agent-tempo 1.7.0-beta.4 → 1.7.0-beta.6

package/CLAUDE.md

@@ -211,7 +211,7 @@ daemon worker notes, `npx ts-node` dev runner).
 - **OpenCode adapter** (`agent: 'opencode'`, #449): Headless multi-provider adapter that drives sessions via [SST OpenCode](https://opencode.ai) as a managed subprocess — supports Anthropic, OpenAI, Bedrock, Vertex, Ollama, and ~70 other providers via OpenCode's `provider/model` selector. Requires OpenCode CLI (`npm install -g opencode-ai`) and the `@opencode-ai/sdk` optional dependency. Recruit with `model: 'provider/name'` (e.g. `'anthropic/claude-opus-4-7'`). Tool bridging is MCP-native — OpenCode spawns `dist/server.js` as its own stdio MCP child. Session state is persisted server-side by OpenCode; the adapter stashes the session id on workflow metadata for reconnect across `opencode serve` restarts. See `src/adapters/opencode/`.
 - **Claude Code headless adapter** (`agent: 'claude-code-headless'`, #520): Headless adapter that drives sessions via the official `claude` CLI as a per-turn `claude -p --output-format stream-json` subprocess. The whole point: turns bill against the host's existing Claude Code subscription extra-usage credits (Pro / Max plans) rather than a Console workspace API key — the only ToS-clean way for a third-party tool to tap that pool. Requires the `claude` binary on PATH AND a logged-in Claude Code session (`claude auth login`); recruit pre-flight rejects with an actionable error otherwise. Tool surface is the union of full Claude Code built-ins (Bash / Read / Write / Edit / Glob / Grep / WebSearch / WebFetch) and the agent-tempo MCP surface — registered via inline `--mcp-config` so `claude` spawns `dist/server.js` as its own MCP child (no in-process bridge). Recruit knobs: `permissionMode` (default `'acceptEdits'`) or `dangerouslySkipPermissions: true` (mutually exclusive). Sessions resume across restart via the existing `sessionId` metadata field — the same UUID is shared with the interactive `claude-code` adapter (per-cwd JSONL is per-cwd, not per-adapter). See `src/adapters/claude-code-headless/` and `examples/ensembles/tempo-headless-jam.yaml`.
 - **Pi adapter** (`agent: 'pi'`, #632 / #666): Two modes. **(1) Interactive conductor** (#666): `agent-tempo up --agent pi --ensemble <name>` launches `pi` in a real terminal with the agent-tempo extension auto-loaded (`pi -e dist/pi/extension.js`); the Pi session self-bootstraps its Temporal workflow and attaches as a conductor/player — no separate recruiter step. From the TUI, `/recruit-conductor` relaunches the active ensemble's conductor — set `conductor.agent: pi` in that ensemble's lineup to make it a Pi conductor. Requires `@earendil-works/pi-coding-agent` on Node ≥ 22.19. Recommended: `ANTHROPIC_API_KEY` (without it the session falls back to Pi's own auth/default model). The `AGENT_TEMPO_*` env is auto-wired by `up`; power users can invoke the extension directly with `pi -e dist/pi/extension.js`. `--model provider/model` selector (e.g. `'github-copilot/gpt-4o'`) is a fast-follow. **(2) Headless player** (Phase 3a): `recruit` with `agent: 'pi'` — no terminal, no BaseAttachment; runs `createAgentSession` with an in-memory `SessionManager`; the module-scope singleton owns claim/heartbeat/tools/cue pump (MD-D). MD-C tool-access policy: `toolAccess: 'restricted'` (default — Bash/shell/exec HARD-BLOCKED) | `'standard'` (scoped Bash) | `'full'` (unsandboxed; requires `force: true`). `noExtensions: true` closes the S2 exec-tool-bypass gap. See `src/adapters/pi/` and `src/pi/headless.ts`.
-- **Mission-control Pi extension** (3f): An observer-only Pi extension that turns one interactive Pi TUI into a live ensemble board + operator controller. HTTP-drives the daemon — coarse ensemble view via `/v1/events/:ensemble` SSE + fine per-player tail via `/inner` (T3); operator controls (cue/pause/play/restart/destroy + gate arm/disarm/decide) POST to the daemon write surface using `AGENT_TEMPO_HTTP_ADMIN_TOKEN`. **Never claims attachment or registers as a player** — invisible to the ensemble. ~200ms render throttle from an in-memory `BoardModel`. Requires an interactive Pi session with `ctx.hasUI`. See `src/pi/mission-control/`.
+- **Mission-control / Command-center** (3f, #700 P2): An interactive Pi TUI that is both a live ensemble board + operator controller and an LLM planner. Board side: HTTP-drives the daemon — coarse ensemble view via `/v1/events/:ensemble` SSE + fine per-player tail via `/inner` (T3); operator controls (cue/pause/play/restart/destroy + gate arm/disarm/decide) POST to the daemon write surface using `AGENT_TEMPO_HTTP_ADMIN_TOKEN`. Planner side: registers LLM tools (`ask` / `handoff` / `cue` / `recruit` / `observe_board`) via `MissionControlActions` — HTTP-backed, distinct from the player extension's `renderToPi` MCP surface. **Never claims attachment or registers as a player** — invisible to the ensemble. Launch with **`agent-tempo command-center [ensemble]`** (aliases: `cc`, `board`) — sets `AGENT_TEMPO_MISSION_CONTROL=1`. **Role-gated and mutually exclusive** with the player extension (`resolvePiRole` discriminator: explicit `AGENT_TEMPO_PI_ROLE` → `PLAYER_NAME` present → `AGENT_TEMPO_MISSION_CONTROL` → `none`): a bare `pi` keeps both extensions dormant (plain coding session); a player session (`up --agent pi` / `recruit`) keeps the board dormant. Power users invoking `pi -e dist/pi/extension.js` directly without `PLAYER_NAME` also resolve to `none` (dormant) — set `AGENT_TEMPO_PI_ROLE=player` to force player mode. See `src/pi/mission-control/`.
 - **Command-center planner** (#700 P2): An inbox-less interactive Pi session (the operator's planning seat) that routes questions to players via correlated `cue` tags (`[Q <questionId>]`). Players answer with the `respond` MCP tool, which parks the answer on the per-ensemble maestro Q&A mailbox (TTL 1h, 20-slot cap). The planner is woken by an `answer` SSE event when the answer lands (`docs/SSE-PROTOCOL.md` §6). `/handoff` cues hand active work to a conductor (a registered player with a Temporal inbox). See `docs/concepts.md` for the Q&A mechanics.
 - **Guardrail policy** (`guardrailPolicy` recruit arg, #700 P2): Per-player posture for the operator gate on headless Pi players. Four values — `'autonomous'` (default; no gate), `'monitored'` (gate engaged; fail-open: auto-allow after 45 s), `'supervised'` (gate engaged; fail-closed: auto-deny after 300 s; **client-cooperative in P2, not tamper-proof**; daemon-side enforcement is P2.1 #44), `'observe-only'` (non-`low-risk` tools hard-blocked outright). Persisted on `SessionMetadata`; re-sourced at each `(re)attach` from `getMetadata`. See `docs/concepts.md` for operator gate mechanics.
 - **Mock adapter** (`agent: 'mock'`, dev mode only): Four modes: `echo` (echoes input), `scripted` (replays YAML scenario rules), `silent` (drains messages without replying — heartbeat-stale validation), `chaos` (probabilistic fail/crash injection via seeded PRNG). Only registered when `isDevMode()` is true; stripped from the npm tarball by `prepack`. See `src/adapters/mock/`.

package/dashboard/package.json

@@ -1,7 +1,7 @@
 {
   "name": "agent-tempo-dashboard",
   "private": true,
-  "version": "1.7.0-beta.4",
+  "version": "1.7.0-beta.6",
   "type": "module",
   "description": "Web dashboard for agent-tempo. Bundled into the npm package; served by the daemon at /dashboard/*.",
   "scripts": {

package/dist/cli/command-center-command.d.ts

@@ -0,0 +1,28 @@
+/**
+ * `agent-tempo command-center` (#729) — launch an interactive Pi mission-control
+ * board for an ensemble.
+ *
+ * The board is the OPERATOR seat: it observes the ensemble (coarse SSE) and POSTs
+ * operator actions (cue/pause/restart/gate/…) to the daemon's write/gate surface.
+ * It is NOT a player — it never claims attachment or registers as an ensemble
+ * member.
+ *
+ * The deliberate launch path (#729 A2): this sets `AGENT_TEMPO_MISSION_CONTROL=1`
+ * so {@link resolvePiRole} resolves `'command-center'`, which activates the
+ * mission-control extension and keeps the player extension dormant — exactly one
+ * of the two auto-loaded Pi extensions registers tools, so their `cue`/`recruit`
+ * names can't collide. It MUST NOT set `PLAYER_NAME`/`CONDUCTOR` (those flip the
+ * role to player). A bare `pi` (neither signal) keeps BOTH dormant — plain coding
+ * sessions stay pristine.
+ */
+import { CliOverrides } from '../config';
+export interface CommandCenterArgs extends CliOverrides {
+    /** Ensemble to observe (positional / `--ensemble`); falls back to config default. */
+    ensemble?: string;
+}
+/**
+ * Public entry point — invoked by the CLI dispatcher. Launches the board in a
+ * real terminal (Pi only attaches its UI in a TTY) and returns; exits 1 on a
+ * fail-clean preflight error.
+ */
+export declare function commandCenterCommand(args: CommandCenterArgs): Promise<void>;

package/dist/cli/command-center-command.js

@@ -0,0 +1,114 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.commandCenterCommand = commandCenterCommand;
+/**
+ * `agent-tempo command-center` (#729) — launch an interactive Pi mission-control
+ * board for an ensemble.
+ *
+ * The board is the OPERATOR seat: it observes the ensemble (coarse SSE) and POSTs
+ * operator actions (cue/pause/restart/gate/…) to the daemon's write/gate surface.
+ * It is NOT a player — it never claims attachment or registers as an ensemble
+ * member.
+ *
+ * The deliberate launch path (#729 A2): this sets `AGENT_TEMPO_MISSION_CONTROL=1`
+ * so {@link resolvePiRole} resolves `'command-center'`, which activates the
+ * mission-control extension and keeps the player extension dormant — exactly one
+ * of the two auto-loaded Pi extensions registers tools, so their `cue`/`recruit`
+ * names can't collide. It MUST NOT set `PLAYER_NAME`/`CONDUCTOR` (those flip the
+ * role to player). A bare `pi` (neither signal) keeps BOTH dormant — plain coding
+ * sessions stay pristine.
+ */
+const config_1 = require("../config");
+const spawn_1 = require("../spawn");
+const probe_1 = require("../pi/probe");
+const out = __importStar(require("./output"));
+/**
+ * Public entry point — invoked by the CLI dispatcher. Launches the board in a
+ * real terminal (Pi only attaches its UI in a TTY) and returns; exits 1 on a
+ * fail-clean preflight error.
+ */
+async function commandCenterCommand(args) {
+    const config = (0, config_1.getConfig)(args);
+    const ensemble = config.ensemble;
+    // Preflight — fail BEFORE launching a terminal that would die. checkPiNodeFloor
+    // is a best-effort Node-version proxy; buildPiCommandCenterSpawn's default
+    // resolver throws fail-clean when the Pi CLI is missing.
+    const nodeFloor = (0, probe_1.checkPiNodeFloor)();
+    if (!nodeFloor.ok) {
+        out.error(`Cannot start command-center — ${nodeFloor.reason}`);
+        process.exit(1);
+    }
+    // Admin (T3) token — mission-control's operator write/gate surface reads it.
+    // Without it the board still OBSERVES (coarse SSE), but operator actions return
+    // 401; warn rather than block so a read-only board is still useful.
+    const adminToken = process.env[config_1.ENV.HTTP_ADMIN_TOKEN];
+    if (!adminToken) {
+        out.warn(`${config_1.ENV.HTTP_ADMIN_TOKEN} is not set — the board will observe read-only; operator ` +
+            'actions (cue/pause/restart/gate) need the admin token. Export it before launching for full control.');
+    }
+    if (!process.env.ANTHROPIC_API_KEY) {
+        out.warn('ANTHROPIC_API_KEY is not set — the Pi command-center will fall back to Pi\'s own auth/default model.');
+    }
+    const temporalEnvVars = {
+        [config_1.ENV.TEMPORAL_ADDRESS]: config.temporalAddress,
+        [config_1.ENV.TEMPORAL_NAMESPACE]: config.temporalNamespace,
+    };
+    if (config.temporalApiKey)
+        temporalEnvVars[config_1.ENV.TEMPORAL_API_KEY] = config.temporalApiKey;
+    if (config.temporalTlsCertPath)
+        temporalEnvVars[config_1.ENV.TEMPORAL_TLS_CERT_PATH] = config.temporalTlsCertPath;
+    if (config.temporalTlsKeyPath)
+        temporalEnvVars[config_1.ENV.TEMPORAL_TLS_KEY_PATH] = config.temporalTlsKeyPath;
+    let spawn;
+    try {
+        spawn = (0, spawn_1.buildPiCommandCenterSpawn)({
+            ensemble,
+            temporalEnvVars,
+            taskQueue: config.taskQueue,
+            devMode: (0, config_1.isDevMode)(),
+            ...(adminToken ? { adminToken } : {}),
+            ...(process.env.ANTHROPIC_API_KEY ? { anthropicApiKey: process.env.ANTHROPIC_API_KEY } : {}),
+        });
+    }
+    catch (err) {
+        out.error(`Cannot start command-center — ${err instanceof Error ? err.message : String(err)}`);
+        process.exit(1);
+    }
+    const { pid } = (0, spawn_1.launchInTerminal)(spawn.cmd, spawn.args, process.cwd(), spawn.env);
+    out.success(`Command-center launched for ensemble ${out.cyan(ensemble)} (pid ${pid ?? 'unknown'})`);
+    out.log(`  ${out.dim('Observer-only Pi board — the player extension stays dormant in this session.')}`);
+    out.log(`  ${out.dim('Requires `agent-tempo install-pi` to have registered the extensions.')}`);
+}

package/dist/cli/help-text.js

@@ -86,6 +86,7 @@ ${out.bold('Commands:')}
   ${out.cyan('agent-types')} <sub>        Manage player type definitions (list/show/init)
   ${out.cyan('daemon')}    <sub>          Manage the worker daemon (start/stop/status/logs)
   ${out.cyan('dashboard')}                Open the web dashboard (--no-open / --pair / --json)
+  ${out.cyan('command-center')} [ensemble] Launch the interactive Pi mission-control board (operator seat; alias: cc/board)
   ${out.cyan('upgrade')}  [version]       Upgrade agent-tempo to latest (or specific version)
   ${out.cyan('config')}                   Configure Temporal connection settings
   ${out.cyan('init')}                     Register MCP server globally (or --project for .mcp.json)

package/dist/cli.js

@@ -416,6 +416,18 @@ async function main() {
         });
         return;
     }
+    if (args.command === 'command-center' || args.command === 'cc' || args.command === 'board') {
+        // #729 — launch the interactive Pi mission-control board. Lightweight + does
+        // NOT touch Temporal (it spawns `pi` with the operator opt-in env and drives
+        // the daemon over HTTP), so it stays out of the Temporal-loading `./cli/commands`
+        // import — an operator can open the board even when the Temporal SDK is broken.
+        const { commandCenterCommand } = await Promise.resolve().then(() => __importStar(require('./cli/command-center-command')));
+        await commandCenterCommand({
+            ensemble: args.positional[1],
+            ...overrides,
+        });
+        return;
+    }
     // Dev-mode scriptable verbs (#432). Gated on `isDevMode()` AND an explicit
     // allowlist (`DEV_VERBS`); intercepts BEFORE the removed-verbs check so
     // verbs like `pause` (collapsed by #288) can act on the live ensemble in
@@ -631,7 +643,13 @@ async function main() {
             for (const p of result.alreadyPresent)
                 out.log(out.dim(`  · ${p} (already installed)`));
             out.log('');
-            out.log('  Restart `pi` to load the agent-tempo extensions.');
+            // #729 — the extensions are role-gated: exactly one activates per session.
+            // Point operators at the DELIBERATE launches, not a bare `pi` (which now
+            // intentionally keeps BOTH dormant so plain coding sessions stay pristine).
+            out.log('  Launch a session with one of:');
+            out.log(`    ${out.cyan('agent-tempo up --agent pi')}        a conductor/player in this ensemble`);
+            out.log(`    ${out.cyan('agent-tempo command-center')}       the operator mission-control board`);
+            out.log(out.dim('  A bare `pi` stays a plain coding session (neither extension activates).'));
             break;
         }
         case 'migrate-from-claude-tempo': {

package/dist/config.d.ts

@@ -158,7 +158,54 @@ export declare const ENV: {
      * coordinate three or more parallel agent-tempo profiles on one box.
      */
     readonly DEV_HOME_OVERRIDE: "AGENT_TEMPO_HOME_OVERRIDE";
+    /**
+     * #729 — explicit Pi session-role override for {@link resolvePiRole}. Accepts
+     * `'player'` | `'command-center'`. A future escape hatch: the heuristic
+     * (PLAYER_NAME presence) already classifies every current launch correctly, so
+     * this is intentionally NOT wired into any spawn site — it exists so an operator
+     * can force a role if a new launch path ever defeats the heuristic.
+     */
+    readonly PI_ROLE: "AGENT_TEMPO_PI_ROLE";
+    /**
+     * #729 (A2) — affirmative opt-in for the mission-control command-center board.
+     * Set by the `agent-tempo command-center` launcher (NOT by bare `pi`), so a
+     * plain coding `pi` stays pristine (both extensions dormant). Lower precedence
+     * than {@link PLAYER_NAME} in {@link resolvePiRole} — a session that must CLAIM
+     * never silently degrades to a passive board.
+     */
+    readonly MISSION_CONTROL: "AGENT_TEMPO_MISSION_CONTROL";
 };
+/**
+ * The role of a Pi session (#729). A session is at most ONE of these — the two
+ * auto-loaded Pi extensions gate on it so they're mutually exclusive:
+ * - `player` — the player extension's full MCP surface (cue/recruit/report/…).
+ * - `command-center` — mission-control's operator board + planner tools.
+ * - `none` — neither (a bare `pi` used for plain coding); both stay dormant.
+ *
+ * `player` and `command-center` both register `cue`/`recruit` by name, so loading
+ * both in one session collides and the command-center never starts (#729).
+ */
+export type PiRole = 'player' | 'command-center' | 'none';
+/**
+ * Resolve the role of a Pi session (#729) — the single discriminator both
+ * auto-loaded Pi extensions gate on.
+ *
+ * Precedence (deterministic, #729 A2):
+ * 1. Explicit {@link ENV.PI_ROLE} (`'player'` | `'command-center'`) wins — a future
+ *    escape hatch, intentionally NOT wired into any spawn site.
+ * 2. {@link ENV.PLAYER_NAME} present (every `up`/`recruit` player spawn) → `'player'`.
+ *    Checked BEFORE the board opt-in ON PURPOSE: a session that must CLAIM must
+ *    never silently degrade to a passive board.
+ * 3. {@link ENV.MISSION_CONTROL} opt-in (set by `agent-tempo command-center`) →
+ *    `'command-center'`.
+ * 4. Otherwise `'none'` — a bare `pi` for plain coding: BOTH extensions stay
+ *    dormant (the A2 clean-pi guarantee).
+ *
+ * Pure (env injectable) so the dormancy matrix is unit-testable without spawning.
+ * NOTE: headless Pi is definitionally a recruited player and must NOT rely on this
+ * heuristic — its caller forces `'player'` directly (env-weirdness immune).
+ */
+export declare function resolvePiRole(env?: NodeJS.ProcessEnv): PiRole;
 export interface Config {
     temporalAddress: string;
     temporalNamespace: string;

package/dist/config.js

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.GLOBAL_MAESTRO_WORKFLOW_ID = exports.DaemonConfigSchema = exports.CleanupPolicySchema = exports.CONFIG_FILE_PATH = exports.AGENT_TEMPO_HOME = exports.PROD_DAEMON_PORT = exports.DEV_DAEMON_PORT = exports.PROD_TASK_QUEUE = exports.DEV_TASK_QUEUE = exports.PROD_TEMPORAL_NAMESPACE = exports.DEV_TEMPORAL_NAMESPACE = exports.PROD_HOME_DIR_NAME = exports.DEV_HOME_DIR_NAME = exports.ENV = void 0;
+exports.resolvePiRole = resolvePiRole;
 exports.isDevMode = isDevMode;
 exports.resolveTempoHome = resolveTempoHome;
 exports.bridgeLogsRoot = bridgeLogsRoot;
@@ -186,7 +187,52 @@ exports.ENV = {
      * coordinate three or more parallel agent-tempo profiles on one box.
      */
     DEV_HOME_OVERRIDE: 'AGENT_TEMPO_HOME_OVERRIDE',
+    /**
+     * #729 — explicit Pi session-role override for {@link resolvePiRole}. Accepts
+     * `'player'` | `'command-center'`. A future escape hatch: the heuristic
+     * (PLAYER_NAME presence) already classifies every current launch correctly, so
+     * this is intentionally NOT wired into any spawn site — it exists so an operator
+     * can force a role if a new launch path ever defeats the heuristic.
+     */
+    PI_ROLE: 'AGENT_TEMPO_PI_ROLE',
+    /**
+     * #729 (A2) — affirmative opt-in for the mission-control command-center board.
+     * Set by the `agent-tempo command-center` launcher (NOT by bare `pi`), so a
+     * plain coding `pi` stays pristine (both extensions dormant). Lower precedence
+     * than {@link PLAYER_NAME} in {@link resolvePiRole} — a session that must CLAIM
+     * never silently degrades to a passive board.
+     */
+    MISSION_CONTROL: 'AGENT_TEMPO_MISSION_CONTROL',
 };
+/**
+ * Resolve the role of a Pi session (#729) — the single discriminator both
+ * auto-loaded Pi extensions gate on.
+ *
+ * Precedence (deterministic, #729 A2):
+ * 1. Explicit {@link ENV.PI_ROLE} (`'player'` | `'command-center'`) wins — a future
+ *    escape hatch, intentionally NOT wired into any spawn site.
+ * 2. {@link ENV.PLAYER_NAME} present (every `up`/`recruit` player spawn) → `'player'`.
+ *    Checked BEFORE the board opt-in ON PURPOSE: a session that must CLAIM must
+ *    never silently degrade to a passive board.
+ * 3. {@link ENV.MISSION_CONTROL} opt-in (set by `agent-tempo command-center`) →
+ *    `'command-center'`.
+ * 4. Otherwise `'none'` — a bare `pi` for plain coding: BOTH extensions stay
+ *    dormant (the A2 clean-pi guarantee).
+ *
+ * Pure (env injectable) so the dormancy matrix is unit-testable without spawning.
+ * NOTE: headless Pi is definitionally a recruited player and must NOT rely on this
+ * heuristic — its caller forces `'player'` directly (env-weirdness immune).
+ */
+function resolvePiRole(env = process.env) {
+    const explicit = env[exports.ENV.PI_ROLE];
+    if (explicit === 'player' || explicit === 'command-center')
+        return explicit;
+    if (env[exports.ENV.PLAYER_NAME])
+        return 'player';
+    if (env[exports.ENV.MISSION_CONTROL])
+        return 'command-center';
+    return 'none';
+}
 // ── Dev profile (ADR 0014 §5) ──
 /**
  * Dev profile defaults — one switch (`--dev` top-level flag, or

package/dist/pi/extension.js

@@ -158,6 +158,27 @@ function createPiExtension(options = {}) {
     // #700 (P2 / G) — guardrail posture; absent ⇒ autonomous (no gate).
     const guardrailPolicy = options.guardrailPolicy ?? 'autonomous';
     return function piExtension(pi) {
+        // ── #729 role gate (MUST stay first — before probePi / getConfig /
+        // clientFactory / renderToPi / before_agent_start / any session_start claim) ──
+        //
+        // Headless Pi is definitionally a recruited player, so force 'player' on it —
+        // never trust the env heuristic there (env-weirdness immune). Every INTERACTIVE
+        // player spawn (conductor `up --agent pi`, `recruit`) sets PLAYER_NAME; a bare
+        // `pi` does not. When this session is NOT a player, the player extension goes
+        // FULLY DORMANT: it registers NO tools, opens NO Temporal connection (the
+        // `clientFactory(config)` kickoff below is skipped), and starts NO workflow.
+        //
+        // This is load-bearing for two things at once: (1) it resolves the cue/recruit
+        // tool-name COLLISION with mission-control (exactly one extension registers
+        // tools per session), and (2) it kills the phantom `pi-${process.pid}` orphan
+        // workflow a bare `pi` used to self-bootstrap (the `pi-${pid}` fallback id below
+        // is now never reached in a non-player session).
+        const role = mode === 'headless' ? 'player' : (0, config_1.resolvePiRole)();
+        if (role !== 'player') {
+            log(`dormant — session role is '${role}', not a player: registering no player ` +
+                'surface (no tools, no Temporal connection, no workflow).');
+            return;
+        }
         const probe = (0, probe_1.probePi)();
         if (!probe.available)
             log('WARNING:', probe.reason);

package/dist/pi/headless.d.ts

@@ -38,42 +38,37 @@ export interface RunHeadlessPiOptions {
     continueSessionId?: string;
 }
 /**
- * Build the `DefaultResourceLoader` options for a headless Pi player.
+ * #715 — compute the registration-level `excludeTools` denylist for
+ * `createAgentSession`. Excluded tools are never registered → ABSENT from the
+ * model's toolset AND system prompt: the LLM cannot request what it never sees.
  *
- * SECURITY — S2 (MD-C deny-list soundness). The `restricted` tool gate is a
- * DENY-LIST over shell/exec tool *names* (tool-capability.ts EXEC_TOOLS, via
- * `classify(name) === 'exec'` — F1 replaced extension.ts's former local set). That
- * guarantee — "restricted = no host execution" — holds ONLY IF no third-party
- * extension can register an un-blacklisted execution tool (e.g. a custom
- * `python` / `npm` / `run` tool). It therefore depends on a hard structural
- * fact: which extensions Pi loads.
+ * This is a registration-level FLOOR beneath the call-time MD-C handler + #712
+ * gate. It is tamper-RESISTANT, NOT tamper-PROOF: it defends a PROMPT-INJECTED
+ * agent (and holds even if the call-time gate had a bug — the tool simply isn't
+ * there), but it does NOT defend against PROCESS COMPROMISE — a tampered /
+ * modified extension can re-register or un-exclude tools (this is OUR code
+ * passing a denylist; an attacker who modifies the code/process bypasses it).
+ * That residual is OS-sandbox + supply-chain integrity, tracked as #724.
  *
- * Verified against the installed Pi SDK 0.78 source (NOT assumed):
- *   - `DefaultResourceLoader.reload()` (resource-loader.js:271-276) builds
- *     `extensionPaths = noExtensions ? cliEnabledExtensions
- *                                     : merge(cliEnabledExtensions, enabledExtensions)`
- *     where `enabledExtensions` (line 229) are the DISK/package extensions from
- *     `packageManager.resolve()` (`~/.pi/agent/extensions/`, `<cwd>/.pi/extensions/`,
- *     installed packages). `loadExtensions(extensionPaths)` then loads them and
- *     MERGES with our inline factories (lines 274-276).
- *   - `noExtensions` defaults to `false` (constructor, line 132) — so the naive
- *     loader DOES load disk extensions. That is the S2 gap.
+ * `excludeTools` is matched by NAME against BOTH Pi built-ins AND
+ * extension-registered tools (incl. agent-tempo's MCP tools via `renderToPi`), so
+ * this list contains ONLY Pi-built-in / exec names — never agent-tempo tool names
+ * (`cue`/`report`/`recruit`/…). Posture:
+ *   - `toolAccess === 'restricted'` → exclude {@link EXEC_TOOLS} (exec/bash
+ *     registration-absent; a strict upgrade of the prior call-time block, and the
+ *     headless default → the model never even sees exec).
+ *   - `guardrailPolicy === 'observe-only'` → also exclude the Pi built-in act
+ *     tools ({@link PI_BUILTIN_ACT_TOOLS}); read/grep/glob stay. The agent-tempo
+ *     MCP act tools (recruit/destroy/…) stay covered by the client-side no-act
+ *     handler (commit 5) — excludeTools handles the Pi built-ins only.
+ *   - `monitored` / `supervised` / `autonomous` → NO exec exclusion: those tools
+ *     stay REGISTERED so they can be gated/approved per-use (#712). (`supervised`
+ *     = approve-and-run, NOT exec-absent.)
  *
- * Fix (= security's "exclude the extensions dir", done structurally):
- *   - `noExtensions: true` → `extensionPaths` collapses to `cliEnabledExtensions`,
- *     which is empty because we pass NO `additionalExtensionPaths`. So
- *     `loadExtensions([])` registers nothing from disk/packages.
- *   - Inline `extensionFactories` load UNCONDITIONALLY (reload() line 275 is not
- *     gated by `noExtensions`), so our agent-tempo extension still attaches.
- * Net: the ONLY tools present are Pi's built-ins (bash/read/edit/write/grep —
- * all covered by the deny-list) + our agent-tempo MCP tools (no exec). No
- * third-party tool can slip past the deny-list. Skills/prompts/themes cannot
- * register tools, so they are not a vector and are left at defaults.
- *
- * Kept as a pure, exported helper so the `noExtensions: true` invariant has a
- * unit regression test (test/pi-headless-loader.test.ts) without needing the Pi
- * SDK installed.
+ * Pure + exported so the registration-absence invariant has a unit regression
+ * test without the Pi SDK (mirrors {@link buildPiResourceLoaderOptions}).
  */
+export declare function computeExcludeTools(toolAccess: PiToolAccess, guardrailPolicy: GuardrailPolicy | undefined): string[];
 export declare function buildPiResourceLoaderOptions(params: {
     cwd: string;
     agentDir: string;

package/dist/pi/headless.js

@@ -1,5 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.computeExcludeTools = computeExcludeTools;
 exports.buildPiResourceLoaderOptions = buildPiResourceLoaderOptions;
 exports.runHeadlessPi = runHeadlessPi;
 /**
@@ -31,6 +32,7 @@ exports.runHeadlessPi = runHeadlessPi;
 const config_1 = require("../config");
 const sdk_probe_1 = require("../utils/sdk-probe");
 const extension_1 = require("./extension");
+const tool_capability_1 = require("../security/tool-capability");
 const probe_1 = require("./probe");
 const session_seed_1 = require("./session-seed");
 const log = (...args) => {
@@ -114,6 +116,61 @@ async function resolveModel(modelStr) {
  * unit regression test (test/pi-headless-loader.test.ts) without needing the Pi
  * SDK installed.
  */
+/**
+ * Pi BUILT-IN mutating ("act") tool names, excluded at registration for the
+ * `observe-only` no-act posture (#715). Pi's default built-ins are
+ * read/bash/edit/write; `multiedit` is listed defensively (a no-op if Pi doesn't
+ * register it). `bash`/exec are covered by {@link EXEC_TOOLS}. We keep the READ
+ * built-ins (read/grep/glob/ls). These are Pi BUILT-IN names — deliberately NOT
+ * agent-tempo MCP tool names, so excluding them never removes an agent-tempo
+ * coordination tool (those stay handler-gated, commit 5).
+ */
+const PI_BUILTIN_ACT_TOOLS = ['write', 'edit', 'multiedit'];
+/**
+ * #715 — compute the registration-level `excludeTools` denylist for
+ * `createAgentSession`. Excluded tools are never registered → ABSENT from the
+ * model's toolset AND system prompt: the LLM cannot request what it never sees.
+ *
+ * This is a registration-level FLOOR beneath the call-time MD-C handler + #712
+ * gate. It is tamper-RESISTANT, NOT tamper-PROOF: it defends a PROMPT-INJECTED
+ * agent (and holds even if the call-time gate had a bug — the tool simply isn't
+ * there), but it does NOT defend against PROCESS COMPROMISE — a tampered /
+ * modified extension can re-register or un-exclude tools (this is OUR code
+ * passing a denylist; an attacker who modifies the code/process bypasses it).
+ * That residual is OS-sandbox + supply-chain integrity, tracked as #724.
+ *
+ * `excludeTools` is matched by NAME against BOTH Pi built-ins AND
+ * extension-registered tools (incl. agent-tempo's MCP tools via `renderToPi`), so
+ * this list contains ONLY Pi-built-in / exec names — never agent-tempo tool names
+ * (`cue`/`report`/`recruit`/…). Posture:
+ *   - `toolAccess === 'restricted'` → exclude {@link EXEC_TOOLS} (exec/bash
+ *     registration-absent; a strict upgrade of the prior call-time block, and the
+ *     headless default → the model never even sees exec).
+ *   - `guardrailPolicy === 'observe-only'` → also exclude the Pi built-in act
+ *     tools ({@link PI_BUILTIN_ACT_TOOLS}); read/grep/glob stay. The agent-tempo
+ *     MCP act tools (recruit/destroy/…) stay covered by the client-side no-act
+ *     handler (commit 5) — excludeTools handles the Pi built-ins only.
+ *   - `monitored` / `supervised` / `autonomous` → NO exec exclusion: those tools
+ *     stay REGISTERED so they can be gated/approved per-use (#712). (`supervised`
+ *     = approve-and-run, NOT exec-absent.)
+ *
+ * Pure + exported so the registration-absence invariant has a unit regression
+ * test without the Pi SDK (mirrors {@link buildPiResourceLoaderOptions}).
+ */
+function computeExcludeTools(toolAccess, guardrailPolicy) {
+    const exclude = new Set();
+    if (toolAccess === 'restricted') {
+        for (const t of tool_capability_1.EXEC_TOOLS)
+            exclude.add(t);
+    }
+    if (guardrailPolicy === 'observe-only') {
+        for (const t of tool_capability_1.EXEC_TOOLS)
+            exclude.add(t); // no-act ⊇ no-exec
+        for (const t of PI_BUILTIN_ACT_TOOLS)
+            exclude.add(t);
+    }
+    return [...exclude];
+}
 function buildPiResourceLoaderOptions(params) {
     return {
         cwd: params.cwd,
@@ -192,10 +249,20 @@ async function runHeadlessPi(opts = {}) {
     // heartbeat). The SDK's own doc comment (sdk.js:74-83) prescribes this exact
     // construct → reload() → pass-as-resourceLoader sequence.
     await resourceLoader.reload();
+    // #715 — registration-level exec/act exclusion (the true "agent physically
+    // lacks the tools" boundary; see computeExcludeTools). Excluded tools are never
+    // registered, so they're absent from the model's toolset + system prompt — a
+    // hard layer beyond the call-time MD-C handler + #712 gate (kept as
+    // belt-and-suspenders). Empty for monitored/supervised/autonomous+standard.
+    const excludeTools = computeExcludeTools(toolAccess, opts.guardrailPolicy);
+    if (excludeTools.length > 0) {
+        log(`#715: excluding ${excludeTools.length} tool(s) at registration (toolAccess=${toolAccess}, guardrailPolicy=${opts.guardrailPolicy ?? 'autonomous'}): ${excludeTools.join(', ')}`);
+    }
     const { session } = await createAgentSession({
         cwd: process.cwd(),
         agentDir,
         ...(model ? { model } : {}),
+        ...(excludeTools.length > 0 ? { excludeTools } : {}),
         resourceLoader,
         // H1 (#645): in-memory session (seeded above via the session-seed chokepoint).
         // H2 will seed it from agent-tempo durable state (ENV.PI_CONTINUE_SESSION

package/dist/pi/mission-control/extension.d.ts

@@ -1,3 +1,4 @@
+import { type PiRole } from '../../config';
 import { type BoardModel } from './board';
 import { MissionControlActions, type ActionResult } from './actions';
 import { type InfraProgress } from '../../cli/ensure-infra';
@@ -25,6 +26,12 @@ export interface MissionControlDeps {
     renderThrottleMs?: number;
     /** Local daemon host for tailability (test override; defaults to `os.hostname()`). */
     localHost?: string;
+    /**
+     * #729 — session-role override for the dormancy gate (test seam). Defaults to
+     * {@link resolvePiRole}. The board activates ONLY for `'command-center'`;
+     * `'player'` and `'none'` both keep it dormant.
+     */
+    role?: PiRole;
 }
 /**
  * Infra-bootstrap seam (#700 P1). Defaults to the real {@link ensureInfra}; the

package/dist/pi/mission-control/extension.js

@@ -517,6 +517,21 @@ const log = (...args) => {
  */
 function createMissionControlExtension(deps = {}) {
     return (pi) => {
+        // ── #729 role gate (MUST stay first — before any registerCommand /
+        // registerTool / session_start SSE) ──
+        //
+        // The board activates ONLY in the command-center role (the operator's
+        // `agent-tempo command-center` seat, which sets AGENT_TEMPO_MISSION_CONTROL).
+        // A player session ('player') AND a bare coding `pi` ('none') both keep the
+        // board DORMANT — no commands/tools registered, no coarse SSE opened. This is
+        // the other half of #729 mutual exclusion: exactly one extension registers
+        // tools per session (no cue/recruit name collision with the player surface),
+        // and a plain `pi` stays pristine (A2 — affirmative opt-in only).
+        const role = deps.role ?? (0, config_1.resolvePiRole)();
+        if (role !== 'command-center') {
+            log(`dormant — session role is '${role}', not command-center: board not activated.`);
+            return;
+        }
         const ensemble = deps.ensemble ?? (0, config_1.getConfig)().ensemble;
         const adminToken = deps.adminToken ?? process.env[actions_1.ADMIN_TOKEN_ENV];
         const throttleMs = deps.renderThrottleMs ?? DEFAULT_RENDER_THROTTLE_MS;

package/dist/spawn.d.ts

@@ -174,6 +174,45 @@ export declare function buildPiConductorSpawn(opts: PiConductorSpawnOpts): {
     args: string[];
     env: Record<string, string>;
 };
+/** Inputs for {@link buildPiCommandCenterSpawn} (pure — unit-tested without spawning). */
+export interface PiCommandCenterSpawnOpts {
+    ensemble: string;
+    /** Temporal env (address/namespace/api-key/tls) built by the caller. */
+    temporalEnvVars: Record<string, string>;
+    /** Temporal task queue (forwarded for config parity; the board drives the daemon via HTTP). */
+    taskQueue: string;
+    devMode: boolean;
+    /** Daemon admin (T3) token → `AGENT_TEMPO_HTTP_ADMIN_TOKEN` (mission-control's write/gate surface). */
+    adminToken?: string;
+    /** Forwarded if set (Pi's own model auth). */
+    anthropicApiKey?: string;
+    /** Injectable resolver (defaults to the real one, which fails clean on miss). */
+    resolveBinary?: () => {
+        cmd: string;
+        args: string[];
+    };
+}
+/**
+ * Build the interactive Pi COMMAND-CENTER (mission-control) spawn spec —
+ * `{ cmd, args, env }` for {@link launchInTerminal} (#729). PURE + injectable.
+ *
+ * Unlike {@link buildPiConductorSpawn}, this passes NO `-e <ext>`: install-pi
+ * registers BOTH Pi extensions in `~/.pi/agent/settings.json`, so a plain `pi`
+ * auto-loads them and {@link resolvePiRole} (via the env below) picks exactly one.
+ * Passing `-e` here would DOUBLE-LOAD mission-control (settings.json + `-e`) → a
+ * command re-registration error. The env carries the OPERATOR subset only:
+ *   - `AGENT_TEMPO_MISSION_CONTROL=1` → the role opt-in (resolver → `command-center`).
+ *   - `AGENT_TEMPO_ENSEMBLE` → which ensemble the board observes.
+ *   - `AGENT_TEMPO_HTTP_ADMIN_TOKEN` → the daemon write/gate surface the board POSTs to.
+ *
+ * ★ It MUST NOT set `PLAYER_NAME` or `CONDUCTOR` — either flips {@link resolvePiRole}
+ * to `'player'`, which would keep the board dormant (and self-bootstrap a player).
+ */
+export declare function buildPiCommandCenterSpawn(opts: PiCommandCenterSpawnOpts): {
+    cmd: string;
+    args: string[];
+    env: Record<string, string>;
+};
 export interface CopilotBridgeOpts {
     name: string;
     ensemble: string;

package/dist/spawn.js

@@ -16,6 +16,7 @@ exports.spawnInTerminal = spawnInTerminal;
 exports.resolvePiInteractiveBinary = resolvePiInteractiveBinary;
 exports.resolvePiExtensionPath = resolvePiExtensionPath;
 exports.buildPiConductorSpawn = buildPiConductorSpawn;
+exports.buildPiCommandCenterSpawn = buildPiCommandCenterSpawn;
 exports.spawnCopilotBridge = spawnCopilotBridge;
 exports.spawnMockAdapter = spawnMockAdapter;
 exports.spawnClaudeApiAdapter = spawnClaudeApiAdapter;
@@ -673,6 +674,37 @@ function buildPiConductorSpawn(opts) {
     };
     return { cmd, args, env };
 }
+/**
+ * Build the interactive Pi COMMAND-CENTER (mission-control) spawn spec —
+ * `{ cmd, args, env }` for {@link launchInTerminal} (#729). PURE + injectable.
+ *
+ * Unlike {@link buildPiConductorSpawn}, this passes NO `-e <ext>`: install-pi
+ * registers BOTH Pi extensions in `~/.pi/agent/settings.json`, so a plain `pi`
+ * auto-loads them and {@link resolvePiRole} (via the env below) picks exactly one.
+ * Passing `-e` here would DOUBLE-LOAD mission-control (settings.json + `-e`) → a
+ * command re-registration error. The env carries the OPERATOR subset only:
+ *   - `AGENT_TEMPO_MISSION_CONTROL=1` → the role opt-in (resolver → `command-center`).
+ *   - `AGENT_TEMPO_ENSEMBLE` → which ensemble the board observes.
+ *   - `AGENT_TEMPO_HTTP_ADMIN_TOKEN` → the daemon write/gate surface the board POSTs to.
+ *
+ * ★ It MUST NOT set `PLAYER_NAME` or `CONDUCTOR` — either flips {@link resolvePiRole}
+ * to `'player'`, which would keep the board dormant (and self-bootstrap a player).
+ */
+function buildPiCommandCenterSpawn(opts) {
+    const { cmd, args } = (opts.resolveBinary ?? resolvePiInteractiveBinary)();
+    const env = {
+        ...opts.temporalEnvVars,
+        [config_1.ENV.TASK_QUEUE]: opts.taskQueue,
+        [config_1.ENV.ENSEMBLE]: opts.ensemble,
+        [config_1.ENV.MISSION_CONTROL]: '1', // #729 A2 role opt-in → resolver picks 'command-center'
+        [config_1.ENV.NO_PPID_WATCHDOG]: '1', // launched detached by the transient CLI (mirrors the conductor)
+        ...(opts.devMode ? { [config_1.ENV.DEV_MODE]: '1' } : {}),
+        ...(opts.adminToken ? { [config_1.ENV.HTTP_ADMIN_TOKEN]: opts.adminToken } : {}),
+        ...(opts.anthropicApiKey ? { ANTHROPIC_API_KEY: opts.anthropicApiKey } : {}),
+    };
+    // Deliberately NO ENV.PLAYER_NAME / ENV.CONDUCTOR — they'd flip the role to player.
+    return { cmd, args, env };
+}
 /**
  * Resolve the path to the compiled copilot bridge adapter entry point.
  * In dev (ts-node), returns a ts-node command; in production, returns the dist path.

package/dist/types.d.ts

@@ -238,22 +238,33 @@ export interface SessionMetadata {
      * the real posture on EVERY attach (across restart / migrate / re-attach), so
      * a previously-`supervised` agent stays supervised. (tempo-architect ruling.)
      *
-     * **★ Enforcement scope (#715).** `supervised` is the daemon-enforced approval
-     * boundary for the realistic threat: a prompt-injected agent. A manipulated LLM
-     * can only *emit* tool-call requests — Pi routes every one to agent-tempo's
-     * `tool_call` handler, which engages the gate (non-`low-risk`) or hard-blocks
-     * (exec tools at `toolAccess: 'restricted'`). The agent **cannot** skip the gate
-     * or run a dangerous tool directly — it doesn't control the hook. The daemon also
-     * derives `failMode` from this durable policy (populated at spawn, falling
-     * `closed` on any lookup failure — no-fail-open), so an engaging agent can't
-     * self-downgrade a supervised player out of fail-closed.
+     * **★ Enforcement scope (#712/#715).** `supervised` is the daemon-enforced
+     * approval boundary for the realistic threat: a prompt-injected agent. A
+     * manipulated LLM can only *emit* tool-call requests — Pi routes every one to
+     * agent-tempo's `tool_call` handler, which engages the gate (non-`low-risk`;
+     * #712 daemon-computes `failMode` from this durable policy, falling `closed` on
+     * any lookup failure — no-fail-open, so an engaging agent can't self-downgrade).
+     * The agent **cannot** skip the gate — it doesn't control the hook.
      *
-     * The **residual** is *process compromise*: code execution **inside** the Pi
-     * process (host RCE bypassing the handler entirely). No client-side gate defends
-     * that — it requires OS-level process sandboxing, tracked as a separate future
-     * `'sandboxed'` posture (#724). That is **not a gap in `supervised`'s scope**:
-     * supervised targets prompt-injection, and against that threat it **is** a real
-     * enforcement boundary.
+     * **#715 adds a registration-level floor.** For `toolAccess: 'restricted'` (and
+     * `observe-only`'s act tools) the exec/act tools are EXCLUDED at
+     * `createAgentSession` (`excludeTools`) → **absent** from the model's toolset and
+     * system prompt entirely; the LLM cannot request what it never sees. That is
+     * stronger than a call-time block — it holds even if the call-time gate had a bug
+     * (the tool simply isn't there). `supervised` with exec present keeps exec
+     * **present + gated** (approve-per-use), so this floor applies to the exec/no-act
+     * postures, not to a `supervised`+`standard` player.
+     *
+     * **Residual (all postures): process compromise** — code execution *inside* the
+     * Pi process (in-process syscalls; host RCE bypassing the handler), OR a
+     * tampered / modified extension that un-excludes or re-registers tools.
+     * `excludeTools` is OUR code passing a denylist; an attacker who modifies that
+     * code or the process bypasses it. The only defense is OS-level sandboxing +
+     * supply-chain integrity, a separate future `'sandboxed'` posture (#724). So:
+     * **tamper-RESISTANT** vs prompt-injection + an honest gate bug; **NOT
+     * tamper-PROOF** vs a compromised process. Against prompt-injection — the
+     * realistic threat — it **is** a real enforcement boundary; #724 is not a gap in
+     * that scope.
      *
      * **Post-restart window:** on daemon restart the in-memory ingest tokens are
      * invalidated, so existing players' gate engagements are rejected (403) until a

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agent-tempo",
-  "version": "1.7.0-beta.4",
+  "version": "1.7.0-beta.6",
   "description": "Many agents, one tempo. Durable coordination for multi-agent work via Temporal.",
   "keywords": [
     "mcp",