groove-dev 0.27.25 → 0.27.27

package/CLAUDE.md

@@ -263,10 +263,3 @@ Audit-driven release. Multi-agent orchestration system with 7 coordination layer
 - Dashboard: routing donut, cache panel, context health gauges
 - Monitor/QC agent mode (stay active, loop)
 - Distribution: demo video, HN launch, Twitter content
-
-<!-- GROOVE:START -->
-## GROOVE Orchestration (auto-injected)
-Active agents: 0
-See AGENTS_REGISTRY.md for full agent state.
-**Memory policy:** GROOVE manages project memory automatically. Do not read or write MEMORY.md or .groove/memory/ files directly.
-<!-- GROOVE:END -->

package/SECURITY_SWEEP.md

@@ -0,0 +1,228 @@
+# Security Sweep Report
+
+Date: 2026-04-16
+Assessor: Security audit
+Scope reviewed: `../packages/desktop`, `../packages/gui`, `../packages/daemon`, root dependency graph in `../package-lock.json`
+Note: the working directory `./` only contained handoff artifacts, so the actual Electron app code audited lives in the parent monorepo `../`.
+
+## Executive Summary
+
+Overall risk: **High**
+
+The desktop app has several solid baseline controls in place — Electron windows run with `contextIsolation`, `sandbox`, and `nodeIntegration: false`; provider API keys are encrypted at rest; and file path handling includes symlink checks. However, I found **three high-impact architectural issues** that materially raise compromise risk:
+
+1. **Project-controlled active content is served from the app's trusted origin**, creating a same-origin path to the daemon API.
+2. **The daemon control plane is effectively unauthenticated**, with broad localhost trust and optional non-loopback binds.
+3. **Browser-mode marketplace tokens can be persisted in plaintext config and then exposed by `/api/config`**.
+
+These issues mean that a malicious repository, a hostile local webpage on `localhost`, or a reachable peer when bound to Tailscale/LAN can potentially read project data, mutate files, spawn processes/agents, and access local app state.
+
+## Methodology
+
+- Static review of Electron main/preload, renderer, and daemon code
+- Targeted grep for OWASP-style sinks: XSS, injection, SSRF, auth bypass, unsafe file access, shell/process execution
+- Review of secret storage and config persistence behavior
+- Dependency check with `npm audit --json` and dependency resolution via `npm ls`
+- Verification of packaging and ignore rules for runtime secrets/artifacts
+
+## Findings
+
+### 1) Critical — Untrusted project HTML/JS can execute with daemon origin
+
+**Severity:** Critical  
+**Category:** XSS / trusted-origin content execution / privilege escalation  
+**Primary locations:**
+- `../packages/gui/src/views/editor.jsx:165`
+- `../packages/daemon/src/api.js:2274`
+- `../packages/daemon/src/mimetypes.js:15`
+- `../packages/daemon/src/mimetypes.js:17`
+
+**What I found**
+- The editor intentionally previews HTML files by loading `/api/files/raw?path=...` into an iframe: `../packages/gui/src/views/editor.jsx:165`.
+- The daemon serves raw project files directly from the app origin and preserves executable MIME types such as `text/javascript` and `text/html`: `../packages/daemon/src/api.js:2274`, `../packages/daemon/src/mimetypes.js:15`, `../packages/daemon/src/mimetypes.js:17`.
+- Because this content is delivered from the same origin as `/api/*`, any project-controlled HTML that gets rendered can execute JavaScript against the daemon API using the app's trusted origin.
+
+**Why this matters**
+A malicious repository can plant an `index.html` + `payload.js` pair. If the HTML preview path is reached, or if the raw file is otherwise navigated to from the trusted origin, the payload can:
+- read or modify project files,
+- spawn/kill agents,
+- change daemon config,
+- abuse local-only features exposed over HTTP/WS.
+
+This is a classic Electron/browser trust-boundary failure: **workspace content should never run with the same origin as the privileged app UI**.
+
+**Recommended fix**
+- Do **not** serve active workspace content (`.html`, `.js`, `.mjs`, `.svg`, etc.) from the daemon's privileged origin.
+- For previews, use one of these safer patterns:
+  - render sanitized HTML only,
+  - serve previews from a **separate origin** with no access to `/api/*`,
+  - use a dedicated isolated `BrowserWindow`/partition with no preload, no shared cookies/storage, and no privileged bridge,
+  - force dangerous types to download or be served as `text/plain`.
+- Remove `allow-same-origin` from any preview iframe unless the content is fully trusted.
+- Add regression tests that verify active content cannot call privileged API routes.
+
+**Priority:** P0
+
+### 2) High — Daemon HTTP/WebSocket control plane has no real authentication
+
+**Severity:** High  
+**Category:** Authentication / access control / CSRF-adjacent localhost trust  
+**Primary locations:**
+- `../packages/daemon/src/api.js:68`
+- `../packages/daemon/src/api.js:120`
+- `../packages/daemon/src/api.js:2223`
+- `../packages/daemon/src/index.js:155`
+- `../packages/daemon/src/index.js:169`
+- `../packages/daemon/src/index.js:250`
+- `../packages/daemon/src/index.js:451`
+
+**What I found**
+- The REST API trusts requests with **no `Origin` header** and also allows **any localhost origin**: `../packages/daemon/src/api.js:68`.
+- Sensitive routes such as agent spawning and file deletion are exposed without any per-request auth token: `../packages/daemon/src/api.js:120`, `../packages/daemon/src/api.js:2223`.
+- WebSocket upgrades also allow missing `Origin`, and accepted clients can request terminal spawns/input: `../packages/daemon/src/index.js:155`, `../packages/daemon/src/index.js:169`, `../packages/daemon/src/index.js:250`.
+- The daemon can bind to non-loopback hosts, including Tailscale/LAN addresses: `../packages/daemon/src/index.js:451`.
+
+**Why this matters**
+This turns the daemon into a local control plane with weak trust assumptions:
+- Any hostile local webpage served from `http://localhost:*` can make authenticated-by-origin reads/writes against the daemon.
+- Any non-browser client can omit `Origin` entirely and still connect.
+- If the daemon is started on a reachable interface (for example Tailscale/LAN), remote peers can hit powerful endpoints unless another network control blocks them.
+
+Impact includes agent/process control, file mutation, editor/terminal access, config changes, and broader project compromise.
+
+**Recommended fix**
+- Require a **random per-instance bearer token** (or equivalent secret) for **all** HTTP and WebSocket traffic.
+- Reject requests lacking that token, even from localhost.
+- Narrow CORS to the exact GUI origin instead of `any localhost port`.
+- Treat missing `Origin` as untrusted for browser-like endpoints.
+- For non-loopback binds, require explicit auth plus network ACLs/TLS.
+- Consider Unix domain sockets or loopback-only ephemeral tokens for desktop mode.
+
+**Priority:** P0
+
+### 3) High — Marketplace token can be stored plaintext and leaked through `/api/config`
+
+**Severity:** High  
+**Category:** Secrets management / sensitive data exposure  
+**Primary locations:**
+- `../packages/daemon/src/skills.js:47`
+- `../packages/daemon/src/skills.js:80`
+- `../packages/daemon/src/firstrun.js:145`
+- `../packages/daemon/src/api.js:3438`
+- `../packages/daemon/src/api.js:1115`
+
+**What I found**
+- The browser-style auth callback stores `marketplace.token` inside `daemon.config`: `../packages/daemon/src/api.js:1115`, `../packages/daemon/src/skills.js:80`.
+- `saveConfig()` writes that config directly to `config.json` without encryption: `../packages/daemon/src/firstrun.js:145`.
+- `/api/config` returns the full config object without redaction: `../packages/daemon/src/api.js:3438`.
+
+**Why this matters**
+Even though the Electron main process uses encrypted `safeStorage` for its own desktop token path, the daemon still contains a second browser-oriented auth flow that can persist a bearer token in plaintext config and then expose it over the local API.
+
+If an attacker can hit the daemon API or read the `.groove` directory, they may recover the marketplace token and impersonate the user against Groove services.
+
+**Recommended fix**
+- Never persist auth/session tokens in `config.json`.
+- Store marketplace/session tokens only in OS-backed secure storage.
+- Redact sensitive config keys from `/api/config` before returning any response.
+- Add a migration that strips existing `marketplace.token` values from historical configs.
+
+**Priority:** P1
+
+### 4) Medium — Renderer can trigger arbitrary external URLs for integration OAuth
+
+**Severity:** Medium  
+**Category:** URL handling / privilege amplification  
+**Primary location:**
+- `../packages/desktop/main.js:1004`
+
+**What I found**
+`integration-oauth-start` accepts an arbitrary `oauthUrl` from the renderer and passes it straight to `shell.openExternal()`.
+
+**Why this matters**
+By itself this requires renderer compromise, but in Electron this is still an important defense-in-depth boundary. If the renderer is ever compromised, an attacker can launch:
+- arbitrary external websites,
+- custom protocol handlers,
+- local application handlers registered on the OS.
+
+**Recommended fix**
+- Validate `oauthUrl` against a strict allowlist derived from the integration registry.
+- Allow only `https:` and known IdP domains.
+- Deny custom schemes and `file:`/`javascript:`/unexpected handlers.
+
+**Priority:** P2
+
+### 5) Medium — Electron auto-approves all permissions for localhost content
+
+**Severity:** Medium  
+**Category:** Least privilege / hardening gap  
+**Primary location:**
+- `../packages/desktop/main.js:245`
+
+**What I found**
+The permission handlers explicitly allow microphone/media, but then also return `true` for any other permission as long as the requesting page is `localhost`/`127.0.0.1`.
+
+**Why this matters**
+Once renderer trust is broken, this widens impact by silently approving extra capabilities that were never intended for routine app operation.
+
+**Recommended fix**
+- Replace the implicit `allow all localhost permissions` behavior with an explicit allowlist.
+- Deny by default.
+- Log and review any denied permission requests during development.
+
+**Priority:** P2
+
+### 6) Moderate dependency advisory — `follow-redirects` header leak
+
+**Severity:** Moderate  
+**Category:** Dependency / third-party risk  
+**Location:** transitive dependency path `@groove-dev/daemon -> @slack/bolt -> axios -> follow-redirects@1.15.11`
+
+**What I found**
+A fresh `npm audit --json` run on 2026-04-16 reported one advisory:
+- `follow-redirects <= 1.15.11` — leaks custom authentication headers to cross-domain redirect targets.
+
+Dependency resolution shows this arrives through:
+- `@slack/bolt@4.7.0`
+- `axios@1.15.0`
+- `follow-redirects@1.15.11`
+
+**Recommended fix**
+- Upgrade to a dependency chain that pulls a fixed `follow-redirects` release.
+- If immediate upgrade is blocked, audit all Slack/axios usage for redirect-following with sensitive headers.
+
+**Priority:** P2
+
+## Positive Controls Observed
+
+These are good and worth keeping:
+
+- Electron windows use `contextIsolation: true`, `nodeIntegration: false`, and `sandbox: true`: `../packages/desktop/main.js:227`
+- Provider credentials are encrypted at rest with AES-256-GCM and `0600` file permissions: `../packages/daemon/src/credentials.js:1`
+- File path validation checks traversal and resolves symlinks before access: `../packages/daemon/src/api.js:2021`
+- The root ignore policy excludes `.env`, `.groove`, runtime bundles, and build artifacts from git: `../.gitignore:1`
+- I did **not** find hardcoded secrets in tracked source during pattern scans.
+
+## Remediation Plan
+
+### Immediate (this week)
+- Disable HTML preview or force dangerous file types to render as plain text/download.
+- Add an auth token requirement to all daemon HTTP/WS endpoints.
+- Redact `/api/config` and remove token persistence from daemon config.
+- Patch the `follow-redirects` dependency chain.
+
+### Short term
+- Serve untrusted previews from a separate origin/partition.
+- Tighten `shell.openExternal()` to strict allowlists only.
+- Replace localhost-wide CORS trust with an exact-origin model.
+- Lock Electron permission handling to a minimal explicit list.
+
+### Verification to add after fixes
+- Test that opening a repo-controlled HTML file cannot call `/api/agents`, `/api/files/*`, or `/api/config`.
+- Test that requests without the daemon auth token fail for both REST and WS.
+- Test that `/api/config` never returns secret-bearing fields.
+- Re-run `npm audit --json` after dependency upgrades.
+
+## Bottom Line
+
+The app already has several good Electron hardening defaults, but the **same-origin preview design** and the **unauthenticated daemon control surface** currently dominate the risk profile. I would treat Findings 1 and 2 as release-blocking for environments where untrusted repositories or shared/local-network access are realistic.

package/node_modules/@groove-dev/cli/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@groove-dev/cli",
-  "version": "0.27.7",
-  "description": "GROOVE CLI \u2014 manage AI coding agents from your terminal",
+  "version": "0.27.27",
+  "description": "GROOVE CLI — manage AI coding agents from your terminal",
   "license": "FSL-1.1-Apache-2.0",
   "type": "module",
   "bin": {
@@ -13,4 +13,4 @@
     "chalk": "^5.3.0"
   },
   "private": true
-}
+}

package/node_modules/@groove-dev/daemon/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@groove-dev/daemon",
-  "version": "0.27.7",
+  "version": "0.27.27",
   "description": "GROOVE daemon — agent orchestration engine",
   "license": "FSL-1.1-Apache-2.0",
   "type": "module",

package/node_modules/@groove-dev/daemon/src/introducer.js

@@ -14,7 +14,7 @@ export class Introducer {
   }
 
   generateContext(newAgent, options = {}) {
-    const { taskNegotiation, hasTask } = options;
+    const { taskNegotiation, hasTask, isRotation } = options;
     const agents = this.daemon.registry.getAll();
     // Only include ACTIVE agents — not completed/killed ones from previous sessions
     // Completed agents' work is captured in the journalist's project map, not here
@@ -353,13 +353,13 @@ export class Introducer {
           parts.push(`### Constraints (read carefully)\n${constraints}`);
         }
 
-        if (hasTask) {
-          const discoveries = this.daemon.memory.getDiscoveriesMarkdown(newAgent.role, 15, 1000);
+        if (hasTask || isRotation) {
+          const discoveries = this.daemon.memory.getDiscoveriesMarkdown(newAgent.role, 8, 600, newAgent.scope);
           if (discoveries) {
             parts.push(`### Known Fixes for ${newAgent.role} Role\n${discoveries}`);
           }
 
-          const handoffs = this.daemon.memory.getRecentHandoffMarkdown(newAgent.role, 2, 1000, newAgent.workingDir);
+          const handoffs = this.daemon.memory.getRecentHandoffMarkdown(newAgent.role, 2, 1000, newAgent.workingDir, newAgent.teamId);
           if (handoffs) {
             parts.push(`### Recent Handoff History\n${handoffs}`);
           }
@@ -367,9 +367,9 @@ export class Introducer {
 
         if (parts.length > 0) {
           memorySection = `\n## Project Memory (auto-generated)\n\n${parts.join('\n\n')}\n`;
-          // Hard budget: 4K chars total
-          if (memorySection.length > 4000) {
-            memorySection = memorySection.slice(0, 3997) + '...';
+          // Hard budget: 3K chars total
+          if (memorySection.length > 3000) {
+            memorySection = memorySection.slice(0, 2997) + '...';
           }
         }
       }

package/node_modules/@groove-dev/daemon/src/journalist.js

@@ -6,8 +6,9 @@ import { resolve } from 'path';
 import { execFile, spawn as cpSpawn } from 'child_process';
 import { getProvider, getInstalledProviders } from './providers/index.js';
 
-const DEFAULT_INTERVAL = 120_000; // 2 minutes
+const DEFAULT_INTERVAL = 300_000; // 5 minutes (safety-net fallback; event-driven triggers handle the normal case)
 const MAX_LOG_CHARS = 100_000; // ~25k tokens budget for synthesis input (captures 80-90% of recent activity)
+const DEBOUNCE_MS = 10_000; // requestSynthesis debounce window
 
 export class Journalist {
   constructor(daemon) {
@@ -19,6 +20,8 @@ export class Journalist {
     this.synthesizing = false;
     this.lastSynthesis = null; // last synthesis result text
     this.history = []; // recent synthesis summaries
+    this._debounceTimer = null;
+    this._debounceReason = null;
   }
 
   start(intervalMs = DEFAULT_INTERVAL) {
@@ -51,6 +54,33 @@ export class Journalist {
       clearInterval(this.interval);
       this.interval = null;
     }
+    if (this._debounceTimer) {
+      clearTimeout(this._debounceTimer);
+      this._debounceTimer = null;
+    }
+  }
+
+  requestSynthesis(reason = 'unknown') {
+    if (this._debounceTimer) {
+      this._debounceReason = reason;
+      return;
+    }
+    this._debounceReason = reason;
+    this._debounceTimer = setTimeout(() => {
+      const r = this._debounceReason;
+      this._debounceTimer = null;
+      this._debounceReason = null;
+      this.cycle().catch((err) => {
+        console.error(`  Journalist requestSynthesis(${r}) failed:`, err.message);
+      });
+    }, DEBOUNCE_MS);
+  }
+
+  async ensureFresh(maxAgeMs = 30000) {
+    if (this.lastCycleAt && (Date.now() - this.lastCycleAt) < maxAgeMs) {
+      return;
+    }
+    await this.cycle();
   }
 
   async cycle() {
@@ -454,11 +484,11 @@ export class Journalist {
     }
     const provider = getProvider(providerId);
 
-    // Pick the lightest model for synthesis (cheapest/fastest)
-    const lightModel = provider.constructor.models?.find((m) => m.tier === 'light')
-      || provider.constructor.models?.find((m) => m.tier === 'medium')
+    // Pick medium tier for higher-quality synthesis (fewer but better cycles)
+    const selectedModel = provider.constructor.models?.find((m) => m.tier === 'medium')
+      || provider.constructor.models?.find((m) => m.tier === 'light')
       || provider.constructor.models?.[0];
-    const modelId = lightModel?.id || null;
+    const modelId = selectedModel?.id || null;
 
     const headlessCmd = provider.buildHeadlessCommand(prompt, modelId);
     const { command, args, env, stdin: stdinData } = headlessCmd;
@@ -749,7 +779,7 @@ export class Journalist {
     // Pull recent rotation history from persistent memory (Layer 7).
     // Gives the new agent causal continuity: what the last 3 agents struggled
     // with, decided, and solved — not just what the current session did.
-    const recentChain = this.daemon.memory?.getRecentHandoffMarkdown(agent.role, 3, 3000, agent.workingDir) || '';
+    const recentChain = this.daemon.memory?.getRecentHandoffMarkdown(agent.role, 3, 3000, agent.workingDir, agent.teamId) || '';
 
     // Pull the user's recent messages scoped to this agent
     const agentFeedback = this.getUserFeedback(agent.id).slice(-5);

package/node_modules/@groove-dev/daemon/src/memory.js

@@ -12,6 +12,7 @@
 import { readFileSync, writeFileSync, existsSync, mkdirSync, readdirSync, appendFileSync, statSync } from 'fs';
 import { resolve, relative } from 'path';
 import { createHash } from 'crypto';
+import { minimatch } from 'minimatch';
 
 const MAX_CONSTRAINTS = 50;
 const MAX_HANDOFF_ROTATIONS = 25;
@@ -141,7 +142,12 @@ export class MemoryStore {
     return safeName(rel);
   }
 
-  _chainPath(role, workingDir) {
+  _chainPath(role, workingDir, teamId) {
+    if (teamId) {
+      const dir = resolve(this.handoffDir, safeName(teamId));
+      mkdirSync(dir, { recursive: true });
+      return resolve(dir, `${safeName(role)}.md`);
+    }
     const slug = this._workspaceSlug(workingDir);
     if (slug) {
       const dir = resolve(this.handoffDir, slug);
@@ -151,8 +157,8 @@ export class MemoryStore {
     return resolve(this.handoffDir, `${safeName(role)}.md`);
   }
 
-  getHandoffChain(role, workingDir) {
-    const path = this._chainPath(role, workingDir);
+  getHandoffChain(role, workingDir, teamId) {
+    const path = this._chainPath(role, workingDir, teamId);
     if (!existsSync(path)) return [];
     try {
       const content = readFileSync(path, 'utf8');
@@ -173,9 +179,9 @@ export class MemoryStore {
     }
   }
 
-  appendHandoffBrief(role, entry, workingDir) {
+  appendHandoffBrief(role, entry, workingDir, teamId) {
     if (!role || !entry) return false;
-    const chain = this.getHandoffChain(role, workingDir);
+    const chain = this.getHandoffChain(role, workingDir, teamId);
     const nextN = (chain[0]?.rotationN || 0) + 1;
 
     const block = [
@@ -203,15 +209,15 @@ export class MemoryStore {
     }
 
     try {
-      writeFileSync(this._chainPath(role, workingDir), lines.join('\n'));
+      writeFileSync(this._chainPath(role, workingDir, teamId), lines.join('\n'));
       return true;
     } catch {
       return false;
     }
   }
 
-  getRecentHandoffMarkdown(role, count = 3, maxChars = 4000, workingDir) {
-    const chain = this.getHandoffChain(role, workingDir);
+  getRecentHandoffMarkdown(role, count = 3, maxChars = 4000, workingDir, teamId) {
+    const chain = this.getHandoffChain(role, workingDir, teamId);
     if (chain.length === 0) return '';
     const recent = chain.slice(0, count);
     const out = recent.map((e) => e.body || '').join('\n\n---\n\n');
@@ -300,9 +306,22 @@ export class MemoryStore {
     } catch { /* best-effort */ }
   }
 
-  getDiscoveriesMarkdown(role, limit = 20, maxChars = 4000) {
-    const entries = this.listDiscoveries({ role, limit });
+  getDiscoveriesMarkdown(role, limit = 20, maxChars = 4000, scope) {
+    let entries = this.listDiscoveries({ role, limit: limit * 3 });
     if (entries.length === 0) return '';
+
+    if (scope && Array.isArray(scope) && scope.length > 0) {
+      const filtered = entries.filter((d) => {
+        const file = d.fix || '';
+        const rel = file.startsWith(this.projectDir + '/') ? file.slice(this.projectDir.length + 1) : file;
+        return scope.some((pattern) => minimatch(rel, pattern, { dot: true }));
+      });
+      if (filtered.length >= 3) {
+        entries = filtered;
+      }
+    }
+
+    entries = entries.slice(0, limit);
     const lines = entries.map((d) => `- When \`${d.trigger}\` → fix: ${d.fix}`);
     return truncate(lines.join('\n'), maxChars);
   }

package/node_modules/@groove-dev/daemon/src/process.js

@@ -427,12 +427,18 @@ export class ProcessManager {
       taskNegotiation = await this.negotiateTaskSplit(agent, sameRole);
     }
 
-    // Generate introduction context (team awareness + negotiation)
-    // Always pass hasTask: true so Layer 7 discoveries and handoff history
-    // are injected for ALL agents, not just those with explicit prompts.
-    // Without this, first-generation agents spawned with just a role never
-    // receive prior discoveries and repeat mistakes Layer 7 already captured.
-    const introContext = introducer.generateContext(agent, { taskNegotiation, hasTask: true });
+    // Compute hasTask from actual prompt content — agents spawned without a
+    // prompt should NOT receive handoff history (prevents cross-team contamination).
+    // Discoveries + constraints are always injected (project knowledge).
+    // Handoffs are injected only when the agent has a real task or is a rotation.
+    const hasTask = !!(config.prompt && config.prompt.trim().length > 0);
+    const isRotation = !!(config.isRotation);
+    const introContext = introducer.generateContext(agent, { taskNegotiation, hasTask, isRotation });
+
+    // Ensure the project map is fresh before the new agent reads CLAUDE.md
+    if (this.daemon.journalist) {
+      await this.daemon.journalist.ensureFresh(30000);
+    }
 
     // Track cold-start savings — agent gets context from planner/journalist/team
     // instead of exploring the codebase from scratch
@@ -597,7 +603,7 @@ For normal file edits within your scope, proceed without review.
 
         this.daemon.broadcast({ type: 'agent:exit', agentId: agent.id, code: code || 0, signal, status });
         if (this.daemon.integrations) this.daemon.integrations.refreshMcpJson();
-        if (status === 'completed' && this.daemon.journalist) this.daemon.journalist.cycle().catch(() => {});
+        if (status === 'completed' && this.daemon.journalist) this.daemon.journalist.requestSynthesis('completion');
         this._checkPhase2(agent.id);
 
         // Auto-trigger idle QC + process cross-scope handoffs
@@ -783,10 +789,9 @@ For normal file edits within your scope, proceed without review.
         }
       }
 
-      // Trigger journalist synthesis immediately on completion so the project
-      // map is fresh for the next agent that spawns (don't wait for 120s cycle)
+      // Trigger journalist synthesis on completion (event-driven, debounced)
       if (finalStatus === 'completed' && this.daemon.journalist) {
-        this.daemon.journalist.cycle().catch(() => {});
+        this.daemon.journalist.requestSynthesis('completion');
       }
 
       // Phase 2 auto-spawn: check if all phase 1 agents for a team are done
@@ -1168,7 +1173,7 @@ For normal file edits within your scope, proceed without review.
         oldTokens: agentData?.tokensUsed || 0,
         contextUsage: agentData?.contextUsage || 0,
         brief: brief.slice(0, 4000),
-      }, agent.workingDir);
+      }, agent.workingDir, agent.teamId);
     } catch { /* best-effort */ }
   }
 
@@ -1369,7 +1374,7 @@ For normal file edits within your scope, proceed without review.
       registry.update(newAgent.id, { status: finalStatus, pid: null });
       this.daemon.broadcast({ type: 'agent:exit', agentId: newAgent.id, code, signal, status: finalStatus });
       if (finalStatus === 'completed' && this.daemon.journalist) {
-        this.daemon.journalist.cycle().catch(() => {});
+        this.daemon.journalist.requestSynthesis('completion');
       }
     });
 

package/node_modules/@groove-dev/daemon/src/providers/codex.js

@@ -95,6 +95,7 @@ export class CodexProvider extends Provider {
     if (agent.prompt) args.push(agent.prompt);
 
     this._currentModel = agent.model;
+    this._sessionInputTokens = 0;
 
     return {
       command: 'codex',
@@ -109,6 +110,11 @@ export class CodexProvider extends Provider {
     return { command: 'codex', args, env: {} };
   }
 
+  _getMaxContext() {
+    const model = CodexProvider.models.find((m) => m.id === this._currentModel);
+    return model?.maxContext || 200000;
+  }
+
   switchModel(agent, newModel) {
     return false; // Codex doesn't support mid-session model switch
   }
@@ -175,36 +181,48 @@ export class CodexProvider extends Provider {
 
       case 'item.completed': {
         const item = event.item || {};
+
+        // Accumulate usage for intermediate context estimation.
+        // Codex only reports full contextUsage at turn.completed — without this,
+        // the rotator sees stale contextUsage between turns and never triggers.
+        if (event.usage) {
+          this._sessionInputTokens += event.usage.input_tokens || 0;
+        }
+
+        let result = null;
         if (item.type === 'agent_message') {
-          return {
+          result = {
             type: 'activity', subtype: 'assistant',
             data: [{ type: 'text', text: item.text || '' }],
           };
-        }
-        if (item.type === 'command_execution') {
+        } else if (item.type === 'command_execution') {
           const output = (item.aggregated_output || '').slice(0, 2000);
-          return {
+          result = {
             type: 'activity', subtype: 'assistant',
             data: [
               { type: 'tool_use', id: item.id || 'exec', name: 'Bash', input: { command: item.command } },
               ...(output ? [{ type: 'text', text: output }] : []),
             ],
           };
-        }
-        if (item.type === 'todo_list') {
+        } else if (item.type === 'todo_list') {
           const steps = (item.items || []).map((s) => `${s.completed ? '✓' : '○'} ${s.text}`).join('\n');
-          return {
+          result = {
             type: 'activity', subtype: 'assistant',
             data: [{ type: 'text', text: steps }],
           };
-        }
-        if (item.type === 'file_edit' || item.type === 'file_write' || item.type === 'file_read') {
-          return {
+        } else if (item.type === 'file_edit' || item.type === 'file_write' || item.type === 'file_read') {
+          result = {
             type: 'activity', subtype: 'assistant',
             data: [{ type: 'tool_use', id: item.id || 'file', name: item.type === 'file_read' ? 'Read' : item.type === 'file_write' ? 'Write' : 'Edit', input: { path: item.path || item.file || '' } }],
           };
         }
-        return null;
+
+        // Attach intermediate context estimate so all 7 layers see Codex progress
+        if (result && this._sessionInputTokens > 0) {
+          result.contextUsage = this._sessionInputTokens / this._getMaxContext();
+        }
+
+        return result;
       }
 
       case 'turn.completed': {
@@ -215,11 +233,15 @@ export class CodexProvider extends Provider {
         const outputTokens = usage.output_tokens || 0;
         const cachedTokens = usage.cached_input_tokens || 0;
         const totalTokens = inputTokens + outputTokens;
+        const cacheCreationTokens = cachedTokens > 0 ? Math.max(0, inputTokens - cachedTokens) : 0;
 
         const model = CodexProvider.models.find((m) => m.id === this._currentModel);
         const pricing = model?.pricing;
         const maxContext = model?.maxContext || 200000;
 
+        // Sync accumulator to actual cumulative value from turn completion
+        this._sessionInputTokens = inputTokens;
+
         let estimatedCostUsd = 0;
         if (pricing) {
           const newInput = inputTokens - cachedTokens;
@@ -235,6 +257,7 @@ export class CodexProvider extends Provider {
           inputTokens,
           outputTokens,
           cacheReadTokens: cachedTokens,
+          cacheCreationTokens,
           contextUsage: inputTokens / maxContext,
           estimatedCostUsd,
           costSource: pricing ? 'calculated' : 'estimated',