agent-tempo 1.3.1 → 1.4.1

package/dashboard/dist/index.html

@@ -12,7 +12,7 @@
       rel="stylesheet"
       href="https://fonts.googleapis.com/css2?family=Instrument+Sans:wght@400;500;600;700&family=Instrument+Serif:ital@0;1&family=JetBrains+Mono:wght@400;500&display=swap"
     />
-    <script type="module" crossorigin src="/dashboard/assets/index-D6Xyje_n.js"></script>
+    <script type="module" crossorigin src="/dashboard/assets/index-jmYe6rmS.js"></script>
     <link rel="stylesheet" crossorigin href="/dashboard/assets/index-CB78ToNE.css">
   </head>
   <body>

package/dashboard/package.json

@@ -1,7 +1,7 @@
 {
   "name": "agent-tempo-dashboard",
   "private": true,
-  "version": "1.3.1",
+  "version": "1.4.1",
   "type": "module",
   "description": "Web dashboard for agent-tempo. Bundled into the npm package; served by the daemon at /dashboard/*.",
   "scripts": {

package/dist/activities/outbox.d.ts

@@ -2,6 +2,8 @@ import { Client } from '@temporalio/client';
 import { Config } from '../config';
 import { AgentType, MockMode, DetachReason } from '../types';
 import type { ClaudeCodeHeadlessPermissionMode } from '../adapters/claude-code-headless/types';
+import type { IngestTokenRegistry } from '../http/ingest-registry';
+import type { GateRegistry } from '../http/gate-registry';
 import { type HardTerminateInput, type HardTerminateResult } from './hard-terminate';
 export interface DeliverCueInput {
     ensemble: string;
@@ -76,6 +78,17 @@ export interface DeliverDestroyInput {
     terminatedBy: string;
     notifyConductor?: boolean;
 }
+export interface DeliverResetInput {
+    ensemble: string;
+    targetPlayerId: string;
+    /** Correlation id (the originating outbox entry id) — the extension acks with it. */
+    resetId: string;
+    /** Clean-wipe (D14 default true). */
+    fresh: boolean;
+    reason?: string;
+    /** Who requested the reset (audit). */
+    requestedBy?: string;
+}
 export interface DeliverRestartInput {
     ensemble: string;
     targetPlayerId: string;
@@ -155,6 +168,14 @@ export interface SpawnProcessInput {
      * exclusive with {@link permissionMode}.
      */
     dangerouslySkipPermissions?: boolean;
+    /**
+     * Phase 3a / MD-C — headless Pi tool-class policy. Forwarded as
+     * `AGENT_TEMPO_TOOL_ACCESS`. Only meaningful when `agent === 'pi'`. One of
+     * `'restricted'` (default; Bash hard-blocked) | `'standard'` | `'full'`.
+     * Inline literal — kept off the workflow-sandbox import path (see the
+     * RecruitOutboxEntry note in src/types.ts).
+     */
+    toolAccess?: 'restricted' | 'standard' | 'full';
 }
 export interface OutboxActivityResult {
     success: boolean;
@@ -174,6 +195,7 @@ export interface OutboxActivities {
     deliverDetach(input: DeliverDetachInput): Promise<OutboxActivityResult>;
     deliverDestroy(input: DeliverDestroyInput): Promise<OutboxActivityResult>;
     deliverRestart(input: DeliverRestartInput): Promise<OutboxActivityResult>;
+    deliverReset(input: DeliverResetInput): Promise<OutboxActivityResult>;
     /**
      * OS-level child-process-tree kill for the target session. Runs on the per-host
      * task queue (`agent-tempo-{hostname}`) so the kill happens where the process
@@ -184,5 +206,12 @@ export interface OutboxActivities {
 /**
  * Create outbox delivery activities bound to a Temporal client and config.
  * The returned object is registered with the worker as activities.
+ *
+ * @param ingestTokens 3c Tier-2 ingest-auth registry (daemon-owned singleton,
+ *   shared with the HTTP `/inner/ingest` + `/inner/presence` validators). The pi
+ *   spawn branch MINTS a per-player token here (single-token-per-workflowId —
+ *   re-mint REPLACES, so a restart naturally revokes the stale token); the
+ *   destroy path REVOKES it. Optional: undefined disables ingest-token minting
+ *   (e.g. the dev test harness that constructs activities without the daemon).
  */
-export declare function createOutboxActivities(client: Client, config: Config): OutboxActivities;
+export declare function createOutboxActivities(client: Client, config: Config, ingestTokens?: IngestTokenRegistry, gate?: GateRegistry): OutboxActivities;

package/dist/activities/outbox.js

@@ -136,8 +136,15 @@ function classifyAndRethrow(err, contextPrefix) {
 /**
  * Create outbox delivery activities bound to a Temporal client and config.
  * The returned object is registered with the worker as activities.
+ *
+ * @param ingestTokens 3c Tier-2 ingest-auth registry (daemon-owned singleton,
+ *   shared with the HTTP `/inner/ingest` + `/inner/presence` validators). The pi
+ *   spawn branch MINTS a per-player token here (single-token-per-workflowId —
+ *   re-mint REPLACES, so a restart naturally revokes the stale token); the
+ *   destroy path REVOKES it. Optional: undefined disables ingest-token minting
+ *   (e.g. the dev test harness that constructs activities without the daemon).
  */
-function createOutboxActivities(client, config) {
+function createOutboxActivities(client, config, ingestTokens, gate) {
     return {
         async deliverCue(input) {
             const { ensemble, fromPlayerId, targetPlayerId, message, broadcastId, attachmentTicket } = input;
@@ -247,7 +254,7 @@ function createOutboxActivities(client, config) {
                         // across CAN. Both adapters use the same `model` metadata field
                         // (different value shapes — bare vs `provider/model`) — the spawn
                         // path inspects `metadata.agentType` to know which env var to set.
-                        ...((agent === 'claude-api' || agent === 'opencode') && model ? { model } : {}),
+                        ...((agent === 'claude-api' || agent === 'opencode' || agent === 'pi') && model ? { model } : {}),
                         ...(agentDefinition ? { playerType: agentDefinition } : {}),
                         ...(agentDefinitionDescription ? { playerTypeDescription: agentDefinitionDescription } : {}),
                         recruitedBy: fromPlayerId,
@@ -305,7 +312,7 @@ function createOutboxActivities(client, config) {
             }
         },
         async spawnProcess(input) {
-            const { targetName, workDir, isConductor, agent, systemPrompt, ensemble, temporalAddress, temporalNamespace, agentDefinition, agentDefinitionPath, nativeResolvable, resume, sessionId, allowedTools, claudeBin, attachmentId, attachmentRunId, adapterId, mockMode, mockScenario, model, permissionMode, dangerouslySkipPermissions } = input;
+            const { targetName, workDir, isConductor, agent, systemPrompt, ensemble, temporalAddress, temporalNamespace, agentDefinition, agentDefinitionPath, nativeResolvable, resume, sessionId, allowedTools, claudeBin, attachmentId, attachmentRunId, adapterId, mockMode, mockScenario, model, permissionMode, dangerouslySkipPermissions, toolAccess } = input;
             // Read secrets from the worker's config closure — never from workflow state
             const { temporalApiKey, temporalTlsCertPath, temporalTlsKeyPath } = config;
             try {
@@ -436,6 +443,43 @@ function createOutboxActivities(client, config) {
                     });
                     log(`Spawned claude-code-headless adapter (pid ${pid}) in ${workDir} as "${targetName}"${permissionMode ? ` (permissionMode=${permissionMode})` : ''}${dangerouslySkipPermissions ? ' (dangerouslySkipPermissions=true)' : ''}${attachmentId ? ` (attachmentId=${attachmentId})` : ''}`);
                 }
+                else if (agent === 'pi') {
+                    // Phase 3a — headless Pi runtime. Injects the src/pi extension into
+                    // Pi's createAgentSession; the module-scope singleton owns the
+                    // lifecycle (claim/heartbeat/tools/cue-pump). Tool access is governed
+                    // by the MD-C `toolAccess` policy (restricted hard-blocks Bash via the
+                    // extension's tool_call gate), NOT per-tool allowlists.
+                    if (allowedTools && allowedTools.length > 0) {
+                        log(`Warning: allowedTools [${allowedTools.join(', ')}] specified for pi agent "${targetName}" — Pi tool access is governed by toolAccess (MD-C), skipping allowedTools`);
+                    }
+                    // 3c Tier-2 — mint a per-player ingest token scoped to this player's
+                    // session workflowId so the headless Pi subprocess can authenticate its
+                    // `POST /inner/ingest` frames. Single-token-per-workflowId (mint
+                    // REPLACES) means a restart re-mints and naturally revokes the stale
+                    // token. Injected into the subprocess env as AGENT_TEMPO_INGEST_TOKEN.
+                    const ingestToken = ingestTokens?.mint((0, config_1.sessionWorkflowId)(ensemble, targetName));
+                    const { pid } = (0, spawn_1.spawnPiHeadless)({
+                        name: targetName,
+                        ensemble,
+                        temporalAddress,
+                        temporalNamespace,
+                        temporalApiKey,
+                        temporalTlsCertPath,
+                        temporalTlsKeyPath,
+                        isConductor,
+                        workDir,
+                        model,
+                        // Restart-resume: continue the prior Pi conversation only on a
+                        // restart (resume=true); a fresh recruit starts a new Pi session.
+                        continueSessionId: resume ? sessionId : undefined,
+                        toolAccess,
+                        attachmentId,
+                        attachmentRunId,
+                        adapterId,
+                        ingestToken,
+                    });
+                    log(`Spawned pi headless adapter (pid ${pid}) in ${workDir} as "${targetName}" (toolAccess=${toolAccess ?? 'restricted'})${model ? ` (model=${model})` : ''}${resume && sessionId ? ` (continue=${sessionId})` : ''}${attachmentId ? ` (attachmentId=${attachmentId})` : ''}`);
+                }
                 else {
                     // Resolve agent flags: --agent (native) > --system-prompt (shipped/legacy)
                     let agentFlags = [];
@@ -551,6 +595,14 @@ function createOutboxActivities(client, config) {
                     throw activity_1.ApplicationFailure.nonRetryable(`Cannot detach "${targetPlayerId}" — session is destroyed`);
                 }
                 await handle.signal(signals_1.requestDetachSignal, { reason, deadlineMs });
+                // 3c Tier-2 — revoke the player's ingest token on detach so a dead
+                // holder's loopback POST /inner/ingest can no longer authenticate once
+                // the player goes away. Mirrors the destroy-side revoke; idempotent and a
+                // no-op for non-Pi players (they never minted one). Re-attach re-mints.
+                ingestTokens?.revoke((0, config_1.sessionWorkflowId)(ensemble, targetPlayerId));
+                // 3d MD-G — auto-disarm the gate on detach (the operator's gate posture
+                // shouldn't survive the player going away; re-attach re-arms). Idempotent.
+                gate?.clearPlayer((0, config_1.sessionWorkflowId)(ensemble, targetPlayerId));
                 log(`Detach signaled for "${targetPlayerId}" (deadline=${deadlineMs}ms)`);
                 return { success: true };
             }
@@ -580,6 +632,21 @@ function createOutboxActivities(client, config) {
                         }],
                 });
                 log(`Destroyed "${targetPlayerId}"${reason ? ` (reason: ${reason})` : ''}`);
+                // 3c Tier-2 — revoke the player's ingest token on destroy so a dead
+                // holder's loopback POST /inner/ingest can no longer authenticate.
+                // Idempotent; a no-op for non-Pi players (they never minted one).
+                // NOTE (security cond. 2): the ingest endpoint authenticates on TOKEN
+                // ALONE — it does not inspect workflow phase (neither rejects nor
+                // buffers detached-phase players). So the residual surface is bounded
+                // not by phase-checking but by (a) this destroy-revoke and (b) the
+                // single-token-per-workflowId replacement on re-attach/restart.
+                // TODO(Phase 4): wire aggregate player-gone detection →
+                // revokeIngestToken(workflowId) on detach — deferred; residual surface
+                // negligible (dead holder + loopback-only + single-token replacement).
+                ingestTokens?.revoke((0, config_1.sessionWorkflowId)(ensemble, targetPlayerId));
+                // 3d MD-G — auto-disarm: drop the gate's armed-state + any pending
+                // requests for the destroyed player (idempotent; no-op for non-Pi).
+                gate?.clearPlayer((0, config_1.sessionWorkflowId)(ensemble, targetPlayerId));
                 if (notifyConductor) {
                     try {
                         const condId = (0, config_1.conductorWorkflowId)(ensemble);
@@ -603,6 +670,32 @@ function createOutboxActivities(client, config) {
                 classifyAndRethrow(err, `Destroy failed for "${targetPlayerId}"`);
             }
         },
+        /**
+         * D14 `deliverReset` — set a `pendingReset` flag on the target via
+         * `setPendingResetSignal` (a signal, like deliverCue — NOT a direct
+         * subprocess call). The Pi extension polls `pendingResetQuery`, performs the
+         * clean-wipe (`newSession`), then clears it via `ackResetSignal(resetId)`.
+         */
+        async deliverReset(input) {
+            const { ensemble, targetPlayerId, resetId, fresh, reason, requestedBy } = input;
+            try {
+                const handle = await (0, resolve_1.resolveSession)(client, ensemble, targetPlayerId);
+                if (!handle) {
+                    throw activity_1.ApplicationFailure.nonRetryable(`No session found for "${targetPlayerId}"`);
+                }
+                await handle.signal(signals_1.setPendingResetSignal, {
+                    resetId,
+                    fresh,
+                    ...(reason !== undefined ? { reason } : {}),
+                    ...(requestedBy !== undefined ? { requestedBy } : {}),
+                });
+                log(`Reset queued for "${targetPlayerId}"${reason ? ` (reason: ${reason})` : ''}`);
+                return { success: true };
+            }
+            catch (err) {
+                classifyAndRethrow(err, `Reset failed for "${targetPlayerId}"`);
+            }
+        },
         /**
          * PR-D `deliverRestart` — owns the §8.2 restart algorithm on the target.
          * Graceful `requestDetach` → re-query phase → `forceDetach` (if --force

package/dist/adapters/base.js

@@ -1264,6 +1264,11 @@ class AdapterRegistry {
         // Claude Code OAuth login so turns bill against subscription extra-usage.
         if (agent === 'claude-code-headless')
             return 'claude-code-headless';
+        // Phase 3a — headless Pi runtime. The 'pi' descriptor is registry/identity
+        // ONLY: the module-scope Pi extension singleton owns claim/heartbeat/phase
+        // (no BaseAttachment subprocess driver). Opt-in via `recruit({ agent: 'pi' })`.
+        if (agent === 'pi')
+            return 'pi';
         return 'claude-code';
     }
 }

package/dist/adapters/index.d.ts

@@ -31,7 +31,7 @@ export declare const registry: AdapterRegistry;
  * Mock adapter is intentionally excluded — it's dev-mode-only and stripped
  * from the npm tarball at prepack time (ADR 0014 §7 gate 1).
  */
-export declare const CANONICAL_ADAPTER_IDS: readonly ["claude-code", "copilot", "claude-api", "opencode", "claude-code-headless"];
+export declare const CANONICAL_ADAPTER_IDS: readonly ["claude-code", "copilot", "claude-api", "opencode", "claude-code-headless", "pi"];
 export { BaseAttachment, AdapterRegistry } from './base';
 export { SdkAttachment } from './sdk/base';
 export { InteractiveAttachment } from './claude-code';

package/dist/adapters/index.js

@@ -24,6 +24,7 @@ const copilot_1 = require("./copilot");
 const claude_api_1 = require("./claude-api");
 const opencode_1 = require("./opencode");
 const claude_code_headless_1 = require("./claude-code-headless");
+const pi_1 = require("./pi");
 const config_1 = require("../config");
 exports.registry = new base_1.AdapterRegistry();
 exports.registry.register(claude_code_1.claudeCodeDescriptor);
@@ -45,6 +46,11 @@ exports.registry.register(opencode_1.opencodeDescriptor);
 // `claude` binary is a system binary, not an npm dep; recruit pre-flight
 // probes for installation + login state via `pre-flight.ts`.
 exports.registry.register(claude_code_headless_1.claudeCodeHeadlessDescriptor);
+// Phase 3a — headless Pi runtime. Registry/identity descriptor ONLY: the Pi
+// extension singleton (Phase 2) owns the lifecycle, not a BaseAttachment driver
+// (MD-D). Always-registered — the optional `@earendil-works/pi-coding-agent` SDK
+// only matters at spawn time; recruit pre-flight gates on it (or `force: true`).
+exports.registry.register(pi_1.piDescriptor);
 /**
  * Canonical list of production adapters registered at module-import time.
  *
@@ -65,6 +71,7 @@ exports.CANONICAL_ADAPTER_IDS = [
     'claude-api',
     'opencode',
     'claude-code-headless',
+    'pi',
 ];
 // ADR 0014 §7 gate 2 — import-time registration gate. The mock adapter's
 // descriptor only enters the registry when `isDevMode()` is true.

package/dist/adapters/pi/adapter.d.ts

@@ -0,0 +1,2 @@
+/** Parse the spawn-provided env into options and run. Exported for testing. */
+export declare function main(): Promise<void>;

package/dist/adapters/pi/adapter.js

@@ -0,0 +1,43 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.main = main;
+/**
+ * Headless Pi adapter entry point (Phase 3a). Spawned as a detached subprocess
+ * by `spawnPiHeadless` (src/spawn.ts) on a recruited `agent: 'pi'`. Reads its
+ * config from the env the spawn set, then delegates to `runHeadlessPi`, which
+ * injects the agent-tempo extension into Pi's `createAgentSession`.
+ *
+ * Unlike the other headless adapters, there is NO `BaseAttachment` driver here:
+ * the module-scope Pi extension singleton (Phase 2) owns claim / heartbeat /
+ * phase / tool registration / cue pump (MD-D). This file is purely the process
+ * entry + env→options wiring.
+ *
+ * Dual-purpose: importing this module is inert; only running it as the process
+ * entry (`require.main === module`) boots the runtime.
+ */
+const config_1 = require("../../config");
+const headless_1 = require("../../pi/headless");
+const log = (...args) => {
+    // eslint-disable-next-line no-console
+    console.error('[agent-tempo:pi]', ...args);
+};
+/** Normalize the env tool-access value to the MD-C policy (default 'restricted'). */
+function readToolAccess() {
+    const raw = process.env[config_1.ENV.TOOL_ACCESS];
+    return raw === 'standard' || raw === 'full' ? raw : 'restricted';
+}
+/** Parse the spawn-provided env into options and run. Exported for testing. */
+async function main() {
+    await (0, headless_1.runHeadlessPi)({
+        toolAccess: readToolAccess(),
+        model: process.env[config_1.ENV.PI_MODEL] || undefined,
+        continueSessionId: process.env[config_1.ENV.PI_CONTINUE_SESSION] || undefined,
+    });
+}
+if (require.main === module) {
+    main().catch((err) => {
+        log('FATAL — headless Pi adapter crashed:', err instanceof Error ? (err.stack ?? err.message) : err);
+        // eslint-disable-next-line no-process-exit
+        process.exit(1);
+    });
+}

package/dist/adapters/pi/index.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Pi adapter — registry/identity descriptor ONLY (Phase 3a).
+ *
+ * Unlike the other headless adapters (copilot / opencode / claude-api /
+ * claude-code-headless), Pi does NOT have a `BaseAttachment` subprocess driver.
+ * The headless Pi runtime injects the Phase 2 `src/pi` EXTENSION into Pi's
+ * `createAgentSession` as an inline factory; the module-scope extension singleton
+ * owns claim / heartbeat / phase / tool registration / cue pump (MD-D). This
+ * descriptor exists purely for adapter identity, registry resolution, spawn
+ * routing, and heartbeat-cadence config (MD-A: 30s heartbeat, lease = 3×).
+ *
+ * Spawn entry: `src/adapters/pi/adapter.ts` (A2) → `src/pi/headless.ts`.
+ */
+import type { AdapterDescriptor } from '../../types';
+/** Pi headless adapter descriptor. `sdk` class (blocks on the LLM turn); 30s heartbeat. */
+export declare const piDescriptor: AdapterDescriptor;

package/dist/adapters/pi/index.js

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.piDescriptor = void 0;
+/** Pi headless adapter descriptor. `sdk` class (blocks on the LLM turn); 30s heartbeat. */
+exports.piDescriptor = {
+    adapterId: 'pi',
+    adapterClass: 'sdk',
+    blocksOnLLMTurn: true,
+    heartbeatMs: 30_000,
+};

package/dist/client/core.js

@@ -432,16 +432,21 @@ function createTempoClientCore(client, opts = {}) {
             // queries reject as `QueryTimeoutError`, `Promise.allSettled` sees
             // three rejections and the existing all-rejected branch returns
             // `null` — caller treats this player's wireMeta as missing.
-            const [runIdR, messagingR, leaseR] = await Promise.allSettled([
+            const [runIdR, messagingR, leaseR, coarseR] = await Promise.allSettled([
                 (0, query_timeout_1.queryHandleWithTimeout)(h, signals_1.getRunIdQuery),
                 (0, query_timeout_1.queryHandleWithTimeout)(h, signals_1.getMessagingStateQuery),
                 (0, query_timeout_1.queryHandleWithTimeout)(h, signals_1.getLeaseStateQuery),
+                // 3c Tier-1 — coarse activity (currentTool + context usage). Bounded like
+                // the others; an older session workflow without the handler rejects and
+                // is simply absent (additive/non-breaking).
+                (0, query_timeout_1.queryHandleWithTimeout)(h, signals_1.getCoarseActivityQuery),
             ]);
             // If every query rejected, treat this as "session unreachable" —
             // the caller renders no wire-meta rather than partial sentinels.
             if (runIdR.status === 'rejected' &&
                 messagingR.status === 'rejected' &&
-                leaseR.status === 'rejected') {
+                leaseR.status === 'rejected' &&
+                coarseR.status === 'rejected') {
                 return null;
             }
             const out = {};
@@ -451,6 +456,8 @@ function createTempoClientCore(client, opts = {}) {
                 out.messaging = messagingR.value;
             if (leaseR.status === 'fulfilled')
                 out.lease = leaseR.value;
+            if (coarseR.status === 'fulfilled')
+                out.coarse = coarseR.value;
             return out;
         },
         async getMessages(ensemble, limit) {

package/dist/client/interface.d.ts

@@ -253,6 +253,12 @@ export interface TempoClientCore {
             expiresAt: number | null;
             leaseMs: number | null;
         };
+        /** 3c Tier-1 — coarse activity (currentTool + context usage) from `getCoarseActivityQuery`. */
+        coarse?: {
+            currentTool: string | null;
+            contextTokens?: number;
+            contextPercent?: number;
+        };
     } | null>;
     /** Get recent messages for an ensemble. */
     getMessages(ensemble: string, limit?: number): Promise<MaestroRelayMessage[]>;

package/dist/config.d.ts

@@ -48,6 +48,37 @@ export declare const ENV: {
      * sandboxed contexts. Mutually exclusive with {@link PERMISSION_MODE}.
      */
     readonly DANGEROUSLY_SKIP_PERMISSIONS: "AGENT_TEMPO_DANGEROUSLY_SKIP_PERMISSIONS";
+    /**
+     * Phase 3a — headless Pi runtime model selector. Pi takes a `provider/model`
+     * string (e.g. `anthropic/claude-opus-4-7`); absent → Pi's own default
+     * provider/model (the 3a anthropic-default path). Recruit `model` arg →
+     * this env → Pi default.
+     */
+    readonly PI_MODEL: "AGENT_TEMPO_PI_MODEL";
+    /**
+     * Phase 3a — headless Pi restart-resume. The daemon reads `metadata.sessionId`
+     * (the Pi conversation id the player was in when it died) and passes it here;
+     * the headless entry resumes via Pi `continueSession(<id>)`. Absent on a fresh
+     * recruit → a new Pi session.
+     */
+    readonly PI_CONTINUE_SESSION: "AGENT_TEMPO_PI_CONTINUE_SESSION";
+    /**
+     * Phase 3a / MD-C — headless Pi tool-access policy. One of
+     * `restricted` (default; Bash/shell/exec HARD-BLOCKED) | `standard` (scoped
+     * Bash) | `full` (unsandboxed; admin-gated at recruit). Read by the Pi
+     * extension's `tool_call` gate (mode='headless' only). Mirrors
+     * {@link PERMISSION_MODE}'s threading.
+     */
+    readonly TOOL_ACCESS: "AGENT_TEMPO_TOOL_ACCESS";
+    /**
+     * 3c Tier-2 ingest auth. The daemon mints a per-player ingest token (scoped to
+     * the session workflowId) BEFORE spawning a headless Pi player and threads it
+     * into the subprocess env here. The player's inner-loop publisher presents it
+     * on `POST /inner/ingest` + `GET /inner/presence` (loopback), where the daemon
+     * validates it against the URL-derived workflowId (cross-player-spoof guard).
+     * Absent → the publisher's HTTP client is a no-op (no fine-tail forwarding).
+     */
+    readonly INGEST_TOKEN: "AGENT_TEMPO_INGEST_TOKEN";
     /**
      * v0.25 PR-D attachment resume plumbing. When `restart` / `migrate`
      * enqueues a spawn outbox entry, the workflow passes the pre-claimed
@@ -72,6 +103,16 @@ export declare const ENV: {
     readonly DAEMON_PORT: "AGENT_TEMPO_DAEMON_PORT";
     readonly CORS_ORIGINS: "AGENT_TEMPO_CORS_ORIGINS";
     readonly SSE_MAX_CONNECTIONS: "AGENT_TEMPO_SSE_MAX_CONNECTIONS";
+    /**
+     * 3e RBAC (MD-E). Two-token model: the READ token (T1 — observe) may live in
+     * env or config.json and auto-generates; the ADMIN token (T1+T2+T3 — mutate +
+     * supervisory gate/inner) is ENV-VAR-ONLY (never config.json/disk, never
+     * auto-generated). `TLS_ACKNOWLEDGED=1` suppresses the non-loopback-bind
+     * plaintext-HTTP startup warning.
+     */
+    readonly HTTP_READ_TOKEN: "AGENT_TEMPO_HTTP_READ_TOKEN";
+    readonly HTTP_ADMIN_TOKEN: "AGENT_TEMPO_HTTP_ADMIN_TOKEN";
+    readonly TLS_ACKNOWLEDGED: "AGENT_TEMPO_TLS_ACKNOWLEDGED";
     /**
      * Dev profile gate (ADR 0014 §5.2). One source of truth — every layer
      * (paths, namespace, port, task queue, banner, registry gating) consults
@@ -115,8 +156,19 @@ export interface PersistedConfig {
      * a request with a non-loopback `Origin`) and no token is set:
      * `crypto.randomBytes(32).toString('base64url')`, 0600 on POSIX.
      * Rotation = delete this field; next daemon boot regenerates.
+     *
+     * 3e: this LEGACY single token is migrated to the READ tier (T1) — a daemon
+     * with only `httpToken` set keeps read access and emits a one-time startup
+     * warning to set an admin token for writes/gate/inner. Prefer `readToken`.
      */
     httpToken?: string;
+    /**
+     * 3e RBAC — the READ-tier (T1) bearer token. Env `AGENT_TEMPO_HTTP_READ_TOKEN`
+     * takes precedence over this; auto-generated here on first bearer-mode boot if
+     * neither is set. The ADMIN token is deliberately ABSENT from this file (it is
+     * env-var-only, never persisted).
+     */
+    readToken?: string;
 }
 /**
  * Dev profile defaults — one switch (`--dev` top-level flag, or
@@ -278,6 +330,33 @@ export declare function parseTemporalYaml(content: string): PersistedConfig;
  * for empty/unset values so callers can use it as a source-aware default.
  */
 export declare function parseAgent(value: string | undefined, source: ConfigSource): AgentType;
+/**
+ * Result of {@link parsePiProviderModel}: the parsed parts, OR an `{ error }`
+ * describing why the selector is malformed. Non-throwing by design — a pure
+ * mapper returning a discriminated union (the recruit wiring branches
+ * `if ('error' in r) return fail(r.error)`, no try/catch).
+ */
+export type ProviderModel = {
+    provider: string;
+    model: string;
+} | {
+    error: string;
+};
+/**
+ * Parse a Pi provider/model selector (e.g. `"github-copilot/gpt-4o"`) into its
+ * `{ provider, model }` parts for Pi's `createAgentSession` model option.
+ *
+ * Provider-agnostic: the segment before the FIRST `/` is the provider id,
+ * passed through VERBATIM (Copilot's pi-ai provider id is literally
+ * `github-copilot` — no normalization needed); everything after is the model
+ * id, which may itself contain `/` (e.g. `openrouter/anthropic/claude`).
+ *
+ * Fail-loud (no silent default): returns `{ error }` — never a fallback model —
+ * when the selector has no `/`, an empty provider, or an empty model. A bare
+ * provider with no model is rejected here; omitting the recruit `model` arg
+ * ENTIRELY is a different path (Pi's own default), handled upstream, not here.
+ */
+export declare function parsePiProviderModel(model: string): ProviderModel;
 /** CLI flag overrides — passed down from the arg parser. */
 export interface CliOverrides {
     temporalAddress?: string;

package/dist/config.js

@@ -11,6 +11,7 @@ exports.saveConfigFile = saveConfigFile;
 exports.loadTemporalCliConfig = loadTemporalCliConfig;
 exports.parseTemporalYaml = parseTemporalYaml;
 exports.parseAgent = parseAgent;
+exports.parsePiProviderModel = parsePiProviderModel;
 exports.getConfig = getConfig;
 exports.getConfigWithSources = getConfigWithSources;
 exports.hostTaskQueue = hostTaskQueue;
@@ -78,6 +79,37 @@ exports.ENV = {
      * sandboxed contexts. Mutually exclusive with {@link PERMISSION_MODE}.
      */
     DANGEROUSLY_SKIP_PERMISSIONS: 'AGENT_TEMPO_DANGEROUSLY_SKIP_PERMISSIONS',
+    /**
+     * Phase 3a — headless Pi runtime model selector. Pi takes a `provider/model`
+     * string (e.g. `anthropic/claude-opus-4-7`); absent → Pi's own default
+     * provider/model (the 3a anthropic-default path). Recruit `model` arg →
+     * this env → Pi default.
+     */
+    PI_MODEL: 'AGENT_TEMPO_PI_MODEL',
+    /**
+     * Phase 3a — headless Pi restart-resume. The daemon reads `metadata.sessionId`
+     * (the Pi conversation id the player was in when it died) and passes it here;
+     * the headless entry resumes via Pi `continueSession(<id>)`. Absent on a fresh
+     * recruit → a new Pi session.
+     */
+    PI_CONTINUE_SESSION: 'AGENT_TEMPO_PI_CONTINUE_SESSION',
+    /**
+     * Phase 3a / MD-C — headless Pi tool-access policy. One of
+     * `restricted` (default; Bash/shell/exec HARD-BLOCKED) | `standard` (scoped
+     * Bash) | `full` (unsandboxed; admin-gated at recruit). Read by the Pi
+     * extension's `tool_call` gate (mode='headless' only). Mirrors
+     * {@link PERMISSION_MODE}'s threading.
+     */
+    TOOL_ACCESS: 'AGENT_TEMPO_TOOL_ACCESS',
+    /**
+     * 3c Tier-2 ingest auth. The daemon mints a per-player ingest token (scoped to
+     * the session workflowId) BEFORE spawning a headless Pi player and threads it
+     * into the subprocess env here. The player's inner-loop publisher presents it
+     * on `POST /inner/ingest` + `GET /inner/presence` (loopback), where the daemon
+     * validates it against the URL-derived workflowId (cross-player-spoof guard).
+     * Absent → the publisher's HTTP client is a no-op (no fine-tail forwarding).
+     */
+    INGEST_TOKEN: 'AGENT_TEMPO_INGEST_TOKEN',
     /**
      * v0.25 PR-D attachment resume plumbing. When `restart` / `migrate`
      * enqueues a spawn outbox entry, the workflow passes the pre-claimed
@@ -102,6 +134,16 @@ exports.ENV = {
     DAEMON_PORT: 'AGENT_TEMPO_DAEMON_PORT',
     CORS_ORIGINS: 'AGENT_TEMPO_CORS_ORIGINS',
     SSE_MAX_CONNECTIONS: 'AGENT_TEMPO_SSE_MAX_CONNECTIONS',
+    /**
+     * 3e RBAC (MD-E). Two-token model: the READ token (T1 — observe) may live in
+     * env or config.json and auto-generates; the ADMIN token (T1+T2+T3 — mutate +
+     * supervisory gate/inner) is ENV-VAR-ONLY (never config.json/disk, never
+     * auto-generated). `TLS_ACKNOWLEDGED=1` suppresses the non-loopback-bind
+     * plaintext-HTTP startup warning.
+     */
+    HTTP_READ_TOKEN: 'AGENT_TEMPO_HTTP_READ_TOKEN',
+    HTTP_ADMIN_TOKEN: 'AGENT_TEMPO_HTTP_ADMIN_TOKEN',
+    TLS_ACKNOWLEDGED: 'AGENT_TEMPO_TLS_ACKNOWLEDGED',
     /**
      * Dev profile gate (ADR 0014 §5.2). One source of truth — every layer
      * (paths, namespace, port, task queue, banner, registry gating) consults
@@ -420,6 +462,38 @@ function parseAgent(value, source) {
     }
     return value;
 }
+/**
+ * Parse a Pi provider/model selector (e.g. `"github-copilot/gpt-4o"`) into its
+ * `{ provider, model }` parts for Pi's `createAgentSession` model option.
+ *
+ * Provider-agnostic: the segment before the FIRST `/` is the provider id,
+ * passed through VERBATIM (Copilot's pi-ai provider id is literally
+ * `github-copilot` — no normalization needed); everything after is the model
+ * id, which may itself contain `/` (e.g. `openrouter/anthropic/claude`).
+ *
+ * Fail-loud (no silent default): returns `{ error }` — never a fallback model —
+ * when the selector has no `/`, an empty provider, or an empty model. A bare
+ * provider with no model is rejected here; omitting the recruit `model` arg
+ * ENTIRELY is a different path (Pi's own default), handled upstream, not here.
+ */
+function parsePiProviderModel(model) {
+    const raw = model.trim();
+    const slash = raw.indexOf('/');
+    if (slash < 0) {
+        return {
+            error: `model "${model}" must be a "provider/model" selector (e.g. "github-copilot/gpt-4o") — no "/" found.`,
+        };
+    }
+    const provider = raw.slice(0, slash).trim();
+    const modelId = raw.slice(slash + 1).trim();
+    if (!provider) {
+        return { error: `model "${model}" has an empty provider before "/" — expected e.g. "github-copilot/gpt-4o".` };
+    }
+    if (!modelId) {
+        return { error: `model "${model}" has an empty model after "/" — specify a model, e.g. "github-copilot/gpt-4o".` };
+    }
+    return { provider, model: modelId };
+}
 /**
  * Resolve `defaultAgent` through the standard precedence chain and validate
  * against the {@link AgentType} union. Each step passes its own source tag