@aitne/daemon 0.1.9 → 0.1.11

package/dist/api/routes/mcp.js

@@ -1,8 +1,6 @@
-import { execFile } from "node:child_process";
 import { existsSync, readFileSync } from "node:fs";
 import { homedir } from "node:os";
 import { join } from "node:path";
-import { promisify } from "node:util";
 import { Hono } from "hono";
 import { z } from "zod";
 import { BACKEND_IDS } from "@aitne/shared";
@@ -13,6 +11,7 @@ import { deleteAllMcpSecrets, deleteMcpServer, disableAllMcpServers, DuplicateMc
 import { McpServerIdSchema, MCP_RISK_TIERS, MCP_TRANSPORTS, } from "../../services/mcp/types.js";
 import { probeMcpServer } from "../../services/mcp/probe.js";
 import { listMcpToolCalls } from "../../services/mcp/tool-audit.js";
+import { runLineCommand } from "../../core/backends/cli-utils.js";
 const logger = createLogger("mcp-api");
 const BackendIdSchema = z.enum(BACKEND_IDS);
 const CreateInputSchema = z.object({
@@ -383,6 +382,24 @@ export function createMcpRoutes(deps) {
                 composeIssue("mcp.not_found", { field: "id", received: id }),
             ]);
         }
+        // Validate keyName against the server's declared keys, mirroring the PUT
+        // handler. Without this guard DELETE accepted any raw `keyName` from the
+        // URL and removed the corresponding `mcp:<id>:<keyName>` blob — an
+        // asymmetry that let a caller target blobs the server never declared.
+        const keys = new Set([...server.envKeys, ...server.headerKeys]);
+        if (!keys.has(keyName)) {
+            return respondWithAgentError(c, 400, [
+                composeIssue("mcp.unknown_key", {
+                    field: "keyName",
+                    received: keyName,
+                    expected: `one of ${[...keys].join(", ")}`,
+                }),
+            ], {
+                legacyFields: {
+                    message: `keyName must be declared in envKeys/headerKeys: ${keyName}`,
+                },
+            });
+        }
         await deleteAllMcpSecrets(blobStore, id, [keyName]);
         return c.json({ status: "deleted" });
     });
@@ -433,10 +450,44 @@ export function createMcpRoutes(deps) {
             });
         }
         try {
-            const { stdout, stderr } = await execFileAsync("gemini", args, {
-                timeout: 120_000,
-                maxBuffer: 1024 * 1024,
+            // Route through runLineCommand, not a bare execFile("gemini"): on
+            // Windows the npm-installed Gemini CLI is a `gemini.cmd` batch shim,
+            // which a shell:false spawn of the bare name cannot resolve (no PATHEXT)
+            // — so this dashboard install was 100% non-functional on Windows.
+            // runLineCommand's resolveWin32Invocation resolves the name via PATHEXT
+            // and launches the `.cmd` through an escaped cmd.exe wrapper (no
+            // shell:true, no metachar re-parse). The args are a static const, so
+            // there is no injection dimension regardless.
+            const result = await runLineCommand({
+                command: "gemini",
+                args: [...args],
+                cwd: homedir(),
+                timeoutMs: 120_000,
             });
+            const stdout = result.stdoutLines.join("\n");
+            const stderr = result.stderrLines.join("\n");
+            // Contract remap: execFile REJECTS on non-zero exit, but runLineCommand
+            // RESOLVES with exitCode !== 0 (it rejects only on a spawn-level error).
+            // Branch on exitCode/timedOut so an OAuth-required / version-mismatch
+            // failure still maps to the 502 install_failed path instead of being
+            // mis-reported as ok:true.
+            if (result.timedOut || (result.exitCode ?? 0) !== 0) {
+                const message = result.timedOut
+                    ? "gemini install command timed out after 120s"
+                    : stderr || stdout || `gemini exited with code ${result.exitCode}`;
+                logger.warn({ kind, args, exitCode: result.exitCode, timedOut: result.timedOut }, "gemini install command failed");
+                return respondWithAgentError(c, 502, [composeIssue("mcp.install_failed", { field: "gemini", received: message })], {
+                    legacyFields: {
+                        ok: false,
+                        kind,
+                        command: ["gemini", ...args].join(" "),
+                        message,
+                        stdout,
+                        stderr,
+                        exitCode: result.exitCode,
+                    },
+                });
+            }
             logger.info({ kind, args, stdoutLen: stdout.length }, "gemini install command completed");
             return c.json({
                 ok: true,
@@ -448,12 +499,14 @@ export function createMcpRoutes(deps) {
             });
         }
         catch (err) {
+            // Spawn-level failure only: runLineCommand rejects via child.once("error")
+            // with the raw spawn error (code:"ENOENT" when the bare/resolved name is
+            // unresolvable). On Windows, resolveWin32Invocation returns null for an
+            // unresolvable bare "gemini" so spawn still ENOENTs naturally — the 503
+            // gemini_cli_not_found path is preserved.
             const message = toSafeErrorMessage(err);
-            // execFile rejects with the spawn error AND attaches stdout/stderr
-            // / code on the rejection value. Surface them when present so the
-            // dashboard can show OAuth-required / version-mismatch hints.
             const e = err;
-            logger.warn({ kind, args, code: e.code, message }, "gemini install command failed");
+            logger.warn({ kind, args, code: e.code, message }, "gemini install command spawn failed");
             const code = e.code === "ENOENT" ? "mcp.gemini_cli_not_found" : "mcp.install_failed";
             const status = e.code === "ENOENT" ? 503 : 502;
             return respondWithAgentError(c, status, [composeIssue(code, { field: "gemini", received: message })], {
@@ -462,16 +515,15 @@ export function createMcpRoutes(deps) {
                     kind,
                     command: ["gemini", ...args].join(" "),
                     message,
-                    stdout: e.stdout ?? "",
-                    stderr: e.stderr ?? "",
-                    exitCode: typeof e.code === "number" ? e.code : null,
+                    stdout: "",
+                    stderr: "",
+                    exitCode: null,
                 },
             });
         }
     });
     return app;
 }
-const execFileAsync = promisify(execFile);
 /**
  * Pre-spawn idempotency check. Returns true when the target install is
  * already present on disk, so the route can short-circuit without

package/dist/api/routes/notion.d.ts

@@ -11,7 +11,7 @@ export interface NotionRouteDependencies {
     /**
      * Optional shared write tracker. All write endpoints pre-mark the target
      * page (`notion:<pageId>`) so NotionPoller attributes the resulting
-     * observation to `actor='agent'` and hourly_check's `?actor=user` filter
+     * observation to `actor='agent'` and activity_scan's `?actor=user` filter
      * excludes the echo. Without this the agent can observe its own writes
      * and loop.
      */

package/dist/api/routes/observations.js

@@ -80,7 +80,7 @@ function resolveSinceParam(rawSince, rawAlias) {
 /**
  * INTEGRATION_NATIVE_MODE_DESIGN.md §11.3.1 — map an observation `source`
  * string to the integration key whose flip lock would gate writes against
- * it. The agent's hourly_check / native-mode skill always uses one of the
+ * it. The agent's activity_scan / native-mode skill always uses one of the
  * registry's integration keys verbatim as the `source` value (e.g.
  * `"gmail"`, `"google_calendar"`, `"notion"`). Sources outside the
  * registry (Obsidian, Git, messaging adapter, system) are never locked
@@ -102,7 +102,7 @@ const normalizeMailObservationPayload = normalizeMailObservationPayloadShared;
  * cost-reduction-structural §A "Failure modes" — the summary may be
  * outdated when the worker lags far behind the observation moment (e.g.
  * laptop-sleep backlog reclaimed at startup, where the summarizer has
- * caught up by the time hourly_check runs but the underlying source
+ * caught up by the time activity_scan runs but the underlying source
  * may have shifted in between). Surface a `summaryStale` flag the
  * consumer skill can branch on, rather than asking the LLM to do
  * timestamp arithmetic.
@@ -201,10 +201,10 @@ export function createObservationRoutes(deps) {
     /**
      * POST /observations — record an agent-originated observation.
      *
-     * Used by `routine.hourly_check` to queue `roadmap_candidate` signals
+     * Used by `routine.activity_scan` to queue `roadmap_candidate` signals
      * (long-horizon intents too weak to write to roadmap.md directly;
      * ROADMAP-REDESIGN §3.4 RFC-C) AND by INTEGRATION_NATIVE_MODE_DESIGN.md
-     * §8.3 native-mode hourly_check turns to persist the materialised mail
+     * §8.3 native-mode activity_scan turns to persist the materialised mail
      * thread / calendar event list the agent just fetched via the main
      * backend's MCP. The DB layer UPSERTs on `(source, ref)` where
      * `consumed_at IS NULL`, so re-posting the same candidate across hourly
@@ -233,7 +233,7 @@ export function createObservationRoutes(deps) {
         // Peek at the raw body BEFORE delegating to `readJsonBody` so we can
         // turn a query-string-shaped body ("limit=30", "actor=user&limit=20")
         // into a method-confusion hint. Production telemetry showed the
-        // hourly_check agent sending `POST /api/observations` with body
+        // activity_scan agent sending `POST /api/observations` with body
         // `limit=30`, expecting it to fetch. Forwarding readJsonBody's
         // generic "Unexpected token 'l'" message gave the agent no signal
         // that the right call was `GET /api/observations?limit=30`.
@@ -554,7 +554,7 @@ export function createObservationRoutes(deps) {
     /**
      * Field-level validation contract for `POST /observations/consume`.
      *
-     * Without per-field error envelopes, a single Stage-3 hourly_check can
+     * Without per-field error envelopes, a single Stage-3 activity_scan can
      * burn turns retrying this endpoint with shape variants
      * (`correlation_id` snake_case, stringified ids, the angle-bracket
      * placeholder copied verbatim, per-id paths, etc.). The legacy
@@ -686,7 +686,7 @@ export function createObservationRoutes(deps) {
      * Helpful 405 for `GET /api/observations/consume`. The bulk consume is
      * POST-only — without this handler the request 404s with no actionable
      * detail, and the agent's recovery loop produced 8x retries in one
-     * routine.hourly_check session.
+     * routine.activity_scan session.
      */
     app.get("/observations/consume", (c) => c.json({
         error: "method_not_allowed",

package/dist/api/routes/obsidian.d.ts

@@ -6,7 +6,7 @@ export interface ObsidianRouteDependencies {
     /**
      * Optional shared tracker. When present, every write endpoint pre-marks
      * the target vault file so the obsidian-watcher attributes the resulting
-     * chokidar event to `actor='agent'` (and hourly_check's `?actor=user`
+     * chokidar event to `actor='agent'` (and activity_scan's `?actor=user`
      * filter excludes it). Without this the agent can observe its own
      * Obsidian writes and loop.
      */

package/dist/api/routes/receipts.js

@@ -147,7 +147,11 @@ export function createReceiptRoutes(deps) {
             ]);
         }
         c.header("Content-Type", row.mime_type);
-        c.header("Content-Disposition", `attachment; filename="${row.filename}"`);
+        // `row.filename` comes from email-attachment metadata (sender-controlled),
+        // so escape characters that could break out of the quoted header value or
+        // inject extra header lines — same discipline as the attachments route.
+        const safeFilename = row.filename.replace(/["\\\r\n]/g, "_");
+        c.header("Content-Disposition", `attachment; filename="${safeFilename}"`);
         return c.body(new Uint8Array(attachment.data));
     });
     /**

package/dist/api/routes/setup-migrate.js

@@ -14,7 +14,7 @@ const logger = createLogger("setup-migrate");
  * in-flight cron tick to settle (plan §6.2 step 4). Configurable so
  * tests can override to 0; production default 1s is sufficient because
  * all known cron handlers either stop immediately (observer pollers)
- * or enqueue to the paused EventBus (schedule watcher / hourly check).
+ * or enqueue to the paused EventBus (schedule watcher / activity scan).
  *
  * Plan says "up to 10s" but that's a ceiling; shorter is fine when no
  * cron handler is known to block for that long.

package/dist/api/routes/setup.js

@@ -296,7 +296,7 @@ export function createSetupRoutes(deps) {
         }
         // Engage the autonomous-work gate BEFORE enqueuing the greeting so any
         // concurrent cron tick / ScheduleWatcher poll observes the flag and
-        // yields. Without this, a hourly_check firing in the same tick could
+        // yields. Without this, a activity_scan firing in the same tick could
         // still race the setup conversation and patch today.md, which would
         // mark the owner-DM session stale and orphan the setup mode.
         deps.onSetupStart?.(mode);

package/dist/api/routes/task-flows.d.ts

@@ -14,7 +14,7 @@
  * that disallows `/`, `..`, leading dots, and anything outside
  * `[A-Za-z0-9._-]`. Length is capped at 80 characters — the longest
  * bundled key today is ~45 characters
- * (`routine.hourly_check.delegated.gemini`), so 80 leaves comfortable
+ * (`routine.activity_scan.delegated.gemini`), so 80 leaves comfortable
  * headroom without giving an attacker a path-bomb surface.
  *
  * Risk tier: Approve. The task-flow body is dispatcher prose that the

package/dist/api/routes/task-flows.js

@@ -14,7 +14,7 @@
  * that disallows `/`, `..`, leading dots, and anything outside
  * `[A-Za-z0-9._-]`. Length is capped at 80 characters — the longest
  * bundled key today is ~45 characters
- * (`routine.hourly_check.delegated.gemini`), so 80 leaves comfortable
+ * (`routine.activity_scan.delegated.gemini`), so 80 leaves comfortable
  * headroom without giving an attacker a path-bomb surface.
  *
  * Risk tier: Approve. The task-flow body is dispatcher prose that the

package/dist/api/routes/tuning.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Self-Tuning Review Cycle — verdict endpoint (SELF_TUNING_REVIEW_CYCLE_DESIGN.md
+ * §3.3 / §3.4, Phases 2–3).
+ *
+ * `POST /api/tuning/verdicts` is RiskTier.Autonomous by design — the
+ * abolished Notify tier's replacement pattern (Autonomous + mandatory owner
+ * DM on every applied change). Safety is carried by code, not tier (§3.4):
+ *   - verdicts may only reference recommendation ids the daemon itself
+ *     generated **this cycle** — no free-form key/value from the model;
+ *   - ids are single-use and expire when the next weekly cycle overwrites
+ *     the pending blob;
+ *   - the handler is idempotent per id — a retried POST cannot double-apply
+ *     (only verdicts *newly recorded by this POST* reach the actuator);
+ *   - config writes go through the `applyConfigUpdates` chokepoint, which
+ *     enforces the per-key bounds (P4).
+ *
+ * Verdicts are always recorded and audited
+ * (`agent_actions.action_type='self_tuning.verdict'`); rejection reasons
+ * become `self_critique` feedback signals (§3.3 — so repeated bad
+ * recommendations depress the rule via the existing lesson loop). While
+ * `selfTuningEnabled` is `false` (the shipped default — §7 shadow period)
+ * nothing is actuated regardless of verdict and every response carries
+ * `shadow: true` with an empty `applied` array. Once the owner flips the
+ * flag (the D1 sign-off), `apply` verdicts actuate per the D5 namespace
+ * semantics in `core/feedback/tuning-actuator.ts`.
+ */
+import { Hono } from "hono";
+import type { ApiDependencies } from "../server.js";
+export declare function createTuningRoutes(deps: ApiDependencies): Hono;

package/dist/api/routes/tuning.js

@@ -0,0 +1,304 @@
+/**
+ * Self-Tuning Review Cycle — verdict endpoint (SELF_TUNING_REVIEW_CYCLE_DESIGN.md
+ * §3.3 / §3.4, Phases 2–3).
+ *
+ * `POST /api/tuning/verdicts` is RiskTier.Autonomous by design — the
+ * abolished Notify tier's replacement pattern (Autonomous + mandatory owner
+ * DM on every applied change). Safety is carried by code, not tier (§3.4):
+ *   - verdicts may only reference recommendation ids the daemon itself
+ *     generated **this cycle** — no free-form key/value from the model;
+ *   - ids are single-use and expire when the next weekly cycle overwrites
+ *     the pending blob;
+ *   - the handler is idempotent per id — a retried POST cannot double-apply
+ *     (only verdicts *newly recorded by this POST* reach the actuator);
+ *   - config writes go through the `applyConfigUpdates` chokepoint, which
+ *     enforces the per-key bounds (P4).
+ *
+ * Verdicts are always recorded and audited
+ * (`agent_actions.action_type='self_tuning.verdict'`); rejection reasons
+ * become `self_critique` feedback signals (§3.3 — so repeated bad
+ * recommendations depress the rule via the existing lesson loop). While
+ * `selfTuningEnabled` is `false` (the shipped default — §7 shadow period)
+ * nothing is actuated regardless of verdict and every response carries
+ * `shadow: true` with an empty `applied` array. Once the owner flips the
+ * flag (the D1 sign-off), `apply` verdicts actuate per the D5 namespace
+ * semantics in `core/feedback/tuning-actuator.ts`.
+ */
+import { Hono } from "hono";
+import { redactSensitiveString } from "@aitne/shared";
+import { readJsonBody } from "../json-body.js";
+import { applyConfigUpdates } from "../env-writer.js";
+import { createSettingsStore } from "../../settings/settings-store.js";
+import { recordFeedbackSignal } from "../../db/feedback-signals-store.js";
+import { readRuntimeState, writeRuntimeState } from "../../db/runtime-state.js";
+import { SELF_TUNING_NOTIFICATION_TYPE, TUNING_PENDING_CYCLE_STATE_KEY, applyVerdictsToCycle, } from "../../core/feedback/tuning-recommender.js";
+import { actuateApplyVerdicts, } from "../../core/feedback/tuning-actuator.js";
+import { createLogger } from "../../logging.js";
+const logger = createLogger("tuning-api");
+const MAX_REASON_CHARS = 280;
+const VERDICTS = new Set(["apply", "reject", "defer"]);
+function isRecord(value) {
+    return value !== null && typeof value === "object" && !Array.isArray(value);
+}
+function describeType(value) {
+    if (value === undefined)
+        return "missing";
+    if (value === null)
+        return "null";
+    if (Array.isArray(value))
+        return "array";
+    return typeof value;
+}
+function sanitizeReason(value) {
+    const flattened = value.replace(/[\u0000-\u001f\u007f]/g, " ");
+    const truncated = flattened.length <= MAX_REASON_CHARS
+        ? flattened
+        : flattened.slice(0, MAX_REASON_CHARS);
+    return redactSensitiveString(truncated).trim();
+}
+export function createTuningRoutes(deps) {
+    const app = new Hono();
+    const { db, config } = deps;
+    /**
+     * GET /tuning/pending — the current cycle's recommendations + recorded
+     * verdicts, for the owner's shadow-period validation and the dashboard.
+     * Autonomous: the blob holds knob names and telemetry counts only — no
+     * user prose, no secrets.
+     */
+    app.get("/tuning/pending", (c) => {
+        const cycle = readRuntimeState(db, TUNING_PENDING_CYCLE_STATE_KEY);
+        const live = config?.selfTuningEnabled === true;
+        return c.json({
+            cycle,
+            selfTuningEnabled: live,
+            shadow: !live,
+        });
+    });
+    app.post("/tuning/verdicts", async (c) => {
+        const parsedBody = await readJsonBody(c);
+        if (!parsedBody.ok)
+            return parsedBody.response;
+        const body = parsedBody.body;
+        if (!isRecord(body)) {
+            return c.json({
+                error: "validation_error",
+                message: "Body must be a JSON object",
+                expectedShape: '{"cycleId": string, "verdicts": [{"id": string, "verdict": "apply"|"reject"|"defer", "reason": string}]}',
+            }, 400);
+        }
+        const issues = [];
+        const cycleId = typeof body.cycleId === "string" ? body.cycleId : null;
+        if (!cycleId) {
+            issues.push({
+                field: "cycleId",
+                expected: "string (the cycle attribute of <tuning_recommendations>)",
+                got: describeType(body.cycleId),
+            });
+        }
+        if (!Array.isArray(body.verdicts) || body.verdicts.length === 0) {
+            issues.push({
+                field: "verdicts",
+                expected: "non-empty array",
+                got: describeType(body.verdicts),
+            });
+        }
+        const entries = [];
+        if (Array.isArray(body.verdicts)) {
+            body.verdicts.forEach((raw, index) => {
+                if (!isRecord(raw)) {
+                    issues.push({
+                        field: `verdicts[${index}]`,
+                        expected: "object",
+                        got: describeType(raw),
+                    });
+                    return;
+                }
+                const id = typeof raw.id === "string" ? raw.id : null;
+                const verdict = typeof raw.verdict === "string" ? raw.verdict : null;
+                const reason = typeof raw.reason === "string" ? sanitizeReason(raw.reason) : "";
+                if (!id) {
+                    issues.push({
+                        field: `verdicts[${index}].id`,
+                        expected: "string recommendation id",
+                        got: describeType(raw.id),
+                    });
+                }
+                if (verdict === null || !VERDICTS.has(verdict)) {
+                    issues.push({
+                        field: `verdicts[${index}].verdict`,
+                        expected: "'apply' | 'reject' | 'defer'",
+                        got: verdict ?? describeType(raw.verdict),
+                    });
+                }
+                if (reason.length === 0) {
+                    issues.push({
+                        field: `verdicts[${index}].reason`,
+                        expected: "non-empty one-line string (max 280 chars)",
+                        got: describeType(raw.reason),
+                    });
+                }
+                if (id && verdict !== null && VERDICTS.has(verdict) && reason) {
+                    entries.push({ id, verdict: verdict, reason });
+                }
+            });
+        }
+        if (issues.length > 0) {
+            return c.json({
+                error: "validation_error",
+                message: "Request body failed schema validation",
+                issues,
+            }, 400);
+        }
+        const cycle = readRuntimeState(db, TUNING_PENDING_CYCLE_STATE_KEY);
+        if (!cycle) {
+            return c.json({
+                error: "no_pending_cycle",
+                message: "No pending tuning cycle exists — recommendations are generated by the weekly review pre-step.",
+            }, 409);
+        }
+        if (cycle.cycleId !== cycleId) {
+            // §3.4 — single-use ids: the weekly pre-step overwrote the blob, so the
+            // referenced cycle's ids have expired. No replay.
+            return c.json({
+                error: "cycle_expired",
+                message: `Cycle '${cycleId}' is not the pending cycle — its ids have expired.`,
+                activeCycleId: cycle.cycleId,
+            }, 409);
+        }
+        const matched = entries.map((entry) => ({
+            entry,
+            rec: cycle.recommendations.find((rec) => rec.id === entry.id) ?? null,
+        }));
+        const known = matched.filter((m) => m.rec !== null);
+        const unknownIds = [
+            ...new Set(matched.filter((m) => m.rec === null).map((m) => m.entry.id)),
+        ];
+        if (unknownIds.length > 0) {
+            // §3.4 — verdicts may only reference daemon-generated ids from this
+            // cycle. Atomic reject: nothing is recorded on a partially-bad batch,
+            // so a corrected retry cannot double-record the valid half.
+            return c.json({
+                error: "unknown_recommendation_ids",
+                message: "Verdicts may only reference recommendation ids generated this cycle.",
+                unknownIds,
+                knownIds: cycle.recommendations.map((rec) => rec.id),
+            }, 400);
+        }
+        const { cycle: updated, results } = applyVerdictsToCycle(cycle, entries, new Date().toISOString());
+        writeRuntimeState(db, TUNING_PENDING_CYCLE_STATE_KEY, updated);
+        const recordedIds = new Set(results.filter((r) => r.status === "recorded").map((r) => r.id));
+        // §3.3 — rejection reasons become self_critique signals so the lesson
+        // loop learns which recommendations the judge keeps refusing. Recorded
+        // only (idempotency: a retried duplicate never double-posts), and only
+        // while the feedback loop is enabled — mirroring POST /api/feedback's
+        // kill-switch posture.
+        if (config?.feedbackLearningEnabled !== false) {
+            for (const { entry, rec } of known) {
+                if (entry.verdict !== "reject" || !recordedIds.has(entry.id))
+                    continue;
+                try {
+                    recordFeedbackSignal(db, {
+                        source: "self_critique",
+                        valence: "negative",
+                        scopeType: "agent",
+                        scopeRef: null,
+                        actionKind: "agent_execution",
+                        actionRef: entry.id,
+                        agentId: null,
+                        summary: sanitizeReason(`Tuning recommendation ${rec.rule} (${rec.key}) rejected: ${entry.reason}`),
+                        evidence: {
+                            kind: "do-less",
+                            recommendationId: entry.id,
+                            rule: rec.rule,
+                            key: rec.key,
+                        },
+                    });
+                }
+                catch (err) {
+                    logger.warn({ err, id: entry.id }, "Failed to record self_critique signal for rejected tuning recommendation");
+                }
+            }
+        }
+        const live = config?.selfTuningEnabled === true;
+        // Telemetry row — the record the owner reads to validate recommendation
+        // quality (§7). Failure here must not fail the verdict write: the blob
+        // is already persisted.
+        try {
+            db.prepare(`INSERT INTO agent_actions
+           (action_type, trigger, result, detail, started_at, completed_at)
+         VALUES ('self_tuning.verdict', 'autonomous', 'success', json(?), datetime('now'), datetime('now'))`).run(JSON.stringify({
+                cycleId: cycle.cycleId,
+                shadow: !live,
+                // `results` is index-aligned with `entries` — applyVerdictsToCycle
+                // emits exactly one result per entry, in order.
+                verdicts: entries.map((entry, index) => ({
+                    id: entry.id,
+                    verdict: entry.verdict,
+                    reason: entry.reason,
+                    status: results[index].status,
+                })),
+            }));
+        }
+        catch (err) {
+            logger.warn({ err }, "Failed to audit self_tuning.verdict");
+        }
+        // Phase 3 — Actuate (§3.4, D5 namespace semantics). Gated on the D1
+        // flag AND on per-id "recorded" status: duplicates/conflicts from a
+        // retried POST never reach the actuator, so a change cannot
+        // double-apply — including an `apply` recorded during the shadow period
+        // and re-POSTed after the flag flip. The actuator owns ledger writes,
+        // `self_tuning.applied` audit rows, and the mandatory owner DM; an
+        // actuation failure surfaces in `actuationFailures` without failing the
+        // verdict write (already persisted above).
+        let actuation = { applied: [], failures: [] };
+        if (live) {
+            const applyRecs = known
+                .filter(({ entry }) => entry.verdict === "apply" && recordedIds.has(entry.id))
+                .map(({ rec }) => rec);
+            if (applyRecs.length > 0) {
+                const settingsStore = createSettingsStore(db);
+                const agentConfig = config;
+                const sendNotification = deps.sendNotification;
+                actuation = await actuateApplyVerdicts({
+                    db,
+                    getCurrentValue: (key) => agentConfig[key],
+                    applyUpdates: (updates) => applyConfigUpdates(agentConfig, settingsStore, updates, { db }),
+                    ...(sendNotification
+                        ? {
+                            sendDm: async (message) => {
+                                await sendNotification({
+                                    message,
+                                    notificationType: SELF_TUNING_NOTIFICATION_TYPE,
+                                    priority: "normal",
+                                });
+                            },
+                        }
+                        : {}),
+                    feedbackLearningEnabled: config?.feedbackLearningEnabled,
+                }, applyRecs, new Date());
+            }
+        }
+        const counts = { recorded: 0, duplicate: 0, conflict: 0 };
+        for (const result of results)
+            counts[result.status] += 1;
+        logger.info({
+            cycleId: cycle.cycleId,
+            ...counts,
+            applied: actuation.applied.length,
+            actuationFailures: actuation.failures.length,
+            shadow: !live,
+        }, "Tuning verdicts recorded");
+        return c.json({
+            cycleId: cycle.cycleId,
+            results,
+            recorded: counts.recorded,
+            duplicates: counts.duplicate,
+            conflicts: counts.conflict,
+            shadow: !live,
+            applied: actuation.applied,
+            actuationFailures: actuation.failures,
+            selfTuningEnabled: live,
+        });
+    });
+    return app;
+}