﻿2026-06-17T00:59:16.3281531Z ##[group]Run ./traceable-reqs lint || true
2026-06-17T00:59:16.3281693Z [36;1m./traceable-reqs lint || true[0m
2026-06-17T00:59:16.3294721Z shell: /usr/bin/bash -e {0}
2026-06-17T00:59:16.3294832Z ##[endgroup]
2026-06-17T00:59:16.3506816Z Requirement quality findings (141); 220 requirements queued for agent review:
2026-06-17T00:59:16.3507866Z   [must] requirement_quality REQ-API-1 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3508659Z   [must] requirement_quality REQ-API-4 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3509325Z   [must] requirement_quality REQ-API-4 criterion=length — title is 67 words; want 3..=25
2026-06-17T00:59:16.3509866Z   [must] requirement_quality REQ-CLI-1 criterion=length — title is 47 words; want 3..=25
2026-06-17T00:59:16.3510402Z   [must] requirement_quality REQ-CLI-2 criterion=length — title is 37 words; want 3..=25
2026-06-17T00:59:16.3510991Z   [must] requirement_quality REQ-CLI-3 criterion=length — title is 37 words; want 3..=25
2026-06-17T00:59:16.3511607Z   [must] requirement_quality REQ-CONSENT-1 criterion=length — title is 41 words; want 3..=25
2026-06-17T00:59:16.3512169Z   [must] requirement_quality REQ-CONSENT-2 criterion=length — title is 37 words; want 3..=25
2026-06-17T00:59:16.3512728Z   [must] requirement_quality REQ-CONSENT-3 criterion=length — title is 82 words; want 3..=25
2026-06-17T00:59:16.3513439Z   [must] requirement_quality REQ-CONV-1 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3513886Z   [must] requirement_quality REQ-CONV-1 criterion=length — title is 73 words; want 3..=25
2026-06-17T00:59:16.3514340Z   [must] requirement_quality REQ-CONV-2 criterion=length — title is 47 words; want 3..=25
2026-06-17T00:59:16.3514759Z   [must] requirement_quality REQ-DAEMON-5 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3515074Z   [must] requirement_quality REQ-DAEMON-5 criterion=length — title is 64 words; want 3..=25
2026-06-17T00:59:16.3515464Z   [must] requirement_quality REQ-DAEMON-6 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3515755Z   [must] requirement_quality REQ-DAEMON-6 criterion=length — title is 84 words; want 3..=25
2026-06-17T00:59:16.3516193Z   [must] requirement_quality REQ-DAEMON-7 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3516498Z   [must] requirement_quality REQ-DAEMON-7 criterion=length — title is 62 words; want 3..=25
2026-06-17T00:59:16.3516818Z   [must] requirement_quality REQ-DAEMON-8 criterion=length — title is 44 words; want 3..=25
2026-06-17T00:59:16.3517205Z   [must] requirement_quality REQ-DAEMON-9 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3517500Z   [must] requirement_quality REQ-DAEMON-9 criterion=length — title is 114 words; want 3..=25
2026-06-17T00:59:16.3518233Z   [must] requirement_quality REQ-ELEVATE-1 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3518517Z   [must] requirement_quality REQ-ELEVATE-1 criterion=length — title is 121 words; want 3..=25
2026-06-17T00:59:16.3518880Z   [must] requirement_quality REQ-EP-6 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3519590Z   [must] requirement_quality REQ-EP-6 criterion=length — title is 58 words; want 3..=25
2026-06-17T00:59:16.3519957Z   [must] requirement_quality REQ-EP-7 criterion=length — title is 68 words; want 3..=25
2026-06-17T00:59:16.3520435Z   [must] requirement_quality REQ-HAZARD-BRAIN-RESPAWN-PATH criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3520816Z   [must] requirement_quality REQ-HAZARD-BRAIN-RESPAWN-PATH criterion=length — title is 119 words; want 3..=25
2026-06-17T00:59:16.3521326Z   [must] requirement_quality REQ-HAZARD-BROKER-PROCESS-ISOLATION criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3521980Z   [must] requirement_quality REQ-HAZARD-BROKER-PROCESS-ISOLATION criterion=length — title is 114 words; want 3..=25
2026-06-17T00:59:16.3522353Z   [must] requirement_quality REQ-HAZARD-CONFLICT-BOTH-PRESERVED criterion=length — title is 29 words; want 3..=25
2026-06-17T00:59:16.3522734Z   [must] requirement_quality REQ-HAZARD-DAEMON-SCHED-NONBLOCKING criterion=length — title is 32 words; want 3..=25
2026-06-17T00:59:16.3523101Z   [must] requirement_quality REQ-HAZARD-DETACHED-PIPE-INHERIT criterion=length — title is 52 words; want 3..=25
2026-06-17T00:59:16.3523638Z   [must] requirement_quality REQ-HAZARD-ELEVATED-DAEMON-SPAWN criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3524057Z   [must] requirement_quality REQ-HAZARD-ELEVATED-DAEMON-SPAWN criterion=length — title is 58 words; want 3..=25
2026-06-17T00:59:16.3524972Z   [must] requirement_quality REQ-HAZARD-ENVELOPE-CR-LINESAFE criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3525387Z   [must] requirement_quality REQ-HAZARD-ENVELOPE-CR-LINESAFE criterion=length — title is 73 words; want 3..=25
2026-06-17T00:59:16.3525912Z   [must] requirement_quality REQ-HAZARD-ENVELOPE-PARSER-SAFE criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3526278Z   [must] requirement_quality REQ-HAZARD-EPOCH-RESET criterion=length — title is 60 words; want 3..=25
2026-06-17T00:59:16.3526772Z   [must] requirement_quality REQ-HAZARD-GEN-START-NOW criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3527155Z   [must] requirement_quality REQ-HAZARD-INSTANT-UNDERFLOW criterion=length — title is 30 words; want 3..=25
2026-06-17T00:59:16.3527678Z   [must] requirement_quality REQ-HAZARD-LIVEHOST-BOOT-RACE criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3528104Z   [must] requirement_quality REQ-HAZARD-LIVEHOST-BOOT-RACE criterion=length — title is 158 words; want 3..=25
2026-06-17T00:59:16.3528622Z   [must] requirement_quality REQ-HAZARD-LIVEHOST-NONRESIDENT criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3529178Z   [must] requirement_quality REQ-HAZARD-LIVEHOST-NONRESIDENT criterion=length — title is 171 words; want 3..=25
2026-06-17T00:59:16.3529658Z   [must] requirement_quality REQ-HAZARD-PAIR-RATE-LIMIT criterion=length — title is 37 words; want 3..=25
2026-06-17T00:59:16.3530060Z   [must] requirement_quality REQ-HAZARD-PAIR-SEED-ROTATION criterion=length — title is 33 words; want 3..=25
2026-06-17T00:59:16.3530584Z   [must] requirement_quality REQ-HAZARD-PAIR-TRANSCRIPT-BIND criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3531257Z   [must] requirement_quality REQ-HAZARD-PSYCHE-OUTBOUND-PROXY criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3531684Z   [must] requirement_quality REQ-HAZARD-PSYCHE-OUTBOUND-PROXY criterion=length — title is 27 words; want 3..=25
2026-06-17T00:59:16.3532201Z   [must] requirement_quality REQ-HAZARD-PUMP-IPC-DEADLINE criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3532589Z   [must] requirement_quality REQ-HAZARD-PUMP-IPC-DEADLINE criterion=length — title is 38 words; want 3..=25
2026-06-17T00:59:16.3533113Z   [must] requirement_quality REQ-HAZARD-REGISTRY-GHOST-ROWS criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3533513Z   [must] requirement_quality REQ-HAZARD-REGISTRY-GHOST-ROWS criterion=length — title is 66 words; want 3..=25
2026-06-17T00:59:16.3533933Z   [must] requirement_quality REQ-HAZARD-ROLLBACK-STATE-COMPAT criterion=length — title is 72 words; want 3..=25
2026-06-17T00:59:16.3534502Z   [must] requirement_quality REQ-HAZARD-SELF-ELEVATE criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3534831Z   [must] requirement_quality REQ-HAZARD-SELF-ELEVATE criterion=length — title is 101 words; want 3..=25
2026-06-17T00:59:16.3535174Z   [must] requirement_quality REQ-HAZARD-SUDO-SECURE-PATH criterion=length — title is 43 words; want 3..=25
2026-06-17T00:59:16.3535617Z   [must] requirement_quality REQ-HAZARD-TEMPLATE-ARGV-FILL criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3535975Z   [must] requirement_quality REQ-HAZARD-TEMPLATE-ARGV-FILL criterion=length — title is 166 words; want 3..=25
2026-06-17T00:59:16.3536415Z   [must] requirement_quality REQ-HAZARD-VIEWER-ISOLATION criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3536758Z   [must] requirement_quality REQ-HAZARD-VIEWER-ISOLATION criterion=length — title is 118 words; want 3..=25
2026-06-17T00:59:16.3537138Z   [must] requirement_quality REQ-HAZARD-WAN-ORIGIN-AUTH criterion=length — title is 37 words; want 3..=25
2026-06-17T00:59:16.3537429Z   [must] requirement_quality REQ-HOST-RUN-1 criterion=length — title is 88 words; want 3..=25
2026-06-17T00:59:16.3537710Z   [must] requirement_quality REQ-HOST-RUN-2 criterion=length — title is 97 words; want 3..=25
2026-06-17T00:59:16.3538000Z   [must] requirement_quality REQ-INST-15 criterion=length — title is 32 words; want 3..=25
2026-06-17T00:59:16.3538402Z   [must] requirement_quality REQ-INSTALL-10 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3538698Z   [must] requirement_quality REQ-INSTALL-10 criterion=length — title is 58 words; want 3..=25
2026-06-17T00:59:16.3539060Z   [must] requirement_quality REQ-INSTALL-11 criterion=length — title is 78 words; want 3..=25
2026-06-17T00:59:16.3539372Z   [must] requirement_quality REQ-INSTALL-2 criterion=length — title is 2 word(s); want 3..=25
2026-06-17T00:59:16.3539780Z   [must] requirement_quality REQ-INSTALL-6 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3540067Z   [must] requirement_quality REQ-INSTALL-6 criterion=length — title is 56 words; want 3..=25
2026-06-17T00:59:16.3540452Z   [must] requirement_quality REQ-INSTALL-7 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3540739Z   [must] requirement_quality REQ-INSTALL-7 criterion=length — title is 50 words; want 3..=25
2026-06-17T00:59:16.3541020Z   [must] requirement_quality REQ-INSTALL-8 criterion=length — title is 55 words; want 3..=25
2026-06-17T00:59:16.3541411Z   [must] requirement_quality REQ-INSTALL-9 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3541701Z   [must] requirement_quality REQ-INSTALL-9 criterion=length — title is 62 words; want 3..=25
2026-06-17T00:59:16.3542206Z   [must] requirement_quality REQ-KICK-1 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3542499Z   [must] requirement_quality REQ-KICK-1 criterion=length — title is 133 words; want 3..=25
2026-06-17T00:59:16.3542877Z   [must] requirement_quality REQ-MANIFEST-1 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3543173Z   [must] requirement_quality REQ-MANIFEST-3 criterion=length — title is 26 words; want 3..=25
2026-06-17T00:59:16.3543453Z   [must] requirement_quality REQ-MANIFEST-4 criterion=length — title is 31 words; want 3..=25
2026-06-17T00:59:16.3543739Z   [must] requirement_quality REQ-MANIFEST-5 criterion=length — title is 132 words; want 3..=25
2026-06-17T00:59:16.3544020Z   [must] requirement_quality REQ-MANIFEST-6 criterion=length — title is 84 words; want 3..=25
2026-06-17T00:59:16.3544312Z   [must] requirement_quality REQ-MANIFEST-7 criterion=length — title is 120 words; want 3..=25
2026-06-17T00:59:16.3544701Z   [must] requirement_quality REQ-MESH-1 criterion=length — title is 86 words; want 3..=25
2026-06-17T00:59:16.3545086Z   [must] requirement_quality REQ-MESH-2 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3545361Z   [must] requirement_quality REQ-MESH-2 criterion=length — title is 120 words; want 3..=25
2026-06-17T00:59:16.3545744Z   [must] requirement_quality REQ-MESH-3 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3546016Z   [must] requirement_quality REQ-MESH-3 criterion=length — title is 86 words; want 3..=25
2026-06-17T00:59:16.3546393Z   [must] requirement_quality REQ-MESH-4 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3546670Z   [must] requirement_quality REQ-MESH-4 criterion=length — title is 99 words; want 3..=25
2026-06-17T00:59:16.3547046Z   [must] requirement_quality REQ-MESH-5 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3547347Z   [must] requirement_quality REQ-MESH-5 criterion=length — title is 72 words; want 3..=25
2026-06-17T00:59:16.3547727Z   [must] requirement_quality REQ-MESH-6 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3547989Z   [must] requirement_quality REQ-MESH-6 criterion=length — title is 56 words; want 3..=25
2026-06-17T00:59:16.3548384Z   [must] requirement_quality REQ-MIGRATE-1 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3548656Z   [must] requirement_quality REQ-MSG-4 criterion=length — title is 31 words; want 3..=25
2026-06-17T00:59:16.3548928Z   [must] requirement_quality REQ-MSG-5 criterion=length — title is 38 words; want 3..=25
2026-06-17T00:59:16.3549300Z   [must] requirement_quality REQ-MSG-6 criterion=length — title is 65 words; want 3..=25
2026-06-17T00:59:16.3549728Z   [must] requirement_quality REQ-MSG-ENVELOPE criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3550030Z   [must] requirement_quality REQ-MSG-ENVELOPE criterion=length — title is 153 words; want 3..=25
2026-06-17T00:59:16.3550392Z   [must] requirement_quality REQ-PAIR-8 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3550665Z   [must] requirement_quality REQ-PAIR-8 criterion=length — title is 67 words; want 3..=25
2026-06-17T00:59:16.3551036Z   [must] requirement_quality REQ-PRES-1 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3551304Z   [must] requirement_quality REQ-PRES-1 criterion=length — title is 48 words; want 3..=25
2026-06-17T00:59:16.3551570Z   [must] requirement_quality REQ-RC-1 criterion=length — title is 94 words; want 3..=25
2026-06-17T00:59:16.3551942Z   [must] requirement_quality REQ-RCVIEW-1 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3552343Z   [must] requirement_quality REQ-RCVIEW-1 criterion=length — title is 197 words; want 3..=25
2026-06-17T00:59:16.3552742Z   [must] requirement_quality REQ-RUN-PICKER criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3553036Z   [must] requirement_quality REQ-RUN-PICKER criterion=length — title is 203 words; want 3..=25
2026-06-17T00:59:16.3553428Z   [must] requirement_quality REQ-RUN-SHORTCUT criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3553738Z   [must] requirement_quality REQ-RUN-SHORTCUT criterion=length — title is 226 words; want 3..=25
2026-06-17T00:59:16.3554018Z   [must] requirement_quality REQ-SEAM-SPAWN criterion=length — title is 2 word(s); want 3..=25
2026-06-17T00:59:16.3554290Z   [must] requirement_quality REQ-SHELL-1 criterion=length — title is 36 words; want 3..=25
2026-06-17T00:59:16.3554566Z   [must] requirement_quality REQ-SHELL-2 criterion=length — title is 49 words; want 3..=25
2026-06-17T00:59:16.3554944Z   [must] requirement_quality REQ-SHELL-3 criterion=length — title is 80 words; want 3..=25
2026-06-17T00:59:16.3555329Z   [must] requirement_quality REQ-SHELL-4 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3555607Z   [must] requirement_quality REQ-SHELL-4 criterion=length — title is 84 words; want 3..=25
2026-06-17T00:59:16.3555888Z   [must] requirement_quality REQ-SHELL-5 criterion=length — title is 49 words; want 3..=25
2026-06-17T00:59:16.3556174Z   [must] requirement_quality REQ-STORE-1 criterion=length — title is 34 words; want 3..=25
2026-06-17T00:59:16.3556470Z   [must] requirement_quality REQ-SUBNET-5 criterion=length — title is 52 words; want 3..=25
2026-06-17T00:59:16.3556861Z   [must] requirement_quality REQ-SUBNET-6 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3557147Z   [must] requirement_quality REQ-SUBNET-6 criterion=length — title is 38 words; want 3..=25
2026-06-17T00:59:16.3557535Z   [must] requirement_quality REQ-SUBNET-7 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3557821Z   [must] requirement_quality REQ-SUBNET-7 criterion=length — title is 75 words; want 3..=25
2026-06-17T00:59:16.3558095Z   [must] requirement_quality REQ-SUBNET-8 criterion=length — title is 53 words; want 3..=25
2026-06-17T00:59:16.3558476Z   [must] requirement_quality REQ-TERM-5 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3558743Z   [must] requirement_quality REQ-TERM-5 criterion=length — title is 71 words; want 3..=25
2026-06-17T00:59:16.3559183Z   [must] requirement_quality REQ-TERM-6 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3559503Z   [must] requirement_quality REQ-TERM-6 criterion=length — title is 53 words; want 3..=25
2026-06-17T00:59:16.3559880Z   [must] requirement_quality REQ-TERM-7 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3560147Z   [must] requirement_quality REQ-TERM-7 criterion=length — title is 55 words; want 3..=25
2026-06-17T00:59:16.3560507Z   [must] requirement_quality REQ-UPD-6 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3560786Z   [must] requirement_quality REQ-UPD-6 criterion=length — title is 32 words; want 3..=25
2026-06-17T00:59:16.3561163Z   [must] requirement_quality REQ-UPD-7 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3561431Z   [must] requirement_quality REQ-UPD-7 criterion=length — title is 88 words; want 3..=25
2026-06-17T00:59:16.3561802Z   [must] requirement_quality REQ-UPD-8 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-17T00:59:16.3562065Z   [must] requirement_quality REQ-UPD-8 criterion=length — title is 115 words; want 3..=25
2026-06-17T00:59:16.3562474Z   [must] requirement_quality REQ-UPD-9 criterion=length — title is 110 words; want 3..=25
2026-06-17T00:59:16.3562756Z   [must] requirement_quality REQ-WHOAMI-1 criterion=length — title is 76 words; want 3..=25
2026-06-17T00:59:16.3562793Z 
2026-06-17T00:59:16.3562908Z # Requirement quality review
2026-06-17T00:59:16.3562947Z 
2026-06-17T00:59:16.3563169Z You are reviewing 220 requirement(s) from `traceable-reqs.toml` against a quality
2026-06-17T00:59:16.3563388Z rubric. Deterministic checks (length, contains-and, tbd-todo, duplicate-titles,
2026-06-17T00:59:16.3563606Z trailing-etc) have already run and surfaced as `requirement_quality` findings on
2026-06-17T00:59:16.3563773Z this command's output. Your task is the rubric items below.
2026-06-17T00:59:16.3563801Z 
2026-06-17T00:59:16.3563901Z ## Rubric
2026-06-17T00:59:16.3563935Z 
2026-06-17T00:59:16.3564215Z - **singular** — describes one capability; no smuggled "and"/"or" across distinct actions.
2026-06-17T00:59:16.3564588Z - **verifiable** — states an observable behavior a test or reviewer could confirm.
2026-06-17T00:59:16.3564821Z - **atomic** — cannot be split into two requirements without losing meaning.
2026-06-17T00:59:16.3565003Z - **active-voice** — clear subject and active verb.
2026-06-17T00:59:16.3565036Z 
2026-06-17T00:59:16.3565285Z If a criterion is borderline or doesn't apply, abstain — only emit findings for
2026-06-17T00:59:16.3565403Z clear concerns.
2026-06-17T00:59:16.3565437Z 
2026-06-17T00:59:16.3565542Z ## Requirements
2026-06-17T00:59:16.3565576Z 
2026-06-17T00:59:16.3565670Z ### REQ-ARCH-1
2026-06-17T00:59:16.3565812Z - Title: Many small acyclically-layered crates
2026-06-17T00:59:16.3565936Z - Required stages: impl
2026-06-17T00:59:16.3565973Z 
2026-06-17T00:59:16.3566082Z ### REQ-ARCH-2
2026-06-17T00:59:16.3566259Z - Title: Public SDK surface is spt-proto, spt-runtime, spt-msg
2026-06-17T00:59:16.3566368Z - Required stages: impl
2026-06-17T00:59:16.3566396Z 
2026-06-17T00:59:16.3566506Z ### REQ-ARCH-3
2026-06-17T00:59:16.3566720Z - Title: Wire-protocol version independent of crate semver, N-1 compat window
2026-06-17T00:59:16.3566846Z - Required stages: impl, unit
2026-06-17T00:59:16.3566883Z 
2026-06-17T00:59:16.3566983Z ### REQ-ARCH-4
2026-06-17T00:59:16.3567170Z - Title: Copy-verbatim the commodity layer from the sister project
2026-06-17T00:59:16.3567293Z - Required stages: impl, unit
2026-06-17T00:59:16.3567326Z 
2026-06-17T00:59:16.3567431Z ### REQ-DAEMON-1
2026-06-17T00:59:16.3567603Z - Title: One per-machine spt-daemon owning all per-machine state
2026-06-17T00:59:16.3567722Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3567756Z 
2026-06-17T00:59:16.3567865Z ### REQ-DAEMON-2
2026-06-17T00:59:16.3568022Z - Title: Broker/brain split for seamless self-update
2026-06-17T00:59:16.3568143Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3568180Z 
2026-06-17T00:59:16.3568284Z ### REQ-DAEMON-3
2026-06-17T00:59:16.3568458Z - Title: Any api invocation auto-starts the daemon if absent
2026-06-17T00:59:16.3568584Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3568617Z 
2026-06-17T00:59:16.3568717Z ### REQ-DAEMON-4
2026-06-17T00:59:16.3568852Z - Title: Honor every KNOWN-HAZARDS invariant
2026-06-17T00:59:16.3569051Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3569080Z 
2026-06-17T00:59:16.3569171Z ### REQ-STORE-1
2026-06-17T00:59:16.3570087Z - Title: spt-store::BranchStore (git branch as versioned KV; commit=checkpoint/tip=resume, atomic multi-key, merge-native sync) is the substrate for coarse/durable/audited state (context, registry snapshot+distribution, daemon checkpoint); hot paths (B5 fsync journal) + indexed queries (SQLite spool) excluded (ADR-0011)
2026-06-17T00:59:16.3570210Z - Required stages: impl, unit
2026-06-17T00:59:16.3570243Z 
2026-06-17T00:59:16.3570354Z ### REQ-MANIFEST-1
2026-06-17T00:59:16.3570549Z - Title: Per-adapter manifest with adapter_name and min_spt_core_version
2026-06-17T00:59:16.3570782Z - Required stages: doc, impl, unit
2026-06-17T00:59:16.3570811Z 
2026-06-17T00:59:16.3570915Z ### REQ-MANIFEST-2
2026-06-17T00:59:16.3571424Z - Title: Adapter profiles — sparse leaf-replace overlays (shipped + local), composite <adapter>:<profile> addressing, shadow-refusal, tighten-only consent floors
2026-06-17T00:59:16.3571546Z - Required stages: doc, impl, unit
2026-06-17T00:59:16.3571584Z 
2026-06-17T00:59:16.3571695Z ### REQ-MANIFEST-3
2026-06-17T00:59:16.3572310Z - Title: Adapter strings — [strings] KV tree, dot-path get-string resolving through the profile leaf-replace overlay, set-string editing a local profile's [strings] only; data-only (nothing executes a string)
2026-06-17T00:59:16.3572438Z - Required stages: doc, impl, unit
2026-06-17T00:59:16.3572471Z 
2026-06-17T00:59:16.3572572Z ### REQ-MANIFEST-4
2026-06-17T00:59:16.3573255Z - Title: Keyword hints — [[hints]] {keywords (literal/regex), text}; spt api hint --session emits at most one matched hint per message, once per session (seen-set), declaration-order first match; profiles overlay [[hints]] by leaf-replace
2026-06-17T00:59:16.3573497Z - Required stages: doc, impl, unit
2026-06-17T00:59:16.3573536Z 
2026-06-17T00:59:16.3573655Z ### REQ-MANIFEST-5
2026-06-17T00:59:16.3576552Z - Title: File-backed adapter [strings] (M12-W3-T3.1): a [strings] dot-path value MAY be an inline-table FILE POINTER `key = { file = "rel/path" }` resolved to the file's contents at get-string time, keeping large bodies (skill-instructions, hint text) out of the manifest. A value-position table with a `file` key IS the pointer form (reserved — cannot double as data). Per-adapter aux storage `adapters/<adapter>/strings/`; pointers resolve relative to it with CONTAINMENT (reject `..`/absolute escaping the dir). UPDATE-SAFETY: a LOCAL profile's file-pointers resolve relative to the user-owned local-profile dir (NOT adapter-shipped strings/, which adapter updates overwrite), or the local profile inlines. Validate-at-register (fail-fast on a bad/escaping/missing pointer) + LAZY read at get-string (live file edits reflect, no re-register) + skip-diagnostics on missing-at-read (no hard-crash, mirrors [digest]). Rides the same leaf-replace profile overlay as the rest of [strings].
2026-06-17T00:59:16.3576708Z - Required stages: doc, impl, unit
2026-06-17T00:59:16.3576742Z 
2026-06-17T00:59:16.3576857Z ### REQ-MANIFEST-6
2026-06-17T00:59:16.3579041Z - Title: Cross-adapter fallback target addressing (M12-W3-T3.2): a cross-adapter fallback target is addressed as `<adapter>:<profile>` (not just a bare adapter_name), resolved through the one composite-addressing resolver (registry::resolve_option) at every adapter-option read site so a fallback may select a shipped/local profile (e.g. a `ccs` profile). CONTEXT.md §cross-adapter-fallback reconciled ("ccs is a profile; cross-adapter fallback may target <adapter>:<profile>"). Contract-only this milestone: the node-wide fallback SETTING + its rate-limit invocation are deferred to the consuming milestone (the runtime path does not exist yet); this REQ guarantees the ADDRESSING resolves.
2026-06-17T00:59:16.3579192Z - Required stages: doc, unit
2026-06-17T00:59:16.3579220Z 
2026-06-17T00:59:16.3579374Z ### REQ-MANIFEST-7
2026-06-17T00:59:16.3582402Z - Title: Adapter-declared shortcut basename (M12-W2 follow-on): an optional `[adapter] shortcut_basename` manifest field names the basename the `spt endpoint run` picker bakes into the generated `<basename>-<id>` launcher shortcut (REQ-RUN-SHORTCUT). Absent ⇒ the harness-agnostic default `spt` (→ `spt-<id>`); an adapter sets it to brand its shortcuts (claude-spt → `cc` → `cc-<id>`), so the Claude-Code-ness lives in the PUBLISHED adapter manifest, never hardcoded in spt-core. The picker reads it from the RESOLVED manifest of the selected adapter (registry::resolve_option), falling back to `spt` when absent/empty/unresolvable. Additive + N-1-safe (serde-default Option, omitted from serialization when absent; old manifests parse clean); manifest.schema.json regenerated from the derive (ADR-0001, CI drift-gated). Documented in docs/MANIFEST.md `[adapter]` section + the claude-spt worked example — the adapter-author contract perri builds spt-claude-code against.
2026-06-17T00:59:16.3582683Z - Required stages: doc, impl, unit
2026-06-17T00:59:16.3582717Z 
2026-06-17T00:59:16.3582828Z ### REQ-SEAM-SPAWN
2026-06-17T00:59:16.3582975Z - Title: spawn-session seam
2026-06-17T00:59:16.3583108Z - Required stages: impl, unit
2026-06-17T00:59:16.3583142Z 
2026-06-17T00:59:16.3583275Z ### REQ-SEAM-POSTSPAWN
2026-06-17T00:59:16.3583423Z - Title: post-spawn / api bind seam with boot nonce
2026-06-17T00:59:16.3583552Z - Required stages: impl, unit
2026-06-17T00:59:16.3583585Z 
2026-06-17T00:59:16.3583694Z ### REQ-SEAM-PSYCHE
2026-06-17T00:59:16.3583848Z - Title: spawn-psyche seam (fresh + resume templates)
2026-06-17T00:59:16.3583981Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3584018Z 
2026-06-17T00:59:16.3584120Z ### REQ-SEAM-HISTORY
2026-06-17T00:59:16.3584318Z - Title: History subsystem (fetcher / locate-normalize / native store)
2026-06-17T00:59:16.3584555Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3584588Z 
2026-06-17T00:59:16.3584692Z ### REQ-SEAM-ACTIVITY
2026-06-17T00:59:16.3584884Z - Title: Activity/idle reported via api sentinels, not PTY quiescence
2026-06-17T00:59:16.3585002Z - Required stages: impl, unit
2026-06-17T00:59:16.3585035Z 
2026-06-17T00:59:16.3585155Z ### REQ-SEAM-INJECT
2026-06-17T00:59:16.3585331Z - Title: inject-input methods configurable per activity-state
2026-06-17T00:59:16.3585447Z - Required stages: impl, unit
2026-06-17T00:59:16.3585475Z 
2026-06-17T00:59:16.3585588Z ### REQ-SEAM-RESUME
2026-06-17T00:59:16.3585785Z - Title: resume-session seam (fresh-with-preload / continue-existing)
2026-06-17T00:59:16.3585908Z - Required stages: impl, unit
2026-06-17T00:59:16.3585941Z 
2026-06-17T00:59:16.3586067Z ### REQ-SEAM-CAPABILITY
2026-06-17T00:59:16.3586228Z - Title: Hostable endpoint-types capability declaration
2026-06-17T00:59:16.3586357Z - Required stages: impl, unit
2026-06-17T00:59:16.3586386Z 
2026-06-17T00:59:16.3586480Z ### REQ-SEAM-UPDATE
2026-06-17T00:59:16.3586663Z - Title: Adapter-update avenue (file-pull / delegated command)
2026-06-17T00:59:16.3586786Z - Required stages: impl, unit
2026-06-17T00:59:16.3586818Z 
2026-06-17T00:59:16.3586922Z ### REQ-API-1
2026-06-17T00:59:16.3587117Z - Title: api prefix and adapter_name on every machinery invocation
2026-06-17T00:59:16.3587235Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3587268Z 
2026-06-17T00:59:16.3587379Z ### REQ-API-2
2026-06-17T00:59:16.3587598Z - Title: The api subcommand surface (bind/listen/poll/state/worker/boundary/...)
2026-06-17T00:59:16.3587722Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3587756Z 
2026-06-17T00:59:16.3587864Z ### REQ-API-3
2026-06-17T00:59:16.3588018Z - Title: commune/signoff are file-drops, not commands
2026-06-17T00:59:16.3588141Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3588174Z 
2026-06-17T00:59:16.3588276Z ### REQ-API-4
2026-06-17T00:59:16.3589847Z - Title: api resolves the adapter manifest (+ profile + install dir) from `--adapter name:profile` via the registry when `--manifest` is omitted; `--manifest` becomes an optional OVERRIDE (unregistered / local-dev manifests). Removes the require-both-flags redundancy — a registered adapter's live bringup / digest / capability needs only `--adapter` — and yields the precise install dir (the record's source_dir) rather than the --manifest parent, closing the copy-mode psyche-binary edge (v0.8.0)
2026-06-17T00:59:16.3589986Z - Required stages: doc, impl, unit
2026-06-17T00:59:16.3590014Z 
2026-06-17T00:59:16.3590118Z ### REQ-START-1
2026-06-17T00:59:16.3590320Z - Title: Adapters never resolve SPT_HOME; binary on PATH; api bridging only
2026-06-17T00:59:16.3590452Z - Required stages: impl, unit
2026-06-17T00:59:16.3590486Z 
2026-06-17T00:59:16.3590591Z ### REQ-START-2
2026-06-17T00:59:16.3590748Z - Title: Harness-hosted startup: api seed then listen
2026-06-17T00:59:16.3590869Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3591006Z 
2026-06-17T00:59:16.3591130Z ### REQ-START-3
2026-06-17T00:59:16.3591321Z - Title: spt-hosted startup: spawn-session then api bind (no file)
2026-06-17T00:59:16.3591441Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3591465Z 
2026-06-17T00:59:16.3591569Z ### REQ-START-4
2026-06-17T00:59:16.3591721Z - Title: Adapter-injected env aliases (SPT/OWL/LIVE)
2026-06-17T00:59:16.3591846Z - Required stages: impl, unit
2026-06-17T00:59:16.3591879Z 
2026-06-17T00:59:16.3591978Z ### REQ-EP-1
2026-06-17T00:59:16.3592126Z - Title: Day-one endpoint types; open type system
2026-06-17T00:59:16.3592243Z - Required stages: impl, unit
2026-06-17T00:59:16.3592271Z 
2026-06-17T00:59:16.3592375Z ### REQ-EP-2
2026-06-17T00:59:16.3592553Z - Title: Agent endpoints vs Shells distinction in the type model
2026-06-17T00:59:16.3592671Z - Required stages: impl, unit
2026-06-17T00:59:16.3592710Z 
2026-06-17T00:59:16.3592806Z ### REQ-EP-3
2026-06-17T00:59:16.3592995Z - Title: Messaging payloads carry typed operation commands + file blobs
2026-06-17T00:59:16.3593229Z - Required stages: impl, unit
2026-06-17T00:59:16.3593258Z 
2026-06-17T00:59:16.3593363Z ### REQ-EP-4
2026-06-17T00:59:16.3593516Z - Title: PresenceChannel broker endpoint (seam day-one)
2026-06-17T00:59:16.3593639Z - Required stages: impl, unit
2026-06-17T00:59:16.3593673Z 
2026-06-17T00:59:16.3593774Z ### REQ-EP-5
2026-06-17T00:59:16.3594446Z - Title: Concrete shell instantiation model: spawn-mints-instance (vs relink/online), registered-on-node permission + broadcast-is-discovery, per-shell require_approval gate, max_instances_per_owner + over_cap, instance aliasing, discovery scope
2026-06-17T00:59:16.3594569Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3594598Z 
2026-06-17T00:59:16.3594709Z ### REQ-EP-6
2026-06-17T00:59:16.3596149Z - Title: Gateway type acceptance: a Gateway-typed perch binds (api bind --type, open type system — un-hardcode the live_agent default), advertises/addressable like any endpoint, owns shells (owner validation not agent-family-gated), subscribes to digests, and is the user-msg identity gate's user-backed origin (REQ-MSG-5); in-tree mock-gateway fixture (R-DOCS-2 pattern, no downstream adapter code). Cross-node WAN Gateway-origin (registry endpoint_type trust) tracked by REQ-MSG-6
2026-06-17T00:59:16.3597635Z - Required stages: doc, impl, unit
2026-06-17T00:59:16.3597805Z 
2026-06-17T00:59:16.3597934Z ### REQ-EP-7
2026-06-17T00:59:16.3599761Z - Title: Durable live-role.md: a per-agent broad-purpose statement in tracked/agents/<id>/ beside live-context.md (replicates with the mind on the same a-<id> branch); renders FIRST at start-transition context injection (role -> live-context -> project-context); SOLE writer `spt endpoint role --overwrite <file>` — mechanical no-automated-writer guarantee (echo-commune ingest / signoff / Psyche reconcile structurally exclude it). The user-backed-origin hard gate on the writer is a deferred later tightening (rides the user-msg identity plumbing)
2026-06-17T00:59:16.3601299Z - Required stages: doc, impl, unit
2026-06-17T00:59:16.3601480Z 
2026-06-17T00:59:16.3601599Z ### REQ-INST-1
2026-06-17T00:59:16.3601948Z - Title: endpoint ID vs instance split (adapter-agnostic ID)
2026-06-17T00:59:16.3602262Z - Required stages: 
2026-06-17T00:59:16.3602411Z 
2026-06-17T00:59:16.3602519Z ### REQ-INST-2
2026-06-17T00:59:16.3602747Z - Title: Per-node files, synced Psyche mind
2026-06-17T00:59:16.3603051Z - Required stages: impl, unit
2026-06-17T00:59:16.3603212Z 
2026-06-17T00:59:16.3603327Z ### REQ-INST-3
2026-06-17T00:59:16.3603589Z - Title: Dormant (warm) / suspended (cold) resting states
2026-06-17T00:59:16.3603914Z - Required stages: doc, impl, unit
2026-06-17T00:59:16.3604090Z 
2026-06-17T00:59:16.3604190Z ### REQ-INST-4
2026-06-17T00:59:16.3604476Z - Title: active to dormant/suspended fires a transition echo commune
2026-06-17T00:59:16.3604815Z - Required stages: impl, unit
2026-06-17T00:59:16.3604978Z 
2026-06-17T00:59:16.3605086Z ### REQ-INST-5
2026-06-17T00:59:16.3605505Z - Title: Two-tier context sync (live to all, project to same-project)
2026-06-17T00:59:16.3605865Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3606042Z 
2026-06-17T00:59:16.3606151Z ### REQ-INST-6
2026-06-17T00:59:16.3606456Z - Title: Deferred messages not delivered to dormant/suspended instances
2026-06-17T00:59:16.3606814Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3606986Z 
2026-06-17T00:59:16.3607091Z ### REQ-INST-7
2026-06-17T00:59:16.3607334Z - Title: Subnet registry + bare-id resolution policy
2026-06-17T00:59:16.3607633Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3607802Z 
2026-06-17T00:59:16.3607911Z ### REQ-INST-8
2026-06-17T00:59:16.3608167Z - Title: Remote-control mode distinct from local operation
2026-06-17T00:59:16.3608490Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3608665Z 
2026-06-17T00:59:16.3608766Z ### REQ-INST-9
2026-06-17T00:59:16.3609138Z - Title: Multi-subnet membership (same-user N subnets; cross-user seam)
2026-06-17T00:59:16.3609505Z - Required stages: impl, unit
2026-06-17T00:59:16.3609768Z 
2026-06-17T00:59:16.3609872Z ### REQ-INST-10
2026-06-17T00:59:16.3610206Z - Title: Qualified addressing [subnet:]id[@node] + ambiguity forces qualification
2026-06-17T00:59:16.3610582Z - Required stages: impl, unit
2026-06-17T00:59:16.3610741Z 
2026-06-17T00:59:16.3610848Z ### REQ-INST-11
2026-06-17T00:59:16.3611177Z - Title: spt rename <id> rippled to all instances (collision-checked, 6.5-reconciled)
2026-06-17T00:59:16.3611554Z - Required stages: impl, unit
2026-06-17T00:59:16.3611716Z 
2026-06-17T00:59:16.3611830Z ### REQ-INST-12
2026-06-17T00:59:16.3612226Z - Title: Endpoint visibility per-(endpoint,subnet): excluded semantics, OR-of-defaults + override, gates sync
2026-06-17T00:59:16.3612670Z - Required stages: impl, unit
2026-06-17T00:59:16.3612837Z 
2026-06-17T00:59:16.3612943Z ### REQ-INST-13
2026-06-17T00:59:16.3613246Z - Title: Subnet-exclusive sync + per-endpoint subnet-membership list
2026-06-17T00:59:16.3613592Z - Required stages: impl, unit
2026-06-17T00:59:16.3613758Z 
2026-06-17T00:59:16.3613863Z ### REQ-INST-14
2026-06-17T00:59:16.3614345Z - Title: Resource advertisement (subnet resource registry): free-text blurb, both-authored, registry projection, visibility/whitelist-gated
2026-06-17T00:59:16.3614880Z - Required stages: doc, impl, unit
2026-06-17T00:59:16.3615051Z 
2026-06-17T00:59:16.3615171Z ### REQ-INST-15
2026-06-17T00:59:16.3616022Z - Title: Immutable home subnet (assigned at creation: auto-if-one/ask-if-many) + spt fork (cross-subnet clone to a new identity, copy-then-diverge, not re-home); adapter chosen at creation from registered hostable adapters, changed only via launch/resume-under-new (ADR-0010)
2026-06-17T00:59:16.3616869Z - Required stages: doc, impl, unit
2026-06-17T00:59:16.3617040Z 
2026-06-17T00:59:16.3617146Z ### REQ-REACH-1
2026-06-17T00:59:16.3617413Z - Title: Off-node remote-drive detection + file transfer
2026-06-17T00:59:16.3617728Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3617894Z 
2026-06-17T00:59:16.3618004Z ### REQ-REACH-2
2026-06-17T00:59:16.3618310Z - Title: Remote command execution (deferred, consent-gated)
2026-06-17T00:59:16.3618622Z - Required stages: 
2026-06-17T00:59:16.3618769Z 
2026-06-17T00:59:16.3618872Z ### REQ-MSG-1
2026-06-17T00:59:16.3619516Z - Title: Local message delivery: TCP-first to a registered address, spool fallback when offline; id->address via registry (stale-clean first); reply routing (__REPLY_TO__)
2026-06-17T00:59:16.3620108Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3620276Z 
2026-06-17T00:59:16.3620380Z ### REQ-MSG-2
2026-06-17T00:59:16.3620766Z - Title: spt binary CLI surface: send/ring/ready(+--once)/list/stop/whoami, stable arg shapes + exit codes
2026-06-17T00:59:16.3621191Z - Required stages: impl, unit
2026-06-17T00:59:16.3621357Z 
2026-06-17T00:59:16.3621456Z ### REQ-MSG-3
2026-06-17T00:59:16.3621957Z - Title: Ready-agent lifecycle: register perch (info.json + listener + registry address) on ready, drain spooled backlog on startup, clean teardown
2026-06-17T00:59:16.3622605Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3622777Z 
2026-06-17T00:59:16.3622892Z ### REQ-MSG-4
2026-06-17T00:59:16.3623820Z - Title: Listener stream stdout emits EVENT envelope lines (sister-format, ADR-0001): parse the __REPLY_TO__ frame, pass pre-formed typed envelopes through verbatim (no double-wrap), compose <EVENT type="msg" from=…> otherwise, chunk oversized lines into EVENT-PART
2026-06-17T00:59:16.3624638Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3624820Z 
2026-06-17T00:59:16.3624924Z ### REQ-MSG-ENVELOPE
2026-06-17T00:59:16.3628655Z - Title: The <EVENT type="msg" from=…>body</EVENT> envelope (spt-proto::event, the ADR-0001 grammar) is the SOLE canonical arriving-message format at EVERY harness arriving-message surface on an AGENT perch — api listen AND api poll/worker-poll, byte-identical (reverses REQ-MSG-4's 'hook drains keep the raw frame by contract'). SCOPE CARVE-OUT: the shell-command relay (api poll <shell-id> --link, cmd_poll_shell) is a distinct internal transport carrying RAW MAC'd stamped frames the shell child consumes verbatim — NOT an arriving-message surface, deliberately EXEMPT from <EVENT> composition (notify_shell_e2e guards this boundary). __REPLY_TO__ — mis-elevated during the clean-room port to a fake ADR-0001 'stable wire format' (spt-msg/wire.rs, lib.rs) — is REMOVED entirely (spool format_row, the spt-msg TCP frame, emit parse_frame); (from, body) carried structurally, <EVENT> composed once at the delivery boundary. No legacy sister-interop (spt-core never required it). Reply-correlation rebinds onto the structural from / <EVENT from=…> attribute (ADR-0009 access-gate + ADR-0012 Psyche/spt-live reply-target). Self-delimiting by construction → finding F-002 (non-self-delimiting multi-message poll) dissolves. ADR-0020.
2026-06-17T00:59:16.3632189Z - Required stages: doc, impl, unit, int
2026-06-17T00:59:16.3632379Z 
2026-06-17T00:59:16.3632489Z ### REQ-MSG-5
2026-06-17T00:59:16.3633332Z - Title: user-msg envelope kind + daemon identity gate: a Gateway endpoint / the local user's CLI author user-msg (the user's authority); agent-family senders re-stamped to plain msg; identity-gated never payload-trusted (KH 7.3/7.5); wire-additive (N-1 receivers tolerate the new type)
2026-06-17T00:59:16.3634223Z - Required stages: doc, impl, unit
2026-06-17T00:59:16.3634395Z 
2026-06-17T00:59:16.3634498Z ### REQ-MSG-6
2026-06-17T00:59:16.3636195Z - Title: cross-node Gateway user-msg honored via advertised endpoint_type: a user-msg from a Gateway-typed origin survives the receive_wan funnel as user-msg (vs the fail-closed re-stamp), keyed on the QUIC-handshake-proven origin node (never wire `from`). Trust boundary = subnet membership (operator-ratified 2026-06-13); no defense against an in-subnet member forging the type. Instance.endpoint_type is an additive serde-default field extending REQ-INST-7's data model. Absent/unknown type → re-stamp (N-1 rollout grace)
2026-06-17T00:59:16.3637651Z - Required stages: doc, impl, unit
2026-06-17T00:59:16.3637836Z 
2026-06-17T00:59:16.3637932Z ### REQ-NODE-IDENTITY
2026-06-17T00:59:16.3638290Z - Title: Ed25519 identity primitive: keypair, detached sign/verify, stable pubkey<->hex
2026-06-17T00:59:16.3638680Z - Required stages: impl, unit
2026-06-17T00:59:16.3638844Z 
2026-06-17T00:59:16.3639023Z ### REQ-NET-1
2026-06-17T00:59:16.3639319Z - Title: WAN messaging first-class, behind default-on net feature flag
2026-06-17T00:59:16.3639667Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3639843Z 
2026-06-17T00:59:16.3639945Z ### REQ-NET-2
2026-06-17T00:59:16.3640232Z - Title: n0 relay default + self-host knob + plain-language disclosure
2026-06-17T00:59:16.3640566Z - Required stages: impl
2026-06-17T00:59:16.3640713Z 
2026-06-17T00:59:16.3640828Z ### REQ-NET-3
2026-06-17T00:59:16.3641096Z - Title: Cross-node Psyche sync over P2P replaces gh-repo-sync
2026-06-17T00:59:16.3641424Z - Required stages: impl, unit
2026-06-17T00:59:16.3641590Z 
2026-06-17T00:59:16.3641686Z ### REQ-PAIR-1
2026-06-17T00:59:16.3642021Z - Title: TOTP-seeded SPAKE2 pairing
2026-06-17T00:59:16.3642282Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3642454Z 
2026-06-17T00:59:16.3642567Z ### REQ-PAIR-2
2026-06-17T00:59:16.3642815Z - Title: Local trust store with TOFU + warn-on-change
2026-06-17T00:59:16.3643106Z - Required stages: 
2026-06-17T00:59:16.3643234Z 
2026-06-17T00:59:16.3643345Z ### REQ-PAIR-3
2026-06-17T00:59:16.3643606Z - Title: Fetch current pairing code from any paired node
2026-06-17T00:59:16.3643897Z - Required stages: impl, unit
2026-06-17T00:59:16.3644064Z 
2026-06-17T00:59:16.3644173Z ### REQ-PAIR-4
2026-06-17T00:59:16.3644389Z - Title: Subnet naming on first pairing
2026-06-17T00:59:16.3644666Z - Required stages: impl, unit
2026-06-17T00:59:16.3644817Z 
2026-06-17T00:59:16.3644926Z ### REQ-PAIR-5
2026-06-17T00:59:16.3645330Z - Title: Multi-subnet pairing: subnet-name discovery input, create-new-names-up-front, rendezvous-token hashing
2026-06-17T00:59:16.3645786Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3645964Z 
2026-06-17T00:59:16.3646068Z ### REQ-PAIR-6
2026-06-17T00:59:16.3646541Z - Title: Elevation-gated per-subnet code fetch (UAC/root or elevated agent; else authenticator app)
2026-06-17T00:59:16.3646964Z - Required stages: impl, unit
2026-06-17T00:59:16.3647133Z 
2026-06-17T00:59:16.3647242Z ### REQ-PAIR-7
2026-06-17T00:59:16.3647500Z - Title: Subnet icon (inline image metadata, GUI-only consumer)
2026-06-17T00:59:16.3647817Z - Required stages: 
2026-06-17T00:59:16.3647962Z 
2026-06-17T00:59:16.3648072Z ### REQ-SUBNET-1
2026-06-17T00:59:16.3648511Z - Title: spt subnet noun namespace: status view (bare + status [NAME] [--nodes]), create (QR/otpauth), show-code; spt pair deleted
2026-06-17T00:59:16.3649050Z - Required stages: impl, unit
2026-06-17T00:59:16.3649227Z 
2026-06-17T00:59:16.3649350Z ### REQ-SUBNET-2
2026-06-17T00:59:16.3649709Z - Title: Guided join e2e: spt subnet join CLI initiator + always-on daemon pairing responder
2026-06-17T00:59:16.3650109Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3650293Z 
2026-06-17T00:59:16.3650403Z ### REQ-SUBNET-3
2026-06-17T00:59:16.3650788Z - Title: Node labels: hostname-default, gossiped, addressable in @node qualifiers (refuse-on-ambiguity)
2026-06-17T00:59:16.3651216Z - Required stages: impl, unit
2026-06-17T00:59:16.3651383Z 
2026-06-17T00:59:16.3651492Z ### REQ-SUBNET-4
2026-06-17T00:59:16.3651902Z - Title: Subnet membership mutations elevation-gated (create = seed reveal; join = trust-boundary enrollment)
2026-06-17T00:59:16.3652337Z - Required stages: impl, unit
2026-06-17T00:59:16.3652489Z 
2026-06-17T00:59:16.3652600Z ### REQ-DOCS-6
2026-06-17T00:59:16.3653037Z - Title: spt how-to <topic>: in-binary task-oriented agent instructions (anti-drift; quickstart prompts point agents at it)
2026-06-17T00:59:16.3653508Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3653690Z 
2026-06-17T00:59:16.3653794Z ### REQ-SEC-1
2026-06-17T00:59:16.3654301Z - Title: Per-endpoint access whitelist: origin-node gate, stateful-firewall (reply/outbound exempt), node-now/user-later, outer gate before grants
2026-06-17T00:59:16.3654859Z - Required stages: impl, unit
2026-06-17T00:59:16.3655020Z 
2026-06-17T00:59:16.3655130Z ### REQ-NOTIF-1
2026-06-17T00:59:16.3655604Z - Title: Notification primitive: per-subnet replicated spool, seen/dismissed, resurface-at-boundary, subsumes update+consent prompts
2026-06-17T00:59:16.3656152Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3656332Z 
2026-06-17T00:59:16.3656438Z ### REQ-NOTIF-2
2026-06-17T00:59:16.3656815Z - Title: spt notify (agent-issued subnet notif) + notif_command manifest seam (harness + shell adapters)
2026-06-17T00:59:16.3657253Z - Required stages: doc, impl, unit, int
2026-06-17T00:59:16.3657435Z 
2026-06-17T00:59:16.3657543Z ### REQ-UPD-1
2026-06-17T00:59:16.3657769Z - Title: Peer-propagated update over P2P
2026-06-17T00:59:16.3658046Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3658225Z 
2026-06-17T00:59:16.3658334Z ### REQ-UPD-2
2026-06-17T00:59:16.3658584Z - Title: All binaries signature-verified before handoff
2026-06-17T00:59:16.3659081Z - Required stages: impl, unit
2026-06-17T00:59:16.3659247Z 
2026-06-17T00:59:16.3659358Z ### REQ-UPD-3
2026-06-17T00:59:16.3659663Z - Title: No endpoint process terminates/suspends during self-update
2026-06-17T00:59:16.3659988Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3660163Z 
2026-06-17T00:59:16.3660269Z ### REQ-UPD-4
2026-06-17T00:59:16.3660550Z - Title: Update gated on user confirmation by default; opt-in full-auto
2026-06-17T00:59:16.3660896Z - Required stages: impl, unit
2026-06-17T00:59:16.3661056Z 
2026-06-17T00:59:16.3661160Z ### REQ-UPD-5
2026-06-17T00:59:16.3661418Z - Title: spt-core ripple-updates registered adapters
2026-06-17T00:59:16.3661723Z - Required stages: impl, unit
2026-06-17T00:59:16.3661877Z 
2026-06-17T00:59:16.3661981Z ### REQ-UPD-6
2026-06-17T00:59:16.3662902Z - Title: Platform-targeted update sets and debug rollout: signed multi-platform update metadata, recipient platform selection, channel-scoped monotonic counters, debug-channel opt-in via release-key overlay, local staging plus pull-based peer propagation, and maintainer-only convergence tooling (ADR-0016)
2026-06-17T00:59:16.3663987Z - Required stages: doc, impl, unit, int
2026-06-17T00:59:16.3664174Z 
2026-06-17T00:59:16.3664278Z ### REQ-UPD-7
2026-06-17T00:59:16.3666402Z - Title: Origin-source update bootstrap (`spt update fetch`): pull the latest signed release directly from the GitHub release origin (`SaberMage/spt-releases`) — the per-platform artifact + its `<asset>.release.json` SignedRelease metadata — and stage it through the EXISTING verify→stage pipeline (the same `plan_verified` gate: two-key signature + channel + monotonic rollback floor + SHA-256), after which the normal consent-notif / `spt update apply` flow is unchanged. Closes the peer-only-discovery gap (REQ-UPD-1): a first-in-fleet / isolated node can update with no peer to pull from. The signed-release anchor keeps the GitHub transport untrusted-but-verified.
2026-06-17T00:59:16.3668229Z - Required stages: impl, unit
2026-06-17T00:59:16.3668409Z 
2026-06-17T00:59:16.3668514Z ### REQ-UPD-8
2026-06-17T00:59:16.3671177Z - Title: Platform-safe `spt update fetch` + apply platform-guard (v0.3.1 cross-OS brick fix): `spt update fetch` stages the signed multi-platform `SignedUpdateSet` (`update-set.json` + every platform artifact it names), never a platform-blind single `SignedRelease`, so local apply selects `current_platform()` and P2P re-serve lets each peer select ITS own platform. Defense-in-depth: `apply_staged` REFUSES a staged single-release artifact unless it is platform-stamped for THIS node (an unstamped pre-v0.3.2 single, or a single stamped for another OS, fail-safe refuses — the guard that alone prevents the v0.3.1 brick where a Linux ELF was applied as `spt.exe`). UX: a friendly post-apply message (`Updated spt-core to vX.Y.Z.` + changelog URL) driven by an additive `product_version` metadata field, with a release-counter fallback when absent.
2026-06-17T00:59:16.3680043Z - Required stages: impl, unit
2026-06-17T00:59:16.3680254Z 
2026-06-17T00:59:16.3680377Z ### REQ-UPD-9
2026-06-17T00:59:16.3683078Z - Title: `gh_release` adapter [update] avenue (optional signing): an adapter declares `[update] avenue = "gh_release", repo = "user/repo"` (+ optional `asset`, default `adapter.spt`; + optional Ed25519 `signing_key`); spt-core's ripple compares the repo's LATEST GitHub release version against the installed adapter version and, when newer, auto-updates by fetching the release `.spt` archive (the REQ-INSTALL-9 `--release` fetch primitive) → verifies the `.spt` against `signing_key` if declared, else HTTPS+GitHub first-acquisition trust → re-extracts + re-registers the adapter root. Lets a harness adapter ship updates from its own GitHub releases with NO signing tooling or plugin coupling (removes the perri file_pull/delegated avenue blockers). Acquisition-trust mirrors `--release` + the installer first-fetch; does not alter spt-core self-update (REQ-UPD-1..8).
2026-06-17T00:59:16.3685547Z - Required stages: doc, impl, unit
2026-06-17T00:59:16.3685727Z 
2026-06-17T00:59:16.3685833Z ### REQ-TERM-1
2026-06-17T00:59:16.3686128Z - Title: Process-supervisor terminal wrapper hosting broker PTYs
2026-06-17T00:59:16.3686467Z - Required stages: impl, unit
2026-06-17T00:59:16.3686638Z 
2026-06-17T00:59:16.3686734Z ### REQ-TERM-2
2026-06-17T00:59:16.3687024Z - Title: session-surface abstraction; send-keys + send-line injection
2026-06-17T00:59:16.3687369Z - Required stages: impl, unit
2026-06-17T00:59:16.3687532Z 
2026-06-17T00:59:16.3687636Z ### REQ-TERM-3
2026-06-17T00:59:16.3687890Z - Title: Byte-stream remote terminal streaming for v1
2026-06-17T00:59:16.3688199Z - Required stages: impl, unit
2026-06-17T00:59:16.3688361Z 
2026-06-17T00:59:16.3688462Z ### REQ-TERM-4
2026-06-17T00:59:16.3689116Z - Title: Live activity buffer (session digest): projection of normalized session logs, snapshot-pull (spt endpoint digest) + structured-delta-stream contract + api digest-entry push
2026-06-17T00:59:16.3689764Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3690058Z 
2026-06-17T00:59:16.3690165Z ### REQ-TERM-5
2026-06-17T00:59:16.3691820Z - Title: Adapter-declared digest extractor seam: a `[digest]` manifest section declaring an imperative extractor (native harness log -> the {role,text,tool,ts} contract; defaults to the [history] source files with an own-source escape hatch), `api digest-entry` push fallback, register-time validation of the section, adapter-declared presentation defaults (window depth, arg-truncation, sprint-collapse) that any consumer may override, and a `spt adapter digest-proof` author tool plus runtime skip-diagnostics (no silent drop). Reverses M9's no-manifest-seam stance; no declarative DSL.
2026-06-17T00:59:16.3693432Z - Required stages: doc, impl, unit, int
2026-06-17T00:59:16.3693624Z 
2026-06-17T00:59:16.3693729Z ### REQ-TERM-6
2026-06-17T00:59:16.3694954Z - Title: Thread-spanning digest across session boundaries: a per-endpoint session ledger (`<perch>/sessions.log`) appended at first bind and by `api boundary` on `/clear`|`/compact` session rotation, the digest enumerating the last K sessions so its rolling window bridges a boundary, and a distinctive in-timeline boundary marker (DigestEntry::Boundary). The digest follows the live-agent thread, not a single session.
2026-06-17T00:59:16.3696141Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3696311Z 
2026-06-17T00:59:16.3696407Z ### REQ-TERM-7
2026-06-17T00:59:16.3697674Z - Title: Two-origin digest merge: spt-owned context-injection entries (psyche_download | echo_mirror | owl_message) appended by spt to the endpoint `digest.log`, timestamp-interleaved with the adapter's extracted activity records into one ordered timeline, via a distinct context-injection record category. Data model only this milestone; GUI collapse/expand and the echo-reads-digest delta loop are deferred to the surfaces that consume them.
2026-06-17T00:59:16.3699013Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3699174Z 
2026-06-17T00:59:16.3699323Z ### REQ-FRONT-1
2026-06-17T00:59:16.3699604Z - Title: Day-one launcher/manager frontend (list/launch/attach/init)
2026-06-17T00:59:16.3699924Z - Required stages: 
2026-06-17T00:59:16.3700075Z 
2026-06-17T00:59:16.3700176Z ### REQ-HOST-RUN-1
2026-06-17T00:59:16.3702728Z - Title: spt-hosted harness bringup: `spt endpoint run` spawns an adapter's `[session.self]` command template into a broker-held PTY (the spawn-session seam, brain.rs spawn_session_pid — same broker path shellhost.rs launch_shell_brokered_in uses for shells, now for kind="harness" self-role), registers the perch under the given endpoint id, returns the id. Reverses today's harness-hosted-only launch (external launcher → `api bind`). Non-interactive flag set (--adapter <a[:profile]> --id <id> --create --resume <session> --attach|--start|--view) covers every terminal action of the W2 interactive picker so shortcuts (cc-<id>) bake fully non-interactive launches; composite adapter:profile resolves via registry::resolve_option leaf-replace overlay.
2026-06-17T00:59:16.3704856Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3705042Z 
2026-06-17T00:59:16.3705143Z ### REQ-RC-1
2026-06-17T00:59:16.3707219Z - Title: `spt rc <id>` — user CLI attaching a local terminal to a broker-held PTY, reusing the cross-node attach machinery (attach.rs request_attach → send_attach_input pump, spt-net AttachRecord codec); local attach is the degenerate single-node case of the cross-node path (rides REQ-TERM-3 byte-stream streaming). Read-only `--view` (watch, no stdin forwarded). Clean detach that does NOT terminate the broker-held session (KNOWN-HAZARDS: PTY ownership stays with the broker; no termination on detach). Explicit detach keybind that cannot collide with harness passthrough input (legacy capsule used a ctrl-b prefix); documented. ConPTY DSR auto-answer in the attach reader (hazard 5.5).
2026-06-17T00:59:16.3709152Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3709353Z 
2026-06-17T00:59:16.3709452Z ### REQ-HOST-RUN-2
2026-06-17T00:59:16.3711309Z - Title: Project-scoped working directory for spt-hosted bringup: `spt endpoint run` lands the broker-spawned harness PTY in the user's PROJECT cwd, not the daemon's, via an additive `SpawnReq.cwd` field carried through the broker PTY spawn (portable-pty CommandBuilder cwd). N-1-safe wire change (additive, defaulted). Required because the consumer (Claude Code) is project-scoped: broker-inherited cwd = the daemon's cwd = the wrong `.claude`, wrong session history, wrong digest source; `cc <id>` at a project root MUST land the harness in that project. W1 ships broker-inherited cwd as a bringup-proof shortcut only; this REQ must land before the M12 gate (doyle, 2026-06-14).
2026-06-17T00:59:16.3713254Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3713423Z 
2026-06-17T00:59:16.3713540Z ### REQ-RUN-PICKER
2026-06-17T00:59:16.3718333Z - Title: Interactive `spt endpoint run` picker (ratatui TUI): bare `spt endpoint run` (no --adapter/--id) enters an in-process picker (flags-present = the REQ-HOST-RUN-1 non-interactive path, untouched). Layer 1 picks kind (Create new | Pick existing). Create-new: choose a registered kind="harness" adapter with its shipped+local profiles tree-nested (registry::registered / manifest.profiles / local_profile_names) → enter a charset-validated id → start. Pick-existing: category select (left/right) over [<cwd-project> | Local node | Subnet], endpoints grouped + alphabetically sorted per category, a status square per endpoint (online green ■ / offline gray ▢ — the blue "attached" tri-state + Kick are DEFERRED to a broker attach-presence slice, M12-W2-RULING Q1), type-to-filter (`/`, nucleo-matcher), a pinned keybind legend, and a right-half two-pane description (harness adapter:profile · best-effort project history newest→oldest from the contextstore p-<project> branches, empty-if-none · `spt endpoint description`). Confirm layer offers status-dependent options — Attach/Start/View (rc pump / cmd_endpoint_run) · Instantiate-locally (remote) · Change-harness-adapter (offline) · Fork (cmd_fork) · Resume-from-history (offline+LOCAL only; enumerate spt_store::sessions::last_k, titles `<project> @ <ts> (…id5)`, feed session_id → cmd_endpoint_run --resume). A single action enum is the source of truth so a future tap-mode (phone PTY) layers on without re-coupling to keybinds. EVERY terminal action routes through cmd_endpoint_run / existing CLI fns — no second bringup path.
2026-06-17T00:59:16.3722657Z - Required stages: doc, impl, unit
2026-06-17T00:59:16.3722837Z 
2026-06-17T00:59:16.3722957Z ### REQ-RUN-SHORTCUT
2026-06-17T00:59:16.3727696Z - Title: `<basename>-<id>` launcher shortcut generation (picker `s` keybind, M12-W2-T2.4): from any pre-start options set the picker writes/updates a `<basename>-<id>` launcher at the project root baking the current selection's non-interactive `spt endpoint run` flags (terminal actions only: adapter[:profile] + id + (create|resume) + (start|attach|view); Kick/Instantiate/Change-adapter/Fork are interactive-only, not bakeable). BASENAME IS A PARAMETER (operator rev. 2026-06-14): harness-agnostic spt-core defaults to `spt` (→ `spt-<id>`); an adapter/flow OVERRIDES it (spt-claude-code → `cc`), so spt-core NEVER bakes `cc` (a harness name) into itself. The basename must be a DISTINCT token, never bare `spt` (a `spt.cmd` would shadow the real `spt.exe` only under cmd.exe cwd-first search, silently no-op in PowerShell/Unix, and self-recurse). The script is the CURRENT OS's native form — `.cmd` on Windows (NOT `.ps1`: default PATHEXT excludes `.ps1` so a bare/ext-less name never resolves one; `.cmd` is PATHEXT-resolvable), POSIX `sh` (+chmod +x) on Unix (a single portable form can't be both). The generated header documents the invocation reality (cmd.exe bare `<name>` in the project dir / PowerShell `.\<name>` / Unix `./<name>`; a truly-bare basename on PATH = a PATH-installed launcher, `/spt:setup`'s job). Overwrite is SENTINEL-guarded: the generator writes + checks a generated-by header marker — it overwrites its own prior output freely, but REFUSES + warns if a same-named file lacks the sentinel (never clobber a user file). Requires the additive `--create` flag on `Run{}` (the default-fresh made explicit; N-1-safe).
2026-06-17T00:59:16.3732246Z - Required stages: doc, impl, unit
2026-06-17T00:59:16.3732430Z 
2026-06-17T00:59:16.3732534Z ### REQ-ELEVATE-1
2026-06-17T00:59:16.3735725Z - Title: Cross-platform self-elevating re-launch for privilege-gated commands: a pure decision seam `decide_elevation_path(os, elevation, interactive_tty, has_display, has_pkexec, has_term_emulator) -> ElevatePath{AlreadyElevated, InlineSudo, UacWindow, Pkexec, TerminalEmulator, PrintHint}` selecting how to re-acquire privilege, and the per-OS impure launchers it dispatches — Windows UAC console (ShellExecuteW `runas` on the abs-exe + verbatim argv; the elevated child does the work, prints 'You can close this window', and pauses for a keypress; the original prints 'Elevated terminal launched…' and exits 0; NEVER pipes the child's stdout back across the privilege boundary), Linux desktop pkexec (preferred, native polkit GUI auth) else x-terminal-emulator -e sudo (fallback list x-terminal-emulator→gnome-terminal→konsole→xterm), the existing interactive-TTY inline sudo, and the headless/no-path floor that prints the absolute-path command. Reused by every gated command (not subnet-specific). Generalizes should_auto_elevate.
2026-06-17T00:59:16.3738624Z - Required stages: doc, impl, unit
2026-06-17T00:59:16.3738805Z 
2026-06-17T00:59:16.3738905Z ### REQ-WHOAMI-1
2026-06-17T00:59:16.3740733Z - Title: `spt whoami` is a thin ALIAS for `spt endpoint list` (full output: the SELF pin + the subnet roster) — the standalone bare-id command is dropped (the `id=$(spt whoami)` capture was never a real pattern: env vars don't persist between agent tool calls). The one new render: the `endpoint list` SELF pin carries the Self endpoint's authored `endpoint description` (info::read_info(...).resources) when present, inline after the liveness state. whoami stays a top-level hot-path verb (parse unchanged, REQ-MSG-9).
2026-06-17T00:59:16.3742154Z - Required stages: doc, impl, unit
2026-06-17T00:59:16.3742325Z 
2026-06-17T00:59:16.3742435Z ### REQ-RCVIEW-1
2026-06-17T00:59:16.3746929Z - Title: Remote-attach controller/viewer model (CONTEXT.md:317): a session's broker OutputLog serves ONE interactive controller (input + EXCLUSIVE PTY resize; its viewport sets the size, sent on attach + every window change via crossterm Event::Resize) plus ANY NUMBER of read-only `--view` attachers (output-only, no input, no resize; client-side letterbox — center+pad when larger, clip+1-line indicator when smaller; only the local ctrl-b d detach chord). Attach intent is three-valued (`Viewer | Control | Take`, wire-default Control): Control to a FREE endpoint becomes controller, Control to a CONTROLLED endpoint is REFUSED with guidance (`--view`/`--take`) — never auto-viewer, never silent-displace. Wire adds (additive, N-1 skip-unknown): `Request.intent`, `Resize{rows,cols}` (controller-only), `Size{rows,cols}` (→viewer), `Displaced{by}` (→displaced controller). The brain-resume cursor (delivered_through, ADR-0018) tracks the CONTROLLER ONLY; viewers replay from their own from_seq and never move it. Dormancy keys on the controller ONLY: controller attach wakes / controller detach goes dormant (even with viewers present); viewer attach/detach is wake-neutral and may watch a dormant endpoint as-is. v1: viewing is gated identically to driving — a viewer runs the same access_check(Unsolicited) as a controller (watching reveals full session contents = a real disclosure); a lighter distinct watch-gate is deferred to cross-subnet/finer-consent (CONTEXT.md:317 'driving ≠ watching' = the future seam).
2026-06-17T00:59:16.3751169Z - Required stages: doc, impl, unit, int
2026-06-17T00:59:16.3751364Z 
2026-06-17T00:59:16.3751470Z ### REQ-KICK-1
2026-06-17T00:59:16.3754041Z - Title: Explicit, loud controller displacement: `spt rc kick <target>` / `--take` (Take intent) kicks the incumbent controller and becomes controller; the displaced controller receives a LOUD `Displaced{by}` notice and is FULLY DETACHED (not demoted to a viewer). A default attach to a controlled endpoint is NEVER a silent displace (it is the Control busy-refusal). An old (N-1) rc omits intent → Control, so it can drive a free endpoint but CANNOT `--take` — it can never silently steal, and gets a clean busy-refusal instead. Taking control rides the same access_check(endpoint, origin, Unsolicited) as a normal control attach (if you may drive, you may take — no elevated kick policy). The picker surfaces 'Kick <node> and attach' (Take) only on a controlled (blue ■) endpoint, via the existing attach dispatch (single-bringup-path: intent is a parameter).
2026-06-17T00:59:16.3756370Z - Required stages: doc, impl, unit, int
2026-06-17T00:59:16.3756560Z 
2026-06-17T00:59:16.3756689Z ### REQ-HAZARD-VIEWER-ISOLATION
2026-06-17T00:59:16.3759158Z - Title: A slow / dead / hostile VIEWER must NEVER stall the controller, the PTY child, or the session drain thread. The broker drain fans output to the controller on the authoritative blocking bounded path (advances delivered_through) but to each viewer via a bounded per-viewer channel with a dedicated writer thread; the drain `try_send`s under the log lock and a viewer whose bounded queue OVERFLOWS (can't keep up) is EVICTED (queue dropped, writer thread ends, removed from the viewers map) — the drain thread NEVER touches a viewer socket, so no viewer write can backpressure or block it. A soft viewer cap bounds the thread count. Viewer eviction never perturbs the controller stream, the delivered_through cursor, or the child.
2026-06-17T00:59:16.3761107Z - Required stages: unit, int
2026-06-17T00:59:16.3761276Z 
2026-06-17T00:59:16.3761381Z ### REQ-INSTALL-1
2026-06-17T00:59:16.3761695Z - Title: Two install paths; signed one-line script; OS-service registration
2026-06-17T00:59:16.3762059Z - Required stages: doc, impl, int
2026-06-17T00:59:16.3762229Z 
2026-06-17T00:59:16.3762335Z ### REQ-INSTALL-2
2026-06-17T00:59:16.3762587Z - Title: Marketplace-repackaging-friendly install
2026-06-17T00:59:16.3762883Z - Required stages: doc
2026-06-17T00:59:16.3763036Z 
2026-06-17T00:59:16.3763140Z ### REQ-INSTALL-3
2026-06-17T00:59:16.3763394Z - Title: Idempotent + interactive-optional first run
2026-06-17T00:59:16.3763699Z - Required stages: impl, int
2026-06-17T00:59:16.3763868Z 
2026-06-17T00:59:16.3763974Z ### REQ-INSTALL-4
2026-06-17T00:59:16.3764706Z - Title: Adapter registration lifecycle: spt adapter add (--github, manifest-first, install-is-first-update) + soft-deregister remove + optional manifest uninstall template; node-local registered-adapter set self-update ripples over
2026-06-17T00:59:16.3765463Z - Required stages: impl, unit
2026-06-17T00:59:16.3765632Z 
2026-06-17T00:59:16.3765741Z ### REQ-MIGRATE-1
2026-06-17T00:59:16.3766026Z - Title: Auto-detect and migrate a legacy claude_skill_owl install
2026-06-17T00:59:16.3766350Z - Required stages: 
2026-06-17T00:59:16.3766488Z 
2026-06-17T00:59:16.3766588Z ### REQ-INFRA-1
2026-06-17T00:59:16.3766887Z - Title: GitHub issue tracking for v1; tangled.org as migration target
2026-06-17T00:59:16.3767344Z - Required stages: 
2026-06-17T00:59:16.3767483Z 
2026-06-17T00:59:16.3767582Z ### REQ-INSTALL-5
2026-06-17T00:59:16.3768179Z - Title: Non-interactive install path: the canonical one-liner doubles as every adapter's pack-in on-demand install (no second mechanism); sha256-verified fetch; user-PATH registration
2026-06-17T00:59:16.3768800Z - Required stages: impl, int
2026-06-17T00:59:16.3769038Z 
2026-06-17T00:59:16.3769152Z ### REQ-INSTALL-9
2026-06-17T00:59:16.3770500Z - Title: Adapter add from a GitHub release archive: `spt adapter add --release <user/repo> [--tag <tag>] [--asset <name>]` fetches a `.spt` tar asset over HTTPS+GitHub trust, extracts it to the durable adapters/_github home, and registers the root — ships built binaries source-free and versioned (the distribution path for an adapter whose dev repo is a monorepo subdir, where --github root-only clone does not fit)
2026-06-17T00:59:16.3771686Z - Required stages: doc, impl, unit
2026-06-17T00:59:16.3771994Z 
2026-06-17T00:59:16.3772094Z ### REQ-INSTALL-10
2026-06-17T00:59:16.3773476Z - Title: Windows at-logon autostart runs the daemon in the background with no persistent window: the scheduled task launches `spt daemon start` (which spawn_detaches a console-less DETACHED_PROCESS daemon and exits) rather than the foreground `spt daemon run` — Task Scheduler's interactive ONLOGON launch of a long-lived console process otherwise leaves a visible console window for the daemon's whole lifetime (v0.7.4)
2026-06-17T00:59:16.3774670Z - Required stages: impl, unit
2026-06-17T00:59:16.3774832Z 
2026-06-17T00:59:16.3774947Z ### REQ-INSTALL-11
2026-06-17T00:59:16.3776840Z - Title: Adapter command templates resolve their program against the adapter's install dir BEFORE PATH: a `.spt`-shipped binary (dropped to adapters/_github/<safe>/ by --release/--github acquisition, or kept in the source_dir under copy-mode where only manifest+strings/ are copied to adapters/<name>) runs without any PATH placement — a bare-name template token (e.g. `claude-spt-digest ...`) is rewritten to <install_dir>/<program>(.exe on Windows) when that file exists, else left bare for the PATH fallback. Makes a `.spt` self-contained (closes the --release bundled-binary gap perri confirmed) (v0.7.4)
2026-06-17T00:59:16.3778557Z - Required stages: doc, impl, unit
2026-06-17T00:59:16.3778773Z 
2026-06-17T00:59:16.3778891Z ### REQ-REL-1
2026-06-17T00:59:16.3779468Z - Title: spt-releases publish-target repo: README public face, licensing split, Pages docs at the permanent lapse-proof canonical URL (ADR-0014)
2026-06-17T00:59:16.3780040Z - Required stages: doc, impl
2026-06-17T00:59:16.3780216Z 
2026-06-17T00:59:16.3780331Z ### REQ-REL-2
2026-06-17T00:59:16.3780946Z - Title: Release asset set consumable by the self-updater: platform binaries, SHA256SUMS, SignedRelease metadata, manifest schema, mock-adapter zip; tag-triggered cross-repo pipeline
2026-06-17T00:59:16.3781628Z - Required stages: impl, int
2026-06-17T00:59:16.3781814Z 
2026-06-17T00:59:16.3781920Z ### REQ-REL-3
2026-06-17T00:59:16.3782501Z - Title: Two-key release-signing trust anchor: primary + offline never-used recovery, both pubkeys embedded in the binary's trusted set, manual local signing (ADR-0015)
2026-06-17T00:59:16.3783116Z - Required stages: impl, unit
2026-06-17T00:59:16.3783284Z 
2026-06-17T00:59:16.3783388Z ### REQ-DOCS-1
2026-06-17T00:59:16.3783717Z - Title: Dual-audience docs (human + AI dev-agent), markdown once / two depths
2026-06-17T00:59:16.3784124Z - Required stages: doc, impl
2026-06-17T00:59:16.3784289Z 
2026-06-17T00:59:16.3784405Z ### REQ-DOCS-2
2026-06-17T00:59:16.3784690Z - Title: Sub-10-minute runnable killer quickstart per audience
2026-06-17T00:59:16.3785017Z - Required stages: doc, int
2026-06-17T00:59:16.3785188Z 
2026-06-17T00:59:16.3785292Z ### REQ-DOCS-3
2026-06-17T00:59:16.3785597Z - Title: Diátaxis structure; one canonical way to do X
2026-06-17T00:59:16.3785897Z - Required stages: doc
2026-06-17T00:59:16.3786179Z 
2026-06-17T00:59:16.3786293Z ### REQ-DOCS-4
2026-06-17T00:59:16.3786622Z - Title: Agent-consumable layer (llms.txt, manifest schema, MCP, CLI help)
2026-06-17T00:59:16.3787005Z - Required stages: doc, impl, unit
2026-06-17T00:59:16.3787185Z 
2026-06-17T00:59:16.3787296Z ### REQ-DOCS-5
2026-06-17T00:59:16.3787599Z - Title: Anti-drift: rustdoc/schema/exports/CLI-help generated + CI-checked
2026-06-17T00:59:16.3787974Z - Required stages: impl, int
2026-06-17T00:59:16.3788136Z 
2026-06-17T00:59:16.3788274Z ### REQ-HAZARD-GRACE-BEFORE-SIGNOFF
2026-06-17T00:59:16.3788670Z - Title: Grace-period wait completes before composing INIT_SIGNOFF (1.1)
2026-06-17T00:59:16.3789122Z - Required stages: impl, unit
2026-06-17T00:59:16.3789295Z 
2026-06-17T00:59:16.3789437Z ### REQ-HAZARD-INFO-JSON-TORN-READ
2026-06-17T00:59:16.3789738Z - Title: State-file reads tolerate concurrent writes (1.2)
2026-06-17T00:59:16.3792122Z - Required stages: impl, unit
2026-06-17T00:59:16.3792292Z 
2026-06-17T00:59:16.3792412Z ### REQ-HAZARD-STALE-INDEX-LOCK
2026-06-17T00:59:16.3792701Z - Title: Sweep stale lockfiles on daemon boot (1.3)
2026-06-17T00:59:16.3793129Z - Required stages: impl, unit
2026-06-17T00:59:16.3793290Z 
2026-06-17T00:59:16.3793414Z ### REQ-HAZARD-DEFERRED-DRAIN
2026-06-17T00:59:16.3793739Z - Title: Deferred spool rows excluded from the event-stream drain (1.4)
2026-06-17T00:59:16.3794083Z - Required stages: impl, unit
2026-06-17T00:59:16.3794248Z 
2026-06-17T00:59:16.3794364Z ### REQ-HAZARD-WORKER-PATH
2026-06-17T00:59:16.3794679Z - Title: Single source of truth for Worker/Psyche perch location (1.5)
2026-06-17T00:59:16.3795023Z - Required stages: impl, unit
2026-06-17T00:59:16.3795183Z 
2026-06-17T00:59:16.3795318Z ### REQ-HAZARD-PARENT-PID-PREFER
2026-06-17T00:59:16.3795654Z - Title: Prefer stable parent PID / broker handle over ephemeral PID (2.1)
2026-06-17T00:59:16.3795991Z - Required stages: 
2026-06-17T00:59:16.3796138Z 
2026-06-17T00:59:16.3796258Z ### REQ-HAZARD-STDIN-SESSION-ID
2026-06-17T00:59:16.3796543Z - Title: Stdin session_id precedence over env (2.2)
2026-06-17T00:59:16.3796844Z - Required stages: 
2026-06-17T00:59:16.3796987Z 
2026-06-17T00:59:16.3797106Z ### REQ-HAZARD-HANDOFF-ARGV-COMPAT
2026-06-17T00:59:16.3797421Z - Title: Broker/brain IPC + handoff argv version-tolerant (2.3)
2026-06-17T00:59:16.3797745Z - Required stages: impl, unit
2026-06-17T00:59:16.3797904Z 
2026-06-17T00:59:16.3798026Z ### REQ-HAZARD-GEN-START-NOW
2026-06-17T00:59:16.3798305Z - Title: gen_start = now() on cold-start and handoff (2.4)
2026-06-17T00:59:16.3798606Z - Required stages: impl, int
2026-06-17T00:59:16.3798776Z 
2026-06-17T00:59:16.3798896Z ### REQ-HAZARD-EPHEMERAL-CLEANUP
2026-06-17T00:59:16.3799301Z - Title: Ephemeral perch cleanup on every ring exit path (3.1)
2026-06-17T00:59:16.3799630Z - Required stages: impl, unit
2026-06-17T00:59:16.3799783Z 
2026-06-17T00:59:16.3799916Z ### REQ-HAZARD-STALE-SIGNOFF-SENTINEL
2026-06-17T00:59:16.3800245Z - Title: Stale signoff sentinel does not kill a fresh start (3.2)
2026-06-17T00:59:16.3800564Z - Required stages: impl, unit
2026-06-17T00:59:16.3800737Z 
2026-06-17T00:59:16.3800856Z ### REQ-HAZARD-ECHO-BEFORE-SIGNOFF
2026-06-17T00:59:16.3801199Z - Title: Echo-commune fires before INIT_SIGNOFF on orphan teardown (3.3)
2026-06-17T00:59:16.3801542Z - Required stages: impl, unit
2026-06-17T00:59:16.3801699Z 
2026-06-17T00:59:16.3801832Z ### REQ-HAZARD-ENVELOPE-DECODE-ORDER
2026-06-17T00:59:16.3802195Z - Title: Envelope decode order, ampersand decoded last (4.1)
2026-06-17T00:59:16.3802509Z - Required stages: impl, unit
2026-06-17T00:59:16.3802673Z 
2026-06-17T00:59:16.3802795Z ### REQ-HAZARD-ENVELOPE-CR-LINESAFE
2026-06-17T00:59:16.3804690Z - Title: Envelope CR-linesafety (4.1): the line-framed EVENT codec must neutralize raw carriage returns — `event_body_escape` folds CRLF/lone-CR to the codec's representable linebreak (`\n`→`<br>`) BEFORE framing, so a body carrying `\r` (Windows `echo`/CRLF text crossing nodes) cannot survive into the single-line envelope and trigger a receiver terminal CR→col0 overwrite that corrupts the frame. Robustness on unrepresentable input, NOT a wire-format change (decoder untouched, amp-last invariant held). Belt-and-suspenders: `spt send`/`ring` also trim stdin (parity with `notify`).
2026-06-17T00:59:16.3806412Z - Required stages: impl, unit
2026-06-17T00:59:16.3806575Z 
2026-06-17T00:59:16.3806703Z ### REQ-HAZARD-ENVELOPE-PARSER-SAFE
2026-06-17T00:59:16.3807041Z - Title: Two-slice envelope parser is panic-free and tolerant (4.2)
2026-06-17T00:59:16.3807394Z - Required stages: impl, unit
2026-06-17T00:59:16.3807557Z 
2026-06-17T00:59:16.3807685Z ### REQ-HAZARD-EVENTPART-REASSEMBLY
2026-06-17T00:59:16.3808053Z - Title: EVENT-PART split/reassembly is byte-exact; orphan parts dropped silently
2026-06-17T00:59:16.3808430Z - Required stages: impl, unit
2026-06-17T00:59:16.3808591Z 
2026-06-17T00:59:16.3808699Z ### REQ-HAZARD-ID-CHARSET
2026-06-17T00:59:16.3809199Z - Title: Addressable-id charset reserves :/@ delimiters; validated at every creation seam (4.6)
2026-06-17T00:59:16.3809660Z - Required stages: impl, unit
2026-06-17T00:59:16.3809942Z 
2026-06-17T00:59:16.3810063Z ### REQ-HAZARD-REGISTRY-STALE-CLEAN
2026-06-17T00:59:16.3810410Z - Title: Stale registry entries degrade to fallback, never hard-fail (4.3)
2026-06-17T00:59:16.3810767Z - Required stages: impl, unit
2026-06-17T00:59:16.3810924Z 
2026-06-17T00:59:16.3811049Z ### REQ-HAZARD-REGISTRY-CONCURRENT
2026-06-17T00:59:16.3811448Z - Title: Concurrent SQLite openers (registry/spool) must not fail with 'database is locked' (4.7)
2026-06-17T00:59:16.3811853Z - Required stages: impl, unit
2026-06-17T00:59:16.3812021Z 
2026-06-17T00:59:16.3812144Z ### REQ-HAZARD-REGISTRY-DIR-CREATE
2026-06-17T00:59:16.3812674Z - Title: SQLite store opens create their parent dir themselves — a fresh-home registry op must not SQLITE_CANTOPEN (4.9)
2026-06-17T00:59:16.3813141Z - Required stages: doc, impl, unit
2026-06-17T00:59:16.3813313Z 
2026-06-17T00:59:16.3813441Z ### REQ-HAZARD-REGISTRY-EPOCH-LEASE
2026-06-17T00:59:16.3814025Z - Title: Registry merge ordered by per-node monotonic epoch, never wall-clock — a stale Active can't clobber a newer Offline (4.8, red-team #8)
2026-06-17T00:59:16.3814554Z - Required stages: impl, unit
2026-06-17T00:59:16.3814706Z 
2026-06-17T00:59:16.3814836Z ### REQ-HAZARD-DEFERRED-SURVIVE-DRAIN
2026-06-17T00:59:16.3815121Z - Title: Deferred rows survive poll drain (4.4)
2026-06-17T00:59:16.3815402Z - Required stages: impl, unit
2026-06-17T00:59:16.3815565Z 
2026-06-17T00:59:16.3815688Z ### REQ-HAZARD-INBOX-NO-DOUBLE
2026-06-17T00:59:16.3815970Z - Title: No double-delivery via legacy inbox (4.5)
2026-06-17T00:59:16.3816265Z - Required stages: impl, unit
2026-06-17T00:59:16.3816419Z 
2026-06-17T00:59:16.3816547Z ### REQ-HAZARD-WINDOWS-PID-RECYCLE
2026-06-17T00:59:16.3816859Z - Title: Windows PID-recycling false positives guarded (5.1)
2026-06-17T00:59:16.3817178Z - Required stages: impl, unit
2026-06-17T00:59:16.3817339Z 
2026-06-17T00:59:16.3817455Z ### REQ-HAZARD-EBUSY-RENAME
2026-06-17T00:59:16.3817775Z - Title: tmp-write + atomic-rename + retry on Windows EBUSY (5.2)
2026-06-17T00:59:16.3818113Z - Required stages: impl, unit
2026-06-17T00:59:16.3818264Z 
2026-06-17T00:59:16.3818390Z ### REQ-HAZARD-SUBPROCESS-TIMEOUT
2026-06-17T00:59:16.3818685Z - Title: Every harness/git subprocess has a timeout (5.3)
2026-06-17T00:59:16.3819057Z - Required stages: impl, unit
2026-06-17T00:59:16.3819218Z 
2026-06-17T00:59:16.3819356Z ### REQ-HAZARD-UNC-PATH-STRIP
2026-06-17T00:59:16.3819654Z - Title: Strip Windows UNC prefix on serialized paths (5.4)
2026-06-17T00:59:16.3819979Z - Required stages: impl, unit
2026-06-17T00:59:16.3820135Z 
2026-06-17T00:59:16.3820260Z ### REQ-HAZARD-SINGLE-PATH-SOURCE
2026-06-17T00:59:16.3820599Z - Title: Single path/registry source of truth; no layout ambiguity (6.1)
2026-06-17T00:59:16.3820933Z - Required stages: impl, unit
2026-06-17T00:59:16.3821098Z 
2026-06-17T00:59:16.3821214Z ### REQ-HAZARD-SOFT-CLEANUP
2026-06-17T00:59:16.3821538Z - Title: Soft-cleanup preserves state, removes only the ready marker (6.2)
2026-06-17T00:59:16.3821999Z - Required stages: impl, unit
2026-06-17T00:59:16.3822175Z 
2026-06-17T00:59:16.3822295Z ### REQ-HAZARD-CASCADE-WIPE-GUARD
2026-06-17T00:59:16.3822624Z - Title: No hard-delete of a parent hosting non-empty children (6.3)
2026-06-17T00:59:16.3822953Z - Required stages: impl, unit
2026-06-17T00:59:16.3823105Z 
2026-06-17T00:59:16.3823234Z ### REQ-HAZARD-DROP-FILE-SINGLE-WRITER
2026-06-17T00:59:16.3823539Z - Title: Drop files are daemon-owned single-writer (6.4)
2026-06-17T00:59:16.3823845Z - Required stages: impl, unit
2026-06-17T00:59:16.3824001Z 
2026-06-17T00:59:16.3824127Z ### REQ-HAZARD-DIRECT-WRITE-PRECEDENCE
2026-06-17T00:59:16.3824505Z - Title: Direct-write precedence marker (with node id) guards stale overwrite (6.5)
2026-06-17T00:59:16.3824872Z - Required stages: impl, unit
2026-06-17T00:59:16.3825023Z 
2026-06-17T00:59:16.3825153Z ### REQ-HAZARD-CONFLICT-BOTH-PRESERVED
2026-06-17T00:59:16.3825872Z - Title: A surfaced concurrent context pair is durably preserved (both versions, tracked artifacts) until a strictly dominating write clears it; no reconcile failure path discards an unmerged version (6.6, ADR-0013)
2026-06-17T00:59:16.3826693Z - Required stages: impl, unit
2026-06-17T00:59:16.3826859Z 
2026-06-17T00:59:16.3826989Z ### REQ-HAZARD-DETACHED-PIPE-INHERIT
2026-06-17T00:59:16.3828238Z - Title: Windows detached long-lived children must not inherit a captured caller's pipe: every detach-spawn of an immortal child (daemon, shell binary) runs bInheritHandles=FALSE, or a caller capturing output anywhere up the process chain hangs forever on a pipe that never EOFs — std-handle flag stripping is NOT sufficient (grandparent strays still flow) (5.6)
2026-06-17T00:59:16.3829368Z - Required stages: impl, unit
2026-06-17T00:59:16.3829532Z 
2026-06-17T00:59:16.3829651Z ### REQ-HAZARD-CONPTY-DSR
2026-06-17T00:59:16.3829986Z - Title: ConPTY reader must auto-answer DSR (ESC[6n) or all child output stalls (5.5)
2026-06-17T00:59:16.3830362Z - Required stages: impl, unit
2026-06-17T00:59:16.3830539Z 
2026-06-17T00:59:16.3830672Z ### REQ-HAZARD-CHILD-CONSOLE-FLASH
2026-06-17T00:59:16.3831253Z - Title: Console-subsystem children of the console-less daemon spawn with CREATE_NO_WINDOW, or each spawn flashes a visible blank window on the user's desktop (5.8)
2026-06-17T00:59:16.3831817Z - Required stages: impl, unit
2026-06-17T00:59:16.3831983Z 
2026-06-17T00:59:16.3832103Z ### REQ-HAZARD-INSTANT-UNDERFLOW
2026-06-17T00:59:16.3832822Z - Title: Scheduling never subtracts a Duration from Instant::now() (underflow-panics on a host booted more recently than the offset); 'due now / never run' is Option<Instant>=None gated on forward duration_since only (5.9)
2026-06-17T00:59:16.3833523Z - Required stages: impl, unit
2026-06-17T00:59:16.3833684Z 
2026-06-17T00:59:16.3833803Z ### REQ-HAZARD-PUMP-IPC-DEADLINE
2026-06-17T00:59:16.3834743Z - Title: The single-threaded peer pump's brain-IPC reads are deadline-bounded (PUMP_PEER_IO_TIMEOUT, total-wait per call); a TimedOut read POISONS the client and escalates to a SUPERVISED RESTART, never a per-peer retry — a black-holed peer must never wedge the whole pump
2026-06-17T00:59:16.3835583Z - Required stages: doc, impl, unit
2026-06-17T00:59:16.3835746Z 
2026-06-17T00:59:16.3835869Z ### REQ-HAZARD-SUDO-SECURE-PATH
2026-06-17T00:59:16.3836846Z - Title: Elevation guidance on Unix names the binary's ABSOLUTE path under sudo (a user-local install ~/.local/bin · ~/.cargo/bin is not on sudo's secure_path, so bare `sudo spt` dies 'command not found'); gated commands auto-elevate on an interactive TTY, else print the runnable hint (5.10)
2026-06-17T00:59:16.3837705Z - Required stages: impl, unit
2026-06-17T00:59:16.3837866Z 
2026-06-17T00:59:16.3837984Z ### REQ-HAZARD-SELF-ELEVATE
2026-06-17T00:59:16.3840318Z - Title: Self-elevation (REQ-ELEVATE-1) re-runs the EXACT original invocation with the binary's ABSOLUTE exe path — never widening privilege scope, never adding/altering args, never via a PATH-resolved bare name, never via a shell-interpolated command string (argv-array only, no `sh -c`); the elevated child drops state back to the user (composes with the 5.7 de-elevation) and NEVER re-elevates (loop-safe: decide_elevation_path returns AlreadyElevated whenever the process is already Elevated, on every OS). The user's UAC/polkit/sudo prompt is the only consent gate — we never bypass it; the print-hint floor prints the absolute-path command too. The unprivileged parent never depends on (pipes/captures) the privileged child's stdout.
2026-06-17T00:59:16.3842453Z - Required stages: unit
2026-06-17T00:59:16.3842600Z 
2026-06-17T00:59:16.3842726Z ### REQ-HAZARD-LOCAL-API-AUTH
2026-06-17T00:59:16.3843064Z - Title: Every local `api` mutation authenticated to an endpoint/session (codex #13)
2026-06-17T00:59:16.3843435Z - Required stages: impl, unit
2026-06-17T00:59:16.3843600Z 
2026-06-17T00:59:16.3843725Z ### REQ-HAZARD-RESTART-IDEMPOTENT
2026-06-17T00:59:16.3844130Z - Title: Idempotent/exactly-once delivery across brain restart at every broker boundary (codex #14)
2026-06-17T00:59:16.3844564Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3844840Z 
2026-06-17T00:59:16.3844961Z ### REQ-HAZARD-UPDATE-ROLLBACK
2026-06-17T00:59:16.3845364Z - Title: Self-update rejects version rollback; metadata expiry + adapter content signing (codex #5)
2026-06-17T00:59:16.3845785Z - Required stages: impl, unit
2026-06-17T00:59:16.3845953Z 
2026-06-17T00:59:16.3846076Z ### REQ-HAZARD-DAEMON-HOSTED-LIVENESS
2026-06-17T00:59:16.3846640Z - Title: Daemon-hosted perches (Psyche, spt-hosted Self) derive liveness from the daemon endpoint table + info.json status, never is_process_alive(info.pid) (2.5)
2026-06-17T00:59:16.3847221Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3847393Z 
2026-06-17T00:59:16.3847513Z ### REQ-HAZARD-BROKER-PROCESS-ISOLATION
2026-06-17T00:59:16.3850293Z - Title: Broker and brain are separate processes: the broker runs as its own long-lived per-machine process that survives every brain restart, so a routine (brain-only) self-update restarts the brain onto the swapped binary while every hosted endpoint (PTY child, live QUIC conn, listening socket) stays untouched at the PROCESS level. The in-process-thread broker (daemon.rs:165-170) is a regression that silently unrealizes REQ-UPD-3 — apply degrades to an in-process Brain::handoff no-op and new code does not run until an unrelated restart (KNOWN-HAZARDS 6.7). Evidence must prove process-level survival (SPIKE-01/03 productionized as int: PTY child + live QUIC survive a brain-PROCESS restart onto a swapped binary), re-pointing the regression-masked in-process int tags currently on REQ-DAEMON-2 / REQ-UPD-3 (ADR-0018).
2026-06-17T00:59:16.3852497Z - Required stages: doc, impl, unit, int
2026-06-17T00:59:16.3852679Z 
2026-06-17T00:59:16.3852803Z ### REQ-HAZARD-ROLLBACK-STATE-COMPAT
2026-06-17T00:59:16.3854590Z - Title: A brain must not irreversibly migrate durable state before update ready-promotion: the readiness-gated auto-rollback (ADR-0018 Q7) spawns the N-1 binary against durable state the new brain may have written, so every pre-ready write must stay N-1-readable (schema migrations gated behind ready-promotion, or written N-1-tolerant/additive). Else the first in-place schema migration silently bricks rollback (KNOWN-HAZARDS 6.8). Free now — a 2026-06-09 audit confirmed zero state-migration code exists; unmintable retroactively once a migration ships.
2026-06-17T00:59:16.3856143Z - Required stages: doc, impl, unit
2026-06-17T00:59:16.3856317Z 
2026-06-17T00:59:16.3856436Z ### REQ-HAZARD-BRAIN-RESPAWN-PATH
2026-06-17T00:59:16.3859076Z - Title: The broker respawns the brain onto the APPLIED bytes, not the renamed old binary: the candidate-binary default is the canonical exe path captured ONCE at broker start, never a per-spawn std::env::current_exe() — on Linux current_exe (readlink /proc/self/exe) is inode-tracking and follows the `apply` rename (spt -> spt.old-N), so a resident broker would respawn the brain onto OLD bytes while recording `applied` (Windows GetModuleFileName is path-at-start, so Windows was green; ADR-0018 Q3 silently assumed path-string semantics). Backstop: promotion gates on bytes — a trial promotes only if brain.ready exe_hash == the staged artifact hash for this platform, else auto-rollback + loud notif (readiness != new-bytes was the false-success that recorded applied:8 over a v0.4.0 brain on kitsubito, 2026-06-11). KNOWN-HAZARDS 6.11.
2026-06-17T00:59:16.3861415Z - Required stages: doc, impl, unit, int
2026-06-17T00:59:16.3861601Z 
2026-06-17T00:59:16.3861728Z ### REQ-HAZARD-PSYCHE-OUTBOUND-PROXY
2026-06-17T00:59:16.3862648Z - Title: Psyche outbound captured + sanitized: the live-Psyche turn driver captures stdout (never Stdio::null), and the daemon strips/re-stamps Psyche-supplied from=/target and constrains routing (reply→__REPLY_TO__ sender, notify→own user/subnet) (7.3)
2026-06-17T00:59:16.3863464Z - Required stages: impl, unit
2026-06-17T00:59:16.3863654Z 
2026-06-17T00:59:16.3863779Z ### REQ-HAZARD-DAEMON-SCHED-NONBLOCKING
2026-06-17T00:59:16.3864555Z - Title: Per-agent pulse/psyche/echo-commune scheduling must not serialize across agents: each agent's bounded LLM call (echo-commune summarizer, Psyche turn) runs off the shared scheduler so one slow/hung call cannot stall another agent's tick (7.4)
2026-06-17T00:59:16.3865465Z - Required stages: impl, unit
2026-06-17T00:59:16.3865636Z 
2026-06-17T00:59:16.3865766Z ### REQ-HAZARD-PAIR-TRANSCRIPT-BIND
2026-06-17T00:59:16.3866565Z - Title: Pairing transcript binds roles, both node pubkeys, subnet ID, seed epoch, TOTP time-step, and confirmation MACs — or unknown-key-share/reflection/wrong-subnet/replay pairing remain possible (ADR-0005 #12)
2026-06-17T00:59:16.3867258Z - Required stages: impl, unit
2026-06-17T00:59:16.3867426Z 
2026-06-17T00:59:16.3867549Z ### REQ-HAZARD-PAIR-SEED-ROTATION
2026-06-17T00:59:16.3868213Z - Title: Removing a node rotates the subnet seed (epoch bump) so an old node/old seed cannot rejoin; trust-store delete alone is NOT revocation because the seed is replicated to every trusted node (ADR-0005 #10)
2026-06-17T00:59:16.3868900Z - Required stages: impl, unit
2026-06-17T00:59:16.3869171Z 
2026-06-17T00:59:16.3869292Z ### REQ-HAZARD-PAIR-RATE-LIMIT
2026-06-17T00:59:16.3870288Z - Title: Subnet-global pairing rate limit: one active ceremony per subnet, shared attempt counter, exponential backoff — a public pre-trust relay + multiple seed-holders otherwise enables distributed SPAKE2 guessing (and ±1 TOTP window triples the valid-password space) (ADR-0005 #11)
2026-06-17T00:59:16.3871176Z - Required stages: impl, unit
2026-06-17T00:59:16.3871346Z 
2026-06-17T00:59:16.3871462Z ### REQ-HAZARD-WAN-ORIGIN-AUTH
2026-06-17T00:59:16.3872377Z - Title: WAN-inbound origin is transport truth, never payload: the access gate's subject (ADR-0009 origin-node whitelist) is the QUIC handshake-proven remote node id from the broker's conn/stream table — a forged origin/node field inside record bytes is inert (7.5)
2026-06-17T00:59:16.3873194Z - Required stages: doc, impl, unit
2026-06-17T00:59:16.3873365Z 
2026-06-17T00:59:16.3873470Z ### REQ-CONSENT-1
2026-06-17T00:59:16.3874462Z - Title: Consent grant store: capability x subject-agent x target-node rows, enforced at the target node, subnet-settable (replicates as security material near the trust store), revocable; gated-capability ids (remote-exec, instantiate-anywhere) reserved-but-refusing; v1 consumers are the shell spawn gates (CONTEXT Consent & security gates)
2026-06-17T00:59:16.3875495Z - Required stages: impl, unit
2026-06-17T00:59:16.3875658Z 
2026-06-17T00:59:16.3875753Z ### REQ-CONSENT-2
2026-06-17T00:59:16.3876664Z - Title: Interactive consent escalation: an ungated high-risk action routes a consent prompt to the user's most-recently-active session; allow-once / allow-always (writes a grant) / deny; pre-consent flags (can_shutdown, shell_wake_spawn_anywhere) author grants via manifest/settings (CONTEXT Consent & security gates)
2026-06-17T00:59:16.3877624Z - Required stages: impl, unit
2026-06-17T00:59:16.3877795Z 
2026-06-17T00:59:16.3877900Z ### REQ-PRES-1
2026-06-17T00:59:16.3879584Z - Title: Presence resolution: the presence datum (last_active_node, last_active_endpoint, ts) gossiped subnet-wide via the agent-interaction heartbeat (rides registry distribution, visibility-gated) + one first-class most-recently-active resolution API consumed by notif first-fire, update-consent delivery, consent escalation, and shell wake resolution (M5 scope decision 1: resolution only — the PresenceChannel endpoint stays deferred)
2026-06-17T00:59:16.3881597Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3881863Z 
2026-06-17T00:59:16.3882018Z ### REQ-SHELL-1
2026-06-17T00:59:16.3883539Z - Title: Shell hosting machinery: shell perch under the owner (type/owner/adapter_name/status/alias), broker-launched binary + api bind local-link handshake, the three channels (command durable, text+file durable + progress-queryable, sensory REST-only never spooled + dropped-unless-owner-live), owner exclusivity (CONTEXT Shell model)
2026-06-17T00:59:16.3885127Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3885398Z 
2026-06-17T00:59:16.3885545Z ### REQ-SHELL-2
2026-06-17T00:59:16.3888203Z - Title: Shell sleep/wake: link-break always closes the binary (pre-close instruction + termination timeout), ephemeral teardown vs persistent offline/relink, wake_command wake-watcher (offline-only, exit-opcode supervision, exponential backoff + give-up), state-keyed wake resolution (dormant/suspended/active-elsewhere; no-reachable refuses — spawn-anywhere branch deferred), spt shutdown owner cascade + api owner-shutdown gated by can_shutdown (CONTEXT Shell sleep/wake)
2026-06-17T00:59:16.3890491Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3890752Z 
2026-06-17T00:59:16.3890917Z ### REQ-HAZARD-ELEVATED-DAEMON-SPAWN
2026-06-17T00:59:16.3893176Z - Title: The daemon always runs unelevated in the invoking user's universe, regardless of which command spawns it: an elevated spawner de-elevates (Windows: UAC linked token via CreateProcessWithTokenW; Linux: drop to SUDO_UID/SUDO_GID + the invoker's HOME) — an elevated daemon's pipes deny unelevated clients (every later spt reads not-running→spawn→bind Access-denied) and a sudo'd daemon roots the user's state universe (5.7)
2026-06-17T00:59:16.3895130Z - Required stages: doc, impl, unit
2026-06-17T00:59:16.3895372Z 
2026-06-17T00:59:16.3895545Z ### REQ-HAZARD-REGISTRY-GHOST-ROWS
2026-06-17T00:59:16.3897827Z - Title: A dead node identity's registry rows must decay: only the per-(endpoint,node) epoch lease supersedes rows, so without eviction a vanished node's rows are immortal and poison bare-id resolution with phantom AcrossNodes ambiguity — evict rows whose author node has not been heard (admitted inbound feed) within the eviction window; own rows never decay; a revived node re-inserts from its durable epoch within one pump cadence (4.10)
2026-06-17T00:59:16.3899864Z - Required stages: doc, impl, unit
2026-06-17T00:59:16.3900122Z 
2026-06-17T00:59:16.3900266Z ### REQ-CLI-1
2026-06-17T00:59:16.3902036Z - Title: spt endpoint noun namespace: absorbs fork/suspend/wake/shutdown/rename/stop/digest + access (ported 1:1: allow|revoke|open|list, decision 21) + description (ex-resources blurb; bare=show, set=author); merged endpoint list [--local|--subnet <name>] grouped by subnet with SELF pinned, --detail adding the ex-resources yellow-pages blurb projection; bare spt endpoint = the list (M8 decisions 1-2, 25)
2026-06-17T00:59:16.3903841Z - Required stages: impl, unit
2026-06-17T00:59:16.3904058Z 
2026-06-17T00:59:16.3904178Z ### REQ-CLI-2
2026-06-17T00:59:16.3905360Z - Title: spt daemon noun: run|stop|status (hidden daemon verb becomes daemon run; agent-endpoint shutdown keeps its name under endpoint); daemon status renders the pump heartbeat (last-tick recency) so a half-dead daemon is never rendered implied-healthy (M8 decisions 5, 23)
2026-06-17T00:59:16.3906647Z - Required stages: impl, unit
2026-06-17T00:59:16.3906856Z 
2026-06-17T00:59:16.3906981Z ### REQ-CLI-3
2026-06-17T00:59:16.3908187Z - Title: Agent hot path stays flat across the M8 reorg: send/ring/ready/whoami/how-to unchanged; notify moves to subnet notify while notif stays top-level; breaking renames land clean with no deprecation shims (zero external CLI consumers pre-spt-claude-code) (M8 decisions 3-4, 9)
2026-06-17T00:59:16.3909762Z - Required stages: impl, unit
2026-06-17T00:59:16.3909982Z 
2026-06-17T00:59:16.3910100Z ### REQ-SUBNET-5
2026-06-17T00:59:16.3911962Z - Title: Per-subnet serve-state: spt subnet detach <NAME> [--save] / attach <NAME> [--save] — daemon keeps running, stops/starts advertising + connecting for that subnet (peer pump + responder selective); --save persists the startup default in daemon config; the all-attached banner gains per-subnet states (M8 decision 6, --save renamed from --auto per decision 25 session)
2026-06-17T00:59:16.3913616Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3913840Z 
2026-06-17T00:59:16.3913969Z ### REQ-SUBNET-6
2026-06-17T00:59:16.3915153Z - Title: Trust lifecycle verbs, elevation-gated: spt subnet leave <NAME> (membership exit) and spt subnet prune <node> (removes a dead identity's trust + registry rows, killing its dead dials; trust mutation = security surface, REQ-PAIR-6 gate machinery) (M8 decisions 6-7)
2026-06-17T00:59:16.3916560Z - Required stages: impl, unit
2026-06-17T00:59:16.3916779Z 
2026-06-17T00:59:16.3916904Z ### REQ-SUBNET-7
2026-06-17T00:59:16.3919669Z - Title: Per-machine re-pair trust overwrite: registry rows carry a hashed stable machine identifier (OS machine id /etc/machine-id|MachineGuid, domain-separated SHA-256 before gossip, spt-minted persisted UUID fallback; additive serde-default field — old rows parse clean); a COMPLETED pairing ceremony presenting the same node label AND machine id as an existing trusted row evicts the superseded identity's trust + registry rows on the seed-holder and replicates the eviction; a gossiped claim alone never evicts trust (M8 decisions 13, 22)
2026-06-17T00:59:16.3922030Z - Required stages: impl, unit
2026-06-17T00:59:16.3922247Z 
2026-06-17T00:59:16.3922367Z ### REQ-SUBNET-8
2026-06-17T00:59:16.3924229Z - Title: Status render honesty: zero-subnet text is daemon-aware ('No subnets registered — this node is standalone.' + daemon-running-dependent blurb, never implying messaging works while the daemon is down); hint footer prints on bare spt subnet only (status drops it); a stalled pump is surfaced in subnet status, never rendered implied-healthy (M8 decisions 11-12, 23)
2026-06-17T00:59:16.3925909Z - Required stages: impl, unit
2026-06-17T00:59:16.3926127Z 
2026-06-17T00:59:16.3926252Z ### REQ-INSTALL-6
2026-06-17T00:59:16.3928225Z - Title: Linux elevation install leg: install.sh symlinks the binary into a sudo-reachable path (/usr/local/bin; graceful print-the-one-liner when unelevated) so sudo spt resolves; first sudo spt detects elevation and prompts ONCE for the default user account — thereafter any elevated daemon launch runs daemon + state under that account, never root (KH 5.7 interplay verified) (M8 decision 8)
2026-06-17T00:59:16.3930064Z - Required stages: impl, unit
2026-06-17T00:59:16.3930285Z 
2026-06-17T00:59:16.3940999Z ### REQ-INSTALL-7
2026-06-17T00:59:16.3942334Z - Title: Windows inbound reachability: the elevated install leg registers the inbound-UDP firewall rule (New-NetFirewallRule); the daemon self-detects blocked inbound and renders it as the no-connection state in subnet status + the coming-online banner (covers user-scope installs that skip the elevated leg — never a silent NO_SEED_HOLDER dead-end) (M8 root cause 3)
2026-06-17T00:59:16.3943391Z - Required stages: impl
2026-06-17T00:59:16.3943535Z 
2026-06-17T00:59:16.3943627Z ### REQ-INSTALL-8
2026-06-17T00:59:16.3944724Z - Title: OS-service registration (REQ-INSTALL-1's deferred third leg): Linux systemd USER service + loginctl enable-linger (linger rides the elevated install leg; daemon starts at boot pre-login, user universe per KH 5.7, systemctl --user managed); Windows scheduled task at-logon (interactive session, no stored credentials); a node is reachable after reboot without any manual spt invocation (M8 decision 17)
2026-06-17T00:59:16.3946077Z - Required stages: impl
2026-06-17T00:59:16.3946233Z 
2026-06-17T00:59:16.3946332Z ### REQ-CONV-1
2026-06-17T00:59:16.3947777Z - Title: Peer address seeding, both cold starts: durable peer-addrs.json (identity dir) maps peer pubkey → last-known dialable address; the pump's resolver consults it FIRST with id-only discovery fallback on miss or dial failure (a stale addr never strands a peer); written by the pairing ceremony (both sides, from the live connection) and by the pump on successful connect; post-join first sync and post-restart resync converge in seconds, not ~1 min (M8 decisions 14, 20)
2026-06-17T00:59:16.3949139Z - Required stages: impl, unit
2026-06-17T00:59:16.3949303Z 
2026-06-17T00:59:16.3949398Z ### REQ-CONV-2
2026-06-17T00:59:16.3950524Z - Title: Event-driven advertisement: endpoint online/offline transitions (ready-listener start/stop, rest-state transition, perch death) trigger an immediate advertise_local + peer push as a WAKE of the existing pump loop (no second advertisement path — epoch lease + visibility gates ride unchanged); the cadence stays the steady-state floor (M8 decision 15)
2026-06-17T00:59:16.3951673Z - Required stages: impl, unit
2026-06-17T00:59:16.3951811Z 
2026-06-17T00:59:16.3951897Z ### REQ-PAIR-8
2026-06-17T00:59:16.3953185Z - Title: NTP TOTP offset: the pairing ceremony queries NTP at ceremony time (both sides) and applies the derived offset to the TOTP calculation in-process only; system-clock fallback when NTP is unreachable (offline LAN pairing unaffected — NTP failure never blocks a pairing that succeeds today); never sets the OS clock; no background sync loop (M8 decision 18; field trigger: enlyzeam clock >1 min off exceeds the ±1 window)
2026-06-17T00:59:16.3954336Z - Required stages: impl, unit
2026-06-17T00:59:16.3954479Z 
2026-06-17T00:59:16.3954559Z ### REQ-DAEMON-5
2026-06-17T00:59:16.3955904Z - Title: Pump liveness: the peer pump writes a last-tick heartbeat consumed by daemon status / subnet status (decision 23 render legs in REQ-CLI-2/REQ-SUBNET-8); the daemon supervises the pump task — a panic is caught, logged loudly, and the pump restarts with capped backoff (≤5 min), so a 5.9-class death self-heals visibly instead of silently halving the daemon (M8 decision 23; field motivation: hfenduleam 2026-06-07 half-death)
2026-06-17T00:59:16.3957107Z - Required stages: impl, unit
2026-06-17T00:59:16.3957256Z 
2026-06-17T00:59:16.3957341Z ### REQ-DAEMON-6
2026-06-17T00:59:16.3959399Z - Title: Service-aware `daemon start`/`stop`: when an OS service manager has a registered spt-daemon for this user, `spt daemon start` and `spt daemon stop` drive THAT service (so stop doesn't IPC-kill a unit that auto-restart-fights for the broker socket — the kitsubito 2026-06-08 loop). `start` graduates from a `run` alias to a first-class background verb (ensure-up, idempotent, non-blocking); stop routes managed→manager, manual→IPC. Linux=systemd user unit (`systemctl --user start|stop|is-active spt-daemon`, detected by unit-file presence); Windows=no controllable manager (the logon task is boot-only), so start=detached spawn / stop=IPC.
2026-06-17T00:59:16.3961127Z - Required stages: impl, unit
2026-06-17T00:59:16.3961274Z 
2026-06-17T00:59:16.3961360Z ### REQ-DAEMON-7
2026-06-17T00:59:16.3962796Z - Title: `daemon run` is foreground-consistent on every platform: the invoking process IS the daemon, blocks until signalled, never auto-detaches or respawns into an invisible background task. The detached/de-elevated background behavior lives ONLY in `start`. Windows: an ELEVATED `daemon run` refuses with guidance (use `start`, or an unelevated shell) instead of respawning detached/de-elevated and vanishing (KH 5.7 preserved — it still never serves elevated).
2026-06-17T00:59:16.3964055Z - Required stages: impl, unit
2026-06-17T00:59:16.3964198Z 
2026-06-17T00:59:16.3964280Z ### REQ-DAEMON-8
2026-06-17T00:59:16.3965297Z - Title: Internal auto-start prefers the service: `ensure_running` (any spt command's implicit daemon start, REQ-DAEMON-3) routes through the service-aware start path — when a manager has a registered service it starts THAT, never a competing manual `spawn_detached` daemon that would fight the service for the socket.
2026-06-17T00:59:16.3966340Z - Required stages: impl, unit
2026-06-17T00:59:16.3966484Z 
2026-06-17T00:59:16.3966575Z ### REQ-DAEMON-9
2026-06-17T00:59:16.3968903Z - Title: Net-bind boot-race resilience: a daemon that comes up net-less (NetHost::start failed — e.g. the systemd unit autostarted before the network/DNS stack was ready, `Failed to create an address lookup service`) must SELF-HEAL — retry the net bring-up in the background with capped backoff and, on success, attach net to the broker + spawn the dispatcher/peer-pump (which today are gated on `net_up` at boot and so never start, leaving the node silently unreachable until a manual restart — kitsubito 2026-06-08). Status surfaces the net-less state honestly (a net-less broker renders as 'no connection', not only a pump-STALLED line with a bogus pre-boot heartbeat age). The installer's autostart unit waits for the network (`Wants=/After=network-online.target`) as belt-and-suspenders.
2026-06-17T00:59:16.3969212Z - Required stages: impl, unit
2026-06-17T00:59:16.3969246Z 
2026-06-17T00:59:16.3969361Z ### REQ-HAZARD-LIVEHOST-BOOT-RACE
2026-06-17T00:59:16.3972884Z - Title: The brain's daemon-hosted Psyche lifecycle surfaces a host-FAILURE on the live perch (harness-diagnosable) and runs net-INDEPENDENTLY. When reconcile_once→host_one→spawn_psyche fails for a state=live_agent+status=online endpoint (e.g. the adapter's psyche binary absent from its install dir, REQ-INSTALL-11), the failure MUST be written to the perch info.json as a CURRENT-STATE field (reason + ts + attempt count; overwritten each 5s retry, CLEARED on successful host) and surfaced by `spt endpoint list`/status — never left as an eprintln on the brain's invisible stderr where a harness reading only perch state is blind. status=online stays authoritative (agent reachable; only the Psyche is missing — brain-restart rehydrate legitimately has online-without-Psyche windows), so this is a SEPARATE psyche-host-health field, never a status de-stamp. Net-independence is a locked-in invariant: spawn_live_host (brainproc.rs:230) reaches the reconcile and hosts the Psyche on a net-less/unpaired/peer-pump-STALLED node, proven by a REAL detached-daemon E2E (real broker→brain-child, real api seed+listen, real install-dir psyche binary). spt-core SURFACES the failure; the adapter owns fixing its packaging.
2026-06-17T00:59:16.3973051Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3973089Z 
2026-06-17T00:59:16.3973194Z ### REQ-HAZARD-TEMPLATE-ARGV-FILL
2026-06-17T00:59:16.3976929Z - Title: Command-template substitution fills argv ELEMENTS, not a re-tokenized string: spt-core currently `fill_template`s {key} values INTO the command STRING and THEN `tokenize`s the filled string (runtime.rs:94/122), so a multi-word {key} value whitespace-SPLITS into multiple argv tokens unless the adapter hand-quotes the placeholder, and a value containing a `"` (or `;`) injects/breaks tokenization (shell-injection-adjacent). A filled value MUST become exactly ONE argv element regardless of spaces/quotes in the value. Fix: tokenize the TEMPLATE into argv FIRST, then `fill_template` EACH token, so a `{key}` slot resolves to a single element and the value never participates in tokenization (no whitespace-split, no quote/semicolon injection); preserve the missing-key / empty-command errors and `{{`/`}}` non-interpretation. perri's F-009 (v0.8.1 dogfood, argv-capture-confirmed): a multi-word `{psyche_prompt}` = "PSYCHE REVIVAL time: epoch-ms:… incoming event: (none)" arrived as argv[6..12] (7 stray tokens), the harness runner strict-parsed `--prompt` against the 2nd word, exited 2 within ~1s → phantom hosted perch. Applies to EVERY [session.<role>] template (psyche_init, extractor, notif, …); digest survives today only because its fills ({session_id}/{source}) are single-token.
2026-06-17T00:59:16.3977135Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3977286Z 
2026-06-17T00:59:16.3977393Z ### REQ-HAZARD-LIVEHOST-NONRESIDENT
2026-06-17T00:59:16.3980725Z - Title: A daemon-hosted Psyche that spawns then EXITS IMMEDIATELY is a host failure, surfaced like a spawn failure (closes the v0.8.1 residual masking): the REQ-HAZARD-LIVEHOST-BOOT-RACE signal stamps `psyche_host_error` only when `spawn_psyche` returns Err, NOT when the detached spawn() returns Ok but the child dies within moments (e.g. a bad-argv child exiting 2 — the F-009 case). That leaves the residual 'online + no Psyche + no cause' gap: the nested `{id}-psyche` info.json is written status=online with a real-but-DEAD pid and the PARENT perch carries NO psyche_host_error (perri's F-010: tasklist showed 0 host procs across the window while info.json read online). The host MUST confirm RESIDENCY — a hosted child not alive (or whose `{id}-psyche` perch never re-registers / has a dead pid) within N seconds of spawn is treated as a host failure: stamp the parent perch `psyche_host_error{reason:"host not resident within <n>s (psyche perch missing/dead pid)"}` (and do not leave a phantom online nested perch). Closes the last masking gap the v0.8.1 fix left open. perri's F-010 (v0.8.1 dogfood). Sibling of REQ-HAZARD-LIVEHOST-BOOT-RACE.
2026-06-17T00:59:16.3980969Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3981002Z 
2026-06-17T00:59:16.3981106Z ### REQ-HAZARD-EPOCH-RESET
2026-06-17T00:59:16.3982389Z - Title: Advertisement-epoch reset strands a node: peers' higher last-seen epoch drops the reset node's fresh advertisements as Stale until the counter outruns history. Common case (full reinstall/re-pair) is mitigated by REQ-SUBNET-7's ceremony eviction (peer-side epoch memory dies with the deleted row — acceptance-verified); the residual narrow slice (epoch file lost, identity kept) is documented, guard deferred to a field hit (4.11)
2026-06-17T00:59:16.3982495Z - Required stages: 
2026-06-17T00:59:16.3982529Z 
2026-06-17T00:59:16.3982622Z ### REQ-MESH-1
2026-06-17T00:59:16.3984708Z - Title: Membership proof (seed-proof): symmetric current-epoch seed-knowledge replaces is_trusted at EVERY inbound gate (registry apply, WAN receive, sync, notif, connection accept). MK = HKDF(seed, domain ‖ subnet_id ‖ seed_epoch); mutual channel-bound challenge-response at connect (transcript binds both handshake-proven node pubkeys, both nonces, subnet_id, seed_epoch, role); verified once per connection, cached on the broker ConnEntry, kept warm via QUIC keep-alive so re-proof is restart/partition/rotation-only. Exact-epoch match (re-seed is the sole N-1 exception). SECURITY INVARIANTS: channel-bound (no cross-connection replay), mutual, accepts a member it never paired (the mesh property).
2026-06-17T00:59:16.3984828Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3984856Z 
2026-06-17T00:59:16.3984937Z ### REQ-MESH-2
2026-06-17T00:59:16.3987437Z - Title: Member roster: node-level union-merge grow-set (per member: pubkey, label, machine_id, last-known address, last-seen — NOT the seed), the discovery directory the mesh dials by. Seeded IN FULL at pairing (seed-holder hands joiner the whole current roster, incl. offline members — folds in deferred pairing-time hostname capture + post-join address seeding); each node authors its own entry stamped with its lease_epoch, merged strictly-greater-wins (the node_label lease); exchanged only over seed-proof'd member connections; forgery-inert (a fake entry names a pubkey that still can't seed-proof). Removal needs a TOMBSTONE — a per-pubkey revoked marker that propagates, dominates the entry, gates admission (seed-proof ∧ ¬tombstoned), and prevents reinsert; cleared by a completed re-pair of that pubkey. Persists through silence (offline member keeps its entry).
2026-06-17T00:59:16.3987561Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3987594Z 
2026-06-17T00:59:16.3987686Z ### REQ-MESH-3
2026-06-17T00:59:16.3989360Z - Title: Mesh row fan-out: registry rows stay OWN-AUTHORED; the only change is the push target widens from directly-paired peers to ALL roster members (a wider DIRECT fan-out, never a third-party relay). Every row/message still arrives from its author over a handshake → KNOWN-HAZARDS 7.5 (origin = handshake node) and 4.10 (eviction lease: any future update comes from that node itself, alive) PRESERVED VERBATIM. Closes the staggered A→B→C repro: C (roster-seeded with A at pairing) initiates to A, seed-proof admits C unpaired, A learns C, both push directly.
2026-06-17T00:59:16.3989594Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3989627Z 
2026-06-17T00:59:16.3989727Z ### REQ-MESH-4
2026-06-17T00:59:16.3991876Z - Title: Revoke + timeboxed seed rotation + re-seed grace: `spt subnet revoke <node>...` (list, elevation-gated, revoke-only) writes roster tombstones immediately, then schedules ONE seed rotation (re-mint seed, bump seed_epoch, push new seed CONFIDENTIALLY over member-auth'd TLS connections — never in roster/registry gossip — force-drop revokees) at the close of a coalescing window (default 1h); further revokes in the window join the same rotation (one epoch bump). `--force-rotate-seed` rotates immediately (compromised-node path). RE-SEED GRACE: a node proving the immediately-prior epoch (N-1) AND still on the roster gets a re-seed-only restricted connection (auto-heals a benign offliner); revoked/off-roster denied; ≥2 stale → re-pair.
2026-06-17T00:59:16.3992110Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3992149Z 
2026-06-17T00:59:16.3992243Z ### REQ-MESH-5
2026-06-17T00:59:16.3993613Z - Title: Hard cutover from pairwise trust: delete peers.json + the is_trusted authorization path (no migration — expendable test fleet, re-pairs fresh under the new model, user decision 2026-06-08). Warn-on-change DEMOTED from a gate to an awareness notice anchored on machine_id (not label): 'machine M, last seen as K1, now presents K2' — fires the same event as the REQ-SUBNET-7 re-pair overwrite. The TrustStore/peers.json code and its call sites are removed, not left dead.
2026-06-17T00:59:16.3993743Z - Required stages: impl, unit
2026-06-17T00:59:16.3993786Z 
2026-06-17T00:59:16.3993880Z ### REQ-MESH-6
2026-06-17T00:59:16.3995063Z - Title: Concurrent liveness probes: `spt subnet status --nodes` fans out its offline/serve-probes (REQ-SUBNET-5) CONCURRENTLY — total wall-time bounded by the single-probe ceiling (~3s), never k×ceiling. The mesh makes a node see ALL members (many possibly offline), so a serial probe loop would be offline_count×3s. (Planning verifies the current REQ-SUBNET-5 probe loop's behavior and fixes it if serial.)
2026-06-17T00:59:16.3995163Z - Required stages: impl, unit
2026-06-17T00:59:16.3995196Z 
2026-06-17T00:59:16.3995292Z ### REQ-SHELL-3
2026-06-17T00:59:16.3997058Z - Title: Drive channel (owner->shell, REST-only, never-spooled, latest-wins): the owner->shell mirror of sensory for continuous real-time control (scroll/crank/stick/avatar) — a [shell.drive] manifest vocab + EVENT_TYPE_DRIVE frame, delivered to the ONLINE binary only via a single live slot (a new frame supersedes an undelivered one — no spool, no queue, no replay on relink), dropped-with-diagnostic if the shell is offline; cross-node rides the ephemeral link (REST class), never the durable shell spool. Commands = discrete+durable; drive = continuous+ephemeral (CONTEXT:260, minted 2026-06-11 Gateway grill).
2026-06-17T00:59:16.3997171Z - Required stages: impl, unit, int
2026-06-17T00:59:16.3997205Z 
2026-06-17T00:59:16.3997301Z ### REQ-SHELL-4
2026-06-17T00:59:16.3999128Z - Title: Shell tunnel (reliable-ordered opaque byte stream): an owner<->shell link may hold a long-lived, reliable-ordered, link-bound QUIC stream pair carrying opaque wire protocol traffic the channel taxonomy must NOT reinterpret (first consumer usbip URB) — manifest opt-in, not enveloped, not MAC-framed, not spooled; the link lifecycle governs it (a link-break closes the tunnel). Reliable-ordered ⇒ congestion surfaces as lag never loss ⇒ acceptable only on-LAN: the on-LAN posture is documented and the tunnel is NOT proven cross-WAN (CONTEXT:262, minted 2026-06-11 Gateway grill; doyle gate C2).
2026-06-17T00:59:16.3999347Z - Required stages: doc, impl, unit, int
2026-06-17T00:59:16.3999385Z 
2026-06-17T00:59:16.3999486Z ### REQ-CONSENT-3
2026-06-17T00:59:16.4001298Z - Title: Per-capability approval gates (class-keyed): the require_approval enum may ride INDIVIDUAL [shell.capabilities] entries — gating the dangerous ACT, not just the spawn — with an optional class_key scoping the grant qualifier finer than the capability id ((owner endpoint x device class x node); a remembered HID-class attach grant never authorizes a storage-class attach). Reuses the grant store + interactive escalation + tighten-only floor (REQ-CONSENT-1/2 plumbing). Spawn gates govern EXISTENCE; capability gates govern ACTS — an explicitly distinct invariant (CONTEXT:283, ratified 2026-06-11 Gateway grill).
2026-06-17T00:59:16.4001413Z - Required stages: doc, impl, unit, int
2026-06-17T00:59:16.4001447Z 
2026-06-17T00:59:16.4001531Z ### REQ-SHELL-5
2026-06-17T00:59:16.4002709Z - Title: Shell ownership is owner-type-agnostic: any non-Shell endpoint type may own/spawn/drive/command/link a shell (Gateway the named first) — control-exclusivity keys on the owner endpoint_id, NEVER on the owner's endpoint type. No ownership path (mint, launch, owner-from-link, cmd, drive, tunnel, sleep/wake, owner-shutdown) inspects the owner's type (CONTEXT:264, ratified 2026-06-11 Gateway grill).
2026-06-17T00:59:16.4002928Z - Required stages: doc, impl, unit, int
2026-06-17T00:59:16.4002966Z 
2026-06-17T00:59:16.4003067Z ## How to report back
2026-06-17T00:59:16.4003099Z 
2026-06-17T00:59:16.4003271Z For every (requirement, failing criterion) pair, emit one finding:
2026-06-17T00:59:16.4003305Z 
2026-06-17T00:59:16.4003386Z     {
2026-06-17T00:59:16.4003495Z       "code": "requirement_quality",
2026-06-17T00:59:16.4003600Z       "requirementId": "REQ-...",
2026-06-17T00:59:16.4003766Z       "criterion": "singular" | "verifiable" | "atomic" | "active-voice",
2026-06-17T00:59:16.4003870Z       "message": "<short reason>",
2026-06-17T00:59:16.4003985Z       "suggestedRevision": "<optional rewrite>"
2026-06-17T00:59:16.4004079Z     }
2026-06-17T00:59:16.4004116Z 
2026-06-17T00:59:16.4004288Z Wrap your response as { "findings": [ ... ] } listing only your concerns; the
2026-06-17T00:59:16.4004431Z deterministic findings above don't need to be repeated.
