code-ai-installer 4.0.1 → 4.3.0

package/dist/mcp_setup.js

@@ -1,9 +1,7 @@
 import { spawn } from "node:child_process";
-import { mkdir, writeFile } from "node:fs/promises";
+import { copyFile, mkdir, readFile, rename, writeFile } from "node:fs/promises";
+import { homedir } from "node:os";
 import { join } from "node:path";
-const defaultClaudeCli = {
-    run: (args) => spawnCapture("claude", args),
-};
 /**
  * Try `mempalace-mcp --help` — the dedicated MCP-server bin, which is exactly
  * what we register. Resolves true on exit code 0, false otherwise (including
@@ -14,11 +12,6 @@ const defaultClaudeCli = {
 export async function detectMemPalace() {
     return spawnExitZero("mempalace-mcp", ["--help"]);
 }
-/** True when the `claude` CLI is on PATH (probed via `claude --version`). */
-export async function detectClaudeCli(cli = defaultClaudeCli) {
-    const res = await cli.run(["--version"]);
-    return res.ok;
-}
 /**
  * Find the first available Python install runtime, in preference order:
  * uv → pipx → pip. Returns null if none available.
@@ -56,55 +49,118 @@ function installCommandArgs(runtime) {
     }
 }
 /**
- * Build the argv for `claude mcp add --scope user <name> -- <command> [args]`.
- * Pure — exported for testing. Env vars become `-e KEY=VALUE` flags placed
- * before the server name (as `claude mcp add` expects options first).
+ * Resolve the Claude user config path. Honours `CLAUDE_CONFIG_DIR` when set,
+ * else `~/.claude.json`.
  */
-export function buildClaudeAddArgs(name, entry) {
-    const envFlags = entry.env
-        ? Object.entries(entry.env).flatMap(([k, v]) => ["-e", `${k}=${v}`])
-        : [];
-    return ["mcp", "add", ...envFlags, "--scope", "user", name, "--", entry.command, ...entry.args];
+export function userConfigPath() {
+    const dir = process.env.CLAUDE_CONFIG_DIR?.trim();
+    return dir ? join(dir, ".claude.json") : join(homedir(), ".claude.json");
+}
+/** Real filesystem-backed UserConfigIO. Factory so tests can target a temp file. */
+export function createUserConfigIO(configPath) {
+    return {
+        configPath,
+        async read() {
+            let raw;
+            try {
+                raw = await readFile(configPath, "utf8");
+            }
+            catch (err) {
+                const e = err;
+                return { ok: false, error: e.code === "ENOENT" ? "file not found" : e.message };
+            }
+            try {
+                const data = JSON.parse(raw);
+                if (data === null || typeof data !== "object" || Array.isArray(data)) {
+                    return { ok: false, error: "config is not a JSON object" };
+                }
+                return { ok: true, data: data };
+            }
+            catch (err) {
+                return { ok: false, error: `JSON parse error: ${err.message}` };
+            }
+        },
+        async writeWithBackup(data) {
+            const backupPath = `${configPath}.bak`;
+            try {
+                try {
+                    await copyFile(configPath, backupPath);
+                }
+                catch (err) {
+                    // Only tolerate "original did not exist"; surface anything else.
+                    if (err.code !== "ENOENT")
+                        throw err;
+                }
+                const tmpPath = `${configPath}.code-ai.tmp`;
+                await writeFile(tmpPath, JSON.stringify(data, null, 2) + "\n", "utf8");
+                await rename(tmpPath, configPath);
+                return { ok: true, backupPath };
+            }
+            catch (err) {
+                return { ok: false, error: err.message };
+            }
+        },
+    };
 }
-/** Build the argv for `claude mcp remove --scope user <name>`. Pure — exported for testing. */
-export function buildClaudeRemoveArgs(name) {
-    return ["mcp", "remove", "--scope", "user", name];
+const defaultUserConfigIO = createUserConfigIO(userConfigPath());
+/** Shape a server entry the way Claude stores user-scope stdio servers. */
+function toUserScopeEntry(entry) {
+    return {
+        type: "stdio",
+        command: entry.command,
+        args: [...entry.args],
+        env: entry.env ?? {},
+    };
 }
-/** Human-readable manual command, for the no-CLI fallback notice. */
-function manualAddCommand(name, entry) {
-    return `claude ${buildClaudeAddArgs(name, entry).join(" ")}`;
+function readMcpServers(config) {
+    const existing = config.mcpServers;
+    return existing && typeof existing === "object" && !Array.isArray(existing)
+        ? { ...existing }
+        : {};
 }
 /**
- * Is `name` already registered in Claude's USER scope? Uses `claude mcp get`,
- * whose output prints `Scope: User config` for user-scope servers. A server in
- * a different scope (local/project) returns false here — we still want it in
- * user scope.
+ * Idempotently merge `servers` into the config's top-level `mcpServers`. Pure —
+ * returns a new config object plus which names were freshly added vs already
+ * present. An existing key is NEVER overwritten (so a pre-existing global
+ * `mempalace` is preserved untouched). Exported for unit testing.
  */
-export async function isRegisteredInUserScope(cli, name) {
-    const res = await cli.run(["mcp", "get", name]);
-    return res.ok && /Scope:\s*User config/i.test(res.output);
+export function mergeUserScopeServers(config, servers) {
+    const next = { ...config };
+    const mcpServers = readMcpServers(config);
+    const registered = [];
+    const alreadyPresent = [];
+    for (const [name, entry] of Object.entries(servers)) {
+        if (Object.prototype.hasOwnProperty.call(mcpServers, name)) {
+            alreadyPresent.push(name);
+            continue;
+        }
+        mcpServers[name] = toUserScopeEntry(entry);
+        registered.push(name);
+    }
+    next.mcpServers = mcpServers;
+    return { config: next, registered, alreadyPresent };
 }
 /**
- * Register one server in user scope, idempotently. Skips if already present in
- * user scope. Never throws — returns the outcome + a notice for the report.
+ * Idempotently remove `names` from the config's `mcpServers`. Pure — returns a
+ * new config object plus which names were removed vs were not present. Exported
+ * for unit testing.
  */
-async function addServerToUserScope(cli, name, entry) {
-    if (await isRegisteredInUserScope(cli, name)) {
-        return {
-            outcome: "already-present",
-            notice: `MCP server '${name}' already registered in user scope — left untouched.`,
-        };
-    }
-    const res = await cli.run(buildClaudeAddArgs(name, entry));
-    if (res.ok) {
-        return { outcome: "registered", notice: `Registered MCP server '${name}' in user scope (global).` };
+export function removeUserScopeServers(config, names) {
+    const next = { ...config };
+    const mcpServers = readMcpServers(config);
+    const removed = [];
+    const notPresent = [];
+    for (const name of names) {
+        if (Object.prototype.hasOwnProperty.call(mcpServers, name)) {
+            delete mcpServers[name];
+            removed.push(name);
+        }
+        else {
+            notPresent.push(name);
+        }
     }
-    return {
-        outcome: "failed",
-        notice: `Failed to register '${name}' in user scope. Run it manually:\n` +
-            `    ${manualAddCommand(name, entry)}\n` +
-            `  Output:\n${res.output}`,
-    };
+    next.mcpServers = mcpServers;
+    return { config: next, removed, notPresent };
 }
 /**
  * Write `<destinationDir>/.code-ai/config.json` with the chosen backend.
@@ -142,21 +198,25 @@ function buildServerEntries(mempalaceUsed) {
     }
     return servers;
 }
+/** Format a single "name: entry-json" line for the manual-fallback notice. */
+function manualEntryLine(name, entry) {
+    return `    "${name}": ${JSON.stringify(toUserScopeEntry(entry))}`;
+}
 /**
  * End-to-end orchestrator. Called from the install flow when `target=claude`.
  *
  * Order:
  *   1. If user wants MemPalace: detect → install if absent → fall back if install fails.
  *   2. Build server entries (code-ai-mcp always; mempalace only when usable).
- *   3. Register them in Claude USER scope via `claude mcp add --scope user`
- *      (idempotent; skip if already present). If `claude` CLI is absent, emit
- *      manual commands instead of touching the config by hand.
+ *   3. Merge them into the Claude user config's `mcpServers` (idempotent; skip
+ *      already-present). If the config can't be read/written, print the exact
+ *      JSON to add by hand instead of guessing.
  *   4. Write project-local `.code-ai/config.json` with the backend choice.
  *
  * Reports all decisions in `McpSetupReport.notices` so callers can surface
- * them to the user verbatim. `cli` is injectable for testing.
+ * them to the user verbatim. `io` is injectable for testing.
  */
-export async function setupMcp(opts, cli = defaultClaudeCli) {
+export async function setupMcp(opts, io = defaultUserConfigIO) {
     const notices = [];
     let mempalaceUsed = false;
     let mempalaceInstallAttempted = false;
@@ -191,33 +251,49 @@ export async function setupMcp(opts, cli = defaultClaudeCli) {
     const serversRegistered = [];
     const serversAlreadyPresent = [];
     const serversFailed = [];
-    const claudeCliAvailable = !opts.dryRun && (await detectClaudeCli(cli));
     let registration;
     if (opts.dryRun) {
         registration = "user-scope";
         for (const [name, entry] of Object.entries(servers)) {
-            notices.push(`Would register MCP server '${name}' in user scope: ${manualAddCommand(name, entry)}`);
-        }
-    }
-    else if (claudeCliAvailable) {
-        registration = "user-scope";
-        for (const [name, entry] of Object.entries(servers)) {
-            const { outcome, notice } = await addServerToUserScope(cli, name, entry);
-            notices.push(notice);
-            if (outcome === "registered")
-                serversRegistered.push(name);
-            else if (outcome === "already-present")
-                serversAlreadyPresent.push(name);
-            else
-                serversFailed.push(name);
+            notices.push(`Would register MCP server '${name}' in Claude user config (${io.configPath}): ${JSON.stringify(toUserScopeEntry(entry))}`);
         }
     }
     else {
-        registration = "manual-fallback";
-        notices.push("The `claude` CLI was not found on PATH — not modifying your global config automatically. " +
-            "Register the MCP server(s) in user scope by running:");
-        for (const [name, entry] of Object.entries(servers)) {
-            notices.push(`    ${manualAddCommand(name, entry)}`);
+        const read = await io.read();
+        if (!read.ok || !read.data) {
+            registration = "manual-fallback";
+            notices.push(`Could not read Claude user config at ${io.configPath} (${read.error ?? "unknown error"}). ` +
+                `Not modifying it automatically — add these entries to its "mcpServers" object by hand:`);
+            for (const [name, entry] of Object.entries(servers))
+                notices.push(manualEntryLine(name, entry));
+        }
+        else {
+            const merged = mergeUserScopeServers(read.data, servers);
+            serversAlreadyPresent.push(...merged.alreadyPresent);
+            for (const name of merged.alreadyPresent) {
+                notices.push(`MCP server '${name}' already in user config — left untouched.`);
+            }
+            if (merged.registered.length === 0) {
+                registration = "user-scope";
+            }
+            else {
+                const written = await io.writeWithBackup(merged.config);
+                if (written.ok) {
+                    registration = "user-scope";
+                    serversRegistered.push(...merged.registered);
+                    notices.push(`Registered MCP server(s) [${merged.registered.join(", ")}] in Claude user config ${io.configPath}` +
+                        (written.backupPath ? ` (backup: ${written.backupPath})` : "") +
+                        ". Restart your Claude Code session to load them.");
+                }
+                else {
+                    registration = "manual-fallback";
+                    serversFailed.push(...merged.registered);
+                    notices.push(`Failed to write Claude user config at ${io.configPath} (${written.error ?? "unknown error"}). ` +
+                        `No changes made — add these entries to its "mcpServers" object by hand:`);
+                    for (const name of merged.registered)
+                        notices.push(manualEntryLine(name, servers[name]));
+                }
+            }
         }
     }
     const cfg = await writeCodeAiConfig(opts.destinationDir, {
@@ -229,7 +305,7 @@ export async function setupMcp(opts, cli = defaultClaudeCli) {
         mempalaceInstallAttempted,
         mempalaceInstallSucceeded,
         pythonRuntime,
-        claudeCliAvailable,
+        userConfigPath: io.configPath,
         registration,
         serversRegistered,
         serversAlreadyPresent,
@@ -246,54 +322,86 @@ export async function setupMcp(opts, cli = defaultClaudeCli) {
  */
 const INSTALLER_OWNED_SERVERS = ["code-ai-mcp"];
 /**
- * Remove the installer-owned MCP server(s) from Claude's USER scope via
- * `claude mcp remove --scope user`. Idempotent — a server that isn't registered
- * is reported as "nothing to remove". If the `claude` CLI is absent, prints the
- * manual commands instead of touching the config. `cli` is injectable for tests.
+ * Remove the installer-owned MCP server(s) from the Claude user config's
+ * `mcpServers`. Idempotent — a server that isn't present is reported as
+ * "nothing to remove". If the config can't be read/written, prints guidance
+ * instead of guessing. `mempalace` is never touched. `io` is injectable.
  *
  * NOTE: the registration is global (shared across all projects), so this removes
  * code-ai-mcp for every project. That is the chosen behaviour (symmetric with
  * install); a multi-project user re-runs the installer to restore it.
  */
-export async function teardownMcp(opts, cli = defaultClaudeCli) {
+export async function teardownMcp(opts, io = defaultUserConfigIO) {
     const notices = [];
     const serversRemoved = [];
     const serversNotPresent = [];
     const serversFailed = [];
     if (opts.dryRun) {
         for (const name of INSTALLER_OWNED_SERVERS) {
-            notices.push(`Would remove MCP server '${name}' from user scope: claude ${buildClaudeRemoveArgs(name).join(" ")}`);
+            notices.push(`Would remove MCP server '${name}' from Claude user config (${io.configPath}).`);
         }
-        return { claudeCliAvailable: false, removal: "user-scope", serversRemoved, serversNotPresent, serversFailed, notices };
+        return {
+            userConfigPath: io.configPath,
+            removal: "user-scope",
+            serversRemoved,
+            serversNotPresent,
+            serversFailed,
+            notices,
+        };
     }
-    const claudeCliAvailable = await detectClaudeCli(cli);
-    if (!claudeCliAvailable) {
-        notices.push("The `claude` CLI was not found on PATH — not modifying your global config automatically. " +
-            "Remove the MCP server(s) from user scope by running:");
-        for (const name of INSTALLER_OWNED_SERVERS) {
-            notices.push(`    claude ${buildClaudeRemoveArgs(name).join(" ")}`);
-        }
-        return { claudeCliAvailable, removal: "manual-fallback", serversRemoved, serversNotPresent, serversFailed, notices };
+    const read = await io.read();
+    if (!read.ok || !read.data) {
+        notices.push(`Could not read Claude user config at ${io.configPath} (${read.error ?? "unknown error"}). ` +
+            `Remove the server(s) [${INSTALLER_OWNED_SERVERS.join(", ")}] from its "mcpServers" object by hand.`);
+        return {
+            userConfigPath: io.configPath,
+            removal: "manual-fallback",
+            serversRemoved,
+            serversNotPresent,
+            serversFailed,
+            notices,
+        };
     }
-    for (const name of INSTALLER_OWNED_SERVERS) {
-        if (!(await isRegisteredInUserScope(cli, name))) {
-            serversNotPresent.push(name);
-            notices.push(`MCP server '${name}' is not registered in user scope — nothing to remove.`);
-            continue;
-        }
-        const res = await cli.run(buildClaudeRemoveArgs(name));
-        if (res.ok) {
-            serversRemoved.push(name);
-            notices.push(`Removed MCP server '${name}' from user scope.`);
-        }
-        else {
-            serversFailed.push(name);
-            notices.push(`Failed to remove '${name}' from user scope. Run it manually:\n` +
-                `    claude ${buildClaudeRemoveArgs(name).join(" ")}\n` +
-                `  Output:\n${res.output}`);
-        }
+    const result = removeUserScopeServers(read.data, INSTALLER_OWNED_SERVERS);
+    serversNotPresent.push(...result.notPresent);
+    for (const name of result.notPresent) {
+        notices.push(`MCP server '${name}' is not in user config — nothing to remove.`);
+    }
+    if (result.removed.length === 0) {
+        return {
+            userConfigPath: io.configPath,
+            removal: "user-scope",
+            serversRemoved,
+            serversNotPresent,
+            serversFailed,
+            notices,
+        };
+    }
+    const written = await io.writeWithBackup(result.config);
+    if (written.ok) {
+        serversRemoved.push(...result.removed);
+        notices.push(`Removed MCP server(s) [${result.removed.join(", ")}] from Claude user config ${io.configPath}` +
+            (written.backupPath ? ` (backup: ${written.backupPath})` : "") +
+            ".");
+        return {
+            userConfigPath: io.configPath,
+            removal: "user-scope",
+            serversRemoved,
+            serversNotPresent,
+            serversFailed,
+            notices,
+        };
     }
-    return { claudeCliAvailable, removal: "user-scope", serversRemoved, serversNotPresent, serversFailed, notices };
+    serversFailed.push(...result.removed);
+    notices.push(`Failed to write Claude user config at ${io.configPath} (${written.error ?? "unknown error"}). No changes made.`);
+    return {
+        userConfigPath: io.configPath,
+        removal: "manual-fallback",
+        serversRemoved,
+        serversNotPresent,
+        serversFailed,
+        notices,
+    };
 }
 // ─── Subprocess helpers ─────────────────────────────────────────────────────
 async function spawnExitZero(command, args) {

package/dist/shared/tools.d.ts

@@ -687,6 +687,10 @@ export declare const SignOffInput: z.ZodObject<{
     }>;
     evidence: z.ZodOptional<z.ZodUnknown>;
 }, z.core.$strip>;
+/** Surfacing-only Auditor reminder, emitted when completed runs hit the A1 cadence (every 3rd). */
+export declare const AuditNudge: z.ZodObject<{
+    runs_total: z.ZodNumber;
+}, z.core.$strip>;
 export declare const SignOffOutput: z.ZodObject<{
     signed: z.ZodLiteral<true>;
     signer: z.ZodEnum<{
@@ -695,6 +699,9 @@ export declare const SignOffOutput: z.ZodObject<{
         system: "system";
     }>;
     timestamp: z.ZodString;
+    audit_nudge: z.ZodOptional<z.ZodObject<{
+        runs_total: z.ZodNumber;
+    }, z.core.$strip>>;
 }, z.core.$strip>;
 export type SignOffInput = z.infer<typeof SignOffInput>;
 export type SignOffOutput = z.infer<typeof SignOffOutput>;
@@ -1578,6 +1585,20 @@ export declare const E2EPlaywrightOutput: z.ZodObject<{
 }, z.core.$strip>;
 export type E2EPlaywrightInput = z.infer<typeof E2EPlaywrightInput>;
 export type E2EPlaywrightOutput = z.infer<typeof E2EPlaywrightOutput>;
+export declare const RenderDiffInput: z.ZodObject<{
+    diff: z.ZodString;
+    title: z.ZodOptional<z.ZodString>;
+    task_id: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+export declare const RenderDiffOutput: z.ZodObject<{
+    path: z.ZodString;
+    file_url: z.ZodString;
+    files: z.ZodNumber;
+    added: z.ZodNumber;
+    removed: z.ZodNumber;
+}, z.core.$strip>;
+export type RenderDiffInput = z.infer<typeof RenderDiffInput>;
+export type RenderDiffOutput = z.infer<typeof RenderDiffOutput>;
 export declare const TOOL_REGISTRY: {
     readonly load_role: {
         readonly input: z.ZodObject<{
@@ -2245,6 +2266,9 @@ export declare const TOOL_REGISTRY: {
                 system: "system";
             }>;
             timestamp: z.ZodString;
+            audit_nudge: z.ZodOptional<z.ZodObject<{
+                runs_total: z.ZodNumber;
+            }, z.core.$strip>>;
         }, z.core.$strip>;
     };
     readonly submit_artifact: {
@@ -3017,5 +3041,19 @@ export declare const TOOL_REGISTRY: {
             }, z.core.$strip>>>;
         }, z.core.$strip>;
     };
+    readonly render_diff: {
+        readonly input: z.ZodObject<{
+            diff: z.ZodString;
+            title: z.ZodOptional<z.ZodString>;
+            task_id: z.ZodOptional<z.ZodString>;
+        }, z.core.$strip>;
+        readonly output: z.ZodObject<{
+            path: z.ZodString;
+            file_url: z.ZodString;
+            files: z.ZodNumber;
+            added: z.ZodNumber;
+            removed: z.ZodNumber;
+        }, z.core.$strip>;
+    };
 };
 export type ToolName = keyof typeof TOOL_REGISTRY;

package/dist/shared/tools.js

@@ -159,10 +159,16 @@ export const SignOffInput = z.object({
     /** Evidence — for mcp signer this is the auto_check tool output; for user it's free-form. */
     evidence: z.unknown().optional(),
 });
+/** Surfacing-only Auditor reminder, emitted when completed runs hit the A1 cadence (every 3rd). */
+export const AuditNudge = z.object({
+    runs_total: z.number().int().nonnegative(),
+});
 export const SignOffOutput = z.object({
     signed: z.literal(true),
     signer: Signer,
     timestamp: z.string(),
+    /** Present only when RG is signed AND the run count hits the cadence. Best-effort; never load-bearing. */
+    audit_nudge: AuditNudge.optional(),
 });
 // ─── submit_artifact ─────────────────────────────────────────────────────────
 export const SubmitArtifactInput = z.object({
@@ -598,6 +604,23 @@ export const E2EPlaywrightOutput = z.object({
     failed: z.number().int().nonnegative(),
     failures: z.array(ExceptionItem).default([]),
 });
+export const RenderDiffInput = z.object({
+    /** A unified diff (e.g. the output of `git diff`). */
+    diff: z.string().min(1),
+    /** Heading shown at the top of the review page. */
+    title: z.string().optional(),
+    /** Optional task id — only used to label the output filename. */
+    task_id: TaskId.optional(),
+});
+export const RenderDiffOutput = z.object({
+    /** Absolute path of the written HTML file (in the OS temp dir). */
+    path: z.string(),
+    /** file:// URL the user can open in a browser. */
+    file_url: z.string(),
+    files: z.number().int().nonnegative(),
+    added: z.number().int().nonnegative(),
+    removed: z.number().int().nonnegative(),
+});
 // ════════════════════════════════════════════════════════════════════════════
 // TOOL REGISTRY — name → { input, output } for runtime dispatch
 // ════════════════════════════════════════════════════════════════════════════
@@ -639,4 +662,5 @@ export const TOOL_REGISTRY = {
     },
     docker_compose: { input: DockerComposeInput, output: DockerComposeOutput },
     e2e_playwright: { input: E2EPlaywrightInput, output: E2EPlaywrightOutput },
+    render_diff: { input: RenderDiffInput, output: RenderDiffOutput },
 };

package/domains/analytics/agents/conductor.md

@@ -5,7 +5,7 @@ domain: analytics
 signs_off_at:
   - RELEASE_GATE
 tool_allowlist: role:conductor
-budget_lines: 459
+budget_lines: 473
 schema_version: 1
 ---
 
@@ -360,6 +360,20 @@ $handoff → RES-02 (Researcher Beta).
 
 ---
 
+## MCP-интеграция и операционные гарантии
+
+Дирижёр оркестрирует весь поток гейтов через машину состояний `code-ai` MCP — общий поток см. в `analytics-pipeline-rules.md` § «Машина гейтов (code-ai MCP)». Conductor-specific операционные гарантии:
+
+- **Оркестрация гейтов** — Дирижёр ведёт последовательность гейтов выбранного режима через MCP: `classify_gate` (на какой гейт ложится задача), `current_gate` (где сейчас), `advance_gate` (переход к следующему гейту только после deliverable + Handoff Envelope). Переход без полного Handoff Envelope → `advance_gate` блокирует.
+- **`sign_off` — все гейты `user`, Дирижёр не подписывает за пользователя** — в аналитике каждый гейт закрывает ПОЛЬЗОВАТЕЛЬ. Дирижёр ОСТАНАВЛИВАЕТСЯ, показывает артефакт гейта и запрашивает `sign_off(signer="user")` — по одному гейту, без батчинга нескольких подтверждений, и не начинает работу следующего гейта, пока текущий не подписан. Авто-пас на зелёном не применяется (домен суждения, детерминированных авто-чеков нет).
+- **RELEASE_GATE** фиксируется как `sign_off(gate="RELEASE_GATE", signer="user", decision=..., evidence=<RG checklist>)` — не «прозой».
+- **`request_decision` для эскалаций** — конфликты между агентами и waiver'ы обязательных пунктов: `request_decision(...)` → решает пользователь → `record_decision`. См. § Conflict Resolution Protocol.
+- **`record_decision` для ADR-достойных решений** — зафиксированные конфликты и отклонения от брифа, согласованные с пользователем: `record_decision(signer="user", domain="analytics", task_id, decision_text)`.
+- **Circuit breaker отключён** — в аналитике нет полосы откатов в стиле development (DEV/REV/OPS/TEST); возвраты идут через reverse `$handoff` (см. Reverse Handoff).
+- **Degraded mode** — если MCP-поток недоступен: Дирижёр ведёт Master Checklist (`$board`) и статусы Handoff Envelope вручную, sign-off фиксируется явным "Approved" пользователя, эскалации — вручную.
+
+---
+
 ## Формат ответа агента
 
 ### Full Pipeline

package/domains/analytics/locales/en/agents/conductor.md

@@ -5,7 +5,7 @@ domain: analytics
 signs_off_at:
   - RELEASE_GATE
 tool_allowlist: role:conductor
-budget_lines: 457
+budget_lines: 471
 schema_version: 1
 ---
 
@@ -358,6 +358,20 @@ If an agent's submission encounters `$gates` failure:
 
 ---
 
+## MCP integration & operational guardrails
+
+The Conductor orchestrates the whole gate-flow through the `code-ai` MCP state machine — for the general flow see `analytics-pipeline-rules.md` § "Gate machine (code-ai MCP)". Conductor-specific operational guardrails:
+
+- **Gate-flow orchestration** — the Conductor drives the active mode's gate sequence through MCP: `classify_gate` (which gate the task lands on), `current_gate` (where we are now), `advance_gate` (move to the next gate only after the deliverable + Handoff Envelope). A transition without a complete Handoff Envelope → `advance_gate` blocks.
+- **`sign_off` — all gates are `user`; the Conductor does not sign for the user** — in analytics every gate is closed by the USER. The Conductor STOPS, presents the gate artifact, and requests `sign_off(signer="user")` — one gate at a time, with no batching of approvals, and does NOT start next-gate work until the current one is signed. No auto-pass on green (a judgment domain, no deterministic auto-checks).
+- **RELEASE_GATE** is recorded as `sign_off(gate="RELEASE_GATE", signer="user", decision=..., evidence=<RG checklist>)` — not prose approval.
+- **`request_decision` for escalations** — conflicts between agents and waivers of mandatory items: `request_decision(...)` → the user decides → `record_decision`. See § Conflict Resolution Protocol.
+- **`record_decision` for ADR-worthy outcomes** — recorded conflicts and brief deviations approved by the user: `record_decision(signer="user", domain="analytics", task_id, decision_text)`.
+- **Circuit breaker disabled** — analytics has no development-style rollback lane (DEV/REV/OPS/TEST); returns go through reverse `$handoff` (see Reverse Handoff).
+- **Degraded mode** — if the MCP flow is unavailable: the Conductor keeps the Master Checklist (`$board`) and Handoff Envelope statuses by hand, sign-off is recorded by the user's explicit "Approved", and escalations are manual.
+
+---
+
 ## Agent Response Template Format
 
 ### Full Pipeline Sequence

package/domains/content/agents/conductor.md

@@ -5,7 +5,7 @@ domain: content
 signs_off_at:
   - RELEASE_GATE
 tool_allowlist: role:conductor
-budget_lines: 393
+budget_lines: 407
 schema_version: 1
 ---
 
@@ -267,6 +267,20 @@ Conductor отслеживает соответствие контента ис
 
 ---
 
+## MCP-интеграция и операционные гарантии
+
+Дирижёр оркестрирует весь поток гейтов через машину состояний `code-ai` MCP — общий поток см. в `content-pipeline-rules.md` § «Машина гейтов (code-ai MCP)». Conductor-specific операционные гарантии:
+
+- **Оркестрация гейтов** — Дирижёр ведёт последовательность гейтов выбранного режима через MCP: `classify_gate` (на какой гейт ложится задача), `current_gate` (где сейчас), `advance_gate` (переход к следующему гейту только после deliverable + Handoff Envelope). Переход без полного Handoff Envelope → `advance_gate` блокирует.
+- **`sign_off` — все гейты `user`, Дирижёр не подписывает за пользователя** — в контенте каждый гейт закрывает ПОЛЬЗОВАТЕЛЬ. Дирижёр ОСТАНАВЛИВАЕТСЯ, показывает артефакт гейта и запрашивает `sign_off(signer="user")` — по одному гейту, без батчинга нескольких подтверждений, и не начинает работу следующего гейта, пока текущий не подписан. Авто-пас на зелёном не применяется (домен суждения, детерминированных авто-чеков нет).
+- **RELEASE_GATE** фиксируется как `sign_off(gate="RELEASE_GATE", signer="user", decision=..., evidence=<RG checklist>)` — не «прозой».
+- **`request_decision` для эскалаций** — конфликты между агентами и waiver'ы обязательных пунктов: `request_decision(...)` → решает пользователь → `record_decision`. См. § Conflict Resolution Protocol.
+- **`record_decision` для ADR-достойных решений** — зафиксированные конфликты и отклонения от брифа, согласованные с пользователем: `record_decision(signer="user", domain="content", task_id, decision_text)`.
+- **Circuit breaker отключён** — в контенте нет полосы откатов в стиле development (DEV/REV/OPS/TEST); возвраты идут через reverse `$handoff` (см. Reverse Handoff).
+- **Degraded mode** — если MCP-поток недоступен: Дирижёр ведёт Master Checklist (`$board`) и статусы Handoff Envelope вручную, sign-off фиксируется явным "Approved" пользователя, эскалации — вручную.
+
+---
+
 ## Формат ответа Conductor (строго)
 
 ### Инициализация