@aitne-sh/aitne 0.1.9 → 0.1.10

package/README.md

@@ -30,7 +30,7 @@ Aitne is a daemon on your laptop, connected to your calendar, mail (Gmail / Outl
 
 - **04:00 — Morning routine.** Aitne reads everything that landed overnight (mail, GitHub activity, calendar changes, vault updates) and writes `today.md` — sample below.
 - **Morning — Brief.** The plan lands in your DMs as a short summary.
-- **Through the day — Nudges.** Meeting reminders with travel time, hourly background checks for the things you care about (eval results, PR review requests, new mail). DMs only when there's something worth your attention.
+- **Through the day — Nudges.** Meeting reminders, hourly background checks for the things you care about (eval results, PR review requests, new mail). DMs only when there's something worth your attention.
 - **Evening — Review.** Aitne writes a daily journal: what got done, what slipped, one observation about the week.
 
 You steer it through natural-language DMs ("skip morning routine on Sundays", "ping me when the overnight job finishes") and bang commands (`!cost`, `!ask`, `!ingest`).
@@ -226,10 +226,10 @@ The router fails over to a configured fallback automatically on `BackendQuotaErr
 |---|---|
 | **Messaging** | Slack (Socket Mode), Telegram, Discord, WhatsApp (Baileys), Web dashboard |
 | **Mail** | Gmail, Outlook, Yahoo, iCloud — unified API, classifier, local FTS5 search, IMAP IDLE |
-| **Calendar** | Google Calendar, Outlook Calendar, iCloud (CalDAV), Google Maps for travel time |
+| **Calendar** | Google Calendar, Outlook Calendar, iCloud (CalDAV) — free/busy slot-finding across accounts |
 | **Knowledge** | Obsidian (CLI + vault watch), Notion (REST), custom MCP servers |
 | **Code** | Local Git, GitHub (Octokit + webhooks) |
-| **Lifestyle** | Auto-extracted receipts · travel bookings · Kindle highlights · voice transcription (Whisper, opt-in) |
+| **Lifestyle** | Auto-extracted receipts · travel bookings · Kindle highlights · browser-history research clusters · voice transcription (Whisper, opt-in) |
 
 Each integration runs in one of four modes:
 
@@ -250,7 +250,7 @@ Every mode change goes through a live capability probe and a per-key flip lock.
 <summary><b>Time, calendar, travel</b></summary>
 
 - Auto-generate `today.md` every morning with your real schedule
-- 15-min approach reminders for every event, with travel time pre-computed via Google Maps
+- 15-min approach reminders for every event
 - Find a 30-min slot across multiple calendars — Aitne checks freebusy and replies with options
 - Auto-extract flight, hotel, train confirmations from email into a structured travel timeline
 </details>
@@ -265,6 +265,24 @@ Every mode change goes through a live capability probe and a per-key flip lock.
 - IMAP IDLE for near-real-time delivery; PDF/image attachments are extracted and indexed
 </details>
 
+<details open>
+<summary><b>Agents you can define and schedule</b></summary>
+
+- Every routine is a first-class **Agent** — an identity with a YAML config + Markdown brief, editable at `:8322/agents`
+- The built-in routines (morning routine, evening review, hourly check, …) ship as **System** agents — can't be deleted, but can be stopped with a warning
+- Define your own recurring **work** agents (daily / weekly / monthly) — from the dashboard form or just by DMing the agent ("summarize my open PRs every Monday at 9")
+- Pin a backend, model, and tier per agent; see per-agent cost, success rate, and run history; fire any agent on demand
+- One-shot wake-ups ("remind me at 3pm"), pre-composed scheduled DMs, and recurring briefings — all quiet-hours-aware
+</details>
+
+<details>
+<summary><b>Browser automation (managed Chromium)</b></summary>
+
+- DM an open-ended browser task ("check my order status", "fill out this form") — a scoped sub-agent drives a managed Chromium session turn-by-turn, asking you to clarify mid-task and DMing back results + screenshots
+- Egress guards stay on: RFC1918 / loopback / cloud-metadata IP blocking, a form-submit payment-path blocker, and single-owner scoping
+- Purchase confirmation (the B-4 flow — DM-delivered single-use token + screenshot-first consent) is **experimental and default-off**; it requires explicit per-site dashboard opt-in
+</details>
+
 <details>
 <summary><b>Knowledge: Obsidian, Notion, your own wiki</b></summary>
 
@@ -295,6 +313,7 @@ Every mode change goes through a live capability probe and a per-key flip lock.
 - "I prefer concise replies — no preamble" — updates the agent's `character` field
 - "Email me a summary every Friday at 5pm" — creates a recurring schedule
 - "Switch to Codex for code reviews" — flips the per-process backend mapping
+- Bang commands for instant control: `!stop` / `!start` (pause/resume autonomous work), `!close` (reset the DM session), `!cost`, `!report`, `!help` — and define your own `!commands` at `:8322/settings/commands`
 - Every change is journaled to `agent_actions` — audit anything via `aitne audit`
 </details>
 
@@ -358,7 +377,7 @@ Plus: localhost-only API, webhook HMAC verification, no automated financial tran
 | `maxConcurrentSessions` (autonomous) | 3 | Hard semaphore |
 | `maxReactiveSessions` (DMs) | 2 | Hard semaphore |
 | `executeTimeoutMinutes` | 60 | Per-execute watchdog |
-| `autonomousDailyCostCapUsd` | `null` | Priority-based skipping: `hourly_check` at 100%, `evening_review` at 150%, `morning_routine` at 200%. Reactive DMs are not gated. |
+| `autonomousDailyCostCapUsd` | `null` | Priority-based skipping: `hourly_check` at 100%, `roadmap_refresh` at 120%, `evening_review` at 150%, `morning_routine` at 200%. Reactive DMs are not gated. |
 | `autonomousMonthlyCostCapUsd` | `null` | Alert + warn surface |
 | Per-ProcessKey `maxBudgetUsd` | per-row | Hard cap per execute |
 
@@ -368,6 +387,17 @@ Typical day for an active user: **~$0.50** (morning routine + briefing + 2× hou
 
 ## Operating Aitne
 
+### Dashboard
+
+The dashboard at `:8322` is a full local app, not just a settings panel:
+
+- **`/chat`** — talk to any backend/model right in the browser, with per-session overrides
+- **`/agents`** — define, schedule, and inspect your agents (above)
+- **`/schedule`** + **`/activity`** — upcoming runs and the full conversation/action history
+- **`/analytics`** + **`/health`** — cost/usage trends and integration-mode health
+- **`/connections/*`** — wire up calendar, mail, repositories, messaging, MCP, routines
+- **`/settings/*`** — `models`, `backends`, `schedule`, `routines`, `processes`, `messaging`, `commands` (custom bang commands), `management`, and the experimental browser-history surfaces
+
 ### Lifecycle
 
 | Command | What it does |
@@ -395,7 +425,7 @@ Typical day for an active user: **~$0.50** (morning routine + briefing + 2× hou
 
 ### Configuration
 
-`.env` is **bootstrap-only** (`PA_DATA_DIR`, `PA_API_PORT`, `PA_DASHBOARD_PORT`, `PA_LOG_LEVEL`). Everything else — ~100 runtime keys covering schedule, notifications, models, character, mail, voice, delegated mode — is editable from the dashboard at `:8322`, or via natural-language DMs to the agent.
+`.env` is **bootstrap-only** (`PA_DATA_DIR`, `PA_API_PORT`, `PA_DASHBOARD_PORT`, `PA_LOG_LEVEL`). Everything else — ~130 runtime keys covering schedule, notifications, models, character, mail, voice, delegated mode — is editable from the dashboard at `:8322`, or via natural-language DMs to the agent.
 
 ---
 

package/agent-assets/docs/concepts/agent-day.md

@@ -26,7 +26,7 @@ ask_examples:
   - What is dayBoundaryHour?
 locale: en-US
 created: 2026-04-25
-updated: 2026-05-28
+updated: 2026-06-07
 keywords:
   - day boundary
   - 04:00
@@ -71,7 +71,7 @@ clean boundary before they start.
 
 - **Agent day**: the 24-hour window starting at the configured day-boundary hour and ending at the same hour the next calendar day.
 - **Day boundary**: the hour-of-day that starts the agent day. Configured via the `dayBoundaryHour` setting (default `4`, valid range `0`–`9`). Values above 9 are rejected — the boundary is intended for the small hours, not mid-day.
-- **Day-stamped file**: any file whose name includes `YYYY-MM-DD` (e.g. `journal/daily/2026-04-25.md`, `journal/weekly/2026-04-20.md`). The date stamp uses the agent-day boundary, not the calendar day.
+- **Day-stamped file**: any file whose name carries a date (e.g. `journal/daily/2026-04-25.md` with a `YYYY-MM-DD` stamp, `journal/weekly/2026-W17.md` with an ISO `YYYY-Www` week slug). The stamp uses the agent-day boundary, not the calendar day.
 
 ## Concrete Examples
 

package/agent-assets/docs/concepts/costs-and-quotas.md

@@ -31,7 +31,7 @@ ask_examples:
   - How does Gemini's per-day quota work?
 locale: en-US
 created: 2026-04-25
-updated: 2026-05-28
+updated: 2026-06-07
 keywords:
   - cost
   - budget
@@ -196,8 +196,9 @@ register an API key on `/settings/models`.
 
 In the dashboard:
 
-- **Analytics** (`/analytics`) rolls today's cost by backend, by
-  ProcessKey, and by hour. When a backend is running on the
+- **Analytics** (`/analytics`) rolls cost by backend, by ProcessKey
+  (event type), by model, and over daily / weekly / monthly periods,
+  plus a today total. When a backend is running on the
   subscription fallback, remaining-window math is shown there too.
 - **Sidebar footer** shows the day's running total.
 - **Activity** event details include the per-execute cost.

package/agent-assets/docs/concepts/delegated-mode.md

@@ -36,7 +36,7 @@ ask_examples:
   - Why don't I see a SKILL.md for Gmail in my Codex session?
 locale: en-US
 created: 2026-04-26
-updated: 2026-05-28
+updated: 2026-06-07
 keywords:
   - delegated mode
   - direct mode
@@ -100,8 +100,8 @@ backend is the same as the integration's `delegatedBackend`:
   for the task-mode body shape.
 
 `native` has no sub-cases. The integration's `nativeBackend` must equal
-the main DM backend — `BackendRouter.setMainBackend` cascades unmatched
-`native` rows to `disabled`. From the agent's call-site view, `native`
+the main DM backend — `cascadeNativeBindingsOnMainSwitch` cascades
+unmatched `native` rows to `disabled`. From the agent's call-site view, `native`
 is indistinguishable from `delegated` same-backend (both are in-session
 MCP); the difference is who polls (no one, for `native`).
 
@@ -152,8 +152,8 @@ that case the daemon spawns the other backend per call.
 - **`nativeBackend`** — when native, which backend's connector is
   expected. Must equal the main DM backend; changing the main backend
   cascades unmatched `native` rows to `disabled` (the cascade is
-  triggered by `BackendRouter.setMainBackend` /
-  `PUT /api/backends/main`).
+  performed by `cascadeNativeBindingsOnMainSwitch` from the
+  `PUT /api/backends/main` handler).
 - **Same-backend** — DM session backend matches `delegatedBackend` /
   `nativeBackend`. The daemon is not in the loop; the agent calls
   native MCP directly. No skill body is materialized for the

package/agent-assets/docs/concepts/memory-model.md

@@ -29,7 +29,7 @@ ask_examples:
   - How does the daemon prevent the agent from writing to disk directly?
 locale: en-US
 created: 2026-04-25
-updated: 2026-05-28
+updated: 2026-06-07
 keywords:
   - context
   - markdown
@@ -153,8 +153,11 @@ curl -X PATCH http://localhost:8321/api/context/state/today.md \
   synthesized by the morning routine.
 - `plans/projects/<slug>.md` — one file per active project.
 - `policies/management.md` — the umbrella registry: Source-of-Truth
-  bindings, Managed Tasks, an Active Policies summary. Always
-  injected into every flow.
+  bindings, Managed Tasks, an Active Policies summary. Injected as
+  `<management_rules>` on the wide-path flows (DMs, mentions, the
+  morning routine); a few narrow routines (the journal stage, hourly
+  check, today refresh, observer events, scheduled tasks) opt out to
+  save budget.
 - `policies/management-captures/<slug>.md` — one file per durable management rule
   ("from now on, do X"). The daemon auto-maintains a slug index at
   `policies/management-captures/_index.md`.

package/agent-assets/docs/concepts/safety-model.md

@@ -34,7 +34,7 @@ ask_examples:
   - Where do I see what the agent has been doing?
 locale: en-US
 created: 2026-04-26
-updated: 2026-05-28
+updated: 2026-06-07
 keywords:
   - deniedTools
   - safety floor
@@ -74,8 +74,8 @@ The risk classifier has two write tiers, not three:
   delete event, …) and for normal context writes.
 - **Approve** — agent must present a Bearer token issued through the
   dashboard. Reserved for posture-changing daemon configuration:
-  flipping integration modes, swapping the main backend, deleting
-  backends, wiping config.
+  flipping integration modes, swapping the main backend, enabling/
+  disabling backends, wiping config.
 - (`ReadSensitive` is the third tier, but it gates *reads* of personal
   data — orthogonal to write notifications. It is unchanged.)
 
@@ -134,20 +134,22 @@ of "report to me" events. Information about what the agent did is
   `deniedTools` server-side — see the *Where the Defenses Apply* table
   below for the exact mechanism.
 - **`agent_actions`** — SQLite table of every agent action. Direct +
-  cross-backend rows are full-fidelity (current cross-backend writes
+  cross-backend rows are full-fidelity (cross-backend task-mode writes
   emit `delegated_task.run` / `delegated_task.exec` /
-  `delegated_task.tool_step`; legacy rows from before 2026-05-01 carry
-  `delegated_proxy.invoke`). Same-backend native MCP rolls up to
+  `delegated_task.tool_step`; the `delegated_proxy.invoke` row type
+  carries both legacy rows from the retired RPC `/invoke` route and
+  the hourly drift-detection probes still written by the
+  delegated-sync worker). Same-backend native MCP rolls up to
   `mcp_tool_calls` + the parent session row.
 
 ## Where the Defenses Apply
 
 | Path | Enforcement |
 |---|---|
-| Direct mode (`/api/mail/*`, `/api/calendar/*`) | Route handler middleware checks `deniedTools` against the materialized skill body's `allowed-tools` list (frontmatter). |
+| Direct mode (`/api/mail/*`, `/api/calendar/*`) | `deniedTools` is **inert** — the daemon runs the poller and the agent calls the daemon API through its direct-mode skill, so there is no per-tool deny surface. The list only persists for a future flip to delegated mode. Direct-mode safety comes from the route-level risk tiers (Approve gates posture-changing writes) and the always-disallowed layer, not `deniedTools`. |
 | Cross-backend (`/api/integrations/:key/exec`) | Invoker filters the integration's `capabilityTools` through `deniedTools` before spawning the delegated backend so the task-mode planner can only pick from the allowed surface. A fully-denied surface short-circuits with `errorClass: "denied_tool"`; individual tool denials surface as the same error from the invoker's `resolveAllowedToolPatterns`. |
 | Same-backend / native MCP — Claude | `collectSessionDeniedTools` merges the deny patterns into the SDK's `disallowedTools` array at `query()` time. Same code path covers both delegated same-backend and native — they share the in-session MCP surface. |
-| Same-backend / native MCP — Gemini | Patterns are folded into `generateAdminPolicy`'s TOML deny rules (priority 1000). |
+| Same-backend / native MCP — Gemini | Patterns are folded into `generateAdminPolicy`'s TOML deny rules (priority 936 — above the registry-driven native allows, below the absolute-block layer). |
 | Same-backend / native MCP — Codex | **Prose-only.** Codex bundles its connector apps into the binary; there is no per-tool deny config and the workspace-write sandbox does not match MCP tool calls. Skill prose lists the denied tools explicitly. Operators who require strict deny on Gmail / Calendar should pick a non-Codex DM backend or route those integrations through `delegated` cross-backend mode (which IS deny-enforced at `/exec`). |
 
 ## Recommended Starter Denylists
@@ -224,7 +226,7 @@ When the operator asks "what did you do yesterday?" / "have you sent
 anything from Gmail this week?" the agent calls:
 
 ```bash
-curl 'http://localhost:8321/api/agent/actions?since=2026-04-25T00:00:00Z&kind=delegated_task.run&kind=delegated_task.tool_step&limit=50'
+curl 'http://localhost:8321/api/agent/actions?since=2026-04-25T00:00:00Z&kind=delegated_task.exec&kind=delegated_task.tool_step&limit=50'
 ```
 
 and answers in conversation. The endpoint:
@@ -241,12 +243,12 @@ and answers in conversation. The endpoint:
   the per-call detail lives in `mcp_tool_calls`, which this endpoint
   does not join — query it separately if you need step-level fidelity.
 
-Common `kind` values for the cross-backend proxy: `delegated_task.run`
-(one row per `/exec` call), `delegated_task.exec` (the planner's
-chosen tool), `delegated_task.tool_step` (each individual tool call
-inside the task). The legacy `delegated_proxy.invoke` rows persist
-from before 2026-05-01 — include them if the `since` window crosses
-that date.
+Common `kind` values for the cross-backend proxy: `delegated_task.exec`
+(one header row per `/exec` call), `delegated_task.run` (one header row
+per generic `/run` call), `delegated_task.tool_step` (each individual
+tool call inside the task). The `delegated_proxy.invoke` rows cover the
+retired RPC `/invoke` route plus the delegated-sync worker's hourly
+drift-detection probes — include them when you want that surface too.
 
 This **replaces** the rejected daily-digest pattern. Reasons:
 
@@ -269,7 +271,8 @@ Approve still gates:
 
 - `PATCH /api/integrations/:key` — mode / `delegatedBackend` /
   `deniedTools` changes.
-- `PUT /api/backends/main`, `DELETE /api/backends/:id`.
+- `PUT /api/backends/main`, `POST /api/backends/:id/enable`,
+  `POST /api/backends/:id/disable`.
 - `PATCH /api/config` for fields that wipe protections.
 - `/api/system/*` — config reset, history purge, factory reset.
 

package/agent-assets/docs/concepts/skills.md

@@ -28,7 +28,7 @@ ask_examples:
   - Where do skill overlays live?
 locale: en-US
 created: 2026-04-25
-updated: 2026-05-28
+updated: 2026-06-07
 keywords:
   - SKILL.md
   - allowed-tools
@@ -74,7 +74,7 @@ The agent runs against a real machine. Without scoped permissions, a
 "please summarize my mail" turn could in principle invoke `Bash(rm)`,
 post to your social accounts, or rewrite arbitrary files. Skills fix
 that by making the available toolset task-shaped: the morning routine
-loads the routines/observations/today/schedule skills; a docs question
+loads the context/today/observations/schedule skills; a docs question
 loads only `docs-search`. Tools outside the allow-list aren't even
 visible to the model.
 

package/agent-assets/docs/features/integrations/browser-history.md

@@ -12,9 +12,10 @@ aliases:
 category: features
 summary: |
   Local-only poller that reads the browser's own SQLite databases
-  (Chrome / Safari / Firefox / Arc), records visits as observations,
-  derives research clusters from sustained reading patterns, and
-  surfaces what you keep refreshing. Nothing leaves the daemon.
+  (Chrome / Chromium / Edge / Brave / Comet / Atlas), records visits as
+  observations, derives research clusters from sustained reading
+  patterns, and surfaces what you keep refreshing. Nothing leaves the
+  daemon.
 section: integrations
 tags:
   - integrations
@@ -31,7 +32,7 @@ ask_examples:
   - How do I opt out of browser history?
 locale: en-US
 created: 2026-05-22
-updated: 2026-05-28
+updated: 2026-06-07
 keywords:
   - browser history
   - browser history poller
@@ -74,9 +75,9 @@ api_endpoints:
 
 # Browser History
 
-Aitne can read the SQLite history databases that Chrome, Safari,
-Firefox, and Arc already maintain on disk, classify visits into
-categories, and use the result to notice what you've been
+Aitne can read the SQLite history databases that Chrome, Chromium,
+Edge, Brave, Comet, and Atlas already maintain on disk, classify visits
+into categories, and use the result to notice what you've been
 researching, what you've been refreshing, and what comparison-shopping
 windows you're in. Everything stays local — no URLs, titles, or
 clicks leave the daemon.
@@ -122,7 +123,7 @@ clicks leave the daemon.
   enable / disable each detected browser independently and override
   the DB path for atypical installs.
 - **Per-category gate.** `browserHistoryCategories` controls which
-  visit categories (research / shopping / docs / media / …) get
+  visit categories (research / shopping / news / dev / entertainment / …) get
   ingested. Categories you exclude are dropped at ingest time, not
   filtered later.
 - **Retention.** `browserHistoryRetentionDays` (visits) and

package/agent-assets/docs/features/integrations/calendar.md

@@ -33,7 +33,7 @@ ask_examples:
   - Which model handles detected calendar changes?
 locale: en-US
 created: 2026-04-25
-updated: 2026-05-28
+updated: 2026-06-07
 keywords:
   - calendar
   - google calendar
@@ -68,9 +68,9 @@ process_keys:
 
 # Calendar
 
-Aitne pulls events from one or more calendars (Google Calendar today,
-more backends planned) so it can build today's plan around them and
-DM you ahead of meetings that matter.
+Aitne pulls events from one or more calendars (Google Calendar,
+Outlook Calendar, and Apple Calendar) so it can build today's plan
+around them and DM you ahead of meetings that matter.
 
 ## What It Does
 

package/agent-assets/docs/features/integrations/mail.md

@@ -27,7 +27,7 @@ ask_examples:
   - How do I add a second mail account?
 locale: en-US
 created: 2026-04-25
-updated: 2026-05-28
+updated: 2026-06-07
 keywords:
   - mail
   - gmail
@@ -118,7 +118,8 @@ mode lifecycle.
 
 ## What It Outputs
 
-- New threads land in the local `messages` table (FTS-indexed).
+- New threads land in the local `mail_messages_index` table
+  (FTS-indexed via `fts_mail_messages`).
 - Classification labels are written via the provider API.
 - A short "mail" section in `state/today.md` when items qualified.
 

package/agent-assets/docs/features/lifestyle/git.md

@@ -46,7 +46,7 @@ ask_examples:
   - How much does one Architecture refresh cost?
 locale: en-US
 created: 2026-05-05
-updated: 2026-05-28
+updated: 2026-06-07
 keywords:
   - my life
   - git
@@ -110,7 +110,7 @@ per repo (all open by default so the controls are visible at a glance):
 2. **Triggers** — fire when matching Git or GitHub events arrive on
    this repository. Triggers run **alongside** the project-wide
    task-flow defaults, not in place of them. Each trigger has a
-   workdir mode (`local-clone` or `ephemeral`); local-clone triggers
+   workdir mode (`local-clone` or `temp`); local-clone triggers
    require the repository to have a `localPath`.
 3. **Daily git management** — opt-in per repo. Enabling it does three
    distinct kinds of work, on different cadences:
@@ -272,7 +272,7 @@ repository has a `localPath`:
 - **Triggers** with `workdirMode: "local-clone"` require a `localPath`
   on the parent repository (enforced when the trigger is created and
   again if you try to clear `localPath` while such a trigger exists).
-  Triggers with `workdirMode: "ephemeral"` work without a local clone.
+  Triggers with `workdirMode: "temp"` work without a local clone.
 - **Daily git management** is **local-clone-bound for v1**. The
   toggle is disabled and the dashboard surfaces "No local clone — link
   one to enable this feature." Internally the

package/agent-assets/docs/features/lifestyle/reading.md

@@ -26,7 +26,7 @@ ask_examples:
   - Where do reading-list items get stored?
 locale: en-US
 created: 2026-04-25
-updated: 2026-05-28
+updated: 2026-06-07
 keywords:
   - reading
   - books
@@ -65,10 +65,13 @@ at `/reading`.
     "Export Notebook" email.
 - **List** the library on `/reading` or via `GET /api/books`
   (filterable by `status` and `source`, paginated to 200 rows per call).
-- **Mark complete or abandoned** — the agent updates an existing row via
-  `PATCH /api/books/:id`. Setting `status` to `completed` stamps
-  `completed_at` automatically; you can also set a 1–5 `rating` or
-  `notes`.
+- **Mark complete or abandoned** — an existing row is updated via
+  `PATCH /api/books/:id`. This is an **Approve-tier** write that requires
+  an operator `Authorization: Bearer` token, so it is driven from the
+  dashboard, not autonomously by the agent (an unauthenticated agent curl
+  is rejected with **401** before the handler runs). Setting `status` to
+  `completed` stamps `completed_at` automatically; you can also set a 1–5
+  `rating` or `notes`.
 - **Recommend** from the list during reactive turns, and refresh the
   reading-taste profile during weekly and monthly reviews.
 
@@ -111,9 +114,13 @@ drives the list shape. The reading skill loads in two situations:
   network error there surfaces in the audit log even when the chat reply
   looked fine. A common cause is pasting a partial or non-Kindle
   clippings file, which yields zero parsed books.
-- **An edit that didn't stick**: `PATCH /api/books/:id` returns 404 if
-  the id doesn't exist and 400 for an invalid `status` (only `reading`,
-  `completed`, `abandoned`) or an out-of-range `rating` (must be 1–5).
+- **An edit that didn't stick**: `PATCH /api/books/:id` is Approve-tier,
+  so a request without a valid operator Bearer token is rejected with 401
+  before the handler runs — book status/rating/notes corrections are made
+  from the dashboard, not by an autonomous agent. Once authenticated, it
+  returns 404 if the id doesn't exist and 400 for an invalid `status`
+  (only `reading`, `completed`, `abandoned`) or an out-of-range `rating`
+  (must be 1–5).
 
 ## Related
 

package/agent-assets/docs/features/lifestyle/travel-bookings.md

@@ -27,7 +27,7 @@ ask_examples:
   - Where are my travel bookings stored?
 locale: en-US
 created: 2026-04-25
-updated: 2026-05-28
+updated: 2026-06-07
 keywords:
   - flight
   - hotel
@@ -99,8 +99,9 @@ classifier do the rest. The flow is:
 
 ## API
 
-Read-only and status-update access (read endpoints are autonomous; the
-PATCH endpoint follows the standard write-safety tier):
+Read-only and status-update access (read endpoints are read-sensitive —
+they expose personal travel data; the PATCH endpoint follows the standard
+write-safety tier and requires approval):
 
 ```bash
 # All bookings (optionally filter by type/status/date range)

package/agent-assets/docs/features/memory-files/agent-journal.md

@@ -27,7 +27,7 @@ ask_examples:
   - Why did journal/agent.md stop growing?
 locale: en-US
 created: 2026-04-25
-updated: 2026-05-28
+updated: 2026-06-07
 keywords:
   - journal
   - retros
@@ -38,6 +38,7 @@ related:
   - features/routines/morning-routine
   - features/routines/evening-review
   - features/routines/weekly-review
+  - features/memory-files/agent-lessons
   - features/operations/activity-and-conversations
   - concepts/memory-model
 process_keys:
@@ -47,7 +48,7 @@ process_keys:
 context_files:
   - journal/agent.md
 ui_anchors:
-  - /connections/journal
+  - /knowledge?tab=context-files
   - /settings/journal
 ---
 
@@ -68,12 +69,17 @@ of *what happened* — the journal is reflection-shaped: it captures
 
 Each entry carries:
 
-- A timestamp (the routine stamps an `Appended at:` line).
+- A dated heading — the morning routine stamps a
+  `## YYYY-MM-DD morning routine` H2; the weekly and monthly retros add
+  a `> Appended at: YYYY-MM-DD HH:MM` line under their section header.
 - A short context line — which routine or conversation prompted it.
 - The reflection itself.
 
-The file lives at `~/.personal-agent/context/journal/agent.md` and
-grows forever. Later routines read it back to look for patterns.
+The file lives at `~/.personal-agent/context/journal/agent.md`. The
+day-to-day morning and ad-hoc entries accumulate indefinitely; the
+daily retention rollup keeps only a rolling window of the structured
+retros (the most recent 12 `## Weekly` and 24 `## Monthly` sections),
+pruning older ones. Later routines read it back to look for patterns.
 
 ## Who writes it, and when
 
@@ -127,10 +133,17 @@ cannot destroy history. Writes go through the daemon context API
 
 ## Where in the dashboard
 
-- **Connections → Journal** (`/connections/journal`) is the read view
-  of the file.
-- **Settings → Journal** (`/settings/journal`) controls retention and
-  which routines contribute.
+- **Knowledge → Context Files** (`/knowledge?tab=context-files`) is the
+  read view of the file — `journal/agent` is listed among the top-level
+  context files. It is flagged as sensitive: entering edit mode surfaces
+  a "deliberately pruning noise" warning before you change anything.
+- **Settings → Journal** (`/settings/journal`) does *not* edit this
+  file. It is a two-tab editor for the daily-journal rule files —
+  `policies/journal-format.md` (sections, voice, frontmatter) and
+  `policies/journal-export.md` (redaction / inclusion rules) — both of
+  which the morning routine reads when synthesizing `daily/YYYY-MM-DD.md`,
+  not `journal/agent.md`. `/connections/journal` is a compatibility alias
+  that redirects here.
 
 ## Configuration
 
@@ -147,9 +160,12 @@ agent's own writes, not to you editing the file on disk.
   [Evening Review](../routines/evening-review.md).
 - **Entries look duplicated.** This usually means a routine retried
   after a backend fallback. Because writes are append-only, a retry
-  can re-append rather than overwrite; the weekly review has an
-  idempotency check for its own section, but it is best-effort — a
-  manual prune is fine.
+  re-appends rather than overwrites — the weekly review deliberately
+  appends a fresh section instead of editing in place. The daemon's
+  daily retention rollup (`rollupAgentJournal`) collapses duplicate
+  `## Weekly YYYY-Www` / `## Monthly YYYY-MM` keys last-write-wins
+  within 24 hours, so duplicates self-heal; a manual prune is fine but
+  rarely needed.
 
 ## Related
 
@@ -162,5 +178,7 @@ agent's own writes, not to you editing the file on disk.
 - [Activity & Conversations](../operations/activity-and-conversations.md)
   — the action-shaped audit log, distinct from the reflection-shaped
   journal.
+- [agent lessons](agent-lessons.md) — the directive-shaped learned-behavior
+  stores, distinct from this reflection-shaped diary.
 - [Memory model](../../concepts/memory-model.md) — how the journal fits
   the wider context vault.