-start).
+ * Returns the written path. Re-running init is a no-op-equivalent (same bytes).
+ */
+export function writeClaudeMcpConfig(cwd: string, personality: string, daemonUrl: string): string {
+  const path = join(cwd, '.mcp.json')
+  let doc: { mcpServers?: Record<string, unknown> } = {}
+  if (existsSync(path)) {
+    try {
+      const parsed = JSON.parse(readFileSync(path, 'utf8'))
+      if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) doc = parsed
+    } catch {
+      // Malformed existing .mcp.json. Starting fresh would SILENTLY discard the
+      // operator's other mcpServers (audit #15/#22 — data loss). Back the original
+      // up VERBATIM first so re-init never loses foreign config; then proceed.
+      try {
+        copyFileSync(path, `${path}.corrupt.bak`)
+      } catch {
+        /* best-effort backup */
+      }
+    }
+  }
+  const server: McpHttpServer = {
+    type: 'http',
+    url: daemonUrl,
+    headers: { 'X-IAPeer-Identity': `claude-${personality}` },
+  }
+  doc.mcpServers = { ...(doc.mcpServers ?? {}), [IAPEER_MCP_SERVER_NAME]: server }
+  writeFileAtomic(path, `${JSON.stringify(doc, null, 2)}\n`, 0o644)
+  return path
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// codex MCP config (~/.codex/config.toml — HOST-WIDE; the token-free recipe)
+// ─────────────────────────────────────────────────────────────────────────────
+//
+// codex's CLI does NOT import tools from an OPEN streamable-HTTP MCP server — it marks
+// it authStatus=unsupported (and BLOCKS on startup) unless an auth scheme is configured
+// (codex bug #21532 / #4707). The token-free fix (PROVEN LIVE, codex 0.136, owner
+// decision 08.06 — Артур rejected a real host-wide bearer as a localhost crutch): set a
+// FIXED, NON-SECRET bearer (CODEX_DUMMY_BEARER). Setting `bearer_token_env_var` flips
+// authStatus to `bearer_token` purely from the config FACT — codex does NOT require the
+// server to validate the token. The daemon stays OPEN: it ignores `Authorization` and
+// resolves the caller from the X-IAPeer-Identity header (the SAME loopback same-uid +
+// per-peer-identity auth as the claude side). So NEITHER the daemon NOR the claude side
+// changes; only codex's config + the launch env do. The launch sets CODEX_BEARER_ENV_VAR
+// (=CODEX_DUMMY_BEARER) and PEER_IDENTITY; env_http_headers carries the latter per-peer.
+
+export { CODEX_BEARER_ENV_VAR } from '../core/constants.ts'
+
+/** `~/.codex/config.toml` (or $CODEX_HOME/config.toml). codex's config is HOST-WIDE,
+ *  not per-peer/project-scope like claude's `.mcp.json`. */
+export function codexConfigPath(options: StorageOptions = {}): string {
+  const env = options.env ?? process.env
+  const home = env.CODEX_HOME?.trim() || join(env.HOME?.trim() || homedir(), '.codex')
+  return join(home, 'config.toml')
+}
+
+/**
+ * Idempotently add the token-free `[mcp_servers.iapeer]` block to codex's host-wide
+ * config.toml (append-if-absent — never duplicates, never rewrites an existing block,
+ * never touches other servers/sections). The block (PROVEN LIVE — codex imports +
+ * calls send_to_peer with this exact shape):
+ *   - url = the daemon HTTP-MCP endpoint.
+ *   - default_tools_approval_mode = "approve" (no per-tool approval dialog; verified live).
+ *   - bearer_token_env_var = "IAPEER_BEARER" — codex reads its bearer from this env var
+ *     (the launch sets it to the NON-SECRET CODEX_DUMMY_BEARER). Its mere presence flips
+ *     authStatus unsupported→bearer_token, so codex imports the tools; the OPEN daemon
+ *     ignores the bearer (it authenticates by the identity header below).
+ *   - env_http_headers."X-IAPeer-Identity" = "PEER_IDENTITY" — the PER-PEER caller
+ *     identity, read from the PEER_IDENTITY env the launch sets, so ONE host-wide config
+ *     serves every codex peer with its own identity (env_http_headers, verified live).
+ * Returns {path, added} (added=false when the block already existed).
+ */
+export function writeCodexMcpConfig(daemonUrl: string, options: StorageOptions = {}): { path: string; added: boolean } {
+  const path = codexConfigPath(options)
+  let existing = ''
+  try {
+    existing = readFileSync(path, 'utf8')
+  } catch {
+    /* no config yet → create it */
+  }
+  if (/\[mcp_servers\.iapeer\]/.test(existing)) return { path, added: false } // idempotent
+  const block =
+    `\n[mcp_servers.${IAPEER_MCP_SERVER_NAME}]\n` +
+    `url = ${JSON.stringify(daemonUrl)}\n` +
+    `default_tools_approval_mode = "approve"\n` +
+    `bearer_token_env_var = "${CODEX_BEARER_ENV_VAR}"\n` +
+    `\n[mcp_servers.${IAPEER_MCP_SERVER_NAME}.env_http_headers]\n` +
+    `"X-IAPeer-Identity" = "PEER_IDENTITY"\n`
+  // Atomic write of the host-wide SHARED ~/.codex/config.toml (audit #12/#14): a torn
+  // writeFileSync could corrupt the operator's whole codex config. writeFileAtomic
+  // does tmp+fsync+rename and creates the dir.
+  writeFileAtomic(path, existing.replace(/\n*$/, '\n') + block, 0o644)
+  return { path, added: true }
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Local doctrine template (<cwd>/.iapeer/IAPEER.md — personality/role; human fills)
+// ─────────────────────────────────────────────────────────────────────────────
+
+/**
+ * Create the local doctrine template `<cwd>/.iapeer/IAPEER.md` if absent (contract:
+ * "шаблон .iapeer/IAPEER.md — пустой, человек заполняет"). It is the file that marks
+ * "this is a configured peer" (the launch primitive's bare-session gate keys on it)
+ * and where the peer's role/personality lives (merged into the system prompt, Канал
+ * A). NEVER overwrites an existing doctrine. Returns {path, created}.
+ */
+export function ensureDoctrineTemplate(cwd: string): { path: string; created: boolean } {
+  const path = join(cwd, IAPEER_DIR, IAPEER_DOCTRINE_FILE)
+  if (existsSync(path)) return { path, created: false }
+  ensureLocalIapScaffold(cwd)
+  writeFileSync(
+    path,
+    [
+      '# Peer doctrine',
+      '',
+      '<!-- This is the local doctrine for this peer — its role, personality, and mandate.',
+      '     It is merged into the system prompt at launch (Канал A). Replace this with',
+      '     who this peer is and what it does. An empty doctrine launches a bare peer. -->',
+      '',
+    ].join('\n'),
+    { mode: 0o644 },
+  )
+  return { path, created: true }
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// initPeer — orchestrate: provision (identity + registry + infra plist) + per-peer
+// ecosystem wiring (MCP transport per agentic runtime + doctrine template)
+// ─────────────────────────────────────────────────────────────────────────────
+
+/**
+ * Resolve the PRIMARY runtime for a peer cwd, runtime-aware and CONSISTENT with the
+ * contract (Примитивы §init): an explicit runtime wins; otherwise the runtime markers
+ * IN the cwd decide — `.claude` → claude, `.codex`-only → codex, both → claude primary
+ * (the agentic default order). No marker at all → claude (the default). This removes
+ * the old inconsistency where a `.codex`-only folder defaulted to claude as primary
+ * yet got a codex config — now the primary matches the markers, deterministically.
+ */
+export function resolvePrimaryRuntime(cwd: string, explicit?: Runtime): Runtime {
+  if (explicit) return explicit
+  if (existsSync(join(cwd, '.claude'))) return 'claude'
+  if (existsSync(join(cwd, '.codex'))) return 'codex'
+  return 'claude'
+}
+
+export interface InitPeerOptions {
+  cwd: string
+  /** Primary runtime. Default: resolved from the cwd's runtime markers
+   *  (resolvePrimaryRuntime) — `.claude` → claude, `.codex`-only → codex, else claude.
+   *  Agentic peers init claude/codex; an infra peer (telegram/notifier) is provisioned
+   *  but has no `.mcp.json` (it is a router, not an MCP client). */
+  runtime?: Runtime
+  personality?: string
+  description?: string
+  intelligence?: Intelligence
+  /** For an INFRA runtime: absolute path / PATH name of the runtime launcher, baked
+   *  into the always-on plist (so launchd's minimal PATH resolves it). */
+  runtimeBin?: string
+  /** AUTO-bootstrap a freshly-installed INFRA plist (launchctl bootstrap) instead of
+   *  write-and-wait (contract Фаза §5). Default true; only acts for an infra runtime
+   *  whose plist is foundation-owned. Sandbox/foreign cases are guarded inside
+   *  launchctlBootstrap. No-op for an agentic (warm-on-demand) runtime. */
+  bootstrap?: boolean
+  env?: NodeJS.ProcessEnv
+  warn?: (message: string) => void
+}
+
+export interface InitPeerResult extends ProvisionResult {
+  /** `.mcp.json` paths written (claude project-scope transport configs). */
+  mcpConfigPaths: string[]
+  /** codex config.toml path written with the token-free `[mcp_servers.iapeer]` block
+   *  (dummy bearer + env_http_headers identity), or undefined when the peer is not
+   *  codex. send_to_peer works immediately — see writeCodexMcpConfig. */
+  codexMcpConfigPath?: string
+  doctrinePath: string
+  doctrineCreated: boolean
+  daemonUrl: string
+  /** For an INFRA runtime: the per-peer self-config hook outcome (configured / failed /
+   *  absent when no runtime package declares one). Undefined for an agentic peer. */
+  selfConfig?: SelfConfigResult
+  /** For an INFRA runtime with bootstrap enabled: the launchctl bootstrap outcome
+   *  (loaded / already-loaded / skipped-sandbox / refused-foreign / failed). Undefined
+   *  for an agentic peer, when bootstrap was disabled, or when self-config failed (a
+   *  misconfigured always-on session is never loaded). */
+  bootstrapped?: BootstrapResult
+}
+
+/**
+ * Initialise a peer in one call: provision (identity + registry + infra plist) then
+ * the per-peer ecosystem wiring. For each AGENTIC runtime the peer declares, write
+ * the HTTP-MCP transport config (claude → project `.mcp.json`; codex → follow-up) so
+ * the peer has send_to_peer on cold-start. Always lay down the local doctrine
+ * template. Idempotent: re-running rewrites the same `.mcp.json` and never clobbers
+ * an existing doctrine.
+ */
+export async function initPeer(opts: InitPeerOptions): Promise<InitPeerResult> {
+  const env = opts.env ?? process.env
+  // Runtime-aware + CONSISTENT: an explicit runtime wins; else the cwd's markers
+  // decide the primary (resolvePrimaryRuntime), so the primary always matches the
+  // config that gets written (no `.codex`-only-but-primary-claude mismatch).
+  const runtime = resolvePrimaryRuntime(opts.cwd, opts.runtime)
+  const provisioned = await provisionPeer({
+    cwd: opts.cwd,
+    runtime,
+    personality: opts.personality,
+    description: opts.description,
+    intelligence: opts.intelligence,
+    runtimeBin: opts.runtimeBin,
+    env,
+    warn: opts.warn,
+  })
+
+  const daemonUrl = resolveDaemonMcpUrl({ env })
+  const mcpConfigPaths: string[] = []
+  // Wire claude when the peer is a claude peer — primary runtime claude OR a `.claude`
+  // marker in the cwd (a multi-runtime peer). codex (config.toml) is a separate
+  // follow-up (its own live approval-mode check); an infra runtime is a router (no
+  // MCP client), so it gets no `.mcp.json`.
+  if (provisioned.runtime === 'claude' || hasClaudeMarker(provisioned.cwd)) {
+    mcpConfigPaths.push(writeClaudeMcpConfig(provisioned.cwd, provisioned.personality, daemonUrl))
+  }
+  // codex: write the token-free host-wide config.toml block (dummy bearer flips codex's
+  // auth gate; the OPEN daemon authenticates by the identity header). send_to_peer works
+  // immediately. An infra runtime is a router → no MCP client → nothing written.
+  let codexMcpConfigPath: string | undefined
+  if (provisioned.runtime === 'codex' || hasCodexMarker(provisioned.cwd)) {
+    codexMcpConfigPath = writeCodexMcpConfig(daemonUrl, { env }).path
+  }
+
+  const doctrine = ensureDoctrineTemplate(provisioned.cwd)
+
+  // INFRA peer: per-peer runtime self-config, THEN auto-bootstrap. For an agentic
+  // (warm-on-demand) runtime neither applies — it is daemon-woken, never launchd-held,
+  // and gets its MCP wiring above instead.
+  let selfConfig: SelfConfigResult | undefined
+  let bootstrapped: BootstrapResult | undefined
+  if (isInfraRuntime(provisioned.runtime)) {
+    // (1) PER-PEER self-config (the shared contract both provision modes call): ask the
+    //     runtime package to "configure runtime state for this peer". A no-op when no
+    //     runtime package declares a hook (selfConfig.state='absent').
+    selfConfig = runtimeSelfConfig(
+      {
+        personality: provisioned.personality,
+        cwd: provisioned.cwd,
+        runtime: provisioned.runtime,
+        intelligence: provisioned.intelligence,
+      },
+      { env },
+    )
+    if (selfConfig.state === 'failed') {
+      // FAIL-CLOSED: never load an always-on session whose runtime state is not
+      // configured (it would crash-loop). The plist is written (idempotent re-run
+      // after a fix will bootstrap); we just do not load it now.
+      opts.warn?.(`runtime self-config failed for ${provisioned.personality}: ${selfConfig.detail ?? ''} — NOT bootstrapping`)
+    } else if (opts.bootstrap !== false) {
+      // (2) AUTO-bootstrap (contract Фаза §5): load the plist NOW instead of
+      //     write-and-wait. Fleet-safe / idempotent / sandbox-skipped inside.
+      bootstrapped = launchctlBootstrap(provisioned.personality, launchdPlistPath(provisioned.personality, env), env)
+      if (bootstrapped.state === 'failed' || bootstrapped.state === 'refused-foreign') {
+        opts.warn?.(`bootstrap ${bootstrapped.state}: ${bootstrapped.detail ?? ''}`)
+      }
+    }
+  }
+
+  return {
+    ...provisioned,
+    mcpConfigPaths,
+    codexMcpConfigPath,
+    doctrinePath: doctrine.path,
+    doctrineCreated: doctrine.created,
+    daemonUrl,
+    selfConfig,
+    bootstrapped,
+  }
+}
+
+/** A cwd is a claude/codex peer when it carries the runtime's marker dir (init scans
+ *  the same markers as discoverPeerRuntimes). */
+function hasClaudeMarker(cwd: string): boolean {
+  return existsSync(join(cwd, '.claude'))
+}
+function hasCodexMarker(cwd: string): boolean {
+  return existsSync(join(cwd, '.codex'))
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// CLI — `iapeer init` (run from the peer cwd) / `bun src/init/index.ts [cwd]`
+// ─────────────────────────────────────────────────────────────────────────────
+
+if (import.meta.main) {
+  const args = process.argv.slice(2)
+  const flags: Record<string, string> = {}
+  const positionals: string[] = []
+  for (let i = 0; i < args.length; i++) {
+    if (args[i].startsWith('--')) flags[args[i].slice(2)] = args[++i] ?? ''
+    else positionals.push(args[i])
+  }
+  const cwd = positionals[0] ?? process.cwd()
+  initPeer({
+    cwd,
+    runtime: (flags.runtime as Runtime) || undefined,
+    personality: flags.personality,
+    description: flags.description,
+    intelligence: flags.intelligence as Intelligence | undefined,
+    runtimeBin: flags.bin || undefined,
+    bootstrap: 'no-bootstrap' in flags ? false : undefined,
+    warn: m => process.stderr.write(`warn: ${m}\n`),
+  })
+    .then(r => {
+      process.stdout.write(
+        `initialized peer "${r.personality}" (${r.runtime}, ${r.intelligence})\n` +
+          `  profile:  ${r.profilePath}\n` +
+          `  registry: peers-profiles.json updated\n` +
+          (r.mcpConfigPaths.length
+            ? `  mcp:      ${r.mcpConfigPaths.join(', ')} → ${r.daemonUrl}\n`
+            : r.codexMcpConfigPath
+              ? `  mcp:      ${r.codexMcpConfigPath} (codex, token-free dummy-bearer — send_to_peer ready)\n`
+              : '  mcp:      (none — infra/router runtime)\n') +
+          `  doctrine: ${r.doctrinePath}${r.doctrineCreated ? ' (template created — fill it in)' : ' (kept)'}\n` +
+          (r.plistPath ? `  plist:    ${r.plistPath}\n` : '') +
+          `\nNext: fill in ${r.doctrinePath} and the peer's description, then launch with \`iapeer ${r.runtime}\`.\n`,
+      )
+      process.exit(0)
+    })
+    .catch(e => {
+      process.stderr.write(`init failed: ${e instanceof Error ? e.message : String(e)}\n`)
+      process.exit(1)
+    })
+}

package/src/init/init.test.ts

@@ -0,0 +1,171 @@
+// init — per-peer onboarding: HTTP-MCP .mcp.json wiring (the install-gate-proven
+// transport), doctrine template, and the initPeer orchestration over provisionPeer.
+
+import { afterEach, beforeEach, describe, expect, test } from 'bun:test'
+import { existsSync, mkdirSync, mkdtempSync, readFileSync, rmSync, writeFileSync } from 'fs'
+import { tmpdir } from 'os'
+import { join } from 'path'
+import {
+  CODEX_BEARER_ENV_VAR,
+  IAPEER_MCP_SERVER_NAME,
+  codexConfigPath,
+  ensureDoctrineTemplate,
+  initPeer,
+  resolveDaemonMcpUrl,
+  writeClaudeMcpConfig,
+  writeCodexMcpConfig,
+} from './index.ts'
+import { readPeersIndex } from '../registry/index.ts'
+import { readPeerProfile } from '../identity/index.ts'
+
+let root: string
+let cwd: string
+function cleanEnv(extra: Record<string, string> = {}): NodeJS.ProcessEnv {
+  const env: NodeJS.ProcessEnv = { ...process.env, IAPEER_ROOT: root, ...extra }
+  delete env.PEER_PERSONALITY
+  delete env.PEER_IDENTITY
+  delete env.PEER_RUNTIME
+  return env
+}
+
+beforeEach(() => {
+  root = mkdtempSync(join(tmpdir(), 'iapeer-init-root-'))
+  cwd = mkdtempSync(join(tmpdir(), 'iapeer-init-cwd-'))
+})
+afterEach(() => {
+  rmSync(root, { recursive: true, force: true })
+  rmSync(cwd, { recursive: true, force: true })
+})
+
+describe('resolveDaemonMcpUrl', () => {
+  test('no router.json → well-known default loopback URL (IAPEER_PORT respected)', () => {
+    expect(resolveDaemonMcpUrl({ env: cleanEnv() })).toBe('http://127.0.0.1:8765/mcp')
+    expect(resolveDaemonMcpUrl({ env: cleanEnv({ IAPEER_PORT: '9999' }) })).toBe('http://127.0.0.1:9999/mcp')
+  })
+  test('router.json present → its tcp field (daemon-published endpoint)', () => {
+    const stateDir = join(root, 'state', 'iapeer')
+    mkdirSync(stateDir, { recursive: true })
+    writeFileSync(join(stateDir, 'router.json'), JSON.stringify({ sock: '/x.sock', tcp: 'http://127.0.0.1:8765/mcp' }))
+    expect(resolveDaemonMcpUrl({ env: cleanEnv() })).toBe('http://127.0.0.1:8765/mcp')
+  })
+})
+
+describe('writeClaudeMcpConfig', () => {
+  test('writes the iapeer http server with the X-IAPeer-Identity header', () => {
+    const path = writeClaudeMcpConfig(cwd, 'boris', 'http://127.0.0.1:8765/mcp')
+    const doc = JSON.parse(readFileSync(path, 'utf8'))
+    expect(doc.mcpServers[IAPEER_MCP_SERVER_NAME]).toEqual({
+      type: 'http',
+      url: 'http://127.0.0.1:8765/mcp',
+      headers: { 'X-IAPeer-Identity': 'claude-boris' },
+    })
+  })
+  test('MERGES — preserves other mcpServers, only (re)writes iapeer', () => {
+    writeFileSync(join(cwd, '.mcp.json'), JSON.stringify({ mcpServers: { other: { type: 'http', url: 'https://x/mcp' } } }))
+    writeClaudeMcpConfig(cwd, 'boris', 'http://127.0.0.1:8765/mcp')
+    const doc = JSON.parse(readFileSync(join(cwd, '.mcp.json'), 'utf8'))
+    expect(doc.mcpServers.other).toEqual({ type: 'http', url: 'https://x/mcp' })
+    expect(doc.mcpServers.iapeer.headers['X-IAPeer-Identity']).toBe('claude-boris')
+  })
+  test('idempotent — re-running yields the same bytes', () => {
+    const p = writeClaudeMcpConfig(cwd, 'boris', 'http://127.0.0.1:8765/mcp')
+    const first = readFileSync(p, 'utf8')
+    writeClaudeMcpConfig(cwd, 'boris', 'http://127.0.0.1:8765/mcp')
+    expect(readFileSync(p, 'utf8')).toBe(first)
+  })
+})
+
+describe('ensureDoctrineTemplate', () => {
+  test('creates the template when absent', () => {
+    const { path, created } = ensureDoctrineTemplate(cwd)
+    expect(created).toBe(true)
+    expect(existsSync(path)).toBe(true)
+    expect(readFileSync(path, 'utf8')).toContain('Peer doctrine')
+  })
+  test('never overwrites an existing doctrine', () => {
+    mkdirSync(join(cwd, '.iapeer'), { recursive: true })
+    writeFileSync(join(cwd, '.iapeer', 'IAPEER.md'), 'I am boris.')
+    const { created } = ensureDoctrineTemplate(cwd)
+    expect(created).toBe(false)
+    expect(readFileSync(join(cwd, '.iapeer', 'IAPEER.md'), 'utf8')).toBe('I am boris.')
+  })
+})
+
+describe('writeCodexMcpConfig (token-free recipe — dummy bearer + env_http_headers identity)', () => {
+  test('adds [mcp_servers.iapeer] with url + approve + bearer_token_env_var + env_http_headers', () => {
+    const codexHome = mkdtempSync(join(tmpdir(), 'iapeer-codexhome-'))
+    try {
+      const env: NodeJS.ProcessEnv = { ...process.env, CODEX_HOME: codexHome }
+      const { path, added } = writeCodexMcpConfig('http://127.0.0.1:8765/mcp', { env })
+      expect(added).toBe(true)
+      expect(path).toBe(codexConfigPath({ env }))
+      const toml = readFileSync(path, 'utf8')
+      expect(toml).toContain('[mcp_servers.iapeer]')
+      expect(toml).toContain('url = "http://127.0.0.1:8765/mcp"')
+      expect(toml).toContain('default_tools_approval_mode = "approve"')
+      expect(toml).toContain(`bearer_token_env_var = "${CODEX_BEARER_ENV_VAR}"`)
+      expect(toml).toContain('[mcp_servers.iapeer.env_http_headers]')
+      expect(toml).toContain('"X-IAPeer-Identity" = "PEER_IDENTITY"')
+    } finally {
+      rmSync(codexHome, { recursive: true, force: true })
+    }
+  })
+  test('idempotent — re-run does NOT duplicate the block, and preserves other config', () => {
+    const codexHome = mkdtempSync(join(tmpdir(), 'iapeer-codexhome2-'))
+    try {
+      const env: NodeJS.ProcessEnv = { ...process.env, CODEX_HOME: codexHome }
+      writeFileSync(codexConfigPath({ env }), '[other]\nkeep = true\n')
+      expect(writeCodexMcpConfig('http://x/mcp', { env }).added).toBe(true)
+      expect(writeCodexMcpConfig('http://x/mcp', { env }).added).toBe(false) // idempotent
+      const toml = readFileSync(codexConfigPath({ env }), 'utf8')
+      expect((toml.match(/\[mcp_servers\.iapeer\]/g) ?? []).length).toBe(1) // no duplicate
+      expect(toml).toContain('[other]') // other config preserved
+      expect(toml).toContain('keep = true')
+    } finally {
+      rmSync(codexHome, { recursive: true, force: true })
+    }
+  })
+})
+
+describe('initPeer orchestration', () => {
+  test('codex peer: profile + registry + token-free codex config + doctrine', async () => {
+    const codexHome = mkdtempSync(join(tmpdir(), 'iapeer-codexhome3-'))
+    try {
+      const env = cleanEnv({ CODEX_HOME: codexHome })
+      const r = await initPeer({ cwd, runtime: 'codex', personality: 'cpeer', env })
+      expect(readPeerProfile(cwd)?.personality).toBe('cpeer')
+      expect(r.mcpConfigPaths.length).toBe(0) // no claude .mcp.json for a codex peer
+      expect(r.codexMcpConfigPath).toBe(codexConfigPath({ env }))
+      const toml = readFileSync(r.codexMcpConfigPath!, 'utf8')
+      expect(toml).toContain('[mcp_servers.iapeer]')
+      expect(toml).toContain(`bearer_token_env_var = "${CODEX_BEARER_ENV_VAR}"`) // token-free recipe wired
+    } finally {
+      rmSync(codexHome, { recursive: true, force: true })
+    }
+  })
+
+  test('claude peer: profile + registry + .mcp.json + doctrine, all wired', async () => {
+    const env = cleanEnv()
+    const r = await initPeer({ cwd, runtime: 'claude', personality: 'mypeer', env })
+    // identity + registry (via provision)
+    expect(readPeerProfile(cwd)?.personality).toBe('mypeer')
+    expect(readPeersIndex({ env }).peers.some(p => p.personality === 'mypeer')).toBe(true)
+    // .mcp.json wired to the daemon with the per-peer identity header
+    expect(r.mcpConfigPaths.length).toBe(1)
+    const mcp = JSON.parse(readFileSync(join(cwd, '.mcp.json'), 'utf8'))
+    expect(mcp.mcpServers.iapeer.headers['X-IAPeer-Identity']).toBe('claude-mypeer')
+    expect(mcp.mcpServers.iapeer.url).toBe('http://127.0.0.1:8765/mcp')
+    // doctrine template created
+    expect(r.doctrineCreated).toBe(true)
+    expect(existsSync(r.doctrinePath)).toBe(true)
+  })
+
+  test('idempotent — re-init does not throw and keeps an existing doctrine', async () => {
+    const env = cleanEnv()
+    await initPeer({ cwd, runtime: 'claude', personality: 'mypeer', env })
+    writeFileSync(join(cwd, '.iapeer', 'IAPEER.md'), 'custom doctrine')
+    const r2 = await initPeer({ cwd, runtime: 'claude', personality: 'mypeer', env })
+    expect(r2.doctrineCreated).toBe(false)
+    expect(readFileSync(join(cwd, '.iapeer', 'IAPEER.md'), 'utf8')).toBe('custom doctrine')
+  })
+})

package/src/init/runtime-resolve.test.ts

@@ -0,0 +1,49 @@
+// resolvePrimaryRuntime — the runtime-aware, CONSISTENT primary-runtime resolution
+// for init/create. Pure (filesystem markers only); no registry / launchd touched.
+
+import { afterEach, describe, expect, test } from 'bun:test'
+import { mkdirSync, mkdtempSync, rmSync } from 'fs'
+import { tmpdir } from 'os'
+import { join } from 'path'
+import { resolvePrimaryRuntime } from './index.ts'
+
+const dirs: string[] = []
+function mkTmp(): string {
+  const d = mkdtempSync(join(tmpdir(), 'iapeer-rt-'))
+  dirs.push(d)
+  return d
+}
+afterEach(() => {
+  while (dirs.length) rmSync(dirs.pop()!, { recursive: true, force: true })
+})
+
+describe('resolvePrimaryRuntime', () => {
+  test('explicit runtime wins regardless of markers', () => {
+    const cwd = mkTmp()
+    mkdirSync(join(cwd, '.codex'))
+    expect(resolvePrimaryRuntime(cwd, 'telegram')).toBe('telegram')
+  })
+
+  test('no marker → claude (default)', () => {
+    expect(resolvePrimaryRuntime(mkTmp())).toBe('claude')
+  })
+
+  test('.codex-only folder → codex primary (was the inconsistency: defaulted to claude)', () => {
+    const cwd = mkTmp()
+    mkdirSync(join(cwd, '.codex'))
+    expect(resolvePrimaryRuntime(cwd)).toBe('codex')
+  })
+
+  test('.claude folder → claude', () => {
+    const cwd = mkTmp()
+    mkdirSync(join(cwd, '.claude'))
+    expect(resolvePrimaryRuntime(cwd)).toBe('claude')
+  })
+
+  test('both markers → claude primary (agentic default order)', () => {
+    const cwd = mkTmp()
+    mkdirSync(join(cwd, '.claude'))
+    mkdirSync(join(cwd, '.codex'))
+    expect(resolvePrimaryRuntime(cwd)).toBe('claude')
+  })
+})