agent-tempo 1.7.0-beta.6 → 1.7.0-beta.7

package/CLAUDE.md

@@ -104,6 +104,7 @@ src/
 │   ├── hosts.ts / set-ensemble-description.ts
 │   ├── save-state.ts / fetch-state.ts / clear-state.ts
 │   ├── coat-check-put.ts / coat-check-get.ts / coat-check-list.ts / coat-check-evict.ts
+│   ├── respond.ts
 │   └── descriptor.ts  # Transport-neutral tool descriptor (TempoToolDescriptor) + renderToMcp; per-tool `build*Tool` factories live in each tool file (MD-B, Phase 1)
 ├── pi/                # Pi-native integration — a Pi session as a first-class player over the Temporal core
 │   ├── extension.ts   # `export default function(pi)` — interactive runtime entry. Holds the MODULE-SCOPE singleton `Map<workflowId, PiPlayerRuntime>` that survives Pi's per-switch instance rebuild (rebind, not re-claim); full tool surface via renderToPi; Option-C reason-discriminated teardown

package/dashboard/package.json

@@ -1,7 +1,7 @@
 {
   "name": "agent-tempo-dashboard",
   "private": true,
-  "version": "1.7.0-beta.6",
+  "version": "1.7.0-beta.7",
   "type": "module",
   "description": "Web dashboard for agent-tempo. Bundled into the npm package; served by the daemon at /dashboard/*.",
   "scripts": {

package/dist/cli/command-center-command.js

@@ -72,12 +72,14 @@ async function commandCenterCommand(args) {
         process.exit(1);
     }
     // Admin (T3) token — mission-control's operator write/gate surface reads it.
-    // Without it the board still OBSERVES (coarse SSE), but operator actions return
-    // 401; warn rather than block so a read-only board is still useful.
+    // #54: a LOCAL (loopback) daemon grants full trust tokenless, so a tokenless
+    // board is fully functional locally; only a REMOTE / 0.0.0.0 daemon requires the
+    // token. Informational (not a warning, not a block) — accurate to the daemon's
+    // own auth posture.
     const adminToken = process.env[config_1.ENV.HTTP_ADMIN_TOKEN];
     if (!adminToken) {
-        out.warn(`${config_1.ENV.HTTP_ADMIN_TOKEN} is not set — the board will observe read-only; operator ` +
-            'actions (cue/pause/restart/gate) need the admin token. Export it before launching for full control.');
+        out.log(out.dim(`  ${config_1.ENV.HTTP_ADMIN_TOKEN} not set — fine for a local (loopback) daemon (full trust). ` +
+            'Set it only if this board drives a remote / 0.0.0.0 daemon.'));
     }
     if (!process.env.ANTHROPIC_API_KEY) {
         out.warn('ANTHROPIC_API_KEY is not set — the Pi command-center will fall back to Pi\'s own auth/default model.');

package/dist/cli.js

@@ -638,6 +638,9 @@ async function main() {
             const { installPiExtensions } = await Promise.resolve().then(() => __importStar(require('./pi/install')));
             const result = installPiExtensions({ project: args.project });
             out.success(`Pi extensions installed → ${result.settingsPath}`);
+            // #52 — show pruned stale/old-version entries so an upgrade is legible.
+            for (const p of result.removed)
+                out.log(`  ${out.yellow('-')} ${p} ${out.dim('(removed stale/old-version entry)')}`);
             for (const p of result.added)
                 out.log(`  ${out.green('+')} ${p}`);
             for (const p of result.alreadyPresent)

package/dist/pi/install.d.ts

@@ -26,9 +26,34 @@ export interface InstallPiResult {
     added: string[];
     /** Extension paths already present before this run. */
     alreadyPresent: string[];
+    /**
+     * #52 — STALE agent-tempo extension paths PRUNED by this run (old-version /
+     * moved-install entries that pointed at an agent-tempo extension but are no
+     * longer the current path). Empty on a clean re-run.
+     */
+    removed: string[];
     /** The final `extensions` array written to settings.json. */
     extensions: string[];
 }
+/**
+ * #52 — does this settings `extensions` entry point at an agent-tempo Pi
+ * extension (player or command-center), of ANY version / install location?
+ *
+ * The motivating bug: a `pnpm` global install version-hashes the package dir
+ * (`.../.pnpm/agent-tempo@<version>_<hash>/node_modules/agent-tempo/...`), so on
+ * UPGRADE the recorded absolute path goes stale — and a naive add-only install
+ * leaves BOTH the old and new paths in `settings.json`, which makes `pi` fail on
+ * the now-missing stale entry. {@link installPiExtensions} prunes every match of
+ * this predicate (except the current paths) before re-adding, so a re-run
+ * REPLACES rather than duplicates.
+ *
+ * Match = an agent-tempo package marker (`/agent-tempo@…` version dir, or the
+ * `/node_modules/agent-tempo/` package dir) AND an agent-tempo extension suffix
+ * (`dist/pi/extension.js` or `dist/pi/mission-control/extension.js`). Both halves
+ * are required so a user's own unrelated extension is never pruned. Separators
+ * are normalised so the predicate holds on Windows paths too.
+ */
+export declare function isAgentTempoExtensionPath(p: string): boolean;
 /** Resolve the Pi settings.json path for the chosen scope. */
 export declare function piSettingsPath(opts?: InstallPiOptions): string;
 /**
@@ -37,6 +62,13 @@ export declare function piSettingsPath(opts?: InstallPiOptions): string;
  * write when nothing changed). Never copies any extension file — install by
  * reference only (see file header).
  *
+ * #52 — REPLACE, don't accumulate: before adding the current paths, PRUNE any
+ * STALE agent-tempo extension entries ({@link isAgentTempoExtensionPath}, minus
+ * the current paths). On a `pnpm` upgrade the package dir is version-hashed, so
+ * the recorded absolute path changes — without pruning, `settings.json` would
+ * list both the old (now-missing) and new paths and `pi` would fail on the stale
+ * one. A user's own unrelated extensions and other settings keys are preserved.
+ *
  * Tolerates a missing / empty / corrupt settings file: a missing file is
  * created; an unparseable one is replaced with a fresh object carrying just the
  * extensions (we can only safely merge a valid object). Other recognised keys in

package/dist/pi/install.js

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.piExtensionPaths = piExtensionPaths;
+exports.isAgentTempoExtensionPath = isAgentTempoExtensionPath;
 exports.piSettingsPath = piSettingsPath;
 exports.installPiExtensions = installPiExtensions;
 /**
@@ -45,6 +46,30 @@ function piExtensionPaths() {
         missionControl: (0, path_1.resolve)(__dirname, 'mission-control', 'extension.js'),
     };
 }
+/**
+ * #52 — does this settings `extensions` entry point at an agent-tempo Pi
+ * extension (player or command-center), of ANY version / install location?
+ *
+ * The motivating bug: a `pnpm` global install version-hashes the package dir
+ * (`.../.pnpm/agent-tempo@<version>_<hash>/node_modules/agent-tempo/...`), so on
+ * UPGRADE the recorded absolute path goes stale — and a naive add-only install
+ * leaves BOTH the old and new paths in `settings.json`, which makes `pi` fail on
+ * the now-missing stale entry. {@link installPiExtensions} prunes every match of
+ * this predicate (except the current paths) before re-adding, so a re-run
+ * REPLACES rather than duplicates.
+ *
+ * Match = an agent-tempo package marker (`/agent-tempo@…` version dir, or the
+ * `/node_modules/agent-tempo/` package dir) AND an agent-tempo extension suffix
+ * (`dist/pi/extension.js` or `dist/pi/mission-control/extension.js`). Both halves
+ * are required so a user's own unrelated extension is never pruned. Separators
+ * are normalised so the predicate holds on Windows paths too.
+ */
+function isAgentTempoExtensionPath(p) {
+    const n = p.replace(/\\/g, '/');
+    const fromAgentTempo = n.includes('/agent-tempo@') || n.includes('/node_modules/agent-tempo/');
+    const isExtensionEntry = n.endsWith('/dist/pi/extension.js') || n.endsWith('/dist/pi/mission-control/extension.js');
+    return fromAgentTempo && isExtensionEntry;
+}
 /** Resolve the Pi settings.json path for the chosen scope. */
 function piSettingsPath(opts = {}) {
     if (opts.project)
@@ -57,6 +82,13 @@ function piSettingsPath(opts = {}) {
  * write when nothing changed). Never copies any extension file — install by
  * reference only (see file header).
  *
+ * #52 — REPLACE, don't accumulate: before adding the current paths, PRUNE any
+ * STALE agent-tempo extension entries ({@link isAgentTempoExtensionPath}, minus
+ * the current paths). On a `pnpm` upgrade the package dir is version-hashed, so
+ * the recorded absolute path changes — without pruning, `settings.json` would
+ * list both the old (now-missing) and new paths and `pi` would fail on the stale
+ * one. A user's own unrelated extensions and other settings keys are preserved.
+ *
  * Tolerates a missing / empty / corrupt settings file: a missing file is
  * created; an unparseable one is replaced with a fresh object carrying just the
  * extensions (we can only safely merge a valid object). Other recognised keys in
@@ -84,9 +116,15 @@ function installPiExtensions(opts = {}) {
     const current = Array.isArray(settings.extensions)
         ? settings.extensions.filter((x) => typeof x === 'string')
         : [];
+    // #52 — prune STALE agent-tempo extension entries (an agent-tempo extension
+    // path that is NOT one of the current `want` paths — e.g. an old version-hashed
+    // pnpm dir). The current paths and all non-agent-tempo entries keep their
+    // original positions.
+    const removed = current.filter((p) => !want.includes(p) && isAgentTempoExtensionPath(p));
+    const removedSet = new Set(removed);
     const added = [];
     const alreadyPresent = [];
-    const merged = [...current];
+    const merged = current.filter((p) => !removedSet.has(p));
     for (const p of want) {
         if (merged.includes(p)) {
             alreadyPresent.push(p);
@@ -97,11 +135,11 @@ function installPiExtensions(opts = {}) {
         }
     }
     settings.extensions = merged;
-    // Idempotent: only write when something actually changed (or the file is
-    // absent and must be created). A clean repeat run touches nothing.
-    if (added.length > 0 || !fileExists) {
+    // Idempotent: only write when something actually changed (added, pruned, or the
+    // file is absent and must be created). A clean repeat run touches nothing.
+    if (added.length > 0 || removed.length > 0 || !fileExists) {
         (0, fs_1.mkdirSync)((0, path_1.dirname)(settingsPath), { recursive: true });
         (0, fs_1.writeFileSync)(settingsPath, `${JSON.stringify(settings, null, 2)}\n`, 'utf8');
     }
-    return { settingsPath, added, alreadyPresent, extensions: merged };
+    return { settingsPath, added, alreadyPresent, removed, extensions: merged };
 }

package/dist/pi/mission-control/actions.d.ts

@@ -32,14 +32,35 @@ export declare class MissionControlActions {
     private readonly baseUrlOverride;
     private readonly fetchFn;
     constructor(opts: MissionControlActionsOptions);
-    /** Whether the client is usable (token + transport present). */
+    /**
+     * Whether the client has a usable transport. (#54) NO LONGER gates on the admin
+     * token: a loopback daemon grants full trust tokenless, so token presence does
+     * NOT determine usability — the daemon decides per request. Token-required is
+     * enforced by the daemon (it 401s a remote/0.0.0.0 caller), not pre-empted here.
+     */
     get ready(): boolean;
     private baseUrl;
+    /**
+     * Request headers — include the admin bearer ONLY when a token is set (#54). A
+     * loopback daemon grants full trust tokenless (it short-circuits all tiers), so
+     * we attempt tokenless and never send a literal "Bearer undefined". Mirrors how
+     * `createSubscribe` already spreads its token only when present.
+     */
+    private authHeaders;
+    /**
+     * Map a non-2xx daemon response to an error string (#54). When NO token was sent
+     * and the daemon rejected on auth (401/403) or admin-unset (503), the cause is a
+     * remote / `0.0.0.0` daemon that requires the admin token — surface that
+     * actionably (a local loopback daemon needs none). Token-present failures keep
+     * the daemon's own body detail (it already returns good 403/503 hints).
+     */
+    private httpError;
     private post;
-    /** POST and parse a JSON response body (bearer-authed). Used when the caller
-     *  needs the response payload, not just success — e.g. the coat-check ticket. */
+    /** POST and parse a JSON response body. Used when the caller needs the response
+     *  payload, not just success — e.g. the coat-check ticket. Bearer iff token set (#54). */
     private postJson;
-    /** GET a JSON body from the daemon (bearer-authed). Used by the read surface (#700 readAnswer). */
+    /** GET a JSON body from the daemon. Used by the read surface (#700 readAnswer).
+     *  Bearer iff token set (#54). */
     private getJson;
     private ens;
     private player;

package/dist/pi/mission-control/actions.js

@@ -29,9 +29,14 @@ class MissionControlActions {
         this.baseUrlOverride = opts.baseUrl;
         this.fetchFn = opts.fetchFn ?? resolveFetch();
     }
-    /** Whether the client is usable (token + transport present). */
+    /**
+     * Whether the client has a usable transport. (#54) NO LONGER gates on the admin
+     * token: a loopback daemon grants full trust tokenless, so token presence does
+     * NOT determine usability — the daemon decides per request. Token-required is
+     * enforced by the daemon (it 401s a remote/0.0.0.0 caller), not pre-empted here.
+     */
     get ready() {
-        return Boolean(this.adminToken) && this.fetchFn !== null;
+        return this.fetchFn !== null;
     }
     baseUrl() {
         if (this.baseUrlOverride)
@@ -39,9 +44,32 @@ class MissionControlActions {
         const port = (0, port_file_1.readPortFile)() ?? DEFAULT_PORT;
         return `http://127.0.0.1:${port}`;
     }
+    /**
+     * Request headers — include the admin bearer ONLY when a token is set (#54). A
+     * loopback daemon grants full trust tokenless (it short-circuits all tiers), so
+     * we attempt tokenless and never send a literal "Bearer undefined". Mirrors how
+     * `createSubscribe` already spreads its token only when present.
+     */
+    authHeaders(extra = {}) {
+        return { ...extra, ...(this.adminToken ? { Authorization: `Bearer ${this.adminToken}` } : {}) };
+    }
+    /**
+     * Map a non-2xx daemon response to an error string (#54). When NO token was sent
+     * and the daemon rejected on auth (401/403) or admin-unset (503), the cause is a
+     * remote / `0.0.0.0` daemon that requires the admin token — surface that
+     * actionably (a local loopback daemon needs none). Token-present failures keep
+     * the daemon's own body detail (it already returns good 403/503 hints).
+     */
+    httpError(status, detail) {
+        if (!this.adminToken && (status === 401 || status === 403 || status === 503)) {
+            return (`HTTP ${status}: operator actions need ${exports.ADMIN_TOKEN_ENV} for a remote / 0.0.0.0 daemon ` +
+                `(a local loopback daemon needs none)${detail ? ` — ${detail}` : ''}`);
+        }
+        return `HTTP ${status}${detail ? `: ${detail}` : ''}`;
+    }
     async post(pathSuffix, body) {
-        if (!this.adminToken)
-            return { ok: false, error: `no admin token (set ${exports.ADMIN_TOKEN_ENV})` };
+        // #54 — do NOT pre-block on a missing token: attempt the request and let the
+        // daemon decide (loopback grants full trust tokenless; remote/0.0.0.0 401s).
         if (!this.fetchFn)
             return { ok: false, error: 'no fetch transport available' };
         const base = this.baseUrl();
@@ -50,23 +78,21 @@ class MissionControlActions {
         try {
             const res = await this.fetchFn(`${base}${pathSuffix}`, {
                 method: 'POST',
-                headers: { Authorization: `Bearer ${this.adminToken}`, 'Content-Type': 'application/json' },
+                headers: this.authHeaders({ 'Content-Type': 'application/json' }),
                 body: JSON.stringify(body ?? {}),
             });
             if (res.status >= 200 && res.status < 300)
                 return { ok: true, status: res.status };
             const detail = (await res.text().catch(() => '')).slice(0, 200);
-            return { ok: false, error: `HTTP ${res.status}${detail ? `: ${detail}` : ''}` };
+            return { ok: false, error: this.httpError(res.status, detail) };
         }
         catch (err) {
             return { ok: false, error: err instanceof Error ? err.message : String(err) };
         }
     }
-    /** POST and parse a JSON response body (bearer-authed). Used when the caller
-     *  needs the response payload, not just success — e.g. the coat-check ticket. */
+    /** POST and parse a JSON response body. Used when the caller needs the response
+     *  payload, not just success — e.g. the coat-check ticket. Bearer iff token set (#54). */
     async postJson(pathSuffix, body) {
-        if (!this.adminToken)
-            return { ok: false, error: `no admin token (set ${exports.ADMIN_TOKEN_ENV})` };
         if (!this.fetchFn)
             return { ok: false, error: 'no fetch transport available' };
         const base = this.baseUrl();
@@ -75,22 +101,21 @@ class MissionControlActions {
         try {
             const res = await this.fetchFn(`${base}${pathSuffix}`, {
                 method: 'POST',
-                headers: { Authorization: `Bearer ${this.adminToken}`, 'Content-Type': 'application/json' },
+                headers: this.authHeaders({ 'Content-Type': 'application/json' }),
                 body: JSON.stringify(body ?? {}),
             });
             const text = await res.text().catch(() => '');
             if (res.status < 200 || res.status >= 300)
-                return { ok: false, error: `HTTP ${res.status}${text ? `: ${text.slice(0, 200)}` : ''}` };
+                return { ok: false, error: this.httpError(res.status, text.slice(0, 200)) };
             return { ok: true, data: JSON.parse(text) };
         }
         catch (err) {
             return { ok: false, error: err instanceof Error ? err.message : String(err) };
         }
     }
-    /** GET a JSON body from the daemon (bearer-authed). Used by the read surface (#700 readAnswer). */
+    /** GET a JSON body from the daemon. Used by the read surface (#700 readAnswer).
+     *  Bearer iff token set (#54). */
     async getJson(pathSuffix) {
-        if (!this.adminToken)
-            return { ok: false, error: `no admin token (set ${exports.ADMIN_TOKEN_ENV})` };
         if (!this.fetchFn)
             return { ok: false, error: 'no fetch transport available' };
         const base = this.baseUrl();
@@ -99,11 +124,11 @@ class MissionControlActions {
         try {
             const res = await this.fetchFn(`${base}${pathSuffix}`, {
                 method: 'GET',
-                headers: { Authorization: `Bearer ${this.adminToken}` },
+                headers: this.authHeaders(),
             });
             const text = await res.text().catch(() => '');
             if (res.status < 200 || res.status >= 300)
-                return { ok: false, error: `HTTP ${res.status}${text ? `: ${text.slice(0, 200)}` : ''}` };
+                return { ok: false, error: this.httpError(res.status, text.slice(0, 200)) };
             return { ok: true, data: JSON.parse(text) };
         }
         catch (err) {

package/dist/pi/mission-control/extension.js

@@ -564,8 +564,11 @@ function createMissionControlExtension(deps = {}) {
             activeCtx.ui.setWidget(WIDGET_KEY, (0, render_1.renderBoard)(ctrl.model, ctrl.localHost), { placement: 'aboveEditor' });
         };
         const startCoarse = () => {
+            // #54 — accurate posture: a tokenless board is FULLY functional against a
+            // local (loopback) daemon, which grants full trust. Only a REMOTE / 0.0.0.0
+            // daemon requires the admin token (it 401s tokenless reads + actions).
             if (!adminToken) {
-                log(`no admin token (${actions_1.ADMIN_TOKEN_ENV}) — board limited / disabled`);
+                log(`no ${actions_1.ADMIN_TOKEN_ENV} — OK for a local loopback daemon (full trust); a remote / 0.0.0.0 daemon will require it`);
             }
             // H5: capture the controller locally. teardown nulls the outer `coarseAbort`,
             // so the catch must check THIS signal — checking the nulled outer ref made an
@@ -604,7 +607,9 @@ function createMissionControlExtension(deps = {}) {
         const openTail = (playerId) => {
             tailAbort?.abort();
             tailAbort = null;
-            if (playerId === null || !adminToken)
+            // #54 — do NOT gate on the token: the loopback daemon serves /inner tokenless.
+            // openInnerTail sends the bearer iff present; a remote/0.0.0.0 daemon 401s → onError.
+            if (playerId === null)
                 return;
             tailAbort = new AbortController();
             // H5: resolve the daemon base URL HERE (per /tail) so a port change is

package/dist/pi/mission-control/inner-tail.d.ts

@@ -32,7 +32,13 @@ export type TailFetch = (url: string, init: {
 }>;
 export interface OpenInnerTailOptions {
     baseUrl: string;
-    adminToken: string;
+    /**
+     * Admin (T3) token. OPTIONAL (#54): a loopback daemon serves the `/inner`
+     * egress tokenless (full-trust short-circuit). When absent, no `Authorization`
+     * header is sent and the daemon decides — a remote / `0.0.0.0` daemon 401s
+     * (surfaced via `onError`).
+     */
+    adminToken?: string;
     ensemble: string;
     playerId: string;
     onFrame: (frame: InnerFrame) => void;

package/dist/pi/mission-control/inner-tail.js

@@ -44,7 +44,11 @@ async function openInnerTail(opts) {
     try {
         res = await opts.fetchFn(url, {
             method: 'GET',
-            headers: { Authorization: `Bearer ${opts.adminToken}`, Accept: 'text/event-stream' },
+            headers: {
+                Accept: 'text/event-stream',
+                // #54 — bearer ONLY when a token is set; loopback serves tokenless.
+                ...(opts.adminToken ? { Authorization: `Bearer ${opts.adminToken}` } : {}),
+            },
             signal: opts.signal,
         });
     }
@@ -54,7 +58,11 @@ async function openInnerTail(opts) {
         return;
     }
     if (res.status !== 200 || !res.body) {
-        opts.onError?.(`inner tail HTTP ${res.status}`);
+        // #54 — a tokenless 401/403 means a remote / 0.0.0.0 daemon that needs the token.
+        const hint = !opts.adminToken && (res.status === 401 || res.status === 403)
+            ? ' (set AGENT_TEMPO_HTTP_ADMIN_TOKEN for a remote/0.0.0.0 daemon; loopback needs none)'
+            : '';
+        opts.onError?.(`inner tail HTTP ${res.status}${hint}`);
         return;
     }
     const decoder = new TextDecoder();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agent-tempo",
-  "version": "1.7.0-beta.6",
+  "version": "1.7.0-beta.7",
   "description": "Many agents, one tempo. Durable coordination for multi-agent work via Temporal.",
   "keywords": [
     "mcp",