@aitne/daemon 0.1.9 → 0.1.11

package/dist/api/routes/dashboard/cost-approvals.js

@@ -143,6 +143,10 @@ export function aggregateByBilledModel(rows) {
         .map(([model, v]) => ({ model, ...v }))
         .sort((a, b) => b.total_cost - a.total_cost);
 }
+// Today's spend-driver list is intentionally capped: beyond the top 15 the
+// rows are long-tail noise (the by-process panel covers aggregate share),
+// and an uncapped list would grow unbounded on chatty days.
+const TODAY_TOP_ACTIONS_LIMIT = 15;
 // `bucketExpr` takes a single shift-modifier parameter (e.g. "+300 minutes")
 // so each query binds it explicitly — see COST_QUERIES for the rationale.
 const COST_PERIOD_SPECS = {
@@ -211,6 +215,61 @@ export function registerCostApprovalsRoutes(app, deps) {
          WHERE datetime(started_at) >= ? AND datetime(started_at) < ?
            AND cost_usd IS NOT NULL`)
             .get(bounds.start, bounds.end);
+        // ── Today's spend drivers ──
+        // All scoped to the same agent-day bounds as the Today card so the
+        // numbers reconcile: Σ byEventType.total_cost === today.costUsd.
+        // The windowed byEventType above answers "what cost money this month";
+        // these answer "what is costing money *right now*" — the question the
+        // owner asks when the Today card looks unexpectedly high.
+        const todayTopActions = db
+            .prepare(`SELECT id, event_id, action_type, trigger, model_used, model_usage_json, cost_usd,
+                tokens_input, tokens_output,
+                cache_creation_tokens, cache_read_tokens,
+                duration_ms, num_turns,
+                result, detail, started_at, completed_at, error
+           FROM agent_actions
+          WHERE datetime(started_at) >= ? AND datetime(started_at) < ?
+            AND cost_usd IS NOT NULL AND cost_usd > 0
+          ORDER BY cost_usd DESC, datetime(started_at) DESC
+          LIMIT ${TODAY_TOP_ACTIONS_LIMIT}`)
+            .all(bounds.start, bounds.end);
+        const todayByEventType = db
+            .prepare(`SELECT action_type as event_type,
+                SUM(cost_usd) as total_cost,
+                COUNT(*) as session_count
+           FROM agent_actions
+          WHERE datetime(started_at) >= ? AND datetime(started_at) < ?
+            AND cost_usd IS NOT NULL
+          GROUP BY action_type
+          ORDER BY total_cost DESC`)
+            .all(bounds.start, bounds.end);
+        const todayByTrigger = db
+            .prepare(`SELECT COALESCE(trigger, 'unknown') as trigger,
+                SUM(cost_usd) as total_cost,
+                COUNT(*) as session_count
+           FROM agent_actions
+          WHERE datetime(started_at) >= ? AND datetime(started_at) < ?
+            AND cost_usd IS NOT NULL
+          GROUP BY 1
+          ORDER BY total_cost DESC`)
+            .all(bounds.start, bounds.end);
+        const todayTokens = db
+            .prepare(`SELECT COALESCE(SUM(tokens_input), 0) as input,
+                COALESCE(SUM(tokens_output), 0) as output,
+                COALESCE(SUM(cache_read_tokens), 0) as cacheRead,
+                COALESCE(SUM(cache_creation_tokens), 0) as cacheCreation
+           FROM agent_actions
+          WHERE datetime(started_at) >= ? AND datetime(started_at) < ?
+            AND cost_usd IS NOT NULL`)
+            .get(bounds.start, bounds.end);
+        const todayFailed = db
+            .prepare(`SELECT COALESCE(SUM(cost_usd), 0) as cost,
+                COUNT(*) as sessions
+           FROM agent_actions
+          WHERE datetime(started_at) >= ? AND datetime(started_at) < ?
+            AND cost_usd IS NOT NULL
+            AND result = 'failed'`)
+            .get(bounds.start, bounds.end);
         return c.json({
             period,
             today: { costUsd: today.cost, sessions: today.sessions },
@@ -219,6 +278,13 @@ export function registerCostApprovalsRoutes(app, deps) {
             byEventType,
             byBackend,
             byBackendPeriod,
+            todayBreakdown: {
+                topActions: todayTopActions,
+                byEventType: todayByEventType,
+                byTrigger: todayByTrigger,
+                tokens: todayTokens,
+                failed: { costUsd: todayFailed.cost, sessions: todayFailed.sessions },
+            },
         });
     });
     // ── Approvals API ──

package/dist/api/routes/dashboard/notifications.js

@@ -11,28 +11,28 @@ function getLocalHourMinute(date, timeZone) {
     const minute = Number(parts.find((part) => part.type === "minute")?.value ?? "0");
     return { hour, minute };
 }
-function isHourlyCheckSlot(date, config) {
-    if (!config.hourlyCheckEnabled)
+function isActivityScanSlot(date, config) {
+    if (!config.activityScanEnabled)
         return false;
     const { hour, minute } = getLocalHourMinute(date, config.timezone || undefined);
     if (hour === config.dayBoundaryHour)
         return false;
-    if (hour < config.hourlyCheckActiveStartHour || hour >= config.hourlyCheckActiveEndHour) {
+    if (hour < config.activityScanActiveStartHour || hour >= config.activityScanActiveEndHour) {
         return false;
     }
-    return minute % config.hourlyCheckIntervalMinutes === 0;
+    return minute % config.activityScanIntervalMinutes === 0;
 }
-function getNextHourlyCheck(config) {
-    if (!config.hourlyCheckEnabled) {
+function getNextActivityScan(config) {
+    if (!config.activityScanEnabled) {
         return { active: false, nextRunAt: null };
     }
     const now = new Date();
-    const active = isHourlyCheckSlot(now, config);
+    const active = isActivityScanSlot(now, config);
     const start = new Date(now.getTime() + 60_000);
     start.setSeconds(0, 0);
     for (let offset = 0; offset < 48 * 60; offset++) {
         const candidate = new Date(start.getTime() + offset * 60_000);
-        if (isHourlyCheckSlot(candidate, config)) {
+        if (isActivityScanSlot(candidate, config)) {
             return { active, nextRunAt: candidate.toISOString() };
         }
     }
@@ -41,7 +41,7 @@ function getNextHourlyCheck(config) {
 export function registerNotificationsRoutes(app, deps) {
     const { db, config } = deps;
     app.get("/dashboard/next-check", (c) => {
-        return c.json(getNextHourlyCheck(config));
+        return c.json(getNextActivityScan(config));
     });
     // STAGE-C-DM-FRESHNESS-PLAN §Task 4 — DM freshness aggregate. Powered
     // by `agent_actions.detail.dm_freshness.*` rows the DM dispatch path

package/dist/api/routes/dashboard/oauth-google.js

@@ -168,8 +168,9 @@ export function registerOauthGoogleRoutes(app, deps) {
         catch {
             return c.json({ error: "googleapis package not installed" }, 500);
         }
-        // Use daemon's own port for the OAuth callback
-        const redirectUri = `http://localhost:${config.apiPort}/api/config/google-auth/callback`;
+        // Use daemon's own port for the OAuth callback.
+        // Use 127.0.0.1, not localhost: daemon binds IPv4 loopback only; on Windows localhost resolves to ::1 first and the callback would ECONNREFUSED. Google special-cases loopback redirects for installed-app clients.
+        const redirectUri = `http://127.0.0.1:${config.apiPort}/api/config/google-auth/callback`;
         const oauth2Client = new google.auth.OAuth2(clientConfig.client_id, clientConfig.client_secret, redirectUri);
         // Request scopes for Calendar + Gmail
         const scopes = [
@@ -255,7 +256,8 @@ export function registerOauthGoogleRoutes(app, deps) {
                 throw new Error("Invalid credentials");
             const mod = await import("googleapis");
             const google = mod.google;
-            const redirectUri = `http://localhost:${config.apiPort}/api/config/google-auth/callback`;
+            // Use 127.0.0.1, not localhost: must byte-match the auth-start redirect_uri (Google re-validates an exact string at getToken); daemon binds IPv4 loopback only, and on Windows localhost resolves to ::1 first.
+            const redirectUri = `http://127.0.0.1:${config.apiPort}/api/config/google-auth/callback`;
             const oauth2Client = new google.auth.OAuth2(clientConfig.client_id, clientConfig.client_secret, redirectUri);
             // Exchange authorization code for tokens
             const { tokens } = await oauth2Client.getToken(code);

package/dist/api/routes/feedback.d.ts

@@ -0,0 +1,3 @@
+import { Hono } from "hono";
+import type { ApiDependencies } from "../server.js";
+export declare function createFeedbackRoutes(deps: ApiDependencies): Hono;

package/dist/api/routes/feedback.js

@@ -0,0 +1,349 @@
+import { Hono } from "hono";
+import { existsSync, readdirSync, readFileSync, statSync } from "node:fs";
+import { join } from "node:path";
+import { redactSensitiveString } from "@aitne/shared";
+import { readJsonBody } from "../json-body.js";
+import { getAgent } from "../../db/agents-store.js";
+import { consumeFeedbackSignals, countPendingFeedbackSignals, findRecentFeedbackSignal, recordFeedbackSignal, } from "../../db/feedback-signals-store.js";
+import { getContextDir } from "../../config.js";
+import { CONTEXT_RELATIVE_PATHS, agentLessonsPath, } from "../../core/context-paths.js";
+import { GLOBAL_LESSON_ENTRY_CAP, PER_AGENT_LESSON_ENTRY_CAP, } from "../../core/feedback/consolidation-prep.js";
+import { summarizeLessonStore } from "../../core/feedback/lesson-store-overview.js";
+import { isSafeAgentSlug } from "../../core/feedback/scope-parser.js";
+import { createLogger } from "../../logging.js";
+const logger = createLogger("feedback-api");
+const DEDUP_TTL_SECONDS = 10 * 60;
+const MAX_SUMMARY_CHARS = 280;
+const MAX_SCOPE_REF_CHARS = 120;
+const MAX_ACTION_REF_CHARS = 160;
+const MAX_EVIDENCE_STRING_CHARS = 500;
+const ALLOWED_SOURCES = new Set([
+    "explicit",
+    "self_critique",
+]);
+const ALL_SOURCES = new Set([
+    "behavioral",
+    "explicit",
+    "self_critique",
+]);
+const VALENCES = new Set([
+    "positive",
+    "negative",
+    "neutral",
+    "correction",
+]);
+const API_SCOPE_TYPES = new Set([
+    "user",
+    "agent",
+    "agent_slug",
+]);
+const ACTION_KINDS = new Set([
+    "notification",
+    "agent_execution",
+    "vault_write",
+    "dm_reply",
+]);
+const KINDS = new Set([
+    "preference",
+    "correction",
+    "do-more",
+    "do-less",
+    "constraint",
+]);
+function isRecord(value) {
+    return value !== null && typeof value === "object" && !Array.isArray(value);
+}
+function truncate(value, maxChars) {
+    return value.length <= maxChars ? value : value.slice(0, maxChars);
+}
+function sanitizeString(value, maxChars = MAX_EVIDENCE_STRING_CHARS) {
+    return redactSensitiveString(truncate(value.replace(/[\u0000-\u001f\u007f]/g, " "), maxChars)).trim();
+}
+function sanitizeEvidence(value, depth = 0) {
+    if (depth > 4)
+        return "[truncated]";
+    if (typeof value === "string")
+        return sanitizeString(value);
+    if (typeof value === "number" || typeof value === "boolean" || value === null)
+        return value;
+    if (Array.isArray(value)) {
+        return value.slice(0, 20).map((entry) => sanitizeEvidence(entry, depth + 1));
+    }
+    if (!isRecord(value))
+        return null;
+    const out = {};
+    for (const [key, entry] of Object.entries(value).slice(0, 50)) {
+        out[sanitizeString(key, 80)] = sanitizeEvidence(entry, depth + 1);
+    }
+    return out;
+}
+function describeType(value) {
+    if (value === undefined)
+        return "missing";
+    if (value === null)
+        return "null";
+    if (Array.isArray(value))
+        return "array";
+    return typeof value;
+}
+function buildLessonStoreEntry(contextDir, scope, relPath, caps) {
+    const full = join(contextDir, relPath);
+    if (!existsSync(full)) {
+        return {
+            scope,
+            path: relPath,
+            exists: false,
+            lastModified: null,
+            bytes: 0,
+            capBytes: caps.capBytes,
+            entries: 0,
+            maxEntries: caps.maxEntries,
+            active: 0,
+            provisional: 0,
+            overCap: false,
+        };
+    }
+    const summary = summarizeLessonStore(readFileSync(full, "utf-8"), caps);
+    return {
+        scope,
+        path: relPath,
+        exists: true,
+        lastModified: statSync(full).mtime.toISOString(),
+        ...summary,
+    };
+}
+export function createFeedbackRoutes(deps) {
+    const app = new Hono();
+    const { db, config } = deps;
+    /**
+     * GET /feedback/lessons — read-only overview of the consolidated lesson
+     * stores for the dashboard "view/edit lessons and tune caps/threshold"
+     * surface (FEEDBACK_LEARNING_LOOP_DESIGN.md §9 Phase 5). Lists the global
+     * `agent` store (always, so its cap shows even before first write) plus every
+     * per-agent `agent:<slug>` store that exists on disk, each with cap-utilisation
+     * metrics. The file bodies are read/edited through the existing
+     * `GET/PUT /api/context/<path>` chokepoint — this endpoint only enumerates +
+     * summarises. `RiskTier.Autonomous` (read-only, no secrets — lesson prose was
+     * redaction-scrubbed at capture).
+     */
+    app.get("/feedback/lessons", (c) => {
+        const contextDir = getContextDir(config, db);
+        const globalCaps = {
+            capBytes: config.feedbackLessonMaxBytesGlobal,
+            maxEntries: GLOBAL_LESSON_ENTRY_CAP,
+        };
+        const perAgentCaps = {
+            capBytes: config.feedbackLessonMaxBytesPerAgent,
+            maxEntries: PER_AGENT_LESSON_ENTRY_CAP,
+        };
+        const stores = [
+            buildLessonStoreEntry(contextDir, "agent", CONTEXT_RELATIVE_PATHS.agentLessons, globalCaps),
+        ];
+        const agentsDir = join(contextDir, "policies", "agents");
+        if (existsSync(agentsDir)) {
+            const slugs = readdirSync(agentsDir, { withFileTypes: true })
+                .filter((entry) => entry.isDirectory() && isSafeAgentSlug(entry.name))
+                .map((entry) => entry.name)
+                .sort();
+            for (const slug of slugs) {
+                const rel = agentLessonsPath(slug);
+                if (!existsSync(join(contextDir, rel)))
+                    continue;
+                stores.push(buildLessonStoreEntry(contextDir, `agent:${slug}`, rel, perAgentCaps));
+            }
+        }
+        return c.json({
+            enabled: config.feedbackLearningEnabled !== false,
+            promotionThreshold: config.feedbackPromotionThreshold,
+            pendingSignals: countPendingFeedbackSignals(db),
+            stores,
+        });
+    });
+    app.post("/feedback", async (c) => {
+        // Master kill-switch (FEEDBACK_LEARNING_LOOP_DESIGN.md §7). When the loop is
+        // disabled the daemon-side behavioral sink already short-circuits
+        // (`SignalDetector`); mirror that here so explicit / self_critique captures
+        // from the always-included DM + review task-flows are dropped too. Otherwise
+        // unconsumed rows would accumulate unbounded — the nightly consolidation that
+        // would consume them is gated off, and the retention sweep only deletes
+        // already-consumed rows. Returns 200 so the calling turn neither errors nor
+        // retries. `config` is optional in some test harnesses → default-on.
+        if (config?.feedbackLearningEnabled === false) {
+            return c.json({ disabled: true });
+        }
+        const parsedBody = await readJsonBody(c);
+        if (!parsedBody.ok)
+            return parsedBody.response;
+        const body = parsedBody.body;
+        if (!isRecord(body)) {
+            return c.json({
+                error: "validation_error",
+                message: "Body must be a JSON object",
+            }, 400);
+        }
+        const issues = [];
+        const rawSource = body.source;
+        const source = typeof rawSource === "string" ? rawSource : "";
+        if (!ALL_SOURCES.has(source)) {
+            issues.push({
+                field: "source",
+                expected: "'explicit' | 'self_critique'",
+                got: describeType(rawSource),
+            });
+        }
+        else if (!ALLOWED_SOURCES.has(source)) {
+            issues.push({
+                field: "source",
+                expected: "'explicit' | 'self_critique'",
+                got: "'behavioral'",
+                hint: "Behavioral feedback is daemon-only and is written by SignalDetector.",
+            });
+        }
+        const summary = typeof body.summary === "string"
+            ? sanitizeString(body.summary, MAX_SUMMARY_CHARS)
+            : "";
+        if (summary.length === 0) {
+            issues.push({
+                field: "summary",
+                expected: "non-empty string",
+                got: describeType(body.summary),
+            });
+        }
+        const rawValence = body.valence;
+        const valence = typeof rawValence === "string" ? rawValence : null;
+        if (valence === null || !VALENCES.has(valence)) {
+            issues.push({
+                field: "valence",
+                expected: "'positive' | 'negative' | 'neutral' | 'correction'",
+                got: describeType(rawValence),
+            });
+        }
+        const rawKind = body.kind;
+        const kind = typeof rawKind === "string" ? rawKind : null;
+        if (kind !== null && !KINDS.has(kind)) {
+            issues.push({
+                field: "kind",
+                expected: "'preference' | 'correction' | 'do-more' | 'do-less' | 'constraint' (optional)",
+                got: kind,
+            });
+        }
+        const rawScopeType = body.scope_type;
+        const scopeType = typeof rawScopeType === "string" ? rawScopeType : "";
+        if (!API_SCOPE_TYPES.has(scopeType)) {
+            issues.push({
+                field: "scope_type",
+                expected: "'user' | 'agent' | 'agent_slug'",
+                got: describeType(rawScopeType),
+            });
+        }
+        const scopeRef = typeof body.scope_ref === "string"
+            ? sanitizeString(body.scope_ref, MAX_SCOPE_REF_CHARS)
+            : null;
+        let agentId = null;
+        if (scopeType === "agent_slug") {
+            if (!scopeRef) {
+                issues.push({
+                    field: "scope_ref",
+                    expected: "existing agent slug when scope_type='agent_slug'",
+                    got: describeType(body.scope_ref),
+                });
+            }
+            else if (!getAgent(db, scopeRef)) {
+                issues.push({
+                    field: "scope_ref",
+                    expected: "existing agent slug",
+                    got: scopeRef,
+                });
+            }
+            else {
+                agentId = scopeRef;
+            }
+        }
+        const rawActionKind = body.action_kind;
+        const actionKind = typeof rawActionKind === "string" ? rawActionKind : null;
+        if (actionKind !== null
+            && !ACTION_KINDS.has(actionKind)) {
+            issues.push({
+                field: "action_kind",
+                expected: "'notification' | 'agent_execution' | 'vault_write' | 'dm_reply' (optional)",
+                got: actionKind,
+            });
+        }
+        const actionRef = typeof body.action_ref === "string"
+            ? sanitizeString(body.action_ref, MAX_ACTION_REF_CHARS)
+            : null;
+        if (issues.length > 0) {
+            return c.json({
+                error: "validation_error",
+                message: "Request body failed schema validation",
+                issues,
+            }, 400);
+        }
+        const normalizedScopeRef = scopeType === "agent_slug" ? scopeRef : null;
+        const deduped = findRecentFeedbackSignal(db, {
+            scopeType: scopeType,
+            scopeRef: normalizedScopeRef,
+            summary,
+            withinSeconds: DEDUP_TTL_SECONDS,
+        });
+        if (deduped) {
+            return c.json({ id: deduped.id, deduped: true });
+        }
+        const evidence = sanitizeEvidence(body.evidence);
+        const id = recordFeedbackSignal(db, {
+            source: source,
+            valence: valence,
+            scopeType: scopeType,
+            scopeRef: normalizedScopeRef,
+            actionKind: actionKind,
+            actionRef,
+            agentId,
+            summary,
+            evidence: {
+                ...(isRecord(evidence)
+                    ? evidence
+                    : evidence === null
+                        ? {}
+                        : { value: evidence }),
+                ...(kind ? { kind } : {}),
+            },
+        });
+        logger.info({ id, source, scopeType, scopeRef: normalizedScopeRef }, "Feedback signal recorded");
+        return c.json({ id });
+    });
+    app.post("/feedback/consume", async (c) => {
+        const parsedBody = await readJsonBody(c);
+        if (!parsedBody.ok)
+            return parsedBody.response;
+        const body = parsedBody.body;
+        if (!isRecord(body)) {
+            return c.json({
+                error: "validation_error",
+                message: "Body must be a JSON object",
+                expectedShape: '{"ids": number[], "lessonRef"?: string}',
+            }, 400);
+        }
+        if (!Array.isArray(body.ids)) {
+            return c.json({
+                error: "validation_error",
+                message: "'ids' must be an array of integer feedback signal ids",
+                expectedShape: '{"ids": number[], "lessonRef"?: string}',
+            }, 400);
+        }
+        const nonInt = body.ids.find((id) => typeof id !== "number" || !Number.isInteger(id));
+        if (nonInt !== undefined) {
+            return c.json({
+                error: "validation_error",
+                message: "'ids' must contain only integers",
+                got: JSON.stringify(nonInt),
+            }, 400);
+        }
+        const lessonRef = typeof body.lessonRef === "string"
+            ? sanitizeString(body.lessonRef, 240)
+            : null;
+        const result = consumeFeedbackSignals(db, body.ids, lessonRef);
+        logger.info({ consumed: result.consumed }, "Feedback signals consumed");
+        return c.json(result);
+    });
+    return app;
+}

package/dist/api/routes/git.js

@@ -113,8 +113,12 @@ export function createGitRoutes(deps) {
         }
         // Use || (not ??) so explicit ?ref= (empty string) falls back to default
         const ref = c.req.query("ref") || "HEAD~1..HEAD";
-        // Sanitize ref — reject shell metacharacters and flag-like arguments
-        if (/[;&|`$]/.test(ref) || ref.startsWith("-")) {
+        // Sanitize ref — reject shell metacharacters and flag-like arguments.
+        // Also reject `:` — `git diff <rev>:<path>` is blob/tree syntax that reads
+        // arbitrary committed file content, beyond this endpoint's commit-diff
+        // purpose. No legitimate commit/range ref (`HEAD~1..HEAD`, `origin/main`)
+        // contains a colon. (execFile already prevents shell injection.)
+        if (/[;&|`$]/.test(ref) || ref.startsWith("-") || ref.includes(":")) {
             return respondWithAgentError(c, 400, [
                 composeIssue("git.invalid_ref", {
                     field: "ref",
@@ -149,7 +153,10 @@ export function createGitRoutes(deps) {
             ], { legacyErrorCode: "invalid or missing repo" });
         }
         const hash = c.req.query("hash") || "HEAD";
-        if (/[;&|`$]/.test(hash) || hash.startsWith("-")) {
+        // Reject `:` for the same reason as /git/diff — `git show <rev>:<path>`
+        // prints arbitrary committed file content, beyond this endpoint's
+        // commit-show purpose. A commit hash / ref never contains a colon.
+        if (/[;&|`$]/.test(hash) || hash.startsWith("-") || hash.includes(":")) {
             return respondWithAgentError(c, 400, [
                 composeIssue("git.invalid_hash", {
                     field: "hash",

package/dist/api/routes/github.js

@@ -224,7 +224,11 @@ export function createGitHubRoutes(deps) {
         }
         const event = parseGitHubEvent(eventType, payload, resolved.repositoryId);
         if (event) {
-            eventBus.put(event);
+            // `EventBus.put` is async; awaiting it (like the repositories routes do)
+            // ensures the event is enqueued before the webhook returns `accepted`
+            // and surfaces any enqueue rejection instead of dropping it as an
+            // unhandled promise rejection.
+            await eventBus.put(event);
             logger.info({ eventType, action: payload.action, repositoryId: resolved.repositoryId }, "GitHub webhook event received");
         }
         // Notify GitWatcher that webhook is alive (adjusts polling frequency)

package/dist/api/routes/integrations/crud-patch.js

@@ -368,6 +368,9 @@ export async function handleIntegrationPatch(c, deps) {
     const finalNativeSyncEnabled = parsed.data.nativeSyncEnabled === undefined
         ? previous.nativeSyncEnabled
         : parsed.data.nativeSyncEnabled;
+    const finalFetchTargets = parsed.data.fetchTargets === undefined
+        ? (previous.fetchTargets ?? [])
+        : parsed.data.fetchTargets;
     // §14.7 — synchronously consult the cached probe before committing a
     // mode flip to delegated/native. Per §14.7 the PATCH response path
     // intentionally never spawns a live probe ("no blocking subprocess");
@@ -470,6 +473,7 @@ export async function handleIntegrationPatch(c, deps) {
             ...(finalNativeSyncEnabled === false
                 ? { nativeSyncEnabled: false }
                 : {}),
+            fetchTargets: finalFetchTargets,
             deniedTools: finalDeniedTools,
             lastChangedAt: stamped,
         });
@@ -501,7 +505,7 @@ export async function handleIntegrationPatch(c, deps) {
         // re-evaluation — the predicate
         // (`hasActiveDelegatedSyncIntegration`) ignores `nativeSyncEnabled`
         // because the worker has no role in native mode (see appendix
-        // §"Polling, observers, and the hourly-check threshold"). The
+        // §"Polling, observers, and the activity-scan threshold"). The
         // `nativeSyncEnabled` field is retained on the state row for
         // schema compatibility but toggling it is inert today.
         const syncChanged = (previous.delegatedSyncEnabled ?? true)

package/dist/api/routes/integrations-reconcile.js

@@ -174,7 +174,7 @@ export function createIntegrationReconcileRoutes(deps) {
  * callers bypass the route and write any window key directly. Plan §6.0
  * defense layer 2.
  *
- * Calendar-only by design (post-Phase-5 review): the LLM hourly_check
+ * Calendar-only by design (post-Phase-5 review): the LLM activity_scan
  * Step 0b fetches the same `[now-15min, now+60min)` and `[now, now+24h)`
  * windows the daemon's `delegated-sync-worker` uses for `primary:imminent`
  * and `primary:24h`, so an LLM POST and a worker POST land in the same
@@ -188,7 +188,7 @@ export function createIntegrationReconcileRoutes(deps) {
  * `reconcile.ts:319-345`). The fix is to keep gmail/notion authoring
  * inside the daemon worker only; the LLM consumes drift signals via
  * `GET /api/observations`. The corresponding Step 0a / 0c blocks of
- * `routine.hourly_check.delegated.<backend>.md` were rewritten to
+ * `routine.activity_scan.delegated.<backend>.md` were rewritten to
  * forbid the POST and document the rationale; this allowlist is the
  * defense-in-depth backstop that catches a future overlay rewrite that
  * silently re-introduces the LLM call.