ticlawk 0.1.15 → 0.1.16-dev.10

package/src/core/agent-home.mjs

@@ -0,0 +1,85 @@
+/**
+ * Per-agent home directory: ~/.ticlawk/agents/<agent_id>/
+ *
+ * The agent's authoritative workspace. The daemon spawns every runtime
+ * with this as cwd; the agent's MEMORY.md, notes/, and any artifacts
+ * it produces live here. No project binding — one MEMORY.md per agent,
+ * lives in cwd, agent reads it via `cat MEMORY.md`.
+ */
+
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { AF_HOME } from './config.mjs';
+
+export const AF_AGENTS_DIR = join(AF_HOME, 'agents');
+
+export function getAgentHome(agentId) {
+  if (!agentId) throw new Error('getAgentHome: agentId is required');
+  return join(AF_AGENTS_DIR, String(agentId));
+}
+
+export function getAgentMemoryPath(agentId) {
+  return join(getAgentHome(agentId), 'MEMORY.md');
+}
+
+/**
+ * Make sure the agent home dir exists + has a starter MEMORY.md. Idempotent;
+ * safe to call on every spawn. The daemon does this before driver.spawn()
+ * so cwd is always a real, writable directory.
+ *
+ * Pass `displayName` only when seeding for the first time — existing
+ * MEMORY.md is never overwritten (the agent owns it).
+ */
+export function ensureAgentHome(agentId, { displayName } = {}) {
+  const home = getAgentHome(agentId);
+  mkdirSync(home, { recursive: true });
+  const memoryPath = getAgentMemoryPath(agentId);
+  if (!existsSync(memoryPath)) {
+    writeFileSync(memoryPath, buildInitialMemoryMd({ displayName, home }), 'utf8');
+  }
+  return home;
+}
+
+function buildInitialMemoryMd({ displayName, home }) {
+  const lines = [
+    `# ${displayName || 'Agent'}`,
+    '',
+    '## Role',
+    '<your role definition, evolved over time>',
+    '',
+    '## Workspace',
+    home,
+    '',
+  ];
+  lines.push(
+    '## Key Knowledge',
+    '- (none yet — populate as you learn the user, project, and domain)',
+    '',
+    '## Active Context',
+    '- (none)',
+    '',
+    '## How to update this file',
+    'MEMORY.md is your entry point. Read it at the top of every turn. Add a',
+    '`notes/<topic>.md` for each long-lived knowledge area and link it here.',
+    '',
+  );
+  return lines.join('\n');
+}
+
+/**
+ * Best-effort read of the "## Workspace" line from a MEMORY.md. Useful
+ * if some code wants to know where the agent currently believes it
+ * works (e.g. for UI display). The daemon does NOT use this for spawn
+ * cwd — spawn cwd is always getAgentHome(id).
+ */
+export function readWorkspaceFromMemory(agentId) {
+  const memoryPath = getAgentMemoryPath(agentId);
+  if (!existsSync(memoryPath)) return null;
+  try {
+    const text = readFileSync(memoryPath, 'utf8');
+    const m = text.match(/^##\s+Workspace\s*\n([^\n]+)/m);
+    return m ? m[1].trim() : null;
+  } catch {
+    return null;
+  }
+}

package/src/core/config.mjs

@@ -17,7 +17,6 @@ export const AF_HOME = process.env.TICLAWK_HOME || join(homedir(), '.ticlawk');
 export const AF_CONFIG_PATH = join(AF_HOME, '.config');
 export const AF_LOG_PATH = join(AF_HOME, 'ticlawk.log');
 export const AF_CRASH_LOG_PATH = join(AF_HOME, 'ticlawk-crash.log');
-export const AF_ADAPTER_KEY = 'AF_ADAPTER';
 export const AF_STREAMING_KEY = 'AF_STREAMING';
 export const AF_STREAMING_RUNTIME_KEYS = Object.fromEntries(
   RUNTIME_DEFINITIONS
@@ -31,28 +30,14 @@ export const RUNTIME_EXECUTABLE_CONFIG_KEYS = Object.fromEntries(
     .filter((runtime) => runtime.executableConfigKey)
     .map((runtime) => [runtime.name, runtime.executableConfigKey])
 );
-export const SUPPORTED_ADAPTERS = ['ticlawk', 'telegram'];
 // Public CLI keys stay kebab/dotted for usability; the persisted .config file
 // stores env-style names because systemd/launchd load it directly.
 export const ADAPTER_CONFIG_KEYS = {
-  'telegram.bot-token': 'TELEGRAM_BOT_TOKEN',
   'ticlawk.connector-api-key': TICLAWK_CONNECTOR_API_KEY,
   'ticlawk.api-url': 'TICLAWK_API_URL',
   'ticlawk.connector-ws-url': TICLAWK_CONNECTOR_WS_URL,
 };
 
-export function normalizeAdapterName(value) {
-  const normalized = String(value || '').trim().toLowerCase().replace(/[-\s]+/g, '_');
-  if (!normalized) return null;
-  if (SUPPORTED_ADAPTERS.includes(normalized)) return normalized;
-  return null;
-}
-
-export function getConfiguredAdapter(config = null) {
-  const source = config || loadPersistentConfig();
-  return normalizeAdapterName(source[AF_ADAPTER_KEY]) || 'ticlawk';
-}
-
 export function normalizeAdapterConfigTarget(target) {
   const normalized = String(target || '').trim().toLowerCase();
   const configKey = ADAPTER_CONFIG_KEYS[normalized];

package/src/core/http.mjs

@@ -1,4 +1,32 @@
 import { createServer } from 'node:http';
+import {
+  handleAttachmentUpload,
+  handleAttachmentView,
+  handleGroupCreate,
+  handleGroupMembers,
+  handleGroupMembersAdd,
+  handleGroupMembersRemove,
+  handleMessageCheck,
+  handleMessageReact,
+  handleMessageRead,
+  handleMessageSearch,
+  handleMessageSend,
+  handleProfileAvatarUpload,
+  handleProfileShow,
+  handleProfileUpdate,
+  handleReminderCancel,
+  handleReminderList,
+  handleReminderLog,
+  handleReminderSchedule,
+  handleReminderSnooze,
+  handleReminderUpdate,
+  handleServerInfo,
+  handleTaskClaim,
+  handleTaskCreate,
+  handleTaskList,
+  handleTaskUnclaim,
+  handleTaskUpdate,
+} from './agent-cli-handlers.mjs';
 
 function writeJson(res, statusCode, body) {
   res.writeHead(statusCode, { 'Content-Type': 'application/json' });
@@ -13,36 +41,197 @@ async function readBody(req) {
   return body;
 }
 
-export function startLocalHttpServer({ port, adapter }) {
+async function readJsonBody(req) {
+  const raw = await readBody(req);
+  if (!raw) return {};
+  try {
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+
+function parseQuery(url) {
+  const out = {};
+  const idx = url.indexOf('?');
+  if (idx < 0) return out;
+  const qs = new URLSearchParams(url.slice(idx + 1));
+  for (const [k, v] of qs.entries()) out[k] = v;
+  return out;
+}
+
+export function startLocalHttpServer({ port, adapter, ctx }) {
+  // The agent-cli handlers need a tiny binding-lookup surface to
+  // validate TICLAWK_RUNTIME_AGENT_ID against locally bound agents.
+  // We accept the same ctx the adapter was constructed with.
+  const cliCtx = ctx || { listBindings: () => [] };
+
   const server = createServer(async (req, res) => {
     res.setHeader('Access-Control-Allow-Origin', '*');
     res.setHeader('Access-Control-Allow-Methods', 'POST, GET, OPTIONS');
-    res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
+    res.setHeader('Access-Control-Allow-Headers', 'Content-Type, X-Ticlawk-Acting-Agent-Id, X-Ticlawk-Runtime-Host-Id, X-Ticlawk-Runtime-Session-Id');
     if (req.method === 'OPTIONS') {
       res.writeHead(204);
       res.end();
       return;
     }
 
-    if (req.method === 'GET' && req.url === '/health') {
-      try {
+    const method = (req.method || 'GET').toUpperCase();
+    const urlNoQuery = (req.url || '').split('?')[0];
+
+    try {
+      if (method === 'GET' && urlNoQuery === '/health') {
         const health = await adapter.health();
-        writeJson(res, 200, {
-          ok: true,
-          adapter: adapter.id,
-          ...health,
-        });
-      } catch (err) {
-        writeJson(res, 500, {
-          ok: false,
-          adapter: adapter.id,
-          error: err?.message || 'health check failed',
-        });
+        writeJson(res, 200, { ok: true, adapter: adapter.id, ...health });
+        return;
       }
-      return;
-    }
 
-    writeJson(res, 404, { error: 'not found' });
+      // ── Agent CLI surface (called from runtime CLI tools) ──
+      if (urlNoQuery === '/agent/message/send' && method === 'POST') {
+        const body = await readJsonBody(req);
+        if (body === null) return writeJson(res, 400, { error: 'invalid json body' });
+        const r = await handleMessageSend(req, body, cliCtx);
+        return writeJson(res, r.status, r.body);
+      }
+      if (urlNoQuery === '/agent/message/read' && method === 'GET') {
+        const r = await handleMessageRead(req, parseQuery(req.url || ''), cliCtx);
+        return writeJson(res, r.status, r.body);
+      }
+      if (urlNoQuery === '/agent/task/create' && method === 'POST') {
+        const body = await readJsonBody(req);
+        if (body === null) return writeJson(res, 400, { error: 'invalid json body' });
+        const r = await handleTaskCreate(req, body, cliCtx);
+        return writeJson(res, r.status, r.body);
+      }
+      if (urlNoQuery === '/agent/task/claim' && method === 'POST') {
+        const body = await readJsonBody(req);
+        if (body === null) return writeJson(res, 400, { error: 'invalid json body' });
+        const r = await handleTaskClaim(req, body, cliCtx);
+        return writeJson(res, r.status, r.body);
+      }
+      if (urlNoQuery === '/agent/task/unclaim' && method === 'POST') {
+        const body = await readJsonBody(req);
+        if (body === null) return writeJson(res, 400, { error: 'invalid json body' });
+        const r = await handleTaskUnclaim(req, body, cliCtx);
+        return writeJson(res, r.status, r.body);
+      }
+      if (urlNoQuery === '/agent/task/update' && method === 'POST') {
+        const body = await readJsonBody(req);
+        if (body === null) return writeJson(res, 400, { error: 'invalid json body' });
+        const r = await handleTaskUpdate(req, body, cliCtx);
+        return writeJson(res, r.status, r.body);
+      }
+      if (urlNoQuery === '/agent/task/list' && method === 'GET') {
+        const r = await handleTaskList(req, parseQuery(req.url || ''), cliCtx);
+        return writeJson(res, r.status, r.body);
+      }
+      if (urlNoQuery === '/agent/message/react' && method === 'POST') {
+        const body = await readJsonBody(req);
+        if (body === null) return writeJson(res, 400, { error: 'invalid json body' });
+        const r = await handleMessageReact(req, body, cliCtx);
+        return writeJson(res, r.status, r.body);
+      }
+      if (urlNoQuery === '/agent/message/check' && method === 'GET') {
+        const r = await handleMessageCheck(req, parseQuery(req.url || ''), cliCtx);
+        return writeJson(res, r.status, r.body);
+      }
+      if (urlNoQuery === '/agent/message/search' && method === 'GET') {
+        const r = await handleMessageSearch(req, parseQuery(req.url || ''), cliCtx);
+        return writeJson(res, r.status, r.body);
+      }
+      if (urlNoQuery === '/agent/profile/show' && method === 'GET') {
+        const r = await handleProfileShow(req, parseQuery(req.url || ''), cliCtx);
+        return writeJson(res, r.status, r.body);
+      }
+      if (urlNoQuery === '/agent/profile/update' && method === 'POST') {
+        const body = await readJsonBody(req);
+        if (body === null) return writeJson(res, 400, { error: 'invalid json body' });
+        const r = await handleProfileUpdate(req, body, cliCtx);
+        return writeJson(res, r.status, r.body);
+      }
+      if (urlNoQuery === '/agent/profile/avatar' && method === 'POST') {
+        const body = await readJsonBody(req);
+        if (body === null) return writeJson(res, 400, { error: 'invalid json body' });
+        const r = await handleProfileAvatarUpload(req, body, cliCtx);
+        return writeJson(res, r.status, r.body);
+      }
+      if (urlNoQuery === '/agent/attachment/upload' && method === 'POST') {
+        const body = await readJsonBody(req);
+        if (body === null) return writeJson(res, 400, { error: 'invalid json body' });
+        const r = await handleAttachmentUpload(req, body, cliCtx);
+        return writeJson(res, r.status, r.body);
+      }
+      if (urlNoQuery === '/agent/attachment/view' && method === 'GET') {
+        const r = await handleAttachmentView(req, parseQuery(req.url || ''), cliCtx);
+        return writeJson(res, r.status, r.body);
+      }
+      if (urlNoQuery === '/agent/reminder/schedule' && method === 'POST') {
+        const body = await readJsonBody(req);
+        if (body === null) return writeJson(res, 400, { error: 'invalid json body' });
+        const r = await handleReminderSchedule(req, body, cliCtx);
+        return writeJson(res, r.status, r.body);
+      }
+      if (urlNoQuery === '/agent/reminder/list' && method === 'GET') {
+        const r = await handleReminderList(req, parseQuery(req.url || ''), cliCtx);
+        return writeJson(res, r.status, r.body);
+      }
+      if (urlNoQuery === '/agent/reminder/snooze' && method === 'POST') {
+        const body = await readJsonBody(req);
+        if (body === null) return writeJson(res, 400, { error: 'invalid json body' });
+        const r = await handleReminderSnooze(req, body, cliCtx);
+        return writeJson(res, r.status, r.body);
+      }
+      if (urlNoQuery === '/agent/reminder/update' && method === 'POST') {
+        const body = await readJsonBody(req);
+        if (body === null) return writeJson(res, 400, { error: 'invalid json body' });
+        const r = await handleReminderUpdate(req, body, cliCtx);
+        return writeJson(res, r.status, r.body);
+      }
+      if (urlNoQuery === '/agent/reminder/cancel' && method === 'POST') {
+        const body = await readJsonBody(req);
+        if (body === null) return writeJson(res, 400, { error: 'invalid json body' });
+        const r = await handleReminderCancel(req, body, cliCtx);
+        return writeJson(res, r.status, r.body);
+      }
+      if (urlNoQuery === '/agent/reminder/log' && method === 'GET') {
+        const r = await handleReminderLog(req, parseQuery(req.url || ''), cliCtx);
+        return writeJson(res, r.status, r.body);
+      }
+      if (urlNoQuery === '/agent/group/members' && method === 'GET') {
+        const r = await handleGroupMembers(req, parseQuery(req.url || ''), cliCtx);
+        return writeJson(res, r.status, r.body);
+      }
+      if (urlNoQuery === '/agent/group/create' && method === 'POST') {
+        const body = await readJsonBody(req);
+        if (body === null) return writeJson(res, 400, { error: 'invalid json body' });
+        const r = await handleGroupCreate(req, body, cliCtx);
+        return writeJson(res, r.status, r.body);
+      }
+      if (urlNoQuery === '/agent/group/members/add' && method === 'POST') {
+        const body = await readJsonBody(req);
+        if (body === null) return writeJson(res, 400, { error: 'invalid json body' });
+        const r = await handleGroupMembersAdd(req, body, cliCtx);
+        return writeJson(res, r.status, r.body);
+      }
+      if (urlNoQuery === '/agent/group/members/remove' && method === 'POST') {
+        const body = await readJsonBody(req);
+        if (body === null) return writeJson(res, 400, { error: 'invalid json body' });
+        const r = await handleGroupMembersRemove(req, body, cliCtx);
+        return writeJson(res, r.status, r.body);
+      }
+      if (urlNoQuery === '/agent/server/info' && method === 'GET') {
+        const r = await handleServerInfo(req, parseQuery(req.url || ''), cliCtx);
+        return writeJson(res, r.status, r.body);
+      }
+
+      writeJson(res, 404, { error: 'not found' });
+    } catch (err) {
+      writeJson(res, 500, {
+        ok: false,
+        adapter: adapter.id,
+        error: err?.message || String(err),
+      });
+    }
   });
 
   server.on('error', (err) => {
@@ -59,6 +248,10 @@ export function startLocalHttpServer({ port, adapter }) {
     console.log(`[relay] HTTP server listening on :${port}`);
     console.log(`[relay]   adapter: ${adapter.id}`);
     console.log('[relay]   GET  /health   - daemon status check');
+    console.log('[relay]   POST /agent/message/send  - chat send (CLI -> daemon -> backend)');
+    console.log('[relay]   GET  /agent/message/read');
+    console.log('[relay]   POST /agent/task/claim | update');
+    console.log('[relay]   GET  /agent/task/list | /agent/group/members | /agent/server/info');
   });
 
   return server;

package/src/core/reminder-ticker.mjs

@@ -0,0 +1,70 @@
+/**
+ * Daemon-side reminder ticker.
+ *
+ * Runs every 60s. POSTs /api/agent/reminders/fire-due via the existing
+ * service-role connector path. The edge function calls the
+ * fire_due_reminders SQL function which atomically claims due
+ * reminders, posts a system message into each anchor conversation, and
+ * inserts the explicit message_delivery row to the owner agent.
+ *
+ * Failures are logged at boundaries and do not retry — the next tick
+ * picks them up. This is the only writer of "reminder fired" state, so
+ * there is no double-fire risk even across multiple daemon restarts
+ * (FOR UPDATE SKIP LOCKED inside the SQL function serialises).
+ *
+ * Disabled by setting TICLAWK_DISABLE_REMINDER_TICKER=1 in the
+ * environment (useful if you want to drive firing from elsewhere).
+ */
+
+import { fireDueReminders } from '../adapters/ticlawk/api.mjs';
+import { debugError, debugLog } from './logger.mjs';
+
+const DEFAULT_INTERVAL_MS = 60 * 1000;
+
+export function startReminderTicker({
+  intervalMs = DEFAULT_INTERVAL_MS,
+} = {}) {
+  if (String(process.env.TICLAWK_DISABLE_REMINDER_TICKER || '').trim() === '1') {
+    debugLog('reminder-ticker', 'disabled', { reason: 'TICLAWK_DISABLE_REMINDER_TICKER=1' });
+    return { stop: () => {} };
+  }
+
+  let stopped = false;
+  let timer = null;
+
+  async function tick() {
+    if (stopped) return;
+    try {
+      const res = await fireDueReminders();
+      const count = res?.fired_count || 0;
+      if (count > 0) {
+        debugLog('reminder-ticker', 'fired', {
+          count,
+          ids: (res?.fired || []).map((r) => r?.reminder_id),
+        });
+      }
+    } catch (err) {
+      debugError('reminder-ticker', 'tick.failed', {
+        error: err?.message || String(err),
+        status: err?.status || null,
+      });
+    } finally {
+      if (!stopped) timer = setTimeout(tick, intervalMs);
+    }
+  }
+
+  debugLog('reminder-ticker', 'start', { intervalMs });
+  // Start with an initial small delay so the daemon's HTTP server is
+  // up before the first tick.
+  timer = setTimeout(tick, 5000);
+
+  return {
+    stop() {
+      stopped = true;
+      if (timer) {
+        clearTimeout(timer);
+        timer = null;
+      }
+    },
+  };
+}

package/src/core/runtime-contract.mjs

@@ -42,7 +42,7 @@ import { normalizeServiceType } from './runtime-registry.mjs';
  * @property {(bindingId: string) => any} getBinding
  * @property {(filters?: Record<string, any>) => any[]} listBindings
  * @property {(bindingId: string) => Promise<void>} [deleteBinding]
- * @property {(binding: any) => Promise<any>} [cacheBinding]
+ * @property {(binding: any) => Promise<any>} [persistBinding]
  * @property {(binding: any) => Promise<any>} upsertBinding
  * @property {(inbound: any, runtimeName: string) => Promise<string>} buildImageMessageFromInbound
  * @property {any} logger

package/src/core/runtime-env.mjs

@@ -1,9 +1,45 @@
+/**
+ * Build the env passed to a spawned runtime (Codex/Claude Code/...).
+ *
+ * The blanket "strip everything TICLAWK_*" rule from earlier versions was
+ * too aggressive: it also wiped out the agent-context env we inject for
+ * the agent CLI to talk back to the local daemon. We now use a precise
+ * denylist of secret/config keys and explicitly allow the
+ * TICLAWK_RUNTIME_* and TICLAWK_API_URL keys through (the latter is
+ * read-only from the runtime's perspective — it never holds a credential
+ * on its own).
+ */
+
+// Keys the daemon must never leak into child runtime processes.
+// These hold credentials or operator config the agent shouldn't see.
+const STRIPPED_KEYS = new Set([
+  'TICLAWK_CONNECTOR_API_KEY',
+  'TICLAWK_CONNECTOR_WS_URL',
+  'TICLAWK_SETUP_CODE',
+]);
+
 export function buildRuntimeEnv(extra = {}) {
   const env = { ...process.env, ...extra };
-  for (const key of Object.keys(env)) {
-    if (key.startsWith('TICLAWK_')) {
-      delete env[key];
-    }
-  }
+  for (const key of STRIPPED_KEYS) delete env[key];
   return env;
 }
+
+/**
+ * Build the per-agent runtime env block. The daemon includes the
+ * resulting fields in `buildRuntimeEnv({ ...buildAgentRuntimeEnv(...) })`
+ * when spawning a runtime, so the agent CLI can talk back to the local
+ * daemon with a validated identity.
+ */
+export function buildAgentRuntimeEnv({
+  agentId,
+  sessionId,
+  hostId,
+  daemonUrl,
+} = {}) {
+  const out = {};
+  if (agentId) out.TICLAWK_RUNTIME_AGENT_ID = String(agentId);
+  if (sessionId) out.TICLAWK_RUNTIME_SESSION_ID = String(sessionId);
+  if (hostId) out.TICLAWK_RUNTIME_HOST_ID = String(hostId);
+  out.TICLAWK_RUNTIME_DAEMON_URL = daemonUrl || 'http://127.0.0.1:8741';
+  return out;
+}

package/src/core/runtime-support.mjs

@@ -1,4 +1,5 @@
 import { getStreamingMode } from './config.mjs';
+import { getAgentHome } from './agent-home.mjs';
 const ERROR_MAX_CHARS = 500;
 const DEFAULT_DELTA_FLUSH_MS = 250;
 const DEFAULT_DELTA_FLUSH_CHARS = 64;
@@ -15,7 +16,7 @@ function runtimeContextLines(binding, info = {}) {
   const lines = [];
   if (meta.sessionId) lines.push(`Session: ${meta.sessionId}`);
   if (info.turnId) lines.push(`Turn: ${info.turnId}`);
-  if (meta.cwd || meta.workdir) lines.push(`Workdir: ${meta.cwd || meta.workdir}`);
+  if (binding?.id) lines.push(`Workdir: ${getAgentHome(binding.id)}`);
   return lines;
 }
 
@@ -41,57 +42,43 @@ export function shouldStreamRuntime(runtimeName, runtime) {
   return Boolean(runtime?.runTurnStream) && getStreamingMode(runtimeName);
 }
 
-export async function sendAdapterMessage(adapter, binding, payload) {
-  await adapter.send(binding, payload);
-}
-
-export async function sendResult(adapter, binding, inbound, result) {
-  if (!result?.text && (!result?.mediaUrls || result.mediaUrls.length === 0)) return;
-  await sendAdapterMessage(adapter, binding, {
-    type: 'assistant',
-    text: result.text || '',
-    media: result.media || [],
-    turnId: inbound.messageId || result?.turnId || null,
-    replyToMessageId: inbound.messageId || null,
-  });
-}
-
 export async function reportSubprocessFailure({ adapter, binding, inbound, runtimeName, info }) {
   if (!info || info.ok) return;
   const seconds = ((info.durationMs || 0) / 1000).toFixed(1);
-  if (runtimeName === 'Codex' && isRuntimeGatewayFailure(info)) {
-    await sendAdapterMessage(adapter, binding, {
-      type: 'assistant',
-      text: buildCodexGatewayFailureText({ binding, info, seconds }),
-      media: [],
-      turnId: inbound?.messageId || null,
-      replyToMessageId: inbound?.messageId || null,
-    });
-    return;
-  }
 
-  let summary;
-  if (info.kind === 'killed') {
-    summary = `⚠️ ${runtimeName} was killed by signal ${info.signal} after ${seconds}s.`;
-  } else if (info.kind === 'spawn-failed') {
-    summary = `⚠️ ${runtimeName} failed to spawn: ${info.error || 'unknown error'}.`;
-  } else if (info.kind === 'gateway-timeout') {
-    summary = `⚠️ ${runtimeName} did not respond after ${seconds}s (timeout).`;
-  } else if (info.kind === 'gateway-error') {
-    summary = `⚠️ ${runtimeName} returned an error after ${seconds}s.`;
-  } else if (typeof info.code === 'number') {
-    summary = `⚠️ ${runtimeName} exited with code ${info.code} after ${seconds}s.`;
+  let text;
+  if (runtimeName === 'Codex' && isRuntimeGatewayFailure(info)) {
+    text = buildCodexGatewayFailureText({ binding, info, seconds });
   } else {
-    summary = `⚠️ ${runtimeName} failed after ${seconds}s.`;
+    let summary;
+    if (info.kind === 'killed') {
+      summary = `⚠️ ${runtimeName} was killed by signal ${info.signal} after ${seconds}s.`;
+    } else if (info.kind === 'spawn-failed') {
+      summary = `⚠️ ${runtimeName} failed to spawn: ${info.error || 'unknown error'}.`;
+    } else if (info.kind === 'gateway-timeout') {
+      summary = `⚠️ ${runtimeName} did not respond after ${seconds}s (timeout).`;
+    } else if (info.kind === 'gateway-error') {
+      summary = `⚠️ ${runtimeName} returned an error after ${seconds}s.`;
+    } else if (typeof info.code === 'number') {
+      summary = `⚠️ ${runtimeName} exited with code ${info.code} after ${seconds}s.`;
+    } else {
+      summary = `⚠️ ${runtimeName} failed after ${seconds}s.`;
+    }
+    const detail = truncateError(info.errorMessage);
+    text = detail ? `${summary}\n\n${detail}` : `${summary}\n\nCheck ~/.ticlawk/ticlawk.log on the host for details.`;
   }
-  const detail = truncateError(info.errorMessage);
-  const text = detail ? `${summary}\n\n${detail}` : `${summary}\n\nCheck ~/.ticlawk/ticlawk.log on the host for details.`;
-  await sendAdapterMessage(adapter, binding, {
-    type: 'assistant',
+
+  // Runtime never got to invoke `ticlawk message send`, so the daemon
+  // speaks for the agent. visibility='admin' so the message reaches
+  // owner/admin members only — the enqueue_message_deliveries trigger
+  // skips fan-out to member-role agents, breaking what would otherwise
+  // be a failure→fan-out→failure cascade when several agents share a
+  // broken runtime.
+  await adapter.postAgentReply(binding, {
+    conversationId: inbound?.conversationId || null,
     text,
-    media: [],
-    turnId: inbound?.messageId || null,
     replyToMessageId: inbound?.messageId || null,
+    visibility: 'admin',
   });
 }
 

package/src/core/ticlawk-control.mjs

@@ -1,5 +1,4 @@
 import { Bus } from './bus.mjs';
-import { getConfiguredAdapter } from './config.mjs';
 import { createAdapter } from './adapter-registry.mjs';
 import { getBinding, listBindings, upsertBinding, deleteBinding, findBindingByTarget } from './bindings/store.mjs';
 import { buildRuntimeContext, normalizeServiceType } from './runtime-registry.mjs';
@@ -31,7 +30,7 @@ function createUpsertBindingWithSync(runtimes, adapter) {
   };
 }
 
-function createCacheBinding(runtimes, getAdapter) {
+function createPersistBinding(runtimes, getAdapter) {
   return async (binding) => {
     const nextBinding = await upsertBinding(binding);
     const runtime = nextBinding?.runtime ? runtimes[nextBinding.runtime] : null;
@@ -43,11 +42,13 @@ function createCacheBinding(runtimes, getAdapter) {
   };
 }
 
-export async function createTiclawkController(adapterId = getConfiguredAdapter()) {
+const ADAPTER_ID = 'ticlawk';
+
+export async function createTiclawkController(adapterId = ADAPTER_ID) {
   const { runtimes } = await buildRuntimeContext();
   const resolveRuntimeBinding = createResolveRuntimeBinding(runtimes);
   let adapter;
-  const cacheBinding = createCacheBinding(runtimes, () => adapter);
+  const persistBinding = createPersistBinding(runtimes, () => adapter);
   let syncBinding = async (binding) => {
     if (!adapter) {
       throw new Error('adapter not initialized');
@@ -63,7 +64,7 @@ export async function createTiclawkController(adapterId = getConfiguredAdapter()
     deleteBinding,
     findBindingByTarget,
     resolveRuntimeBinding,
-    cacheBinding: (binding) => cacheBinding(binding),
+    persistBinding: (binding) => persistBinding(binding),
     upsertBinding: (binding) => syncBinding(binding),
     buildImageMessageFromInbound,
     logger,
@@ -74,7 +75,7 @@ export async function createTiclawkController(adapterId = getConfiguredAdapter()
 }
 
 export async function runTiclawkConnect(payload) {
-  const adapterId = payload?.adapter || getConfiguredAdapter();
+  const adapterId = payload?.adapter || ADAPTER_ID;
   const { adapter } = await createTiclawkController(adapterId);
   if (typeof adapter.connect !== 'function') {
     return {