﻿2026-06-19T05:17:21.7171453Z ##[group]Run ./traceable-reqs lint || true
2026-06-19T05:17:21.7171601Z [36;1m./traceable-reqs lint || true[0m
2026-06-19T05:17:21.7184189Z shell: /usr/bin/bash -e {0}
2026-06-19T05:17:21.7184265Z ##[endgroup]
2026-06-19T05:17:21.7409701Z Requirement quality findings (204); 256 requirements queued for agent review:
2026-06-19T05:17:21.7410716Z   [must] requirement_quality REQ-API-1 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7411426Z   [must] requirement_quality REQ-API-4 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7411928Z   [must] requirement_quality REQ-API-4 criterion=length — title is 67 words; want 3..=25
2026-06-19T05:17:21.7412414Z   [must] requirement_quality REQ-CLI-1 criterion=length — title is 47 words; want 3..=25
2026-06-19T05:17:21.7412880Z   [must] requirement_quality REQ-CLI-2 criterion=length — title is 37 words; want 3..=25
2026-06-19T05:17:21.7413349Z   [must] requirement_quality REQ-CLI-3 criterion=length — title is 37 words; want 3..=25
2026-06-19T05:17:21.7413894Z   [must] requirement_quality REQ-CLI-4 criterion=length — title is 89 words; want 3..=25
2026-06-19T05:17:21.7414675Z   [must] requirement_quality REQ-CLI-HELP-MARKDOWN criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7415878Z   [must] requirement_quality REQ-CLI-HELP-MARKDOWN criterion=length — title is 156 words; want 3..=25
2026-06-19T05:17:21.7416207Z   [must] requirement_quality REQ-CONSENT-1 criterion=length — title is 41 words; want 3..=25
2026-06-19T05:17:21.7416512Z   [must] requirement_quality REQ-CONSENT-2 criterion=length — title is 37 words; want 3..=25
2026-06-19T05:17:21.7416794Z   [must] requirement_quality REQ-CONSENT-3 criterion=length — title is 82 words; want 3..=25
2026-06-19T05:17:21.7417204Z   [must] requirement_quality REQ-CONV-1 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7417504Z   [must] requirement_quality REQ-CONV-1 criterion=length — title is 73 words; want 3..=25
2026-06-19T05:17:21.7417776Z   [must] requirement_quality REQ-CONV-2 criterion=length — title is 47 words; want 3..=25
2026-06-19T05:17:21.7418189Z   [must] requirement_quality REQ-DAEMON-5 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7418846Z   [must] requirement_quality REQ-DAEMON-5 criterion=length — title is 64 words; want 3..=25
2026-06-19T05:17:21.7419332Z   [must] requirement_quality REQ-DAEMON-6 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7419694Z   [must] requirement_quality REQ-DAEMON-6 criterion=length — title is 84 words; want 3..=25
2026-06-19T05:17:21.7420314Z   [must] requirement_quality REQ-DAEMON-7 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7420782Z   [must] requirement_quality REQ-DAEMON-7 criterion=length — title is 62 words; want 3..=25
2026-06-19T05:17:21.7421230Z   [must] requirement_quality REQ-DAEMON-8 criterion=length — title is 44 words; want 3..=25
2026-06-19T05:17:21.7421686Z   [must] requirement_quality REQ-DAEMON-9 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7422000Z   [must] requirement_quality REQ-DAEMON-9 criterion=length — title is 114 words; want 3..=25
2026-06-19T05:17:21.7422417Z   [must] requirement_quality REQ-ELEVATE-1 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7422713Z   [must] requirement_quality REQ-ELEVATE-1 criterion=length — title is 121 words; want 3..=25
2026-06-19T05:17:21.7423089Z   [must] requirement_quality REQ-ENDPOINT-LIST-MERGE-LOCAL criterion=length — title is 95 words; want 3..=25
2026-06-19T05:17:21.7423547Z   [must] requirement_quality REQ-ENDPOINT-PURGE criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7424077Z   [must] requirement_quality REQ-ENDPOINT-PURGE criterion=length — title is 220 words; want 3..=25
2026-06-19T05:17:21.7424434Z   [must] requirement_quality REQ-ENDPOINT-STOP-OFFLINE criterion=length — title is 58 words; want 3..=25
2026-06-19T05:17:21.7424839Z   [must] requirement_quality REQ-EP-6 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7425131Z   [must] requirement_quality REQ-EP-6 criterion=length — title is 58 words; want 3..=25
2026-06-19T05:17:21.7425402Z   [must] requirement_quality REQ-EP-7 criterion=length — title is 68 words; want 3..=25
2026-06-19T05:17:21.7425870Z   [must] requirement_quality REQ-HAZARD-ATTACH-WEDGE criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7426217Z   [must] requirement_quality REQ-HAZARD-ATTACH-WEDGE criterion=length — title is 244 words; want 3..=25
2026-06-19T05:17:21.7426663Z   [must] requirement_quality REQ-HAZARD-BRAIN-RESPAWN-PATH criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7426997Z   [must] requirement_quality REQ-HAZARD-BRAIN-RESPAWN-PATH criterion=length — title is 119 words; want 3..=25
2026-06-19T05:17:21.7427463Z   [must] requirement_quality REQ-HAZARD-BRAIN-RESTART-LIFECYCLE-REHYDRATE criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7427841Z   [must] requirement_quality REQ-HAZARD-BRAIN-RESTART-LIFECYCLE-REHYDRATE criterion=length — title is 125 words; want 3..=25
2026-06-19T05:17:21.7428283Z   [must] requirement_quality REQ-HAZARD-BRAIN-RESTART-PSYCHE-DUP criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7428617Z   [must] requirement_quality REQ-HAZARD-BRAIN-RESTART-PSYCHE-DUP criterion=length — title is 199 words; want 3..=25
2026-06-19T05:17:21.7429129Z   [must] requirement_quality REQ-HAZARD-BROKER-PROCESS-ISOLATION criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7429487Z   [must] requirement_quality REQ-HAZARD-BROKER-PROCESS-ISOLATION criterion=length — title is 114 words; want 3..=25
2026-06-19T05:17:21.7429897Z   [must] requirement_quality REQ-HAZARD-BROKER-QUIC-DEADLINE criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7430335Z   [must] requirement_quality REQ-HAZARD-BROKER-QUIC-DEADLINE criterion=length — title is 162 words; want 3..=25
2026-06-19T05:17:21.7430761Z   [must] requirement_quality REQ-HAZARD-BROKER-SEED-WIRE-SKEW criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7431085Z   [must] requirement_quality REQ-HAZARD-BROKER-SEED-WIRE-SKEW criterion=length — title is 193 words; want 3..=25
2026-06-19T05:17:21.7431419Z   [must] requirement_quality REQ-HAZARD-CONFLICT-BOTH-PRESERVED criterion=length — title is 29 words; want 3..=25
2026-06-19T05:17:21.7440295Z   [must] requirement_quality REQ-HAZARD-DAEMON-SCHED-NONBLOCKING criterion=length — title is 32 words; want 3..=25
2026-06-19T05:17:21.7440890Z   [must] requirement_quality REQ-HAZARD-DAEMON-STOP-BARRIER criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7441234Z   [must] requirement_quality REQ-HAZARD-DAEMON-STOP-BARRIER criterion=length — title is 80 words; want 3..=25
2026-06-19T05:17:21.7441673Z   [must] requirement_quality REQ-HAZARD-DAEMON-STOP-REAP criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7441984Z   [must] requirement_quality REQ-HAZARD-DAEMON-STOP-REAP criterion=length — title is 90 words; want 3..=25
2026-06-19T05:17:21.7442406Z   [must] requirement_quality REQ-HAZARD-DEFERRED-MANIFEST criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7442735Z   [must] requirement_quality REQ-HAZARD-DEFERRED-MANIFEST criterion=length — title is 112 words; want 3..=25
2026-06-19T05:17:21.7443059Z   [must] requirement_quality REQ-HAZARD-DETACHED-PIPE-INHERIT criterion=length — title is 52 words; want 3..=25
2026-06-19T05:17:21.7443679Z   [must] requirement_quality REQ-HAZARD-ELEVATED-DAEMON-SPAWN criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7444008Z   [must] requirement_quality REQ-HAZARD-ELEVATED-DAEMON-SPAWN criterion=length — title is 58 words; want 3..=25
2026-06-19T05:17:21.7444450Z   [must] requirement_quality REQ-HAZARD-ENDPOINT-RUN-ATTACH-OUTPUT criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7444801Z   [must] requirement_quality REQ-HAZARD-ENDPOINT-RUN-ATTACH-OUTPUT criterion=length — title is 228 words; want 3..=25
2026-06-19T05:17:21.7445174Z   [must] requirement_quality REQ-HAZARD-ENV-SUBST criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7445460Z   [must] requirement_quality REQ-HAZARD-ENV-SUBST criterion=length — title is 168 words; want 3..=25
2026-06-19T05:17:21.7445879Z   [must] requirement_quality REQ-HAZARD-ENVELOPE-CR-LINESAFE criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7446203Z   [must] requirement_quality REQ-HAZARD-ENVELOPE-CR-LINESAFE criterion=length — title is 73 words; want 3..=25
2026-06-19T05:17:21.7446636Z   [must] requirement_quality REQ-HAZARD-ENVELOPE-PARSER-SAFE criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7446928Z   [must] requirement_quality REQ-HAZARD-EPOCH-RESET criterion=length — title is 60 words; want 3..=25
2026-06-19T05:17:21.7447322Z   [must] requirement_quality REQ-HAZARD-GEN-START-NOW criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7447659Z   [must] requirement_quality REQ-HAZARD-HOSTED-LIVENESS-RECONCILE criterion=length — title is 175 words; want 3..=25
2026-06-19T05:17:21.7447968Z   [must] requirement_quality REQ-HAZARD-INSTANT-UNDERFLOW criterion=length — title is 30 words; want 3..=25
2026-06-19T05:17:21.7448317Z   [must] requirement_quality REQ-HAZARD-LIVEHOST-BOOT-LIVENESS-GATE criterion=length — title is 122 words; want 3..=25
2026-06-19T05:17:21.7448737Z   [must] requirement_quality REQ-HAZARD-LIVEHOST-BOOT-RACE criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7449252Z   [must] requirement_quality REQ-HAZARD-LIVEHOST-BOOT-RACE criterion=length — title is 158 words; want 3..=25
2026-06-19T05:17:21.7449728Z   [must] requirement_quality REQ-HAZARD-LIVEHOST-NONRESIDENT criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7450054Z   [must] requirement_quality REQ-HAZARD-LIVEHOST-NONRESIDENT criterion=length — title is 171 words; want 3..=25
2026-06-19T05:17:21.7450360Z   [must] requirement_quality REQ-HAZARD-PAIR-RATE-LIMIT criterion=length — title is 37 words; want 3..=25
2026-06-19T05:17:21.7450664Z   [must] requirement_quality REQ-HAZARD-PAIR-SEED-ROTATION criterion=length — title is 33 words; want 3..=25
2026-06-19T05:17:21.7451088Z   [must] requirement_quality REQ-HAZARD-PAIR-TRANSCRIPT-BIND criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7451513Z   [must] requirement_quality REQ-HAZARD-PSYCHE-OUTBOUND-PROXY criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7451843Z   [must] requirement_quality REQ-HAZARD-PSYCHE-OUTBOUND-PROXY criterion=length — title is 27 words; want 3..=25
2026-06-19T05:17:21.7452252Z   [must] requirement_quality REQ-HAZARD-PUMP-IPC-DEADLINE criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7452567Z   [must] requirement_quality REQ-HAZARD-PUMP-IPC-DEADLINE criterion=length — title is 38 words; want 3..=25
2026-06-19T05:17:21.7452971Z   [must] requirement_quality REQ-HAZARD-RC-ATTACH-FAILFAST criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7453390Z   [must] requirement_quality REQ-HAZARD-RC-ATTACH-FAILFAST criterion=length — title is 163 words; want 3..=25
2026-06-19T05:17:21.7453758Z   [must] requirement_quality REQ-HAZARD-RC-EOF criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7454029Z   [must] requirement_quality REQ-HAZARD-RC-EOF criterion=length — title is 208 words; want 3..=25
2026-06-19T05:17:21.7454441Z   [must] requirement_quality REQ-HAZARD-REGISTRY-GHOST-ROWS criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7454756Z   [must] requirement_quality REQ-HAZARD-REGISTRY-GHOST-ROWS criterion=length — title is 66 words; want 3..=25
2026-06-19T05:17:21.7455073Z   [must] requirement_quality REQ-HAZARD-ROLLBACK-STATE-COMPAT criterion=length — title is 72 words; want 3..=25
2026-06-19T05:17:21.7455462Z   [must] requirement_quality REQ-HAZARD-ROSTER-GHOST criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7455763Z   [must] requirement_quality REQ-HAZARD-ROSTER-GHOST criterion=length — title is 116 words; want 3..=25
2026-06-19T05:17:21.7456153Z   [must] requirement_quality REQ-HAZARD-SELF-ELEVATE criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7456444Z   [must] requirement_quality REQ-HAZARD-SELF-ELEVATE criterion=length — title is 101 words; want 3..=25
2026-06-19T05:17:21.7456744Z   [must] requirement_quality REQ-HAZARD-SUDO-SECURE-PATH criterion=length — title is 43 words; want 3..=25
2026-06-19T05:17:21.7457154Z   [must] requirement_quality REQ-HAZARD-TEMPLATE-ARGV-FILL criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7457469Z   [must] requirement_quality REQ-HAZARD-TEMPLATE-ARGV-FILL criterion=length — title is 166 words; want 3..=25
2026-06-19T05:17:21.7457877Z   [must] requirement_quality REQ-HAZARD-UNHOST-PSYCHE-REAP criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7458199Z   [must] requirement_quality REQ-HAZARD-UNHOST-PSYCHE-REAP criterion=length — title is 161 words; want 3..=25
2026-06-19T05:17:21.7458611Z   [must] requirement_quality REQ-HAZARD-VIEWER-CLOSE-DETACH criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7459100Z   [must] requirement_quality REQ-HAZARD-VIEWER-CLOSE-DETACH criterion=length — title is 437 words; want 3..=25
2026-06-19T05:17:21.7459517Z   [must] requirement_quality REQ-HAZARD-VIEWER-ISOLATION criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7459822Z   [must] requirement_quality REQ-HAZARD-VIEWER-ISOLATION criterion=length — title is 118 words; want 3..=25
2026-06-19T05:17:21.7460127Z   [must] requirement_quality REQ-HAZARD-WAN-ORIGIN-AUTH criterion=length — title is 37 words; want 3..=25
2026-06-19T05:17:21.7460554Z   [must] requirement_quality REQ-HAZARD-WIN-PTY-PROGRAM-RESOLVE criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7460891Z   [must] requirement_quality REQ-HAZARD-WIN-PTY-PROGRAM-RESOLVE criterion=length — title is 96 words; want 3..=25
2026-06-19T05:17:21.7461158Z   [must] requirement_quality REQ-HOST-RUN-1 criterion=length — title is 88 words; want 3..=25
2026-06-19T05:17:21.7461420Z   [must] requirement_quality REQ-HOST-RUN-2 criterion=length — title is 97 words; want 3..=25
2026-06-19T05:17:21.7461667Z   [must] requirement_quality REQ-INST-15 criterion=length — title is 32 words; want 3..=25
2026-06-19T05:17:21.7462030Z   [must] requirement_quality REQ-INSTALL-10 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7462282Z   [must] requirement_quality REQ-INSTALL-10 criterion=length — title is 58 words; want 3..=25
2026-06-19T05:17:21.7462535Z   [must] requirement_quality REQ-INSTALL-11 criterion=length — title is 78 words; want 3..=25
2026-06-19T05:17:21.7462903Z   [must] requirement_quality REQ-INSTALL-12 criterion=length — title is 116 words; want 3..=25
2026-06-19T05:17:21.7463160Z   [must] requirement_quality REQ-INSTALL-2 criterion=length — title is 2 word(s); want 3..=25
2026-06-19T05:17:21.7463521Z   [must] requirement_quality REQ-INSTALL-6 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7463784Z   [must] requirement_quality REQ-INSTALL-6 criterion=length — title is 56 words; want 3..=25
2026-06-19T05:17:21.7464133Z   [must] requirement_quality REQ-INSTALL-7 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7464385Z   [must] requirement_quality REQ-INSTALL-7 criterion=length — title is 50 words; want 3..=25
2026-06-19T05:17:21.7464624Z   [must] requirement_quality REQ-INSTALL-8 criterion=length — title is 55 words; want 3..=25
2026-06-19T05:17:21.7464972Z   [must] requirement_quality REQ-INSTALL-9 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7465219Z   [must] requirement_quality REQ-INSTALL-9 criterion=length — title is 62 words; want 3..=25
2026-06-19T05:17:21.7465566Z   [must] requirement_quality REQ-KICK-1 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7465821Z   [must] requirement_quality REQ-KICK-1 criterion=length — title is 133 words; want 3..=25
2026-06-19T05:17:21.7466178Z   [must] requirement_quality REQ-MANIFEST-1 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7466431Z   [must] requirement_quality REQ-MANIFEST-3 criterion=length — title is 26 words; want 3..=25
2026-06-19T05:17:21.7466680Z   [must] requirement_quality REQ-MANIFEST-4 criterion=length — title is 31 words; want 3..=25
2026-06-19T05:17:21.7466942Z   [must] requirement_quality REQ-MANIFEST-5 criterion=length — title is 132 words; want 3..=25
2026-06-19T05:17:21.7467200Z   [must] requirement_quality REQ-MANIFEST-6 criterion=length — title is 84 words; want 3..=25
2026-06-19T05:17:21.7467456Z   [must] requirement_quality REQ-MANIFEST-7 criterion=length — title is 120 words; want 3..=25
2026-06-19T05:17:21.7467710Z   [must] requirement_quality REQ-MANIFEST-8 criterion=length — title is 77 words; want 3..=25
2026-06-19T05:17:21.7468048Z   [must] requirement_quality REQ-MESH-1 criterion=length — title is 86 words; want 3..=25
2026-06-19T05:17:21.7468394Z   [must] requirement_quality REQ-MESH-2 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7468679Z   [must] requirement_quality REQ-MESH-2 criterion=length — title is 120 words; want 3..=25
2026-06-19T05:17:21.7469084Z   [must] requirement_quality REQ-MESH-3 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7469350Z   [must] requirement_quality REQ-MESH-3 criterion=length — title is 86 words; want 3..=25
2026-06-19T05:17:21.7469694Z   [must] requirement_quality REQ-MESH-4 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7469938Z   [must] requirement_quality REQ-MESH-4 criterion=length — title is 99 words; want 3..=25
2026-06-19T05:17:21.7470271Z   [must] requirement_quality REQ-MESH-5 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7470515Z   [must] requirement_quality REQ-MESH-5 criterion=length — title is 72 words; want 3..=25
2026-06-19T05:17:21.7470853Z   [must] requirement_quality REQ-MESH-6 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7471090Z   [must] requirement_quality REQ-MESH-6 criterion=length — title is 56 words; want 3..=25
2026-06-19T05:17:21.7471437Z   [must] requirement_quality REQ-MIGRATE-1 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7471680Z   [must] requirement_quality REQ-MSG-4 criterion=length — title is 31 words; want 3..=25
2026-06-19T05:17:21.7472009Z   [must] requirement_quality REQ-MSG-5 criterion=length — title is 38 words; want 3..=25
2026-06-19T05:17:21.7472241Z   [must] requirement_quality REQ-MSG-6 criterion=length — title is 65 words; want 3..=25
2026-06-19T05:17:21.7472614Z   [must] requirement_quality REQ-MSG-ENVELOPE criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7472891Z   [must] requirement_quality REQ-MSG-ENVELOPE criterion=length — title is 153 words; want 3..=25
2026-06-19T05:17:21.7473225Z   [must] requirement_quality REQ-PAIR-8 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7473468Z   [must] requirement_quality REQ-PAIR-8 criterion=length — title is 67 words; want 3..=25
2026-06-19T05:17:21.7473815Z   [must] requirement_quality REQ-PICKER-1 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7474077Z   [must] requirement_quality REQ-PICKER-1 criterion=length — title is 156 words; want 3..=25
2026-06-19T05:17:21.7474330Z   [must] requirement_quality REQ-PICKER-2 criterion=length — title is 77 words; want 3..=25
2026-06-19T05:17:21.7474583Z   [must] requirement_quality REQ-PICKER-3 criterion=length — title is 120 words; want 3..=25
2026-06-19T05:17:21.7475026Z   [must] requirement_quality REQ-PICKER-4 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7475279Z   [must] requirement_quality REQ-PICKER-4 criterion=length — title is 84 words; want 3..=25
2026-06-19T05:17:21.7475631Z   [must] requirement_quality REQ-PICKER-5 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7475871Z   [must] requirement_quality REQ-PICKER-5 criterion=length — title is 147 words; want 3..=25
2026-06-19T05:17:21.7476291Z   [must] requirement_quality REQ-PICKER-ADAPTER-DESCRIPTION criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7476625Z   [must] requirement_quality REQ-PICKER-ADAPTER-DESCRIPTION criterion=length — title is 64 words; want 3..=25
2026-06-19T05:17:21.7476921Z   [must] requirement_quality REQ-PICKER-HISTORY-FRESH criterion=length — title is 51 words; want 3..=25
2026-06-19T05:17:21.7477259Z   [must] requirement_quality REQ-PICKER-HISTORY-FRESH criterion=tbd-todo — title contains placeholder marker 'TBD'
2026-06-19T05:17:21.7477550Z   [must] requirement_quality REQ-PICKER-ONLINE-ACTION criterion=length — title is 74 words; want 3..=25
2026-06-19T05:17:21.7477878Z   [must] requirement_quality REQ-PICKER-ONLINE-ACTION criterion=tbd-todo — title contains placeholder marker 'TBD'
2026-06-19T05:17:21.7478221Z   [must] requirement_quality REQ-PRES-1 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7478466Z   [must] requirement_quality REQ-PRES-1 criterion=length — title is 48 words; want 3..=25
2026-06-19T05:17:21.7478700Z   [must] requirement_quality REQ-RC-1 criterion=length — title is 94 words; want 3..=25
2026-06-19T05:17:21.7479098Z   [must] requirement_quality REQ-RCVIEW-1 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7479353Z   [must] requirement_quality REQ-RCVIEW-1 criterion=length — title is 197 words; want 3..=25
2026-06-19T05:17:21.7479745Z   [must] requirement_quality REQ-READY-AGENT-RESUME criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7480031Z   [must] requirement_quality REQ-READY-AGENT-RESUME criterion=length — title is 165 words; want 3..=25
2026-06-19T05:17:21.7480384Z   [must] requirement_quality REQ-RUN-PICKER criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7480647Z   [must] requirement_quality REQ-RUN-PICKER criterion=length — title is 203 words; want 3..=25
2026-06-19T05:17:21.7481009Z   [must] requirement_quality REQ-RUN-SHORTCUT criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7481394Z   [must] requirement_quality REQ-RUN-SHORTCUT criterion=length — title is 226 words; want 3..=25
2026-06-19T05:17:21.7481645Z   [must] requirement_quality REQ-SEAM-SPAWN criterion=length — title is 2 word(s); want 3..=25
2026-06-19T05:17:21.7482036Z   [must] requirement_quality REQ-SEND-SPT-HOSTED criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7482317Z   [must] requirement_quality REQ-SEND-SPT-HOSTED criterion=length — title is 169 words; want 3..=25
2026-06-19T05:17:21.7482565Z   [must] requirement_quality REQ-SHELL-1 criterion=length — title is 36 words; want 3..=25
2026-06-19T05:17:21.7482816Z   [must] requirement_quality REQ-SHELL-2 criterion=length — title is 49 words; want 3..=25
2026-06-19T05:17:21.7483051Z   [must] requirement_quality REQ-SHELL-3 criterion=length — title is 80 words; want 3..=25
2026-06-19T05:17:21.7483398Z   [must] requirement_quality REQ-SHELL-4 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7483642Z   [must] requirement_quality REQ-SHELL-4 criterion=length — title is 84 words; want 3..=25
2026-06-19T05:17:21.7483881Z   [must] requirement_quality REQ-SHELL-5 criterion=length — title is 49 words; want 3..=25
2026-06-19T05:17:21.7484323Z   [must] requirement_quality REQ-START-5 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7484571Z   [must] requirement_quality REQ-START-5 criterion=length — title is 129 words; want 3..=25
2026-06-19T05:17:21.7484814Z   [must] requirement_quality REQ-STORE-1 criterion=length — title is 34 words; want 3..=25
2026-06-19T05:17:21.7485066Z   [must] requirement_quality REQ-SUBNET-5 criterion=length — title is 52 words; want 3..=25
2026-06-19T05:17:21.7485409Z   [must] requirement_quality REQ-SUBNET-6 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7485666Z   [must] requirement_quality REQ-SUBNET-6 criterion=length — title is 38 words; want 3..=25
2026-06-19T05:17:21.7486020Z   [must] requirement_quality REQ-SUBNET-7 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7486268Z   [must] requirement_quality REQ-SUBNET-7 criterion=length — title is 75 words; want 3..=25
2026-06-19T05:17:21.7486520Z   [must] requirement_quality REQ-SUBNET-8 criterion=length — title is 53 words; want 3..=25
2026-06-19T05:17:21.7486861Z   [must] requirement_quality REQ-TERM-5 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7487095Z   [must] requirement_quality REQ-TERM-5 criterion=length — title is 71 words; want 3..=25
2026-06-19T05:17:21.7487433Z   [must] requirement_quality REQ-TERM-6 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7487676Z   [must] requirement_quality REQ-TERM-6 criterion=length — title is 53 words; want 3..=25
2026-06-19T05:17:21.7488020Z   [must] requirement_quality REQ-TERM-7 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7488253Z   [must] requirement_quality REQ-TERM-7 criterion=length — title is 55 words; want 3..=25
2026-06-19T05:17:21.7488606Z   [must] requirement_quality REQ-UPD-6 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7488834Z   [must] requirement_quality REQ-UPD-6 criterion=length — title is 32 words; want 3..=25
2026-06-19T05:17:21.7489226Z   [must] requirement_quality REQ-UPD-7 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7489487Z   [must] requirement_quality REQ-UPD-7 criterion=length — title is 88 words; want 3..=25
2026-06-19T05:17:21.7489827Z   [must] requirement_quality REQ-UPD-8 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-19T05:17:21.7490180Z   [must] requirement_quality REQ-UPD-8 criterion=length — title is 115 words; want 3..=25
2026-06-19T05:17:21.7490423Z   [must] requirement_quality REQ-UPD-9 criterion=length — title is 110 words; want 3..=25
2026-06-19T05:17:21.7490677Z   [must] requirement_quality REQ-WHOAMI-1 criterion=length — title is 76 words; want 3..=25
2026-06-19T05:17:21.7490710Z 
2026-06-19T05:17:21.7490824Z # Requirement quality review
2026-06-19T05:17:21.7490853Z 
2026-06-19T05:17:21.7491039Z You are reviewing 256 requirement(s) from `traceable-reqs.toml` against a quality
2026-06-19T05:17:21.7491236Z rubric. Deterministic checks (length, contains-and, tbd-todo, duplicate-titles,
2026-06-19T05:17:21.7491420Z trailing-etc) have already run and surfaced as `requirement_quality` findings on
2026-06-19T05:17:21.7491564Z this command's output. Your task is the rubric items below.
2026-06-19T05:17:21.7491597Z 
2026-06-19T05:17:21.7491677Z ## Rubric
2026-06-19T05:17:21.7491711Z 
2026-06-19T05:17:21.7491954Z - **singular** — describes one capability; no smuggled "and"/"or" across distinct actions.
2026-06-19T05:17:21.7492192Z - **verifiable** — states an observable behavior a test or reviewer could confirm.
2026-06-19T05:17:21.7492408Z - **atomic** — cannot be split into two requirements without losing meaning.
2026-06-19T05:17:21.7492557Z - **active-voice** — clear subject and active verb.
2026-06-19T05:17:21.7492690Z 
2026-06-19T05:17:21.7492915Z If a criterion is borderline or doesn't apply, abstain — only emit findings for
2026-06-19T05:17:21.7493009Z clear concerns.
2026-06-19T05:17:21.7493042Z 
2026-06-19T05:17:21.7493125Z ## Requirements
2026-06-19T05:17:21.7493153Z 
2026-06-19T05:17:21.7493234Z ### REQ-ARCH-1
2026-06-19T05:17:21.7493348Z - Title: Many small acyclically-layered crates
2026-06-19T05:17:21.7493445Z - Required stages: impl
2026-06-19T05:17:21.7493473Z 
2026-06-19T05:17:21.7493548Z ### REQ-ARCH-2
2026-06-19T05:17:21.7493696Z - Title: Public SDK surface is spt-proto, spt-runtime, spt-msg
2026-06-19T05:17:21.7493807Z - Required stages: impl
2026-06-19T05:17:21.7493839Z 
2026-06-19T05:17:21.7493920Z ### REQ-ARCH-3
2026-06-19T05:17:21.7494103Z - Title: Wire-protocol version independent of crate semver, N-1 compat window
2026-06-19T05:17:21.7494192Z - Required stages: impl, unit
2026-06-19T05:17:21.7494225Z 
2026-06-19T05:17:21.7494320Z ### REQ-ARCH-4
2026-06-19T05:17:21.7494474Z - Title: Copy-verbatim the commodity layer from the sister project
2026-06-19T05:17:21.7494568Z - Required stages: impl, unit
2026-06-19T05:17:21.7494602Z 
2026-06-19T05:17:21.7494684Z ### REQ-DAEMON-1
2026-06-19T05:17:21.7494831Z - Title: One per-machine spt-daemon owning all per-machine state
2026-06-19T05:17:21.7494930Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7494963Z 
2026-06-19T05:17:21.7495045Z ### REQ-DAEMON-2
2026-06-19T05:17:21.7495174Z - Title: Broker/brain split for seamless self-update
2026-06-19T05:17:21.7495282Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7495311Z 
2026-06-19T05:17:21.7495398Z ### REQ-DAEMON-3
2026-06-19T05:17:21.7495540Z - Title: Any api invocation auto-starts the daemon if absent
2026-06-19T05:17:21.7495636Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7495665Z 
2026-06-19T05:17:21.7495751Z ### REQ-DAEMON-4
2026-06-19T05:17:21.7495855Z - Title: Honor every KNOWN-HAZARDS invariant
2026-06-19T05:17:21.7495951Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7495984Z 
2026-06-19T05:17:21.7496061Z ### REQ-STORE-1
2026-06-19T05:17:21.7496880Z - Title: spt-store::BranchStore (git branch as versioned KV; commit=checkpoint/tip=resume, atomic multi-key, merge-native sync) is the substrate for coarse/durable/audited state (context, registry snapshot+distribution, daemon checkpoint); hot paths (B5 fsync journal) + indexed queries (SQLite spool) excluded (ADR-0011)
2026-06-19T05:17:21.7496986Z - Required stages: impl, unit
2026-06-19T05:17:21.7497015Z 
2026-06-19T05:17:21.7497109Z ### REQ-MANIFEST-1
2026-06-19T05:17:21.7497289Z - Title: Per-adapter manifest with adapter_name and min_spt_core_version
2026-06-19T05:17:21.7497593Z - Required stages: doc, impl, unit
2026-06-19T05:17:21.7497621Z 
2026-06-19T05:17:21.7497713Z ### REQ-MANIFEST-2
2026-06-19T05:17:21.7498188Z - Title: Adapter profiles — sparse leaf-replace overlays (shipped + local), composite <adapter>:<profile> addressing, shadow-refusal, tighten-only consent floors
2026-06-19T05:17:21.7498294Z - Required stages: doc, impl, unit
2026-06-19T05:17:21.7498327Z 
2026-06-19T05:17:21.7498417Z ### REQ-MANIFEST-3
2026-06-19T05:17:21.7499070Z - Title: Adapter strings — [strings] KV tree, dot-path get-string resolving through the profile leaf-replace overlay, set-string editing a local profile's [strings] only; data-only (nothing executes a string)
2026-06-19T05:17:21.7499176Z - Required stages: doc, impl, unit
2026-06-19T05:17:21.7499200Z 
2026-06-19T05:17:21.7499304Z ### REQ-MANIFEST-4
2026-06-19T05:17:21.7499980Z - Title: Keyword hints — [[hints]] {keywords (literal/regex), text}; spt api hint --session emits at most one matched hint per message, once per session (seen-set), declaration-order first match; profiles overlay [[hints]] by leaf-replace
2026-06-19T05:17:21.7500089Z - Required stages: doc, impl, unit
2026-06-19T05:17:21.7500118Z 
2026-06-19T05:17:21.7500199Z ### REQ-MANIFEST-5
2026-06-19T05:17:21.7502982Z - Title: File-backed adapter [strings] (M12-W3-T3.1): a [strings] dot-path value MAY be an inline-table FILE POINTER `key = { file = "rel/path" }` resolved to the file's contents at get-string time, keeping large bodies (skill-instructions, hint text) out of the manifest. A value-position table with a `file` key IS the pointer form (reserved — cannot double as data). Per-adapter aux storage `adapters/<adapter>/strings/`; pointers resolve relative to it with CONTAINMENT (reject `..`/absolute escaping the dir). UPDATE-SAFETY: a LOCAL profile's file-pointers resolve relative to the user-owned local-profile dir (NOT adapter-shipped strings/, which adapter updates overwrite), or the local profile inlines. Validate-at-register (fail-fast on a bad/escaping/missing pointer) + LAZY read at get-string (live file edits reflect, no re-register) + skip-diagnostics on missing-at-read (no hard-crash, mirrors [digest]). Rides the same leaf-replace profile overlay as the rest of [strings].
2026-06-19T05:17:21.7503202Z - Required stages: doc, impl, unit
2026-06-19T05:17:21.7503240Z 
2026-06-19T05:17:21.7503331Z ### REQ-MANIFEST-6
2026-06-19T05:17:21.7505340Z - Title: Cross-adapter fallback target addressing (M12-W3-T3.2): a cross-adapter fallback target is addressed as `<adapter>:<profile>` (not just a bare adapter_name), resolved through the one composite-addressing resolver (registry::resolve_option) at every adapter-option read site so a fallback may select a shipped/local profile (e.g. a `ccs` profile). CONTEXT.md §cross-adapter-fallback reconciled ("ccs is a profile; cross-adapter fallback may target <adapter>:<profile>"). Contract-only this milestone: the node-wide fallback SETTING + its rate-limit invocation are deferred to the consuming milestone (the runtime path does not exist yet); this REQ guarantees the ADDRESSING resolves.
2026-06-19T05:17:21.7505457Z - Required stages: doc, unit
2026-06-19T05:17:21.7505485Z 
2026-06-19T05:17:21.7505571Z ### REQ-MANIFEST-7
2026-06-19T05:17:21.7508482Z - Title: Adapter-declared shortcut basename (M12-W2 follow-on): an optional `[adapter] shortcut_basename` manifest field names the basename the `spt endpoint run` picker bakes into the generated `<basename>-<id>` launcher shortcut (REQ-RUN-SHORTCUT). Absent ⇒ the harness-agnostic default `spt` (→ `spt-<id>`); an adapter sets it to brand its shortcuts (claude-spt → `cc` → `cc-<id>`), so the Claude-Code-ness lives in the PUBLISHED adapter manifest, never hardcoded in spt-core. The picker reads it from the RESOLVED manifest of the selected adapter (registry::resolve_option), falling back to `spt` when absent/empty/unresolvable. Additive + N-1-safe (serde-default Option, omitted from serialization when absent; old manifests parse clean); manifest.schema.json regenerated from the derive (ADR-0001, CI drift-gated). Documented in docs/MANIFEST.md `[adapter]` section + the claude-spt worked example — the adapter-author contract perri builds spt-claude-code against.
2026-06-19T05:17:21.7508681Z - Required stages: doc, impl, unit
2026-06-19T05:17:21.7508710Z 
2026-06-19T05:17:21.7508811Z ### REQ-MANIFEST-8
2026-06-19T05:17:21.7510985Z - Title: [adapter] host_binaries declares the harness executable basenames a kind="harness" adapter hosts agents inside (e.g. host_binaries = ["claude"]); bind-time pid→exe-basename match (case-insensitive, .exe-stripped) over the seed's parent_pid selects the candidate adapter set; zero matches → a friendly error naming the binary + the --adapter escape hatch. Additive + N-1-safe: optional Vec<String>, #[serde(default, skip_serializing_if = "Vec::is_empty")] (omitted-serialized like shortcut_basename, old manifests parse clean); manifest.schema.json regenerated from the derive (ADR-0001, CI drift-gated). The match-key for ADR-0021 adapter-agnostic bind-time resolution. (v0.9.0)
2026-06-19T05:17:21.7511092Z - Required stages: doc, impl, unit, int
2026-06-19T05:17:21.7511125Z 
2026-06-19T05:17:21.7511215Z ### REQ-SEAM-SPAWN
2026-06-19T05:17:21.7511319Z - Title: spawn-session seam
2026-06-19T05:17:21.7511412Z - Required stages: impl, unit
2026-06-19T05:17:21.7511558Z 
2026-06-19T05:17:21.7511654Z ### REQ-SEAM-POSTSPAWN
2026-06-19T05:17:21.7511778Z - Title: post-spawn / api bind seam with boot nonce
2026-06-19T05:17:21.7511872Z - Required stages: impl, unit
2026-06-19T05:17:21.7511906Z 
2026-06-19T05:17:21.7511993Z ### REQ-SEAM-PSYCHE
2026-06-19T05:17:21.7512125Z - Title: spawn-psyche seam (fresh + resume templates)
2026-06-19T05:17:21.7512226Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7512259Z 
2026-06-19T05:17:21.7512337Z ### REQ-SEAM-HISTORY
2026-06-19T05:17:21.7512498Z - Title: History subsystem (fetcher / locate-normalize / native store)
2026-06-19T05:17:21.7512583Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7512618Z 
2026-06-19T05:17:21.7512708Z ### REQ-SEAM-ACTIVITY
2026-06-19T05:17:21.7512865Z - Title: Activity/idle reported via api sentinels, not PTY quiescence
2026-06-19T05:17:21.7512947Z - Required stages: impl, unit
2026-06-19T05:17:21.7512981Z 
2026-06-19T05:17:21.7513070Z ### REQ-SEAM-INJECT
2026-06-19T05:17:21.7513206Z - Title: inject-input methods configurable per activity-state
2026-06-19T05:17:21.7513302Z - Required stages: impl, unit
2026-06-19T05:17:21.7513336Z 
2026-06-19T05:17:21.7513415Z ### REQ-SEAM-RESUME
2026-06-19T05:17:21.7513567Z - Title: resume-session seam (fresh-with-preload / continue-existing)
2026-06-19T05:17:21.7513663Z - Required stages: impl, unit
2026-06-19T05:17:21.7513692Z 
2026-06-19T05:17:21.7513786Z ### REQ-SEAM-CAPABILITY
2026-06-19T05:17:21.7513920Z - Title: Hostable endpoint-types capability declaration
2026-06-19T05:17:21.7514016Z - Required stages: impl, unit
2026-06-19T05:17:21.7514040Z 
2026-06-19T05:17:21.7514120Z ### REQ-SEAM-UPDATE
2026-06-19T05:17:21.7514269Z - Title: Adapter-update avenue (file-pull / delegated command)
2026-06-19T05:17:21.7514354Z - Required stages: impl, unit
2026-06-19T05:17:21.7514387Z 
2026-06-19T05:17:21.7514473Z ### REQ-API-1
2026-06-19T05:17:21.7514626Z - Title: api prefix and adapter_name on every machinery invocation
2026-06-19T05:17:21.7514721Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7514754Z 
2026-06-19T05:17:21.7514835Z ### REQ-API-2
2026-06-19T05:17:21.7515007Z - Title: The api subcommand surface (bind/listen/poll/state/worker/boundary/...)
2026-06-19T05:17:21.7515107Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7515140Z 
2026-06-19T05:17:21.7515223Z ### REQ-API-3
2026-06-19T05:17:21.7515345Z - Title: commune/signoff are file-drops, not commands
2026-06-19T05:17:21.7515441Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7515475Z 
2026-06-19T05:17:21.7515543Z ### REQ-API-4
2026-06-19T05:17:21.7516971Z - Title: api resolves the adapter manifest (+ profile + install dir) from `--adapter name:profile` via the registry when `--manifest` is omitted; `--manifest` becomes an optional OVERRIDE (unregistered / local-dev manifests). Removes the require-both-flags redundancy — a registered adapter's live bringup / digest / capability needs only `--adapter` — and yields the precise install dir (the record's source_dir) rather than the --manifest parent, closing the copy-mode psyche-binary edge (v0.8.0)
2026-06-19T05:17:21.7517176Z - Required stages: doc, impl, unit
2026-06-19T05:17:21.7517209Z 
2026-06-19T05:17:21.7517290Z ### REQ-START-1
2026-06-19T05:17:21.7517458Z - Title: Adapters never resolve SPT_HOME; binary on PATH; api bridging only
2026-06-19T05:17:21.7517552Z - Required stages: impl, unit
2026-06-19T05:17:21.7517586Z 
2026-06-19T05:17:21.7517667Z ### REQ-START-2
2026-06-19T05:17:21.7517796Z - Title: Harness-hosted startup: api seed then listen
2026-06-19T05:17:21.7517895Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7517924Z 
2026-06-19T05:17:21.7518005Z ### REQ-START-3
2026-06-19T05:17:21.7518158Z - Title: spt-hosted startup: spawn-session then api bind (no file)
2026-06-19T05:17:21.7518257Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7518281Z 
2026-06-19T05:17:21.7518362Z ### REQ-START-4
2026-06-19T05:17:21.7518485Z - Title: Adapter-injected env aliases (SPT/OWL/LIVE)
2026-06-19T05:17:21.7518579Z - Required stages: impl, unit
2026-06-19T05:17:21.7518674Z 
2026-06-19T05:17:21.7518755Z ### REQ-START-5
2026-06-19T05:17:21.7521517Z - Title: Adapter-agnostic harness-hosted seed + bind-time adapter/profile resolution (ADR-0021): `api seed` carries only parent_pid + session_id (+ optional cwd), no --adapter — a pure "a harness session exists at this pid" record; --adapter becomes an OPTIONAL override across the whole api group (an explicit name[:profile] for adapter dev, never required). Omitted, listen/poll resolve the owning adapter/profile AT BIND as a pure read against the live registry — never a seed-time snapshot that can drift: seed parent_pid → exe basename → host_binaries candidate set (REQ-MANIFEST-8) → active-profile pointer (REQ-INSTALL-12) primary, else greatest-registered_at_ms candidate base profile (name-asc tie) → friendly zero-match error. Covers BOTH LiveAgent (listen) and ReadyAgent (poll) bringup. Restores legacy parity: `$LIVE start <id>` → `$SPT listen <id>` with no mandatory --adapter, one generic SessionStart hook per harness binary. (v0.9.0)
2026-06-19T05:17:21.7521627Z - Required stages: doc, impl, unit, int
2026-06-19T05:17:21.7521662Z 
2026-06-19T05:17:21.7521747Z ### REQ-EP-1
2026-06-19T05:17:21.7521865Z - Title: Day-one endpoint types; open type system
2026-06-19T05:17:21.7521967Z - Required stages: impl, unit
2026-06-19T05:17:21.7522000Z 
2026-06-19T05:17:21.7522076Z ### REQ-EP-2
2026-06-19T05:17:21.7522229Z - Title: Agent endpoints vs Shells distinction in the type model
2026-06-19T05:17:21.7522324Z - Required stages: impl, unit
2026-06-19T05:17:21.7522357Z 
2026-06-19T05:17:21.7522437Z ### REQ-EP-3
2026-06-19T05:17:21.7522610Z - Title: Messaging payloads carry typed operation commands + file blobs
2026-06-19T05:17:21.7522715Z - Required stages: impl, unit
2026-06-19T05:17:21.7522743Z 
2026-06-19T05:17:21.7522824Z ### REQ-EP-4
2026-06-19T05:17:21.7522959Z - Title: PresenceChannel broker endpoint (seam day-one)
2026-06-19T05:17:21.7523058Z - Required stages: impl, unit
2026-06-19T05:17:21.7523091Z 
2026-06-19T05:17:21.7523178Z ### REQ-EP-5
2026-06-19T05:17:21.7523785Z - Title: Concrete shell instantiation model: spawn-mints-instance (vs relink/online), registered-on-node permission + broadcast-is-discovery, per-shell require_approval gate, max_instances_per_owner + over_cap, instance aliasing, discovery scope
2026-06-19T05:17:21.7523877Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7523910Z 
2026-06-19T05:17:21.7523994Z ### REQ-EP-6
2026-06-19T05:17:21.7525381Z - Title: Gateway type acceptance: a Gateway-typed perch binds (api bind --type, open type system — un-hardcode the live_agent default), advertises/addressable like any endpoint, owns shells (owner validation not agent-family-gated), subscribes to digests, and is the user-msg identity gate's user-backed origin (REQ-MSG-5); in-tree mock-gateway fixture (R-DOCS-2 pattern, no downstream adapter code). Cross-node WAN Gateway-origin (registry endpoint_type trust) tracked by REQ-MSG-6
2026-06-19T05:17:21.7525587Z - Required stages: doc, impl, unit
2026-06-19T05:17:21.7525624Z 
2026-06-19T05:17:21.7525715Z ### REQ-EP-7
2026-06-19T05:17:21.7527287Z - Title: Durable live-role.md: a per-agent broad-purpose statement in tracked/agents/<id>/ beside live-context.md (replicates with the mind on the same a-<id> branch); renders FIRST at start-transition context injection (role -> live-context -> project-context); SOLE writer `spt endpoint role --overwrite <file>` — mechanical no-automated-writer guarantee (echo-commune ingest / signoff / Psyche reconcile structurally exclude it). The user-backed-origin hard gate on the writer is a deferred later tightening (rides the user-msg identity plumbing)
2026-06-19T05:17:21.7527393Z - Required stages: doc, impl, unit
2026-06-19T05:17:21.7527431Z 
2026-06-19T05:17:21.7527512Z ### REQ-INST-1
2026-06-19T05:17:21.7527646Z - Title: endpoint ID vs instance split (adapter-agnostic ID)
2026-06-19T05:17:21.7527741Z - Required stages: 
2026-06-19T05:17:21.7527769Z 
2026-06-19T05:17:21.7527855Z ### REQ-INST-2
2026-06-19T05:17:21.7528065Z - Title: Per-node files, synced Psyche mind
2026-06-19T05:17:21.7528165Z - Required stages: impl, unit
2026-06-19T05:17:21.7528198Z 
2026-06-19T05:17:21.7528275Z ### REQ-INST-3
2026-06-19T05:17:21.7528418Z - Title: Dormant (warm) / suspended (cold) resting states
2026-06-19T05:17:21.7528518Z - Required stages: doc, impl, unit
2026-06-19T05:17:21.7528546Z 
2026-06-19T05:17:21.7528633Z ### REQ-INST-4
2026-06-19T05:17:21.7528789Z - Title: active to dormant/suspended fires a transition echo commune
2026-06-19T05:17:21.7528893Z - Required stages: impl, unit
2026-06-19T05:17:21.7528922Z 
2026-06-19T05:17:21.7529073Z ### REQ-INST-5
2026-06-19T05:17:21.7529229Z - Title: Two-tier context sync (live to all, project to same-project)
2026-06-19T05:17:21.7529355Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7529388Z 
2026-06-19T05:17:21.7529473Z ### REQ-INST-6
2026-06-19T05:17:21.7529645Z - Title: Deferred messages not delivered to dormant/suspended instances
2026-06-19T05:17:21.7529749Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7529783Z 
2026-06-19T05:17:21.7529868Z ### REQ-INST-7
2026-06-19T05:17:21.7529998Z - Title: Subnet registry + bare-id resolution policy
2026-06-19T05:17:21.7530092Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7530121Z 
2026-06-19T05:17:21.7530217Z ### REQ-INST-8
2026-06-19T05:17:21.7530360Z - Title: Remote-control mode distinct from local operation
2026-06-19T05:17:21.7530455Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7530488Z 
2026-06-19T05:17:21.7530580Z ### REQ-INST-9
2026-06-19T05:17:21.7530736Z - Title: Multi-subnet membership (same-user N subnets; cross-user seam)
2026-06-19T05:17:21.7530842Z - Required stages: impl, unit
2026-06-19T05:17:21.7530861Z 
2026-06-19T05:17:21.7530956Z ### REQ-INST-10
2026-06-19T05:17:21.7531147Z - Title: Qualified addressing [subnet:]id[@node] + ambiguity forces qualification
2026-06-19T05:17:21.7531247Z - Required stages: impl, unit
2026-06-19T05:17:21.7531281Z 
2026-06-19T05:17:21.7531361Z ### REQ-INST-11
2026-06-19T05:17:21.7531567Z - Title: spt rename <id> rippled to all instances (collision-checked, 6.5-reconciled)
2026-06-19T05:17:21.7531666Z - Required stages: impl, unit
2026-06-19T05:17:21.7531703Z 
2026-06-19T05:17:21.7531779Z ### REQ-INST-12
2026-06-19T05:17:21.7532048Z - Title: Endpoint visibility per-(endpoint,subnet): excluded semantics, OR-of-defaults + override, gates sync
2026-06-19T05:17:21.7532145Z - Required stages: impl, unit
2026-06-19T05:17:21.7532173Z 
2026-06-19T05:17:21.7532264Z ### REQ-INST-13
2026-06-19T05:17:21.7532431Z - Title: Subnet-exclusive sync + per-endpoint subnet-membership list
2026-06-19T05:17:21.7532517Z - Required stages: impl, unit
2026-06-19T05:17:21.7532650Z 
2026-06-19T05:17:21.7532745Z ### REQ-INST-14
2026-06-19T05:17:21.7533088Z - Title: Resource advertisement (subnet resource registry): free-text blurb, both-authored, registry projection, visibility/whitelist-gated
2026-06-19T05:17:21.7533190Z - Required stages: doc, impl, unit
2026-06-19T05:17:21.7533222Z 
2026-06-19T05:17:21.7533322Z ### REQ-INST-15
2026-06-19T05:17:21.7533990Z - Title: Immutable home subnet (assigned at creation: auto-if-one/ask-if-many) + spt fork (cross-subnet clone to a new identity, copy-then-diverge, not re-home); adapter chosen at creation from registered hostable adapters, changed only via launch/resume-under-new (ADR-0010)
2026-06-19T05:17:21.7534096Z - Required stages: doc, impl, unit
2026-06-19T05:17:21.7534125Z 
2026-06-19T05:17:21.7534209Z ### REQ-REACH-1
2026-06-19T05:17:21.7534346Z - Title: Off-node remote-drive detection + file transfer
2026-06-19T05:17:21.7534437Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7534466Z 
2026-06-19T05:17:21.7534550Z ### REQ-REACH-2
2026-06-19T05:17:21.7534697Z - Title: Remote command execution (deferred, consent-gated)
2026-06-19T05:17:21.7534788Z - Required stages: 
2026-06-19T05:17:21.7534817Z 
2026-06-19T05:17:21.7534897Z ### REQ-MSG-1
2026-06-19T05:17:21.7535311Z - Title: Local message delivery: TCP-first to a registered address, spool fallback when offline; id->address via registry (stale-clean first); reply routing (__REPLY_TO__)
2026-06-19T05:17:21.7535508Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7535536Z 
2026-06-19T05:17:21.7535622Z ### REQ-MSG-2
2026-06-19T05:17:21.7535870Z - Title: spt binary CLI surface: send/ring/ready(+--once)/list/stop/whoami, stable arg shapes + exit codes
2026-06-19T05:17:21.7535970Z - Required stages: impl, unit
2026-06-19T05:17:21.7536004Z 
2026-06-19T05:17:21.7536094Z ### REQ-MSG-3
2026-06-19T05:17:21.7536442Z - Title: Ready-agent lifecycle: register perch (info.json + listener + registry address) on ready, drain spooled backlog on startup, clean teardown
2026-06-19T05:17:21.7536547Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7536581Z 
2026-06-19T05:17:21.7536658Z ### REQ-MSG-4
2026-06-19T05:17:21.7537437Z - Title: Listener stream stdout emits EVENT envelope lines (sister-format, ADR-0001): parse the __REPLY_TO__ frame, pass pre-formed typed envelopes through verbatim (no double-wrap), compose <EVENT type="msg" from=…> otherwise, chunk oversized lines into EVENT-PART
2026-06-19T05:17:21.7537537Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7537566Z 
2026-06-19T05:17:21.7537662Z ### REQ-MSG-ENVELOPE
2026-06-19T05:17:21.7541254Z - Title: The <EVENT type="msg" from=…>body</EVENT> envelope (spt-proto::event, the ADR-0001 grammar) is the SOLE canonical arriving-message format at EVERY harness arriving-message surface on an AGENT perch — api listen AND api poll/worker-poll, byte-identical (reverses REQ-MSG-4's 'hook drains keep the raw frame by contract'). SCOPE CARVE-OUT: the shell-command relay (api poll <shell-id> --link, cmd_poll_shell) is a distinct internal transport carrying RAW MAC'd stamped frames the shell child consumes verbatim — NOT an arriving-message surface, deliberately EXEMPT from <EVENT> composition (notify_shell_e2e guards this boundary). __REPLY_TO__ — mis-elevated during the clean-room port to a fake ADR-0001 'stable wire format' (spt-msg/wire.rs, lib.rs) — is REMOVED entirely (spool format_row, the spt-msg TCP frame, emit parse_frame); (from, body) carried structurally, <EVENT> composed once at the delivery boundary. No legacy sister-interop (spt-core never required it). Reply-correlation rebinds onto the structural from / <EVENT from=…> attribute (ADR-0009 access-gate + ADR-0012 Psyche/spt-live reply-target). Self-delimiting by construction → finding F-002 (non-self-delimiting multi-message poll) dissolves. ADR-0020.
2026-06-19T05:17:21.7541382Z - Required stages: doc, impl, unit, int
2026-06-19T05:17:21.7541416Z 
2026-06-19T05:17:21.7541498Z ### REQ-MSG-5
2026-06-19T05:17:21.7542179Z - Title: user-msg envelope kind + daemon identity gate: a Gateway endpoint / the local user's CLI author user-msg (the user's authority); agent-family senders re-stamped to plain msg; identity-gated never payload-trusted (KH 7.3/7.5); wire-additive (N-1 receivers tolerate the new type)
2026-06-19T05:17:21.7542392Z - Required stages: doc, impl, unit
2026-06-19T05:17:21.7542421Z 
2026-06-19T05:17:21.7542515Z ### REQ-MSG-6
2026-06-19T05:17:21.7544026Z - Title: cross-node Gateway user-msg honored via advertised endpoint_type: a user-msg from a Gateway-typed origin survives the receive_wan funnel as user-msg (vs the fail-closed re-stamp), keyed on the QUIC-handshake-proven origin node (never wire `from`). Trust boundary = subnet membership (operator-ratified 2026-06-13); no defense against an in-subnet member forging the type. Instance.endpoint_type is an additive serde-default field extending REQ-INST-7's data model. Absent/unknown type → re-stamp (N-1 rollout grace)
2026-06-19T05:17:21.7544154Z - Required stages: doc, impl, unit
2026-06-19T05:17:21.7544188Z 
2026-06-19T05:17:21.7544298Z ### REQ-NODE-IDENTITY
2026-06-19T05:17:21.7544492Z - Title: Ed25519 identity primitive: keypair, detached sign/verify, stable pubkey<->hex
2026-06-19T05:17:21.7544594Z - Required stages: impl, unit
2026-06-19T05:17:21.7544628Z 
2026-06-19T05:17:21.7544713Z ### REQ-NET-1
2026-06-19T05:17:21.7544878Z - Title: WAN messaging first-class, behind default-on net feature flag
2026-06-19T05:17:21.7545096Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7545119Z 
2026-06-19T05:17:21.7545204Z ### REQ-NET-2
2026-06-19T05:17:21.7545358Z - Title: n0 relay default + self-host knob + plain-language disclosure
2026-06-19T05:17:21.7545457Z - Required stages: impl
2026-06-19T05:17:21.7545485Z 
2026-06-19T05:17:21.7545571Z ### REQ-NET-3
2026-06-19T05:17:21.7545720Z - Title: Cross-node Psyche sync over P2P replaces gh-repo-sync
2026-06-19T05:17:21.7545829Z - Required stages: impl, unit
2026-06-19T05:17:21.7545853Z 
2026-06-19T05:17:21.7545940Z ### REQ-PAIR-1
2026-06-19T05:17:21.7546039Z - Title: TOTP-seeded SPAKE2 pairing
2026-06-19T05:17:21.7546148Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7546182Z 
2026-06-19T05:17:21.7546264Z ### REQ-PAIR-2
2026-06-19T05:17:21.7546397Z - Title: Local trust store with TOFU + warn-on-change
2026-06-19T05:17:21.7546482Z - Required stages: 
2026-06-19T05:17:21.7546511Z 
2026-06-19T05:17:21.7546612Z ### REQ-PAIR-3
2026-06-19T05:17:21.7546750Z - Title: Fetch current pairing code from any paired node
2026-06-19T05:17:21.7546845Z - Required stages: impl, unit
2026-06-19T05:17:21.7546875Z 
2026-06-19T05:17:21.7546955Z ### REQ-PAIR-4
2026-06-19T05:17:21.7547060Z - Title: Subnet naming on first pairing
2026-06-19T05:17:21.7547155Z - Required stages: impl, unit
2026-06-19T05:17:21.7547190Z 
2026-06-19T05:17:21.7547270Z ### REQ-PAIR-5
2026-06-19T05:17:21.7547547Z - Title: Multi-subnet pairing: subnet-name discovery input, create-new-names-up-front, rendezvous-token hashing
2026-06-19T05:17:21.7547651Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7547683Z 
2026-06-19T05:17:21.7547773Z ### REQ-PAIR-6
2026-06-19T05:17:21.7548007Z - Title: Elevation-gated per-subnet code fetch (UAC/root or elevated agent; else authenticator app)
2026-06-19T05:17:21.7548102Z - Required stages: impl, unit
2026-06-19T05:17:21.7548136Z 
2026-06-19T05:17:21.7548218Z ### REQ-PAIR-7
2026-06-19T05:17:21.7548364Z - Title: Subnet icon (inline image metadata, GUI-only consumer)
2026-06-19T05:17:21.7548461Z - Required stages: 
2026-06-19T05:17:21.7548495Z 
2026-06-19T05:17:21.7548589Z ### REQ-SUBNET-1
2026-06-19T05:17:21.7548894Z - Title: spt subnet noun namespace: status view (bare + status [NAME] [--nodes]), create (QR/otpauth), show-code; spt pair deleted
2026-06-19T05:17:21.7549047Z - Required stages: impl, unit
2026-06-19T05:17:21.7549075Z 
2026-06-19T05:17:21.7549167Z ### REQ-SUBNET-2
2026-06-19T05:17:21.7549376Z - Title: Guided join e2e: spt subnet join CLI initiator + always-on daemon pairing responder
2026-06-19T05:17:21.7549477Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7549510Z 
2026-06-19T05:17:21.7549709Z ### REQ-SUBNET-3
2026-06-19T05:17:21.7550104Z - Title: Node labels: hostname-default, gossiped, addressable in @node qualifiers (refuse-on-ambiguity)
2026-06-19T05:17:21.7550250Z - Required stages: impl, unit
2026-06-19T05:17:21.7550288Z 
2026-06-19T05:17:21.7550422Z ### REQ-SUBNET-4
2026-06-19T05:17:21.7550770Z - Title: Subnet membership mutations elevation-gated (create = seed reveal; join = trust-boundary enrollment)
2026-06-19T05:17:21.7550870Z - Required stages: impl, unit
2026-06-19T05:17:21.7550903Z 
2026-06-19T05:17:21.7550988Z ### REQ-DOCS-6
2026-06-19T05:17:21.7551293Z - Title: spt how-to <topic>: in-binary task-oriented agent instructions (anti-drift; quickstart prompts point agents at it)
2026-06-19T05:17:21.7551391Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7551418Z 
2026-06-19T05:17:21.7551500Z ### REQ-SEC-1
2026-06-19T05:17:21.7551866Z - Title: Per-endpoint access whitelist: origin-node gate, stateful-firewall (reply/outbound exempt), node-now/user-later, outer gate before grants
2026-06-19T05:17:21.7551962Z - Required stages: impl, unit
2026-06-19T05:17:21.7551991Z 
2026-06-19T05:17:21.7552081Z ### REQ-NOTIF-1
2026-06-19T05:17:21.7552405Z - Title: Notification primitive: per-subnet replicated spool, seen/dismissed, resurface-at-boundary, subsumes update+consent prompts
2026-06-19T05:17:21.7552758Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7552791Z 
2026-06-19T05:17:21.7552875Z ### REQ-NOTIF-2
2026-06-19T05:17:21.7553117Z - Title: spt notify (agent-issued subnet notif) + notif_command manifest seam (harness + shell adapters)
2026-06-19T05:17:21.7553269Z - Required stages: doc, impl, unit, int
2026-06-19T05:17:21.7553313Z 
2026-06-19T05:17:21.7553404Z ### REQ-UPD-1
2026-06-19T05:17:21.7553526Z - Title: Peer-propagated update over P2P
2026-06-19T05:17:21.7553623Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7553656Z 
2026-06-19T05:17:21.7553751Z ### REQ-UPD-2
2026-06-19T05:17:21.7553899Z - Title: All binaries signature-verified before handoff
2026-06-19T05:17:21.7554004Z - Required stages: impl, unit
2026-06-19T05:17:21.7554038Z 
2026-06-19T05:17:21.7554123Z ### REQ-UPD-3
2026-06-19T05:17:21.7554276Z - Title: No endpoint process terminates/suspends during self-update
2026-06-19T05:17:21.7554381Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7554419Z 
2026-06-19T05:17:21.7554504Z ### REQ-UPD-4
2026-06-19T05:17:21.7554662Z - Title: Update gated on user confirmation by default; opt-in full-auto
2026-06-19T05:17:21.7554757Z - Required stages: impl, unit
2026-06-19T05:17:21.7554790Z 
2026-06-19T05:17:21.7554873Z ### REQ-UPD-5
2026-06-19T05:17:21.7555000Z - Title: spt-core ripple-updates registered adapters
2026-06-19T05:17:21.7555096Z - Required stages: impl, unit
2026-06-19T05:17:21.7555129Z 
2026-06-19T05:17:21.7555207Z ### REQ-UPD-6
2026-06-19T05:17:21.7556013Z - Title: Platform-targeted update sets and debug rollout: signed multi-platform update metadata, recipient platform selection, channel-scoped monotonic counters, debug-channel opt-in via release-key overlay, local staging plus pull-based peer propagation, and maintainer-only convergence tooling (ADR-0016)
2026-06-19T05:17:21.7556113Z - Required stages: doc, impl, unit, int
2026-06-19T05:17:21.7556141Z 
2026-06-19T05:17:21.7556233Z ### REQ-UPD-7
2026-06-19T05:17:21.7558267Z - Title: Origin-source update bootstrap (`spt update fetch`): pull the latest signed release directly from the GitHub release origin (`SaberMage/spt-releases`) — the per-platform artifact + its `<asset>.release.json` SignedRelease metadata — and stage it through the EXISTING verify→stage pipeline (the same `plan_verified` gate: two-key signature + channel + monotonic rollback floor + SHA-256), after which the normal consent-notif / `spt update apply` flow is unchanged. Closes the peer-only-discovery gap (REQ-UPD-1): a first-in-fleet / isolated node can update with no peer to pull from. The signed-release anchor keeps the GitHub transport untrusted-but-verified.
2026-06-19T05:17:21.7558367Z - Required stages: impl, unit
2026-06-19T05:17:21.7558482Z 
2026-06-19T05:17:21.7558568Z ### REQ-UPD-8
2026-06-19T05:17:21.7561039Z - Title: Platform-safe `spt update fetch` + apply platform-guard (v0.3.1 cross-OS brick fix): `spt update fetch` stages the signed multi-platform `SignedUpdateSet` (`update-set.json` + every platform artifact it names), never a platform-blind single `SignedRelease`, so local apply selects `current_platform()` and P2P re-serve lets each peer select ITS own platform. Defense-in-depth: `apply_staged` REFUSES a staged single-release artifact unless it is platform-stamped for THIS node (an unstamped pre-v0.3.2 single, or a single stamped for another OS, fail-safe refuses — the guard that alone prevents the v0.3.1 brick where a Linux ELF was applied as `spt.exe`). UX: a friendly post-apply message (`Updated spt-core to vX.Y.Z.` + changelog URL) driven by an additive `product_version` metadata field, with a release-counter fallback when absent.
2026-06-19T05:17:21.7561134Z - Required stages: impl, unit
2026-06-19T05:17:21.7561177Z 
2026-06-19T05:17:21.7561258Z ### REQ-UPD-9
2026-06-19T05:17:21.7563715Z - Title: `gh_release` adapter [update] avenue (optional signing): an adapter declares `[update] avenue = "gh_release", repo = "user/repo"` (+ optional `asset`, default `adapter.spt`; + optional Ed25519 `signing_key`); spt-core's ripple compares the repo's LATEST GitHub release version against the installed adapter version and, when newer, auto-updates by fetching the release `.spt` archive (the REQ-INSTALL-9 `--release` fetch primitive) → verifies the `.spt` against `signing_key` if declared, else HTTPS+GitHub first-acquisition trust → re-extracts + re-registers the adapter root. Lets a harness adapter ship updates from its own GitHub releases with NO signing tooling or plugin coupling (removes the perri file_pull/delegated avenue blockers). Acquisition-trust mirrors `--release` + the installer first-fetch; does not alter spt-core self-update (REQ-UPD-1..8).
2026-06-19T05:17:21.7563926Z - Required stages: doc, impl, unit
2026-06-19T05:17:21.7563950Z 
2026-06-19T05:17:21.7564034Z ### REQ-TERM-1
2026-06-19T05:17:21.7564198Z - Title: Process-supervisor terminal wrapper hosting broker PTYs
2026-06-19T05:17:21.7564293Z - Required stages: impl, unit
2026-06-19T05:17:21.7564321Z 
2026-06-19T05:17:21.7564401Z ### REQ-TERM-2
2026-06-19T05:17:21.7564579Z - Title: session-surface abstraction; send-keys + send-line injection
2026-06-19T05:17:21.7564668Z - Required stages: impl, unit
2026-06-19T05:17:21.7564702Z 
2026-06-19T05:17:21.7564793Z ### REQ-TERM-3
2026-06-19T05:17:21.7564926Z - Title: Byte-stream remote terminal streaming for v1
2026-06-19T05:17:21.7565017Z - Required stages: impl, unit
2026-06-19T05:17:21.7565050Z 
2026-06-19T05:17:21.7565133Z ### REQ-TERM-4
2026-06-19T05:17:21.7565574Z - Title: Live activity buffer (session digest): projection of normalized session logs, snapshot-pull (spt endpoint digest) + structured-delta-stream contract + api digest-entry push
2026-06-19T05:17:21.7565680Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7565719Z 
2026-06-19T05:17:21.7565809Z ### REQ-TERM-5
2026-06-19T05:17:21.7567250Z - Title: Adapter-declared digest extractor seam: a `[digest]` manifest section declaring an imperative extractor (native harness log -> the {role,text,tool,ts} contract; defaults to the [history] source files with an own-source escape hatch), `api digest-entry` push fallback, register-time validation of the section, adapter-declared presentation defaults (window depth, arg-truncation, sprint-collapse) that any consumer may override, and a `spt adapter digest-proof` author tool plus runtime skip-diagnostics (no silent drop). Reverses M9's no-manifest-seam stance; no declarative DSL.
2026-06-19T05:17:21.7567356Z - Required stages: doc, impl, unit, int
2026-06-19T05:17:21.7567389Z 
2026-06-19T05:17:21.7567474Z ### REQ-TERM-6
2026-06-19T05:17:21.7568494Z - Title: Thread-spanning digest across session boundaries: a per-endpoint session ledger (`<perch>/sessions.log`) appended at first bind and by `api boundary` on `/clear`|`/compact` session rotation, the digest enumerating the last K sessions so its rolling window bridges a boundary, and a distinctive in-timeline boundary marker (DigestEntry::Boundary). The digest follows the live-agent thread, not a single session.
2026-06-19T05:17:21.7568715Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7568752Z 
2026-06-19T05:17:21.7568836Z ### REQ-TERM-7
2026-06-19T05:17:21.7570401Z - Title: Two-origin digest merge: spt-owned context-injection entries (psyche_download | echo_mirror | owl_message) appended by spt to the endpoint `digest.log`, timestamp-interleaved with the adapter's extracted activity records into one ordered timeline, via a distinct context-injection record category. Data model only this milestone; GUI collapse/expand and the echo-reads-digest delta loop are deferred to the surfaces that consume them.
2026-06-19T05:17:21.7570545Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7570583Z 
2026-06-19T05:17:21.7570682Z ### REQ-FRONT-1
2026-06-19T05:17:21.7570854Z - Title: Day-one launcher/manager frontend (list/launch/attach/init)
2026-06-19T05:17:21.7570950Z - Required stages: 
2026-06-19T05:17:21.7570983Z 
2026-06-19T05:17:21.7571062Z ### REQ-HOST-RUN-1
2026-06-19T05:17:21.7573521Z - Title: spt-hosted harness bringup: `spt endpoint run` spawns an adapter's `[session.self]` command template into a broker-held PTY (the spawn-session seam, brain.rs spawn_session_pid — same broker path shellhost.rs launch_shell_brokered_in uses for shells, now for kind="harness" self-role), registers the perch under the given endpoint id, returns the id. Reverses today's harness-hosted-only launch (external launcher → `api bind`). Non-interactive flag set (--adapter <a[:profile]> --id <id> --create --resume <session> --attach|--start|--view) covers every terminal action of the W2 interactive picker so shortcuts (cc-<id>) bake fully non-interactive launches; composite adapter:profile resolves via registry::resolve_option leaf-replace overlay.
2026-06-19T05:17:21.7573887Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7573920Z 
2026-06-19T05:17:21.7574005Z ### REQ-RC-1
2026-06-19T05:17:21.7576903Z - Title: `spt rc <id>` — user CLI attaching a local terminal to a broker-held PTY, reusing the cross-node attach machinery (attach.rs request_attach → send_attach_input pump, spt-net AttachRecord codec); local attach is the degenerate single-node case of the cross-node path (rides REQ-TERM-3 byte-stream streaming). Read-only `--view` (watch, no stdin forwarded). Clean detach that does NOT terminate the broker-held session (KNOWN-HAZARDS: PTY ownership stays with the broker; no termination on detach). Explicit detach keybind that cannot collide with harness passthrough input (legacy capsule used a ctrl-b prefix); documented. ConPTY DSR auto-answer in the attach reader (hazard 5.5).
2026-06-19T05:17:21.7577058Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7577081Z 
2026-06-19T05:17:21.7577171Z ### REQ-HOST-RUN-2
2026-06-19T05:17:21.7578826Z - Title: Project-scoped working directory for spt-hosted bringup: `spt endpoint run` lands the broker-spawned harness PTY in the user's PROJECT cwd, not the daemon's, via an additive `SpawnReq.cwd` field carried through the broker PTY spawn (portable-pty CommandBuilder cwd). N-1-safe wire change (additive, defaulted). Required because the consumer (Claude Code) is project-scoped: broker-inherited cwd = the daemon's cwd = the wrong `.claude`, wrong session history, wrong digest source; `cc <id>` at a project root MUST land the harness in that project. W1 ships broker-inherited cwd as a bringup-proof shortcut only; this REQ must land before the M12 gate (doyle, 2026-06-14).
2026-06-19T05:17:21.7579040Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7579074Z 
2026-06-19T05:17:21.7579180Z ### REQ-RUN-PICKER
2026-06-19T05:17:21.7583913Z - Title: Interactive `spt endpoint run` picker (ratatui TUI): bare `spt endpoint run` (no --adapter/--id) enters an in-process picker (flags-present = the REQ-HOST-RUN-1 non-interactive path, untouched). Layer 1 picks kind (Create new | Pick existing). Create-new: choose a registered kind="harness" adapter with its shipped+local profiles tree-nested (registry::registered / manifest.profiles / local_profile_names) → enter a charset-validated id → start. Pick-existing: category select (left/right) over [<cwd-project> | Local node | Subnet], endpoints grouped + alphabetically sorted per category, a status square per endpoint (online green ■ / offline gray ▢ — the blue "attached" tri-state + Kick are DEFERRED to a broker attach-presence slice, M12-W2-RULING Q1), type-to-filter (`/`, nucleo-matcher), a pinned keybind legend, and a right-half two-pane description (harness adapter:profile · best-effort project history newest→oldest from the contextstore p-<project> branches, empty-if-none · `spt endpoint description`). Confirm layer offers status-dependent options — Attach/Start/View (rc pump / cmd_endpoint_run) · Instantiate-locally (remote) · Change-harness-adapter (offline) · Fork (cmd_fork) · Resume-from-history (offline+LOCAL only; enumerate spt_store::sessions::last_k, titles `<project> @ <ts> (…id5)`, feed session_id → cmd_endpoint_run --resume). A single action enum is the source of truth so a future tap-mode (phone PTY) layers on without re-coupling to keybinds. EVERY terminal action routes through cmd_endpoint_run / existing CLI fns — no second bringup path.
2026-06-19T05:17:21.7584292Z - Required stages: doc, impl, unit
2026-06-19T05:17:21.7584330Z 
2026-06-19T05:17:21.7584425Z ### REQ-RUN-SHORTCUT
2026-06-19T05:17:21.7589233Z - Title: `<basename>-<id>` launcher shortcut generation (picker `s` keybind, M12-W2-T2.4): from any pre-start options set the picker writes/updates a `<basename>-<id>` launcher at the project root baking the current selection's non-interactive `spt endpoint run` flags (terminal actions only: adapter[:profile] + id + (create|resume) + (start|attach|view); Kick/Instantiate/Change-adapter/Fork are interactive-only, not bakeable). BASENAME IS A PARAMETER (operator rev. 2026-06-14): harness-agnostic spt-core defaults to `spt` (→ `spt-<id>`); an adapter/flow OVERRIDES it (spt-claude-code → `cc`), so spt-core NEVER bakes `cc` (a harness name) into itself. The basename must be a DISTINCT token, never bare `spt` (a `spt.cmd` would shadow the real `spt.exe` only under cmd.exe cwd-first search, silently no-op in PowerShell/Unix, and self-recurse). The script is the CURRENT OS's native form — `.cmd` on Windows (NOT `.ps1`: default PATHEXT excludes `.ps1` so a bare/ext-less name never resolves one; `.cmd` is PATHEXT-resolvable), POSIX `sh` (+chmod +x) on Unix (a single portable form can't be both). The generated header documents the invocation reality (cmd.exe bare `<name>` in the project dir / PowerShell `.\<name>` / Unix `./<name>`; a truly-bare basename on PATH = a PATH-installed launcher, `/spt:setup`'s job). Overwrite is SENTINEL-guarded: the generator writes + checks a generated-by header marker — it overwrites its own prior output freely, but REFUSES + warns if a same-named file lacks the sentinel (never clobber a user file). Requires the additive `--create` flag on `Run{}` (the default-fresh made explicit; N-1-safe).
2026-06-19T05:17:21.7589411Z - Required stages: doc, impl, unit
2026-06-19T05:17:21.7589439Z 
2026-06-19T05:17:21.7589529Z ### REQ-ELEVATE-1
2026-06-19T05:17:21.7592514Z - Title: Cross-platform self-elevating re-launch for privilege-gated commands: a pure decision seam `decide_elevation_path(os, elevation, interactive_tty, has_display, has_pkexec, has_term_emulator) -> ElevatePath{AlreadyElevated, InlineSudo, UacWindow, Pkexec, TerminalEmulator, PrintHint}` selecting how to re-acquire privilege, and the per-OS impure launchers it dispatches — Windows UAC console (ShellExecuteW `runas` on the abs-exe + verbatim argv; the elevated child does the work, prints 'You can close this window', and pauses for a keypress; the original prints 'Elevated terminal launched…' and exits 0; NEVER pipes the child's stdout back across the privilege boundary), Linux desktop pkexec (preferred, native polkit GUI auth) else x-terminal-emulator -e sudo (fallback list x-terminal-emulator→gnome-terminal→konsole→xterm), the existing interactive-TTY inline sudo, and the headless/no-path floor that prints the absolute-path command. Reused by every gated command (not subnet-specific). Generalizes should_auto_elevate.
2026-06-19T05:17:21.7592744Z - Required stages: doc, impl, unit
2026-06-19T05:17:21.7592781Z 
2026-06-19T05:17:21.7592871Z ### REQ-WHOAMI-1
2026-06-19T05:17:21.7594397Z - Title: `spt whoami` is a thin ALIAS for `spt endpoint list` (full output: the SELF pin + the subnet roster) — the standalone bare-id command is dropped (the `id=$(spt whoami)` capture was never a real pattern: env vars don't persist between agent tool calls). The one new render: the `endpoint list` SELF pin carries the Self endpoint's authored `endpoint description` (info::read_info(...).resources) when present, inline after the liveness state. whoami stays a top-level hot-path verb (parse unchanged, REQ-MSG-9).
2026-06-19T05:17:21.7594508Z - Required stages: doc, impl, unit
2026-06-19T05:17:21.7594537Z 
2026-06-19T05:17:21.7594618Z ### REQ-RCVIEW-1
2026-06-19T05:17:21.7599164Z - Title: Remote-attach controller/viewer model (CONTEXT.md:317): a session's broker OutputLog serves ONE interactive controller (input + EXCLUSIVE PTY resize; its viewport sets the size, sent on attach + every window change via crossterm Event::Resize) plus ANY NUMBER of read-only `--view` attachers (output-only, no input, no resize; client-side letterbox — center+pad when larger, clip+1-line indicator when smaller; only the local ctrl-b d detach chord). Attach intent is three-valued (`Viewer | Control | Take`, wire-default Control): Control to a FREE endpoint becomes controller, Control to a CONTROLLED endpoint is REFUSED with guidance (`--view`/`--take`) — never auto-viewer, never silent-displace. Wire adds (additive, N-1 skip-unknown): `Request.intent`, `Resize{rows,cols}` (controller-only), `Size{rows,cols}` (→viewer), `Displaced{by}` (→displaced controller). The brain-resume cursor (delivered_through, ADR-0018) tracks the CONTROLLER ONLY; viewers replay from their own from_seq and never move it. Dormancy keys on the controller ONLY: controller attach wakes / controller detach goes dormant (even with viewers present); viewer attach/detach is wake-neutral and may watch a dormant endpoint as-is. v1: viewing is gated identically to driving — a viewer runs the same access_check(Unsolicited) as a controller (watching reveals full session contents = a real disclosure); a lighter distinct watch-gate is deferred to cross-subnet/finer-consent (CONTEXT.md:317 'driving ≠ watching' = the future seam).
2026-06-19T05:17:21.7599517Z - Required stages: doc, impl, unit, int
2026-06-19T05:17:21.7599545Z 
2026-06-19T05:17:21.7599631Z ### REQ-KICK-1
2026-06-19T05:17:21.7602010Z - Title: Explicit, loud controller displacement: `spt rc kick <target>` / `--take` (Take intent) kicks the incumbent controller and becomes controller; the displaced controller receives a LOUD `Displaced{by}` notice and is FULLY DETACHED (not demoted to a viewer). A default attach to a controlled endpoint is NEVER a silent displace (it is the Control busy-refusal). An old (N-1) rc omits intent → Control, so it can drive a free endpoint but CANNOT `--take` — it can never silently steal, and gets a clean busy-refusal instead. Taking control rides the same access_check(endpoint, origin, Unsolicited) as a normal control attach (if you may drive, you may take — no elevated kick policy). The picker surfaces 'Kick <node> and attach' (Take) only on a controlled (blue ■) endpoint, via the existing attach dispatch (single-bringup-path: intent is a parameter).
2026-06-19T05:17:21.7602138Z - Required stages: doc, impl, unit, int
2026-06-19T05:17:21.7602171Z 
2026-06-19T05:17:21.7602264Z ### REQ-PICKER-1
2026-06-19T05:17:21.7605648Z - Title: The picker renders a FOUR-state endpoint status (extending the W2 online/offline duality): the list-item square AND a color-coded STATUS line at the top of the pick-existing right-side details both show — gray OFFLINE; green ONLINE (online + PTY-controllable spt-hosted, not controlled); amber 'ONLINE - HARNESS ONLY' (online but NOT broker-PTY-controllable = harness-hosted, no broker PTY seat — today mis-shows green); blue 'ONLINE + CONTROLLED' (online + driven_by.is_some()). Derived on EndpointRow from {offline | controllable | driven_by} with precedence offline→gray, else driven_by→blue, else !controllable→amber, else green (driven_by outranks harness-only; mutually exclusive in practice — a harness-only endpoint has no broker PTY to control). The controllable discriminator is a NEW InfoJson.controllable: Option<bool> (serde-default, N-1-safe), stamped at the establish seam — cmd_listen (harness-hosted relay, no broker PTY) → Some(false); cmd_bind live_agent (spt-hosted broker PTY) → Some(true); absent → not-controllable (amber) default (harness-hosted is the common mis-reported case; one bind self-corrects). Store-projection-only (no live daemon query — doyle ruling). (v0.10.0)
2026-06-19T05:17:21.7606138Z - Required stages: impl, unit
2026-06-19T05:17:21.7606175Z 
2026-06-19T05:17:21.7606270Z ### REQ-PICKER-2
2026-06-19T05:17:21.7608060Z - Title: The picker's project-history loader reads the git-backed context store, not the bare working tree: data.rs project_history_for enumerates an endpoint's projects via the BranchStore branch set (the context store keeps per-project context in git branches — contextstore::project_branch(project_id), checked out to projects/<project>/<id>/ only on-demand) instead of raw std::fs::read_dir over the empty working tree (which returned empty for ALL rows incl wall-a — the operator bug). Ordered newest→oldest by branch commit recency; degrades to empty (informational pane), never fails. (v0.10.0)
2026-06-19T05:17:21.7608253Z - Required stages: impl, unit
2026-06-19T05:17:21.7608286Z 
2026-06-19T05:17:21.7608387Z ### REQ-PICKER-3
2026-06-19T05:17:21.7610826Z - Title: A self-owned subnet row reconciles its status to the LIVE roster: a Subnet-category row whose endpoint_id overlaps a local (is_local) roster id is self-owned (this node hosts it), so its status square is OVERRIDDEN with the live roster status — the WAN registry snapshot (wansend::load_snapshots) is a periodically-advertised, independently-stale projection, while the local roster (p.alive) is ground truth for an endpoint this node hosts. One status square per endpoint (CONTEXT.md:348-350 — nothing licenses opposite squares for one endpoint across its Local vs Subnet listings). A reconcile pass in data.rs after the local_rows + subnet_rows gather; BOTH category listings are preserved (Local + Subnet are legitimately distinct views — you are in your own subnet), only the STATUS is unified. (v0.10.0)
2026-06-19T05:17:21.7610937Z - Required stages: impl, unit
2026-06-19T05:17:21.7610965Z 
2026-06-19T05:17:21.7611049Z ### REQ-PICKER-4
2026-06-19T05:17:21.7612852Z - Title: The picker's Subnet category renders the canonical node LABEL, not bare key-hex: a subnet row's node renders as 'LABEL (keyprefix…)' (e.g. 'HFENDULEAM (bcead52b…)') per CONTEXT.md:650 + Instance.node_label, NOT the raw node key-hex (SPT_DEV:14efb80cb… — a picker-only regression because resource_projection→ResourceRow drops node_label, so data.rs subnet_rows uses the raw row.node). Thread node_label into the picker subnet path (ResourceRow gains node_label, or subnet_rows looks it up via the registry's node_labels) and REUSE the one canonical render (format!("{l} ({}…)", key_prefix) — cli.rs / wansend.rs), never a re-implementation. (v0.10.0)
2026-06-19T05:17:21.7612960Z - Required stages: impl, unit
2026-06-19T05:17:21.7612994Z 
2026-06-19T05:17:21.7613075Z ### REQ-PICKER-5
2026-06-19T05:17:21.7615986Z - Title: `spt endpoint list` (bare/subnet view) renders an ALIGNED table with canonical node labels: cmd_endpoint_list prints subnet rows with `\t` TAB separators (cli.rs:~1651-1662) so variable-width endpoint_ids snap fields to different tab-stops → a RAGGED status column (operator screenshot: X/help statuses misaligned vs rt-*/sptc-*/wall-a); and it calls the node renderer with no label → bare key-hex for every row (SAME ResourceRow-drops-node_label root as REQ-PICKER-4). FIX: max-width per-column padding (mirror render_node_rows' pad, pad by char count not byte len — '…' is multibyte) replacing the tabs, and render the node via the shared node_label_display now that ResourceRow carries node_label (REQ-PICKER-4). Extract a pure row-formatter seam so the alignment+label is unit-testable. ALSO: the bare list is the SUBNET view (a just-run LOCAL perch is invisible cross-subnet until the next advertise tick), so emit a `--local` hint line so a freshly-run endpoint isn't perceived as lost. (v0.10.0; operator-flagged + doyle dispatch 2026-06-17)
2026-06-19T05:17:21.7616222Z - Required stages: impl, unit
2026-06-19T05:17:21.7616256Z 
2026-06-19T05:17:21.7616347Z ### REQ-SEND-SPT-HOSTED
2026-06-19T05:17:21.7619955Z - Title: An inbound `spt send` is DELIVERED to an spt-hosted endpoint (brought up via `spt endpoint run` → `api bind`, broker holds its PTY, NO `api listen` relay). Today cmd_bind→establish_perch (api/startup.rs ~441) writes info.json + ready marker + controllable=Some(true) but registers NO message-listener / NO address, so deliver.rs resolve_address→None→spool (deliver.rs:132-140) and the message NEVER reaches the live PTY — the endpoint reads 'online' (ready marker) yet `spt send` silently SPOOLS ('online but not deliverable' lie). Per CONTEXT:187-188 the daemon owns the PTY and delivers, manifest-configurable per activity-state (direct PTY injection / relay / HTTP). FIX: route an inbound send for an spt-hosted target through the daemon → broker InputReq → session.write_input PTY-inject (broker.rs dispatch_input/write_input ~988-1022), the same path the brain uses; the live-delivery handshake must report Sent (not Queued) and stop the spool-only fallback for a broker-hosted, PTY-resident endpoint. Detection is local: controllable==Some(true) + spt-hosted state + resolve_address==None. = the spt-core HALF of the wall-b finding (perri owns the adapter half: bind-hook fired-zero-perch + the missing endpoint-run int test). (post-v0.10.0)
2026-06-19T05:17:21.7620175Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7620209Z 
2026-06-19T05:17:21.7620303Z ### REQ-HAZARD-RC-EOF
2026-06-19T05:17:21.7624035Z - Title: A severed broker stream during a live rc session surfaces GRACEFULLY, never as a raw io error that crashes the PTY. The rc read-loop (rc.rs:352-362) continues only on WouldBlock/TimedOut; ANY other read_event_until error — including UnexpectedEof 'failed to fill whole buffer' — returns Err → RC_FAIL → the PTY 'crashes' from the user's view. Confirmed trigger: a deliberate `spt daemon stop` (broker bounce) severs an active rc (perri stopped the daemon to release owlery watch handles). Same severed-broker-stream EOF class as the v0.9.1 seed fix (seed_fail_message) and the listener-death case — spt-core must classify a broker-gone EOF and (a) surface a CLEAR actionable message ('daemon stopped/restarted — re-run / reconnect'), never the raw buffer error, and ideally (b) AUTO-REATTACH to the same session on the fresh broker (the broker is the daemon-lifetime anchor; it returns on the next `spt api` call). FOLD two side-observations: (1) `spt daemon stop` SILENTLY drops active rc/live sessions — warn ('N active session(s) will drop') or graceful-detach on stop; (2) the daemon holds owlery WATCH HANDLES on perch dirs so a torn-down perch dir stays 'Device busy' until a full daemon stop releases them (perri's rt-* cleanup) — a torn-down perch's handle should release without a daemon stop. doyle Finding C, root-caused. (post-v0.10.0)
2026-06-19T05:17:21.7624161Z - Required stages: impl, unit
2026-06-19T05:17:21.7624195Z 
2026-06-19T05:17:21.7624295Z ### REQ-HAZARD-DEFERRED-MANIFEST
2026-06-19T05:17:21.7626498Z - Title: A pointer-mode (delegated / GhReleaseManaged) adapter whose binary/manifest is not yet extracted is reported with a CLEAR diagnostic, never silently dropped. Today such an adapter reads its manifest LIVE from source_dir (registry.rs manifest_dir ~146/149); a deferred / un-extracted install makes load_manifest fail → registered() (~410, filter_map(.ok())) SILENTLY DROPS the row → downstream ADAPTER_UNRESOLVED + a cryptic os-error-2 on `spt adapter use`. FIX: surface a clear diagnostic at the resolver + at `adapter use` (name the adapter + the deferred/missing-manifest cause + the fix), not a silent filter-drop and not a bare os-error-2; consider an eager manifest copy at register time so host_binaries survive before the binary download completes. doyle Finding A. (post-v0.10.0)
2026-06-19T05:17:21.7626707Z - Required stages: impl, unit
2026-06-19T05:17:21.7626735Z 
2026-06-19T05:17:21.7626830Z ### REQ-HAZARD-ENV-SUBST
2026-06-19T05:17:21.7630135Z - Title: `spt endpoint run` HONORS manifest [env.<VAR>] direction=inject values (with {key} substitution) on the spt-hosted spawn. Today only the [session.self] command ARGV is {id}-substituted; the [env] inject value is NEITHER substituted NOR applied — manifest.schema.json promises EnvVar.value = 'Value to inject (with substitution)' but prepare_harness_spawn fills only argv and SpawnReq carries no env, so a [env.SPT_ENDPOINT_ID].value='{id}' arrives EMPTY. A FLAGLESS harness (bare `claude`, no argv slot for {id}) then routes the id via [env] → empty → SessionStart sees empty $SPT_ENDPOINT_ID → seeds-by-PPID instead of binding → ZERO perch → NO_PERCH (the actual wall-b bind blocker; perri hard-repro'd). SILENT failure (empty inject, no error). FIX (doyle ruled a): fill every [env] inject value from the SAME {key} catalog as argv/role (mirror F-009 TEMPLATE fill, whole-string fill_template for an env value), thread it through SpawnReq.env → the broker sets it on the spawned PTY child. Correctness fix — schema already promises it, NO manifest change, NO new binary. PAIRS with REQ-SEND-SPT-HOSTED to make endpoint run fully work. doyle F-013. (post-v0.10.0)
2026-06-19T05:17:21.7630353Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7630382Z 
2026-06-19T05:17:21.7630492Z ### REQ-HAZARD-ROSTER-GHOST
2026-06-19T05:17:21.7632799Z - Title: A LOCAL subnet roster entry whose backing perch is erased does NOT keep advertising Active (no phantom perch-less endpoint). `api session-end <id> --erase` removes the perch (owlery dir gone) but the subnet roster (identity/registry/<subnet>.json) keeps the endpoint's instance row ACTIVE with no backing perch; `endpoint stop` says 'address unregistered' yet the line persists; no CLI verb forgets a roster entry, and a hand-edit is re-added by the single-writer daemon advertiser. FIX: daemon-side self-heal — the advertiser DROPS/forgets a LOCAL roster entry whose backing perch no longer exists (stops advertising it Active), and/or a `forget`/evict verb; verify whether the epoch lease eventually evicts it (slow-self-heal) vs a real leak and scope accordingly. doyle secondary finding (perri). (post-v0.10.0)
2026-06-19T05:17:21.7632908Z - Required stages: impl, unit
2026-06-19T05:17:21.7632942Z 
2026-06-19T05:17:21.7633056Z ### REQ-HAZARD-HOSTED-LIVENESS-RECONCILE
2026-06-19T05:17:21.7636900Z - Title: B2 KEYSTONE: a daemon-hosted (spt-hosted) endpoint's info.json status is RECONCILED to real liveness, not left latched online. The broker exit-waiter (broker.rs:889-910) reaps its in-mem session table + emits ExitEvent but NEVER touches info.json; lifecycle::mark_offline only fires on Psyche teardown — so a dead/exited harness (operator closed the tab) stays status=online forever (is_perch_alive returns ONLINE for daemon-hosted, liveness.rs:80-93). FIX (doyle ruled PULL-PRIMARY — the live-status analog of REQ-HAZARD-ROSTER-GHOST): the livehost reconcile loop (reconcile_once livehost.rs:226-313) queries the broker's live session set (KIND_SESSIONS) each tick and, for any status=online live_agent perch PAST the boot grace whose endpoint has NO live broker session, marks it offline (lifecycle::mark_offline → status=offline → is_perch_alive=false). GATED on spt-hosted (controllable==Some(true)) so a HARNESS-HOSTED relay live agent (api listen, legitimately online with no broker session) is NEVER mis-marked. Crash-robust + self-healing on the next tick (clear-on-event is not crash-robust alone). PUSH (brain ExitEvent→mark_offline) is an OPTIONAL fast-path only if the daemon brain is reliably subscribed to all hosted sessions; correctness rides the pull. Broker stays stateless (ADR-0004 §B — brain owns the info.json write). (v0.12.0)
2026-06-19T05:17:21.7637140Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7637174Z 
2026-06-19T05:17:21.7637277Z ### REQ-HAZARD-RC-ATTACH-FAILFAST
2026-06-19T05:17:21.7640565Z - Title: B1: `spt rc <id>` to a DEAD or non-streaming session fails fast with a clear message, never an INFINITE blank screen. Today rc.rs run_attach (209-231) + pump spawns PUMP_IPC_READER and blocks: the poll times out each slice but the stream never produces output, so the operator sees a permanent blank (operator: fresh wall-f attached, closed tab, then `spt rc wall-f` HUNG — the broker still resolved a session for it). FIX: (a) once B2 lands, gate attach on is_online/status — an offline endpoint yields a clean 'endpoint offline, start it' not an attach; (b) fail-fast — if the attach-open ack / first output does not arrive within a bound, surface a clear message, never an infinite blank; (c) the broker EOFs the attach stream when the session's child is dead, so rc's existing PumpEnd::BrokerGone graceful path (REQ-HAZARD-RC-EOF) catches it. PIN the exact sub-mechanism with a repro test FIRST (dead-session-lingers-in-broker vs reaped-but-rc-waits vs alive-resting-no-wake — the wall-f Windows tab-close: child alive-silent vs dead-not-reaped). (v0.12.0)
2026-06-19T05:17:21.7640818Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7640851Z 
2026-06-19T05:17:21.7640957Z ### REQ-ENDPOINT-STOP-OFFLINE
2026-06-19T05:17:21.7642231Z - Title: H3: `spt endpoint stop <id>` marks the endpoint OFFLINE (alive=false), not merely de-readied. cmd_stop (cli.rs:2994-3010) removes the ready marker + unregisters the address but does NOT set status offline, so a stopped daemon-hosted endpoint still reports alive=true (status=online latch). FIX: add set_status(perch, STATUS_OFFLINE) to cmd_stop — folds with B2 (same setter). Unit: stop → is_perch_alive=false / alive=false. (v0.12.0)
2026-06-19T05:17:21.7642344Z - Required stages: impl, unit
2026-06-19T05:17:21.7642372Z 
2026-06-19T05:17:21.7642472Z ### REQ-HAZARD-DAEMON-STOP-BARRIER
2026-06-19T05:17:21.7644151Z - Title: B3: `spt daemon stop` then an immediate `spt daemon start` does NOT race — stop fully completes before it returns. Today request_stop (seedmap.rs:240-255) returns on the KIND_STOPPING ack (sent seedmap.rs:174-176) BEFORE the seed socket unbinds, so a following is_running ping (daemon.rs:375) wins the exit window and start reports ALREADY_RUNNING (operator: daemon stop → STOPPED then start → ALREADY_RUNNING). FIX: unbind/stop-gate the seed socket BEFORE acking KIND_STOPPING, OR request_stop waits for a ping-to-fail before returning. Unit: stop then immediate is_running()==false. (v0.12.0)
2026-06-19T05:17:21.7644255Z - Required stages: impl, unit
2026-06-19T05:17:21.7644293Z 
2026-06-19T05:17:21.7644398Z ### REQ-HAZARD-DAEMON-STOP-REAP
2026-06-19T05:17:21.7646107Z - Title: Breap: `spt daemon stop` REAPS the spt-hosted children it spawned — no orphaned psyche/harness processes. Today a stop leaves ~8 orphaned claude-spt-psyche.exe + spt.exe: Psyches are spawned DETACHED (runtime.rs:342-356, the Child is dropped — 'Detached' ~349) and the livehost stop flag Arc<AtomicBool> is NEVER raised (brainproc.rs:227-230 holds it 'for symmetry'). FIX: on stop, raise the livehost stop flag AND kill the spawned psyche/spt-hosted children — via a Windows job object / Unix process-group so the children die with the daemon (not detached-immortal). Folds with B3 (both the stop path). (v0.12.0)
2026-06-19T05:17:21.7646222Z - Required stages: impl, unit
2026-06-19T05:17:21.7646254Z 
2026-06-19T05:17:21.7646369Z ### REQ-HAZARD-LIVEHOST-BOOT-LIVENESS-GATE
2026-06-19T05:17:21.7648616Z - Title: B5: `spt daemon start` does NOT revive phantom Psyches for dead-but-online-latched perches. Today reconcile_once (livehost.rs:285) spawns a Psyche per status=online live_agent perch at boot WITHOUT verifying the harness child / {id}-psyche is actually alive — so a Cold start after an unclean stop revives N psyches for N dead-but-latched perches (3 psyches for 3 dead perches). FIX: gate the boot psyche-spawn on real child-liveness — a perch with NO live broker session (the B2 reconcile signal) is marked OFFLINE at boot instead of hosted, so a dead-harness perch is never revived. Shares the B2 reconcile loop (this is its boot-gate arm); composes with B2's honest latch. Also closes wall-a's psyche_host_error gap (residency-confirm does not run at boot tick-1, livehost.rs:395-441 / 257-263). (v0.12.0)
2026-06-19T05:17:21.7648835Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7648859Z 
2026-06-19T05:17:21.7649079Z ### REQ-HAZARD-BRAIN-RESTART-LIFECYCLE-REHYDRATE
2026-06-19T05:17:21.7651537Z - Title: B4 (deepest): a bare brain restart (broker survives) REHYDRATES the live-agent lifecycle so post-restart endpoints are hosted + attachable. Today resume_sessions (brainproc.rs:186, brain.rs:797-809) re-subscribes to the broker's PTY sessions but ALL BrainLifecycle instances (lifecycle.rs:58-130; the ephemeral brain.rs:254-275) are LOST on restart → a post-restart live endpoint gets no livehost → its Psyche is never (re)hosted and new spawns die / can't attach until a FULL daemon reset (operator: perri's brain kill+restart wedged everything until a full daemon kill). FIX: on brain startup, rebuild a BrainLifecycle per resumed live-capable session — load the manifest from the adapter registry → instantiate → start the pulse — the rehydrate the resume no-op cannot do. Composes with B2 (the reconcile re-hosts from the honest on-disk status after rehydrate). (v0.12.0)
2026-06-19T05:17:21.7651736Z - Required stages: 
2026-06-19T05:17:21.7651768Z 
2026-06-19T05:17:21.7651884Z ### REQ-HAZARD-BRAIN-RESTART-PSYCHE-DUP
2026-06-19T05:17:21.7655468Z - Title: A bare brain restart leaves EXACTLY ONE `{id}-psyche` process per endpoint — no duplicate. On an abrupt brain death stop_host never runs (the LiveSet + owned child handles die with the brain) and Breap's job/group only reaps at DAEMON stop, so the PRIOR brain's Psyche stays ALIVE; the respawned brain's reconcile re-hosts a SECOND Psyche and overwrites the `{id}-psyche` perch pid, leaving the old one untracked + alive = a duplicate that lingers until daemon-stop (the operator's 'brain kill+restart wedged everything'). FIX: at brain start, BEFORE the first reconcile re-hosts, reap any pre-existing `{id}-psyche` orphan — ID-SPECIFICALLY (recycle-safe on the shared box, where sibling agents share the `claude` basename): scoped-kill the recorded pid ONLY IF it is alive AND its exe basename == the adapter's psyche program (normalize_basename) AND its COMMAND LINE contains the full psyche id `<id>-psyche` (baked via {id}); a sibling never carries THIS id, and any unreadable signal FAILS SAFE (decline to reap — a missed dup is bounded by Breap, a wrong-kill is catastrophic). CAVEAT: the cmdline carries `<id>-psyche` only when the adapter's psyche_init.command uses {id} (the norm); a non-{id} adapter safely MISSES the reap (today's behavior, Breap bounds it) — never a wrong-kill. (v0.12.0)
2026-06-19T05:17:21.7655615Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7655658Z 
2026-06-19T05:17:21.7655753Z ### REQ-HAZARD-UNHOST-PSYCHE-REAP
2026-06-19T05:17:21.7658790Z - Title: On un-host, the detached `{id}-psyche` HARNESS PROCESS is reaped — not just its in-brain pulse-driver thread. Today stop_host (livehost.rs:203) trips the HostedLife stop flag + JOINS the driver thread, but the Psyche is a detached harness process (spawn_psyche → ManifestRuntime detached spawn, runtime.rs:341-356; its pid is untracked in HostedLife though stamped on the `{id}-psyche` perch, where residency-confirm already reads it). So endpoint-stop / mid-life agent-death / a B2/B5 offline-then-unhost leaves the psyche process ORPHANED, alive until the next daemon-stop (where Breap's job/group reaps the whole brain subtree). The Psyche STAYS a harness process by design (CONTEXT.md 97/203/251 — headless harness session, its own perch) — the fix does NOT move it in-brain; it SCOPED-kills the `{id}-psyche` pid on un-host (never machine-wide — shared box). Track the pid in HostedLife at host_one (cleanest) or read the `{id}-psyche` perch pid at stop_host. Composes with H3 (endpoint stop → offline → reconcile un-host → reap) and B2/B5 (the offline arms that trigger un-host). (v0.12.0)
2026-06-19T05:17:21.7659085Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7659119Z 
2026-06-19T05:17:21.7659220Z ### REQ-ENDPOINT-PURGE
2026-06-19T05:17:21.7663774Z - Title: `spt endpoint purge <id>` fully removes an endpoint AND every record keyed on it — the formal teardown devs/CI need for clean test setup/reset. NOT consent-gated (a local dev/test op — no peer consent). OFFLINE-ONLY: refuses while the endpoint is online / daemon-hosted (deleting records out from under a live host risks the daemon re-creating or re-hosting mid-purge); `--force` STOPS it first (endpoint stop → wait for the daemon reconcile to un-host + reap the Psyche) THEN purges. Confirms interactively unless `--yes` (the CI path). Refuses purging the CALLER's OWN running id. All LOCAL — purge reaches only THIS node's records; a remote endpoint's records can't be touched, and its subnet-registry rows decay via the epoch-lease eviction (REQ-HAZARD-REGISTRY-DECAY). Removes: (1) the perch dir TREE recursively — owlery/<id>/ incl every nested {id}-psyche / {id}-w* / shells child (info.json, ready marker, sessions.log ledger, spool.db, inbox, .idle/.more-done sentinels, auth token); (2) the registry address (registry::unregister_address); (3) the context store — ContextStore::remove_endpoint(id): the a-<id> branch+worktree + the <id>/ rows from every p-<project> branch (the same fn `fork --delete-source` already uses); (4) node-local trust rows keyed on the id — access.json + visibility.json. Reuse-heavy: it is `fork --delete-source` generalized (recursive perch remove + unregister + remove_endpoint) + the trust-record cleanup; `endpoint rename` already enumerates the same record set + uses the same offline-only gate. (v0.12.0)
2026-06-19T05:17:21.7664017Z - Required stages: doc, impl, unit, int
2026-06-19T05:17:21.7664045Z 
2026-06-19T05:17:21.7664145Z ### REQ-READY-AGENT-RESUME
2026-06-19T05:17:21.7667475Z - Title: An offline ReadyAgent shows in `spt endpoint run`'s picker Resume-from-history and resumes correctly — closing the gap that today only LiveAgents do. ROOT: a harness-hosted ready bind (ReadyAgent::start_homed, ready.rs) writes info.json DIRECTLY and never appends the session ledger (unlike the shared establish_perch:250 live path), so a ready agent — though it has a session_id — produces ZERO ledger rows → the picker's offline+local Resume-from-history (which gates on ledger rows) never offers it. FIX (1): ledger the ready bind (ReadyAgent::start_homed → sessions::append Boot, mirroring establish_perch). FIX (2): `spt endpoint run --resume <session>` honors the adapter MANIFEST's endpoint TYPE — a ReadyAgent manifest (no [session.psyche_init]) resumes as a ready endpoint (poll listener, NO psyche-host); a LiveAgent (with psyche_init) as live. NO new bringup mode + NO picker changes (operator 2026-06-18): `spt endpoint run` is the spt-hosted ENDPOINT bringup for BOTH types, the type IS the adapter-manifest's concern (psyche-host already keys on psyche_init presence) — so (2) likely already holds; VERIFY at code, build only the residual. (v0.12.0)
2026-06-19T05:17:21.7667585Z - Required stages: doc, impl, unit, int
2026-06-19T05:17:21.7667614Z 
2026-06-19T05:17:21.7667718Z ### REQ-PICKER-ADAPTER-DESCRIPTION
2026-06-19T05:17:21.7669133Z - Title: The Create-new adapter-CHOICE screen of `spt endpoint run`'s picker shows a right-hand Description panel (like the Pick-existing endpoint picker's two-pane) surfacing per-adapter detail: install date, last-updated, adapter TYPE / the endpoint types it hosts, and the adapter description — so the user can see WHAT each adapter is before choosing it (today the selector lists bare names). DEFERRED fast-follow to v0.12.0 (operator 2026-06-18). (post-v0.12.0)
2026-06-19T05:17:21.7669369Z - Required stages: 
2026-06-19T05:17:21.7669402Z 
2026-06-19T05:17:21.7669503Z ### REQ-HAZARD-VIEWER-ISOLATION
2026-06-19T05:17:21.7671576Z - Title: A slow / dead / hostile VIEWER must NEVER stall the controller, the PTY child, or the session drain thread. The broker drain fans output to the controller on the authoritative blocking bounded path (advances delivered_through) but to each viewer via a bounded per-viewer channel with a dedicated writer thread; the drain `try_send`s under the log lock and a viewer whose bounded queue OVERFLOWS (can't keep up) is EVICTED (queue dropped, writer thread ends, removed from the viewers map) — the drain thread NEVER touches a viewer socket, so no viewer write can backpressure or block it. A soft viewer cap bounds the thread count. Viewer eviction never perturbs the controller stream, the delivered_through cursor, or the child.
2026-06-19T05:17:21.7671685Z - Required stages: unit, int
2026-06-19T05:17:21.7671714Z 
2026-06-19T05:17:21.7671798Z ### REQ-INSTALL-1
2026-06-19T05:17:21.7671974Z - Title: Two install paths; signed one-line script; OS-service registration
2026-06-19T05:17:21.7672075Z - Required stages: doc, impl, int
2026-06-19T05:17:21.7672202Z 
2026-06-19T05:17:21.7672293Z ### REQ-INSTALL-2
2026-06-19T05:17:21.7672422Z - Title: Marketplace-repackaging-friendly install
2026-06-19T05:17:21.7672517Z - Required stages: doc
2026-06-19T05:17:21.7672546Z 
2026-06-19T05:17:21.7672627Z ### REQ-INSTALL-3
2026-06-19T05:17:21.7672751Z - Title: Idempotent + interactive-optional first run
2026-06-19T05:17:21.7672841Z - Required stages: impl, int
2026-06-19T05:17:21.7672870Z 
2026-06-19T05:17:21.7672952Z ### REQ-INSTALL-4
2026-06-19T05:17:21.7673533Z - Title: Adapter registration lifecycle: spt adapter add (--github, manifest-first, install-is-first-update) + soft-deregister remove + optional manifest uninstall template; node-local registered-adapter set self-update ripples over
2026-06-19T05:17:21.7673644Z - Required stages: impl, unit
2026-06-19T05:17:21.7673677Z 
2026-06-19T05:17:21.7673767Z ### REQ-MIGRATE-1
2026-06-19T05:17:21.7673911Z - Title: Auto-detect and migrate a legacy claude_skill_owl install
2026-06-19T05:17:21.7674010Z - Required stages: 
2026-06-19T05:17:21.7674043Z 
2026-06-19T05:17:21.7674124Z ### REQ-INFRA-1
2026-06-19T05:17:21.7674283Z - Title: GitHub issue tracking for v1; tangled.org as migration target
2026-06-19T05:17:21.7674367Z - Required stages: 
2026-06-19T05:17:21.7674395Z 
2026-06-19T05:17:21.7674480Z ### REQ-INSTALL-5
2026-06-19T05:17:21.7674925Z - Title: Non-interactive install path: the canonical one-liner doubles as every adapter's pack-in on-demand install (no second mechanism); sha256-verified fetch; user-PATH registration
2026-06-19T05:17:21.7675025Z - Required stages: impl, int
2026-06-19T05:17:21.7675058Z 
2026-06-19T05:17:21.7675138Z ### REQ-INSTALL-9
2026-06-19T05:17:21.7676297Z - Title: Adapter add from a GitHub release archive: `spt adapter add --release <user/repo> [--tag <tag>] [--asset <name>]` fetches a `.spt` tar asset over HTTPS+GitHub trust, extracts it to the durable adapters/_github home, and registers the root — ships built binaries source-free and versioned (the distribution path for an adapter whose dev repo is a monorepo subdir, where --github root-only clone does not fit)
2026-06-19T05:17:21.7676407Z - Required stages: doc, impl, unit
2026-06-19T05:17:21.7676446Z 
2026-06-19T05:17:21.7676537Z ### REQ-INSTALL-10
2026-06-19T05:17:21.7677725Z - Title: Windows at-logon autostart runs the daemon in the background with no persistent window: the scheduled task launches `spt daemon start` (which spawn_detaches a console-less DETACHED_PROCESS daemon and exits) rather than the foreground `spt daemon run` — Task Scheduler's interactive ONLOGON launch of a long-lived console process otherwise leaves a visible console window for the daemon's whole lifetime (v0.7.4)
2026-06-19T05:17:21.7677916Z - Required stages: impl, unit
2026-06-19T05:17:21.7677949Z 
2026-06-19T05:17:21.7678035Z ### REQ-INSTALL-11
2026-06-19T05:17:21.7679811Z - Title: Adapter command templates resolve their program against the adapter's install dir BEFORE PATH: a `.spt`-shipped binary (dropped to adapters/_github/<safe>/ by --release/--github acquisition, or kept in the source_dir under copy-mode where only manifest+strings/ are copied to adapters/<name>) runs without any PATH placement — a bare-name template token (e.g. `claude-spt-digest ...`) is rewritten to <install_dir>/<program>(.exe on Windows) when that file exists, else left bare for the PATH fallback. Makes a `.spt` self-contained (closes the --release bundled-binary gap perri confirmed) (v0.7.4)
2026-06-19T05:17:21.7679919Z - Required stages: doc, impl, unit
2026-06-19T05:17:21.7679953Z 
2026-06-19T05:17:21.7680034Z ### REQ-INSTALL-12
2026-06-19T05:17:21.7682524Z - Title: Durable active-profile pointer for bind-time profile selection (ADR-0021): adapters/active-profiles.toml at the registry ROOT (sibling to the per-adapter <name>/ dirs, so adapter add/update/remove — which only rewrite a <name>/ subdir — can never clobber it), a flat host_binary → "adapter[:profile]" map. Read at bind as the PRIMARY profile selector; unset → the registered_at_ms fallback (REQ-START-5). Written ONLY by `spt adapter use <adapter>[:profile]` (resolves the adapter's host_binaries → sets each binary→adapter[:profile]); `spt adapter use --clear <adapter|binary>` drops. NEVER auto-written by install/update/adapter add (that is precisely what would let an update silently flip the active profile). A stale pointer (uninstalled adapter / deleted profile) self-heals: ignored, fall back, warn once. Pruned on adapter remove. Atomic write (spt_store atomic). (v0.9.0)
2026-06-19T05:17:21.7682739Z - Required stages: doc, impl, unit, int
2026-06-19T05:17:21.7682772Z 
2026-06-19T05:17:21.7682853Z ### REQ-REL-1
2026-06-19T05:17:21.7683212Z - Title: spt-releases publish-target repo: README public face, licensing split, Pages docs at the permanent lapse-proof canonical URL (ADR-0014)
2026-06-19T05:17:21.7683311Z - Required stages: doc, impl
2026-06-19T05:17:21.7683350Z 
2026-06-19T05:17:21.7683430Z ### REQ-REL-2
2026-06-19T05:17:21.7683875Z - Title: Release asset set consumable by the self-updater: platform binaries, SHA256SUMS, SignedRelease metadata, manifest schema, mock-adapter zip; tag-triggered cross-repo pipeline
2026-06-19T05:17:21.7683969Z - Required stages: impl, int
2026-06-19T05:17:21.7684003Z 
2026-06-19T05:17:21.7684089Z ### REQ-REL-3
2026-06-19T05:17:21.7684480Z - Title: Two-key release-signing trust anchor: primary + offline never-used recovery, both pubkeys embedded in the binary's trusted set, manual local signing (ADR-0015)
2026-06-19T05:17:21.7684589Z - Required stages: impl, unit
2026-06-19T05:17:21.7684622Z 
2026-06-19T05:17:21.7684713Z ### REQ-DOCS-1
2026-06-19T05:17:21.7684895Z - Title: Dual-audience docs (human + AI dev-agent), markdown once / two depths
2026-06-19T05:17:21.7684998Z - Required stages: doc, impl
2026-06-19T05:17:21.7685031Z 
2026-06-19T05:17:21.7685117Z ### REQ-DOCS-2
2026-06-19T05:17:21.7685261Z - Title: Sub-10-minute runnable killer quickstart per audience
2026-06-19T05:17:21.7685351Z - Required stages: doc, int
2026-06-19T05:17:21.7685384Z 
2026-06-19T05:17:21.7685466Z ### REQ-DOCS-3
2026-06-19T05:17:21.7685642Z - Title: Diátaxis structure; one canonical way to do X
2026-06-19T05:17:21.7685728Z - Required stages: doc
2026-06-19T05:17:21.7690714Z 
2026-06-19T05:17:21.7690823Z ### REQ-DOCS-4
2026-06-19T05:17:21.7691033Z - Title: Agent-consumable layer (llms.txt, manifest schema, MCP, CLI help)
2026-06-19T05:17:21.7691132Z - Required stages: doc, impl, unit
2026-06-19T05:17:21.7691166Z 
2026-06-19T05:17:21.7691263Z ### REQ-DOCS-5
2026-06-19T05:17:21.7691442Z - Title: Anti-drift: rustdoc/schema/exports/CLI-help generated + CI-checked
2026-06-19T05:17:21.7691548Z - Required stages: impl, int
2026-06-19T05:17:21.7691582Z 
2026-06-19T05:17:21.7691854Z ### REQ-HAZARD-GRACE-BEFORE-SIGNOFF
2026-06-19T05:17:21.7692030Z - Title: Grace-period wait completes before composing INIT_SIGNOFF (1.1)
2026-06-19T05:17:21.7692135Z - Required stages: impl, unit
2026-06-19T05:17:21.7692164Z 
2026-06-19T05:17:21.7692273Z ### REQ-HAZARD-INFO-JSON-TORN-READ
2026-06-19T05:17:21.7692411Z - Title: State-file reads tolerate concurrent writes (1.2)
2026-06-19T05:17:21.7692522Z - Required stages: impl, unit
2026-06-19T05:17:21.7692545Z 
2026-06-19T05:17:21.7692644Z ### REQ-HAZARD-STALE-INDEX-LOCK
2026-06-19T05:17:21.7692772Z - Title: Sweep stale lockfiles on daemon boot (1.3)
2026-06-19T05:17:21.7692872Z - Required stages: impl, unit
2026-06-19T05:17:21.7692896Z 
2026-06-19T05:17:21.7693003Z ### REQ-HAZARD-DEFERRED-DRAIN
2026-06-19T05:17:21.7693166Z - Title: Deferred spool rows excluded from the event-stream drain (1.4)
2026-06-19T05:17:21.7693257Z - Required stages: impl, unit
2026-06-19T05:17:21.7693290Z 
2026-06-19T05:17:21.7693389Z ### REQ-HAZARD-WORKER-PATH
2026-06-19T05:17:21.7693562Z - Title: Single source of truth for Worker/Psyche perch location (1.5)
2026-06-19T05:17:21.7693695Z - Required stages: impl, unit
2026-06-19T05:17:21.7693718Z 
2026-06-19T05:17:21.7693824Z ### REQ-HAZARD-PARENT-PID-PREFER
2026-06-19T05:17:21.7694000Z - Title: Prefer stable parent PID / broker handle over ephemeral PID (2.1)
2026-06-19T05:17:21.7694195Z - Required stages: 
2026-06-19T05:17:21.7694229Z 
2026-06-19T05:17:21.7694324Z ### REQ-HAZARD-STDIN-SESSION-ID
2026-06-19T05:17:21.7694445Z - Title: Stdin session_id precedence over env (2.2)
2026-06-19T05:17:21.7694534Z - Required stages: 
2026-06-19T05:17:21.7694563Z 
2026-06-19T05:17:21.7694663Z ### REQ-HAZARD-HANDOFF-ARGV-COMPAT
2026-06-19T05:17:21.7694816Z - Title: Broker/brain IPC + handoff argv version-tolerant (2.3)
2026-06-19T05:17:21.7694911Z - Required stages: impl, unit
2026-06-19T05:17:21.7694939Z 
2026-06-19T05:17:21.7695031Z ### REQ-HAZARD-GEN-START-NOW
2026-06-19T05:17:21.7695163Z - Title: gen_start = now() on cold-start and handoff (2.4)
2026-06-19T05:17:21.7695259Z - Required stages: impl, int
2026-06-19T05:17:21.7695293Z 
2026-06-19T05:17:21.7695394Z ### REQ-HAZARD-EPHEMERAL-CLEANUP
2026-06-19T05:17:21.7695539Z - Title: Ephemeral perch cleanup on every ring exit path (3.1)
2026-06-19T05:17:21.7695634Z - Required stages: impl, unit
2026-06-19T05:17:21.7695677Z 
2026-06-19T05:17:21.7695784Z ### REQ-HAZARD-STALE-SIGNOFF-SENTINEL
2026-06-19T05:17:21.7695930Z - Title: Stale signoff sentinel does not kill a fresh start (3.2)
2026-06-19T05:17:21.7696026Z - Required stages: impl, unit
2026-06-19T05:17:21.7696060Z 
2026-06-19T05:17:21.7696164Z ### REQ-HAZARD-ECHO-BEFORE-SIGNOFF
2026-06-19T05:17:21.7696346Z - Title: Echo-commune fires before INIT_SIGNOFF on orphan teardown (3.3)
2026-06-19T05:17:21.7696441Z - Required stages: impl, unit
2026-06-19T05:17:21.7696469Z 
2026-06-19T05:17:21.7696583Z ### REQ-HAZARD-ENVELOPE-DECODE-ORDER
2026-06-19T05:17:21.7696717Z - Title: Envelope decode order, ampersand decoded last (4.1)
2026-06-19T05:17:21.7696808Z - Required stages: impl, unit
2026-06-19T05:17:21.7696836Z 
2026-06-19T05:17:21.7696942Z ### REQ-HAZARD-ENVELOPE-CR-LINESAFE
2026-06-19T05:17:21.7698679Z - Title: Envelope CR-linesafety (4.1): the line-framed EVENT codec must neutralize raw carriage returns — `event_body_escape` folds CRLF/lone-CR to the codec's representable linebreak (`\n`→`<br>`) BEFORE framing, so a body carrying `\r` (Windows `echo`/CRLF text crossing nodes) cannot survive into the single-line envelope and trigger a receiver terminal CR→col0 overwrite that corrupts the frame. Robustness on unrepresentable input, NOT a wire-format change (decoder untouched, amp-last invariant held). Belt-and-suspenders: `spt send`/`ring` also trim stdin (parity with `notify`).
2026-06-19T05:17:21.7698792Z - Required stages: impl, unit
2026-06-19T05:17:21.7698816Z 
2026-06-19T05:17:21.7698927Z ### REQ-HAZARD-ENVELOPE-PARSER-SAFE
2026-06-19T05:17:21.7699189Z - Title: Two-slice envelope parser is panic-free and tolerant (4.2)
2026-06-19T05:17:21.7699303Z - Required stages: impl, unit
2026-06-19T05:17:21.7699441Z 
2026-06-19T05:17:21.7699547Z ### REQ-HAZARD-EVENTPART-REASSEMBLY
2026-06-19T05:17:21.7699737Z - Title: EVENT-PART split/reassembly is byte-exact; orphan parts dropped silently
2026-06-19T05:17:21.7699838Z - Required stages: impl, unit
2026-06-19T05:17:21.7699867Z 
2026-06-19T05:17:21.7699961Z ### REQ-HAZARD-ID-CHARSET
2026-06-19T05:17:21.7700200Z - Title: Addressable-id charset reserves :/@ delimiters; validated at every creation seam (4.6)
2026-06-19T05:17:21.7700299Z - Required stages: impl, unit
2026-06-19T05:17:21.7700332Z 
2026-06-19T05:17:21.7700434Z ### REQ-HAZARD-REGISTRY-STALE-CLEAN
2026-06-19T05:17:21.7700604Z - Title: Stale registry entries degrade to fallback, never hard-fail (4.3)
2026-06-19T05:17:21.7700689Z - Required stages: impl, unit
2026-06-19T05:17:21.7700722Z 
2026-06-19T05:17:21.7700828Z ### REQ-HAZARD-REGISTRY-CONCURRENT
2026-06-19T05:17:21.7701063Z - Title: Concurrent SQLite openers (registry/spool) must not fail with 'database is locked' (4.7)
2026-06-19T05:17:21.7701164Z - Required stages: impl, unit
2026-06-19T05:17:21.7701193Z 
2026-06-19T05:17:21.7701302Z ### REQ-HAZARD-REGISTRY-DIR-CREATE
2026-06-19T05:17:21.7701655Z - Title: SQLite store opens create their parent dir themselves — a fresh-home registry op must not SQLITE_CANTOPEN (4.9)
2026-06-19T05:17:21.7701865Z - Required stages: doc, impl, unit
2026-06-19T05:17:21.7701894Z 
2026-06-19T05:17:21.7701998Z ### REQ-HAZARD-REGISTRY-EPOCH-LEASE
2026-06-19T05:17:21.7702400Z - Title: Registry merge ordered by per-node monotonic epoch, never wall-clock — a stale Active can't clobber a newer Offline (4.8, red-team #8)
2026-06-19T05:17:21.7702504Z - Required stages: impl, unit
2026-06-19T05:17:21.7702537Z 
2026-06-19T05:17:21.7702637Z ### REQ-HAZARD-DEFERRED-SURVIVE-DRAIN
2026-06-19T05:17:21.7702753Z - Title: Deferred rows survive poll drain (4.4)
2026-06-19T05:17:21.7702847Z - Required stages: impl, unit
2026-06-19T05:17:21.7702875Z 
2026-06-19T05:17:21.7702976Z ### REQ-HAZARD-INBOX-NO-DOUBLE
2026-06-19T05:17:21.7703110Z - Title: No double-delivery via legacy inbox (4.5)
2026-06-19T05:17:21.7703195Z - Required stages: impl, unit
2026-06-19T05:17:21.7703223Z 
2026-06-19T05:17:21.7703322Z ### REQ-HAZARD-WINDOWS-PID-RECYCLE
2026-06-19T05:17:21.7703474Z - Title: Windows PID-recycling false positives guarded (5.1)
2026-06-19T05:17:21.7703573Z - Required stages: impl, unit
2026-06-19T05:17:21.7703601Z 
2026-06-19T05:17:21.7703702Z ### REQ-HAZARD-EBUSY-RENAME
2026-06-19T05:17:21.7703855Z - Title: tmp-write + atomic-rename + retry on Windows EBUSY (5.2)
2026-06-19T05:17:21.7703954Z - Required stages: impl, unit
2026-06-19T05:17:21.7703988Z 
2026-06-19T05:17:21.7704098Z ### REQ-HAZARD-SUBPROCESS-TIMEOUT
2026-06-19T05:17:21.7704231Z - Title: Every harness/git subprocess has a timeout (5.3)
2026-06-19T05:17:21.7704327Z - Required stages: impl, unit
2026-06-19T05:17:21.7704356Z 
2026-06-19T05:17:21.7704451Z ### REQ-HAZARD-UNC-PATH-STRIP
2026-06-19T05:17:21.7704594Z - Title: Strip Windows UNC prefix on serialized paths (5.4)
2026-06-19T05:17:21.7704704Z - Required stages: impl, unit
2026-06-19T05:17:21.7704728Z 
2026-06-19T05:17:21.7704823Z ### REQ-HAZARD-SINGLE-PATH-SOURCE
2026-06-19T05:17:21.7704995Z - Title: Single path/registry source of truth; no layout ambiguity (6.1)
2026-06-19T05:17:21.7705089Z - Required stages: impl, unit
2026-06-19T05:17:21.7705123Z 
2026-06-19T05:17:21.7705223Z ### REQ-HAZARD-SOFT-CLEANUP
2026-06-19T05:17:21.7705395Z - Title: Soft-cleanup preserves state, removes only the ready marker (6.2)
2026-06-19T05:17:21.7705481Z - Required stages: impl, unit
2026-06-19T05:17:21.7705514Z 
2026-06-19T05:17:21.7705615Z ### REQ-HAZARD-CASCADE-WIPE-GUARD
2026-06-19T05:17:21.7705766Z - Title: No hard-delete of a parent hosting non-empty children (6.3)
2026-06-19T05:17:21.7705867Z - Required stages: impl, unit
2026-06-19T05:17:21.7705902Z 
2026-06-19T05:17:21.7706020Z ### REQ-HAZARD-DROP-FILE-SINGLE-WRITER
2026-06-19T05:17:21.7706152Z - Title: Drop files are daemon-owned single-writer (6.4)
2026-06-19T05:17:21.7706339Z - Required stages: impl, unit
2026-06-19T05:17:21.7706372Z 
2026-06-19T05:17:21.7706476Z ### REQ-HAZARD-DIRECT-WRITE-PRECEDENCE
2026-06-19T05:17:21.7706677Z - Title: Direct-write precedence marker (with node id) guards stale overwrite (6.5)
2026-06-19T05:17:21.7706776Z - Required stages: impl, unit
2026-06-19T05:17:21.7706814Z 
2026-06-19T05:17:21.7706921Z ### REQ-HAZARD-CONFLICT-BOTH-PRESERVED
2026-06-19T05:17:21.7707439Z - Title: A surfaced concurrent context pair is durably preserved (both versions, tracked artifacts) until a strictly dominating write clears it; no reconcile failure path discards an unmerged version (6.6, ADR-0013)
2026-06-19T05:17:21.7707531Z - Required stages: impl, unit
2026-06-19T05:17:21.7707565Z 
2026-06-19T05:17:21.7707668Z ### REQ-HAZARD-DETACHED-PIPE-INHERIT
2026-06-19T05:17:21.7708709Z - Title: Windows detached long-lived children must not inherit a captured caller's pipe: every detach-spawn of an immortal child (daemon, shell binary) runs bInheritHandles=FALSE, or a caller capturing output anywhere up the process chain hangs forever on a pipe that never EOFs — std-handle flag stripping is NOT sufficient (grandparent strays still flow) (5.6)
2026-06-19T05:17:21.7708809Z - Required stages: impl, unit
2026-06-19T05:17:21.7708838Z 
2026-06-19T05:17:21.7708938Z ### REQ-HAZARD-CONPTY-DSR
2026-06-19T05:17:21.7709353Z - Title: ConPTY reader must auto-answer DSR (ESC[6n) or all child output stalls (5.5)
2026-06-19T05:17:21.7709439Z - Required stages: impl, unit
2026-06-19T05:17:21.7709473Z 
2026-06-19T05:17:21.7709587Z ### REQ-HAZARD-WIN-PTY-PROGRAM-RESOLVE
2026-06-19T05:17:21.7711359Z - Title: Native-PTY spawn must resolve a bare program name with PATHEXT precedence and run a non-PE target through its interpreter: portable-pty's own `which` takes the FIRST PATH match — an extensionless shebang shim (e.g. a node CLI `ccs` shipped beside `ccs.cmd`) — and CreateProcessW then rejects the non-PE file with os error 193 ('not a valid Win32 application'); spt-term resolves the program itself (PATHEXT order prefers .EXE over .CMD; .cmd/.bat → cmd.exe /d /c, .ps1 → powershell -NoProfile -File) so a bare harness/shell [session.self] command actually launches on Windows. Unix is a passthrough (execve honours the shebang).
2026-06-19T05:17:21.7711477Z - Required stages: doc, impl, unit, int
2026-06-19T05:17:21.7711514Z 
2026-06-19T05:17:21.7711614Z ### REQ-HAZARD-CHILD-CONSOLE-FLASH
2026-06-19T05:17:21.7712006Z - Title: Console-subsystem children of the console-less daemon spawn with CREATE_NO_WINDOW, or each spawn flashes a visible blank window on the user's desktop (5.8)
2026-06-19T05:17:21.7712106Z - Required stages: impl, unit
2026-06-19T05:17:21.7712139Z 
2026-06-19T05:17:21.7712238Z ### REQ-HAZARD-INSTANT-UNDERFLOW
2026-06-19T05:17:21.7712759Z - Title: Scheduling never subtracts a Duration from Instant::now() (underflow-panics on a host booted more recently than the offset); 'due now / never run' is Option<Instant>=None gated on forward duration_since only (5.9)
2026-06-19T05:17:21.7712864Z - Required stages: impl, unit
2026-06-19T05:17:21.7712897Z 
2026-06-19T05:17:21.7712993Z ### REQ-HAZARD-PUMP-IPC-DEADLINE
2026-06-19T05:17:21.7713778Z - Title: The single-threaded peer pump's brain-IPC reads are deadline-bounded (PUMP_PEER_IO_TIMEOUT, total-wait per call); a TimedOut read POISONS the client and escalates to a SUPERVISED RESTART, never a per-peer retry — a black-holed peer must never wedge the whole pump
2026-06-19T05:17:21.7713883Z - Required stages: doc, impl, unit
2026-06-19T05:17:21.7713911Z 
2026-06-19T05:17:21.7714011Z ### REQ-HAZARD-BROKER-QUIC-DEADLINE
2026-06-19T05:17:21.7716932Z - Title: The broker bounds every brain-waiting QUIC op (dial / open_stream / send_stream) so a black-holed or dead peer fails PROMPTLY with an ORDINARY error the broker REPLIES, never an unbounded await. The bound (< the brain's 30s PUMP_PEER_IO_TIMEOUT so the BROKER fires first) surfaces to the pump as a normal broker error reply → peer_outcome's non-TimedOut arm → drop conn + redial next tick, the round CONTINUES and the heartbeat keeps advancing — it must NEVER manifest as the brain's own read-deadline (the A-half poison → supervised-restart path REQ-HAZARD-PUMP-IPC-DEADLINE guards). Exactly-once is preserved: a timed-out journaled op fails INSIDE its apply_once closure so no phantom conn_id/stream_id is recorded and a fresh tick re-dials cleanly. The happy path is unchanged (a live peer completes with zero added latency; the bound only bites a non-responsive peer). This is the ROOT-cause cure for the 2.2h hfenduleam pump wedge — a dead roster peer whose QUIC path the broker awaited unbounded — recurring on hfenduleam 2026-06-16.
2026-06-19T05:17:21.7717185Z - Required stages: doc, impl, unit, int
2026-06-19T05:17:21.7717218Z 
2026-06-19T05:17:21.7717326Z ### REQ-HAZARD-BROKER-SEED-WIRE-SKEW
2026-06-19T05:17:21.7720857Z - Title: A daemon-state wire-format change (e.g. the v0.9.0 adapter-agnostic Seed) does NOT take effect until a DELIBERATE full broker restart: the broker serves the seed-control channel and is RESIDENT across a brain-only self-update (ADR-0004 no-terminate-during-update forbids auto-killing it), so a NEW-version CLI talking to a still-resident OLD broker fails the seed handshake — the old broker cannot deserialize the new Seed (its formerly-required `adapter` field is gone) and drops the conn without an ack, which surfaces to the CLI as a raw UnexpectedEof 'failed to fill whole buffer'. spt-core must (a) surface an ACTIONABLE diagnostic on that seed-ack EOF (name the stale-broker cause + the `spt daemon stop` fix — the broker restarts on the next api call), never the cryptic io error; and (b) document the operational rule (a deliberate broker restart is required on any daemon-state wire change — NOT automatic) + the FORWARD discipline (daemon-state/Seed schema changes stay additive + serde-default so a resident OLD broker tolerates a NEW CLI across a brain-only update; note this would NOT have rescued 0.9.0 itself, since the old broker's `adapter` was a required field). perri PREP-4 FINDING 1 (v0.9.0 CLI vs stale 0.8.x broker).
2026-06-19T05:17:21.7721086Z - Required stages: doc, impl, unit
2026-06-19T05:17:21.7721114Z 
2026-06-19T05:17:21.7721224Z ### REQ-HAZARD-SUDO-SECURE-PATH
2026-06-19T05:17:21.7722055Z - Title: Elevation guidance on Unix names the binary's ABSOLUTE path under sudo (a user-local install ~/.local/bin · ~/.cargo/bin is not on sudo's secure_path, so bare `sudo spt` dies 'command not found'); gated commands auto-elevate on an interactive TTY, else print the runnable hint (5.10)
2026-06-19T05:17:21.7722160Z - Required stages: impl, unit
2026-06-19T05:17:21.7722193Z 
2026-06-19T05:17:21.7722294Z ### REQ-HAZARD-SELF-ELEVATE
2026-06-19T05:17:21.7724386Z - Title: Self-elevation (REQ-ELEVATE-1) re-runs the EXACT original invocation with the binary's ABSOLUTE exe path — never widening privilege scope, never adding/altering args, never via a PATH-resolved bare name, never via a shell-interpolated command string (argv-array only, no `sh -c`); the elevated child drops state back to the user (composes with the 5.7 de-elevation) and NEVER re-elevates (loop-safe: decide_elevation_path returns AlreadyElevated whenever the process is already Elevated, on every OS). The user's UAC/polkit/sudo prompt is the only consent gate — we never bypass it; the print-hint floor prints the absolute-path command too. The unprivileged parent never depends on (pipes/captures) the privileged child's stdout.
2026-06-19T05:17:21.7724496Z - Required stages: unit
2026-06-19T05:17:21.7724524Z 
2026-06-19T05:17:21.7724622Z ### REQ-HAZARD-LOCAL-API-AUTH
2026-06-19T05:17:21.7724823Z - Title: Every local `api` mutation authenticated to an endpoint/session (codex #13)
2026-06-19T05:17:21.7724923Z - Required stages: impl, unit
2026-06-19T05:17:21.7724951Z 
2026-06-19T05:17:21.7725060Z ### REQ-HAZARD-RESTART-IDEMPOTENT
2026-06-19T05:17:21.7725294Z - Title: Idempotent/exactly-once delivery across brain restart at every broker boundary (codex #14)
2026-06-19T05:17:21.7725399Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7725533Z 
2026-06-19T05:17:21.7725642Z ### REQ-HAZARD-UPDATE-ROLLBACK
2026-06-19T05:17:21.7725867Z - Title: Self-update rejects version rollback; metadata expiry + adapter content signing (codex #5)
2026-06-19T05:17:21.7725966Z - Required stages: impl, unit
2026-06-19T05:17:21.7725995Z 
2026-06-19T05:17:21.7726106Z ### REQ-HAZARD-DAEMON-HOSTED-LIVENESS
2026-06-19T05:17:21.7726496Z - Title: Daemon-hosted perches (Psyche, spt-hosted Self) derive liveness from the daemon endpoint table + info.json status, never is_process_alive(info.pid) (2.5)
2026-06-19T05:17:21.7726601Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7726629Z 
2026-06-19T05:17:21.7726736Z ### REQ-HAZARD-BROKER-PROCESS-ISOLATION
2026-06-19T05:17:21.7729324Z - Title: Broker and brain are separate processes: the broker runs as its own long-lived per-machine process that survives every brain restart, so a routine (brain-only) self-update restarts the brain onto the swapped binary while every hosted endpoint (PTY child, live QUIC conn, listening socket) stays untouched at the PROCESS level. The in-process-thread broker (daemon.rs:165-170) is a regression that silently unrealizes REQ-UPD-3 — apply degrades to an in-process Brain::handoff no-op and new code does not run until an unrelated restart (KNOWN-HAZARDS 6.7). Evidence must prove process-level survival (SPIKE-01/03 productionized as int: PTY child + live QUIC survive a brain-PROCESS restart onto a swapped binary), re-pointing the regression-masked in-process int tags currently on REQ-DAEMON-2 / REQ-UPD-3 (ADR-0018).
2026-06-19T05:17:21.7729545Z - Required stages: doc, impl, unit, int
2026-06-19T05:17:21.7729579Z 
2026-06-19T05:17:21.7729684Z ### REQ-HAZARD-ROLLBACK-STATE-COMPAT
2026-06-19T05:17:21.7731284Z - Title: A brain must not irreversibly migrate durable state before update ready-promotion: the readiness-gated auto-rollback (ADR-0018 Q7) spawns the N-1 binary against durable state the new brain may have written, so every pre-ready write must stay N-1-readable (schema migrations gated behind ready-promotion, or written N-1-tolerant/additive). Else the first in-place schema migration silently bricks rollback (KNOWN-HAZARDS 6.8). Free now — a 2026-06-09 audit confirmed zero state-migration code exists; unmintable retroactively once a migration ships.
2026-06-19T05:17:21.7731398Z - Required stages: doc, impl, unit
2026-06-19T05:17:21.7731436Z 
2026-06-19T05:17:21.7731537Z ### REQ-HAZARD-BRAIN-RESPAWN-PATH
2026-06-19T05:17:21.7733879Z - Title: The broker respawns the brain onto the APPLIED bytes, not the renamed old binary: the candidate-binary default is the canonical exe path captured ONCE at broker start, never a per-spawn std::env::current_exe() — on Linux current_exe (readlink /proc/self/exe) is inode-tracking and follows the `apply` rename (spt -> spt.old-N), so a resident broker would respawn the brain onto OLD bytes while recording `applied` (Windows GetModuleFileName is path-at-start, so Windows was green; ADR-0018 Q3 silently assumed path-string semantics). Backstop: promotion gates on bytes — a trial promotes only if brain.ready exe_hash == the staged artifact hash for this platform, else auto-rollback + loud notif (readiness != new-bytes was the false-success that recorded applied:8 over a v0.4.0 brain on kitsubito, 2026-06-11). KNOWN-HAZARDS 6.11.
2026-06-19T05:17:21.7733993Z - Required stages: doc, impl, unit, int
2026-06-19T05:17:21.7734031Z 
2026-06-19T05:17:21.7734137Z ### REQ-HAZARD-PSYCHE-OUTBOUND-PROXY
2026-06-19T05:17:21.7734865Z - Title: Psyche outbound captured + sanitized: the live-Psyche turn driver captures stdout (never Stdio::null), and the daemon strips/re-stamps Psyche-supplied from=/target and constrains routing (reply→__REPLY_TO__ sender, notify→own user/subnet) (7.3)
2026-06-19T05:17:21.7734955Z - Required stages: impl, unit
2026-06-19T05:17:21.7734979Z 
2026-06-19T05:17:21.7735085Z ### REQ-HAZARD-DAEMON-SCHED-NONBLOCKING
2026-06-19T05:17:21.7735673Z - Title: Per-agent pulse/psyche/echo-commune scheduling must not serialize across agents: each agent's bounded LLM call (echo-commune summarizer, Psyche turn) runs off the shared scheduler so one slow/hung call cannot stall another agent's tick (7.4)
2026-06-19T05:17:21.7735883Z - Required stages: impl, unit
2026-06-19T05:17:21.7735911Z 
2026-06-19T05:17:21.7736013Z ### REQ-HAZARD-PAIR-TRANSCRIPT-BIND
2026-06-19T05:17:21.7736652Z - Title: Pairing transcript binds roles, both node pubkeys, subnet ID, seed epoch, TOTP time-step, and confirmation MACs — or unknown-key-share/reflection/wrong-subnet/replay pairing remain possible (ADR-0005 #12)
2026-06-19T05:17:21.7736751Z - Required stages: impl, unit
2026-06-19T05:17:21.7736784Z 
2026-06-19T05:17:21.7736884Z ### REQ-HAZARD-PAIR-SEED-ROTATION
2026-06-19T05:17:21.7737385Z - Title: Removing a node rotates the subnet seed (epoch bump) so an old node/old seed cannot rejoin; trust-store delete alone is NOT revocation because the seed is replicated to every trusted node (ADR-0005 #10)
2026-06-19T05:17:21.7737476Z - Required stages: impl, unit
2026-06-19T05:17:21.7737514Z 
2026-06-19T05:17:21.7737611Z ### REQ-HAZARD-PAIR-RATE-LIMIT
2026-06-19T05:17:21.7738443Z - Title: Subnet-global pairing rate limit: one active ceremony per subnet, shared attempt counter, exponential backoff — a public pre-trust relay + multiple seed-holders otherwise enables distributed SPAKE2 guessing (and ±1 TOTP window triples the valid-password space) (ADR-0005 #11)
2026-06-19T05:17:21.7738620Z - Required stages: impl, unit
2026-06-19T05:17:21.7738653Z 
2026-06-19T05:17:21.7738752Z ### REQ-HAZARD-WAN-ORIGIN-AUTH
2026-06-19T05:17:21.7739578Z - Title: WAN-inbound origin is transport truth, never payload: the access gate's subject (ADR-0009 origin-node whitelist) is the QUIC handshake-proven remote node id from the broker's conn/stream table — a forged origin/node field inside record bytes is inert (7.5)
2026-06-19T05:17:21.7739682Z - Required stages: doc, impl, unit
2026-06-19T05:17:21.7739716Z 
2026-06-19T05:17:21.7739797Z ### REQ-CONSENT-1
2026-06-19T05:17:21.7740638Z - Title: Consent grant store: capability x subject-agent x target-node rows, enforced at the target node, subnet-settable (replicates as security material near the trust store), revocable; gated-capability ids (remote-exec, instantiate-anywhere) reserved-but-refusing; v1 consumers are the shell spawn gates (CONTEXT Consent & security gates)
2026-06-19T05:17:21.7740752Z - Required stages: impl, unit
2026-06-19T05:17:21.7740785Z 
2026-06-19T05:17:21.7740872Z ### REQ-CONSENT-2
2026-06-19T05:17:21.7741634Z - Title: Interactive consent escalation: an ungated high-risk action routes a consent prompt to the user's most-recently-active session; allow-once / allow-always (writes a grant) / deny; pre-consent flags (can_shutdown, shell_wake_spawn_anywhere) author grants via manifest/settings (CONTEXT Consent & security gates)
2026-06-19T05:17:21.7741734Z - Required stages: impl, unit
2026-06-19T05:17:21.7741764Z 
2026-06-19T05:17:21.7741858Z ### REQ-PRES-1
2026-06-19T05:17:21.7743116Z - Title: Presence resolution: the presence datum (last_active_node, last_active_endpoint, ts) gossiped subnet-wide via the agent-interaction heartbeat (rides registry distribution, visibility-gated) + one first-class most-recently-active resolution API consumed by notif first-fire, update-consent delivery, consent escalation, and shell wake resolution (M5 scope decision 1: resolution only — the PresenceChannel endpoint stays deferred)
2026-06-19T05:17:21.7743233Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7743261Z 
2026-06-19T05:17:21.7743352Z ### REQ-SHELL-1
2026-06-19T05:17:21.7744181Z - Title: Shell hosting machinery: shell perch under the owner (type/owner/adapter_name/status/alias), broker-launched binary + api bind local-link handshake, the three channels (command durable, text+file durable + progress-queryable, sensory REST-only never spooled + dropped-unless-owner-live), owner exclusivity (CONTEXT Shell model)
2026-06-19T05:17:21.7744282Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7744316Z 
2026-06-19T05:17:21.7744392Z ### REQ-SHELL-2
2026-06-19T05:17:21.7745875Z - Title: Shell sleep/wake: link-break always closes the binary (pre-close instruction + termination timeout), ephemeral teardown vs persistent offline/relink, wake_command wake-watcher (offline-only, exit-opcode supervision, exponential backoff + give-up), state-keyed wake resolution (dormant/suspended/active-elsewhere; no-reachable refuses — spawn-anywhere branch deferred), spt shutdown owner cascade + api owner-shutdown gated by can_shutdown (CONTEXT Shell sleep/wake)
2026-06-19T05:17:21.7745991Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7746025Z 
2026-06-19T05:17:21.7746123Z ### REQ-HAZARD-ELEVATED-DAEMON-SPAWN
2026-06-19T05:17:21.7747397Z - Title: The daemon always runs unelevated in the invoking user's universe, regardless of which command spawns it: an elevated spawner de-elevates (Windows: UAC linked token via CreateProcessWithTokenW; Linux: drop to SUDO_UID/SUDO_GID + the invoker's HOME) — an elevated daemon's pipes deny unelevated clients (every later spt reads not-running→spawn→bind Access-denied) and a sudo'd daemon roots the user's state universe (5.7)
2026-06-19T05:17:21.7747507Z - Required stages: doc, impl, unit
2026-06-19T05:17:21.7747541Z 
2026-06-19T05:17:21.7747635Z ### REQ-HAZARD-REGISTRY-GHOST-ROWS
2026-06-19T05:17:21.7748860Z - Title: A dead node identity's registry rows must decay: only the per-(endpoint,node) epoch lease supersedes rows, so without eviction a vanished node's rows are immortal and poison bare-id resolution with phantom AcrossNodes ambiguity — evict rows whose author node has not been heard (admitted inbound feed) within the eviction window; own rows never decay; a revived node re-inserts from its durable epoch within one pump cadence (4.10)
2026-06-19T05:17:21.7749180Z - Required stages: doc, impl, unit
2026-06-19T05:17:21.7749213Z 
2026-06-19T05:17:21.7749312Z ### REQ-CLI-1
2026-06-19T05:17:21.7750323Z - Title: spt endpoint noun namespace: absorbs fork/suspend/wake/shutdown/rename/stop/digest + access (ported 1:1: allow|revoke|open|list, decision 21) + description (ex-resources blurb; bare=show, set=author); merged endpoint list [--local|--subnet <name>] grouped by subnet with SELF pinned, --detail adding the ex-resources yellow-pages blurb projection; bare spt endpoint = the list (M8 decisions 1-2, 25)
2026-06-19T05:17:21.7750425Z - Required stages: impl, unit
2026-06-19T05:17:21.7750463Z 
2026-06-19T05:17:21.7750543Z ### REQ-CLI-2
2026-06-19T05:17:21.7751198Z - Title: spt daemon noun: run|stop|status (hidden daemon verb becomes daemon run; agent-endpoint shutdown keeps its name under endpoint); daemon status renders the pump heartbeat (last-tick recency) so a half-dead daemon is never rendered implied-healthy (M8 decisions 5, 23)
2026-06-19T05:17:21.7751292Z - Required stages: impl, unit
2026-06-19T05:17:21.7751321Z 
2026-06-19T05:17:21.7751408Z ### REQ-CLI-3
2026-06-19T05:17:21.7752090Z - Title: Agent hot path stays flat across the M8 reorg: send/ring/ready/whoami/how-to unchanged; notify moves to subnet notify while notif stays top-level; breaking renames land clean with no deprecation shims (zero external CLI consumers pre-spt-claude-code) (M8 decisions 3-4, 9)
2026-06-19T05:17:21.7752289Z - Required stages: impl, unit
2026-06-19T05:17:21.7752324Z 
2026-06-19T05:17:21.7752400Z ### REQ-CLI-4
2026-06-19T05:17:21.7754394Z - Title: User-facing CLI output is human-readable: DIRECT-USER commands (e.g. adapter update/list/use) render friendly prose instead of raw CODE:RESULT markers — "claude-spt is up to date (0.2.0)." not "ADAPTER_UPDATE_UPTODATE:claude-spt: installed 0.2.0, latest 0.2.0". Strictly bounded to the direct-user surface: the adapter-PARSED bringup tokens (SEEDED/BOUND/READY/NO_SEED on seed/listen, which adapters grep) stay machine-parseable — humanization is additive (a human line beside the marker, or a --porcelain/--quiet split), never a silent rename of a dual-contract marker. The user-facing bringup composition belongs to the adapter (perri); this REQ owns only the direct-user CLI surface. (v0.9.0)
2026-06-19T05:17:21.7754498Z - Required stages: 
2026-06-19T05:17:21.7754537Z 
2026-06-19T05:17:21.7754624Z ### REQ-SUBNET-5
2026-06-19T05:17:21.7755680Z - Title: Per-subnet serve-state: spt subnet detach <NAME> [--save] / attach <NAME> [--save] — daemon keeps running, stops/starts advertising + connecting for that subnet (peer pump + responder selective); --save persists the startup default in daemon config; the all-attached banner gains per-subnet states (M8 decision 6, --save renamed from --auto per decision 25 session)
2026-06-19T05:17:21.7755786Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7755821Z 
2026-06-19T05:17:21.7755906Z ### REQ-SUBNET-6
2026-06-19T05:17:21.7756560Z - Title: Trust lifecycle verbs, elevation-gated: spt subnet leave <NAME> (membership exit) and spt subnet prune <node> (removes a dead identity's trust + registry rows, killing its dead dials; trust mutation = security surface, REQ-PAIR-6 gate machinery) (M8 decisions 6-7)
2026-06-19T05:17:21.7756655Z - Required stages: impl, unit
2026-06-19T05:17:21.7756703Z 
2026-06-19T05:17:21.7756789Z ### REQ-SUBNET-7
2026-06-19T05:17:21.7758343Z - Title: Per-machine re-pair trust overwrite: registry rows carry a hashed stable machine identifier (OS machine id /etc/machine-id|MachineGuid, domain-separated SHA-256 before gossip, spt-minted persisted UUID fallback; additive serde-default field — old rows parse clean); a COMPLETED pairing ceremony presenting the same node label AND machine id as an existing trusted row evicts the superseded identity's trust + registry rows on the seed-holder and replicates the eviction; a gossiped claim alone never evicts trust (M8 decisions 13, 22)
2026-06-19T05:17:21.7758538Z - Required stages: impl, unit
2026-06-19T05:17:21.7758572Z 
2026-06-19T05:17:21.7758653Z ### REQ-SUBNET-8
2026-06-19T05:17:21.7759778Z - Title: Status render honesty: zero-subnet text is daemon-aware ('No subnets registered — this node is standalone.' + daemon-running-dependent blurb, never implying messaging works while the daemon is down); hint footer prints on bare spt subnet only (status drops it); a stalled pump is surfaced in subnet status, never rendered implied-healthy (M8 decisions 11-12, 23)
2026-06-19T05:17:21.7759887Z - Required stages: impl, unit
2026-06-19T05:17:21.7759916Z 
2026-06-19T05:17:21.7759997Z ### REQ-INSTALL-6
2026-06-19T05:17:21.7761122Z - Title: Linux elevation install leg: install.sh symlinks the binary into a sudo-reachable path (/usr/local/bin; graceful print-the-one-liner when unelevated) so sudo spt resolves; first sudo spt detects elevation and prompts ONCE for the default user account — thereafter any elevated daemon launch runs daemon + state under that account, never root (KH 5.7 interplay verified) (M8 decision 8)
2026-06-19T05:17:21.7761226Z - Required stages: impl, unit
2026-06-19T05:17:21.7761259Z 
2026-06-19T05:17:21.7761345Z ### REQ-INSTALL-7
2026-06-19T05:17:21.7762397Z - Title: Windows inbound reachability: the elevated install leg registers the inbound-UDP firewall rule (New-NetFirewallRule); the daemon self-detects blocked inbound and renders it as the no-connection state in subnet status + the coming-online banner (covers user-scope installs that skip the elevated leg — never a silent NO_SEED_HOLDER dead-end) (M8 root cause 3)
2026-06-19T05:17:21.7762593Z - Required stages: impl
2026-06-19T05:17:21.7762626Z 
2026-06-19T05:17:21.7762721Z ### REQ-INSTALL-8
2026-06-19T05:17:21.7763708Z - Title: OS-service registration (REQ-INSTALL-1's deferred third leg): Linux systemd USER service + loginctl enable-linger (linger rides the elevated install leg; daemon starts at boot pre-login, user universe per KH 5.7, systemctl --user managed); Windows scheduled task at-logon (interactive session, no stored credentials); a node is reachable after reboot without any manual spt invocation (M8 decision 17)
2026-06-19T05:17:21.7763809Z - Required stages: impl
2026-06-19T05:17:21.7763838Z 
2026-06-19T05:17:21.7763923Z ### REQ-CONV-1
2026-06-19T05:17:21.7765250Z - Title: Peer address seeding, both cold starts: durable peer-addrs.json (identity dir) maps peer pubkey → last-known dialable address; the pump's resolver consults it FIRST with id-only discovery fallback on miss or dial failure (a stale addr never strands a peer); written by the pairing ceremony (both sides, from the live connection) and by the pump on successful connect; post-join first sync and post-restart resync converge in seconds, not ~1 min (M8 decisions 14, 20)
2026-06-19T05:17:21.7765358Z - Required stages: impl, unit
2026-06-19T05:17:21.7765393Z 
2026-06-19T05:17:21.7765474Z ### REQ-CONV-2
2026-06-19T05:17:21.7766504Z - Title: Event-driven advertisement: endpoint online/offline transitions (ready-listener start/stop, rest-state transition, perch death) trigger an immediate advertise_local + peer push as a WAKE of the existing pump loop (no second advertisement path — epoch lease + visibility gates ride unchanged); the cadence stays the steady-state floor (M8 decision 15)
2026-06-19T05:17:21.7766603Z - Required stages: impl, unit
2026-06-19T05:17:21.7766636Z 
2026-06-19T05:17:21.7766731Z ### REQ-PAIR-8
2026-06-19T05:17:21.7767925Z - Title: NTP TOTP offset: the pairing ceremony queries NTP at ceremony time (both sides) and applies the derived offset to the TOTP calculation in-process only; system-clock fallback when NTP is unreachable (offline LAN pairing unaffected — NTP failure never blocks a pairing that succeeds today); never sets the OS clock; no background sync loop (M8 decision 18; field trigger: enlyzeam clock >1 min off exceeds the ±1 window)
2026-06-19T05:17:21.7768135Z - Required stages: impl, unit
2026-06-19T05:17:21.7768169Z 
2026-06-19T05:17:21.7768260Z ### REQ-DAEMON-5
2026-06-19T05:17:21.7769545Z - Title: Pump liveness: the peer pump writes a last-tick heartbeat consumed by daemon status / subnet status (decision 23 render legs in REQ-CLI-2/REQ-SUBNET-8); the daemon supervises the pump task — a panic is caught, logged loudly, and the pump restarts with capped backoff (≤5 min), so a 5.9-class death self-heals visibly instead of silently halving the daemon (M8 decision 23; field motivation: hfenduleam 2026-06-07 half-death)
2026-06-19T05:17:21.7769652Z - Required stages: impl, unit
2026-06-19T05:17:21.7769685Z 
2026-06-19T05:17:21.7769775Z ### REQ-DAEMON-6
2026-06-19T05:17:21.7771625Z - Title: Service-aware `daemon start`/`stop`: when an OS service manager has a registered spt-daemon for this user, `spt daemon start` and `spt daemon stop` drive THAT service (so stop doesn't IPC-kill a unit that auto-restart-fights for the broker socket — the kitsubito 2026-06-08 loop). `start` graduates from a `run` alias to a first-class background verb (ensure-up, idempotent, non-blocking); stop routes managed→manager, manual→IPC. Linux=systemd user unit (`systemctl --user start|stop|is-active spt-daemon`, detected by unit-file presence); Windows=no controllable manager (the logon task is boot-only), so start=detached spawn / stop=IPC.
2026-06-19T05:17:21.7771743Z - Required stages: impl, unit
2026-06-19T05:17:21.7771772Z 
2026-06-19T05:17:21.7771863Z ### REQ-DAEMON-7
2026-06-19T05:17:21.7773181Z - Title: `daemon run` is foreground-consistent on every platform: the invoking process IS the daemon, blocks until signalled, never auto-detaches or respawns into an invisible background task. The detached/de-elevated background behavior lives ONLY in `start`. Windows: an ELEVATED `daemon run` refuses with guidance (use `start`, or an unelevated shell) instead of respawning detached/de-elevated and vanishing (KH 5.7 preserved — it still never serves elevated).
2026-06-19T05:17:21.7773386Z - Required stages: impl, unit
2026-06-19T05:17:21.7773420Z 
2026-06-19T05:17:21.7773510Z ### REQ-DAEMON-8
2026-06-19T05:17:21.7774403Z - Title: Internal auto-start prefers the service: `ensure_running` (any spt command's implicit daemon start, REQ-DAEMON-3) routes through the service-aware start path — when a manager has a registered service it starts THAT, never a competing manual `spawn_detached` daemon that would fight the service for the socket.
2026-06-19T05:17:21.7774511Z - Required stages: impl, unit
2026-06-19T05:17:21.7774549Z 
2026-06-19T05:17:21.7774629Z ### REQ-DAEMON-9
2026-06-19T05:17:21.7776840Z - Title: Net-bind boot-race resilience: a daemon that comes up net-less (NetHost::start failed — e.g. the systemd unit autostarted before the network/DNS stack was ready, `Failed to create an address lookup service`) must SELF-HEAL — retry the net bring-up in the background with capped backoff and, on success, attach net to the broker + spawn the dispatcher/peer-pump (which today are gated on `net_up` at boot and so never start, leaving the node silently unreachable until a manual restart — kitsubito 2026-06-08). Status surfaces the net-less state honestly (a net-less broker renders as 'no connection', not only a pump-STALLED line with a bogus pre-boot heartbeat age). The installer's autostart unit waits for the network (`Wants=/After=network-online.target`) as belt-and-suspenders.
2026-06-19T05:17:21.7776951Z - Required stages: impl, unit
2026-06-19T05:17:21.7776979Z 
2026-06-19T05:17:21.7777092Z ### REQ-HAZARD-LIVEHOST-BOOT-RACE
2026-06-19T05:17:21.7780627Z - Title: The brain's daemon-hosted Psyche lifecycle surfaces a host-FAILURE on the live perch (harness-diagnosable) and runs net-INDEPENDENTLY. When reconcile_once→host_one→spawn_psyche fails for a state=live_agent+status=online endpoint (e.g. the adapter's psyche binary absent from its install dir, REQ-INSTALL-11), the failure MUST be written to the perch info.json as a CURRENT-STATE field (reason + ts + attempt count; overwritten each 5s retry, CLEARED on successful host) and surfaced by `spt endpoint list`/status — never left as an eprintln on the brain's invisible stderr where a harness reading only perch state is blind. status=online stays authoritative (agent reachable; only the Psyche is missing — brain-restart rehydrate legitimately has online-without-Psyche windows), so this is a SEPARATE psyche-host-health field, never a status de-stamp. Net-independence is a locked-in invariant: spawn_live_host (brainproc.rs:230) reaches the reconcile and hosts the Psyche on a net-less/unpaired/peer-pump-STALLED node, proven by a REAL detached-daemon E2E (real broker→brain-child, real api seed+listen, real install-dir psyche binary). spt-core SURFACES the failure; the adapter owns fixing its packaging.
2026-06-19T05:17:21.7780860Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7780898Z 
2026-06-19T05:17:21.7781002Z ### REQ-HAZARD-TEMPLATE-ARGV-FILL
2026-06-19T05:17:21.7784668Z - Title: Command-template substitution fills argv ELEMENTS, not a re-tokenized string: spt-core currently `fill_template`s {key} values INTO the command STRING and THEN `tokenize`s the filled string (runtime.rs:94/122), so a multi-word {key} value whitespace-SPLITS into multiple argv tokens unless the adapter hand-quotes the placeholder, and a value containing a `"` (or `;`) injects/breaks tokenization (shell-injection-adjacent). A filled value MUST become exactly ONE argv element regardless of spaces/quotes in the value. Fix: tokenize the TEMPLATE into argv FIRST, then `fill_template` EACH token, so a `{key}` slot resolves to a single element and the value never participates in tokenization (no whitespace-split, no quote/semicolon injection); preserve the missing-key / empty-command errors and `{{`/`}}` non-interpretation. perri's F-009 (v0.8.1 dogfood, argv-capture-confirmed): a multi-word `{psyche_prompt}` = "PSYCHE REVIVAL time: epoch-ms:… incoming event: (none)" arrived as argv[6..12] (7 stray tokens), the harness runner strict-parsed `--prompt` against the 2nd word, exited 2 within ~1s → phantom hosted perch. Applies to EVERY [session.<role>] template (psyche_init, extractor, notif, …); digest survives today only because its fills ({session_id}/{source}) are single-token.
2026-06-19T05:17:21.7784890Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7784920Z 
2026-06-19T05:17:21.7785025Z ### REQ-HAZARD-LIVEHOST-NONRESIDENT
2026-06-19T05:17:21.7788202Z - Title: A daemon-hosted Psyche that spawns then EXITS IMMEDIATELY is a host failure, surfaced like a spawn failure (closes the v0.8.1 residual masking): the REQ-HAZARD-LIVEHOST-BOOT-RACE signal stamps `psyche_host_error` only when `spawn_psyche` returns Err, NOT when the detached spawn() returns Ok but the child dies within moments (e.g. a bad-argv child exiting 2 — the F-009 case). That leaves the residual 'online + no Psyche + no cause' gap: the nested `{id}-psyche` info.json is written status=online with a real-but-DEAD pid and the PARENT perch carries NO psyche_host_error (perri's F-010: tasklist showed 0 host procs across the window while info.json read online). The host MUST confirm RESIDENCY — a hosted child not alive (or whose `{id}-psyche` perch never re-registers / has a dead pid) within N seconds of spawn is treated as a host failure: stamp the parent perch `psyche_host_error{reason:"host not resident within <n>s (psyche perch missing/dead pid)"}` (and do not leave a phantom online nested perch). Closes the last masking gap the v0.8.1 fix left open. perri's F-010 (v0.8.1 dogfood). Sibling of REQ-HAZARD-LIVEHOST-BOOT-RACE.
2026-06-19T05:17:21.7788312Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7788345Z 
2026-06-19T05:17:21.7788450Z ### REQ-HAZARD-EPOCH-RESET
2026-06-19T05:17:21.7789772Z - Title: Advertisement-epoch reset strands a node: peers' higher last-seen epoch drops the reset node's fresh advertisements as Stale until the counter outruns history. Common case (full reinstall/re-pair) is mitigated by REQ-SUBNET-7's ceremony eviction (peer-side epoch memory dies with the deleted row — acceptance-verified); the residual narrow slice (epoch file lost, identity kept) is documented, guard deferred to a field hit (4.11)
2026-06-19T05:17:21.7789971Z - Required stages: 
2026-06-19T05:17:21.7790000Z 
2026-06-19T05:17:21.7790082Z ### REQ-MESH-1
2026-06-19T05:17:21.7792106Z - Title: Membership proof (seed-proof): symmetric current-epoch seed-knowledge replaces is_trusted at EVERY inbound gate (registry apply, WAN receive, sync, notif, connection accept). MK = HKDF(seed, domain ‖ subnet_id ‖ seed_epoch); mutual channel-bound challenge-response at connect (transcript binds both handshake-proven node pubkeys, both nonces, subnet_id, seed_epoch, role); verified once per connection, cached on the broker ConnEntry, kept warm via QUIC keep-alive so re-proof is restart/partition/rotation-only. Exact-epoch match (re-seed is the sole N-1 exception). SECURITY INVARIANTS: channel-bound (no cross-connection replay), mutual, accepts a member it never paired (the mesh property).
2026-06-19T05:17:21.7792220Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7792249Z 
2026-06-19T05:17:21.7792331Z ### REQ-MESH-2
2026-06-19T05:17:21.7794821Z - Title: Member roster: node-level union-merge grow-set (per member: pubkey, label, machine_id, last-known address, last-seen — NOT the seed), the discovery directory the mesh dials by. Seeded IN FULL at pairing (seed-holder hands joiner the whole current roster, incl. offline members — folds in deferred pairing-time hostname capture + post-join address seeding); each node authors its own entry stamped with its lease_epoch, merged strictly-greater-wins (the node_label lease); exchanged only over seed-proof'd member connections; forgery-inert (a fake entry names a pubkey that still can't seed-proof). Removal needs a TOMBSTONE — a per-pubkey revoked marker that propagates, dominates the entry, gates admission (seed-proof ∧ ¬tombstoned), and prevents reinsert; cleared by a completed re-pair of that pubkey. Persists through silence (offline member keeps its entry).
2026-06-19T05:17:21.7795025Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7795059Z 
2026-06-19T05:17:21.7795150Z ### REQ-MESH-3
2026-06-19T05:17:21.7796738Z - Title: Mesh row fan-out: registry rows stay OWN-AUTHORED; the only change is the push target widens from directly-paired peers to ALL roster members (a wider DIRECT fan-out, never a third-party relay). Every row/message still arrives from its author over a handshake → KNOWN-HAZARDS 7.5 (origin = handshake node) and 4.10 (eviction lease: any future update comes from that node itself, alive) PRESERVED VERBATIM. Closes the staggered A→B→C repro: C (roster-seeded with A at pairing) initiates to A, seed-proof admits C unpaired, A learns C, both push directly.
2026-06-19T05:17:21.7796845Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7796873Z 
2026-06-19T05:17:21.7796954Z ### REQ-MESH-4
2026-06-19T05:17:21.7799140Z - Title: Revoke + timeboxed seed rotation + re-seed grace: `spt subnet revoke <node>...` (list, elevation-gated, revoke-only) writes roster tombstones immediately, then schedules ONE seed rotation (re-mint seed, bump seed_epoch, push new seed CONFIDENTIALLY over member-auth'd TLS connections — never in roster/registry gossip — force-drop revokees) at the close of a coalescing window (default 1h); further revokes in the window join the same rotation (one epoch bump). `--force-rotate-seed` rotates immediately (compromised-node path). RE-SEED GRACE: a node proving the immediately-prior epoch (N-1) AND still on the roster gets a re-seed-only restricted connection (auto-heals a benign offliner); revoked/off-roster denied; ≥2 stale → re-pair.
2026-06-19T05:17:21.7799253Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7799291Z 
2026-06-19T05:17:21.7799369Z ### REQ-MESH-5
2026-06-19T05:17:21.7800699Z - Title: Hard cutover from pairwise trust: delete peers.json + the is_trusted authorization path (no migration — expendable test fleet, re-pairs fresh under the new model, user decision 2026-06-08). Warn-on-change DEMOTED from a gate to an awareness notice anchored on machine_id (not label): 'machine M, last seen as K1, now presents K2' — fires the same event as the REQ-SUBNET-7 re-pair overwrite. The TrustStore/peers.json code and its call sites are removed, not left dead.
2026-06-19T05:17:21.7800904Z - Required stages: impl, unit
2026-06-19T05:17:21.7800938Z 
2026-06-19T05:17:21.7801014Z ### REQ-MESH-6
2026-06-19T05:17:21.7802180Z - Title: Concurrent liveness probes: `spt subnet status --nodes` fans out its offline/serve-probes (REQ-SUBNET-5) CONCURRENTLY — total wall-time bounded by the single-probe ceiling (~3s), never k×ceiling. The mesh makes a node see ALL members (many possibly offline), so a serial probe loop would be offline_count×3s. (Planning verifies the current REQ-SUBNET-5 probe loop's behavior and fixes it if serial.)
2026-06-19T05:17:21.7802286Z - Required stages: impl, unit
2026-06-19T05:17:21.7802319Z 
2026-06-19T05:17:21.7802405Z ### REQ-SHELL-3
2026-06-19T05:17:21.7804141Z - Title: Drive channel (owner->shell, REST-only, never-spooled, latest-wins): the owner->shell mirror of sensory for continuous real-time control (scroll/crank/stick/avatar) — a [shell.drive] manifest vocab + EVENT_TYPE_DRIVE frame, delivered to the ONLINE binary only via a single live slot (a new frame supersedes an undelivered one — no spool, no queue, no replay on relink), dropped-with-diagnostic if the shell is offline; cross-node rides the ephemeral link (REST class), never the durable shell spool. Commands = discrete+durable; drive = continuous+ephemeral (CONTEXT:260, minted 2026-06-11 Gateway grill).
2026-06-19T05:17:21.7804337Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7804374Z 
2026-06-19T05:17:21.7804456Z ### REQ-SHELL-4
2026-06-19T05:17:21.7806168Z - Title: Shell tunnel (reliable-ordered opaque byte stream): an owner<->shell link may hold a long-lived, reliable-ordered, link-bound QUIC stream pair carrying opaque wire protocol traffic the channel taxonomy must NOT reinterpret (first consumer usbip URB) — manifest opt-in, not enveloped, not MAC-framed, not spooled; the link lifecycle governs it (a link-break closes the tunnel). Reliable-ordered ⇒ congestion surfaces as lag never loss ⇒ acceptable only on-LAN: the on-LAN posture is documented and the tunnel is NOT proven cross-WAN (CONTEXT:262, minted 2026-06-11 Gateway grill; doyle gate C2).
2026-06-19T05:17:21.7806291Z - Required stages: doc, impl, unit, int
2026-06-19T05:17:21.7806324Z 
2026-06-19T05:17:21.7806410Z ### REQ-CONSENT-3
2026-06-19T05:17:21.7808181Z - Title: Per-capability approval gates (class-keyed): the require_approval enum may ride INDIVIDUAL [shell.capabilities] entries — gating the dangerous ACT, not just the spawn — with an optional class_key scoping the grant qualifier finer than the capability id ((owner endpoint x device class x node); a remembered HID-class attach grant never authorizes a storage-class attach). Reuses the grant store + interactive escalation + tighten-only floor (REQ-CONSENT-1/2 plumbing). Spawn gates govern EXISTENCE; capability gates govern ACTS — an explicitly distinct invariant (CONTEXT:283, ratified 2026-06-11 Gateway grill).
2026-06-19T05:17:21.7808301Z - Required stages: doc, impl, unit, int
2026-06-19T05:17:21.7808330Z 
2026-06-19T05:17:21.7808411Z ### REQ-SHELL-5
2026-06-19T05:17:21.7809652Z - Title: Shell ownership is owner-type-agnostic: any non-Shell endpoint type may own/spawn/drive/command/link a shell (Gateway the named first) — control-exclusivity keys on the owner endpoint_id, NEVER on the owner's endpoint type. No ownership path (mint, launch, owner-from-link, cmd, drive, tunnel, sleep/wake, owner-shutdown) inspects the owner's type (CONTEXT:264, ratified 2026-06-11 Gateway grill).
2026-06-19T05:17:21.7809766Z - Required stages: doc, impl, unit, int
2026-06-19T05:17:21.7809794Z 
2026-06-19T05:17:21.7809890Z ### REQ-HAZARD-VIEWER-CLOSE-DETACH
2026-06-19T05:17:21.7819594Z - Title: A VIEW is independent from the endpoint: closing the tab/window where `spt endpoint run` was invoked must detach ONLY the `spt rc` attach pump — the daemon-hosted harness keeps running and stays re-attachable via `spt rc <id>`. ROOT (Windows, v0.12.0 real-harness defect): the daemon never breaks away from the launching terminal's Job Object. Windows Terminal / VS Code place the launched shell AND every descendant into a Job Object with JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE; closing the tab drops the terminal's last job handle → the OS terminates every process still in that job. A child escapes only with CREATE_BREAKAWAY_FROM_JOB — used NOWHERE in the tree. Both daemon spawn paths (daemon.rs:707 detached_no_inherit = DETACHED_PROCESS|CREATE_NEW_PROCESS_GROUP|CREATE_NO_WINDOW; deelevate.rs:519 elevated = CREATE_NEW_CONSOLE|...) drop the CONSOLE but NOT job membership, so the daemon's freshly broker-spawned ConPTY harness subtree is reaped on tab-close. The ConPTY/pseudoconsole isolation itself is CORRECT (portable-pty builds the pseudoconsole in the daemon; no console signal / handle leak) — the leaking lifetime binding is the Job Object, not the console. FIX: add CREATE_BREAKAWAY_FROM_JOB to both daemon spawn paths AND pin each broker-spawned harness into a DAEMON-OWNED Job Object (mirror reap.rs/Breap) as backstop (survives even where a terminal sets SILENT_BREAKAWAY_OK=false). Unix: the daemon's own session detachment (new session, no controlling terminal) already keeps a closing terminal's SIGHUP off its children — verify, add a guard test, no code expected. FIX UPDATE (v0.12.1 L1.5, doyle re-scope operator-approved 2026-06-18): job-neutral daemon launch is now PRIMARY, breakaway DEMOTED to a fallback rung. ROOT reframed — the daemon INHERITS the terminal's Job because spawn_detached runs FROM the terminal-child CLI (DETACHED_PROCESS detaches the console, not the job); breakaway tried to claw back out but a job CAN deny it (the L1 finding). FIX: launch the cold-started daemon via a job-NEUTRAL creator so it is WmiPrvSE/Task-Scheduler-owned, OUTSIDE any terminal job from birth (why Task-Scheduler-autostarted daemons never had this bug). Launcher ladder (first-success-wins, daemon.rs spawn_detached → BOTH cold-start AND `spt daemon start`): (1) WMI Win32_Process.Create via ABSOLUTE powershell -EncodedCommand (KH 5.12 abs path; base64-UTF16LE dodges all quoting; success requires BOTH ReturnValue==0 AND a parsed ProcessId, else fall-through — never a silent launched), forwarding SPT_* env via a `cmd /c set … & start /b` wrapper because a WMI/scheduler child does NOT inherit transient shell env (verified — SPT_HOME would be lost, wrong universe); (2) schtasks one-shot (same env wrapper; best-effort fallback); (3) CREATE_BREAKAWAY_FROM_JOB (the L1 code, reordered below); (4) in-job last resort (logs DETACH_IN_JOB + tab-close caveat). detached_no_inherit (breakaway-then-in-job) is UNCHANGED for its other caller shellhost::launch_shell (a daemon-spawned shell is already job-neutral once the daemon is). The elevated deelevate path keeps its L1 breakaway for now (elevated-case WMI-reparent = FOLLOW-UP). (v0.12.1)
2026-06-19T05:17:21.7819950Z - Required stages: doc, impl, unit, int
2026-06-19T05:17:21.7819983Z 
2026-06-19T05:17:21.7820078Z ### REQ-HAZARD-ATTACH-WEDGE
2026-06-19T05:17:21.7825194Z - Title: A legitimately dead PTY child (real crash/kill) + an undrained operator pump must NOT wedge the broker for all other clients. ROOT (v0.12.0 real-harness defect): loopback attach output is a blocking write_all into a bounded 64KB tokio duplex (nethost.rs:1040,1090); when the operator's rc pump stops draining (tab closed) the buffer fills and write_all blocks forever (the 'loopback never hangs' assumption at nethost.rs:1103 is false), parking a worker in the 2-worker net runtime (nethost.rs:640); a couple of these saturate BOTH workers → every new attach / `endpoint run` stalls right after 'PUMP_IPC_READER: spawned' → 30s FIRST_EVENT_GRACE → 'no output / dead or wedged'; `daemon stop` cannot join the stuck workers. DISTINCT from the removed B1 path-(c) mutex deadlock. DISPOSITION = PROVE-DON'T-CHANGE (doyle GATE-PASS @e883f45, 2026-06-18): this ROOT is the SUPERSEDED v0.12.0 hypothesis — the post-L0 code ALREADY prevents the wedge, so NO fail-fast / worker-count code was added. serve_attach forwards fire-and-forget (net_stream_send op_id=None) and the broker-side send_stream is already BROKER-QUIC-DEADLINE-bounded (bounded_block_on, 10s); the loopback duplex is drained broker-INTERNALLY by the operator row's own read pump (RecvHalf::Loopback, retentive_cap==0 → evict-not-park) so a dead rc (a dropped IPC subscriber) never backs peer_w up; bounded_block_on parks the BROKER DISPATCH thread, not a net worker → no worker-pool exhaustion (full mechanism in the required_stages comment). Folds the status=online sub-check: a dead spt-hosted endpoint is marked OFFLINE within one reconcile tick on abrupt child death (broker exit-waiter reaps the session → B2 sees it absent) — PROVEN, no change. (v0.12.1)
2026-06-19T05:17:21.7825415Z - Required stages: int
2026-06-19T05:17:21.7825453Z 
2026-06-19T05:17:21.7825552Z ### REQ-PICKER-HISTORY-FRESH
2026-06-19T05:17:21.7826626Z - Title: The `spt endpoint run` picker shows project history for FRESH endpoints (operator-raised v0.12.0 real-harness finding). Symptom: a fresh endpoint shows no project history in the picker. ROOT TBD — investigate the project-history loader (v0.10.0 PICKER-2, picker/data.rs) before fixing: distinguish a real loader bug from 'fresh = no history yet' semantics. (v0.12.1)
2026-06-19T05:17:21.7826725Z - Required stages: impl, unit
2026-06-19T05:17:21.7826754Z 
2026-06-19T05:17:21.7826855Z ### REQ-PICKER-ONLINE-ACTION
2026-06-19T05:17:21.7828357Z - Title: The `spt endpoint run` picker shows the correct action for an ALREADY-ONLINE endpoint — Attach, NOT 'Start now' (operator-raised v0.12.0 real-harness finding). Symptom: the picker offers 'Start now' for endpoints that are already online. ROOT TBD — investigate the status→action mapping (v0.10.0 PICKER-1 four-state status, picker/model.rs): is it reading live/online state correctly, or rendering stale/wedged broker state (i.e. partly a symptom of the broker wedge / status=online latch)? Fix so online → Attach. (v0.12.1)
2026-06-19T05:17:21.7828535Z - Required stages: impl, unit
2026-06-19T05:17:21.7828568Z 
2026-06-19T05:17:21.7828672Z ### REQ-ENDPOINT-LIST-MERGE-LOCAL
2026-06-19T05:17:21.7830443Z - Title: `spt endpoint list` always merges this node's LOCAL (unadvertised) perches into the view; the `--local` flag is REMOVED (operator decision 2026-06-17). Rationale: `spt whoami` is a thin alias of `endpoint list` — a just-online agent running `whoami` must see its OWN perch, or it gets an omitted-self view ('chaos'). FIX: drop the `--local` flag + its `--detail` conflict test + the v0.10.0 REQ-PICKER-5 hint line (cli.rs:1678) + cmd_list_local; the bare list merges local perches into the subnet view; fix the whoami alias path accordingly. Run `cargo run -p xtask -- gen` (docs-drift, DEFAULT target). (v0.12.1)
2026-06-19T05:17:21.7830557Z - Required stages: doc, impl, unit
2026-06-19T05:17:21.7830590Z 
2026-06-19T05:17:21.7830719Z ### REQ-HAZARD-ENDPOINT-RUN-ATTACH-OUTPUT
2026-06-19T05:17:21.7835536Z - Title: A clean `spt rc` attach to a LIVE spt-hosted (`endpoint run`) harness must DELIVER the harness's PTY output. KEYSTONE — the operator's central 'attach shows no output' symptom, reproduced on the real dummy-harness fixture (v0.12.1 Wave 1) with NO death and NO wedge: bringup succeeds (online, harness pid alive + heartbeating, psyche hosted), the attach CONNECTS (PUMP_IPC_READER spawned, no RC_FAIL, holds the full window) — but receives EXACTLY 0 bytes over 10s of the harness's flushed [session.self] stdout. DISTINCT from REQ-HAZARD-VIEWER-CLOSE-DETACH (death) and REQ-HAZARD-ATTACH-WEDGE (dead-child backpressure): here the harness is ALIVE and the attach is a clean first subscribe. This BLOCKS the 'view is independent' invariant — re-attach is meaningless if a live endpoint-run harness shows nothing. KNOWN-GOOD (rules out 'no drain'): attach.rs `local_attach_via_loopback_conn_rides_the_same_pump` + `broker_spawns_the_pty_child_in_the_requested_cwd` prove the broker DOES drain+fan a `spawn_session` PTY child to a loopback attach over the SAME transport rc uses. Both spawn_session and endpoint-run's spawn_session_pid send KIND_SPAWN → the same dispatch_spawn (broker.rs:706/835) which starts the per-session drain+OutputLog — so the gap is NARROWER than 'no drain', endpoint-run-specific. Root candidates: (a) spawn_session_pid's SpawnReq stdio/env/cwd differs so the dummy's stdout isn't the captured ConPTY; (b) the harness stdout WRITE BLOCKS because the ConPTY buffer fills (drain not reading THIS pty) — explains alive-but-0-bytes; (c) ConPTY reader-park (KH 7.6) on this path; (d) `spt rc` resolve_session/subscribe for an endpoint-run session subscribes to the wrong/empty log. (v0.12.1)
2026-06-19T05:17:21.7835773Z - Required stages: impl, unit, int
2026-06-19T05:17:21.7835803Z 
2026-06-19T05:17:21.7835904Z ### REQ-CLI-HELP-MARKDOWN
2026-06-19T05:17:21.7838813Z - Title: `spt --help` (and every subcommand --help) renders the inline Markdown authored in the clap doc-comments as terminal styling, never as literal markers: `**bold**` → ANSI bold, `` `code` `` → ANSI cyan, `[text](url)` → `text`. The markers are STRIPPED either way — a raw `**` or backtick must NEVER reach the user (the operator-reported v0.12.0 defect: help text reads `**ctrl-b**` and stray backticks verbatim). Color/bold escapes are emitted ONLY when the help is going to a real terminal AND color is not suppressed (NO_COLOR unset · CLICOLOR != 0 · CLICOLOR_FORCE forces on); a pipe / redirect / CI / NO_COLOR falls back to strip-only (clean plaintext, zero escapes) so machine-readable help is byte-identical regardless of marker syntax. Pure transform over the clap-rendered help string at the single run()/bare_invocation chokepoint; preserves pre-existing ANSI (CSI sequences passed through untouched), never spans markers across a newline, leaves unmatched/empty markers literal, and does not alter the help layout. (v0.12.1)
2026-06-19T05:17:21.7839109Z - Required stages: impl, unit
2026-06-19T05:17:21.7839142Z 
2026-06-19T05:17:21.7839237Z ## How to report back
2026-06-19T05:17:21.7839270Z 
2026-06-19T05:17:21.7839438Z For every (requirement, failing criterion) pair, emit one finding:
2026-06-19T05:17:21.7839471Z 
2026-06-19T05:17:21.7839552Z     {
2026-06-19T05:17:21.7839657Z       "code": "requirement_quality",
2026-06-19T05:17:21.7839753Z       "requirementId": "REQ-...",
2026-06-19T05:17:21.7839914Z       "criterion": "singular" | "verifiable" | "atomic" | "active-voice",
2026-06-19T05:17:21.7840006Z       "message": "<short reason>",
2026-06-19T05:17:21.7840124Z       "suggestedRevision": "<optional rewrite>"
2026-06-19T05:17:21.7840200Z     }
2026-06-19T05:17:21.7840234Z 
2026-06-19T05:17:21.7840407Z Wrap your response as { "findings": [ ... ] } listing only your concerns; the
2026-06-19T05:17:21.7840548Z deterministic findings above don't need to be repeated.
