agent-relay-server 0.11.8 → 0.11.9

package/src/routes.ts

@@ -85,8 +85,6 @@ import {
   getWorkspace,
   listWorkspaces,
   updateWorkspaceStatus,
-  acquireMergeLease,
-  setMergeLeaseCommand,
   releaseMergeLease,
   listRepoStewards,
   listMergeLeases,
@@ -107,11 +105,13 @@ import {
   getAgentProfile,
   getManagedAgentState,
   getSpawnPolicy,
+  getStewardConfigEntry,
   listAgentProfiles,
   listSpawnPolicies,
   listConfig,
   setAgentProfile,
   setConfig,
+  setStewardConfig,
   upsertManagedAgentState,
   updateManagedAgentState,
 } from "./config-store";
@@ -140,7 +140,7 @@ import {
   updateAutomation,
   type AutomationDispatchResult,
 } from "./automations";
-import type { ActivityEventInput, ActivityKind, AgentCard, AgentKind, AgentProfile, AgentSessionGuard, ChannelBinding, ChannelBindingMode, ChannelDirection, ChannelRouteTarget, ChannelSummary, Command, CommandStatus, CreateCommandInput, CreatePairInput, IntegrationEventInput, IntegrationSummary, ManagedAgent, ManagedSessionExitDiagnostics, Message, OrchestratorRuntimeInput, PairActionInput, PairMessageInput, PairStatus, RegisterAgentInput, RegisterOrchestratorInput, SendMessageInput, SpawnApprovalMode, SpawnPolicy, SpawnProvider, TaskStatus, TaskStatusInput, WorkspaceMetadata, WorkspaceMode, WorkspaceOrphan, WorkspaceProbe, WorkspaceStatus } from "./types";
+import type { ActivityEventInput, ActivityKind, AgentCard, AgentKind, AgentProfile, AgentSessionGuard, ChannelBinding, ChannelBindingMode, ChannelDirection, ChannelRouteTarget, ChannelSummary, Command, CommandStatus, CreateCommandInput, CreatePairInput, IntegrationEventInput, IntegrationSummary, ManagedAgent, ManagedSessionExitDiagnostics, Message, OrchestratorRuntimeInput, PairActionInput, PairMessageInput, PairStatus, RegisterAgentInput, RegisterOrchestratorInput, SendMessageInput, SpawnApprovalMode, SpawnPolicy, SpawnProvider, TaskStatus, TaskStatusInput, WorkspaceMergeStrategy, WorkspaceMetadata, WorkspaceMode, WorkspaceOrphan, WorkspaceProbe, WorkspaceStatus } from "./types";
 import { getIntegrationTokens, INTEGRATION_RATE_LIMIT_PER_MINUTE, MAX_BODY_BYTES, VERSION, type IntegrationTokenConfig } from "./config";
 import { CONTRACT_VERSIONS, parseRuntimeCapabilities, parseRuntimeContracts, parseRuntimePackage, type RuntimeCapabilities, type RuntimeContracts, type RuntimePackageMetadata } from "./contracts";
 import { listHostDirectories } from "./agent-spawn";
@@ -149,6 +149,7 @@ import type { ProviderConfig } from "../runner/src/adapter";
 import { resolveProviderSelection, type ProviderEffort } from "agent-relay-sdk/provider-catalog";
 import { effectiveProviderCatalogList } from "./provider-catalog-store";
 import { buildManagedSpawnParams, effectiveManagedPolicyWorkspaceMode } from "./managed-policy";
+import { requestWorkspaceMerge } from "./workspace-merge";
 import {
   getComponentAuth,
   getIntegrationAuth,
@@ -187,7 +188,7 @@ import { postMcp } from "./mcp";
 import { readFileSync } from "node:fs";
 import { isAbsolute, relative, resolve } from "node:path";
 import type { ArtifactKind, ArtifactSensitivity, AttachmentRef, ContextBudget, CreateMemoryInput, MemoryBrokerContext, MemoryConfidence, MemoryQuery, MemoryRedactionState, MemorySensitivity, MemoryType, MemoryVisibility, TaskRoutingHints, TokenConstraints, UpdateMemoryInput } from "./types";
-import { issueIntegrationRuntimeToken, issueInteractiveRunnerRuntimeToken, issueMcpRuntimeToken, issueOrchestratorRuntimeToken, runnerRuntimeTokenEnv } from "./runtime-tokens";
+import { issueIntegrationRuntimeToken, issueInteractiveRunnerRuntimeToken, issueMcpRuntimeToken, issueOrchestratorRuntimeToken, reissueRunnerRuntimeToken, runnerRuntimeTokenEnv } from "./runtime-tokens";
 import { listMaintenanceJobs, runLegacyMaintenanceReaper, runMaintenanceJobNow } from "./maintenance";
 
 type Handler = (
@@ -319,7 +320,8 @@ const VALID_CHANNEL_BINDING_TARGET_TYPES = ["agent", "label", "tag", "capability
 const VALID_WORKSPACE_MODES = ["isolated", "shared", "inherit"] as const;
 const VALID_WORKSPACE_STATUSES = ["active", "ready", "conflict", "review_requested", "merge_planned", "merged", "abandoned", "cleanup_requested", "cleaned"] as const;
 const VALID_CHANNEL_BINDING_MODES = ["exclusive", "broadcast"] as const;
-const VALID_AGENT_ACTIONS = ["restart", "shutdown", "reconnect", "compact", "clearContext"] as const;
+const VALID_AGENT_ACTIONS = ["restart", "shutdown", "reconnect", "compact", "clearContext", "resume"] as const;
+const CLAUDE_RESUME_ID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
 const VALID_AGENT_SPAWN_PROVIDERS = ["codex"] as const;
 const VALID_CODEX_SPAWN_APPROVALS = ["open", "guarded", "read-only"] as const;
 const VALID_PROVIDER_EFFORTS = ["low", "medium", "high", "xhigh", "max"] as const;
@@ -1248,7 +1250,10 @@ function auditEvent(input: ActivityEventInput): void {
 function auditCommandOutcome(command: Command): void {
   if (command.status !== "succeeded" && command.status !== "failed") return;
   if (command.type !== "agent.restart" && command.type !== "agent.shutdown" && command.type !== "agent.reconnect") return;
-  const action = agentControlActionFromCommandType(command.type);
+  const paramAction = typeof command.params?.action === "string" && (VALID_AGENT_ACTIONS as readonly string[]).includes(command.params.action)
+    ? command.params.action as AgentControlAction
+    : null;
+  const action = paramAction ?? agentControlActionFromCommandType(command.type);
   if (!action) return;
   const agentId = typeof command.params?.agentId === "string" ? command.params.agentId : command.target;
   const succeeded = command.status === "succeeded";
@@ -2143,7 +2148,7 @@ const deleteAgentById: Handler = (_req, params) => {
 type AgentControlAction = (typeof VALID_AGENT_ACTIONS)[number];
 
 function agentControlActionCommandType(action: AgentControlAction): "agent.restart" | "agent.shutdown" | "agent.reconnect" | "agent.compact" | "agent.clearContext" {
-  if (action === "restart") return "agent.restart";
+  if (action === "restart" || action === "resume") return "agent.restart";
   if (action === "shutdown") return "agent.shutdown";
   if (action === "compact") return "agent.compact";
   if (action === "clearContext") return "agent.clearContext";
@@ -2161,6 +2166,7 @@ function agentControlActionFromCommandType(type: string): AgentControlAction | n
 
 function agentControlActionRequestedTitle(action: AgentControlAction): string {
   if (action === "restart") return "Agent restart requested";
+  if (action === "resume") return "Agent resume requested";
   if (action === "shutdown") return "Agent shutdown requested";
   if (action === "compact") return "Agent compaction requested";
   if (action === "clearContext") return "Agent context clear requested";
@@ -2169,6 +2175,7 @@ function agentControlActionRequestedTitle(action: AgentControlAction): string {
 
 function agentControlActionCompletedTitle(action: AgentControlAction): string {
   if (action === "restart") return "Agent restarted";
+  if (action === "resume") return "Agent resumed";
   if (action === "shutdown") return "Agent shut down";
   if (action === "compact") return "Agent compacted";
   if (action === "clearContext") return "Agent context cleared";
@@ -2179,6 +2186,7 @@ function agentControlActionIcon(action: AgentControlAction): string {
   if (action === "shutdown") return "ti-power";
   if (action === "compact") return "ti-compress";
   if (action === "clearContext") return "ti-eraser";
+  if (action === "resume") return "ti-player-play";
   return "ti-refresh";
 }
 
@@ -2191,6 +2199,7 @@ function agentIsControlEligible(agent: AgentCard): boolean {
 
 function agentCanReceiveControlAction(agent: AgentCard, action: AgentControlAction): boolean {
   if (!agentIsControlEligible(agent)) return false;
+  if (action === "resume") return agentRuntimeProvider(agent) === "claude" && (agent.status === "offline" || agent.status === "stale");
   const lifecycle = agent.providerCapabilities?.lifecycle;
   if (lifecycle) {
     if (action === "restart") return lifecycle.restartHard === true;
@@ -2202,6 +2211,10 @@ function agentCanReceiveControlAction(agent: AgentCard, action: AgentControlActi
   return agent.meta?.runnerManaged === true && (action === "restart" || action === "shutdown");
 }
 
+function agentRuntimeProvider(agent: AgentCard): string | undefined {
+  return metaString(agent.meta, "provider") ?? agent.providerCapabilities?.model?.provider;
+}
+
 function managedControlOrchestrator(agent: AgentCard): NonNullable<ReturnType<typeof getOrchestrator>> | null {
   if (agent.meta?.runnerManaged !== true) return null;
   const metaSessionName = typeof agent.meta.sessionName === "string" ? agent.meta.sessionName : "";
@@ -2226,11 +2239,16 @@ function restartSpawnParamsForAgent(
   orchestrator: NonNullable<ReturnType<typeof getOrchestrator>> | null,
   policyName?: string,
   spawnRequestId?: string,
+  opts: { resumeId?: string } = {},
 ): Record<string, unknown> | undefined {
   if (!orchestrator) return undefined;
   const requestId = spawnRequestId ?? spawnRequestIdForRestart();
   const policy = policyName ? getSpawnPolicy(policyName) : null;
-  if (policy) return { ...managedSpawnParams(policy.value, requestId), agentId: agent.id, requestedBy: "dashboard-restart" };
+  const requestedBy = opts.resumeId ? "dashboard-resume" : "dashboard-restart";
+  if (policy) {
+    const params = { ...managedSpawnParams(policy.value, requestId), agentId: agent.id, requestedBy };
+    return opts.resumeId ? withClaudeResumeParams(params, opts.resumeId, agent.id) : params;
+  }
 
   const provider = metaString(agent.meta, "provider");
   if (provider !== "claude" && provider !== "codex") return undefined;
@@ -2259,7 +2277,7 @@ function restartSpawnParamsForAgent(
       };
     }
   }
-  return {
+  const params = {
     action: "spawn",
     provider,
     ...resolvedModel,
@@ -2284,17 +2302,57 @@ function restartSpawnParamsForAgent(
       label,
       policyName,
       spawnRequestId: requestId,
-      createdBy: "dashboard-restart",
+      createdBy: requestedBy,
     }),
-    requestedBy: "dashboard-restart",
+    requestedBy,
     requestedAt: Date.now(),
   };
+  return opts.resumeId ? withClaudeResumeParams(params, opts.resumeId, agent.id) : params;
 }
 
 function spawnRequestIdForRestart(): string {
   return `sp_${crypto.randomUUID()}`;
 }
 
+function withClaudeResumeParams(params: Record<string, unknown>, resumeId: string, agentId: string): Record<string, unknown> {
+  return {
+    ...params,
+    providerArgs: providerArgsWithClaudeResume(recordStringArray(params.providerArgs), resumeId),
+    resumeOfAgentId: agentId,
+    claudeResumeId: resumeId,
+  };
+}
+
+function providerArgsWithClaudeResume(args: string[], resumeId: string): string[] {
+  const cleaned: string[] = [];
+  for (let i = 0; i < args.length; i += 1) {
+    const arg = args[i];
+    if (!arg) continue;
+    if (arg === "--resume") {
+      i += 1;
+      continue;
+    }
+    if (arg.startsWith("--resume=")) continue;
+    cleaned.push(arg);
+  }
+  return [...cleaned, "--resume", resumeId];
+}
+
+function recordStringArray(value: unknown): string[] {
+  return Array.isArray(value) ? value.filter((item): item is string => typeof item === "string" && item.trim().length > 0) : [];
+}
+
+function latestClaudeResumeIdForAgent(agent: AgentCard): string | undefined {
+  for (const entry of getAgentTimeline(agent.id, { limit: 50 })) {
+    const metadata = entry.metadata;
+    if (!metadata) continue;
+    const provider = metaString(metadata, "provider");
+    const resumeId = metaString(metadata, "claudeResumeId");
+    if (provider === "claude" && resumeId && CLAUDE_RESUME_ID_RE.test(resumeId)) return resumeId;
+  }
+  return undefined;
+}
+
 function compactMemoryParams(agent: AgentCard): Record<string, unknown> {
   const alwaysReload = agent.tags
     .filter((tag) => tag.startsWith("memory-reload:"))
@@ -2315,11 +2373,14 @@ const postAgentAction: Handler = async (req, params) => {
     if (!agent) return error("agent not found", 404);
     if (!agentCanReceiveControlAction(agent, action)) return error(`agent does not support ${action}`, 400);
 
-    const orchestrator = (action === "restart" || action === "shutdown") ? managedControlOrchestrator(agent) : null;
+    const orchestrator = (action === "restart" || action === "shutdown" || action === "resume") ? managedControlOrchestrator(agent) : null;
     const metaSessionName = typeof agent.meta?.sessionName === "string" ? agent.meta.sessionName : undefined;
     const metaTmuxSession = typeof agent.meta?.tmuxSession === "string" ? agent.meta.tmuxSession : undefined;
     const metaPolicyName = typeof agent.meta?.policyName === "string" ? agent.meta.policyName : undefined;
     const metaSpawnRequestId = typeof agent.meta?.spawnRequestId === "string" ? agent.meta.spawnRequestId : undefined;
+    const resumeId = action === "resume" ? latestClaudeResumeIdForAgent(agent) : undefined;
+    if (action === "resume" && !orchestrator) return error("no online orchestrator available to resume agent", 409);
+    if (action === "resume" && !resumeId) return error("no Claude resume id recorded for agent", 422);
     const denied = authorizeRoute(req, {
       scope: "agent:write",
       resource: { agentId: agent.id, orchestratorId: orchestrator?.id, policyName: metaPolicyName, spawnRequestId: metaSpawnRequestId },
@@ -2338,14 +2399,15 @@ const postAgentAction: Handler = async (req, params) => {
         ...(metaTmuxSession ? { tmuxSession: metaTmuxSession } : {}),
         ...(metaPolicyName ? { policyName: metaPolicyName } : {}),
         ...(metaSpawnRequestId ? { spawnRequestId: metaSpawnRequestId } : {}),
-        ...(action === "restart" ? { restartSpawn: restartSpawnParamsForAgent(agent, orchestrator, metaPolicyName, metaSpawnRequestId) } : {}),
+        ...(action === "restart" || action === "resume" ? { restartSpawn: restartSpawnParamsForAgent(agent, orchestrator, metaPolicyName, metaSpawnRequestId, { resumeId }) } : {}),
         ...(action === "compact" ? compactMemoryParams(agent) : {}),
+        ...(resumeId ? { claudeResumeId: resumeId } : {}),
         requestedBy: "dashboard",
         requestedAt: Date.now(),
       },
     });
-    if (action === "shutdown" || action === "restart") {
-      const lifecycleAction = action === "shutdown" ? "shutting-down" : "restarting";
+    if (action === "shutdown" || action === "restart" || action === "resume") {
+      const lifecycleAction = action === "shutdown" ? "shutting-down" : action === "resume" ? "resuming" : "restarting";
       markReady(agent.id, false);
       mergeAgentMeta(agent.id, { lifecycleAction, lifecycleActionAt: Date.now(), lifecycleCommandId: command.id });
       emitAgentStatus(agent.id);
@@ -2826,6 +2888,40 @@ const postRuntimeTokenRenew: Handler = async (req) => {
   }, 201);
 };
 
+// Orchestrator-mediated runner-token re-mint. A live runner whose runtime token
+// has expired (e.g. the relay was unreachable across the renewal window) cannot
+// self-renew — its dead token can't authenticate. Its orchestrator, which holds
+// a long-lived credential, proxies the runner's expired token here. We verify the
+// token is a genuine, non-revoked runner token owned by THIS orchestrator and
+// mint a fresh one cloning its scope, so the session self-heals without a restart.
+const postOrchestratorRunnerToken: Handler = async (req, params) => {
+  const orch = getOrchestrator(params.id!);
+  if (!orch) return error("orchestrator not found", 404);
+  const denied = authorizeRoute(req, { scope: "command:write", resource: { orchestratorId: orch.id } });
+  if (denied) return denied;
+  const parsed = await parseBody<unknown>(req);
+  if (!parsed.ok) return error(parsed.error, parsed.status);
+  if (!isRecord(parsed.body)) return error("body required");
+  const token = cleanString(parsed.body.token, "token", { required: true, max: 8192 })!;
+  const result = reissueRunnerRuntimeToken({
+    expiredToken: token,
+    orchestratorId: orch.id,
+    createdBy: `orchestrator-remint:${orch.id}`,
+  });
+  if ("error" in result) return error(result.error, 403);
+  auditEvent({
+    clientId: "server-runner-token-remint-" + result.record.jti + "-" + Date.now(),
+    kind: "state",
+    title: "Runner token re-minted",
+    body: result.record.sub,
+    meta: result.record.jti,
+    icon: "ti-key",
+    view: "security",
+    metadata: { orchestratorId: orch.id, jti: result.record.jti, sub: result.record.sub, ...authAuditMetadata(req) },
+  });
+  return json(result, 201);
+};
+
 const postInteractiveRunnerRuntimeToken: Handler = async (req) => {
   if (!isRootCredentialRequest(req)) return error("root credential required for runtime token exchange", 403);
   const parsed = await parseBody<unknown>(req);
@@ -3940,7 +4036,6 @@ const postWorkspaceOrphanReclaim: Handler = async (req) => {
 const postWorkspaceAction: Handler = async (req, params) => {
   const parsed = await parseBody<unknown>(req);
   if (!parsed.ok) return error(parsed.error, parsed.status);
-  let mergeLeaseRepo: string | undefined;
   try {
     if (!isRecord(parsed.body)) return error("body required");
     const workspace = getWorkspace(params.id!);
@@ -3959,17 +4054,32 @@ const postWorkspaceAction: Handler = async (req, params) => {
     const denied = authorizeRoute(req, { scope: requiresCommand ? "command:write" : "agent:write", resource: { agentId, cwd: workspace.worktreePath } });
     if (denied) return denied;
     if (action === "status") return json(workspace);
-    // Serialize base merges per repo: acquire the merge lease BEFORE mutating
-    // status so a losing request leaves the workspace untouched (issue #157).
+    // Base merges go through the shared helper (lease + command + bind), the same
+    // path the auto-merge job uses, so both serialize per repo (issue #157).
     if (action === "merge") {
-      const lease = acquireMergeLease(workspace.repoRoot, workspace.id, agentId ?? "dashboard");
-      if (!lease.ok) {
-        return error(
-          `a merge is already in progress for ${workspace.repoRoot} (workspace ${lease.lease.workspaceId}); retry after it settles`,
-          409,
-        );
-      }
-      mergeLeaseRepo = workspace.repoRoot;
+      const strategy = cleanEnum(parsed.body.strategy, "strategy", ["pr", "rebase-ff", "auto"] as const, "auto") as WorkspaceMergeStrategy;
+      const result = requestWorkspaceMerge(workspace, {
+        requestedBy: agentId ?? "dashboard",
+        strategy,
+        deleteBranch: parsed.body.deleteBranch !== false,
+        prTitle: cleanString(parsed.body.prTitle, "prTitle", { max: 240 }),
+        prBody: cleanString(parsed.body.prBody, "prBody", { max: 8000 }),
+        metadata: { ...metadata, ...(detail ? { detail } : {}), ...(agentId ? { updatedByAgentId: agentId } : {}) },
+      });
+      if (!result.ok) return error(result.error, result.status);
+      emitCommand(result.command);
+      auditEvent({
+        clientId: `workspace-merge-${workspace.id}-${Date.now()}`,
+        kind: "state",
+        title: "Workspace merge",
+        body: detail ?? workspace.worktreePath,
+        meta: workspace.branch ?? workspace.id,
+        icon: "ti-git-merge",
+        view: "orchestrators",
+        agentId,
+        metadata: { action: "merge", workspaceId: workspace.id, repoRoot: workspace.repoRoot, worktreePath: workspace.worktreePath, status: result.workspace.status, commandId: result.command.id, ...authAuditMetadata(req) },
+      });
+      return json({ workspace: result.workspace, command: result.command }, 202);
     }
     const statusByAction: Record<string, WorkspaceStatus | undefined> = {
       status: undefined,
@@ -3977,7 +4087,6 @@ const postWorkspaceAction: Handler = async (req, params) => {
       "conflict-found": "conflict",
       "request-review": "review_requested",
       "merge-plan": "merge_planned",
-      merge: "merge_planned",
       abandon: "abandoned",
       cleanup: "cleanup_requested",
     };
@@ -3991,58 +4100,31 @@ const postWorkspaceAction: Handler = async (req, params) => {
     if (!updated) return error("workspace not found", 404);
     let command: Command | undefined;
     if (requiresCommand) {
-      // All orchestrators whose baseDir contains the workspace; prefer an online one.
+      // Only `cleanup` reaches here — `merge` returned early via the shared helper.
+      // Cleanup may queue: if the owning orchestrator is offline, the command (no
+      // TTL) waits and reconciles when it reconnects. Only hard-fail when no
+      // orchestrator owns the path at all — then DELETE is the escape.
       const owners = listOrchestrators().filter((candidate) => pathWithinBase(workspace.sourceCwd, candidate.baseDir));
       const onlineOwner = owners.find((candidate) => candidate.status === "online");
-      const baseParams = {
-        workspaceId: workspace.id,
-        repoRoot: workspace.repoRoot,
-        worktreePath: workspace.worktreePath,
-        branch: workspace.branch,
-        requestedBy: agentId ?? "dashboard",
-        requestedAt: Date.now(),
-      };
-      if (action === "merge") {
-        // Merge needs a live host: rebasing against a stale base later is unsafe.
-        if (!onlineOwner) {
-          releaseMergeLease({ repoRoot: workspace.repoRoot, workspaceId: workspace.id });
-          mergeLeaseRepo = undefined;
-          return error("no online orchestrator available for workspace merge", 409);
-        }
-        const strategy = cleanEnum(parsed.body.strategy, "strategy", ["pr", "rebase-ff", "auto"] as const, "auto");
-        command = createCommand({
-          type: "workspace.merge",
-          source: "system",
-          target: onlineOwner.agentId,
-          correlationId: workspace.id,
-          params: {
-            action: "merge",
-            ...baseParams,
-            baseRef: workspace.baseRef,
-            baseSha: workspace.baseSha,
-            strategy,
-            deleteBranch: parsed.body.deleteBranch !== false,
-            prTitle: cleanString(parsed.body.prTitle, "prTitle", { max: 240 }),
-            prBody: cleanString(parsed.body.prBody, "prBody", { max: 8000 }),
-          },
-        });
-      } else {
-        // Cleanup may queue: if the owning orchestrator is offline, the command
-        // (no TTL) waits and reconciles when it reconnects. Only hard-fail when
-        // no orchestrator owns the path at all — then DELETE is the escape.
-        const owner = onlineOwner ?? owners[0];
-        if (!owner) return error("no orchestrator owns this workspace path; use DELETE /api/workspaces/:id to purge the record", 409);
-        command = createCommand({
-          type: "workspace.cleanup",
-          source: "system",
-          target: owner.agentId,
-          correlationId: workspace.id,
-          params: { action: "cleanup", ...baseParams, deleteBranch: true, queued: owner.status !== "online" },
-        });
-      }
-      // Bind the lease to the dispatched merge command so it's released by id
-      // when the command settles (postCommandResult).
-      if (action === "merge" && mergeLeaseRepo) setMergeLeaseCommand(mergeLeaseRepo, command.id);
+      const owner = onlineOwner ?? owners[0];
+      if (!owner) return error("no orchestrator owns this workspace path; use DELETE /api/workspaces/:id to purge the record", 409);
+      command = createCommand({
+        type: "workspace.cleanup",
+        source: "system",
+        target: owner.agentId,
+        correlationId: workspace.id,
+        params: {
+          action: "cleanup",
+          workspaceId: workspace.id,
+          repoRoot: workspace.repoRoot,
+          worktreePath: workspace.worktreePath,
+          branch: workspace.branch,
+          requestedBy: agentId ?? "dashboard",
+          requestedAt: Date.now(),
+          deleteBranch: true,
+          queued: owner.status !== "online",
+        },
+      });
       emitCommand(command);
     }
     auditEvent({
@@ -4051,16 +4133,13 @@ const postWorkspaceAction: Handler = async (req, params) => {
       title: `Workspace ${action}`,
       body: detail ?? workspace.worktreePath,
       meta: workspace.branch ?? workspace.id,
-      icon: action === "cleanup" ? "ti-trash" : action === "merge" ? "ti-git-merge" : action === "conflict-found" ? "ti-alert-triangle" : "ti-git-branch",
+      icon: action === "cleanup" ? "ti-trash" : action === "conflict-found" ? "ti-alert-triangle" : "ti-git-branch",
       view: "orchestrators",
       agentId,
       metadata: { action, workspaceId: workspace.id, repoRoot: workspace.repoRoot, worktreePath: workspace.worktreePath, status: updated.status, commandId: command?.id, ...authAuditMetadata(req) },
     });
     return json({ workspace: updated, command }, requiresCommand ? 202 : 200);
   } catch (e) {
-    // A merge that acquired the lease but failed before dispatch must release it,
-    // or the repo stays blocked until the TTL expires.
-    if (mergeLeaseRepo) releaseMergeLease({ repoRoot: mergeLeaseRepo });
     if (e instanceof ValidationError) return error(e.message, 400);
     throw e;
   }
@@ -4397,16 +4476,35 @@ const patchCommand: Handler = async (req, params) => {
     if (command.type === "workspace.reconcile" && command.status === "succeeded" && isRecord(command.result)) {
       const workspaceId = cleanString(command.result.workspaceId, "result.workspaceId", { max: 160 });
       const resultStatus = cleanEnum(command.result.status, "result.status", VALID_WORKSPACE_STATUSES) as WorkspaceStatus | undefined;
+      const removed = command.result.removed === true;
       if (workspaceId && resultStatus) {
         // Only act on workspaces the agent left in a live state; never overwrite
         // a status a human/agent has since moved on (merge_planned, abandoned, …).
         const current = getWorkspace(workspaceId);
         if (current && (current.status === "active" || current.status === "ready")) {
-          updateWorkspaceStatus(workspaceId, resultStatus, {
-            reconcileResult: command.result,
-            reconcileCommandId: command.id,
-            reconciledAt: Date.now(),
-          });
+          if (removed) {
+            // The owner exited and the worktree had no work — the orchestrator
+            // already deleted it on disk. Drop the DB row immediately instead of
+            // parking it at `cleaned` for 24h: a no-change session is pure junk
+            // from the user's view, so it should leave the Workspaces panel now.
+            deleteWorkspace(workspaceId);
+            auditEvent({
+              clientId: `workspace-reconcile-removed-${workspaceId}-${Date.now()}`,
+              kind: "state",
+              title: "Workspace removed (no changes)",
+              body: current.worktreePath,
+              meta: current.branch ?? workspaceId,
+              icon: "ti-trash",
+              view: "orchestrators",
+              metadata: { reconcileCommandId: command.id, workspaceId, repoRoot: current.repoRoot },
+            });
+          } else {
+            updateWorkspaceStatus(workspaceId, resultStatus, {
+              reconcileResult: command.result,
+              reconcileCommandId: command.id,
+              reconciledAt: Date.now(),
+            });
+          }
         }
       }
     }
@@ -4469,6 +4567,27 @@ const deleteAgentProfileRoute: Handler = (req, params) => {
   }
 };
 
+// --- Steward config (global, provider-independent — issue #167) ---
+
+const getStewardConfigRoute: Handler = () => json(getStewardConfigEntry());
+
+const putStewardConfigRoute: Handler = async (req) => {
+  const parsed = await parseBody<unknown>(req);
+  if (!parsed.ok) return error(parsed.error, parsed.status);
+  try {
+    const value = isRecord(parsed.body) && Object.prototype.hasOwnProperty.call(parsed.body, "value")
+      ? parsed.body.value
+      : parsed.body;
+    const updatedBy = isRecord(parsed.body) ? cleanString(parsed.body.updatedBy, "updatedBy", { max: 200 }) : undefined;
+    const entry = setStewardConfig(value, updatedBy);
+    emitConfigChanged(entry.namespace, entry.key, entry.version);
+    return json(entry, entry.version === 1 ? 201 : 200);
+  } catch (e) {
+    if (e instanceof ValidationError) return error(e.message, 400);
+    throw e;
+  }
+};
+
 // --- Config routes ---
 
 function normalizeConfigPathParam(raw: string | undefined, field: string): string {
@@ -6276,6 +6395,7 @@ const routes: Route[] = [
   route("POST", "/api/orchestrators/:id/heartbeat", postOrchestratorHeartbeat),
   route("PATCH", "/api/orchestrators/:id/agents", patchOrchestratorAgents),
   route("POST", "/api/orchestrators/:id/spawn", postOrchestratorSpawn),
+  route("POST", "/api/orchestrators/:id/runner-token", postOrchestratorRunnerToken),
   route("POST", "/api/orchestrators/:id/actions", postOrchestratorAction),
   route("GET", "/api/orchestrators/:id/directories", getOrchestratorDirectories),
   route("POST", "/api/orchestrators/:id/directories", postOrchestratorCreateDirectory),
@@ -6334,6 +6454,8 @@ const routes: Route[] = [
   route("GET", "/api/agent-profiles/:name", getAgentProfileRoute),
   route("PUT", "/api/agent-profiles/:name", putAgentProfileRoute),
   route("DELETE", "/api/agent-profiles/:name", deleteAgentProfileRoute),
+  route("GET", "/api/steward-config", getStewardConfigRoute),
+  route("PUT", "/api/steward-config", putStewardConfigRoute),
   route("GET", "/api/config/:namespace", getConfigNamespace),
   route("GET", "/api/config/:namespace/:key/history", getConfigKeyHistory),
   route("GET", "/api/config/:namespace/:key", getConfigKey),

package/src/runtime-tokens.ts

@@ -1,4 +1,5 @@
-import { createToken } from "./token-db";
+import { createToken, revokeToken } from "./token-db";
+import { verifyComponentTokenAllowExpired } from "./security";
 import type { TokenRecord } from "./types";
 
 interface RuntimeTokenResult {
@@ -6,6 +7,48 @@ interface RuntimeTokenResult {
   record: TokenRecord;
 }
 
+// How long after expiry a runner token may still be re-minted. Bounds replay of
+// a long-dead token to a sane window — a live session re-mints well within this.
+const REMINT_MAX_EXPIRED_AGE_SECONDS = 30 * 24 * 60 * 60; // 30 days
+
+// Orchestrator-mediated re-mint: given a runner's current (possibly expired) token
+// and the calling orchestrator's id, verify the token belongs to a runner of THIS
+// orchestrator and issue a fresh provider-agent token cloning its scope. The old
+// token is revoked. The caller MUST already be authenticated/authorized as the
+// orchestrator — this only establishes that the presented token is a genuine,
+// non-revoked runner token owned by that orchestrator. See approach #1 in the
+// runner self-heal design: the relay stays strict, the orchestrator's standing
+// privilege is the authorization, the signed token is the identity.
+export function reissueRunnerRuntimeToken(input: {
+  expiredToken: string;
+  orchestratorId: string;
+  createdBy?: string;
+}): RuntimeTokenResult | { error: string } {
+  const payload = verifyComponentTokenAllowExpired(input.expiredToken);
+  if (!payload) return { error: "invalid or revoked runner token" };
+  if (payload.role !== "provider" || !payload.sub.startsWith("runner:")) {
+    return { error: "not a runner token" };
+  }
+  const orchestrators = payload.constraints?.orchestrators;
+  if (!Array.isArray(orchestrators) || !orchestrators.includes(input.orchestratorId)) {
+    return { error: "runner token not owned by this orchestrator" };
+  }
+  if (payload.exp !== undefined) {
+    const ageSeconds = Math.floor(Date.now() / 1000) - payload.exp;
+    if (ageSeconds > REMINT_MAX_EXPIRED_AGE_SECONDS) return { error: "runner token expired too long ago" };
+  }
+  const reissued = createToken({
+    profileId: "provider-agent",
+    sub: payload.sub,
+    role: "provider",
+    scope: payload.scope,
+    constraints: payload.constraints,
+    createdBy: input.createdBy ?? `remint:${payload.jti ?? "unknown"}`,
+  });
+  if (payload.jti) revokeToken(payload.jti);
+  return reissued;
+}
+
 export function issueOrchestratorRuntimeToken(input: {
   orchestratorId: string;
   baseDir: string;

package/src/security.ts

@@ -294,6 +294,23 @@ export function verifyComponentToken(token: string, nowSeconds = Math.floor(Date
   return payload;
 }
 
+// Verify a component token's signature and revocation WITHOUT enforcing expiry.
+// Used only for orchestrator-mediated runner-token re-minting: an expired runner
+// token is unforgeable proof of identity (it is HMAC-signed by this relay), even
+// though it can no longer authenticate a request. The caller (an authenticated
+// orchestrator) supplies the authorization; this just establishes which runner.
+// Revoked tokens are still rejected — revocation is a hard kill.
+export function verifyComponentTokenAllowExpired(token: string): ComponentToken | null {
+  const parts = token.split(".");
+  if (parts.length !== 3) return null;
+  const [headerRaw, payloadRaw, signature] = parts as [string, string, string];
+  if (!safeEqual(signature, hmac(`${headerRaw}.${payloadRaw}`))) return null;
+  const payload = parseBase64urlJson(payloadRaw);
+  if (!isComponentToken(payload)) return null;
+  if (payload.jti && isTokenRevoked(payload.jti)) return null;
+  return payload;
+}
+
 export function forbidden(req: Request): Response {
   return applyCors(req, Response.json({ error: "forbidden" }, { status: 403 }));
 }