claude-tempo 0.26.0-beta.7 → 0.26.0

package/CLAUDE.md

@@ -70,6 +70,7 @@ src/
 │   ├── load-lineup.ts / save-lineup.ts / agent-types.ts / resolve.ts
 │   ├── set-name.ts / set-part.ts / who-am-i.ts / release.ts
 │   ├── pause-ensemble.ts / resume-ensemble.ts
+│   ├── hosts.ts
 │   └── helpers.ts     # Zod/MCP tool registration wrapper
 ├── tui/
 │   ├── App.tsx / store.ts / commands.ts   # TUI root, state, slash commands
@@ -78,6 +79,8 @@ src/
 │   └── utils/         # format, platform, theme, fullscreen, history
 ├── utils/
 │   ├── validation.ts / worktree.ts / safe-path.ts / duration.ts / search-attributes.ts
+│   ├── attachment-format.ts / recall-format.ts   # Shared display formatters (attachment-info, recall)
+│   ├── hosts.ts / format-hosts.ts                # Host enumeration + shared hosts display formatter (#274)
 ├── types.ts           # Shared type definitions
 ├── git-info.ts        # Git repository detection helper
 └── config.ts          # Env var handling
@@ -118,11 +121,12 @@ daemon worker notes, `npx ts-node` dev runner).
 - **Outbox**: Outbound requests (cue, report, recruit, restart, detach, destroy, …) go through the session's workflow outbox instead of directly signaling other workflows. The dispatch loop processes entries via activities, decoupling tools from cross-workflow signaling.
 - **Attachment phase** (v0.26): Seven phases tracked on the session workflow — `booting → attached → processing | awaiting → draining → detached → gone`. The phase is authoritative for lifecycle truth: adapters drive it via `claimAttachment` / `adapterExited` / `forceDetach` / `destroy`, and the workflow publishes it on the `ClaudeTempoAttachmentState` search attribute. Replaced the v0.25 `ClaudeTempoStatus` heuristic (removed in v0.26). See [docs/concepts.md](docs/concepts.md) for the phase table and [docs/ops/v0.26-migration.md](docs/ops/v0.26-migration.md) for the upgrade path.
 - **Adapter heartbeat observability** (#249): After `claimAttachment`, the base adapter logs `first heartbeat scheduled in Xms` then `heartbeat#1 delivered` on the first tick. Every 10 ticks it emits `heartbeats-delivered=N / phase-ticks=N` breadcrumbs. Any silent guard trip in `tickHeartbeat` / `tickPhaseWatcher` now emits a structured `guard tripped: {stopped, reconnecting, …}` log instead of silently orphaning the timer. The phase-watcher emits `WARNING: heartbeat staleness` when `lastHeartbeatAt` falls more than 2× `heartbeatMs` behind `now`. Grep `[claude-tempo:adapter]` to confirm loop health without parsing Temporal history.
-- **Per-host task queues**: `host` param on `recruit`/`restart`/`migrate` routes to `claude-tempo-{hostname}` task queue. See [docs/concepts.md](docs/concepts.md) for cross-machine recruiting details.
+- **Per-host task queues**: `host` param on `recruit`/`restart`/`migrate` routes to `claude-tempo-{hostname}` task queue. When `host` is set on `recruit`, a pre-flight check validates the target daemon is live and supports the requested agent type (`force: true` bypasses). Daemon boot profiles (hostname, platform, available player types) are advertised via the `hostProfile` signal and maintained in the global maestro's `hostProfiles` map — surfaced by the `hosts` MCP tool, `claude-tempo hosts` CLI, and `/hosts` TUI command (#274). See [docs/concepts.md](docs/concepts.md) for cross-machine recruiting details.
 - **Wire protocol**: All signal/query/update names are documented in [`docs/WIRE-PROTOCOL.md`](docs/WIRE-PROTOCOL.md) and are stable — renaming or removing any is a breaking change. **Process**: update `docs/WIRE-PROTOCOL.md` in the same commit as any new signal, query, or update.
 - **Daemon**: Standalone background process (`src/daemon.ts`) that runs all Temporal workers. Auto-started by any `claude-tempo` command. PID at `~/.claude-tempo/daemon.pid`; logs at `~/.claude-tempo/daemon.log`.
 - **Player types**: Reusable agent definitions in Claude Code's subagent format (`.md` files with YAML frontmatter). Three-tier lookup: project `.claude/agents/` → user `~/.claude/agents/` → shipped `examples/agents/`. Discover via `agent_types` tool or `claude-tempo agent-types` CLI. Shipped types: tempo-conductor, tempo-composer, tempo-soloist, tempo-tuner, tempo-critic, tempo-roadie, tempo-improv, tempo-liner.
 - **Lineup examples**: Four pre-built ensemble YAML files in `examples/ensembles/` — `tempo-big-band`, `tempo-dev-team`, `tempo-review-squad`, `tempo-jam-session`. Load with `claude-tempo up --lineup <name>` or the `load_lineup` tool.
+- **GitHub App identity** (`claude-tempo[bot]`): When a player writes to GitHub — issue comments, PR creation/merge, commits, labels, check runs — **use `./scripts/ensemble-gh`** instead of `gh`. The wrapper mints a short-lived installation token so the action is attributed to `claude-tempo[bot]`, not to the human maintainer, making the AI authorship visible. Plain `gh` is still correct for read-only local dev (`gh pr view`, `gh repo clone`, `gh auth status`). Every bot-authored comment/PR body must include the AI attribution footer documented in [docs/github-app.md](docs/github-app.md).
 
 See [docs/concepts.md](docs/concepts.md) for the full glossary (Adapter, Attachment phases, Restart, Detach/Destroy, Migrate, Broadcast, Recall, Schedule, Lineup, Quality Gate, Worktree, Stage, Hold/Release, Pause/Resume, Maestro, TempoClient, and more).
 

package/README.md

@@ -143,6 +143,7 @@ claude-tempo up [ensemble]      # first-time setup
 claude-tempo conduct [ensemble] # start a conductor
 claude-tempo start [ensemble]   # start a player
 claude-tempo status [ensemble]  # list active sessions
+claude-tempo hosts              # list daemons polling this Temporal namespace (--all/--json)
 claude-tempo recall <name>      # read a player's message history (--limit/--offset/--preview/--from/--since/--include-sent/--json)
 claude-tempo attachment-info <name> # inspect a session's phase, holder, lease, and heartbeat age
 claude-tempo release [ensemble] # release held players (unlock + deliver tasks)

package/dist/cli/commands.d.ts

@@ -106,6 +106,30 @@ export declare function detach(opts: DetachCliOpts): Promise<void>;
 export declare function destroy(opts: DestroyCliOpts): Promise<void>;
 export declare function migrate(opts: MigrateCliOpts): Promise<void>;
 export declare function attachmentInfo(opts: VerbOpts): Promise<void>;
+export interface HostsCliOpts extends CliOverrides {
+    ensemble?: string;
+    /** Include stale hosts (those not seen in the last minute). CLI default: false. */
+    all?: boolean;
+    /** Emit raw `HostInfo[]` JSON instead of the formatted table. */
+    json?: boolean;
+}
+export declare function hosts(opts: HostsCliOpts): Promise<void>;
+export interface RefreshHostProfileCliOpts extends CliOverrides {
+    ensemble?: string;
+    /** Max wait for the new profile to appear in the maestro `hostProfiles` map. Default 10s. */
+    confirmTimeoutMs?: number;
+}
+/**
+ * #274 AC5d (M12) — manual re-signal of this host's profile to the
+ * global maestro. The daemon otherwise only re-signals on boot; this
+ * subcommand re-computes the profile + signals fresh.
+ *
+ * Exit semantics (per my implementation-time call to the conductor,
+ * approved): await ensureGlobalMaestro → signal → short poll on
+ * `hostProfiles()` to confirm the new version is visible → exit 0.
+ * Exits nonzero if the poll timeout elapses without confirmation.
+ */
+export declare function refreshHostProfile(opts: RefreshHostProfileCliOpts): Promise<void>;
 export interface RecallCliOpts extends VerbOpts {
     limit?: number;
     offset?: number;

package/dist/cli/commands.js

@@ -47,6 +47,8 @@ exports.detach = detach;
 exports.destroy = destroy;
 exports.migrate = migrate;
 exports.attachmentInfo = attachmentInfo;
+exports.hosts = hosts;
+exports.refreshHostProfile = refreshHostProfile;
 exports.recall = recall;
 exports.restore = restore;
 exports.ensembleCommand = ensembleCommand;
@@ -2128,6 +2130,83 @@ async function attachmentInfo(opts) {
         await connection.close();
     }
 }
+async function hosts(opts) {
+    const { config, connection, client } = await verbClient(opts);
+    try {
+        const { listHosts } = await Promise.resolve().then(() => __importStar(require('../utils/hosts')));
+        const { formatHostList } = await Promise.resolve().then(() => __importStar(require('../utils/format-hosts')));
+        const list = await listHosts(client, {
+            force: true, // CLI always bypasses the cache — freshness expectation is "right now".
+            namespace: config.temporalNamespace,
+            taskQueue: config.taskQueue,
+        });
+        if (opts.json) {
+            process.stdout.write(JSON.stringify(list, null, 2) + '\n');
+        }
+        else {
+            out.log(formatHostList(list, { includeStale: opts.all }));
+        }
+    }
+    catch (err) {
+        out.error(err?.message || String(err));
+        process.exit(1);
+    }
+    finally {
+        await connection.close();
+    }
+}
+/**
+ * #274 AC5d (M12) — manual re-signal of this host's profile to the
+ * global maestro. The daemon otherwise only re-signals on boot; this
+ * subcommand re-computes the profile + signals fresh.
+ *
+ * Exit semantics (per my implementation-time call to the conductor,
+ * approved): await ensureGlobalMaestro → signal → short poll on
+ * `hostProfiles()` to confirm the new version is visible → exit 0.
+ * Exits nonzero if the poll timeout elapses without confirmation.
+ */
+async function refreshHostProfile(opts) {
+    const { config, connection, client } = await verbClient(opts);
+    try {
+        const { computeHostProfile, scrubHostProfile, advertiseHostProfile } = await Promise.resolve().then(() => __importStar(require('../daemon')));
+        const { GLOBAL_MAESTRO_WORKFLOW_ID } = await Promise.resolve().then(() => __importStar(require('../config')));
+        const profile = scrubHostProfile(computeHostProfile(config));
+        const result = await advertiseHostProfile(client, profile, { log: (...a) => out.log(a.map(String).join(' ')) });
+        if (!result.ok) {
+            out.error(`hostProfile signal failed after ${result.attempts} attempts. Global Maestro may be unreachable.`);
+            process.exit(1);
+        }
+        // Short confirmation poll — give the workflow a moment to apply the
+        // signal and respond to the query with the fresh version. If the
+        // maestro is absent entirely, the query will throw and we exit 1.
+        const deadline = Date.now() + (opts.confirmTimeoutMs ?? 10_000);
+        const target = profile.version;
+        const handle = client.workflow.getHandle(GLOBAL_MAESTRO_WORKFLOW_ID);
+        while (Date.now() < deadline) {
+            try {
+                const profiles = (await handle.query('hostProfiles'));
+                const live = profiles[profile.hostname];
+                if (live && live.version === target) {
+                    out.success(`Host profile for "${profile.hostname}" refreshed (version ${target}).`);
+                    return;
+                }
+            }
+            catch {
+                // retry until deadline
+            }
+            await new Promise((r) => setTimeout(r, 500));
+        }
+        out.error(`Signal sent but not yet reflected in hostProfiles() query after ${opts.confirmTimeoutMs ?? 10_000}ms. May succeed shortly; re-run to confirm.`);
+        process.exit(1);
+    }
+    catch (err) {
+        out.error(err?.message || String(err));
+        process.exit(1);
+    }
+    finally {
+        await connection.close();
+    }
+}
 async function recall(opts) {
     const { config, connection, client } = await verbClient(opts);
     const ensemble = opts.ensemble || config.ensemble;

package/dist/cli/help-text.js

@@ -76,6 +76,8 @@ ${out.bold('Commands:')}
   ${out.cyan('migrate')} <name> --host Move a session to a different host
   ${out.cyan('attachment-info')} <name> Inspect the V2 attachment phase + current holder
   ${out.cyan('recall')} <name>          Read a player's message history (--limit/--offset/--preview/--from/--since/--include-sent/--json)
+  ${out.cyan('hosts')}                  List daemons polling this Temporal namespace with advertised capabilities (--all/--json)
+  ${out.cyan('refresh-host-profile')}   Re-advertise this daemon's capability profile to the global Maestro
   ${out.cyan('restore')} [name]         Restore orphaned session(s) — interactive picker, or --all / --from-host / --dry-run
   ${out.cyan('release')} [ensemble]   Release all held players (unlock outbox, deliver messages)
   ${out.cyan('pause')}   [ensemble]   Pause an ensemble (sessions, scheduler, maestro)

package/dist/cli.js

@@ -326,7 +326,7 @@ async function main() {
         return;
     }
     // All other commands: lazy-load the full command surface now.
-    const { start, status, init, server, up, down, stop, ensembleCommand, agentTypesCommand, broadcast, release, pause, resume, restart, detach, destroy, migrate, attachmentInfo, recall, restore, } = await Promise.resolve().then(() => __importStar(require('./cli/commands')));
+    const { start, status, init, server, up, down, stop, ensembleCommand, agentTypesCommand, broadcast, release, pause, resume, restart, detach, destroy, migrate, attachmentInfo, recall, hosts, refreshHostProfile, restore, } = await Promise.resolve().then(() => __importStar(require('./cli/commands')));
     const ensemble = args.positional[1] || process.env[config_1.ENV.ENSEMBLE] || 'default';
     // Resolve the default agent from config (only needed for commands that use it)
     const resolvedAgent = () => args.agent ?? (0, config_1.getConfig)(overrides).defaultAgent;
@@ -505,6 +505,22 @@ async function main() {
             });
             break;
         }
+        case 'hosts': {
+            await hosts({
+                ensemble: args.ensemble || ensemble,
+                ...(args.all ? { all: true } : {}),
+                ...(args.json ? { json: true } : {}),
+                ...overrides,
+            });
+            break;
+        }
+        case 'refresh-host-profile': {
+            await refreshHostProfile({
+                ensemble: args.ensemble || ensemble,
+                ...overrides,
+            });
+            break;
+        }
         case 'recall': {
             // Positional player is required — matches the #128 design.
             const name = args.positional[1] || args.name;

package/dist/client/index.js

@@ -1,4 +1,37 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.createTempoClient = createTempoClient;
 /**
@@ -311,6 +344,15 @@ function createTempoClient(client) {
                 throw new Error(`No session found with name "${playerId}" in ensemble "${ensemble}".`);
             return target.query(signals_1.attachmentInfoQuery);
         },
+        async listHosts(opts = {}) {
+            // Lazy import so this doesn't drag utils/hosts into every
+            // consumer of TempoClient at module-load time.
+            const { listHosts } = await Promise.resolve().then(() => __importStar(require('../utils/hosts')));
+            return listHosts(client, {
+                force: Boolean(opts.force),
+                namespace: client.options.namespace,
+            });
+        },
         async recall(ensemble, playerId) {
             // #128: direct session queries, no maestro round-trip. Throws rather
             // than returning empties so the CLI / TUI wrappers can surface a

package/dist/client/interface.d.ts

@@ -4,7 +4,7 @@
  * Extracted from `src/tui/client.ts` so that non-TUI consumers (CLI, tests,
  * external integrations) can depend on the interface without pulling in Ink/React.
  */
-import type { MaestroPlayerInfo, MaestroRelayMessage, HistoryEntry, Message, SentMessage, SessionMetadata, ScheduleEntry, QualityGate, StageEntry, WorktreeEntry, EnsembleChatResult, AttachmentInfo } from '../types';
+import type { MaestroPlayerInfo, MaestroRelayMessage, HistoryEntry, Message, SentMessage, SessionMetadata, ScheduleEntry, QualityGate, StageEntry, WorktreeEntry, EnsembleChatResult, AttachmentInfo, HostInfo } from '../types';
 /**
  * Raw (unfiltered, unsorted, unsliced) output of `TempoClient.recall`.
  * The shared formatter at `src/utils/recall-format.ts` turns this into a
@@ -79,6 +79,15 @@ export interface TempoClient {
      * slice / render; the client stays presentation-free.
      */
     recall(ensemble: string, playerId: string): Promise<RecallClientResult>;
+    /**
+     * #274: List all daemons polling this Temporal namespace, joined with
+     * their boot-signaled capability profiles. Consumers typically feed
+     * the result through `formatHostList` for a consistent UX across
+     * CLI / TUI / MCP. `force: true` bypasses the 3-second result cache.
+     */
+    listHosts(opts?: {
+        force?: boolean;
+    }): Promise<HostInfo[]>;
     /** Get active schedules for an ensemble. */
     getSchedules(ensemble: string): Promise<ScheduleEntry[]>;
     /** Cancel a named schedule in an ensemble. */

package/dist/daemon.d.ts

@@ -1,7 +1,8 @@
 #!/usr/bin/env node
 import { Client } from '@temporalio/client';
-import { type DaemonConfig } from './config';
+import { type Config, type DaemonConfig } from './config';
 import { type OrphanCandidate } from './reconcile/orphans';
+import type { HostProfile } from './types';
 /**
  * Atomically write the daemon PID file via `writeFile(tmp) + rename(tmp, final)`.
  *
@@ -15,6 +16,105 @@ import { type OrphanCandidate } from './reconcile/orphans';
  * Exported for unit testing.
  */
 export declare function writePidFileAtomic(pidFilePath: string, pid: number): Promise<void>;
+/**
+ * Build the daemon's capability profile from its config + runtime env.
+ * Result is NOT scrubbed — call `scrubHostProfile` before signaling.
+ *
+ * Exported for testability; production callers go through
+ * `runDaemonBoot(client, deps)` which provides this as the default
+ * `computeHostProfile` dep.
+ */
+export declare function computeHostProfile(config: Config): HostProfile;
+/**
+ * #274 AC5c / M10 — HARD REQUIREMENT privacy scrub.
+ *
+ * Strips absolute paths and file extensions from every `HostProfile` field
+ * before the payload crosses the signal boundary. The global maestro is
+ * namespace-wide; a multi-tenant or multi-ensemble corporate setup would
+ * leak username-containing paths across ensembles if this is ever
+ * violated. Unit-tested in `test/daemon-boot.test.ts` with a dedicated
+ * "no `/` or `\\` in any string" invariant assertion against pathological
+ * inputs.
+ *
+ * Contract per architect AC5c:
+ * - `claudeBin` — basename only (e.g. `claude`), never absolute
+ * - `availableAgentTypes` — names only, never paths
+ * - `availablePlayerTypes` — names only, never paths
+ * - No env var values, no `workDir`, no user directories in any field
+ *
+ * The scrub is defense-in-depth: production callers (`computeHostProfile`)
+ * already produce clean inputs from `listAgentTypes().map(a => a.name)`.
+ * If a future code path accidentally passes a path, this function catches
+ * it before the workflow handler ever sees it.
+ */
+export declare function scrubHostProfile(raw: HostProfile): HostProfile;
+/**
+ * Signal `hostProfile` with bounded retry (AC5b / M11).
+ *
+ * Default backoff: `[0, 5000, 15000]` ms → 3 attempts, ≤20 s wall-clock,
+ * well under the 30 s budget. Tests override to `[0, 0, 0]` for fast
+ * execution. On total failure, logs a warning and returns — the daemon
+ * stays alive without its profile advertised.
+ *
+ * Exported for reuse by the Phase 5 `claude-tempo refresh-host-profile`
+ * CLI subcommand, which re-signals without needing the full
+ * `runDaemonBoot` sequence (the global maestro is already up).
+ */
+export declare function advertiseHostProfile(client: Client, profile: HostProfile, opts?: {
+    retryBackoffsMs?: number[];
+    log?: (...args: unknown[]) => void;
+    sendSignal?: (client: Client, profile: HostProfile) => Promise<void>;
+}): Promise<{
+    ok: boolean;
+    attempts: number;
+    lastError?: unknown;
+}>;
+/**
+ * #274 M14 — boot-sequence deps. Injected at `runDaemonBoot` so the
+ * ordering + retry + scrub invariants are all unit-testable without
+ * subprocess fixtures. Production callers pass the default impls
+ * already exported from this module.
+ */
+export interface DaemonBootDeps {
+    /** Ensure the global maestro workflow is running. Awaited before any signal. */
+    ensureGlobalMaestro: () => Promise<void>;
+    /** Signal the global maestro with the scrubbed host profile. */
+    sendHostProfileSignal: (client: Client, profile: HostProfile) => Promise<void>;
+    /**
+     * Compute the daemon's capability profile. Output is fed into
+     * `scrubHostProfile` before signaling — computeHostProfile itself does
+     * not need to scrub, the dep-swap pattern makes the pipeline testable.
+     */
+    computeHostProfile: () => HostProfile;
+    /**
+     * Retry backoffs for the `hostProfile` signal (ms). Production uses
+     * `[0, 5000, 15000]`; tests override to `[0, 0, 0]` for speed.
+     */
+    retryBackoffsMs?: number[];
+    /** Log sink. Tests stub to capture output. Defaults to module-level `log`. */
+    log?: (...args: unknown[]) => void;
+}
+/**
+ * #274 M14 — daemon boot sequence: ensure global maestro is running,
+ * then advertise the (scrubbed) capability profile with bounded retry.
+ *
+ * Ordering is load-bearing (AC5a / M11): the `hostProfile` signal MUST
+ * NOT fire until `ensureGlobalMaestro` has resolved. Otherwise the
+ * signal races the workflow-start and gets silently dropped by Temporal
+ * (WorkflowNotFound on an unknown workflow id).
+ *
+ * Hard-failure behavior (AC5b): if `ensureGlobalMaestro` rejects, the
+ * daemon stays alive WITHOUT advertising its profile. Next opportunity
+ * is the next daemon restart OR a manual `claude-tempo refresh-host-profile`
+ * invocation (Phase 5).
+ *
+ * Tests in `test/daemon-boot.test.ts` exercise:
+ *   - ensure-before-signal ordering via deferred promises
+ *   - retry success on 3rd attempt
+ *   - all-retries-exhausted stays alive
+ *   - ensure-fails-stays-alive
+ */
+export declare function runDaemonBoot(client: Client, deps: DaemonBootDeps): Promise<void>;
 /**
  * PR-E reconcile-on-boot — design §10.1.
  *

package/dist/daemon.js

@@ -35,6 +35,10 @@ var __importStar = (this && this.__importStar) || (function () {
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.writePidFileAtomic = writePidFileAtomic;
+exports.computeHostProfile = computeHostProfile;
+exports.scrubHostProfile = scrubHostProfile;
+exports.advertiseHostProfile = advertiseHostProfile;
+exports.runDaemonBoot = runDaemonBoot;
 exports.reconcileOnBoot = reconcileOnBoot;
 exports.selectStaleDetachedOrphans = selectStaleDetachedOrphans;
 exports.cleanupLoop = cleanupLoop;
@@ -50,6 +54,7 @@ exports.startCleanupLoop = startCleanupLoop;
  */
 const fs = __importStar(require("fs"));
 const os = __importStar(require("os"));
+const path = __importStar(require("path"));
 const promises_1 = require("timers/promises");
 const client_1 = require("@temporalio/client");
 const client_2 = require("@temporalio/client");
@@ -59,6 +64,7 @@ const connection_1 = require("./connection");
 const daemon_1 = require("./cli/daemon");
 const client_3 = require("./client");
 const orphans_1 = require("./reconcile/orphans");
+const agent_types_1 = require("./ensemble/agent-types");
 const log = (...args) => console.error(`[claude-tempo:daemon ${new Date().toISOString()}]`, ...args);
 /**
  * Atomically write the daemon PID file via `writeFile(tmp) + rename(tmp, final)`.
@@ -121,6 +127,186 @@ async function ensureGlobalMaestro(config) {
         log('Failed to ensure global Maestro (non-fatal):', err instanceof Error ? err.message : String(err));
     }
 }
+// ────────────────────────────────────────────────────────────────────────
+// #274 — host capability profile: compute → scrub → signal
+// ────────────────────────────────────────────────────────────────────────
+/**
+ * Daemon package version, lazily read from `package.json` so the test
+ * build (which compiles daemon.ts into `dist-test/src/` where
+ * `../package.json` doesn't resolve) can exercise daemon-boot logic
+ * without MODULE_NOT_FOUND. Tests that exercise `computeHostProfile`
+ * pass a stubbed version via `HostProfile.version` on the input.
+ */
+function daemonVersion() {
+    try {
+        const { version } = require('../package.json');
+        return version;
+    }
+    catch {
+        return 'unknown';
+    }
+}
+/**
+ * Build the daemon's capability profile from its config + runtime env.
+ * Result is NOT scrubbed — call `scrubHostProfile` before signaling.
+ *
+ * Exported for testability; production callers go through
+ * `runDaemonBoot(client, deps)` which provides this as the default
+ * `computeHostProfile` dep.
+ */
+function computeHostProfile(config) {
+    const agentTypes = (() => {
+        try {
+            return (0, agent_types_1.listAgentTypes)().map((a) => a.name);
+        }
+        catch {
+            // listAgentTypes reads the filesystem; treat any failure as "no
+            // discoverable types" rather than crashing boot.
+            return [];
+        }
+    })();
+    return {
+        hostname: os.hostname(),
+        version: daemonVersion(),
+        defaultAgent: config.defaultAgent,
+        // Currently the daemon advertises only the configured default as an
+        // "available runtime"; future work can probe for Copilot bridge via
+        // `require.resolve('@github/copilot-sdk')`. Recording as an array
+        // keeps the wire shape forward-compatible.
+        availableAgentTypes: [config.defaultAgent],
+        availablePlayerTypes: agentTypes,
+        claudeBin: config.claudeBin,
+        platform: process.platform,
+        capabilities: [],
+    };
+}
+/**
+ * #274 AC5c / M10 — HARD REQUIREMENT privacy scrub.
+ *
+ * Strips absolute paths and file extensions from every `HostProfile` field
+ * before the payload crosses the signal boundary. The global maestro is
+ * namespace-wide; a multi-tenant or multi-ensemble corporate setup would
+ * leak username-containing paths across ensembles if this is ever
+ * violated. Unit-tested in `test/daemon-boot.test.ts` with a dedicated
+ * "no `/` or `\\` in any string" invariant assertion against pathological
+ * inputs.
+ *
+ * Contract per architect AC5c:
+ * - `claudeBin` — basename only (e.g. `claude`), never absolute
+ * - `availableAgentTypes` — names only, never paths
+ * - `availablePlayerTypes` — names only, never paths
+ * - No env var values, no `workDir`, no user directories in any field
+ *
+ * The scrub is defense-in-depth: production callers (`computeHostProfile`)
+ * already produce clean inputs from `listAgentTypes().map(a => a.name)`.
+ * If a future code path accidentally passes a path, this function catches
+ * it before the workflow handler ever sees it.
+ */
+function scrubHostProfile(raw) {
+    const stripPath = (s) => {
+        // Platform-independent basename: `path.basename` is runtime-bound —
+        // on POSIX it doesn't recognise `\` as a separator, so a Windows
+        // daemon's signal leaking `'C:\Users\alice\bin\claude.exe'` into
+        // a Linux-hosted global maestro would bypass the scrub entirely
+        // (CI caught exactly this on Ubuntu shard-2). Normalize first,
+        // then use `path.posix.basename` explicitly so the scrub is
+        // deterministic regardless of where the daemon or maestro runs.
+        //
+        // Also strip a single trailing `.md` — player-type files are
+        // shipped as e.g. `tempo-soloist.md` but the name should be just
+        // `tempo-soloist` on the wire.
+        const normalized = s.replace(/\\/g, '/');
+        const base = path.posix.basename(normalized);
+        return base.endsWith('.md') ? base.slice(0, -3) : base;
+    };
+    const scrubList = (list) => list?.map(stripPath);
+    return {
+        hostname: raw.hostname,
+        version: raw.version,
+        defaultAgent: raw.defaultAgent,
+        availableAgentTypes: scrubList(raw.availableAgentTypes),
+        availablePlayerTypes: scrubList(raw.availablePlayerTypes),
+        claudeBin: raw.claudeBin ? stripPath(raw.claudeBin) : undefined,
+        platform: raw.platform,
+        capabilities: raw.capabilities,
+    };
+}
+/** Production default: signal the global maestro with the profile. */
+async function realSendHostProfileSignal(client, profile) {
+    const handle = client.workflow.getHandle(config_1.GLOBAL_MAESTRO_WORKFLOW_ID);
+    await handle.signal('hostProfile', profile);
+}
+/**
+ * Signal `hostProfile` with bounded retry (AC5b / M11).
+ *
+ * Default backoff: `[0, 5000, 15000]` ms → 3 attempts, ≤20 s wall-clock,
+ * well under the 30 s budget. Tests override to `[0, 0, 0]` for fast
+ * execution. On total failure, logs a warning and returns — the daemon
+ * stays alive without its profile advertised.
+ *
+ * Exported for reuse by the Phase 5 `claude-tempo refresh-host-profile`
+ * CLI subcommand, which re-signals without needing the full
+ * `runDaemonBoot` sequence (the global maestro is already up).
+ */
+async function advertiseHostProfile(client, profile, opts = {}) {
+    const backoffs = opts.retryBackoffsMs ?? [0, 5000, 15000];
+    const logFn = opts.log ?? log;
+    const send = opts.sendSignal ?? realSendHostProfileSignal;
+    let lastError;
+    for (let attempt = 0; attempt < backoffs.length; attempt++) {
+        const delay = backoffs[attempt];
+        if (delay > 0)
+            await (0, promises_1.setTimeout)(delay);
+        try {
+            await send(client, profile);
+            logFn(`Advertised host profile for "${profile.hostname}" (attempt ${attempt + 1}/${backoffs.length})`);
+            return { ok: true, attempts: attempt + 1 };
+        }
+        catch (err) {
+            lastError = err;
+            logFn(`hostProfile signal attempt ${attempt + 1}/${backoffs.length} failed:`, err instanceof Error ? err.message : err);
+        }
+    }
+    logFn(`Failed to advertise host profile after ${backoffs.length} attempts (non-fatal; daemon stays alive):`, lastError instanceof Error ? lastError.message : lastError);
+    return { ok: false, attempts: backoffs.length, lastError };
+}
+/**
+ * #274 M14 — daemon boot sequence: ensure global maestro is running,
+ * then advertise the (scrubbed) capability profile with bounded retry.
+ *
+ * Ordering is load-bearing (AC5a / M11): the `hostProfile` signal MUST
+ * NOT fire until `ensureGlobalMaestro` has resolved. Otherwise the
+ * signal races the workflow-start and gets silently dropped by Temporal
+ * (WorkflowNotFound on an unknown workflow id).
+ *
+ * Hard-failure behavior (AC5b): if `ensureGlobalMaestro` rejects, the
+ * daemon stays alive WITHOUT advertising its profile. Next opportunity
+ * is the next daemon restart OR a manual `claude-tempo refresh-host-profile`
+ * invocation (Phase 5).
+ *
+ * Tests in `test/daemon-boot.test.ts` exercise:
+ *   - ensure-before-signal ordering via deferred promises
+ *   - retry success on 3rd attempt
+ *   - all-retries-exhausted stays alive
+ *   - ensure-fails-stays-alive
+ */
+async function runDaemonBoot(client, deps) {
+    const logFn = deps.log ?? log;
+    const raw = deps.computeHostProfile();
+    const profile = scrubHostProfile(raw);
+    try {
+        await deps.ensureGlobalMaestro();
+    }
+    catch (err) {
+        logFn('ensureGlobalMaestro failed (non-fatal); host profile not advertised this boot:', err instanceof Error ? err.message : err);
+        return;
+    }
+    await advertiseHostProfile(client, profile, {
+        retryBackoffsMs: deps.retryBackoffsMs,
+        log: logFn,
+        sendSignal: deps.sendHostProfileSignal,
+    });
+}
 // ── Reconcile-on-boot (PR-E §10.1) ──
 /**
  * PR-E reconcile-on-boot — design §10.1.
@@ -404,10 +590,28 @@ async function main() {
     sharedWorker = workers.sharedWorker;
     hostWorker = workers.hostWorker;
     log('Workers created — processing tasks');
-    // Auto-start the global Maestro workflow (non-blocking, non-fatal)
-    ensureGlobalMaestro(config).catch((err) => {
-        log('ensureGlobalMaestro background error:', err);
-    });
+    // #274 — daemon boot sequence: ensure the global maestro is running,
+    // then advertise this host's capability profile with bounded retry.
+    // Fire-and-forget from main's perspective (the workers above are
+    // already polling tasks; we don't block the run loop on maestro
+    // ensure + profile signaling). Ordering INSIDE runDaemonBoot is
+    // load-bearing — see M11 / AC5a — so the outer `.catch` only
+    // handles unexpected throws (both ensure and signal paths log +
+    // return gracefully on their own).
+    (async () => {
+        try {
+            const bootConnection = await (0, connection_1.createTemporalConnection)(config);
+            const bootClient = new client_1.Client({ connection: bootConnection, namespace: config.temporalNamespace });
+            await runDaemonBoot(bootClient, {
+                ensureGlobalMaestro: () => ensureGlobalMaestro(config),
+                sendHostProfileSignal: realSendHostProfileSignal,
+                computeHostProfile: () => computeHostProfile(config),
+            });
+        }
+        catch (err) {
+            log('runDaemonBoot background error:', err);
+        }
+    })();
     // PR-E reconcile-on-boot + cleanup loop (design §10, §13.4). Both run
     // against their own Temporal Client, not the worker connection — they
     // call `workflow.list` + `workflow.getHandle().query(...)` which are