agent-tempo 1.7.0-beta.2 → 1.7.0-beta.4

package/CLAUDE.md

@@ -212,13 +212,15 @@ daemon worker notes, `npx ts-node` dev runner).
 - **Claude Code headless adapter** (`agent: 'claude-code-headless'`, #520): Headless adapter that drives sessions via the official `claude` CLI as a per-turn `claude -p --output-format stream-json` subprocess. The whole point: turns bill against the host's existing Claude Code subscription extra-usage credits (Pro / Max plans) rather than a Console workspace API key — the only ToS-clean way for a third-party tool to tap that pool. Requires the `claude` binary on PATH AND a logged-in Claude Code session (`claude auth login`); recruit pre-flight rejects with an actionable error otherwise. Tool surface is the union of full Claude Code built-ins (Bash / Read / Write / Edit / Glob / Grep / WebSearch / WebFetch) and the agent-tempo MCP surface — registered via inline `--mcp-config` so `claude` spawns `dist/server.js` as its own MCP child (no in-process bridge). Recruit knobs: `permissionMode` (default `'acceptEdits'`) or `dangerouslySkipPermissions: true` (mutually exclusive). Sessions resume across restart via the existing `sessionId` metadata field — the same UUID is shared with the interactive `claude-code` adapter (per-cwd JSONL is per-cwd, not per-adapter). See `src/adapters/claude-code-headless/` and `examples/ensembles/tempo-headless-jam.yaml`.
 - **Pi adapter** (`agent: 'pi'`, #632 / #666): Two modes. **(1) Interactive conductor** (#666): `agent-tempo up --agent pi --ensemble <name>` launches `pi` in a real terminal with the agent-tempo extension auto-loaded (`pi -e dist/pi/extension.js`); the Pi session self-bootstraps its Temporal workflow and attaches as a conductor/player — no separate recruiter step. From the TUI, `/recruit-conductor` relaunches the active ensemble's conductor — set `conductor.agent: pi` in that ensemble's lineup to make it a Pi conductor. Requires `@earendil-works/pi-coding-agent` on Node ≥ 22.19. Recommended: `ANTHROPIC_API_KEY` (without it the session falls back to Pi's own auth/default model). The `AGENT_TEMPO_*` env is auto-wired by `up`; power users can invoke the extension directly with `pi -e dist/pi/extension.js`. `--model provider/model` selector (e.g. `'github-copilot/gpt-4o'`) is a fast-follow. **(2) Headless player** (Phase 3a): `recruit` with `agent: 'pi'` — no terminal, no BaseAttachment; runs `createAgentSession` with an in-memory `SessionManager`; the module-scope singleton owns claim/heartbeat/tools/cue pump (MD-D). MD-C tool-access policy: `toolAccess: 'restricted'` (default — Bash/shell/exec HARD-BLOCKED) | `'standard'` (scoped Bash) | `'full'` (unsandboxed; requires `force: true`). `noExtensions: true` closes the S2 exec-tool-bypass gap. See `src/adapters/pi/` and `src/pi/headless.ts`.
 - **Mission-control Pi extension** (3f): An observer-only Pi extension that turns one interactive Pi TUI into a live ensemble board + operator controller. HTTP-drives the daemon — coarse ensemble view via `/v1/events/:ensemble` SSE + fine per-player tail via `/inner` (T3); operator controls (cue/pause/play/restart/destroy + gate arm/disarm/decide) POST to the daemon write surface using `AGENT_TEMPO_HTTP_ADMIN_TOKEN`. **Never claims attachment or registers as a player** — invisible to the ensemble. ~200ms render throttle from an in-memory `BoardModel`. Requires an interactive Pi session with `ctx.hasUI`. See `src/pi/mission-control/`.
+- **Command-center planner** (#700 P2): An inbox-less interactive Pi session (the operator's planning seat) that routes questions to players via correlated `cue` tags (`[Q <questionId>]`). Players answer with the `respond` MCP tool, which parks the answer on the per-ensemble maestro Q&A mailbox (TTL 1h, 20-slot cap). The planner is woken by an `answer` SSE event when the answer lands (`docs/SSE-PROTOCOL.md` §6). `/handoff` cues hand active work to a conductor (a registered player with a Temporal inbox). See `docs/concepts.md` for the Q&A mechanics.
+- **Guardrail policy** (`guardrailPolicy` recruit arg, #700 P2): Per-player posture for the operator gate on headless Pi players. Four values — `'autonomous'` (default; no gate), `'monitored'` (gate engaged; fail-open: auto-allow after 45 s), `'supervised'` (gate engaged; fail-closed: auto-deny after 300 s; **client-cooperative in P2, not tamper-proof**; daemon-side enforcement is P2.1 #44), `'observe-only'` (non-`low-risk` tools hard-blocked outright). Persisted on `SessionMetadata`; re-sourced at each `(re)attach` from `getMetadata`. See `docs/concepts.md` for operator gate mechanics.
 - **Mock adapter** (`agent: 'mock'`, dev mode only): Four modes: `echo` (echoes input), `scripted` (replays YAML scenario rules), `silent` (drains messages without replying — heartbeat-stale validation), `chaos` (probabilistic fail/crash injection via seeded PRNG). Only registered when `isDevMode()` is true; stripped from the npm tarball by `prepack`. See `src/adapters/mock/`.
 - **Saveable state** (#334, ADR 0011): Per-player curated state slots — the player itself decides what context survives a restart. Three MCP tools: `save_state` (owner-only write, max 4 slots × 32 KiB), `fetch_state` (read self or peer; audit identity recorded on each entry's `savedBy`), `clear_state` (owner-only). `restart` accepts `loadFromState: true | 'someKey'` to seed the new session from a saved-state slot instead of (or, with `transcript: 'replay'`, alongside) transcript replay. Saved-state delivery uses `from: 'self-restart'` as a stable system identity. Empty-slot fallback: graceful — falls through to transcript replay with a log line. See [docs/design/334-player-saveable-state.md](docs/design/334-player-saveable-state.md).
 - **Coat-check** (#318, ADR 0008): Per-ensemble transient content store on Maestro state. Solves the 100 KB cue body cap — stash a large artifact with `coat_check_put` (returns a ticket id) and attach the ticket to a `cue` via `attachmentTicket`; the recipient calls `coat_check_get` to pull the full body. Four MCP tools: `coat_check_put` (any player; max 32 KiB per entry, 20 slots per ensemble, TTL 7d default), `coat_check_get` (any player; bumps fetch-audit counters), `coat_check_list` (read-only survey; headers only, content omitted), `coat_check_evict` (owner or conductor). Saturation rejects with `CoatCheckSlotsFull` (no LRU eviction). See `src/tools/coat-check-*.ts` and [docs/adr/0008-coat-check-pattern.md](docs/adr/0008-coat-check-pattern.md).
 - **Lineup examples**: Six pre-built ensemble YAML files in `examples/ensembles/` — `tempo-big-band`, `tempo-dev-team`, `tempo-review-squad`, `tempo-jam-session`, `tempo-mock-jam` (dev-mode all-mock ensemble), `tempo-headless-jam` (#520 — all-`claude-code-headless` subscription-billed ensemble). Load with `agent-tempo up --lineup <name>` or the `load_lineup` tool.
 - **GitHub App identity** (`agent-tempo[bot]`): When a player writes to GitHub — issue comments, PR creation/merge, commits, labels, check runs — **use `./scripts/ensemble-gh`** instead of `gh`. The wrapper mints a short-lived installation token so the action is attributed to `agent-tempo[bot]`, not to the human maintainer, making the AI authorship visible. Plain `gh` is still correct for read-only local dev (`gh pr view`, `gh repo clone`, `gh auth status`). Every bot-authored comment/PR body must include the AI attribution footer documented in [docs/github-app.md](docs/github-app.md).
 
-See [docs/concepts.md](docs/concepts.md) for the full glossary (Adapter, Attachment phases, Restart, Detach/Destroy, Migrate, Broadcast, Recall, Schedule, Lineup, Quality Gate, Worktree, Stage, Hold/Release, Pause/Resume, Maestro, TempoClient, and more).
+See [docs/concepts.md](docs/concepts.md) for the full glossary (Adapter, Attachment phases, Restart, Detach/Destroy, Migrate, Broadcast, Recall, Schedule, Lineup, Quality Gate, Worktree, Stage, Hold/Release, Pause/Resume, Maestro, TempoClient, Guardrail policy, Command-center planner, and more).
 
 ## Commit Convention
 

package/README.md

@@ -277,7 +277,7 @@ From the TUI, `/recruit-conductor` relaunches the active ensemble's conductor
 
 **Prerequisites:** `@earendil-works/pi-coding-agent` on Node ≥ 22.19. Recommended: `ANTHROPIC_API_KEY` (without it the session falls back to Pi's own auth/default model).
 
-**Headless Pi players** — recruit as a background agent slot using `agent: 'pi'` (see [docs/design/pi-hardening-h1-h2-h3.md](docs/design/pi-hardening-h1-h2-h3.md)).
+**Headless Pi players** — recruit as a background agent slot using `agent: 'pi'`. Pass `guardrailPolicy: 'monitored' | 'supervised' | 'observe-only'` to control the operator gate (default `'autonomous'` — no gate). See [docs/concepts.md](docs/concepts.md#command-center-and-player-supervision) for the gate mechanics and the supervised caveat.
 
 📖 [Pi integration reference → docs/design/pi-hardening-h1-h2-h3.md](docs/design/pi-hardening-h1-h2-h3.md)
 

package/dashboard/package.json

@@ -1,7 +1,7 @@
 {
   "name": "agent-tempo-dashboard",
   "private": true,
-  "version": "1.7.0-beta.2",
+  "version": "1.7.0-beta.4",
   "type": "module",
   "description": "Web dashboard for agent-tempo. Bundled into the npm package; served by the daemon at /dashboard/*.",
   "scripts": {

package/dist/activities/outbox.js

@@ -504,6 +504,13 @@ function createOutboxActivities(client, config, ingestTokens, gate) {
                     // REPLACES) means a restart re-mints and naturally revokes the stale
                     // token. Injected into the subprocess env as AGENT_TEMPO_INGEST_TOKEN.
                     const ingestToken = ingestTokens?.mint((0, config_1.sessionWorkflowId)(ensemble, targetName));
+                    // #712 — record the DURABLE guardrail policy on the daemon gate at spawn
+                    // (beside the ingest-token mint, same daemon process + lifecycle) so the
+                    // gate's failMode cross-check is daemon-authoritative from the FIRST
+                    // engagement — no lazy metadata query on the common path. Absent ⇒
+                    // autonomous (the extension default). Mint REPLACES on restart; setPolicy
+                    // likewise re-stamps the current durable posture (no silent downgrade).
+                    gate?.setPolicy((0, config_1.sessionWorkflowId)(ensemble, targetName), guardrailPolicy ?? 'autonomous');
                     const { pid } = (0, spawn_1.spawnPiHeadless)({
                         name: targetName,
                         ensemble,

package/dist/cli/commands.js

@@ -1030,10 +1030,17 @@ async function up(opts) {
                     else if (p.detail)
                         out.dim(`  Agent types already installed (${p.detail})`);
                 }
+                else if (p.step === 'search-attributes') {
+                    // #46 — ensureInfra registers SAs with `quiet: true` (the per-attribute
+                    // success lines are suppressed for the extension TUI path). The CLI
+                    // restores visibility with a one-line summary here. `detail` is
+                    // "N failed" only when registration failed (errors/permission warnings
+                    // still print from registerSearchAttributes regardless of `quiet`).
+                    out.check('Search attributes registered', !p.detail, p.detail);
+                }
                 else if (p.step === 'daemon') {
                     out.check(p.status === 'ok' ? 'Worker daemon running' : 'Worker daemon started', true, p.detail);
                 }
-                // 'search-attributes' logs per-attribute internally via registerSearchAttributes.
             },
         });
     }

package/dist/client/core.js

@@ -1109,6 +1109,22 @@ function createTempoClientCore(client, opts = {}) {
                 return null;
             }
         },
+        async coatCheckPut(ensemble, input) {
+            // #713 — thin wrapper over the maestro `coatCheckPut` Update so the daemon
+            // HTTP route can stash on behalf of the inbox-less command-center planner.
+            // Errors PROPAGATE (unlike getAnswer's tolerant catch): the workflow's
+            // structured `CoatCheckSlotsFull` / `CoatCheckEntryTooLarge` failures must
+            // reach the HTTP layer so it can map them to a 4xx instead of swallowing.
+            const h = handle((0, config_1.maestroWorkflowId)(ensemble));
+            return await h.executeUpdate(maestro_signals_1.coatCheckPutUpdate, { args: [input] });
+        },
+        async coatCheckGet(ensemble, input) {
+            // #713 — redeem a ticket over the maestro `coatCheckGet` Update. `null` is
+            // the workflow's normal "missing / expired / evicted" return (not an
+            // error); genuine failures propagate to the HTTP layer.
+            const h = handle((0, config_1.maestroWorkflowId)(ensemble));
+            return await h.executeUpdate(maestro_signals_1.coatCheckGetUpdate, { args: [input] });
+        },
         async isAnySessionHeld(ensemble) {
             // Scan the ensemble's sessions and check the per-session
             // `outboxLocked` query. The maestro session is skipped — it's the

package/dist/client/interface.d.ts

@@ -4,7 +4,8 @@
  * Extracted from `src/tui/client.ts` so that non-TUI consumers (CLI, tests,
  * external integrations) can depend on the interface without pulling in Ink/React.
  */
-import type { AgentType, MaestroPlayerInfo, MaestroRelayMessage, HistoryEntry, Message, SentMessage, SessionMetadata, ScheduleEntry, QualityGate, StageEntry, WorktreeEntry, EnsembleChatResult, AttachmentInfo, HostInfo, AnswerEntry } from '../types';
+import type { AgentType, MaestroPlayerInfo, MaestroRelayMessage, HistoryEntry, Message, SentMessage, SessionMetadata, ScheduleEntry, QualityGate, StageEntry, WorktreeEntry, EnsembleChatResult, AttachmentInfo, HostInfo, AnswerEntry, CoatCheckEntry } from '../types';
+import type { CoatCheckPutInput, CoatCheckPutResult, CoatCheckGetInput } from '../workflows/maestro-signals';
 import type { RestoreOrphansSummary } from '../reconcile/orphans';
 import type { SubscribeOptions, TempoEvent } from '../http/event-types';
 /**
@@ -427,6 +428,23 @@ export interface TempoClientCore {
      * aggregate's outstanding-ask poll (which emits the `answer` SSE event).
      */
     getAnswer(ensemble: string, questionId: string): Promise<AnswerEntry | null>;
+    /**
+     * #713 — stash a large content body on the per-ensemble coat-check (#318) over
+     * a maestro Update. Thin client wrapper around `coatCheckPutUpdate` so the
+     * daemon HTTP route (`POST /v1/ensembles/:e/coat-check`) can let the inbox-less
+     * command-center planner park a plan and hand off a ticket. `putBy` is the
+     * audit identity (set by the caller — the HTTP layer stamps the operator).
+     * Throws the workflow's structured ApplicationFailure on saturation /
+     * oversize (`CoatCheckSlotsFull` / `CoatCheckEntryTooLarge`).
+     */
+    coatCheckPut(ensemble: string, input: CoatCheckPutInput): Promise<CoatCheckPutResult>;
+    /**
+     * #713 — redeem a coat-check ticket (#318) over a maestro Update. Returns the
+     * full entry (incl. content body) or `null` when the ticket is missing /
+     * expired / evicted. A successful redemption bumps the entry's fetch-audit
+     * counters (`fetchedBy` is the audit identity), so this is NOT a pure read.
+     */
+    coatCheckGet(ensemble: string, input: CoatCheckGetInput): Promise<CoatCheckEntry | null>;
     /** Disband an ensemble: terminate all sessions, scheduler, and maestro workflows. */
     disbandEnsemble(ensemble: string): Promise<{
         terminated: number;

package/dist/daemon.js

@@ -74,6 +74,8 @@ const grpc_shutdown_guard_1 = require("./utils/grpc-shutdown-guard");
 const daemon_1 = require("./cli/daemon");
 const client_3 = require("./client");
 const orphans_1 = require("./reconcile/orphans");
+const query_timeout_1 = require("./utils/query-timeout");
+const signals_1 = require("./workflows/signals");
 const agent_types_1 = require("./ensemble/agent-types");
 const pre_flight_1 = require("./adapters/claude-code-headless/pre-flight");
 const daemon_adapter_versions_1 = require("./daemon-adapter-versions");
@@ -970,6 +972,24 @@ async function main() {
             const bootEpoch = Date.now();
             aggregateRunner = new AggregateRunner({ client: httpClient, bootEpoch });
             aggregateRunner.start();
+            // #712 — BOUNDED durable-policy resolver for the gate failMode cross-check.
+            // The gate is normally policy-populated at spawn (sync, no query); this is
+            // the rare-cache-miss fallback the ingest gate_pending path awaits. It MUST
+            // be bounded (utils/query-timeout) so it can never hang gate engagement. A
+            // successful query with an absent metadata field ⇒ 'autonomous' (a real,
+            // open posture). Timeout / error / workflow-gone ⇒ undefined ⇒ the route
+            // leaves the policy unresolved ⇒ open() enforces 'closed' (NO-FAIL-OPEN).
+            const reconcileClientForPolicy = reconcileClient;
+            const resolveGuardrailPolicy = async (workflowId) => {
+                try {
+                    const handle = reconcileClientForPolicy.workflow.getHandle(workflowId);
+                    const md = await (0, query_timeout_1.queryHandleWithTimeout)(handle, signals_1.getMetadataQuery);
+                    return md?.guardrailPolicy ?? 'autonomous';
+                }
+                catch {
+                    return undefined; // timeout / error / gone → indeterminate → open() enforces closed
+                }
+            };
             httpServerHandle = await startHttpServer({
                 client: httpClient,
                 namespace: config.temporalNamespace,
@@ -984,6 +1004,8 @@ async function main() {
                 // 3d MD-G — the same gate registry the worker's outbox auto-disarms on
                 // detach/destroy; the HTTP server serves arm/disarm/decide + resolution.
                 gate,
+                // #712 — bounded durable-policy resolver for the failMode cross-check.
+                resolveGuardrailPolicy,
             });
             log(`HTTP listening on http://${httpServerHandle.bindAddr}:${httpServerHandle.port}`);
             log(`Aggregate poll loop running (bootEpoch=${bootEpoch})`);

package/dist/http/coat-check.d.ts

@@ -0,0 +1,36 @@
+/**
+ * Daemon coat-check routes (#713 / #42) — HTTP surface over the per-ensemble
+ * coat-check store (#318, ADR 0008).
+ *
+ *   POST /v1/ensembles/:e/coat-check          { summary, content, contentType?, ttlMs? } → 200 { ticket, … }
+ *   GET  /v1/ensembles/:e/coat-check/:ticket                                              → 200 { found, entry }
+ *
+ * **Why**: `coat_check_put` was MCP/Temporal-only, so the command-center planner
+ * (a mission-control Pi extension with NO Temporal inbox — it drives the daemon
+ * over HTTP) could only hand off plans INLINE on a cue. This route lets the
+ * planner park a plan and hand off a ticket instead, keeping the cue body lean.
+ *
+ * **Audit identity** is stamped by this layer as the operator (`maestro`) — the
+ * HTTP caller cannot supply `putBy` / `fetchedBy` (same anti-spoof posture as the
+ * MCP tools, where audit identity comes from `getPlayerId()`, never a caller arg).
+ *
+ * **Auth** (gated by the caller in server.ts):
+ * - `put` is a WRITE → Tier 2 (admin), consistent with `/ask` and the write surface.
+ * - `get` REDEEMS via a maestro Update that bumps fetch-audit counters — it is NOT
+ *   a pure read, so it is also gated at Tier 2.
+ */
+import type { IncomingMessage, ServerResponse } from 'http';
+import type { TempoClient } from '../client/interface';
+/**
+ * Operator audit identity for HTTP-sourced coat-check ops. The command-center
+ * planner has no player id; like the `/cue` + `/ask` routes (which write as the
+ * maestro), stashes/redeems are attributed to the maestro. NOT caller-supplied —
+ * a fixed constant so the HTTP surface can't spoof a peer's audit identity.
+ */
+export declare const HTTP_COAT_CHECK_IDENTITY = "maestro";
+/** A ticket is non-empty, ≤ cap, and URL/path-safe (it rides a GET path segment). */
+export declare function isValidTicket(t: string | undefined): t is string;
+/** POST /v1/ensembles/:e/coat-check — stash a content body, return a ticket. */
+export declare function handleCoatCheckPut(req: IncomingMessage, res: ServerResponse, client: TempoClient, ensemble: string): Promise<void>;
+/** GET /v1/ensembles/:e/coat-check/:ticket — redeem a ticket + pull the content. */
+export declare function handleCoatCheckGet(res: ServerResponse, client: TempoClient, ensemble: string, ticket: string): Promise<void>;

package/dist/http/coat-check.js

@@ -0,0 +1,110 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HTTP_COAT_CHECK_IDENTITY = void 0;
+exports.isValidTicket = isValidTicket;
+exports.handleCoatCheckPut = handleCoatCheckPut;
+exports.handleCoatCheckGet = handleCoatCheckGet;
+const responses_1 = require("./responses");
+const body_1 = require("./body");
+const validation_1 = require("../utils/validation");
+const validation_2 = require("../utils/validation");
+/**
+ * Operator audit identity for HTTP-sourced coat-check ops. The command-center
+ * planner has no player id; like the `/cue` + `/ask` routes (which write as the
+ * maestro), stashes/redeems are attributed to the maestro. NOT caller-supplied —
+ * a fixed constant so the HTTP surface can't spoof a peer's audit identity.
+ */
+exports.HTTP_COAT_CHECK_IDENTITY = 'maestro';
+/** A ticket is non-empty, ≤ cap, and URL/path-safe (it rides a GET path segment). */
+function isValidTicket(t) {
+    return typeof t === 'string' && t.length > 0 && t.length <= validation_2.COAT_CHECK_TICKET_MAX && validation_2.COAT_CHECK_TICKET_REGEX.test(t);
+}
+/** POST /v1/ensembles/:e/coat-check — stash a content body, return a ticket. */
+async function handleCoatCheckPut(req, res, client, ensemble) {
+    if ((0, validation_1.validateEnsembleName)(ensemble) !== null) {
+        return (0, responses_1.errorResponse)(res, 400, { error: 'invalid-ensemble-name', ensemble });
+    }
+    const body = await (0, body_1.readJsonBody)(req);
+    if (body === body_1.BODY_TOO_LARGE)
+        return (0, responses_1.errorResponse)(res, 413, { error: 'body-too-large', limit: body_1.WRITE_BODY_MAX });
+    if (body === body_1.BODY_INVALID_JSON)
+        return (0, responses_1.errorResponse)(res, 400, { error: 'invalid-json' });
+    const summary = (0, body_1.stringField)(body, 'summary');
+    const content = (0, body_1.stringField)(body, 'content');
+    if (!summary)
+        return (0, responses_1.errorResponse)(res, 400, { error: 'missing-field', field: 'summary' });
+    if (!content)
+        return (0, responses_1.errorResponse)(res, 400, { error: 'missing-field', field: 'content' });
+    if (summary.length > validation_2.COAT_CHECK_SUMMARY_MAX) {
+        return (0, responses_1.errorResponse)(res, 400, { error: 'summary-too-long', limit: validation_2.COAT_CHECK_SUMMARY_MAX });
+    }
+    // Byte length, not char length — the workflow validator caps on UTF-8 bytes.
+    if (Buffer.byteLength(content, 'utf8') > validation_2.COAT_CHECK_CONTENT_MAX) {
+        return (0, responses_1.errorResponse)(res, 413, { error: 'content-too-large', limit: validation_2.COAT_CHECK_CONTENT_MAX });
+    }
+    const contentType = (0, body_1.stringField)(body, 'contentType');
+    if (contentType !== undefined && contentType.length > validation_2.COAT_CHECK_CONTENT_TYPE_MAX) {
+        return (0, responses_1.errorResponse)(res, 400, { error: 'content-type-too-long', limit: validation_2.COAT_CHECK_CONTENT_TYPE_MAX });
+    }
+    let ttlMs;
+    if (body.ttlMs !== undefined) {
+        if (typeof body.ttlMs !== 'number' ||
+            !Number.isInteger(body.ttlMs) ||
+            body.ttlMs < validation_2.COAT_CHECK_TTL_MIN_MS ||
+            body.ttlMs > validation_2.COAT_CHECK_TTL_MAX_MS) {
+            return (0, responses_1.errorResponse)(res, 400, {
+                error: 'invalid-field', field: 'ttlMs', min: validation_2.COAT_CHECK_TTL_MIN_MS, max: validation_2.COAT_CHECK_TTL_MAX_MS,
+            });
+        }
+        ttlMs = body.ttlMs;
+    }
+    try {
+        const result = await client.coatCheckPut(ensemble, {
+            summary,
+            content,
+            ...(contentType !== undefined ? { contentType } : {}),
+            ...(ttlMs !== undefined ? { ttlMs } : {}),
+            putBy: exports.HTTP_COAT_CHECK_IDENTITY,
+        });
+        (0, responses_1.jsonResponse)(res, 200, { ok: true, ensemble, ...result });
+    }
+    catch (err) {
+        return mapCoatCheckError(res, ensemble, err);
+    }
+}
+/** GET /v1/ensembles/:e/coat-check/:ticket — redeem a ticket + pull the content. */
+async function handleCoatCheckGet(res, client, ensemble, ticket) {
+    if ((0, validation_1.validateEnsembleName)(ensemble) !== null) {
+        return (0, responses_1.errorResponse)(res, 400, { error: 'invalid-ensemble-name', ensemble });
+    }
+    if (!isValidTicket(ticket)) {
+        return (0, responses_1.errorResponse)(res, 400, { error: 'invalid-ticket', ticket });
+    }
+    try {
+        const entry = await client.coatCheckGet(ensemble, { ticket, fetchedBy: exports.HTTP_COAT_CHECK_IDENTITY });
+        // Mirror the sibling `/answer` route: 200 + `found:false` for the common
+        // "ticket already gone" case (missing / expired / evicted), rather than 404.
+        (0, responses_1.jsonResponse)(res, 200, { ok: true, ensemble, ticket, found: entry !== null, entry });
+    }
+    catch (err) {
+        return mapCoatCheckError(res, ensemble, err);
+    }
+}
+/**
+ * Map a thrown coat-check error to an HTTP response. Recognises the maestro
+ * hub-not-running errors (→ 404) and the workflow's structured saturation /
+ * oversize ApplicationFailures (→ 409 / 413); anything else → 500.
+ */
+function mapCoatCheckError(res, ensemble, err) {
+    const message = err instanceof Error ? err.message : String(err);
+    if (/no session found|no maestro|workflow not found/i.test(message)) {
+        return (0, responses_1.errorResponse)(res, 404, { error: 'session-not-found', ensemble, detail: message });
+    }
+    if (/CoatCheckSlotsFull/i.test(message)) {
+        return (0, responses_1.errorResponse)(res, 409, { error: 'coat-check-slots-full', ensemble, detail: message });
+    }
+    if (/CoatCheckEntryTooLarge/i.test(message)) {
+        return (0, responses_1.errorResponse)(res, 413, { error: 'coat-check-entry-too-large', ensemble, detail: message });
+    }
+    return (0, responses_1.errorResponse)(res, 500, { error: 'coat-check-failed', ensemble, detail: message });
+}

package/dist/http/gate-audit.js

@@ -42,7 +42,7 @@ exports.createGateAuditSink = createGateAuditSink;
  *
  *   <AGENT_TEMPO_HOME>/gate-audit/<ensemble>/<workflowId>.jsonl
  *
- * Each {@link GateAuditRecord} (arm | disarm | decision) is one JSON line,
+ * Each {@link GateAuditRecord} (arm | disarm | decision | failmode-override) is one JSON line,
  * appended SYNCHRONOUSLY at the decision/posture-change point so the durable
  * record lands before the daemon hands back control (no buffering window where a
  * crash loses an allow/deny). The `ensemble` sidecar (not part of the locked

package/dist/http/gate-registry.d.ts

@@ -47,6 +47,7 @@
  * coordination bus). Nothing here is imported by `src/workflows/`.
  */
 import type { InnerFrame } from '../pi/inner-loop-publisher';
+import type { GuardrailPolicy } from '../types';
 /**
  * MONITORED (fail-OPEN) timeout: a pending request auto-ALLOWS after this long
  * (R3, locked). The cheap-if-wrong fuse for an otherwise-autonomous agent the
@@ -75,6 +76,26 @@ export declare const GATE_CLOSED_DENY_MS = 300000;
  * (auto-ALLOW); `'closed'` = supervised (auto-DENY).
  */
 export type GateFailMode = 'open' | 'closed';
+/**
+ * #712 — the daemon-AUTHORITATIVE fail posture for a player, derived from its
+ * DURABLE `guardrailPolicy` (the source of truth on SessionMetadata). The
+ * `gate_pending` frame's `failMode` claim is ADVISORY only: the daemon enforces
+ * THIS regardless, so an engaging agent can't self-downgrade a supervised player
+ * out of fail-closed by stamping `'open'`.
+ *
+ * Posture — **fail-CLOSED except an EXPLICITLY `monitored`/`autonomous` player**:
+ *   - `monitored`  → `'open'`  (operator-armed observability gate; fail-OPEN is its point)
+ *   - `autonomous` → `'open'`  (never engages the gate on its own; if an operator
+ *                               arms it, it behaves as monitored → fail-open)
+ *   - `supervised`   → `'closed'`
+ *   - `observe-only` → `'closed'`  (most-restrictive no-act posture; if the client
+ *                                   no-act block is ever bypassed and it reaches the
+ *                                   gate, auto-ALLOW would be backwards — defense-in-depth)
+ *   - `undefined` (policy not yet resolved — e.g. post-daemon-restart pre-reconcile,
+ *                  or a bounded metadata query that timed out/errored) → `'closed'`
+ *                  (NO-FAIL-OPEN: uncertainty resolves to the safe posture).
+ */
+export declare function enforcedFailMode(policy: GuardrailPolicy | undefined): GateFailMode;
 /**
  * Terminal decision on a gated tool call. `auto-allow` = the open (monitored)
  * timeout fired; `auto-deny` = the closed (supervised) timeout fired. The two
@@ -100,10 +121,12 @@ export interface GateRequestMeta {
      */
     ensemble?: string;
     /**
-     * Per-request fail posture (#700 / G). `'closed'` (supervised) → auto-DENY
-     * after {@link GATE_CLOSED_DENY_MS}; `'open'` (monitored, **default**) →
-     * auto-ALLOW after {@link GATE_AUTO_ALLOW_MS}. Carried on the `gate_pending`
-     * frame from the agent's durable `guardrailPolicy`; omitted ⇒ `'open'`.
+     * The engaging agent's ADVISORY failMode claim from the `gate_pending` frame
+     * (#700). **#712: advisory only** — {@link GateRegistry.open} ENFORCES the
+     * failMode from the player's durable policy ({@link enforcedFailMode}), not
+     * from this field. It is retained solely to DETECT a self-downgrade (frame
+     * claimed the weaker `open` while the policy enforces `closed` → a
+     * `failmode-override` audit record). Omitted ⇒ treated as the claim `'open'`.
      */
     failMode?: GateFailMode;
 }
@@ -133,6 +156,26 @@ export type GateAuditRecord = {
     workflowId: string;
     source: 'operator';
     operatorTokenHint?: string;
+} | {
+    /**
+     * #712 — the daemon enforced a STRICTER failMode than the gate_pending
+     * frame claimed (frame `open`, policy-enforced `closed`). An
+     * override-detected OBSERVABILITY signal — NEUTRAL-FACTUAL: it could be a
+     * client bug, a stale client, or an injection self-downgrade attempt; the
+     * operator/security interprets. This is exactly the self-downgrade vector
+     * the #712 cross-check closes.
+     */
+    kind: 'failmode-override';
+    ts: string;
+    workflowId: string;
+    sessionId?: string;
+    requestId: string;
+    tool: string;
+    argsSummary: string;
+    claimedFailMode: GateFailMode;
+    enforcedFailMode: GateFailMode;
+    /** The durable policy that drove enforcement; `'unknown'` when unresolved. */
+    policy: GuardrailPolicy | 'unknown';
 };
 /**
  * Append-only audit sink (daemon wires the JSONL writer; tests inject a spy).
@@ -180,11 +223,28 @@ export declare class GateRegistry {
     disarm(workflowId: string, operatorTokenHint?: string): void;
     /** Whether the gate is currently armed for a player (the engagement predicate reads this). */
     isArmed(workflowId: string): boolean;
+    /**
+     * #712 — record the player's DURABLE `guardrailPolicy` so {@link open} can
+     * enforce its failMode authoritatively (frame claim ignored). Populated at
+     * spawn (beside the ingest-token mint), reconstructed at reconcile-on-boot, and
+     * lazily back-filled by the ingest route on a cache-miss. Cleared by
+     * {@link clearPlayer} (detach/destroy) like all per-player state.
+     */
+    setPolicy(workflowId: string, policy: GuardrailPolicy): void;
+    /** #712 — the recorded durable policy, or `undefined` if not yet resolved. */
+    getPolicy(workflowId: string): GuardrailPolicy | undefined;
     /**
      * Open (or return the existing) pending request for a gated tool call.
      * Idempotent on `requestId` — a retried open returns the existing entry so the
-     * source can safely re-register before polling. Does NOT audit (the request
-     * isn't a decision); the decision/auto-allow audit records carry tool+args.
+     * source can safely re-register before polling.
+     *
+     * #712 — DAEMON-AUTHORITATIVE failMode: the stored failMode is computed from the
+     * player's DURABLE policy ({@link enforcedFailMode}), NOT from `meta.failMode`
+     * (which is now an ADVISORY claim from the engaging agent). The route resolves +
+     * stores the policy (spawn / reconcile / lazy miss-resolve) before this call; an
+     * unresolved policy enforces `closed` (no-fail-open). When the frame claimed the
+     * weaker `open` but the policy enforces `closed`, a NEUTRAL-FACTUAL
+     * `failmode-override` audit record is emitted (the self-downgrade #712 closes).
      */
     open(workflowId: string, requestId: string, meta: GateRequestMeta): void;
     /**

package/dist/http/gate-registry.js

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.GateRegistry = exports.GATE_CLOSED_DENY_MS = exports.GATE_AUTO_ALLOW_MS = void 0;
+exports.enforcedFailMode = enforcedFailMode;
 /**
  * MONITORED (fail-OPEN) timeout: a pending request auto-ALLOWS after this long
  * (R3, locked). The cheap-if-wrong fuse for an otherwise-autonomous agent the
@@ -21,6 +22,28 @@ exports.GATE_AUTO_ALLOW_MS = 45_000;
  * constant for closed.
  */
 exports.GATE_CLOSED_DENY_MS = 300_000;
+/**
+ * #712 — the daemon-AUTHORITATIVE fail posture for a player, derived from its
+ * DURABLE `guardrailPolicy` (the source of truth on SessionMetadata). The
+ * `gate_pending` frame's `failMode` claim is ADVISORY only: the daemon enforces
+ * THIS regardless, so an engaging agent can't self-downgrade a supervised player
+ * out of fail-closed by stamping `'open'`.
+ *
+ * Posture — **fail-CLOSED except an EXPLICITLY `monitored`/`autonomous` player**:
+ *   - `monitored`  → `'open'`  (operator-armed observability gate; fail-OPEN is its point)
+ *   - `autonomous` → `'open'`  (never engages the gate on its own; if an operator
+ *                               arms it, it behaves as monitored → fail-open)
+ *   - `supervised`   → `'closed'`
+ *   - `observe-only` → `'closed'`  (most-restrictive no-act posture; if the client
+ *                                   no-act block is ever bypassed and it reaches the
+ *                                   gate, auto-ALLOW would be backwards — defense-in-depth)
+ *   - `undefined` (policy not yet resolved — e.g. post-daemon-restart pre-reconcile,
+ *                  or a bounded metadata query that timed out/errored) → `'closed'`
+ *                  (NO-FAIL-OPEN: uncertainty resolves to the safe posture).
+ */
+function enforcedFailMode(policy) {
+    return policy === 'monitored' || policy === 'autonomous' ? 'open' : 'closed';
+}
 /**
  * Per-daemon operator-gate registry, keyed by the player's fixed session
  * `workflowId`. One instance is constructed in the daemon and shared between the
@@ -77,12 +100,34 @@ class GateRegistry {
     isArmed(workflowId) {
         return this.gates.get(workflowId)?.armed ?? false;
     }
+    // ── #712 durable-policy source of truth (daemon-authoritative failMode) ──────
+    /**
+     * #712 — record the player's DURABLE `guardrailPolicy` so {@link open} can
+     * enforce its failMode authoritatively (frame claim ignored). Populated at
+     * spawn (beside the ingest-token mint), reconstructed at reconcile-on-boot, and
+     * lazily back-filled by the ingest route on a cache-miss. Cleared by
+     * {@link clearPlayer} (detach/destroy) like all per-player state.
+     */
+    setPolicy(workflowId, policy) {
+        this.gate(workflowId).policy = policy;
+    }
+    /** #712 — the recorded durable policy, or `undefined` if not yet resolved. */
+    getPolicy(workflowId) {
+        return this.gates.get(workflowId)?.policy;
+    }
     // ── Pending requests (source opens; operator decides; source polls) ─────────
     /**
      * Open (or return the existing) pending request for a gated tool call.
      * Idempotent on `requestId` — a retried open returns the existing entry so the
-     * source can safely re-register before polling. Does NOT audit (the request
-     * isn't a decision); the decision/auto-allow audit records carry tool+args.
+     * source can safely re-register before polling.
+     *
+     * #712 — DAEMON-AUTHORITATIVE failMode: the stored failMode is computed from the
+     * player's DURABLE policy ({@link enforcedFailMode}), NOT from `meta.failMode`
+     * (which is now an ADVISORY claim from the engaging agent). The route resolves +
+     * stores the policy (spawn / reconcile / lazy miss-resolve) before this call; an
+     * unresolved policy enforces `closed` (no-fail-open). When the frame claimed the
+     * weaker `open` but the policy enforces `closed`, a NEUTRAL-FACTUAL
+     * `failmode-override` audit record is emitted (the self-downgrade #712 closes).
      */
     open(workflowId, requestId, meta) {
         const g = this.gate(workflowId);
@@ -90,12 +135,28 @@ class GateRegistry {
             g.ensemble = meta.ensemble;
         if (g.pending.has(requestId))
             return;
+        const enforced = enforcedFailMode(g.policy);
+        const claimed = meta.failMode ?? 'open';
+        if (enforced === 'closed' && claimed === 'open') {
+            this.audit({
+                kind: 'failmode-override',
+                ts: this.nowIso(),
+                workflowId,
+                ...(meta.sessionId ? { sessionId: meta.sessionId } : {}),
+                requestId,
+                tool: meta.tool,
+                argsSummary: meta.argsSummary,
+                claimedFailMode: claimed,
+                enforcedFailMode: enforced,
+                policy: g.policy ?? 'unknown',
+            }, g.ensemble);
+        }
         g.pending.set(requestId, {
             tool: meta.tool,
             argsSummary: meta.argsSummary,
             sessionId: meta.sessionId,
             createdAt: this.now(),
-            failMode: meta.failMode ?? 'open',
+            failMode: enforced,
             decision: null,
             source: null,
         });

package/dist/http/inner-loop-routes.d.ts

@@ -24,6 +24,7 @@ import type { IncomingMessage, ServerResponse } from 'http';
 import type { InnerLoopRegistry } from './inner-loop';
 import type { IngestTokenRegistry } from './ingest-registry';
 import type { GateRegistry } from './gate-registry';
+import type { GuardrailPolicy } from '../types';
 /** Header carrying the per-player ingest token (the source-plane credential). */
 export declare const INGEST_TOKEN_HEADER = "x-ingest-token";
 export interface InnerLoopDeps {
@@ -40,6 +41,17 @@ export interface InnerLoopDeps {
      * `gate_resolved` emission flows back via its injected publishToInner.
      */
     gate?: GateRegistry;
+    /**
+     * #712 — BOUNDED resolver for a player's DURABLE `guardrailPolicy` (daemon
+     * wires it to a `getMetadataQuery` behind `utils/query-timeout`). Used by the
+     * ingest gate_pending path ONLY on a {@link GateRegistry.getPolicy} cache-miss
+     * (the common path is spawn/reconcile-populated → sync, no query). Returns the
+     * resolved policy (absent metadata field ⇒ `'autonomous'`), or `undefined` when
+     * the query TIMES OUT / ERRORS / the workflow is gone — the caller then leaves
+     * the gate policy unresolved so `open()` enforces `closed` (NO-FAIL-OPEN). The
+     * resolver MUST be bounded so it can never hang gate engagement.
+     */
+    resolveGuardrailPolicy?: (workflowId: string) => Promise<GuardrailPolicy | undefined>;
 }
 /** True when the request originates from the same host (loopback). */
 export declare function isLoopbackRemote(req: IncomingMessage): boolean;

package/dist/http/inner-loop-routes.js

@@ -86,12 +86,24 @@ async function handleInnerIngest(req, res, deps, ensemble, playerId) {
     if (type === 'inner.gate_pending' && deps.gate) {
         const f = body;
         if (typeof f.requestId === 'string' && typeof f.tool === 'string') {
+            // #712 — ensure the gate knows the player's DURABLE guardrailPolicy BEFORE
+            // registering, so open() enforces failMode from policy (daemon-authoritative),
+            // not the frame's advisory claim. Fast path: already populated at spawn /
+            // reconcile (sync, no query). Miss (post-restart pre-reconcile): a BOUNDED
+            // getMetadataQuery; on success populate the gate. On timeout/error/gone the
+            // resolver returns undefined → we leave it unresolved → open() enforces
+            // 'closed' (NO-FAIL-OPEN).
+            if (deps.resolveGuardrailPolicy && deps.gate.getPolicy(workflowId) === undefined) {
+                const resolved = await deps.resolveGuardrailPolicy(workflowId);
+                if (resolved !== undefined)
+                    deps.gate.setPolicy(workflowId, resolved);
+            }
             deps.gate.open(workflowId, f.requestId, {
                 tool: f.tool,
                 argsSummary: typeof f.argsSummary === 'string' ? f.argsSummary : '',
                 ensemble,
-                // #700 / G — per-request fail posture from the agent's guardrailPolicy.
-                // Only 'closed' is meaningful; anything else (incl. absent) ⇒ 'open'.
+                // #712 — ADVISORY claim only (open() enforces from policy); retained so a
+                // self-downgrade (frame 'open' vs policy-enforced 'closed') is auditable.
                 failMode: f.failMode === 'closed' ? 'closed' : 'open',
             });
         }

package/dist/http/server.d.ts

@@ -17,6 +17,7 @@
  */
 import * as http from 'http';
 import type { TempoClient } from '../client/interface';
+import type { GuardrailPolicy } from '../types';
 import type { AggregateRunner } from './aggregate';
 import type { InnerLoopRegistry } from './inner-loop';
 import type { IngestTokenRegistry } from './ingest-registry';
@@ -106,6 +107,14 @@ export interface HttpServerOptions {
      * detach/destroy) — same singleton pattern as the inner-loop registries.
      */
     gate?: GateRegistry;
+    /**
+     * #712 — bounded resolver for a player's durable `guardrailPolicy`, used by the
+     * ingest gate_pending path on a {@link GateRegistry.getPolicy} cache-miss to
+     * keep the failMode cross-check daemon-authoritative. The daemon wires it to a
+     * `getMetadataQuery` behind `utils/query-timeout`; absent → the route skips the
+     * miss-resolve (an unresolved policy then enforces `closed`, no-fail-open).
+     */
+    resolveGuardrailPolicy?: (workflowId: string) => Promise<GuardrailPolicy | undefined>;
 }
 export interface HttpServerHandle {
     /** The actual port the server is listening on (after `.listen()` resolves). */
@@ -148,6 +157,8 @@ interface HandleContext {
     ingestTokens: IngestTokenRegistry | null;
     /** 3d MD-G operator-gate registry — null when unwired. */
     gate: GateRegistry | null;
+    /** #712 — bounded durable-policy resolver for the failMode cross-check — null when unwired. */
+    resolveGuardrailPolicy: ((workflowId: string) => Promise<GuardrailPolicy | undefined>) | null;
 }
 /**
  * Top-level request dispatcher — exported for unit tests that want to

package/dist/http/server.js

@@ -65,6 +65,7 @@ const fixtures_1 = require("./fixtures");
 const writes_1 = require("./writes");
 const catalog_1 = require("./catalog");
 const qa_1 = require("./qa");
+const coat_check_1 = require("./coat-check");
 const port_file_1 = require("./port-file");
 const responses_1 = require("./responses");
 const snapshot_1 = require("./snapshot");
@@ -170,6 +171,7 @@ async function startHttpServer(opts) {
         innerLoop: opts.innerLoop ?? null,
         ingestTokens: opts.ingestTokens ?? null,
         gate: opts.gate ?? null,
+        resolveGuardrailPolicy: opts.resolveGuardrailPolicy ?? null,
     }).catch((err) => {
         log('unhandled handler error:', err instanceof Error ? err.message : err);
         if (!res.headersSent) {
@@ -282,7 +284,7 @@ async function handle(req, res, ctx) {
     // reaches them regardless of the daemon's bind address. Only live when the
     // daemon wired the registries; else they fall through to the 404/405 path.
     if (ctx.innerLoop && ctx.ingestTokens) {
-        const innerDeps = { innerLoop: ctx.innerLoop, ingestTokens: ctx.ingestTokens, ...(ctx.gate ? { gate: ctx.gate } : {}) };
+        const innerDeps = { innerLoop: ctx.innerLoop, ingestTokens: ctx.ingestTokens, ...(ctx.gate ? { gate: ctx.gate } : {}), ...(ctx.resolveGuardrailPolicy ? { resolveGuardrailPolicy: ctx.resolveGuardrailPolicy } : {}) };
         const ingestMatch = pathname.match(/^\/v1\/players\/([^/]+)\/([^/]+)\/inner\/ingest$/);
         if (ingestMatch) {
             if (method !== 'POST') {
@@ -405,6 +407,31 @@ async function handle(req, res, ctx) {
         }
         return (0, qa_1.handleAnswer)(res, ctx.client, ensemble, questionId);
     }
+    // #713 — coat-check HTTP routes. The POST (2-segment) MUST be matched BEFORE
+    // the generic writeMatch below, which would otherwise 404 `coat-check` as an
+    // unknown write action. Both are Tier 2 (admin): `put` is a write; `get`
+    // REDEEMS via a maestro Update that bumps fetch-audit counters (not a pure read).
+    const coatCheckPutMatch = pathname.match(/^\/v1\/ensembles\/([^/]+)\/coat-check$/);
+    if (coatCheckPutMatch) {
+        const ensemble = decodeURIComponent(coatCheckPutMatch[1]);
+        if (!gateTier(2))
+            return; // write
+        if (method !== 'POST') {
+            return (0, responses_1.errorResponse)(res, 405, { error: 'method-not-allowed' }, { Allow: 'POST, OPTIONS' });
+        }
+        return (0, coat_check_1.handleCoatCheckPut)(req, res, ctx.client, ensemble);
+    }
+    const coatCheckGetMatch = pathname.match(/^\/v1\/ensembles\/([^/]+)\/coat-check\/([^/]+)$/);
+    if (coatCheckGetMatch) {
+        const ensemble = decodeURIComponent(coatCheckGetMatch[1]);
+        const ticket = decodeURIComponent(coatCheckGetMatch[2]);
+        if (!gateTier(2))
+            return; // redeem mutates fetch-audit counters → Tier 2
+        if (method !== 'GET') {
+            return (0, responses_1.errorResponse)(res, 405, { error: 'method-not-allowed' }, { Allow: 'GET, OPTIONS' });
+        }
+        return (0, coat_check_1.handleCoatCheckGet)(res, ctx.client, ensemble, ticket);
+    }
     // Write surface (PR-7a of #340) — POST `/v1/ensembles/:ensemble/<action>`
     // Match BEFORE the GET-only method gate; everything else (POST to a
     // read endpoint, GET to a write endpoint) flows into the 405 fallback

package/dist/pi/mission-control/actions.d.ts

@@ -36,6 +36,9 @@ export declare class MissionControlActions {
     get ready(): boolean;
     private baseUrl;
     private post;
+    /** POST and parse a JSON response body (bearer-authed). Used when the caller
+     *  needs the response payload, not just success — e.g. the coat-check ticket. */
+    private postJson;
     /** GET a JSON body from the daemon (bearer-authed). Used by the read surface (#700 readAnswer). */
     private getJson;
     private ens;
@@ -90,6 +93,25 @@ export declare class MissionControlActions {
      * transport error) — the caller polls or waits for the SSE `answer` wake.
      */
     readAnswer(questionId: string): Promise<AnswerEntry | null>;
+    /**
+     * Stash a content body on the ensemble coat-check (`POST /v1/ensembles/:e/coat-check`)
+     * and return the ticket. Lets the inbox-less planner park a large plan and hand
+     * off a ticket instead of inlining it on a cue. NOTE (#713): the coat-check entry
+     * cap (32 KiB) is BELOW the 100 KB cue cap, so this keeps cues lean — it does NOT
+     * raise the handoff ceiling.
+     */
+    coatCheckPut(opts: {
+        summary: string;
+        content: string;
+        contentType?: string;
+        ttlMs?: number;
+    }): Promise<{
+        ok: true;
+        ticket: string;
+    } | {
+        ok: false;
+        error: string;
+    }>;
     gateArm(playerId: string): Promise<ActionResult>;
     gateDisarm(playerId: string): Promise<ActionResult>;
     gateDecide(playerId: string, requestId: string, decision: 'allow' | 'deny'): Promise<ActionResult>;

package/dist/pi/mission-control/actions.js

@@ -62,6 +62,31 @@ class MissionControlActions {
             return { ok: false, error: err instanceof Error ? err.message : String(err) };
         }
     }
+    /** POST and parse a JSON response body (bearer-authed). Used when the caller
+     *  needs the response payload, not just success — e.g. the coat-check ticket. */
+    async postJson(pathSuffix, body) {
+        if (!this.adminToken)
+            return { ok: false, error: `no admin token (set ${exports.ADMIN_TOKEN_ENV})` };
+        if (!this.fetchFn)
+            return { ok: false, error: 'no fetch transport available' };
+        const base = this.baseUrl();
+        if (base === null)
+            return { ok: false, error: 'daemon HTTP not reachable (no port)' };
+        try {
+            const res = await this.fetchFn(`${base}${pathSuffix}`, {
+                method: 'POST',
+                headers: { Authorization: `Bearer ${this.adminToken}`, 'Content-Type': 'application/json' },
+                body: JSON.stringify(body ?? {}),
+            });
+            const text = await res.text().catch(() => '');
+            if (res.status < 200 || res.status >= 300)
+                return { ok: false, error: `HTTP ${res.status}${text ? `: ${text.slice(0, 200)}` : ''}` };
+            return { ok: true, data: JSON.parse(text) };
+        }
+        catch (err) {
+            return { ok: false, error: err instanceof Error ? err.message : String(err) };
+        }
+    }
     /** GET a JSON body from the daemon (bearer-authed). Used by the read surface (#700 readAnswer). */
     async getJson(pathSuffix) {
         if (!this.adminToken)
@@ -151,6 +176,18 @@ class MissionControlActions {
         const res = await this.getJson(`/v1/ensembles/${this.ens()}/answer/${encodeURIComponent(questionId)}`);
         return res.ok ? (res.data.answer ?? null) : null;
     }
+    // ── Coat-check surface (#713) ──
+    /**
+     * Stash a content body on the ensemble coat-check (`POST /v1/ensembles/:e/coat-check`)
+     * and return the ticket. Lets the inbox-less planner park a large plan and hand
+     * off a ticket instead of inlining it on a cue. NOTE (#713): the coat-check entry
+     * cap (32 KiB) is BELOW the 100 KB cue cap, so this keeps cues lean — it does NOT
+     * raise the handoff ceiling.
+     */
+    async coatCheckPut(opts) {
+        const res = await this.postJson(`/v1/ensembles/${this.ens()}/coat-check`, opts);
+        return res.ok ? { ok: true, ticket: res.data.ticket } : res;
+    }
     // ── Operator gate plane (T3) ──
     gateArm(playerId) {
         return this.post(`/v1/players/${this.player(playerId)}/gate-arm`, {});

package/dist/pi/mission-control/extension.d.ts

@@ -1,5 +1,5 @@
 import { type BoardModel } from './board';
-import { MissionControlActions } from './actions';
+import { MissionControlActions, type ActionResult } from './actions';
 import { type InfraProgress } from '../../cli/ensure-infra';
 import type { McExtensionAPI, McExtensionContext, McOutboundMessage, McMessageOptions } from './pi-ui';
 /**
@@ -93,6 +93,18 @@ export declare class Controller {
     /** Bounded poll of the answer mailbox (human `/ask` path). Resolves null on timeout. */
     private pollAnswer;
     cmdHandoff(args: string, ctx: McExtensionContext): Promise<void>;
+    /**
+     * #713 — hand a plan to `target`. Plans in the stash band `(8 KiB, 32 KiB]`
+     * are parked on the coat-check (`coatCheckPut`) and the cue carries only a
+     * short summary + the redeem instruction, keeping the cue body lean. Smaller
+     * plans cue inline; larger ones (> 32 KiB) ALSO cue inline up to the 100 KB cue
+     * cap — the coat-check entry cap is below the cue cap, so it can't hold them.
+     *
+     * Public so both the `/handoff` slash command and the planner `handoff` tool
+     * share one path. If a stash fails (saturation / transport), falls back to an
+     * inline cue so the handoff still lands (a ≤ 32 KiB plan always fits a cue).
+     */
+    handoffPlan(target: string, plan: string): Promise<ActionResult>;
 }
 /**
  * #700 P2 — register the planner LLM tools (the "think with tools" half) on an

package/dist/pi/mission-control/extension.js

@@ -66,8 +66,22 @@ const actions_1 = require("./actions");
 const inner_tail_1 = require("./inner-tail");
 const ensure_infra_1 = require("../../cli/ensure-infra");
 const zod_to_typebox_1 = require("../zod-to-typebox");
+const validation_1 = require("../../utils/validation");
 /** The durable conductor a `/handoff` targets by default (matches catalog's conductorName default). */
 const DEFAULT_CONDUCTOR = 'conductor';
+/**
+ * #713 — handoff stash band (UTF-8 bytes). A plan in `(MIN, MAX]` stashes to the
+ * coat-check so the cue body stays lean; below MIN an inline cue is fine; above
+ * MAX (the coat-check entry cap) we stay inline up to the 100 KB cue cap.
+ *
+ * HONEST FRAMING (#713): MAX === the coat-check entry cap (32 KiB), which is
+ * BELOW the 100 KB cue cap. Coat-check stashing keeps cues lean and lets the
+ * inbox-less planner park artifacts — it does NOT raise the handoff ceiling. A
+ * plan over 100 KB still cannot be handed off; that would need a coat-check cap
+ * increase (a separate decision with Temporal continue-as-new state implications).
+ */
+const HANDOFF_STASH_MIN_BYTES = 8 * 1024;
+const HANDOFF_STASH_MAX_BYTES = validation_1.COAT_CHECK_CONTENT_MAX;
 /** Bounded human-`/ask` poll: total wait + interval. The LLM `ask` tool yields instead (SSE wake). */
 const ASK_POLL_TIMEOUT_MS = 30_000;
 const ASK_POLL_INTERVAL_MS = 1_000;
@@ -370,9 +384,35 @@ class Controller {
             this.notify(ctx, 'Usage: /handoff <plan> — pushes the plan to the durable conductor.');
             return;
         }
-        // Inline cue (a §5.4 brief is small markdown). Large-plan-via-coat-check is a
-        // P2.1 follow-up (coat_check_put has no HTTP route yet).
-        this.report(ctx, `handoff → ${DEFAULT_CONDUCTOR}`, await this.actions.cue(DEFAULT_CONDUCTOR, `[PLAN HANDOFF]\n${plan}`));
+        this.report(ctx, `handoff → ${DEFAULT_CONDUCTOR}`, await this.handoffPlan(DEFAULT_CONDUCTOR, plan));
+    }
+    /**
+     * #713 — hand a plan to `target`. Plans in the stash band `(8 KiB, 32 KiB]`
+     * are parked on the coat-check (`coatCheckPut`) and the cue carries only a
+     * short summary + the redeem instruction, keeping the cue body lean. Smaller
+     * plans cue inline; larger ones (> 32 KiB) ALSO cue inline up to the 100 KB cue
+     * cap — the coat-check entry cap is below the cue cap, so it can't hold them.
+     *
+     * Public so both the `/handoff` slash command and the planner `handoff` tool
+     * share one path. If a stash fails (saturation / transport), falls back to an
+     * inline cue so the handoff still lands (a ≤ 32 KiB plan always fits a cue).
+     */
+    async handoffPlan(target, plan) {
+        const bytes = Buffer.byteLength(plan, 'utf8');
+        if (bytes > HANDOFF_STASH_MIN_BYTES && bytes <= HANDOFF_STASH_MAX_BYTES) {
+            const preview = plan.replace(/\s+/g, ' ').trim().slice(0, 160);
+            const stash = await this.actions.coatCheckPut({
+                summary: `[PLAN HANDOFF] ${preview}`,
+                content: plan,
+                contentType: 'text/markdown',
+            });
+            if (stash.ok) {
+                return this.actions.cue(target, `[PLAN HANDOFF] Full plan stashed on the coat-check (${bytes} bytes) — redeem with the ` +
+                    `\`coat_check_get\` tool:\ncoat_check_get({ ticket: "${stash.ticket}" })`);
+            }
+            // Stash failed — fall through to inline (the plan fits the 100 KB cue cap).
+        }
+        return this.actions.cue(target, `[PLAN HANDOFF]\n${plan}`);
     }
 }
 exports.Controller = Controller;
@@ -413,7 +453,9 @@ function registerPlannerTools(pi, ctrl) {
         execute: async (_id, params) => {
             const { plan, to } = params;
             const target = to ?? DEFAULT_CONDUCTOR;
-            const r = await ctrl.actions.cue(target, `[PLAN HANDOFF]\n${plan}`);
+            // #713 — large plans stash to the coat-check (cue carries the ticket);
+            // small plans inline. Shared with the `/handoff` slash command.
+            const r = await ctrl.handoffPlan(target, plan);
             if (!r.ok)
                 throw new Error(`handoff failed: ${r.error}`);
             return ok(`Plan handed off to ${target}.`);

package/dist/tui/index.js

@@ -141,6 +141,8 @@ function createDummyClient() {
         isMaestroPaused: async () => false,
         isAnySessionHeld: async () => false,
         getAnswer: async () => null,
+        coatCheckPut: fail,
+        coatCheckGet: async () => null,
         getGates: async () => [],
         getStages: async () => [],
         getWorktrees: async () => [],

package/dist/types.d.ts

@@ -238,16 +238,28 @@ export interface SessionMetadata {
      * the real posture on EVERY attach (across restart / migrate / re-attach), so
      * a previously-`supervised` agent stays supervised. (tempo-architect ruling.)
      *
-     * **★ P2 scope — CLIENT-COOPERATIVE, not tamper-proof (conductor ruling).**
-     * The agent stamps the per-request `failMode` from THIS policy in its own
-     * extension (`src/pi/extension.ts`), so `supervised` is only as strong as the
-     * agent HONORING its own policy — exactly MD-C tool-access parity (also
-     * client-enforced). It is NOT a hard security boundary against a compromised /
-     * prompt-injected agent that stamps `'open'` to self-downgrade. The tamper-
-     * proof form (the daemon cross-checks the request's `failMode` against this
-     * durable policy and FORCES `closed` for a supervised player) is **P2.1**, and
-     * is additive — it reads `failMode` off the same per-request seam. Do not
-     * describe `supervised` as a hard guarantee until daemon-side enforcement lands.
+     * **★ Enforcement scope (#715).** `supervised` is the daemon-enforced approval
+     * boundary for the realistic threat: a prompt-injected agent. A manipulated LLM
+     * can only *emit* tool-call requests — Pi routes every one to agent-tempo's
+     * `tool_call` handler, which engages the gate (non-`low-risk`) or hard-blocks
+     * (exec tools at `toolAccess: 'restricted'`). The agent **cannot** skip the gate
+     * or run a dangerous tool directly — it doesn't control the hook. The daemon also
+     * derives `failMode` from this durable policy (populated at spawn, falling
+     * `closed` on any lookup failure — no-fail-open), so an engaging agent can't
+     * self-downgrade a supervised player out of fail-closed.
+     *
+     * The **residual** is *process compromise*: code execution **inside** the Pi
+     * process (host RCE bypassing the handler entirely). No client-side gate defends
+     * that — it requires OS-level process sandboxing, tracked as a separate future
+     * `'sandboxed'` posture (#724). That is **not a gap in `supervised`'s scope**:
+     * supervised targets prompt-injection, and against that threat it **is** a real
+     * enforcement boundary.
+     *
+     * **Post-restart window:** on daemon restart the in-memory ingest tokens are
+     * invalidated, so existing players' gate engagements are rejected (403) until a
+     * re-spawn re-mints. In that window a `supervised` player's gate-client
+     * fail-closes on its own derived deadline (client-side safety holds, not
+     * daemon-mediated) — same process-compromise residual, not a distinct gap.
      */
     guardrailPolicy?: GuardrailPolicy;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agent-tempo",
-  "version": "1.7.0-beta.2",
+  "version": "1.7.0-beta.4",
   "description": "Many agents, one tempo. Durable coordination for multi-agent work via Temporal.",
   "keywords": [
     "mcp",
@@ -72,12 +72,12 @@
     "copilot-bridge": "ts-node src/adapters/copilot/adapter.ts",
     "clean:test": "node -e \"require('fs').rmSync('dist-test',{recursive:true,force:true})\"",
     "build:test": "npm run clean:test && tsc -p test/tsconfig.json",
-    "pretest": "npm run build:test",
+    "pretest": "node scripts/check-bundle-present.js && npm run build:test",
     "test:tui": "vitest run",
     "test:conformance": "npm run build:test && mocha --config .mocharc.conformance.yml",
-    "pretest:shard-1": "npm run build:test && npm run build:scripts",
+    "pretest:shard-1": "node scripts/check-bundle-present.js && npm run build:test && npm run build:scripts",
     "test:shard-1": "node dist/scripts/run-shard.js 1",
-    "pretest:shard-2": "npm run build:test && npm run build:scripts",
+    "pretest:shard-2": "node scripts/check-bundle-present.js && npm run build:test && npm run build:scripts",
     "test:shard-2": "node dist/scripts/run-shard.js 2",
     "test": "mocha && vitest run",
     "lint:surface-drift": "node scripts/check-surface-drift.js",