@firatcand/roster 0.1.0 → 0.4.0

package/data/plan-ceilings.yaml

@@ -0,0 +1,57 @@
+# Plan-ceiling figures for `roster schedule estimate-usage` (ROS-44 / ADR-0001).
+#
+# Advisory estimates of interactive-session caps published by OpenAI and
+# Anthropic. The CLI never queries vendor APIs — these numbers are read from
+# this file at runtime and compared against projected schedule usage.
+#
+# Update this file as vendors publish new limits. Bump `as_of` per entry and
+# cite the public doc URL. Schema version is immutable at 1 — bump and migrate
+# if the shape ever changes.
+
+version: 1
+
+plans:
+  chatgpt-plus:
+    tool: codex
+    label: "ChatGPT Plus"
+    msgs_per_window: 250
+    window_hours: 5
+    msgs_per_week: 2100
+    source_url: "https://help.openai.com/en/articles/6643017-chatgpt-plus-faq"
+    as_of: "2026-05-18"
+
+  chatgpt-pro:
+    tool: codex
+    label: "ChatGPT Pro"
+    msgs_per_window: 1000
+    window_hours: 5
+    msgs_per_week: 8400
+    source_url: "https://help.openai.com/en/articles/8675309-chatgpt-pro"
+    as_of: "2026-05-18"
+
+  claude-pro:
+    tool: claude
+    label: "Claude Pro"
+    msgs_per_window: 45
+    window_hours: 5
+    msgs_per_week: 1200
+    source_url: "https://support.anthropic.com/en/articles/8324991-about-claude-pro-usage"
+    as_of: "2026-05-18"
+
+  claude-max-5x:
+    tool: claude
+    label: "Claude Max 5x"
+    msgs_per_window: 225
+    window_hours: 5
+    msgs_per_week: 6000
+    source_url: "https://support.anthropic.com/en/articles/9534406-about-claude-max-usage"
+    as_of: "2026-05-18"
+
+  claude-max-20x:
+    tool: claude
+    label: "Claude Max 20x"
+    msgs_per_window: 900
+    window_hours: 5
+    msgs_per_week: 24000
+    source_url: "https://support.anthropic.com/en/articles/9534406-about-claude-max-usage"
+    as_of: "2026-05-18"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@firatcand/roster",
-  "version": "0.1.0",
+  "version": "0.4.0",
   "description": "A CLI that scaffolds a structured multi-agent workspace on top of AI coding tools (Claude Code, Codex CLI, Gemini)",
   "type": "module",
   "bin": {
@@ -12,6 +12,7 @@
     "skills/",
     "agents/",
     "templates/",
+    "data/",
     "README.md",
     "LICENSE"
   ],
@@ -23,9 +24,14 @@
     "typecheck": "tsc --noEmit",
     "dev": "tsdown --watch",
     "test": "node --test --experimental-strip-types 'test/**/*.test.ts'",
+    "test:update-golden": "node --experimental-strip-types scripts/update-golden.ts",
+    "test:update-golden:stub": "node --experimental-strip-types scripts/update-golden-stub.ts",
     "smoke": "bash test/smoke.sh",
     "e2e": "bash test/e2e-sdr.sh",
-    "perf": "bash test/perf.sh"
+    "e2e:schedule": "bash test/e2e-schedule.sh",
+    "perf": "bash test/perf.sh",
+    "test:dogfood-scripts": "bash test/new-agent-slash-only.sh && bash test/scripts-parity.sh",
+    "probe:claude-url": "bash scripts/probe-claude-url-scheme.sh"
   },
   "keywords": [
     "claude-code",

package/skills/chief-of-staff/SKILL.md

@@ -139,7 +139,159 @@ Loop on `revise` until the user types `y` or `cancel`. There is no implicit "loo
 
 ### Phase 5 — Atomic write
 
-See P4-T04 for the atomic-write transaction (stage → invariant check → preview → write → rollback list). The pre-write check enforces the contracts and invariants defined in the next section. Summary: stage all files in a temp tree, validate against `conventions.md` plus the cross-file invariants below, then move into place in a single transaction. On any validation failure, the temp tree is discarded and no partial state is written to the workspace.
+Transitions from accepted Phase 4 preview (`y`) to files-on-disk. The **agent tree** at `<fn>/<agent>/` (Steps 4–5) is written as a single transaction — either every staged file in the tree lands, or nothing does. The **slash command** at `<repo-root>/.claude/commands/<agent>.md` (Step 6) is a separate post-tree write: it can fail or be interrupted independently and is recovered via `--slash-only` retry rather than rollback.
+
+#### Transaction state
+
+- `draft: Map<absolute_path, string>` — in-memory file map (every path the write will create, with final content). Built incrementally during Phase 2/3 as fields are populated.
+- `dirs: List<absolute_path>` — directories to create, enumerated explicitly (no implicit ancestors). Listed parent-before-child so the corresponding `rmdir` walk in Step 7 can go deepest-first.
+- `rollback: List<absolute_path>` — every newly-created path (file or directory), appended in creation order. Includes every directory in `dirs`, every file from `draft` once its write is attempted, and nothing else. Drives reverse-order cleanup on failure.
+
+#### Step 1 — Pre-write invariant check
+
+Run all five invariants from § "Cross-file invariants" against `draft`. On any failure:
+
+> Invariant N failed: <specific failure>. Revise the affected section, or `cancel` to abort without writing.
+
+Re-enter Phase 3 for the offending section. The atomic-write transaction NEVER proceeds with a tripped invariant — no partial state can leak onto disk.
+
+Invariant 2 (step ids match `plans/<plan>.yaml`) is vacuously satisfied when no starter plan was named during Phase 3 — per the Generated file contracts table, `plans/<plan>.yaml` is optional. The check applies only when at least one plan file is staged in `draft`.
+
+#### Step 2 — Final user preview
+
+Confirm once more: `Write this? (y/revise/cancel)`. Re-render the full Phase 4 preview only if the user typed `revise` since the last render. On `cancel` print `Cancelled. No files written.` and exit. On `y` proceed to Step 3.
+
+#### Step 3 — Install SIGINT trap
+
+Install a signal handler covering **Steps 4–5 only** (the agent-tree transaction). On Ctrl+C: run the rollback sequence (Step 7) best-effort, then append a Step 8 log entry with `outcome: interrupted` (best-effort — log failure is non-fatal), then exit non-zero. After cleanup, print either:
+
+> Interrupted. Rolled back N files. Workspace is clean.
+
+or, if cleanup itself partially fails:
+
+> Interrupted. Cleanup incomplete — these paths remain on disk:
+>   `<path>`
+>   `<path>`
+> Remove manually before retrying.
+
+Uninstall the trap **before** entering Step 6. Once the agent tree is canonical (i.e., `agent.md` has landed), a SIGINT during Step 6 is treated as a slash-command failure, not as cause for rollback — the agent tree is preserved and the user can recover with `--slash-only` (Step 6 retry guidance).
+
+#### Step 4 — Create directory tree
+
+Enumerate every directory the transaction creates **explicitly** (no `mkdir -p` shortcut that hides intermediate ancestors from the cleanup walker — Step 7 needs to remove them). Create them one at a time, parent-before-child, appending each to `rollback`:
+
+- `<fn>/<agent>/`
+- `<fn>/<agent>/subagents/`
+- `<fn>/<agent>/playbook/`
+- `<fn>/<agent>/logs/`
+- `<fn>/<agent>/.claude/`
+- `<fn>/<agent>/.claude/skills/`
+- `<fn>/<agent>/.claude/plugins/`
+- `<fn>/<agent>/plans/`
+- `<fn>/<agent>/projects/`
+- `<fn>/<agent>/projects/_template/`
+- `<fn>/<agent>/projects/_template/config/`
+- `<fn>/<agent>/projects/_template/playbook/`
+- `<fn>/<agent>/projects/_template/log/`
+- `<fn>/<agent>/projects/_template/log/runs/`
+- `<fn>/<agent>/projects/_template/log/feedback/`
+
+If a directory already exists at the moment we try to create it (e.g., racing process, or `<fn>/` exists from a prior function), do NOT append it to `rollback` — pre-existing paths are not ours to delete. Skip and continue. The parent `<fn>/` itself is never in `rollback` for the same reason (it predates this transaction or was created as `<fn>/<agent>/`'s implicit parent — see invariant: if `<fn>/` does not exist, abort the whole transaction before Step 4 and ask the user to register the function via `create-function` first).
+
+If a directory creation fails for any other reason (permissions, ENOSPC), skip to Step 7 with `rollback` populated up to the failure point.
+
+#### Step 5 — Write files in deterministic order
+
+Write each file from `draft`. Append every written path to `rollback` **before** the write begins, so a write-failure mid-byte still leaves the partial file in the cleanup set.
+
+Order:
+
+1.  `<fn>/<agent>/README.md`
+2.  `<fn>/<agent>/.mcp.json`
+3.  `<fn>/<agent>/.claude/settings.json`
+4.  `<fn>/<agent>/subagents/_template.md`
+5.  `<fn>/<agent>/subagents/<name>.md` (one per `agent.md ## Subagents` entry; zero files if none named)
+6.  `<fn>/<agent>/plans/.gitkeep`
+7.  `<fn>/<agent>/plans/<plan>.yaml` (one per plan named in Phase 3; absent in stub mode and when no plan named)
+8.  `<fn>/<agent>/projects/_template/config/default.yaml`
+9.  `<fn>/<agent>/projects/_template/asset-references.md`
+10. `<fn>/<agent>/playbook/.gitkeep`
+11. `<fn>/<agent>/logs/.gitkeep`
+12. `<fn>/<agent>/.claude/skills/.gitkeep`
+13. `<fn>/<agent>/.claude/plugins/.gitkeep`
+14. `<fn>/<agent>/projects/_template/playbook/.gitkeep`
+15. `<fn>/<agent>/projects/_template/log/runs/.gitkeep`
+16. `<fn>/<agent>/projects/_template/log/feedback/.gitkeep`
+17. `<fn>/<agent>/agent.md`  ← **LAST. Canonical contract.**
+
+**Why `agent.md` last:** It is the canonical orchestrator contract — the file roster's commands grep for to detect an agent's existence. Writing it last guarantees that any process **keyed off the existence of `agent.md`** observes either no agent or a complete one. A mid-Step-5 crash leaves either no `agent.md` at all, or — after Step 7 rollback — an empty `<fn>/<agent>/` parent that no contract-aware reader will treat as a valid agent.
+
+This is a **path-level / discovery-keyed** guarantee, not a process-isolation guarantee. A third party that opens a path mid-write retains an open file descriptor through rollback, and a directory listing of `<fn>/<agent>/` mid-Step-4/5 can show a partial tree (this is why discovery should always key off `agent.md`, never directory enumeration).
+
+On any write failure mid-Step-5, skip to Step 7. `rollback` already contains every path attempted, including the partially-written file at the failure point.
+
+**Note — divergence from stub mode:** `scripts/new-agent.sh` (stub mode) writes `agent.md` first as a single shell-script side effect; the script is not transactional. Guided mode adopts the safer LAST-ordering to make the canonical-contract invariant hold. The two paths are intentionally different — do not "fix" one to match the other.
+
+#### Step 6 — Write slash command (outside rollback root)
+
+The SIGINT trap from Step 3 is uninstalled before this step begins. Write `<repo-root>/.claude/commands/<agent>.md`. This path is **outside** `<fn>/<agent>/`, so it is **not** in the `rollback` list — neither a write failure nor a Ctrl+C during Step 6 triggers a rollback of the agent tree.
+
+On failure (or SIGINT during Step 6 leaves a partial file), print:
+
+> Agent tree at `<fn>/<agent>/` written successfully, but slash command `.claude/commands/<agent>.md` failed: `<error>`. Retry with:
+>   `bash scripts/new-agent.sh --slash-only <fn> <agent>`
+
+The `--slash-only` flag (added in P4-T05) accepts the same two positional args and writes ONLY the slash command — no other side effects, no prompts. Required because the agent tree is already canonical at this point; re-running the full plan would refuse on the existing directory. Caveats for retry:
+
+- If the slash command file already exists at retry time (e.g., partial write from Step 6 failure or SIGINT), `--slash-only` refuses to clobber per P4-T05 acceptance — remove the existing file first, then retry.
+- `--slash-only` does NOT verify that `<fn>/<agent>/agent.md` exists. If the agent tree was rolled back before retry, the slash command will be a dangling pointer. Re-run the full `create-agent` plan instead in that case.
+
+#### Step 7 — Rollback (failure path)
+
+Triggered by any error in Steps 4–5, or by SIGINT during Steps 4–5 (Step 3 trap). Step 6 failures and Step-6 SIGINT are **not** rollback triggers — they are surfaced for `--slash-only` retry instead.
+
+Sequence:
+
+1. Walk `rollback` in reverse order (newest first). For each path:
+   - If it is a file (or partially-written file), `unlink` it.
+   - If it is a directory, `rmdir` it (no `-r`). It will succeed because all of its children were created later than it and have already been removed by this walk. If `rmdir` fails because something unexpected exists (race, manual write), record the path as residual and continue.
+2. After the walk, `<fn>/<agent>/` itself is either gone (if `rollback` included it and the walk reached it) or remains with residual content. Do NOT attempt a recursive delete — if anything remains, it is either pre-existing (not ours) or unexpected (worth surfacing).
+3. Print:
+   > Write failed at `<path>`: `<error>`. Rolled back N paths (M files, K directories).
+
+   If `<fn>/<agent>/` was removed:
+   > Workspace is clean.
+
+   Else:
+   > Workspace still contains `<fn>/<agent>/` with N residual paths:
+   >   `<path>`
+   >   `<path>`
+   > Remove manually before retrying.
+4. Append a Step 8 log entry with `outcome: rollback` and the residual-paths list, then exit non-zero.
+
+#### Step 8 — Operation log
+
+Always append exactly one log entry per `create-agent` invocation to `chief-of-staff/logs/<YYYY-MM>/operations-<YYYY-MM-DD>.md`. Trigger points:
+
+| Operation outcome | When Step 8 fires | `outcome` value |
+| --- | --- | --- |
+| Steps 4–6 all succeed | end of Step 6 | `success` |
+| Step 5/4 write failure | end of Step 7 rollback walk | `rollback` |
+| Step 6 write failure (agent tree canonical, slash failed) | after the user-facing retry message in Step 6 | `partial-slash-failure` |
+| SIGINT during Steps 4–5 | inside the trap, after the Step 7 rollback walk | `interrupted` |
+| SIGINT during Step 6 (agent tree canonical, slash partial) | after Step 6 retry message | `partial-slash-failure` (with a note that the slash file may be partial) |
+
+Schema:
+
+- `timestamp` (UTC ISO-8601)
+- `plan: create-agent`
+- `mode: guided | stub`
+- `inputs: <fn>, <agent>`
+- `outcome: success | rollback | partial-slash-failure | interrupted`
+- `residual_paths:` (only present when outcome is `rollback` or `interrupted`; empty list if cleanup was complete)
+- `candidate_lessons:` (optional, per § "Lessons protocol")
+
+The log file is append-only. If `chief-of-staff/logs/<YYYY-MM>/` doesn't exist, create it during Step 8. This write is **outside** the transaction — a log-write failure does NOT trigger rollback of a successful agent creation; surface a stderr warning instead.
 
 ## Generated file contracts
 
@@ -149,7 +301,7 @@ Every file the guided plan writes has a per-file content contract. Stub mode pro
 | --- | --- | --- |
 | `agent.md` | See per-section disposition below. Populated and grounded fields filled from prose + Phase 3 answers; boilerplate fields filled from `_template/` and `conventions.md`. Zero literal `<placeholder>` strings remain (explicit `TODO: <gap>` markers allowed only where the user deferred during Phase 3). | Identical to `bash scripts/new-agent.sh` output: every grounded/uncertain field carries its `<placeholder>` text verbatim. |
 | `plans/<plan>.yaml` | Created only if the user named at least one plan during Phase 3. Step `id:` fields 1:1 with `agent.md ## Steps` — they cannot drift. Inputs / outputs schemas come from the user's plan description. | `plans/.gitkeep` only. No starter plan file. |
-| `subagents/<name>.md` | One file per name listed in `agent.md ## Subagents`. All **six** required sections present and populated: `Role`, `Inputs`, `Output`, `Tools`, `Boundaries`, `Quality bar`. **Never half-populate a subagent.** If a section cannot be populated from prose / follow-ups, either remove the subagent from `agent.md ## Subagents` entirely or Phase 3 re-asks. | `subagents/_template.md` only. No per-name files. |
+| `subagents/<name>.md` | One file per name listed in `agent.md ## Subagents`. All **six** required sections present and populated: `Role`, `Inputs`, `Output`, `Tools`, `Boundaries`, `Quality bar`. **Never half-populate a subagent.** If a section cannot be populated from prose / follow-ups, either remove the subagent from `agent.md ## Subagents` entirely or Phase 3 re-asks. `subagents/_template.md` is also written byte-for-byte from `_template/` (same as stub mode). | `subagents/_template.md` only. No per-name files. |
 | `.claude/commands/<agent>.md` | `description:` field is a real sentence: ≤ 80 chars, contains no `<` character, and contains no literal `TODO:` substring. The body matches the canonical routing-logic template from `_template/` with `<agent>` and `<function>` substituted. | `description: <function> agent — TODO: fill in description`. Canonical body otherwise unchanged. |
 | `README.md`, `.mcp.json`, `.claude/settings.json`, `projects/_template/**`, every `.gitkeep` | Identical to stub mode — byte-for-byte. These files do not vary by mode. | (canonical) |
 
@@ -209,6 +361,10 @@ Never write directly to `chief-of-staff/playbook/` during operations. The user m
 - **YAML/JSON parse error in audit** → report as failure with the line number from the audit script
 - **Confirmation gate denied** → abort cleanly, no changes
 - **Partial failure mid-operation** → scripts handle their own rollback. If a script reports partial state, surface exactly what state the repo is in and what to do next.
+- **Atomic write rollback ran** (guided mode, Steps 4–5 failure) → all `rollback` paths deleted, parent `<fn>/<agent>/` removed if empty. Surface residual paths if any deletion failed; exit non-zero.
+- **SIGINT during atomic write** → trap runs Step 7 best-effort; partial cleanup state disclosed. User must remove residual paths before retrying.
+- **Slash command failed after agent tree success** (Step 6) → agent tree is canonical and kept. Surface the failure with the `--slash-only <fn> <agent>` retry command. Not a rollback trigger.
+- **Operation log write failed after successful agent creation** (Step 8) → log a warning to stderr; do NOT roll back the agent. Logs are best-effort and outside the transaction.
 
 ## What this skill does NOT do
 

package/templates/hooks/banner.sh

@@ -0,0 +1,47 @@
+#!/bin/sh
+# roster:hitl-banner:v2 — SessionStart hook for Claude Code and Codex CLI.
+#
+# 1. (ROS-42) If `roster` is on PATH, run `roster pending sync --silent` with
+#    a 5s timeout to synthesize HITL items from any failed-fire signals
+#    (.exit non-zero + STALE detections). Silent on success, silent on
+#    skip-because-no-roster, silent on timeout.
+# 2. Count pending HITL items in $PWD/roster/<function>/pending/*.md and
+#    print one banner line if count > 0. Silent when count is 0.
+#
+# Self-contained POSIX shell — Step 1 is best-effort opt-in, never blocks
+# the session. Step 2 stays under the <200ms latency budget (p50 ~25ms).
+#
+# Installed by `roster hooks install` to:
+#   ~/.claude/hooks/roster-banner.sh
+#   ~/.codex/hooks/roster-banner.sh
+
+set -u
+
+# Run only inside roster workspaces. Quiet exit otherwise so non-roster
+# sessions get zero overhead beyond shell startup.
+[ -d "$PWD/roster" ] || exit 0
+
+# Step 1: failed-fire synthesis (best-effort).
+# Requires both `roster` on PATH AND a `timeout` binary. Skip silently
+# otherwise — better to miss a sync than to block SessionStart on a slow
+# workspace (codex review impl-pass: an unbounded fallback ran `roster
+# pending sync` with no time cap; if disk was slow the user's first Claude
+# Code message could be delayed seconds). Doctor remains the deterministic
+# way to surface failed fires for users without a timeout binary.
+if command -v roster >/dev/null 2>&1; then
+  if command -v timeout >/dev/null 2>&1; then
+    timeout 5 roster pending sync --silent --cwd "$PWD" >/dev/null 2>&1 || true
+  elif command -v gtimeout >/dev/null 2>&1; then
+    gtimeout 5 roster pending sync --silent --cwd "$PWD" >/dev/null 2>&1 || true
+  fi
+fi
+
+# Step 2: banner. `find … | wc -l` returns 0 on empty, never errors on
+# absent subdirs thanks to `-path` matching against a non-existent prefix
+# being a no-op (the explicit `2>/dev/null` covers any read-permission
+# edge case).
+count=$(find "$PWD/roster" -mindepth 3 -maxdepth 3 -type f -name '*.md' -path '*/pending/*.md' 2>/dev/null | wc -l | tr -d ' ')
+
+if [ "${count:-0}" -gt 0 ]; then
+  printf '⚠ %s pending HITL items — run `roster review`\n' "$count"
+fi

package/templates/scaffold/conventions.md

@@ -9,7 +9,7 @@ Full reference. CLAUDE.md is the short behavioral guide loaded at session start;
 3. **Tooling is scoped where it belongs.** Universal MCPs/skills/plugins at root. Agent-scoped at the agent. No per-project tooling — projects share the agent's tools.
 4. **Files are the memory layer.** No vector DB, no embedding store. Markdown + YAML + Git.
 5. **Project-scoped lessons override global on conflict.** Local always wins at runtime.
-6. **Schedules are stateless.** Cron invokes `claude -p` headlessly.
+6. **Schedules are stateless.** A native local scheduler (Claude Desktop Scheduled Tasks, Codex app Automations, or a Codex cron entry installed via `roster schedule install --via cron`) fires a fresh CLI session that loads `CONTEXT.md` and invokes the `roster-orchestrator` skill. All model usage draws from the user's interactive subscription — no Agent SDK, no headless API keys.
 7. **The dreamer learns; agents act.** Reinforcement is a separate, deliberate process. Live agents don't update playbooks.
 
 ## Directory map
@@ -565,15 +565,42 @@ Approval expires after 24h by default. Workflows specify own TTL if different.
 
 ## Schedules
 
-Cron jobs:
+Schedules fire from a native local desktop scheduler. Each fire spawns a fresh CLI session in the workspace that loads `CONTEXT.md` and invokes the `roster-orchestrator` skill; the orchestrator dispatches the agent's subagent via the tool's native primitive (Claude `Task` tool or Codex agent invocation). No `claude -p`, no Anthropic Agent SDK, no programmatic API keys — all model usage draws from the user's interactive Claude Pro/Max or ChatGPT Plus/Pro subscription. `roster doctor` enforces this.
 
-1. Live in `scripts/cron/crontab` (versioned)
-2. Invoke a wrapper at `scripts/cron/wrappers/<job>.sh`
-3. Wrapper sets up env, calls `claude -p "<prompt>"` with the right cwd (typically inside an agent's project instance)
-4. stdout/stderr → `logs/cron/<job>-<YYYY-MM-DD>.log`
-5. Run output → the agent's instance `log/runs/` as normal
+Canonical entry point:
 
-Install: `bash scripts/cron/install.sh`. Add a job: `bash scripts/new-cron.sh <job-name>`.
+```sh
+roster schedule install <function>/<agent> <plan> \
+  --cron "<expr>" --tool claude|codex [--via cron]
+```
+
+The first two positional arguments are `<function>/<agent>` (e.g., `gtm/sdr`) and the plan path within that agent. `--cron` and `--tool` are required; `--via` defaults to `ui-handoff`, `--name` defaults to `<agent>-<plan>`, `--project` defaults to `_demo`. The command writes one entry per schedule to `roster/<function>/schedules.yaml` and renders a tool-specific install artifact:
+
+- `--tool claude` — emits `.roster/schedule-specs/<name>.claude.fields.md` for paste-in to Claude Code's Desktop Scheduled Tasks UI. Programmatic install is tracked upstream at [anthropics/claude-code#41364](https://github.com/anthropics/claude-code/issues/41364); until it lands, hand-off is markdown, not JSON.
+- `--tool codex` (default `--via ui-handoff`) — emits `.roster/schedule-specs/<name>.codex.fields.md` for paste-in to the Codex desktop Automations UI.
+- `--tool codex --via cron` — installs a hardened crontab line directly (wrapped by `env -i` for environment scrubbing, with a subscription-attestation preflight). Codex-only; refused on Windows.
+
+Each run:
+
+1. Loads `CONTEXT.md` (via the `CLAUDE.md` or `AGENTS.md` symlink)
+2. Invokes the `roster-orchestrator` skill
+3. Orchestrator dispatches the agent subagent in isolated context (nested subagents allowed)
+4. Run output → the agent's instance `log/runs/` as normal
+5. HITL items → `roster/<function>/pending/` — chat sessions surface a banner on next start
+6. Exits
+
+### Failure observability
+
+Two complementary signals catch the cases where a fire doesn't complete cleanly:
+
+- **`roster/<function>/state.md`** — orchestrator skill appends one line per fire (`<utc-iso> | <function>/<agent>/<plan>/<project> | success|failed`). This is the *agent-level* signal: it requires the orchestrator to actually run to completion.
+- **`logs/cron/<name>.exit`** — for codex `--via cron` schedules, the wrapper records the process exit code (1-3 byte ASCII integer) independently of the agent. Non-zero here means cron fired but the codex process exited with an error.
+
+`roster doctor` (the `Scheduling fires` section) cross-references both. `roster pending sync` synthesizes `roster/<function>/pending/error-<id>.md` items from any non-zero `.exit` or STALE detection (last run older than expected next-fire + 2h grace). The SessionStart hook runs `pending sync` automatically before counting items, so a failed fire surfaces in the very next chat session — no manual step required.
+
+Optional: add `capture_events: true` to a codex via-cron entry to also capture the `codex exec --json` event stream at `logs/cron/<name>.events.jsonl` (stdout split from log).
+
+See [ADR-0001: Scheduling architecture](https://github.com/firatcand/roster/blob/main/docs/adr/0001-scheduling-architecture.md) for the rationale and rejected alternatives.
 
 ## External-action gates
 

package/templates/scaffold/dreamer/README.md

@@ -17,7 +17,7 @@ Cross-domain pattern detection matters. A lesson observed in Twitter automation
 
 ## Invocation
 
-Nightly via cron (`scripts/cron/wrappers/dreamer-nightly.sh`).
+Nightly via the native desktop scheduler. Register with `roster schedule install` — each fire spawns a fresh CLI session in the workspace, loads `CONTEXT.md`, invokes the `roster-orchestrator` skill, and dispatches the dreamer in isolated subagent context. See `conventions.md` § Schedules and [ADR-0001](../../docs/adr/0001-scheduling-architecture.md) for the model. Subscription-billed only; `claude -p` and the Anthropic Agent SDK are banned and enforced by `roster doctor`.
 
 On-demand from a session: "Run the dreamer on the last week's outreach runs across all projects."
 

package/templates/scaffold/gtm/sdr/README.md

@@ -24,12 +24,7 @@ claude
 
 Claude reads agent.md from the agent root, project guidelines from `projects/_demo/guidelines/`, and orchestrates.
 
-From cron, headlessly:
-
-```bash
-cd /path/to/agent-team
-claude -p "$(cat scripts/cron/wrappers/_demo-outreach-daily-prompt.txt)"
-```
+For scheduled runs, register the schedule with the native desktop scheduler via `roster schedule install` — see the Phase 2.5 scheduling guide. The subscription-only ban on `claude -p` and the Anthropic Agent SDK is enforced by `roster doctor`.
 
 ## Configuration
 

package/templates/scaffold/logs/cron/.gitkeep

@@ -0,0 +1 @@
+# Cron log directory

package/templates/scaffold/ops/EXPERT.md

@@ -11,7 +11,7 @@ Ops advisor for an early-stage solo founder running an agent team. Cover automat
 
 ## Scope
 
-- **Critique**: Audit `scripts/cron/crontab`, `scripts/cron/wrappers/*`, agent `config/default.yaml` files, `.env` patterns, and ops-related project guidelines when they exist. State the principle being violated. Score risk: data loss > silent failure > cost > polish.
+- **Critique**: Audit `roster/<function>/schedules.yaml`, `.roster/schedule-specs/`, agent `config/default.yaml` files, `.env` patterns, and ops-related project guidelines when they exist. State the principle being violated. Score risk: data loss > silent failure > cost > polish.
 - **Generate guidelines**: Produce or refine ops-related guideline files when a project demands them — `projects/<project>/guidelines/ops-runbook.md`, cron schedule specs, retry/idempotency contracts, secret-rotation procedures. Default to producing directly when context is sufficient; otherwise interview, then write.
 - **Guide**: Scheduling decisions, secrets management, deployment patterns, observability strategy, failure-mode reasoning. Strategic output — files only when the task asks for substrate.
 
@@ -22,16 +22,16 @@ You do **NOT** produce tactical artifacts (specific cron wrapper shell scripts,
 On invocation, read in this order:
 
 1. `projects/<project>/CLAUDE.md` — project identity and what runs against it
-2. `scripts/cron/crontab` and `scripts/cron/wrappers/` — current automation surface
+2. `roster/<function>/schedules.yaml` and `.roster/schedule-specs/` — current automation surface (Phase 2.5 native-scheduler model; see `conventions.md` § Schedules and [ADR-0001](../../docs/adr/0001-scheduling-architecture.md))
 3. The relevant agent's `agent.md` and `config/default.yaml` — tool bindings, schedules, caps
 4. `projects/<project>/state.md` — current focus
-5. `logs/cron/*` for recent failures, if a reliability question
+5. `logs/cron/*` for recent `roster schedule install --tool codex --via cron` failures, if a reliability question
 
 Identify gaps. Ask only about gaps. Don't re-ask what's already in substrate. If no project is named and the question is repo-wide, say so before proceeding.
 
 ## What you cover
 
-- Scheduling (cron, Claude Code `/schedule`, GitHub Actions scheduled workflows)
+- Scheduling (native desktop scheduler via `roster schedule install`, the `roster schedule install --tool codex --via cron` crontab path, GitHub Actions scheduled workflows)
 - Secrets management (`.env`, env-var conventions, rotation, SOPS or similar when justified)
 - Deployment patterns (script-based, GitHub Actions, manual checklists)
 - Observability (`logs/cron/`, structured logging, alerting thresholds, "did it run" verification)
@@ -62,7 +62,7 @@ When a task spans skills (e.g., "design the cron + monitoring + alert chain for
 ## Behavior rules
 
 - **Idempotency first.** Every operation must be safe to re-run. If it isn't, name the guard.
-- **Observability is non-negotiable.** If you can't tell whether it ran, it didn't. Logs land in `logs/cron/<job>-<YYYY-MM-DD>.log` per `conventions.md`.
+- **Observability is non-negotiable.** If you can't tell whether it ran, it didn't. For `--via cron` installs (Codex-only — `roster schedule install --tool codex --via cron`), stdout/stderr lands in `logs/cron/<job>.log` per `conventions.md` § Schedules. For UI-handoff installs (Claude Scheduled Tasks, Codex Automations), the scheduler owns the log surface — check the host app's run history.
 - **Cost-aware.** Name the cost of every recommendation — dollars, time, on-call burden.
 - **Name failure modes.** Don't ship a recommendation without stating what happens when it fails.
 - **Stay in your lane.** Reusable substrate and patterns. One-off incident response and per-run remediations are agent work, not expert work.

package/templates/scaffold/scripts/archive-project.sh

@@ -0,0 +1,98 @@
+#!/usr/bin/env bash
+# archive-project.sh — moves a project and all its agent instances to _archive/
+# Usage: bash scripts/archive-project.sh <project> [reason]
+
+set -euo pipefail
+
+if [ $# -lt 1 ]; then
+  echo "Usage: $0 <project> [reason]"
+  exit 1
+fi
+
+PROJECT="$1"
+REASON="${2:-}"
+ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+PROJECT_DIR="$ROOT/projects/$PROJECT"
+
+if [ ! -d "$PROJECT_DIR" ]; then
+  echo "ERROR: Project '$PROJECT' not found at $PROJECT_DIR"
+  exit 1
+fi
+
+DATE=$(date +%Y-%m-%d)
+TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+
+# Find all agent instances for this project
+INSTANCES=()
+while IFS= read -r path; do
+  INSTANCES+=("$path")
+done < <(find "$ROOT" -type d -path "*/projects/$PROJECT" -not -path "*/_template/*" -not -path "*/_archive/*" 2>/dev/null | grep -v "^$ROOT/projects/$PROJECT$" || true)
+
+# Determine archive suffix (handle same-day re-archiving)
+SUFFIX="$DATE"
+COUNTER=2
+while [ -d "$ROOT/_archive/projects/$PROJECT-$SUFFIX" ]; do
+  SUFFIX="$DATE-$COUNTER"
+  COUNTER=$((COUNTER + 1))
+done
+
+echo "Archiving project: $PROJECT (suffix: $SUFFIX)"
+
+# Create archive root
+mkdir -p "$ROOT/_archive/projects"
+
+# Move project root
+mv "$PROJECT_DIR" "$ROOT/_archive/projects/$PROJECT-$SUFFIX"
+echo "  Moved: projects/$PROJECT/  →  _archive/projects/$PROJECT-$SUFFIX/"
+
+# Move each instance
+for inst in "${INSTANCES[@]}"; do
+  REL="${inst#$ROOT/}"
+  PARENT_DIR=$(dirname "$REL")
+  ARCHIVE_PARENT="$ROOT/_archive/$PARENT_DIR"
+  mkdir -p "$ARCHIVE_PARENT"
+  mv "$inst" "$ARCHIVE_PARENT/$PROJECT-$SUFFIX"
+  echo "  Moved: $REL/  →  _archive/$PARENT_DIR/$PROJECT-$SUFFIX/"
+done
+
+# Write ARCHIVED.md
+cat > "$ROOT/_archive/projects/$PROJECT-$SUFFIX/ARCHIVED.md" << EOF
+---
+archived_at: $TIMESTAMP
+project: $PROJECT
+archive_suffix: $SUFFIX
+reason: ${REASON:-(not specified)}
+---
+
+# Archived: $PROJECT
+
+## Paths archived
+- _archive/projects/$PROJECT-$SUFFIX/  (project root)
+$(for inst in "${INSTANCES[@]}"; do
+  REL="${inst#$ROOT/}"
+  PARENT_DIR=$(dirname "$REL")
+  echo "- _archive/$PARENT_DIR/$PROJECT-$SUFFIX/  (instance)"
+done)
+
+## To restore
+\`\`\`bash
+bash scripts/unarchive-project.sh $PROJECT $SUFFIX
+\`\`\`
+EOF
+
+# Operation log
+LOG_DIR="$ROOT/chief-of-staff/logs/$(date +%Y-%m)"
+mkdir -p "$LOG_DIR"
+LOG_FILE="$LOG_DIR/operations-$(date +%Y-%m-%d).md"
+{
+  echo ""
+  echo "## $TIMESTAMP — archive-project: $PROJECT"
+  echo "Suffix: $SUFFIX"
+  echo "Instances archived: ${#INSTANCES[@]}"
+  [ -n "$REASON" ] && echo "Reason: $REASON"
+} >> "$LOG_FILE"
+
+echo ""
+echo "✓ Archive complete."
+echo "  ARCHIVED.md: $ROOT/_archive/projects/$PROJECT-$SUFFIX/ARCHIVED.md"
+echo "  Operation log: $LOG_FILE"