brigade-cli 0.7.0__tar.gz → 0.8.0__tar.gz

{brigade_cli-0.7.0 → brigade_cli-0.8.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: brigade-cli
-Version: 0.7.0
+Version: 0.8.0
 Summary: Run your agent brigade: an operator-system CLI that bootstraps, checks, and operates agent workspaces across harnesses.
 Author-email: Solomon Neas <srneas@gmail.com>
 License: MIT
@@ -60,6 +60,52 @@ It is meant for people running real tools, real docs, and real automation across
 
 The cookbook explains the why. This package gives you the kitchen.
 
+## The design
+
+One memory owner stays canonical.
+That is typically OpenClaw or Hermes when present, otherwise `this-repo`.
+Writer harnesses drop handoffs into their own inboxes, and the ingester scans all of them.
+
+```mermaid
+flowchart TB
+    CC["<b>Claude Code</b>"]
+    CX["<b>Codex</b>"]
+    CCI[".claude/memory-handoffs/"]
+    CXI[".codex/memory-handoffs/"]
+    CC --> CCI
+    CX --> CXI
+
+    ING(["<b>brigade ingest</b>"])
+    CCI --> ING
+    CXI --> ING
+
+    OUT["memory/cards/*.md · TOOLS.md · USER.md<br/>rules/*.md · .learnings/*.md"]
+    ING --> OUT
+
+    classDef harness fill:#e0f2fe,stroke:#0284c7,color:#075985;
+    classDef inbox fill:#f1f5f9,stroke:#94a3b8,color:#334155;
+    classDef ingest fill:#fef3c7,stroke:#d97706,color:#92400e;
+    classDef store fill:#dcfce7,stroke:#16a34a,color:#166534;
+    class CC,CX harness;
+    class CCI,CXI inbox;
+    class ING ingest;
+    class OUT store;
+```
+
+The ingester is intentionally conservative.
+Safe card handoffs become cards.
+Targeted updates append to the right file.
+Ambiguous material gets kicked out for review instead of being trusted automatically.
+
+For users running multiple agent homes, treat the owner workspace as the hub.
+Remote or secondary workspaces can write handoffs into their own per-harness inboxes.
+A trusted sync can pull those files into a staging inbox on the owner.
+That keeps agents informed without creating multiple canonical memories.
+
+Token-heavy terminal work gets the same treatment.
+Make the wrapper explicit, make the escape hatch obvious, and tell every harness what is happening.
+The TokenJuice starter card documents Claude Code's PreToolUse wrapper path, Codex's hook setup, and the savings model.
+
 ## What you get
 
 Brigade has grown from a bootstrap kit into a local control plane for agent work. The current public surface includes:
@@ -84,8 +130,10 @@ The installable source files live under `src/brigade/templates/`; root workspace
 
 See [`ROADMAP.md`](ROADMAP.md) for the daily-driver, scanner inbox, chat-surface scanner, and memory-card decay roadmap. The active phase queue for roadmap completion hardening is tracked in [`docs/phase-61-100-plan.md`](docs/phase-61-100-plan.md).
 The production-hardening queue for the daily operator system is tracked in [`docs/phase-115-164-plan.md`](docs/phase-115-164-plan.md).
+
 Long unattended phase work is audited through the local phase execution ledger described in [`docs/phase-execution-ledger.md`](docs/phase-execution-ledger.md). Future multi-phase work is not complete unless each phase has ledger evidence or an explicit deferral.
 Phase ledger closeouts let an operator mark completed phase evidence as reviewed, deferred, blocked, or archived, and stale unreviewed completed phases surface in doctor output.
+
 Phase execution sessions group a declared AFK range into one local record with current phase, status, commit and test counts, report references, closeout state, and the next recommended command.
 Session next/resume commands identify the safest next local command and record resume metadata without executing hidden work.
 Session checkpoints record local recovery points with safe summaries, notes, current next-step state, and suggested commands without executing the suggested command.
@@ -93,6 +141,7 @@ Session checkpoint list/show/compare commands inspect those local recovery point
 Session checkpoint import commands route blocked or stale checkpoint issues into the normal work inbox as deduped local tasks.
 Session next/resume output includes the latest checkpoint summary and issue counts when checkpoint recovery metadata exists.
 Session recovery notes record safe summaries, notes, and evidence labels for AFK resume context, with list/show/closeout commands and activity timeline entries.
+
 Daily planning can surface checkpoint issues as local candidates that point at checkpoint import commands instead of hiding AFK recovery drift.
 Daily run can also write one local phase session checkpoint as its single bounded action when the selected session needs safe AFK recovery metadata.
 Session risk output summarizes next-step blockers, checkpoint drift, open recovery notes, and phase doctor issues in one read-only view.
@@ -100,6 +149,7 @@ Session verification output rolls up expected, passed, failed, skipped, and defe
 Session privacy output rolls up clean, blocked, and missing privacy checks across a whole AFK session range.
 Session handoff output rolls up linted, drafted, failed, deferred, and missing handoff evidence across a whole AFK session range.
 Session report bundles collect the phase records, checks, actions, imports, commits, tests, and blockers into local Markdown and JSON evidence.
+
 The daily driver can surface active phase sessions and run exactly one safe session step, such as building a session report or writing session closeout metadata.
 Release and operator review surfaces include phase session state so stale or unreported AFK work blocks publish review visibly.
 Release doctor also reports blocked or stale phase-session checkpoint evidence before publish review.
@@ -109,6 +159,7 @@ Work brief includes the latest phase-session checkpoint and compare summary in t
 Phase action planning can turn blocked or stale phase-session checkpoint issues into local phase actions.
 Session checkpoint archive moves old recovery points into local JSONL metadata so they stop driving latest-checkpoint health.
 Session report bundles include a recovery section with checkpoint and recovery-note summaries.
+
 `brigade work phases evidence add` appends local files, tests, report ids, handoff paths, and notes to a phase record without running commands.
 `brigade work phases verify plan/record` keeps expected verification and recorded outcomes visible without executing tests.
 `brigade work phases reconcile` checks recorded commit and push evidence against local git state without changing git.
@@ -119,13 +170,16 @@ Session report bundles include a recovery section with checkpoint and recovery-n
 `brigade work phases session import-issues` routes unresolved AFK session blockers into the work inbox with phase-session provenance and dedupe.
 `brigade work phases goal scaffold` writes a local editable `/goal` draft from ledger state, session evidence, blockers, and roadmap references without copying private evidence.
 `brigade work phases session gate` is the final read-only AFK claim check, and release evidence includes its latest result.
+
 Phase ledger compare checks make it clear when local HEAD, referenced files, reports, or doctor issue counts drift after a phase is recorded.
 Phase ledger action queues turn those ledger issues into local metadata-only next steps without executing commands.
 The daily driver can select those phase-ledger actions when they block AFK or release completion, then start one action or build one phase report as a bounded local step.
+
 Release readiness and candidate compare include phase closeout and report references so publish review can catch unreviewed or stale phase evidence.
 Phase report closeouts let an operator review, defer, supersede, or archive a generated phase report without changing its evidence.
 Phase report compare checks saved report bundles against current ledger state before relying on them.
 Work brief and center status include open phase action counts so ledger follow-ups stay visible in the daily loop.
+
 Open phase actions can be imported into the normal work inbox when they need a reviewed task.
 Release candidate evidence includes the latest phase report compare summary.
 The current AFK ledger hardening tranche is described in [`docs/phase-226-250-plan.md`](docs/phase-226-250-plan.md).
@@ -1143,41 +1197,6 @@ The normal exception is your own configured tooling:
 - the `pre-push` hook runs the local `content-guard` scanner before commits leave the machine
 - `brigade security enrich` can call MISP only when you explicitly configure and run the `misp` provider
 
-## The design
-
-One memory owner stays canonical.
-That is typically OpenClaw or Hermes when present, otherwise `this-repo`.
-Writer harnesses drop handoffs into their own inboxes, and the ingester scans all of them.
-
-```text
-Claude Code              Codex
-     |                     |
-     v                     v
-.claude/memory-handoffs/ .codex/memory-handoffs/
-     \                   /
-      \                 /
-       v               v
-      brigade ingest
-              |
-              v
-  memory/cards/*.md, TOOLS.md, USER.md,
-  rules/*.md, .learnings/*.md
-```
-
-The ingester is intentionally conservative.
-Safe card handoffs become cards.
-Targeted updates append to the right file.
-Ambiguous material gets kicked out for review instead of being trusted automatically.
-
-For users running multiple agent homes, treat the owner workspace as the hub.
-Remote or secondary workspaces can write handoffs into their own per-harness inboxes.
-A trusted sync can pull those files into a staging inbox on the owner.
-That keeps agents informed without creating multiple canonical memories.
-
-Token-heavy terminal work gets the same treatment.
-Make the wrapper explicit, make the escape hatch obvious, and tell every harness what is happening.
-The TokenJuice starter card documents Claude Code's PreToolUse wrapper path, Codex's hook setup, and the savings model.
-
 ## Maintenance and utility commands
 
 A few commands sit outside the daily loop:

{brigade_cli-0.7.0 → brigade_cli-0.8.0}/README.md

@@ -37,6 +37,52 @@ It is meant for people running real tools, real docs, and real automation across
 
 The cookbook explains the why. This package gives you the kitchen.
 
+## The design
+
+One memory owner stays canonical.
+That is typically OpenClaw or Hermes when present, otherwise `this-repo`.
+Writer harnesses drop handoffs into their own inboxes, and the ingester scans all of them.
+
+```mermaid
+flowchart TB
+    CC["<b>Claude Code</b>"]
+    CX["<b>Codex</b>"]
+    CCI[".claude/memory-handoffs/"]
+    CXI[".codex/memory-handoffs/"]
+    CC --> CCI
+    CX --> CXI
+
+    ING(["<b>brigade ingest</b>"])
+    CCI --> ING
+    CXI --> ING
+
+    OUT["memory/cards/*.md · TOOLS.md · USER.md<br/>rules/*.md · .learnings/*.md"]
+    ING --> OUT
+
+    classDef harness fill:#e0f2fe,stroke:#0284c7,color:#075985;
+    classDef inbox fill:#f1f5f9,stroke:#94a3b8,color:#334155;
+    classDef ingest fill:#fef3c7,stroke:#d97706,color:#92400e;
+    classDef store fill:#dcfce7,stroke:#16a34a,color:#166534;
+    class CC,CX harness;
+    class CCI,CXI inbox;
+    class ING ingest;
+    class OUT store;
+```
+
+The ingester is intentionally conservative.
+Safe card handoffs become cards.
+Targeted updates append to the right file.
+Ambiguous material gets kicked out for review instead of being trusted automatically.
+
+For users running multiple agent homes, treat the owner workspace as the hub.
+Remote or secondary workspaces can write handoffs into their own per-harness inboxes.
+A trusted sync can pull those files into a staging inbox on the owner.
+That keeps agents informed without creating multiple canonical memories.
+
+Token-heavy terminal work gets the same treatment.
+Make the wrapper explicit, make the escape hatch obvious, and tell every harness what is happening.
+The TokenJuice starter card documents Claude Code's PreToolUse wrapper path, Codex's hook setup, and the savings model.
+
 ## What you get
 
 Brigade has grown from a bootstrap kit into a local control plane for agent work. The current public surface includes:
@@ -61,8 +107,10 @@ The installable source files live under `src/brigade/templates/`; root workspace
 
 See [`ROADMAP.md`](ROADMAP.md) for the daily-driver, scanner inbox, chat-surface scanner, and memory-card decay roadmap. The active phase queue for roadmap completion hardening is tracked in [`docs/phase-61-100-plan.md`](docs/phase-61-100-plan.md).
 The production-hardening queue for the daily operator system is tracked in [`docs/phase-115-164-plan.md`](docs/phase-115-164-plan.md).
+
 Long unattended phase work is audited through the local phase execution ledger described in [`docs/phase-execution-ledger.md`](docs/phase-execution-ledger.md). Future multi-phase work is not complete unless each phase has ledger evidence or an explicit deferral.
 Phase ledger closeouts let an operator mark completed phase evidence as reviewed, deferred, blocked, or archived, and stale unreviewed completed phases surface in doctor output.
+
 Phase execution sessions group a declared AFK range into one local record with current phase, status, commit and test counts, report references, closeout state, and the next recommended command.
 Session next/resume commands identify the safest next local command and record resume metadata without executing hidden work.
 Session checkpoints record local recovery points with safe summaries, notes, current next-step state, and suggested commands without executing the suggested command.
@@ -70,6 +118,7 @@ Session checkpoint list/show/compare commands inspect those local recovery point
 Session checkpoint import commands route blocked or stale checkpoint issues into the normal work inbox as deduped local tasks.
 Session next/resume output includes the latest checkpoint summary and issue counts when checkpoint recovery metadata exists.
 Session recovery notes record safe summaries, notes, and evidence labels for AFK resume context, with list/show/closeout commands and activity timeline entries.
+
 Daily planning can surface checkpoint issues as local candidates that point at checkpoint import commands instead of hiding AFK recovery drift.
 Daily run can also write one local phase session checkpoint as its single bounded action when the selected session needs safe AFK recovery metadata.
 Session risk output summarizes next-step blockers, checkpoint drift, open recovery notes, and phase doctor issues in one read-only view.
@@ -77,6 +126,7 @@ Session verification output rolls up expected, passed, failed, skipped, and defe
 Session privacy output rolls up clean, blocked, and missing privacy checks across a whole AFK session range.
 Session handoff output rolls up linted, drafted, failed, deferred, and missing handoff evidence across a whole AFK session range.
 Session report bundles collect the phase records, checks, actions, imports, commits, tests, and blockers into local Markdown and JSON evidence.
+
 The daily driver can surface active phase sessions and run exactly one safe session step, such as building a session report or writing session closeout metadata.
 Release and operator review surfaces include phase session state so stale or unreported AFK work blocks publish review visibly.
 Release doctor also reports blocked or stale phase-session checkpoint evidence before publish review.
@@ -86,6 +136,7 @@ Work brief includes the latest phase-session checkpoint and compare summary in t
 Phase action planning can turn blocked or stale phase-session checkpoint issues into local phase actions.
 Session checkpoint archive moves old recovery points into local JSONL metadata so they stop driving latest-checkpoint health.
 Session report bundles include a recovery section with checkpoint and recovery-note summaries.
+
 `brigade work phases evidence add` appends local files, tests, report ids, handoff paths, and notes to a phase record without running commands.
 `brigade work phases verify plan/record` keeps expected verification and recorded outcomes visible without executing tests.
 `brigade work phases reconcile` checks recorded commit and push evidence against local git state without changing git.
@@ -96,13 +147,16 @@ Session report bundles include a recovery section with checkpoint and recovery-n
 `brigade work phases session import-issues` routes unresolved AFK session blockers into the work inbox with phase-session provenance and dedupe.
 `brigade work phases goal scaffold` writes a local editable `/goal` draft from ledger state, session evidence, blockers, and roadmap references without copying private evidence.
 `brigade work phases session gate` is the final read-only AFK claim check, and release evidence includes its latest result.
+
 Phase ledger compare checks make it clear when local HEAD, referenced files, reports, or doctor issue counts drift after a phase is recorded.
 Phase ledger action queues turn those ledger issues into local metadata-only next steps without executing commands.
 The daily driver can select those phase-ledger actions when they block AFK or release completion, then start one action or build one phase report as a bounded local step.
+
 Release readiness and candidate compare include phase closeout and report references so publish review can catch unreviewed or stale phase evidence.
 Phase report closeouts let an operator review, defer, supersede, or archive a generated phase report without changing its evidence.
 Phase report compare checks saved report bundles against current ledger state before relying on them.
 Work brief and center status include open phase action counts so ledger follow-ups stay visible in the daily loop.
+
 Open phase actions can be imported into the normal work inbox when they need a reviewed task.
 Release candidate evidence includes the latest phase report compare summary.
 The current AFK ledger hardening tranche is described in [`docs/phase-226-250-plan.md`](docs/phase-226-250-plan.md).
@@ -1120,41 +1174,6 @@ The normal exception is your own configured tooling:
 - the `pre-push` hook runs the local `content-guard` scanner before commits leave the machine
 - `brigade security enrich` can call MISP only when you explicitly configure and run the `misp` provider
 
-## The design
-
-One memory owner stays canonical.
-That is typically OpenClaw or Hermes when present, otherwise `this-repo`.
-Writer harnesses drop handoffs into their own inboxes, and the ingester scans all of them.
-
-```text
-Claude Code              Codex
-     |                     |
-     v                     v
-.claude/memory-handoffs/ .codex/memory-handoffs/
-     \                   /
-      \                 /
-       v               v
-      brigade ingest
-              |
-              v
-  memory/cards/*.md, TOOLS.md, USER.md,
-  rules/*.md, .learnings/*.md
-```
-
-The ingester is intentionally conservative.
-Safe card handoffs become cards.
-Targeted updates append to the right file.
-Ambiguous material gets kicked out for review instead of being trusted automatically.
-
-For users running multiple agent homes, treat the owner workspace as the hub.
-Remote or secondary workspaces can write handoffs into their own per-harness inboxes.
-A trusted sync can pull those files into a staging inbox on the owner.
-That keeps agents informed without creating multiple canonical memories.
-
-Token-heavy terminal work gets the same treatment.
-Make the wrapper explicit, make the escape hatch obvious, and tell every harness what is happening.
-The TokenJuice starter card documents Claude Code's PreToolUse wrapper path, Codex's hook setup, and the savings model.
-
 ## Maintenance and utility commands
 
 A few commands sit outside the daily loop:

{brigade_cli-0.7.0 → brigade_cli-0.8.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "brigade-cli"
-version = "0.7.0"
+version = "0.8.0"
 description = "Run your agent brigade: an operator-system CLI that bootstraps, checks, and operates agent workspaces across harnesses."
 readme = "README.md"
 requires-python = ">=3.10"

brigade_cli-0.8.0/src/brigade/budgets.py

@@ -0,0 +1,83 @@
+"""Canonical size/staleness budgets for the brigade operator system.
+
+This is the single source of truth for the numbers that govern how much content
+may live in bootstrap files and memory cards, how long handoffs may sit before
+they count as a stalled backlog, and how stale a memory-care scan may get.
+
+brigade's own `doctor`, `ingest`, `handoff`, and `repos` stations all import
+from here so the preventive guards and the post-hoc warnings can never disagree.
+Satellite tools (bootstrap-doctor, memory-doctor) are intended to depend on
+brigade and consume these definitions rather than redeclaring them, so updating
+a budget here updates every downstream consumer.
+"""
+from __future__ import annotations
+
+from pathlib import Path
+
+# --- Bootstrap files -------------------------------------------------------
+# OpenClaw loads these into the session prefix every turn. There is an empirical
+# soft ceiling around 12,000 chars per file before content is silently truncated
+# mid-session. Per-file budgets stay below that with headroom.
+BOOTSTRAP_BUDGETS: dict[str, int] = {
+    "AGENTS.md": 12_000,
+    "CLAUDE.md": 6_000,
+    "MEMORY.md": 7_000,
+    "TOOLS.md": 10_000,
+    "USER.md": 8_000,
+    "SAFETY_RULES.md": 10_000,
+    "INSTALL_FOR_AGENTS.md": 8_000,
+    "SOUL.md": 8_000,
+    "IDENTITY.md": 4_000,
+    "HEARTBEAT.md": 5_000,
+}
+
+# Flat whole-file thresholds for the simpler bootstrap auditor model (one soft
+# warning level and one hard limit applied across tracked files), as opposed to
+# the per-file BOOTSTRAP_BUDGETS above. Canonical here so the bootstrap-doctor
+# satellite sources them instead of redeclaring its own (which had drifted).
+# Invariant: soft < hard < ceiling. The ceiling is the empirical truncation point.
+DEFAULT_BOOTSTRAP_SOFT_LIMIT = 10_000
+DEFAULT_BOOTSTRAP_HARD_LIMIT = 11_500
+BOOTSTRAP_HARD_LIMIT_CEILING = 12_000
+
+# --- Memory cards ----------------------------------------------------------
+MEMORY_CARD_BUDGET_BYTES = 8_000
+
+# --- MEMORY.md index -------------------------------------------------------
+# The flat index should stay short; detail belongs in topic cards.
+MEMORY_INDEX_MAX_LINES = 180
+
+# --- Staleness thresholds --------------------------------------------------
+# A memory-care decay scan older than this is considered stale.
+MEMORY_CARE_SCAN_STALE_DAYS = 7
+# A handoff inbox with pending files older than this is a stalled backlog:
+# handoffs are being written but nothing is ingesting them.
+HANDOFF_BACKLOG_STALE_DAYS = 3
+HANDOFF_BACKLOG_STALE_SECONDS = HANDOFF_BACKLOG_STALE_DAYS * 24 * 60 * 60
+
+
+def bootstrap_budget(name: str) -> int | None:
+    """Byte budget for a bootstrap file basename, or None if it is not tracked."""
+    return BOOTSTRAP_BUDGETS.get(name)
+
+
+def is_bootstrap_target(rel_path: str) -> bool:
+    """True if a routing target basename is a budgeted bootstrap file."""
+    return Path(rel_path).name in BOOTSTRAP_BUDGETS
+
+
+def route_would_exceed_budget(dest: Path, addition: str) -> tuple[bool, int | None]:
+    """Whether appending `addition` to a bootstrap file would exceed its budget.
+
+    Returns (would_exceed, budget). Non-bootstrap targets (e.g. .learnings/*)
+    are never guarded: (False, None).
+    """
+    budget = BOOTSTRAP_BUDGETS.get(dest.name)
+    if budget is None:
+        return False, None
+    try:
+        existing = dest.stat().st_size if dest.is_file() else 0
+    except OSError:
+        existing = 0
+    projected = existing + len(addition.encode("utf-8"))
+    return projected > budget, budget

{brigade_cli-0.7.0 → brigade_cli-0.8.0}/src/brigade/cli.py

@@ -361,6 +361,12 @@ def _build_parser() -> argparse.ArgumentParser:
     p_repos_import.add_argument("--target", "-t", type=Path, default=Path("."), help="Repo or workspace to inspect.")
     p_repos_import.add_argument("--dry-run", action="store_true", help="Show counts without writing imports.")
     p_repos_import.add_argument("--json", action="store_true", help="Print machine-readable JSON.")
+    p_repos_ingest = repos_sub.add_parser("ingest", help="Ingest every fleet repo's handoffs into the canonical owner.")
+    p_repos_ingest.add_argument("--target", "-t", type=Path, default=Path("."), help="Canonical memory owner (where the fleet config lives).")
+    p_repos_ingest.add_argument("--apply", action="store_true", help="Write changes. Default is a dry run.")
+    p_repos_ingest.add_argument("--no-promote-cards", action="store_true", help="Do not auto-promote cards.")
+    p_repos_ingest.add_argument("--no-route-documents", action="store_true", help="Do not auto-route documents.")
+    p_repos_ingest.add_argument("--json", action="store_true", help="Print machine-readable JSON.")
     p_repos_health_commands = repos_sub.add_parser("health-commands", help="Inspect configured optional repo health commands.")
     p_repos_health_commands.add_argument("--target", "-t", type=Path, default=Path("."), help="Repo or workspace to inspect.")
     p_repos_health_commands.add_argument("--json", action="store_true", help="Print machine-readable JSON.")
@@ -2489,6 +2495,14 @@ def main(argv=None) -> int:
             return repos_cmd.doctor(target=args.target, json_output=args.json)
         if args.repos_command == "import-issues":
             return repos_cmd.import_issues(target=args.target, dry_run=args.dry_run, json_output=args.json)
+        if args.repos_command == "ingest":
+            return repos_cmd.ingest_fleet(
+                target=args.target,
+                apply=args.apply,
+                promote_cards=not args.no_promote_cards,
+                route_documents=not args.no_route_documents,
+                json_output=args.json,
+            )
         if args.repos_command == "health-commands":
             return repos_cmd.health_commands(target=args.target, json_output=args.json)
         if args.repos_command == "discover":

{brigade_cli-0.7.0 → brigade_cli-0.8.0}/src/brigade/doctor.py

@@ -17,20 +17,11 @@ WARN = "WARN"
 FAIL = "FAIL"
 MANUAL = "MANUAL"
 
-BOOTSTRAP_BUDGETS = {
-    "AGENTS.md": 12_000,
-    "CLAUDE.md": 6_000,
-    "MEMORY.md": 7_000,
-    "TOOLS.md": 10_000,
-    "USER.md": 8_000,
-    "SAFETY_RULES.md": 10_000,
-    "INSTALL_FOR_AGENTS.md": 8_000,
-    "SOUL.md": 8_000,
-    "IDENTITY.md": 4_000,
-    "HEARTBEAT.md": 5_000,
-}
-MEMORY_CARD_BUDGET_BYTES = 8_000
-MEMORY_CARE_SCAN_STALE_DAYS = 7
+from .budgets import (
+    BOOTSTRAP_BUDGETS,
+    MEMORY_CARD_BUDGET_BYTES,
+    MEMORY_CARE_SCAN_STALE_DAYS,
+)
 
 from .station import DoctorContext
 

{brigade_cli-0.7.0 → brigade_cli-0.8.0}/src/brigade/handoff_cmd.py

@@ -19,6 +19,12 @@ WRITER_INBOXES = (".claude/memory-handoffs", ".codex/memory-handoffs")
 IGNORED_HANDOFF_NAMES = {"TEMPLATE.md"}
 DEFAULT_STALE_AFTER_MINUTES = 90
 HANDOFF_DRAFT_STALE_HOURS = 72
+# A handoff inbox with pending files whose oldest entry is older than this is
+# treated as a stalled backlog: handoffs are being written but nothing is
+# ingesting them. Catches the silent pile-up where a repo's inbox is never
+# reached by the canonical ingester (e.g. an uncovered repo in the fleet).
+# Canonical value lives in budgets.py so doctor/ingest/repos all agree.
+from .budgets import HANDOFF_BACKLOG_STALE_SECONDS as BACKLOG_STALE_SECONDS
 MAX_INGESTOR_WARNING_SIGNALS = 5
 CARD_ACTIONS = ("create-card", "update-card")
 NO_CARD_ACTION = "no-card"
@@ -68,6 +74,7 @@ class InboxHealth:
     pending: int
     processed: int
     watched: bool
+    oldest_pending_age_seconds: int | None = None
 
     def as_dict(self) -> dict[str, Any]:
         return {
@@ -77,6 +84,7 @@ class InboxHealth:
             "pending": self.pending,
             "processed": self.processed,
             "watched": self.watched,
+            "oldest_pending_age_seconds": self.oldest_pending_age_seconds,
         }
 
 
@@ -322,6 +330,29 @@ def doctor_checks(target: Path, sources: Path | None = None) -> list[tuple[str,
         )
         checks.append((level, f"handoff_watch: {inbox.inbox}", detail))
 
+    stale_backlog = [
+        inbox
+        for inbox in health.inboxes
+        if inbox.pending
+        and inbox.oldest_pending_age_seconds is not None
+        and inbox.oldest_pending_age_seconds >= BACKLOG_STALE_SECONDS
+    ]
+    if stale_backlog:
+        pending_total = sum(inbox.pending for inbox in stale_backlog)
+        oldest = max(
+            inbox.oldest_pending_age_seconds or 0 for inbox in stale_backlog
+        )
+        oldest_days = oldest // (24 * 60 * 60)
+        names = ", ".join(inbox.inbox for inbox in stale_backlog)
+        checks.append(
+            (
+                WARN,
+                "handoff_backlog",
+                f"{pending_total} pending handoff(s) not ingested, oldest {oldest_days}d old "
+                f"({names}); ingester is not reaching this inbox",
+            )
+        )
+
     if source_config := _source_config_for_checks(health.target, health.sources_path):
         for watched_inbox in source_config.watched:
             watched_path = watched_inbox.root / watched_inbox.inbox
@@ -2475,9 +2506,28 @@ def _inspect_inbox(target: Path, rel: str, watched: tuple[WatchedInbox, ...]) ->
         pending=_count_pending(path),
         processed=_count_processed(path),
         watched=_is_watched(target, rel, watched),
+        oldest_pending_age_seconds=_oldest_pending_age_seconds(path),
     )
 
 
+def _oldest_pending_age_seconds(path: Path) -> int | None:
+    """Age in seconds of the oldest pending handoff, or None if the inbox is empty."""
+    if not path.is_dir():
+        return None
+    oldest_mtime: float | None = None
+    for candidate in path.glob("*.md"):
+        if not candidate.is_file():
+            continue
+        if candidate.name.startswith(".") or candidate.name in IGNORED_HANDOFF_NAMES:
+            continue
+        mtime = candidate.stat().st_mtime
+        if oldest_mtime is None or mtime < oldest_mtime:
+            oldest_mtime = mtime
+    if oldest_mtime is None:
+        return None
+    return max(0, int(time.time() - oldest_mtime))
+
+
 def _count_pending(path: Path) -> int:
     if not path.is_dir():
         return 0

{brigade_cli-0.7.0 → brigade_cli-0.8.0}/src/brigade/ingest.py

@@ -16,6 +16,8 @@ from datetime import datetime, timezone
 from pathlib import Path
 from typing import Dict, List
 
+from . import budgets
+
 SECTION_RE = re.compile(r"^##\s+(?P<name>.+?)\s*$", re.MULTILINE)
 SAFE_CARD_NAME_RE = re.compile(r"^[A-Za-z0-9._-]+\.md$")
 SAFE_RULE_PATH_RE = re.compile(r"^rules/[A-Za-z0-9._-]+\.md$")
@@ -85,24 +87,58 @@ def run(
     dry_run: bool = False,
     promote_cards: bool = False,
     route_documents: bool = False,
+    owner: Path | None = None,
 ) -> int:
     """Process handoffs.
 
+    Reads handoffs from `target`'s writer inboxes. By default the resulting
+    cards/documents and review drafts are written back into `target` itself.
+    Pass `owner` to write them into a different canonical memory owner instead
+    (the fleet model: many writer repos, one owner); processed handoffs are
+    still archived in the source repo they came from.
+
     `promote_cards` and `route_documents` are opt-in. With neither flag,
     every handoff routes to the review inbox so a human picks the action.
     Match the cookbook wrapper by passing both flags explicitly.
     """
-    target = target.expanduser().resolve()
-    inbox_dir = target / "memory" / "handoff-inbox"
+    source = target.expanduser().resolve()
+    owner = source if owner is None else owner.expanduser().resolve()
+    stats = IngestStats()
+    rc = ingest_into(
+        source=source,
+        owner=owner,
+        stats=stats,
+        dry_run=dry_run,
+        promote_cards=promote_cards,
+        route_documents=route_documents,
+    )
+    if rc != 0:
+        return rc
+    _report(stats, dry_run=dry_run)
+    return 0
 
-    handoff_dirs = _resolve_inbox_paths(target)
+
+def ingest_into(
+    *,
+    source: Path,
+    owner: Path,
+    stats: IngestStats,
+    dry_run: bool = False,
+    promote_cards: bool = False,
+    route_documents: bool = False,
+) -> int:
+    """Ingest `source`'s handoffs into `owner`'s memory, accumulating `stats`.
+
+    Returns 0 on success, 2 if `source` has no handoff inbox. Used directly by
+    the fleet driver so it can sweep many sources into one owner and report once.
+    """
+    inbox_dir = owner / "memory" / "handoff-inbox"
+    handoff_dirs = _resolve_inbox_paths(source)
     if not handoff_dirs:
-        legacy = target / ".claude" / "memory-handoffs"
+        legacy = source / ".claude" / "memory-handoffs"
         print(f"brigade ingest: no handoff inbox at {legacy}", file=sys.stderr)
         return 2
 
-    stats = IngestStats()
-
     for handoffs_dir in handoff_dirs:
         processed_dir = handoffs_dir / "processed"
         for path in _list_handoffs(handoffs_dir):
@@ -110,14 +146,14 @@ def run(
             sections = parse(path)
             outcome = decide(
                 sections,
-                target=target,
+                target=owner,
                 promote_cards=promote_cards,
                 route_documents=route_documents,
             )
             action = _execute(
                 outcome,
                 handoff_path=path,
-                target=target,
+                target=owner,
                 sections=sections,
                 inbox_dir=inbox_dir,
                 processed_dir=processed_dir,
@@ -132,8 +168,6 @@ def run(
                 stats.inboxed += 1
             elif action.kind == "skipped":
                 stats.skipped += 1
-
-    _report(stats, dry_run=dry_run)
     return 0
 
 
@@ -198,7 +232,21 @@ def decide(
                 "inboxed",
                 reason="document content contains `##` headings (would parse as new section)",
             )
-        return Outcome("routed", dest=target / document)
+        dest = target / document
+        # Bootstrap files load into the session prefix every turn and silently
+        # truncate past ~12k chars. Refuse an append that would push the file
+        # over its budget; route to the inbox so a human trims or re-homes it.
+        addition = "\n\n" + content.strip() + "\n"
+        would_exceed, budget = budgets.route_would_exceed_budget(dest, addition)
+        if would_exceed:
+            return Outcome(
+                "inboxed",
+                reason=(
+                    f"bootstrap budget guard: appending to {document} would exceed "
+                    f"its {budget}B budget; trim the file or promote to a memory card"
+                ),
+            )
+        return Outcome("routed", dest=dest)
 
     if action == "":
         return Outcome("inboxed", reason="missing `Recommended memory action`")