agent-tempo 1.7.0-beta.5 → 1.7.0-beta.7

package/CLAUDE.md

@@ -104,6 +104,7 @@ src/
 │   ├── hosts.ts / set-ensemble-description.ts
 │   ├── save-state.ts / fetch-state.ts / clear-state.ts
 │   ├── coat-check-put.ts / coat-check-get.ts / coat-check-list.ts / coat-check-evict.ts
+│   ├── respond.ts
 │   └── descriptor.ts  # Transport-neutral tool descriptor (TempoToolDescriptor) + renderToMcp; per-tool `build*Tool` factories live in each tool file (MD-B, Phase 1)
 ├── pi/                # Pi-native integration — a Pi session as a first-class player over the Temporal core
 │   ├── extension.ts   # `export default function(pi)` — interactive runtime entry. Holds the MODULE-SCOPE singleton `Map<workflowId, PiPlayerRuntime>` that survives Pi's per-switch instance rebuild (rebind, not re-claim); full tool surface via renderToPi; Option-C reason-discriminated teardown
@@ -211,7 +212,7 @@ daemon worker notes, `npx ts-node` dev runner).
 - **OpenCode adapter** (`agent: 'opencode'`, #449): Headless multi-provider adapter that drives sessions via [SST OpenCode](https://opencode.ai) as a managed subprocess — supports Anthropic, OpenAI, Bedrock, Vertex, Ollama, and ~70 other providers via OpenCode's `provider/model` selector. Requires OpenCode CLI (`npm install -g opencode-ai`) and the `@opencode-ai/sdk` optional dependency. Recruit with `model: 'provider/name'` (e.g. `'anthropic/claude-opus-4-7'`). Tool bridging is MCP-native — OpenCode spawns `dist/server.js` as its own stdio MCP child. Session state is persisted server-side by OpenCode; the adapter stashes the session id on workflow metadata for reconnect across `opencode serve` restarts. See `src/adapters/opencode/`.
 - **Claude Code headless adapter** (`agent: 'claude-code-headless'`, #520): Headless adapter that drives sessions via the official `claude` CLI as a per-turn `claude -p --output-format stream-json` subprocess. The whole point: turns bill against the host's existing Claude Code subscription extra-usage credits (Pro / Max plans) rather than a Console workspace API key — the only ToS-clean way for a third-party tool to tap that pool. Requires the `claude` binary on PATH AND a logged-in Claude Code session (`claude auth login`); recruit pre-flight rejects with an actionable error otherwise. Tool surface is the union of full Claude Code built-ins (Bash / Read / Write / Edit / Glob / Grep / WebSearch / WebFetch) and the agent-tempo MCP surface — registered via inline `--mcp-config` so `claude` spawns `dist/server.js` as its own MCP child (no in-process bridge). Recruit knobs: `permissionMode` (default `'acceptEdits'`) or `dangerouslySkipPermissions: true` (mutually exclusive). Sessions resume across restart via the existing `sessionId` metadata field — the same UUID is shared with the interactive `claude-code` adapter (per-cwd JSONL is per-cwd, not per-adapter). See `src/adapters/claude-code-headless/` and `examples/ensembles/tempo-headless-jam.yaml`.
 - **Pi adapter** (`agent: 'pi'`, #632 / #666): Two modes. **(1) Interactive conductor** (#666): `agent-tempo up --agent pi --ensemble <name>` launches `pi` in a real terminal with the agent-tempo extension auto-loaded (`pi -e dist/pi/extension.js`); the Pi session self-bootstraps its Temporal workflow and attaches as a conductor/player — no separate recruiter step. From the TUI, `/recruit-conductor` relaunches the active ensemble's conductor — set `conductor.agent: pi` in that ensemble's lineup to make it a Pi conductor. Requires `@earendil-works/pi-coding-agent` on Node ≥ 22.19. Recommended: `ANTHROPIC_API_KEY` (without it the session falls back to Pi's own auth/default model). The `AGENT_TEMPO_*` env is auto-wired by `up`; power users can invoke the extension directly with `pi -e dist/pi/extension.js`. `--model provider/model` selector (e.g. `'github-copilot/gpt-4o'`) is a fast-follow. **(2) Headless player** (Phase 3a): `recruit` with `agent: 'pi'` — no terminal, no BaseAttachment; runs `createAgentSession` with an in-memory `SessionManager`; the module-scope singleton owns claim/heartbeat/tools/cue pump (MD-D). MD-C tool-access policy: `toolAccess: 'restricted'` (default — Bash/shell/exec HARD-BLOCKED) | `'standard'` (scoped Bash) | `'full'` (unsandboxed; requires `force: true`). `noExtensions: true` closes the S2 exec-tool-bypass gap. See `src/adapters/pi/` and `src/pi/headless.ts`.
-- **Mission-control Pi extension** (3f): An observer-only Pi extension that turns one interactive Pi TUI into a live ensemble board + operator controller. HTTP-drives the daemon — coarse ensemble view via `/v1/events/:ensemble` SSE + fine per-player tail via `/inner` (T3); operator controls (cue/pause/play/restart/destroy + gate arm/disarm/decide) POST to the daemon write surface using `AGENT_TEMPO_HTTP_ADMIN_TOKEN`. **Never claims attachment or registers as a player** — invisible to the ensemble. ~200ms render throttle from an in-memory `BoardModel`. Requires an interactive Pi session with `ctx.hasUI`. See `src/pi/mission-control/`.
+- **Mission-control / Command-center** (3f, #700 P2): An interactive Pi TUI that is both a live ensemble board + operator controller and an LLM planner. Board side: HTTP-drives the daemon — coarse ensemble view via `/v1/events/:ensemble` SSE + fine per-player tail via `/inner` (T3); operator controls (cue/pause/play/restart/destroy + gate arm/disarm/decide) POST to the daemon write surface using `AGENT_TEMPO_HTTP_ADMIN_TOKEN`. Planner side: registers LLM tools (`ask` / `handoff` / `cue` / `recruit` / `observe_board`) via `MissionControlActions` — HTTP-backed, distinct from the player extension's `renderToPi` MCP surface. **Never claims attachment or registers as a player** — invisible to the ensemble. Launch with **`agent-tempo command-center [ensemble]`** (aliases: `cc`, `board`) — sets `AGENT_TEMPO_MISSION_CONTROL=1`. **Role-gated and mutually exclusive** with the player extension (`resolvePiRole` discriminator: explicit `AGENT_TEMPO_PI_ROLE` → `PLAYER_NAME` present → `AGENT_TEMPO_MISSION_CONTROL` → `none`): a bare `pi` keeps both extensions dormant (plain coding session); a player session (`up --agent pi` / `recruit`) keeps the board dormant. Power users invoking `pi -e dist/pi/extension.js` directly without `PLAYER_NAME` also resolve to `none` (dormant) — set `AGENT_TEMPO_PI_ROLE=player` to force player mode. See `src/pi/mission-control/`.
 - **Command-center planner** (#700 P2): An inbox-less interactive Pi session (the operator's planning seat) that routes questions to players via correlated `cue` tags (`[Q <questionId>]`). Players answer with the `respond` MCP tool, which parks the answer on the per-ensemble maestro Q&A mailbox (TTL 1h, 20-slot cap). The planner is woken by an `answer` SSE event when the answer lands (`docs/SSE-PROTOCOL.md` §6). `/handoff` cues hand active work to a conductor (a registered player with a Temporal inbox). See `docs/concepts.md` for the Q&A mechanics.
 - **Guardrail policy** (`guardrailPolicy` recruit arg, #700 P2): Per-player posture for the operator gate on headless Pi players. Four values — `'autonomous'` (default; no gate), `'monitored'` (gate engaged; fail-open: auto-allow after 45 s), `'supervised'` (gate engaged; fail-closed: auto-deny after 300 s; **client-cooperative in P2, not tamper-proof**; daemon-side enforcement is P2.1 #44), `'observe-only'` (non-`low-risk` tools hard-blocked outright). Persisted on `SessionMetadata`; re-sourced at each `(re)attach` from `getMetadata`. See `docs/concepts.md` for operator gate mechanics.
 - **Mock adapter** (`agent: 'mock'`, dev mode only): Four modes: `echo` (echoes input), `scripted` (replays YAML scenario rules), `silent` (drains messages without replying — heartbeat-stale validation), `chaos` (probabilistic fail/crash injection via seeded PRNG). Only registered when `isDevMode()` is true; stripped from the npm tarball by `prepack`. See `src/adapters/mock/`.

package/dashboard/package.json

@@ -1,7 +1,7 @@
 {
   "name": "agent-tempo-dashboard",
   "private": true,
-  "version": "1.7.0-beta.5",
+  "version": "1.7.0-beta.7",
   "type": "module",
   "description": "Web dashboard for agent-tempo. Bundled into the npm package; served by the daemon at /dashboard/*.",
   "scripts": {

package/dist/cli/command-center-command.d.ts

@@ -0,0 +1,28 @@
+/**
+ * `agent-tempo command-center` (#729) — launch an interactive Pi mission-control
+ * board for an ensemble.
+ *
+ * The board is the OPERATOR seat: it observes the ensemble (coarse SSE) and POSTs
+ * operator actions (cue/pause/restart/gate/…) to the daemon's write/gate surface.
+ * It is NOT a player — it never claims attachment or registers as an ensemble
+ * member.
+ *
+ * The deliberate launch path (#729 A2): this sets `AGENT_TEMPO_MISSION_CONTROL=1`
+ * so {@link resolvePiRole} resolves `'command-center'`, which activates the
+ * mission-control extension and keeps the player extension dormant — exactly one
+ * of the two auto-loaded Pi extensions registers tools, so their `cue`/`recruit`
+ * names can't collide. It MUST NOT set `PLAYER_NAME`/`CONDUCTOR` (those flip the
+ * role to player). A bare `pi` (neither signal) keeps BOTH dormant — plain coding
+ * sessions stay pristine.
+ */
+import { CliOverrides } from '../config';
+export interface CommandCenterArgs extends CliOverrides {
+    /** Ensemble to observe (positional / `--ensemble`); falls back to config default. */
+    ensemble?: string;
+}
+/**
+ * Public entry point — invoked by the CLI dispatcher. Launches the board in a
+ * real terminal (Pi only attaches its UI in a TTY) and returns; exits 1 on a
+ * fail-clean preflight error.
+ */
+export declare function commandCenterCommand(args: CommandCenterArgs): Promise<void>;

package/dist/cli/command-center-command.js

@@ -0,0 +1,116 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.commandCenterCommand = commandCenterCommand;
+/**
+ * `agent-tempo command-center` (#729) — launch an interactive Pi mission-control
+ * board for an ensemble.
+ *
+ * The board is the OPERATOR seat: it observes the ensemble (coarse SSE) and POSTs
+ * operator actions (cue/pause/restart/gate/…) to the daemon's write/gate surface.
+ * It is NOT a player — it never claims attachment or registers as an ensemble
+ * member.
+ *
+ * The deliberate launch path (#729 A2): this sets `AGENT_TEMPO_MISSION_CONTROL=1`
+ * so {@link resolvePiRole} resolves `'command-center'`, which activates the
+ * mission-control extension and keeps the player extension dormant — exactly one
+ * of the two auto-loaded Pi extensions registers tools, so their `cue`/`recruit`
+ * names can't collide. It MUST NOT set `PLAYER_NAME`/`CONDUCTOR` (those flip the
+ * role to player). A bare `pi` (neither signal) keeps BOTH dormant — plain coding
+ * sessions stay pristine.
+ */
+const config_1 = require("../config");
+const spawn_1 = require("../spawn");
+const probe_1 = require("../pi/probe");
+const out = __importStar(require("./output"));
+/**
+ * Public entry point — invoked by the CLI dispatcher. Launches the board in a
+ * real terminal (Pi only attaches its UI in a TTY) and returns; exits 1 on a
+ * fail-clean preflight error.
+ */
+async function commandCenterCommand(args) {
+    const config = (0, config_1.getConfig)(args);
+    const ensemble = config.ensemble;
+    // Preflight — fail BEFORE launching a terminal that would die. checkPiNodeFloor
+    // is a best-effort Node-version proxy; buildPiCommandCenterSpawn's default
+    // resolver throws fail-clean when the Pi CLI is missing.
+    const nodeFloor = (0, probe_1.checkPiNodeFloor)();
+    if (!nodeFloor.ok) {
+        out.error(`Cannot start command-center — ${nodeFloor.reason}`);
+        process.exit(1);
+    }
+    // Admin (T3) token — mission-control's operator write/gate surface reads it.
+    // #54: a LOCAL (loopback) daemon grants full trust tokenless, so a tokenless
+    // board is fully functional locally; only a REMOTE / 0.0.0.0 daemon requires the
+    // token. Informational (not a warning, not a block) — accurate to the daemon's
+    // own auth posture.
+    const adminToken = process.env[config_1.ENV.HTTP_ADMIN_TOKEN];
+    if (!adminToken) {
+        out.log(out.dim(`  ${config_1.ENV.HTTP_ADMIN_TOKEN} not set — fine for a local (loopback) daemon (full trust). ` +
+            'Set it only if this board drives a remote / 0.0.0.0 daemon.'));
+    }
+    if (!process.env.ANTHROPIC_API_KEY) {
+        out.warn('ANTHROPIC_API_KEY is not set — the Pi command-center will fall back to Pi\'s own auth/default model.');
+    }
+    const temporalEnvVars = {
+        [config_1.ENV.TEMPORAL_ADDRESS]: config.temporalAddress,
+        [config_1.ENV.TEMPORAL_NAMESPACE]: config.temporalNamespace,
+    };
+    if (config.temporalApiKey)
+        temporalEnvVars[config_1.ENV.TEMPORAL_API_KEY] = config.temporalApiKey;
+    if (config.temporalTlsCertPath)
+        temporalEnvVars[config_1.ENV.TEMPORAL_TLS_CERT_PATH] = config.temporalTlsCertPath;
+    if (config.temporalTlsKeyPath)
+        temporalEnvVars[config_1.ENV.TEMPORAL_TLS_KEY_PATH] = config.temporalTlsKeyPath;
+    let spawn;
+    try {
+        spawn = (0, spawn_1.buildPiCommandCenterSpawn)({
+            ensemble,
+            temporalEnvVars,
+            taskQueue: config.taskQueue,
+            devMode: (0, config_1.isDevMode)(),
+            ...(adminToken ? { adminToken } : {}),
+            ...(process.env.ANTHROPIC_API_KEY ? { anthropicApiKey: process.env.ANTHROPIC_API_KEY } : {}),
+        });
+    }
+    catch (err) {
+        out.error(`Cannot start command-center — ${err instanceof Error ? err.message : String(err)}`);
+        process.exit(1);
+    }
+    const { pid } = (0, spawn_1.launchInTerminal)(spawn.cmd, spawn.args, process.cwd(), spawn.env);
+    out.success(`Command-center launched for ensemble ${out.cyan(ensemble)} (pid ${pid ?? 'unknown'})`);
+    out.log(`  ${out.dim('Observer-only Pi board — the player extension stays dormant in this session.')}`);
+    out.log(`  ${out.dim('Requires `agent-tempo install-pi` to have registered the extensions.')}`);
+}

package/dist/cli/help-text.js

@@ -86,6 +86,7 @@ ${out.bold('Commands:')}
   ${out.cyan('agent-types')} <sub>        Manage player type definitions (list/show/init)
   ${out.cyan('daemon')}    <sub>          Manage the worker daemon (start/stop/status/logs)
   ${out.cyan('dashboard')}                Open the web dashboard (--no-open / --pair / --json)
+  ${out.cyan('command-center')} [ensemble] Launch the interactive Pi mission-control board (operator seat; alias: cc/board)
   ${out.cyan('upgrade')}  [version]       Upgrade agent-tempo to latest (or specific version)
   ${out.cyan('config')}                   Configure Temporal connection settings
   ${out.cyan('init')}                     Register MCP server globally (or --project for .mcp.json)

package/dist/cli.js

@@ -416,6 +416,18 @@ async function main() {
         });
         return;
     }
+    if (args.command === 'command-center' || args.command === 'cc' || args.command === 'board') {
+        // #729 — launch the interactive Pi mission-control board. Lightweight + does
+        // NOT touch Temporal (it spawns `pi` with the operator opt-in env and drives
+        // the daemon over HTTP), so it stays out of the Temporal-loading `./cli/commands`
+        // import — an operator can open the board even when the Temporal SDK is broken.
+        const { commandCenterCommand } = await Promise.resolve().then(() => __importStar(require('./cli/command-center-command')));
+        await commandCenterCommand({
+            ensemble: args.positional[1],
+            ...overrides,
+        });
+        return;
+    }
     // Dev-mode scriptable verbs (#432). Gated on `isDevMode()` AND an explicit
     // allowlist (`DEV_VERBS`); intercepts BEFORE the removed-verbs check so
     // verbs like `pause` (collapsed by #288) can act on the live ensemble in
@@ -626,12 +638,21 @@ async function main() {
             const { installPiExtensions } = await Promise.resolve().then(() => __importStar(require('./pi/install')));
             const result = installPiExtensions({ project: args.project });
             out.success(`Pi extensions installed → ${result.settingsPath}`);
+            // #52 — show pruned stale/old-version entries so an upgrade is legible.
+            for (const p of result.removed)
+                out.log(`  ${out.yellow('-')} ${p} ${out.dim('(removed stale/old-version entry)')}`);
             for (const p of result.added)
                 out.log(`  ${out.green('+')} ${p}`);
             for (const p of result.alreadyPresent)
                 out.log(out.dim(`  · ${p} (already installed)`));
             out.log('');
-            out.log('  Restart `pi` to load the agent-tempo extensions.');
+            // #729 — the extensions are role-gated: exactly one activates per session.
+            // Point operators at the DELIBERATE launches, not a bare `pi` (which now
+            // intentionally keeps BOTH dormant so plain coding sessions stay pristine).
+            out.log('  Launch a session with one of:');
+            out.log(`    ${out.cyan('agent-tempo up --agent pi')}        a conductor/player in this ensemble`);
+            out.log(`    ${out.cyan('agent-tempo command-center')}       the operator mission-control board`);
+            out.log(out.dim('  A bare `pi` stays a plain coding session (neither extension activates).'));
             break;
         }
         case 'migrate-from-claude-tempo': {

package/dist/config.d.ts

@@ -158,7 +158,54 @@ export declare const ENV: {
      * coordinate three or more parallel agent-tempo profiles on one box.
      */
     readonly DEV_HOME_OVERRIDE: "AGENT_TEMPO_HOME_OVERRIDE";
+    /**
+     * #729 — explicit Pi session-role override for {@link resolvePiRole}. Accepts
+     * `'player'` | `'command-center'`. A future escape hatch: the heuristic
+     * (PLAYER_NAME presence) already classifies every current launch correctly, so
+     * this is intentionally NOT wired into any spawn site — it exists so an operator
+     * can force a role if a new launch path ever defeats the heuristic.
+     */
+    readonly PI_ROLE: "AGENT_TEMPO_PI_ROLE";
+    /**
+     * #729 (A2) — affirmative opt-in for the mission-control command-center board.
+     * Set by the `agent-tempo command-center` launcher (NOT by bare `pi`), so a
+     * plain coding `pi` stays pristine (both extensions dormant). Lower precedence
+     * than {@link PLAYER_NAME} in {@link resolvePiRole} — a session that must CLAIM
+     * never silently degrades to a passive board.
+     */
+    readonly MISSION_CONTROL: "AGENT_TEMPO_MISSION_CONTROL";
 };
+/**
+ * The role of a Pi session (#729). A session is at most ONE of these — the two
+ * auto-loaded Pi extensions gate on it so they're mutually exclusive:
+ * - `player` — the player extension's full MCP surface (cue/recruit/report/…).
+ * - `command-center` — mission-control's operator board + planner tools.
+ * - `none` — neither (a bare `pi` used for plain coding); both stay dormant.
+ *
+ * `player` and `command-center` both register `cue`/`recruit` by name, so loading
+ * both in one session collides and the command-center never starts (#729).
+ */
+export type PiRole = 'player' | 'command-center' | 'none';
+/**
+ * Resolve the role of a Pi session (#729) — the single discriminator both
+ * auto-loaded Pi extensions gate on.
+ *
+ * Precedence (deterministic, #729 A2):
+ * 1. Explicit {@link ENV.PI_ROLE} (`'player'` | `'command-center'`) wins — a future
+ *    escape hatch, intentionally NOT wired into any spawn site.
+ * 2. {@link ENV.PLAYER_NAME} present (every `up`/`recruit` player spawn) → `'player'`.
+ *    Checked BEFORE the board opt-in ON PURPOSE: a session that must CLAIM must
+ *    never silently degrade to a passive board.
+ * 3. {@link ENV.MISSION_CONTROL} opt-in (set by `agent-tempo command-center`) →
+ *    `'command-center'`.
+ * 4. Otherwise `'none'` — a bare `pi` for plain coding: BOTH extensions stay
+ *    dormant (the A2 clean-pi guarantee).
+ *
+ * Pure (env injectable) so the dormancy matrix is unit-testable without spawning.
+ * NOTE: headless Pi is definitionally a recruited player and must NOT rely on this
+ * heuristic — its caller forces `'player'` directly (env-weirdness immune).
+ */
+export declare function resolvePiRole(env?: NodeJS.ProcessEnv): PiRole;
 export interface Config {
     temporalAddress: string;
     temporalNamespace: string;

package/dist/config.js

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.GLOBAL_MAESTRO_WORKFLOW_ID = exports.DaemonConfigSchema = exports.CleanupPolicySchema = exports.CONFIG_FILE_PATH = exports.AGENT_TEMPO_HOME = exports.PROD_DAEMON_PORT = exports.DEV_DAEMON_PORT = exports.PROD_TASK_QUEUE = exports.DEV_TASK_QUEUE = exports.PROD_TEMPORAL_NAMESPACE = exports.DEV_TEMPORAL_NAMESPACE = exports.PROD_HOME_DIR_NAME = exports.DEV_HOME_DIR_NAME = exports.ENV = void 0;
+exports.resolvePiRole = resolvePiRole;
 exports.isDevMode = isDevMode;
 exports.resolveTempoHome = resolveTempoHome;
 exports.bridgeLogsRoot = bridgeLogsRoot;
@@ -186,7 +187,52 @@ exports.ENV = {
      * coordinate three or more parallel agent-tempo profiles on one box.
      */
     DEV_HOME_OVERRIDE: 'AGENT_TEMPO_HOME_OVERRIDE',
+    /**
+     * #729 — explicit Pi session-role override for {@link resolvePiRole}. Accepts
+     * `'player'` | `'command-center'`. A future escape hatch: the heuristic
+     * (PLAYER_NAME presence) already classifies every current launch correctly, so
+     * this is intentionally NOT wired into any spawn site — it exists so an operator
+     * can force a role if a new launch path ever defeats the heuristic.
+     */
+    PI_ROLE: 'AGENT_TEMPO_PI_ROLE',
+    /**
+     * #729 (A2) — affirmative opt-in for the mission-control command-center board.
+     * Set by the `agent-tempo command-center` launcher (NOT by bare `pi`), so a
+     * plain coding `pi` stays pristine (both extensions dormant). Lower precedence
+     * than {@link PLAYER_NAME} in {@link resolvePiRole} — a session that must CLAIM
+     * never silently degrades to a passive board.
+     */
+    MISSION_CONTROL: 'AGENT_TEMPO_MISSION_CONTROL',
 };
+/**
+ * Resolve the role of a Pi session (#729) — the single discriminator both
+ * auto-loaded Pi extensions gate on.
+ *
+ * Precedence (deterministic, #729 A2):
+ * 1. Explicit {@link ENV.PI_ROLE} (`'player'` | `'command-center'`) wins — a future
+ *    escape hatch, intentionally NOT wired into any spawn site.
+ * 2. {@link ENV.PLAYER_NAME} present (every `up`/`recruit` player spawn) → `'player'`.
+ *    Checked BEFORE the board opt-in ON PURPOSE: a session that must CLAIM must
+ *    never silently degrade to a passive board.
+ * 3. {@link ENV.MISSION_CONTROL} opt-in (set by `agent-tempo command-center`) →
+ *    `'command-center'`.
+ * 4. Otherwise `'none'` — a bare `pi` for plain coding: BOTH extensions stay
+ *    dormant (the A2 clean-pi guarantee).
+ *
+ * Pure (env injectable) so the dormancy matrix is unit-testable without spawning.
+ * NOTE: headless Pi is definitionally a recruited player and must NOT rely on this
+ * heuristic — its caller forces `'player'` directly (env-weirdness immune).
+ */
+function resolvePiRole(env = process.env) {
+    const explicit = env[exports.ENV.PI_ROLE];
+    if (explicit === 'player' || explicit === 'command-center')
+        return explicit;
+    if (env[exports.ENV.PLAYER_NAME])
+        return 'player';
+    if (env[exports.ENV.MISSION_CONTROL])
+        return 'command-center';
+    return 'none';
+}
 // ── Dev profile (ADR 0014 §5) ──
 /**
  * Dev profile defaults — one switch (`--dev` top-level flag, or

package/dist/pi/extension.js

@@ -158,6 +158,27 @@ function createPiExtension(options = {}) {
     // #700 (P2 / G) — guardrail posture; absent ⇒ autonomous (no gate).
     const guardrailPolicy = options.guardrailPolicy ?? 'autonomous';
     return function piExtension(pi) {
+        // ── #729 role gate (MUST stay first — before probePi / getConfig /
+        // clientFactory / renderToPi / before_agent_start / any session_start claim) ──
+        //
+        // Headless Pi is definitionally a recruited player, so force 'player' on it —
+        // never trust the env heuristic there (env-weirdness immune). Every INTERACTIVE
+        // player spawn (conductor `up --agent pi`, `recruit`) sets PLAYER_NAME; a bare
+        // `pi` does not. When this session is NOT a player, the player extension goes
+        // FULLY DORMANT: it registers NO tools, opens NO Temporal connection (the
+        // `clientFactory(config)` kickoff below is skipped), and starts NO workflow.
+        //
+        // This is load-bearing for two things at once: (1) it resolves the cue/recruit
+        // tool-name COLLISION with mission-control (exactly one extension registers
+        // tools per session), and (2) it kills the phantom `pi-${process.pid}` orphan
+        // workflow a bare `pi` used to self-bootstrap (the `pi-${pid}` fallback id below
+        // is now never reached in a non-player session).
+        const role = mode === 'headless' ? 'player' : (0, config_1.resolvePiRole)();
+        if (role !== 'player') {
+            log(`dormant — session role is '${role}', not a player: registering no player ` +
+                'surface (no tools, no Temporal connection, no workflow).');
+            return;
+        }
         const probe = (0, probe_1.probePi)();
         if (!probe.available)
             log('WARNING:', probe.reason);

package/dist/pi/install.d.ts

@@ -26,9 +26,34 @@ export interface InstallPiResult {
     added: string[];
     /** Extension paths already present before this run. */
     alreadyPresent: string[];
+    /**
+     * #52 — STALE agent-tempo extension paths PRUNED by this run (old-version /
+     * moved-install entries that pointed at an agent-tempo extension but are no
+     * longer the current path). Empty on a clean re-run.
+     */
+    removed: string[];
     /** The final `extensions` array written to settings.json. */
     extensions: string[];
 }
+/**
+ * #52 — does this settings `extensions` entry point at an agent-tempo Pi
+ * extension (player or command-center), of ANY version / install location?
+ *
+ * The motivating bug: a `pnpm` global install version-hashes the package dir
+ * (`.../.pnpm/agent-tempo@<version>_<hash>/node_modules/agent-tempo/...`), so on
+ * UPGRADE the recorded absolute path goes stale — and a naive add-only install
+ * leaves BOTH the old and new paths in `settings.json`, which makes `pi` fail on
+ * the now-missing stale entry. {@link installPiExtensions} prunes every match of
+ * this predicate (except the current paths) before re-adding, so a re-run
+ * REPLACES rather than duplicates.
+ *
+ * Match = an agent-tempo package marker (`/agent-tempo@…` version dir, or the
+ * `/node_modules/agent-tempo/` package dir) AND an agent-tempo extension suffix
+ * (`dist/pi/extension.js` or `dist/pi/mission-control/extension.js`). Both halves
+ * are required so a user's own unrelated extension is never pruned. Separators
+ * are normalised so the predicate holds on Windows paths too.
+ */
+export declare function isAgentTempoExtensionPath(p: string): boolean;
 /** Resolve the Pi settings.json path for the chosen scope. */
 export declare function piSettingsPath(opts?: InstallPiOptions): string;
 /**
@@ -37,6 +62,13 @@ export declare function piSettingsPath(opts?: InstallPiOptions): string;
  * write when nothing changed). Never copies any extension file — install by
  * reference only (see file header).
  *
+ * #52 — REPLACE, don't accumulate: before adding the current paths, PRUNE any
+ * STALE agent-tempo extension entries ({@link isAgentTempoExtensionPath}, minus
+ * the current paths). On a `pnpm` upgrade the package dir is version-hashed, so
+ * the recorded absolute path changes — without pruning, `settings.json` would
+ * list both the old (now-missing) and new paths and `pi` would fail on the stale
+ * one. A user's own unrelated extensions and other settings keys are preserved.
+ *
  * Tolerates a missing / empty / corrupt settings file: a missing file is
  * created; an unparseable one is replaced with a fresh object carrying just the
  * extensions (we can only safely merge a valid object). Other recognised keys in

package/dist/pi/install.js

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.piExtensionPaths = piExtensionPaths;
+exports.isAgentTempoExtensionPath = isAgentTempoExtensionPath;
 exports.piSettingsPath = piSettingsPath;
 exports.installPiExtensions = installPiExtensions;
 /**
@@ -45,6 +46,30 @@ function piExtensionPaths() {
         missionControl: (0, path_1.resolve)(__dirname, 'mission-control', 'extension.js'),
     };
 }
+/**
+ * #52 — does this settings `extensions` entry point at an agent-tempo Pi
+ * extension (player or command-center), of ANY version / install location?
+ *
+ * The motivating bug: a `pnpm` global install version-hashes the package dir
+ * (`.../.pnpm/agent-tempo@<version>_<hash>/node_modules/agent-tempo/...`), so on
+ * UPGRADE the recorded absolute path goes stale — and a naive add-only install
+ * leaves BOTH the old and new paths in `settings.json`, which makes `pi` fail on
+ * the now-missing stale entry. {@link installPiExtensions} prunes every match of
+ * this predicate (except the current paths) before re-adding, so a re-run
+ * REPLACES rather than duplicates.
+ *
+ * Match = an agent-tempo package marker (`/agent-tempo@…` version dir, or the
+ * `/node_modules/agent-tempo/` package dir) AND an agent-tempo extension suffix
+ * (`dist/pi/extension.js` or `dist/pi/mission-control/extension.js`). Both halves
+ * are required so a user's own unrelated extension is never pruned. Separators
+ * are normalised so the predicate holds on Windows paths too.
+ */
+function isAgentTempoExtensionPath(p) {
+    const n = p.replace(/\\/g, '/');
+    const fromAgentTempo = n.includes('/agent-tempo@') || n.includes('/node_modules/agent-tempo/');
+    const isExtensionEntry = n.endsWith('/dist/pi/extension.js') || n.endsWith('/dist/pi/mission-control/extension.js');
+    return fromAgentTempo && isExtensionEntry;
+}
 /** Resolve the Pi settings.json path for the chosen scope. */
 function piSettingsPath(opts = {}) {
     if (opts.project)
@@ -57,6 +82,13 @@ function piSettingsPath(opts = {}) {
  * write when nothing changed). Never copies any extension file — install by
  * reference only (see file header).
  *
+ * #52 — REPLACE, don't accumulate: before adding the current paths, PRUNE any
+ * STALE agent-tempo extension entries ({@link isAgentTempoExtensionPath}, minus
+ * the current paths). On a `pnpm` upgrade the package dir is version-hashed, so
+ * the recorded absolute path changes — without pruning, `settings.json` would
+ * list both the old (now-missing) and new paths and `pi` would fail on the stale
+ * one. A user's own unrelated extensions and other settings keys are preserved.
+ *
  * Tolerates a missing / empty / corrupt settings file: a missing file is
  * created; an unparseable one is replaced with a fresh object carrying just the
  * extensions (we can only safely merge a valid object). Other recognised keys in
@@ -84,9 +116,15 @@ function installPiExtensions(opts = {}) {
     const current = Array.isArray(settings.extensions)
         ? settings.extensions.filter((x) => typeof x === 'string')
         : [];
+    // #52 — prune STALE agent-tempo extension entries (an agent-tempo extension
+    // path that is NOT one of the current `want` paths — e.g. an old version-hashed
+    // pnpm dir). The current paths and all non-agent-tempo entries keep their
+    // original positions.
+    const removed = current.filter((p) => !want.includes(p) && isAgentTempoExtensionPath(p));
+    const removedSet = new Set(removed);
     const added = [];
     const alreadyPresent = [];
-    const merged = [...current];
+    const merged = current.filter((p) => !removedSet.has(p));
     for (const p of want) {
         if (merged.includes(p)) {
             alreadyPresent.push(p);
@@ -97,11 +135,11 @@ function installPiExtensions(opts = {}) {
         }
     }
     settings.extensions = merged;
-    // Idempotent: only write when something actually changed (or the file is
-    // absent and must be created). A clean repeat run touches nothing.
-    if (added.length > 0 || !fileExists) {
+    // Idempotent: only write when something actually changed (added, pruned, or the
+    // file is absent and must be created). A clean repeat run touches nothing.
+    if (added.length > 0 || removed.length > 0 || !fileExists) {
         (0, fs_1.mkdirSync)((0, path_1.dirname)(settingsPath), { recursive: true });
         (0, fs_1.writeFileSync)(settingsPath, `${JSON.stringify(settings, null, 2)}\n`, 'utf8');
     }
-    return { settingsPath, added, alreadyPresent, extensions: merged };
+    return { settingsPath, added, alreadyPresent, removed, extensions: merged };
 }

package/dist/pi/mission-control/actions.d.ts

@@ -32,14 +32,35 @@ export declare class MissionControlActions {
     private readonly baseUrlOverride;
     private readonly fetchFn;
     constructor(opts: MissionControlActionsOptions);
-    /** Whether the client is usable (token + transport present). */
+    /**
+     * Whether the client has a usable transport. (#54) NO LONGER gates on the admin
+     * token: a loopback daemon grants full trust tokenless, so token presence does
+     * NOT determine usability — the daemon decides per request. Token-required is
+     * enforced by the daemon (it 401s a remote/0.0.0.0 caller), not pre-empted here.
+     */
     get ready(): boolean;
     private baseUrl;
+    /**
+     * Request headers — include the admin bearer ONLY when a token is set (#54). A
+     * loopback daemon grants full trust tokenless (it short-circuits all tiers), so
+     * we attempt tokenless and never send a literal "Bearer undefined". Mirrors how
+     * `createSubscribe` already spreads its token only when present.
+     */
+    private authHeaders;
+    /**
+     * Map a non-2xx daemon response to an error string (#54). When NO token was sent
+     * and the daemon rejected on auth (401/403) or admin-unset (503), the cause is a
+     * remote / `0.0.0.0` daemon that requires the admin token — surface that
+     * actionably (a local loopback daemon needs none). Token-present failures keep
+     * the daemon's own body detail (it already returns good 403/503 hints).
+     */
+    private httpError;
     private post;
-    /** POST and parse a JSON response body (bearer-authed). Used when the caller
-     *  needs the response payload, not just success — e.g. the coat-check ticket. */
+    /** POST and parse a JSON response body. Used when the caller needs the response
+     *  payload, not just success — e.g. the coat-check ticket. Bearer iff token set (#54). */
     private postJson;
-    /** GET a JSON body from the daemon (bearer-authed). Used by the read surface (#700 readAnswer). */
+    /** GET a JSON body from the daemon. Used by the read surface (#700 readAnswer).
+     *  Bearer iff token set (#54). */
     private getJson;
     private ens;
     private player;

package/dist/pi/mission-control/actions.js

@@ -29,9 +29,14 @@ class MissionControlActions {
         this.baseUrlOverride = opts.baseUrl;
         this.fetchFn = opts.fetchFn ?? resolveFetch();
     }
-    /** Whether the client is usable (token + transport present). */
+    /**
+     * Whether the client has a usable transport. (#54) NO LONGER gates on the admin
+     * token: a loopback daemon grants full trust tokenless, so token presence does
+     * NOT determine usability — the daemon decides per request. Token-required is
+     * enforced by the daemon (it 401s a remote/0.0.0.0 caller), not pre-empted here.
+     */
     get ready() {
-        return Boolean(this.adminToken) && this.fetchFn !== null;
+        return this.fetchFn !== null;
     }
     baseUrl() {
         if (this.baseUrlOverride)
@@ -39,9 +44,32 @@ class MissionControlActions {
         const port = (0, port_file_1.readPortFile)() ?? DEFAULT_PORT;
         return `http://127.0.0.1:${port}`;
     }
+    /**
+     * Request headers — include the admin bearer ONLY when a token is set (#54). A
+     * loopback daemon grants full trust tokenless (it short-circuits all tiers), so
+     * we attempt tokenless and never send a literal "Bearer undefined". Mirrors how
+     * `createSubscribe` already spreads its token only when present.
+     */
+    authHeaders(extra = {}) {
+        return { ...extra, ...(this.adminToken ? { Authorization: `Bearer ${this.adminToken}` } : {}) };
+    }
+    /**
+     * Map a non-2xx daemon response to an error string (#54). When NO token was sent
+     * and the daemon rejected on auth (401/403) or admin-unset (503), the cause is a
+     * remote / `0.0.0.0` daemon that requires the admin token — surface that
+     * actionably (a local loopback daemon needs none). Token-present failures keep
+     * the daemon's own body detail (it already returns good 403/503 hints).
+     */
+    httpError(status, detail) {
+        if (!this.adminToken && (status === 401 || status === 403 || status === 503)) {
+            return (`HTTP ${status}: operator actions need ${exports.ADMIN_TOKEN_ENV} for a remote / 0.0.0.0 daemon ` +
+                `(a local loopback daemon needs none)${detail ? ` — ${detail}` : ''}`);
+        }
+        return `HTTP ${status}${detail ? `: ${detail}` : ''}`;
+    }
     async post(pathSuffix, body) {
-        if (!this.adminToken)
-            return { ok: false, error: `no admin token (set ${exports.ADMIN_TOKEN_ENV})` };
+        // #54 — do NOT pre-block on a missing token: attempt the request and let the
+        // daemon decide (loopback grants full trust tokenless; remote/0.0.0.0 401s).
         if (!this.fetchFn)
             return { ok: false, error: 'no fetch transport available' };
         const base = this.baseUrl();
@@ -50,23 +78,21 @@ class MissionControlActions {
         try {
             const res = await this.fetchFn(`${base}${pathSuffix}`, {
                 method: 'POST',
-                headers: { Authorization: `Bearer ${this.adminToken}`, 'Content-Type': 'application/json' },
+                headers: this.authHeaders({ 'Content-Type': 'application/json' }),
                 body: JSON.stringify(body ?? {}),
             });
             if (res.status >= 200 && res.status < 300)
                 return { ok: true, status: res.status };
             const detail = (await res.text().catch(() => '')).slice(0, 200);
-            return { ok: false, error: `HTTP ${res.status}${detail ? `: ${detail}` : ''}` };
+            return { ok: false, error: this.httpError(res.status, detail) };
         }
         catch (err) {
             return { ok: false, error: err instanceof Error ? err.message : String(err) };
         }
     }
-    /** POST and parse a JSON response body (bearer-authed). Used when the caller
-     *  needs the response payload, not just success — e.g. the coat-check ticket. */
+    /** POST and parse a JSON response body. Used when the caller needs the response
+     *  payload, not just success — e.g. the coat-check ticket. Bearer iff token set (#54). */
     async postJson(pathSuffix, body) {
-        if (!this.adminToken)
-            return { ok: false, error: `no admin token (set ${exports.ADMIN_TOKEN_ENV})` };
         if (!this.fetchFn)
             return { ok: false, error: 'no fetch transport available' };
         const base = this.baseUrl();
@@ -75,22 +101,21 @@ class MissionControlActions {
         try {
             const res = await this.fetchFn(`${base}${pathSuffix}`, {
                 method: 'POST',
-                headers: { Authorization: `Bearer ${this.adminToken}`, 'Content-Type': 'application/json' },
+                headers: this.authHeaders({ 'Content-Type': 'application/json' }),
                 body: JSON.stringify(body ?? {}),
             });
             const text = await res.text().catch(() => '');
             if (res.status < 200 || res.status >= 300)
-                return { ok: false, error: `HTTP ${res.status}${text ? `: ${text.slice(0, 200)}` : ''}` };
+                return { ok: false, error: this.httpError(res.status, text.slice(0, 200)) };
             return { ok: true, data: JSON.parse(text) };
         }
         catch (err) {
             return { ok: false, error: err instanceof Error ? err.message : String(err) };
         }
     }
-    /** GET a JSON body from the daemon (bearer-authed). Used by the read surface (#700 readAnswer). */
+    /** GET a JSON body from the daemon. Used by the read surface (#700 readAnswer).
+     *  Bearer iff token set (#54). */
     async getJson(pathSuffix) {
-        if (!this.adminToken)
-            return { ok: false, error: `no admin token (set ${exports.ADMIN_TOKEN_ENV})` };
         if (!this.fetchFn)
             return { ok: false, error: 'no fetch transport available' };
         const base = this.baseUrl();
@@ -99,11 +124,11 @@ class MissionControlActions {
         try {
             const res = await this.fetchFn(`${base}${pathSuffix}`, {
                 method: 'GET',
-                headers: { Authorization: `Bearer ${this.adminToken}` },
+                headers: this.authHeaders(),
             });
             const text = await res.text().catch(() => '');
             if (res.status < 200 || res.status >= 300)
-                return { ok: false, error: `HTTP ${res.status}${text ? `: ${text.slice(0, 200)}` : ''}` };
+                return { ok: false, error: this.httpError(res.status, text.slice(0, 200)) };
             return { ok: true, data: JSON.parse(text) };
         }
         catch (err) {

package/dist/pi/mission-control/extension.d.ts

@@ -1,3 +1,4 @@
+import { type PiRole } from '../../config';
 import { type BoardModel } from './board';
 import { MissionControlActions, type ActionResult } from './actions';
 import { type InfraProgress } from '../../cli/ensure-infra';
@@ -25,6 +26,12 @@ export interface MissionControlDeps {
     renderThrottleMs?: number;
     /** Local daemon host for tailability (test override; defaults to `os.hostname()`). */
     localHost?: string;
+    /**
+     * #729 — session-role override for the dormancy gate (test seam). Defaults to
+     * {@link resolvePiRole}. The board activates ONLY for `'command-center'`;
+     * `'player'` and `'none'` both keep it dormant.
+     */
+    role?: PiRole;
 }
 /**
  * Infra-bootstrap seam (#700 P1). Defaults to the real {@link ensureInfra}; the

package/dist/pi/mission-control/extension.js

@@ -517,6 +517,21 @@ const log = (...args) => {
  */
 function createMissionControlExtension(deps = {}) {
     return (pi) => {
+        // ── #729 role gate (MUST stay first — before any registerCommand /
+        // registerTool / session_start SSE) ──
+        //
+        // The board activates ONLY in the command-center role (the operator's
+        // `agent-tempo command-center` seat, which sets AGENT_TEMPO_MISSION_CONTROL).
+        // A player session ('player') AND a bare coding `pi` ('none') both keep the
+        // board DORMANT — no commands/tools registered, no coarse SSE opened. This is
+        // the other half of #729 mutual exclusion: exactly one extension registers
+        // tools per session (no cue/recruit name collision with the player surface),
+        // and a plain `pi` stays pristine (A2 — affirmative opt-in only).
+        const role = deps.role ?? (0, config_1.resolvePiRole)();
+        if (role !== 'command-center') {
+            log(`dormant — session role is '${role}', not command-center: board not activated.`);
+            return;
+        }
         const ensemble = deps.ensemble ?? (0, config_1.getConfig)().ensemble;
         const adminToken = deps.adminToken ?? process.env[actions_1.ADMIN_TOKEN_ENV];
         const throttleMs = deps.renderThrottleMs ?? DEFAULT_RENDER_THROTTLE_MS;
@@ -549,8 +564,11 @@ function createMissionControlExtension(deps = {}) {
             activeCtx.ui.setWidget(WIDGET_KEY, (0, render_1.renderBoard)(ctrl.model, ctrl.localHost), { placement: 'aboveEditor' });
         };
         const startCoarse = () => {
+            // #54 — accurate posture: a tokenless board is FULLY functional against a
+            // local (loopback) daemon, which grants full trust. Only a REMOTE / 0.0.0.0
+            // daemon requires the admin token (it 401s tokenless reads + actions).
             if (!adminToken) {
-                log(`no admin token (${actions_1.ADMIN_TOKEN_ENV}) — board limited / disabled`);
+                log(`no ${actions_1.ADMIN_TOKEN_ENV} — OK for a local loopback daemon (full trust); a remote / 0.0.0.0 daemon will require it`);
             }
             // H5: capture the controller locally. teardown nulls the outer `coarseAbort`,
             // so the catch must check THIS signal — checking the nulled outer ref made an
@@ -589,7 +607,9 @@ function createMissionControlExtension(deps = {}) {
         const openTail = (playerId) => {
             tailAbort?.abort();
             tailAbort = null;
-            if (playerId === null || !adminToken)
+            // #54 — do NOT gate on the token: the loopback daemon serves /inner tokenless.
+            // openInnerTail sends the bearer iff present; a remote/0.0.0.0 daemon 401s → onError.
+            if (playerId === null)
                 return;
             tailAbort = new AbortController();
             // H5: resolve the daemon base URL HERE (per /tail) so a port change is

package/dist/pi/mission-control/inner-tail.d.ts

@@ -32,7 +32,13 @@ export type TailFetch = (url: string, init: {
 }>;
 export interface OpenInnerTailOptions {
     baseUrl: string;
-    adminToken: string;
+    /**
+     * Admin (T3) token. OPTIONAL (#54): a loopback daemon serves the `/inner`
+     * egress tokenless (full-trust short-circuit). When absent, no `Authorization`
+     * header is sent and the daemon decides — a remote / `0.0.0.0` daemon 401s
+     * (surfaced via `onError`).
+     */
+    adminToken?: string;
     ensemble: string;
     playerId: string;
     onFrame: (frame: InnerFrame) => void;

package/dist/pi/mission-control/inner-tail.js

@@ -44,7 +44,11 @@ async function openInnerTail(opts) {
     try {
         res = await opts.fetchFn(url, {
             method: 'GET',
-            headers: { Authorization: `Bearer ${opts.adminToken}`, Accept: 'text/event-stream' },
+            headers: {
+                Accept: 'text/event-stream',
+                // #54 — bearer ONLY when a token is set; loopback serves tokenless.
+                ...(opts.adminToken ? { Authorization: `Bearer ${opts.adminToken}` } : {}),
+            },
             signal: opts.signal,
         });
     }
@@ -54,7 +58,11 @@ async function openInnerTail(opts) {
         return;
     }
     if (res.status !== 200 || !res.body) {
-        opts.onError?.(`inner tail HTTP ${res.status}`);
+        // #54 — a tokenless 401/403 means a remote / 0.0.0.0 daemon that needs the token.
+        const hint = !opts.adminToken && (res.status === 401 || res.status === 403)
+            ? ' (set AGENT_TEMPO_HTTP_ADMIN_TOKEN for a remote/0.0.0.0 daemon; loopback needs none)'
+            : '';
+        opts.onError?.(`inner tail HTTP ${res.status}${hint}`);
         return;
     }
     const decoder = new TextDecoder();

package/dist/spawn.d.ts

@@ -174,6 +174,45 @@ export declare function buildPiConductorSpawn(opts: PiConductorSpawnOpts): {
     args: string[];
     env: Record<string, string>;
 };
+/** Inputs for {@link buildPiCommandCenterSpawn} (pure — unit-tested without spawning). */
+export interface PiCommandCenterSpawnOpts {
+    ensemble: string;
+    /** Temporal env (address/namespace/api-key/tls) built by the caller. */
+    temporalEnvVars: Record<string, string>;
+    /** Temporal task queue (forwarded for config parity; the board drives the daemon via HTTP). */
+    taskQueue: string;
+    devMode: boolean;
+    /** Daemon admin (T3) token → `AGENT_TEMPO_HTTP_ADMIN_TOKEN` (mission-control's write/gate surface). */
+    adminToken?: string;
+    /** Forwarded if set (Pi's own model auth). */
+    anthropicApiKey?: string;
+    /** Injectable resolver (defaults to the real one, which fails clean on miss). */
+    resolveBinary?: () => {
+        cmd: string;
+        args: string[];
+    };
+}
+/**
+ * Build the interactive Pi COMMAND-CENTER (mission-control) spawn spec —
+ * `{ cmd, args, env }` for {@link launchInTerminal} (#729). PURE + injectable.
+ *
+ * Unlike {@link buildPiConductorSpawn}, this passes NO `-e <ext>`: install-pi
+ * registers BOTH Pi extensions in `~/.pi/agent/settings.json`, so a plain `pi`
+ * auto-loads them and {@link resolvePiRole} (via the env below) picks exactly one.
+ * Passing `-e` here would DOUBLE-LOAD mission-control (settings.json + `-e`) → a
+ * command re-registration error. The env carries the OPERATOR subset only:
+ *   - `AGENT_TEMPO_MISSION_CONTROL=1` → the role opt-in (resolver → `command-center`).
+ *   - `AGENT_TEMPO_ENSEMBLE` → which ensemble the board observes.
+ *   - `AGENT_TEMPO_HTTP_ADMIN_TOKEN` → the daemon write/gate surface the board POSTs to.
+ *
+ * ★ It MUST NOT set `PLAYER_NAME` or `CONDUCTOR` — either flips {@link resolvePiRole}
+ * to `'player'`, which would keep the board dormant (and self-bootstrap a player).
+ */
+export declare function buildPiCommandCenterSpawn(opts: PiCommandCenterSpawnOpts): {
+    cmd: string;
+    args: string[];
+    env: Record<string, string>;
+};
 export interface CopilotBridgeOpts {
     name: string;
     ensemble: string;

package/dist/spawn.js

@@ -16,6 +16,7 @@ exports.spawnInTerminal = spawnInTerminal;
 exports.resolvePiInteractiveBinary = resolvePiInteractiveBinary;
 exports.resolvePiExtensionPath = resolvePiExtensionPath;
 exports.buildPiConductorSpawn = buildPiConductorSpawn;
+exports.buildPiCommandCenterSpawn = buildPiCommandCenterSpawn;
 exports.spawnCopilotBridge = spawnCopilotBridge;
 exports.spawnMockAdapter = spawnMockAdapter;
 exports.spawnClaudeApiAdapter = spawnClaudeApiAdapter;
@@ -673,6 +674,37 @@ function buildPiConductorSpawn(opts) {
     };
     return { cmd, args, env };
 }
+/**
+ * Build the interactive Pi COMMAND-CENTER (mission-control) spawn spec —
+ * `{ cmd, args, env }` for {@link launchInTerminal} (#729). PURE + injectable.
+ *
+ * Unlike {@link buildPiConductorSpawn}, this passes NO `-e <ext>`: install-pi
+ * registers BOTH Pi extensions in `~/.pi/agent/settings.json`, so a plain `pi`
+ * auto-loads them and {@link resolvePiRole} (via the env below) picks exactly one.
+ * Passing `-e` here would DOUBLE-LOAD mission-control (settings.json + `-e`) → a
+ * command re-registration error. The env carries the OPERATOR subset only:
+ *   - `AGENT_TEMPO_MISSION_CONTROL=1` → the role opt-in (resolver → `command-center`).
+ *   - `AGENT_TEMPO_ENSEMBLE` → which ensemble the board observes.
+ *   - `AGENT_TEMPO_HTTP_ADMIN_TOKEN` → the daemon write/gate surface the board POSTs to.
+ *
+ * ★ It MUST NOT set `PLAYER_NAME` or `CONDUCTOR` — either flips {@link resolvePiRole}
+ * to `'player'`, which would keep the board dormant (and self-bootstrap a player).
+ */
+function buildPiCommandCenterSpawn(opts) {
+    const { cmd, args } = (opts.resolveBinary ?? resolvePiInteractiveBinary)();
+    const env = {
+        ...opts.temporalEnvVars,
+        [config_1.ENV.TASK_QUEUE]: opts.taskQueue,
+        [config_1.ENV.ENSEMBLE]: opts.ensemble,
+        [config_1.ENV.MISSION_CONTROL]: '1', // #729 A2 role opt-in → resolver picks 'command-center'
+        [config_1.ENV.NO_PPID_WATCHDOG]: '1', // launched detached by the transient CLI (mirrors the conductor)
+        ...(opts.devMode ? { [config_1.ENV.DEV_MODE]: '1' } : {}),
+        ...(opts.adminToken ? { [config_1.ENV.HTTP_ADMIN_TOKEN]: opts.adminToken } : {}),
+        ...(opts.anthropicApiKey ? { ANTHROPIC_API_KEY: opts.anthropicApiKey } : {}),
+    };
+    // Deliberately NO ENV.PLAYER_NAME / ENV.CONDUCTOR — they'd flip the role to player.
+    return { cmd, args, env };
+}
 /**
  * Resolve the path to the compiled copilot bridge adapter entry point.
  * In dev (ts-node), returns a ts-node command; in production, returns the dist path.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agent-tempo",
-  "version": "1.7.0-beta.5",
+  "version": "1.7.0-beta.7",
   "description": "Many agents, one tempo. Durable coordination for multi-agent work via Temporal.",
   "keywords": [
     "mcp",