agent-tempo 1.3.1 → 1.4.1

package/dist/daemon.js

@@ -66,6 +66,10 @@ const config_1 = require("./config");
 const dev_banner_1 = require("./cli/dev-banner");
 const worker_1 = require("./worker");
 const connection_1 = require("./connection");
+const inner_loop_1 = require("./http/inner-loop");
+const ingest_registry_1 = require("./http/ingest-registry");
+const gate_registry_1 = require("./http/gate-registry");
+const gate_audit_1 = require("./http/gate-audit");
 const grpc_shutdown_guard_1 = require("./utils/grpc-shutdown-guard");
 const daemon_1 = require("./cli/daemon");
 const client_3 = require("./client");
@@ -828,6 +832,19 @@ async function main() {
     // #94/#95 PR-2 — aggregate poll loop + per-ensemble buses. Owned by
     // the daemon process; `close()` drains every per-ensemble bus.
     let aggregateRunner = null;
+    // 3c Tier-2 — daemon-owned singletons shared between the Temporal worker
+    // (outbox pi-spawn mints / destroy revokes) and the HTTP server (/inner SSE
+    // + /inner/ingest validation). Both the worker and startHttpServer run in
+    // THIS process, so one instance each suffices. Constructed eagerly (no I/O)
+    // so the shutdown handler — declared just below — can drain them.
+    const innerLoop = new inner_loop_1.InnerLoopRegistry();
+    const ingestTokens = new ingest_registry_1.IngestTokenRegistry();
+    // 3d MD-G — the operator-gate registry, same daemon-owned-singleton pattern.
+    // Audit sink = the append-only JSONL writer; publishToInner = innerLoop.publish
+    // (the DI that emits gate_resolved on the player's /inner stream without a
+    // GateRegistry↔inner-loop circular import).
+    const gate = new gate_registry_1.GateRegistry((0, gate_audit_1.createGateAuditSink)(), Date.now, undefined, // default 45s auto-allow
+    (workflowId, frame) => innerLoop.publish(workflowId, frame));
     const shutdown = () => {
         if (shuttingDown)
             return;
@@ -861,6 +878,12 @@ async function main() {
         // sockets — preventing wasted work in the drain window.
         aggregateRunner?.close();
         httpServerHandle?.close().catch((err) => log('http close error (non-fatal):', err instanceof Error ? err.message : err));
+        // 3c Tier-2 — clear-all on shutdown: drop every minted ingest token (no
+        // dead token outlives the daemon) and close every open /inner subscriber
+        // (streams end cleanly rather than dangling).
+        ingestTokens.revokeAll();
+        innerLoop.close();
+        gate.clear();
         sharedWorker?.shutdown();
         hostWorker?.shutdown();
     };
@@ -868,7 +891,7 @@ async function main() {
     process.on('SIGINT', shutdown);
     // Create workers (signal handlers already active via mutable refs)
     log(`Connecting to Temporal at ${config.temporalAddress} (namespace: ${config.temporalNamespace})`);
-    const workers = await (0, worker_1.createWorkers)(config);
+    const workers = await (0, worker_1.createWorkers)(config, ingestTokens, gate);
     sharedWorker = workers.sharedWorker;
     hostWorker = workers.hostWorker;
     log('Workers created — processing tasks');
@@ -953,6 +976,14 @@ async function main() {
                 taskQueue: config.taskQueue,
                 version: daemonVersion(),
                 aggregate: aggregateRunner,
+                // 3c Tier-2 — same singletons the worker's outbox activities use, so
+                // the operator /inner SSE reads the registry the publisher POSTs into
+                // and /inner/ingest validates against the tokens the spawn path minted.
+                innerLoop,
+                ingestTokens,
+                // 3d MD-G — the same gate registry the worker's outbox auto-disarms on
+                // detach/destroy; the HTTP server serves arm/disarm/decide + resolution.
+                gate,
             });
             log(`HTTP listening on http://${httpServerHandle.bindAddr}:${httpServerHandle.port}`);
             log(`Aggregate poll loop running (bootEpoch=${bootEpoch})`);

package/dist/http/aggregate.d.ts

@@ -41,6 +41,21 @@ export declare class TickSkipped extends Error {
     readonly name = "TickSkipped";
     constructor(reason: string);
 }
+/**
+ * 3c Tier-1 coarse activity snapshot for a single player — the bits the
+ * aggregate diffs to decide whether to emit `player.activity`. `currentTool`
+ * is normalized to `null` when idle/absent; the context fields are `undefined`
+ * when Pi can't report usage (e.g. right after compaction).
+ */
+export interface PlayerCoarse {
+    currentTool: string | null;
+    contextTokens?: number;
+    contextPercent?: number;
+}
+/** Extract the coarse-activity tuple from a player summary, normalizing idle → null. */
+export declare function coarseOf(p: PlayerSummaryV1): PlayerCoarse;
+/** True when two coarse snapshots differ in any field. */
+export declare function coarseChanged(a: PlayerCoarse | undefined, b: PlayerCoarse): boolean;
 /** Per-ensemble tracking state across ticks. */
 interface EnsembleTrack {
     bus: EnsembleEventBus;
@@ -56,6 +71,12 @@ interface EnsembleTrack {
     consecutiveFailures: number;
     /** Last seen player phase, keyed by playerId. */
     playerPhases: Map<string, string | undefined>;
+    /**
+     * 3c Tier-1 — last-seen coarse activity per playerId (currentTool + context
+     * usage). Diffed each poll to emit `player.activity` on change. Seeded on
+     * `player.added`, dropped on `player.removed` — lockstep with `playerPhases`.
+     */
+    playerCoarse: Map<string, PlayerCoarse>;
     /**
      * Adapter family per playerId — used to faithfully reconstruct the
      * prior `AggregateEnsembleSnapshot` view at tick boundaries (see #535).
@@ -175,7 +196,7 @@ export interface DiffEvent {
     type: import('./event-types').SseEventKind;
     payload: unknown;
 }
-export declare function diffEnsembleSnapshot(prev: AggregateEnsembleSnapshot | null, next: AggregateEnsembleSnapshot, track: Pick<EnsembleTrack, 'playerPhases' | 'playerAgentTypes' | 'flags' | 'schedulesHash' | 'chatIds' | 'chatIdOrder'>, capturedAt: string): DiffEvent[];
+export declare function diffEnsembleSnapshot(prev: AggregateEnsembleSnapshot | null, next: AggregateEnsembleSnapshot, track: Pick<EnsembleTrack, 'playerPhases' | 'playerCoarse' | 'playerAgentTypes' | 'flags' | 'schedulesHash' | 'chatIds' | 'chatIdOrder'>, capturedAt: string): DiffEvent[];
 /**
  * Diff host profiles map → per-host events. Pure function.
  */

package/dist/http/aggregate.js

@@ -1,6 +1,8 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.AggregateRunner = exports.TickSkipped = exports.MAX_CONSECUTIVE_FAILURES = exports.AGGREGATE_LIST_DEADLINE_MS = exports.DEFAULT_POLL_INTERVAL_MS = void 0;
+exports.coarseOf = coarseOf;
+exports.coarseChanged = coarseChanged;
 exports.canonicalize = canonicalize;
 exports.hashOf = hashOf;
 exports.diffEnsembleSnapshot = diffEnsembleSnapshot;
@@ -84,6 +86,21 @@ class TickSkipped extends Error {
     constructor(reason) { super(reason); }
 }
 exports.TickSkipped = TickSkipped;
+/** Extract the coarse-activity tuple from a player summary, normalizing idle → null. */
+function coarseOf(p) {
+    return {
+        currentTool: p.currentTool ?? null,
+        ...(p.contextTokens !== undefined ? { contextTokens: p.contextTokens } : {}),
+        ...(p.contextPercent !== undefined ? { contextPercent: p.contextPercent } : {}),
+    };
+}
+/** True when two coarse snapshots differ in any field. */
+function coarseChanged(a, b) {
+    return (!a ||
+        a.currentTool !== b.currentTool ||
+        a.contextTokens !== b.contextTokens ||
+        a.contextPercent !== b.contextPercent);
+}
 /**
  * Stable JSON canonicalization — keys sorted, no extraneous whitespace.
  * Used for SHA-256 diff suppression so reordered key emits don't
@@ -118,6 +135,9 @@ function diffEnsembleSnapshot(prev, next, track, capturedAt) {
         if (!prevPlayers.has(p.playerId)) {
             events.push({ type: 'player.added', payload: p });
             track.playerPhases.set(p.playerId, p.phase);
+            // 3c — seed coarse so the first real change (not the add itself, whose
+            // payload already carries currentTool/context) emits player.activity.
+            track.playerCoarse.set(p.playerId, coarseOf(p));
             // #535 — record the adapter family so the prior reconstruction at
             // the next tick (aggregate.ts ~L600) carries the real agentType
             // instead of a hardcoded `'claude'` stand-in. Treated as immutable
@@ -140,6 +160,25 @@ function diffEnsembleSnapshot(prev, next, track, capturedAt) {
             });
             track.playerPhases.set(p.playerId, p.phase);
         }
+        // player.activity (3c Tier-1) — emit when coarse currentTool/context
+        // changes between polls. Distinct from phase_changed (phase vs activity).
+        // Source freshness ~30s (heartbeat metadata piggyback); the live, fine
+        // tail is the off-wire /inner side-channel.
+        const nextCoarse = coarseOf(p);
+        if (coarseChanged(track.playerCoarse.get(p.playerId), nextCoarse)) {
+            events.push({
+                type: 'player.activity',
+                payload: {
+                    playerId: p.playerId,
+                    ensemble,
+                    currentTool: nextCoarse.currentTool,
+                    ...(nextCoarse.contextTokens !== undefined ? { contextTokens: nextCoarse.contextTokens } : {}),
+                    ...(nextCoarse.contextPercent !== undefined ? { contextPercent: nextCoarse.contextPercent } : {}),
+                    at: capturedAt,
+                },
+            });
+            track.playerCoarse.set(p.playerId, nextCoarse);
+        }
     }
     // player.removed — iterate prev.
     if (prev) {
@@ -159,6 +198,7 @@ function diffEnsembleSnapshot(prev, next, track, capturedAt) {
                     },
                 });
                 track.playerPhases.delete(p.playerId);
+                track.playerCoarse.delete(p.playerId);
                 track.playerAgentTypes.delete(p.playerId);
             }
         }
@@ -377,6 +417,7 @@ class AggregateRunner {
                 bus,
                 consecutiveFailures: 0,
                 playerPhases: new Map(),
+                playerCoarse: new Map(),
                 playerAgentTypes: new Map(),
                 flags: null,
                 schedulesHash: null,

package/dist/http/auth.d.ts

@@ -51,17 +51,103 @@ export declare function extractBearerToken(authHeader: string | undefined): stri
  */
 export declare function tokensMatch(received: string, expected: string): boolean;
 /**
- * Load (or auto-generate) the daemon's HTTP bearer token.
- *
- * - When `bearerRequired` is true and the persisted config has no
- *   `httpToken`, generate one (`crypto.randomBytes(32).toString('base64url')`)
- *   and persist it via `saveConfigFile` (which sets 0600 on POSIX).
- * - When `bearerRequired` is false, return whatever is in the config
- *   without generating — operators may still want a token saved for
- *   future use, and we shouldn't write secrets the user didn't request.
+ * @deprecated 3e — superseded by {@link loadRbacTokens} (read + admin split).
+ * Kept only until every caller migrates; do NOT add new callers. Resolves the
+ * legacy single `httpToken` (env-less) for back-compat shims.
  */
 export declare function loadOrGenerateHttpToken(opts: {
     bearerRequired: boolean;
     load?: () => PersistedConfig;
     save?: (cfg: PersistedConfig) => void;
 }): string | null;
+/** Resolved RBAC tokens for the daemon HTTP surface (3e). */
+export interface RbacTokens {
+    /** T1 read token (env > config.json > auto-gen), or `null` when none + not required. */
+    readToken: string | null;
+    /** T1+T2+T3 admin token — ENV-VAR-ONLY, or `null` when unset (→ 503 on T≥2). */
+    adminToken: string | null;
+    /**
+     * True when a LEGACY `httpToken` (no `readToken`) was adopted as the read token.
+     * The daemon emits a one-time startup warning so the operator sets an admin token.
+     */
+    legacyMigrated: boolean;
+}
+/** Admin token — ENV-VAR-ONLY (never config.json/disk, never auto-generated). */
+export declare function loadAdminToken(env?: NodeJS.ProcessEnv): string | null;
+/**
+ * Read token (T1). Priority: env `AGENT_TEMPO_HTTP_READ_TOKEN` > config.json
+ * `readToken` > LEGACY config.json `httpToken` (adopted → `legacy:true`) >
+ * auto-generate when bearer mode is required (persisted as `readToken`).
+ */
+export declare function loadReadToken(opts: {
+    bearerRequired: boolean;
+    env?: NodeJS.ProcessEnv;
+    load?: () => PersistedConfig;
+    save?: (cfg: PersistedConfig) => void;
+}): {
+    token: string | null;
+    legacy: boolean;
+};
+/** Load both RBAC tokens. The daemon calls this once at startup. */
+export declare function loadRbacTokens(opts: {
+    bearerRequired: boolean;
+    env?: NodeJS.ProcessEnv;
+    load?: () => PersistedConfig;
+    save?: (cfg: PersistedConfig) => void;
+}): RbacTokens;
+/** Access tiers (MD-E): 1 = read/observe, 2 = write/mutate, 3 = supervisory (gate/inner). */
+export type Tier = 1 | 2 | 3;
+/**
+ * Granted tier for a presented bearer, given the RBAC tokens (timing-safe).
+ * Admin grants the FULL ladder (3 ⊇ 2 ⊇ 1); read grants T1 only; no match → 0.
+ * There is no T2-only token — T2 and T3 are both "admin required".
+ */
+export declare function tierForToken(presented: string, tokens: {
+    readToken: string | null;
+    adminToken: string | null;
+}): 0 | 1 | 3;
+export interface TierGuardInput {
+    /** Daemon bind address — decides loopback trust. */
+    bindAddr: string;
+    /** Request `Origin` header (may be absent for a non-browser client). */
+    originHeader: string | undefined;
+    /** Request `Authorization` header. */
+    authHeader: string | undefined;
+    /** Read-tier token, or `null`. */
+    readToken: string | null;
+    /** Admin token, or `null` when unset (→ 503 on T≥2). */
+    adminToken: string | null;
+}
+export type TierGuardResult = {
+    ok: true;
+} | {
+    ok: false;
+    status: 401;
+    error: 'unauthorized';
+} | {
+    ok: false;
+    status: 403;
+    error: 'insufficient-tier';
+    detail: string;
+} | {
+    ok: false;
+    status: 503;
+    error: 'admin-token-not-configured';
+    detail: string;
+};
+/**
+ * Authorization guard (3e MD-E). Assumes the shared upstream pass already settled
+ * AUTHENTICATION + CORS + the DNS-rebind/Origin defense (architect's Layer 2);
+ * this is Layer-3 authZ — it ONLY decides tier ≥ N and emits 503/403/401.
+ *
+ * Matrix (bearer mode):
+ *   - loopback (`!bearerRequired`)        → PASS all tiers (local-trust short-circuit).
+ *   - N ≥ 2 AND adminToken unset          → 503 admin-token-not-configured.
+ *   - no/invalid bearer (granted 0)       → 401 unauthorized.
+ *   - granted < N (read token on T≥2)     → 403 insufficient-tier (+ migration hint).
+ *   - granted ≥ N (admin, or read on T1)  → PASS.
+ *
+ * Keyed off the `Authorization` bearer only (no `Origin`/cookie requirement) so a
+ * headless Node client passes once its token validates. View-agnostic by design.
+ */
+export declare function requireTier(tier: Tier, input: TierGuardInput): TierGuardResult;

package/dist/http/auth.js

@@ -39,6 +39,11 @@ exports.bearerRequired = bearerRequired;
 exports.extractBearerToken = extractBearerToken;
 exports.tokensMatch = tokensMatch;
 exports.loadOrGenerateHttpToken = loadOrGenerateHttpToken;
+exports.loadAdminToken = loadAdminToken;
+exports.loadReadToken = loadReadToken;
+exports.loadRbacTokens = loadRbacTokens;
+exports.tierForToken = tierForToken;
+exports.requireTier = requireTier;
 /**
  * Authentication for the daemon HTTP surface (SSE-PROTOCOL.md §3).
  *
@@ -152,14 +157,9 @@ function tokensMatch(received, expected) {
     return crypto.timingSafeEqual(a, b);
 }
 /**
- * Load (or auto-generate) the daemon's HTTP bearer token.
- *
- * - When `bearerRequired` is true and the persisted config has no
- *   `httpToken`, generate one (`crypto.randomBytes(32).toString('base64url')`)
- *   and persist it via `saveConfigFile` (which sets 0600 on POSIX).
- * - When `bearerRequired` is false, return whatever is in the config
- *   without generating — operators may still want a token saved for
- *   future use, and we shouldn't write secrets the user didn't request.
+ * @deprecated 3e — superseded by {@link loadRbacTokens} (read + admin split).
+ * Kept only until every caller migrates; do NOT add new callers. Resolves the
+ * legacy single `httpToken` (env-less) for back-compat shims.
  */
 function loadOrGenerateHttpToken(opts) {
     const load = opts.load ?? config_1.loadConfigFile;
@@ -170,8 +170,92 @@ function loadOrGenerateHttpToken(opts) {
     }
     if (!opts.bearerRequired)
         return null;
-    // Auto-generate. base64url chars are safe inside Authorization values.
     const token = crypto.randomBytes(32).toString('base64url');
     save({ ...cfg, httpToken: token });
     return token;
 }
+/** Admin token — ENV-VAR-ONLY (never config.json/disk, never auto-generated). */
+function loadAdminToken(env = process.env) {
+    const t = env[config_1.ENV.HTTP_ADMIN_TOKEN];
+    return t && t.length > 0 ? t : null;
+}
+/**
+ * Read token (T1). Priority: env `AGENT_TEMPO_HTTP_READ_TOKEN` > config.json
+ * `readToken` > LEGACY config.json `httpToken` (adopted → `legacy:true`) >
+ * auto-generate when bearer mode is required (persisted as `readToken`).
+ */
+function loadReadToken(opts) {
+    const env = opts.env ?? process.env;
+    const load = opts.load ?? config_1.loadConfigFile;
+    const save = opts.save ?? config_1.saveConfigFile;
+    const envTok = env[config_1.ENV.HTTP_READ_TOKEN];
+    if (envTok && envTok.length > 0)
+        return { token: envTok, legacy: false };
+    const cfg = load();
+    if (cfg.readToken && cfg.readToken.length > 0)
+        return { token: cfg.readToken, legacy: false };
+    // LEGACY: a pre-3e single `httpToken` becomes the READ token (T1) — NOT admin.
+    if (cfg.httpToken && cfg.httpToken.length > 0)
+        return { token: cfg.httpToken, legacy: true };
+    if (!opts.bearerRequired)
+        return { token: null, legacy: false };
+    const token = crypto.randomBytes(32).toString('base64url');
+    save({ ...cfg, readToken: token });
+    return { token, legacy: false };
+}
+/** Load both RBAC tokens. The daemon calls this once at startup. */
+function loadRbacTokens(opts) {
+    const { token: readToken, legacy } = loadReadToken(opts);
+    const adminToken = loadAdminToken(opts.env);
+    return { readToken, adminToken, legacyMigrated: legacy };
+}
+/**
+ * Granted tier for a presented bearer, given the RBAC tokens (timing-safe).
+ * Admin grants the FULL ladder (3 ⊇ 2 ⊇ 1); read grants T1 only; no match → 0.
+ * There is no T2-only token — T2 and T3 are both "admin required".
+ */
+function tierForToken(presented, tokens) {
+    if (tokens.adminToken && tokensMatch(presented, tokens.adminToken))
+        return 3;
+    if (tokens.readToken && tokensMatch(presented, tokens.readToken))
+        return 1;
+    return 0;
+}
+/** Migration hint surfaced in the 403 body so a read-token holder knows what's missing. */
+const INSUFFICIENT_TIER_HINT = 'This token is read-tier. Writes, the operator gate, and the inner-tail require the admin token (set AGENT_TEMPO_HTTP_ADMIN_TOKEN).';
+const ADMIN_UNSET_HINT = 'Set AGENT_TEMPO_HTTP_ADMIN_TOKEN (env-var only) to enable writes / gate / inner-tail.';
+/**
+ * Authorization guard (3e MD-E). Assumes the shared upstream pass already settled
+ * AUTHENTICATION + CORS + the DNS-rebind/Origin defense (architect's Layer 2);
+ * this is Layer-3 authZ — it ONLY decides tier ≥ N and emits 503/403/401.
+ *
+ * Matrix (bearer mode):
+ *   - loopback (`!bearerRequired`)        → PASS all tiers (local-trust short-circuit).
+ *   - N ≥ 2 AND adminToken unset          → 503 admin-token-not-configured.
+ *   - no/invalid bearer (granted 0)       → 401 unauthorized.
+ *   - granted < N (read token on T≥2)     → 403 insufficient-tier (+ migration hint).
+ *   - granted ≥ N (admin, or read on T1)  → PASS.
+ *
+ * Keyed off the `Authorization` bearer only (no `Origin`/cookie requirement) so a
+ * headless Node client passes once its token validates. View-agnostic by design.
+ */
+function requireTier(tier, input) {
+    // Loopback trust: local clients (TUI / CLI / future Pi widget) get full access.
+    if (!bearerRequired(input.bindAddr, input.originHeader))
+        return { ok: true };
+    // A tier that needs admin is UNAVAILABLE when no admin token is configured —
+    // the honest answer is 503, regardless of what the caller presents.
+    if (tier >= 2 && input.adminToken === null) {
+        return { ok: false, status: 503, error: 'admin-token-not-configured', detail: ADMIN_UNSET_HINT };
+    }
+    const provided = extractBearerToken(input.authHeader);
+    if (!provided)
+        return { ok: false, status: 401, error: 'unauthorized' };
+    const granted = tierForToken(provided, input);
+    if (granted === 0)
+        return { ok: false, status: 401, error: 'unauthorized' };
+    if (granted < tier) {
+        return { ok: false, status: 403, error: 'insufficient-tier', detail: INSUFFICIENT_TIER_HINT };
+    }
+    return { ok: true };
+}

package/dist/http/body.d.ts

@@ -13,6 +13,9 @@ import type { IncomingMessage, ServerResponse } from 'http';
 import { type AgentType } from '../types';
 /** Hard cap on incoming JSON body size (1 MiB). */
 export declare const WRITE_BODY_MAX: number;
+/** 3c Tier-2 ingest cap (32 KiB) — the DOS backstop for `/inner/ingest`; the
+ *  source already ~2KB-truncates summaries, so real frames are far smaller. */
+export declare const INGEST_BODY_MAX: number;
 export declare const BODY_TOO_LARGE: unique symbol;
 export declare const BODY_INVALID_JSON: unique symbol;
 export type ReadJsonBodyResult = Record<string, unknown> | typeof BODY_TOO_LARGE | typeof BODY_INVALID_JSON;
@@ -26,7 +29,7 @@ export type ReadJsonBodyResult = Record<string, unknown> | typeof BODY_TOO_LARGE
  * handler ends. Explicit `req.destroy()` would race the response
  * write — left alone.
  */
-export declare function readJsonBody(req: IncomingMessage): Promise<ReadJsonBodyResult>;
+export declare function readJsonBody(req: IncomingMessage, maxBytes?: number): Promise<ReadJsonBodyResult>;
 /**
  * Pluck a string field from a parsed JSON body. Returns `undefined`
  * for absent or non-string values; with `requireNonEmpty: true`, also

package/dist/http/body.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ALLOWED_AGENTS_PROD = exports.ALLOWED_AGENTS_DEV = exports.BODY_INVALID_JSON = exports.BODY_TOO_LARGE = exports.WRITE_BODY_MAX = void 0;
+exports.ALLOWED_AGENTS_PROD = exports.ALLOWED_AGENTS_DEV = exports.BODY_INVALID_JSON = exports.BODY_TOO_LARGE = exports.INGEST_BODY_MAX = exports.WRITE_BODY_MAX = void 0;
 exports.readJsonBody = readJsonBody;
 exports.stringField = stringField;
 exports.allowedAgentsForCurrentMode = allowedAgentsForCurrentMode;
@@ -12,6 +12,9 @@ const responses_1 = require("./responses");
 const validation_1 = require("../utils/validation");
 /** Hard cap on incoming JSON body size (1 MiB). */
 exports.WRITE_BODY_MAX = 1024 * 1024;
+/** 3c Tier-2 ingest cap (32 KiB) — the DOS backstop for `/inner/ingest`; the
+ *  source already ~2KB-truncates summaries, so real frames are far smaller. */
+exports.INGEST_BODY_MAX = 32 * 1024;
 exports.BODY_TOO_LARGE = Symbol('body-too-large');
 exports.BODY_INVALID_JSON = Symbol('body-invalid-json');
 /**
@@ -24,13 +27,13 @@ exports.BODY_INVALID_JSON = Symbol('body-invalid-json');
  * handler ends. Explicit `req.destroy()` would race the response
  * write — left alone.
  */
-async function readJsonBody(req) {
+async function readJsonBody(req, maxBytes = exports.WRITE_BODY_MAX) {
     const chunks = [];
     let total = 0;
     for await (const chunk of req) {
         const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
         total += buf.length;
-        if (total > exports.WRITE_BODY_MAX)
+        if (total > maxBytes)
             return exports.BODY_TOO_LARGE;
         chunks.push(buf);
     }

package/dist/http/event-bus.js

@@ -64,6 +64,7 @@ const NON_ESSENTIAL_AFTER_THROTTLE = new Set([
 function topicOf(kind) {
     switch (kind) {
         case 'player.phase_changed': return 'phase';
+        case 'player.activity': return 'phase';
         case 'chat.appended':
         case 'chat.compressed': return 'chat';
         case 'flags.changed': return 'flags';

package/dist/http/event-types.d.ts

@@ -152,7 +152,7 @@ export interface PlayerSummaryV1 {
      * stability rule at §6 — adding new adapters in future versions remains
      * non-breaking, removing one requires `/v2/`. See #535.
      */
-    agentType: 'claude' | 'copilot' | 'mock' | 'claude-api' | 'opencode' | 'claude-code-headless';
+    agentType: 'claude' | 'copilot' | 'mock' | 'claude-api' | 'opencode' | 'claude-code-headless' | 'pi';
     playerType?: string;
     /** Authoritative attachment phase (post-v0.26 — see WIRE-PROTOCOL.md). */
     phase?: AttachmentPhase;
@@ -194,6 +194,20 @@ export interface PlayerSummaryV1 {
     /** Q5.6 — ISO timestamp of the most recent activity. Already on
      * `MaestroPlayerInfo`; passed through verbatim by `toPlayerSummaryV1`. */
     lastActivityAt?: string;
+    /**
+     * 3c Tier-1 coarse observability — the tool the player is currently
+     * executing, or `null` when idle/between tools. Sourced from session
+     * metadata via the heartbeat piggyback (~30s freshness); the live,
+     * fine-grained tail is the off-wire `/inner` side-channel (MD-F). Additive.
+     */
+    currentTool?: string | null;
+    /**
+     * 3c Tier-1 coarse — estimated context tokens in use (pull-only, from Pi's
+     * `getContextUsage()`; `null`/absent right after compaction). Additive.
+     */
+    contextTokens?: number;
+    /** 3c Tier-1 coarse — context usage as a percentage of the model window. Additive. */
+    contextPercent?: number;
 }
 /**
  * The eventId token used in the `id:` line of the SSE frame and as the
@@ -269,7 +283,7 @@ export declare const PR1_SENTINEL_EVENT_ID: EventIdToken;
  * **Append-only**. Do not remove. New event types ship as additive `/v1/`
  * additions; removals require `/v2/`.
  */
-export declare const SSE_EVENT_KINDS: readonly ["snapshot", "gap", "throttled", "heartbeat", "ensemble.created", "ensemble.destroyed", "player.added", "player.removed", "player.phase_changed", "chat.appended", "chat.compressed", "flags.changed", "schedules.changed", "host_profile.changed"];
+export declare const SSE_EVENT_KINDS: readonly ["snapshot", "gap", "throttled", "heartbeat", "ensemble.created", "ensemble.destroyed", "player.added", "player.removed", "player.phase_changed", "chat.appended", "chat.compressed", "flags.changed", "schedules.changed", "host_profile.changed", "player.activity"];
 export type SseEventKind = (typeof SSE_EVENT_KINDS)[number];
 /** Common envelope for every event. */
 export interface SseEventBase {
@@ -364,6 +378,24 @@ export type TempoEvent = (SseEventBase & {
 }) | (SseEventBase & {
     type: 'host_profile.changed';
     payload: HostProfile;
+}) | (SseEventBase & {
+    type: 'player.activity';
+    /**
+     * 3c Tier-1 coarse activity (MD-F). Emitted by the aggregate poll/diff
+     * when a player's `currentTool` or context usage changes between polls.
+     * `busy/idle` is DERIVED consumer-side from the player's phase
+     * (busy = phase==='processing'); `activityCount`/`lastActivityAt` already
+     * ride `PlayerSummaryV1`. This is the ON-wire coarse tier; the fine,
+     * live inner tail is the off-wire `/inner` side-channel.
+     */
+    payload: {
+        playerId: string;
+        ensemble: string;
+        currentTool: string | null;
+        contextTokens?: number;
+        contextPercent?: number;
+        at: string;
+    };
 });
 /**
  * Subset of event categories the server can pre-filter on `?topics=...`.

package/dist/http/event-types.js

@@ -33,4 +33,5 @@ exports.SSE_EVENT_KINDS = [
     'flags.changed',
     'schedules.changed',
     'host_profile.changed',
+    'player.activity',
 ];

package/dist/http/gate-audit.d.ts

@@ -0,0 +1,12 @@
+import type { GateAuditSink } from './gate-registry';
+/** Root of the per-player gate-audit tree. */
+export declare function gateAuditRoot(): string;
+/** Absolute JSONL path for a (ensemble, workflowId) pair under `root`. */
+export declare function gateAuditPath(ensemble: string, workflowId: string, root?: string): string;
+/**
+ * Build the daemon's audit sink. Returns a {@link GateAuditSink} that appends one
+ * JSON line per record. Append + mkdir are synchronous (durable-before-return);
+ * any I/O error is logged + swallowed so a disk problem never wedges a gate
+ * decision. `root` is injectable for tests (defaults to {@link gateAuditRoot}).
+ */
+export declare function createGateAuditSink(root?: string): GateAuditSink;