reflectt-node 0.1.8 → 0.1.11

package/dist/server.js

@@ -69,9 +69,9 @@ import { researchManager } from './research.js';
 import { wsHeartbeat } from './ws-heartbeat.js';
 import { getBuildInfo } from './buildInfo.js';
 import { appendStoredLog, readStoredLogs, getStoredLogPath } from './logStore.js';
-import { getAgentRoles, getAgentRolesSource, loadAgentRoles, startConfigWatch, suggestAssignee, suggestReviewer, checkWipCap, saveAgentRoles, scoreAssignment, getAgentRole, getAgentAliases, setAgentDisplayName, resolveAgentMention } from './assignment.js';
+import { getAgentRoles, getAgentRolesSource, loadAgentRoles, startConfigWatch, suggestAssignee, suggestReviewer, checkWipCap, saveAgentRoles, getAgentRole, getAgentAliases, setAgentDisplayName, resolveAgentMention } from './assignment.js';
 import { initTelemetry, trackRequest as trackTelemetryRequest, trackError as trackTelemetryError, trackTaskEvent, getSnapshot as getTelemetrySnapshot, getTelemetryConfig } from './telemetry.js';
-import { recordUsage, recordUsageBatch, getUsageSummary, getUsageByAgent, getUsageByModel, getUsageByTask, getDailySpendByModel, getAvgCostByLane, getAvgCostByAgent, setCap, listCaps, deleteCap, checkCaps, getRoutingSuggestions, estimateCost, ensureUsageTables } from './usage-tracking.js';
+import { recordUsageBatch, getUsageSummary, getUsageByAgent, getUsageByModel, getUsageByTask, getDailySpendByModel, getAvgCostByLane, getAvgCostByAgent, setCap, listCaps, deleteCap, checkCaps, getRoutingSuggestions, estimateCost, ensureUsageTables } from './usage-tracking.js';
 import { getTeamConfigHealth } from './team-config.js';
 import { SecretVault } from './secrets.js';
 import { initGitHubActorAuth, resolveGitHubTokenForActor } from './github-actor-auth.js';
@@ -81,6 +81,7 @@ import { createGitHubIdentityProvider } from './github-identity.js';
 import { getProvisioningManager } from './provisioning.js';
 import { getWebhookDeliveryManager } from './webhooks.js';
 import { enrichWebhookPayload } from './github-webhook-attribution.js';
+import { formatGitHubEvent } from './github-webhook-chat.js';
 import { exportBundle, importBundle } from './portability.js';
 import { getNotificationManager } from './notifications.js';
 import { getConnectivityManager } from './connectivity.js';
@@ -275,6 +276,13 @@ function normalizeConfiguredModel(value) {
         error: `Unknown model identifier "${raw}". Allowed aliases: ${Object.keys(MODEL_ALIASES).join(', ')} or provider/model format.`,
     };
 }
+// ── Handoff state schema (max 3 columns per COO rule) ─────────────
+const VALID_HANDOFF_DECISIONS = ['approved', 'rejected', 'needs_changes', 'escalated'];
+const HandoffStateSchema = z.object({
+    reviewed_by: z.string().min(1),
+    decision: z.enum(VALID_HANDOFF_DECISIONS),
+    next_owner: z.string().min(1).optional(),
+}).strict();
 const UpdateTaskSchema = z.object({
     title: z.string().min(1).optional(),
     description: z.string().optional(),
@@ -4506,6 +4514,46 @@ export async function createServer() {
             matchType: resolved.matchType,
         };
     });
+    // ── Task handoff state ─────────────────────────────────────────────
+    app.get('/tasks/:id/handoff', async (request, reply) => {
+        const resolved = taskManager.resolveTaskId(request.params.id);
+        if (!resolved.task) {
+            reply.code(404);
+            return { error: 'Task not found' };
+        }
+        const meta = resolved.task.metadata;
+        const handoff = meta?.handoff_state ?? null;
+        return {
+            taskId: resolved.resolvedId,
+            status: resolved.task.status,
+            handoff_state: handoff,
+        };
+    });
+    app.put('/tasks/:id/handoff', async (request, reply) => {
+        const resolved = taskManager.resolveTaskId(request.params.id);
+        if (!resolved.task || !resolved.resolvedId) {
+            reply.code(404);
+            return { error: 'Task not found' };
+        }
+        const body = request.body;
+        const result = HandoffStateSchema.safeParse(body);
+        if (!result.success) {
+            reply.code(422);
+            return {
+                error: `Invalid handoff_state: ${result.error.issues.map(i => i.message).join(', ')}`,
+                hint: 'Required: reviewed_by (string), decision (approved|rejected|needs_changes|escalated). Optional: next_owner (string).',
+            };
+        }
+        const existingMeta = (resolved.task.metadata || {});
+        taskManager.updateTask(resolved.resolvedId, {
+            metadata: { ...existingMeta, handoff_state: result.data },
+        });
+        return {
+            success: true,
+            taskId: resolved.resolvedId,
+            handoff_state: result.data,
+        };
+    });
     // Task artifact visibility — resolves artifact paths and checks accessibility
     app.get('/tasks/:id/artifacts', async (request, reply) => {
         const resolved = resolveTaskFromParam(request.params.id, reply);
@@ -5672,7 +5720,9 @@ export async function createServer() {
                 || data.metadata?.skip_dedup === true
                 || data.metadata?.is_test === true;
             if (!skipDedup && data.assignee) {
-                const TASK_DEDUP_WINDOW_MS = 4 * 60 * 60 * 1000; // 4 hours
+                // 60-second window targets gateway reconnect double-fire (typical gap: <10s)
+                // without blocking legitimate same-title task creation later in the day.
+                const TASK_DEDUP_WINDOW_MS = 60_000; // 60 seconds
                 const cutoff = Date.now() - TASK_DEDUP_WINDOW_MS;
                 const normalizedTitle = data.title.trim().toLowerCase();
                 const activeTasks = taskManager.listTasks({ includeTest: true }).filter(t => t.status !== 'done'
@@ -5680,16 +5730,15 @@ export async function createServer() {
                     && t.createdAt >= cutoff
                     && t.title.trim().toLowerCase() === normalizedTitle);
                 if (activeTasks.length > 0) {
+                    // Return 200 with the existing task (collapse, not reject).
+                    // Agents that create-on-reconnect receive a success response identical
+                    // to what they'd get from a new creation — no retry loop triggered.
                     const existing = activeTasks[0];
-                    reply.code(409);
                     return {
-                        success: false,
-                        error: 'Duplicate task',
-                        code: 'DUPLICATE_TASK',
-                        status: 409,
-                        existing_id: existing.id,
-                        existing_status: existing.status,
-                        hint: `Task "${existing.title}" already exists for ${data.assignee} (${existing.id}, status: ${existing.status}). Created ${Math.round((Date.now() - existing.createdAt) / 60000)}m ago.`,
+                        success: true,
+                        task: existing,
+                        deduplicated: true,
+                        hint: `Duplicate suppressed — task "${existing.title}" already exists for ${data.assignee} (${existing.id}, status: ${existing.status}, created ${Math.round((Date.now() - existing.createdAt) / 1000)}s ago).`,
                     };
                 }
             }
@@ -6082,6 +6131,14 @@ export async function createServer() {
         const pruned = boardHealthWorker.pruneAuditLog(maxAgeDays);
         return { success: true, pruned };
     });
+    app.post('/board-health/quiet-window', async () => {
+        boardHealthWorker.resetQuietWindow();
+        return {
+            success: true,
+            quietUntil: Date.now() + (boardHealthWorker.getStatus().config?.restartQuietWindowMs ?? 300_000),
+            message: 'Quiet window reset — ready-queue alerts suppressed for restart window',
+        };
+    });
     // ── Agent change feed ─────────────────────────────────────────────────
     app.get('/feed/:agent', async (request) => {
         const { agent } = request.params;
@@ -6366,6 +6423,22 @@ export async function createServer() {
                     mergedMeta.reopened_from = existing.status;
                 }
             }
+            // ── Handoff state validation ──
+            if (mergedMeta.handoff_state && typeof mergedMeta.handoff_state === 'object') {
+                const handoffResult = HandoffStateSchema.safeParse(mergedMeta.handoff_state);
+                if (!handoffResult.success) {
+                    reply.code(422);
+                    return {
+                        success: false,
+                        error: `Invalid handoff_state: ${handoffResult.error.issues.map(i => i.message).join(', ')}`,
+                        code: 'INVALID_HANDOFF_STATE',
+                        hint: 'handoff_state must have: reviewed_by (string), decision (approved|rejected|needs_changes|escalated), optional next_owner (string). Max 3 fields per COO rule.',
+                        gate: 'handoff_state',
+                    };
+                }
+                // Stamp validated handoff
+                mergedMeta.handoff_state = handoffResult.data;
+            }
             // ── Cancel reason gate: require cancel_reason when transitioning to cancelled ──
             if (parsed.status === 'cancelled') {
                 const meta = (incomingMeta ?? {});
@@ -6818,20 +6891,24 @@ export async function createServer() {
             if (task.assignee) {
                 if (parsed.status === 'done') {
                     presenceManager.recordActivity(task.assignee, 'task_completed');
-                    presenceManager.updatePresence(task.assignee, 'working');
+                    presenceManager.updatePresence(task.assignee, 'working', null);
                     trackTaskEvent('completed');
                 }
                 else if (parsed.status === 'doing') {
-                    presenceManager.updatePresence(task.assignee, 'working');
+                    presenceManager.updatePresence(task.assignee, 'working', task.id);
                 }
                 else if (parsed.status === 'blocked') {
-                    presenceManager.updatePresence(task.assignee, 'blocked');
+                    presenceManager.updatePresence(task.assignee, 'blocked', task.id);
                 }
                 else if (parsed.status === 'validating') {
-                    presenceManager.updatePresence(task.assignee, 'reviewing');
+                    presenceManager.updatePresence(task.assignee, 'reviewing', task.id);
                 }
             }
             // ── Reviewer notification: @mention reviewer when task enters validating ──
+            // NOTE: A dedup_key is set here so the inline chat dedup guard suppresses
+            // any duplicate reviewRequested send that may arrive via the statusNotifTargets
+            // loop below for the same task+transition. Without it, two messages fire for
+            // every todo→validating transition (this direct send + the loop send).
             if (parsed.status === 'validating' && existing.status !== 'validating' && existing.reviewer) {
                 const taskMeta = task.metadata;
                 const prUrl = taskMeta?.review_handoff?.pr_url
@@ -6848,6 +6925,7 @@ export async function createServer() {
                         taskId: task.id,
                         reviewer: existing.reviewer,
                         prUrl: prUrl || undefined,
+                        dedup_key: `review-requested:${task.id}:${task.updatedAt}`,
                     },
                 }).catch(() => { }); // Non-blocking
             }
@@ -6971,13 +7049,17 @@ export async function createServer() {
             // Dedupe guard: prevent stale/out-of-order notification events
             const { shouldEmitNotification } = await import('./notificationDedupeGuard.js');
             for (const target of statusNotifTargets) {
-                // Check dedupe guard before emitting
+                // Check dedupe guard before emitting.
+                // Pass targetAgent so each recipient gets an independent cursor — prevents
+                // the first recipient's cursor update from suppressing later recipients for
+                // the same event (e.g. assignee + reviewer both getting taskCompleted on 'done').
                 const dedupeCheck = shouldEmitNotification({
                     taskId: task.id,
                     eventUpdatedAt: task.updatedAt,
                     eventStatus: parsed.status,
                     currentTaskStatus: task.status,
                     currentTaskUpdatedAt: task.updatedAt,
+                    targetAgent: target.agent,
                 });
                 if (!dedupeCheck.emit) {
                     console.log(`[NotifDedupe] Suppressed: ${dedupeCheck.reason}`);
@@ -6990,7 +7072,13 @@ export async function createServer() {
                     message: `Task ${task.id} → ${parsed.status}`,
                 });
                 if (routing.shouldNotify) {
-                    // Route through inbox/chat based on delivery method preference
+                    // Route through inbox/chat based on delivery method preference.
+                    // For reviewRequested, set a dedup_key matching the direct send above so the
+                    // inline chat dedup suppresses this copy (the direct send fires first with a
+                    // richer payload including PR URL and `to:` routing).
+                    const dedupKey = target.type === 'reviewRequested'
+                        ? `review-requested:${task.id}:${task.updatedAt}`
+                        : undefined;
                     chatManager.sendMessage({
                         from: 'system',
                         content: `@${target.agent} [${target.type}:${task.id}] ${task.title} → ${parsed.status}`,
@@ -7001,6 +7089,7 @@ export async function createServer() {
                             status: parsed.status,
                             updatedAt: task.updatedAt,
                             deliveryMethod: routing.deliveryMethod,
+                            ...(dedupKey ? { dedup_key: dedupKey } : {}),
                         },
                     }).catch(() => { }); // Non-blocking
                 }
@@ -7071,6 +7160,27 @@ export async function createServer() {
     };
     app.get('/agents', async () => buildRoleRegistryPayload());
     app.get('/agents/roles', async () => buildRoleRegistryPayload());
+    // Host-native identity resolution — resolves agent by name, alias, or display name
+    // without requiring the OpenClaw gateway. Merges YAML roles + agent_config table.
+    app.get('/agents/:name/identity', async (request) => {
+        const { name } = request.params;
+        const resolved = resolveAgentMention(name);
+        const role = resolved ? getAgentRole(resolved) : getAgentRole(name);
+        if (!role) {
+            return { found: false, query: name, hint: 'Agent not found in YAML roles or config' };
+        }
+        return {
+            found: true,
+            agentId: role.name,
+            displayName: role.displayName ?? role.name,
+            role: role.role,
+            description: role.description ?? null,
+            aliases: role.aliases ?? [],
+            affinityTags: role.affinityTags ?? [],
+            wipCap: role.wipCap,
+            source: 'yaml',
+        };
+    });
     // Team-scoped alias for assignment-engine consumers
     app.get('/team/roles', async () => {
         const payload = buildRoleRegistryPayload();
@@ -7494,55 +7604,7 @@ export async function createServer() {
         };
     });
     // ── Approval Queue ──────────────────────────────────────────────────
-    app.get('/approval-queue', async () => {
-        // Tasks in 'todo' that were auto-assigned (have suggestedAgent in metadata) or need assignment review
-        const allTasks = taskManager.listTasks({});
-        const todoTasks = allTasks.filter(t => t.status === 'todo');
-        const items = todoTasks.map(t => {
-            const task = t;
-            const meta = task.metadata || {};
-            const title = task.title || '';
-            const tags = Array.isArray(task.tags) ? task.tags : [];
-            const doneCriteria = Array.isArray(task.done_criteria) ? task.done_criteria : [];
-            // Score all agents for this task
-            const roles = getAgentRoles();
-            const agentOptions = roles.map(agent => {
-                const wipCount = allTasks.filter(at => at.status === 'doing' && (at.assignee || '').toLowerCase() === agent.name).length;
-                const s = scoreAssignment(agent, { title, tags, done_criteria: doneCriteria }, wipCount);
-                return {
-                    agentId: agent.name,
-                    name: agent.name,
-                    confidenceScore: Math.max(0, Math.min(1, s.score)),
-                    affinityTags: agent.affinityTags,
-                };
-            }).sort((a, b) => b.confidenceScore - a.confidenceScore);
-            const topAgent = agentOptions[0];
-            const suggestedAgent = task.assignee || topAgent?.agentId || null;
-            const confidenceScore = topAgent?.confidenceScore || 0;
-            const confidenceReason = topAgent && topAgent.confidenceScore > 0
-                ? `${topAgent.name}: affinity match on ${topAgent.affinityTags.slice(0, 3).join(', ')}`
-                : 'No strong affinity match';
-            return {
-                taskId: task.id,
-                title,
-                description: task.description || '',
-                priority: task.priority || 'P3',
-                suggestedAgent,
-                confidenceScore,
-                confidenceReason,
-                agentOptions,
-                status: 'pending',
-            };
-        });
-        const highConfidence = items.filter(i => i.confidenceScore >= 0.85);
-        const needsReview = items.filter(i => i.confidenceScore < 0.85);
-        return {
-            items: [...highConfidence, ...needsReview],
-            total: items.length,
-            highConfidenceCount: highConfidence.length,
-            needsReviewCount: needsReview.length,
-        };
-    });
+    // Note: GET /approval-queue is defined below near /approval-queue/:approvalId/decide
     app.post('/approval-queue/:taskId/approve', async (request, reply) => {
         const body = request.body;
         const taskId = request.params.taskId;
@@ -7698,6 +7760,88 @@ export async function createServer() {
             warnings: result.warnings,
         };
     });
+    // ── Presence Layer canvas state ─────────────────────────────────────
+    // Agent emits canvas_render state transitions for the Presence Layer.
+    // Deterministic event types. No "AI can emit anything" protocol.
+    const CANVAS_STATES = ['floor', 'listening', 'thinking', 'rendering', 'ambient', 'decision', 'urgent', 'handoff'];
+    const SENSOR_VALUES = [null, 'mic', 'camera', 'mic+camera'];
+    const CanvasRenderSchema = z.object({
+        state: z.enum(CANVAS_STATES),
+        sensors: z.enum(['mic', 'camera', 'mic+camera']).nullable().default(null),
+        agentId: z.string().min(1),
+        payload: z.object({
+            text: z.string().optional(),
+            media: z.unknown().optional(),
+            decision: z.object({
+                question: z.string(),
+                context: z.string().optional(),
+                decisionId: z.string(),
+                expiresAt: z.number().optional(),
+                autoAction: z.string().optional(),
+            }).optional(),
+            agents: z.array(z.object({
+                name: z.string(),
+                state: z.string(),
+                task: z.string().optional(),
+            })).optional(),
+            summary: z.object({
+                headline: z.string(),
+                items: z.array(z.string()).optional(),
+                cost: z.string().optional(),
+                duration: z.string().optional(),
+            }).optional(),
+        }).default({}),
+    });
+    // Current state per agent — in-memory, not persisted
+    const canvasStateMap = new Map();
+    // POST /canvas/state — agent emits a state transition
+    app.post('/canvas/state', async (request, reply) => {
+        const result = CanvasRenderSchema.safeParse(request.body);
+        if (!result.success) {
+            reply.code(422);
+            return {
+                error: `Invalid canvas state: ${result.error.issues.map(i => i.message).join(', ')}`,
+                hint: `state must be one of: ${CANVAS_STATES.join(', ')}`,
+                validStates: CANVAS_STATES,
+            };
+        }
+        const { state, sensors, agentId, payload } = result.data;
+        const now = Date.now();
+        // Store current state
+        canvasStateMap.set(agentId, { state, sensors, payload, updatedAt: now });
+        // Emit canvas_render event over SSE
+        eventBus.emit({
+            id: `crender-${now}-${Math.random().toString(36).slice(2, 8)}`,
+            type: 'canvas_render',
+            timestamp: now,
+            data: { state, sensors, agentId, payload },
+        });
+        return { success: true, state, agentId, timestamp: now };
+    });
+    // GET /canvas/state — current state for all agents (or one)
+    app.get('/canvas/state', async (request) => {
+        const query = request.query;
+        if (query.agentId) {
+            const entry = canvasStateMap.get(query.agentId);
+            return entry ?? { state: 'floor', sensors: null, payload: {}, updatedAt: null };
+        }
+        const all = {};
+        for (const [id, entry] of canvasStateMap) {
+            all[id] = entry;
+        }
+        return { agents: all, count: canvasStateMap.size };
+    });
+    // GET /canvas/states — valid state + sensor values (discovery)
+    app.get('/canvas/states', async () => ({
+        states: CANVAS_STATES,
+        sensors: SENSOR_VALUES,
+        schema: {
+            state: 'floor | listening | thinking | rendering | ambient | decision | urgent | handoff',
+            sensors: 'null | mic | camera | mic+camera (non-dismissable trust indicator)',
+            agentId: 'required — which agent is driving the canvas',
+            payload: 'optional — text, media, decision, agents, summary',
+        },
+    }));
     // GET /canvas/slots — current active slots
     app.get('/canvas/slots', async () => {
         return {
@@ -9272,6 +9416,26 @@ export async function createServer() {
         const allDrops = chatManager.getDropStats();
         const agentDrops = allDrops[agent];
         const focusSummary = getFocusSummary();
+        // Boot context: recent memories + active run (survives restart)
+        let bootMemories = [];
+        let activeRun = null;
+        try {
+            const { listMemories } = await import('./agent-memories.js');
+            const memories = listMemories({ agentId: agent, limit: 5 });
+            bootMemories = memories.map(m => ({
+                key: m.key, content: m.content.slice(0, 200),
+                namespace: m.namespace, updatedAt: m.updatedAt,
+            }));
+        }
+        catch { /* agent-memories not available */ }
+        try {
+            const { getActiveAgentRun } = await import('./agent-runs.js');
+            const run = getActiveAgentRun(agent, 'default');
+            if (run) {
+                activeRun = { id: run.id, objective: run.objective, status: run.status, startedAt: run.startedAt };
+            }
+        }
+        catch { /* agent-runs not available */ }
         return {
             agent, ts: Date.now(),
             active: slim(activeTask), next: pauseStatus.paused ? null : slim(nextTask),
@@ -9281,6 +9445,12 @@ export async function createServer() {
             ...(focusSummary ? { focus: focusSummary } : {}),
             ...(agentDrops ? { drops: { total: agentDrops.total, rolling_1h: agentDrops.rolling_1h } } : {}),
             ...(pauseStatus.paused ? { paused: true, pauseMessage: pauseStatus.message, resumesAt: pauseStatus.entry?.pausedUntil ?? null } : {}),
+            ...(bootMemories.length > 0 ? { memories: bootMemories } : {}),
+            ...(activeRun ? { run: activeRun } : {}),
+            ...(() => {
+                const p = presenceManager.getAllPresence().find(p => p.agent === agent);
+                return p?.waiting ? { waiting: p.waiting } : {};
+            })(),
             action: pauseStatus.paused ? `PAUSED: ${pauseStatus.message}`
                 : activeTask ? `Continue ${activeTask.id}`
                     : nextTask ? `Claim ${nextTask.id}`
@@ -9288,6 +9458,21 @@ export async function createServer() {
                             : 'HEARTBEAT_OK',
         };
     });
+    // ── Agent Waiting State ──────────────────────────────────────────────
+    // Agents signal they're blocked on human input. Shows in heartbeat + presence.
+    app.post('/agents/:agent/waiting', async (request, reply) => {
+        const agent = String(request.params.agent || '').trim().toLowerCase();
+        const body = request.body ?? {};
+        if (!body.reason)
+            return reply.code(400).send({ error: 'reason is required' });
+        presenceManager.setWaiting(agent, { reason: body.reason, waitingFor: body.waitingFor, taskId: body.taskId, expiresAt: body.expiresAt });
+        return { success: true, agent, status: 'waiting', waiting: { reason: body.reason, waitingFor: body.waitingFor, taskId: body.taskId, expiresAt: body.expiresAt } };
+    });
+    app.delete('/agents/:agent/waiting', async (request) => {
+        const agent = String(request.params.agent || '').trim().toLowerCase();
+        presenceManager.clearWaiting(agent);
+        return { success: true, agent, status: 'idle' };
+    });
     // ── Bootstrap: dynamic agent config generation ──────────────────────
     app.get('/bootstrap/heartbeat/:agent', async (request) => {
         const agent = String(request.params.agent || '').trim().toLowerCase();
@@ -9351,6 +9536,7 @@ If your heartbeat shows **no active task** and **no next task**:
 - Do not load full chat history.
 - Do not post plan-only updates.
 - If nothing changed and no direct action is required, reply \`HEARTBEAT_OK\`.
+- **Decision authority:** Team owns product/arch/process decisions. Escalate credentials, legal, and vision decisions to the admin/owner. See \`decision_authority\` block in \`defaults/TEAM-ROLES.yaml\` for the full list.
 `;
         // Stable hash for change detection (agents can cache and compare)
         const { createHash } = await import('node:crypto');
@@ -10455,17 +10641,12 @@ If your heartbeat shows **no active task** and **no next task**:
             return { success: false, error: 'agent and model are required' };
         }
         const event = recordUsage({
-            agent: body.agent,
-            task_id: body.task_id,
+            agentId: body.agent,
             model: body.model,
-            provider: body.provider || 'unknown',
-            input_tokens: Number(body.input_tokens) || 0,
-            output_tokens: Number(body.output_tokens) || 0,
-            estimated_cost_usd: body.estimated_cost_usd != null ? Number(body.estimated_cost_usd) : undefined,
-            category: body.category || 'other',
+            inputTokens: Number(body.input_tokens) || 0,
+            outputTokens: Number(body.output_tokens) || 0,
+            cost: body.estimated_cost_usd != null ? Number(body.estimated_cost_usd) : 0,
             timestamp: Number(body.timestamp) || Date.now(),
-            team_id: body.team_id,
-            metadata: body.metadata,
         });
         return { success: true, event };
     });
@@ -11027,6 +11208,21 @@ If your heartbeat shows **no active task** and **no next task**:
             });
             events.push(event);
         }
+        // Post GitHub events to the 'github' chat channel with remapped mentions.
+        // Pass enrichedBody (not body) so formatGitHubEvent has access to
+        // _reflectt_attribution and can mention the correct agent (@link not @kai).
+        if (provider === 'github') {
+            const ghEventType = request.headers['x-github-event'] || eventType;
+            const chatMessage = formatGitHubEvent(ghEventType, enrichedBody);
+            if (chatMessage) {
+                chatManager.sendMessage({
+                    from: 'github',
+                    content: chatMessage,
+                    channel: 'github',
+                    metadata: { source: 'github-webhook', eventType: ghEventType, delivery: request.headers['x-github-delivery'] },
+                }).catch(() => { }); // non-blocking
+            }
+        }
         reply.code(202);
         return { success: true, accepted: events.length, events: events.map(e => ({ id: e.id, idempotencyKey: e.idempotencyKey, status: e.status })) };
     });
@@ -11989,6 +12185,964 @@ If your heartbeat shows **no active task** and **no next task**:
     });
     // Start hourly auto-snapshot for alert-preflight daily metrics
     startAutoSnapshot();
+    // ─── Browser capability routes ───────────────────────────────────────────────
+    const browser = await import('./capabilities/browser.js');
+    app.get('/browser/config', async () => {
+        return browser.getBrowserConfig();
+    });
+    app.post('/browser/sessions', async (request, reply) => {
+        try {
+            const body = request.body;
+            if (!body?.agent)
+                return reply.code(400).send({ error: 'agent is required' });
+            const session = await browser.createSession({
+                agent: body.agent,
+                url: body.url,
+                headless: body.headless,
+                viewport: body.viewport,
+            });
+            const { _stagehand, _page, _idleTimer, ...safe } = session;
+            return reply.code(201).send(safe);
+        }
+        catch (err) {
+            const status = err.message?.includes('Max concurrent') || err.message?.includes('exceeded max') ? 429 : 500;
+            return reply.code(status).send({ error: err.message });
+        }
+    });
+    app.get('/browser/sessions', async () => {
+        return { sessions: browser.listSessions() };
+    });
+    app.get('/browser/sessions/:id', async (request, reply) => {
+        const session = browser.getSession(request.params.id);
+        if (!session)
+            return reply.code(404).send({ error: 'Session not found' });
+        const { _stagehand, _page, _idleTimer, ...safe } = session;
+        return safe;
+    });
+    app.delete('/browser/sessions/:id', async (request, reply) => {
+        await browser.closeSession(request.params.id);
+        return { ok: true };
+    });
+    app.post('/browser/sessions/:id/act', async (request, reply) => {
+        try {
+            const body = request.body;
+            if (!body?.instruction)
+                return reply.code(400).send({ error: 'instruction is required' });
+            const result = await browser.act(request.params.id, body.instruction);
+            return result;
+        }
+        catch (err) {
+            return reply.code(err.message?.includes('No active') ? 404 : 500).send({ error: err.message });
+        }
+    });
+    app.post('/browser/sessions/:id/extract', async (request, reply) => {
+        try {
+            const body = request.body;
+            if (!body?.instruction)
+                return reply.code(400).send({ error: 'instruction is required' });
+            const result = await browser.extract(request.params.id, body.instruction, body.schema);
+            return result;
+        }
+        catch (err) {
+            return reply.code(err.message?.includes('No active') ? 404 : 500).send({ error: err.message });
+        }
+    });
+    app.post('/browser/sessions/:id/observe', async (request, reply) => {
+        try {
+            const body = request.body;
+            if (!body?.instruction)
+                return reply.code(400).send({ error: 'instruction is required' });
+            const result = await browser.observe(request.params.id, body.instruction);
+            return result;
+        }
+        catch (err) {
+            return reply.code(err.message?.includes('No active') ? 404 : 500).send({ error: err.message });
+        }
+    });
+    app.post('/browser/sessions/:id/navigate', async (request, reply) => {
+        try {
+            const body = request.body;
+            if (!body?.url)
+                return reply.code(400).send({ error: 'url is required' });
+            const result = await browser.navigate(request.params.id, body.url);
+            return result;
+        }
+        catch (err) {
+            return reply.code(err.message?.includes('No active') ? 404 : 500).send({ error: err.message });
+        }
+    });
+    app.get('/browser/sessions/:id/screenshot', async (request, reply) => {
+        try {
+            const result = await browser.screenshot(request.params.id);
+            return result;
+        }
+        catch (err) {
+            return reply.code(err.message?.includes('No active') ? 404 : 500).send({ error: err.message });
+        }
+    });
+    // ── Agent Runs & Events ──────────────────────────────────────────────────
+    const { createAgentRun, updateAgentRun, getAgentRun, getActiveAgentRun, listAgentRuns, appendAgentEvent, listAgentEvents, VALID_RUN_STATUSES, } = await import('./agent-runs.js');
+    // Create a new agent run
+    app.post('/agents/:agentId/runs', async (request, reply) => {
+        const { agentId } = request.params;
+        const body = request.body;
+        if (!body?.objective)
+            return reply.code(400).send({ error: 'objective is required' });
+        const teamId = body.teamId ?? 'default';
+        try {
+            const run = createAgentRun(agentId, teamId, body.objective, {
+                taskId: body.taskId,
+                parentRunId: body.parentRunId,
+            });
+            return reply.code(201).send(run);
+        }
+        catch (err) {
+            return reply.code(500).send({ error: err.message });
+        }
+    });
+    // Update an agent run (status, context, artifacts)
+    app.patch('/agents/:agentId/runs/:runId', async (request, reply) => {
+        const { runId } = request.params;
+        const body = request.body;
+        if (body?.status && !VALID_RUN_STATUSES.includes(body.status)) {
+            return reply.code(400).send({ error: `Invalid status. Valid: ${VALID_RUN_STATUSES.join(', ')}` });
+        }
+        try {
+            const run = updateAgentRun(runId, {
+                status: body?.status,
+                contextSnapshot: body?.contextSnapshot,
+                artifacts: body?.artifacts,
+            });
+            if (!run)
+                return reply.code(404).send({ error: 'Run not found' });
+            return run;
+        }
+        catch (err) {
+            return reply.code(500).send({ error: err.message });
+        }
+    });
+    // List agent runs
+    app.get('/agents/:agentId/runs', async (request, reply) => {
+        const { agentId } = request.params;
+        const query = request.query;
+        const teamId = query.teamId ?? 'default';
+        const limit = query.limit ? parseInt(query.limit, 10) : undefined;
+        return listAgentRuns(agentId, teamId, { status: query.status, limit });
+    });
+    // Get active run for an agent
+    app.get('/agents/:agentId/runs/current', async (request, reply) => {
+        const { agentId } = request.params;
+        const query = request.query;
+        const teamId = query.teamId ?? 'default';
+        const run = getActiveAgentRun(agentId, teamId);
+        if (!run)
+            return reply.code(404).send({ error: 'No active run' });
+        return run;
+    });
+    // Append an event
+    const { validateRoutingSemantics } = await import('./agent-runs.js');
+    // GET /events/routing/validate — check if a payload passes routing semantics
+    app.post('/events/routing/validate', async (request) => {
+        const body = request.body;
+        if (!body?.eventType)
+            return { valid: false, errors: ['eventType is required'], warnings: [] };
+        return validateRoutingSemantics(body.eventType, body.payload ?? {});
+    });
+    app.post('/agents/:agentId/events', async (request, reply) => {
+        const { agentId } = request.params;
+        const body = request.body;
+        if (!body?.eventType)
+            return reply.code(400).send({ error: 'eventType is required' });
+        try {
+            const event = appendAgentEvent({
+                agentId,
+                runId: body.runId,
+                eventType: body.eventType,
+                payload: body.payload,
+                enforceRouting: body.enforceRouting,
+            });
+            return reply.code(201).send(event);
+        }
+        catch (err) {
+            if (err.message.includes('Routing semantics violation')) {
+                return reply.code(422).send({ error: err.message, hint: 'Actionable events require: action_required (string), urgency (low|normal|high|critical), owner (string). Optional: expires_at (number).' });
+            }
+            return reply.code(500).send({ error: err.message });
+            const message = String(err?.message || err);
+            if (message.includes('rationale')) {
+                return reply.code(400).send({ error: message });
+            }
+            return reply.code(500).send({ error: message });
+        }
+    });
+    // List agent events
+    app.get('/agents/:agentId/events', async (request, reply) => {
+        const { agentId } = request.params;
+        const query = request.query;
+        return listAgentEvents({
+            agentId,
+            runId: query.runId,
+            eventType: query.type,
+            since: query.since ? parseInt(query.since, 10) : undefined,
+            limit: query.limit ? parseInt(query.limit, 10) : undefined,
+        });
+    });
+    // ── Run Event Stream (SSE) ─────────────────────────────────────────────
+    // Real-time SSE stream for run events. Canvas subscribes here instead of polling.
+    // GET /agents/:agentId/runs/:runId/stream — stream events for a specific run
+    // GET /agents/:agentId/stream — stream all events for an agent
+    app.get('/agents/:agentId/runs/:runId/stream', async (request, reply) => {
+        const { agentId, runId } = request.params;
+        const run = getAgentRun(runId);
+        if (!run) {
+            reply.code(404);
+            return { error: 'Run not found' };
+        }
+        reply.raw.writeHead(200, {
+            'Content-Type': 'text/event-stream',
+            'Cache-Control': 'no-cache',
+            'Connection': 'keep-alive',
+            'X-Accel-Buffering': 'no',
+        });
+        // Send current run state as initial snapshot
+        reply.raw.write(`event: snapshot\ndata: ${JSON.stringify({ run, events: listAgentEvents({ runId, limit: 20 }) })}\n\n`);
+        // Subscribe to eventBus for this run's events
+        const listenerId = `run-stream-${runId}-${Date.now()}`;
+        let closed = false;
+        eventBus.on(listenerId, (event) => {
+            if (closed)
+                return;
+            const data = event.data;
+            // Forward events that match this agent or run
+            if (data && (data.runId === runId || data.agentId === agentId)) {
+                try {
+                    reply.raw.write(`event: ${event.type}\ndata: ${JSON.stringify(event)}\n\n`);
+                }
+                catch { /* connection closed */ }
+            }
+        });
+        // Heartbeat
+        const heartbeat = setInterval(() => {
+            if (closed) {
+                clearInterval(heartbeat);
+                return;
+            }
+            try {
+                reply.raw.write(`:heartbeat\n\n`);
+            }
+            catch {
+                clearInterval(heartbeat);
+            }
+        }, 15_000);
+        // Cleanup
+        request.raw.on('close', () => {
+            closed = true;
+            eventBus.off(listenerId);
+            clearInterval(heartbeat);
+        });
+    });
+    // Stream all events for an agent
+    app.get('/agents/:agentId/stream', async (request, reply) => {
+        const { agentId } = request.params;
+        reply.raw.writeHead(200, {
+            'Content-Type': 'text/event-stream',
+            'Cache-Control': 'no-cache',
+            'Connection': 'keep-alive',
+            'X-Accel-Buffering': 'no',
+        });
+        // Send recent events as snapshot
+        const recentEvents = listAgentEvents({ agentId, limit: 20 });
+        const activeRun = getActiveAgentRun(agentId, 'default');
+        reply.raw.write(`event: snapshot\ndata: ${JSON.stringify({ activeRun, events: recentEvents })}\n\n`);
+        const listenerId = `agent-stream-${agentId}-${Date.now()}`;
+        let closed = false;
+        eventBus.on(listenerId, (event) => {
+            if (closed)
+                return;
+            const data = event.data;
+            if (data && data.agentId === agentId) {
+                try {
+                    reply.raw.write(`event: ${event.type}\ndata: ${JSON.stringify(event)}\n\n`);
+                }
+                catch { /* connection closed */ }
+            }
+        });
+        const heartbeat = setInterval(() => {
+            if (closed) {
+                clearInterval(heartbeat);
+                return;
+            }
+            try {
+                reply.raw.write(`:heartbeat\n\n`);
+            }
+            catch {
+                clearInterval(heartbeat);
+            }
+        }, 15_000);
+        request.raw.on('close', () => {
+            closed = true;
+            eventBus.off(listenerId);
+            clearInterval(heartbeat);
+        });
+    });
+    // ── Workflow Templates ─────────────────────────────────────────────────
+    const { listWorkflowTemplates, getWorkflowTemplate, runWorkflow } = await import('./workflow-templates.js');
+    // GET /workflows — list available workflow templates
+    app.get('/workflows', async () => ({ templates: listWorkflowTemplates() }));
+    // GET /workflows/:id — get template details
+    app.get('/workflows/:id', async (request, reply) => {
+        const template = getWorkflowTemplate(request.params.id);
+        if (!template) {
+            reply.code(404);
+            return { error: 'Template not found' };
+        }
+        return {
+            id: template.id,
+            name: template.name,
+            description: template.description,
+            steps: template.steps.map(s => ({ name: s.name, description: s.description })),
+        };
+    });
+    // POST /workflows/:id/run — execute a workflow
+    app.post('/workflows/:id/run', async (request, reply) => {
+        const template = getWorkflowTemplate(request.params.id);
+        if (!template) {
+            reply.code(404);
+            return { error: 'Template not found' };
+        }
+        const body = request.body ?? {};
+        const agentId = body.agentId ?? 'link';
+        const teamId = body.teamId ?? 'default';
+        const result = await runWorkflow(template, agentId, teamId, body);
+        return result;
+    });
+    // ── Agent Messaging (Host-native) ─────────────────────────────────────
+    // Local agent-to-agent messaging. Replaces gateway for same-Host agents.
+    const { sendAgentMessage, listAgentMessages, listSentMessages, markMessagesRead, getUnreadCount, listChannelMessages } = await import('./agent-messaging.js');
+    // Send message
+    app.post('/agents/:agentId/messages/send', async (request, reply) => {
+        const { agentId } = request.params;
+        const body = request.body;
+        if (!body?.to)
+            return reply.code(400).send({ error: 'to (recipient agent) is required' });
+        if (!body?.content)
+            return reply.code(400).send({ error: 'content is required' });
+        const msg = sendAgentMessage({
+            fromAgent: agentId,
+            toAgent: body.to,
+            channel: body.channel,
+            content: body.content,
+            metadata: body.metadata,
+        });
+        // Emit event for SSE subscribers
+        eventBus.emit({
+            id: `amsg-evt-${Date.now()}`,
+            type: 'message_posted',
+            timestamp: Date.now(),
+            data: { messageId: msg.id, from: agentId, to: body.to, channel: msg.channel },
+        });
+        return reply.code(201).send(msg);
+    });
+    // Inbox
+    app.get('/agents/:agentId/messages', async (request) => {
+        const { agentId } = request.params;
+        const query = request.query;
+        return {
+            messages: listAgentMessages({
+                agentId,
+                channel: query.channel,
+                unreadOnly: query.unread === 'true',
+                since: query.since ? parseInt(query.since, 10) : undefined,
+                limit: query.limit ? parseInt(query.limit, 10) : undefined,
+            }),
+            unreadCount: getUnreadCount(agentId),
+        };
+    });
+    // Sent
+    app.get('/agents/:agentId/messages/sent', async (request) => {
+        const { agentId } = request.params;
+        const query = request.query;
+        return { messages: listSentMessages(agentId, query.limit ? parseInt(query.limit, 10) : undefined) };
+    });
+    // Mark read
+    app.post('/agents/:agentId/messages/read', async (request) => {
+        const { agentId } = request.params;
+        const body = request.body ?? {};
+        const marked = markMessagesRead(agentId, body.messageIds);
+        return { marked };
+    });
+    // Channel messages
+    app.get('/messages/channel/:channel', async (request) => {
+        const { channel } = request.params;
+        const query = request.query;
+        return {
+            messages: listChannelMessages(channel, {
+                since: query.since ? parseInt(query.since, 10) : undefined,
+                limit: query.limit ? parseInt(query.limit, 10) : undefined,
+            }),
+        };
+    });
+    // ── Run Retention / Archive ────────────────────────────────────────────
+    const { applyRunRetention, getRetentionStats } = await import('./agent-runs.js');
+    // GET /runs/retention/stats — preview what retention policy would do
+    app.get('/runs/retention/stats', async (request) => {
+        const query = request.query;
+        return getRetentionStats({
+            maxAgeDays: query.maxAgeDays ? parseInt(query.maxAgeDays, 10) : undefined,
+            maxCompletedRuns: query.maxCompletedRuns ? parseInt(query.maxCompletedRuns, 10) : undefined,
+        });
+    });
+    // POST /runs/retention/apply — apply retention policy
+    app.post('/runs/retention/apply', async (request) => {
+        const body = request.body ?? {};
+        return applyRunRetention({
+            policy: {
+                maxAgeDays: body.maxAgeDays,
+                maxCompletedRuns: body.maxCompletedRuns,
+                deleteArchived: body.deleteArchived,
+            },
+            agentId: body.agentId,
+            dryRun: body.dryRun,
+        });
+    });
+    // ── Artifact Store (Host-native) ──────────────────────────────────────
+    const { storeArtifact, getArtifact, readArtifactContent, listArtifacts, deleteArtifact, getStorageUsage } = await import('./artifact-store.js');
+    // Upload artifact
+    app.post('/agents/:agentId/artifacts', async (request, reply) => {
+        const { agentId } = request.params;
+        const body = request.body;
+        if (!body?.name)
+            return reply.code(400).send({ error: 'name is required' });
+        if (!body?.content)
+            return reply.code(400).send({ error: 'content is required' });
+        const contentBuf = body.encoding === 'base64' ? Buffer.from(body.content, 'base64') : Buffer.from(body.content);
+        const art = storeArtifact({ agentId, name: body.name, content: contentBuf, mimeType: body.mimeType, runId: body.runId, taskId: body.taskId, metadata: body.metadata });
+        return reply.code(201).send(art);
+    });
+    // List artifacts
+    app.get('/agents/:agentId/artifacts', async (request) => {
+        const { agentId } = request.params;
+        const query = request.query;
+        return {
+            artifacts: listArtifacts({ agentId, runId: query.runId, taskId: query.taskId, limit: query.limit ? parseInt(query.limit, 10) : undefined }),
+            usage: getStorageUsage(agentId),
+        };
+    });
+    // Get artifact metadata
+    app.get('/artifacts/:artifactId', async (request, reply) => {
+        const { artifactId } = request.params;
+        const art = getArtifact(artifactId);
+        if (!art)
+            return reply.code(404).send({ error: 'Artifact not found' });
+        return art;
+    });
+    // Download artifact content
+    app.get('/artifacts/:artifactId/content', async (request, reply) => {
+        const { artifactId } = request.params;
+        const content = readArtifactContent(artifactId);
+        if (!content)
+            return reply.code(404).send({ error: 'Artifact not found or file missing' });
+        const art = getArtifact(artifactId);
+        return reply.type(art.mimeType).send(content);
+    });
+    // Delete artifact
+    app.delete('/artifacts/:artifactId', async (request, reply) => {
+        const { artifactId } = request.params;
+        const deleted = deleteArtifact(artifactId);
+        if (!deleted)
+            return reply.code(404).send({ error: 'Artifact not found' });
+        return { deleted: true };
+    });
+    // Storage usage
+    app.get('/agents/:agentId/storage', async (request) => {
+        const { agentId } = request.params;
+        return getStorageUsage(agentId);
+    });
+    // ── Webhook Storage ──────────────────────────────────────────────────
+    const { storeWebhookPayload, getWebhookPayload, listWebhookPayloads, markPayloadProcessed, getUnprocessedCount, purgeOldPayloads } = await import('./webhook-storage.js');
+    // Ingest webhook payload
+    app.post('/webhooks/ingest', async (request, reply) => {
+        const body = request.body;
+        if (!body?.source)
+            return reply.code(400).send({ error: 'source is required' });
+        if (!body?.eventType)
+            return reply.code(400).send({ error: 'eventType is required' });
+        if (!body?.body)
+            return reply.code(400).send({ error: 'body (payload) is required' });
+        const headers = {};
+        for (const [k, v] of Object.entries(request.headers)) {
+            if (typeof v === 'string')
+                headers[k] = v;
+        }
+        const payload = storeWebhookPayload({ source: body.source, eventType: body.eventType, agentId: body.agentId, body: body.body, headers });
+        return reply.code(201).send(payload);
+    });
+    // List payloads
+    app.get('/webhooks/payloads', async (request) => {
+        const query = request.query;
+        return {
+            payloads: listWebhookPayloads({
+                source: query.source,
+                agentId: query.agentId,
+                unprocessedOnly: query.unprocessed === 'true',
+                since: query.since ? parseInt(query.since, 10) : undefined,
+                limit: query.limit ? parseInt(query.limit, 10) : undefined,
+            }),
+            unprocessedCount: getUnprocessedCount({ source: query.source, agentId: query.agentId }),
+        };
+    });
+    // Get single payload
+    app.get('/webhooks/payloads/:payloadId', async (request, reply) => {
+        const { payloadId } = request.params;
+        const payload = getWebhookPayload(payloadId);
+        if (!payload)
+            return reply.code(404).send({ error: 'Payload not found' });
+        return payload;
+    });
+    // Mark processed
+    app.post('/webhooks/payloads/:payloadId/process', async (request, reply) => {
+        const { payloadId } = request.params;
+        const marked = markPayloadProcessed(payloadId);
+        if (!marked)
+            return reply.code(404).send({ error: 'Payload not found or already processed' });
+        return { processed: true };
+    });
+    // Purge old processed payloads
+    app.post('/webhooks/purge', async (request) => {
+        const body = request.body ?? {};
+        const deleted = purgeOldPayloads(body.maxAgeDays ?? 30);
+        return { deleted };
+    });
+    // ── Approval Routing ────────────────────────────────────────────────────
+    const { listPendingApprovals, listApprovalQueue, submitApprovalDecision, } = await import('./agent-runs.js');
+    // List pending approvals (review_requested events needing action)
+    app.get('/approvals/pending', async (request) => {
+        const query = request.query;
+        return listPendingApprovals({
+            agentId: query.agentId,
+            limit: query.limit ? parseInt(query.limit, 10) : undefined,
+        });
+    });
+    // Dedicated approval queue — unified view of everything needing human decision.
+    // Answers: what needs decision, who owns it, when it expires, what happens if ignored.
+    app.get('/approval-queue', async (request) => {
+        const query = request.query;
+        const items = listApprovalQueue({
+            agentId: query.agentId,
+            category: query.category === 'review' || query.category === 'agent_action' ? query.category : undefined,
+            includeExpired: query.includeExpired === 'true',
+            limit: query.limit ? parseInt(query.limit, 10) : undefined,
+        });
+        return {
+            items,
+            count: items.length,
+            hasExpired: items.some(i => i.isExpired),
+        };
+    });
+    // Submit agent-action approval (approve_requested events)
+    app.post('/approval-queue/:approvalId/decide', async (request, reply) => {
+        const { approvalId } = request.params;
+        const body = request.body;
+        if (!body?.decision || !['approve', 'reject', 'defer'].includes(body.decision)) {
+            return reply.code(400).send({ error: 'decision must be "approve", "reject", or "defer"' });
+        }
+        if (!body?.actor) {
+            return reply.code(400).send({ error: 'actor is required' });
+        }
+        try {
+            const result = submitApprovalDecision({
+                eventId: approvalId,
+                decision: body.decision,
+                reviewer: body.actor,
+                comment: body.comment,
+            });
+            // Emit canvas_input event so Presence Layer updates
+            eventBus.emit({
+                id: `aq-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
+                type: 'canvas_input',
+                timestamp: Date.now(),
+                data: {
+                    action: 'decision',
+                    approvalId,
+                    decision: body.decision,
+                    actor: body.actor,
+                },
+            });
+            return result;
+        }
+        catch (err) {
+            return reply.code(err.message.includes('not found') ? 404 : 400).send({ error: err.message });
+        }
+    });
+    // Submit approval decision
+    app.post('/approvals/:eventId/decide', async (request, reply) => {
+        const { eventId } = request.params;
+        const body = request.body;
+        if (!body?.decision || !['approve', 'reject'].includes(body.decision)) {
+            return reply.code(400).send({ error: 'decision must be "approve" or "reject"' });
+        }
+        if (!body?.reviewer) {
+            return reply.code(400).send({ error: 'reviewer is required' });
+        }
+        try {
+            const result = submitApprovalDecision({
+                eventId,
+                decision: body.decision,
+                reviewer: body.reviewer,
+                comment: body.comment,
+                rationale: body.rationale,
+            });
+            return result;
+        }
+        catch (err) {
+            return reply.code(err.message.includes('not found') ? 404 : 400).send({ error: err.message });
+        }
+    });
+    // ── Canvas Input ──────────────────────────────────────────────────────
+    // Human → agent control seam for the Presence Layer.
+    // Payload is intentionally small per COO spec: action + target + actor.
+    const CANVAS_INPUT_ACTIONS = ['decision', 'interrupt', 'pause', 'resume', 'mute', 'unmute'];
+    const CanvasInputSchema = z.object({
+        action: z.enum(CANVAS_INPUT_ACTIONS),
+        targetRunId: z.string().optional(), // which run to act on
+        decisionId: z.string().optional(), // for decision actions
+        choice: z.enum(['approve', 'deny', 'defer']).optional(), // for decision actions
+        actor: z.string().min(1), // who made this input
+        comment: z.string().optional(), // optional rationale
+    });
+    app.post('/canvas/input', async (request, reply) => {
+        const body = request.body;
+        const result = CanvasInputSchema.safeParse(body);
+        if (!result.success) {
+            reply.code(422);
+            return {
+                error: `Invalid canvas input: ${result.error.issues.map(i => i.message).join(', ')}`,
+                hint: 'Required: action (decision|interrupt|pause|resume|mute|unmute), actor. Optional: targetRunId, decisionId, choice, comment.',
+            };
+        }
+        const input = result.data;
+        const now = Date.now();
+        // Route by action type
+        if (input.action === 'decision') {
+            if (!input.decisionId || !input.choice) {
+                reply.code(422);
+                return { error: 'Decision action requires decisionId and choice (approve|deny|defer)' };
+            }
+            // Emit canvas_input event for SSE subscribers
+            eventBus.emit({ id: `cinput-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`, type: "canvas_input", timestamp: Date.now(), data: {
+                    action: input.action,
+                    decisionId: input.decisionId,
+                    choice: input.choice,
+                    actor: input.actor,
+                    comment: input.comment,
+                    timestamp: now,
+                } });
+            return {
+                success: true,
+                action: 'decision',
+                decisionId: input.decisionId,
+                choice: input.choice,
+                actor: input.actor,
+                timestamp: now,
+            };
+        }
+        if (input.action === 'interrupt' || input.action === 'pause') {
+            // Update active run if specified
+            const runId = input.targetRunId;
+            if (runId) {
+                try {
+                    updateAgentRun(runId, {
+                        status: input.action === 'interrupt' ? 'cancelled' : 'blocked',
+                    });
+                }
+                catch { /* run may not exist — still emit event */ }
+            }
+            eventBus.emit({ id: `cinput-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`, type: "canvas_input", timestamp: Date.now(), data: {
+                    action: input.action,
+                    targetRunId: runId || null,
+                    actor: input.actor,
+                    timestamp: now,
+                } });
+            return {
+                success: true,
+                action: input.action,
+                targetRunId: runId || null,
+                actor: input.actor,
+                timestamp: now,
+            };
+        }
+        if (input.action === 'resume') {
+            const runId = input.targetRunId;
+            if (runId) {
+                try {
+                    updateAgentRun(runId, { status: 'working' });
+                }
+                catch { /* run may not exist */ }
+            }
+            eventBus.emit({ id: `cinput-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`, type: "canvas_input", timestamp: Date.now(), data: {
+                    action: 'resume',
+                    targetRunId: runId || null,
+                    actor: input.actor,
+                    timestamp: now,
+                } });
+            return { success: true, action: 'resume', targetRunId: runId || null, actor: input.actor, timestamp: now };
+        }
+        // Mute/unmute — emit event only, no state change needed
+        eventBus.emit({ id: `cinput-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`, type: "canvas_input", timestamp: Date.now(), data: {
+                action: input.action,
+                actor: input.actor,
+                timestamp: now,
+            } });
+        return { success: true, action: input.action, actor: input.actor, timestamp: now };
+    });
+    // GET /canvas/input/schema — discovery endpoint
+    app.get('/canvas/input/schema', async () => ({
+        actions: CANVAS_INPUT_ACTIONS,
+        schema: {
+            action: 'decision | interrupt | pause | resume | mute | unmute',
+            targetRunId: 'optional — which run to act on',
+            decisionId: 'required for decision action — approval event ID',
+            choice: 'required for decision — approve | deny | defer',
+            actor: 'required — who made this input',
+            comment: 'optional — rationale',
+        },
+    }));
+    // ── Email / SMS relay ──────────────────────────────────────────────────
+    async function cloudRelay(path, body, reply) {
+        const cloudUrl = process.env.REFLECTT_CLOUD_URL;
+        const hostToken = process.env.REFLECTT_HOST_TOKEN;
+        if (!cloudUrl || !hostToken) {
+            reply.code(503);
+            return { error: 'Not connected to cloud. Configure REFLECTT_CLOUD_URL and REFLECTT_HOST_TOKEN.' };
+        }
+        try {
+            const res = await fetch(`${cloudUrl}${path}`, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/json',
+                    Authorization: `Bearer ${hostToken}`,
+                },
+                body: JSON.stringify(body),
+            });
+            const data = await res.json().catch(() => ({}));
+            if (!res.ok) {
+                reply.code(res.status);
+                return data;
+            }
+            return data;
+        }
+        catch (err) {
+            reply.code(502);
+            return { error: `Cloud relay failed: ${err.message}` };
+        }
+    }
+    // Send email via cloud relay
+    app.post('/email/send', async (request, reply) => {
+        const body = request.body;
+        const from = typeof body.from === 'string' ? body.from.trim() : '';
+        const to = body.to;
+        const subject = typeof body.subject === 'string' ? body.subject.trim() : '';
+        if (!from)
+            return reply.code(400).send({ error: 'from is required' });
+        if (!to)
+            return reply.code(400).send({ error: 'to is required' });
+        if (!subject)
+            return reply.code(400).send({ error: 'subject is required' });
+        if (!body.html && !body.text)
+            return reply.code(400).send({ error: 'html or text body is required' });
+        // Use host-relay endpoint — authenticates with host credential, uses host's own teamId server-side
+        const hostId = process.env.REFLECTT_HOST_ID;
+        const relayPath = hostId ? `/api/hosts/${encodeURIComponent(hostId)}/relay/email` : '/api/hosts/relay/email';
+        return cloudRelay(relayPath, {
+            from,
+            to,
+            subject,
+            html: body.html,
+            text: body.text,
+            replyTo: body.replyTo,
+            cc: body.cc,
+            bcc: body.bcc,
+            agent: body.agentId || body.agent || 'unknown',
+        }, reply);
+    });
+    // Send SMS via cloud relay
+    app.post('/sms/send', async (request, reply) => {
+        const body = request.body;
+        const to = typeof body.to === 'string' ? body.to.trim() : '';
+        const msgBody = typeof body.body === 'string' ? body.body.trim() : '';
+        if (!to)
+            return reply.code(400).send({ error: 'to is required (phone number)' });
+        if (!msgBody)
+            return reply.code(400).send({ error: 'body is required' });
+        const hostIdSms = process.env.REFLECTT_HOST_ID;
+        const smsRelayPath = hostIdSms ? `/api/hosts/${encodeURIComponent(hostIdSms)}/relay/sms` : '/api/hosts/relay/sms';
+        return cloudRelay(smsRelayPath, {
+            to,
+            body: msgBody,
+            from: body.from,
+            agent: body.agentId || body.agent || 'unknown',
+        }, reply);
+    });
+    // ── Agent Config ──────────────────────────────────────────────────────
+    // Per-agent model preference, cost cap, and settings.
+    // This is the policy anchor for cost enforcement.
+    const { getAgentConfig, listAgentConfigs, setAgentConfig, deleteAgentConfig, checkCostCap } = await import('./agent-config.js');
+    // GET /agents/:agentId/config — get config for an agent
+    app.get('/agents/:agentId/config', async (request) => {
+        const config = getAgentConfig(request.params.agentId);
+        return config ?? { agentId: request.params.agentId, configured: false };
+    });
+    // PUT /agents/:agentId/config — upsert config for an agent
+    app.put('/agents/:agentId/config', async (request, reply) => {
+        const body = request.body ?? {};
+        try {
+            const config = setAgentConfig(request.params.agentId, {
+                teamId: typeof body.teamId === 'string' ? body.teamId : undefined,
+                model: body.model !== undefined ? body.model : undefined,
+                fallbackModel: body.fallbackModel !== undefined ? body.fallbackModel : undefined,
+                costCapDaily: body.costCapDaily !== undefined ? body.costCapDaily : undefined,
+                costCapMonthly: body.costCapMonthly !== undefined ? body.costCapMonthly : undefined,
+                maxTokensPerCall: body.maxTokensPerCall !== undefined ? body.maxTokensPerCall : undefined,
+                settings: body.settings !== undefined ? body.settings : undefined,
+            });
+            return config;
+        }
+        catch (err) {
+            reply.code(400);
+            return { error: err.message };
+        }
+    });
+    // DELETE /agents/:agentId/config — remove config for an agent
+    app.delete('/agents/:agentId/config', async (request, reply) => {
+        const deleted = deleteAgentConfig(request.params.agentId);
+        if (!deleted) {
+            reply.code(404);
+            return { error: 'Config not found' };
+        }
+        return { success: true };
+    });
+    // GET /agent-configs — list all agent configs
+    app.get('/agent-configs', async (request) => {
+        const query = request.query;
+        return { configs: listAgentConfigs({ teamId: query.teamId }) };
+    });
+    // GET /agents/:agentId/cost-check — runtime cost enforcement check
+    // Used by the runtime before making model calls.
+    app.get('/agents/:agentId/cost-check', async (request) => {
+        const query = request.query;
+        const dailySpend = query.dailySpend ? parseFloat(query.dailySpend) : 0;
+        const monthlySpend = query.monthlySpend ? parseFloat(query.monthlySpend) : 0;
+        return checkCostCap(request.params.agentId, dailySpend, monthlySpend);
+    });
+    // ── Cost-Policy Enforcement Middleware ──────────────────────────────────
+    const { enforcePolicy, recordUsage, getDailySpend, getMonthlySpend, purgeUsageLog, ensureUsageLogTable, } = await import('./cost-enforcement.js');
+    ensureUsageLogTable();
+    // POST /agents/:agentId/enforce-cost — runtime enforcement before model calls
+    app.post('/agents/:agentId/enforce-cost', async (request, reply) => {
+        const result = enforcePolicy(request.params.agentId);
+        const status = result.action === 'deny' ? 403 : 200;
+        return reply.code(status).send(result);
+    });
+    // GET /agents/:agentId/spend — current daily + monthly spend
+    app.get('/agents/:agentId/spend', async (request) => {
+        const { agentId } = request.params;
+        return {
+            agentId,
+            dailySpend: getDailySpend(agentId),
+            monthlySpend: getMonthlySpend(agentId),
+        };
+    });
+    // POST /usage/record — record a usage event
+    app.post('/usage/record', async (request, reply) => {
+        const body = request.body;
+        if (!body?.agentId)
+            return reply.code(400).send({ error: 'agentId is required' });
+        if (!body?.model)
+            return reply.code(400).send({ error: 'model is required' });
+        if (typeof body.cost !== 'number')
+            return reply.code(400).send({ error: 'cost is required (number)' });
+        recordUsage({
+            agentId: body.agentId,
+            model: body.model,
+            inputTokens: body.inputTokens ?? 0,
+            outputTokens: body.outputTokens ?? 0,
+            cost: body.cost,
+            timestamp: Date.now(),
+        });
+        return reply.code(201).send({ ok: true });
+    });
+    // POST /usage/purge — purge old usage records
+    app.post('/usage/purge', async (request) => {
+        const body = request.body;
+        const deleted = purgeUsageLog(body?.maxAgeDays ?? 90);
+        return { deleted };
+    });
+    // ── Agent Memories ─────────────────────────────────────────────────────
+    const { setMemory, getMemory, listMemories, deleteMemory, deleteMemoryById, purgeExpiredMemories, countMemories, } = await import('./agent-memories.js');
+    // Set (create or update) a memory
+    app.put('/agents/:agentId/memories', async (request, reply) => {
+        const { agentId } = request.params;
+        const body = request.body;
+        if (!body?.key)
+            return reply.code(400).send({ error: 'key is required' });
+        if (body.content === undefined || body.content === null)
+            return reply.code(400).send({ error: 'content is required' });
+        try {
+            const memory = setMemory({
+                agentId,
+                namespace: body.namespace,
+                key: body.key,
+                content: body.content,
+                tags: body.tags,
+                expiresAt: body.expiresAt,
+            });
+            return reply.code(200).send(memory);
+        }
+        catch (err) {
+            return reply.code(500).send({ error: err.message });
+        }
+    });
+    // Get a specific memory by key
+    app.get('/agents/:agentId/memories/:key', async (request, reply) => {
+        const { agentId, key } = request.params;
+        const query = request.query;
+        const memory = getMemory(agentId, key, query.namespace);
+        if (!memory)
+            return reply.code(404).send({ error: 'Memory not found' });
+        return memory;
+    });
+    // List memories for an agent
+    app.get('/agents/:agentId/memories', async (request, reply) => {
+        const { agentId } = request.params;
+        const query = request.query;
+        return listMemories({
+            agentId,
+            namespace: query.namespace,
+            tag: query.tag,
+            search: query.search,
+            limit: query.limit ? parseInt(query.limit, 10) : undefined,
+        });
+    });
+    // Delete a memory by key
+    app.delete('/agents/:agentId/memories/:key', async (request, reply) => {
+        const { agentId, key } = request.params;
+        const query = request.query;
+        const deleted = deleteMemory(agentId, key, query.namespace);
+        if (!deleted)
+            return reply.code(404).send({ error: 'Memory not found' });
+        return { deleted: true };
+    });
+    // Count memories
+    app.get('/agents/:agentId/memories/count', async (request, reply) => {
+        const { agentId } = request.params;
+        const query = request.query;
+        return { count: countMemories(agentId, query.namespace) };
+    });
+    // Purge expired memories (housekeeping)
+    app.post('/agents/memories/purge', async (_request, reply) => {
+        const purged = purgeExpiredMemories();
+        return { purged };
+    });
     return app;
 }
 //# sourceMappingURL=server.js.map