agent-tempo 1.6.0 → 1.6.2

package/dashboard/package.json

@@ -1,7 +1,7 @@
 {
   "name": "agent-tempo-dashboard",
   "private": true,
-  "version": "1.6.0",
+  "version": "1.6.2",
   "type": "module",
   "description": "Web dashboard for agent-tempo. Bundled into the npm package; served by the daemon at /dashboard/*.",
   "scripts": {

package/dist/activities/hard-terminate.js

@@ -30,6 +30,7 @@ exports.hardTerminateAttachment = hardTerminateAttachment;
 const child_process_1 = require("child_process");
 const fs_1 = require("fs");
 const path_1 = require("path");
+const config_1 = require("../config");
 const constants_1 = require("../constants");
 const log = (...args) => console.error('[agent-tempo:hard-terminate]', ...args);
 /**
@@ -43,8 +44,13 @@ async function hardTerminateAttachment(input) {
     log(`hardTerminate start — ensemble=${ensemble} player=${playerName} agent=${agent}`);
     // ── Copilot bridge: PID file is authoritative ──
     if (agent === 'copilot') {
-        const pidDir = logDir || (0, path_1.join)(workDir, 'logs');
-        const pidPath = (0, path_1.join)(pidDir, `${playerName}.pid`);
+        // #690 — pid lives at the CENTRAL ~/.agent-tempo/logs/<ensemble>/ path now.
+        // Transitional (one version, v1.6.2) READ-ONLY fallback to the legacy per-cwd
+        // <workDir>/logs so we can still find+kill an orphan from a pre-upgrade spawn.
+        // TODO(v1.7): drop the legacy fallback.
+        const centralPid = (0, config_1.bridgeLogPaths)(ensemble, playerName, logDir).pidPath;
+        const legacyPid = (0, path_1.join)(logDir || (0, path_1.join)(workDir, 'logs'), `${playerName}.pid`);
+        const pidPath = (0, fs_1.existsSync)(centralPid) ? centralPid : legacyPid;
         if ((0, fs_1.existsSync)(pidPath)) {
             try {
                 const pidStr = (0, fs_1.readFileSync)(pidPath, 'utf8').trim();

package/dist/adapters/claude-api/adapter.js

@@ -332,10 +332,11 @@ class DirectApiAttachment extends base_1.SdkAttachment {
             process.exit(1);
         }
         // PID file so callers can find / kill orphaned adapter processes.
-        const pidDir = path.join(workDir, 'logs');
-        const pidFile = path.join(pidDir, `${playerIdForWorkflow}.pid`);
+        // #690 — write/unlink the EXACT path the spawner computed (ENV.PID_FILE) so the
+        // adapter pid can't diverge from the spawner's; helper fallback for a manual launch.
+        const pidFile = (0, config_1.resolveAdapterPidFile)(config.ensemble, playerIdForWorkflow);
         try {
-            fs.mkdirSync(pidDir, { recursive: true });
+            fs.mkdirSync(path.dirname(pidFile), { recursive: true });
             fs.writeFileSync(pidFile, String(process.pid));
         }
         catch (err) {

package/dist/adapters/claude-code-headless/adapter.js

@@ -353,10 +353,11 @@ class ClaudeCodeHeadlessAttachment extends base_1.SdkAttachment {
             process.exit(1);
         }
         // PID file so callers can find / kill orphaned adapter processes.
-        const pidDir = path.join(workDir, 'logs');
-        const pidFile = path.join(pidDir, `${playerIdForWorkflow}.pid`);
+        // #690 — write/unlink the EXACT path the spawner computed (ENV.PID_FILE) so the
+        // adapter pid can't diverge from the spawner's; helper fallback for a manual launch.
+        const pidFile = (0, config_1.resolveAdapterPidFile)(config.ensemble, playerIdForWorkflow);
         try {
-            fs.mkdirSync(pidDir, { recursive: true });
+            fs.mkdirSync(path.dirname(pidFile), { recursive: true });
             fs.writeFileSync(pidFile, String(process.pid));
         }
         catch (err) {

package/dist/adapters/copilot/adapter.js

@@ -386,8 +386,13 @@ class CopilotSdkAttachment extends base_1.SdkAttachment {
             log(`Initial prompt error after ${Date.now()}ms:`, err?.message, err?.stack?.substring(0, 300));
         }
         // PID file paths — computed early so early-exit paths can clean up
-        const pidDir = path.join(workDir, 'logs');
-        const pidFile = path.join(pidDir, `${playerName || playerIdForWorkflow}.pid`);
+        // #690 — write/unlink the EXACT path the spawner computed (ENV.PID_FILE), so this
+        // adapter's pid file can't diverge from the spawner's. The copilot split-brain was
+        // here: spawnCopilotBridge sets PLAYER_NAME='' + BRIDGE_NAME=name, so this
+        // re-derivation fell to `playerIdForWorkflow` (→ `copilot-${Date.now()}`) ≠ the
+        // spawner's logName. Consuming the passed path removes the re-derivation entirely.
+        // Helper fallback only for a manual launch with no env.
+        const pidFile = (0, config_1.resolveAdapterPidFile)(config.ensemble, playerName || playerIdForWorkflow);
         // Wait for the MCP server's workflow to register in Temporal.
         // We know the exact workflow ID because we pass AGENT_TEMPO_PLAYER_NAME to the
         // MCP server — no need for a time-window heuristic that could misidentify workflows.
@@ -485,7 +490,7 @@ class CopilotSdkAttachment extends base_1.SdkAttachment {
         // Imported at the top of this module.
         // Write PID file so callers can find/kill orphaned bridge processes
         try {
-            fs.mkdirSync(pidDir, { recursive: true });
+            fs.mkdirSync(path.dirname(pidFile), { recursive: true });
             fs.writeFileSync(pidFile, String(process.pid));
             log(`PID file written: ${pidFile}`);
         }

package/dist/adapters/opencode/adapter.js

@@ -239,7 +239,9 @@ class OpenCodeAttachment extends base_1.SdkAttachment {
         log(`Synthesized OPENCODE_CONFIG_CONTENT: ${(0, helpers_1.redactSecrets)(configContent)}`);
         // (3) Spawn opencode serve. Stdio redirected to a per-player log file
         // so terminal noise from opencode doesn't clutter the adapter's log.
-        const logDir = path.join(workDir, 'logs');
+        // #690 — central ~/.agent-tempo/logs/<ensemble>/ (the opencode serve subprocess
+        // log sits beside the adapter's own log, not in a per-cwd ./logs).
+        const logDir = (0, config_1.bridgeLogPaths)(config.ensemble, playerIdForWorkflow).dir;
         fs.mkdirSync(logDir, { recursive: true });
         const opencodeLogFile = path.join(logDir, `opencode-${playerIdForWorkflow}.log`);
         const logFd = fs.openSync(opencodeLogFile, 'a');

package/dist/cli/commands.js

@@ -805,7 +805,7 @@ async function status(opts) {
             const agent = s.agentType === 'copilot' ? out.dim(' [copilot]') : '';
             const statusLabel = phaseLabel(s.phase);
             // Show PID info for copilot bridge sessions
-            const pidInfo = s.agentType === 'copilot' ? getBridgePidInfo(s.name) : '';
+            const pidInfo = s.agentType === 'copilot' ? getBridgePidInfo(ensemble, s.name) : '';
             const name = out.bold(s.name);
             out.log(`  ${name}${role}${statusLabel}${agent}${pidInfo}`);
             if (s.part)
@@ -938,6 +938,7 @@ function temporalCliExists() {
 }
 function registerSearchAttributes(temporalAddress, namespace = 'default') {
     let failed = 0;
+    let permissionBlocked = 0;
     for (const attr of sa_preflight_1.REQUIRED_SEARCH_ATTRIBUTES) {
         const r = (0, sa_preflight_1.registerSearchAttribute)(attr, temporalAddress, namespace);
         switch (r.status) {
@@ -948,17 +949,33 @@ function registerSearchAttributes(temporalAddress, namespace = 'default') {
                 out.dim(`  ${attr.name} (already registered)`);
                 break;
             case 'failed':
-                // Surface the real error — pre-#605 this branch was silently
-                // labeled "already exists" and the operator only discovered the
-                // problem hours later when workflow start failed with
-                // INVALID_ARGUMENT. Most common cause on the SQLite dev server is
-                // the 10-Keyword-per-namespace cap (often hit when a namespace
-                // accumulates both old + new wire-rename attribute families).
-                failed++;
-                out.warn(`Failed to register ${attr.name}: ${r.detail}`);
+                // A PERMISSION error (Temporal Cloud namespace API keys can't reach the
+                // operator service) means we can't tell whether the SA exists — NOT that
+                // it's missing. Don't print a scary per-attr "Failed to register" or count
+                // it as a failure; collapse to ONE soft line below and PROCEED. Reserve
+                // the per-attr warning + hard "will fail" conclusion for DEFINITIVE
+                // failures (e.g. the SQLite dev server's 10-Keyword-per-namespace cap).
+                if ((0, sa_preflight_1.isPermissionError)(r.detail)) {
+                    permissionBlocked++;
+                }
+                else {
+                    failed++;
+                    out.warn(`Failed to register ${attr.name}: ${r.detail}`);
+                }
                 break;
         }
     }
+    // Permission-blocked (normal on Temporal Cloud): one accurate, non-alarming
+    // line — we couldn't manage the SAs, but that doesn't mean they're missing.
+    if (permissionBlocked > 0) {
+        const saList = sa_preflight_1.REQUIRED_SEARCH_ATTRIBUTES.map((a) => `${a.name}:${a.type}`).join(', ');
+        out.warn(`Couldn't verify search attributes — this credential lacks permission to manage them ` +
+            `(normal on Temporal Cloud, where search attributes are managed via the Cloud UI or tcld). ` +
+            `If workflow starts fail with "search attribute ... is not defined", create these ` +
+            `${sa_preflight_1.REQUIRED_SEARCH_ATTRIBUTES.length} via the Cloud UI / tcld: ${saList}. ` +
+            `Otherwise this is safe to ignore.`);
+    }
+    // DEFINITIVE failures genuinely block — keep the hard, actionable conclusion.
     if (failed > 0) {
         out.warn(`${failed} search attribute${failed === 1 ? '' : 's'} not registered — ` +
             `workflow starts will fail. Resolve the errors above before continuing.`);
@@ -1048,6 +1065,9 @@ async function server(opts) {
 }
 async function up(opts) {
     const config = (0, config_1.getConfig)(opts);
+    // #689 — best-effort sweep of stale 0600 secret env files (residual from a shell
+    // that died between `source` and `rm`). Owner-only, swallows errors.
+    (0, spawn_1.sweepStaleSecretEnvFiles)();
     out.heading('agent-tempo setup');
     // Step 1: Check temporal CLI
     if (!temporalCliExists()) {
@@ -1893,8 +1913,13 @@ async function down(opts) {
  * Read PID info for a copilot bridge session from its PID file.
  * Returns a formatted string like " (pid 12345)" or "" if no PID file found.
  */
-function getBridgePidInfo(name) {
-    const pidPath = (0, path_1.join)(process.cwd(), 'logs', `${name}.pid`);
+function getBridgePidInfo(ensemble, name) {
+    // #690 — pid lives at the CENTRAL ~/.agent-tempo/logs/<ensemble>/ path; transitional
+    // READ-ONLY fallback to the legacy per-cwd ./logs for a pre-upgrade bridge.
+    // TODO(v1.7): drop the legacy fallback.
+    const centralPid = (0, config_1.bridgeLogPaths)(ensemble, name).pidPath;
+    const legacyPid = (0, path_1.join)(process.cwd(), 'logs', `${name}.pid`);
+    const pidPath = (0, fs_1.existsSync)(centralPid) ? centralPid : legacyPid;
     if (!(0, fs_1.existsSync)(pidPath))
         return '';
     try {
@@ -1915,36 +1940,63 @@ function getBridgePidInfo(name) {
     }
 }
 /**
- * Kill all bridge processes found in logs/*.pid and clean up PID files.
+ * Kill all bridge processes found in `*.pid` files and clean up the pid files.
+ *
+ * #690 — bridge pid files moved to the CENTRAL `~/.agent-tempo/logs/<ensemble>/`
+ * dirs. `down` is a GLOBAL teardown (it stops the daemon + Temporal for EVERY
+ * ensemble), so this scans ALL central ensemble subdirs — NOT a single ensemble.
+ *
+ * ⚠️ GLOBAL-TEARDOWN ONLY. The sole caller is `down()`, which has no ensemble (it
+ * stops everything), so scanning all ensembles is correct HERE. A FUTURE
+ * ensemble-scoped teardown (e.g. `down --ensemble X` / a per-ensemble `destroy`)
+ * MUST add an `ensemble` param and scope this to `bridgeLogPaths(ensemble, '').dir`
+ * — do NOT reuse this global scan-all from a scoped op: it would kill OTHER live
+ * ensembles' bridges. The param is intentionally NOT added now (no caller needs it
+ * = speculative; backlogged per the architect's deviation ruling).
+ *
+ * Plus a transitional READ of the legacy per-cwd `./logs` for a pre-upgrade
+ * bridge. TODO(v1.7): drop the legacy `./logs` dir.
  */
 function killBridgeProcesses() {
-    const logsDir = (0, path_1.join)(process.cwd(), 'logs');
-    if (!(0, fs_1.existsSync)(logsDir))
-        return;
+    const centralRoot = (0, config_1.bridgeLogsRoot)();
+    const dirs = [(0, path_1.join)(process.cwd(), 'logs')]; // legacy (transitional)
     try {
-        const pidFiles = (0, fs_1.readdirSync)(logsDir).filter(f => f.endsWith('.pid'));
-        for (const pidFile of pidFiles) {
-            const pidPath = (0, path_1.join)(logsDir, pidFile);
-            try {
-                const pid = parseInt((0, fs_1.readFileSync)(pidPath, 'utf8').trim(), 10);
-                if (!isNaN(pid)) {
-                    try {
-                        process.kill(pid);
-                        out.log(`  ${out.dim(`Killed bridge process ${pidFile.replace('.pid', '')} (pid ${pid})`)}`);
-                    }
-                    catch {
-                        // already dead
+        for (const ent of (0, fs_1.readdirSync)(centralRoot, { withFileTypes: true })) {
+            if (ent.isDirectory())
+                dirs.push((0, path_1.join)(centralRoot, ent.name));
+        }
+    }
+    catch {
+        // no central logs root yet — nothing central to scan
+    }
+    for (const logsDir of dirs) {
+        if (!(0, fs_1.existsSync)(logsDir))
+            continue;
+        try {
+            const pidFiles = (0, fs_1.readdirSync)(logsDir).filter(f => f.endsWith('.pid'));
+            for (const pidFile of pidFiles) {
+                const pidPath = (0, path_1.join)(logsDir, pidFile);
+                try {
+                    const pid = parseInt((0, fs_1.readFileSync)(pidPath, 'utf8').trim(), 10);
+                    if (!isNaN(pid)) {
+                        try {
+                            process.kill(pid);
+                            out.log(`  ${out.dim(`Killed bridge process ${pidFile.replace('.pid', '')} (pid ${pid})`)}`);
+                        }
+                        catch {
+                            // already dead
+                        }
                     }
+                    (0, fs_1.unlinkSync)(pidPath);
+                }
+                catch {
+                    // unreadable — skip
                 }
-                (0, fs_1.unlinkSync)(pidPath);
-            }
-            catch {
-                // unreadable — skip
             }
         }
-    }
-    catch {
-        // logs dir unreadable
+        catch {
+            // logs dir unreadable
+        }
     }
 }
 async function agentTypesCommand(opts) {

package/dist/cli/config-command.d.ts

@@ -11,8 +11,22 @@ import type { AgentType } from '../types';
  *     are not offered here.
  * Single source of truth for the interactive selector + `config set` validation
  * (#666 — adds `pi` so the new interactive Pi conductor can be the default).
+ *
+ * DELIBERATE SUBSET of `AGENT_TYPES` (NOT derived from it): this is a CAPABILITY
+ * allowlist (conductor-capable production agents), distinct from `parseAgent`'s
+ * type-VALIDITY check, which accepts all of `AGENT_TYPES`. Keep the two separate —
+ * #683 was caused by a validity check (`config.ts`) that had been hardcoded to a
+ * stale subset; this one is intentionally narrow and must stay that way.
  */
 export declare const VALID_DEFAULT_AGENTS: readonly AgentType[];
+/**
+ * Render a secret for display: a short non-sensitive prefix (when the value is
+ * long enough that the prefix reveals only a small fraction) + a masked tail +
+ * the char count. NEVER returns the full value. Empty/unset → "(not set)".
+ *
+ * Examples: `sk-ant-…•••• (set, 47 chars)` · short secret → `•••• (set, 6 chars)`.
+ */
+export declare function maskSecret(value: string | undefined | null): string;
 /** Interactive config setup: `agent-tempo config` */
 export declare function configInteractive(): Promise<void>;
 /** Non-interactive: `agent-tempo config set <key> <value>` */

package/dist/cli/config-command.js

@@ -34,6 +34,7 @@ var __importStar = (this && this.__importStar) || (function () {
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.VALID_DEFAULT_AGENTS = void 0;
+exports.maskSecret = maskSecret;
 exports.configInteractive = configInteractive;
 exports.configSet = configSet;
 exports.configShow = configShow;
@@ -41,6 +42,7 @@ exports.configCommand = configCommand;
 const readline = __importStar(require("readline"));
 const config_1 = require("../config");
 const config_2 = require("../config");
+const secrets_1 = require("../utils/secrets");
 const out = __importStar(require("./output"));
 /**
  * Agents valid as a persistent `defaultAgent` — the conductor-capable PRODUCTION
@@ -54,6 +56,12 @@ const out = __importStar(require("./output"));
  *     are not offered here.
  * Single source of truth for the interactive selector + `config set` validation
  * (#666 — adds `pi` so the new interactive Pi conductor can be the default).
+ *
+ * DELIBERATE SUBSET of `AGENT_TYPES` (NOT derived from it): this is a CAPABILITY
+ * allowlist (conductor-capable production agents), distinct from `parseAgent`'s
+ * type-VALIDITY check, which accepts all of `AGENT_TYPES`. Keep the two separate —
+ * #683 was caused by a validity check (`config.ts`) that had been hardcoded to a
+ * stale subset; this one is intentionally narrow and must stay that way.
  */
 exports.VALID_DEFAULT_AGENTS = ['claude', 'copilot', 'pi'];
 // NOTE: `createTemporalConnection` is dynamic-imported inside `configInteractive`'s
@@ -61,7 +69,29 @@ exports.VALID_DEFAULT_AGENTS = ['claude', 'copilot', 'pi'];
 // `@temporalio/client`, defeating the crash-proof property of `config show` /
 // `config set` — both of which are pure fs operations and must remain operable
 // under a broken Temporal SDK install.
-const SECRET_KEYS = new Set(['temporalApiKey']);
+// #684 — secret-masking. Any config field whose name looks like a credential is
+// masked in EVERY display path (show / interactive default / set echo) so a key is
+// never printed raw (terminal scrollback, screen-share, logs). The classifier
+// (`isSecretKey`) was extracted to `utils/secrets.ts` in #689 so `spawn.ts` shares
+// it — a future secret masks AND stays off the command line everywhere at once.
+/**
+ * Render a secret for display: a short non-sensitive prefix (when the value is
+ * long enough that the prefix reveals only a small fraction) + a masked tail +
+ * the char count. NEVER returns the full value. Empty/unset → "(not set)".
+ *
+ * Examples: `sk-ant-…•••• (set, 47 chars)` · short secret → `•••• (set, 6 chars)`.
+ */
+function maskSecret(value) {
+    if (value == null || value === '')
+        return '(not set)';
+    const len = value.length;
+    // Reveal a prefix only when it's a small fraction of the whole; never for short
+    // secrets (so the output can never contain the full input — see the unit test).
+    const prefixLen = len >= 12 ? 6 : len >= 8 ? 3 : 0;
+    const prefix = value.slice(0, prefixLen);
+    const masked = prefixLen > 0 ? `${prefix}…••••` : '••••';
+    return `${masked} (set, ${len} chars)`;
+}
 /** Read a line from stdin with a prompt and optional default value. */
 function ask(prompt, defaultVal, mask = false) {
     return new Promise((resolve) => {
@@ -69,7 +99,11 @@ function ask(prompt, defaultVal, mask = false) {
             input: process.stdin,
             output: process.stdout,
         });
-        const display = defaultVal ? `${prompt} (${defaultVal}): ` : `${prompt}: `;
+        // #684 — for masked (secret) prompts NEVER echo the raw existing value as the
+        // shown default; render a masked hint instead. The real `defaultVal` is still
+        // returned on empty input, so an existing key is preserved without exposing it.
+        const shownDefault = mask ? maskSecret(defaultVal) : defaultVal;
+        const display = defaultVal ? `${prompt} (${shownDefault}): ` : `${prompt}: `;
         if (mask) {
             // For secret input: write prompt manually, mute output
             process.stdout.write(`? ${display}`);
@@ -212,7 +246,9 @@ function configSet(key, value) {
     }
     config[configKey] = value;
     (0, config_1.saveConfigFile)(config);
-    out.success(`Set ${configKey} = ${configKey.includes('Key') ? '****' : value}`);
+    // #684 — echo through the same secret-masking path so `config set temporalApiKey …`
+    // never prints the value back raw (and a *Path field still shows its location).
+    out.success(`Set ${configKey} = ${(0, secrets_1.isSecretKey)(configKey) ? maskSecret(value) : value}`);
 }
 /** Show current config: `agent-tempo config show` */
 function configShow() {
@@ -234,8 +270,9 @@ function configShow() {
     for (const { key, configKey } of keys) {
         const value = config[configKey];
         const source = sources[configKey];
-        const isSecret = SECRET_KEYS.has(key);
-        const display = !value ? '(not set)' : isSecret ? '****' : value;
+        // #684 — secret-like fields go through maskSecret (prefix + masked tail + char
+        // count); everything else shows its value or "(not set)".
+        const display = (0, secrets_1.isSecretKey)(key) ? maskSecret(value) : (!value ? '(not set)' : value);
         out.log(`  ${key.padEnd(22)} ${display.padEnd(30)} ${out.dim(source)}`);
     }
     console.log();

package/dist/cli/resolve-ensemble.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Resolve the target ensemble with the precedence every CLI command uses (#685):
+ *
+ *   `--ensemble` flag  >  positional arg  >  `AGENT_TEMPO_ENSEMBLE` env  >  `'default'`
+ *
+ * `up` previously passed a bare positional-derived value and IGNORED the
+ * `--ensemble` flag (so `agent-tempo up --ensemble pitest` silently launched in
+ * `default`). Centralizing the rule here makes it a single, unit-testable source
+ * of truth so it can't drift per-command again.
+ *
+ * Pure: `env` is injectable (defaults to the live `AGENT_TEMPO_ENSEMBLE`) so the
+ * precedence is testable without mutating `process.env`.
+ */
+export declare function resolveEnsemble(args: {
+    ensemble?: string;
+    positional: string[];
+}, env?: string | undefined): string;

package/dist/cli/resolve-ensemble.js

@@ -0,0 +1,20 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resolveEnsemble = resolveEnsemble;
+const config_1 = require("../config");
+/**
+ * Resolve the target ensemble with the precedence every CLI command uses (#685):
+ *
+ *   `--ensemble` flag  >  positional arg  >  `AGENT_TEMPO_ENSEMBLE` env  >  `'default'`
+ *
+ * `up` previously passed a bare positional-derived value and IGNORED the
+ * `--ensemble` flag (so `agent-tempo up --ensemble pitest` silently launched in
+ * `default`). Centralizing the rule here makes it a single, unit-testable source
+ * of truth so it can't drift per-command again.
+ *
+ * Pure: `env` is injectable (defaults to the live `AGENT_TEMPO_ENSEMBLE`) so the
+ * precedence is testable without mutating `process.env`.
+ */
+function resolveEnsemble(args, env = process.env[config_1.ENV.ENSEMBLE]) {
+    return args.ensemble || args.positional[1] || env || 'default';
+}

package/dist/cli/sa-preflight.d.ts

@@ -88,6 +88,14 @@ export interface RegistrationResult {
     /** stderr from the temporal CLI, populated when `status === 'failed'`. */
     detail?: string;
 }
+/**
+ * True when a registration error means "this credential can't manage search
+ * attributes" (a permission/authorization failure) rather than a definitive
+ * registration failure (e.g. the SQLite dev server's 10-Keyword cap). Used to
+ * avoid the false "not registered → starts will fail" conclusion on Temporal
+ * Cloud, where SA management lives behind the Cloud UI / `tcld`.
+ */
+export declare function isPermissionError(detail: string | undefined): boolean;
 /**
  * Pure classifier — turn a temporal CLI exit into a {@link RegistrationStatus}.
  * Extracted from {@link registerSearchAttribute} so the matching rules can

package/dist/cli/sa-preflight.js

@@ -39,6 +39,7 @@ exports.isTemporalCloud = isTemporalCloud;
 exports.sdkProbeRegisteredAttributes = sdkProbeRegisteredAttributes;
 exports.formatPreflightError = formatPreflightError;
 exports.verifySearchAttributes = verifySearchAttributes;
+exports.isPermissionError = isPermissionError;
 exports.classifyRegistrationOutput = classifyRegistrationOutput;
 exports.registerSearchAttribute = registerSearchAttribute;
 exports.assertSearchAttributesOrExit = assertSearchAttributesOrExit;
@@ -284,6 +285,36 @@ async function verifySearchAttributes(opts) {
         message: formatPreflightError(missing, opts.temporalNamespace, probeError, cloud),
     };
 }
+/**
+ * Substrings signalling the credential lacks PERMISSION to manage search
+ * attributes — distinct from a definitive registration failure. Temporal Cloud
+ * namespace API keys can't reach the operator service (Cloud manages SAs via its
+ * UI / `tcld`), so `temporal operator search-attribute create/list` returns
+ * "Request unauthorized" / PermissionDenied. That means we CANNOT determine
+ * whether the SAs are registered — NOT that they're missing. Concluding
+ * "not registered → workflow starts will fail" from a permission error is a
+ * false alarm: on Cloud the SAs are typically already present and starts succeed.
+ */
+const PERMISSION_ERROR_MARKERS = [
+    'request unauthorized',
+    'permission denied',
+    'permissiondenied',
+    'unauthorized',
+    'not authorized',
+];
+/**
+ * True when a registration error means "this credential can't manage search
+ * attributes" (a permission/authorization failure) rather than a definitive
+ * registration failure (e.g. the SQLite dev server's 10-Keyword cap). Used to
+ * avoid the false "not registered → starts will fail" conclusion on Temporal
+ * Cloud, where SA management lives behind the Cloud UI / `tcld`.
+ */
+function isPermissionError(detail) {
+    if (!detail)
+        return false;
+    const d = detail.toLowerCase();
+    return PERMISSION_ERROR_MARKERS.some((m) => d.includes(m));
+}
 /**
  * Pure classifier — turn a temporal CLI exit into a {@link RegistrationStatus}.
  * Extracted from {@link registerSearchAttribute} so the matching rules can

package/dist/cli.js

@@ -62,6 +62,7 @@ const types_1 = require("./types");
 const config_1 = require("./config");
 const legacy_migration_1 = require("./cli/legacy-migration");
 const global_wrapper_1 = require("./cli/global-wrapper");
+const resolve_ensemble_1 = require("./cli/resolve-ensemble");
 const grpc_shutdown_guard_1 = require("./utils/grpc-shutdown-guard");
 /** Package root — cli.js compiles to dist/cli.js, so one level up. Used by the inline `version` handler. */
 const PACKAGE_ROOT = (0, path_1.resolve)(__dirname, '..');
@@ -473,7 +474,10 @@ async function main() {
             break;
         case 'up':
             await up({
-                ensemble,
+                // #685 — honor `--ensemble` (flag > positional > env > 'default'), via the
+                // shared resolver. Previously `up` passed the bare positional-derived
+                // `ensemble`, so `--ensemble <name>` was silently ignored → launched in `default`.
+                ensemble: (0, resolve_ensemble_1.resolveEnsemble)(args),
                 name: args.name,
                 lineup: args.lineup,
                 noHold: args.noHold,

package/dist/config.d.ts

@@ -130,6 +130,15 @@ export declare const ENV: {
      * spawns do NOT set it, so recruited adapters keep the #604 anti-leak ppid-poll.
      */
     readonly NO_PPID_WATCHDOG: "AGENT_TEMPO_NO_PPID_WATCHDOG";
+    /**
+     * #690 — absolute path to the bridge pid file, computed ONCE by the spawn
+     * helper (`bridgeLogPaths(ensemble, name).pidPath`) and passed to the adapter
+     * child. The adapter writes/unlinks THIS path rather than re-deriving its own
+     * (which diverged from the spawner's when PLAYER_NAME was empty — the
+     * split-brain orphan). PLAIN (non-secret): it's a file location, not a
+     * credential — must stay inline under #689's `partitionEnv`.
+     */
+    readonly PID_FILE: "AGENT_TEMPO_PID_FILE";
     /**
      * Escape hatch for triple-isolated environments (ADR 0014 §5.3). When
      * set, `resolveTempoHome()` returns this path verbatim — bypassing both
@@ -226,6 +235,48 @@ export declare function isDevMode(): boolean;
 export declare function resolveTempoHome(): string;
 export declare const AGENT_TEMPO_HOME: string;
 export declare const CONFIG_FILE_PATH: string;
+/** Resolved log + pid paths for a recruited bridge/adapter player (#690). */
+export interface BridgeLogPaths {
+    /** The directory holding the player's log + pid files. */
+    dir: string;
+    /** `<dir>/<player>.log`. */
+    logPath: string;
+    /** `<dir>/<player>.pid`. */
+    pidPath: string;
+}
+/**
+ * SINGLE source of truth for where a recruited bridge/adapter's `.log` + `.pid`
+ * live (#690). Default is CENTRAL — `~/.agent-tempo/logs/<ensemble>/<player>.*` —
+ * NOT the old per-cwd `<workDir>/logs` (which scattered pid files across every
+ * recruit directory and orphaned them on `down`). No call site should construct
+ * its own `join(..., 'logs', ...)`; route everything through here so the writer
+ * (spawn helper) and the readers (status / down / hard-terminate) compute the
+ * SAME path and can't split-brain.
+ *
+ * `overrideDir` is the existing per-spawn `opts.logDir` escape hatch (rarely set);
+ * when present it wins over the central default. `ensemble`/`player` are
+ * regex-validated upstream (ENSEMBLE_NAME_REGEX / PLAYER_NAME_REGEX — no slashes),
+ * but a defensive guard rejects path-traversal as insurance.
+ */
+/**
+ * Root of the central bridge-log tree: `~/.agent-tempo/logs`. Per-ensemble dirs
+ * live under it. Exposed so a cluster-wide reader (e.g. `down`'s
+ * killBridgeProcesses) can enumerate every ensemble's dir without re-constructing
+ * the `'logs'` segment itself — {@link bridgeLogPaths} is the only other place
+ * that names it.
+ */
+export declare function bridgeLogsRoot(): string;
+export declare function bridgeLogPaths(ensemble: string, player: string, overrideDir?: string): BridgeLogPaths;
+/**
+ * The pid path an ADAPTER subprocess should write/unlink (#690). The SPAWNER
+ * computes the path once via {@link bridgeLogPaths} and passes it as
+ * `ENV.PID_FILE`; the adapter consumes THAT — it does NOT re-derive its own from
+ * a (possibly divergent) player identifier. The `bridgeLogPaths` fallback is used
+ * ONLY when the env is absent (a manual adapter launch outside the spawner). This
+ * is the by-construction fix for the copilot split-brain (PLAYER_NAME='' →
+ * `copilot-${Date.now()}` ≠ the spawner's logName).
+ */
+export declare function resolveAdapterPidFile(ensemble: string, fallbackPlayer: string): string;
 /**
  * Daemon-level configuration persisted in `~/.agent-tempo/config.json`
  * alongside the existing `PersistedConfig` fields.
@@ -334,9 +385,18 @@ export declare function loadTemporalCliConfig(): PersistedConfig;
  */
 export declare function parseTemporalYaml(content: string): PersistedConfig;
 /**
- * Parse an agent value against the {@link AgentType} union.
- * Throws when `value` is present but not a valid agent; returns `'claude'`
- * for empty/unset values so callers can use it as a source-aware default.
+ * Parse an agent value against the canonical {@link AGENT_TYPES} union — the
+ * SINGLE SOURCE OF TRUTH for agent validity (shared with `cli.ts`'s `--agent`
+ * parser). Throws when `value` is present but not a known agent; returns
+ * `'claude'` for empty/unset values so callers can use it as a source-aware default.
+ *
+ * This is a pure type-VALIDITY check — it accepts EVERY `AgentType` (including
+ * `mock` and the headless adapters). Narrower CAPABILITY constraints are gated
+ * separately downstream: the recruit pre-flight rejects `mock` outside dev mode,
+ * and `config`'s `VALID_DEFAULT_AGENTS` restricts the persistent default to the
+ * conductor-capable subset. (#683: the former hardcoded `['claude','copilot']`
+ * list was stale — it rejected `defaultAgent=pi` at config LOAD, poisoning every
+ * command before the `--agent` flag was even read.)
  */
 export declare function parseAgent(value: string | undefined, source: ConfigSource): AgentType;
 /**