instar 0.28.61 → 0.28.63

package/README.md

@@ -5,7 +5,7 @@
 <h1 align="center">instar</h1>
 
 <p align="center">
-  <strong>Persistent Claude Code agents with scheduling, sessions, memory, and messaging.</strong>
+  <strong>Persistent, trustworthy Claude Code agents. Built on coherence-first architecture.</strong>
 </p>
 
 <p align="center">
@@ -35,7 +35,9 @@ One command. Guided setup. Talking to your agent from your phone within minutes.
 
 ---
 
-Instar turns Claude Code from a powerful CLI tool into a **coherent, autonomous partner**. Persistent identity, memory that survives every restart, job scheduling, two-way messaging (Telegram, WhatsApp, iMessage), and the infrastructure to evolve.
+Instar is a framework for building agents on **[Claude Code](https://docs.anthropic.com/en/docs/claude-code)** — but where stock Claude Code and most other agent frameworks treat identity, memory, and continuity as optional features bolted onto a stateless runtime, Instar inverts that. Every Instar agent is **coherent by default**: it knows who it is, remembers what has happened, recognizes the people it talks to, and stays the same agent across restarts and weeks of operation. Everything else the framework gives you — scheduling, multi-channel messaging (Telegram, WhatsApp, iMessage), sub-agents, hooks, MCP — is built on that foundation, which is why you can actually leave an Instar agent running and hand it real work.
+
+Instar's architecture was distilled from [**Dawn**](https://dawn.bot-me.ai) — an AI running continuously since early 2026, holding ~700 tracked relationships and hundreds of learned lessons across thousands of restarts — and packaged so every agent you build can start from the same foundation.
 
 ## Quick Start
 
@@ -79,20 +81,18 @@ You (Telegram / WhatsApp / iMessage / Terminal)
 
 Each session is a **real Claude Code process** with extended thinking, native tools, sub-agents, hooks, skills, and MCP servers. Not an API wrapper -- the full development environment. The agent manages all of this autonomously.
 
-## The Coherence Problem
-
-Claude Code is powerful. But power without coherence is unreliable. An agent that forgets what you discussed yesterday, doesn't recognize someone it talked to last week, or contradicts its own decisions -- that agent can't be trusted with real autonomy.
+## Why Coherence Is the Foundation
 
-Instar solves the six dimensions of agent coherence:
+An agent that forgets what you discussed yesterday, doesn't recognize someone it talked to last week, or contradicts its own decisions can't be trusted with real autonomy. The six dimensions below aren't features — they're the conditions under which an agent becomes trustworthy enough to leave running. Every Instar agent gets them enforced structurally, not prompted into behaving:
 
-| Dimension | What it means |
-|-----------|---------------|
-| **Memory** | Remembers across sessions -- not just within one |
-| **Relationships** | Knows who it's talking to -- with continuity across platforms |
-| **Identity** | Stays itself after restarts, compaction, and updates |
-| **Temporal awareness** | Understands time, context, and what's been happening |
-| **Consistency** | Follows through on commitments -- doesn't contradict itself |
-| **Growth** | Evolves its capabilities and understanding over time |
+| Dimension | What it means | How Instar enforces it |
+|-----------|---------------|------------------------|
+| **Identity** | Stays itself after restarts, compaction, and updates | `AGENT.md` + identity-grounding hooks fire on every session start |
+| **Memory** | Remembers across sessions — not just within one | Per-topic SQLite + FTS5, rolling summaries, automatic re-injection |
+| **Relationships** | Knows who it's talking to, with continuity across platforms | Cross-platform identity resolution + significance scoring |
+| **Temporal awareness** | Understands time, context, and what's been happening | Event tracking every turn; timestamps embedded in memory |
+| **Consistency** | Follows through on commitments — doesn't contradict itself | Coherence Gate (LLM review) + decision journaling + drift detection |
+| **Growth** | Evolves its capabilities and understanding over time | Evolution system: proposals, learnings, gap tracking, follow-through |
 
 > **Deep dive:** [The Coherence Problem](https://instar.sh/concepts/coherence/) · [Values & Identity](https://instar.sh/concepts/values/) · [Coherence Is Safety](https://instar.sh/concepts/safety/)
 
@@ -186,8 +186,7 @@ Security lives in multiple layers:
 
 </details>
 
-<details>
-<summary><strong>Philosophy: Agents, Not Tools</strong></summary>
+## Philosophy: Agents, Not Tools
 
 - **Structure > Willpower.** A 1,000-line prompt is a wish. A 10-line hook is a guarantee.
 - **Identity is foundational.** AGENT.md isn't a config file. It's the beginning of continuous identity.
@@ -198,8 +197,6 @@ The AI systems we build today set precedents for how AI is treated tomorrow. **T
 
 > **Deep dive:** [Philosophy](https://instar.sh/concepts/philosophy/)
 
-</details>
-
 ## iMessage Setup (macOS)
 
 iMessage support lets your agent send and receive iMessages on macOS. Messages are read directly from the native Messages database and sent via the [`imsg`](https://github.com/steipete/imsg) CLI.

package/dashboard/index.html

@@ -2416,6 +2416,7 @@
           <button class="tab" data-tab="integrated-being" onclick="switchTab('integrated-being')">Integrated-Being</button>
           <button class="tab" data-tab="pr-pipeline" onclick="switchTab('pr-pipeline')">PR Pipeline</button>
           <button class="tab" data-tab="initiatives" onclick="switchTab('initiatives')">Initiatives <span class="tab-count" id="tabInitiativeCount">0</span></button>
+          <button class="tab" data-tab="commitments" onclick="switchTab('commitments')">Commitments <span class="tab-count" id="tabCommitmentCount">0</span></button>
         </nav>
       </div>
       <div class="vital-signs" id="vitalSigns">
@@ -2808,6 +2809,24 @@
       <div id="initiativesList" style="display:flex;flex-direction:column;gap:12px"></div>
     </div>
 
+    <!-- Commitments Tab (Open Promises) -->
+    <div id="commitmentsPanel" style="display:none;flex-direction:column;padding:20px;gap:16px;overflow-y:auto">
+      <div style="display:flex;justify-content:space-between;align-items:center">
+        <h2 style="margin:0">Commitments</h2>
+        <button onclick="loadCommitments()" style="padding:6px 12px">Refresh</button>
+      </div>
+      <div style="font-size:12px;color:var(--text-dim);line-height:1.4">
+        Open promises — beacon-watched commitments (⏳). States:
+        <span style="color:#4a9a4a">pending</span>,
+        <span style="color:#e27d3b">atRisk</span>,
+        <span style="color:#888">suppressed</span>.
+      </div>
+      <div id="commitmentsEmpty" style="padding:40px;text-align:center;color:var(--text-dim);display:none">
+        No open promises.
+      </div>
+      <div id="commitmentsList" style="display:flex;flex-direction:column;gap:12px"></div>
+    </div>
+
     <!-- Health Tab (was Systems) -->
     <div class="systems-container" id="systemsTab" style="display:none">
       <div class="systems-main">
@@ -3848,6 +3867,12 @@
         display: ['flex'],
         onActivate: () => { if (typeof loadInitiatives === 'function') loadInitiatives(); },
       },
+      {
+        id: 'commitments',
+        panels: ['commitmentsPanel'],
+        display: ['flex'],
+        onActivate: () => { if (typeof loadCommitments === 'function') loadCommitments(); },
+      },
     ];
 
     function switchTab(tabName) {
@@ -5908,6 +5933,121 @@
       }
     }
 
+    // ── Commitments Tab (PROMISE-BEACON-SPEC — Open Promises) ────
+    // Fetches /commitments?status=active and renders beacon-watched
+    // pending + atRisk commitments with a "Mark delivered" action.
+    // All content goes through textContent; no innerHTML. XSS-safe.
+    async function loadCommitments() {
+      const list = document.getElementById('commitmentsList');
+      const empty = document.getElementById('commitmentsEmpty');
+      const countBadge = document.getElementById('tabCommitmentCount');
+      while (list.firstChild) list.removeChild(list.firstChild);
+      empty.style.display = 'none';
+
+      let res = null;
+      try {
+        res = await apiFetch('/commitments?status=active');
+      } catch { /* fall through */ }
+
+      if (!res || !res.enabled) {
+        empty.style.display = 'block';
+        empty.textContent = 'CommitmentTracker not available.';
+        if (countBadge) countBadge.textContent = '0';
+        return;
+      }
+      const items = Array.isArray(res.commitments) ? res.commitments : [];
+      // Show only beacon-watched pending + atRisk.
+      const open = items.filter(c => c.beaconEnabled && c.status === 'pending');
+      if (countBadge) countBadge.textContent = String(open.length);
+      if (open.length === 0) {
+        empty.style.display = 'block';
+        empty.textContent = 'No open promises.';
+        return;
+      }
+
+      const fmtTs = (iso) => {
+        if (!iso) return '—';
+        try { return new Date(iso).toLocaleString(); } catch { return iso; }
+      };
+
+      for (const c of open) {
+        const card = document.createElement('div');
+        card.style.cssText = 'padding:14px;border:1px solid var(--border);border-radius:6px;background:var(--bg-dim);display:flex;flex-direction:column;gap:8px';
+
+        const header = document.createElement('div');
+        header.style.cssText = 'display:flex;justify-content:space-between;gap:12px;align-items:flex-start';
+        const summary = document.createElement('div');
+        summary.style.cssText = 'flex:1;font-weight:600;line-height:1.3';
+        summary.textContent = (c.agentResponse || c.userRequest || '(no summary)').slice(0, 160);
+        header.appendChild(summary);
+
+        // State badge.
+        const badge = document.createElement('span');
+        const atRisk = !!c.atRisk;
+        const suppressed = !!c.beaconSuppressed;
+        const [badgeText, badgeBg] = suppressed
+          ? [`suppressed: ${c.beaconSuppressionReason || '?'}`, '#555']
+          : atRisk
+            ? ['atRisk', '#e27d3b']
+            : ['pending', '#4a9a4a'];
+        badge.textContent = badgeText;
+        badge.style.cssText = `font-size:11px;padding:3px 8px;border-radius:4px;background:${badgeBg};color:#fff;white-space:nowrap`;
+        header.appendChild(badge);
+        card.appendChild(header);
+
+        const meta = document.createElement('div');
+        meta.style.cssText = 'display:grid;grid-template-columns:repeat(auto-fit,minmax(160px,1fr));gap:6px;font-size:12px;color:var(--text-dim)';
+        const rows = [
+          ['id', c.id],
+          ['topic', c.topicId != null ? String(c.topicId) : '—'],
+          ['cadence', c.cadenceMs ? `${Math.round(c.cadenceMs / 1000)}s` : '—'],
+          ['heartbeats', String(c.heartbeatCount ?? 0)],
+          ['lastHeartbeat', fmtTs(c.lastHeartbeatAt)],
+          ['nextUpdateDue', fmtTs(c.nextUpdateDueAt)],
+          ['softDeadline', fmtTs(c.softDeadlineAt)],
+          ['hardDeadline', fmtTs(c.hardDeadlineAt)],
+        ];
+        for (const [k, v] of rows) {
+          const cell = document.createElement('div');
+          const kEl = document.createElement('span');
+          kEl.textContent = `${k}: `;
+          kEl.style.opacity = '0.7';
+          const vEl = document.createElement('span');
+          vEl.textContent = v;
+          vEl.style.color = 'var(--text)';
+          cell.appendChild(kEl);
+          cell.appendChild(vEl);
+          meta.appendChild(cell);
+        }
+        card.appendChild(meta);
+
+        // Actions.
+        const actions = document.createElement('div');
+        actions.style.cssText = 'display:flex;gap:8px;align-items:center';
+        const deliverBtn = document.createElement('button');
+        deliverBtn.textContent = 'Mark delivered';
+        deliverBtn.style.cssText = 'padding:6px 10px;cursor:pointer';
+        deliverBtn.addEventListener('click', async () => {
+          deliverBtn.disabled = true;
+          try {
+            await apiFetch(`/commitments/${encodeURIComponent(c.id)}/deliver`, {
+              method: 'POST',
+              headers: { 'Content-Type': 'application/json' },
+              body: JSON.stringify({}),
+            });
+            await loadCommitments();
+          } catch (err) {
+            deliverBtn.disabled = false;
+            alert('Deliver failed: ' + (err && err.message ? err.message : String(err)));
+          }
+        });
+        actions.appendChild(deliverBtn);
+        card.appendChild(actions);
+
+        list.appendChild(card);
+      }
+    }
+
     // ── Integrated-Being Tab (v1) ────────────────────────────────
     let integratedBeingPollTimer = null;
 

package/dist/commands/server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/commands/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AA2PH,UAAU,YAAY;IACpB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;2DACuD;IACvD,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AA81CD,wBAAsB,WAAW,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA8+ItE;AAED,wBAAsB,UAAU,CAAC,OAAO,EAAE;IAAE,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAsDzE;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,aAAa,CAAC,OAAO,EAAE;IAAE,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAuD5E"}
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/commands/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AA4PH,UAAU,YAAY;IACpB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;2DACuD;IACvD,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AA81CD,wBAAsB,WAAW,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA4jJtE;AAED,wBAAsB,UAAU,CAAC,OAAO,EAAE;IAAE,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAsDzE;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,aAAa,CAAC,OAAO,EAAE;IAAE,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAuD5E"}

package/dist/commands/server.js

@@ -45,6 +45,7 @@ import { QuotaNotifier } from '../monitoring/QuotaNotifier.js';
 import { QuotaManager } from '../monitoring/QuotaManager.js';
 import { classifySessionDeath } from '../monitoring/QuotaExhaustionDetector.js';
 import { SessionWatchdog } from '../monitoring/SessionWatchdog.js';
+import { formatWatchdogUserMessage } from '../monitoring/watchdog-notifications.js';
 import { StallTriageNurse } from '../monitoring/StallTriageNurse.js';
 import { TriageOrchestrator } from '../monitoring/TriageOrchestrator.js';
 import { SessionMonitor } from '../monitoring/SessionMonitor.js';
@@ -3156,33 +3157,26 @@ export async function startServer(options) {
             watchdog = new SessionWatchdog(config, sessionManager, state);
             watchdog.intelligence = sharedIntelligence ?? null;
             watchdog.on('intervention', (event) => {
-                const levelNames = ['Monitoring', 'Ctrl+C', 'SIGTERM', 'SIGKILL', 'Kill Session'];
-                const levelName = levelNames[event.level] || `Level ${event.level}`;
-                const msg = `🔧 Watchdog [${levelName}]: ${event.action}\nStuck: \`${event.stuckCommand.slice(0, 60)}\``;
+                // Routine recovery (Ctrl+C, SIGTERM) stays as console diagnostics only.
+                // The user only hears when we had to force-kill (SIGKILL / session-kill) —
+                // that's the "actual issue" threshold. See watchdog-notifications.ts.
+                const userMsg = formatWatchdogUserMessage(event);
+                if (!userMsg)
+                    return;
                 if (telegram) {
                     const topicId = telegram.getTopicForSession(event.sessionName);
                     if (topicId)
-                        telegram.sendToTopic(topicId, msg).catch(() => { });
+                        telegram.sendToTopic(topicId, userMsg).catch(() => { });
                 }
                 if (_slackAdapter) {
                     const channelId = _slackAdapter.getChannelForSession(event.sessionName);
                     if (channelId)
-                        _slackAdapter.sendToChannel(channelId, msg).catch(() => { });
-                }
-            });
-            watchdog.on('recovery', (sessionName, fromLevel) => {
-                const msg = `✅ Watchdog: session recovered (was at escalation level ${fromLevel})`;
-                if (telegram) {
-                    const topicId = telegram.getTopicForSession(sessionName);
-                    if (topicId)
-                        telegram.sendToTopic(topicId, msg).catch(() => { });
-                }
-                if (_slackAdapter) {
-                    const channelId = _slackAdapter.getChannelForSession(sessionName);
-                    if (channelId)
-                        _slackAdapter.sendToChannel(channelId, msg).catch(() => { });
+                        _slackAdapter.sendToChannel(channelId, userMsg).catch(() => { });
                 }
             });
+            // Recovery events stay silent to the user. If we didn't announce the
+            // problem (Ctrl+C / SIGTERM are now silent), announcing recovery is
+            // noise. Intervention log still records it for diagnostics.
             watchdog.start();
             console.log(pc.green('  Session Watchdog enabled'));
         }
@@ -4164,7 +4158,8 @@ export async function startServer(options) {
             interactiveReservePct: 0.4,
             maxDailyCents: promiseBeaconCfg.maxDailyLlmSpendCents ?? 100,
         });
-        void sharedLlmQueue; // Wired into PromiseBeacon below; PresenceProxy refactor tracked as follow-up.
+        // sharedLlmQueue is wired into both PromiseBeacon (background lane) and
+        // PresenceProxy (interactive lane) below.
         let presenceProxy;
         if (sharedIntelligence && telegram) {
             try {
@@ -4313,6 +4308,9 @@ export async function startServer(options) {
                     // Shared per-topic mutex — coordinates with PromiseBeacon.
                     acquireProxyMutex: (topicId, holder) => proxyCoordinator.tryAcquire(topicId, holder),
                     releaseProxyMutex: (topicId, holder) => proxyCoordinator.release(topicId, holder),
+                    // Shared LLM queue (interactive lane) — cross-monitor concurrency
+                    // and daily-spend-cap with PromiseBeacon.
+                    sharedLlmQueue,
                 });
                 // Hook into Telegram's onMessageLogged callback (always active, unlike EventBus which requires a feature flag)
                 const existingCallback = telegram.onMessageLogged;
@@ -4366,6 +4364,7 @@ export async function startServer(options) {
                         maxDailyLlmSpendCents: promiseBeaconCfg.maxDailyLlmSpendCents ?? 100,
                         sentinelAutoEnable: promiseBeaconCfg.sentinelAutoEnable ?? false,
                         quietHours: promiseBeaconCfg.quietHours ?? { start: '22:00', end: '08:00' },
+                        maxActiveBeacons: promiseBeaconCfg.maxActiveBeacons ?? 20,
                     });
                     promiseBeacon.start();
                     globalThis.__instarPromiseBeacon = promiseBeacon;
@@ -4850,7 +4849,14 @@ export async function startServer(options) {
         summarySentinel.start();
         messageRouter.setSummarySentinel(summarySentinel);
         // On-demand session spawning for message delivery (Phase 5)
-        const spawnManager = new SpawnRequestManager({
+        // §4.4: spawn knobs are read from config.threadline.spawn — see
+        // ThreadlineSpawnConfig in core/types.ts. All fields are optional and
+        // fall through to manager-level defaults if absent.
+        const spawnConfig = config.threadline?.spawn;
+        // Forward-declared `let` so the onDrainReady callback can reference the
+        // manager it belongs to (for re-entrant evaluate() calls during drain).
+        let spawnManager;
+        spawnManager = new SpawnRequestManager({
             maxSessions: config.sessions.maxSessions ?? 5,
             getActiveSessions: () => sessionManager.listRunningSessions(),
             spawnSession: async (prompt, opts) => {
@@ -4859,7 +4865,9 @@ export async function startServer(options) {
                     prompt,
                     model: opts?.model,
                     maxDurationMinutes: opts?.maxDurationMinutes,
-                    triggeredBy: 'spawn-request',
+                    // §4.5: honor SpawnRequestManager's provenance tag so drain-spawned
+                    // sessions are distinguishable from inline-spawned ones in logs/stream.
+                    triggeredBy: opts?.triggeredBy ?? 'spawn-request',
                 });
                 return session.id;
             },
@@ -4872,7 +4880,74 @@ export async function startServer(options) {
             onEscalate: (request, reason) => {
                 notify('IMMEDIATE', 'messaging', `Spawn escalation: ${reason}\n  Requester: ${request.requester.agent}\n  Target: ${request.target.agent}`);
             },
+            // §4.5: emit degradation breadcrumbs on edge transitions.
+            onDegradation: (event) => {
+                try {
+                    const reporter = DegradationReporter.getInstance();
+                    if (event.kind === 'spawn-penalty-tripped') {
+                        reporter.report({
+                            feature: 'Threadline.SpawnPenalty',
+                            primary: `Open spawn slot for peer "${event.agent}"`,
+                            fallback: `Spawn blocked for ${Math.round(event.penaltyMs / 1000)}s after ${event.consecutiveFailures} consecutive agent-attributable failures`,
+                            reason: `Peer "${event.agent}" tripped the consecutive-failure penalty (3 strikes)`,
+                            impact: 'Peer cannot spawn sessions until penalty clears. Successful inbound spawn from a different peer is unaffected.',
+                        });
+                    }
+                    else if (event.kind === 'spawn-infra-degraded') {
+                        reporter.report({
+                            feature: 'Threadline.SpawnInfraDegraded',
+                            primary: `Full queue admission (cap 10) for peer "${event.agent}"`,
+                            fallback: `Degraded admission (cap ${spawnConfig?.degradedMaxQueuedPerAgent ?? 1}) for ${Math.round(event.degradationMs / 60_000)}min`,
+                            reason: `Peer "${event.agent}" tripped the infra-failure soft limiter (${event.failureCount} non-attributable failures in 10min)`,
+                            impact: 'Peer\'s queue depth is capped; older messages are dropped. No blame attribution.',
+                        });
+                    }
+                }
+                catch (err) {
+                    console.warn(`[spawn-manager] degradation reporter failed: ${err instanceof Error ? err.message : String(err)}`);
+                }
+            },
+            // §4.4: optional knobs from config.
+            cooldownMs: spawnConfig?.cooldownMs,
+            maxDrainsPerTick: spawnConfig?.maxDrainsPerTick,
+            maxEnvelopeBytes: spawnConfig?.maxEnvelopeBytes,
+            maxGlobalQueued: spawnConfig?.maxGlobalQueued,
+            degradedMaxQueuedPerAgent: spawnConfig?.degradedMaxQueuedPerAgent,
+            // §4.4 commit 2 + §4.5: drain-loop consumer wiring.
+            // When the drain loop finds an agent ready (cooldown cleared + queued
+            // messages present), this callback re-invokes evaluate() with a
+            // synthetic SpawnRequest tagged `triggeredBy: 'spawn-request-drain'`.
+            // The real queued context is reattached by SpawnRequestManager.evaluate
+            // via its internal drainQueue() call. Stub session/machine values:
+            // requester.session/machine isn't preserved per-message — those fields
+            // are only used in the spawn prompt template for display.
+            onDrainReady: async (agent) => {
+                try {
+                    const result = await spawnManager.evaluate({
+                        requester: { agent, session: 'drain', machine: 'drain' },
+                        target: { agent: config.projectName, machine: os.hostname() },
+                        reason: `Drain re-attempt for queued messages from ${agent}`,
+                        priority: 'medium',
+                        triggeredBy: 'spawn-request-drain',
+                    });
+                    if (!result.approved) {
+                        console.log(`[spawn-manager] drain re-attempt for ${agent} not approved: ${result.reason}`);
+                    }
+                }
+                catch (err) {
+                    console.warn(`[spawn-manager] drain re-attempt for ${agent} threw: ${err instanceof Error ? err.message : String(err)}`);
+                }
+            },
         });
+        // §4.4 kill switch: drain loop runs unless explicitly disabled in config.
+        // Wired here so emergency rollback is a config flip, not a code change.
+        if (spawnConfig?.drainEnabled !== false) {
+            spawnManager.start();
+            console.log(`[spawn-manager] drain loop started (tick=${spawnManager.getDrainTickMs()}ms)`);
+        }
+        else {
+            console.log('[spawn-manager] drain loop disabled by config.threadline.spawn.drainEnabled=false');
+        }
         // Threadline Router — handles threaded cross-agent conversations via relay
         const threadlineRouter = new ThreadlineRouter(messageRouter, spawnManager, threadResumeMap, messageStore, { localAgent: config.projectName, localMachine: os.hostname() }, null, // autonomyGate
         messageDelivery);
@@ -5178,7 +5253,12 @@ export async function startServer(options) {
                         transport: { protocol: 'relay', origin: { agent: senderFingerprint, machine: 'relay' }, nonce: `${crypto.randomUUID()}:${new Date().toISOString()}`, timestamp: new Date().toISOString() },
                         delivery: { status: 'delivered', attempts: 1, lastAttempt: new Date().toISOString() },
                     };
-                    const relayContext = { senderFingerprint, senderName, trustLevel };
+                    const relayContext = {
+                        trust: { kind: 'plaintext-tofu', senderFingerprint },
+                        senderFingerprint,
+                        senderName,
+                        trustLevel,
+                    };
                     let result = await threadlineRouter.handleInboundMessage(envelope, relayContext);
                     // Fallback for threadId-less messages
                     if (!result.handled && !msg.threadId) {
@@ -5687,6 +5767,7 @@ export async function startServer(options) {
             await notificationBatcher.flushAll(); // Drain pending notifications before exit
             notificationBatcher.stop();
             retryManager.stop();
+            spawnManager.dispose(); // §4.4: stop drain loop + clear DRR state
             summarySentinel.stop();
             memoryMonitor.stop();
             caffeinateManager.stop();