@aitne/daemon 0.1.10 → 0.1.11

package/dist/observers/mail-poller.js

@@ -7,7 +7,25 @@ import { createLogger } from "../logging.js";
 import { processMailBatch } from "../services/mail-classifier.js";
 import { isIntegrationPollerless } from "../core/integration-lifecycle.js";
 import { emptyIngestionStats, processClassifiedMailBatch, } from "../services/mail-ingestion.js";
+import { raceWithAbort } from "../core/abort-utils.js";
 const logger = createLogger("mail-poller");
+/**
+ * Wall-clock cap on the per-account `pollSince` paging loop. Matches the
+ * NotionPoller tick cap. Without it, a half-dead connection (typical after
+ * machine sleep kills the TCP socket but the server never RSTs) hangs the
+ * account's poll forever — the tick-level `inFlight` flag then blocks every
+ * subsequent tick for ALL accounts until daemon restart. The aborted call
+ * leaks per the {@link raceWithAbort} contract; the transport's own timeout
+ * eventually reaps it.
+ */
+const ACCOUNT_POLL_TIMEOUT_MS = 4 * 60 * 1000;
+/**
+ * Wall-clock cap on `startIdle` (connect + mailboxOpen round-trips). Shorter
+ * than the poll cap — IDLE setup is two cheap round-trips; if they don't
+ * complete in a minute the socket is dead and the next tick should retry
+ * with a fresh connection.
+ */
+const IDLE_START_TIMEOUT_MS = 60 * 1000;
 /**
  * Unified mail poller (§3.4). Iterates over `registry.listActiveAccounts()`
  * and calls `provider.pollSince()` per account, recording one aggregated
@@ -187,6 +205,19 @@ export class MailPoller {
         const provider = await this.registry.getProvider(account.id);
         if (!provider || !hasIdleSupport(provider))
             return;
+        const aborter = new AbortController();
+        const timer = setTimeout(() => {
+            aborter.abort(new Error(`mail_idle_start_timeout:${account.id}:${IDLE_START_TIMEOUT_MS}ms`));
+        }, IDLE_START_TIMEOUT_MS);
+        timer.unref?.();
+        try {
+            await raceWithAbort(this.startIdleForAccount(account, provider), aborter.signal);
+        }
+        finally {
+            clearTimeout(timer);
+        }
+    }
+    async startIdleForAccount(account, provider) {
         await provider.startIdle({
             onDirty: () => {
                 // INTEGRATION_NATIVE_MODE_DESIGN.md §6.2 — the tick-level filter
@@ -335,9 +366,14 @@ export class MailPoller {
         // are immediately available; we walk them in this same tick (§3.4).
         let pages = 0;
         const maxPages = 5;
+        const aborter = new AbortController();
+        const timer = setTimeout(() => {
+            aborter.abort(new Error(`mail_poll_timeout:${account.id}:${ACCOUNT_POLL_TIMEOUT_MS}ms`));
+        }, ACCOUNT_POLL_TIMEOUT_MS);
+        timer.unref?.();
         try {
             while (!drained && pages < maxPages) {
-                const result = await provider.pollSince(cursor, this.maxMessagesPerPoll);
+                const result = await raceWithAbort(provider.pollSince(cursor, this.maxMessagesPerPoll), aborter.signal);
                 cursor = result.nextCursor;
                 drained = result.drained;
                 aggregated = aggregated.concat(result.messages);
@@ -353,6 +389,9 @@ export class MailPoller {
             });
             return;
         }
+        finally {
+            clearTimeout(timer);
+        }
         this.registry.recordPollTick(account.id, { success: true });
         // Forget prior re-consent DM cadence so a future failure can DM immediately
         // instead of silently waiting out `mailAuthFailureRetryHours` (§V3).
@@ -405,7 +444,7 @@ export class MailPoller {
         // Observe only what actually landed in local state. If upsert failed,
         // `mail_messages_index` has no row for the provider's reported
         // `userMessages` — emitting the observation anyway would tell the
-        // hourly-check signal compute (and downstream skill flows) that N new
+        // activity-scan signal compute (and downstream skill flows) that N new
         // mails exist, and the agent would then query the index and find
         // zero. Worse: when the next tick retries the upsert successfully it
         // emits a second observation, double-counting the same batch. Gate
@@ -420,7 +459,7 @@ export class MailPoller {
                 ref: `${account.id}-${Date.now()}`,
                 changeType: "created",
                 // External-sender mail is owner-relevant signal, not internal-system
-                // bookkeeping. The hourly-check threshold gate, the silent-gate
+                // bookkeeping. The activity-scan threshold gate, the silent-gate
                 // consumption path, and the `observations` skill all filter to
                 // `actor='user'` (see dispatcher.ts:1540, 1832 + skills/observations
                 // SKILL.md). Marking this `system` would invisibly excise mail from

package/dist/observers/observation-summarizer/summarizer-client.d.ts

@@ -3,10 +3,10 @@
  *
  * Today only Claude (Anthropic Messages API) is implemented. Codex and
  * Gemini fall back to `unsupported` — the worker translates that into a
- * `summary_status='skipped'` row so the hourly_check skill drops back to
+ * `summary_status='skipped'` row so the activity_scan skill drops back to
  * the legacy fetch-on-doubt pattern. This keeps the summarizer optional
  * — non-Claude operators don't pay for it but also don't get the
- * downstream hourly_check savings until per-backend support lands.
+ * downstream activity_scan savings until per-backend support lands.
  *
  * The client deliberately avoids the agent SDK's session machinery: a
  * one-shot summarizer with no tools doesn't need workdir + skills + MCP

package/dist/observers/observation-summarizer/summarizer-client.js

@@ -3,10 +3,10 @@
  *
  * Today only Claude (Anthropic Messages API) is implemented. Codex and
  * Gemini fall back to `unsupported` — the worker translates that into a
- * `summary_status='skipped'` row so the hourly_check skill drops back to
+ * `summary_status='skipped'` row so the activity_scan skill drops back to
  * the legacy fetch-on-doubt pattern. This keeps the summarizer optional
  * — non-Claude operators don't pay for it but also don't get the
- * downstream hourly_check savings until per-backend support lands.
+ * downstream activity_scan savings until per-backend support lands.
  *
  * The client deliberately avoids the agent SDK's session machinery: a
  * one-shot summarizer with no tools doesn't need workdir + skills + MCP

package/dist/observers/observation-summarizer/worker.d.ts

@@ -18,7 +18,7 @@
  *
  * Backpressure: when the queue depth exceeds `queueDepthLimit` the
  * worker drops new arrivals to `summary_status='skipped'` directly,
- * skipping the LLM call. The hourly_check skill falls back to legacy
+ * skipping the LLM call. The activity_scan skill falls back to legacy
  * fetch-on-doubt for those rows.
  */
 import type Database from "better-sqlite3";
@@ -77,7 +77,7 @@ export declare class ObservationSummarizerWorker implements Observer {
      * Public entry — invoked by the recordObservation hook. Drops new
      * arrivals to `summary_status='skipped'` directly when the in-memory
      * queue is over capacity. The DB row's `summary_status` reflects the
-     * actual state so hourly_check can route accordingly.
+     * actual state so activity_scan can route accordingly.
      *
      * `bypassBackpressure` is reserved for the startup reclaim sweep where
      * the rows are already in DB-pending state — applying backpressure

package/dist/observers/observation-summarizer/worker.js

@@ -18,7 +18,7 @@
  *
  * Backpressure: when the queue depth exceeds `queueDepthLimit` the
  * worker drops new arrivals to `summary_status='skipped'` directly,
- * skipping the LLM call. The hourly_check skill falls back to legacy
+ * skipping the LLM call. The activity_scan skill falls back to legacy
  * fetch-on-doubt for those rows.
  */
 import { getObservationForSummarization, listObservationsAwaitingSummary, setObservationEnqueueHook, updateObservationSummary, } from "../../db/observations.js";
@@ -117,7 +117,7 @@ export class ObservationSummarizerWorker {
      * Public entry — invoked by the recordObservation hook. Drops new
      * arrivals to `summary_status='skipped'` directly when the in-memory
      * queue is over capacity. The DB row's `summary_status` reflects the
-     * actual state so hourly_check can route accordingly.
+     * actual state so activity_scan can route accordingly.
      *
      * `bypassBackpressure` is reserved for the startup reclaim sweep where
      * the rows are already in DB-pending state — applying backpressure
@@ -229,7 +229,7 @@ export class ObservationSummarizerWorker {
         const result = await this.callLlm(prompt);
         if (!result.ok) {
             // auth_missing is a user-config issue, not a per-row failure. Mark
-            // the row 'skipped' so the hourly_check fallback path picks it up
+            // the row 'skipped' so the activity_scan fallback path picks it up
             // (same posture as `unsupported_backend`) and warn at most once
             // per cooldown window so a missing ANTHROPIC_API_KEY does not spam
             // the log with one entry per pending observation.
@@ -241,7 +241,7 @@ export class ObservationSummarizerWorker {
                         backend: this.client.backendId,
                         model: this.client.modelId,
                         cooldownMs: ObservationSummarizerWorker.AUTH_MISSING_WARN_COOLDOWN_MS,
-                        hint: "Set ANTHROPIC_API_KEY in env or store it via the dashboard. Pending rows are being marked 'skipped' and the hourly_check fallback path will read them directly.",
+                        hint: "Set ANTHROPIC_API_KEY in env or store it via the dashboard. Pending rows are being marked 'skipped' and the activity_scan fallback path will read them directly.",
                     }, "Summarizer LLM auth missing — falling back to skip, future warnings suppressed within cooldown");
                 }
                 this.persist(row.id, { status: "skipped", summaryText: null, novelty: null });

package/dist/observers/obsidian-watcher.d.ts

@@ -33,7 +33,7 @@ export interface ObsidianWatcherOptions {
  * **Agent-write suppression**: `AgentWriteTracker` pre-marks files the
  * agent writes via `/api/context/*`. When a watcher fires for one of
  * those, we silently drop the observation instead of recording it with
- * `actor='agent'`. Downstream consumers (hourly-check skill) already
+ * `actor='agent'`. Downstream consumers (activity-scan skill) already
  * filter by `actor='user'`, so an agent row has no consumer; leaving it
  * out of the table entirely prevents unbounded growth from the agent's
  * own write traffic.

package/dist/observers/obsidian-watcher.js

@@ -21,7 +21,7 @@ const DIFF_PREVIEW_CAP = 2000;
  * **Agent-write suppression**: `AgentWriteTracker` pre-marks files the
  * agent writes via `/api/context/*`. When a watcher fires for one of
  * those, we silently drop the observation instead of recording it with
- * `actor='agent'`. Downstream consumers (hourly-check skill) already
+ * `actor='agent'`. Downstream consumers (activity-scan skill) already
  * filter by `actor='user'`, so an agent row has no consumer; leaving it
  * out of the table entirely prevents unbounded growth from the agent's
  * own write traffic.

package/dist/safety/agent-write-tracker.d.ts

@@ -2,7 +2,7 @@
  * AgentWriteTracker — short-lived, in-memory record of paths the agent is
  * currently writing via the daemon API. Observers consult it to classify
  * file-change events as `actor='agent'` vs `actor='user'`, which gives the
- * hourly-check dispatcher a way to ignore its own writes.
+ * activity-scan dispatcher a way to ignore its own writes.
  *
  * Two marking modes:
  *  1. **Content-hash mode** — caller passes the exact bytes they wrote.
@@ -26,7 +26,7 @@
  * polled sources (Notion, Calendar) whose observation lag is measured in
  * minutes, the caller MUST pass `opts.ttlMs` large enough to outlive the
  * poll cadence — otherwise every agent write is seen as a fresh user
- * edit and the hourly_check can loop on its own output.
+ * edit and the activity_scan can loop on its own output.
  */
 export declare class AgentWriteTracker {
     private readonly ttlMs;
@@ -34,7 +34,7 @@ export declare class AgentWriteTracker {
     /**
      * Parallel commit-tracking map keyed by `<repoPath>::<sha-lower>`. Used by
      * `GitWatcher` to flip observations of agent-originated commits from
-     * `actor='user'` / `'unknown'` to `actor='agent'` so the hourly_check
+     * `actor='user'` / `'unknown'` to `actor='agent'` so the activity_scan
      * pending-floor does not count the daemon's own commits as user
      * activity (C1).
      */
@@ -64,7 +64,7 @@ export declare class AgentWriteTracker {
      * Register a git SHA the daemon just committed in `repoPath`. The next
      * `GitWatcher` observation of that SHA is flipped from `actor='user'` /
      * `'unknown'` to `actor='agent'` via `isAgentCommit`, which keeps the
-     * hourly_check pending-floor from counting the daemon's own commits as
+     * activity_scan pending-floor from counting the daemon's own commits as
      * user activity (the loop bug described in C1).
      *
      * Production callers pass the full 40-char SHA from `git rev-parse HEAD`.

package/dist/safety/agent-write-tracker.js

@@ -13,7 +13,7 @@ const DEFAULT_COMMIT_TTL_MS = 15 * 60_000;
  * AgentWriteTracker — short-lived, in-memory record of paths the agent is
  * currently writing via the daemon API. Observers consult it to classify
  * file-change events as `actor='agent'` vs `actor='user'`, which gives the
- * hourly-check dispatcher a way to ignore its own writes.
+ * activity-scan dispatcher a way to ignore its own writes.
  *
  * Two marking modes:
  *  1. **Content-hash mode** — caller passes the exact bytes they wrote.
@@ -37,7 +37,7 @@ const DEFAULT_COMMIT_TTL_MS = 15 * 60_000;
  * polled sources (Notion, Calendar) whose observation lag is measured in
  * minutes, the caller MUST pass `opts.ttlMs` large enough to outlive the
  * poll cadence — otherwise every agent write is seen as a fresh user
- * edit and the hourly_check can loop on its own output.
+ * edit and the activity_scan can loop on its own output.
  */
 export class AgentWriteTracker {
     ttlMs;
@@ -45,7 +45,7 @@ export class AgentWriteTracker {
     /**
      * Parallel commit-tracking map keyed by `<repoPath>::<sha-lower>`. Used by
      * `GitWatcher` to flip observations of agent-originated commits from
-     * `actor='user'` / `'unknown'` to `actor='agent'` so the hourly_check
+     * `actor='user'` / `'unknown'` to `actor='agent'` so the activity_scan
      * pending-floor does not count the daemon's own commits as user
      * activity (C1).
      */
@@ -114,7 +114,7 @@ export class AgentWriteTracker {
      * Register a git SHA the daemon just committed in `repoPath`. The next
      * `GitWatcher` observation of that SHA is flipped from `actor='user'` /
      * `'unknown'` to `actor='agent'` via `isAgentCommit`, which keeps the
-     * hourly_check pending-floor from counting the daemon's own commits as
+     * activity_scan pending-floor from counting the daemon's own commits as
      * user activity (the loop bug described in C1).
      *
      * Production callers pass the full 40-char SHA from `git rev-parse HEAD`.

package/dist/safety/audit.d.ts

@@ -58,6 +58,20 @@ export declare class AuditLogger implements IAuditLogger {
         trigger: "reactive" | "autonomous";
         backend?: AgentResult["backendId"];
         costSource?: AgentResult["costSource"];
+        /**
+         * Terminal result override (default `"success"`). `"partial"` records a
+         * session that ended cleanly but failed a post-run outcome check
+         * (RESEARCH_CLUSTER_COST_FIX_PLAN F5). `"partial"` is a legal
+         * `agent_actions.result` value (schema CHECK). Hard errors use
+         * `logError` instead.
+         */
+        result?: "success" | "partial";
+        /**
+         * Outcome-failure marker written to `agent_actions.error` when paired
+         * with `result:"partial"` (F5: `'journal_write_missing'`). Omitted on a
+         * plain success so the column stays NULL (legacy row shape).
+         */
+        error?: string;
         contextUpdated?: boolean;
         advisorCallCount?: number;
         /**
@@ -113,7 +127,15 @@ export declare class AuditLogger implements IAuditLogger {
         modelId?: string;
     }): number;
     private findInProgressRowId;
-    logSkip(event: Event, reason: string, trigger: "reactive" | "autonomous"): void;
+    logSkip(event: Event, reason: string, trigger: "reactive" | "autonomous", 
+    /**
+     * Optional structured context persisted to the `detail` JSON column.
+     * Used by the N2 spawn gates (`detail.spawnGate` — per-backend
+     * offline/auth verdicts) and the N3 pre-pass plan-assembly drop rows
+     * (`detail.prePass.skipReason`) so skip telemetry is queryable
+     * without parsing the `error` string. PREPASS_COST_REDUCTION_PLAN.md.
+     */
+    detail?: Record<string, unknown>): void;
     /**
      * Chat-attachments Phase 1 — log a successful upload (inbound or outbound)
      * to `agent_actions`. Shares the `agent_actions` table with agent-turn
@@ -143,10 +165,12 @@ export declare class AuditLogger implements IAuditLogger {
      * hit `max_budget_usd` because the row was written with no
      * timing/backend/model info.
      *
-     * Tokens / cost / num_turns are intentionally NOT passed: an aborted
-     * SDK stream doesn't surface a usable AgentResult, so any value here
-     * would be a guess. duration_ms + backend + failure shape are
-     * recoverable and that's what we record.
+     * Tokens / cost / num_turns are passed ONLY when the caller holds a
+     * real recovered spend figure (PREPASS_COST_REDUCTION_PLAN.md N1 —
+     * post-hoc budget kills, partial stream aborts). Callers without one
+     * must omit them: a fabricated value here would corrupt the cost
+     * dials. duration_ms + backend + failure shape are always
+     * recoverable and that's the baseline record.
      */
     context?: {
         durationMs?: number;
@@ -154,6 +178,20 @@ export declare class AuditLogger implements IAuditLogger {
         modelId?: string;
         failureKind?: string;
         failureCode?: string;
+        /**
+         * PREPASS_COST_REDUCTION_PLAN.md N1 — recovered spend for a failed
+         * turn the provider already billed. Pass ONLY a real recovered
+         * figure (BackendQuotaSpend / partial-usage snapshot), never a
+         * guess — the historical contract that failure rows carry no
+         * fabricated cost still holds for callers without one.
+         */
+        costUsd?: number;
+        costSource?: string;
+        tokensInput?: number;
+        tokensOutput?: number;
+        tokensCacheCreation?: number;
+        tokensCacheRead?: number;
+        numTurns?: number;
         /**
          * Pre-pass fan-out failure block. Mirrors the `prePass` payload on
          * `logAction` so `MetricsCollector.collectPrePassMetrics` can see

package/dist/safety/audit.js

@@ -52,7 +52,7 @@ export class AuditLogger {
         this.agentIdResolver = resolver;
     }
     logAction(params) {
-        const { event, model, costUsd, usage, modelUsage, durationMs, numTurns, trigger, backend, costSource, contextUpdated = false, advisorCallCount = 0, dmFreshness, prePass, dailyWrite, } = params;
+        const { event, model, costUsd, usage, modelUsage, durationMs, numTurns, trigger, backend, costSource, result = "success", error, contextUpdated = false, advisorCallCount = 0, dmFreshness, prePass, dailyWrite, } = params;
         try {
             const modelUsageJson = Object.keys(modelUsage).length > 0
                 ? JSON.stringify(modelUsage)
@@ -81,7 +81,7 @@ export class AuditLogger {
                 usage.outputTokens,
                 durationMs,
                 numTurns,
-                "success",
+                result,
             ];
             if (this.hasCacheCreationTokensColumn) {
                 columns.splice(7, 0, "cache_creation_tokens");
@@ -137,6 +137,16 @@ export class AuditLogger {
                 columns.splice(columns.length - 2, 0, "agent_id");
                 values.splice(values.length, 0, resolvedAgentId);
             }
+            // RESEARCH_CLUSTER_COST_FIX_PLAN F5 — persist the outcome-failure
+            // marker for a run downgraded to `result:"partial"`. Spliced like
+            // every other optional column (at `columns.length - 2`, appended to
+            // `values`) so the lockstep invariant the in_progress UPSERT loop
+            // relies on (`columns.length - 2 === values.length`) holds. A plain
+            // success omits it, leaving the column NULL (legacy row shape).
+            if (error !== undefined) {
+                columns.splice(columns.length - 2, 0, "error");
+                values.splice(values.length, 0, error);
+            }
             const detailPayload = {};
             // STAGE-C-DM-FRESHNESS-PLAN §Task 4 — persist DM freshness telemetry
             // into `detail`. Inserted only when supplied so non-DM rows stay
@@ -330,7 +340,15 @@ export class AuditLogger {
             return null;
         }
     }
-    logSkip(event, reason, trigger) {
+    logSkip(event, reason, trigger, 
+    /**
+     * Optional structured context persisted to the `detail` JSON column.
+     * Used by the N2 spawn gates (`detail.spawnGate` — per-backend
+     * offline/auth verdicts) and the N3 pre-pass plan-assembly drop rows
+     * (`detail.prePass.skipReason`) so skip telemetry is queryable
+     * without parsing the `error` string. PREPASS_COST_REDUCTION_PLAN.md.
+     */
+    detail) {
         try {
             // AGENT_DEFINITIONS_DESIGN.md §8.1 — stamp the owning Agent when the
             // in-flight firing resolved to one (e.g. a review routine skipped by the
@@ -338,17 +356,28 @@ export class AuditLogger {
             // skips (setup-mode / cost-cap) resolve to NULL — no execution context
             // exists yet — which is the legacy row shape.
             const resolvedAgentId = this.agentIdResolver?.(event) ?? null;
-            const insertResult = resolvedAgentId !== null
-                ? this.db
-                    .prepare(`INSERT INTO agent_actions
-               (event_id, action_type, trigger, result, error, agent_id, started_at)
-               VALUES (?, ?, ?, 'skipped', ?, ?, datetime('now'))`)
-                    .run(event.correlationId, event.type, trigger, reason, resolvedAgentId)
-                : this.db
-                    .prepare(`INSERT INTO agent_actions
-               (event_id, action_type, trigger, result, error, started_at)
-               VALUES (?, ?, ?, 'skipped', ?, datetime('now'))`)
-                    .run(event.correlationId, event.type, trigger, reason);
+            const columns = ["event_id", "action_type", "trigger", "result", "error"];
+            const values = [
+                event.correlationId,
+                event.type,
+                trigger,
+                "skipped",
+                reason,
+            ];
+            if (resolvedAgentId !== null) {
+                columns.push("agent_id");
+                values.push(resolvedAgentId);
+            }
+            if (detail !== undefined) {
+                columns.push("detail");
+                values.push(JSON.stringify(detail));
+            }
+            const placeholders = columns.map(() => "?").join(", ");
+            const insertResult = this.db
+                .prepare(`INSERT INTO agent_actions
+             (${columns.join(", ")}, started_at)
+           VALUES (${placeholders}, datetime('now'))`)
+                .run(...values);
             this.emitInsertedRow(Number(insertResult.lastInsertRowid), event.type);
         }
         catch (err) {
@@ -416,10 +445,12 @@ export class AuditLogger {
      * hit `max_budget_usd` because the row was written with no
      * timing/backend/model info.
      *
-     * Tokens / cost / num_turns are intentionally NOT passed: an aborted
-     * SDK stream doesn't surface a usable AgentResult, so any value here
-     * would be a guess. duration_ms + backend + failure shape are
-     * recoverable and that's what we record.
+     * Tokens / cost / num_turns are passed ONLY when the caller holds a
+     * real recovered spend figure (PREPASS_COST_REDUCTION_PLAN.md N1 —
+     * post-hoc budget kills, partial stream aborts). Callers without one
+     * must omit them: a fabricated value here would corrupt the cost
+     * dials. duration_ms + backend + failure shape are always
+     * recoverable and that's the baseline record.
      */
     context) {
         try {
@@ -464,6 +495,43 @@ export class AuditLogger {
                 columns.splice(columns.length - 2, 0, "backend");
                 values.splice(values.length, 0, context.backendId);
             }
+            // PREPASS_COST_REDUCTION_PLAN.md N1 — recovered spend for a failed
+            // turn the provider already billed (post-hoc budget kill, partial
+            // stream abort, timeout-with-usage). Only callers that hold a real
+            // recovered figure pass these; the historical "no guessed values"
+            // contract still applies to everyone else.
+            if (typeof context?.costUsd === "number" && context.costUsd >= 0) {
+                columns.splice(columns.length - 2, 0, "cost_usd");
+                values.splice(values.length, 0, context.costUsd);
+            }
+            if (this.hasCostSourceColumn && context?.costSource) {
+                columns.splice(columns.length - 2, 0, "cost_source");
+                values.splice(values.length, 0, context.costSource);
+            }
+            if (typeof context?.tokensInput === "number" && context.tokensInput >= 0) {
+                columns.splice(columns.length - 2, 0, "tokens_input");
+                values.splice(values.length, 0, context.tokensInput);
+            }
+            if (typeof context?.tokensOutput === "number" && context.tokensOutput >= 0) {
+                columns.splice(columns.length - 2, 0, "tokens_output");
+                values.splice(values.length, 0, context.tokensOutput);
+            }
+            if (this.hasCacheCreationTokensColumn
+                && typeof context?.tokensCacheCreation === "number"
+                && context.tokensCacheCreation >= 0) {
+                columns.splice(columns.length - 2, 0, "cache_creation_tokens");
+                values.splice(values.length, 0, context.tokensCacheCreation);
+            }
+            if (this.hasCacheReadTokensColumn
+                && typeof context?.tokensCacheRead === "number"
+                && context.tokensCacheRead >= 0) {
+                columns.splice(columns.length - 2, 0, "cache_read_tokens");
+                values.splice(values.length, 0, context.tokensCacheRead);
+            }
+            if (typeof context?.numTurns === "number" && context.numTurns > 0) {
+                columns.splice(columns.length - 2, 0, "num_turns");
+                values.splice(values.length, 0, context.numTurns);
+            }
             // AGENT_DEFINITIONS_DESIGN.md §8.1 — stamp the owning Agent when the
             // in-flight firing resolved to one, so a FAILED routine's audit row is
             // attributable to its Agent (the same resolver `logAction` uses). The

package/dist/safety/risk-classifier.d.ts

@@ -62,6 +62,12 @@ export interface AuditableRoute {
     path: string;
 }
 export declare function auditRiskClassifications(routes: ReadonlyArray<AuditableRoute>): AuditableRoute[];
+/** Extract the path portion of an `API_RISK` key: `"METHOD /path"` → `/path`,
+ *  or a bare `"/path"` path-only key unchanged. Ranking must compare the path
+ *  segment alone — the leading `"METHOD "` token (3–6 chars) would otherwise
+ *  inflate a shorter, less-specific method-keyed prefix above a longer
+ *  path-only one. */
+export declare function keyPathOf(key: string): string;
 /**
  * Return every `/api/*` path that `API_RISK` classifies as
  * `RiskTier.ReadSensitive` for GET requests, with `{*}` placeholders

package/dist/safety/risk-classifier.js

@@ -285,6 +285,30 @@ const API_RISK = {
     "GET /api/browser-task/{*}/screenshots/{*}": RiskTier.ReadSensitive,
     "POST /api/browser-task/{*}/clarify": RiskTier.Autonomous,
     "POST /api/browser-task/{*}/cancel": RiskTier.Autonomous,
+    // ── Background Task (BACKGROUND_TASK_RUNNER_DESIGN.md §7) ──
+    // Generic detached long-task surface, cloned from browser-task and
+    // classified to the same posture. The only production callers are the
+    // DM-agent `background-task` / `background-task-reply` skills and the
+    // morning-briefing session, whose curl shim carries `x-read-token`
+    // (sufficient for ReadSensitive, never enough for Approve). The same
+    // loopback / sec-fetch / channel-attestation defenses as browser-task
+    // apply, and every dispatched task surfaces to the user via DM — no
+    // covert dispatch path.
+    //   - POST (spawn) + clarify + cancel are Autonomous, matching the
+    //     sibling agent-driven write paths (design §7: "same posture as
+    //     /api/browser-task").
+    //   - The list + detail reads stay ReadSensitive (NOT Autonomous):
+    //     the artifact (`report` / `brief` / `draft` / `significance`)
+    //     carries personal research / audit content, exactly the reason
+    //     browser-task's reads are ReadSensitive. Reachable from the agent
+    //     sessions that need them because their curl carries the read
+    //     token (cf. GET /api/observations, also ReadSensitive, which the
+    //     briefing already calls).
+    "POST /api/background-task": RiskTier.Autonomous,
+    "GET /api/background-task": RiskTier.ReadSensitive,
+    "GET /api/background-task/{*}": RiskTier.ReadSensitive,
+    "POST /api/background-task/{*}/clarify": RiskTier.Autonomous,
+    "POST /api/background-task/{*}/cancel": RiskTier.Autonomous,
     "/api/setup": RiskTier.Approve,
     "POST /api/setup/redetect-browsers": RiskTier.Approve,
     // Management Mode Phase 2 — migration endpoint. Redundant with the
@@ -457,6 +481,16 @@ const API_RISK = {
     // (FEEDBACK_LEARNING_LOOP_DESIGN.md §9 Phase 5). Summarises cap utilisation
     // only — lesson prose was redaction-scrubbed at capture — so Autonomous.
     "GET /api/feedback/lessons": RiskTier.Autonomous,
+    // Self-tuning verdict endpoint (SELF_TUNING_REVIEW_CYCLE_DESIGN.md §3.4).
+    // Autonomous + (Phase 3) mandatory owner DM on apply — the exact pattern
+    // that replaced the abolished Notify tier; requiring the Approve bearer
+    // would put a human back in every loop iteration and defeat the design.
+    // Safety is carried by code, not tier: verdicts may only reference
+    // daemon-generated single-use recommendation ids from the current cycle,
+    // the handler is idempotent per id, and Phase 2 never actuates (shadow).
+    "POST /api/tuning/verdicts": RiskTier.Autonomous,
+    // Pending-cycle read — knob names + telemetry counts only, no user prose.
+    "GET /api/tuning/pending": RiskTier.Autonomous,
     // ── Notification ──
     "/api/notify": RiskTier.Autonomous,
     // ── External Service Proxy ──
@@ -668,7 +702,7 @@ const API_RISK = {
     "PATCH /api/delegated-sync/active-hours": RiskTier.Approve,
     "POST /api/delegated-sync/cadences/": RiskTier.Approve,
     // INTEGRATION-DRIFT-DETECTION-PLAN.md §6.0 — drift-detection chokepoint.
-    // Autonomous: the agent's hourly_check delegated variant POSTs the
+    // Autonomous: the agent's activity_scan delegated variant POSTs the
     // result of its connector fetch to compute a structural diff. Defense
     // layers (window-key allowlist + per-call audit row) live inside the
     // handler. Daemon-internal callers (CalendarPoller, DelegatedSyncWorker)
@@ -893,9 +927,14 @@ export function findExplicitRiskClassification(method, path) {
         /* c8 ignore stop */
         if (keyMethod && keyMethod !== method)
             return false;
-        return path.startsWith(keyPath);
+        return pathPrefixMatches(keyPath, path);
     })
-        .sort((a, b) => b[0].length - a[0].length);
+        // Rank by matched path-prefix length so the most-specific prefix wins.
+        // Must compare the path segment, NOT the raw key: the `"METHOD "` token
+        // would otherwise lift a shorter, less-specific method-keyed prefix
+        // (e.g. `DELETE /api/git`) above a longer path-only one (`/api/github`),
+        // silently downgrading the tier. Mirrors the step-3 pattern tiebreaker.
+        .sort((a, b) => keyPathOf(b[0]).length - keyPathOf(a[0]).length);
     if (candidates.length > 0)
         return candidates[0][1];
     return null;
@@ -975,16 +1014,41 @@ function matchesPattern(keyPath, actualPath) {
     }
     return true;
 }
-/** Count characters before the first `{*}` (or whole length if none) —
- *  used to rank pattern candidates by specificity. Defensive against future
- *  overlapping `{*}` keys: today no two `{*}` entries in `API_RISK` match
- *  the same `(method, path)` pair, so the sort comparator never invokes
- *  this helper. The function exists so the first overlapping pair added
- *  picks the more specific entry instead of relying on iteration order. */
+/** Extract the path portion of an `API_RISK` key: `"METHOD /path"` → `/path`,
+ *  or a bare `"/path"` path-only key unchanged. Ranking must compare the path
+ *  segment alone — the leading `"METHOD "` token (3–6 chars) would otherwise
+ *  inflate a shorter, less-specific method-keyed prefix above a longer
+ *  path-only one. */
+export function keyPathOf(key) {
+    return key.includes(" ") ? key.split(" ")[1] : key;
+}
+/** Segment-aware prefix test for step-4 (non-`{*}`) keys. A raw
+ *  `path.startsWith(keyPath)` matches a *string* prefix, so `/api/git`
+ *  would spuriously match the unrelated sibling `/api/git-accounts` (and,
+ *  worse, an unclassified future `/api/git-webhook` — silently inheriting
+ *  the sibling's tier instead of failing closed to Approve). A key that
+ *  ends in `/` is an explicit subtree catch-all, so a raw `startsWith` is
+ *  already the boundary; otherwise the match must be a strict
+ *  `/`-delimited descendant. Exact `path === keyPath` is pre-empted by the
+ *  step-1/step-2 exact lookups, so step 4 only ever matches descendants.
+ *  Mirrors the segment discipline of `matchesPattern` (step 3). */
+function pathPrefixMatches(keyPath, path) {
+    if (keyPath.endsWith("/"))
+        return path.startsWith(keyPath);
+    return path.startsWith(keyPath + "/");
+}
+/** Count characters of the path prefix before the first `{*}` (or the whole
+ *  path length if none) — used to rank pattern candidates by specificity.
+ *  Defensive against future overlapping `{*}` keys: today no two `{*}` entries
+ *  in `API_RISK` match the same `(method, path)` pair, so the sort comparator
+ *  never invokes this helper. The function exists so the first overlapping
+ *  pair added picks the more specific entry instead of relying on iteration
+ *  order. */
 /* c8 ignore start */
 function literalPrefixLength(key) {
-    const idx = key.indexOf("{*}");
-    return idx < 0 ? key.length : idx;
+    const keyPath = keyPathOf(key);
+    const idx = keyPath.indexOf("{*}");
+    return idx < 0 ? keyPath.length : idx;
 }
 /* c8 ignore stop */
 /** Strip a trailing `{*}` placeholder from `path` so callers can