agent-tempo 1.2.0 → 1.4.0

package/dist/http/body.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ALLOWED_AGENTS_PROD = exports.ALLOWED_AGENTS_DEV = exports.BODY_INVALID_JSON = exports.BODY_TOO_LARGE = exports.WRITE_BODY_MAX = void 0;
+exports.ALLOWED_AGENTS_PROD = exports.ALLOWED_AGENTS_DEV = exports.BODY_INVALID_JSON = exports.BODY_TOO_LARGE = exports.INGEST_BODY_MAX = exports.WRITE_BODY_MAX = void 0;
 exports.readJsonBody = readJsonBody;
 exports.stringField = stringField;
 exports.allowedAgentsForCurrentMode = allowedAgentsForCurrentMode;
@@ -12,6 +12,9 @@ const responses_1 = require("./responses");
 const validation_1 = require("../utils/validation");
 /** Hard cap on incoming JSON body size (1 MiB). */
 exports.WRITE_BODY_MAX = 1024 * 1024;
+/** 3c Tier-2 ingest cap (32 KiB) — the DOS backstop for `/inner/ingest`; the
+ *  source already ~2KB-truncates summaries, so real frames are far smaller. */
+exports.INGEST_BODY_MAX = 32 * 1024;
 exports.BODY_TOO_LARGE = Symbol('body-too-large');
 exports.BODY_INVALID_JSON = Symbol('body-invalid-json');
 /**
@@ -24,13 +27,13 @@ exports.BODY_INVALID_JSON = Symbol('body-invalid-json');
  * handler ends. Explicit `req.destroy()` would race the response
  * write — left alone.
  */
-async function readJsonBody(req) {
+async function readJsonBody(req, maxBytes = exports.WRITE_BODY_MAX) {
     const chunks = [];
     let total = 0;
     for await (const chunk of req) {
         const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
         total += buf.length;
-        if (total > exports.WRITE_BODY_MAX)
+        if (total > maxBytes)
             return exports.BODY_TOO_LARGE;
         chunks.push(buf);
     }

package/dist/http/event-bus.js

@@ -64,6 +64,7 @@ const NON_ESSENTIAL_AFTER_THROTTLE = new Set([
 function topicOf(kind) {
     switch (kind) {
         case 'player.phase_changed': return 'phase';
+        case 'player.activity': return 'phase';
         case 'chat.appended':
         case 'chat.compressed': return 'chat';
         case 'flags.changed': return 'flags';

package/dist/http/event-types.d.ts

@@ -152,7 +152,7 @@ export interface PlayerSummaryV1 {
      * stability rule at §6 — adding new adapters in future versions remains
      * non-breaking, removing one requires `/v2/`. See #535.
      */
-    agentType: 'claude' | 'copilot' | 'mock' | 'claude-api' | 'opencode' | 'claude-code-headless';
+    agentType: 'claude' | 'copilot' | 'mock' | 'claude-api' | 'opencode' | 'claude-code-headless' | 'pi';
     playerType?: string;
     /** Authoritative attachment phase (post-v0.26 — see WIRE-PROTOCOL.md). */
     phase?: AttachmentPhase;
@@ -194,6 +194,20 @@ export interface PlayerSummaryV1 {
     /** Q5.6 — ISO timestamp of the most recent activity. Already on
      * `MaestroPlayerInfo`; passed through verbatim by `toPlayerSummaryV1`. */
     lastActivityAt?: string;
+    /**
+     * 3c Tier-1 coarse observability — the tool the player is currently
+     * executing, or `null` when idle/between tools. Sourced from session
+     * metadata via the heartbeat piggyback (~30s freshness); the live,
+     * fine-grained tail is the off-wire `/inner` side-channel (MD-F). Additive.
+     */
+    currentTool?: string | null;
+    /**
+     * 3c Tier-1 coarse — estimated context tokens in use (pull-only, from Pi's
+     * `getContextUsage()`; `null`/absent right after compaction). Additive.
+     */
+    contextTokens?: number;
+    /** 3c Tier-1 coarse — context usage as a percentage of the model window. Additive. */
+    contextPercent?: number;
 }
 /**
  * The eventId token used in the `id:` line of the SSE frame and as the
@@ -269,7 +283,7 @@ export declare const PR1_SENTINEL_EVENT_ID: EventIdToken;
  * **Append-only**. Do not remove. New event types ship as additive `/v1/`
  * additions; removals require `/v2/`.
  */
-export declare const SSE_EVENT_KINDS: readonly ["snapshot", "gap", "throttled", "heartbeat", "ensemble.created", "ensemble.destroyed", "player.added", "player.removed", "player.phase_changed", "chat.appended", "chat.compressed", "flags.changed", "schedules.changed", "host_profile.changed"];
+export declare const SSE_EVENT_KINDS: readonly ["snapshot", "gap", "throttled", "heartbeat", "ensemble.created", "ensemble.destroyed", "player.added", "player.removed", "player.phase_changed", "chat.appended", "chat.compressed", "flags.changed", "schedules.changed", "host_profile.changed", "player.activity"];
 export type SseEventKind = (typeof SSE_EVENT_KINDS)[number];
 /** Common envelope for every event. */
 export interface SseEventBase {
@@ -364,6 +378,24 @@ export type TempoEvent = (SseEventBase & {
 }) | (SseEventBase & {
     type: 'host_profile.changed';
     payload: HostProfile;
+}) | (SseEventBase & {
+    type: 'player.activity';
+    /**
+     * 3c Tier-1 coarse activity (MD-F). Emitted by the aggregate poll/diff
+     * when a player's `currentTool` or context usage changes between polls.
+     * `busy/idle` is DERIVED consumer-side from the player's phase
+     * (busy = phase==='processing'); `activityCount`/`lastActivityAt` already
+     * ride `PlayerSummaryV1`. This is the ON-wire coarse tier; the fine,
+     * live inner tail is the off-wire `/inner` side-channel.
+     */
+    payload: {
+        playerId: string;
+        ensemble: string;
+        currentTool: string | null;
+        contextTokens?: number;
+        contextPercent?: number;
+        at: string;
+    };
 });
 /**
  * Subset of event categories the server can pre-filter on `?topics=...`.

package/dist/http/event-types.js

@@ -33,4 +33,5 @@ exports.SSE_EVENT_KINDS = [
     'flags.changed',
     'schedules.changed',
     'host_profile.changed',
+    'player.activity',
 ];

package/dist/http/gate-audit.d.ts

@@ -0,0 +1,12 @@
+import type { GateAuditSink } from './gate-registry';
+/** Root of the per-player gate-audit tree. */
+export declare function gateAuditRoot(): string;
+/** Absolute JSONL path for a (ensemble, workflowId) pair under `root`. */
+export declare function gateAuditPath(ensemble: string, workflowId: string, root?: string): string;
+/**
+ * Build the daemon's audit sink. Returns a {@link GateAuditSink} that appends one
+ * JSON line per record. Append + mkdir are synchronous (durable-before-return);
+ * any I/O error is logged + swallowed so a disk problem never wedges a gate
+ * decision. `root` is injectable for tests (defaults to {@link gateAuditRoot}).
+ */
+export declare function createGateAuditSink(root?: string): GateAuditSink;

package/dist/http/gate-audit.js

@@ -0,0 +1,95 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.gateAuditRoot = gateAuditRoot;
+exports.gateAuditPath = gateAuditPath;
+exports.createGateAuditSink = createGateAuditSink;
+/**
+ * Operator-gate audit writer (3d / MD-G, R5 — security-locked) — the daemon's
+ * append-only JSONL sink for {@link GateRegistry} events. One file per player at
+ *
+ *   <AGENT_TEMPO_HOME>/gate-audit/<ensemble>/<workflowId>.jsonl
+ *
+ * Each {@link GateAuditRecord} (arm | disarm | decision) is one JSON line,
+ * appended SYNCHRONOUSLY at the decision/posture-change point so the durable
+ * record lands before the daemon hands back control (no buffering window where a
+ * crash loses an allow/deny). The `ensemble` sidecar (not part of the locked
+ * record schema) only paths the file.
+ *
+ * Daemon-side ONLY. The writer is wired as the GateRegistry's audit sink in
+ * `daemon.ts`; failures are swallowed + logged (audit is best-effort durable —
+ * never let an append error break a live gate decision).
+ */
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const config_1 = require("../config");
+const log = (...args) => console.error('[agent-tempo:gate-audit]', ...args);
+/** Root of the per-player gate-audit tree. */
+function gateAuditRoot() {
+    return path.join(config_1.AGENT_TEMPO_HOME, 'gate-audit');
+}
+/**
+ * Sanitize a single path segment (ensemble / workflowId) so a crafted name can't
+ * traverse out of the audit root. Ensemble + workflowId are already validated
+ * upstream (ENSEMBLE_NAME_REGEX / the workflowId is daemon-built), but defend the
+ * filesystem boundary anyway: strip anything outside `[A-Za-z0-9._-]`, collapse
+ * to a non-empty token.
+ */
+function safeSegment(seg) {
+    const cleaned = seg.replace(/[^A-Za-z0-9._-]/g, '_');
+    return cleaned.length > 0 ? cleaned : '_';
+}
+/** Absolute JSONL path for a (ensemble, workflowId) pair under `root`. */
+function gateAuditPath(ensemble, workflowId, root = gateAuditRoot()) {
+    return path.join(root, safeSegment(ensemble || '_'), `${safeSegment(workflowId)}.jsonl`);
+}
+/**
+ * Build the daemon's audit sink. Returns a {@link GateAuditSink} that appends one
+ * JSON line per record. Append + mkdir are synchronous (durable-before-return);
+ * any I/O error is logged + swallowed so a disk problem never wedges a gate
+ * decision. `root` is injectable for tests (defaults to {@link gateAuditRoot}).
+ */
+function createGateAuditSink(root = gateAuditRoot()) {
+    return (record, ensemble) => {
+        try {
+            const file = gateAuditPath(ensemble, record.workflowId, root);
+            fs.mkdirSync(path.dirname(file), { recursive: true });
+            fs.appendFileSync(file, JSON.stringify(record) + '\n', 'utf8');
+        }
+        catch (err) {
+            log('append failed (non-fatal):', err instanceof Error ? err.message : err);
+        }
+    };
+}

package/dist/http/gate-registry.d.ts

@@ -0,0 +1,167 @@
+/**
+ * Operator-gate registry (3d / MD-G) — the DAEMON-LOCAL state for the live
+ * tool-call approve/deny gate on a headless Pi player. Per-player (keyed by the
+ * fixed session `workflowId`), it holds two things:
+ *
+ *   1. ARMED state — whether an operator has armed the gate for this player.
+ *      When disarmed, the player's `tool_call` handler never engages the gate
+ *      (MD-C decides immediately); when armed, a non-`low-risk` tool routes here
+ *      for an operator decision.
+ *   2. PENDING requests — one entry per in-flight gated tool call, keyed by a
+ *      caller-supplied `requestId`. The operator resolves it (POST /gate/:id);
+ *      the Pi subprocess POLLS for the resolution (GET /gate/:id/resolution) and
+ *      resolves its awaited `tool_call` Promise on a non-pending answer.
+ *
+ * ── 45s auto-allow (R3, autonomous-first, maintainer-LOCKED) ──
+ * A pending request with no operator decision after {@link GATE_AUTO_ALLOW_MS}
+ * resolves to `auto-allow` so an unsupervised run never stalls (and Pi #2381 — a
+ * `tool_call` handler that never resolves hangs the loop — can't bite). Expiry is
+ * LAZY-ON-POLL (computed from `createdAt` vs the injected clock at
+ * {@link GateRegistry.getResolution} time) — no daemon timer, fully
+ * deterministic under test. The Pi-side poll loop additionally bounds itself +
+ * honors `ctx.signal`, so the loop is bounded on BOTH sides.
+ *
+ * ── Audit (R5, security-locked) ──
+ * Every posture change (arm / disarm) and every decision (operator allow|deny,
+ * timeout auto-allow) is handed to the injected {@link GateAuditSink} — the
+ * daemon wires the append-only JSONL writer
+ * (`~/.agent-tempo/gate-audit/<ensemble>/<workflowId>.jsonl`). The registry owns
+ * the auto-allow decision point, so it MUST audit that one; arm/disarm/operator
+ * decisions are audited here too for a single sink.
+ *
+ * ── gate_resolved on the /inner stream (architect-ruled DI) ──
+ * When a decision lands, the registry emits an `inner.gate_resolved` frame so the
+ * operator sees the outcome. To avoid a circular import (GateRegistry ↔ the
+ * inner-loop module), the publish path is an INJECTED {@link PublishToInner}
+ * callback — the daemon wires it to `innerLoop.publish`. The registry imports
+ * only the InnerFrame TYPE (erased at compile), never the inner-loop runtime.
+ *
+ * This module is daemon-side ONLY (loopback HTTP boundary, off Temporal, off the
+ * coordination bus). Nothing here is imported by `src/workflows/`.
+ */
+import type { InnerFrame } from '../pi/inner-loop-publisher';
+/** Operator-gate timeout: a pending request auto-ALLOWS after this long (R3, locked). */
+export declare const GATE_AUTO_ALLOW_MS = 45000;
+/** Terminal decision on a gated tool call. `auto-allow` = the R3 timeout fired. */
+export type GateDecision = 'allow' | 'deny' | 'auto-allow';
+/** Who/what produced a decision. */
+export type GateDecisionSource = 'operator' | 'timeout';
+/** Metadata the source attaches when opening a gate request (for operator display + audit). */
+export interface GateRequestMeta {
+    /** The tool being gated (already classified non-`low-risk`). */
+    tool: string;
+    /** A bounded summary of the tool args (source-truncated, ≤ a couple KB). */
+    argsSummary: string;
+    /** The player's Pi conversation id, if known (audit only). */
+    sessionId?: string;
+    /**
+     * The player's ensemble — stashed per-player so the audit sink can path the
+     * JSONL under `<ensemble>/<workflowId>.jsonl` (workflowId is not cleanly
+     * splittable since both ensemble + playerId may contain hyphens).
+     */
+    ensemble?: string;
+}
+/** The poll answer the Pi subprocess receives from GET /gate/:requestId/resolution. */
+export type GateResolution = {
+    status: 'pending';
+} | {
+    status: 'resolved';
+    decision: GateDecision;
+    source: GateDecisionSource;
+};
+/** One audited gate event (R5 schema, security-locked; `kind` discriminator per architect). */
+export type GateAuditRecord = {
+    kind: 'decision';
+    ts: string;
+    workflowId: string;
+    sessionId?: string;
+    requestId: string;
+    tool: string;
+    argsSummary: string;
+    decision: GateDecision;
+    source: GateDecisionSource;
+    operatorTokenHint?: string;
+} | {
+    kind: 'arm' | 'disarm';
+    ts: string;
+    workflowId: string;
+    source: 'operator';
+    operatorTokenHint?: string;
+};
+/**
+ * Append-only audit sink (daemon wires the JSONL writer; tests inject a spy).
+ * `ensemble` is a SIDECAR (not part of the locked record schema) the writer uses
+ * to path `<ensemble>/<workflowId>.jsonl`; `''` when unknown.
+ */
+export type GateAuditSink = (record: GateAuditRecord, ensemble: string) => void;
+/**
+ * Injected publish path for the `inner.gate_resolved` outcome frame (architect's
+ * DI to avoid a GateRegistry ↔ inner-loop circular import). Daemon wires it to
+ * `innerLoop.publish`; tests inject a spy; default is a no-op.
+ */
+export type PublishToInner = (workflowId: string, frame: InnerFrame) => void;
+/** Result of an operator decision attempt — drives the route's HTTP status. */
+export type DecideResult = {
+    ok: true;
+} | {
+    ok: false;
+    reason: 'not-found';
+} | {
+    ok: false;
+    reason: 'already-decided';
+};
+/**
+ * Per-daemon operator-gate registry, keyed by the player's fixed session
+ * `workflowId`. One instance is constructed in the daemon and shared between the
+ * Temporal worker (auto-disarm on detach/destroy) and the HTTP gate routes —
+ * the same singleton-sharing pattern as the 3c InnerLoop/IngestToken registries.
+ */
+export declare class GateRegistry {
+    private readonly audit;
+    private readonly now;
+    private readonly autoAllowMs;
+    private readonly publishToInner;
+    private readonly gates;
+    constructor(audit?: GateAuditSink, now?: () => number, autoAllowMs?: number, publishToInner?: PublishToInner);
+    /** Emit an `inner.gate_resolved` outcome frame on the player's /inner stream. */
+    private emitResolved;
+    private gate;
+    private nowIso;
+    /** Arm the gate for a player — subsequent non-`low-risk` tools route to the operator. */
+    arm(workflowId: string, ensemble: string, operatorTokenHint?: string): void;
+    /** Disarm the gate — new tools no longer engage it (in-flight pending still resolvable / auto-allow). */
+    disarm(workflowId: string, operatorTokenHint?: string): void;
+    /** Whether the gate is currently armed for a player (the engagement predicate reads this). */
+    isArmed(workflowId: string): boolean;
+    /**
+     * Open (or return the existing) pending request for a gated tool call.
+     * Idempotent on `requestId` — a retried open returns the existing entry so the
+     * source can safely re-register before polling. Does NOT audit (the request
+     * isn't a decision); the decision/auto-allow audit records carry tool+args.
+     */
+    open(workflowId: string, requestId: string, meta: GateRequestMeta): void;
+    /**
+     * Operator decision (allow|deny) on a pending request. Returns a result that
+     * the route maps to a status: unknown → 404, already-decided → 409 (idempotency
+     * guard so a double-POST or a post-timeout race can't flip a recorded answer).
+     */
+    decide(workflowId: string, requestId: string, decision: 'allow' | 'deny', operatorTokenHint?: string): DecideResult;
+    /**
+     * The Pi subprocess's poll answer. Returns `null` for an unknown request
+     * (route → 404). For a known request: an already-recorded decision, OR — if no
+     * decision and `now - createdAt >= autoAllowMs` — a freshly-recorded `auto-allow`
+     * (R3 timeout, source `timeout`, audited HERE since the registry owns the
+     * timeout clock), OR `pending`.
+     */
+    getResolution(workflowId: string, requestId: string): GateResolution | null;
+    /**
+     * Auto-disarm + drop all pending for a player (detach / destroy). The
+     * subprocess is going away, so abandoning its pending requests is correct — a
+     * still-polling client would just stop. Idempotent.
+     */
+    clearPlayer(workflowId: string): void;
+    /** Drop every player's gate state (daemon shutdown / clear-all). */
+    clear(): void;
+    /** Pending-request count for a player (diagnostics / tests). */
+    pendingCount(workflowId: string): number;
+}

package/dist/http/gate-registry.js

@@ -0,0 +1,163 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GateRegistry = exports.GATE_AUTO_ALLOW_MS = void 0;
+/** Operator-gate timeout: a pending request auto-ALLOWS after this long (R3, locked). */
+exports.GATE_AUTO_ALLOW_MS = 45_000;
+/**
+ * Per-daemon operator-gate registry, keyed by the player's fixed session
+ * `workflowId`. One instance is constructed in the daemon and shared between the
+ * Temporal worker (auto-disarm on detach/destroy) and the HTTP gate routes —
+ * the same singleton-sharing pattern as the 3c InnerLoop/IngestToken registries.
+ */
+class GateRegistry {
+    audit;
+    now;
+    autoAllowMs;
+    publishToInner;
+    gates = new Map();
+    constructor(audit = () => { }, now = Date.now, autoAllowMs = exports.GATE_AUTO_ALLOW_MS, publishToInner = () => { }) {
+        this.audit = audit;
+        this.now = now;
+        this.autoAllowMs = autoAllowMs;
+        this.publishToInner = publishToInner;
+    }
+    /** Emit an `inner.gate_resolved` outcome frame on the player's /inner stream. */
+    emitResolved(workflowId, requestId, decision, source) {
+        this.publishToInner(workflowId, { type: 'inner.gate_resolved', requestId, decision, source, ts: this.now() });
+    }
+    gate(workflowId) {
+        let g = this.gates.get(workflowId);
+        if (!g) {
+            g = { armed: false, ensemble: '', pending: new Map() };
+            this.gates.set(workflowId, g);
+        }
+        return g;
+    }
+    nowIso() {
+        // `now` is injectable; format the same epoch ms the registry reasons about so
+        // audit timestamps line up with the lazy-expiry clock under test.
+        return new Date(this.now()).toISOString();
+    }
+    // ── Arm / disarm (operator posture; audited) ───────────────────────────────
+    /** Arm the gate for a player — subsequent non-`low-risk` tools route to the operator. */
+    arm(workflowId, ensemble, operatorTokenHint) {
+        const g = this.gate(workflowId);
+        g.armed = true;
+        if (ensemble)
+            g.ensemble = ensemble;
+        this.audit({ kind: 'arm', ts: this.nowIso(), workflowId, source: 'operator', ...(operatorTokenHint ? { operatorTokenHint } : {}) }, g.ensemble);
+    }
+    /** Disarm the gate — new tools no longer engage it (in-flight pending still resolvable / auto-allow). */
+    disarm(workflowId, operatorTokenHint) {
+        const g = this.gate(workflowId);
+        g.armed = false;
+        this.audit({ kind: 'disarm', ts: this.nowIso(), workflowId, source: 'operator', ...(operatorTokenHint ? { operatorTokenHint } : {}) }, g.ensemble);
+    }
+    /** Whether the gate is currently armed for a player (the engagement predicate reads this). */
+    isArmed(workflowId) {
+        return this.gates.get(workflowId)?.armed ?? false;
+    }
+    // ── Pending requests (source opens; operator decides; source polls) ─────────
+    /**
+     * Open (or return the existing) pending request for a gated tool call.
+     * Idempotent on `requestId` — a retried open returns the existing entry so the
+     * source can safely re-register before polling. Does NOT audit (the request
+     * isn't a decision); the decision/auto-allow audit records carry tool+args.
+     */
+    open(workflowId, requestId, meta) {
+        const g = this.gate(workflowId);
+        if (meta.ensemble)
+            g.ensemble = meta.ensemble;
+        if (g.pending.has(requestId))
+            return;
+        g.pending.set(requestId, {
+            tool: meta.tool,
+            argsSummary: meta.argsSummary,
+            sessionId: meta.sessionId,
+            createdAt: this.now(),
+            decision: null,
+            source: null,
+        });
+    }
+    /**
+     * Operator decision (allow|deny) on a pending request. Returns a result that
+     * the route maps to a status: unknown → 404, already-decided → 409 (idempotency
+     * guard so a double-POST or a post-timeout race can't flip a recorded answer).
+     */
+    decide(workflowId, requestId, decision, operatorTokenHint) {
+        const g = this.gates.get(workflowId);
+        const req = g?.pending.get(requestId);
+        if (!req)
+            return { ok: false, reason: 'not-found' };
+        if (req.decision !== null)
+            return { ok: false, reason: 'already-decided' };
+        req.decision = decision;
+        req.source = 'operator';
+        this.audit({
+            kind: 'decision',
+            ts: this.nowIso(),
+            workflowId,
+            ...(req.sessionId ? { sessionId: req.sessionId } : {}),
+            requestId,
+            tool: req.tool,
+            argsSummary: req.argsSummary,
+            decision,
+            source: 'operator',
+            ...(operatorTokenHint ? { operatorTokenHint } : {}),
+        }, g?.ensemble ?? '');
+        this.emitResolved(workflowId, requestId, decision, 'operator');
+        return { ok: true };
+    }
+    /**
+     * The Pi subprocess's poll answer. Returns `null` for an unknown request
+     * (route → 404). For a known request: an already-recorded decision, OR — if no
+     * decision and `now - createdAt >= autoAllowMs` — a freshly-recorded `auto-allow`
+     * (R3 timeout, source `timeout`, audited HERE since the registry owns the
+     * timeout clock), OR `pending`.
+     */
+    getResolution(workflowId, requestId) {
+        const g = this.gates.get(workflowId);
+        const req = g?.pending.get(requestId);
+        if (!req)
+            return null;
+        if (req.decision !== null) {
+            return { status: 'resolved', decision: req.decision, source: req.source ?? 'operator' };
+        }
+        if (this.now() - req.createdAt >= this.autoAllowMs) {
+            req.decision = 'auto-allow';
+            req.source = 'timeout';
+            this.audit({
+                kind: 'decision',
+                ts: this.nowIso(),
+                workflowId,
+                ...(req.sessionId ? { sessionId: req.sessionId } : {}),
+                requestId,
+                tool: req.tool,
+                argsSummary: req.argsSummary,
+                decision: 'auto-allow',
+                source: 'timeout',
+            }, g?.ensemble ?? '');
+            this.emitResolved(workflowId, requestId, 'auto-allow', 'timeout');
+            return { status: 'resolved', decision: 'auto-allow', source: 'timeout' };
+        }
+        return { status: 'pending' };
+    }
+    // ── Lifecycle (auto-disarm on detach/destroy; daemon shutdown) ──────────────
+    /**
+     * Auto-disarm + drop all pending for a player (detach / destroy). The
+     * subprocess is going away, so abandoning its pending requests is correct — a
+     * still-polling client would just stop. Idempotent.
+     */
+    clearPlayer(workflowId) {
+        this.gates.delete(workflowId);
+    }
+    /** Drop every player's gate state (daemon shutdown / clear-all). */
+    clear() {
+        this.gates.clear();
+    }
+    /** Pending-request count for a player (diagnostics / tests). */
+    pendingCount(workflowId) {
+        return this.gates.get(workflowId)?.pending.size ?? 0;
+    }
+}
+exports.GateRegistry = GateRegistry;

package/dist/http/gate-routes.d.ts

@@ -0,0 +1,48 @@
+/**
+ * HTTP route handlers for the 3d operator gate (MD-G). server.ts dispatches to
+ * these; logic lives here so it stays testable.
+ *
+ * FOUR routes, TWO auth planes (mirrors the 3c inner-loop split):
+ *
+ *   OPERATOR plane (operator/dashboard → daemon). Mounted AFTER the outer bearer
+ *   gate with an explicit `requireTier(3)` (the highest RBAC tier, MD-E) — only
+ *   an admin-token holder may arm/disarm or decide:
+ *     - POST /v1/players/:e/:p/gate-arm           → arm the gate
+ *     - POST /v1/players/:e/:p/gate-disarm        → disarm the gate
+ *     - POST /v1/players/:e/:p/gate/:requestId    → decide { decision:'allow'|'deny' }
+ *
+ *   SOURCE plane (Pi subprocess → daemon; publisher-only). Same INGRESS gate as
+ *   the inner-loop ingest — loopback `remoteAddress` + `X-Ingest-Token` validated
+ *   against the URL-derived workflowId (cross-player-spoof guard), uniform 403:
+ *     - GET /v1/players/:e/:p/gate/:requestId/resolution → poll { status, … }
+ *
+ * The Pi subprocess's awaited `tool_call` handler polls the resolution route
+ * until it gets a non-`pending` answer (operator decision OR the registry's lazy
+ * 45s auto-allow) or its own bounded/ctx.signal-cancelled deadline.
+ *
+ * Daemon-side ONLY (loopback boundary, off Temporal). Not imported by workflows.
+ */
+import type { IncomingMessage, ServerResponse } from 'http';
+import type { GateRegistry } from './gate-registry';
+import type { IngestTokenRegistry } from './ingest-registry';
+export interface GateDeps {
+    gate: GateRegistry;
+    ingestTokens: IngestTokenRegistry;
+}
+/** POST /gate-arm — arm the operator gate for a player. 204. */
+export declare function handleGateArm(req: IncomingMessage, res: ServerResponse, deps: GateDeps, ensemble: string, playerId: string): void;
+/** POST /gate-disarm — disarm the operator gate for a player. 204. */
+export declare function handleGateDisarm(req: IncomingMessage, res: ServerResponse, deps: GateDeps, ensemble: string, playerId: string): void;
+/**
+ * POST /gate/:requestId — operator decision on a pending gated tool call.
+ * Body `{ decision: 'allow' | 'deny' }`. 204 on success; 404 unknown requestId;
+ * 409 already-decided (idempotency — a double-POST or post-timeout race can't
+ * flip a recorded answer); 400 malformed body / bad decision value.
+ */
+export declare function handleGateDecide(req: IncomingMessage, res: ServerResponse, deps: GateDeps, ensemble: string, playerId: string, requestId: string): Promise<void>;
+/**
+ * GET /gate/:requestId/resolution — the Pi subprocess polls for the decision.
+ * 200 `{ status:'pending' }` | `{ status:'resolved', decision, source }`; 404 for
+ * an unknown requestId; uniform 403 on any INGRESS gate failure (no leak).
+ */
+export declare function handleGateResolution(req: IncomingMessage, res: ServerResponse, deps: GateDeps, ensemble: string, playerId: string, requestId: string): void;