agent-tempo 1.3.1 → 1.4.1

package/dist/http/gate-audit.js

@@ -0,0 +1,95 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.gateAuditRoot = gateAuditRoot;
+exports.gateAuditPath = gateAuditPath;
+exports.createGateAuditSink = createGateAuditSink;
+/**
+ * Operator-gate audit writer (3d / MD-G, R5 — security-locked) — the daemon's
+ * append-only JSONL sink for {@link GateRegistry} events. One file per player at
+ *
+ *   <AGENT_TEMPO_HOME>/gate-audit/<ensemble>/<workflowId>.jsonl
+ *
+ * Each {@link GateAuditRecord} (arm | disarm | decision) is one JSON line,
+ * appended SYNCHRONOUSLY at the decision/posture-change point so the durable
+ * record lands before the daemon hands back control (no buffering window where a
+ * crash loses an allow/deny). The `ensemble` sidecar (not part of the locked
+ * record schema) only paths the file.
+ *
+ * Daemon-side ONLY. The writer is wired as the GateRegistry's audit sink in
+ * `daemon.ts`; failures are swallowed + logged (audit is best-effort durable —
+ * never let an append error break a live gate decision).
+ */
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const config_1 = require("../config");
+const log = (...args) => console.error('[agent-tempo:gate-audit]', ...args);
+/** Root of the per-player gate-audit tree. */
+function gateAuditRoot() {
+    return path.join(config_1.AGENT_TEMPO_HOME, 'gate-audit');
+}
+/**
+ * Sanitize a single path segment (ensemble / workflowId) so a crafted name can't
+ * traverse out of the audit root. Ensemble + workflowId are already validated
+ * upstream (ENSEMBLE_NAME_REGEX / the workflowId is daemon-built), but defend the
+ * filesystem boundary anyway: strip anything outside `[A-Za-z0-9._-]`, collapse
+ * to a non-empty token.
+ */
+function safeSegment(seg) {
+    const cleaned = seg.replace(/[^A-Za-z0-9._-]/g, '_');
+    return cleaned.length > 0 ? cleaned : '_';
+}
+/** Absolute JSONL path for a (ensemble, workflowId) pair under `root`. */
+function gateAuditPath(ensemble, workflowId, root = gateAuditRoot()) {
+    return path.join(root, safeSegment(ensemble || '_'), `${safeSegment(workflowId)}.jsonl`);
+}
+/**
+ * Build the daemon's audit sink. Returns a {@link GateAuditSink} that appends one
+ * JSON line per record. Append + mkdir are synchronous (durable-before-return);
+ * any I/O error is logged + swallowed so a disk problem never wedges a gate
+ * decision. `root` is injectable for tests (defaults to {@link gateAuditRoot}).
+ */
+function createGateAuditSink(root = gateAuditRoot()) {
+    return (record, ensemble) => {
+        try {
+            const file = gateAuditPath(ensemble, record.workflowId, root);
+            fs.mkdirSync(path.dirname(file), { recursive: true });
+            fs.appendFileSync(file, JSON.stringify(record) + '\n', 'utf8');
+        }
+        catch (err) {
+            log('append failed (non-fatal):', err instanceof Error ? err.message : err);
+        }
+    };
+}

package/dist/http/gate-registry.d.ts

@@ -0,0 +1,167 @@
+/**
+ * Operator-gate registry (3d / MD-G) — the DAEMON-LOCAL state for the live
+ * tool-call approve/deny gate on a headless Pi player. Per-player (keyed by the
+ * fixed session `workflowId`), it holds two things:
+ *
+ *   1. ARMED state — whether an operator has armed the gate for this player.
+ *      When disarmed, the player's `tool_call` handler never engages the gate
+ *      (MD-C decides immediately); when armed, a non-`low-risk` tool routes here
+ *      for an operator decision.
+ *   2. PENDING requests — one entry per in-flight gated tool call, keyed by a
+ *      caller-supplied `requestId`. The operator resolves it (POST /gate/:id);
+ *      the Pi subprocess POLLS for the resolution (GET /gate/:id/resolution) and
+ *      resolves its awaited `tool_call` Promise on a non-pending answer.
+ *
+ * ── 45s auto-allow (R3, autonomous-first, maintainer-LOCKED) ──
+ * A pending request with no operator decision after {@link GATE_AUTO_ALLOW_MS}
+ * resolves to `auto-allow` so an unsupervised run never stalls (and Pi #2381 — a
+ * `tool_call` handler that never resolves hangs the loop — can't bite). Expiry is
+ * LAZY-ON-POLL (computed from `createdAt` vs the injected clock at
+ * {@link GateRegistry.getResolution} time) — no daemon timer, fully
+ * deterministic under test. The Pi-side poll loop additionally bounds itself +
+ * honors `ctx.signal`, so the loop is bounded on BOTH sides.
+ *
+ * ── Audit (R5, security-locked) ──
+ * Every posture change (arm / disarm) and every decision (operator allow|deny,
+ * timeout auto-allow) is handed to the injected {@link GateAuditSink} — the
+ * daemon wires the append-only JSONL writer
+ * (`~/.agent-tempo/gate-audit/<ensemble>/<workflowId>.jsonl`). The registry owns
+ * the auto-allow decision point, so it MUST audit that one; arm/disarm/operator
+ * decisions are audited here too for a single sink.
+ *
+ * ── gate_resolved on the /inner stream (architect-ruled DI) ──
+ * When a decision lands, the registry emits an `inner.gate_resolved` frame so the
+ * operator sees the outcome. To avoid a circular import (GateRegistry ↔ the
+ * inner-loop module), the publish path is an INJECTED {@link PublishToInner}
+ * callback — the daemon wires it to `innerLoop.publish`. The registry imports
+ * only the InnerFrame TYPE (erased at compile), never the inner-loop runtime.
+ *
+ * This module is daemon-side ONLY (loopback HTTP boundary, off Temporal, off the
+ * coordination bus). Nothing here is imported by `src/workflows/`.
+ */
+import type { InnerFrame } from '../pi/inner-loop-publisher';
+/** Operator-gate timeout: a pending request auto-ALLOWS after this long (R3, locked). */
+export declare const GATE_AUTO_ALLOW_MS = 45000;
+/** Terminal decision on a gated tool call. `auto-allow` = the R3 timeout fired. */
+export type GateDecision = 'allow' | 'deny' | 'auto-allow';
+/** Who/what produced a decision. */
+export type GateDecisionSource = 'operator' | 'timeout';
+/** Metadata the source attaches when opening a gate request (for operator display + audit). */
+export interface GateRequestMeta {
+    /** The tool being gated (already classified non-`low-risk`). */
+    tool: string;
+    /** A bounded summary of the tool args (source-truncated, ≤ a couple KB). */
+    argsSummary: string;
+    /** The player's Pi conversation id, if known (audit only). */
+    sessionId?: string;
+    /**
+     * The player's ensemble — stashed per-player so the audit sink can path the
+     * JSONL under `<ensemble>/<workflowId>.jsonl` (workflowId is not cleanly
+     * splittable since both ensemble + playerId may contain hyphens).
+     */
+    ensemble?: string;
+}
+/** The poll answer the Pi subprocess receives from GET /gate/:requestId/resolution. */
+export type GateResolution = {
+    status: 'pending';
+} | {
+    status: 'resolved';
+    decision: GateDecision;
+    source: GateDecisionSource;
+};
+/** One audited gate event (R5 schema, security-locked; `kind` discriminator per architect). */
+export type GateAuditRecord = {
+    kind: 'decision';
+    ts: string;
+    workflowId: string;
+    sessionId?: string;
+    requestId: string;
+    tool: string;
+    argsSummary: string;
+    decision: GateDecision;
+    source: GateDecisionSource;
+    operatorTokenHint?: string;
+} | {
+    kind: 'arm' | 'disarm';
+    ts: string;
+    workflowId: string;
+    source: 'operator';
+    operatorTokenHint?: string;
+};
+/**
+ * Append-only audit sink (daemon wires the JSONL writer; tests inject a spy).
+ * `ensemble` is a SIDECAR (not part of the locked record schema) the writer uses
+ * to path `<ensemble>/<workflowId>.jsonl`; `''` when unknown.
+ */
+export type GateAuditSink = (record: GateAuditRecord, ensemble: string) => void;
+/**
+ * Injected publish path for the `inner.gate_resolved` outcome frame (architect's
+ * DI to avoid a GateRegistry ↔ inner-loop circular import). Daemon wires it to
+ * `innerLoop.publish`; tests inject a spy; default is a no-op.
+ */
+export type PublishToInner = (workflowId: string, frame: InnerFrame) => void;
+/** Result of an operator decision attempt — drives the route's HTTP status. */
+export type DecideResult = {
+    ok: true;
+} | {
+    ok: false;
+    reason: 'not-found';
+} | {
+    ok: false;
+    reason: 'already-decided';
+};
+/**
+ * Per-daemon operator-gate registry, keyed by the player's fixed session
+ * `workflowId`. One instance is constructed in the daemon and shared between the
+ * Temporal worker (auto-disarm on detach/destroy) and the HTTP gate routes —
+ * the same singleton-sharing pattern as the 3c InnerLoop/IngestToken registries.
+ */
+export declare class GateRegistry {
+    private readonly audit;
+    private readonly now;
+    private readonly autoAllowMs;
+    private readonly publishToInner;
+    private readonly gates;
+    constructor(audit?: GateAuditSink, now?: () => number, autoAllowMs?: number, publishToInner?: PublishToInner);
+    /** Emit an `inner.gate_resolved` outcome frame on the player's /inner stream. */
+    private emitResolved;
+    private gate;
+    private nowIso;
+    /** Arm the gate for a player — subsequent non-`low-risk` tools route to the operator. */
+    arm(workflowId: string, ensemble: string, operatorTokenHint?: string): void;
+    /** Disarm the gate — new tools no longer engage it (in-flight pending still resolvable / auto-allow). */
+    disarm(workflowId: string, operatorTokenHint?: string): void;
+    /** Whether the gate is currently armed for a player (the engagement predicate reads this). */
+    isArmed(workflowId: string): boolean;
+    /**
+     * Open (or return the existing) pending request for a gated tool call.
+     * Idempotent on `requestId` — a retried open returns the existing entry so the
+     * source can safely re-register before polling. Does NOT audit (the request
+     * isn't a decision); the decision/auto-allow audit records carry tool+args.
+     */
+    open(workflowId: string, requestId: string, meta: GateRequestMeta): void;
+    /**
+     * Operator decision (allow|deny) on a pending request. Returns a result that
+     * the route maps to a status: unknown → 404, already-decided → 409 (idempotency
+     * guard so a double-POST or a post-timeout race can't flip a recorded answer).
+     */
+    decide(workflowId: string, requestId: string, decision: 'allow' | 'deny', operatorTokenHint?: string): DecideResult;
+    /**
+     * The Pi subprocess's poll answer. Returns `null` for an unknown request
+     * (route → 404). For a known request: an already-recorded decision, OR — if no
+     * decision and `now - createdAt >= autoAllowMs` — a freshly-recorded `auto-allow`
+     * (R3 timeout, source `timeout`, audited HERE since the registry owns the
+     * timeout clock), OR `pending`.
+     */
+    getResolution(workflowId: string, requestId: string): GateResolution | null;
+    /**
+     * Auto-disarm + drop all pending for a player (detach / destroy). The
+     * subprocess is going away, so abandoning its pending requests is correct — a
+     * still-polling client would just stop. Idempotent.
+     */
+    clearPlayer(workflowId: string): void;
+    /** Drop every player's gate state (daemon shutdown / clear-all). */
+    clear(): void;
+    /** Pending-request count for a player (diagnostics / tests). */
+    pendingCount(workflowId: string): number;
+}

package/dist/http/gate-registry.js

@@ -0,0 +1,163 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GateRegistry = exports.GATE_AUTO_ALLOW_MS = void 0;
+/** Operator-gate timeout: a pending request auto-ALLOWS after this long (R3, locked). */
+exports.GATE_AUTO_ALLOW_MS = 45_000;
+/**
+ * Per-daemon operator-gate registry, keyed by the player's fixed session
+ * `workflowId`. One instance is constructed in the daemon and shared between the
+ * Temporal worker (auto-disarm on detach/destroy) and the HTTP gate routes —
+ * the same singleton-sharing pattern as the 3c InnerLoop/IngestToken registries.
+ */
+class GateRegistry {
+    audit;
+    now;
+    autoAllowMs;
+    publishToInner;
+    gates = new Map();
+    constructor(audit = () => { }, now = Date.now, autoAllowMs = exports.GATE_AUTO_ALLOW_MS, publishToInner = () => { }) {
+        this.audit = audit;
+        this.now = now;
+        this.autoAllowMs = autoAllowMs;
+        this.publishToInner = publishToInner;
+    }
+    /** Emit an `inner.gate_resolved` outcome frame on the player's /inner stream. */
+    emitResolved(workflowId, requestId, decision, source) {
+        this.publishToInner(workflowId, { type: 'inner.gate_resolved', requestId, decision, source, ts: this.now() });
+    }
+    gate(workflowId) {
+        let g = this.gates.get(workflowId);
+        if (!g) {
+            g = { armed: false, ensemble: '', pending: new Map() };
+            this.gates.set(workflowId, g);
+        }
+        return g;
+    }
+    nowIso() {
+        // `now` is injectable; format the same epoch ms the registry reasons about so
+        // audit timestamps line up with the lazy-expiry clock under test.
+        return new Date(this.now()).toISOString();
+    }
+    // ── Arm / disarm (operator posture; audited) ───────────────────────────────
+    /** Arm the gate for a player — subsequent non-`low-risk` tools route to the operator. */
+    arm(workflowId, ensemble, operatorTokenHint) {
+        const g = this.gate(workflowId);
+        g.armed = true;
+        if (ensemble)
+            g.ensemble = ensemble;
+        this.audit({ kind: 'arm', ts: this.nowIso(), workflowId, source: 'operator', ...(operatorTokenHint ? { operatorTokenHint } : {}) }, g.ensemble);
+    }
+    /** Disarm the gate — new tools no longer engage it (in-flight pending still resolvable / auto-allow). */
+    disarm(workflowId, operatorTokenHint) {
+        const g = this.gate(workflowId);
+        g.armed = false;
+        this.audit({ kind: 'disarm', ts: this.nowIso(), workflowId, source: 'operator', ...(operatorTokenHint ? { operatorTokenHint } : {}) }, g.ensemble);
+    }
+    /** Whether the gate is currently armed for a player (the engagement predicate reads this). */
+    isArmed(workflowId) {
+        return this.gates.get(workflowId)?.armed ?? false;
+    }
+    // ── Pending requests (source opens; operator decides; source polls) ─────────
+    /**
+     * Open (or return the existing) pending request for a gated tool call.
+     * Idempotent on `requestId` — a retried open returns the existing entry so the
+     * source can safely re-register before polling. Does NOT audit (the request
+     * isn't a decision); the decision/auto-allow audit records carry tool+args.
+     */
+    open(workflowId, requestId, meta) {
+        const g = this.gate(workflowId);
+        if (meta.ensemble)
+            g.ensemble = meta.ensemble;
+        if (g.pending.has(requestId))
+            return;
+        g.pending.set(requestId, {
+            tool: meta.tool,
+            argsSummary: meta.argsSummary,
+            sessionId: meta.sessionId,
+            createdAt: this.now(),
+            decision: null,
+            source: null,
+        });
+    }
+    /**
+     * Operator decision (allow|deny) on a pending request. Returns a result that
+     * the route maps to a status: unknown → 404, already-decided → 409 (idempotency
+     * guard so a double-POST or a post-timeout race can't flip a recorded answer).
+     */
+    decide(workflowId, requestId, decision, operatorTokenHint) {
+        const g = this.gates.get(workflowId);
+        const req = g?.pending.get(requestId);
+        if (!req)
+            return { ok: false, reason: 'not-found' };
+        if (req.decision !== null)
+            return { ok: false, reason: 'already-decided' };
+        req.decision = decision;
+        req.source = 'operator';
+        this.audit({
+            kind: 'decision',
+            ts: this.nowIso(),
+            workflowId,
+            ...(req.sessionId ? { sessionId: req.sessionId } : {}),
+            requestId,
+            tool: req.tool,
+            argsSummary: req.argsSummary,
+            decision,
+            source: 'operator',
+            ...(operatorTokenHint ? { operatorTokenHint } : {}),
+        }, g?.ensemble ?? '');
+        this.emitResolved(workflowId, requestId, decision, 'operator');
+        return { ok: true };
+    }
+    /**
+     * The Pi subprocess's poll answer. Returns `null` for an unknown request
+     * (route → 404). For a known request: an already-recorded decision, OR — if no
+     * decision and `now - createdAt >= autoAllowMs` — a freshly-recorded `auto-allow`
+     * (R3 timeout, source `timeout`, audited HERE since the registry owns the
+     * timeout clock), OR `pending`.
+     */
+    getResolution(workflowId, requestId) {
+        const g = this.gates.get(workflowId);
+        const req = g?.pending.get(requestId);
+        if (!req)
+            return null;
+        if (req.decision !== null) {
+            return { status: 'resolved', decision: req.decision, source: req.source ?? 'operator' };
+        }
+        if (this.now() - req.createdAt >= this.autoAllowMs) {
+            req.decision = 'auto-allow';
+            req.source = 'timeout';
+            this.audit({
+                kind: 'decision',
+                ts: this.nowIso(),
+                workflowId,
+                ...(req.sessionId ? { sessionId: req.sessionId } : {}),
+                requestId,
+                tool: req.tool,
+                argsSummary: req.argsSummary,
+                decision: 'auto-allow',
+                source: 'timeout',
+            }, g?.ensemble ?? '');
+            this.emitResolved(workflowId, requestId, 'auto-allow', 'timeout');
+            return { status: 'resolved', decision: 'auto-allow', source: 'timeout' };
+        }
+        return { status: 'pending' };
+    }
+    // ── Lifecycle (auto-disarm on detach/destroy; daemon shutdown) ──────────────
+    /**
+     * Auto-disarm + drop all pending for a player (detach / destroy). The
+     * subprocess is going away, so abandoning its pending requests is correct — a
+     * still-polling client would just stop. Idempotent.
+     */
+    clearPlayer(workflowId) {
+        this.gates.delete(workflowId);
+    }
+    /** Drop every player's gate state (daemon shutdown / clear-all). */
+    clear() {
+        this.gates.clear();
+    }
+    /** Pending-request count for a player (diagnostics / tests). */
+    pendingCount(workflowId) {
+        return this.gates.get(workflowId)?.pending.size ?? 0;
+    }
+}
+exports.GateRegistry = GateRegistry;

package/dist/http/gate-routes.d.ts

@@ -0,0 +1,48 @@
+/**
+ * HTTP route handlers for the 3d operator gate (MD-G). server.ts dispatches to
+ * these; logic lives here so it stays testable.
+ *
+ * FOUR routes, TWO auth planes (mirrors the 3c inner-loop split):
+ *
+ *   OPERATOR plane (operator/dashboard → daemon). Mounted AFTER the outer bearer
+ *   gate with an explicit `requireTier(3)` (the highest RBAC tier, MD-E) — only
+ *   an admin-token holder may arm/disarm or decide:
+ *     - POST /v1/players/:e/:p/gate-arm           → arm the gate
+ *     - POST /v1/players/:e/:p/gate-disarm        → disarm the gate
+ *     - POST /v1/players/:e/:p/gate/:requestId    → decide { decision:'allow'|'deny' }
+ *
+ *   SOURCE plane (Pi subprocess → daemon; publisher-only). Same INGRESS gate as
+ *   the inner-loop ingest — loopback `remoteAddress` + `X-Ingest-Token` validated
+ *   against the URL-derived workflowId (cross-player-spoof guard), uniform 403:
+ *     - GET /v1/players/:e/:p/gate/:requestId/resolution → poll { status, … }
+ *
+ * The Pi subprocess's awaited `tool_call` handler polls the resolution route
+ * until it gets a non-`pending` answer (operator decision OR the registry's lazy
+ * 45s auto-allow) or its own bounded/ctx.signal-cancelled deadline.
+ *
+ * Daemon-side ONLY (loopback boundary, off Temporal). Not imported by workflows.
+ */
+import type { IncomingMessage, ServerResponse } from 'http';
+import type { GateRegistry } from './gate-registry';
+import type { IngestTokenRegistry } from './ingest-registry';
+export interface GateDeps {
+    gate: GateRegistry;
+    ingestTokens: IngestTokenRegistry;
+}
+/** POST /gate-arm — arm the operator gate for a player. 204. */
+export declare function handleGateArm(req: IncomingMessage, res: ServerResponse, deps: GateDeps, ensemble: string, playerId: string): void;
+/** POST /gate-disarm — disarm the operator gate for a player. 204. */
+export declare function handleGateDisarm(req: IncomingMessage, res: ServerResponse, deps: GateDeps, ensemble: string, playerId: string): void;
+/**
+ * POST /gate/:requestId — operator decision on a pending gated tool call.
+ * Body `{ decision: 'allow' | 'deny' }`. 204 on success; 404 unknown requestId;
+ * 409 already-decided (idempotency — a double-POST or post-timeout race can't
+ * flip a recorded answer); 400 malformed body / bad decision value.
+ */
+export declare function handleGateDecide(req: IncomingMessage, res: ServerResponse, deps: GateDeps, ensemble: string, playerId: string, requestId: string): Promise<void>;
+/**
+ * GET /gate/:requestId/resolution — the Pi subprocess polls for the decision.
+ * 200 `{ status:'pending' }` | `{ status:'resolved', decision, source }`; 404 for
+ * an unknown requestId; uniform 403 on any INGRESS gate failure (no leak).
+ */
+export declare function handleGateResolution(req: IncomingMessage, res: ServerResponse, deps: GateDeps, ensemble: string, playerId: string, requestId: string): void;

package/dist/http/gate-routes.js

@@ -0,0 +1,102 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.handleGateArm = handleGateArm;
+exports.handleGateDisarm = handleGateDisarm;
+exports.handleGateDecide = handleGateDecide;
+exports.handleGateResolution = handleGateResolution;
+const config_1 = require("../config");
+const responses_1 = require("./responses");
+const body_1 = require("./body");
+const inner_loop_routes_1 = require("./inner-loop-routes");
+/** Decision body cap — the payload is a tiny `{decision}`; this is the DOS backstop. */
+const GATE_BODY_MAX = 4 * 1024;
+function headerValue(v) {
+    if (v === undefined)
+        return undefined;
+    return Array.isArray(v) ? v[0] : v;
+}
+/**
+ * SOURCE-plane INGRESS gate (loopback + ingest-token vs URL workflowId), shared
+ * with the inner-loop ingest contract. Returns the workflowId on success, or
+ * `null` after writing a uniform 403 (no info leak — callers just `return`).
+ */
+function gateIngress(req, res, deps, ensemble, playerId) {
+    const deny = () => { (0, responses_1.errorResponse)(res, 403, { error: 'forbidden' }); return null; };
+    if (!(0, inner_loop_routes_1.isLoopbackRemote)(req))
+        return deny();
+    const token = headerValue(req.headers[inner_loop_routes_1.INGEST_TOKEN_HEADER]);
+    if (!token)
+        return deny();
+    const workflowId = (0, config_1.sessionWorkflowId)(ensemble, playerId);
+    if (!deps.ingestTokens.validate(workflowId, token))
+        return deny();
+    return workflowId;
+}
+/**
+ * Best-effort short audit hint from the operator's bearer (last 6 chars) — never
+ * the full token. Absent on a loopback-trust request with no Authorization.
+ */
+function operatorTokenHint(req) {
+    const auth = headerValue(req.headers.authorization);
+    if (!auth)
+        return undefined;
+    const m = /^Bearer\s+(.+)$/i.exec(auth.trim());
+    const tok = m?.[1];
+    return tok && tok.length >= 6 ? `…${tok.slice(-6)}` : undefined;
+}
+// ── OPERATOR plane (server.ts applies requireTier(3) before dispatch) ──────────
+/** POST /gate-arm — arm the operator gate for a player. 204. */
+function handleGateArm(req, res, deps, ensemble, playerId) {
+    const workflowId = (0, config_1.sessionWorkflowId)(ensemble, playerId);
+    deps.gate.arm(workflowId, ensemble, operatorTokenHint(req));
+    res.writeHead(204);
+    res.end();
+}
+/** POST /gate-disarm — disarm the operator gate for a player. 204. */
+function handleGateDisarm(req, res, deps, ensemble, playerId) {
+    const workflowId = (0, config_1.sessionWorkflowId)(ensemble, playerId);
+    deps.gate.disarm(workflowId, operatorTokenHint(req));
+    res.writeHead(204);
+    res.end();
+}
+/**
+ * POST /gate/:requestId — operator decision on a pending gated tool call.
+ * Body `{ decision: 'allow' | 'deny' }`. 204 on success; 404 unknown requestId;
+ * 409 already-decided (idempotency — a double-POST or post-timeout race can't
+ * flip a recorded answer); 400 malformed body / bad decision value.
+ */
+async function handleGateDecide(req, res, deps, ensemble, playerId, requestId) {
+    const workflowId = (0, config_1.sessionWorkflowId)(ensemble, playerId);
+    const body = await (0, body_1.readJsonBody)(req, GATE_BODY_MAX);
+    if (body === body_1.BODY_TOO_LARGE || body === body_1.BODY_INVALID_JSON) {
+        return (0, responses_1.errorResponse)(res, 400, { error: 'bad-request' });
+    }
+    const decision = body.decision;
+    if (decision !== 'allow' && decision !== 'deny') {
+        return (0, responses_1.errorResponse)(res, 400, { error: 'bad-request', detail: "decision must be 'allow' or 'deny'" });
+    }
+    const result = deps.gate.decide(workflowId, requestId, decision, operatorTokenHint(req));
+    if (result.ok) {
+        res.writeHead(204);
+        res.end();
+        return;
+    }
+    if (result.reason === 'not-found')
+        return (0, responses_1.errorResponse)(res, 404, { error: 'not-found' });
+    return (0, responses_1.errorResponse)(res, 409, { error: 'already-decided' });
+}
+// ── SOURCE plane (ingest-token; Pi subprocess polls) ───────────────────────────
+/**
+ * GET /gate/:requestId/resolution — the Pi subprocess polls for the decision.
+ * 200 `{ status:'pending' }` | `{ status:'resolved', decision, source }`; 404 for
+ * an unknown requestId; uniform 403 on any INGRESS gate failure (no leak).
+ */
+function handleGateResolution(req, res, deps, ensemble, playerId, requestId) {
+    const workflowId = gateIngress(req, res, deps, ensemble, playerId);
+    if (workflowId === null)
+        return;
+    const resolution = deps.gate.getResolution(workflowId, requestId);
+    if (resolution === null)
+        return (0, responses_1.errorResponse)(res, 404, { error: 'not-found' });
+    return (0, responses_1.jsonResponse)(res, 200, resolution);
+}

package/dist/http/ingest-registry.d.ts

@@ -0,0 +1,30 @@
+/**
+ * In-memory map of `workflowId → ingest token`, owned by the daemon (one
+ * instance shared between the outbox minter and the HTTP ingest/presence
+ * validators). Tokens never persist — they live only for the player's lifetime.
+ */
+export declare class IngestTokenRegistry {
+    private readonly tokens;
+    /**
+     * Mint a fresh ingest token for a player, replacing any prior one (a restart
+     * re-mints). Returns the token to inject into the subprocess env.
+     */
+    mint(workflowId: string): string;
+    /**
+     * Validate a presented token against the token minted for `workflowId`
+     * (timing-safe, via {@link tokensMatch}). Returns `false` for an unknown
+     * player or a mismatch — so a compromised player presenting its OWN token for
+     * another player's URL is rejected (cross-player-spoof guard). The workflowId
+     * is public (it's in the URL); the token is the secret, and only its
+     * comparison is constant-time.
+     */
+    validate(workflowId: string, presented: string): boolean;
+    /** Revoke a player's ingest token (detach / destroy). Idempotent. */
+    revoke(workflowId: string): void;
+    /** Revoke every token (daemon shutdown / clear-all). */
+    revokeAll(): void;
+    /** Whether a player currently holds a minted token. */
+    has(workflowId: string): boolean;
+    /** Active token count (diagnostics / tests). */
+    size(): number;
+}