@pugi/cli 0.1.0-alpha.9 → 0.1.0-beta.2

package/dist/core/repl/session.js

@@ -27,18 +27,53 @@
  * verbatim - the brand gate on those happens at the controller.
  */
 import { randomUUID } from 'node:crypto';
+import { getPersona } from '@pugi/personas';
 import { listRoles, getPersonaForRole } from '../agents/registry.js';
 import { evaluateCap, describeVerdict } from './cap-warning.js';
 import { parseSlashCommand } from './slash-commands.js';
 import { webFetchTool } from '../../tools/web-fetch.js';
 import { loadSettings } from '../settings.js';
 import { getJobRegistry } from '../jobs/registry.js';
+import { extractAskTags, extractPlanReviewTags, signatureForAsk, } from './ask.js';
 import { existsSync, readdirSync, statSync } from 'node:fs';
 import { resolve as resolvePath } from 'node:path';
+import { CancellationToken } from './cancellation.js';
+import { DispatchFSM } from './dispatch-fsm.js';
 const MAX_TRANSCRIPT_ROWS = 500;
+const MAX_TOOL_CALLS = 200;
 const MAX_RECONNECT_ATTEMPTS = 10;
 const RECONNECT_BASE_MS = 250;
 const RECONNECT_MAX_MS = 5_000;
+/**
+ * α6.5 filewatch throttle: minimum gap between two file-change
+ * system lines surfaced in the conversation pane. Per the sprint
+ * spec, a noisy save burst should not flood the transcript - we
+ * coalesce all chokidar batches that arrive inside the window into
+ * a single "file changed: ..." line.
+ */
+const FILEWATCH_SYSTEM_LINE_GAP_MS = 5_000;
+/**
+ * Hard cap on the size of `pendingFilewatchBatches`. The throttle window
+ * is 5s, but a `tsc --watch` style tool can fire dozens of `change`
+ * events per second for hours on end if the operator leaves the REPL
+ * up. Without a cap, every batch arriving inside the throttle window
+ * would accumulate forever, holding refs to thousands of FilewatchBatch
+ * objects (each carrying its own events array). On overflow we drop
+ * the OLDEST batch and surface a one-shot system warning so the
+ * operator knows the buffer is shedding. triple-review P1 (PR #380).
+ */
+const PENDING_FILEWATCH_BATCH_CAP = 100;
+/**
+ * Cap on silent session-recreate attempts on HTTP 404 from the SSE
+ * stream. When admin-api restarts it drops its in-memory session
+ * store, so the saved sessionId returns 404 on every subscribe. The
+ * CLI mints a fresh server session, swaps the consumer over, and
+ * keeps running - but we cap the recovery to 3 attempts inside 60s
+ * so a truly down admin-api fails loud instead of spinning forever.
+ * (α6.14.2 wave 5 - CEO dogfood fix.)
+ */
+const MAX_SESSION_RECREATE_ATTEMPTS = 3;
+const SESSION_RECREATE_WINDOW_MS = 60_000;
 export class ReplSession {
     options;
     subscribers = new Set();
@@ -48,30 +83,257 @@ export class ReplSession {
     reconnectAttempt = 0;
     reconnectTimer;
     closed = false;
+    /**
+     * Rolling window of recent silent-recreate timestamps (epoch ms).
+     * The SSE stream returns HTTP 404 when admin-api has restarted and
+     * lost its in-memory session store; rather than spam the operator
+     * with "Stream interrupted (HTTP 404)" loops, we mint a fresh
+     * session and swap the consumer. Capped at MAX_SESSION_RECREATE_*
+     * inside SESSION_RECREATE_WINDOW_MS so a permanently down admin-api
+     * fails loud instead of looping silently. (α6.14.2 wave 5.)
+     */
+    recentRecreateAtMs = [];
+    /**
+     * True while a session-recreate POST is in flight. Guards against
+     * the SSE stream firing multiple `onError(404)` callbacks racing
+     * the in-flight createSession promise. (α6.14.2 wave 5.)
+     */
+    recreatingSession = false;
     /**
      * Last non-trivial step.detail recorded per taskId. The server streams
      * the persona reply incrementally via `agent.step` events whose
      * `detail` field carries the cumulative model output. `agent.completed`
      * arrives last and previously overwrote the visible detail to the
      * literal string `'shipped'` while the transcript line said only
-     * `shipped.` — the actual reply text was lost. By caching the last
+     * `shipped.` - the actual reply text was lost. By caching the last
      * non-trivial detail here, we can flush it into the transcript when
      * the agent completes so the operator sees what the persona actually
      * said. CEO wave-2 fix 2026-05-25.
      */
     lastStepDetail = new Map();
+    /**
+     * Optional local SessionStore - α6.4. When non-null, every
+     * appendRow() call mirrors the row into the JSONL log so the
+     * conversation can be restored via `/resume`. Errors from the store
+     * are swallowed to a single system line (degradation, not crash).
+     * The store is opened by the CLI bootstrap and closed via
+     * `ReplSession.close()`. The store ownership is shared - the
+     * SqliteSessionStore is process-wide singleton-ish under the
+     * lockfile, so close-on-quit is safe.
+     */
+    store;
+    /**
+     * Local session id used as the persistence key. Distinct from the
+     * server-side sessionId issued by admin-api in state.sessionId.
+     * When the operator runs `pugi resume <id>`, the CLI passes the id
+     * via `localSessionId` so the JSONL log keeps growing under the
+     * original id rather than fragmenting into a new one.
+     */
+    localSessionId;
+    /**
+     * One-shot guard so a store error only emits ONE system line per
+     * session - without this, a stuck filesystem would spam the operator
+     * with `[store]` errors on every keystroke.
+     */
+    storeErrorEmitted = false;
+    /**
+     * Privacy mode fetched on bootstrap from /api/admin/privacy/mode and
+     * surfaced via `renderPrivacyBanner` (one-line system message after
+     * splash). Cached on the session so the in-REPL `/privacy` slash
+     * command can render the live mode without a second round-trip on
+     * the input box's thread. Null means "not yet fetched" (still
+     * connecting) OR "fetch failed" (offline / unauthenticated). The
+     * `/privacy` slash falls back to the contract doc with an "unknown"
+     * banner when null.
+     *
+     * Triple-review P1 fix (2026-05-25): the prior build defined
+     * `renderPrivacyBanner` but never called it, and `/privacy` always
+     * rendered with `null` mode. The contract was advertised but the
+     * operator had no mode visibility.
+     */
+    privacyMode = null;
+    /**
+     * α6.5 Tier 0 / Tier 1 / chokidar wiring. The bootstrap builds the
+     * skeleton + working set + watcher once and hands them to the
+     * session. The session uses them to:
+     *
+     *   - render `/context` (count + cap + total bytes + skeleton size).
+     *   - emit throttled "file changed" system lines on watcher batches.
+     *   - forget removed files from the working set on `unlink`.
+     *
+     * All three are optional - tests and minimal callers pass null /
+     * undefined and the session degrades to "no three-tier integration"
+     * silently. The watcher's own lifecycle is owned by the bootstrap
+     * (we do NOT close it in `close()`).
+     */
+    repoSkeleton;
+    workingSet;
+    watcher;
+    /**
+     * Epoch ms of the last filewatch system line. Initialised to 0 so
+     * the FIRST batch always emits; subsequent batches inside the gap
+     * are coalesced into the next emit window.
+     */
+    lastFilewatchLineAtEpochMs = 0;
+    /**
+     * Buffer of batches whose emission was throttled. Drained on the
+     * next within-window batch by overwriting the throttled line with
+     * a summary that mentions how many additional files were touched.
+     * Capped at PENDING_FILEWATCH_BATCH_CAP to bound memory growth
+     * under long-running noisy filewatch sources (tsc --watch on a
+     * 200-file project hammering for hours). triple-review P1 (PR #380).
+     */
+    pendingFilewatchBatches = [];
+    /**
+     * One-shot guard so the overflow-warning system line emits only once
+     * per session rather than spamming the operator with `[filewatch]
+     * shedding` on every dropped batch.
+     */
+    pendingFilewatchOverflowWarned = false;
+    /**
+     * Bound subscriber refs so close() can detach the listeners from the
+     * shared watcher. The bootstrap owns the watcher lifecycle (it calls
+     * watcher.close() on REPL teardown), but the session MUST detach its
+     * own listeners on close() so any chokidar event landing between
+     * session.close() and watcher.close() does not run handlers on a
+     * dead session. Without detachment, recordFilewatchBatch would
+     * touch this.workingSet / this.transcript on a closed session.
+     * triple-review P1 (PR #380).
+     */
+    filewatchBatchHandler = (batch) => {
+        this.recordFilewatchBatch(batch);
+    };
+    filewatchCapHandler = (info) => {
+        this.recordFilewatchCapExceeded(info);
+    };
+    /**
+     * Rolling dedupe set for `<pugi-ask>` and `<pugi-plan-review>`
+     * signatures. The persona may emit the same envelope twice on network
+     * retry; we suppress the duplicate so the operator does not see two
+     * stacked modals. Capped at 32 entries - generous for a real session,
+     * defensive against a hostile flood. (α6.3.)
+     */
+    seenTagSignatures = [];
+    /**
+     * Per-task buffer for streaming tag detection. The persona's
+     * `<pugi-ask>` open and close tags may arrive in separate
+     * `agent.step` events when the upstream LLM token-streams output
+     * char-by-char. We accumulate the running detail per taskId until a
+     * complete envelope lands OR the turn ends. (α6.3.)
+     */
+    askBuffer = new Map();
+    /**
+     * α6.9 dispatch FSM. One instance owned by the session; transitions
+     * are mirrored into `state.dispatchState` via an onEnter listener so
+     * subscribers see every change. Resets to `idle` after a terminal
+     * transition (`completed` / `failed` / `aborted`) so the next brief
+     * starts clean. Idle is the start state.
+     */
+    // Not readonly: resetFsmToIdle swaps the instance in place on the
+    // next brief after a terminal transition (the FSM does not allow
+    // direct `completed -> awaiting_response`, so we mint a fresh
+    // machine). External read-only access stays via `getDispatchState()`
+    // accessor - callers cannot reach into this private field.
+    fsm = new DispatchFSM();
+    /**
+     * α6.9 cancellation token for the currently in-flight dispatch.
+     * Minted on `dispatchBrief()` and released on terminal transitions.
+     * When non-null, calling `cancel()` aborts the token, closes the SSE
+     * stream, and transitions the FSM to `aborting` → `aborted`.
+     *
+     * Null when `dispatchState === 'idle'` — no dispatch to cancel.
+     */
+    currentDispatchToken = null;
+    /**
+     * R2 P1 fix (Codex triple-review 2026-05-25): monotonic dispatch
+     * sequence id. Incremented on every `dispatchBrief()`. The
+     * agent.spawned handler stamps the current value into
+     * `taskDispatchSeq[event.taskId]`. Terminal handlers
+     * (agent.completed / blocked / failed) check the stamped value
+     * against `dispatchSeq` and short-circuit if the event belongs to
+     * a SUPERSEDED dispatch. Without this gate a stale terminal event
+     * from a prior dispatch would drive the new FSM to terminal and
+     * null the new dispatch's token, leaving brief #2 uncancellable.
+     */
+    dispatchSeq = 0;
+    /**
+     * Per-task dispatch-sequence stamp. Populated on agent.spawned with
+     * the live `dispatchSeq` value. Consulted by terminal handlers to
+     * decide whether the event belongs to the current dispatch (seq
+     * matches) or a superseded one (seq is stale). Entries are NOT
+     * removed on terminal events because a late event from the same
+     * task should still be classified correctly; the map is small
+     * (one entry per spawned subagent in the session lifetime) and
+     * cleared on close().
+     */
+    taskDispatchSeq = new Map();
+    /**
+     * R3 P1 fix (Codex triple-review 2026-05-25): wall-clock guard used to
+     * drop SSE events whose `event.timestamp` predates the current
+     * dispatch. The R2 seq gate alone fails when a LATE `agent.spawned`
+     * from brief #1 arrives AFTER brief #2 mints a new dispatch token:
+     * the late spawn would stamp the OLD taskId with the NEW dispatchSeq
+     * (because `this.dispatchSeq` already advanced), so any subsequent
+     * terminal event for that task would look like it belongs to the new
+     * dispatch and would null the new token.
+     *
+     * Recorded inside `dispatchBrief()` BEFORE bumping `dispatchSeq`, so
+     * any event with `event.timestamp` strictly before this value is
+     * guaranteed to belong to a superseded dispatch and is dropped silently.
+     * Zero means "no dispatch has started yet" and disables the gate.
+     */
+    currentDispatchStartTime = 0;
+    /**
+     * Tracks taskIds that had an `<pugi-ask>` or `<pugi-plan-review>`
+     * envelope mid-stream the last time the parser ran on the buffer. If
+     * the turn ends with this flag still set, we emit a system-line
+     * warning that the persona produced an incomplete tag - the partial
+     * XML is silently dropped (the parser already withheld it from the
+     * cleaned body). Codex triple-review P2 (PR #375).
+     */
+    askBufferPending = new Set();
     constructor(options) {
         this.options = options;
+        this.store = options.store ?? null;
+        this.localSessionId = options.localSessionId;
+        this.repoSkeleton = options.repoSkeleton ?? null;
+        this.workingSet = options.workingSet ?? null;
+        this.watcher = options.watcher ?? null;
+        // Subscribe to the chokidar watcher when present. Late-binding
+        // happens here so the bootstrap can construct the session and
+        // attach the watcher in one pass without re-validating shape.
+        if (this.watcher) {
+            this.watcher.on('batch', this.filewatchBatchHandler);
+            this.watcher.on('capExceeded', this.filewatchCapHandler);
+        }
         this.state = {
             sessionId: undefined,
             workspaceLabel: options.workspaceLabel,
             cliVersion: options.cliVersion,
             connection: 'connecting',
             agents: [],
+            toolCalls: [],
             transcript: [],
             tokensDownstreamTotal: 0,
             briefStartedAtEpochMs: undefined,
+            pendingAsk: null,
+            pendingAskSource: null,
+            pendingPlanReview: null,
+            pendingPlanReviewSource: null,
+            dispatchState: 'idle',
+            dispatchToolLabel: null,
         };
+        // α6.9: mirror every FSM transition into the public state so the
+        // status-bar surface can rerender on the next frame. Local listener
+        // is intentionally cheap — just a patch + clear the per-state tool
+        // label when leaving `tool_running`.
+        this.fsm.onEnter('idle', () => this.patch({ dispatchState: 'idle', dispatchToolLabel: null }));
+        this.fsm.onEnter('awaiting_response', () => this.patch({ dispatchState: 'awaiting_response', dispatchToolLabel: null }));
+        this.fsm.onEnter('tool_running', () => this.patch({ dispatchState: 'tool_running' }));
+        this.fsm.onEnter('aborting', () => this.patch({ dispatchState: 'aborting', dispatchToolLabel: null }));
+        this.fsm.onEnter('aborted', () => this.patch({ dispatchState: 'aborted', dispatchToolLabel: null }));
+        this.fsm.onEnter('completed', () => this.patch({ dispatchState: 'completed', dispatchToolLabel: null }));
+        this.fsm.onEnter('failed', () => this.patch({ dispatchState: 'failed', dispatchToolLabel: null }));
     }
     /* ------------- subscribe / state -------------- */
     subscribe(callback) {
@@ -100,18 +362,72 @@ export class ReplSession {
             });
             this.patch({ sessionId, connection: 'connecting' });
             this.openStream();
+            // alpha 6.13 privacy banner. Fire-and-forget - never blocks the
+            // input box on the network round-trip. The banner is a single
+            // system-line so the operator sees the active mode under the
+            // splash without an extra slash command. Mode is cached on the
+            // session so `/privacy` later renders the live value without a
+            // second fetch. Failure to fetch (offline, unauthenticated,
+            // admin-api down) is silent - the operator can still type
+            // `/privacy` to see the contract.
+            void this.fetchAndAnnouncePrivacyMode().catch(() => undefined);
         }
         catch (error) {
             this.appendSystemLine(`Could not open Pugi session: ${this.errorMessage(error)}`);
             this.patch({ connection: 'offline' });
         }
     }
+    /**
+     * Fetch the tenant's current privacy mode from
+     * `GET /api/admin/privacy/mode`, cache it on the session, and emit
+     * a one-line system banner so the operator sees their active mode
+     * right under the bootstrap splash. Failure is silent - missing
+     * banner is preferable to a noisy "could not fetch privacy mode"
+     * line on every login.
+     *
+     * Triple-review P1 fix (2026-05-25): without this call,
+     * `renderPrivacyBanner` was defined but never reached the wire, and
+     * `/privacy` always rendered with `null` mode.
+     */
+    async fetchAndAnnouncePrivacyMode() {
+        const { renderPrivacyBanner, isPrivacyMode } = await import('./privacy-banner.js');
+        try {
+            const url = `${this.options.apiUrl.replace(/\/+$/, '')}/api/admin/privacy/mode`;
+            const res = await fetch(url, {
+                headers: {
+                    authorization: `Bearer ${this.options.apiKey}`,
+                    accept: 'application/json',
+                },
+            });
+            if (!res.ok) {
+                // Silent fail - banner is decoration, not a blocking surface.
+                return;
+            }
+            const payload = (await res.json());
+            const mode = payload.mode;
+            if (typeof mode === 'string' && isPrivacyMode(mode)) {
+                this.privacyMode = mode;
+                this.appendSystemLine(renderPrivacyBanner(mode));
+            }
+        }
+        catch {
+            // Silent fail - offline / DNS / unauth all collapse to no banner.
+        }
+    }
     /**
      * Tear down the SSE stream and stop the reconnect timer. The session
      * id stays valid server-side; `pugi resume <id>` reopens later.
      */
     close() {
         this.closed = true;
+        // α6.9: fire the cancellation token before tearing down the stream
+        // so any in-flight tool sees the abort signal AND any pending
+        // PostBrief promise can short-circuit. Idempotent — token.abort()
+        // is a no-op when already aborted.
+        if (this.currentDispatchToken) {
+            this.currentDispatchToken.abort();
+            this.currentDispatchToken = null;
+        }
         if (this.streamHandle) {
             this.streamHandle.close();
             this.streamHandle = undefined;
@@ -120,6 +436,116 @@ export class ReplSession {
             clearTimeout(this.reconnectTimer);
             this.reconnectTimer = undefined;
         }
+        // R2 P1: drop the per-task seq stamps on close(). The map is
+        // small but clearing prevents accidental seq-comparison drift if
+        // a resurrected session reuses taskIds (admin-api currently mints
+        // unique ids, but the gate stays robust on either contract).
+        this.taskDispatchSeq.clear();
+        // Detach watcher listeners so any chokidar event landing between
+        // session.close() and the bootstrap-owned watcher.close() does NOT
+        // run a handler on a dead session. The handlers themselves also
+        // hard-guard on `this.closed`, but detaching is the load-bearing
+        // fix - it severs the strong reference the watcher held on the
+        // session callback, which otherwise blocks GC. triple-review P1 (PR #380).
+        if (this.watcher) {
+            this.watcher.off('batch', this.filewatchBatchHandler);
+            this.watcher.off('capExceeded', this.filewatchCapHandler);
+        }
+    }
+    /* ------------- α6.9 cancellation surface -------------- */
+    /**
+     * Operator-driven abort for the in-flight dispatch. Idempotent — a
+     * second call while already in `aborting` / `aborted` is a no-op.
+     *
+     * Steps (in order):
+     *
+     *   1. Snapshot the current state. If terminal or idle, no-op.
+     *   2. Transition the FSM to `aborting` so the bottom-bar shows the
+     *      pending shutdown immediately (the operator gets feedback
+     *      before any IO completes).
+     *   3. Abort the cancellation token. This fans out to every listener
+     *      that was attached during the dispatch — chiefly the SSE
+     *      stream wrapper (which calls `streamHandle.close()`) and any
+     *      mid-flight tool executor that polled `isAborted`.
+     *   4. Append a system line so the conversation reads "Aborted." at
+     *      the operator's last input position.
+     *   5. Transition to `aborted` (terminal). The next operator brief
+     *      mints a fresh token + transitions back to
+     *      `awaiting_response`.
+     *
+     * Returns `true` when an abort was actually issued (state was
+     * non-terminal + non-idle), `false` otherwise.
+     */
+    cancel() {
+        const current = this.fsm.current;
+        if (this.fsm.isTerminal || current === 'idle')
+            return false;
+        // Step 2: transient state (UI sees `aborting` between abort signal
+        // and full shutdown).
+        this.fsm.transition('aborting', 'operator_abort');
+        // Step 3: fire the token so any mid-flight tool executor that
+        // polled `isAborted` shuts down. Token is single-use — clear the
+        // ref AFTER both the abort fan-out AND the stream teardown so any
+        // onAbort listener calling getCurrentDispatchToken() during the
+        // teardown observes the (now-aborted) token rather than null.
+        // Contract: listeners fire first, stream closes second, token
+        // field nulls third. (P2 cancel-ordering fix.)
+        const token = this.currentDispatchToken;
+        if (token) {
+            token.abort();
+        }
+        // Step 3b: tear down the SSE stream so no further `agent.step`
+        // events update the agent tree under the aborted dispatch. The
+        // stream reopens on the NEXT brief via `openStream()` (driven by
+        // dispatchBrief's reset-to-idle path). The session id stays valid
+        // server-side; admin-api keeps the dispatch around for forensic
+        // replay but the client stops listening.
+        if (this.streamHandle) {
+            this.streamHandle.close();
+            this.streamHandle = undefined;
+        }
+        // P2 Codex: clear the SSE cursor on deliberate cancel. The
+        // admin-api Last-Event-ID replay would otherwise re-feed any
+        // buffered events from the cancelled dispatch into the next
+        // brief's stream, polluting the agent tree with ghosts of the
+        // aborted turn. The new brief mints a fresh server-side cursor
+        // anyway, so `undefined` is the correct subscribe arg.
+        this.lastEventId = undefined;
+        // Null the token AFTER stream teardown (see step 3 comment).
+        this.currentDispatchToken = null;
+        // Mark any agents that are still "running" as failed/aborted so
+        // the agent-tree pane reflects reality. We use the existing
+        // `failed` status (the tree pane already knows how to render it)
+        // with a clear detail string so the operator sees WHY.
+        this.patch({
+            agents: this.state.agents.map((a) => a.status === 'queued' || a.status === 'thinking'
+                ? { ...a, status: 'failed', detail: 'aborted by operator' }
+                : a),
+        });
+        // Step 4: visible operator-facing confirmation. Brand voice gate:
+        // single ASCII line, no em-dashes, no emoji.
+        this.appendSystemLine('Aborted.');
+        // Step 5: terminal transition. The FSM will accept a fresh
+        // dispatch on the next brief.
+        this.fsm.transition('aborted', 'operator_abort');
+        // Clear briefStartedAtEpochMs so the status-bar clock resets.
+        this.patch({ briefStartedAtEpochMs: undefined });
+        return true;
+    }
+    /**
+     * Current FSM state. Surfaced for the REPL UI to read on first paint
+     * (subscribe + initial state are decoupled).
+     */
+    getDispatchState() {
+        return this.fsm.current;
+    }
+    /**
+     * Current cancellation token. Returned for the tool execution path
+     * (file-tools.ts) so it can pass the token down into a ToolContext
+     * extension. Null when no dispatch is in flight.
+     */
+    getCurrentDispatchToken() {
+        return this.currentDispatchToken;
     }
     /* ------------- input handling -------------- */
     /**
@@ -183,12 +609,109 @@ export class ReplSession {
                 this.dispatchStatus();
                 return verdict;
             }
+            case 'consensus': {
+                // alpha 6.7: surface a deterministic deep-link so the operator
+                // knows the command exists in the REPL palette even though the
+                // full SSE renderer ships outside the Ink frame. Running the
+                // gate live inside the REPL needs the non-TTY emit path; for
+                // M1 we point the operator at the shell command.
+                const tail = verdict.ref ? ` ${verdict.ref}` : '';
+                this.appendSystemLine(`Run \`pugi review --consensus${tail}\` from a fresh shell to dispatch the 3-model gate.`);
+                return verdict;
+            }
+            case 'resume': {
+                await this.dispatchResume();
+                return verdict;
+            }
+            case 'context': {
+                this.dispatchContext();
+                return verdict;
+            }
+            case 'ask': {
+                // α6.3: synthesise a local yes/no `<pugi-ask>` modal so the
+                // operator can exercise the question UI without a persona-side
+                // round trip. The REPL UI mounts the modal from the resulting
+                // `pendingAsk` state; on resolution the encoded verdict lands
+                // in the transcript as a system line (no admin-api dispatch
+                // because the question is local).
+                const askTag = synthesiseLocalAskTag(verdict.question);
+                if (!askTag) {
+                    this.appendSystemLine('Could not synthesise local ask (question too long?). Cap is 80 chars.');
+                    return verdict;
+                }
+                this.patch({ pendingAsk: askTag, pendingAskSource: 'local' });
+                return verdict;
+            }
+            case 'privacy': {
+                // alpha 6.13: print the full mode contract + current banner
+                // inline. The current mode is resolved lazily by the helper -
+                // when unauthenticated or offline the banner falls back to
+                // "(unknown - mode lookup pending)" and the contract doc still
+                // renders so the operator can read the alternatives.
+                await this.dispatchPrivacy();
+                return verdict;
+            }
             case 'stub': {
                 this.appendSystemLine(verdict.message);
                 return verdict;
             }
         }
     }
+    /**
+     * In-REPL `/privacy` - alpha 6.13. Prints the full 3-mode contract
+     * doc + the current mode banner inline. The current mode is fetched
+     * via the admin-api /api/admin/privacy/mode endpoint when the
+     * operator is authenticated; otherwise the banner falls back to
+     * "(unknown)" and the contract doc still renders so the operator
+     * can compare modes without leaving the REPL.
+     */
+    async dispatchPrivacy() {
+        const { renderPrivacyContractDoc } = await import('./privacy-banner.js');
+        // Triple-review P1 fix (2026-05-25): use the bootstrap-cached mode
+        // so the operator sees the LIVE current mode in the banner header
+        // instead of "(unknown)". The fetch happens once on session start;
+        // if it failed (offline / unauth) the cache stays null and the
+        // banner falls back to "(unknown)" - same UX as before, just with
+        // the happy path actually delivering the mode.
+        const doc = renderPrivacyContractDoc(this.privacyMode);
+        this.appendSystemLine(doc);
+    }
+    /**
+     * In-REPL `/resume` - α6.4. Lists the 10 most recent sessions from
+     * the local SessionStore and prints them as a numbered system menu.
+     * The Ink-side picker UI is deferred to the next sprint; today the
+     * operator gets a deterministic list + the exact command to relaunch
+     * with: `pugi resume <id>`. Keeping the picker out of the REPL
+     * frame avoids re-architecting the conversation pane mid-sprint and
+     * keeps `/resume` testable without an Ink runtime.
+     */
+    async dispatchResume() {
+        if (!this.store) {
+            this.appendSystemLine('Local session store is disabled - /resume is unavailable.');
+            return;
+        }
+        let rows;
+        try {
+            rows = await this.store.listSessions({ limit: 10 });
+        }
+        catch (error) {
+            this.appendSystemLine(`Could not list sessions: ${this.errorMessage(error)}`);
+            return;
+        }
+        if (rows.length === 0) {
+            this.appendSystemLine('No stored sessions yet - keep dispatching to build history.');
+            return;
+        }
+        this.appendSystemLine(`Recent sessions (${rows.length}):`);
+        for (let i = 0; i < rows.length; i += 1) {
+            const row = rows[i];
+            const title = (row.title ?? '(untitled)').slice(0, 64);
+            const idShort = row.id.slice(0, 13);
+            const branch = row.branch ?? 'no-branch';
+            this.appendSystemLine(`  ${(i + 1).toString().padStart(2)}. ${idShort}  ${branch.padEnd(16)}  ${title}`);
+        }
+        this.appendSystemLine('Pick one with: pugi resume <id> (paste the 13-char id from above).');
+    }
     /**
      * Reset the conversation transcript. The agent registry stays intact
      * so the operator can `/clear` to declutter the chat pane without
@@ -197,6 +720,173 @@ export class ReplSession {
     clearTranscript() {
         this.patch({ transcript: [] });
     }
+    /* ------------- α6.3 office-hours surface -------------- */
+    /**
+     * Surface an `<pugi-ask>` modal manually. Returned promise resolves
+     * with the operator's verdict - used by the `pugi ask "<q>"` shell
+     * command and by the `/ask` slash. The resolver is wired into the
+     * session state via `pendingAsk` so the REPL UI can render the modal
+     * and forward `onResolve` back through `resolveAsk()`.
+     *
+     * NOTE: idempotent on a duplicate signature - a second presentAsk
+     * with the same question + option values returns the first
+     * outstanding promise rather than stacking two modals.
+     */
+    presentAsk(tag) {
+        if (this.outstandingAskPromise
+            && this.state.pendingAsk?.signature === tag.signature) {
+            // The operator is already looking at this exact ask; reuse the
+            // outstanding promise so the second caller sees the same answer
+            // when it eventually arrives.
+            return this.outstandingAskPromise;
+        }
+        // If a DIFFERENT ask is open, reject the new one with a clear
+        // error rather than silently queueing - the persona should never
+        // emit two concurrent asks, and surfacing the bug fails loud.
+        if (this.outstandingAskPromise) {
+            return Promise.reject(new Error('presentAsk: another ask is already pending. Resolve it first.'));
+        }
+        this.patch({ pendingAsk: tag, pendingAskSource: 'persona' });
+        const promise = new Promise((resolve) => {
+            this.outstandingAskResolver = resolve;
+        });
+        this.outstandingAskPromise = promise;
+        return promise;
+    }
+    /**
+     * Resolve the currently pending `<pugi-ask>` modal. Called by the
+     * REPL UI when the operator submits the modal. Appends an operator
+     * line to the transcript carrying the verdict, dispatches the
+     * verdict-encoded brief to admin-api as the next user turn (when the
+     * modal originated from a persona stream), and clears `pendingAsk`.
+     * Idempotent: a second call without a fresh `pendingAsk` is a no-op.
+     *
+     * The verdict is also forwarded to the resolver returned by
+     * `presentAsk()` if there is one outstanding, so the CLI's `pugi ask`
+     * command can await the answer.
+     *
+     * Cancellation contract (Claude triple-review P1): when the modal
+     * came from a persona stream, cancel ALSO dispatches a literal
+     * `[ASK-RESPONSE:cancelled]` to admin-api so the persona observes the
+     * cancellation rather than hanging indefinitely on the missing
+     * follow-up. The matching documentation in the Mira system prompt
+     * teaches the persona to acknowledge cancellation and offer a
+     * different path. Local-origin modals (synthesised via `/ask`) skip
+     * the dispatch entirely - the persona never saw the question.
+     *
+     * Free-text sanitisation (Claude triple-review P1): the operator's
+     * customInput is stripped of any leading `[ASK-RESPONSE:...]` /
+     * `[PLAN-VERDICT:...]` prefix before being encoded, so a malicious
+     * (or accidental) operator string cannot forge a verdict header that
+     * a prefix-greedy persona would misinterpret as a different choice.
+     */
+    async resolveAsk(verdict) {
+        if (!this.state.pendingAsk)
+            return;
+        const tag = this.state.pendingAsk;
+        const source = this.state.pendingAskSource;
+        const sanitisedVerdict = sanitiseAskVerdict(verdict);
+        this.patch({ pendingAsk: null, pendingAskSource: null });
+        const encoded = encodeAskVerdictLocal(sanitisedVerdict);
+        // Tell the outstanding presentAsk caller, if any. The sanitised
+        // verdict is forwarded so downstream consumers cannot be tricked
+        // by a forged verdict header either.
+        if (this.outstandingAskResolver) {
+            const resolver = this.outstandingAskResolver;
+            this.outstandingAskResolver = undefined;
+            this.outstandingAskPromise = undefined;
+            resolver(sanitisedVerdict);
+        }
+        // Surface the operator's choice as a transcript row so the
+        // conversation reads linearly. The label of the chosen option
+        // (or the literal custom input) is more readable than the bare
+        // value - Codex CLI's "you chose: Vercel" pattern.
+        const humanLabel = humanLabelForVerdict(tag, sanitisedVerdict);
+        this.appendOperatorLine(humanLabel);
+        // Local-origin modals (operator typed `/ask`) never need an
+        // admin-api round trip - the persona never observed the question.
+        // Codex triple-review P2.
+        if (source !== 'persona')
+            return;
+        // Persona-origin modals always dispatch, including on cancel:
+        // without the cancellation echo the persona's last turn stays open
+        // and the agent hangs. Claude triple-review P1.
+        await this.dispatchAskFollowup(encoded);
+    }
+    /**
+     * Same shape as `presentAsk` for the plan-review modal.
+     */
+    presentPlanReview(tag) {
+        if (this.outstandingPlanReviewPromise
+            && this.state.pendingPlanReview?.signature === tag.signature) {
+            return this.outstandingPlanReviewPromise;
+        }
+        if (this.outstandingPlanReviewPromise) {
+            return Promise.reject(new Error('presentPlanReview: another plan review is already pending.'));
+        }
+        this.patch({ pendingPlanReview: tag, pendingPlanReviewSource: 'persona' });
+        const promise = new Promise((resolve) => {
+            this.outstandingPlanReviewResolver = resolve;
+        });
+        this.outstandingPlanReviewPromise = promise;
+        return promise;
+    }
+    /**
+     * Resolve the currently pending `<pugi-plan-review>` modal. Same
+     * mechanics as `resolveAsk` - including the cancel-dispatch contract
+     * and modifyText sanitisation. The persona always sees a
+     * `[PLAN-VERDICT:...]` echo (even on cancel) so it never hangs
+     * waiting for the verdict that the operator declined to send.
+     */
+    async resolvePlanReview(result) {
+        if (!this.state.pendingPlanReview)
+            return;
+        const source = this.state.pendingPlanReviewSource;
+        const sanitisedResult = sanitisePlanReviewResult(result);
+        this.patch({ pendingPlanReview: null, pendingPlanReviewSource: null });
+        const encoded = encodePlanReviewVerdictLocal(sanitisedResult);
+        if (this.outstandingPlanReviewResolver) {
+            const resolver = this.outstandingPlanReviewResolver;
+            this.outstandingPlanReviewResolver = undefined;
+            this.outstandingPlanReviewPromise = undefined;
+            resolver(sanitisedResult);
+        }
+        this.appendOperatorLine(humanLabelForPlanReviewVerdict(sanitisedResult));
+        // Local-origin plan reviews skip the dispatch (Codex P2). Persona
+        // origin always dispatches, including on cancel (Claude P1).
+        if (source !== 'persona')
+            return;
+        await this.dispatchAskFollowup(encoded);
+    }
+    /**
+     * Internal: post the verdict-encoded brief WITHOUT going through the
+     * cap-warning gate. The follow-up is the natural continuation of the
+     * same conversation the persona started, so blocking it on capacity
+     * would strand the operator with no way to answer.
+     */
+    async dispatchAskFollowup(encodedBrief) {
+        const sessionId = this.state.sessionId;
+        if (!sessionId) {
+            this.appendSystemLine('No server session - response queued locally.');
+            return;
+        }
+        try {
+            await this.options.transport.postBrief({
+                apiUrl: this.options.apiUrl,
+                apiKey: this.options.apiKey,
+                sessionId,
+                brief: encodedBrief,
+            });
+        }
+        catch (error) {
+            this.appendSystemLine(`Could not forward response: ${this.errorMessage(error)}`);
+        }
+    }
+    // ----- Outstanding resolver bookkeeping for presentAsk / presentPlanReview -----
+    outstandingAskResolver;
+    outstandingAskPromise;
+    outstandingPlanReviewResolver;
+    outstandingPlanReviewPromise;
     /* ------------- Tier 1 / Tier 2 wired handlers -------------- */
     async dispatchJobs() {
         try {
@@ -265,6 +955,129 @@ export class ReplSession {
         this.appendSystemLine(`Workspace: ${this.state.workspaceLabel}.`);
         this.appendSystemLine(`CLI: pugi ${this.state.cliVersion}.`);
     }
+    /**
+     * α6.5 `/context` slash handler. Surfaces the three-tier context
+     * summary as a stack of system lines. Sections (in order):
+     *
+     *   1. Tier 0 (repo skeleton) - size in bytes, branch, package
+     *      manager, languages. Skipped when no skeleton was injected
+     *      (REPL launched outside a workspace or with --no-context).
+     *
+     *   2. Tier 1 (working set) - `count / capacity` plus the total
+     *      size in bytes plus the oldest entry's age in seconds.
+     *      Always emits even when empty so the operator can confirm
+     *      the tier is wired.
+     *
+     *   3. Tier 2 (RAG) - one-line heads-up that the Anvil-side
+     *      workspace lands in α6.5b.
+     *
+     * The renderer never mutates state.
+     */
+    dispatchContext() {
+        if (this.repoSkeleton) {
+            const parts = [`Tier 0 skeleton: ${this.repoSkeleton.totalSize} bytes`];
+            if (this.repoSkeleton.branch)
+                parts.push(`branch ${this.repoSkeleton.branch}`);
+            if (this.repoSkeleton.packageManager)
+                parts.push(this.repoSkeleton.packageManager);
+            if (this.repoSkeleton.primaryLanguages.length > 0) {
+                parts.push(`langs ${this.repoSkeleton.primaryLanguages.slice(0, 3).join('/')}`);
+            }
+            this.appendSystemLine(parts.join(' - '));
+        }
+        else {
+            this.appendSystemLine('Tier 0 skeleton: not loaded (run pugi init or launch in a workspace).');
+        }
+        if (this.workingSet) {
+            const summary = this.workingSet.summary();
+            const ageLine = summary.oldestTouchedAtEpochMs !== null
+                ? ` - oldest touch ${formatAgeSeconds(this.now() - summary.oldestTouchedAtEpochMs)} ago`
+                : '';
+            this.appendSystemLine(`Tier 1 working set: ${summary.count}/${summary.capacity} files, ${summary.totalSizeBytes} bytes${ageLine}.`);
+        }
+        else {
+            this.appendSystemLine('Tier 1 working set: not wired.');
+        }
+        this.appendSystemLine('Tier 2 RAG: deferred to α6.5b (Anvil-side per-tenant workspace).');
+    }
+    /**
+     * α6.5 chokidar batch handler. Forwards each event to the working
+     * set tracker (so `unlink` evicts and `add`/`change` bump the
+     * recency) and emits at most one throttled system line per
+     * `FILEWATCH_SYSTEM_LINE_GAP_MS` window.
+     *
+     * The transcript surface intentionally shows ONE filename + the
+     * count of additional changes (`file changed: src/foo.ts (+3 more)`).
+     * The full event list is preserved in the buffer for future
+     * `/context --files` deep-dive (not in α6.5 Phase 1).
+     */
+    recordFilewatchBatch(batch) {
+        // Hard-guard against post-close invocation. close() detaches the
+        // watcher listeners, but the EventEmitter contract allows the
+        // currently-dispatching emit() call to finish delivering to every
+        // listener captured at the start of emit(). If the session closes
+        // mid-emit, the handler can still fire on a dead session. Returning
+        // early keeps the working set + transcript untouched.
+        // triple-review P1 (PR #380).
+        if (this.closed)
+            return;
+        if (this.workingSet) {
+            for (const event of batch.events) {
+                if (event.kind === 'unlink') {
+                    this.workingSet.forget(event.absPath);
+                }
+                // Note: we do NOT auto-track add/change here. The working set
+                // reflects files the AGENT touched - filewatch is informational.
+                // Future wiring: bash/read/edit tools will call track() directly.
+            }
+        }
+        const nowMs = this.now();
+        const sinceLast = nowMs - this.lastFilewatchLineAtEpochMs;
+        if (sinceLast < FILEWATCH_SYSTEM_LINE_GAP_MS && this.lastFilewatchLineAtEpochMs !== 0) {
+            // Inside the throttle window - buffer for future deep-dive but
+            // do not emit a system line. Cap the buffer at
+            // PENDING_FILEWATCH_BATCH_CAP and drop the oldest on overflow so
+            // a noisy filewatch source cannot drive unbounded memory growth
+            // across a long REPL session. triple-review P1 (PR #380).
+            if (this.pendingFilewatchBatches.length >= PENDING_FILEWATCH_BATCH_CAP) {
+                this.pendingFilewatchBatches.shift();
+                if (!this.pendingFilewatchOverflowWarned) {
+                    this.pendingFilewatchOverflowWarned = true;
+                    this.appendSystemLine(`Filewatch buffer at cap (${PENDING_FILEWATCH_BATCH_CAP} batches) - shedding oldest. Source may be a build watcher in a tight loop.`);
+                }
+            }
+            this.pendingFilewatchBatches.push(batch);
+            return;
+        }
+        const totalEvents = this.pendingFilewatchBatches.reduce((acc, b) => acc + b.events.length, 0) + batch.events.length;
+        const head = batch.events[0];
+        if (!head) {
+            // Empty batch - should not happen given the watcher guards,
+            // but defensive.
+            this.pendingFilewatchBatches = [];
+            return;
+        }
+        const wsLine = this.workingSet
+            ? ` (working set: ${this.workingSet.size()}/${this.workingSet.capacityLimit()})`
+            : '';
+        const tail = totalEvents > 1 ? ` (+${totalEvents - 1} more)` : '';
+        this.appendSystemLine(`file ${head.kind}: ${head.path}${tail}${wsLine}`);
+        this.lastFilewatchLineAtEpochMs = nowMs;
+        this.pendingFilewatchBatches = [];
+    }
+    /**
+     * α6.5 chokidar cap-exceeded handler. The watcher closes itself
+     * when it crosses the watched-paths cap; the session surfaces a
+     * single system line so the operator knows live updates are off.
+     * The conversation stays usable - we just lose the file-changed
+     * badge for the rest of the session.
+     */
+    recordFilewatchCapExceeded(info) {
+        // Same post-close guard as recordFilewatchBatch. triple-review P1 (PR #380).
+        if (this.closed)
+            return;
+        this.appendSystemLine(`Filewatch off: ${info.watchedCount} watched paths exceeded cap (${info.cap}). Falling back to manual stat-on-read.`);
+    }
     /**
      * Fetch one URL via the web_fetch tool and inject the resulting
      * Markdown into the transcript as an operator-attributed brief. The
@@ -324,6 +1137,92 @@ export class ReplSession {
         }
         this.appendOperatorLine(brief);
         this.patch({ briefStartedAtEpochMs: this.now() });
+        // α6.9 + R3 P1 (Codex triple-review 2026-05-25): supersede the
+        // prior dispatch when one is in flight. Steps in order:
+        //
+        //   1. Abort the old CancellationToken so any in-flight tool
+        //      holding `ctx.cancellation` sees `isAborted = true` and bails
+        //      (the R2 fix; preserves the file-tools cancellation gate).
+        //   2. Drive the OLD FSM through `aborting -> aborted` terminal.
+        //      This is load-bearing for the R3 race: a LATE event arriving
+        //      on the old FSM (`agent.spawned`, `agent.step`, terminal,
+        //      etc.) before the timestamp gate trips would otherwise still
+        //      attempt to transition the new FSM. Driving the old FSM to a
+        //      terminal state means the FSM check in
+        //      `advanceFsmOnDispatchEnd` (`isTerminal`) short-circuits as a
+        //      defense-in-depth layer.
+        //   3. `resetFsmToIdle()` mints a fresh FSM so the new dispatch
+        //      starts clean. The FSM legal-transition matrix forbids
+        //      `aborted -> awaiting_response`, so the reset is required.
+        //   4. Record `currentDispatchStartTime` BEFORE bumping
+        //      `dispatchSeq` + clearing `taskDispatchSeq`. The timestamp
+        //      gate in `handleServerEvent` checks
+        //      `event.timestamp < currentDispatchStartTime` to drop late
+        //      events from any superseded dispatch (including the late
+        //      `agent.spawned` that the R2 seq gate could not catch).
+        //   5. Clear `taskDispatchSeq` so any stamp left over from the old
+        //      dispatch cannot influence seq comparisons for the new turn.
+        //   6. Bump `dispatchSeq` and mint a fresh `CancellationToken`.
+        //
+        // If no prior dispatch is in flight (clean idle / terminal entry),
+        // the supersede block is skipped; we only reset the FSM if it sits
+        // in a terminal state from the prior turn.
+        if (this.currentDispatchToken) {
+            // Step 1: abort the old token. Listeners (including the
+            // file-tools cancellation gate) fan out before we replace the
+            // field below.
+            this.currentDispatchToken.abort();
+            // Step 2: walk the old FSM to terminal. Guard against an FSM
+            // that already sits in `aborting` or a terminal state - the
+            // legal-transition matrix forbids `aborting -> aborting` and
+            // forbids any outgoing transition from terminal states.
+            if (!this.fsm.isTerminal) {
+                if (this.fsm.current !== 'aborting') {
+                    this.fsm.transition('aborting', 'superseded_by_new_brief');
+                }
+                this.fsm.transition('aborted', 'superseded_by_new_brief');
+            }
+            // Step 3: fresh FSM so the new dispatch can walk
+            // `idle -> awaiting_response` cleanly.
+            this.resetFsmToIdle();
+        }
+        else if (this.fsm.isTerminal) {
+            // Prior turn ended naturally (completed / failed / aborted) with
+            // no live token left around. Reset only the FSM.
+            this.resetFsmToIdle();
+        }
+        // Step 4: record the dispatch start time BEFORE bumping the seq.
+        // The timestamp gate in `handleServerEvent` reads this value to
+        // decide whether an inbound event predates the live dispatch and
+        // should be dropped. Recording before the seq bump is critical:
+        // any concurrent SSE event landing between this line and the seq
+        // bump must still see a strictly-monotonic timestamp boundary.
+        this.currentDispatchStartTime = this.now();
+        // Step 5: clear the per-task seq stamps. Any leftover stamp from a
+        // superseded dispatch would otherwise look like it matched the new
+        // dispatchSeq (because the late `agent.spawned` for that taskId
+        // could stamp the OLD taskId with the NEW seq), nulling the new
+        // token via a stale terminal event. The timestamp gate is the
+        // primary defense; the clear is belt-and-braces.
+        this.taskDispatchSeq.clear();
+        // Step 6: bump seq + mint fresh token.
+        this.dispatchSeq += 1;
+        this.currentDispatchToken = new CancellationToken();
+        // The FSM is now `idle` (either fresh-start or post-reset). Walk
+        // to `awaiting_response` so the bottom-bar surface picks up the
+        // new dispatch state immediately.
+        if (this.fsm.current === 'idle') {
+            this.fsm.transition('awaiting_response', 'brief_dispatched');
+        }
+        // α6.9: re-open the SSE stream if a prior `cancel()` tore it
+        // down. Without this, the new brief would dispatch on admin-api
+        // but the client would never observe `agent.spawned` / `step` /
+        // `completed` — the operator would see a stalled status bar
+        // forever. Idempotent: openStream() short-circuits when a handle
+        // already exists or the session is closed.
+        if (!this.streamHandle && !this.closed) {
+            this.openStream();
+        }
         try {
             await this.options.transport.postBrief({
                 apiUrl: this.options.apiUrl,
@@ -334,7 +1233,78 @@ export class ReplSession {
         }
         catch (error) {
             this.appendSystemLine(`Brief dispatch refused: ${this.errorMessage(error)}`);
+            // α6.9: a failed brief POST never produced a turn, so we move
+            // the FSM straight to `failed` so the bottom-bar surfaces the
+            // outcome and the next brief can mint a fresh token.
+            this.markDispatchFailed('post_brief_failed');
+        }
+    }
+    /**
+     * α6.9: reset the FSM to `idle` after a terminal transition so the
+     * next brief can start. The FSM does not allow direct
+     * `completed -> awaiting_response`, so we mint a fresh FSM by
+     * overwriting the field. Listeners on the old FSM are dropped (they
+     * cannot fire again — terminal states have no outgoing transitions).
+     * The state.dispatchState patch happens via the new FSM's listeners
+     * which we re-attach immediately.
+     */
+    resetFsmToIdle() {
+        // Re-attach the same listeners on a fresh FSM instance. We cannot
+        // mutate `this.fsm` because it is `readonly`; but we mark it as
+        // mutable for this single reset path.
+        const next = new DispatchFSM();
+        next.onEnter('idle', () => this.patch({ dispatchState: 'idle', dispatchToolLabel: null }));
+        next.onEnter('awaiting_response', () => this.patch({ dispatchState: 'awaiting_response', dispatchToolLabel: null }));
+        next.onEnter('tool_running', () => this.patch({ dispatchState: 'tool_running' }));
+        next.onEnter('aborting', () => this.patch({ dispatchState: 'aborting', dispatchToolLabel: null }));
+        next.onEnter('aborted', () => this.patch({ dispatchState: 'aborted', dispatchToolLabel: null }));
+        next.onEnter('completed', () => this.patch({ dispatchState: 'completed', dispatchToolLabel: null }));
+        next.onEnter('failed', () => this.patch({ dispatchState: 'failed', dispatchToolLabel: null }));
+        // Swap the instance - the FSM does not allow direct
+        // `<terminal> -> awaiting_response`, so the next brief needs a
+        // fresh machine to walk from `idle`. Clean assignment (no cast)
+        // because `fsm` is no longer declared readonly.
+        this.fsm = next;
+        // State patch so subscribers see the idle transition immediately.
+        this.patch({ dispatchState: 'idle', dispatchToolLabel: null });
+    }
+    /**
+     * α6.9: short-circuit the FSM to `failed` on a non-recoverable
+     * dispatch error (network refusal, malformed event, etc). Idempotent
+     * — a second call from a terminal state is a no-op.
+     */
+    markDispatchFailed(reason) {
+        if (this.fsm.isTerminal)
+            return;
+        if (this.fsm.current === 'idle')
+            return;
+        // From `awaiting_response` or `tool_running` we can transition to
+        // `failed` directly per the legal-transition matrix. From `aborting`
+        // the only legal move is `aborted`, so skip — the abort path is
+        // already in motion.
+        if (this.fsm.current === 'aborting')
+            return;
+        this.fsm.transition('failed', reason);
+        // α6.9 P1 fix (Claude triple-review): postBrief threw between
+        // openStream() and dispatch registration server-side. The local
+        // SSE handle is open but listening for events under a dispatchId
+        // the admin-api never created. If we leave it open, any inbound
+        // event for a future dispatch on the same session would drive
+        // the FSM from terminal `failed` -> illegal target and throw
+        // IllegalDispatchTransitionError. Tear down so the next brief
+        // re-opens cleanly via dispatchBrief's openStream() gate.
+        //
+        // R2 P2 fix (Claude triple-review 2026-05-25): tear down the
+        // stream BEFORE nulling the token. Same ordering contract as
+        // `cancel()`: any onAbort listener fired during teardown should
+        // observe the (now-aborted) token via getCurrentDispatchToken()
+        // rather than null. Nulling the token first would race the
+        // teardown's listener fan-out against a stale null read.
+        if (this.streamHandle) {
+            this.streamHandle.close();
+            this.streamHandle = undefined;
         }
+        this.currentDispatchToken = null;
     }
     async dispatchStop(persona) {
         const sessionId = this.state.sessionId;
@@ -382,12 +1352,131 @@ export class ReplSession {
             onError: (error) => {
                 if (this.closed)
                     return;
+                // α6.14.2 wave 5: when admin-api restarts it drops the in-memory
+                // session store, so subscribe returns HTTP 404 forever on the
+                // saved sessionId. Detect that case and mint a fresh server
+                // session silently rather than spamming the operator with
+                // "Stream interrupted (HTTP 404)" reconnect lines. Capped to
+                // MAX_SESSION_RECREATE_ATTEMPTS inside SESSION_RECREATE_WINDOW_MS
+                // so a permanently down admin-api fails loud.
+                //
+                // Race guard (triple-review P2 follow-up): the SSE transport can
+                // fire onError synchronously a second time while we are tearing
+                // down the dead stream inside recreateSessionSilently (the
+                // streamHandle.close() call there can flush a pending error
+                // synchronously in some transports). If that second 404 arrives
+                // with recreatingSession === true, we must SHORT-CIRCUIT it too
+                // rather than fall through to the legacy "Stream interrupted"
+                // path - otherwise the operator sees the exact 404 line the
+                // recreate is trying to suppress.
+                if (this.isSessionNotFoundError(error)) {
+                    if (this.recreatingSession) {
+                        // Recreate already in flight - drop the duplicate 404 on the
+                        // floor. The first recreate will either succeed (new stream
+                        // opens, this dead handle is gone) or fall through to the
+                        // loud "keeps dropping" / "session recreate refused" paths
+                        // already defined in recreateSessionSilently.
+                        return;
+                    }
+                    this.patch({ connection: 'reconnecting' });
+                    void this.recreateSessionSilently();
+                    return;
+                }
+                // α6.14.4 CEO dogfood 2026-05-25 (parity with Claude Code):
+                // collapse the repeated "Stream interrupted (fetch failed).
+                // Reconnecting." spam. The status bar already shows
+                // connection='reconnecting' AND the attempt counter; pushing
+                // a fresh transcript row per attempt fills the screen with
+                // noise. Only emit the system line for the FIRST drop of a
+                // run; subsequent reconnects update the status bar silently
+                // until either success (clears the connection state) or the
+                // give-up path in scheduleReconnect prints the final hint.
+                const wasOnline = this.state.connection === 'on_watch'
+                    || this.state.connection === 'connecting';
                 this.patch({ connection: 'reconnecting' });
-                this.appendSystemLine(`Stream interrupted (${this.errorMessage(error)}). Reconnecting.`);
+                if (wasOnline) {
+                    this.appendSystemLine(`Stream interrupted (${this.errorMessage(error)}). Reconnecting...`);
+                }
                 this.scheduleReconnect();
             },
         });
     }
+    /**
+     * Detect "session not found" from the SSE transport. The production
+     * transport in `repl-render.tsx` wraps non-2xx responses as
+     * `Error("HTTP 404 on SSE stream")`. We pattern-match on the status
+     * 404 so a different transport (e.g. a test fake or a future polling
+     * fallback) can surface the same intent with the same shape.
+     * (α6.14.2 wave 5.)
+     */
+    isSessionNotFoundError(error) {
+        const msg = this.errorMessage(error);
+        return /\b404\b/.test(msg);
+    }
+    /**
+     * Mint a fresh server-side session, swap the consumer to the new
+     * stream URL, keep the conversation flowing. Caps at
+     * MAX_SESSION_RECREATE_ATTEMPTS inside SESSION_RECREATE_WINDOW_MS so
+     * a permanently down admin-api fails loud after a few seconds of
+     * trying. Logged once per attempt at debug level (we surface a
+     * single visible line on first auto-recreate so the operator knows
+     * what happened, then stay quiet). (α6.14.2 wave 5.)
+     */
+    async recreateSessionSilently() {
+        if (this.closed)
+            return;
+        if (this.recreatingSession)
+            return;
+        const nowMs = this.now();
+        // Drop stale window entries so the cap is rolling, not cumulative.
+        while (this.recentRecreateAtMs.length > 0
+            && nowMs - (this.recentRecreateAtMs[0] ?? 0) > SESSION_RECREATE_WINDOW_MS) {
+            this.recentRecreateAtMs.shift();
+        }
+        if (this.recentRecreateAtMs.length >= MAX_SESSION_RECREATE_ATTEMPTS) {
+            // Cap exceeded - fall back to the loud "give up" path so the
+            // operator sees something is actually wrong.
+            this.appendSystemLine('Admin API session keeps dropping (HTTP 404 x3). Type /quit and `pugi resume` to retry.');
+            this.patch({ connection: 'offline' });
+            return;
+        }
+        this.recreatingSession = true;
+        this.recentRecreateAtMs.push(nowMs);
+        // Tear down the dead SSE handle so the next openStream() does not
+        // close-over the stale sessionId.
+        if (this.streamHandle) {
+            this.streamHandle.close();
+            this.streamHandle = undefined;
+        }
+        // Reset reconnect attempt + lastEventId - the new session is a
+        // fresh stream, not a continuation of the dead one.
+        this.reconnectAttempt = 0;
+        this.lastEventId = undefined;
+        // Single visible line on the FIRST auto-recreate of the window so
+        // the operator knows the CLI is recovering; later recreates in
+        // the same window stay silent.
+        if (this.recentRecreateAtMs.length === 1) {
+            this.appendSystemLine('Admin API restarted - minting a fresh session.');
+        }
+        try {
+            const { sessionId } = await this.options.transport.createSession({
+                apiUrl: this.options.apiUrl,
+                apiKey: this.options.apiKey,
+                workspace: this.options.workspace,
+            });
+            this.patch({ sessionId, connection: 'connecting' });
+            this.openStream();
+        }
+        catch (error) {
+            // The recreate POST itself failed - fall back to the existing
+            // backoff reconnect so the operator still sees retry progress.
+            this.appendSystemLine(`Session recreate refused (${this.errorMessage(error)}). Reconnecting.`);
+            this.scheduleReconnect();
+        }
+        finally {
+            this.recreatingSession = false;
+        }
+    }
     scheduleReconnect() {
         if (this.closed)
             return;
@@ -405,13 +1494,38 @@ export class ReplSession {
     }
     /* ------------- event reducer -------------- */
     handleServerEvent(event) {
+        // R3 P1 fix (Codex triple-review 2026-05-25): wall-clock gate that
+        // drops events from a SUPERSEDED dispatch. The R2 seq gate alone
+        // could not catch a LATE `agent.spawned` for an old taskId arriving
+        // AFTER `dispatchBrief` already bumped `dispatchSeq`. The late
+        // spawn would stamp the OLD taskId with the NEW seq, so the
+        // subsequent terminal event for that task looked current and
+        // nulled the freshly minted token. Comparing `event.timestamp`
+        // against `currentDispatchStartTime` (recorded BEFORE the seq
+        // bump) catches the late event before it can corrupt the seq map
+        // or drive the live FSM.
+        //
+        // `Date.parse` returns NaN on malformed input; we treat NaN as
+        // "unknown timestamp, do not drop" so a transport bug never
+        // silently swallows events. Zero `currentDispatchStartTime` means
+        // no dispatch has started yet (start() path) — same fail-open.
+        const eventTs = event.timestamp ? Date.parse(event.timestamp) : 0;
+        if (Number.isFinite(eventTs)
+            && eventTs > 0
+            && this.currentDispatchStartTime > 0
+            && eventTs < this.currentDispatchStartTime) {
+            // Late event from a superseded dispatch. Drop silently — the
+            // operator already saw the new brief land, and the new dispatch
+            // owns the surface now.
+            return;
+        }
         switch (event.type) {
             case 'agent.spawned': {
                 const persona = safePersonaName(event.role);
                 // Wave 4 fix 2026-05-25: the roster collapses to one row per
                 // persona slug. The α5.7 reducer pushed a fresh row on every
                 // spawn, so after three turns the bottom panel stacked
-                // "Mira orchestrator shipped" three times. The new contract:
+                // "Pugi orchestrator shipped" three times. The new contract:
                 //   - If a row already exists for this personaSlug, REUSE it.
                 //     Replace its taskId, reset status to 'queued', clear the
                 //     detail line, restart the duration clock, zero the token
@@ -441,26 +1555,64 @@ export class ReplSession {
                 else {
                     this.patch({ agents: [node, ...this.state.agents] });
                 }
+                // R2 P1 fix (Codex triple-review 2026-05-25): stamp the live
+                // dispatch sequence onto this taskId so terminal handlers can
+                // tell apart a "current dispatch" event from a "superseded
+                // dispatch" event. See `dispatchSeq` + `taskDispatchSeq`
+                // field comments.
+                this.taskDispatchSeq.set(event.taskId, this.dispatchSeq);
                 // The conversation pane already prefixes persona rows with the
                 // persona name in the persona's hue colour. Skip embedding the
                 // name in the body text to avoid the `Marcus Marcus dispatched`
                 // double-print. `void persona` keeps the resolved name in scope
                 // for the agent tree node above without leaking it into the
                 // transcript body.
+                // α6.14.3 CEO dogfood 2026-05-25: drop the "dispatched (X)"
+                // transcript echo. The agent tree pane already shows the
+                // spawned state; printing it as a persona row is pure noise
+                // between the operator's brief and the persona's real reply.
                 void persona;
-                this.appendPersonaLine(event.personaSlug, `dispatched (${event.role}).`);
                 return;
             }
             case 'agent.step': {
+                // α6.3 office-hours: scan the running buffer for `<pugi-ask>` /
+                // `<pugi-plan-review>` envelopes BEFORE we cache the detail.
+                // The parser returns the cleaned remainder with the raw XML
+                // stripped, so the operator never sees the envelope as prose.
+                // Streaming partial tags (open seen, close not yet streamed)
+                // are kept in the buffer; the next step event extends it.
+                const sanitised = this.consumeAskAndPlanReviewTags(event.taskId, event.detail);
                 // Cache the running detail per task so we can surface the
                 // model's actual reply when agent.completed lands (otherwise
                 // the reply disappears under the literal 'shipped' patch).
-                if (event.detail && event.detail.trim().length > 0) {
-                    this.lastStepDetail.set(event.taskId, event.detail);
+                if (sanitised && sanitised.trim().length > 0) {
+                    this.lastStepDetail.set(event.taskId, sanitised);
+                }
+                // α6.12: synthesise a tool call entry when the step detail
+                // matches a tool-invocation grammar. The pattern is generous
+                // (Read(path) / Edit(path:lines) / Bash(cmd) / Grep(pat) /
+                // Glob(pat) / WebFetch(url)) so the pane has rows to render
+                // before the admin-api side ships the proper tool.* SSE events.
+                // Use the sanitised detail (post-tag-strip) so a `<pugi-ask>`
+                // envelope never produces a phantom tool row.
+                const synthesised = synthesiseToolCall({
+                    taskId: event.taskId,
+                    detail: sanitised,
+                    agent: this.personaSlugForTask(event.taskId),
+                    now: this.now(),
+                });
+                if (synthesised) {
+                    this.appendToolCall(synthesised);
+                    // α6.9: a fresh tool call moves the FSM to `tool_running`
+                    // when the dispatch is still active. The status-bar surface
+                    // also gets a short label (`tool: read`, `tool: bash`, etc).
+                    // Aborting / terminal states are not allowed to transition
+                    // here — we silently skip rather than throw.
+                    this.advanceFsmOnToolStart(synthesised.tool);
                 }
                 this.patch({
                     agents: this.state.agents.map((a) => a.taskId === event.taskId
-                        ? { ...a, status: 'thinking', detail: event.detail }
+                        ? { ...a, status: 'thinking', detail: sanitised || event.detail }
                         : a),
                 });
                 return;
@@ -483,11 +1635,22 @@ export class ReplSession {
                 const target = this.state.agents.find((a) => a.taskId === event.taskId);
                 const finalDetail = this.lastStepDetail.get(event.taskId);
                 this.lastStepDetail.delete(event.taskId);
+                if (this.askBufferPending.has(event.taskId)) {
+                    this.appendSystemLine('Persona emitted incomplete <pugi-ask> or <pugi-plan-review> tag; dropped.');
+                }
+                this.askBuffer.delete(event.taskId);
+                this.askBufferPending.delete(event.taskId);
                 this.patch({
                     agents: this.state.agents.map((a) => a.taskId === event.taskId
                         ? { ...a, status: 'shipped', detail: 'shipped' }
                         : a),
                 });
+                // α6.9: transition the FSM to `completed` when no other
+                // dispatch is still in flight. The check uses the agents list
+                // POST-patch so any sibling task in `queued` / `thinking` keeps
+                // the dispatch alive; the FSM only goes terminal when the last
+                // agent ships.
+                this.advanceFsmOnDispatchEnd('completed', 'agent_completed', event.taskId);
                 if (target) {
                     // If the persona actually produced a reply via incremental
                     // agent.step events, render that reply in the transcript so
@@ -500,15 +1663,34 @@ export class ReplSession {
                     if (finalDetail
                         && finalDetail !== 'queued for dispatch'
                         && finalDetail.trim().length > 4) {
-                        for (const line of finalDetail.split('\n')) {
-                            const trimmed = line.trim();
-                            if (trimmed.length > 0) {
-                                this.appendPersonaLine(target.personaSlug, trimmed);
+                        // α6.12: ship the WHOLE body as one transcript row when the
+                        // reply contains ANY Markdown structure (code fence, bullet
+                        // list, numbered list, headings). The conversation pane
+                        // routes it through Markdown renderer в one pass, preserving
+                        // grouped bullets + heading hierarchy. Plain prose still
+                        // splits per line so word-wrap stays correct.
+                        //
+                        // Claude triple-review P1 (PR #369): the prior `includes('```')`
+                        // gate only caught fences - multi-line bullets fragmented
+                        // per row showed as `▸ Mira • read PUGI.md / ▸ Mira • patched
+                        // bug / ...` instead of a single grouped bullet block.
+                        if (looksLikeMarkdown(finalDetail)) {
+                            this.appendPersonaLine(target.personaSlug, finalDetail);
+                        }
+                        else {
+                            for (const line of finalDetail.split('\n')) {
+                                const trimmed = line.trim();
+                                if (trimmed.length > 0) {
+                                    this.appendPersonaLine(target.personaSlug, trimmed);
+                                }
                             }
                         }
                     }
                     else {
-                        this.appendPersonaLine(target.personaSlug, 'shipped.');
+                        // α6.14.3 CEO dogfood 2026-05-25: drop the literal
+                        // "shipped." fallback row. If we have no cached detail to
+                        // surface, stay silent. The agent tree pane already shows
+                        // the green check + duration.
                     }
                 }
                 return;
@@ -516,6 +1698,11 @@ export class ReplSession {
             case 'agent.blocked': {
                 const target = this.state.agents.find((a) => a.taskId === event.taskId);
                 this.lastStepDetail.delete(event.taskId);
+                if (this.askBufferPending.has(event.taskId)) {
+                    this.appendSystemLine('Persona emitted incomplete <pugi-ask> or <pugi-plan-review> tag; dropped.');
+                }
+                this.askBuffer.delete(event.taskId);
+                this.askBufferPending.delete(event.taskId);
                 this.patch({
                     agents: this.state.agents.map((a) => a.taskId === event.taskId
                         ? { ...a, status: 'blocked', detail: event.detail }
@@ -524,11 +1711,21 @@ export class ReplSession {
                 if (target) {
                     this.appendPersonaLine(target.personaSlug, `blocked: ${event.detail}`);
                 }
+                // α6.9: `blocked` is a graceful refusal, not a crash — treat it
+                // as a `completed` outcome from the FSM's perspective so the
+                // operator sees the bottom-bar settle back to `idle` after the
+                // last block clears.
+                this.advanceFsmOnDispatchEnd('completed', 'agent_blocked', event.taskId);
                 return;
             }
             case 'agent.failed': {
                 const target = this.state.agents.find((a) => a.taskId === event.taskId);
                 this.lastStepDetail.delete(event.taskId);
+                if (this.askBufferPending.has(event.taskId)) {
+                    this.appendSystemLine('Persona emitted incomplete <pugi-ask> or <pugi-plan-review> tag; dropped.');
+                }
+                this.askBuffer.delete(event.taskId);
+                this.askBufferPending.delete(event.taskId);
                 this.patch({
                     agents: this.state.agents.map((a) => a.taskId === event.taskId
                         ? { ...a, status: 'failed', detail: event.error }
@@ -537,11 +1734,121 @@ export class ReplSession {
                 if (target) {
                     this.appendPersonaLine(target.personaSlug, `failed: ${event.error}`);
                 }
+                // α6.9: terminal `failed` transition when no sibling task
+                // remains. Same defer-until-last-agent semantics as
+                // `completed` so the bottom-bar surface tracks the dispatch
+                // collectively.
+                this.advanceFsmOnDispatchEnd('failed', 'agent_failed', event.taskId);
                 return;
             }
         }
     }
+    /**
+     * α6.9 helper: advance the FSM to `tool_running` when a tool call
+     * lands mid-dispatch. Guarded against terminal / aborting states so
+     * a late tool event after `cancel()` does not throw on an illegal
+     * transition. The `tool` label drives the bottom-bar's
+     * `tool: <kind>` granularity.
+     */
+    advanceFsmOnToolStart(tool) {
+        const current = this.fsm.current;
+        if (this.fsm.isTerminal)
+            return;
+        if (current === 'aborting')
+            return;
+        if (current === 'idle')
+            return;
+        // Only `awaiting_response -> tool_running` is a hard move. From
+        // `tool_running` we patch the label without a state transition so
+        // a multi-tool turn shows the latest tool's label without churning
+        // the FSM through transient idle states.
+        if (current === 'awaiting_response') {
+            this.fsm.transition('tool_running', `tool_${tool}`);
+        }
+        this.patch({ dispatchToolLabel: `tool: ${tool}` });
+    }
+    /**
+     * α6.9 helper: advance the FSM toward a terminal outcome when the
+     * LAST in-flight agent's lifecycle ends. The dispatch is "still
+     * running" when any other agent in the tree is in `queued` /
+     * `thinking`; the FSM only goes terminal when the last one settles.
+     *
+     * Idempotent + guarded against illegal transitions: a late event
+     * after a manual `cancel()` finds the FSM already in `aborted` and
+     * is silently dropped.
+     */
+    advanceFsmOnDispatchEnd(outcome, reason, taskId) {
+        // R2 P1 fix (Codex triple-review 2026-05-25): a terminal event
+        // for a SUPERSEDED dispatch must NOT advance the live FSM or null
+        // the live token. If the event carries a taskId and the stamped
+        // dispatchSeq for that task is older than the current dispatchSeq,
+        // the event belongs to a prior dispatch that was replaced by a
+        // newer `dispatchBrief()`. Silently drop the FSM advance.
+        if (taskId !== undefined) {
+            const taskSeq = this.taskDispatchSeq.get(taskId);
+            if (taskSeq !== undefined && taskSeq < this.dispatchSeq) {
+                // Stale dispatch event - the live dispatch is a newer turn.
+                // Skip the FSM advance + token null so brief #N+1 stays
+                // cancellable and the new turn's lifecycle is not corrupted.
+                return;
+            }
+        }
+        if (this.fsm.isTerminal)
+            return;
+        if (this.fsm.current === 'aborting')
+            return;
+        if (this.fsm.current === 'idle')
+            return;
+        // Defer until every agent has settled so a multi-agent dispatch
+        // collectively transitions once on the LAST settle.
+        const stillActive = this.state.agents.some((a) => a.status === 'queued' || a.status === 'thinking');
+        if (stillActive)
+            return;
+        // From `tool_running` we must walk through `awaiting_response`
+        // first (the legal-transition matrix forbids
+        // tool_running -> completed). The intermediate step is a one-tick
+        // pass through and immediately settles to terminal.
+        if (this.fsm.current === 'tool_running') {
+            this.fsm.transition('awaiting_response', `${reason}_drained`);
+        }
+        this.fsm.transition(outcome, reason);
+        this.currentDispatchToken = null;
+        this.patch({ briefStartedAtEpochMs: undefined });
+    }
     /* ------------- transcript helpers -------------- */
+    /**
+     * Look up the persona slug for a running task. Used by the tool call
+     * synthesiser to colour the tool stream rows correctly. Falls back to
+     * the literal `unknown` slug when the task is not in the agent tree
+     * (the SSE wire can emit a step before the matching spawn under heavy
+     * load - rare in practice but the pane stays robust).
+     */
+    personaSlugForTask(taskId) {
+        const agent = this.state.agents.find((a) => a.taskId === taskId);
+        return agent?.personaSlug ?? 'unknown';
+    }
+    /**
+     * Fold a tool call entry into the rolling list. If the entry id
+     * already exists, replace it in-place (so a synthesised `running` →
+     * `ok` transition reuses the same row). Otherwise append. The list
+     * is capped at `MAX_TOOL_CALLS` so a long-running session does not
+     * leak memory.
+     */
+    appendToolCall(entry) {
+        const existingIndex = this.state.toolCalls.findIndex((c) => c.id === entry.id);
+        let next;
+        if (existingIndex >= 0) {
+            next = this.state.toolCalls.slice();
+            next[existingIndex] = entry;
+        }
+        else {
+            next = this.state.toolCalls.concat(entry);
+        }
+        if (next.length > MAX_TOOL_CALLS) {
+            next = next.slice(-MAX_TOOL_CALLS);
+        }
+        this.patch({ toolCalls: next });
+    }
     appendOperatorLine(text) {
         this.appendRow({ source: 'operator', text });
     }
@@ -549,7 +1856,19 @@ export class ReplSession {
         this.appendRow({ source: 'system', text });
     }
     appendPersonaLine(personaSlug, text) {
-        this.appendRow({ source: 'persona', text, personaSlug });
+        // α6.14.2 wave 5: dedup the persona display-name prefix. The
+        // conversation pane already renders `▸ <DisplayName> <text>` from
+        // the slug → name map; when the model's own reply begins with
+        // the same display name (CEO 2026-05-25 screenshot: "Pugi Pugi,
+        // координатор Pugi"), the operator sees the name twice. Strip
+        // the leading display-name token (with optional trailing comma /
+        // colon / whitespace) so the prefix the pane adds is the only one
+        // visible. We also drop any leaked `<workspace-context-NONCE>`
+        // wrapper the model sometimes echoes back at the head of its
+        // first turn - that envelope is for prompt scaffolding, not for
+        // the operator's eyes.
+        const stripped = stripPersonaPrefixEcho(personaSlug, text);
+        this.appendRow({ source: 'persona', text: stripped, personaSlug });
     }
     appendRow(input) {
         if (input.text.length === 0)
@@ -563,6 +1882,161 @@ export class ReplSession {
         };
         const next = this.state.transcript.concat(row).slice(-MAX_TRANSCRIPT_ROWS);
         this.patch({ transcript: next });
+        // Mirror into the local SessionStore so `/resume` can replay.
+        // Persistence is fail-safe: a single error becomes one system
+        // line, subsequent errors are silent so a stuck disk does not
+        // flood the operator. The mapping from row.source -> store kind:
+        //   operator -> 'user'   (drives turn_count + title)
+        //   persona  -> 'persona'
+        //   system   -> 'system'
+        this.persistRow(row);
+    }
+    /**
+     * Best-effort write of one transcript row into the local
+     * SessionStore. Swallows errors after emitting one system line so a
+     * broken store never blocks the conversation. Public callers go
+     * through `appendRow` - this method is private on purpose.
+     */
+    persistRow(row) {
+        if (!this.store)
+            return;
+        const kind = row.source === 'operator' ? 'user'
+            : row.source === 'persona' ? 'persona'
+                : 'system';
+        const payload = row.source === 'persona'
+            ? { text: row.text, personaSlug: row.personaSlug }
+            : row.source === 'operator'
+                ? { brief: row.text }
+                : { text: row.text };
+        const event = { t: row.timestampEpochMs, kind, payload };
+        void this.store.appendEvent(event).catch((error) => {
+            if (this.storeErrorEmitted)
+                return;
+            this.storeErrorEmitted = true;
+            const msg = error instanceof Error ? error.message : String(error);
+            // Use appendRow directly via state patch so we don't recurse
+            // into persistRow (which would loop on a stuck store).
+            const errRow = {
+                id: randomUUID(),
+                source: 'system',
+                text: `Local session persistence failed: ${msg}. Conversation continues in-memory only.`,
+                timestampEpochMs: this.now(),
+            };
+            const next = this.state.transcript.concat(errRow).slice(-MAX_TRANSCRIPT_ROWS);
+            this.patch({ transcript: next });
+        });
+    }
+    /**
+     * Restore a transcript from a stored event log - α6.4. Called by
+     * the CLI bootstrap when the operator runs `pugi resume <id>` or
+     * picks an entry from the `/resume` picker. Replays each event into
+     * the local transcript WITHOUT writing back to the store so the
+     * restore is idempotent.
+     *
+     * Implementation note: we briefly disable persistence by setting
+     * `storeErrorEmitted` BEFORE the replay and clearing it after - but
+     * the cleaner path is to bypass `appendRow` entirely and patch
+     * state directly. We do the latter so persistRow does not double-
+     * write the restored events.
+     */
+    restoreTranscript(events) {
+        const rows = [];
+        for (const event of events) {
+            const row = eventToTranscriptRow(event);
+            if (row)
+                rows.push(row);
+        }
+        // Cap at MAX_TRANSCRIPT_ROWS - the same cap appendRow uses so the
+        // window math stays consistent post-restore.
+        const capped = rows.slice(-MAX_TRANSCRIPT_ROWS);
+        this.patch({ transcript: capped });
+    }
+    /**
+     * Local session id used as the persistence key. Surfaced to the
+     * CLI bootstrap so `pugi resume` listings can pin the id without
+     * pulling it out of internal state.
+     */
+    getLocalSessionId() {
+        return this.localSessionId;
+    }
+    /* ------------- α6.3 buffered tag detection -------------- */
+    /**
+     * Scan the running `agent.step.detail` buffer for `<pugi-ask>` /
+     * `<pugi-plan-review>` envelopes. If a complete envelope is found,
+     * the parser strips it from the visible body and sets the matching
+     * `pendingAsk` / `pendingPlanReview` state so the REPL can render
+     * the modal. Streaming partial tags (open observed, close not yet
+     * arrived) are kept in the buffer so the next step event can extend
+     * them.
+     *
+     * Returns the sanitised body the caller should treat as the
+     * persona's prose. May be empty when the entire body was tag XML;
+     * the caller then leaves `lastStepDetail` untouched and the
+     * `agent.completed` fallback ("shipped.") fires.
+     */
+    consumeAskAndPlanReviewTags(taskId, detail) {
+        if (!detail || detail.length === 0) {
+            return this.askBuffer.get(taskId) ?? '';
+        }
+        // The persona emits the running detail as a cumulative string, so
+        // a fresh `agent.step` carries the full body up to the current
+        // token (matches the wave-2 caching contract above). We pass the
+        // raw detail through the extractors directly rather than keeping a
+        // separate buffer - but we still record the pre-extraction body so
+        // a partial open tag is preserved when the next chunk arrives.
+        this.askBuffer.set(taskId, detail);
+        const askResult = extractAskTags(detail);
+        let working = askResult.cleaned;
+        for (const tag of askResult.tags) {
+            if (this.seenTagSignatures.includes(tag.signature))
+                continue;
+            this.recordSeenTag(tag.signature);
+            // Only one pending ask at a time - drop additional tags in the
+            // same step into the cleaned body as a system warning. The
+            // persona's prompt forbids concurrent asks, so this branch is a
+            // defensive guard against a misbehaving model.
+            if (this.state.pendingAsk) {
+                this.appendSystemLine('Persona emitted a second <pugi-ask> while one was already open. Dropped.');
+                continue;
+            }
+            this.patch({ pendingAsk: tag, pendingAskSource: 'persona' });
+        }
+        if (askResult.hadMalformedTag) {
+            this.appendSystemLine('Malformed <pugi-ask> dropped (parser refusal).');
+        }
+        const planResult = extractPlanReviewTags(working);
+        working = planResult.cleaned;
+        for (const tag of planResult.tags) {
+            if (this.seenTagSignatures.includes(tag.signature))
+                continue;
+            this.recordSeenTag(tag.signature);
+            if (this.state.pendingPlanReview) {
+                this.appendSystemLine('Persona emitted a second <pugi-plan-review> while one was already open. Dropped.');
+                continue;
+            }
+            this.patch({ pendingPlanReview: tag, pendingPlanReviewSource: 'persona' });
+        }
+        if (planResult.hadMalformedTag) {
+            this.appendSystemLine('Malformed <pugi-plan-review> dropped (parser refusal).');
+        }
+        // Record / clear the "pending open tag" flag so agent.completed can
+        // emit a warning if the persona ends the turn with an unfinished
+        // envelope. The flag flips OFF when both parsers report no
+        // outstanding open tag - if either is still pending, we keep it on
+        // so the warning fires once at turn end.
+        if (askResult.pendingOpenTag || planResult.pendingOpenTag) {
+            this.askBufferPending.add(taskId);
+        }
+        else {
+            this.askBufferPending.delete(taskId);
+        }
+        return working;
+    }
+    recordSeenTag(signature) {
+        this.seenTagSignatures.push(signature);
+        while (this.seenTagSignatures.length > 32) {
+            this.seenTagSignatures.shift();
+        }
     }
     /* ------------- agent count + clock -------------- */
     activeAgentCount() {
@@ -599,6 +2073,89 @@ export class ReplSession {
  * does not recognise, the REPL still renders something usable rather
  * than crashing mid-frame.
  */
+/**
+ * Map a stored SessionEvent back into a TranscriptRow for `/resume`
+ * replay. Returns null when the event has no operator-visible body
+ * (e.g. tool.start without a text payload - those land back as
+ * tool stream rows, not transcript rows). The shape mirrors the
+ * `persistRow` mapping in reverse:
+ *
+ *   'user'    -> operator (brief)
+ *   'persona' -> persona  (text + personaSlug)
+ *   'system'  -> system   (text)
+ *
+ * Exported indirectly via `restoreTranscript`.
+ */
+function eventToTranscriptRow(event) {
+    const payload = (event.payload ?? null);
+    if (event.kind === 'user') {
+        const text = typeof payload?.brief === 'string'
+            ? payload.brief
+            : typeof payload?.text === 'string'
+                ? payload.text
+                : '';
+        if (text.length === 0)
+            return null;
+        return {
+            id: randomUUID(),
+            source: 'operator',
+            text,
+            timestampEpochMs: event.t,
+        };
+    }
+    if (event.kind === 'persona') {
+        const text = typeof payload?.text === 'string' ? payload.text : '';
+        if (text.length === 0)
+            return null;
+        const personaSlug = typeof payload?.personaSlug === 'string'
+            ? payload.personaSlug
+            : undefined;
+        return {
+            id: randomUUID(),
+            source: 'persona',
+            text,
+            personaSlug,
+            timestampEpochMs: event.t,
+        };
+    }
+    if (event.kind === 'system') {
+        const text = typeof payload?.text === 'string' ? payload.text : '';
+        if (text.length === 0)
+            return null;
+        return {
+            id: randomUUID(),
+            source: 'system',
+            text,
+            timestampEpochMs: event.t,
+        };
+    }
+    return null;
+}
+/**
+ * Heuristic: does this text contain Markdown structures that benefit
+ * from atomic grouping? Code fences, bullet lists, numbered lists,
+ * headings - anything where per-line splitting would fragment visual
+ * grouping (Claude triple-review P1 PR #369).
+ */
+function looksLikeMarkdown(text) {
+    if (text.includes('```'))
+        return true;
+    const lines = text.split('\n');
+    let bulletCount = 0;
+    let numberedCount = 0;
+    let headingCount = 0;
+    for (const raw of lines) {
+        const line = raw.trim();
+        if (/^[-*+]\s+\S/.test(line))
+            bulletCount += 1;
+        if (/^\d+\.\s+\S/.test(line))
+            numberedCount += 1;
+        if (/^#{1,6}\s+\S/.test(line))
+            headingCount += 1;
+    }
+    // 2+ bullets OR 2+ numbered OR any heading = group atomically.
+    return bulletCount >= 2 || numberedCount >= 2 || headingCount >= 1;
+}
 function safePersonaName(role) {
     try {
         return getPersonaForRole(role).name;
@@ -607,6 +2164,31 @@ function safePersonaName(role) {
         return role;
     }
 }
+/**
+ * Render a millisecond delta as a compact human-readable age. Used by
+ * `/context` to surface the oldest working-set entry's age:
+ *
+ *   < 60s        -> `45s`
+ *   < 1h         -> `4m`
+ *   < 24h        -> `2h`
+ *   >= 24h       -> `3d`
+ *
+ * Negative deltas (clock skew) clamp to `0s`.
+ */
+function formatAgeSeconds(deltaMs) {
+    const ms = Math.max(0, deltaMs);
+    const seconds = Math.floor(ms / 1000);
+    if (seconds < 60)
+        return `${seconds}s`;
+    const minutes = Math.floor(seconds / 60);
+    if (minutes < 60)
+        return `${minutes}m`;
+    const hours = Math.floor(minutes / 60);
+    if (hours < 24)
+        return `${hours}h`;
+    const days = Math.floor(hours / 24);
+    return `${days}d`;
+}
 /**
  * Convenience: list the legal role slugs the operator can target with
  * `/stop`. Surfaced in the slash command help overlay and in the
@@ -615,4 +2197,305 @@ function safePersonaName(role) {
 export function knownRoles() {
     return listRoles();
 }
+/* ------------------------------------------------------------------ */
+/* Tool call synthesiser - α6.12                                      */
+/* ------------------------------------------------------------------ */
+/**
+ * Match canonical tool invocation grammar in an `agent.step.detail`
+ * string and emit a synthesised `ToolCallEntry`. Returns null when no
+ * known tool pattern matches.
+ *
+ * The grammar mirrors the way Claude Code, Codex CLI, and Gemini CLI
+ * display tool calls in their tool stream panes:
+ *
+ *   Read(path)
+ *   Edit(path[:lines])
+ *   Bash(command)
+ *   Grep("pattern" [in path])
+ *   Glob(pattern)
+ *   WebFetch(url)
+ *
+ * The matcher is case-insensitive on the tool name so a persona that
+ * spells the tool as `READ(...)` or `web_fetch(...)` still lands in
+ * the pane. Args are capped at 80 characters; the pane will further
+ * truncate to 60 on render so the row stays single-line on a narrow
+ * terminal.
+ *
+ * Exported for unit testing - production code path is internal.
+ */
+export function synthesiseToolCall(input) {
+    const detail = input.detail.trim();
+    if (detail.length === 0)
+        return null;
+    // Pattern: ToolName(args) optionally suffixed with a result hint.
+    // We allow the canonical Claude Code casing AND the snake_case
+    // alias `web_fetch` so the synthesiser matches what personas write.
+    const match = /^(Read|Edit|Bash|Grep|Glob|WebFetch|web_fetch)\s*\(\s*([^)]*)\s*\)\s*(.*)$/i
+        .exec(detail);
+    if (!match)
+        return null;
+    const toolName = normaliseToolName(match[1]);
+    const args = (match[2] ?? '').trim().slice(0, 80);
+    const tail = (match[3] ?? '').trim();
+    const status = parseStatusFromTail(tail);
+    return {
+        id: `${input.taskId}:${toolName}:${args}`,
+        agent: input.agent,
+        tool: toolName,
+        args,
+        status: status.status,
+        detail: status.detail,
+        startedAtEpochMs: input.now,
+    };
+}
+function normaliseToolName(raw) {
+    const lower = raw.toLowerCase();
+    if (lower === 'webfetch' || lower === 'web_fetch')
+        return 'web_fetch';
+    if (lower === 'read')
+        return 'read';
+    if (lower === 'edit')
+        return 'edit';
+    if (lower === 'bash')
+        return 'bash';
+    if (lower === 'grep')
+        return 'grep';
+    if (lower === 'glob')
+        return 'glob';
+    // Unreachable - regex constrains the input. Fallback keeps types happy.
+    return 'read';
+}
+/**
+ * Cheap status inference from the tail string. We honour explicit
+ * `OK` / `error` / `running` prefixes the dispatcher may write, plus
+ * a `+/-` diff hint (treated as `ok`) and a `no match` (treated as
+ * `ok` because grep with no result is not an error condition).
+ */
+function parseStatusFromTail(tail) {
+    if (tail.length === 0)
+        return { status: 'running' };
+    const lower = tail.toLowerCase();
+    if (lower.startsWith('error') || lower.startsWith('failed')) {
+        return { status: 'error', detail: tail };
+    }
+    if (lower.startsWith('running')) {
+        return { status: 'running', detail: tail };
+    }
+    return { status: 'ok', detail: tail };
+}
+/* ------------------------------------------------------------------ */
+/* α6.3 office-hours encoders                                          */
+/*                                                                    */
+/* Mirrors `tui/ask-modal.tsx#encodeAskVerdict` so the session can     */
+/* synthesise the operator-side echo without dragging an Ink module    */
+/* into the test surface. The two encoders MUST agree byte-for-byte -  */
+/* a divergence would silently mis-prefix the persona's follow-up.    */
+/* ------------------------------------------------------------------ */
+function encodeAskVerdictLocal(verdict) {
+    if (verdict.cancelled)
+        return '[ASK-RESPONSE:cancelled]';
+    if (verdict.value.length > 0)
+        return `[ASK-RESPONSE:${verdict.value}]`;
+    if (verdict.customInput && verdict.customInput.length > 0) {
+        return `[ASK-RESPONSE:other] ${verdict.customInput}`;
+    }
+    return '[ASK-RESPONSE:cancelled]';
+}
+/**
+ * Strip any leading `[ASK-RESPONSE:...]` or `[PLAN-VERDICT:...]`
+ * pattern from free-text operator input so a malicious or accidental
+ * operator string cannot forge a verdict header. Stripping iterates
+ * because the operator could prepend several forged headers in a row;
+ * we keep peeling until the head is clean.
+ *
+ * Example: operator types `[ASK-RESPONSE:vercel] my real answer` -
+ * the leading `[ASK-RESPONSE:vercel] ` is stripped, leaving
+ * `my real answer`, so the encoded wire string becomes
+ * `[ASK-RESPONSE:other] my real answer` rather than
+ * `[ASK-RESPONSE:other] [ASK-RESPONSE:vercel] my real answer` which
+ * a prefix-greedy persona could read as "operator chose vercel".
+ *
+ * Claude triple-review P1 (PR #375).
+ */
+function sanitiseVerdictText(raw) {
+    let cleaned = raw;
+    // Bounded loop: each iteration must strip a non-empty pattern, so it
+    // terminates in O(input length). Hard cap as defence-in-depth in case
+    // the regex ever matches an empty span.
+    for (let i = 0; i < raw.length + 4; i += 1) {
+        const stripped = cleaned.replace(/^\s*\[(?:ASK-RESPONSE|PLAN-VERDICT):[^\]]*\]\s*/u, '');
+        if (stripped === cleaned)
+            break;
+        cleaned = stripped;
+    }
+    return cleaned.trim();
+}
+function sanitiseAskVerdict(verdict) {
+    if (verdict.customInput === undefined)
+        return verdict;
+    const sanitisedCustom = sanitiseVerdictText(verdict.customInput);
+    if (sanitisedCustom === verdict.customInput)
+        return verdict;
+    // If sanitisation emptied the buffer, treat the verdict as a
+    // cancellation rather than dispatching a meaningless "other" with no
+    // body. Preserves the dispatch invariant (no empty bodies) and
+    // matches the encoder's fallback.
+    if (sanitisedCustom.length === 0) {
+        return { value: '', cancelled: true };
+    }
+    return { ...verdict, customInput: sanitisedCustom };
+}
+function sanitisePlanReviewResult(result) {
+    if (result.verdict !== 'modify')
+        return result;
+    if (result.modifyText === undefined)
+        return result;
+    const sanitisedText = sanitiseVerdictText(result.modifyText);
+    if (sanitisedText === result.modifyText)
+        return result;
+    if (sanitisedText.length === 0) {
+        return { verdict: 'cancel' };
+    }
+    return { verdict: 'modify', modifyText: sanitisedText };
+}
+function encodePlanReviewVerdictLocal(result) {
+    switch (result.verdict) {
+        case 'approve':
+            return '[PLAN-VERDICT:approve]';
+        case 'cancel':
+            return '[PLAN-VERDICT:cancel]';
+        case 'modify':
+            if (result.modifyText && result.modifyText.length > 0) {
+                return `[PLAN-VERDICT:modify] ${result.modifyText}`;
+            }
+            return '[PLAN-VERDICT:cancel]';
+    }
+}
+/**
+ * Compose the human-readable transcript line that records the
+ * operator's ask verdict. Mirrors Codex CLI's "you chose: <label>"
+ * pattern so the conversation reads linearly.
+ */
+function humanLabelForVerdict(tag, verdict) {
+    if (verdict.cancelled)
+        return '(cancelled the question)';
+    if (verdict.value.length > 0) {
+        const opt = tag.options.find((o) => o.value === verdict.value);
+        return opt ? `chose: ${opt.label}` : `chose: ${verdict.value}`;
+    }
+    if (verdict.customInput && verdict.customInput.length > 0) {
+        return `chose: other - ${verdict.customInput}`;
+    }
+    return '(cancelled the question)';
+}
+function humanLabelForPlanReviewVerdict(result) {
+    switch (result.verdict) {
+        case 'approve':
+            return 'approved the plan';
+        case 'cancel':
+            return 'cancelled the plan';
+        case 'modify':
+            if (result.modifyText && result.modifyText.length > 0) {
+                return `modified the plan: ${result.modifyText}`;
+            }
+            return 'cancelled the plan';
+    }
+}
+/**
+ * Synthesise a 2-option yes/no `<pugi-ask>` tag from a raw question
+ * string. Used by the `/ask` slash command and by `pugi ask <question>`
+ * to give the operator a manual entrypoint into the office-hours UI
+ * without needing a persona-side emission.
+ *
+ * Returns null when the question fails the parser's length cap so the
+ * caller can surface a clear error rather than crashing the modal.
+ */
+export function synthesiseLocalAskTag(question) {
+    const trimmed = question.trim();
+    if (trimmed.length === 0 || trimmed.length > 80)
+        return null;
+    const options = [
+        { value: 'yes', label: 'Yes' },
+        { value: 'no', label: 'No' },
+    ];
+    // Use the single-source signature helper so a persona-emitted ask
+    // with the same question + same option values does not collide with
+    // this synthesised one under a divergent algorithm. Claude
+    // triple-review P1 (PR #375).
+    const signature = signatureForAsk(trimmed, options);
+    return {
+        question: trimmed,
+        options,
+        signature,
+        start: 0,
+        end: 0,
+    };
+}
+/**
+ * Strip the persona's own display name from the head of a streamed
+ * reply, plus any leaked `<workspace-context-...>` envelope the model
+ * may echo on its first turn. Exported for direct unit testing —
+ * production callers go through `appendPersonaLine`.
+ *
+ * Examples (display name = "Pugi"):
+ *   "Pugi, координатор Pugi. Брифую..."   -> "координатор Pugi. Брифую..."
+ *   "Pugi: вот результат"                 -> "вот результат"
+ *   "<workspace-context-abc>Pugi, привет" -> "привет"
+ *   "обычный ответ без префикса"          -> "обычный ответ без префикса"
+ *
+ * The strip is conservative - we only remove the display name when it
+ * is followed by a separator (comma, colon, dash, space) so a sentence
+ * that legitimately contains the name mid-text ("спроси у Pugi") is
+ * not mangled. (α6.14.2 wave 5 - CEO dogfood fix.)
+ */
+export function stripPersonaPrefixEcho(personaSlug, text) {
+    let working = text.trimStart();
+    // Drop any leaked `<workspace-context-...>` / `</workspace-context-...>`
+    // wrapper at the head. The Mira prompt v1.1 sometimes echoes the
+    // scaffolding envelope back when the model is warm-starting the
+    // first turn; cosmetic noise the operator never needs to see.
+    // We strip both opening tag and any text up to (and including) the
+    // matching closing tag if present, else just the opening tag.
+    const openMatch = /^<workspace-context[^>]*>/i.exec(working);
+    if (openMatch) {
+        working = working.slice(openMatch[0].length).trimStart();
+        const closeMatch = /^([\s\S]*?)<\/workspace-context[^>]*>/i.exec(working);
+        if (closeMatch) {
+            working = working.slice(closeMatch[0].length).trimStart();
+        }
+    }
+    // Resolve the display name from the canonical roster. Unknown slugs
+    // (forward-compat with future personas streamed by a newer server)
+    // skip the strip - better to leave the text alone than to mis-strip.
+    const persona = getPersona(personaSlug);
+    if (!persona)
+        return working;
+    const display = persona.name;
+    if (!display || display.length === 0)
+        return working;
+    // Match `<DisplayName>` followed by an end-of-string, or by a
+    // separator (comma, colon, dash, period followed by space, single
+    // space). The match is case-insensitive so "pugi" also strips.
+    // Escape regex specials in the display name even though THE_TEN
+    // names are alpha-only today (forward-defense).
+    const escaped = display.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+    const re = new RegExp(`^${escaped}(?:[\\s,:;\\-—–]+|$)`, 'i');
+    // Loop the strip so cascading echoes ("Pugi Pugi Pugi, координатор ...")
+    // collapse to a single name. The model occasionally emits the display
+    // name two or three times back-to-back when the pane prefix also
+    // injects "▸ Pugi"; without the loop, only the first token would be
+    // peeled and the operator would still see "▸ Pugi Pugi, координатор".
+    // Cap at 3 iterations - beyond that the text is either pathological
+    // or unrelated and we should not keep chewing it. Bail when an
+    // iteration makes no progress to avoid infinite loops on a regex that
+    // matches an empty string (defence-in-depth even though the current
+    // pattern guarantees at least one consumed char).
+    for (let i = 0; i < 3; i += 1) {
+        const m = re.exec(working);
+        if (!m || m[0].length === 0)
+            break;
+        working = working.slice(m[0].length).trimStart();
+    }
+    return working;
+}
 //# sourceMappingURL=session.js.map