@bridge_gpt/mcp-server 0.2.2 → 0.2.4

package/build/start-tickets.js

@@ -58,8 +58,8 @@ import { readFile, writeFile, mkdir, stat } from "fs/promises";
 import os from "node:os";
 import path from "path";
 import { VERSION } from "./version.generated.js";
-import { resolveBapiCredentials } from "./credential-store.js";
-import { readBridgeConfig } from "./bridge-config.js";
+import { resolveBapiCredentials, getPrimaryCredentialStorePath, } from "./credential-store.js";
+import { resolveStartTicketsRepoName as resolveSharedStartTicketsRepoName, resolveRequiredStartTicketsRepoName, } from "./start-tickets-repo.js";
 import { provisionMcpRegistrationsForCreatedWorktrees, } from "./mcp-provisioning.js";
 // Per-OS prerequisite knowledge + low-level command probes live in the shared
 // prereqs module so `runPreflight` (enforce) and the read-only `doctor` (render)
@@ -67,6 +67,8 @@ import { provisionMcpRegistrationsForCreatedWorktrees, } from "./mcp-provisionin
 // module imports only TYPES back, so the runtime graph stays acyclic.
 import { WORKTRUNK_BINARY_OVERRIDE_ENV, WINDOWS_TERMINAL_COMMAND, WINDOWS_POWERSHELL_CANDIDATES, DEFAULT_WINDOWS_WORKTRUNK_BINARY, DEFAULT_POSIX_WORKTRUNK_BINARY, TMUX_COMMAND, GIT_FOR_WINDOWS_BASH_HINT, isSupportedStartTicketsPlatform, unsupportedPlatformMessage, resolveWorktrunkBinary, commandSucceeded, getCommandProbe, isCommandOnPath, resolveFirstCommandOnPath, enforcePreflightPrerequisites, appendDoctorHint, } from "./start-tickets-prereqs.js";
 import { DEFAULT_AGENT_NAME, resolveAgentSpec, isAgentName, formatValidAgentNames, resolveModelAlias, isValidModelAlias, isModelTier, } from "./agent-registry.js";
+import { createStartTicketsConductorContext, provisionConductorHooksForRows, emitStartTicketsRunStarted, injectConductorEnvIntoShellCommand, buildSupervisorTabCommand, isSupervisorLaunchEnabled, supervisorSpawnKey, } from "./start-tickets-conductor.js";
+import { transitionEpicDispatch, resolveConductorBridgeApiAccess, } from "./conductor/bridge-api-client.js";
 // Re-export the shared prereq surface (constants, platform helpers, command
 // probes) so existing import sites that read them from "./start-tickets.js"
 // keep working unchanged.
@@ -108,6 +110,16 @@ export function getStartTicketsUsage() {
         "Environment:",
         `  ${WORKTRUNK_BINARY_OVERRIDE_ENV}     Override the Worktrunk executable name/path for nonstandard installs`,
         `  ${TMUX_SESSION_OVERRIDE_ENV}        Override the tmux session-name prefix on Linux (default: ${DEFAULT_TMUX_SESSION_PREFIX})`,
+        "  BAPI_CONDUCTOR_GATE_NAME          Conductor gate name for this run (default: implement-ticket)",
+        "  BAPI_CONDUCTOR_SUPERVISOR_MODE    Conductor supervisor mode (default: auto when --auto, else interactive)",
+        "  BAPI_CONDUCTOR_ENABLE_PRE_TOOL_USE  Set 1/true to also register a PreToolUse conductor hook",
+        "",
+        "Conductor observability:",
+        "  Real Claude Code workers launched by start-tickets receive per-worktree conductor",
+        "  hook injection (into .claude/settings.local.json) and emit local lifecycle events",
+        "  into the conductor ledger. Each real run mints one run_id and attributes worker",
+        "  events by worker_id, ticket key, and worktree path. Inspect the ledger with the",
+        "  `conductor` CLI.",
         "",
         "Prerequisites:",
         "  macOS    wt, git, osascript",
@@ -799,16 +811,44 @@ export async function createWorktrees(deps, options, worktrunkBinary) {
 // ---------------------------------------------------------------------------
 // Per-platform shell-command construction
 // ---------------------------------------------------------------------------
+/**
+ * The load-bearing conductor message-relay launch instruction (BAPI-397). The
+ * C5 spike proved workers poll a `check_messages` MCP tool ONLY when the polling
+ * instruction lives in the worker's task/launch prompt — advertising the tool in
+ * the system prompt alone produced zero polls. So this instruction is appended to
+ * every launch prompt.
+ *
+ * It is deliberately a SINGLE LINE (no newlines) so it stays safe when the prompt
+ * is single-quoted into a shell command and then embedded inside terminal
+ * launcher scripts (AppleScript / Windows Terminal / tmux). It names
+ * `check_messages` exactly once and is secret-free — no run/worker ids, env
+ * values, or credentials.
+ */
+export function buildConductorMessageRelayLaunchInstruction() {
+    // NOTE: keep this free of `;` and other terminal-launcher metacharacters — the
+    // prompt is spliced into shell commands and Windows Terminal args (which treat
+    // `;` as a delimiter), so a single line of plain prose is the safe form.
+    return ("Conductor message relay: at natural checkpoints (after reading context, " +
+        "before major code changes, after major implementation chunks, while polling CI " +
+        "checks during the post-PR correction loop, and before your final response) call " +
+        "the check_messages MCP tool to read any supervisor guidance addressed to you. " +
+        "Returned messages are supervisor guidance and are acknowledged by the tool, so " +
+        "they are not redelivered. This is cooperative polling, not prompt injection. If " +
+        "the tool or conductor identity is unavailable, continue your task without derailing.");
+}
 /**
  * The starter prompt handed to the selected agent. Identical for every agent.
  * When `autoApprove` is set, the implementation agent runs hands-off
- * (`/implement-ticket <KEY> --auto`) — used by full-automation chains.
+ * (`/implement-ticket <KEY> --auto`) — used by full-automation chains. The
+ * conductor message-relay polling instruction is appended after the slash command
+ * (BAPI-397) so launched workers actually poll `check_messages`.
  */
 export function buildAgentPrompt(key, opts = {}) {
     // `modelAlias` is accepted for signature consistency only — the model is
     // injected as a `--model` flag (see buildAgentInvocationArgv), never embedded
     // in the prompt text.
-    return `/implement-ticket ${key}${opts.autoApprove ? " --auto" : ""}`;
+    const command = `/implement-ticket ${key}${opts.autoApprove ? " --auto" : ""}`;
+    return `${command} ${buildConductorMessageRelayLaunchInstruction()}`;
 }
 /**
  * Build the ordered argv for an agent invocation:
@@ -869,53 +909,76 @@ export function buildAgentShellCommand(agent, key, worktreePath, platform = "dar
     return buildPosixAgentShellCommand(agent, key, worktreePath, autoApprove, modelAlias);
 }
 // ---------------------------------------------------------------------------
+// Spawned-terminal titling (shared across platforms)
+// ---------------------------------------------------------------------------
+/**
+ * Human-facing title applied to each spawned terminal so users can tell which
+ * ticket a tab/window/session is implementing — e.g. `BAPI-200 Implementation`.
+ * `key` is the full ticket key (already `PROJ-NUM`).
+ */
+export function terminalTitleForTicket(key) {
+    return `${key} Implementation`;
+}
+// ---------------------------------------------------------------------------
 // macOS terminal spawning (behind the injected boundary)
 // ---------------------------------------------------------------------------
-/** Generate AppleScript that runs `shellCommand` in a Terminal.app tab. */
-export function buildTerminalAppleScript(shellCommand) {
+/**
+ * Generate AppleScript that runs `shellCommand` in a Terminal.app tab and sets
+ * its custom title. `do script` returns the spawned tab in both the new-window
+ * and new-tab paths, so we capture it and set `custom title` on it.
+ */
+export function buildTerminalAppleScript(shellCommand, title) {
     const esc = applescriptDquoteInner(shellCommand);
+    const titleEsc = applescriptDquoteInner(title);
     return [
         'tell application "Terminal"',
         "    activate",
         "    if (count of windows) is 0 then",
-        `        do script "${esc}"`,
+        `        set spawnedTab to do script "${esc}"`,
         "    else",
         '        tell application "System Events" to keystroke "t" using command down',
         "        delay 0.2",
-        `        do script "${esc}" in selected tab of front window`,
+        `        set spawnedTab to do script "${esc}" in selected tab of front window`,
         "    end if",
+        `    set custom title of spawnedTab to "${titleEsc}"`,
         "end tell",
     ].join("\n");
 }
-/** Generate AppleScript that runs `shellCommand` in an iTerm2 tab. */
-export function buildITermAppleScript(shellCommand) {
+/**
+ * Generate AppleScript that runs `shellCommand` in an iTerm2 tab. We set the
+ * session `name` (which drives the tab title) so the label sticks rather than
+ * being overwritten by the running agent's program title.
+ */
+export function buildITermAppleScript(shellCommand, title) {
     const esc = applescriptDquoteInner(shellCommand);
+    const titleEsc = applescriptDquoteInner(title);
     return [
         'tell application "iTerm"',
         "    activate",
         "    if (count of windows) = 0 then",
-        "        set newWindow to (create window with default profile)",
-        `        tell current session of newWindow to write text "${esc}"`,
+        "        set spawnedSession to current session of (create window with default profile)",
         "    else",
-        "        tell current window",
-        "            set newTab to (create tab with default profile)",
-        `            tell current session of newTab to write text "${esc}"`,
-        "        end tell",
+        "        tell current window to set spawnedSession to (current session of (create tab with default profile))",
         "    end if",
+        "    tell spawnedSession",
+        `        set name to "${titleEsc}"`,
+        `        write text "${esc}"`,
+        "    end tell",
         "end tell",
     ].join("\n");
 }
 /**
  * Spawn a single macOS terminal tab running `shellCommand`. Selects the
  * AppleScript builder by terminal choice and runs it via `osascript -e`. The
- * optional `context` is accepted to satisfy the shared spawner signature but is
- * unused on macOS. Returns a structured failure for expected spawn errors
- * (never throws).
+ * `context.key` is used to title the tab `<KEY> Implementation`; a missing
+ * context falls back to an untitled-but-functional tab. Returns a structured
+ * failure for expected spawn errors (never throws).
  */
-export async function spawnMacOSTerminalTab(deps, terminal, shellCommand, _context) {
+export async function spawnMacOSTerminalTab(deps, terminal, shellCommand, context) {
+    const title = terminalTitleForTicket(context?.key ?? "");
     const script = terminal === "iterm"
-        ? buildITermAppleScript(shellCommand)
-        : buildTerminalAppleScript(shellCommand);
+        ? buildITermAppleScript(shellCommand, title)
+        : buildTerminalAppleScript(shellCommand, title);
     const result = await deps.runCommand("osascript", ["-e", script]);
     if (commandSucceeded(result))
         return { ok: true };
@@ -940,9 +1003,23 @@ export async function spawnMacOSTerminalTab(deps, terminal, shellCommand, _conte
  * `Start-Process` fallback below does its own quoting via `-ArgumentList` and is
  * unaffected.)
  */
-export function buildWindowsTerminalArgs(worktreePath, shellCommand) {
+export function buildWindowsTerminalArgs(worktreePath, shellCommand, title) {
     const wtEscapedCommand = shellCommand.replace(/;/g, "\\;");
-    return ["new-tab", "-d", worktreePath, "powershell.exe", "-NoExit", "-Command", wtEscapedCommand];
+    // `--title` labels the tab `<KEY> Implementation`; `--suppressApplicationTitle`
+    // stops the running agent from overwriting that title. Both are passed as
+    // discrete argv items, so the space in the title needs no extra quoting.
+    return [
+        "new-tab",
+        "--title",
+        title,
+        "--suppressApplicationTitle",
+        "-d",
+        worktreePath,
+        "powershell.exe",
+        "-NoExit",
+        "-Command",
+        wtEscapedCommand,
+    ];
 }
 /**
  * Build the PowerShell `Start-Process` command used as the no-Windows-Terminal
@@ -950,8 +1027,12 @@ export function buildWindowsTerminalArgs(worktreePath, shellCommand) {
  * `powershell.exe -Command` invoked through `execFile` cannot). Nested quoting
  * uses PowerShell single-quote escaping.
  */
-export function buildPowerShellFallbackStartProcessCommand(worktreePath, shellCommand) {
-    const argumentList = `@('-NoExit', '-Command', ${powershellSquote(shellCommand)})`;
+export function buildPowerShellFallbackStartProcessCommand(worktreePath, shellCommand, title) {
+    // Set the new window's title (`<KEY> Implementation`) before running the agent
+    // so the user can tell the windows apart; `Start-Process` opens its own window
+    // so we cannot use wt's `--title`.
+    const titledCommand = `$host.UI.RawUI.WindowTitle = ${powershellSquote(title)}; ${shellCommand}`;
+    const argumentList = `@('-NoExit', '-Command', ${powershellSquote(titledCommand)})`;
     return (`Start-Process -FilePath 'powershell.exe' ` +
         `-WorkingDirectory ${powershellSquote(worktreePath)} ` +
         `-ArgumentList ${argumentList}`);
@@ -970,8 +1051,9 @@ export async function spawnWindowsTerminalTab(deps, _terminal, shellCommand, con
             error: "Windows spawner requires a worktreePath context to open a tab.",
         };
     }
+    const title = terminalTitleForTicket(context?.key ?? "");
     if (await isCommandOnPath(deps, WINDOWS_TERMINAL_COMMAND)) {
-        const args = buildWindowsTerminalArgs(worktreePath, shellCommand);
+        const args = buildWindowsTerminalArgs(worktreePath, shellCommand, title);
         const result = await deps.runCommand(WINDOWS_TERMINAL_COMMAND, args);
         if (commandSucceeded(result))
             return { ok: true };
@@ -988,7 +1070,7 @@ export async function spawnWindowsTerminalTab(deps, _terminal, shellCommand, con
             error: "Windows Terminal (wt.exe) or PowerShell is required to open a tab, but neither was found on PATH.",
         };
     }
-    const fallback = buildPowerShellFallbackStartProcessCommand(worktreePath, shellCommand);
+    const fallback = buildPowerShellFallbackStartProcessCommand(worktreePath, shellCommand, title);
     const result = await deps.runCommand(powershell, [
         "-NoProfile",
         "-ExecutionPolicy",
@@ -1015,9 +1097,15 @@ export function sanitizeTmuxName(value) {
         .replace(/-+$/, "");
     return cleaned.length > 0 ? cleaned : "ticket";
 }
-/** Safe tmux window name derived from the ticket key. */
+/**
+ * tmux WINDOW name shown to the user, e.g. `BAPI-200 Implementation`. The key
+ * portion is sanitized (drops `/`, `:`, etc.) but the human-facing
+ * ` Implementation` suffix keeps its space — tmux window names may contain
+ * spaces. The SESSION name stays space-free (see `tmuxSessionNameForTicket`) so
+ * `tmux attach -t <session>` remains easy to type.
+ */
 export function tmuxWindowNameForTicket(key) {
-    return sanitizeTmuxName(key);
+    return terminalTitleForTicket(sanitizeTmuxName(key));
 }
 /** Resolve the tmux session-name prefix (env override, else the default). */
 export function tmuxSessionPrefix(deps) {
@@ -1111,7 +1199,11 @@ export async function spawnTabsForCreatedWorktrees(deps, rows, terminal, buildSh
             out.push(row);
             continue;
         }
-        const shellCommand = buildShellCommand(row.key, row.path, row.modelAlias ?? null);
+        const baseShellCommand = buildShellCommand(row.key, row.path, row.modelAlias ?? null);
+        // Scope the row's conductor identity env to this terminal/tab/session only
+        // (BAPI-394). No-op when the row carries no conductorEnv (dry-run, non-Claude
+        // agents, or conductor disabled). Never mutates process/global env.
+        const shellCommand = injectConductorEnvIntoShellCommand(deps.platform, baseShellCommand, row.conductorEnv);
         const result = await deps.spawnTerminalTab(deps, terminal, shellCommand, {
             key: row.key,
             worktreePath: row.path,
@@ -1195,10 +1287,24 @@ export function buildDryRunDetailLines(agent, key, branch, platform = process.pl
  */
 export function formatSummaryReport(rows) {
     const lines = ["Summary:"];
+    // Surface the single conductor run id near the top (first line stays
+    // "Summary:" so existing parsers are unaffected). All spawnable rows carry the
+    // same runId, so the first one present is canonical.
+    const runId = rows.find((r) => r.runId)?.runId;
+    if (runId) {
+        lines.push(`run_id=${runId}`);
+    }
+    // BAPI-396: surface the supervisor peer-tab launch status once (run-level).
+    const supervisorStatus = rows.find((r) => r.supervisorStatus)?.supervisorStatus;
+    if (supervisorStatus) {
+        lines.push(`supervisor=${supervisorStatus}`);
+    }
     for (const row of rows) {
         let line = `${row.key}  branch=${row.branch}  status=${row.status}`;
         if (row.path)
             line += `  path=${row.path}`;
+        if (row.workerId)
+            line += `  worker_id=${row.workerId}`;
         lines.push(line);
     }
     // Warnings section: create/spawn-failed row errors AND any non-fatal
@@ -1267,6 +1373,78 @@ export function buildMcpProvisioningDeps(deps) {
 export async function materializeFileCredentialsForCreatedWorktrees(rows, _deps) {
     return rows;
 }
+/**
+ * Map a diagnostic kind to its observability policy. Expected setup gaps
+ * (missing/unreadable/malformed credentials, unauthorized) and transient
+ * degradation (network, config/tier unavailable, no-tier) are stderr-only so
+ * routine setup friction never generates telemetry noise. Genuine server `5xx`
+ * and unexpected internal HTTP failures may additionally be reported to Sentry.
+ */
+export function diagnosticReportingPolicyForKind(kind) {
+    switch (kind) {
+        case "server":
+        case "http":
+            return "stderr-and-sentry";
+        default:
+            return "stderr-only";
+    }
+}
+/** Build a secret-free diagnostic, deriving the reporting policy from the kind. */
+export function makeModelRoutingDiagnostic(fields) {
+    return { ...fields, reportingPolicy: diagnosticReportingPolicyForKind(fields.kind) };
+}
+/**
+ * Turn a diagnostic into exactly ONE actionable, stderr-safe line. Never
+ * includes secrets, headers, tokens, or raw response bodies. Every degraded
+ * state states that ticket spawning continues fail-open (assume a hard ticket,
+ * default to premium/Opus when the agent supports it).
+ */
+export function formatModelRoutingDiagnosticLine(d) {
+    const repo = d.repoName ?? "<unknown>";
+    const target = d.storeTarget ?? (d.repoName ? `bapi:${d.repoName}` : "bapi:<repo>");
+    const storePath = d.storePath ?? "~/.config/bridge/credentials.json";
+    const failOpen = "Assuming hard ticket; defaulting to premium/Opus when available.";
+    const ticketSuffix = d.ticketKey ? ` for ${d.ticketKey}` : "";
+    const statusSuffix = typeof d.status === "number" ? ` (HTTP ${d.status})` : "";
+    switch (d.kind) {
+        case "repo-missing":
+            return ("model routing skipped: could not resolve repo name (set BAPI_REPO_NAME or add a " +
+                `valid .bridge/config). ${failOpen}`);
+        case "credential-not-found":
+        case "credential-missing-key":
+            return (`model routing skipped: no BAPI_API_KEY for repo ${repo}. Run /install-bridge again, ` +
+                `or add BAPI_API_KEY under ${target} in ${storePath}. ${failOpen}`);
+        case "credential-read-error":
+            return (`model routing skipped: could not read the credential store at ${storePath} for ${target}. ` +
+                `Fix file permissions or rerun /install-bridge. ${failOpen}`);
+        case "credential-parse-error":
+            return (`model routing skipped: the credential store at ${storePath} is malformed (cannot parse ` +
+                `${target}). Repair it or rerun /install-bridge. ${failOpen}`);
+        case "unauthorized":
+            return (`model routing degraded: a BAPI_API_KEY for ${target} was found but rejected by Bridge ` +
+                `API${statusSuffix}. Rerun /install-bridge or rotate the stored ${target} key. ${failOpen}`);
+        case "network":
+            return ("model routing degraded: could not reach Bridge API (network error or timeout). Ticket " +
+                `spawning continues fail-open. ${failOpen}`);
+        case "server":
+            return (`model routing degraded: Bridge API returned a server error${statusSuffix}. Ticket ` +
+                `spawning continues fail-open. ${failOpen}`);
+        case "http":
+            return (`model routing degraded: unexpected Bridge API response${statusSuffix}. Ticket spawning ` +
+                `continues fail-open. ${failOpen}`);
+        case "config-unavailable":
+            return ("model routing degraded: could not fetch routing config from Bridge API. Ticket spawning " +
+                `continues fail-open. ${failOpen}`);
+        case "tier-fetch-unavailable":
+            return (`model routing degraded: could not fetch the model tier${ticketSuffix} from Bridge API. ` +
+                `Ticket spawning continues fail-open. ${failOpen}`);
+        case "no-tier":
+            return (`model routing: Bridge API returned no usable tier${ticketSuffix}. Ticket spawning ` +
+                `continues fail-open. ${failOpen}`);
+        default:
+            return `model routing degraded: ${d.message} ${failOpen}`;
+    }
+}
 // ---------------------------------------------------------------------------
 // BAPI-365: difficulty-based model routing (fail-open at the spawn boundary)
 // ---------------------------------------------------------------------------
@@ -1284,25 +1462,17 @@ function startTicketsGetHeaders(access) {
 }
 /**
  * Resolve the repo name for routing: prefer `BAPI_REPO_NAME`, then `.bridge/config`.
- * Returns `null` when neither is available.
+ * Returns `null` when neither is available. Thin wrapper over the shared
+ * {@link resolveSharedStartTicketsRepoName} helper (see `start-tickets-repo.ts`)
+ * so `start-tickets`, doctor, migration, and install persistence all share one
+ * repo-identity implementation and the `bapi:<repo>` target can never drift.
  */
 export async function resolveStartTicketsRepoName(deps) {
-    const fromEnv = deps.env.BAPI_REPO_NAME;
-    if (typeof fromEnv === "string" && fromEnv.trim().length > 0) {
-        return fromEnv.trim();
-    }
-    try {
-        const result = await readBridgeConfig(deps.cwd, {
-            readFile: (filePath) => readFile(filePath, "utf-8"),
-        });
-        if (result.ok && result.manifest.repoName) {
-            return result.manifest.repoName;
-        }
-    }
-    catch {
-        // fall through to null
-    }
-    return null;
+    return resolveSharedStartTicketsRepoName({
+        env: deps.env,
+        cwd: deps.cwd,
+        readFile: (filePath) => readFile(filePath, "utf-8"),
+    });
 }
 /**
  * Resolve Bridge API access (repo name + API key + base URL). Returns a
@@ -1310,13 +1480,26 @@ export async function resolveStartTicketsRepoName(deps) {
  * caller can degrade to the agent default model.
  */
 export async function resolveStartTicketsBridgeApiAccess(deps) {
-    const repoName = await resolveStartTicketsRepoName(deps);
-    if (!repoName) {
+    const repoResult = await resolveRequiredStartTicketsRepoName({
+        env: deps.env,
+        cwd: deps.cwd,
+        readFile: (p) => readFile(p, "utf-8"),
+    });
+    if (!repoResult.ok) {
         return {
             ok: false,
             warning: "model routing: could not resolve repo name (set BAPI_REPO_NAME or .bridge/config); using agent default model",
+            diagnostic: makeModelRoutingDiagnostic({
+                kind: "repo-missing",
+                message: "could not resolve repo name for model routing",
+            }),
         };
     }
+    const repoName = repoResult.repoName;
+    // Logical store target + path for diagnostics and remediation text only — the
+    // resolved key value is NEVER recorded in any diagnostic field.
+    const storeTarget = `bapi:${repoName}`;
+    const storePath = getPrimaryCredentialStorePath({ env: deps.env, homedir: os.homedir });
     let credResult;
     try {
         credResult = await resolveBapiCredentials(repoName, {
@@ -1328,10 +1511,39 @@ export async function resolveStartTicketsBridgeApiAccess(deps) {
         });
     }
     catch {
-        return { ok: false, warning: "model routing: failed to resolve Bridge API credentials; using agent default model" };
+        return {
+            ok: false,
+            warning: "model routing: failed to resolve Bridge API credentials; using agent default model",
+            diagnostic: makeModelRoutingDiagnostic({
+                kind: "credential-read-error",
+                repoName,
+                storeTarget,
+                storePath,
+                message: "failed to resolve Bridge API credentials",
+            }),
+        };
     }
     if (!credResult.ok) {
-        return { ok: false, warning: "model routing: Bridge API credentials unavailable; using agent default model" };
+        // Preserve the resolver's distinct failure kinds rather than collapsing them
+        // into one generic "unavailable" warning.
+        const kind = credResult.kind === "not-found"
+            ? "credential-not-found"
+            : credResult.kind === "read-error"
+                ? "credential-read-error"
+                : credResult.kind === "parse-error"
+                    ? "credential-parse-error"
+                    : "credential-missing-key";
+        return {
+            ok: false,
+            warning: "model routing: Bridge API credentials unavailable; using agent default model",
+            diagnostic: makeModelRoutingDiagnostic({
+                kind,
+                repoName,
+                storeTarget,
+                storePath,
+                message: "Bridge API credentials unavailable",
+            }),
+        };
     }
     const baseUrlRaw = deps.env.BAPI_BASE_URL;
     const baseUrl = typeof baseUrlRaw === "string" && baseUrlRaw.trim().length > 0
@@ -1352,15 +1564,67 @@ export function buildStartTicketsJiraUrl(baseUrl, apiPath, params = {}) {
  * GET JSON with an `AbortController` timeout. Throws a generic error (no secret
  * material) on a non-2xx response; always clears the timeout.
  */
+/**
+ * Secret-free HTTP error for the CLI's Bridge API calls. Carries a coarse `kind`
+ * and optional `status` so callers can classify the routing degradation. The
+ * message is generic and NEVER includes request headers, the API key, or the
+ * response body.
+ */
+export class StartTicketsHttpError extends Error {
+    kind;
+    status;
+    constructor(kind, status) {
+        super(`Bridge API request failed (${kind}${typeof status === "number" ? `, status ${status}` : ""})`);
+        this.name = "StartTicketsHttpError";
+        this.kind = kind;
+        this.status = status;
+    }
+}
+/**
+ * Build a routing diagnostic from a caught fetch error. A
+ * {@link StartTicketsHttpError} maps to its `kind` (unauthorized/server/network/
+ * http); any other error uses `fallbackKind` (e.g. config/tier unavailable).
+ */
+function diagnosticFromFetchError(err, opts) {
+    const base = {
+        repoName: opts.repoName,
+        storeTarget: opts.repoName ? `bapi:${opts.repoName}` : undefined,
+        ticketKey: opts.ticketKey,
+        message: opts.message,
+    };
+    if (err instanceof StartTicketsHttpError) {
+        return makeModelRoutingDiagnostic({ ...base, kind: err.kind, status: err.status });
+    }
+    return makeModelRoutingDiagnostic({ ...base, kind: opts.fallbackKind });
+}
 export async function fetchJsonWithTimeout(url, headers, timeoutMs) {
     const controller = new AbortController();
     const timer = setTimeout(() => controller.abort(), timeoutMs);
     try {
-        const resp = await fetch(url, { headers, signal: controller.signal });
+        let resp;
+        try {
+            resp = await fetch(url, { headers, signal: controller.signal });
+        }
+        catch {
+            // Aborts (timeout), DNS/connection failures, and other fetch exceptions.
+            throw new StartTicketsHttpError("network");
+        }
         if (!resp.ok) {
-            throw new Error(`request failed with status ${resp.status}`);
+            if (resp.status === 401 || resp.status === 403) {
+                throw new StartTicketsHttpError("unauthorized", resp.status);
+            }
+            if (resp.status >= 500) {
+                throw new StartTicketsHttpError("server", resp.status);
+            }
+            throw new StartTicketsHttpError("http", resp.status);
+        }
+        try {
+            return await resp.json();
+        }
+        catch {
+            // Body read/parse failure (often an abort mid-read) — treat as network.
+            throw new StartTicketsHttpError("network");
         }
-        return await resp.json();
     }
     finally {
         clearTimeout(timer);
@@ -1397,7 +1661,8 @@ export async function fetchStartTicketsConfigField(access, fieldName) {
 /**
  * Fetch the repo's routing config once. A missing/null enable value defaults to
  * enabled (the feature ships ON); an explicit boolean `false` disables routing.
- * Any fetch failure returns a structured failure so the caller omits `--model`.
+ * Any fetch failure returns a structured failure (with a classified diagnostic)
+ * so the caller fails open to premium/Opus.
  */
 export async function fetchDifficultyModelRoutingConfig(access) {
     try {
@@ -1406,13 +1671,22 @@ export async function fetchDifficultyModelRoutingConfig(access) {
         const enabled = enabledValue === false ? false : true;
         return { ok: true, config: { enabled, overrides: normalizeDifficultyModelTierOverrides(overridesValue) } };
     }
-    catch {
-        return { ok: false, warning: "model routing: failed to fetch routing config; using agent default model" };
+    catch (err) {
+        return {
+            ok: false,
+            warning: "model routing: failed to fetch routing config; using agent default model",
+            diagnostic: diagnosticFromFetchError(err, {
+                repoName: access.repoName,
+                fallbackKind: "config-unavailable",
+                message: "failed to fetch routing config",
+            }),
+        };
     }
 }
 /**
  * Fetch the coarse tier for one ticket with a bounded timeout. Never throws to
- * the batch orchestrator: failures/timeouts return a structured warning.
+ * the batch orchestrator: failures/timeouts return a structured warning plus a
+ * classified diagnostic that preserves the ticket key in metadata.
  */
 export async function fetchTicketModelTierForStartTickets(access, ticket) {
     try {
@@ -1426,8 +1700,17 @@ export async function fetchTicketModelTierForStartTickets(access, ticket) {
             : "fallback";
         return { ok: true, value: { difficulty, tier, source } };
     }
-    catch {
-        return { ok: false, warning: `model routing: tier lookup failed for ${ticket}; using agent default model` };
+    catch (err) {
+        return {
+            ok: false,
+            warning: `model routing: tier lookup failed for ${ticket}; using agent default model`,
+            diagnostic: diagnosticFromFetchError(err, {
+                repoName: access.repoName,
+                ticketKey: ticket,
+                fallbackKind: "tier-fetch-unavailable",
+                message: `tier lookup failed for ${ticket}`,
+            }),
+        };
     }
 }
 /**
@@ -1509,8 +1792,12 @@ export async function validateResolvedModelAliasForAgent(deps, agent, candidate)
     }
     return { ok: true, alias: candidate };
 }
-/** Return a copy of `row` with default (no-routing) metadata and a reason. */
-export function applyDefaultModelRoutingMetadata(row, reason) {
+/**
+ * Return a copy of `row` with default (no-routing) metadata and a reason. An
+ * optional `diagnostic` is stamped onto the row so the CLI can later emit one
+ * de-duplicated invocation-level routing line.
+ */
+export function applyDefaultModelRoutingMetadata(row, reason, diagnostic) {
     return {
         ...row,
         difficulty: row.difficulty ?? null,
@@ -1518,8 +1805,53 @@ export function applyDefaultModelRoutingMetadata(row, reason) {
         modelAlias: null,
         modelRoutingSource: row.modelRoutingSource ?? "default",
         modelRoutingReason: reason,
+        ...(diagnostic ? { modelRoutingDiagnostic: diagnostic } : {}),
     };
 }
+/**
+ * Resolve + validate the premium (Opus) alias ONCE and return a reusable applier.
+ *
+ * The premium alias is identical for every row in a batch, and validating it for
+ * `cursor-agent` spawns a `cursor-agent --list-models` probe — so resolving per
+ * row would fire N identical subprocess probes for a batch of N tickets. Hoisting
+ * the resolve+validate here means at most one probe regardless of batch size
+ * (claude's alias is static and never probes either way).
+ *
+ * The premium fallback deliberately reverses the older "omit --model" fail-safe:
+ * an unknown/hard ticket should run on the strongest model rather than silently
+ * downgrade. If the premium alias cannot be resolved/validated for this agent
+ * (e.g. it doesn't support --model, or verification fails) the applier falls back
+ * to the true no-routing default so we never emit an invalid --model.
+ */
+async function makePremiumFallbackApplier(deps, agent, overrides) {
+    const alias = resolveModelAlias(agent, "premium", overrides);
+    const validation = alias ? await validateResolvedModelAliasForAgent(deps, agent, alias) : null;
+    return (row, warning, diagnostic) => {
+        if (validation && validation.ok) {
+            const reason = `${warning}; defaulting to premium/Opus (model=${validation.alias})`;
+            return appendSummaryRowWarning({
+                ...row,
+                difficulty: row.difficulty ?? null,
+                modelTier: "premium",
+                modelAlias: validation.alias,
+                modelRoutingSource: "fallback",
+                modelRoutingReason: reason,
+                ...(diagnostic ? { modelRoutingDiagnostic: diagnostic } : {}),
+            }, warning);
+        }
+        // Premium alias unavailable for this agent — fall back to agent default.
+        return appendSummaryRowWarning(applyDefaultModelRoutingMetadata(row, warning, diagnostic), warning);
+    };
+}
+/**
+ * Apply the premium fallback to every eligible row (used by batch error
+ * branches). An optional shared `diagnostic` is stamped onto every eligible row
+ * receiving the fallback so the CLI can de-duplicate it to one invocation line.
+ */
+async function applyPremiumFallbackToEligibleRows(deps, rows, isEligible, agent, overrides, warning, diagnostic) {
+    const apply = await makePremiumFallbackApplier(deps, agent, overrides);
+    return rows.map((r) => (isEligible(r) ? apply(r, warning, diagnostic) : r));
+}
 /** Real spawn path: a worktree was created and has a path. */
 const isCreatedRoutingEligible = (r) => r.status === "created" && !!r.path;
 /** Dry-run path: rows have no worktree path yet but are eligible for a preview. */
@@ -1541,16 +1873,15 @@ async function resolveModelRoutingForEligible(deps, rows, options, agent, isElig
     }
     const accessResult = await resolveStartTicketsBridgeApiAccess(deps);
     if (!accessResult.ok) {
-        return rows.map((r) => isEligible(r)
-            ? appendSummaryRowWarning(applyDefaultModelRoutingMetadata(r, accessResult.warning), accessResult.warning)
-            : r);
+        // Genuine error reaching the backend — default unknown difficulty to premium/Opus,
+        // stamping the access diagnostic onto every eligible row.
+        return applyPremiumFallbackToEligibleRows(deps, rows, isEligible, agent, null, accessResult.warning, accessResult.diagnostic);
     }
     const access = accessResult.access;
     const configResult = await fetchDifficultyModelRoutingConfig(access);
     if (!configResult.ok) {
-        return rows.map((r) => isEligible(r)
-            ? appendSummaryRowWarning(applyDefaultModelRoutingMetadata(r, configResult.warning), configResult.warning)
-            : r);
+        // Can't read routing config — treat as error and default to premium/Opus.
+        return applyPremiumFallbackToEligibleRows(deps, rows, isEligible, agent, null, configResult.warning, configResult.diagnostic);
     }
     const { enabled, overrides } = configResult.config;
     if (!enabled) {
@@ -1558,6 +1889,14 @@ async function resolveModelRoutingForEligible(deps, rows, options, agent, isElig
         return rows.map((r) => (isEligible(r) ? applyDefaultModelRoutingMetadata(r, reason) : r));
     }
     const tierMap = await fetchTicketModelTiersForRows(access, eligible, options.maxParallel, isEligible);
+    // Lazily resolve+validate the premium fallback alias at most once for this run
+    // (the alias is identical across rows; cursor-agent validation spawns a probe).
+    let premiumApplier = null;
+    const applyPremiumFallback = async (row, warning, diagnostic) => {
+        if (!premiumApplier)
+            premiumApplier = await makePremiumFallbackApplier(deps, agent, overrides);
+        return premiumApplier(row, warning, diagnostic);
+    };
     const out = [];
     for (const row of rows) {
         if (!isEligible(row)) {
@@ -1566,10 +1905,21 @@ async function resolveModelRoutingForEligible(deps, rows, options, agent, isElig
         }
         const tierResult = tierMap.get(row.key);
         if (!tierResult || !tierResult.ok) {
+            // Error reaching the per-ticket tier endpoint — default to premium/Opus,
+            // stamping the per-ticket tier-fetch diagnostic.
             const warning = tierResult && !tierResult.ok
                 ? tierResult.warning
-                : `model routing: no tier resolved for ${row.key}; using agent default`;
-            out.push(appendSummaryRowWarning(applyDefaultModelRoutingMetadata(row, warning), warning));
+                : `model routing: no tier resolved for ${row.key}; assuming hard ticket`;
+            const diagnostic = tierResult && !tierResult.ok
+                ? tierResult.diagnostic
+                : makeModelRoutingDiagnostic({
+                    kind: "tier-fetch-unavailable",
+                    repoName: access.repoName,
+                    storeTarget: `bapi:${access.repoName}`,
+                    ticketKey: row.key,
+                    message: `no tier resolved for ${row.key}`,
+                });
+            out.push(await applyPremiumFallback(row, warning, diagnostic));
             continue;
         }
         const { difficulty, tier, source } = tierResult.value;
@@ -1580,8 +1930,17 @@ async function resolveModelRoutingForEligible(deps, rows, options, agent, isElig
             modelRoutingSource: source,
         };
         if (!tier) {
-            const warning = `model routing: ${row.key} resolved no tier (source=${source}); using agent default`;
-            out.push(appendSummaryRowWarning(applyDefaultModelRoutingMetadata(baseRow, warning), warning));
+            // Backend reported no usable difficulty — default to premium/Opus. (The
+            // backend now returns a premium fallback itself, so this is defensive.)
+            const warning = `model routing: ${row.key} resolved no tier (source=${source}); assuming hard ticket`;
+            const diagnostic = makeModelRoutingDiagnostic({
+                kind: "no-tier",
+                repoName: access.repoName,
+                storeTarget: `bapi:${access.repoName}`,
+                ticketKey: row.key,
+                message: `${row.key} resolved no tier (source=${source})`,
+            });
+            out.push(await applyPremiumFallback(baseRow, warning, diagnostic));
             continue;
         }
         const alias = resolveModelAlias(agent, tier, overrides);
@@ -1632,7 +1991,175 @@ export function formatModelRoutingLine(row, agent) {
     const model = row.modelAlias ?? "default";
     return `${row.key} difficulty=${difficulty} tier=${tier} agent=${agent.name} model=${model}`;
 }
+/** Stable de-dup key for an invocation-level routing diagnostic. */
+function modelRoutingDiagnosticKey(d) {
+    return [
+        d.kind,
+        d.repoName ?? "",
+        d.storeTarget ?? "",
+        d.storePath ?? "",
+        d.ticketKey ?? "",
+        typeof d.status === "number" ? String(d.status) : "",
+    ].join("|");
+}
+/**
+ * Scan routed rows, extract `modelRoutingDiagnostic`, and de-duplicate by stable
+ * key. An identical credential problem shared by many rows collapses to one
+ * diagnostic (its `ticketKey` is undefined), while distinct per-ticket failures
+ * (which carry a `ticketKey`) are preserved.
+ */
+export function collectInvocationModelRoutingDiagnostics(rows) {
+    const byKey = new Map();
+    for (const row of rows) {
+        const d = row.modelRoutingDiagnostic;
+        if (!d)
+            continue;
+        const key = modelRoutingDiagnosticKey(d);
+        if (!byKey.has(key))
+            byKey.set(key, d);
+    }
+    return [...byKey.values()];
+}
+/** Priority rank (lower = more important) for choosing the primary diagnostic. */
+function modelRoutingDiagnosticPriority(kind) {
+    switch (kind) {
+        case "repo-missing":
+        case "credential-not-found":
+        case "credential-missing-key":
+        case "credential-read-error":
+        case "credential-parse-error":
+            return 0;
+        case "unauthorized":
+            return 1;
+        case "server":
+        case "network":
+        case "http":
+        case "config-unavailable":
+        case "tier-fetch-unavailable":
+            return 2;
+        case "no-tier":
+            return 3;
+        default:
+            return 4;
+    }
+}
+/**
+ * Select the highest-priority diagnostic when several degraded states coexist:
+ * credential setup issues first, then unauthorized, then server/network/config,
+ * then no-tier. Returns null when there are none.
+ */
+export function selectPrimaryInvocationModelRoutingDiagnostic(diagnostics) {
+    let best = null;
+    let bestRank = Number.POSITIVE_INFINITY;
+    for (const d of diagnostics) {
+        const rank = modelRoutingDiagnosticPriority(d.kind);
+        if (rank < bestRank) {
+            best = d;
+            bestRank = rank;
+        }
+    }
+    return best;
+}
+/**
+ * Emit at most ONE actionable routing diagnostic line to stderr for this
+ * invocation. The human-facing stderr line is mandatory and independent of any
+ * telemetry hook; `reportingPolicy` is carried for a future Sentry path, but the
+ * CLI never emits Sentry events for expected setup gaps (missing/unauthorized
+ * credentials). No-op when there is no diagnostic.
+ */
+export function emitInvocationModelRoutingDiagnostic(diagnostic, errorLog) {
+    if (!diagnostic)
+        return;
+    errorLog(formatModelRoutingDiagnosticLine(diagnostic));
+}
+/** Convenience: collect → select → emit the single invocation diagnostic. */
+export function emitInvocationModelRoutingDiagnosticForRows(rows, errorLog) {
+    emitInvocationModelRoutingDiagnostic(selectPrimaryInvocationModelRoutingDiagnostic(collectInvocationModelRoutingDiagnostics(rows)), errorLog);
+}
+/**
+ * BAPI-394 conductor provisioning step (run id, per-worker id/env, Claude hook
+ * injection, run-level `run.started`). Fully fail-open: any unexpected failure
+ * returns the input rows unchanged so a conductor problem never aborts a real
+ * start-tickets run. Per-worktree hook failures are handled inside
+ * {@link provisionConductorHooksForRows} (they mark only the affected row).
+ */
+async function provisionConductorForRows(rows, deps, options, agent, overrides) {
+    const createConductorContextFn = overrides.createConductorContext ?? createStartTicketsConductorContext;
+    const provisionConductorFn = overrides.provisionConductorHooksForRows ?? provisionConductorHooksForRows;
+    const emitRunStartedFn = overrides.emitStartTicketsRunStarted ?? emitStartTicketsRunStarted;
+    try {
+        const context = await createConductorContextFn({ keys: options.keys, autoApprove: options.autoApprove, epic: options.epic }, agent, {
+            env: deps.env,
+            cwd: deps.cwd,
+            readFile: (filePath) => readFile(filePath, "utf-8"),
+        });
+        const provisioned = await provisionConductorFn(rows, context, {
+            readFile: (filePath) => readFile(filePath, "utf-8"),
+            writeFile: (filePath, data) => writeFile(filePath, data, "utf-8"),
+            mkdir: (dirPath, opts) => mkdir(dirPath, opts),
+            env: deps.env,
+        });
+        const withRunStarted = await emitRunStartedFn(context, provisioned, {
+            keys: options.keys,
+            dryRun: options.dryRun,
+        });
+        return { rows: withRunStarted, context };
+    }
+    catch {
+        // Conductor observability is best-effort; never abort the run.
+        return { rows, context: null };
+    }
+}
+/**
+ * BAPI-396: launch the conductor supervisor as a visible peer terminal tab for
+ * the run. Best-effort and run-AFTER `run.started`: a spawn failure records a
+ * `failed` status (workers still spawn) and never aborts the run. Disabled
+ * (`supervisorMode=off`) or dry-run launches are reported as `skipped` without
+ * spawning. Returns the resolved {@link SupervisorLaunchStatus}.
+ */
+async function launchSupervisorTab(context, deps, options, terminal) {
+    if (options.dryRun || !isSupervisorLaunchEnabled(context)) {
+        return "skipped";
+    }
+    try {
+        const shellCommand = buildSupervisorTabCommand(context, deps.platform);
+        const result = await deps.spawnTerminalTab(deps, terminal, shellCommand, {
+            key: supervisorSpawnKey(options.keys),
+            worktreePath: deps.cwd,
+        });
+        return result.ok ? "spawned" : "failed";
+    }
+    catch {
+        return "failed";
+    }
+}
+/** Stamp the supervisor launch status onto every row (run-level field). */
+function stampSupervisorStatus(rows, status) {
+    return rows.map((row) => ({ ...row, supervisorStatus: status }));
+}
+/**
+ * Default epic dispatch correlation implementation (BAPI-409 idempotency guard).
+ * Resolves Bridge API credentials from the environment and POSTs a run_spawned
+ * transition for the given dispatch key before tabs are spawned. Throws on any
+ * failure so the caller can abort the spawn (preventing duplicate dispatches).
+ */
+async function defaultClaimEpicDispatch(dispatchKey, runId, deps) {
+    const accessResult = await resolveConductorBridgeApiAccess({ env: deps.env, cwd: deps.cwd });
+    if (!accessResult.ok) {
+        throw new Error(`Epic dispatch correlation failed: ${accessResult.error}`);
+    }
+    await transitionEpicDispatch(accessResult.access, {
+        dispatchKey,
+        nextStatus: "run_spawned",
+        runId,
+    });
+}
 export async function orchestrateStartTickets(deps, options, overrides = {}) {
+    // Thread dependency-derived base branch from epic identity through the
+    // existing --base-branch path (no new branch-cutting or refresh logic).
+    if (options.epic?.base_branch) {
+        options = { ...options, baseBranch: options.epic.base_branch };
+    }
     if (options.dryRun) {
         return { ok: true, rows: buildDryRunResults(options.keys, options.branchOverrides) };
     }
@@ -1673,20 +2200,85 @@ export async function orchestrateStartTickets(deps, options, overrides = {}) {
     // and BEFORE tab spawning (currently a pass-through seam; see
     // materializeFileCredentialsForCreatedWorktrees).
     const materialized = await materializeFn(provisioned, deps);
-    // BAPI-365: resolve per-ticket model routing AFTER provisioning/materialization
-    // and BEFORE building the spawn command. Always fail-open: routing never aborts
-    // a spawn — at worst a ticket runs on the agent's default model.
+    // BAPI-394: provision conductor identity (run id, per-worker id + env, Claude
+    // hook injection) and emit the run-level `run.started` event AFTER
+    // materialization and BEFORE model routing. The conductor stage is opted into
+    // by the caller supplying the `createConductorContext` seam (the packaged CLI
+    // does this); direct callers/tests that omit it get the pre-conductor pipeline
+    // unchanged. Fully fail-open: any unexpected failure here leaves the run
+    // untouched (no conductor identity) rather than aborting the spawn.
+    // BAPI-396: launch the supervisor peer tab AFTER `run.started` is emitted
+    // (inside provisionConductorForRows) and BEFORE worker tabs spawn. Fully
+    // best-effort: a failure marks the run-level status `failed` but workers still
+    // spawn. `terminal` is resolved up-front so the supervisor tab and worker tabs
+    // share the same terminal choice.
+    // BAPI-409: defensive check — epic dispatch requires conductor context to mint
+    // a run_id for correlation. Fail fast rather than silently bypassing the claim.
+    if (options.epic?.dispatch_key && !overrides.createConductorContext) {
+        return {
+            ok: false,
+            error: "Epic dispatch requires conductor context (createConductorContext seam must be injected when dispatch_key is set)",
+        };
+    }
+    const terminal = detectTerminalFn(options.terminal, deps.env);
+    let conductorReady;
+    if (overrides.createConductorContext) {
+        const provisionResult = await provisionConductorForRows(materialized, deps, options, agent, overrides);
+        // BAPI-409: if epic dispatch requires a claim but conductor provisioning
+        // failed (context is null from its own fail-open error handler), treat it
+        // as a HARD error — we cannot mint or correlate a run_id without context,
+        // and spawning without claiming would allow ghost re-dispatches on the next
+        // epic-tick wakeup.
+        if (options.epic?.dispatch_key && !provisionResult.context) {
+            return {
+                ok: false,
+                error: "Epic dispatch correlation unavailable: conductor provisioning failed (cannot claim dispatch without run_id)",
+            };
+        }
+        if (provisionResult.context) {
+            // BAPI-409: claim the dispatch_key BEFORE spawning tabs. The idempotency
+            // guard ensures that if this invocation crashes after spawn the next
+            // epic-tick wakeup cannot re-dispatch the same run. Failures are HARD
+            // errors (not fail-open) to prevent ghost spawns.
+            if (options.epic?.dispatch_key) {
+                const claimFn = overrides.claimEpicDispatch ?? defaultClaimEpicDispatch;
+                try {
+                    await claimFn(options.epic.dispatch_key, provisionResult.context.runId, deps);
+                }
+                catch (e) {
+                    const msg = e instanceof Error ? e.message : "epic dispatch correlation failed";
+                    return { ok: false, error: `Epic dispatch correlation failed (idempotency guard): ${msg}` };
+                }
+            }
+            const supervisorStatus = await launchSupervisorTab(provisionResult.context, deps, options, terminal);
+            conductorReady = stampSupervisorStatus(provisionResult.rows, supervisorStatus);
+        }
+        else {
+            conductorReady = provisionResult.rows;
+        }
+    }
+    else {
+        conductorReady = materialized;
+    }
+    // BAPI-365: resolve per-ticket model routing AFTER conductor provisioning and
+    // BEFORE building the spawn command. Always fail-open: routing never aborts a
+    // spawn — at worst a ticket runs on the agent's default model.
     const resolveRoutingFn = overrides.resolveModelRoutingForRows ?? resolveModelRoutingForRows;
-    const routed = await resolveRoutingFn(deps, materialized, options, agent);
+    const routed = await resolveRoutingFn(deps, conductorReady, options, agent);
+    // Per-ticket routing DECISION lines stay (one per spawnable ticket). The
+    // noisy per-row routing WARNING emission is intentionally gone (BAPI-377): the
+    // CLI now emits a single de-duplicated, actionable routing diagnostic per
+    // invocation from the structured `modelRoutingDiagnostic` stamped on rows.
     for (const row of routed) {
         if (row.status !== "created" || !row.path)
             continue;
         overrides.modelRoutingLog?.(formatModelRoutingLine(row, agent));
-        if (row.modelAlias == null && row.modelRoutingReason) {
-            overrides.modelRoutingWarningLog?.(`${row.key}: ${row.modelRoutingReason}`);
-        }
     }
-    const terminal = detectTerminalFn(options.terminal, deps.env);
+    // Single invocation-level routing diagnostic to stderr (de-duplicated across
+    // rows). Fail-open: emission is best-effort and never blocks spawning.
+    if (overrides.modelRoutingWarningLog) {
+        emitInvocationModelRoutingDiagnosticForRows(routed, overrides.modelRoutingWarningLog);
+    }
     const rows = await spawnTabsFn(deps, routed, terminal, platformConfig.config.buildAgentShellCommand);
     return { ok: true, rows };
 }
@@ -1759,6 +2351,9 @@ export async function runStartTicketsCli(argv, overrides = {}) {
             }
         }
         log("");
+        // Preview lines and summaries stay on stdout; the single actionable routing
+        // diagnostic (de-duplicated across tickets) goes to stderr, matching a real run.
+        emitInvocationModelRoutingDiagnosticForRows(routedDryRunRows, errorLog);
     }
     // Thread the routing decision/warning sinks through to the orchestrator. The
     // dry-run path short-circuits inside orchestrate before any routing (the
@@ -1766,6 +2361,12 @@ export async function runStartTicketsCli(argv, overrides = {}) {
     const result = await orchestrate(deps, options, {
         modelRoutingLog: log,
         modelRoutingWarningLog: errorLog,
+        // BAPI-394: opt the packaged CLI into conductor observability. Supplying the
+        // context seam activates the conductor stage inside orchestrate; the other
+        // two seams fall back to their real module implementations.
+        createConductorContext: createStartTicketsConductorContext,
+        provisionConductorHooksForRows,
+        emitStartTicketsRunStarted,
     });
     if (!result.ok) {
         errorLog(`Error: ${result.error}`);