agentxchain 2.145.0 → 2.147.0

package/dashboard/app.js

@@ -15,6 +15,7 @@ import { render as renderCrossRepo } from './components/cross-repo.js';
 import { render as renderDelegations } from './components/delegations.js';
 import { render as renderBlockers } from './components/blockers.js';
 import { render as renderArtifacts } from './components/artifacts.js';
+import { render as renderNotifications } from './components/notifications.js';
 import { render as renderMission } from './components/mission.js';
 import { render as renderChain } from './components/chain.js';
 import { render as renderRunHistory } from './components/run-history.js';
@@ -31,6 +32,7 @@ const VIEWS = {
   delegations: { fetch: ['state', 'history'], render: renderDelegations },
   ledger: { fetch: ['state', 'ledger', 'coordinatorState', 'coordinatorLedger', 'repoDecisionsSummary'], render: renderLedger },
   hooks: { fetch: ['audit', 'annotations', 'coordinatorAudit', 'coordinatorAnnotations'], render: renderHooks },
+  notifications: { fetch: ['notifications'], render: renderNotifications },
   blocked: { fetch: ['state', 'audit', 'coordinatorState', 'coordinatorAudit', 'coordinatorBlockers', 'coordinatorRepoStatusRows', 'gateActions'], render: renderBlocked },
   gate: { fetch: ['state', 'history', 'coordinatorState', 'coordinatorHistory', 'coordinatorBarriers', 'gateActions'], render: renderGate },
   initiative: { fetch: ['coordinatorState', 'coordinatorBarriers', 'barrierLedger', 'coordinatorBlockers', 'coordinatorRepoStatusRows'], render: renderInitiative },
@@ -62,6 +64,7 @@ const API_MAP = {
   coordinatorBlockers: '/api/coordinator/blockers',
   coordinatorRepoStatusRows: '/api/coordinator/repo-status',
   workflowKitArtifacts: '/api/workflow-kit-artifacts',
+  notifications: '/api/notifications',
   missions: '/api/missions',
   plans: '/api/plans',
   chainReports: '/api/chain-reports',

package/dashboard/components/notifications.js

@@ -0,0 +1,127 @@
+function esc(str) {
+  if (str == null) return '';
+  return String(str)
+    .replace(/&/g, '&')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#39;');
+}
+
+function badge(label, color = 'var(--text-dim)') {
+  return `<span class="badge" style="color:${color};border-color:${color}">${esc(label)}</span>`;
+}
+
+function formatResult(entry) {
+  if (entry?.delivered) return badge('delivered', 'var(--green)');
+  if (entry?.timed_out) return badge('timed out', 'var(--yellow)');
+  return badge('failed', 'var(--red)');
+}
+
+function renderWebhookRow(webhook) {
+  return `<tr>
+    <td class="mono">${esc(webhook.name)}</td>
+    <td>${esc(webhook.timeout_ms)}</td>
+    <td>${esc(webhook.event_count)}</td>
+    <td><span class="mono">${esc((webhook.events || []).join(', '))}</span></td>
+  </tr>`;
+}
+
+function renderAuditRow(entry) {
+  const rowStyle = entry?.delivered ? '' : ' style="border-left:3px solid var(--red)"';
+  const statusCode = entry?.status_code == null ? '—' : String(entry.status_code);
+  const duration = entry?.duration_ms == null ? '—' : `${entry.duration_ms}ms`;
+  return `<tr${rowStyle}>
+    <td class="mono">${esc(entry?.emitted_at || '—')}</td>
+    <td><span class="mono">${esc(entry?.event_type || '—')}</span></td>
+    <td class="mono">${esc(entry?.notification_name || '—')}</td>
+    <td>${formatResult(entry)}</td>
+    <td>${esc(statusCode)}</td>
+    <td>${esc(duration)}</td>
+    <td>${esc(entry?.message || '—')}</td>
+  </tr>`;
+}
+
+export function render({ notifications }) {
+  if (!notifications) {
+    return `<div class="placeholder"><h2>Notifications</h2><p>No notification data available.</p></div>`;
+  }
+
+  if (notifications.ok === false) {
+    const hint = notifications.code === 'config_missing'
+      ? ' Run <code>agentxchain init --governed</code> to get started.'
+      : '';
+    return `<div class="placeholder"><h2>Notifications</h2><p>${esc(notifications.error || 'Failed to load notification data.')}${hint}</p></div>`;
+  }
+
+  const recent = Array.isArray(notifications.recent) ? notifications.recent : [];
+  const webhooks = Array.isArray(notifications.webhooks) ? notifications.webhooks : [];
+  const summary = notifications.summary || {};
+
+  if (!notifications.configured && recent.length === 0) {
+    return `<div class="placeholder"><h2>Notifications</h2><p>No <code>notifications.webhooks</code> are configured and no delivery audit entries exist yet.</p></div>`;
+  }
+
+  let html = `<div class="notifications-view"><div class="run-header"><div class="run-meta">`;
+  html += notifications.configured
+    ? badge(`${webhooks.length} webhook${webhooks.length === 1 ? '' : 's'} configured`, 'var(--green)')
+    : badge('not currently configured', 'var(--yellow)');
+  html += badge(`${summary.total_attempts || 0} attempts`, 'var(--accent)');
+  if ((summary.failed || 0) > 0) {
+    html += badge(`${summary.failed} failed`, 'var(--red)');
+  }
+  if ((summary.timed_out || 0) > 0) {
+    html += badge(`${summary.timed_out} timed out`, 'var(--yellow)');
+  }
+  if (notifications.approval_sla?.enabled) {
+    html += badge(`approval SLA: ${(notifications.approval_sla.reminder_after_seconds || []).join(', ')}s`, 'var(--accent)');
+  }
+  html += `</div></div>`;
+
+  if (webhooks.length > 0) {
+    html += `<div class="section"><h3>Notification Targets</h3>
+      <table class="data-table">
+        <thead>
+          <tr>
+            <th>Name</th>
+            <th>Timeout</th>
+            <th>Events</th>
+            <th>Subscribed Event Types</th>
+          </tr>
+        </thead>
+        <tbody>${webhooks.map(renderWebhookRow).join('')}</tbody>
+      </table>
+    </div>`;
+  }
+
+  html += `<div class="section"><h3>Delivery Summary</h3>
+    <p><strong>Delivered:</strong> ${esc(summary.delivered || 0)}<br>
+    <strong>Failed:</strong> ${esc(summary.failed || 0)}<br>
+    <strong>Last emitted:</strong> ${esc(summary.last_emitted_at || '—')}<br>
+    <strong>Last failure:</strong> ${esc(summary.last_failure_at || '—')}</p>
+  </div>`;
+
+  if (recent.length === 0) {
+    html += `<div class="section"><h3>Recent Delivery Attempts</h3><p style="color:var(--text-dim)">No notification deliveries recorded yet.</p></div>`;
+  } else {
+    html += `<div class="section"><h3>Recent Delivery Attempts</h3>
+      <table class="data-table">
+        <thead>
+          <tr>
+            <th>Emitted</th>
+            <th>Event</th>
+            <th>Target</th>
+            <th>Result</th>
+            <th>Status</th>
+            <th>Duration</th>
+            <th>Message</th>
+          </tr>
+        </thead>
+        <tbody>${recent.map(renderAuditRow).join('')}</tbody>
+      </table>
+    </div>`;
+  }
+
+  html += `</div>`;
+  return html;
+}

package/dashboard/index.html

@@ -401,6 +401,7 @@
     <a href="#delegations">Delegations</a>
     <a href="#ledger">Decisions</a>
     <a href="#hooks">Hooks</a>
+    <a href="#notifications">Notifications</a>
     <a href="#blocked">Blocked</a>
     <a href="#gate">Gates</a>
     <a href="#blockers">Blockers</a>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentxchain",
-  "version": "2.145.0",
+  "version": "2.147.0",
   "description": "CLI for AgentXchain — governed multi-agent software delivery",
   "type": "module",
   "bin": {

package/scripts/publish-npm.sh

@@ -84,6 +84,22 @@ NEW_VERSION="$(node -e "console.log(JSON.parse(require('fs').readFileSync('packa
 echo "New version: ${NEW_VERSION}"
 echo ""
 
+# Publish-gate enforcement: WAYS-OF-WORKING section 9 prohibits bypassing the
+# publish gate with manual npm publish. Even though this script is a documented
+# non-canonical helper (see RELEASE_CUT_SPEC.md section 6), it must not drop
+# below the same release-boundary proof surface (claim-reality-preflight,
+# beta-tester scenarios, release-docs-content, release-preflight) that the
+# canonical publish-npm-on-tag.yml workflow runs via
+# `release-preflight.sh --publish-gate`. Set ALLOW_PUBLISH_GATE_BYPASS=1 only
+# for dry-run/debug paths that have manually established proof (for example,
+# a release-preflight.sh --publish-gate run the operator just watched pass).
+if [[ "${ALLOW_PUBLISH_GATE_BYPASS:-0}" != "1" ]]; then
+  echo "Running release-preflight.sh --publish-gate before npm publish..."
+  bash scripts/release-preflight.sh --publish-gate --target-version "${NEW_VERSION}"
+else
+  echo "WARNING: ALLOW_PUBLISH_GATE_BYPASS=1 set — skipping publish-gate. The operator owns claim-reality/beta-tester proof manually."
+fi
+
 echo "Publishing to npm..."
 if [[ -n "${NPM_TOKEN:-}" ]]; then
   npm publish --access public --//registry.npmjs.org/:_authToken="${NPM_TOKEN}"

package/scripts/release-downstream-truth.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 # Release downstream truth — run after all downstream surfaces are updated.
-# Verifies: GitHub release exists, Homebrew tap SHA and URL match registry tarball.
+# Verifies: GitHub release is published on the expected tag URL, Homebrew tap SHA and URL match registry tarball.
 # Usage: bash scripts/release-downstream-truth.sh --target-version <semver>
 set -uo pipefail
 
@@ -91,22 +91,30 @@ echo "[1/3] GitHub release"
 if ! command -v gh >/dev/null 2>&1; then
   fail "gh CLI not available — cannot verify GitHub release"
 else
-  GH_FOUND=false
+  GH_READY=false
+  EXPECTED_GH_URL="https://github.com/shivamtiwari93/agentXchain.dev/releases/tag/v${TARGET_VERSION}"
   for attempt in $(seq 1 "$RETRY_ATTEMPTS"); do
     GH_TAG="$(gh release view "v${TARGET_VERSION}" --json tagName -q '.tagName' 2>/dev/null || true)"
-    if [[ "$GH_TAG" == "v${TARGET_VERSION}" ]]; then
-      GH_FOUND=true
+    GH_DRAFT="$(gh release view "v${TARGET_VERSION}" --json isDraft -q '.isDraft' 2>/dev/null || true)"
+    GH_URL="$(gh release view "v${TARGET_VERSION}" --json url -q '.url' 2>/dev/null || true)"
+    GH_PUBLISHED_AT="$(gh release view "v${TARGET_VERSION}" --json publishedAt -q '.publishedAt' 2>/dev/null || true)"
+    if [[ "$GH_TAG" == "v${TARGET_VERSION}" ]] \
+      && [[ "$GH_DRAFT" == "false" ]] \
+      && [[ "$GH_URL" == "$EXPECTED_GH_URL" ]] \
+      && [[ -n "$GH_PUBLISHED_AT" ]] \
+      && [[ "$GH_PUBLISHED_AT" != "null" ]]; then
+      GH_READY=true
       break
     fi
     if [[ "$attempt" -lt "$RETRY_ATTEMPTS" ]]; then
-      echo "  INFO: GitHub release not found (attempt ${attempt}/${RETRY_ATTEMPTS}); retrying in ${RETRY_DELAY_SECONDS}s..."
+      echo "  INFO: GitHub release not ready (attempt ${attempt}/${RETRY_ATTEMPTS}); retrying in ${RETRY_DELAY_SECONDS}s..."
       sleep "$RETRY_DELAY_SECONDS"
     fi
   done
-  if $GH_FOUND; then
-    pass "GitHub release v${TARGET_VERSION} exists"
+  if $GH_READY; then
+    pass "GitHub release v${TARGET_VERSION} is published on the tagged release URL"
   else
-    fail "GitHub release v${TARGET_VERSION} not found after ${RETRY_ATTEMPTS} attempts"
+    fail "GitHub release v${TARGET_VERSION} is not fully published (tag=${GH_TAG:-<missing>} draft=${GH_DRAFT:-<missing>} url=${GH_URL:-<missing>} publishedAt=${GH_PUBLISHED_AT:-<missing>})"
   fi
 fi
 

package/scripts/sync-homebrew.sh

@@ -244,5 +244,18 @@ fi
 
 echo ""
 echo "====================================="
-echo "SYNC COMPLETE — Homebrew formula updated to ${PACKAGE_NAME}@${TARGET_VERSION}."
+echo "SYNC STEP COMPLETE — Homebrew formula updated to ${PACKAGE_NAME}@${TARGET_VERSION}."
+echo ""
+echo "This is the Phase 2 -> Phase 3 transition step only. It does NOT prove"
+echo "the public npx install path resolves, and it does NOT prove the canonical"
+echo "tap / GitHub Release / repo-mirror downstream truth is consistent."
+echo ""
+echo "Do NOT declare the release complete from this script's exit code alone."
+echo "Complete the release by running ONE of:"
+echo "  - bash cli/scripts/verify-post-publish.sh --target-version ${TARGET_VERSION}"
+echo "    (manual/operator path; includes npx smoke + repo-mirror SHA proof + full test suite)"
+echo "  - bash cli/scripts/release-downstream-truth.sh --target-version ${TARGET_VERSION}"
+echo "    (CI-equivalent path; requires release-postflight.sh to have already run the npx smoke)"
+echo ""
+echo "See DEC-VERIFY-POST-PUBLISH-NPX-001 and DEC-HOMEBREW-SYNC-LOOPHOLE-CLOSE-001."
 exit 0

package/scripts/verify-post-publish.sh

@@ -20,6 +20,8 @@ cd "$CLI_DIR"
 TARGET_VERSION=""
 
 FORMULA_PATH="${CLI_DIR}/homebrew/agentxchain.rb"
+PACKAGE_NAME="$(node -e "console.log(JSON.parse(require('fs').readFileSync('package.json','utf8')).name)")"
+PACKAGE_BIN_NAME="$(node -e "const pkg = JSON.parse(require('fs').readFileSync('package.json','utf8')); if (typeof pkg.bin === 'string') { console.log(pkg.name); process.exit(0); } const names = Object.keys(pkg.bin || {}); if (names.length !== 1) { console.error('package.json bin must declare exactly one entry'); process.exit(1); } console.log(names[0]);")"
 
 formula_url() {
   local formula_path="$1"
@@ -31,6 +33,29 @@ formula_sha() {
   grep -E '^\s*sha256\s+"' "$formula_path" | sed 's/.*sha256 *"\([a-f0-9]*\)".*/\1/' || true
 }
 
+run_npx_smoke() {
+  local smoke_root
+  local smoke_npmrc
+
+  smoke_root="$(mktemp -d "${TMPDIR:-/tmp}/agentxchain-verify-post-publish.XXXXXX")"
+  mkdir -p "${smoke_root}/home" "${smoke_root}/cache" "${smoke_root}/npm-cache" "${smoke_root}/workspace"
+  smoke_npmrc="${smoke_root}/.npmrc"
+  echo "registry=https://registry.npmjs.org/" > "$smoke_npmrc"
+
+  (
+    cd "${smoke_root}/workspace" || exit 1
+    env -u NODE_AUTH_TOKEN \
+      HOME="${smoke_root}/home" \
+      XDG_CACHE_HOME="${smoke_root}/cache" \
+      NPM_CONFIG_CACHE="${smoke_root}/npm-cache" \
+      NPM_CONFIG_USERCONFIG="${smoke_npmrc}" \
+      npx --yes -p "${PACKAGE_NAME}@${TARGET_VERSION}" -c "${PACKAGE_BIN_NAME} --version"
+  )
+  local status=$?
+  rm -rf "$smoke_root"
+  return "$status"
+}
+
 while [[ $# -gt 0 ]]; do
   case "$1" in
     --target-version)
@@ -57,7 +82,7 @@ echo "============================================="
 echo ""
 
 # Step 1: Verify npm serves the version
-echo "[1/4] Checking npm registry..."
+echo "[1/5] Checking npm registry..."
 NPM_VERSION="$(npm view "agentxchain@${TARGET_VERSION}" version 2>/dev/null || echo "")"
 if [[ "$NPM_VERSION" != "$TARGET_VERSION" ]]; then
   echo "  FAIL: npm does not serve agentxchain@${TARGET_VERSION} (got: '${NPM_VERSION}')"
@@ -67,7 +92,7 @@ fi
 echo "  OK: npm serves v${TARGET_VERSION}"
 
 # Step 2: Sync the repo mirror to the published tarball
-echo "[2/4] Syncing repo mirror to published tarball..."
+echo "[2/5] Syncing repo mirror to published tarball..."
 bash "${SCRIPT_DIR}/sync-homebrew.sh" --target-version "$TARGET_VERSION"
 echo "  OK: repo mirror synced"
 
@@ -109,8 +134,34 @@ if [[ "$FORMULA_SHA" != "$TARBALL_SHA" ]]; then
 fi
 echo "  OK: repo mirror formula SHA256 matches registry tarball"
 
-# Step 4: Run the full test suite WITHOUT the preflight skip
-echo "[4/5] Running full test suite (no preflight skip)..."
+# Step 4: Recheck the public npx path against the published registry version
+echo "[4/5] Verifying public npx install path..."
+NPX_OUTPUT="$(run_npx_smoke 2>&1 || true)"
+NPX_VERSION="$(printf '%s\n' "$NPX_OUTPUT" | awk -v expected="${TARGET_VERSION}" '
+  {
+    line=$0
+    gsub(/^[[:space:]]+|[[:space:]]+$/, "", line)
+    if (line == expected) {
+      print line
+      found=1
+      exit
+    }
+  }
+  END {
+    if (!found) {
+      exit 1
+    }
+  }
+ ' || true)"
+if [[ "$NPX_VERSION" != "$TARGET_VERSION" ]]; then
+  echo "  FAIL: public npx path did not report ${TARGET_VERSION}"
+  printf '%s\n' "$NPX_OUTPUT"
+  exit 1
+fi
+echo "  OK: public npx path resolves and reports v${TARGET_VERSION}"
+
+# Step 5: Run the full test suite WITHOUT the preflight skip
+echo "[5/5] Running full test suite (no preflight skip)..."
 echo "  This verifies the broader Homebrew mirror contract passes with the real SHA."
 npm test
 echo "  OK: full test suite green"

package/src/commands/init.js

@@ -103,6 +103,68 @@ const DEFAULT_GOVERNED_LOCAL_DEV_RUNTIME = Object.freeze({
   prompt_transport: 'stdin',
 });
 
+const GOVERNED_GITIGNORE_LINES = Object.freeze([
+  '.env',
+  '.agentxchain/staging/',
+  '.agentxchain/dispatch/',
+  '.agentxchain/transactions/',
+  '.agentxchain/state.json',
+  '.agentxchain/session.json',
+  '.agentxchain/history.jsonl',
+  '.agentxchain/decision-ledger.jsonl',
+  '.agentxchain/repo-decisions.jsonl',
+  '.agentxchain/lock.json',
+  '.agentxchain/hook-audit.jsonl',
+  '.agentxchain/hook-annotations.jsonl',
+  '.agentxchain/run-history.jsonl',
+  '.agentxchain/events.jsonl',
+  '.agentxchain/notification-audit.jsonl',
+  '.agentxchain/schedule-state.json',
+  '.agentxchain/schedule-daemon.json',
+  '.agentxchain/continuous-session.json',
+  '.agentxchain/human-escalations.jsonl',
+  '.agentxchain/sla-reminders.json',
+  '.agentxchain/SESSION_RECOVERY.md',
+  '.agentxchain/migration-report.md',
+  '.agentxchain/intake/',
+  '.agentxchain/missions/',
+  '.agentxchain/multirepo/',
+  '.agentxchain/reviews/',
+  '.agentxchain/reports/',
+  '.agentxchain/proposed/',
+  'TALK.md',
+  'HUMAN_TASKS.md',
+]);
+
+const GOVERNED_GITIGNORE_CONTENT = [
+  '# AgentXchain — secrets',
+  '.env',
+  '',
+  '# AgentXchain — transient execution artifacts (never commit)',
+  '.agentxchain/staging/',
+  '.agentxchain/dispatch/',
+  '.agentxchain/transactions/',
+  '',
+  '# AgentXchain — framework-owned state (gitignored by default in fresh scaffolds)',
+  '# These files remain durable on disk and in export/restore, but defaulting them',
+  '# out of raw `git status` reduces operator noise. Existing tracked copies still',
+  '# appear dirty until the repo explicitly untracks them.',
+  ...GOVERNED_GITIGNORE_LINES.slice(4),
+].join('\n') + '\n';
+
+function ensureGitignoreEntries(gitignorePath, content, requiredEntries) {
+  if (!existsSync(gitignorePath)) {
+    writeFileSync(gitignorePath, content);
+    return;
+  }
+  const existingIgnore = readFileSync(gitignorePath, 'utf8');
+  const existingLines = new Set(existingIgnore.split(/\r?\n/));
+  const missing = requiredEntries.filter(entry => !existingLines.has(entry));
+  if (missing.length === 0) return;
+  const prefix = existingIgnore.endsWith('\n') || existingIgnore.length === 0 ? '' : '\n';
+  writeFileSync(gitignorePath, existingIgnore + prefix + missing.join('\n') + '\n');
+}
+
 const GOVERNED_RUNTIMES = {
   'manual-pm': { type: 'manual' },
   'manual-dev': { type: 'manual' },
@@ -833,28 +895,10 @@ export function scaffoldGoverned(dir, projectName, projectId, templateId = 'gene
   // TALK.md
   writeFileSync(join(dir, 'TALK.md'), `# ${projectName} — Team Talk File\n\nCanonical human-readable handoff log for all agents.\n\n---\n\n`);
 
-  // .gitignore additions with inline comments so operators know what to commit vs. ignore
+  // .gitignore additions with inline comments so fresh governed repos keep
+  // framework-owned runtime state out of raw git status by default.
   const gitignorePath = join(dir, '.gitignore');
-  const gitignoreContent = [
-    '# AgentXchain — secrets',
-    '.env',
-    '',
-    '# AgentXchain — transient execution artifacts (never commit)',
-    '.agentxchain/staging/',
-    '.agentxchain/dispatch/',
-    '.agentxchain/transactions/',
-  ].join('\n') + '\n';
-  const requiredPaths = ['.env', '.agentxchain/staging/', '.agentxchain/dispatch/', '.agentxchain/transactions/'];
-  if (!existsSync(gitignorePath)) {
-    writeFileSync(gitignorePath, gitignoreContent);
-  } else {
-    const existingIgnore = readFileSync(gitignorePath, 'utf8');
-    const missing = requiredPaths.filter(entry => !existingIgnore.split(/\r?\n/).includes(entry));
-    if (missing.length > 0) {
-      const prefix = existingIgnore.endsWith('\n') ? '' : '\n';
-      writeFileSync(gitignorePath, existingIgnore + prefix + missing.join('\n') + '\n');
-    }
-  }
+  ensureGitignoreEntries(gitignorePath, GOVERNED_GITIGNORE_CONTENT, GOVERNED_GITIGNORE_LINES);
 
   return { config, state, scaffoldWorkflowKitConfig };
 }
@@ -1251,16 +1295,7 @@ export async function initCommand(opts) {
   writeFileSync(join(dir, 'HUMAN_TASKS.md'), '# Human Tasks\n\n(Agents append tasks here when they need human action.)\n');
   const gitignorePath = join(dir, '.gitignore');
   const requiredIgnores = ['.env', '.agentxchain-trigger.json', '.agentxchain-prompts/', '.agentxchain-workspaces/', '.agentxchain-watch.pid', '.agentxchain-autonudge.state'];
-  if (!existsSync(gitignorePath)) {
-    writeFileSync(gitignorePath, requiredIgnores.join('\n') + '\n');
-  } else {
-    const existingIgnore = readFileSync(gitignorePath, 'utf8');
-    const missing = requiredIgnores.filter(entry => !existingIgnore.split(/\r?\n/).includes(entry));
-    if (missing.length > 0) {
-      const prefix = existingIgnore.endsWith('\n') ? '' : '\n';
-      writeFileSync(gitignorePath, existingIgnore + prefix + missing.join('\n') + '\n');
-    }
-  }
+  ensureGitignoreEntries(gitignorePath, requiredIgnores.join('\n') + '\n', requiredIgnores);
 
   // .planning/ structure
   mkdirSync(join(dir, '.planning', 'research'), { recursive: true });

package/src/commands/reissue-turn.js

@@ -18,8 +18,10 @@ import {
   getActiveTurns,
   getActiveTurn,
   reissueTurn,
+  transitionActiveTurnLifecycle,
 } from '../lib/governed-state.js';
 import { writeDispatchBundle } from '../lib/dispatch-bundle.js';
+import { finalizeDispatchManifest } from '../lib/dispatch-manifest.js';
 
 export async function reissueTurnCommand(opts) {
   const context = loadProjectContext();
@@ -91,6 +93,20 @@ export async function reissueTurnCommand(opts) {
     console.log(chalk.red(`Turn reissued but dispatch bundle failed: ${bundleResult.error}`));
     process.exit(1);
   }
+  // BUG-51 follow-up: every command that writes a dispatch bundle for an
+  // active turn must finalize the manifest so adapter-side
+  // `verifyDispatchManifestForAdapter` enforcement matches fresh dispatches.
+  // Reissue does not run after_dispatch hooks, so finalization happens
+  // immediately after writeDispatchBundle.
+  const manifestResult = finalizeDispatchManifest(root, result.newTurn.turn_id, {
+    run_id: result.state.run_id,
+    role: result.newTurn.assigned_role,
+  });
+  if (!manifestResult.ok) {
+    console.log(chalk.red(`Turn reissued but dispatch manifest failed: ${manifestResult.error}`));
+    process.exit(1);
+  }
+  transitionActiveTurnLifecycle(root, result.newTurn.turn_id, 'dispatched');
 
   // Print summary
   console.log('');

package/src/commands/reject-turn.js

@@ -2,9 +2,10 @@ import chalk from 'chalk';
 import { existsSync } from 'fs';
 import { join } from 'path';
 import { loadProjectContext, loadProjectState } from '../lib/config.js';
-import { getActiveTurns, rejectGovernedTurn } from '../lib/governed-state.js';
+import { getActiveTurns, rejectGovernedTurn, transitionActiveTurnLifecycle } from '../lib/governed-state.js';
 import { validateStagedTurnResult } from '../lib/turn-result-validator.js';
 import { writeDispatchBundle } from '../lib/dispatch-bundle.js';
+import { finalizeDispatchManifest } from '../lib/dispatch-manifest.js';
 import { deriveRecoveryDescriptor } from '../lib/blocked-state.js';
 import { getDispatchTurnDir, getTurnStagingResultPath } from '../lib/turn-paths.js';
 
@@ -51,6 +52,18 @@ export async function rejectTurnCommand(opts) {
       console.log(chalk.red(`Turn rejected but dispatch bundle rewrite failed: ${bundleResult.error}`));
       process.exit(1);
     }
+    // BUG-51 follow-up: finalize the manifest so adapter verification matches
+    // fresh dispatches. reject-for-retry does not run after_dispatch hooks,
+    // so finalize immediately after writeDispatchBundle.
+    const manifestResult = finalizeDispatchManifest(root, validation.turn.turn_id, {
+      run_id: result.state.run_id,
+      role: validation.turn.assigned_role,
+    });
+    if (!manifestResult.ok) {
+      console.log(chalk.red(`Turn rejected but dispatch manifest failed: ${manifestResult.error}`));
+      process.exit(1);
+    }
+    transitionActiveTurnLifecycle(root, validation.turn.turn_id, 'dispatched');
     printDispatchBundleWarnings(bundleResult);
   }
 

package/src/commands/restart.js

@@ -13,21 +13,25 @@
 import chalk from 'chalk';
 import { readFileSync, writeFileSync, existsSync, mkdirSync } from 'fs';
 import { join, dirname } from 'path';
-import { loadProjectContext } from '../lib/config.js';
+import { loadProjectContext, loadProjectState } from '../lib/config.js';
 import {
   assignGovernedTurn,
   getActiveTurns,
   getActiveTurnCount,
   reactivateGovernedRun,
   detectStateBundleDesync,
+  normalizeGovernedStateShape,
+  reconcileApprovalPausesWithConfig,
+  reconcileRecoveryActionsWithConfig,
+  transitionActiveTurnLifecycle,
   STATE_PATH,
   HISTORY_PATH,
   LEDGER_PATH,
 } from '../lib/governed-state.js';
 import { writeDispatchBundle } from '../lib/dispatch-bundle.js';
+import { finalizeDispatchManifest } from '../lib/dispatch-manifest.js';
 import { getDispatchTurnDir } from '../lib/turn-paths.js';
 import { consumeNextApprovedIntent } from '../lib/intake.js';
-import { loadProjectState } from '../lib/config.js';
 import { deriveRecoveryDescriptor } from '../lib/blocked-state.js';
 import { deriveRecommendedContinuityAction } from '../lib/continuity-status.js';
 import { readSessionCheckpoint, writeSessionCheckpoint, captureBaselineRef, SESSION_PATH } from '../lib/session-checkpoint.js';
@@ -178,7 +182,20 @@ export async function restartCommand(opts) {
     process.exit(1);
   }
 
-  const state = JSON.parse(readFileSync(statePath, 'utf8'));
+  let state;
+  try {
+    const parsed = JSON.parse(readFileSync(statePath, 'utf8'));
+    const normalized = normalizeGovernedStateShape(parsed);
+    const reconciledApprovals = reconcileApprovalPausesWithConfig(normalized.state, config);
+    const reconciledRecovery = reconcileRecoveryActionsWithConfig(reconciledApprovals.state, config);
+    state = reconciledRecovery.state;
+    if (normalized.changed || reconciledApprovals.changed || reconciledRecovery.changed) {
+      writeFileSync(statePath, JSON.stringify(state, null, 2));
+    }
+  } catch {
+    console.log(chalk.red('No valid governed state.json found.'));
+    process.exit(1);
+  }
 
   // Load checkpoint (optional — restart can work without it, just with less context)
   const checkpoint = readSessionCheckpoint(root);
@@ -389,6 +406,19 @@ export async function restartCommand(opts) {
         console.log(chalk.dim('Run `agentxchain reissue-turn` to reissue with a fresh bundle.'));
         process.exit(1);
       }
+      // BUG-51 follow-up: finalize the dispatch manifest so adapter-side
+      // verification matches fresh dispatches via `run`/`step`/`resume`.
+      // restart does not run after_dispatch hooks here, so finalize
+      // immediately after writeDispatchBundle.
+      const manifestResult = finalizeDispatchManifest(root, turnId, {
+        run_id: assignedState.run_id,
+        role: assignedRole,
+      });
+      if (!manifestResult.ok) {
+        console.log(chalk.red(`Turn assigned but dispatch manifest failed: ${manifestResult.error}`));
+        process.exit(1);
+      }
+      transitionActiveTurnLifecycle(root, turnId, 'dispatched');
       for (const bw of bundleResult.warnings || []) {
         console.log(chalk.yellow(`Dispatch bundle warning: ${bw}`));
       }