agent-tempo 1.7.0-beta.7 → 1.7.0-beta.8

package/CLAUDE.md

@@ -21,10 +21,12 @@ src/
 ├── daemon.ts          # Daemon entry point — runs Temporal workers as a detached background process
 ├── cli/
 │   ├── commands.ts    # CLI command implementations (up, start, conduct, status, stop, …)
+│   ├── command-center-command.ts # command-center subcommand — crash-proof; launches Pi mission-control board; sets AGENT_TEMPO_MISSION_CONTROL=1 (#729)
 │   ├── config-command.ts # config subcommand (interactive + set/show) — crash-proof for show/set
 │   ├── daemon.ts      # Daemon management utilities (start, stop, status, heartbeat, isDaemonRunning)
 │   ├── daemon-command.ts # daemon subcommand handler — crash-proof, no Temporal deps
 │   ├── dashboard-command.ts # dashboard subcommand — crash-proof; opens the web dashboard, optionally minting a QR-code pairing token (#340)
+│   ├── ensure-infra.ts # shared infra bootstrap (`ensureInfra()`) — brings up Temporal, SAs, daemon; shared by `up` and the Pi extension `/ensemble-up` (#700 P1)
 │   ├── dev-banner.ts  # [DEV MODE] banner formatter (ADR 0014 §5.4) — gate 4 production-safety line
 │   ├── dev-mode-bootstrap.ts # pre-import side-effect: promotes top-level `--dev` flag to `CLAUDE_TEMPO_DEV_MODE=1` before any other module loads
 │   ├── dev-verbs.ts   # dev-mode scriptable CLI verbs (#432) — shell-scriptable wrappers over MCP tools for E2E validation; stripped from production surface
@@ -35,6 +37,7 @@ src/
 │   ├── output.ts      # Shared CLI output formatting helpers
 │   ├── preflight.ts   # Environment preflight checks
 │   ├── removed-verbs.ts # lookup table for the 10 CLI verbs removed in #288 — dispatches migration hints before loading Temporal surface
+│   ├── resolve-ensemble.ts # canonical ensemble-name resolver — `--ensemble` flag > positional > env > 'default' (#685)
 │   ├── sa-preflight.ts # search-attribute preflight — REQUIRED_SEARCH_ATTRIBUTES list (single source of truth), registerSearchAttribute, verifySearchAttributes, assertSearchAttributesOrExit
 │   ├── scenarios-command.ts # scenarios subcommand (dev mode only) — list/show shipped YAML scenario library (ADR 0014 §4.8)
 │   ├── startup.ts     # auto-provisioning bootstrap state machine (#289) — six-step idempotent sequence used by bare `agent-tempo` invocation
@@ -82,9 +85,6 @@ src/
 │   ├── inner-loop.ts  # InnerLoopRegistry + InnerSubscription — daemon-local fine-tail sink (3c MD-F); drop-oldest bounded queue (256) + `compacted{dropped,sinceTs}` marker; NOT on Temporal/bus, ephemeral no-replay
 │   ├── ingest-registry.ts # IngestTokenRegistry — per-player ingest token (mint-on-pi-spawn / revoke-on-destroy / revokeAll-on-shutdown); timing-safe validation; cross-player-spoof guard
 │   ├── inner-loop-routes.ts # 3 inner-loop HTTP routes: POST /inner/ingest + GET /inner/presence (INGRESS, loopback + X-Ingest-Token, uniform 403); GET /inner (EGRESS operator SSE, requireTier(3))
-│   ├── gate-registry.ts   # GateRegistry (3d MD-G) — per-player armed-gate + pending-request store; 45s lazy auto-allow (R3 locked); arm/disarm/decide/getResolution; injected auditSink + publishToInner callback
-│   ├── gate-routes.ts     # Gate HTTP routes: POST /gate-arm + /gate-disarm + /gate/:requestId (OPERATOR, Tier 3); GET /gate/:requestId/resolution (SOURCE, loopback + X-Ingest-Token); uniform 403 no-leak
-│   ├── gate-audit.ts      # createGateAuditSink — append-only JSONL at ~/.agent-tempo/gate-audit/<ensemble>/<workflowId>.jsonl; sync write (R5 durable-before-return); whitelisted path segments; swallows I/O errors
 │   ├── auth.ts        # 3e MD-E RBAC: two-token model (readToken T1 / adminToken T1+T2+T3 env-var-only); loadRbacTokens; requireTier(tier, input) → TierGuardResult; tierForToken; loadReadToken (env>config>legacy httpToken>auto-gen); loadAdminToken (env-only); TLS/legacy startup warnings in startHttpServer
 │   ├── cors.ts / responses.ts / event-id.ts / port-file.ts / index.ts
 ├── reconcile/
@@ -108,21 +108,18 @@ src/
 │   └── descriptor.ts  # Transport-neutral tool descriptor (TempoToolDescriptor) + renderToMcp; per-tool `build*Tool` factories live in each tool file (MD-B, Phase 1)
 ├── pi/                # Pi-native integration — a Pi session as a first-class player over the Temporal core
 │   ├── extension.ts   # `export default function(pi)` — interactive runtime entry. Holds the MODULE-SCOPE singleton `Map<workflowId, PiPlayerRuntime>` that survives Pi's per-switch instance rebuild (rebind, not re-claim); full tool surface via renderToPi; Option-C reason-discriminated teardown
-│   ├── phase-driver.ts / workflow-client.ts / cue-pump.ts   # Pi-event→attachment-phase machine, thin client-side WorkflowClient (lease/heartbeat 90/30, handle getter), cue pump (D10 steer/followUp)
+│   ├── phase-driver.ts / workflow-client.ts / cue-pump.ts   # Pi-event→attachment-phase machine, thin client-side WorkflowClient (lease/heartbeat 90/30, handle getter), cue pump (D10 steer/followUp; one 1s loop with a second pendingReset intake — S3 merge, D14 clean-wipe + /tempo-reset operator notice)
 │   ├── lazy-proxy.ts  # D11 createLazyProxy — Client/WorkflowHandle proxy resolving the live module-scope target per call (survives instance rebuild)
 │   ├── headless.ts    # Headless Pi runtime (Phase 3a) — boots Pi's createAgentSession with inline extension; `noExtensions: true` closes S2 exec-tool bypass; SIGTERM/SIGINT shutdown → reliable detach + dispose
 │   ├── render-tools.ts # renderToPi — registers the shared tool descriptors on Pi's ExtensionAPI (TypeBox params via the converter)
 │   ├── zod-to-typebox.ts # zod→TypeBox tool-schema converter (fail-loud on unsupported constructs; Phase 1 / D1)
 │   ├── inner-loop-publisher.ts # InnerLoopPublisher (3c MD-F) — single Pi-source observer; Tier-1 coarse via heartbeat piggyback (currentTool + context pressure), Tier-2 fine presence-gated; source coalescing (100ms/2KB) + 2KB truncation
-│   ├── inner-loop-client.ts # InnerLoopHttpClient — production InnerLoopRegistry impl: thin loopback-HTTP calls (publish→POST ingest, subscriberCount→cached presence GET); no-ops without AGENT_TEMPO_INGEST_TOKEN; 3d: also caches gateArmed from presence response
-│   ├── gate-client.ts     # GateClient (3d MD-G) — Pi-subprocess poll client for operator gate resolution; awaitDecision(requestId) polls GET /gate/:id/resolution until resolved or timeout; fail-open (allow on timeout/error/auto-allow)
-│   ├── reset-pump.ts      # ResetPump (3d D14) — polls pendingReset query every 1s; on result calls session.newSession() (clean-wipe); sends system notice; acks via ackReset signal
-│   ├── tool-capability.ts # classify(toolName) → ToolCapability ('exec' | 'high-blast' | 'low-risk'); EXEC_TOOLS denylist (F1 locked: bash/shell/exec/sh/powershell/pwsh/cmd/…); unknown → 'high-blast' (fail-safe)
+│   ├── inner-loop-client.ts # InnerLoopHttpClient — production InnerLoopRegistry impl: thin loopback-HTTP calls (publish→POST ingest, subscriberCount→cached presence GET); no-ops without AGENT_TEMPO_INGEST_TOKEN
 │   ├── mission-control/   # 3f — observer-only Pi extension that turns one interactive Pi TUI into an ensemble mission-control board + operator controller. HTTP-driven (NOT MCP tools). Never claims attachment or registers as a player.
-│   │   ├── extension.ts   # Controller (testable command handlers) + Pi extension lifecycle: session_start opens coarse SSE + ~200ms render tick + registers /players /tail /cue /pause /play /restart /destroy /reset /arm /gate; session_shutdown tears down SSE + widget
+│   │   ├── extension.ts   # Controller (testable command handlers) + Pi extension lifecycle: session_start opens coarse SSE + ~200ms render tick + registers /players /tail /cue /pause /play /restart /destroy /reset; session_shutdown tears down SSE + widget
 │   │   ├── board.ts       # Pure BoardModel + reducers: applyTempoEvent (coarse /events SSE) + applyInnerFrame (selected-player inner tail); revision counter drives render throttle
-│   │   ├── render.ts      # Pure BoardModel → string[] renderer; phase glyphs, part, currentTool, context%, selected-player tail (12 lines), inner.gate_pending/gate_resolved frames
-│   │   ├── actions.ts     # Daemon HTTP write-surface client (T2 + T3 bearer): cue/pause/play/restart/destroy + gate arm/disarm/decide; reads AGENT_TEMPO_HTTP_ADMIN_TOKEN
+│   │   ├── render.ts      # Pure BoardModel → string[] renderer; phase glyphs, part, currentTool, context%, selected-player tail (12 lines)
+│   │   ├── actions.ts     # Daemon HTTP write-surface client (T2 + T3 bearer): cue/pause/play/restart/destroy; reads AGENT_TEMPO_HTTP_ADMIN_TOKEN
 │   │   ├── inner-tail.ts  # Operator-egress /inner SSE consumer (T3 bearer): pure parseInnerSse + injectable stream pump; cross-host note: baseUrl is the preferredHost seam
 │   │   ├── pi-ui.ts       # Local structural slice of Pi's ctx.ui / registerCommand / registerShortcut API (self-contained; tsc green without optional Pi dep)
 │   │   └── index.ts       # Barrel — re-exports Controller, BoardModel, renderBoard, MissionControlActions, and public types
@@ -211,17 +208,16 @@ daemon worker notes, `npx ts-node` dev runner).
 - **Claude API adapter** (`agent: 'claude-api'`, #131): Headless adapter that drives sessions via the Anthropic Messages API (`@anthropic-ai/sdk`) — no terminal, no Claude Code CLI. Requires `ANTHROPIC_API_KEY` env var and the `@anthropic-ai/sdk` optional dependency. Default model `claude-opus-4-7` (overridable via `model` recruit arg or `CLAUDE_TEMPO_API_MODEL` env). Claude-API players have access to agent-tempo MCP tools (cue, report, recall, ensemble, …) but not file-edit/shell/web tools. See `src/adapters/claude-api/`.
 - **OpenCode adapter** (`agent: 'opencode'`, #449): Headless multi-provider adapter that drives sessions via [SST OpenCode](https://opencode.ai) as a managed subprocess — supports Anthropic, OpenAI, Bedrock, Vertex, Ollama, and ~70 other providers via OpenCode's `provider/model` selector. Requires OpenCode CLI (`npm install -g opencode-ai`) and the `@opencode-ai/sdk` optional dependency. Recruit with `model: 'provider/name'` (e.g. `'anthropic/claude-opus-4-7'`). Tool bridging is MCP-native — OpenCode spawns `dist/server.js` as its own stdio MCP child. Session state is persisted server-side by OpenCode; the adapter stashes the session id on workflow metadata for reconnect across `opencode serve` restarts. See `src/adapters/opencode/`.
 - **Claude Code headless adapter** (`agent: 'claude-code-headless'`, #520): Headless adapter that drives sessions via the official `claude` CLI as a per-turn `claude -p --output-format stream-json` subprocess. The whole point: turns bill against the host's existing Claude Code subscription extra-usage credits (Pro / Max plans) rather than a Console workspace API key — the only ToS-clean way for a third-party tool to tap that pool. Requires the `claude` binary on PATH AND a logged-in Claude Code session (`claude auth login`); recruit pre-flight rejects with an actionable error otherwise. Tool surface is the union of full Claude Code built-ins (Bash / Read / Write / Edit / Glob / Grep / WebSearch / WebFetch) and the agent-tempo MCP surface — registered via inline `--mcp-config` so `claude` spawns `dist/server.js` as its own MCP child (no in-process bridge). Recruit knobs: `permissionMode` (default `'acceptEdits'`) or `dangerouslySkipPermissions: true` (mutually exclusive). Sessions resume across restart via the existing `sessionId` metadata field — the same UUID is shared with the interactive `claude-code` adapter (per-cwd JSONL is per-cwd, not per-adapter). See `src/adapters/claude-code-headless/` and `examples/ensembles/tempo-headless-jam.yaml`.
-- **Pi adapter** (`agent: 'pi'`, #632 / #666): Two modes. **(1) Interactive conductor** (#666): `agent-tempo up --agent pi --ensemble <name>` launches `pi` in a real terminal with the agent-tempo extension auto-loaded (`pi -e dist/pi/extension.js`); the Pi session self-bootstraps its Temporal workflow and attaches as a conductor/player — no separate recruiter step. From the TUI, `/recruit-conductor` relaunches the active ensemble's conductor — set `conductor.agent: pi` in that ensemble's lineup to make it a Pi conductor. Requires `@earendil-works/pi-coding-agent` on Node ≥ 22.19. Recommended: `ANTHROPIC_API_KEY` (without it the session falls back to Pi's own auth/default model). The `AGENT_TEMPO_*` env is auto-wired by `up`; power users can invoke the extension directly with `pi -e dist/pi/extension.js`. `--model provider/model` selector (e.g. `'github-copilot/gpt-4o'`) is a fast-follow. **(2) Headless player** (Phase 3a): `recruit` with `agent: 'pi'` — no terminal, no BaseAttachment; runs `createAgentSession` with an in-memory `SessionManager`; the module-scope singleton owns claim/heartbeat/tools/cue pump (MD-D). MD-C tool-access policy: `toolAccess: 'restricted'` (default — Bash/shell/exec HARD-BLOCKED) | `'standard'` (scoped Bash) | `'full'` (unsandboxed; requires `force: true`). `noExtensions: true` closes the S2 exec-tool-bypass gap. See `src/adapters/pi/` and `src/pi/headless.ts`.
-- **Mission-control / Command-center** (3f, #700 P2): An interactive Pi TUI that is both a live ensemble board + operator controller and an LLM planner. Board side: HTTP-drives the daemon — coarse ensemble view via `/v1/events/:ensemble` SSE + fine per-player tail via `/inner` (T3); operator controls (cue/pause/play/restart/destroy + gate arm/disarm/decide) POST to the daemon write surface using `AGENT_TEMPO_HTTP_ADMIN_TOKEN`. Planner side: registers LLM tools (`ask` / `handoff` / `cue` / `recruit` / `observe_board`) via `MissionControlActions` — HTTP-backed, distinct from the player extension's `renderToPi` MCP surface. **Never claims attachment or registers as a player** — invisible to the ensemble. Launch with **`agent-tempo command-center [ensemble]`** (aliases: `cc`, `board`) — sets `AGENT_TEMPO_MISSION_CONTROL=1`. **Role-gated and mutually exclusive** with the player extension (`resolvePiRole` discriminator: explicit `AGENT_TEMPO_PI_ROLE` → `PLAYER_NAME` present → `AGENT_TEMPO_MISSION_CONTROL` → `none`): a bare `pi` keeps both extensions dormant (plain coding session); a player session (`up --agent pi` / `recruit`) keeps the board dormant. Power users invoking `pi -e dist/pi/extension.js` directly without `PLAYER_NAME` also resolve to `none` (dormant) — set `AGENT_TEMPO_PI_ROLE=player` to force player mode. See `src/pi/mission-control/`.
+- **Pi adapter** (`agent: 'pi'`, #632 / #666): Two modes. **(1) Interactive conductor** (#666): `agent-tempo up --agent pi --ensemble <name>` launches `pi` in a real terminal with the agent-tempo extension auto-loaded (`pi -e dist/pi/extension.js`); the Pi session self-bootstraps its Temporal workflow and attaches as a conductor/player — no separate recruiter step. From the TUI, `/recruit-conductor` relaunches the active ensemble's conductor — set `conductor.agent: pi` in that ensemble's lineup to make it a Pi conductor. Requires `@earendil-works/pi-coding-agent` on Node ≥ 22.19. Recommended: `ANTHROPIC_API_KEY` (without it the session falls back to Pi's own auth/default model). The `AGENT_TEMPO_*` env is auto-wired by `up`; power users can invoke the extension directly with `pi -e dist/pi/extension.js`. `--model provider/model` selector (e.g. `'github-copilot/gpt-4o'`) is a fast-follow. **(2) Headless player** (Phase 3a): `recruit` with `agent: 'pi'` — no terminal, no BaseAttachment; runs `createAgentSession` with an in-memory `SessionManager`; the module-scope singleton owns claim/heartbeat/tools/cue pump (MD-D). Pi players run the full tool surface — incl. shell — with no permission layer, like the other adapters (the former `toolAccess`/`guardrailPolicy` knobs were removed). `noExtensions: true` stays: it blocks third-party disk/package extensions from loading into a recruited player (supply-chain hygiene). See `src/adapters/pi/` and `src/pi/headless.ts`.
+- **Mission-control / Command-center** (3f, #700 P2): An interactive Pi TUI that is both a live ensemble board + operator controller and an LLM planner. Board side: HTTP-drives the daemon — coarse ensemble view via `/v1/events/:ensemble` SSE + fine per-player tail via `/inner` (T3); operator controls (cue/pause/play/restart/destroy) POST to the daemon write surface using `AGENT_TEMPO_HTTP_ADMIN_TOKEN`. Planner side: registers LLM tools (`ask` / `handoff` / `cue` / `recruit` / `observe_board`) via `MissionControlActions` — HTTP-backed, distinct from the player extension's `renderToPi` MCP surface. **Never claims attachment or registers as a player** — invisible to the ensemble. Launch with **`agent-tempo command-center [ensemble]`** (aliases: `cc`, `board`) — sets `AGENT_TEMPO_MISSION_CONTROL=1`. **Loopback auto-token** (#736): a local (loopback) daemon grants full trust without `AGENT_TEMPO_HTTP_ADMIN_TOKEN`; only a remote daemon requires explicit token configuration. **Role-gated and mutually exclusive** with the player extension (`resolvePiRole` discriminator: explicit `AGENT_TEMPO_PI_ROLE` → `PLAYER_NAME` present → `AGENT_TEMPO_MISSION_CONTROL` → `none`): a bare `pi` keeps both extensions dormant (plain coding session); a player session (`up --agent pi` / `recruit`) keeps the board dormant. Power users invoking `pi -e dist/pi/extension.js` directly without `PLAYER_NAME` also resolve to `none` (dormant) — set `AGENT_TEMPO_PI_ROLE=player` to force player mode. See `src/pi/mission-control/`.
 - **Command-center planner** (#700 P2): An inbox-less interactive Pi session (the operator's planning seat) that routes questions to players via correlated `cue` tags (`[Q <questionId>]`). Players answer with the `respond` MCP tool, which parks the answer on the per-ensemble maestro Q&A mailbox (TTL 1h, 20-slot cap). The planner is woken by an `answer` SSE event when the answer lands (`docs/SSE-PROTOCOL.md` §6). `/handoff` cues hand active work to a conductor (a registered player with a Temporal inbox). See `docs/concepts.md` for the Q&A mechanics.
-- **Guardrail policy** (`guardrailPolicy` recruit arg, #700 P2): Per-player posture for the operator gate on headless Pi players. Four values — `'autonomous'` (default; no gate), `'monitored'` (gate engaged; fail-open: auto-allow after 45 s), `'supervised'` (gate engaged; fail-closed: auto-deny after 300 s; **client-cooperative in P2, not tamper-proof**; daemon-side enforcement is P2.1 #44), `'observe-only'` (non-`low-risk` tools hard-blocked outright). Persisted on `SessionMetadata`; re-sourced at each `(re)attach` from `getMetadata`. See `docs/concepts.md` for operator gate mechanics.
 - **Mock adapter** (`agent: 'mock'`, dev mode only): Four modes: `echo` (echoes input), `scripted` (replays YAML scenario rules), `silent` (drains messages without replying — heartbeat-stale validation), `chaos` (probabilistic fail/crash injection via seeded PRNG). Only registered when `isDevMode()` is true; stripped from the npm tarball by `prepack`. See `src/adapters/mock/`.
 - **Saveable state** (#334, ADR 0011): Per-player curated state slots — the player itself decides what context survives a restart. Three MCP tools: `save_state` (owner-only write, max 4 slots × 32 KiB), `fetch_state` (read self or peer; audit identity recorded on each entry's `savedBy`), `clear_state` (owner-only). `restart` accepts `loadFromState: true | 'someKey'` to seed the new session from a saved-state slot instead of (or, with `transcript: 'replay'`, alongside) transcript replay. Saved-state delivery uses `from: 'self-restart'` as a stable system identity. Empty-slot fallback: graceful — falls through to transcript replay with a log line. See [docs/design/334-player-saveable-state.md](docs/design/334-player-saveable-state.md).
 - **Coat-check** (#318, ADR 0008): Per-ensemble transient content store on Maestro state. Solves the 100 KB cue body cap — stash a large artifact with `coat_check_put` (returns a ticket id) and attach the ticket to a `cue` via `attachmentTicket`; the recipient calls `coat_check_get` to pull the full body. Four MCP tools: `coat_check_put` (any player; max 32 KiB per entry, 20 slots per ensemble, TTL 7d default), `coat_check_get` (any player; bumps fetch-audit counters), `coat_check_list` (read-only survey; headers only, content omitted), `coat_check_evict` (owner or conductor). Saturation rejects with `CoatCheckSlotsFull` (no LRU eviction). See `src/tools/coat-check-*.ts` and [docs/adr/0008-coat-check-pattern.md](docs/adr/0008-coat-check-pattern.md).
 - **Lineup examples**: Six pre-built ensemble YAML files in `examples/ensembles/` — `tempo-big-band`, `tempo-dev-team`, `tempo-review-squad`, `tempo-jam-session`, `tempo-mock-jam` (dev-mode all-mock ensemble), `tempo-headless-jam` (#520 — all-`claude-code-headless` subscription-billed ensemble). Load with `agent-tempo up --lineup <name>` or the `load_lineup` tool.
 - **GitHub App identity** (`agent-tempo[bot]`): When a player writes to GitHub — issue comments, PR creation/merge, commits, labels, check runs — **use `./scripts/ensemble-gh`** instead of `gh`. The wrapper mints a short-lived installation token so the action is attributed to `agent-tempo[bot]`, not to the human maintainer, making the AI authorship visible. Plain `gh` is still correct for read-only local dev (`gh pr view`, `gh repo clone`, `gh auth status`). Every bot-authored comment/PR body must include the AI attribution footer documented in [docs/github-app.md](docs/github-app.md).
 
-See [docs/concepts.md](docs/concepts.md) for the full glossary (Adapter, Attachment phases, Restart, Detach/Destroy, Migrate, Broadcast, Recall, Schedule, Lineup, Quality Gate, Worktree, Stage, Hold/Release, Pause/Resume, Maestro, TempoClient, Guardrail policy, Command-center planner, and more).
+See [docs/concepts.md](docs/concepts.md) for the full glossary (Adapter, Attachment phases, Restart, Detach/Destroy, Migrate, Broadcast, Recall, Schedule, Lineup, Quality Gate, Worktree, Stage, Hold/Release, Pause/Resume, Maestro, TempoClient, Command-center planner, and more).
 
 ## Commit Convention
 

package/README.md

@@ -277,7 +277,16 @@ From the TUI, `/recruit-conductor` relaunches the active ensemble's conductor
 
 **Prerequisites:** `@earendil-works/pi-coding-agent` on Node ≥ 22.19. Recommended: `ANTHROPIC_API_KEY` (without it the session falls back to Pi's own auth/default model).
 
-**Headless Pi players** — recruit as a background agent slot using `agent: 'pi'`. Pass `guardrailPolicy: 'monitored' | 'supervised' | 'observe-only'` to control the operator gate (default `'autonomous'` — no gate). See [docs/concepts.md](docs/concepts.md#command-center-and-player-supervision) for the gate mechanics and the supervised caveat.
+**Headless Pi players** — recruit as a background agent slot using `agent: 'pi'`. Pi players run the full tool surface — including shell — without an approval layer, exactly like the other adapters. Observe them live via the mission-control board (coarse SSE + fine `/inner` tail); control via `cue`/`pause`/`restart`/`destroy`/`reset`. See [docs/concepts.md](docs/concepts.md#command-center-and-player-supervision).
+
+**Mission-control board** — operator-only view that observes the ensemble and sends operator actions (cue, pause, restart, destroy) without joining as a player:
+
+```bash
+agent-tempo install-pi        # install Pi extensions (once per machine)
+agent-tempo command-center    # launch the board (aliases: cc, board)
+```
+
+The admin token is injected automatically for loopback daemons — no manual token setup required locally (#736).
 
 📖 [Pi integration reference → docs/design/pi-hardening-h1-h2-h3.md](docs/design/pi-hardening-h1-h2-h3.md)
 

package/dashboard/package.json

@@ -1,7 +1,7 @@
 {
   "name": "agent-tempo-dashboard",
   "private": true,
-  "version": "1.7.0-beta.7",
+  "version": "1.7.0-beta.8",
   "type": "module",
   "description": "Web dashboard for agent-tempo. Bundled into the npm package; served by the daemon at /dashboard/*.",
   "scripts": {

package/dist/activities/outbox.d.ts

@@ -1,9 +1,8 @@
 import { Client } from '@temporalio/client';
 import { Config } from '../config';
-import { AgentType, AttachmentPhase, MockMode, DetachReason, GuardrailPolicy } from '../types';
+import { AgentType, AttachmentPhase, MockMode, DetachReason } from '../types';
 import type { ClaudeCodeHeadlessPermissionMode } from '../adapters/claude-code-headless/types';
 import type { IngestTokenRegistry } from '../http/ingest-registry';
-import type { GateRegistry } from '../http/gate-registry';
 import { type HardTerminateInput, type HardTerminateResult } from './hard-terminate';
 export interface DeliverCueInput {
     ensemble: string;
@@ -60,12 +59,6 @@ export interface StartRecruitedSessionInput {
      * can recover the original choice. Ignored when `agent !== 'claude-api'`.
      */
     model?: string;
-    /**
-     * #700 (P2 / G) — guardrail posture. Persisted onto
-     * `SessionMetadata.guardrailPolicy` so restart recovers it. Ignored when
-     * `agent !== 'pi'`. Absent ⇒ autonomous.
-     */
-    guardrailPolicy?: GuardrailPolicy;
 }
 export interface ReleasePlayerInput {
     ensemble: string;
@@ -174,21 +167,6 @@ export interface SpawnProcessInput {
      * exclusive with {@link permissionMode}.
      */
     dangerouslySkipPermissions?: boolean;
-    /**
-     * Phase 3a / MD-C — headless Pi tool-class policy. Forwarded as
-     * `AGENT_TEMPO_TOOL_ACCESS`. Only meaningful when `agent === 'pi'`. One of
-     * `'restricted'` (default; Bash hard-blocked) | `'standard'` | `'full'`.
-     * Inline literal — kept off the workflow-sandbox import path (see the
-     * RecruitOutboxEntry note in src/types.ts).
-     */
-    toolAccess?: 'restricted' | 'standard' | 'full';
-    /**
-     * #700 (P2 / G) — headless Pi guardrail posture. Forwarded as
-     * `AGENT_TEMPO_GUARDRAIL_POLICY`. Sourced from durable
-     * `SessionMetadata.guardrailPolicy` on (re)spawn. Only meaningful when
-     * `agent === 'pi'`. Absent ⇒ autonomous (the extension default).
-     */
-    guardrailPolicy?: GuardrailPolicy;
 }
 export interface OutboxActivityResult {
     success: boolean;
@@ -240,4 +218,4 @@ export interface OutboxActivities {
  * claim — phase is legitimately live) → never skipped. Pure + exported for tests.
  */
 export declare function shouldSkipDuplicateSpawn(attachmentId: string | undefined, phase: AttachmentPhase): boolean;
-export declare function createOutboxActivities(client: Client, config: Config, ingestTokens?: IngestTokenRegistry, gate?: GateRegistry): OutboxActivities;
+export declare function createOutboxActivities(client: Client, config: Config, ingestTokens?: IngestTokenRegistry): OutboxActivities;

package/dist/activities/outbox.js

@@ -156,7 +156,7 @@ function shouldSkipDuplicateSpawn(attachmentId, phase) {
         return false; // restart/migrate handoff — must spawn
     return phase === 'attached' || phase === 'processing' || phase === 'awaiting';
 }
-function createOutboxActivities(client, config, ingestTokens, gate) {
+function createOutboxActivities(client, config, ingestTokens) {
     return {
         async deliverCue(input) {
             const { ensemble, fromPlayerId, targetPlayerId, message, broadcastId, attachmentTicket } = input;
@@ -233,7 +233,7 @@ function createOutboxActivities(client, config, ingestTokens, gate) {
             }
         },
         async startRecruitedSession(input) {
-            const { ensemble, targetName, workDir, isConductor, initialMessage, fromPlayerId, agent, systemPrompt, taskQueue, agentDefinition, agentDefinitionDescription, held, model, guardrailPolicy } = input;
+            const { ensemble, targetName, workDir, isConductor, initialMessage, fromPlayerId, agent, systemPrompt, taskQueue, agentDefinition, agentDefinitionDescription, held, model } = input;
             try {
                 const workflowId = isConductor
                     ? (0, config_1.conductorWorkflowId)(ensemble)
@@ -267,11 +267,6 @@ function createOutboxActivities(client, config, ingestTokens, gate) {
                         // (different value shapes — bare vs `provider/model`) — the spawn
                         // path inspects `metadata.agentType` to know which env var to set.
                         ...((agent === 'claude-api' || agent === 'opencode' || agent === 'pi') && model ? { model } : {}),
-                        // #700 (P2 / G) — persist the guardrail posture on DURABLE metadata so
-                        // arm-at-boot reads the real posture on every (re)attach; a restart
-                        // can't silently downgrade a supervised player. Only when explicitly
-                        // set (absent ⇒ autonomous). Pi-only for P2.
-                        ...(agent === 'pi' && guardrailPolicy ? { guardrailPolicy } : {}),
                         ...(agentDefinition ? { playerType: agentDefinition } : {}),
                         ...(agentDefinitionDescription ? { playerTypeDescription: agentDefinitionDescription } : {}),
                         recruitedBy: fromPlayerId,
@@ -329,7 +324,7 @@ function createOutboxActivities(client, config, ingestTokens, gate) {
             }
         },
         async spawnProcess(input) {
-            const { targetName, workDir, isConductor, agent, systemPrompt, ensemble, temporalAddress, temporalNamespace, agentDefinition, agentDefinitionPath, nativeResolvable, resume, sessionId, allowedTools, claudeBin, attachmentId, attachmentRunId, adapterId, mockMode, mockScenario, model, permissionMode, dangerouslySkipPermissions, toolAccess, guardrailPolicy } = input;
+            const { targetName, workDir, isConductor, agent, systemPrompt, ensemble, temporalAddress, temporalNamespace, agentDefinition, agentDefinitionPath, nativeResolvable, resume, sessionId, allowedTools, claudeBin, attachmentId, attachmentRunId, adapterId, mockMode, mockScenario, model, permissionMode, dangerouslySkipPermissions } = input;
             // Read secrets from the worker's config closure — never from workflow state
             const { temporalApiKey, temporalTlsCertPath, temporalTlsKeyPath } = config;
             // #676 FIX-3 — double-dispatch backstop (ACTIVITY-level; no workflow/bundle
@@ -492,11 +487,10 @@ function createOutboxActivities(client, config, ingestTokens, gate) {
                 else if (agent === 'pi') {
                     // Phase 3a — headless Pi runtime. Injects the src/pi extension into
                     // Pi's createAgentSession; the module-scope singleton owns the
-                    // lifecycle (claim/heartbeat/tools/cue-pump). Tool access is governed
-                    // by the MD-C `toolAccess` policy (restricted hard-blocks Bash via the
-                    // extension's tool_call gate), NOT per-tool allowlists.
+                    // lifecycle (claim/heartbeat/tools/cue-pump). Pi players run the full
+                    // Pi tool surface — per-tool allowlists are not supported.
                     if (allowedTools && allowedTools.length > 0) {
-                        log(`Warning: allowedTools [${allowedTools.join(', ')}] specified for pi agent "${targetName}" — Pi tool access is governed by toolAccess (MD-C), skipping allowedTools`);
+                        log(`Warning: allowedTools [${allowedTools.join(', ')}] specified for pi agent "${targetName}" — Pi players run the full tool surface, skipping allowedTools`);
                     }
                     // 3c Tier-2 — mint a per-player ingest token scoped to this player's
                     // session workflowId so the headless Pi subprocess can authenticate its
@@ -504,13 +498,6 @@ function createOutboxActivities(client, config, ingestTokens, gate) {
                     // REPLACES) means a restart re-mints and naturally revokes the stale
                     // token. Injected into the subprocess env as AGENT_TEMPO_INGEST_TOKEN.
                     const ingestToken = ingestTokens?.mint((0, config_1.sessionWorkflowId)(ensemble, targetName));
-                    // #712 — record the DURABLE guardrail policy on the daemon gate at spawn
-                    // (beside the ingest-token mint, same daemon process + lifecycle) so the
-                    // gate's failMode cross-check is daemon-authoritative from the FIRST
-                    // engagement — no lazy metadata query on the common path. Absent ⇒
-                    // autonomous (the extension default). Mint REPLACES on restart; setPolicy
-                    // likewise re-stamps the current durable posture (no silent downgrade).
-                    gate?.setPolicy((0, config_1.sessionWorkflowId)(ensemble, targetName), guardrailPolicy ?? 'autonomous');
                     const { pid } = (0, spawn_1.spawnPiHeadless)({
                         name: targetName,
                         ensemble,
@@ -525,14 +512,12 @@ function createOutboxActivities(client, config, ingestTokens, gate) {
                         // Restart-resume: continue the prior Pi conversation only on a
                         // restart (resume=true); a fresh recruit starts a new Pi session.
                         continueSessionId: resume ? sessionId : undefined,
-                        toolAccess,
-                        guardrailPolicy,
                         attachmentId,
                         attachmentRunId,
                         adapterId,
                         ingestToken,
                     });
-                    log(`Spawned pi headless adapter (pid ${pid}) in ${workDir} as "${targetName}" (toolAccess=${toolAccess ?? 'restricted'})${guardrailPolicy ? ` (guardrailPolicy=${guardrailPolicy})` : ''}${model ? ` (model=${model})` : ''}${resume && sessionId ? ` (continue=${sessionId})` : ''}${attachmentId ? ` (attachmentId=${attachmentId})` : ''}`);
+                    log(`Spawned pi headless adapter (pid ${pid}) in ${workDir} as "${targetName}"${model ? ` (model=${model})` : ''}${resume && sessionId ? ` (continue=${sessionId})` : ''}${attachmentId ? ` (attachmentId=${attachmentId})` : ''}`);
                 }
                 else {
                     // Resolve agent flags: --agent (native) > --system-prompt (shipped/legacy)
@@ -654,9 +639,6 @@ function createOutboxActivities(client, config, ingestTokens, gate) {
                 // the player goes away. Mirrors the destroy-side revoke; idempotent and a
                 // no-op for non-Pi players (they never minted one). Re-attach re-mints.
                 ingestTokens?.revoke((0, config_1.sessionWorkflowId)(ensemble, targetPlayerId));
-                // 3d MD-G — auto-disarm the gate on detach (the operator's gate posture
-                // shouldn't survive the player going away; re-attach re-arms). Idempotent.
-                gate?.clearPlayer((0, config_1.sessionWorkflowId)(ensemble, targetPlayerId));
                 log(`Detach signaled for "${targetPlayerId}" (deadline=${deadlineMs}ms)`);
                 return { success: true };
             }
@@ -698,9 +680,6 @@ function createOutboxActivities(client, config, ingestTokens, gate) {
                 // revokeIngestToken(workflowId) on detach — deferred; residual surface
                 // negligible (dead holder + loopback-only + single-token replacement).
                 ingestTokens?.revoke((0, config_1.sessionWorkflowId)(ensemble, targetPlayerId));
-                // 3d MD-G — auto-disarm: drop the gate's armed-state + any pending
-                // requests for the destroyed player (idempotent; no-op for non-Pi).
-                gate?.clearPlayer((0, config_1.sessionWorkflowId)(ensemble, targetPlayerId));
                 if (notifyConductor) {
                     try {
                         const condId = (0, config_1.conductorWorkflowId)(ensemble);
@@ -965,10 +944,6 @@ function createOutboxActivities(client, config, ingestTokens, gate) {
                             // metadata.model field landed (which fall back to the env / default
                             // chain inside the adapter).
                             ...(metadata.model !== undefined ? { model: metadata.model } : {}),
-                            // #700 (P2 / G) — guardrail posture carried across restart, read from
-                            // DURABLE SessionMetadata so the restarted player re-arms the SAME
-                            // posture (no silent downgrade). Absent ⇒ autonomous.
-                            ...(metadata.guardrailPolicy !== undefined ? { guardrailPolicy: metadata.guardrailPolicy } : {}),
                             ...(resolved ? {
                                 agentDefinition: resolved.name,
                                 agentDefinitionPath: resolved.path,

package/dist/adapters/pi/adapter.js

@@ -21,27 +21,9 @@ const log = (...args) => {
     // eslint-disable-next-line no-console
     console.error('[agent-tempo:pi]', ...args);
 };
-/** Normalize the env tool-access value to the MD-C policy (default 'restricted'). */
-function readToolAccess() {
-    const raw = process.env[config_1.ENV.TOOL_ACCESS];
-    return raw === 'standard' || raw === 'full' ? raw : 'restricted';
-}
-/**
- * #700 (P2 / G) — normalize the env guardrail posture. Unknown / absent ⇒
- * undefined (the extension defaults to 'autonomous'). The durable source is
- * SessionMetadata; this env is re-derived from it on every (re)spawn.
- */
-function readGuardrailPolicy() {
-    const raw = process.env[config_1.ENV.GUARDRAIL_POLICY];
-    return raw === 'autonomous' || raw === 'monitored' || raw === 'supervised' || raw === 'observe-only'
-        ? raw
-        : undefined;
-}
 /** Parse the spawn-provided env into options and run. Exported for testing. */
 async function main() {
     await (0, headless_1.runHeadlessPi)({
-        toolAccess: readToolAccess(),
-        guardrailPolicy: readGuardrailPolicy(),
         model: process.env[config_1.ENV.PI_MODEL] || undefined,
         continueSessionId: process.env[config_1.ENV.PI_CONTINUE_SESSION] || undefined,
     });

package/dist/cli.js

@@ -638,7 +638,7 @@ async function main() {
             const { installPiExtensions } = await Promise.resolve().then(() => __importStar(require('./pi/install')));
             const result = installPiExtensions({ project: args.project });
             out.success(`Pi extensions installed → ${result.settingsPath}`);
-            // #52 — show pruned stale/old-version entries so an upgrade is legible.
+            // #738 — show pruned stale/old-version entries so an upgrade is legible.
             for (const p of result.removed)
                 out.log(`  ${out.yellow('-')} ${p} ${out.dim('(removed stale/old-version entry)')}`);
             for (const p of result.added)

package/dist/config.d.ts

@@ -62,26 +62,6 @@ export declare const ENV: {
      * recruit → a new Pi session.
      */
     readonly PI_CONTINUE_SESSION: "AGENT_TEMPO_PI_CONTINUE_SESSION";
-    /**
-     * Phase 3a / MD-C — headless Pi tool-access policy. One of
-     * `restricted` (default; Bash/shell/exec HARD-BLOCKED) | `standard` (scoped
-     * Bash) | `full` (unsandboxed; admin-gated at recruit). Read by the Pi
-     * extension's `tool_call` gate (mode='headless' only). Mirrors
-     * {@link PERMISSION_MODE}'s threading.
-     */
-    readonly TOOL_ACCESS: "AGENT_TEMPO_TOOL_ACCESS";
-    /**
-     * #700 (P2 / G) — headless Pi guardrail posture. One of `autonomous`
-     * (default; no gate) | `monitored` (operator-armed, fail-OPEN) | `supervised`
-     * (fail-CLOSED, self-arming) | `observe-only` (no-act). Read by the Pi
-     * extension's `tool_call` gate (mode='headless'). The DURABLE source of truth
-     * is {@link SessionMetadata.guardrailPolicy}; this env var is just the per-boot
-     * transport — the (re)spawn always re-derives it from metadata, so a restart
-     * can never silently downgrade a supervised player (mirrors how `model` is
-     * re-threaded from durable metadata across restart, NOT the ephemeral
-     * `TOOL_ACCESS` env-only path).
-     */
-    readonly GUARDRAIL_POLICY: "AGENT_TEMPO_GUARDRAIL_POLICY";
     /**
      * 3c Tier-2 ingest auth. The daemon mints a per-player ingest token (scoped to
      * the session workflowId) BEFORE spawning a headless Pi player and threads it

package/dist/config.js

@@ -91,26 +91,6 @@ exports.ENV = {
      * recruit → a new Pi session.
      */
     PI_CONTINUE_SESSION: 'AGENT_TEMPO_PI_CONTINUE_SESSION',
-    /**
-     * Phase 3a / MD-C — headless Pi tool-access policy. One of
-     * `restricted` (default; Bash/shell/exec HARD-BLOCKED) | `standard` (scoped
-     * Bash) | `full` (unsandboxed; admin-gated at recruit). Read by the Pi
-     * extension's `tool_call` gate (mode='headless' only). Mirrors
-     * {@link PERMISSION_MODE}'s threading.
-     */
-    TOOL_ACCESS: 'AGENT_TEMPO_TOOL_ACCESS',
-    /**
-     * #700 (P2 / G) — headless Pi guardrail posture. One of `autonomous`
-     * (default; no gate) | `monitored` (operator-armed, fail-OPEN) | `supervised`
-     * (fail-CLOSED, self-arming) | `observe-only` (no-act). Read by the Pi
-     * extension's `tool_call` gate (mode='headless'). The DURABLE source of truth
-     * is {@link SessionMetadata.guardrailPolicy}; this env var is just the per-boot
-     * transport — the (re)spawn always re-derives it from metadata, so a restart
-     * can never silently downgrade a supervised player (mirrors how `model` is
-     * re-threaded from durable metadata across restart, NOT the ephemeral
-     * `TOOL_ACCESS` env-only path).
-     */
-    GUARDRAIL_POLICY: 'AGENT_TEMPO_GUARDRAIL_POLICY',
     /**
      * 3c Tier-2 ingest auth. The daemon mints a per-player ingest token (scoped to
      * the session workflowId) BEFORE spawning a headless Pi player and threads it

package/dist/daemon.js

@@ -68,14 +68,10 @@ const worker_1 = require("./worker");
 const connection_1 = require("./connection");
 const inner_loop_1 = require("./http/inner-loop");
 const ingest_registry_1 = require("./http/ingest-registry");
-const gate_registry_1 = require("./http/gate-registry");
-const gate_audit_1 = require("./http/gate-audit");
 const grpc_shutdown_guard_1 = require("./utils/grpc-shutdown-guard");
 const daemon_1 = require("./cli/daemon");
 const client_3 = require("./client");
 const orphans_1 = require("./reconcile/orphans");
-const query_timeout_1 = require("./utils/query-timeout");
-const signals_1 = require("./workflows/signals");
 const agent_types_1 = require("./ensemble/agent-types");
 const pre_flight_1 = require("./adapters/claude-code-headless/pre-flight");
 const daemon_adapter_versions_1 = require("./daemon-adapter-versions");
@@ -841,12 +837,6 @@ async function main() {
     // so the shutdown handler — declared just below — can drain them.
     const innerLoop = new inner_loop_1.InnerLoopRegistry();
     const ingestTokens = new ingest_registry_1.IngestTokenRegistry();
-    // 3d MD-G — the operator-gate registry, same daemon-owned-singleton pattern.
-    // Audit sink = the append-only JSONL writer; publishToInner = innerLoop.publish
-    // (the DI that emits gate_resolved on the player's /inner stream without a
-    // GateRegistry↔inner-loop circular import).
-    const gate = new gate_registry_1.GateRegistry((0, gate_audit_1.createGateAuditSink)(), Date.now, undefined, // default 45s auto-allow
-    (workflowId, frame) => innerLoop.publish(workflowId, frame));
     const shutdown = () => {
         if (shuttingDown)
             return;
@@ -885,7 +875,6 @@ async function main() {
         // (streams end cleanly rather than dangling).
         ingestTokens.revokeAll();
         innerLoop.close();
-        gate.clear();
         sharedWorker?.shutdown();
         hostWorker?.shutdown();
     };
@@ -893,7 +882,7 @@ async function main() {
     process.on('SIGINT', shutdown);
     // Create workers (signal handlers already active via mutable refs)
     log(`Connecting to Temporal at ${config.temporalAddress} (namespace: ${config.temporalNamespace})`);
-    const workers = await (0, worker_1.createWorkers)(config, ingestTokens, gate);
+    const workers = await (0, worker_1.createWorkers)(config, ingestTokens);
     sharedWorker = workers.sharedWorker;
     hostWorker = workers.hostWorker;
     log('Workers created — processing tasks');
@@ -972,24 +961,6 @@ async function main() {
             const bootEpoch = Date.now();
             aggregateRunner = new AggregateRunner({ client: httpClient, bootEpoch });
             aggregateRunner.start();
-            // #712 — BOUNDED durable-policy resolver for the gate failMode cross-check.
-            // The gate is normally policy-populated at spawn (sync, no query); this is
-            // the rare-cache-miss fallback the ingest gate_pending path awaits. It MUST
-            // be bounded (utils/query-timeout) so it can never hang gate engagement. A
-            // successful query with an absent metadata field ⇒ 'autonomous' (a real,
-            // open posture). Timeout / error / workflow-gone ⇒ undefined ⇒ the route
-            // leaves the policy unresolved ⇒ open() enforces 'closed' (NO-FAIL-OPEN).
-            const reconcileClientForPolicy = reconcileClient;
-            const resolveGuardrailPolicy = async (workflowId) => {
-                try {
-                    const handle = reconcileClientForPolicy.workflow.getHandle(workflowId);
-                    const md = await (0, query_timeout_1.queryHandleWithTimeout)(handle, signals_1.getMetadataQuery);
-                    return md?.guardrailPolicy ?? 'autonomous';
-                }
-                catch {
-                    return undefined; // timeout / error / gone → indeterminate → open() enforces closed
-                }
-            };
             httpServerHandle = await startHttpServer({
                 client: httpClient,
                 namespace: config.temporalNamespace,
@@ -1001,11 +972,6 @@ async function main() {
                 // and /inner/ingest validates against the tokens the spawn path minted.
                 innerLoop,
                 ingestTokens,
-                // 3d MD-G — the same gate registry the worker's outbox auto-disarms on
-                // detach/destroy; the HTTP server serves arm/disarm/decide + resolution.
-                gate,
-                // #712 — bounded durable-policy resolver for the failMode cross-check.
-                resolveGuardrailPolicy,
             });
             log(`HTTP listening on http://${httpServerHandle.bindAddr}:${httpServerHandle.port}`);
             log(`Aggregate poll loop running (bootEpoch=${bootEpoch})`);

package/dist/http/auth.d.ts

@@ -95,7 +95,7 @@ export declare function loadRbacTokens(opts: {
     load?: () => PersistedConfig;
     save?: (cfg: PersistedConfig) => void;
 }): RbacTokens;
-/** Access tiers (MD-E): 1 = read/observe, 2 = write/mutate, 3 = supervisory (gate/inner). */
+/** Access tiers (MD-E): 1 = read/observe, 2 = write/mutate, 3 = supervisory (inner-tail). */
 export type Tier = 1 | 2 | 3;
 /**
  * Granted tier for a presented bearer, given the RBAC tokens (timing-safe).

package/dist/http/auth.js

@@ -222,8 +222,8 @@ function tierForToken(presented, tokens) {
     return 0;
 }
 /** Migration hint surfaced in the 403 body so a read-token holder knows what's missing. */
-const INSUFFICIENT_TIER_HINT = 'This token is read-tier. Writes, the operator gate, and the inner-tail require the admin token (set AGENT_TEMPO_HTTP_ADMIN_TOKEN).';
-const ADMIN_UNSET_HINT = 'Set AGENT_TEMPO_HTTP_ADMIN_TOKEN (env-var only) to enable writes / gate / inner-tail.';
+const INSUFFICIENT_TIER_HINT = 'This token is read-tier. Writes and the inner-tail require the admin token (set AGENT_TEMPO_HTTP_ADMIN_TOKEN).';
+const ADMIN_UNSET_HINT = 'Set AGENT_TEMPO_HTTP_ADMIN_TOKEN (env-var only) to enable writes / inner-tail.';
 /**
  * Authorization guard (3e MD-E). Assumes the shared upstream pass already settled
  * AUTHENTICATION + CORS + the DNS-rebind/Origin defense (architect's Layer 2);

package/dist/http/inner-loop-routes.d.ts

@@ -23,35 +23,11 @@
 import type { IncomingMessage, ServerResponse } from 'http';
 import type { InnerLoopRegistry } from './inner-loop';
 import type { IngestTokenRegistry } from './ingest-registry';
-import type { GateRegistry } from './gate-registry';
-import type { GuardrailPolicy } from '../types';
 /** Header carrying the per-player ingest token (the source-plane credential). */
 export declare const INGEST_TOKEN_HEADER = "x-ingest-token";
 export interface InnerLoopDeps {
     innerLoop: InnerLoopRegistry;
     ingestTokens: IngestTokenRegistry;
-    /**
-     * 3d MD-G — the operator-gate registry, when wired. Two narrow couplings:
-     *   - ingest: an `inner.gate_pending` frame ALSO registers the pending request
-     *     in the gate (`open()`) — atomic register-and-surface from one POST (the
-     *     "engagement IS registration" path; no separate open-route).
-     *   - presence: the response carries `gateArmed` so the polling subprocess
-     *     evaluates engagement (armed + present) from one fetch.
-     * The coupling is one-directional (inner-routes → GateRegistry); the gate's
-     * `gate_resolved` emission flows back via its injected publishToInner.
-     */
-    gate?: GateRegistry;
-    /**
-     * #712 — BOUNDED resolver for a player's DURABLE `guardrailPolicy` (daemon
-     * wires it to a `getMetadataQuery` behind `utils/query-timeout`). Used by the
-     * ingest gate_pending path ONLY on a {@link GateRegistry.getPolicy} cache-miss
-     * (the common path is spawn/reconcile-populated → sync, no query). Returns the
-     * resolved policy (absent metadata field ⇒ `'autonomous'`), or `undefined` when
-     * the query TIMES OUT / ERRORS / the workflow is gone — the caller then leaves
-     * the gate policy unresolved so `open()` enforces `closed` (NO-FAIL-OPEN). The
-     * resolver MUST be bounded so it can never hang gate engagement.
-     */
-    resolveGuardrailPolicy?: (workflowId: string) => Promise<GuardrailPolicy | undefined>;
 }
 /** True when the request originates from the same host (loopback). */
 export declare function isLoopbackRemote(req: IncomingMessage): boolean;

package/dist/http/inner-loop-routes.js

@@ -78,36 +78,6 @@ async function handleInnerIngest(req, res, deps, ensemble, playerId) {
     // Trust the authenticated publisher's frame shape (it owns the schema +
     // truncation). Publish to local subscribers and ack with no body.
     deps.innerLoop.publish(workflowId, body);
-    // 3d MD-G — a gate_pending frame ALSO registers the pending request in the
-    // gate (atomic register-and-surface from one POST; the "engagement IS
-    // registration" path, no separate open-route). Narrow, one-directional
-    // coupling: inner-routes → GateRegistry.open(). Guarded on the type so it
-    // never fires for ordinary inner frames. `open` is idempotent on requestId.
-    if (type === 'inner.gate_pending' && deps.gate) {
-        const f = body;
-        if (typeof f.requestId === 'string' && typeof f.tool === 'string') {
-            // #712 — ensure the gate knows the player's DURABLE guardrailPolicy BEFORE
-            // registering, so open() enforces failMode from policy (daemon-authoritative),
-            // not the frame's advisory claim. Fast path: already populated at spawn /
-            // reconcile (sync, no query). Miss (post-restart pre-reconcile): a BOUNDED
-            // getMetadataQuery; on success populate the gate. On timeout/error/gone the
-            // resolver returns undefined → we leave it unresolved → open() enforces
-            // 'closed' (NO-FAIL-OPEN).
-            if (deps.resolveGuardrailPolicy && deps.gate.getPolicy(workflowId) === undefined) {
-                const resolved = await deps.resolveGuardrailPolicy(workflowId);
-                if (resolved !== undefined)
-                    deps.gate.setPolicy(workflowId, resolved);
-            }
-            deps.gate.open(workflowId, f.requestId, {
-                tool: f.tool,
-                argsSummary: typeof f.argsSummary === 'string' ? f.argsSummary : '',
-                ensemble,
-                // #712 — ADVISORY claim only (open() enforces from policy); retained so a
-                // self-downgrade (frame 'open' vs policy-enforced 'closed') is auditable.
-                failMode: f.failMode === 'closed' ? 'closed' : 'open',
-            });
-        }
-    }
     res.writeHead(204);
     res.end();
 }
@@ -120,13 +90,8 @@ function handleInnerPresence(req, res, deps, ensemble, playerId) {
     const workflowId = gateIngress(req, res, deps, ensemble, playerId);
     if (workflowId === null)
         return;
-    // 3d MD-G — fold `gateArmed` into the presence response so the polling
-    // subprocess reads BOTH engagement inputs (operator-present + armed) from one
-    // fetch (avoids a stale-armed / fresh-present mismatch). `false` when the gate
-    // is unwired or unarmed.
     (0, responses_1.jsonResponse)(res, 200, {
         subscribers: deps.innerLoop.subscriberCount(workflowId),
-        gateArmed: deps.gate?.isArmed(workflowId) ?? false,
     });
 }
 /**