@aitne/daemon 0.1.10 → 0.1.11

package/dist/core/feedback/tuning-revert-monitor.js

@@ -0,0 +1,213 @@
+/**
+ * Self-Tuning Review Cycle — Verify stage / auto-revert monitor
+ * (SELF_TUNING_REVIEW_CYCLE_DESIGN.md §3.4, Phase 3).
+ *
+ * Piggybacks the existing hourly cron tick (scheduler.ts — same
+ * fire-and-forget slot as the auth probe; no new scheduled session, P2) and
+ * throttles itself to one pass per UTC day via
+ * {@link REVERT_MONITOR_STATE_KEY}. Seven days after an applied config
+ * change, it recomputes the rule's target metric over the verify window
+ * `[applied_at, applied_at + 7d)` and:
+ *
+ *   - **regression past the rule's margin** → revert through the shared
+ *     {@link revertAppliedTuningChange} (config restored via the
+ *     `applyConfigUpdates` chokepoint, ledger stamped `reverted_at` — which
+ *     triggers the 28-day re-proposal cool-down — audit
+ *     `self_tuning.reverted`, `self_critique` signal so the failure becomes
+ *     a lesson) and DM the owner;
+ *   - **no regression** → stamp `verified_at` + audit
+ *     `self_tuning.verified` so the entry is never re-examined.
+ *
+ * Per-rule margins (D3/D4 — named constants, deliberately not settings
+ * keys):
+ *   - R1 reverts if daily novelty≥2 observation arrivals fall >30% below
+ *     the pre-change baseline (stale pre-pass suppressing signal) OR the
+ *     cautious-escalate tick share rises >10 pt.
+ *   - R3 reverts if >10% of `stage0_silent` ticks in the window carried
+ *     `maxNoveltyScore ≥ 2` in their audited snapshot — harm only the
+ *     raised ceiling can introduce (today's gate never silences novelty≥2).
+ *   - R5 reverts on the explicit-correction proxy: any negative explicit /
+ *     self_critique signal citing a lesson within the window.
+ *
+ * The monitor runs regardless of `selfTuningEnabled`: entries only exist
+ * once actuation has run, and a safety rollback must keep working even if
+ * the owner turns the loop off afterwards. Only `config`-actuator entries
+ * are verified — lesson/schedule entries carry no machine state.
+ */
+import { TUNING_METRIC_WINDOW_DAYS, auditSelfTuning, computeR1Metric, computeR3Metric, countLessonRegressionSignals, ledgerStateKey, listLedgerEntries, revertAppliedTuningChange, } from "./tuning-actuator.js";
+import { readRuntimeState, writeRuntimeState } from "../../db/runtime-state.js";
+import { createLogger } from "../../logging.js";
+const logger = createLogger("tuning-revert-monitor");
+const DAY_MS = 24 * 60 * 60 * 1000;
+/**
+ * Daily-throttle state key. Dot-separated namespace on purpose — the
+ * Measure stage's `gatherLedger` scans `self_tuning:%` and must never pick
+ * monitor state up as a phantom ledger entry (same rule as the pending
+ * cycle key).
+ */
+export const REVERT_MONITOR_STATE_KEY = "self_tuning.revert_monitor";
+/** §3.4 — days between apply and the verify pass. */
+export const TUNING_VERIFY_WINDOW_DAYS = TUNING_METRIC_WINDOW_DAYS;
+/** D4 — R1 reverts when novelty≥2 arrivals fall >30% below baseline. */
+export const R1_NOVELTY_ARRIVALS_MAX_DROP = 0.3;
+/** D4 — R1 reverts when the cautious-escalate share rises >10 pt. */
+export const R1_CAUTIOUS_ESCALATE_MAX_RISE = 0.1;
+/** D3 — R3 reverts when >10% of silent ticks carried novelty≥2 snapshots. */
+export const R3_SILENT_NOVELTY_GE2_MAX_SHARE = 0.1;
+function isR1Metric(value) {
+    return (typeof value === "object" &&
+        value !== null &&
+        typeof value.noveltyGe2PerDay === "number" &&
+        typeof value.cautiousEscalateShare === "number");
+}
+function pct(value) {
+    return `${Math.round(value * 100)}%`;
+}
+/**
+ * Decide one applied entry's fate. Pure given the DB rows: every margin is
+ * compared against telemetry that already exists (D3 — no recomputation of
+ * live signals). An entry whose `applied_at` cannot be parsed, or whose
+ * rule has no metric, settles as verified with an explanatory result — the
+ * conservative direction is "leave the change in place", never "revert
+ * without evidence".
+ */
+export function evaluateAppliedEntry(db, entry, now) {
+    const appliedMs = Date.parse(entry.blob.applied_at);
+    if (Number.isNaN(appliedMs)) {
+        return { action: "verify", result: "invalid_applied_at" };
+    }
+    const windowEndMs = appliedMs + TUNING_VERIFY_WINDOW_DAYS * DAY_MS;
+    if (now.getTime() < windowEndMs)
+        return { action: "wait" };
+    const from = new Date(appliedMs);
+    const to = new Date(windowEndMs);
+    if (entry.blob.rule === "R1") {
+        if (!isR1Metric(entry.blob.baselineMetric)) {
+            return { action: "verify", result: "no_baseline" };
+        }
+        const baseline = entry.blob.baselineMetric;
+        const current = computeR1Metric(db, from, to);
+        if (baseline.noveltyGe2PerDay > 0 &&
+            current.noveltyGe2PerDay <
+                baseline.noveltyGe2PerDay * (1 - R1_NOVELTY_ARRIVALS_MAX_DROP)) {
+            return {
+                action: "revert",
+                reason: `novelty>=2 observation arrivals fell to ` +
+                    `${current.noveltyGe2PerDay.toFixed(2)}/day vs baseline ` +
+                    `${baseline.noveltyGe2PerDay.toFixed(2)}/day (>30% drop)`,
+            };
+        }
+        if (current.cautiousEscalateShare >
+            baseline.cautiousEscalateShare + R1_CAUTIOUS_ESCALATE_MAX_RISE) {
+            return {
+                action: "revert",
+                reason: `cautious-escalate tick share rose to ` +
+                    `${pct(current.cautiousEscalateShare)} vs baseline ` +
+                    `${pct(baseline.cautiousEscalateShare)} (>10 pt rise)`,
+            };
+        }
+        return { action: "verify", result: "pass" };
+    }
+    if (entry.blob.rule === "R3") {
+        const metric = computeR3Metric(db, from, to);
+        if (metric.stage0Ticks > 0 &&
+            metric.noveltyGe2 / metric.stage0Ticks > R3_SILENT_NOVELTY_GE2_MAX_SHARE) {
+            return {
+                action: "revert",
+                reason: `${metric.noveltyGe2}/${metric.stage0Ticks} silent ticks carried ` +
+                    `maxNoveltyScore>=2 (>10% — harm from the raised ceiling)`,
+            };
+        }
+        return { action: "verify", result: "pass" };
+    }
+    if (entry.blob.rule === "R5") {
+        const signals = countLessonRegressionSignals(db, from, to);
+        if (signals > 0) {
+            return {
+                action: "revert",
+                reason: `${signals} explicit-correction signal(s) cited a lesson within ` +
+                    "the verify window (forgotten-lesson proxy)",
+            };
+        }
+        return { action: "verify", result: "pass" };
+    }
+    return { action: "verify", result: "no_metric" };
+}
+/** §3.4 — the one-line owner DM for an auto-revert. */
+export function buildAutoRevertDmMessage(entry, reason) {
+    return (`Self-tuning auto-revert: restored ${entry.key} to ` +
+        `${String(entry.blob.prev)} — ${reason}. The key is now in a 28-day ` +
+        "re-proposal cool-down.");
+}
+/**
+ * The cron-tick entry point. Throttled to one pass per UTC day; the state
+ * write happens before the scan so a mid-pass failure waits for tomorrow
+ * instead of retrying every tick. Each entry is processed in isolation —
+ * one broken entry never blocks the rest.
+ */
+export async function runSelfTuningRevertMonitor(deps, now = new Date()) {
+    const today = now.toISOString().slice(0, 10);
+    const state = readRuntimeState(deps.db, REVERT_MONITOR_STATE_KEY);
+    if (state?.lastRunDay === today) {
+        return { ran: false, reverted: [], verified: [] };
+    }
+    writeRuntimeState(deps.db, REVERT_MONITOR_STATE_KEY, { lastRunDay: today });
+    const run = { ran: true, reverted: [], verified: [] };
+    const due = listLedgerEntries(deps.db).filter((entry) => entry.blob.actuator === "config" &&
+        entry.blob.reverted_at === undefined &&
+        entry.blob.verified_at === undefined);
+    for (const entry of due) {
+        try {
+            const decision = evaluateAppliedEntry(deps.db, entry, now);
+            if (decision.action === "wait")
+                continue;
+            if (decision.action === "revert") {
+                const result = await revertAppliedTuningChange(deps, entry, {
+                    trigger: "auto",
+                    reason: decision.reason,
+                    now,
+                });
+                if (!result.ok) {
+                    logger.warn({ key: entry.key, error: result.error }, "Auto-revert failed at the config chokepoint");
+                    continue;
+                }
+                run.reverted.push(entry.key);
+                if (deps.sendDm) {
+                    try {
+                        await deps.sendDm(buildAutoRevertDmMessage(entry, decision.reason));
+                    }
+                    catch (err) {
+                        logger.warn({ err, key: entry.key }, "Auto-revert DM failed");
+                    }
+                }
+                else {
+                    logger.warn({ key: entry.key }, "Auto-revert applied without DM path — owner not notified");
+                }
+                continue;
+            }
+            // decision.action === "verify" — clean window (or no metric): stamp
+            // so the entry is never re-examined; revertability via
+            // `!revert tuning` is unaffected. Re-read before writing (same
+            // discipline as revertAppliedTuningChange): an `!revert tuning`
+            // landing between this pass's scan and this stamp must not have its
+            // `reverted_at` clobbered by the stale scanned blob — that would
+            // both resurrect the key as revertable and drop its 28d cool-down.
+            const current = readRuntimeState(deps.db, ledgerStateKey(entry.key)) ?? entry.blob;
+            writeRuntimeState(deps.db, ledgerStateKey(entry.key), {
+                ...current,
+                verified_at: now.toISOString(),
+                verify_result: decision.result,
+            });
+            auditSelfTuning(deps.db, "self_tuning.verified", "autonomous", "success", {
+                key: entry.key,
+                rule: entry.blob.rule,
+                verifyResult: decision.result,
+            });
+            run.verified.push(entry.key);
+        }
+        catch (err) {
+            logger.warn({ err, key: entry.key }, "Revert-monitor entry failed");
+        }
+    }
+    return run;
+}

package/dist/core/health-monitor.d.ts

@@ -4,6 +4,12 @@ import type { EventBus } from "./event-bus.js";
 import type { MessageHub } from "../adapters/message-hub.js";
 import type { ObserverManager } from "../observers/manager.js";
 export interface HealthStatus {
+    /**
+     * Seconds since daemon start. Every consumer of the `/health` `uptime`
+     * field (`bin/aitne.mjs formatUptime`, dashboard `formatUptime`)
+     * formats seconds — this was milliseconds until 2026-06-10, which made
+     * `aitne status` report a minutes-old daemon as days of uptime.
+     */
     daemonUptime: number;
     eventBusSize: number;
     activeSessions: number;

package/dist/core/health-monitor.js

@@ -89,7 +89,7 @@ export class HealthMonitor {
             dbConnected = false;
         }
         return {
-            daemonUptime: Date.now() - this.startedAt.getTime(),
+            daemonUptime: Math.floor((Date.now() - this.startedAt.getTime()) / 1000),
             eventBusSize: this.eventBus.size,
             activeSessions,
             dbConnected,

package/dist/core/injection-policy.d.ts

@@ -83,7 +83,7 @@ export interface InjectionPolicy {
  *    redaction-aware wikilinks. Also drops the `*` policy-file merge
  *    because the lite-tier skill bundle never invokes MCP; the redaction
  *    policy is re-declared inline.
- *  - **Hourly check** (`routine.hourly_check`) — task-flow §"Execution
+ *  - **Activity scan** (`routine.activity_scan`) — task-flow §"Execution
  *    budget" explicitly tells the agent NOT to read roadmap / projects /
  *    user files unless an observation warrants it.
  *  - **Today refresh** (`routine.today_refresh`) — dashboard-triggered
@@ -125,13 +125,13 @@ export declare function getInjectionPolicy(eventOrProcessKey: string): Injection
  *    global agent-operating behaviour — notification discipline, filter
  *    quality). Phase 3 consumer: `ContextBuilder`.
  *  - `slim`   — use the hard-2048-byte, top-N-by-score variant on the hourly
- *    notify turn (§6). Only `routine.hourly_check` sets it. Implies `global`.
+ *    notify turn (§6). Only `routine.activity_scan` sets it. Implies `global`.
  *  - `self`   — eligible for the per-agent `policies/agents/<slug>/lessons.md`
  *    block (scope `agent:<slug>`). **Phase 4 consumer.** The builder reads it
  *    next to `<agent_identity>` and gates it on a resolved, path-safe slug
  *    stamped onto `event.data.agentId` at the dispatch site — `self === true`
  *    here means "this surface *may* carry self lessons"; an actual injection
- *    additionally requires the run to be bound to an Agent. `hourly_check`
+ *    additionally requires the run to be bound to an Agent. `activity_scan`
  *    keeps `self: false` so the slim notify turn never carries a second block.
  *
  * **Surface keying is grounded in the real event-type strings build() sees,
@@ -146,7 +146,7 @@ export declare function getInjectionPolicy(eventOrProcessKey: string): Injection
  *    no notifications — injecting lessons there would be wasted bytes against
  *    the §0 cost constraint. So Stage A is keyed, the umbrella and Stage B are
  *    not.
- *  - `routine.hourly_check` is the escalated Stage-3 LLM/notify turn (gate
+ *  - `routine.activity_scan` is the escalated Stage-3 LLM/notify turn (gate
  *    Layers 1–3 are code and build no prompt), so the slim block bites exactly
  *    where the notify decision is made. The `.triage` lite classification is
  *    intentionally excluded.

package/dist/core/injection-policy.js

@@ -59,7 +59,7 @@ const DEFAULT_POLICY = {
  *    redaction-aware wikilinks. Also drops the `*` policy-file merge
  *    because the lite-tier skill bundle never invokes MCP; the redaction
  *    policy is re-declared inline.
- *  - **Hourly check** (`routine.hourly_check`) — task-flow §"Execution
+ *  - **Activity scan** (`routine.activity_scan`) — task-flow §"Execution
  *    budget" explicitly tells the agent NOT to read roadmap / projects /
  *    user files unless an observation warrants it.
  *  - **Today refresh** (`routine.today_refresh`) — dashboard-triggered
@@ -88,9 +88,9 @@ export function getInjectionPolicy(eventOrProcessKey) {
             policyFileGlobalMerge: false,
         };
     }
-    // Narrow routines (hourly check, today refresh) — drop both heavy
+    // Narrow routines (activity scan, today refresh) — drop both heavy
     // blocks. `*` policy merge is preserved (redaction.md is non-negotiable).
-    if (eventOrProcessKey === "routine.hourly_check" ||
+    if (eventOrProcessKey === "routine.activity_scan" ||
         eventOrProcessKey === "routine.today_refresh") {
         return {
             alwaysBlocks: NO_BLOCKS,
@@ -162,7 +162,7 @@ export function getAgentLessonsInjection(eventOrProcessKey, opts) {
         case "routine.monthly_review":
             return LESSONS_DM_REVIEW;
         // Hourly notify turn — slim, hard-capped notification-discipline variant.
-        case "routine.hourly_check":
+        case "routine.activity_scan":
             return LESSONS_HOURLY;
         // Defined-agent task execution (§5 "Defined-agent execution"). A bare
         // scheduled.task stays NONE (the §5 opt-out); one that resolves to an Agent

package/dist/core/integration-main-backend.js

@@ -131,6 +131,10 @@ export function cascadeNativeBindingsOnMainSwitch(db, newMainBackendId) {
             // against the same drift covered by the c8-ignored branch above.
             /* c8 ignore next */
             deniedTools: state.deniedTools ?? [],
+            // User configuration that must survive the disable/re-enable cycle —
+            // PATCH re-enables with `previous.fetchTargets`, so dropping it here
+            // would silently wipe the allowlist on a main-backend change.
+            fetchTargets: state.fetchTargets ?? [],
             lastChangedAt: now,
         });
         flipped.push({

package/dist/core/management-md.d.ts

@@ -58,7 +58,7 @@ export declare function renderNoteSourcesSection(integrations: IntegrationsRecor
 /**
  * INTEGRATION_NATIVE_MODE_DESIGN.md §7.3 — render the full per-session
  * routing table that the per-backend instruction file (`CLAUDE.md` /
- * `AGENTS.md` / `GEMINI.md`) and the hourly_check / DM task-flow files
+ * `AGENTS.md` / `GEMINI.md`) and the activity_scan / DM task-flow files
  * substitute in for the `<integration-routing-table>` placeholder.
  *
  * Always renders every registered integration, even when all rows are
@@ -77,7 +77,7 @@ export declare function renderIntegrationRoutingTable(integrations: Integrations
  * `native` rows; `disabled` rows are filtered out entirely so the
  * task-flow's "for each integration" loop has zero iterations for them.
  *
- * This is what the hourly_check and DM task-flow files iterate over;
+ * This is what the activity_scan and DM task-flow files iterate over;
  * the full {@link renderIntegrationRoutingTable} is for the instruction
  * file's read-only audit summary.
  */

package/dist/core/management-md.js

@@ -63,24 +63,53 @@ function consumeSelfWrite(absPath) {
     return pendingSelfWrites.delete(absPath);
 }
 // ── Render ─────────────────────────────────────────────────────────────────
-// Ownership note: this frontmatter emits `owner: daemon`. The file is a
-// daemon-rendered snapshot of `settings.integrations_json`; the Dashboard
-// (Settings → Connections) is the canonical edit surface. Hand-edits are
-// still parsed by chokidar as a break-glass path for resilience, but the
-// file is not advertised as user-editable. See §14.3 of
+// Frontmatter contract. `policies/integrations.md` lives inside the vault
+// under the `policies/` authority class, so it MUST satisfy the vault
+// frontmatter validator (`context-frontmatter.ts`): `type: rule`,
+// `owner ∈ {agent, shared, user}`, and an ISO `updated` date. Before the
+// CONTEXT_VAULT_REDESIGN restructure this file lived at the un-validated
+// `~/.personal-agent/integrations.md`, so it shipped a bespoke
+// daemon-snapshot frontmatter (`owner: daemon`, no `type`/`updated`). The
+// restructure moved it under `policies/` and added the generic `policies/`
+// validation, but this renderer was never reconciled — leaving every
+// install's file flagged "frontmatter requires `type`" by Vault Health.
+//
+// `owner` is `shared` because the file is a daemon-rendered snapshot of
+// `settings.integrations_json` that the user may also hand-edit (chokidar
+// reconciles edits back into the DB) — the same mixed authority as
+// `policies/management.md`. The Dashboard (Settings → Connections) remains
+// the canonical edit surface. See §14.3 of
 // docs/design/14-integration-delegation.md.
-const FRONTMATTER = `---
-file: integrations.md
-purpose: per-integration access-mode configuration
-owner: daemon
+//
+// `updated` is derived from the most recent `lastChangedAt` across all
+// integration rows (truncated to a calendar date) so the render stays a
+// pure function of DB state: booting re-renders byte-identical output until
+// a mode actually changes, preserving the idempotency contract above.
+const FRONTMATTER_FALLBACK_UPDATED = "2026-04-17";
+function renderFrontmatter(integrations) {
+    let latest = "";
+    for (const key of INTEGRATION_KEYS) {
+        const ts = integrations[key].lastChangedAt;
+        if (ts > latest)
+            latest = ts;
+    }
+    const updated = /^\d{4}-\d{2}-\d{2}/.test(latest)
+        ? latest.slice(0, 10)
+        : FRONTMATTER_FALLBACK_UPDATED;
+    return `---
+type: rule
+slug: integrations
+owner: shared
+updated: ${updated}
 schema_version: 1
 ---
 `;
+}
 const MODES_SECTION = `## Modes
 
 - **direct** — daemon holds credentials and polls; full feature set; setup required.
 - **delegated** — daemon proxies a separate backend connector on a cadence; reduced features; zero setup.
-- **native** — main backend's own native MCP / connector reaches the integration on-demand within the same DM / hourly_check turn; no daemon polling and no daemon-side proxy.
+- **native** — main backend's own native MCP / connector reaches the integration on-demand within the same DM / activity_scan turn; no daemon polling and no daemon-side proxy.
 - **disabled** — integration off.
 `;
 function renderCurrentStateTable(integrations) {
@@ -132,15 +161,23 @@ export function renderNoteSourcesSection(integrations, notes) {
     else if (notion.mode === "delegated" && notion.delegatedBackend) {
         notionLine = `enabled (delegated via ${notion.delegatedBackend})`;
     }
+    else if (notion.mode === "native" && notion.nativeBackend) {
+        notionLine = `enabled (native via ${notion.nativeBackend})`;
+    }
     else {
         notionLine = "enabled (direct)";
     }
+    const notionTargets = (notion.fetchTargets ?? []).map((target) => target.label);
+    const notionTargetsLine = notionTargets.length > 0
+        ? notionTargets.join(", ")
+        : "—";
     return [
         "## Note Sources",
         "",
         "<!-- Auto-generated. Edit settings via Dashboard → Settings → Note. Hand-edits are overwritten on next render. -->",
         `- Obsidian vault (personal): ${obsidianLine}`,
         `- Notion: ${notionLine}`,
+        `- Notion routine fetch targets: ${notionTargetsLine}`,
         "",
     ].join("\n");
 }
@@ -218,7 +255,7 @@ function renderToolDenySection(integrations) {
 /**
  * INTEGRATION_NATIVE_MODE_DESIGN.md §7.3 — render the full per-session
  * routing table that the per-backend instruction file (`CLAUDE.md` /
- * `AGENTS.md` / `GEMINI.md`) and the hourly_check / DM task-flow files
+ * `AGENTS.md` / `GEMINI.md`) and the activity_scan / DM task-flow files
  * substitute in for the `<integration-routing-table>` placeholder.
  *
  * Always renders every registered integration, even when all rows are
@@ -247,7 +284,7 @@ export function renderIntegrationRoutingTable(integrations) {
  * `native` rows; `disabled` rows are filtered out entirely so the
  * task-flow's "for each integration" loop has zero iterations for them.
  *
- * This is what the hourly_check and DM task-flow files iterate over;
+ * This is what the activity_scan and DM task-flow files iterate over;
  * the full {@link renderIntegrationRoutingTable} is for the instruction
  * file's read-only audit summary.
  */
@@ -381,7 +418,7 @@ export function renderManagementMd(integrations, notes = {
     externalObsidianWatch: true,
 }) {
     return [
-        FRONTMATTER,
+        renderFrontmatter(integrations),
         "# Integration Management\n",
         MODES_SECTION,
         renderCurrentStateTable(integrations),
@@ -666,6 +703,7 @@ function mergeParsedIntoDb(dbState, parsed) {
         if (semanticChange) {
             merged[key] = {
                 ...next,
+                fetchTargets: prev.fetchTargets ?? [],
                 lastChangedAt: new Date().toISOString(),
             };
         }

package/dist/core/morning/orchestrator.d.ts

@@ -110,7 +110,7 @@ export interface MorningPipelineOrchestratorDeps {
      * morning-routine-optimization.md Phase 6 — ⑥ AgentJournalAppender
      * needs the safety write-tracker so the journal's atomic write does
      * not get tagged as a user-actor change by the obsidian / git
-     * observers (which would re-trigger the hourly check on the agent's
+     * observers (which would re-trigger the activity scan on the agent's
      * own output). The context-index reconciler is intentionally NOT
      * threaded here: `journal/agent.md` is not in the indexable set, so
      * the chokidar fallback path covers it without an explicit hint.
@@ -254,7 +254,7 @@ export declare class MorningRoutinePipelineOrchestrator {
      * (audit's internal try/catch swallowed a real SQLite error AND
      * `processResult`'s notification path threw too), the parent-audit
      * emitter will return `stage_a_row_missing` and the pre-routine gate
-     * stays unfired for the day — that day's hourly_check / evening_review
+     * stays unfired for the day — that day's activity_scan / evening_review
      * are skipped with `morning_routine_pending_for_today`, but
      * `MAX_RETRIES`-bounded `scheduleMorningRetry` does NOT loop on this
      * shape because today.md health is independent. The day's automation

package/dist/core/morning/orchestrator.js

@@ -358,7 +358,7 @@ export class MorningRoutinePipelineOrchestrator {
      * (audit's internal try/catch swallowed a real SQLite error AND
      * `processResult`'s notification path threw too), the parent-audit
      * emitter will return `stage_a_row_missing` and the pre-routine gate
-     * stays unfired for the day — that day's hourly_check / evening_review
+     * stays unfired for the day — that day's activity_scan / evening_review
      * are skipped with `morning_routine_pending_for_today`, but
      * `MAX_RETRIES`-bounded `scheduleMorningRetry` does NOT loop on this
      * shape because today.md health is independent. The day's automation
@@ -993,7 +993,7 @@ export class MorningRoutinePipelineOrchestrator {
             // could still call `Write` on `daily/<date>.md` directly —
             // bypassing the daemon-side `DailyJournalComposer` chokepoint
             // and racing it. Mirrors the precedent at
-            // `dispatcher-hourly-check.ts:1003` (`routine.hourly_check.triage`).
+            // `dispatcher-activity-scan.ts:1003` (`routine.activity_scan.triage`).
             //
             // Activation requires the clamp gate in `claude-code-core.ts`
             // to honour an empty array as "no tools" — fixed in the same

package/dist/core/notification-gate.d.ts

@@ -0,0 +1,64 @@
+/**
+ * Outbound-notification gate — QUIET_HOURS_HARDENING_PLAN.md Phase 1.
+ *
+ * Single decision function for the API-deps `sendNotification` chokepoint
+ * (`bootstrap/api.ts`), closing finding F1: `POST /api/notify` used to
+ * bypass quiet hours AND rate limits without the explicit-user-intent
+ * justification the other delivery paths encode. The intent rule —
+ * "explicit user-chosen time → deliver regardless of quiet hours; ambient
+ * autonomous output → suppress/defer" — now holds here too:
+ *
+ *   1. safety / critical → send immediately (mirrors NotificationManager);
+ *   2. inside quiet hours → defer to a `task_type='dm'` agent_schedule row
+ *      at the quiet-hours edge (durable, coalesced per origin — see
+ *      `db/deferred-dm.ts`), never silently dropped;
+ *   3. outside quiet hours → enforce the same hourly/daily rate limits the
+ *      proactive path enforces; the live session gets a `rate_limit`
+ *      verdict it can adapt to (write to today.md instead) rather than a
+ *      silent queue.
+ *
+ * Pure composition over covered helpers — keep glue out of bootstrap.
+ */
+import type Database from "better-sqlite3";
+/** Safety categories bypass quiet hours and user preferences. Owned here
+ *  so the NotificationManager and this gate share one list. */
+export declare const SAFETY_CATEGORIES: readonly ["security", "deadline", "error", "critical"];
+export interface OutboundGateConfig {
+    quietHoursStart: string;
+    quietHoursEnd: string;
+    /** IANA tz; empty string falls back to system timezone. */
+    timezone: string;
+    maxNotificationsPerHour: number;
+    maxNotificationsPerDay: number;
+    dayBoundaryHour: number;
+}
+export interface OutboundGateParams {
+    message: string;
+    platforms?: string[] | undefined;
+    priority?: string | undefined;
+    notificationType?: string | undefined;
+    originSessionId?: number | undefined;
+    agentId?: string | null | undefined;
+    /** Origin marker stamped into the deferred row, e.g. `"api.notify"`. */
+    deferredFrom: string;
+}
+export type OutboundGateResult = {
+    action: "send";
+} | {
+    action: "defer";
+    scheduleId: string;
+    /** SQLite-format UTC datetime the deferred DM fires at. */
+    deliverAfter: string;
+    coalesced: boolean;
+} | {
+    action: "rate_limit";
+    retryAfter: string | null;
+};
+/**
+ * Critical priority and safety-tagged notification types deliver
+ * immediately — same bypass set as `NotificationManager.isSafetyCategory`
+ * ("urgent" accepted defensively; the notify schema only emits
+ * critical/high/normal/low).
+ */
+export declare function bypassesOutboundGate(priority: string | undefined, notificationType: string | undefined): boolean;
+export declare function gateOutboundNotification(db: Database.Database, config: OutboundGateConfig, params: OutboundGateParams, now?: Date): OutboundGateResult;

package/dist/core/notification-gate.js

@@ -0,0 +1,51 @@
+import { deferDmToQuietHoursEnd } from "../db/deferred-dm.js";
+import { evaluateNotificationRateLimit, } from "./notification-rate-limit.js";
+/** Safety categories bypass quiet hours and user preferences. Owned here
+ *  so the NotificationManager and this gate share one list. */
+export const SAFETY_CATEGORIES = [
+    "security",
+    "deadline",
+    "error",
+    "critical",
+];
+/**
+ * Critical priority and safety-tagged notification types deliver
+ * immediately — same bypass set as `NotificationManager.isSafetyCategory`
+ * ("urgent" accepted defensively; the notify schema only emits
+ * critical/high/normal/low).
+ */
+export function bypassesOutboundGate(priority, notificationType) {
+    if (priority === "critical" || priority === "urgent")
+        return true;
+    return (notificationType !== undefined &&
+        SAFETY_CATEGORIES.includes(notificationType));
+}
+export function gateOutboundNotification(db, config, params, now = new Date()) {
+    if (bypassesOutboundGate(params.priority, params.notificationType)) {
+        return { action: "send" };
+    }
+    const deferred = deferDmToQuietHoursEnd(db, {
+        start: config.quietHoursStart,
+        end: config.quietHoursEnd,
+        timezone: config.timezone || undefined,
+    }, {
+        message: params.message,
+        platforms: params.platforms,
+        deferredFrom: params.deferredFrom,
+        originSessionId: params.originSessionId,
+        agentId: params.agentId,
+    }, now);
+    if (deferred !== null) {
+        return { action: "defer", ...deferred };
+    }
+    const rateLimit = evaluateNotificationRateLimit(db, {
+        maxNotificationsPerHour: config.maxNotificationsPerHour,
+        maxNotificationsPerDay: config.maxNotificationsPerDay,
+        timezone: config.timezone,
+        dayBoundaryHour: config.dayBoundaryHour,
+    }, now);
+    if (rateLimit.limited) {
+        return { action: "rate_limit", retryAfter: rateLimit.retryAfter };
+    }
+    return { action: "send" };
+}

package/dist/core/notification-rate-limit.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Outbound-notification rate-limit evaluation — pure(ish) helper shared by
+ * NotificationManager (proactive suppression) and the `/api/notify` gate
+ * (QUIET_HOURS_HARDENING_PLAN.md Phase 1). Extracted so the two call sites
+ * cannot drift on the counting semantics: distinct dispatches, delivered
+ * only, `message.received` replies excluded, hourly window + agent-day
+ * window both enforced.
+ *
+ * 100% covered. NotificationManager itself stays excluded from the
+ * coverage gate as I/O-heavy; this helper is the pure leg it shares with
+ * the notify-route gate.
+ */
+import type Database from "better-sqlite3";
+export interface NotificationRateLimitOptions {
+    maxNotificationsPerHour: number;
+    maxNotificationsPerDay: number;
+    /** IANA tz; empty/undefined falls back to system timezone. */
+    timezone?: string | undefined;
+    /** Agent day boundary hour (default config: 4). */
+    dayBoundaryHour: number;
+}
+export interface NotificationRateLimitState {
+    limited: boolean;
+    /**
+     * SQLite-format UTC datetime (`YYYY-MM-DD HH:MM:SS`) when a retry could
+     * succeed, or `null` when not limited. Hourly limit → the moment the
+     * oldest delivery in the trailing hour ages out of the window; daily
+     * limit → the agent-day end boundary. Advisory — the caller's retry can
+     * still lose to a concurrent delivery.
+     */
+    retryAfter: string | null;
+}
+/**
+ * Count semantics mirror the pre-extraction `NotificationManager`
+ * implementation byte-for-byte: a multi-channel dispatch counts once
+ * (DISTINCT on dispatch_id, falling back to the row id for legacy rows
+ * with an empty dispatch_id), only `delivered` rows count, and
+ * `message.received` reply forwards never count against proactive budget.
+ */
+export declare function evaluateNotificationRateLimit(db: Database.Database, opts: NotificationRateLimitOptions, now?: Date): NotificationRateLimitState;