@dmsdc-ai/aigentry-telepty 0.3.5 → 0.4.0

package/docs/superpowers/specs/2026-05-02-submit-force-and-retry.md

@@ -1,139 +0,0 @@
-# 2026-05-02 — `inject --submit-force` + idempotent client retry
-
-Closes task #347 (telepty 0.3.2 `--submit` prompt-symbol gate reliability —
-context-ref inject arrived at orchestrator but Enter was skipped when the
-input area had a transient render mismatch: autocomplete dropdown open,
-cursor moved, mid-render race).
-
-## Problem
-
-`telepty inject --submit` runs three layers of gating before pressing
-Enter:
-
-| Layer | File | Trigger | Skip behavior |
-|---|---|---|---|
-| 3. Prompt-symbol (0.3.2) | `src/submit-gate.js` `awaitPromptSymbol` | `cmux read-screen` does not show the per-CLI prompt symbol stably for ≥200 ms within 8 s | Falls through to Layer 1 (`no_prompt_symbol_seen`) |
-| 1. State-gated (0.3.1) | `src/submit-gate.js` `awaitReplReady` | `sessionStateManager` is not in `idle`/`waiting` with conf ≥ 0.5 within 10 s | Best-effort dispatch on `timeout`; hard-fail short-circuits to 504 on `session_dead`/`error`/`restarting`/`no_state` |
-| Verify | `src/submit-gate.js` `verifyBodyConsumed` | Injected body still visible in `outputRing` after dispatch | One bounded retry; if still visible, 504 with `reason: 'gated_dispatch_unconsumed'` |
-
-In production this still produces a residual failure rate when the
-orchestrator session has a transient render mismatch (autocomplete drop-down,
-cursor outside input area, mid-paste). The body is injected, the gate times
-out, the dispatch fires Enter into a "wrong" focus, and `verifyBodyConsumed`
-correctly sees the body still in the input box → 504. Sub-sessions then
-print `⚠️ Submit gated-timeout` and the human user has to press Enter
-manually for the orchestrator to consume the inject.
-
-## Constraints
-
-- **Article 1 (경량)**: minimum-touch fix. No new modules, no new daemon
-  endpoint, no new helper module.
-- **Article 17 (무의존)**: no new runtime dependency.
-- **Article 9 (독립)**: telepty must keep working standalone (no cmux/kitty
-  required for the new flags).
-- **Backward compat**: existing `--submit` semantics unchanged. Default
-  `--submit-retry` value MUST be 0-effect on the happy path (which is the
-  vast majority of calls, currently shipping reliably).
-- **Idempotency**: a retry must never double-press Enter.
-
-## Approach
-
-Two opt-in CLI knobs on `telepty inject`, both implemented client-side
-in `cli.js`. Daemon `/submit` endpoint is untouched — `force: true` is
-already supported (introduced in 0.3.1 for `telepty send-key`); we just
-plumb it through from the inject path.
-
-### `--submit-force`
-
-Adds `force: true` to the `/submit` POST body. Daemon-side this skips
-both Layer 3 (prompt-symbol) and Layer 1 (state-gate) and dispatches Enter
-once via the existing `terminalLevelSubmit` chain (kitty → cmux → PTY).
-
-Use case: caller is confident the target REPL is ready (e.g., orchestrator
-visibly idle, or Phase-6 cascade where sub-session has just verified the
-orchestrator's last bus event). Mirrors the existing `telepty send-key`
-escape hatch but at the inject level so a single command does both.
-
-### `--submit-retry N` (default 1, clamp [0, 3])
-
-After a 504 from `/submit` with a **retry-safe** reason, wait 300 ms and
-re-issue the same `/submit` request up to N times. Retry-safe reasons:
-
-| Reason | Source | Why retry is idempotent |
-|---|---|---|
-| `gated_dispatch_unconsumed` | `daemon.js:1680` | The verify path saw the body STILL in the input box after best-effort dispatch. Re-firing Enter when the body is visibly un-consumed cannot double-submit. |
-| `gate_timeout` | `awaitReplReady` returning `timeout` (no longer reaches 504 directly in 0.3.1, but kept for forward-compat) | Same: body has not been consumed if we're still on the gated path. |
-| `no_prompt_symbol_seen` | `awaitPromptSymbol` Layer 3 timeout (also not currently a 504 source, but kept for forward-compat) | Layer 3 alone never emits 504 today. Listed for completeness. |
-
-Retry is **explicitly NOT** safe for hard-fail reasons — `session_dead`,
-`session_error`, `session_restarting`, `no_state`, `no_state_manager`. Those
-short-circuit the loop immediately because re-firing won't recover. Same
-for any non-504 status (4xx) — no point retrying a malformed request.
-
-The retry preserves the original flag set (`force` stays `force`, etc.).
-The `attemptsMade` counter is rendered into the success line as
-`[retry K/N]` so operators can see when the retry path actually fired.
-
-### Why client-side (not daemon-side)?
-
-- Server-side already retries once internally inside `verifyBodyConsumed`
-  (`daemon.js:1663-1672`). Adding a second loop server-side conflates two
-  feedback signals (the inner verify retry vs. the outer client retry) in
-  one response shape.
-- Per-call client control is more flexible — sub-sessions that have
-  cheap evidence of orchestrator readiness can pass `--submit-retry 0`
-  to avoid the extra round-trip; ones that don't can pass `--submit-retry 2`.
-- Keeps the daemon stable. 0.3.0 cluster (memory:
-  `feedback_telepty_send_key_regression.md`) was a daemon-side change that
-  rippled into manual-override breakage. Client-side change has a strictly
-  smaller blast radius.
-
-## File map
-
-| File | Change | LoC delta |
-|---|---|---|
-| `cli.js` (inject command) | Parse `--submit-force` + `--submit-retry`. Wrap existing `useSubmit` block in idempotent retry loop on 504-with-safe-reason. | +~55, -~25 |
-| `test/cli.test.js` | Three new tests: --submit-force passes force=true; --submit-retry retries on safe-reason 504; --submit-retry does NOT retry on hard-fail 504. | +~120 |
-| `CHANGELOG.md` | 0.3.3 entry. | +~30 |
-| `package.json` | 0.3.2 → 0.3.3. | +1, -1 |
-| `test/enforce-report.test.js:280` | Update stale version assertion 0.2.0 → 0.3.3. | +1, -1 |
-| `README.md` | Mention new flags in inject summary. | +~6 |
-
-No new files outside `test/` and `docs/`. No daemon changes. No new
-dependencies. Total surface ≪ 200 LoC including tests.
-
-## Tests
-
-### Unit / integration (`test/cli.test.js`)
-
-1. **`--submit-force` passes `force: true` to /submit**
-   Spawn a session, intercept `/submit` (use existing harness method or
-   inspect bus event), invoke `telepty inject --submit --submit-force <id>
-   "x"`, assert daemon received `{ force: true }` in the request body.
-
-2. **`--submit-retry N` retries on safe-reason 504**
-   Mock the daemon to return 504 `{reason: 'gated_dispatch_unconsumed'}`
-   on the first call and 200 on the second. Assert the CLI made exactly
-   2 POST /submit calls and exited 0. Assert `[retry 1/N]` is present
-   in stdout.
-
-3. **`--submit-retry N` does NOT retry on hard-fail 504**
-   Mock the daemon to return 504 `{reason: 'session_dead'}`. Assert the
-   CLI made exactly 1 POST /submit call (no retry).
-
-### Regression — full suite
-
-`npm test` — 229 tests, all should pass after updating the stale
-`enforce-report.test.js:280` version assertion.
-
-## Future-proofing notes
-
-- If the daemon adds new 504 reasons, they are by default **NOT** retry-
-  safe (the safe set is an explicit allowlist). Adding a new safe reason
-  is a one-line `RETRY_SAFE_REASONS.add(...)` change in `cli.js`.
-- The flag pair composes: `--submit-force --submit-retry 0` (force-once),
-  `--submit-force --submit-retry 2` (force, with idempotent retry on the
-  rare 503 — though force never returns 504 today).
-- The 300 ms retry delay is a constant, not a flag, to keep the surface
-  small. Empirically chosen at the upper end of the architect's
-  100–300 ms window for the autocomplete-dropdown-close case.

package/protocol/mailbox.md

@@ -1,244 +0,0 @@
-# Aigentry Mailbox Protocol — SSOT
-
-**Version**: 1.0-draft  
-**Status**: Design  
-**Scope**: Transport-agnostic protocol spec (message format, ACK semantics, state machine)  
-**Date**: 2026-04-07
-
-This document is the single source of truth for the aigentry mailbox protocol.
-Implementation details (storage backend, locking, transport) are in `aigentry-mailbox` crate spec.
-
----
-
-## 1. Purpose
-
-The mailbox protocol defines guaranteed, ordered, ACK-able message delivery between aigentry sessions (aterm workspaces, telepty sessions, orchestrators). It is transport-agnostic: the same protocol runs over files, Unix sockets, HTTP, or WebSocket.
-
----
-
-## 2. Message Format
-
-All messages are JSON objects. Field names use snake_case (Rust) / camelCase (TypeScript/Node.js) — both representations are valid; implementations must accept both via alias.
-
-```json
-{
-  "msg_id":    "orchestrator:1743999600123456789",
-  "from":      "aigentry-orchestrator-claude",
-  "to":        "aigentry-analyst-claude",
-  "payload":   "analyze the auth module",
-  "created_at": 1743999600,
-  "attempt":   0
-}
-```
-
-| Field | Type | Required | Description |
-|-------|------|----------|-------------|
-| `msg_id` | string | yes | Globally unique message ID. Format: `{from}:{nanoseconds}` or UUID. Used for idempotency and ACK. |
-| `from` | string | yes | Sender session ID or alias. |
-| `to` | string | yes | Target session ID or alias. |
-| `payload` | string | yes | Message body. Arbitrary UTF-8. Typically a CLI command string. |
-| `created_at` | uint64 | yes | Unix timestamp (seconds) when message was first created by sender. Immutable across retries. |
-| `attempt` | uint32 | yes | Delivery attempt count. 0 = first attempt. Incremented by mailbox on NACK+retry. |
-
-### msg_id Requirements
-- MUST be unique per logical message (not per delivery attempt)
-- MUST remain the same across retries
-- MUST be stable: same logical send operation always produces the same msg_id
-- Recommended format: `"{from}:{created_at_nanos}"` — deterministic, no UUID library needed
-
----
-
-## 3. Message State Machine
-
-```
-          ┌─────────────────────────────────────────────┐
-          │                  enqueue()                   │
-          ▼                                              │
-       PENDING ──────── dequeue() ──────► IN_FLIGHT      │  (idempotent: duplicate
-          ▲                                   │           │   enqueue → PENDING skip)
-          │                         ack() ───┤
-          │                                   ▼
-          │                               ACKED (terminal)
-          │
-          │              nack(reason) ────► NACKED
-          │                                   │
-          │              attempt < max ────────┘──── re-enqueue ──► PENDING
-          │              attempt ≥ max ──────────────────────────► DEAD_LETTER (terminal)
-          │
-          └──── TTL exceeded ───────────────────────────────────► EXPIRED (terminal)
-```
-
-### States
-
-| State | Terminal | Description |
-|-------|----------|-------------|
-| `pending` | no | Awaiting dequeue by receiver |
-| `in_flight` | no | Dequeued, receiver processing, awaiting ACK |
-| `acked` | yes | Delivery confirmed by receiver |
-| `nacked` | no | Delivery failed, scheduled for retry |
-| `dead_letter` | yes | Exhausted retry count |
-| `expired` | yes | TTL exceeded before delivery |
-
-### State Transition Rules
-1. Only `pending` → `in_flight` (via `dequeue`)
-2. Only `in_flight` → `acked` or `nacked` (via `ack`/`nack`)
-3. `nacked` with `attempt < max_retries` → new `pending` entry (same msg_id, attempt+1)
-4. `nacked` with `attempt >= max_retries` → `dead_letter`
-5. `pending` or `in_flight` past TTL → `expired` (by DeliveryEngine sweep)
-6. Terminal states are immutable
-
----
-
-## 4. ACK Semantics
-
-### enqueue → EnqueueAck
-```
-enqueue(msg) → { msg_id, queued: bool, pending: usize }
-```
-- `queued: true` — message newly added
-- `queued: false` — msg_id already seen (idempotent, no-op). Safe to call multiple times.
-
-### dequeue
-```
-dequeue(session_id) → Option<Message>
-```
-- Returns oldest `pending` message
-- Transitions it to `in_flight`
-- Returns `None` if no pending messages
-
-### ack
-```
-ack(session_id, msg_id) → Result<()>
-```
-- Transitions `in_flight` → `acked`
-- MUST be called after successful delivery to PTY or host
-
-### nack
-```
-nack(session_id, msg_id, reason: string) → Result<()>
-```
-- Transitions `in_flight` → `nacked`
-- Mailbox schedules retry with backoff: `retry_delay = base_backoff_secs × 2^attempt`
-- After `max_retries` NACKs: transitions to `dead_letter`
-
----
-
-## 5. Retry Policy
-
-| Parameter | Default | Description |
-|-----------|---------|-------------|
-| `max_retries` | 3 | NACK count before dead-lettering |
-| `base_backoff_secs` | 5 | First retry delay (seconds) |
-| Backoff strategy | Exponential | `delay = base × 2^attempt`: 5s, 10s, 20s |
-| `inflight_timeout_secs` | 30 | Auto-nack if ACK not received within this window |
-
----
-
-## 6. Dead Letter Queue
-
-Messages in `dead_letter` state are preserved indefinitely (no TTL). Dead letter entries contain:
-
-```json
-{
-  "msg_id": "orchestrator:...",
-  "from": "...",
-  "to": "...",
-  "payload": "...",
-  "reason": "max_retries exhausted",
-  "failed_at": 1744086000,
-  "attempts": 3
-}
-```
-
-Dead letter queue is inspectable (`peek_dead_letter(session_id)`) and purgeable (`purge_dead_letter(session_id)`).
-
----
-
-## 7. Ordering Guarantee
-
-- Messages are delivered FIFO per `(from, to)` pair
-- Messages from different senders to the same receiver are interleaved by `created_at`
-- No total ordering across all receivers
-
----
-
-## 8. Idempotency
-
-- `enqueue` with duplicate `msg_id` is a no-op (returns `queued: false`)
-- `ack` with already-acked `msg_id` is a no-op (returns `Ok(())`)
-- `nack` with already-dead-lettered `msg_id` is a no-op
-- Implementations MUST enforce idempotency at the storage layer, not the caller
-
----
-
-## 9. Protocol Versioning
-
-Messages MAY include `"protocol_version": "1.0"` field. Receivers MUST ignore unknown fields (forward compatibility). Senders SHOULD include version for diagnostics.
-
----
-
-## 10. TypeScript Interface (Node.js / telepty)
-
-```typescript
-// message.ts
-
-export interface Message {
-  msg_id: string;       // or msgId (both accepted)
-  from: string;
-  to: string;
-  payload: string;
-  created_at: number;   // or createdAt (Unix seconds)
-  attempt: number;
-}
-
-export interface MessageSummary {
-  msg_id: string;
-  from: string;
-  created_at: number;
-  attempt: number;
-  state: MessageState;
-}
-
-export type MessageState =
-  | 'pending'
-  | 'in_flight'
-  | 'acked'
-  | 'nacked'
-  | 'dead_letter'
-  | 'expired';
-
-export interface EnqueueAck {
-  msg_id: string;
-  queued: boolean;
-  pending: number;
-}
-
-export interface DeadLetterEntry extends Message {
-  reason: string;
-  failed_at: number;    // Unix seconds
-  attempts: number;
-}
-```
-
-```typescript
-// mailbox.ts — transport-agnostic interface
-
-export interface MailboxProtocol {
-  enqueue(msg: Message): Promise<EnqueueAck>;
-  dequeue(sessionId: string): Promise<Message | null>;
-  ack(sessionId: string, msgId: string): Promise<void>;
-  nack(sessionId: string, msgId: string, reason: string): Promise<void>;
-  peek(sessionId: string): Promise<MessageSummary[]>;
-  purge(sessionId: string): Promise<void>;
-  peekDeadLetter(sessionId: string): Promise<DeadLetterEntry[]>;
-  purgeDeadLetter(sessionId: string): Promise<void>;
-}
-```
-
----
-
-## 11. Changelog
-
-| Version | Date | Change |
-|---------|------|--------|
-| 1.0-draft | 2026-04-07 | Initial protocol definition |

package/scripts/regen-snippet-fixtures.js

@@ -1,42 +0,0 @@
-'use strict';
-
-const fs = require('node:fs');
-const path = require('node:path');
-const { buildOutput } = require('../src/init/print-snippet');
-
-const projectRoot = path.resolve(__dirname, '..');
-const fixtureDir = path.join(projectRoot, 'tests', 'snippet-protocol', 'v1');
-const targets = ['claude', 'agents', 'gemini', 'all'];
-const formats = [
-  { name: 'markdown', ext: 'md' },
-  { name: 'json', ext: 'json' }
-];
-
-function createCaptureStream() {
-  return {
-    value: '',
-    write(chunk) {
-      this.value += chunk;
-    }
-  };
-}
-
-fs.mkdirSync(fixtureDir, { recursive: true });
-
-for (const target of targets) {
-  for (const format of formats) {
-    const stdout = createCaptureStream();
-    const stderr = createCaptureStream();
-    const code = buildOutput(['--print-snippet', '--target', target, '--format', format.name], {
-      stdout,
-      stderr
-    });
-
-    if (code !== 0) {
-      throw new Error(`failed to generate ${target} ${format.name}: ${stderr.value}`);
-    }
-
-    const fixturePath = path.join(fixtureDir, `golden-${target}.${format.ext}`);
-    fs.writeFileSync(fixturePath, stdout.value, 'utf8');
-  }
-}

package/specs/codex-inject-spec.md

@@ -1,201 +0,0 @@
-# SPEC: Codex inject reliability — 4 issues
-
-**Bug source:** orchestrator inject e9f41301...
-**Session:** aigentry-telepty
-**Status:** SPEC — awaiting orchestrator approval
-
----
-
-## Goal
-
-Make `telepty inject` work reliably with codex sessions. Currently 4 failure
-modes: Enter not pressed, active work overwrite, REPORT not sent, multi-task
-partial processing.
-
----
-
-## Root Cause Analysis
-
-### Issue 1: inject succeeds but Enter NOT pressed
-
-**Flow:** daemon `deliverInjectionToSession()` → mailbox → `tick()` →
-`writeDataToSession()` sends text via WS → allow-bridge → `child.write(text)`.
-Then 500ms later, `writeDataToSession(id, session, '\r')` → WS → allow-bridge →
-`child.write('\r')`.
-
-**Root cause:** codex CLI puts terminal in raw mode with custom input handling.
-PTY-level `\r` via `child.write('\r')` is NOT equivalent to pressing Enter in
-codex's input model. codex reads PTY input character by character in raw mode
-and interprets `\r` differently than a keyboard Enter event.
-
-**Evidence:** Project memory: "PTY `\r` 직접 의존 금지" — don't depend on PTY
-`\r` directly. "inject submit은 항상 osascript/kitty terminal-level submit 우선".
-
-The `--submit` flag exists in CLI but POST /submit also uses `submitViaPty()` →
-same `\r` via WS. It does NOT use terminal-level submit (kitty/cmux).
-
-### Issue 2: New inject overwrites active work
-
-**Flow:** `deliverInjectionToSession()` enqueues to mailbox and calls
-`mailboxDelivery.tick()` immediately. Text goes via WS → allow-bridge.
-
-Allow-bridge has queuing: if `isIdle()` is false, text goes to
-`enqueueBridgeMessage()`. The safety timer flushes after 5s regardless. But the
-daemon doesn't check session state — it pushes immediately.
-
-**Root cause:** Two layers of the problem:
-1. Daemon sends inject regardless of session state (working/thinking/idle)
-2. Allow-bridge 5s safety flush writes queued text to PTY even if session is
-   still working, which interrupts codex's current task
-
-### Issue 3: REPORT not sent after completion
-
-**Flow:** Auto-report mechanism (`pendingReports`) triggers when allow-bridge
-sends `{ type: 'ready' }` WS message. The `ready` signal fires when
-`promptPattern.test(data)` matches in the PTY output.
-
-**Root cause:** codex prompt pattern `codex: /[❯>]\s*$/` doesn't reliably match
-codex's actual prompt output. If prompt is never detected → `ready` never sent →
-`pendingReports` never cleared → auto-report never fires.
-
-The new session state machine (#185) detects `idle` via OSC 133 + silence
-timeout, but auto-report still uses the legacy `ready` WS signal (daemon.js
-line 2290-2315), not the `session_auto_state` transitions.
-
-### Issue 4: Multiple tasks in one inject — partial processing
-
-**Root cause:** AI behavior, not telepty bug. When a --ref file contains Task A
-+ Task B, codex processes Task A and returns to prompt. This is standard LLM
-behavior — no telepty fix needed.
-
-**Mitigation:** Orchestrator should split multi-task injects into separate
-sequential calls with idle-gating between them (orchestrator-side logic).
-
----
-
-## Scope
-
-**Phase 1 (this spec):** Fix Issues 1 and 3 (guaranteed Enter + guaranteed
-REPORT). These are telepty-side fixes.
-
-**Phase 2 (separate task):** Fix Issue 2 (inject queuing during active work).
-Requires daemon-side session state awareness.
-
-**Out of scope:** Issue 4 (orchestrator-level task splitting).
-
----
-
-## Files to Modify
-
-| File | Change |
-|---|---|
-| `daemon.js` | Fix 1: `deliverInjectionToSession()` — use `sendViaKitty()` for CR instead of PTY `\r`. Fix 3: Wire auto-report to session state `idle` transition instead of legacy `ready` signal. |
-| `daemon.js` | Fix 1: POST `/submit` endpoint — use kitty send-text with cmux fallback instead of `submitViaPty()`. |
-
----
-
-## Approach
-
-### Fix 1: Terminal-level submit for wrapped sessions
-
-Replace PTY `\r` with `sendViaKitty()` in `deliverInjectionToSession()`:
-
-```js
-// BEFORE (daemon.js ~line 590):
-if (!options.noEnter && session.type !== 'aterm') {
-  const submitDelay = session.type === 'wrapped' ? 500 : 300;
-  setTimeout(async () => {
-    const submitResult = await writeDataToSession(id, session, '\r');
-    // ...
-  }, submitDelay);
-}
-
-// AFTER:
-if (!options.noEnter && session.type !== 'aterm') {
-  const submitDelay = session.type === 'wrapped' ? 500 : 300;
-  setTimeout(async () => {
-    let submitted = false;
-    // Priority 1: kitty send-text (terminal-level, bypasses PTY quirks)
-    if (session.type === 'wrapped') {
-      submitted = sendViaKitty(id, '\r');
-    }
-    // Priority 2: cmux send-key (for cmux-managed sessions)
-    if (!submitted && session.backend === 'cmux' && session.cmuxWorkspaceId) {
-      submitted = submitViaCmux(id);
-    }
-    // Priority 3: PTY fallback (spawned sessions without kitty)
-    if (!submitted) {
-      const submitResult = await writeDataToSession(id, session, '\r');
-      if (!submitResult.success) {
-        emitInjectFailureEvent(id, submitResult.code, submitResult.error, {
-          phase: 'submit', source: options.source || 'inject'
-        }, session);
-      }
-    }
-  }, submitDelay);
-}
-```
-
-Also update POST `/submit` endpoint to use same priority chain instead of
-always calling `submitViaPty()`.
-
-### Fix 3: Auto-report via session state machine
-
-Wire auto-report to the `session_auto_state` transition event (already emitted
-by `sessionStateManager.onTransition()`). When a session transitions to `idle`
-and has a pending report, fire the auto-report.
-
-```js
-// In the existing sessionStateManager.onTransition callback (daemon.js ~line 37):
-sessionStateManager.onTransition((sessionId, from, to, detail) => {
-  const session = sessions[sessionId];
-  if (!session) return;
-  broadcastSessionEvent('session_auto_state', sessionId, session, {
-    extra: { auto_state: to, auto_state_from: from, auto_detail: detail }
-  });
-
-  // Auto-report: fire when session transitions to idle after inject
-  if (to === 'idle' && pendingReports[sessionId]) {
-    const pendingReport = pendingReports[sessionId];
-    delete pendingReports[sessionId];
-    const elapsed = ((Date.now() - new Date(pendingReport.injectedAt).getTime()) / 1000).toFixed(1);
-    const reportMsg = `TASK_COMPLETE: ${sessionId} is now idle after processing inject (${elapsed}s)`;
-    const srcId = resolveSessionAlias(pendingReport.source) || pendingReport.source;
-    const srcSession = sessions[srcId];
-    if (srcSession) {
-      deliverInjectionToSession(srcId, srcSession, reportMsg, { noEnter: false, source: 'auto_report' });
-      console.log(`[AUTO-REPORT] ${sessionId} → ${srcId}: idle after ${elapsed}s`);
-    }
-  }
-});
-```
-
-Keep the legacy `ready`-based auto-report as fallback (don't remove it).
-
----
-
-## Verification
-
-1. **Test:** `telepty inject xtem-rtm "echo hello"` → codex processes it
-   (Enter pressed via kitty send-text)
-2. **Test:** `telepty inject --ref --from orchestrator xtem-rtm 'task'` → after
-   codex completes → auto-report fires via idle state transition
-3. **Test:** Sessions without kitty (spawned) → PTY `\r` fallback still works
-4. **Test:** Existing 131 tests still pass
-
----
-
-## Risks
-
-1. **kitty not available.** Mitigated: 3-tier fallback (kitty → cmux → PTY).
-   PTY path preserved as last resort.
-2. **`sendViaKitty()` needs kitty socket + window ID match.** Already
-   implemented and working for other features. If kitty window not found,
-   falls through to PTY.
-3. **Auto-report via state machine may fire too early.** The idle detection
-   uses 5s silence timeout. If codex pauses >5s mid-task, it may fire
-   prematurely. Mitigated: auto-report has `AUTO_REPORT_IDLE_SECONDS` (10s)
-   threshold. Can add a minimum elapsed time guard.
-4. **Dual auto-report paths (state machine + legacy ready).** Could fire
-   twice. Mitigated: `delete pendingReports[sessionId]` in both paths —
-   whichever fires first consumes the pending report.