@botcord/daemon 0.1.1

package/dist/control-channel.js

@@ -0,0 +1,388 @@
+/**
+ * Daemon ↔ Hub control-plane WebSocket.
+ *
+ * One long-lived connection, carrying JSON {@link ControlFrame} messages.
+ * Independent from the agent data-plane WS: different auth (user access
+ * token vs agent JWT), different endpoint (`/daemon/ws`), different
+ * lifecycle (alive even when zero agents are bound).
+ *
+ * See `docs/daemon-control-plane-plan.md` §4.1, §4.3, §8.
+ */
+import WebSocket from "ws";
+import { buildDaemonWebSocketUrl, CONTROL_FRAME_TYPES, jcsCanonicalize, resolveHubControlPublicKey, verifyEd25519, } from "@botcord/protocol-core";
+import { log as daemonLog } from "./log.js";
+import { writeAuthExpiredFlag, } from "./user-auth.js";
+/** Exponential backoff plan for transient disconnects. */
+const RECONNECT_BACKOFF_MS = [1000, 2000, 4000, 8000, 16000, 30000];
+const KEEPALIVE_INTERVAL_MS = 25_000;
+const REPLAY_DEDUPE_CAP = 256;
+/**
+ * Build the canonical signing input for a control frame: RFC 8785 (JCS)
+ * canonicalization of `{id, type, params, ts}`. Per
+ * `docs/daemon-control-plane-api-contract.md` §3.3 — the Hub uses Python
+ * `jcs.canonicalize` over the same object before signing.
+ *
+ * Excludes `sig` by definition. `params` defaults to `{}` (empty object)
+ * to match the Hub-side default for paramless types like `ping`.
+ */
+export function controlSigningInput(frame) {
+    const obj = {
+        id: frame.id,
+        type: frame.type,
+        params: (frame.params ?? {}),
+        ts: typeof frame.ts === "number" ? frame.ts : 0,
+    };
+    return jcsCanonicalize(obj) ?? "{}";
+}
+/**
+ * Long-lived, self-healing WS connection that carries control frames
+ * between the Hub and the local daemon. Owns reconnect/backoff and
+ * dedupe; delegates frame semantics to a caller-supplied handler.
+ */
+export class ControlChannel {
+    auth;
+    handle;
+    path;
+    label;
+    hubPublicKey;
+    webSocketCtor;
+    backoff;
+    keepaliveMs;
+    ws = null;
+    stopRequested = false;
+    reconnectAttempts = 0;
+    reconnectTimer = null;
+    keepaliveTimer = null;
+    seenFrameIds = [];
+    connectInflight = null;
+    connected = false;
+    constructor(opts) {
+        this.auth = opts.auth;
+        this.handle = opts.handle;
+        this.path = opts.path ?? "/daemon/ws";
+        // Prefer an explicit `label` from start-time; fall back to whatever
+        // was persisted on the user-auth record at login.
+        this.label = opts.label ?? opts.auth.current?.label;
+        this.hubPublicKey =
+            opts.hubPublicKey === undefined ? resolveHubControlPublicKey() : opts.hubPublicKey;
+        this.webSocketCtor = opts.webSocketCtor ?? WebSocket;
+        this.backoff = opts.backoffMs ?? RECONNECT_BACKOFF_MS;
+        this.keepaliveMs = opts.keepaliveIntervalMs ?? KEEPALIVE_INTERVAL_MS;
+    }
+    /** True once the initial WS handshake succeeded. Flipped back on close. */
+    get isConnected() {
+        return this.connected;
+    }
+    /**
+     * Open the WS. Resolves after the first `open` event — transient
+     * reconnects after that run in the background until `stop()` is
+     * called. Throws immediately if no user-auth record is loaded.
+     */
+    async start() {
+        if (!this.auth.current) {
+            throw new Error("control-channel requires user-auth; run `botcord-daemon start`");
+        }
+        if (this.connectInflight)
+            return this.connectInflight;
+        this.stopRequested = false;
+        daemonLog.info("control-channel starting", {
+            userId: this.auth.current.userId,
+            hubUrl: this.auth.current.hubUrl,
+            path: this.path,
+            label: this.label ?? null,
+            hubKeyConfigured: !!this.hubPublicKey,
+        });
+        this.connectInflight = this.connect().catch((err) => {
+            // Initial connect failure surfaces to the caller; subsequent
+            // reconnects are handled opaquely inside onClose.
+            this.scheduleReconnect(err);
+            throw err;
+        });
+        try {
+            await this.connectInflight;
+        }
+        finally {
+            this.connectInflight = null;
+        }
+    }
+    /** Close the WS and stop reconnecting. Idempotent. */
+    async stop() {
+        if (!this.stopRequested) {
+            daemonLog.info("control-channel stopping", { wasConnected: this.connected });
+        }
+        this.stopRequested = true;
+        if (this.reconnectTimer) {
+            clearTimeout(this.reconnectTimer);
+            this.reconnectTimer = null;
+        }
+        this.stopKeepalive();
+        const ws = this.ws;
+        this.ws = null;
+        this.connected = false;
+        if (ws) {
+            try {
+                ws.close(1000, "daemon stopping");
+            }
+            catch {
+                // ignore
+            }
+        }
+    }
+    /** Actively send a frame (used for event reports like `agent_provisioned`). */
+    send(frame) {
+        const ws = this.ws;
+        if (!ws || ws.readyState !== WebSocket.OPEN) {
+            daemonLog.debug("control-channel.send skipped (not open)", {
+                type: frame.type,
+                id: frame.id,
+                readyState: ws?.readyState ?? null,
+            });
+            return false;
+        }
+        try {
+            ws.send(JSON.stringify(frame));
+            daemonLog.debug("control-channel.send", { type: frame.type, id: frame.id });
+            return true;
+        }
+        catch (err) {
+            daemonLog.warn("control-channel.send failed", {
+                type: frame.type,
+                error: err instanceof Error ? err.message : String(err),
+            });
+            return false;
+        }
+    }
+    async connect() {
+        const record = this.auth.current;
+        if (!record)
+            throw new Error("control-channel: no user-auth");
+        const accessToken = await this.auth.ensureAccessToken();
+        const url = buildDaemonWebSocketUrl(record.hubUrl, this.path, this.label ? { label: this.label } : undefined);
+        daemonLog.info("control-channel connecting", { url });
+        const ws = new this.webSocketCtor(url, {
+            headers: { Authorization: `Bearer ${accessToken}` },
+        });
+        this.ws = ws;
+        await new Promise((resolve, reject) => {
+            const onOpen = () => {
+                ws.removeListener("error", onError);
+                this.connected = true;
+                this.reconnectAttempts = 0;
+                daemonLog.info("control-channel connected", { url });
+                this.startKeepalive();
+                resolve();
+            };
+            const onError = (err) => {
+                ws.removeListener("open", onOpen);
+                reject(err);
+            };
+            ws.once("open", onOpen);
+            ws.once("error", onError);
+        });
+        ws.on("message", (data) => this.onMessage(data));
+        ws.on("close", (code, reason) => this.onClose(code, reason));
+        ws.on("error", (err) => daemonLog.warn("control-channel error", {
+            error: err instanceof Error ? err.message : String(err),
+        }));
+    }
+    startKeepalive() {
+        this.stopKeepalive();
+        this.keepaliveTimer = setInterval(() => {
+            const ws = this.ws;
+            if (!ws || ws.readyState !== WebSocket.OPEN)
+                return;
+            try {
+                ws.ping();
+            }
+            catch {
+                // ignore — next failed send will trigger close
+            }
+        }, this.keepaliveMs);
+    }
+    stopKeepalive() {
+        if (this.keepaliveTimer) {
+            clearInterval(this.keepaliveTimer);
+            this.keepaliveTimer = null;
+        }
+    }
+    onClose(code, reason) {
+        const reasonText = reason?.toString() || "";
+        this.connected = false;
+        this.stopKeepalive();
+        this.ws = null;
+        daemonLog.info("control-channel closed", { code, reason: reasonText });
+        // 4401 / 4403 = auth problem per the plan. Surface via the flag file
+        // and stop reconnecting; the daemon is now in a "needs re-login" state.
+        if (code === 4401 || code === 4403 || code === 1008) {
+            daemonLog.warn("control-channel auth rejected; marking auth expired", { code });
+            writeAuthExpiredFlag();
+            this.stopRequested = true;
+            return;
+        }
+        if (this.stopRequested)
+            return;
+        this.scheduleReconnect();
+    }
+    scheduleReconnect(err) {
+        if (this.stopRequested)
+            return;
+        const attempt = this.reconnectAttempts;
+        this.reconnectAttempts = attempt + 1;
+        const delay = this.backoff[Math.min(attempt, this.backoff.length - 1)];
+        if (err) {
+            daemonLog.warn("control-channel reconnect scheduled", {
+                delayMs: delay,
+                error: err instanceof Error ? err.message : String(err),
+            });
+        }
+        else {
+            daemonLog.info("control-channel reconnect scheduled", { delayMs: delay });
+        }
+        this.reconnectTimer = setTimeout(() => {
+            this.reconnectTimer = null;
+            if (this.stopRequested)
+                return;
+            this.connect().catch((err) => this.scheduleReconnect(err));
+        }, delay);
+    }
+    async onMessage(data) {
+        let frame;
+        try {
+            frame = JSON.parse(data.toString());
+        }
+        catch (err) {
+            daemonLog.warn("control-channel: non-JSON frame", {
+                error: err instanceof Error ? err.message : String(err),
+            });
+            return;
+        }
+        if (!frame || typeof frame.id !== "string" || typeof frame.type !== "string") {
+            daemonLog.warn("control-channel: malformed frame", { frame });
+            return;
+        }
+        // Replay-window check: Hub-signed frames carry `ts`; absent on pong
+        // responses, so skip the check when not present.
+        if (typeof frame.ts === "number") {
+            const skewMs = Math.abs(Date.now() - frame.ts);
+            if (skewMs > 5 * 60 * 1000) {
+                daemonLog.warn("control-channel: rejecting frame with stale ts", {
+                    type: frame.type,
+                    id: frame.id,
+                    skewMs,
+                });
+                this.sendAck({
+                    id: frame.id,
+                    ok: false,
+                    error: { code: "stale_ts", message: `timestamp skew ${skewMs}ms exceeds window` },
+                });
+                return;
+            }
+        }
+        // Hub→daemon signature check. Plan §8.3 mandates rejection of unsigned
+        // frames once a Hub key is configured. When no key is available (P1
+        // dev / placeholder constant), we log a warning per frame and accept,
+        // so the daemon can still bring up the control plane against a Hub
+        // that hasn't published its key yet.
+        if (this.hubPublicKey) {
+            if (typeof frame.sig !== "string" || frame.sig.length === 0) {
+                daemonLog.warn("control-channel: rejecting unsigned frame", {
+                    type: frame.type,
+                    id: frame.id,
+                });
+                this.sendAck({
+                    id: frame.id,
+                    ok: false,
+                    error: { code: "unsigned", message: "hub signature required" },
+                });
+                return;
+            }
+            if (!verifyEd25519(this.hubPublicKey, controlSigningInput(frame), frame.sig)) {
+                daemonLog.warn("control-channel: rejecting frame with bad signature", {
+                    type: frame.type,
+                    id: frame.id,
+                });
+                this.sendAck({
+                    id: frame.id,
+                    ok: false,
+                    error: { code: "bad_signature", message: "hub signature did not verify" },
+                });
+                return;
+            }
+        }
+        else if (typeof frame.sig === "string") {
+            // Key not configured yet; skip verification but warn loudly.
+            daemonLog.warn("control-channel: skipping signature verification (no Hub public key configured)", { type: frame.type, id: frame.id });
+        }
+        // Idempotent dedupe: replay the cached result would require storing
+        // past results — for P0 we just ack the dup with a no-op ok. The
+        // provisioner itself is the authoritative dedupe boundary for
+        // stateful operations.
+        if (this.seenFrameIds.includes(frame.id)) {
+            daemonLog.debug("control-channel: duplicate frame, acking as no-op", {
+                type: frame.type,
+                id: frame.id,
+            });
+            this.sendAck({ id: frame.id, ok: true, result: { duplicate: true } });
+            return;
+        }
+        this.seenFrameIds.push(frame.id);
+        if (this.seenFrameIds.length > REPLAY_DEDUPE_CAP) {
+            this.seenFrameIds.splice(0, this.seenFrameIds.length - REPLAY_DEDUPE_CAP);
+        }
+        daemonLog.debug("control-channel frame received", {
+            type: frame.type,
+            id: frame.id,
+        });
+        // Plan §6.3 — instance-level revoke: write the expired flag, ack, and
+        // tear down the control plane. Agent gateway stays up so existing
+        // agent tokens keep working until the operator re-authorizes.
+        if (frame.type === CONTROL_FRAME_TYPES.REVOKE) {
+            writeAuthExpiredFlag();
+            const reason = frame.params && typeof frame.params.reason === "string"
+                ? frame.params.reason
+                : "revoked_by_hub";
+            daemonLog.warn("control-channel: instance revoked by hub", { reason });
+            this.sendAck({ id: frame.id, ok: true, result: { acknowledged: true } });
+            void this.stop();
+            return;
+        }
+        try {
+            const result = await this.handle(frame);
+            const ack = result
+                ? { id: frame.id, ...result }
+                : { id: frame.id, ok: true };
+            daemonLog.debug("control-channel handler done", {
+                type: frame.type,
+                id: frame.id,
+                ok: ack.ok !== false,
+            });
+            this.sendAck(ack);
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            daemonLog.error("control-channel handler failed", {
+                type: frame.type,
+                error: message,
+            });
+            this.sendAck({
+                id: frame.id,
+                ok: false,
+                error: { code: "handler_error", message },
+            });
+        }
+    }
+    sendAck(ack) {
+        const ws = this.ws;
+        if (!ws || ws.readyState !== WebSocket.OPEN)
+            return;
+        try {
+            ws.send(JSON.stringify(ack));
+        }
+        catch (err) {
+            daemonLog.warn("control-channel.ack failed", {
+                id: ack.id,
+                error: err instanceof Error ? err.message : String(err),
+            });
+        }
+    }
+}

package/dist/cross-room.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Cross-room digest — a short block listing other rooms the agent is
+ * actively talking in, so a single turn isn't blind to parallel
+ * conversations.
+ *
+ * Unlike the plugin version (which reads OpenClaw's per-session message
+ * history via `runtime.subagent.getSessionMessages()`), the daemon doesn't
+ * have access to the underlying CLI's transcript. We synthesize the digest
+ * from the ActivityTracker's last-inbound preview instead — lower fidelity,
+ * but works uniformly across Claude Code / Codex / Gemini.
+ */
+import type { ActivityTracker } from "./activity-tracker.js";
+export interface DigestOptions {
+    tracker: ActivityTracker;
+    agentId: string;
+    currentRoomId: string;
+    currentTopic?: string | null;
+    /** Time horizon for "active". Default 2 hours. */
+    windowMs?: number;
+    /** Cap on how many rooms appear in the digest. Default 5. */
+    maxEntries?: number;
+}
+export declare function buildCrossRoomDigest(opts: DigestOptions): string | null;

package/dist/cross-room.js

@@ -0,0 +1,55 @@
+const DEFAULT_MAX_ENTRIES = 5;
+const DEFAULT_WINDOW_MS = 2 * 60 * 60 * 1000;
+export function buildCrossRoomDigest(opts) {
+    const { tracker, agentId, currentRoomId, currentTopic = null, windowMs = DEFAULT_WINDOW_MS, maxEntries = DEFAULT_MAX_ENTRIES, } = opts;
+    const excludeKey = tracker.keyFor(agentId, currentRoomId, currentTopic ?? null);
+    const entries = tracker.listActive({ agentId, windowMs, excludeKey });
+    if (entries.length === 0)
+        return null;
+    const slice = entries.slice(0, maxEntries);
+    const total = entries.length + 1; // +1 for the current turn's room
+    const lines = [
+        "[BotCord Cross-Room Awareness]",
+        `You are currently active in ${total} BotCord sessions. Recent activity from other rooms:`,
+    ];
+    for (const e of slice) {
+        lines.push(formatEntry(e));
+    }
+    return lines.join("\n");
+}
+function formatEntry(e) {
+    const ago = formatTimeAgo(e.lastActivityAt);
+    const senderLabel = describeSender(e);
+    const roomLabel = e.roomName ? `${e.roomName} (${e.roomId})` : e.roomId;
+    const topicLabel = e.topic ? ` / topic ${e.topic}` : "";
+    const preview = e.lastInboundPreview.trim();
+    if (!preview) {
+        return `- ${roomLabel}${topicLabel} — last activity ${ago}, no preview`;
+    }
+    return [
+        `- ${roomLabel}${topicLabel} — last ${ago}`,
+        `  ${senderLabel}: ${preview}`,
+    ].join("\n");
+}
+function describeSender(e) {
+    switch (e.lastSenderKind) {
+        case "human":
+            return `human ${e.lastSender}`;
+        case "owner":
+            return `owner`;
+        default:
+            return `agent ${e.lastSender}`;
+    }
+}
+function formatTimeAgo(ts) {
+    const diffMs = Date.now() - ts;
+    if (diffMs < 0)
+        return "just now";
+    const diffMin = Math.floor(diffMs / 60_000);
+    if (diffMin < 1)
+        return "just now";
+    if (diffMin < 60)
+        return `${diffMin}m ago`;
+    const diffHr = Math.floor(diffMin / 60);
+    return `${diffHr}h ago`;
+}

package/dist/daemon-config-map.d.ts

@@ -0,0 +1,61 @@
+import type { GatewayConfig, GatewayRoute } from "./gateway/index.js";
+import type { DaemonConfig } from "./config.js";
+/** Options accepted by {@link toGatewayConfig}. */
+export interface ToGatewayConfigOptions {
+    /**
+     * Explicit list of agent ids to bind channels to. When provided, overrides
+     * anything derivable from the daemon config itself. P1 passes discovered
+     * credentials in via this field so `toGatewayConfig` stays pure.
+     */
+    agentIds?: string[];
+    /**
+     * Per-agent runtime/cwd cached from credentials (see
+     * `docs/agent-runtime-property-plan.md`). When present for an agent id,
+     * `toGatewayConfig` synthesizes a terminal route pinning that agent's
+     * turns to its runtime. Explicit `cfg.routes` entries still win because
+     * synthesized routes are appended after them.
+     */
+    agentRuntimes?: Record<string, {
+        runtime?: string;
+        cwd?: string;
+    }>;
+}
+/**
+ * Historical channel id used when the daemon bound a single agent. Kept as a
+ * named export for any downstream reader that still references it; no new
+ * code paths in the daemon emit this id — channels are now keyed by agentId.
+ *
+ * @deprecated Channel ids are now the agentId itself.
+ */
+export declare const DEFAULT_BOTCORD_CHANNEL_ID = "botcord-main";
+/** Channel `type` tag used by `createBotCordChannel`. */
+export declare const BOTCORD_CHANNEL_TYPE = "botcord";
+/**
+ * Convert the daemon's on-disk config into a gateway runtime config. Only
+ * used in-process at daemon boot; the daemon config file itself is the
+ * user-facing contract.
+ *
+ * When `opts.agentIds` is provided (discovery or explicit override), the
+ * mapper trusts that list verbatim. Otherwise it falls back to the legacy
+ * `resolveAgentIds(cfg)` path so callers that haven't been updated for P1
+ * keep working.
+ */
+export declare function toGatewayConfig(cfg: DaemonConfig, opts?: ToGatewayConfigOptions): GatewayConfig;
+/**
+ * Build the daemon's managed per-agent routes. Emits exactly one route per
+ * `agentId`, keyed by `accountId`. `runtime` comes from the agent's cached
+ * metadata when present (credentials file), otherwise falls back to
+ * `defaultRoute.runtime`. `cwd` prefers the cached value but falls back to
+ * the agent's workspace directory (see plan §10) so every agent runs inside
+ * its own dedicated tree by default.
+ *
+ * Iteration order of `agentIds` is preserved in the resulting Map for test
+ * determinism; the gateway router does not depend on map order.
+ *
+ * Exported so `reload_config` and `provisionAgent` hot-add can share the
+ * same synthesis logic (plan §10.5).
+ */
+export declare function buildManagedRoutes(agentIds: string[], agentRuntimes: Record<string, {
+    runtime?: string;
+    cwd?: string;
+}>, defaultRoute: GatewayRoute): Map<string, GatewayRoute>;

package/dist/daemon-config-map.js

@@ -0,0 +1,153 @@
+import { resolveAgentIds } from "./config.js";
+import { agentWorkspaceDir } from "./agent-workspace.js";
+import { log as daemonLog } from "./log.js";
+/**
+ * Historical channel id used when the daemon bound a single agent. Kept as a
+ * named export for any downstream reader that still references it; no new
+ * code paths in the daemon emit this id — channels are now keyed by agentId.
+ *
+ * @deprecated Channel ids are now the agentId itself.
+ */
+export const DEFAULT_BOTCORD_CHANNEL_ID = "botcord-main";
+/** Channel `type` tag used by `createBotCordChannel`. */
+export const BOTCORD_CHANNEL_TYPE = "botcord";
+/**
+ * Map daemon's historical narrower TrustLevel ("owner" | "untrusted") onto
+ * gateway's ("owner" | "trusted" | "public"). Matches the adapter-level
+ * mapping in `adapters/runtimes.ts`: "untrusted" collapses to "public".
+ * Accepts `undefined` → `undefined` so callers can pass through.
+ */
+function mapTrustLevel(level) {
+    if (level === undefined)
+        return undefined;
+    return level === "owner" ? "owner" : "public";
+}
+/**
+ * Translate a single daemon route rule into a gateway route. Gateway matches
+ * on the channel-agnostic fields; the daemon surface keeps the legacy
+ * `roomId`/`roomPrefix` aliases for backward compatibility. When both a
+ * legacy alias and its canonical field are present, the canonical field
+ * wins and a warning is logged.
+ */
+function mapRoute(r) {
+    const match = {};
+    if (r.match.channel)
+        match.channel = r.match.channel;
+    if (r.match.accountId)
+        match.accountId = r.match.accountId;
+    if (r.match.conversationId && r.match.roomId && r.match.conversationId !== r.match.roomId) {
+        daemonLog.warn("daemon.config.route.conflict", {
+            field: "conversationId",
+            roomId: r.match.roomId,
+            conversationId: r.match.conversationId,
+            resolution: "conversationId wins",
+        });
+    }
+    const conversationId = r.match.conversationId ?? r.match.roomId;
+    if (conversationId)
+        match.conversationId = conversationId;
+    if (r.match.conversationPrefix &&
+        r.match.roomPrefix &&
+        r.match.conversationPrefix !== r.match.roomPrefix) {
+        daemonLog.warn("daemon.config.route.conflict", {
+            field: "conversationPrefix",
+            roomPrefix: r.match.roomPrefix,
+            conversationPrefix: r.match.conversationPrefix,
+            resolution: "conversationPrefix wins",
+        });
+    }
+    const conversationPrefix = r.match.conversationPrefix ?? r.match.roomPrefix;
+    if (conversationPrefix)
+        match.conversationPrefix = conversationPrefix;
+    if (r.match.conversationKind)
+        match.conversationKind = r.match.conversationKind;
+    if (r.match.senderId)
+        match.senderId = r.match.senderId;
+    if (typeof r.match.mentioned === "boolean")
+        match.mentioned = r.match.mentioned;
+    const rawTrust = r.trustLevel;
+    return {
+        match,
+        runtime: r.adapter,
+        cwd: r.cwd,
+        extraArgs: r.extraArgs,
+        trustLevel: mapTrustLevel(rawTrust),
+    };
+}
+/**
+ * Convert the daemon's on-disk config into a gateway runtime config. Only
+ * used in-process at daemon boot; the daemon config file itself is the
+ * user-facing contract.
+ *
+ * When `opts.agentIds` is provided (discovery or explicit override), the
+ * mapper trusts that list verbatim. Otherwise it falls back to the legacy
+ * `resolveAgentIds(cfg)` path so callers that haven't been updated for P1
+ * keep working.
+ */
+export function toGatewayConfig(cfg, opts = {}) {
+    // One channel per configured agent. Channel id = agentId so session keys
+    // (`runtime:channel:accountId:kind:convId`) and activity records carry
+    // the agent identity end-to-end. Pre-multi-agent single-agent installs
+    // previously used the fixed id "botcord-main"; existing on-disk session
+    // entries keyed by that id are silently dropped on the first message
+    // after upgrade — a one-time reset, not a bug.
+    const agentIds = opts.agentIds ?? resolveAgentIds(cfg);
+    const channels = agentIds.map((agentId) => ({
+        id: agentId,
+        type: BOTCORD_CHANNEL_TYPE,
+        accountId: agentId,
+        agentId,
+    }));
+    // DaemonConfig's typed surface doesn't carry `trustLevel`, but we read it
+    // defensively so future config extensions can propagate without a shape bump.
+    const rawDefaultTrust = cfg.defaultRoute
+        .trustLevel;
+    const defaultRoute = {
+        runtime: cfg.defaultRoute.adapter,
+        cwd: cfg.defaultRoute.cwd,
+        extraArgs: cfg.defaultRoute.extraArgs,
+        // queueMode: omitted — dispatcher's kind-based default wins
+        // (direct → cancel-previous, group → serial).
+        trustLevel: mapTrustLevel(rawDefaultTrust),
+    };
+    const routes = (cfg.routes ?? []).map(mapRoute);
+    // Synthesize a per-agent route for every bound agent and hand it to the
+    // gateway via the managed-routes bucket (plan §10.1). User-authored
+    // `cfg.routes[]` stay untouched so an explicit operator override still
+    // wins on conflict — the gateway matches `routes[] → managedRoutes →
+    // defaultRoute` in that order.
+    const managedMap = buildManagedRoutes(agentIds, opts.agentRuntimes ?? {}, defaultRoute);
+    return {
+        channels,
+        defaultRoute,
+        routes,
+        managedRoutes: Array.from(managedMap.values()),
+        streamBlocks: cfg.streamBlocks,
+    };
+}
+/**
+ * Build the daemon's managed per-agent routes. Emits exactly one route per
+ * `agentId`, keyed by `accountId`. `runtime` comes from the agent's cached
+ * metadata when present (credentials file), otherwise falls back to
+ * `defaultRoute.runtime`. `cwd` prefers the cached value but falls back to
+ * the agent's workspace directory (see plan §10) so every agent runs inside
+ * its own dedicated tree by default.
+ *
+ * Iteration order of `agentIds` is preserved in the resulting Map for test
+ * determinism; the gateway router does not depend on map order.
+ *
+ * Exported so `reload_config` and `provisionAgent` hot-add can share the
+ * same synthesis logic (plan §10.5).
+ */
+export function buildManagedRoutes(agentIds, agentRuntimes, defaultRoute) {
+    const out = new Map();
+    for (const agentId of agentIds) {
+        const meta = agentRuntimes[agentId] ?? {};
+        out.set(agentId, {
+            match: { accountId: agentId },
+            runtime: meta.runtime ?? defaultRoute.runtime,
+            cwd: meta.cwd || agentWorkspaceDir(agentId),
+        });
+    }
+    return out;
+}