groove-dev 0.26.38 → 0.27.0

package/packages/daemon/src/index.js

@@ -32,8 +32,10 @@ import { IntegrationStore } from './integrations.js';
 import { Scheduler } from './scheduler.js';
 import { FileWatcher } from './filewatcher.js';
 import { TimelineTracker } from './timeline.js';
+import { MemoryStore } from './memory.js';
 import { TerminalManager } from './terminal-pty.js';
 import { GatewayManager } from './gateways/manager.js';
+import { McpManager } from './mcp-manager.js';
 import { ModelManager } from './model-manager.js';
 import { LlamaServerManager } from './llama-server.js';
 import { isFirstRun, runFirstTimeSetup, loadConfig, saveConfig, printWelcome } from './firstrun.js';
@@ -110,6 +112,7 @@ export class Daemon {
     this.registry = new Registry(this.state);
     this.locks = new LockManager(this.grooveDir);
     this.tokens = new TokenTracker(this.grooveDir);
+    this.memory = new MemoryStore(this.grooveDir);
     this.timeline = new TimelineTracker(this);
     this.processes = new ProcessManager(this);
     this.introducer = new Introducer(this);
@@ -119,7 +122,7 @@ export class Daemon {
     this.adaptive = new AdaptiveThresholds(this.grooveDir);
     this.teams = new Teams(this);
     this.credentials = new CredentialStore(this.grooveDir);
-    this.classifier = new TaskClassifier();
+    this.classifier = new TaskClassifier(this);
     this.router = new ModelRouter(this);
     this.pm = new ProjectManager(this);
     this.indexer = new CodebaseIndexer(this);
@@ -133,6 +136,7 @@ export class Daemon {
     this.gateways = new GatewayManager(this);
     this.modelManager = new ModelManager(this);
     this.llamaServer = new LlamaServerManager(this);
+    this.mcpManager = new McpManager(this);
 
     // HTTP + WebSocket server
     this.app = express();
@@ -158,16 +162,35 @@ export class Daemon {
     // Wire up API routes
     createApi(this.app, this);
 
+    // Enrich agent list with live quality + efficiency scores for GUI
+    const enrichAgents = (agents) => agents.map((a) => {
+      const enriched = { ...a };
+      try {
+        const events = this.classifier.agentWindows[a.id] || [];
+        if (events.length >= 6) {
+          const signals = this.adaptive.extractSignals(events, a.scope);
+          const score = signals ? this.adaptive.scoreSession(signals) : null;
+          if (score != null) enriched.qualityScore = score;
+        }
+      } catch { /* classifier/adaptive may not be ready */ }
+      try {
+        const td = this.tokens.getAgent(a.id);
+        const total = (td.cacheReadTokens || 0) + (td.cacheCreationTokens || 0) + (td.inputTokens || 0);
+        if (total > 0) enriched.efficiency = Math.round(((td.cacheReadTokens || 0) / total) * 100);
+      } catch { /* token tracker may not have data */ }
+      return enriched;
+    });
+
     // Broadcast registry changes over WebSocket
     this.registry.on('change', () => {
-      this.broadcast({ type: 'state', data: this.registry.getAll() });
+      this.broadcast({ type: 'state', data: enrichAgents(this.registry.getAll()) });
     });
 
     // Send full state to new WebSocket clients + handle editor messages
     this.wss.on('connection', (ws) => {
       ws.send(JSON.stringify({
         type: 'state',
-        data: this.registry.getAll(),
+        data: enrichAgents(this.registry.getAll()),
       }));
 
       // Track which files this client is watching (for cleanup on disconnect)
@@ -427,8 +450,9 @@ export class Daemon {
     this.fileWatcher.unwatchAll();
     this.terminalManager.killAll();
 
-    // Kill all agent processes and stop inference servers
+    // Kill all agent processes, stop MCP servers, and stop inference servers
     await this.processes.killAll();
+    this.mcpManager.stopAll();
     await this.llamaServer.stopAll();
 
     // Clean up PID and host files

package/packages/daemon/src/integrations.js

@@ -2,7 +2,7 @@
 // FSL-1.1-Apache-2.0 — see LICENSE
 
 import { existsSync, mkdirSync, writeFileSync, readFileSync, readdirSync, rmSync } from 'fs';
-import { resolve, dirname } from 'path';
+import { resolve, dirname, basename, extname } from 'path';
 import { fileURLToPath } from 'url';
 import { execFileSync, spawn as cpSpawn } from 'child_process';
 
@@ -229,7 +229,30 @@ export class IntegrationStore {
     }));
     const configured = envKeys.length === 0 || envKeys.every((ek) => !ek.required || ek.set);
 
-    return { id: integrationId, installed, configured, envKeys };
+    let authenticated = false;
+    if (entry.authType === 'google-autoauth' && entry.oauthKeysDir) {
+      const homedir = process.env.HOME || process.env.USERPROFILE || '~';
+      authenticated = existsSync(resolve(homedir, entry.oauthKeysDir, 'credentials.json'));
+    } else if (entry.authType === 'oauth-google') {
+      authenticated = !!this.getCredential(integrationId, 'GOOGLE_REFRESH_TOKEN');
+    } else if (entry.authType === 'api-key') {
+      authenticated = configured;
+    }
+
+    let needsReauth = false;
+    if (authenticated && entry.oauthScopes?.length) {
+      const raw = this.getCredential(integrationId, 'GOOGLE_AUTHORIZED_SCOPES');
+      if (raw) {
+        try {
+          const authorized = new Set(JSON.parse(raw));
+          needsReauth = entry.oauthScopes.some((s) => !authorized.has(s));
+        } catch {}
+      } else {
+        needsReauth = true;
+      }
+    }
+
+    return { id: integrationId, installed, configured, envKeys, authenticated, needsReauth };
   }
 
   /**
@@ -378,7 +401,9 @@ export class IntegrationStore {
   getOAuthUrl(integrationId) {
     const entry = this.registry.find((s) => s.id === integrationId);
     if (!entry) throw new Error(`Integration not found: ${integrationId}`);
-    if (entry.authType !== 'oauth-google') throw new Error('Integration does not use OAuth');
+    if (entry.authType !== 'oauth-google' && entry.authType !== 'google-autoauth') {
+      throw new Error('Integration does not use Google OAuth');
+    }
 
     const creds = this._getGoogleOAuthCredentials();
     if (!creds) {
@@ -405,15 +430,17 @@ export class IntegrationStore {
   /**
    * Handle OAuth callback — exchange code for tokens.
    */
-  async handleOAuthCallback(code, integrationId) {
+  async handleOAuthCallback(code, stateParam, redirectUri) {
     const creds = this._getGoogleOAuthCredentials();
     if (!creds) {
       throw new Error('Google OAuth credentials not found');
     }
     const { clientId, clientSecret } = creds;
 
-    const port = this.daemon.port || 31415;
-    const redirectUri = `http://localhost:${port}/api/integrations/oauth/callback`;
+    if (!redirectUri) {
+      const port = this.daemon.port || 31415;
+      redirectUri = `http://localhost:${port}/api/integrations/oauth/callback`;
+    }
 
     const res = await fetch('https://oauth2.googleapis.com/token', {
       method: 'POST',
@@ -434,16 +461,63 @@ export class IntegrationStore {
 
     const tokens = await res.json();
 
-    // Store the tokens for this integration
-    this.setCredential(integrationId, 'GOOGLE_CLIENT_ID', clientId);
-    this.setCredential(integrationId, 'GOOGLE_CLIENT_SECRET', clientSecret);
-    if (tokens.refresh_token) {
-      this.setCredential(integrationId, 'GOOGLE_REFRESH_TOKEN', tokens.refresh_token);
+    // State can be a single ID or comma-separated list for combined auth
+    const integrationIds = stateParam.split(',').filter(Boolean);
+
+    for (const integrationId of integrationIds) {
+      this.setCredential(integrationId, 'GOOGLE_CLIENT_ID', clientId);
+      this.setCredential(integrationId, 'GOOGLE_CLIENT_SECRET', clientSecret);
+      if (tokens.refresh_token) {
+        this.setCredential(integrationId, 'GOOGLE_REFRESH_TOKEN', tokens.refresh_token);
+      }
+
+      const entry = this.registry.find((s) => s.id === integrationId);
+      if (entry?.oauthScopes) {
+        this.setCredential(integrationId, 'GOOGLE_AUTHORIZED_SCOPES', JSON.stringify(entry.oauthScopes));
+      }
+
+      if (entry?.authType === 'google-autoauth' && entry.oauthKeysDir && tokens.refresh_token) {
+        this._writeAutoauthCredentials(entry, clientId, clientSecret, tokens.refresh_token);
+      }
+
+      this.daemon.audit.log('integration.oauth.complete', { id: integrationId });
     }
 
-    this.daemon.audit.log('integration.oauth.complete', { id: integrationId });
+    return { ok: true, integrationIds };
+  }
 
-    return { ok: true, integrationId };
+  /**
+   * Build a combined OAuth URL for multiple Google integrations at once.
+   * Aggregates scopes and uses comma-separated state.
+   */
+  getGoogleWorkspaceOAuthUrl(integrationIds) {
+    const creds = this._getGoogleOAuthCredentials();
+    if (!creds) {
+      throw new Error('Google OAuth not configured. Set up your Google Cloud project first.');
+    }
+
+    const allScopes = new Set();
+    for (const id of integrationIds) {
+      const entry = this.registry.find((s) => s.id === id);
+      if (entry?.oauthScopes) {
+        for (const scope of entry.oauthScopes) allScopes.add(scope);
+      }
+    }
+
+    const port = this.daemon.port || 31415;
+    const redirectUri = `http://localhost:${port}/api/integrations/oauth/callback`;
+
+    const params = new URLSearchParams({
+      client_id: creds.clientId,
+      redirect_uri: redirectUri,
+      response_type: 'code',
+      scope: Array.from(allScopes).join(' '),
+      access_type: 'offline',
+      prompt: 'consent',
+      state: integrationIds.join(','),
+    });
+
+    return `https://accounts.google.com/o/oauth2/v2/auth?${params}`;
   }
 
   /**
@@ -595,7 +669,6 @@ export class IntegrationStore {
       },
     }, null, 2);
 
-    // Write to the directory the MCP server expects (e.g., ~/.gmail-mcp/)
     const keysDir = entry.oauthKeysDir;
     if (keysDir) {
       const homedir = process.env.HOME || process.env.USERPROFILE || '~';
@@ -609,6 +682,134 @@ export class IntegrationStore {
     }
   }
 
+  /**
+   * Write credential files for google-autoauth MCP servers after OAuth completes.
+   * Writes both the keys file (client config) and credentials file (refresh token)
+   * so the MCP server finds valid auth at runtime without its own browser flow.
+   */
+  _writeAutoauthCredentials(entry, clientId, clientSecret, refreshToken) {
+    const homedir = process.env.HOME || process.env.USERPROFILE || '~';
+    const dirPath = resolve(homedir, entry.oauthKeysDir);
+    mkdirSync(dirPath, { recursive: true });
+
+    // Write the OAuth client config (gcp-oauth.keys.json)
+    const keysPath = resolve(dirPath, 'gcp-oauth.keys.json');
+    writeFileSync(keysPath, JSON.stringify({
+      installed: {
+        client_id: clientId,
+        client_secret: clientSecret,
+        auth_uri: 'https://accounts.google.com/o/oauth2/auth',
+        token_uri: 'https://oauth2.googleapis.com/token',
+        redirect_uris: ['http://localhost'],
+      },
+    }, null, 2), { mode: 0o600 });
+
+    // Write the user credentials (credentials.json) in Google authorized_user format
+    const credPath = resolve(dirPath, 'credentials.json');
+    writeFileSync(credPath, JSON.stringify({
+      type: 'authorized_user',
+      client_id: clientId,
+      client_secret: clientSecret,
+      refresh_token: refreshToken,
+    }, null, 2), { mode: 0o600 });
+
+    console.log(`[Groove:Integrations] Wrote OAuth keys + credentials to: ${dirPath}`);
+  }
+
+  // --- Google Drive Upload ---
+
+  static CONVERT_MAP = {
+    '.pptx': { source: 'application/vnd.openxmlformats-officedocument.presentationml.presentation', target: 'application/vnd.google-apps.presentation' },
+    '.docx': { source: 'application/vnd.openxmlformats-officedocument.wordprocessingml.document', target: 'application/vnd.google-apps.document' },
+    '.xlsx': { source: 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', target: 'application/vnd.google-apps.spreadsheet' },
+    '.csv':  { source: 'text/csv', target: 'application/vnd.google-apps.spreadsheet' },
+    '.txt':  { source: 'text/plain', target: 'application/vnd.google-apps.document' },
+    '.html': { source: 'text/html', target: 'application/vnd.google-apps.document' },
+    '.pdf':  { source: 'application/pdf', target: null },
+  };
+
+  async getGoogleAccessToken() {
+    const creds = this._getGoogleOAuthCredentials();
+    if (!creds) throw new Error('Google OAuth not configured');
+
+    const googleIds = ['google-drive', 'google-docs', 'google-sheets', 'google-slides', 'google-calendar', 'gmail'];
+    let refreshToken = null;
+    for (const id of googleIds) {
+      refreshToken = this.getCredential(id, 'GOOGLE_REFRESH_TOKEN');
+      if (refreshToken) break;
+    }
+    if (!refreshToken) throw new Error('No Google refresh token found. Authenticate a Google integration first.');
+
+    const res = await fetch('https://oauth2.googleapis.com/token', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: new URLSearchParams({
+        grant_type: 'refresh_token',
+        refresh_token: refreshToken,
+        client_id: creds.clientId,
+        client_secret: creds.clientSecret,
+      }),
+    });
+
+    if (!res.ok) {
+      const err = await res.json().catch(() => ({}));
+      throw new Error(`Google token refresh failed: ${err.error_description || err.error || 'unknown'}`);
+    }
+
+    const data = await res.json();
+    return data.access_token;
+  }
+
+  async uploadToGoogleDrive(filePath, options = {}) {
+    const { name, folderId, convert = true } = options;
+
+    if (!existsSync(filePath)) throw new Error(`File not found: ${filePath}`);
+
+    const accessToken = await this.getGoogleAccessToken();
+
+    const ext = extname(filePath).toLowerCase();
+    const fileName = name || basename(filePath);
+    const mapping = IntegrationStore.CONVERT_MAP[ext];
+    const contentType = mapping?.source || 'application/octet-stream';
+
+    const metadata = { name: fileName };
+    if (convert && mapping?.target) metadata.mimeType = mapping.target;
+    if (folderId) metadata.parents = [folderId];
+
+    const fileContent = readFileSync(filePath);
+    const boundary = `groove_upload_${Date.now()}`;
+    const metadataJson = JSON.stringify(metadata);
+
+    const header = Buffer.from(
+      `--${boundary}\r\nContent-Type: application/json; charset=UTF-8\r\n\r\n${metadataJson}\r\n--${boundary}\r\nContent-Type: ${contentType}\r\n\r\n`
+    );
+    const footer = Buffer.from(`\r\n--${boundary}--`);
+    const body = Buffer.concat([header, fileContent, footer]);
+
+    const res = await fetch(
+      'https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart&fields=id,name,webViewLink,mimeType',
+      {
+        method: 'POST',
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          'Content-Type': `multipart/related; boundary=${boundary}`,
+        },
+        body,
+      },
+    );
+
+    if (!res.ok) {
+      const err = await res.json().catch(() => ({}));
+      const msg = err.error?.message || res.statusText;
+      if (res.status === 403 && msg.includes('insufficient')) {
+        throw new Error(`Google Drive upload failed: insufficient permissions. Re-authenticate Google Drive with write access.`);
+      }
+      throw new Error(`Google Drive upload failed: ${msg}`);
+    }
+
+    return res.json();
+  }
+
   // --- Internal ---
 
   _isInstalled(integrationId) {

package/packages/daemon/src/introducer.js

@@ -84,6 +84,15 @@ export class Introducer {
       lines.push(`  - Expected behavior after the change`);
       lines.push(`  GROOVE will automatically wake the target agent and deliver your request.`);
       lines.push(`- Check AGENTS_REGISTRY.md for the latest team state.`);
+      lines.push('');
+      lines.push(`## Daemon Safety (NEVER VIOLATE)`);
+      lines.push('');
+      lines.push(`You are running inside the Groove daemon. Other agents in other teams are running in parallel. Restarting or killing the daemon destroys ALL of their work.`);
+      lines.push(`- NEVER run "groove stop", "groove start", "groove restart", or "groove nuke"`);
+      lines.push(`- NEVER kill the daemon process ("kill <pid>", "pkill groove", "killall node")`);
+      lines.push(`- NEVER run "./promote.sh", "./promote-local.sh", or any publish/deploy script`);
+      lines.push(`- NEVER start long-running dev servers that block process exit (vite dev, npm start, next dev)`);
+      lines.push(`If code changes require a daemon restart to take effect, state that in your output so the user can restart manually. Do NOT restart it yourself.`);
 
       // User feedback from previous tasks — critical context about what the user
       // observed and what needs to change. Prevents agents from repeating mistakes.
@@ -98,6 +107,47 @@ export class Introducer {
         }
       }
 
+      // Project memory (Layer 7) — accumulated wisdom across all prior rotations.
+      // Constraints, recent role handoffs, known error→fix patterns. Total cap ~12K chars.
+      if (this.daemon.memory) {
+        const constraints = this.daemon.memory.getConstraintsMarkdown(4000);
+        const recentChain = this.daemon.memory.getRecentHandoffMarkdown(newAgent.role, 3, 4000);
+        const discoveries = this.daemon.memory.getDiscoveriesMarkdown(newAgent.role, 20, 4000);
+
+        if (constraints || recentChain || discoveries) {
+          lines.push('');
+          lines.push(`## Project Memory`);
+          lines.push('');
+          lines.push(`This is accumulated knowledge from prior agents working on this project. Read carefully — it will save you from rediscovering what others already learned.`);
+
+          if (constraints) {
+            lines.push('');
+            lines.push(`### Constraints`);
+            lines.push('');
+            lines.push(constraints);
+          }
+
+          if (recentChain) {
+            lines.push('');
+            lines.push(`### Recent ${newAgent.role} handoffs`);
+            lines.push('');
+            lines.push(recentChain);
+          }
+
+          if (discoveries) {
+            lines.push('');
+            lines.push(`### Known patterns (from prior ${newAgent.role} agents)`);
+            lines.push('');
+            lines.push(discoveries);
+          }
+
+          lines.push('');
+          lines.push(`You can contribute to this memory via:`);
+          lines.push(`- \`POST /api/memory/discoveries\` — share an error→fix you found`);
+          lines.push(`- \`POST /api/memory/constraints\` — declare a project rule you discovered`);
+        }
+      }
+
       // Project files section — tell the new agent what exists and what to read
       if (allTeamFiles.length > 0) {
         lines.push('');
@@ -140,11 +190,21 @@ export class Introducer {
       lines.push('');
       lines.push(`## Coordination Protocol`);
       lines.push('');
-      lines.push(`Before performing shared/destructive actions (restart server, npm install/build, modify package.json, modify shared config), coordinate with your team:`);
-      lines.push(`1. Read \`.groove/coordination.md\` to check for active operations`);
-      lines.push(`2. Write your intent to \`.groove/coordination.md\` (e.g., "backend-1: restarting server")`);
-      lines.push(`3. Proceed only if no conflicting operations are active`);
-      lines.push(`4. Clear your entry from \`.groove/coordination.md\` when done`);
+      lines.push(`Before performing shared/destructive actions (restart server, npm install/build, modify package.json, modify shared config), declare intent via the GROOVE daemon. Another agent holding the same resource will cause a 423 response — wait and retry.`);
+      lines.push('');
+      lines.push(`Declare:`);
+      lines.push('```');
+      lines.push(`POST http://127.0.0.1:31415/api/coordination/declare`);
+      lines.push(`{ "agentId": "${newAgent.id}", "operation": "npm install", "resources": ["package.json", "node_modules"] }`);
+      lines.push('```');
+      lines.push('');
+      lines.push(`Complete (always call this when done, even on failure):`);
+      lines.push('```');
+      lines.push(`POST http://127.0.0.1:31415/api/coordination/complete`);
+      lines.push(`{ "agentId": "${newAgent.id}" }`);
+      lines.push('```');
+      lines.push('');
+      lines.push(`Operations auto-expire after 10 minutes to prevent deadlock.`);
     }
 
     // File safety — prevent agents from deleting files they didn't create
@@ -220,26 +280,39 @@ export class Introducer {
       }
     }
 
-    // Integration context — list MCP tools available to this agent
+    // Integration context — inject playbooks for GROOVE exec API
     if (newAgent.integrations && newAgent.integrations.length > 0 && this.daemon.integrations) {
       const integrationSections = [];
       for (const integrationId of newAgent.integrations) {
         const entry = this.daemon.integrations.registry.find((s) => s.id === integrationId);
         if (entry) {
           const configured = this.daemon.integrations._isConfigured(entry);
-          const status = configured ? 'connected' : 'NOT CONFIGURED — credentials missing';
-          integrationSections.push(`- **${entry.name}** (${status}): ${entry.description}`);
+          if (!configured) {
+            integrationSections.push(`- **${entry.name}** — NOT CONFIGURED (credentials missing)`);
+          } else if (entry.agentInstructions) {
+            integrationSections.push(entry.agentInstructions);
+          } else {
+            integrationSections.push(`- **${entry.name}**: ${entry.description}\n  Exec: \`POST http://localhost:31415/api/integrations/${entry.id}/exec\` with \`{"tool": "...", "params": {...}}\``);
+          }
         }
       }
       if (integrationSections.length > 0) {
         lines.push('');
         lines.push(`## Integrations (${integrationSections.length} connected)`);
         lines.push('');
-        lines.push('You have MCP tools available from these integrations. Use them to interact with external services:');
+        lines.push('You have integrations connected via GROOVE. To use them, make HTTP POST requests:');
+        lines.push('```');
+        lines.push('POST http://localhost:31415/api/integrations/{id}/exec');
+        lines.push('Body: {"tool": "tool_name", "params": {...}}');
+        lines.push('```');
+        lines.push('To discover available tools: `GET http://localhost:31415/api/integrations/{id}/tools`');
         lines.push('');
-        lines.push(integrationSections.join('\n'));
+        lines.push('**Approval gates:** Some tools require human approval (e.g., sending emails, creating charges).');
+        lines.push('If you get a `requiresApproval: true` response with an `approvalId`, tell the user the action');
+        lines.push('needs approval in the GROOVE GUI. Do NOT retry until the user confirms it has been approved.');
+        lines.push('To retry: include `"approvalId": "<id>"` in your next exec request body.');
         lines.push('');
-        lines.push('Call these tools directly — they are available in your MCP tool list. Do not attempt to use curl or API calls for services that have an MCP integration attached.');
+        lines.push(integrationSections.join('\n\n'));
       }
     }
 

package/packages/daemon/src/journalist.js

@@ -355,7 +355,40 @@ export class Journalist {
     }
   }
 
-  async callHeadless(prompt) {
+  // Extract usage from stream-json stdout and record to token tracker.
+  // Reserved agent IDs (__journalist__, __pm__, etc.) capture overhead
+  // separately from user-facing agents. Silent no-op if provider doesn't
+  // emit usage data.
+  _recordHeadlessUsage(stdout, trackAs, modelId) {
+    if (!this.daemon?.tokens || !stdout) return;
+    const lines = stdout.split('\n');
+    for (const line of lines) {
+      try {
+        const data = JSON.parse(line);
+        if (data.type !== 'result') continue;
+        const usage = data.usage;
+        if (!usage) continue;
+        const inputTokens = usage.input_tokens || 0;
+        const outputTokens = usage.output_tokens || 0;
+        const cacheReadTokens = usage.cache_read_input_tokens || 0;
+        const cacheCreationTokens = usage.cache_creation_input_tokens || 0;
+        const total = inputTokens + outputTokens + cacheReadTokens + cacheCreationTokens;
+        if (total === 0) continue;
+        this.daemon.tokens.record(trackAs, {
+          tokens: total,
+          inputTokens,
+          outputTokens,
+          cacheReadTokens,
+          cacheCreationTokens,
+          model: modelId,
+          estimatedCostUsd: data.total_cost_usd || 0,
+        });
+        return;
+      } catch { /* skip non-JSON lines */ }
+    }
+  }
+
+  async callHeadless(prompt, { trackAs = '__journalist__' } = {}) {
     // Find the best available provider for headless synthesis
     // Priority: claude-code (cheapest via Haiku) > gemini > codex > ollama
     const priority = ['claude-code', 'gemini', 'codex', 'ollama'];
@@ -391,6 +424,7 @@ export class Journalist {
         proc.on('exit', (code) => {
           clearTimeout(timer);
           if (code !== 0) return reject(new Error(`Headless exited with code ${code}`));
+          this._recordHeadlessUsage(stdout, trackAs, modelId);
           // Process stdout same as execFile path below
           const lines = stdout.split('\n');
           for (const line of lines) {
@@ -413,6 +447,8 @@ export class Journalist {
       }, (err, stdout, stderr) => {
         if (err) return reject(err);
 
+        this._recordHeadlessUsage(stdout, trackAs, modelId);
+
         // Parse stream-json output to extract the result text
         const lines = stdout.split('\n');
         for (const line of lines) {
@@ -648,12 +684,18 @@ export class Journalist {
       .slice(-3)
       .join('\n');
 
+    // Pull recent rotation history from persistent memory (Layer 7).
+    // Gives the new agent causal continuity: what the last 3 agents struggled
+    // with, decided, and solved — not just what the current session did.
+    const recentChain = this.daemon.memory?.getRecentHandoffMarkdown(agent.role, 3, 3000) || '';
+
     return [
       `# Agent Handoff Brief`,
       ``,
       `You are continuing the work of **${agent.name}** (role: ${agent.role}).`,
       `This is a context rotation — the previous session is being replaced to keep context fresh.`,
       ``,
+      recentChain ? `## Rotation History (recent)\n\n${recentChain}\n` : '',
       `## Your Identity`,
       `- Role: ${agent.role}`,
       `- Scope: ${agent.scope?.join(', ') || 'unrestricted'}`,

package/packages/daemon/src/lockmanager.js

@@ -1,14 +1,25 @@
 // GROOVE — File Lock Manager
 // FSL-1.1-Apache-2.0 — see LICENSE
+//
+// Two lock namespaces:
+//   1. File-scope locks (register/release/check) — per-agent glob patterns
+//      registered at spawn time to enforce scope ownership
+//   2. Operation locks (declareOperation/completeOperation) — short-lived
+//      resource claims for coordinated actions (npm install, server restarts,
+//      shared config writes). Auto-expire to prevent deadlock if an agent
+//      crashes mid-operation.
 
 import { readFileSync, writeFileSync, existsSync } from 'fs';
 import { resolve } from 'path';
 import { minimatch } from 'minimatch';
 
+const DEFAULT_OPERATION_TTL_MS = 10 * 60 * 1000; // 10 minutes
+
 export class LockManager {
   constructor(grooveDir) {
     this.path = resolve(grooveDir, 'locks.json');
     this.locks = new Map(); // agentId -> glob patterns[]
+    this.operations = new Map(); // agentId -> { name, resources, acquiredAt, expiresAt }
     this.load();
   }
 
@@ -37,6 +48,7 @@ export class LockManager {
 
   release(agentId) {
     this.locks.delete(agentId);
+    this.operations.delete(agentId);
     this.save();
   }
 
@@ -55,4 +67,52 @@ export class LockManager {
   getAll() {
     return Object.fromEntries(this.locks);
   }
+
+  // --- Operation locks (coordination protocol) ---
+
+  _expireOperations() {
+    const now = Date.now();
+    for (const [id, op] of this.operations) {
+      if (op.expiresAt <= now) this.operations.delete(id);
+    }
+  }
+
+  declareOperation(agentId, operation, resources, ttlMs = DEFAULT_OPERATION_TTL_MS) {
+    if (!agentId || !operation || !Array.isArray(resources) || resources.length === 0) {
+      return { conflict: false, error: 'agentId, operation, and resources[] required' };
+    }
+    this._expireOperations();
+
+    for (const [holderId, op] of this.operations) {
+      if (holderId === agentId) continue;
+      const overlap = op.resources.find((r) => resources.includes(r));
+      if (overlap) {
+        return {
+          conflict: true,
+          owner: holderId,
+          operation: op.name,
+          resource: overlap,
+          expiresAt: op.expiresAt,
+        };
+      }
+    }
+
+    const now = Date.now();
+    this.operations.set(agentId, {
+      name: operation,
+      resources,
+      acquiredAt: now,
+      expiresAt: now + ttlMs,
+    });
+    return { conflict: false };
+  }
+
+  completeOperation(agentId) {
+    return this.operations.delete(agentId);
+  }
+
+  getOperations() {
+    this._expireOperations();
+    return Object.fromEntries(this.operations);
+  }
 }