﻿2026-06-21T04:47:54.0569126Z ##[group]Run ./traceable-reqs lint || true
2026-06-21T04:47:54.0569278Z [36;1m./traceable-reqs lint || true[0m
2026-06-21T04:47:54.0582135Z shell: /usr/bin/bash -e {0}
2026-06-21T04:47:54.0582227Z ##[endgroup]
2026-06-21T04:47:54.0831022Z Requirement quality findings (241); 275 requirements queued for agent review:
2026-06-21T04:47:54.0831956Z   [must] requirement_quality REQ-API-1 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0832543Z   [must] requirement_quality REQ-API-4 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0832958Z   [must] requirement_quality REQ-API-4 criterion=length — title is 67 words; want 3..=25
2026-06-21T04:47:54.0833349Z   [must] requirement_quality REQ-CLI-1 criterion=length — title is 47 words; want 3..=25
2026-06-21T04:47:54.0833748Z   [must] requirement_quality REQ-CLI-2 criterion=length — title is 37 words; want 3..=25
2026-06-21T04:47:54.0834178Z   [must] requirement_quality REQ-CLI-3 criterion=length — title is 37 words; want 3..=25
2026-06-21T04:47:54.0834625Z   [must] requirement_quality REQ-CLI-4 criterion=length — title is 89 words; want 3..=25
2026-06-21T04:47:54.0835264Z   [must] requirement_quality REQ-CLI-HELP-MARKDOWN criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0835742Z   [must] requirement_quality REQ-CLI-HELP-MARKDOWN criterion=length — title is 156 words; want 3..=25
2026-06-21T04:47:54.0836402Z   [must] requirement_quality REQ-CLI-OUTPUT-MARKDOWN criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0836886Z   [must] requirement_quality REQ-CLI-OUTPUT-MARKDOWN criterion=length — title is 199 words; want 3..=25
2026-06-21T04:47:54.0837312Z   [must] requirement_quality REQ-CONSENT-1 criterion=length — title is 41 words; want 3..=25
2026-06-21T04:47:54.0837736Z   [must] requirement_quality REQ-CONSENT-2 criterion=length — title is 37 words; want 3..=25
2026-06-21T04:47:54.0838495Z   [must] requirement_quality REQ-CONSENT-3 criterion=length — title is 82 words; want 3..=25
2026-06-21T04:47:54.0839182Z   [must] requirement_quality REQ-CONV-1 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0839502Z   [must] requirement_quality REQ-CONV-1 criterion=length — title is 73 words; want 3..=25
2026-06-21T04:47:54.0839758Z   [must] requirement_quality REQ-CONV-2 criterion=length — title is 47 words; want 3..=25
2026-06-21T04:47:54.0840126Z   [must] requirement_quality REQ-DAEMON-5 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0840388Z   [must] requirement_quality REQ-DAEMON-5 criterion=length — title is 64 words; want 3..=25
2026-06-21T04:47:54.0840746Z   [must] requirement_quality REQ-DAEMON-6 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0841017Z   [must] requirement_quality REQ-DAEMON-6 criterion=length — title is 84 words; want 3..=25
2026-06-21T04:47:54.0841379Z   [must] requirement_quality REQ-DAEMON-7 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0841629Z   [must] requirement_quality REQ-DAEMON-7 criterion=length — title is 62 words; want 3..=25
2026-06-21T04:47:54.0841882Z   [must] requirement_quality REQ-DAEMON-8 criterion=length — title is 44 words; want 3..=25
2026-06-21T04:47:54.0842230Z   [must] requirement_quality REQ-DAEMON-9 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0842493Z   [must] requirement_quality REQ-DAEMON-9 criterion=length — title is 114 words; want 3..=25
2026-06-21T04:47:54.0842860Z   [must] requirement_quality REQ-ELEVATE-1 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0843122Z   [must] requirement_quality REQ-ELEVATE-1 criterion=length — title is 121 words; want 3..=25
2026-06-21T04:47:54.0843695Z   [must] requirement_quality REQ-ENDPOINT-LIST-MERGE-LOCAL criterion=length — title is 95 words; want 3..=25
2026-06-21T04:47:54.0844108Z   [must] requirement_quality REQ-ENDPOINT-PURGE criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0844409Z   [must] requirement_quality REQ-ENDPOINT-PURGE criterion=length — title is 220 words; want 3..=25
2026-06-21T04:47:54.0844723Z   [must] requirement_quality REQ-ENDPOINT-STOP-OFFLINE criterion=length — title is 58 words; want 3..=25
2026-06-21T04:47:54.0845086Z   [must] requirement_quality REQ-EP-6 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0845334Z   [must] requirement_quality REQ-EP-6 criterion=length — title is 58 words; want 3..=25
2026-06-21T04:47:54.0845611Z   [must] requirement_quality REQ-EP-7 criterion=length — title is 68 words; want 3..=25
2026-06-21T04:47:54.0846024Z   [must] requirement_quality REQ-HAZARD-ATTACH-WEDGE criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0846367Z   [must] requirement_quality REQ-HAZARD-ATTACH-WEDGE criterion=length — title is 244 words; want 3..=25
2026-06-21T04:47:54.0846770Z   [must] requirement_quality REQ-HAZARD-BIND-CWD-UNSET criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0847171Z   [must] requirement_quality REQ-HAZARD-BIND-CWD-UNSET criterion=length — title is 130 words; want 3..=25
2026-06-21T04:47:54.0847604Z   [must] requirement_quality REQ-HAZARD-BRAIN-RESPAWN-PATH criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0847919Z   [must] requirement_quality REQ-HAZARD-BRAIN-RESPAWN-PATH criterion=length — title is 119 words; want 3..=25
2026-06-21T04:47:54.0848405Z   [must] requirement_quality REQ-HAZARD-BRAIN-RESTART-LIFECYCLE-REHYDRATE criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0848929Z   [must] requirement_quality REQ-HAZARD-BRAIN-RESTART-LIFECYCLE-REHYDRATE criterion=length — title is 125 words; want 3..=25
2026-06-21T04:47:54.0849580Z   [must] requirement_quality REQ-HAZARD-BRAIN-RESTART-PSYCHE-DUP criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0849932Z   [must] requirement_quality REQ-HAZARD-BRAIN-RESTART-PSYCHE-DUP criterion=length — title is 199 words; want 3..=25
2026-06-21T04:47:54.0850372Z   [must] requirement_quality REQ-HAZARD-BROKER-PROCESS-ISOLATION criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0850725Z   [must] requirement_quality REQ-HAZARD-BROKER-PROCESS-ISOLATION criterion=length — title is 114 words; want 3..=25
2026-06-21T04:47:54.0851162Z   [must] requirement_quality REQ-HAZARD-BROKER-QUIC-DEADLINE criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0851501Z   [must] requirement_quality REQ-HAZARD-BROKER-QUIC-DEADLINE criterion=length — title is 162 words; want 3..=25
2026-06-21T04:47:54.0851944Z   [must] requirement_quality REQ-HAZARD-BROKER-SEED-WIRE-SKEW criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0852275Z   [must] requirement_quality REQ-HAZARD-BROKER-SEED-WIRE-SKEW criterion=length — title is 193 words; want 3..=25
2026-06-21T04:47:54.0852614Z   [must] requirement_quality REQ-HAZARD-CONFLICT-BOTH-PRESERVED criterion=length — title is 29 words; want 3..=25
2026-06-21T04:47:54.0853058Z   [must] requirement_quality REQ-HAZARD-CONTROLLER-RETAKE-FLOOR criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0853386Z   [must] requirement_quality REQ-HAZARD-CONTROLLER-RETAKE-FLOOR criterion=length — title is 184 words; want 3..=25
2026-06-21T04:47:54.0853834Z   [must] requirement_quality REQ-HAZARD-CONTROLLER-WRITER-REORDER criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0854325Z   [must] requirement_quality REQ-HAZARD-CONTROLLER-WRITER-REORDER criterion=length — title is 643 words; want 3..=25
2026-06-21T04:47:54.0854659Z   [must] requirement_quality REQ-HAZARD-DAEMON-SCHED-NONBLOCKING criterion=length — title is 32 words; want 3..=25
2026-06-21T04:47:54.0855096Z   [must] requirement_quality REQ-HAZARD-DAEMON-STOP-BARRIER criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0855411Z   [must] requirement_quality REQ-HAZARD-DAEMON-STOP-BARRIER criterion=length — title is 80 words; want 3..=25
2026-06-21T04:47:54.0855828Z   [must] requirement_quality REQ-HAZARD-DAEMON-STOP-REAP criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0856147Z   [must] requirement_quality REQ-HAZARD-DAEMON-STOP-REAP criterion=length — title is 90 words; want 3..=25
2026-06-21T04:47:54.0856566Z   [must] requirement_quality REQ-HAZARD-DEFERRED-MANIFEST criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0857018Z   [must] requirement_quality REQ-HAZARD-DEFERRED-MANIFEST criterion=length — title is 112 words; want 3..=25
2026-06-21T04:47:54.0857358Z   [must] requirement_quality REQ-HAZARD-DETACHED-PIPE-INHERIT criterion=length — title is 52 words; want 3..=25
2026-06-21T04:47:54.0857808Z   [must] requirement_quality REQ-HAZARD-DRIVEN-BY-IDLE-REMOTE-EVICT criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0858174Z   [must] requirement_quality REQ-HAZARD-DRIVEN-BY-IDLE-REMOTE-EVICT criterion=length — title is 232 words; want 3..=25
2026-06-21T04:47:54.0858593Z   [must] requirement_quality REQ-HAZARD-DRIVEN-BY-SELFHEAL criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0858917Z   [must] requirement_quality REQ-HAZARD-DRIVEN-BY-SELFHEAL criterion=length — title is 77 words; want 3..=25
2026-06-21T04:47:54.0859466Z   [must] requirement_quality REQ-HAZARD-EFFECT-JOURNAL-PTY-WEDGE criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0859818Z   [must] requirement_quality REQ-HAZARD-EFFECT-JOURNAL-PTY-WEDGE criterion=length — title is 440 words; want 3..=25
2026-06-21T04:47:54.0860254Z   [must] requirement_quality REQ-HAZARD-ELEVATED-DAEMON-SPAWN criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0860588Z   [must] requirement_quality REQ-HAZARD-ELEVATED-DAEMON-SPAWN criterion=length — title is 58 words; want 3..=25
2026-06-21T04:47:54.0861036Z   [must] requirement_quality REQ-HAZARD-ENDPOINT-RUN-ATTACH-OUTPUT criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0861394Z   [must] requirement_quality REQ-HAZARD-ENDPOINT-RUN-ATTACH-OUTPUT criterion=length — title is 228 words; want 3..=25
2026-06-21T04:47:54.0861789Z   [must] requirement_quality REQ-HAZARD-ENV-SUBST criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0862104Z   [must] requirement_quality REQ-HAZARD-ENV-SUBST criterion=length — title is 168 words; want 3..=25
2026-06-21T04:47:54.0862523Z   [must] requirement_quality REQ-HAZARD-ENVELOPE-CR-LINESAFE criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0862854Z   [must] requirement_quality REQ-HAZARD-ENVELOPE-CR-LINESAFE criterion=length — title is 73 words; want 3..=25
2026-06-21T04:47:54.0863279Z   [must] requirement_quality REQ-HAZARD-ENVELOPE-PARSER-SAFE criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0863579Z   [must] requirement_quality REQ-HAZARD-EPOCH-RESET criterion=length — title is 60 words; want 3..=25
2026-06-21T04:47:54.0863980Z   [must] requirement_quality REQ-HAZARD-GEN-START-NOW criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0864347Z   [must] requirement_quality REQ-HAZARD-HOSTED-LIVENESS-RECONCILE criterion=length — title is 175 words; want 3..=25
2026-06-21T04:47:54.0864895Z   [must] requirement_quality REQ-HAZARD-INJECT-CONTROL-COEXIST criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0865233Z   [must] requirement_quality REQ-HAZARD-INJECT-CONTROL-COEXIST criterion=length — title is 340 words; want 3..=25
2026-06-21T04:47:54.0865661Z   [must] requirement_quality REQ-HAZARD-INPUT-ACK-BACKPRESSURE criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0865990Z   [must] requirement_quality REQ-HAZARD-INPUT-ACK-BACKPRESSURE criterion=length — title is 343 words; want 3..=25
2026-06-21T04:47:54.0866315Z   [must] requirement_quality REQ-HAZARD-INSTANT-UNDERFLOW criterion=length — title is 30 words; want 3..=25
2026-06-21T04:47:54.0866673Z   [must] requirement_quality REQ-HAZARD-LIVEHOST-BOOT-LIVENESS-GATE criterion=length — title is 122 words; want 3..=25
2026-06-21T04:47:54.0867240Z   [must] requirement_quality REQ-HAZARD-LIVEHOST-BOOT-RACE criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0867568Z   [must] requirement_quality REQ-HAZARD-LIVEHOST-BOOT-RACE criterion=length — title is 158 words; want 3..=25
2026-06-21T04:47:54.0868391Z   [must] requirement_quality REQ-HAZARD-LIVEHOST-NONRESIDENT criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0868720Z   [must] requirement_quality REQ-HAZARD-LIVEHOST-NONRESIDENT criterion=length — title is 171 words; want 3..=25
2026-06-21T04:47:54.0869139Z   [must] requirement_quality REQ-HAZARD-PAIR-RATE-LIMIT criterion=length — title is 37 words; want 3..=25
2026-06-21T04:47:54.0869482Z   [must] requirement_quality REQ-HAZARD-PAIR-SEED-ROTATION criterion=length — title is 33 words; want 3..=25
2026-06-21T04:47:54.0869904Z   [must] requirement_quality REQ-HAZARD-PAIR-TRANSCRIPT-BIND criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0870360Z   [must] requirement_quality REQ-HAZARD-PSYCHE-OUTBOUND-PROXY criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0870700Z   [must] requirement_quality REQ-HAZARD-PSYCHE-OUTBOUND-PROXY criterion=length — title is 27 words; want 3..=25
2026-06-21T04:47:54.0871138Z   [must] requirement_quality REQ-HAZARD-PTY-INPUT-WRITER-WEDGE criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0871645Z   [must] requirement_quality REQ-HAZARD-PTY-INPUT-WRITER-WEDGE criterion=length — title is 287 words; want 3..=25
2026-06-21T04:47:54.0872217Z   [must] requirement_quality REQ-HAZARD-PUMP-IPC-DEADLINE criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0872555Z   [must] requirement_quality REQ-HAZARD-PUMP-IPC-DEADLINE criterion=length — title is 38 words; want 3..=25
2026-06-21T04:47:54.0872974Z   [must] requirement_quality REQ-HAZARD-RC-ATTACH-FAILFAST criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0873300Z   [must] requirement_quality REQ-HAZARD-RC-ATTACH-FAILFAST criterion=length — title is 163 words; want 3..=25
2026-06-21T04:47:54.0873729Z   [must] requirement_quality REQ-HAZARD-RC-ATTACH-ONLINE-RACE criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0874069Z   [must] requirement_quality REQ-HAZARD-RC-ATTACH-ONLINE-RACE criterion=length — title is 184 words; want 3..=25
2026-06-21T04:47:54.0874454Z   [must] requirement_quality REQ-HAZARD-RC-EOF criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0874737Z   [must] requirement_quality REQ-HAZARD-RC-EOF criterion=length — title is 208 words; want 3..=25
2026-06-21T04:47:54.0875174Z   [must] requirement_quality REQ-HAZARD-RC-INPUT-KEY-ENCODING criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0875628Z   [must] requirement_quality REQ-HAZARD-RC-INPUT-KEY-ENCODING criterion=length — title is 222 words; want 3..=25
2026-06-21T04:47:54.0876051Z   [must] requirement_quality REQ-HAZARD-REGISTRY-GHOST-ROWS criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0876385Z   [must] requirement_quality REQ-HAZARD-REGISTRY-GHOST-ROWS criterion=length — title is 66 words; want 3..=25
2026-06-21T04:47:54.0876714Z   [must] requirement_quality REQ-HAZARD-ROLLBACK-STATE-COMPAT criterion=length — title is 72 words; want 3..=25
2026-06-21T04:47:54.0877123Z   [must] requirement_quality REQ-HAZARD-ROSTER-GHOST criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0877433Z   [must] requirement_quality REQ-HAZARD-ROSTER-GHOST criterion=length — title is 116 words; want 3..=25
2026-06-21T04:47:54.0877829Z   [must] requirement_quality REQ-HAZARD-SELF-ELEVATE criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0878238Z   [must] requirement_quality REQ-HAZARD-SELF-ELEVATE criterion=length — title is 101 words; want 3..=25
2026-06-21T04:47:54.0878546Z   [must] requirement_quality REQ-HAZARD-SUDO-SECURE-PATH criterion=length — title is 43 words; want 3..=25
2026-06-21T04:47:54.0879056Z   [must] requirement_quality REQ-HAZARD-TEMPLATE-ARGV-FILL criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0879380Z   [must] requirement_quality REQ-HAZARD-TEMPLATE-ARGV-FILL criterion=length — title is 166 words; want 3..=25
2026-06-21T04:47:54.0879800Z   [must] requirement_quality REQ-HAZARD-UNHOST-PSYCHE-REAP criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0880125Z   [must] requirement_quality REQ-HAZARD-UNHOST-PSYCHE-REAP criterion=length — title is 161 words; want 3..=25
2026-06-21T04:47:54.0880567Z   [must] requirement_quality REQ-HAZARD-VIEWER-CLOSE-DETACH criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0880892Z   [must] requirement_quality REQ-HAZARD-VIEWER-CLOSE-DETACH criterion=length — title is 437 words; want 3..=25
2026-06-21T04:47:54.0881302Z   [must] requirement_quality REQ-HAZARD-VIEWER-ISOLATION criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0881622Z   [must] requirement_quality REQ-HAZARD-VIEWER-ISOLATION criterion=length — title is 118 words; want 3..=25
2026-06-21T04:47:54.0881937Z   [must] requirement_quality REQ-HAZARD-WAN-ORIGIN-AUTH criterion=length — title is 37 words; want 3..=25
2026-06-21T04:47:54.0882382Z   [must] requirement_quality REQ-HAZARD-WIN-PTY-PROGRAM-RESOLVE criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0882725Z   [must] requirement_quality REQ-HAZARD-WIN-PTY-PROGRAM-RESOLVE criterion=length — title is 96 words; want 3..=25
2026-06-21T04:47:54.0883054Z   [must] requirement_quality REQ-HAZARD-WMI-DAEMON-WINDOW criterion=length — title is 101 words; want 3..=25
2026-06-21T04:47:54.0883331Z   [must] requirement_quality REQ-HOST-RUN-1 criterion=length — title is 88 words; want 3..=25
2026-06-21T04:47:54.0883591Z   [must] requirement_quality REQ-HOST-RUN-2 criterion=length — title is 97 words; want 3..=25
2026-06-21T04:47:54.0883851Z   [must] requirement_quality REQ-INST-15 criterion=length — title is 32 words; want 3..=25
2026-06-21T04:47:54.0884213Z   [must] requirement_quality REQ-INSTALL-10 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0884471Z   [must] requirement_quality REQ-INSTALL-10 criterion=length — title is 58 words; want 3..=25
2026-06-21T04:47:54.0884728Z   [must] requirement_quality REQ-INSTALL-11 criterion=length — title is 78 words; want 3..=25
2026-06-21T04:47:54.0884991Z   [must] requirement_quality REQ-INSTALL-12 criterion=length — title is 116 words; want 3..=25
2026-06-21T04:47:54.0885376Z   [must] requirement_quality REQ-INSTALL-2 criterion=length — title is 2 word(s); want 3..=25
2026-06-21T04:47:54.0885744Z   [must] requirement_quality REQ-INSTALL-6 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0886020Z   [must] requirement_quality REQ-INSTALL-6 criterion=length — title is 56 words; want 3..=25
2026-06-21T04:47:54.0886367Z   [must] requirement_quality REQ-INSTALL-7 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0886626Z   [must] requirement_quality REQ-INSTALL-7 criterion=length — title is 50 words; want 3..=25
2026-06-21T04:47:54.0886878Z   [must] requirement_quality REQ-INSTALL-8 criterion=length — title is 55 words; want 3..=25
2026-06-21T04:47:54.0887240Z   [must] requirement_quality REQ-INSTALL-9 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0887503Z   [must] requirement_quality REQ-INSTALL-9 criterion=length — title is 62 words; want 3..=25
2026-06-21T04:47:54.0887960Z   [must] requirement_quality REQ-KICK-1 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0888218Z   [must] requirement_quality REQ-KICK-1 criterion=length — title is 133 words; want 3..=25
2026-06-21T04:47:54.0888589Z   [must] requirement_quality REQ-MANIFEST-1 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0888855Z   [must] requirement_quality REQ-MANIFEST-3 criterion=length — title is 26 words; want 3..=25
2026-06-21T04:47:54.0889183Z   [must] requirement_quality REQ-MANIFEST-4 criterion=length — title is 31 words; want 3..=25
2026-06-21T04:47:54.0889493Z   [must] requirement_quality REQ-MANIFEST-5 criterion=length — title is 132 words; want 3..=25
2026-06-21T04:47:54.0889755Z   [must] requirement_quality REQ-MANIFEST-6 criterion=length — title is 84 words; want 3..=25
2026-06-21T04:47:54.0890026Z   [must] requirement_quality REQ-MANIFEST-7 criterion=length — title is 120 words; want 3..=25
2026-06-21T04:47:54.0890283Z   [must] requirement_quality REQ-MANIFEST-8 criterion=length — title is 77 words; want 3..=25
2026-06-21T04:47:54.0890532Z   [must] requirement_quality REQ-MESH-1 criterion=length — title is 86 words; want 3..=25
2026-06-21T04:47:54.0890885Z   [must] requirement_quality REQ-MESH-2 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0891132Z   [must] requirement_quality REQ-MESH-2 criterion=length — title is 120 words; want 3..=25
2026-06-21T04:47:54.0891490Z   [must] requirement_quality REQ-MESH-3 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0891741Z   [must] requirement_quality REQ-MESH-3 criterion=length — title is 86 words; want 3..=25
2026-06-21T04:47:54.0892078Z   [must] requirement_quality REQ-MESH-4 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0892341Z   [must] requirement_quality REQ-MESH-4 criterion=length — title is 99 words; want 3..=25
2026-06-21T04:47:54.0892689Z   [must] requirement_quality REQ-MESH-5 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0892937Z   [must] requirement_quality REQ-MESH-5 criterion=length — title is 72 words; want 3..=25
2026-06-21T04:47:54.0893290Z   [must] requirement_quality REQ-MESH-6 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0893533Z   [must] requirement_quality REQ-MESH-6 criterion=length — title is 56 words; want 3..=25
2026-06-21T04:47:54.0893896Z   [must] requirement_quality REQ-MIGRATE-1 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0894151Z   [must] requirement_quality REQ-MSG-4 criterion=length — title is 31 words; want 3..=25
2026-06-21T04:47:54.0894392Z   [must] requirement_quality REQ-MSG-5 criterion=length — title is 38 words; want 3..=25
2026-06-21T04:47:54.0894763Z   [must] requirement_quality REQ-MSG-6 criterion=length — title is 65 words; want 3..=25
2026-06-21T04:47:54.0895145Z   [must] requirement_quality REQ-MSG-ENVELOPE criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0895426Z   [must] requirement_quality REQ-MSG-ENVELOPE criterion=length — title is 153 words; want 3..=25
2026-06-21T04:47:54.0895862Z   [must] requirement_quality REQ-MSG-IDLE-TRANSLATION-BINARY criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0896191Z   [must] requirement_quality REQ-MSG-IDLE-TRANSLATION-BINARY criterion=length — title is 221 words; want 3..=25
2026-06-21T04:47:54.0896552Z   [must] requirement_quality REQ-PAIR-8 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0896791Z   [must] requirement_quality REQ-PAIR-8 criterion=length — title is 67 words; want 3..=25
2026-06-21T04:47:54.0897266Z   [must] requirement_quality REQ-PICKER-1 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0897539Z   [must] requirement_quality REQ-PICKER-1 criterion=length — title is 156 words; want 3..=25
2026-06-21T04:47:54.0897796Z   [must] requirement_quality REQ-PICKER-2 criterion=length — title is 77 words; want 3..=25
2026-06-21T04:47:54.0898058Z   [must] requirement_quality REQ-PICKER-3 criterion=length — title is 120 words; want 3..=25
2026-06-21T04:47:54.0898421Z   [must] requirement_quality REQ-PICKER-4 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0898669Z   [must] requirement_quality REQ-PICKER-4 criterion=length — title is 84 words; want 3..=25
2026-06-21T04:47:54.0899089Z   [must] requirement_quality REQ-PICKER-5 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0899344Z   [must] requirement_quality REQ-PICKER-5 criterion=length — title is 147 words; want 3..=25
2026-06-21T04:47:54.0899795Z   [must] requirement_quality REQ-PICKER-ADAPTER-DESCRIPTION criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0900128Z   [must] requirement_quality REQ-PICKER-ADAPTER-DESCRIPTION criterion=length — title is 64 words; want 3..=25
2026-06-21T04:47:54.0900429Z   [must] requirement_quality REQ-PICKER-HISTORY-FRESH criterion=length — title is 51 words; want 3..=25
2026-06-21T04:47:54.0900777Z   [must] requirement_quality REQ-PICKER-HISTORY-FRESH criterion=tbd-todo — title contains placeholder marker 'TBD'
2026-06-21T04:47:54.0901073Z   [must] requirement_quality REQ-PICKER-ONLINE-ACTION criterion=length — title is 74 words; want 3..=25
2026-06-21T04:47:54.0901416Z   [must] requirement_quality REQ-PICKER-ONLINE-ACTION criterion=tbd-todo — title contains placeholder marker 'TBD'
2026-06-21T04:47:54.0901812Z   [must] requirement_quality REQ-PICKER-UX-V013 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0902102Z   [must] requirement_quality REQ-PICKER-UX-V013 criterion=length — title is 86 words; want 3..=25
2026-06-21T04:47:54.0902466Z   [must] requirement_quality REQ-PRES-1 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0902724Z   [must] requirement_quality REQ-PRES-1 criterion=length — title is 48 words; want 3..=25
2026-06-21T04:47:54.0902968Z   [must] requirement_quality REQ-RC-1 criterion=length — title is 94 words; want 3..=25
2026-06-21T04:47:54.0903372Z   [must] requirement_quality REQ-RC-KEY-VT-TRANSLATE criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0903677Z   [must] requirement_quality REQ-RC-KEY-VT-TRANSLATE criterion=length — title is 249 words; want 3..=25
2026-06-21T04:47:54.0904073Z   [must] requirement_quality REQ-RC-MOUSE-FORWARD criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0904480Z   [must] requirement_quality REQ-RC-MOUSE-FORWARD criterion=length — title is 218 words; want 3..=25
2026-06-21T04:47:54.0904863Z   [must] requirement_quality REQ-RC-WIN-PASTE criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0905148Z   [must] requirement_quality REQ-RC-WIN-PASTE criterion=length — title is 226 words; want 3..=25
2026-06-21T04:47:54.0905511Z   [must] requirement_quality REQ-RCVIEW-1 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0905773Z   [must] requirement_quality REQ-RCVIEW-1 criterion=length — title is 197 words; want 3..=25
2026-06-21T04:47:54.0906177Z   [must] requirement_quality REQ-READY-AGENT-RESUME criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0906478Z   [must] requirement_quality REQ-READY-AGENT-RESUME criterion=length — title is 165 words; want 3..=25
2026-06-21T04:47:54.0906970Z   [must] requirement_quality REQ-RUN-PICKER criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0907255Z   [must] requirement_quality REQ-RUN-PICKER criterion=length — title is 203 words; want 3..=25
2026-06-21T04:47:54.0907635Z   [must] requirement_quality REQ-RUN-SHORTCUT criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0907917Z   [must] requirement_quality REQ-RUN-SHORTCUT criterion=length — title is 226 words; want 3..=25
2026-06-21T04:47:54.0908183Z   [must] requirement_quality REQ-SEAM-SPAWN criterion=length — title is 2 word(s); want 3..=25
2026-06-21T04:47:54.0908580Z   [must] requirement_quality REQ-SEND-SPT-HOSTED criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0908875Z   [must] requirement_quality REQ-SEND-SPT-HOSTED criterion=length — title is 169 words; want 3..=25
2026-06-21T04:47:54.0909357Z   [must] requirement_quality REQ-SESSION-RESUME-TEMPLATE criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0909695Z   [must] requirement_quality REQ-SESSION-RESUME-TEMPLATE criterion=length — title is 287 words; want 3..=25
2026-06-21T04:47:54.0909957Z   [must] requirement_quality REQ-SHELL-1 criterion=length — title is 36 words; want 3..=25
2026-06-21T04:47:54.0910207Z   [must] requirement_quality REQ-SHELL-2 criterion=length — title is 49 words; want 3..=25
2026-06-21T04:47:54.0910460Z   [must] requirement_quality REQ-SHELL-3 criterion=length — title is 80 words; want 3..=25
2026-06-21T04:47:54.0910807Z   [must] requirement_quality REQ-SHELL-4 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0911070Z   [must] requirement_quality REQ-SHELL-4 criterion=length — title is 84 words; want 3..=25
2026-06-21T04:47:54.0911319Z   [must] requirement_quality REQ-SHELL-5 criterion=length — title is 49 words; want 3..=25
2026-06-21T04:47:54.0911675Z   [must] requirement_quality REQ-START-5 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0911933Z   [must] requirement_quality REQ-START-5 criterion=length — title is 129 words; want 3..=25
2026-06-21T04:47:54.0912192Z   [must] requirement_quality REQ-STORE-1 criterion=length — title is 34 words; want 3..=25
2026-06-21T04:47:54.0912459Z   [must] requirement_quality REQ-SUBNET-5 criterion=length — title is 52 words; want 3..=25
2026-06-21T04:47:54.0912819Z   [must] requirement_quality REQ-SUBNET-6 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0913074Z   [must] requirement_quality REQ-SUBNET-6 criterion=length — title is 38 words; want 3..=25
2026-06-21T04:47:54.0913438Z   [must] requirement_quality REQ-SUBNET-7 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0913689Z   [must] requirement_quality REQ-SUBNET-7 criterion=length — title is 75 words; want 3..=25
2026-06-21T04:47:54.0914062Z   [must] requirement_quality REQ-SUBNET-8 criterion=length — title is 53 words; want 3..=25
2026-06-21T04:47:54.0914424Z   [must] requirement_quality REQ-TERM-5 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0914672Z   [must] requirement_quality REQ-TERM-5 criterion=length — title is 71 words; want 3..=25
2026-06-21T04:47:54.0915036Z   [must] requirement_quality REQ-TERM-6 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0915290Z   [must] requirement_quality REQ-TERM-6 criterion=length — title is 53 words; want 3..=25
2026-06-21T04:47:54.0915641Z   [must] requirement_quality REQ-TERM-7 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0915893Z   [must] requirement_quality REQ-TERM-7 criterion=length — title is 55 words; want 3..=25
2026-06-21T04:47:54.0916246Z   [must] requirement_quality REQ-UPD-6 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0916605Z   [must] requirement_quality REQ-UPD-6 criterion=length — title is 32 words; want 3..=25
2026-06-21T04:47:54.0916953Z   [must] requirement_quality REQ-UPD-7 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0917205Z   [must] requirement_quality REQ-UPD-7 criterion=length — title is 88 words; want 3..=25
2026-06-21T04:47:54.0917554Z   [must] requirement_quality REQ-UPD-8 criterion=contains-and — title contains ' and ' — may smuggle multiple capabilities
2026-06-21T04:47:54.0917796Z   [must] requirement_quality REQ-UPD-8 criterion=length — title is 115 words; want 3..=25
2026-06-21T04:47:54.0918053Z   [must] requirement_quality REQ-UPD-9 criterion=length — title is 110 words; want 3..=25
2026-06-21T04:47:54.0918321Z   [must] requirement_quality REQ-WHOAMI-1 criterion=length — title is 76 words; want 3..=25
2026-06-21T04:47:54.0918354Z 
2026-06-21T04:47:54.0918462Z # Requirement quality review
2026-06-21T04:47:54.0918505Z 
2026-06-21T04:47:54.0918715Z You are reviewing 275 requirement(s) from `traceable-reqs.toml` against a quality
2026-06-21T04:47:54.0918912Z rubric. Deterministic checks (length, contains-and, tbd-todo, duplicate-titles,
2026-06-21T04:47:54.0919179Z trailing-etc) have already run and surfaced as `requirement_quality` findings on
2026-06-21T04:47:54.0919326Z this command's output. Your task is the rubric items below.
2026-06-21T04:47:54.0919359Z 
2026-06-21T04:47:54.0919445Z ## Rubric
2026-06-21T04:47:54.0919484Z 
2026-06-21T04:47:54.0919745Z - **singular** — describes one capability; no smuggled "and"/"or" across distinct actions.
2026-06-21T04:47:54.0919978Z - **verifiable** — states an observable behavior a test or reviewer could confirm.
2026-06-21T04:47:54.0920195Z - **atomic** — cannot be split into two requirements without losing meaning.
2026-06-21T04:47:54.0920364Z - **active-voice** — clear subject and active verb.
2026-06-21T04:47:54.0920406Z 
2026-06-21T04:47:54.0920648Z If a criterion is borderline or doesn't apply, abstain — only emit findings for
2026-06-21T04:47:54.0920748Z clear concerns.
2026-06-21T04:47:54.0920782Z 
2026-06-21T04:47:54.0920873Z ## Requirements
2026-06-21T04:47:54.0920911Z 
2026-06-21T04:47:54.0921000Z ### REQ-ARCH-1
2026-06-21T04:47:54.0921130Z - Title: Many small acyclically-layered crates
2026-06-21T04:47:54.0921226Z - Required stages: impl
2026-06-21T04:47:54.0921263Z 
2026-06-21T04:47:54.0921358Z ### REQ-ARCH-2
2026-06-21T04:47:54.0921502Z - Title: Public SDK surface is spt-proto, spt-runtime, spt-msg
2026-06-21T04:47:54.0921606Z - Required stages: impl
2026-06-21T04:47:54.0921634Z 
2026-06-21T04:47:54.0921731Z ### REQ-ARCH-3
2026-06-21T04:47:54.0921921Z - Title: Wire-protocol version independent of crate semver, N-1 compat window
2026-06-21T04:47:54.0922021Z - Required stages: impl, unit
2026-06-21T04:47:54.0922046Z 
2026-06-21T04:47:54.0922132Z ### REQ-ARCH-4
2026-06-21T04:47:54.0922307Z - Title: Copy-verbatim the commodity layer from the sister project
2026-06-21T04:47:54.0922512Z - Required stages: impl, unit
2026-06-21T04:47:54.0922536Z 
2026-06-21T04:47:54.0922627Z ### REQ-DAEMON-1
2026-06-21T04:47:54.0922785Z - Title: One per-machine spt-daemon owning all per-machine state
2026-06-21T04:47:54.0922898Z - Required stages: impl, unit, int
2026-06-21T04:47:54.0922932Z 
2026-06-21T04:47:54.0923033Z ### REQ-DAEMON-2
2026-06-21T04:47:54.0923165Z - Title: Broker/brain split for seamless self-update
2026-06-21T04:47:54.0923264Z - Required stages: impl, unit, int
2026-06-21T04:47:54.0923303Z 
2026-06-21T04:47:54.0923398Z ### REQ-DAEMON-3
2026-06-21T04:47:54.0923543Z - Title: Any api invocation auto-starts the daemon if absent
2026-06-21T04:47:54.0923658Z - Required stages: impl, unit, int
2026-06-21T04:47:54.0923692Z 
2026-06-21T04:47:54.0923788Z ### REQ-DAEMON-4
2026-06-21T04:47:54.0923901Z - Title: Honor every KNOWN-HAZARDS invariant
2026-06-21T04:47:54.0924007Z - Required stages: impl, unit, int
2026-06-21T04:47:54.0924140Z 
2026-06-21T04:47:54.0924239Z ### REQ-STORE-1
2026-06-21T04:47:54.0925079Z - Title: spt-store::BranchStore (git branch as versioned KV; commit=checkpoint/tip=resume, atomic multi-key, merge-native sync) is the substrate for coarse/durable/audited state (context, registry snapshot+distribution, daemon checkpoint); hot paths (B5 fsync journal) + indexed queries (SQLite spool) excluded (ADR-0011)
2026-06-21T04:47:54.0925189Z - Required stages: impl, unit
2026-06-21T04:47:54.0925228Z 
2026-06-21T04:47:54.0925318Z ### REQ-MANIFEST-1
2026-06-21T04:47:54.0925499Z - Title: Per-adapter manifest with adapter_name and min_spt_core_version
2026-06-21T04:47:54.0925605Z - Required stages: doc, impl, unit
2026-06-21T04:47:54.0925638Z 
2026-06-21T04:47:54.0925737Z ### REQ-MANIFEST-2
2026-06-21T04:47:54.0926215Z - Title: Adapter profiles — sparse leaf-replace overlays (shipped + local), composite <adapter>:<profile> addressing, shadow-refusal, tighten-only consent floors
2026-06-21T04:47:54.0926326Z - Required stages: doc, impl, unit
2026-06-21T04:47:54.0926368Z 
2026-06-21T04:47:54.0926467Z ### REQ-MANIFEST-3
2026-06-21T04:47:54.0927064Z - Title: Adapter strings — [strings] KV tree, dot-path get-string resolving through the profile leaf-replace overlay, set-string editing a local profile's [strings] only; data-only (nothing executes a string)
2026-06-21T04:47:54.0927175Z - Required stages: doc, impl, unit
2026-06-21T04:47:54.0927208Z 
2026-06-21T04:47:54.0927298Z ### REQ-MANIFEST-4
2026-06-21T04:47:54.0927965Z - Title: Keyword hints — [[hints]] {keywords (literal/regex), text}; spt api hint --session emits at most one matched hint per message, once per session (seen-set), declaration-order first match; profiles overlay [[hints]] by leaf-replace
2026-06-21T04:47:54.0928075Z - Required stages: doc, impl, unit
2026-06-21T04:47:54.0928114Z 
2026-06-21T04:47:54.0928200Z ### REQ-MANIFEST-5
2026-06-21T04:47:54.0931152Z - Title: File-backed adapter [strings] (M12-W3-T3.1): a [strings] dot-path value MAY be an inline-table FILE POINTER `key = { file = "rel/path" }` resolved to the file's contents at get-string time, keeping large bodies (skill-instructions, hint text) out of the manifest. A value-position table with a `file` key IS the pointer form (reserved — cannot double as data). Per-adapter aux storage `adapters/<adapter>/strings/`; pointers resolve relative to it with CONTAINMENT (reject `..`/absolute escaping the dir). UPDATE-SAFETY: a LOCAL profile's file-pointers resolve relative to the user-owned local-profile dir (NOT adapter-shipped strings/, which adapter updates overwrite), or the local profile inlines. Validate-at-register (fail-fast on a bad/escaping/missing pointer) + LAZY read at get-string (live file edits reflect, no re-register) + skip-diagnostics on missing-at-read (no hard-crash, mirrors [digest]). Rides the same leaf-replace profile overlay as the rest of [strings].
2026-06-21T04:47:54.0931270Z - Required stages: doc, impl, unit
2026-06-21T04:47:54.0931308Z 
2026-06-21T04:47:54.0931409Z ### REQ-MANIFEST-6
2026-06-21T04:47:54.0933546Z - Title: Cross-adapter fallback target addressing (M12-W3-T3.2): a cross-adapter fallback target is addressed as `<adapter>:<profile>` (not just a bare adapter_name), resolved through the one composite-addressing resolver (registry::resolve_option) at every adapter-option read site so a fallback may select a shipped/local profile (e.g. a `ccs` profile). CONTEXT.md §cross-adapter-fallback reconciled ("ccs is a profile; cross-adapter fallback may target <adapter>:<profile>"). Contract-only this milestone: the node-wide fallback SETTING + its rate-limit invocation are deferred to the consuming milestone (the runtime path does not exist yet); this REQ guarantees the ADDRESSING resolves.
2026-06-21T04:47:54.0933655Z - Required stages: doc, unit
2026-06-21T04:47:54.0933693Z 
2026-06-21T04:47:54.0933787Z ### REQ-MANIFEST-7
2026-06-21T04:47:54.0936757Z - Title: Adapter-declared shortcut basename (M12-W2 follow-on): an optional `[adapter] shortcut_basename` manifest field names the basename the `spt endpoint run` picker bakes into the generated `<basename>-<id>` launcher shortcut (REQ-RUN-SHORTCUT). Absent ⇒ the harness-agnostic default `spt` (→ `spt-<id>`); an adapter sets it to brand its shortcuts (claude-spt → `cc` → `cc-<id>`), so the Claude-Code-ness lives in the PUBLISHED adapter manifest, never hardcoded in spt-core. The picker reads it from the RESOLVED manifest of the selected adapter (registry::resolve_option), falling back to `spt` when absent/empty/unresolvable. Additive + N-1-safe (serde-default Option, omitted from serialization when absent; old manifests parse clean); manifest.schema.json regenerated from the derive (ADR-0001, CI drift-gated). Documented in docs/MANIFEST.md `[adapter]` section + the claude-spt worked example — the adapter-author contract perri builds spt-claude-code against.
2026-06-21T04:47:54.0936971Z - Required stages: doc, impl, unit
2026-06-21T04:47:54.0937009Z 
2026-06-21T04:47:54.0937100Z ### REQ-MANIFEST-8
2026-06-21T04:47:54.0939316Z - Title: [adapter] host_binaries declares the harness executable basenames a kind="harness" adapter hosts agents inside (e.g. host_binaries = ["claude"]); bind-time pid→exe-basename match (case-insensitive, .exe-stripped) over the seed's parent_pid selects the candidate adapter set; zero matches → a friendly error naming the binary + the --adapter escape hatch. Additive + N-1-safe: optional Vec<String>, #[serde(default, skip_serializing_if = "Vec::is_empty")] (omitted-serialized like shortcut_basename, old manifests parse clean); manifest.schema.json regenerated from the derive (ADR-0001, CI drift-gated). The match-key for ADR-0021 adapter-agnostic bind-time resolution. (v0.9.0)
2026-06-21T04:47:54.0939464Z - Required stages: doc, impl, unit, int
2026-06-21T04:47:54.0939502Z 
2026-06-21T04:47:54.0939592Z ### REQ-SEAM-SPAWN
2026-06-21T04:47:54.0939693Z - Title: spawn-session seam
2026-06-21T04:47:54.0939789Z - Required stages: impl, unit
2026-06-21T04:47:54.0939812Z 
2026-06-21T04:47:54.0939911Z ### REQ-SEAM-POSTSPAWN
2026-06-21T04:47:54.0940041Z - Title: post-spawn / api bind seam with boot nonce
2026-06-21T04:47:54.0940141Z - Required stages: impl, unit
2026-06-21T04:47:54.0940179Z 
2026-06-21T04:47:54.0940274Z ### REQ-SEAM-PSYCHE
2026-06-21T04:47:54.0940399Z - Title: spawn-psyche seam (fresh + resume templates)
2026-06-21T04:47:54.0940508Z - Required stages: impl, unit, int
2026-06-21T04:47:54.0940546Z 
2026-06-21T04:47:54.0940638Z ### REQ-SEAM-HISTORY
2026-06-21T04:47:54.0940813Z - Title: History subsystem (fetcher / locate-normalize / native store)
2026-06-21T04:47:54.0940919Z - Required stages: impl, unit, int
2026-06-21T04:47:54.0940958Z 
2026-06-21T04:47:54.0941047Z ### REQ-SEAM-ACTIVITY
2026-06-21T04:47:54.0941214Z - Title: Activity/idle reported via api sentinels, not PTY quiescence
2026-06-21T04:47:54.0941310Z - Required stages: impl, unit
2026-06-21T04:47:54.0941343Z 
2026-06-21T04:47:54.0941446Z ### REQ-SEAM-INJECT
2026-06-21T04:47:54.0941604Z - Title: inject-input methods configurable per activity-state
2026-06-21T04:47:54.0941712Z - Required stages: impl, unit
2026-06-21T04:47:54.0941868Z 
2026-06-21T04:47:54.0941974Z ### REQ-SEAM-RESUME
2026-06-21T04:47:54.0942149Z - Title: resume-session seam (fresh-with-preload / continue-existing)
2026-06-21T04:47:54.0942250Z - Required stages: impl, unit
2026-06-21T04:47:54.0942289Z 
2026-06-21T04:47:54.0942384Z ### REQ-SEAM-CAPABILITY
2026-06-21T04:47:54.0942527Z - Title: Hostable endpoint-types capability declaration
2026-06-21T04:47:54.0942632Z - Required stages: impl, unit
2026-06-21T04:47:54.0942655Z 
2026-06-21T04:47:54.0942750Z ### REQ-SEAM-UPDATE
2026-06-21T04:47:54.0942899Z - Title: Adapter-update avenue (file-pull / delegated command)
2026-06-21T04:47:54.0943004Z - Required stages: impl, unit
2026-06-21T04:47:54.0943037Z 
2026-06-21T04:47:54.0943127Z ### REQ-API-1
2026-06-21T04:47:54.0943290Z - Title: api prefix and adapter_name on every machinery invocation
2026-06-21T04:47:54.0943394Z - Required stages: impl, unit, int
2026-06-21T04:47:54.0943519Z 
2026-06-21T04:47:54.0943623Z ### REQ-API-2
2026-06-21T04:47:54.0943820Z - Title: The api subcommand surface (bind/listen/poll/state/worker/boundary/...)
2026-06-21T04:47:54.0943928Z - Required stages: impl, unit, int
2026-06-21T04:47:54.0943961Z 
2026-06-21T04:47:54.0944047Z ### REQ-API-3
2026-06-21T04:47:54.0944177Z - Title: commune/signoff are file-drops, not commands
2026-06-21T04:47:54.0944286Z - Required stages: impl, unit, int
2026-06-21T04:47:54.0944318Z 
2026-06-21T04:47:54.0944404Z ### REQ-API-4
2026-06-21T04:47:54.0945923Z - Title: api resolves the adapter manifest (+ profile + install dir) from `--adapter name:profile` via the registry when `--manifest` is omitted; `--manifest` becomes an optional OVERRIDE (unregistered / local-dev manifests). Removes the require-both-flags redundancy — a registered adapter's live bringup / digest / capability needs only `--adapter` — and yields the precise install dir (the record's source_dir) rather than the --manifest parent, closing the copy-mode psyche-binary edge (v0.8.0)
2026-06-21T04:47:54.0946043Z - Required stages: doc, impl, unit
2026-06-21T04:47:54.0946091Z 
2026-06-21T04:47:54.0946180Z ### REQ-START-1
2026-06-21T04:47:54.0946363Z - Title: Adapters never resolve SPT_HOME; binary on PATH; api bridging only
2026-06-21T04:47:54.0946472Z - Required stages: impl, unit
2026-06-21T04:47:54.0946509Z 
2026-06-21T04:47:54.0956206Z ### REQ-START-2
2026-06-21T04:47:54.0956416Z - Title: Harness-hosted startup: api seed then listen
2026-06-21T04:47:54.0956530Z - Required stages: impl, unit, int
2026-06-21T04:47:54.0956569Z 
2026-06-21T04:47:54.0956670Z ### REQ-START-3
2026-06-21T04:47:54.0956850Z - Title: spt-hosted startup: spawn-session then api bind (no file)
2026-06-21T04:47:54.0956956Z - Required stages: impl, unit, int
2026-06-21T04:47:54.0956994Z 
2026-06-21T04:47:54.0957083Z ### REQ-START-4
2026-06-21T04:47:54.0957208Z - Title: Adapter-injected env aliases (SPT/OWL/LIVE)
2026-06-21T04:47:54.0957318Z - Required stages: impl, unit
2026-06-21T04:47:54.0957356Z 
2026-06-21T04:47:54.0957464Z ### REQ-START-5
2026-06-21T04:47:54.0960360Z - Title: Adapter-agnostic harness-hosted seed + bind-time adapter/profile resolution (ADR-0021): `api seed` carries only parent_pid + session_id (+ optional cwd), no --adapter — a pure "a harness session exists at this pid" record; --adapter becomes an OPTIONAL override across the whole api group (an explicit name[:profile] for adapter dev, never required). Omitted, listen/poll resolve the owning adapter/profile AT BIND as a pure read against the live registry — never a seed-time snapshot that can drift: seed parent_pid → exe basename → host_binaries candidate set (REQ-MANIFEST-8) → active-profile pointer (REQ-INSTALL-12) primary, else greatest-registered_at_ms candidate base profile (name-asc tie) → friendly zero-match error. Covers BOTH LiveAgent (listen) and ReadyAgent (poll) bringup. Restores legacy parity: `$LIVE start <id>` → `$SPT listen <id>` with no mandatory --adapter, one generic SessionStart hook per harness binary. (v0.9.0)
2026-06-21T04:47:54.0960499Z - Required stages: doc, impl, unit, int
2026-06-21T04:47:54.0960684Z 
2026-06-21T04:47:54.0960784Z ### REQ-EP-1
2026-06-21T04:47:54.0960914Z - Title: Day-one endpoint types; open type system
2026-06-21T04:47:54.0961023Z - Required stages: impl, unit
2026-06-21T04:47:54.0961061Z 
2026-06-21T04:47:54.0961162Z ### REQ-EP-2
2026-06-21T04:47:54.0961313Z - Title: Agent endpoints vs Shells distinction in the type model
2026-06-21T04:47:54.0961419Z - Required stages: impl, unit
2026-06-21T04:47:54.0961458Z 
2026-06-21T04:47:54.0961538Z ### REQ-EP-3
2026-06-21T04:47:54.0961710Z - Title: Messaging payloads carry typed operation commands + file blobs
2026-06-21T04:47:54.0961810Z - Required stages: impl, unit
2026-06-21T04:47:54.0961847Z 
2026-06-21T04:47:54.0961933Z ### REQ-EP-4
2026-06-21T04:47:54.0962078Z - Title: PresenceChannel broker endpoint (seam day-one)
2026-06-21T04:47:54.0962176Z - Required stages: impl, unit
2026-06-21T04:47:54.0962205Z 
2026-06-21T04:47:54.0962286Z ### REQ-EP-5
2026-06-21T04:47:54.0963027Z - Title: Concrete shell instantiation model: spawn-mints-instance (vs relink/online), registered-on-node permission + broadcast-is-discovery, per-shell require_approval gate, max_instances_per_owner + over_cap, instance aliasing, discovery scope
2026-06-21T04:47:54.0963137Z - Required stages: impl, unit, int
2026-06-21T04:47:54.0963165Z 
2026-06-21T04:47:54.0963246Z ### REQ-EP-6
2026-06-21T04:47:54.0964677Z - Title: Gateway type acceptance: a Gateway-typed perch binds (api bind --type, open type system — un-hardcode the live_agent default), advertises/addressable like any endpoint, owns shells (owner validation not agent-family-gated), subscribes to digests, and is the user-msg identity gate's user-backed origin (REQ-MSG-5); in-tree mock-gateway fixture (R-DOCS-2 pattern, no downstream adapter code). Cross-node WAN Gateway-origin (registry endpoint_type trust) tracked by REQ-MSG-6
2026-06-21T04:47:54.0964781Z - Required stages: doc, impl, unit
2026-06-21T04:47:54.0964820Z 
2026-06-21T04:47:54.0964911Z ### REQ-EP-7
2026-06-21T04:47:54.0966524Z - Title: Durable live-role.md: a per-agent broad-purpose statement in tracked/agents/<id>/ beside live-context.md (replicates with the mind on the same a-<id> branch); renders FIRST at start-transition context injection (role -> live-context -> project-context); SOLE writer `spt endpoint role --overwrite <file>` — mechanical no-automated-writer guarantee (echo-commune ingest / signoff / Psyche reconcile structurally exclude it). The user-backed-origin hard gate on the writer is a deferred later tightening (rides the user-msg identity plumbing)
2026-06-21T04:47:54.0966634Z - Required stages: doc, impl, unit
2026-06-21T04:47:54.0966667Z 
2026-06-21T04:47:54.0966752Z ### REQ-INST-1
2026-06-21T04:47:54.0966905Z - Title: endpoint ID vs instance split (adapter-agnostic ID)
2026-06-21T04:47:54.0966991Z - Required stages: 
2026-06-21T04:47:54.0967029Z 
2026-06-21T04:47:54.0967110Z ### REQ-INST-2
2026-06-21T04:47:54.0967225Z - Title: Per-node files, synced Psyche mind
2026-06-21T04:47:54.0967333Z - Required stages: impl, unit
2026-06-21T04:47:54.0967377Z 
2026-06-21T04:47:54.0967463Z ### REQ-INST-3
2026-06-21T04:47:54.0967606Z - Title: Dormant (warm) / suspended (cold) resting states
2026-06-21T04:47:54.0967706Z - Required stages: doc, impl, unit
2026-06-21T04:47:54.0967734Z 
2026-06-21T04:47:54.0967827Z ### REQ-INST-4
2026-06-21T04:47:54.0967996Z - Title: active to dormant/suspended fires a transition echo commune
2026-06-21T04:47:54.0968095Z - Required stages: impl, unit
2026-06-21T04:47:54.0968124Z 
2026-06-21T04:47:54.0968210Z ### REQ-INST-5
2026-06-21T04:47:54.0968365Z - Title: Two-tier context sync (live to all, project to same-project)
2026-06-21T04:47:54.0968471Z - Required stages: impl, unit, int
2026-06-21T04:47:54.0968499Z 
2026-06-21T04:47:54.0968581Z ### REQ-INST-6
2026-06-21T04:47:54.0968751Z - Title: Deferred messages not delivered to dormant/suspended instances
2026-06-21T04:47:54.0968853Z - Required stages: impl, unit, int
2026-06-21T04:47:54.0968890Z 
2026-06-21T04:47:54.0969056Z ### REQ-INST-7
2026-06-21T04:47:54.0969304Z - Title: Subnet registry + bare-id resolution policy
2026-06-21T04:47:54.0969415Z - Required stages: impl, unit, int
2026-06-21T04:47:54.0969453Z 
2026-06-21T04:47:54.0969538Z ### REQ-INST-8
2026-06-21T04:47:54.0969691Z - Title: Remote-control mode distinct from local operation
2026-06-21T04:47:54.0969792Z - Required stages: impl, unit, int
2026-06-21T04:47:54.0969825Z 
2026-06-21T04:47:54.0969911Z ### REQ-INST-9
2026-06-21T04:47:54.0970083Z - Title: Multi-subnet membership (same-user N subnets; cross-user seam)
2026-06-21T04:47:54.0970182Z - Required stages: impl, unit
2026-06-21T04:47:54.0970215Z 
2026-06-21T04:47:54.0970306Z ### REQ-INST-10
2026-06-21T04:47:54.0970501Z - Title: Qualified addressing [subnet:]id[@node] + ambiguity forces qualification
2026-06-21T04:47:54.0970606Z - Required stages: impl, unit
2026-06-21T04:47:54.0970641Z 
2026-06-21T04:47:54.0970727Z ### REQ-INST-11
2026-06-21T04:47:54.0970934Z - Title: spt rename <id> rippled to all instances (collision-checked, 6.5-reconciled)
2026-06-21T04:47:54.0971136Z - Required stages: impl, unit
2026-06-21T04:47:54.0971178Z 
2026-06-21T04:47:54.0971258Z ### REQ-INST-12
2026-06-21T04:47:54.0971530Z - Title: Endpoint visibility per-(endpoint,subnet): excluded semantics, OR-of-defaults + override, gates sync
2026-06-21T04:47:54.0971631Z - Required stages: impl, unit
2026-06-21T04:47:54.0971670Z 
2026-06-21T04:47:54.0971759Z ### REQ-INST-13
2026-06-21T04:47:54.0971926Z - Title: Subnet-exclusive sync + per-endpoint subnet-membership list
2026-06-21T04:47:54.0972027Z - Required stages: impl, unit
2026-06-21T04:47:54.0972065Z 
2026-06-21T04:47:54.0972155Z ### REQ-INST-14
2026-06-21T04:47:54.0972503Z - Title: Resource advertisement (subnet resource registry): free-text blurb, both-authored, registry projection, visibility/whitelist-gated
2026-06-21T04:47:54.0972614Z - Required stages: doc, impl, unit
2026-06-21T04:47:54.0972652Z 
2026-06-21T04:47:54.0972736Z ### REQ-INST-15
2026-06-21T04:47:54.0973425Z - Title: Immutable home subnet (assigned at creation: auto-if-one/ask-if-many) + spt fork (cross-subnet clone to a new identity, copy-then-diverge, not re-home); adapter chosen at creation from registered hostable adapters, changed only via launch/resume-under-new (ADR-0010)
2026-06-21T04:47:54.0973534Z - Required stages: doc, impl, unit
2026-06-21T04:47:54.0973572Z 
2026-06-21T04:47:54.0973659Z ### REQ-REACH-1
2026-06-21T04:47:54.0973787Z - Title: Off-node remote-drive detection + file transfer
2026-06-21T04:47:54.0973897Z - Required stages: impl, unit, int
2026-06-21T04:47:54.0973931Z 
2026-06-21T04:47:54.0974022Z ### REQ-REACH-2
2026-06-21T04:47:54.0974173Z - Title: Remote command execution (deferred, consent-gated)
2026-06-21T04:47:54.0974260Z - Required stages: 
2026-06-21T04:47:54.0974302Z 
2026-06-21T04:47:54.0974392Z ### REQ-MSG-1
2026-06-21T04:47:54.0974812Z - Title: Local message delivery: TCP-first to a registered address, spool fallback when offline; id->address via registry (stale-clean first); reply routing (__REPLY_TO__)
2026-06-21T04:47:54.0974918Z - Required stages: impl, unit, int
2026-06-21T04:47:54.0974955Z 
2026-06-21T04:47:54.0975036Z ### REQ-MSG-2
2026-06-21T04:47:54.0975284Z - Title: spt binary CLI surface: send/ring/ready(+--once)/list/stop/whoami, stable arg shapes + exit codes
2026-06-21T04:47:54.0975389Z - Required stages: impl, unit
2026-06-21T04:47:54.0975418Z 
2026-06-21T04:47:54.0975505Z ### REQ-MSG-3
2026-06-21T04:47:54.0975863Z - Title: Ready-agent lifecycle: register perch (info.json + listener + registry address) on ready, drain spooled backlog on startup, clean teardown
2026-06-21T04:47:54.0975971Z - Required stages: impl, unit, int
2026-06-21T04:47:54.0976009Z 
2026-06-21T04:47:54.0976089Z ### REQ-MSG-4
2026-06-21T04:47:54.0976869Z - Title: Listener stream stdout emits EVENT envelope lines (sister-format, ADR-0001): parse the __REPLY_TO__ frame, pass pre-formed typed envelopes through verbatim (no double-wrap), compose <EVENT type="msg" from=…> otherwise, chunk oversized lines into EVENT-PART
2026-06-21T04:47:54.0977065Z - Required stages: impl, unit, int
2026-06-21T04:47:54.0977089Z 
2026-06-21T04:47:54.0977179Z ### REQ-MSG-ENVELOPE
2026-06-21T04:47:54.0980805Z - Title: The <EVENT type="msg" from=…>body</EVENT> envelope (spt-proto::event, the ADR-0001 grammar) is the SOLE canonical arriving-message format at EVERY harness arriving-message surface on an AGENT perch — api listen AND api poll/worker-poll, byte-identical (reverses REQ-MSG-4's 'hook drains keep the raw frame by contract'). SCOPE CARVE-OUT: the shell-command relay (api poll <shell-id> --link, cmd_poll_shell) is a distinct internal transport carrying RAW MAC'd stamped frames the shell child consumes verbatim — NOT an arriving-message surface, deliberately EXEMPT from <EVENT> composition (notify_shell_e2e guards this boundary). __REPLY_TO__ — mis-elevated during the clean-room port to a fake ADR-0001 'stable wire format' (spt-msg/wire.rs, lib.rs) — is REMOVED entirely (spool format_row, the spt-msg TCP frame, emit parse_frame); (from, body) carried structurally, <EVENT> composed once at the delivery boundary. No legacy sister-interop (spt-core never required it). Reply-correlation rebinds onto the structural from / <EVENT from=…> attribute (ADR-0009 access-gate + ADR-0012 Psyche/spt-live reply-target). Self-delimiting by construction → finding F-002 (non-self-delimiting multi-message poll) dissolves. ADR-0020.
2026-06-21T04:47:54.0981057Z - Required stages: doc, impl, unit, int
2026-06-21T04:47:54.0981085Z 
2026-06-21T04:47:54.0981171Z ### REQ-MSG-5
2026-06-21T04:47:54.0981866Z - Title: user-msg envelope kind + daemon identity gate: a Gateway endpoint / the local user's CLI author user-msg (the user's authority); agent-family senders re-stamped to plain msg; identity-gated never payload-trusted (KH 7.3/7.5); wire-additive (N-1 receivers tolerate the new type)
2026-06-21T04:47:54.0981977Z - Required stages: doc, impl, unit
2026-06-21T04:47:54.0982015Z 
2026-06-21T04:47:54.0982104Z ### REQ-MSG-6
2026-06-21T04:47:54.0983659Z - Title: cross-node Gateway user-msg honored via advertised endpoint_type: a user-msg from a Gateway-typed origin survives the receive_wan funnel as user-msg (vs the fail-closed re-stamp), keyed on the QUIC-handshake-proven origin node (never wire `from`). Trust boundary = subnet membership (operator-ratified 2026-06-13); no defense against an in-subnet member forging the type. Instance.endpoint_type is an additive serde-default field extending REQ-INST-7's data model. Absent/unknown type → re-stamp (N-1 rollout grace)
2026-06-21T04:47:54.0983777Z - Required stages: doc, impl, unit
2026-06-21T04:47:54.0983811Z 
2026-06-21T04:47:54.0983906Z ### REQ-NODE-IDENTITY
2026-06-21T04:47:54.0984119Z - Title: Ed25519 identity primitive: keypair, detached sign/verify, stable pubkey<->hex
2026-06-21T04:47:54.0984214Z - Required stages: impl, unit
2026-06-21T04:47:54.0984253Z 
2026-06-21T04:47:54.0984337Z ### REQ-NET-1
2026-06-21T04:47:54.0984510Z - Title: WAN messaging first-class, behind default-on net feature flag
2026-06-21T04:47:54.0984615Z - Required stages: impl, unit, int
2026-06-21T04:47:54.0984647Z 
2026-06-21T04:47:54.0984733Z ### REQ-NET-2
2026-06-21T04:47:54.0984896Z - Title: n0 relay default + self-host knob + plain-language disclosure
2026-06-21T04:47:54.0984995Z - Required stages: impl
2026-06-21T04:47:54.0985024Z 
2026-06-21T04:47:54.0985111Z ### REQ-NET-3
2026-06-21T04:47:54.0985272Z - Title: Cross-node Psyche sync over P2P replaces gh-repo-sync
2026-06-21T04:47:54.0985367Z - Required stages: impl, unit
2026-06-21T04:47:54.0985402Z 
2026-06-21T04:47:54.0985497Z ### REQ-PAIR-1
2026-06-21T04:47:54.0985597Z - Title: TOTP-seeded SPAKE2 pairing
2026-06-21T04:47:54.0985702Z - Required stages: impl, unit, int
2026-06-21T04:47:54.0985741Z 
2026-06-21T04:47:54.0985831Z ### REQ-PAIR-2
2026-06-21T04:47:54.0985964Z - Title: Local trust store with TOFU + warn-on-change
2026-06-21T04:47:54.0986055Z - Required stages: 
2026-06-21T04:47:54.0986080Z 
2026-06-21T04:47:54.0986169Z ### REQ-PAIR-3
2026-06-21T04:47:54.0986312Z - Title: Fetch current pairing code from any paired node
2026-06-21T04:47:54.0986516Z - Required stages: impl, unit
2026-06-21T04:47:54.0986540Z 
2026-06-21T04:47:54.0986630Z ### REQ-PAIR-4
2026-06-21T04:47:54.0986735Z - Title: Subnet naming on first pairing
2026-06-21T04:47:54.0986824Z - Required stages: impl, unit
2026-06-21T04:47:54.0986857Z 
2026-06-21T04:47:54.0986956Z ### REQ-PAIR-5
2026-06-21T04:47:54.0987238Z - Title: Multi-subnet pairing: subnet-name discovery input, create-new-names-up-front, rendezvous-token hashing
2026-06-21T04:47:54.0987349Z - Required stages: impl, unit, int
2026-06-21T04:47:54.0987382Z 
2026-06-21T04:47:54.0987468Z ### REQ-PAIR-6
2026-06-21T04:47:54.0987711Z - Title: Elevation-gated per-subnet code fetch (UAC/root or elevated agent; else authenticator app)
2026-06-21T04:47:54.0987811Z - Required stages: impl, unit
2026-06-21T04:47:54.0987848Z 
2026-06-21T04:47:54.0987935Z ### REQ-PAIR-7
2026-06-21T04:47:54.0988087Z - Title: Subnet icon (inline image metadata, GUI-only consumer)
2026-06-21T04:47:54.0988259Z - Required stages: 
2026-06-21T04:47:54.0988303Z 
2026-06-21T04:47:54.0988383Z ### REQ-SUBNET-1
2026-06-21T04:47:54.0988693Z - Title: spt subnet noun namespace: status view (bare + status [NAME] [--nodes]), create (QR/otpauth), show-code; spt pair deleted
2026-06-21T04:47:54.0988793Z - Required stages: impl, unit
2026-06-21T04:47:54.0988831Z 
2026-06-21T04:47:54.0988927Z ### REQ-SUBNET-2
2026-06-21T04:47:54.0989221Z - Title: Guided join e2e: spt subnet join CLI initiator + always-on daemon pairing responder
2026-06-21T04:47:54.0989316Z - Required stages: impl, unit, int
2026-06-21T04:47:54.0989353Z 
2026-06-21T04:47:54.0989433Z ### REQ-SUBNET-3
2026-06-21T04:47:54.0989692Z - Title: Node labels: hostname-default, gossiped, addressable in @node qualifiers (refuse-on-ambiguity)
2026-06-21T04:47:54.0989795Z - Required stages: impl, unit
2026-06-21T04:47:54.0989828Z 
2026-06-21T04:47:54.0989916Z ### REQ-SUBNET-4
2026-06-21T04:47:54.0990172Z - Title: Subnet membership mutations elevation-gated (create = seed reveal; join = trust-boundary enrollment)
2026-06-21T04:47:54.0990287Z - Required stages: impl, unit
2026-06-21T04:47:54.0990321Z 
2026-06-21T04:47:54.0990406Z ### REQ-DOCS-6
2026-06-21T04:47:54.0990716Z - Title: spt how-to <topic>: in-binary task-oriented agent instructions (anti-drift; quickstart prompts point agents at it)
2026-06-21T04:47:54.0990816Z - Required stages: impl, unit, int
2026-06-21T04:47:54.0990840Z 
2026-06-21T04:47:54.0990921Z ### REQ-SEC-1
2026-06-21T04:47:54.0991293Z - Title: Per-endpoint access whitelist: origin-node gate, stateful-firewall (reply/outbound exempt), node-now/user-later, outer gate before grants
2026-06-21T04:47:54.0991393Z - Required stages: impl, unit
2026-06-21T04:47:54.0991426Z 
2026-06-21T04:47:54.0991514Z ### REQ-NOTIF-1
2026-06-21T04:47:54.0991856Z - Title: Notification primitive: per-subnet replicated spool, seen/dismissed, resurface-at-boundary, subsumes update+consent prompts
2026-06-21T04:47:54.0991955Z - Required stages: impl, unit, int
2026-06-21T04:47:54.0991993Z 
2026-06-21T04:47:54.0992078Z ### REQ-NOTIF-2
2026-06-21T04:47:54.0992327Z - Title: spt notify (agent-issued subnet notif) + notif_command manifest seam (harness + shell adapters)
2026-06-21T04:47:54.0992441Z - Required stages: doc, impl, unit, int
2026-06-21T04:47:54.0992465Z 
2026-06-21T04:47:54.0992551Z ### REQ-UPD-1
2026-06-21T04:47:54.0992669Z - Title: Peer-propagated update over P2P
2026-06-21T04:47:54.0992776Z - Required stages: impl, unit, int
2026-06-21T04:47:54.0992809Z 
2026-06-21T04:47:54.0992889Z ### REQ-UPD-2
2026-06-21T04:47:54.0993022Z - Title: All binaries signature-verified before handoff
2026-06-21T04:47:54.0993133Z - Required stages: impl, unit
2026-06-21T04:47:54.0993171Z 
2026-06-21T04:47:54.0993252Z ### REQ-UPD-3
2026-06-21T04:47:54.0993429Z - Title: No endpoint process terminates/suspends during self-update
2026-06-21T04:47:54.0993538Z - Required stages: impl, unit, int
2026-06-21T04:47:54.0993571Z 
2026-06-21T04:47:54.0993656Z ### REQ-UPD-4
2026-06-21T04:47:54.0993829Z - Title: Update gated on user confirmation by default; opt-in full-auto
2026-06-21T04:47:54.0994039Z - Required stages: impl, unit
2026-06-21T04:47:54.0994073Z 
2026-06-21T04:47:54.0994158Z ### REQ-UPD-5
2026-06-21T04:47:54.0994290Z - Title: spt-core ripple-updates registered adapters
2026-06-21T04:47:54.0994385Z - Required stages: impl, unit
2026-06-21T04:47:54.0994419Z 
2026-06-21T04:47:54.0994499Z ### REQ-UPD-6
2026-06-21T04:47:54.0995293Z - Title: Platform-targeted update sets and debug rollout: signed multi-platform update metadata, recipient platform selection, channel-scoped monotonic counters, debug-channel opt-in via release-key overlay, local staging plus pull-based peer propagation, and maintainer-only convergence tooling (ADR-0016)
2026-06-21T04:47:54.0995390Z - Required stages: doc, impl, unit, int
2026-06-21T04:47:54.0995428Z 
2026-06-21T04:47:54.0995508Z ### REQ-UPD-7
2026-06-21T04:47:54.0997479Z - Title: Origin-source update bootstrap (`spt update fetch`): pull the latest signed release directly from the GitHub release origin (`SaberMage/spt-releases`) — the per-platform artifact + its `<asset>.release.json` SignedRelease metadata — and stage it through the EXISTING verify→stage pipeline (the same `plan_verified` gate: two-key signature + channel + monotonic rollback floor + SHA-256), after which the normal consent-notif / `spt update apply` flow is unchanged. Closes the peer-only-discovery gap (REQ-UPD-1): a first-in-fleet / isolated node can update with no peer to pull from. The signed-release anchor keeps the GitHub transport untrusted-but-verified.
2026-06-21T04:47:54.0997685Z - Required stages: impl, unit
2026-06-21T04:47:54.0997723Z 
2026-06-21T04:47:54.0997808Z ### REQ-UPD-8
2026-06-21T04:47:54.1000351Z - Title: Platform-safe `spt update fetch` + apply platform-guard (v0.3.1 cross-OS brick fix): `spt update fetch` stages the signed multi-platform `SignedUpdateSet` (`update-set.json` + every platform artifact it names), never a platform-blind single `SignedRelease`, so local apply selects `current_platform()` and P2P re-serve lets each peer select ITS own platform. Defense-in-depth: `apply_staged` REFUSES a staged single-release artifact unless it is platform-stamped for THIS node (an unstamped pre-v0.3.2 single, or a single stamped for another OS, fail-safe refuses — the guard that alone prevents the v0.3.1 brick where a Linux ELF was applied as `spt.exe`). UX: a friendly post-apply message (`Updated spt-core to vX.Y.Z.` + changelog URL) driven by an additive `product_version` metadata field, with a release-counter fallback when absent.
2026-06-21T04:47:54.1000476Z - Required stages: impl, unit
2026-06-21T04:47:54.1000514Z 
2026-06-21T04:47:54.1000595Z ### REQ-UPD-9
2026-06-21T04:47:54.1003088Z - Title: `gh_release` adapter [update] avenue (optional signing): an adapter declares `[update] avenue = "gh_release", repo = "user/repo"` (+ optional `asset`, default `adapter.spt`; + optional Ed25519 `signing_key`); spt-core's ripple compares the repo's LATEST GitHub release version against the installed adapter version and, when newer, auto-updates by fetching the release `.spt` archive (the REQ-INSTALL-9 `--release` fetch primitive) → verifies the `.spt` against `signing_key` if declared, else HTTPS+GitHub first-acquisition trust → re-extracts + re-registers the adapter root. Lets a harness adapter ship updates from its own GitHub releases with NO signing tooling or plugin coupling (removes the perri file_pull/delegated avenue blockers). Acquisition-trust mirrors `--release` + the installer first-fetch; does not alter spt-core self-update (REQ-UPD-1..8).
2026-06-21T04:47:54.1003206Z - Required stages: doc, impl, unit
2026-06-21T04:47:54.1003244Z 
2026-06-21T04:47:54.1003341Z ### REQ-TERM-1
2026-06-21T04:47:54.1003493Z - Title: Process-supervisor terminal wrapper hosting broker PTYs
2026-06-21T04:47:54.1003597Z - Required stages: impl, unit
2026-06-21T04:47:54.1003631Z 
2026-06-21T04:47:54.1003721Z ### REQ-TERM-2
2026-06-21T04:47:54.1003888Z - Title: session-surface abstraction; send-keys + send-line injection
2026-06-21T04:47:54.1004093Z - Required stages: impl, unit
2026-06-21T04:47:54.1004131Z 
2026-06-21T04:47:54.1004216Z ### REQ-TERM-3
2026-06-21T04:47:54.1004347Z - Title: Byte-stream remote terminal streaming for v1
2026-06-21T04:47:54.1004441Z - Required stages: impl, unit
2026-06-21T04:47:54.1004469Z 
2026-06-21T04:47:54.1004561Z ### REQ-TERM-4
2026-06-21T04:47:54.1005017Z - Title: Live activity buffer (session digest): projection of normalized session logs, snapshot-pull (spt endpoint digest) + structured-delta-stream contract + api digest-entry push
2026-06-21T04:47:54.1005124Z - Required stages: impl, unit, int
2026-06-21T04:47:54.1005158Z 
2026-06-21T04:47:54.1005244Z ### REQ-TERM-5
2026-06-21T04:47:54.1006727Z - Title: Adapter-declared digest extractor seam: a `[digest]` manifest section declaring an imperative extractor (native harness log -> the {role,text,tool,ts} contract; defaults to the [history] source files with an own-source escape hatch), `api digest-entry` push fallback, register-time validation of the section, adapter-declared presentation defaults (window depth, arg-truncation, sprint-collapse) that any consumer may override, and a `spt adapter digest-proof` author tool plus runtime skip-diagnostics (no silent drop). Reverses M9's no-manifest-seam stance; no declarative DSL.
2026-06-21T04:47:54.1006932Z - Required stages: doc, impl, unit, int
2026-06-21T04:47:54.1006970Z 
2026-06-21T04:47:54.1007060Z ### REQ-TERM-6
2026-06-21T04:47:54.1008096Z - Title: Thread-spanning digest across session boundaries: a per-endpoint session ledger (`<perch>/sessions.log`) appended at first bind and by `api boundary` on `/clear`|`/compact` session rotation, the digest enumerating the last K sessions so its rolling window bridges a boundary, and a distinctive in-timeline boundary marker (DigestEntry::Boundary). The digest follows the live-agent thread, not a single session.
2026-06-21T04:47:54.1008188Z - Required stages: impl, unit, int
2026-06-21T04:47:54.1008221Z 
2026-06-21T04:47:54.1008316Z ### REQ-TERM-7
2026-06-21T04:47:54.1009499Z - Title: Two-origin digest merge: spt-owned context-injection entries (psyche_download | echo_mirror | owl_message) appended by spt to the endpoint `digest.log`, timestamp-interleaved with the adapter's extracted activity records into one ordered timeline, via a distinct context-injection record category. Data model only this milestone; GUI collapse/expand and the echo-reads-digest delta loop are deferred to the surfaces that consume them.
2026-06-21T04:47:54.1009599Z - Required stages: impl, unit, int
2026-06-21T04:47:54.1009636Z 
2026-06-21T04:47:54.1009728Z ### REQ-FRONT-1
2026-06-21T04:47:54.1009898Z - Title: Day-one launcher/manager frontend (list/launch/attach/init)
2026-06-21T04:47:54.1009990Z - Required stages: 
2026-06-21T04:47:54.1010024Z 
2026-06-21T04:47:54.1010119Z ### REQ-HOST-RUN-1
2026-06-21T04:47:54.1012432Z - Title: spt-hosted harness bringup: `spt endpoint run` spawns an adapter's `[session.self]` command template into a broker-held PTY (the spawn-session seam, brain.rs spawn_session_pid — same broker path shellhost.rs launch_shell_brokered_in uses for shells, now for kind="harness" self-role), registers the perch under the given endpoint id, returns the id. Reverses today's harness-hosted-only launch (external launcher → `api bind`). Non-interactive flag set (--adapter <a[:profile]> --id <id> --create --resume <session> --attach|--start|--view) covers every terminal action of the W2 interactive picker so shortcuts (cc-<id>) bake fully non-interactive launches; composite adapter:profile resolves via registry::resolve_option leaf-replace overlay.
2026-06-21T04:47:54.1012547Z - Required stages: impl, unit, int
2026-06-21T04:47:54.1012571Z 
2026-06-21T04:47:54.1012663Z ### REQ-RC-1
2026-06-21T04:47:54.1014625Z - Title: `spt rc <id>` — user CLI attaching a local terminal to a broker-held PTY, reusing the cross-node attach machinery (attach.rs request_attach → send_attach_input pump, spt-net AttachRecord codec); local attach is the degenerate single-node case of the cross-node path (rides REQ-TERM-3 byte-stream streaming). Read-only `--view` (watch, no stdin forwarded). Clean detach that does NOT terminate the broker-held session (KNOWN-HAZARDS: PTY ownership stays with the broker; no termination on detach). Explicit detach keybind that cannot collide with harness passthrough input (legacy capsule used a ctrl-b prefix); documented. ConPTY DSR auto-answer in the attach reader (hazard 5.5).
2026-06-21T04:47:54.1014840Z - Required stages: impl, unit, int
2026-06-21T04:47:54.1014874Z 
2026-06-21T04:47:54.1014973Z ### REQ-HOST-RUN-2
2026-06-21T04:47:54.1016648Z - Title: Project-scoped working directory for spt-hosted bringup: `spt endpoint run` lands the broker-spawned harness PTY in the user's PROJECT cwd, not the daemon's, via an additive `SpawnReq.cwd` field carried through the broker PTY spawn (portable-pty CommandBuilder cwd). N-1-safe wire change (additive, defaulted). Required because the consumer (Claude Code) is project-scoped: broker-inherited cwd = the daemon's cwd = the wrong `.claude`, wrong session history, wrong digest source; `cc <id>` at a project root MUST land the harness in that project. W1 ships broker-inherited cwd as a bringup-proof shortcut only; this REQ must land before the M12 gate (doyle, 2026-06-14).
2026-06-21T04:47:54.1016872Z - Required stages: impl, unit, int
2026-06-21T04:47:54.1016910Z 
2026-06-21T04:47:54.1017009Z ### REQ-RUN-PICKER
2026-06-21T04:47:54.1021743Z - Title: Interactive `spt endpoint run` picker (ratatui TUI): bare `spt endpoint run` (no --adapter/--id) enters an in-process picker (flags-present = the REQ-HOST-RUN-1 non-interactive path, untouched). Layer 1 picks kind (Create new | Pick existing). Create-new: choose a registered kind="harness" adapter with its shipped+local profiles tree-nested (registry::registered / manifest.profiles / local_profile_names) → enter a charset-validated id → start. Pick-existing: category select (left/right) over [<cwd-project> | Local node | Subnet], endpoints grouped + alphabetically sorted per category, a status square per endpoint (online green ■ / offline gray ▢ — the blue "attached" tri-state + Kick are DEFERRED to a broker attach-presence slice, M12-W2-RULING Q1), type-to-filter (`/`, nucleo-matcher), a pinned keybind legend, and a right-half two-pane description (harness adapter:profile · best-effort project history newest→oldest from the contextstore p-<project> branches, empty-if-none · `spt endpoint description`). Confirm layer offers status-dependent options — Attach/Start/View (rc pump / cmd_endpoint_run) · Instantiate-locally (remote) · Change-harness-adapter (offline) · Fork (cmd_fork) · Resume-from-history (offline+LOCAL only; enumerate spt_store::sessions::last_k, titles `<project> @ <ts> (…id5)`, feed session_id → cmd_endpoint_run --resume). A single action enum is the source of truth so a future tap-mode (phone PTY) layers on without re-coupling to keybinds. EVERY terminal action routes through cmd_endpoint_run / existing CLI fns — no second bringup path.
2026-06-21T04:47:54.1021882Z - Required stages: doc, impl, unit
2026-06-21T04:47:54.1021920Z 
2026-06-21T04:47:54.1022010Z ### REQ-RUN-SHORTCUT
2026-06-21T04:47:54.1026616Z - Title: `<basename>-<id>` launcher shortcut generation (picker `s` keybind, M12-W2-T2.4): from any pre-start options set the picker writes/updates a `<basename>-<id>` launcher at the project root baking the current selection's non-interactive `spt endpoint run` flags (terminal actions only: adapter[:profile] + id + (create|resume) + (start|attach|view); Kick/Instantiate/Change-adapter/Fork are interactive-only, not bakeable). BASENAME IS A PARAMETER (operator rev. 2026-06-14): harness-agnostic spt-core defaults to `spt` (→ `spt-<id>`); an adapter/flow OVERRIDES it (spt-claude-code → `cc`), so spt-core NEVER bakes `cc` (a harness name) into itself. The basename must be a DISTINCT token, never bare `spt` (a `spt.cmd` would shadow the real `spt.exe` only under cmd.exe cwd-first search, silently no-op in PowerShell/Unix, and self-recurse). The script is the CURRENT OS's native form — `.cmd` on Windows (NOT `.ps1`: default PATHEXT excludes `.ps1` so a bare/ext-less name never resolves one; `.cmd` is PATHEXT-resolvable), POSIX `sh` (+chmod +x) on Unix (a single portable form can't be both). The generated header documents the invocation reality (cmd.exe bare `<name>` in the project dir / PowerShell `.\<name>` / Unix `./<name>`; a truly-bare basename on PATH = a PATH-installed launcher, `/spt:setup`'s job). Overwrite is SENTINEL-guarded: the generator writes + checks a generated-by header marker — it overwrites its own prior output freely, but REFUSES + warns if a same-named file lacks the sentinel (never clobber a user file). Requires the additive `--create` flag on `Run{}` (the default-fresh made explicit; N-1-safe).
2026-06-21T04:47:54.1026831Z - Required stages: doc, impl, unit
2026-06-21T04:47:54.1026874Z 
2026-06-21T04:47:54.1026959Z ### REQ-ELEVATE-1
2026-06-21T04:47:54.1030066Z - Title: Cross-platform self-elevating re-launch for privilege-gated commands: a pure decision seam `decide_elevation_path(os, elevation, interactive_tty, has_display, has_pkexec, has_term_emulator) -> ElevatePath{AlreadyElevated, InlineSudo, UacWindow, Pkexec, TerminalEmulator, PrintHint}` selecting how to re-acquire privilege, and the per-OS impure launchers it dispatches — Windows UAC console (ShellExecuteW `runas` on the abs-exe + verbatim argv; the elevated child does the work, prints 'You can close this window', and pauses for a keypress; the original prints 'Elevated terminal launched…' and exits 0; NEVER pipes the child's stdout back across the privilege boundary), Linux desktop pkexec (preferred, native polkit GUI auth) else x-terminal-emulator -e sudo (fallback list x-terminal-emulator→gnome-terminal→konsole→xterm), the existing interactive-TTY inline sudo, and the headless/no-path floor that prints the absolute-path command. Reused by every gated command (not subnet-specific). Generalizes should_auto_elevate.
2026-06-21T04:47:54.1030286Z - Required stages: doc, impl, unit
2026-06-21T04:47:54.1030328Z 
2026-06-21T04:47:54.1030423Z ### REQ-WHOAMI-1
2026-06-21T04:47:54.1031984Z - Title: `spt whoami` is a thin ALIAS for `spt endpoint list` (full output: the SELF pin + the subnet roster) — the standalone bare-id command is dropped (the `id=$(spt whoami)` capture was never a real pattern: env vars don't persist between agent tool calls). The one new render: the `endpoint list` SELF pin carries the Self endpoint's authored `endpoint description` (info::read_info(...).resources) when present, inline after the liveness state. whoami stays a top-level hot-path verb (parse unchanged, REQ-MSG-9).
2026-06-21T04:47:54.1032093Z - Required stages: doc, impl, unit
2026-06-21T04:47:54.1032127Z 
2026-06-21T04:47:54.1032213Z ### REQ-RCVIEW-1
2026-06-21T04:47:54.1036583Z - Title: Remote-attach controller/viewer model (CONTEXT.md:317): a session's broker OutputLog serves ONE interactive controller (input + EXCLUSIVE PTY resize; its viewport sets the size, sent on attach + every window change via crossterm Event::Resize) plus ANY NUMBER of read-only `--view` attachers (output-only, no input, no resize; client-side letterbox — center+pad when larger, clip+1-line indicator when smaller; only the local ctrl-b d detach chord). Attach intent is three-valued (`Viewer | Control | Take`, wire-default Control): Control to a FREE endpoint becomes controller, Control to a CONTROLLED endpoint is REFUSED with guidance (`--view`/`--take`) — never auto-viewer, never silent-displace. Wire adds (additive, N-1 skip-unknown): `Request.intent`, `Resize{rows,cols}` (controller-only), `Size{rows,cols}` (→viewer), `Displaced{by}` (→displaced controller). The brain-resume cursor (delivered_through, ADR-0018) tracks the CONTROLLER ONLY; viewers replay from their own from_seq and never move it. Dormancy keys on the controller ONLY: controller attach wakes / controller detach goes dormant (even with viewers present); viewer attach/detach is wake-neutral and may watch a dormant endpoint as-is. v1: viewing is gated identically to driving — a viewer runs the same access_check(Unsolicited) as a controller (watching reveals full session contents = a real disclosure); a lighter distinct watch-gate is deferred to cross-subnet/finer-consent (CONTEXT.md:317 'driving ≠ watching' = the future seam).
2026-06-21T04:47:54.1036834Z - Required stages: doc, impl, unit, int
2026-06-21T04:47:54.1036871Z 
2026-06-21T04:47:54.1036963Z ### REQ-KICK-1
2026-06-21T04:47:54.1039469Z - Title: Explicit, loud controller displacement: `spt rc kick <target>` / `--take` (Take intent) kicks the incumbent controller and becomes controller; the displaced controller receives a LOUD `Displaced{by}` notice and is FULLY DETACHED (not demoted to a viewer). A default attach to a controlled endpoint is NEVER a silent displace (it is the Control busy-refusal). An old (N-1) rc omits intent → Control, so it can drive a free endpoint but CANNOT `--take` — it can never silently steal, and gets a clean busy-refusal instead. Taking control rides the same access_check(endpoint, origin, Unsolicited) as a normal control attach (if you may drive, you may take — no elevated kick policy). The picker surfaces 'Kick <node> and attach' (Take) only on a controlled (blue ■) endpoint, via the existing attach dispatch (single-bringup-path: intent is a parameter).
2026-06-21T04:47:54.1039705Z - Required stages: doc, impl, unit, int
2026-06-21T04:47:54.1039728Z 
2026-06-21T04:47:54.1039825Z ### REQ-PICKER-1
2026-06-21T04:47:54.1043346Z - Title: The picker renders a FOUR-state endpoint status (extending the W2 online/offline duality): the list-item square AND a color-coded STATUS line at the top of the pick-existing right-side details both show — gray OFFLINE; green ONLINE (online + PTY-controllable spt-hosted, not controlled); amber 'ONLINE - HARNESS ONLY' (online but NOT broker-PTY-controllable = harness-hosted, no broker PTY seat — today mis-shows green); blue 'ONLINE + CONTROLLED' (online + driven_by.is_some()). Derived on EndpointRow from {offline | controllable | driven_by} with precedence offline→gray, else driven_by→blue, else !controllable→amber, else green (driven_by outranks harness-only; mutually exclusive in practice — a harness-only endpoint has no broker PTY to control). The controllable discriminator is a NEW InfoJson.controllable: Option<bool> (serde-default, N-1-safe), stamped at the establish seam — cmd_listen (harness-hosted relay, no broker PTY) → Some(false); cmd_bind live_agent (spt-hosted broker PTY) → Some(true); absent → not-controllable (amber) default (harness-hosted is the common mis-reported case; one bind self-corrects). Store-projection-only (no live daemon query — doyle ruling). (v0.10.0)
2026-06-21T04:47:54.1043473Z - Required stages: impl, unit
2026-06-21T04:47:54.1043512Z 
2026-06-21T04:47:54.1043598Z ### REQ-PICKER-2
2026-06-21T04:47:54.1045400Z - Title: The picker's project-history loader reads the git-backed context store, not the bare working tree: data.rs project_history_for enumerates an endpoint's projects via the BranchStore branch set (the context store keeps per-project context in git branches — contextstore::project_branch(project_id), checked out to projects/<project>/<id>/ only on-demand) instead of raw std::fs::read_dir over the empty working tree (which returned empty for ALL rows incl wall-a — the operator bug). Ordered newest→oldest by branch commit recency; degrades to empty (informational pane), never fails. (v0.10.0)
2026-06-21T04:47:54.1045518Z - Required stages: impl, unit
2026-06-21T04:47:54.1045552Z 
2026-06-21T04:47:54.1045639Z ### REQ-PICKER-3
2026-06-21T04:47:54.1048133Z - Title: A self-owned subnet row reconciles its status to the LIVE roster: a Subnet-category row whose endpoint_id overlaps a local (is_local) roster id is self-owned (this node hosts it), so its status square is OVERRIDDEN with the live roster status — the WAN registry snapshot (wansend::load_snapshots) is a periodically-advertised, independently-stale projection, while the local roster (p.alive) is ground truth for an endpoint this node hosts. One status square per endpoint (CONTEXT.md:348-350 — nothing licenses opposite squares for one endpoint across its Local vs Subnet listings). A reconcile pass in data.rs after the local_rows + subnet_rows gather; BOTH category listings are preserved (Local + Subnet are legitimately distinct views — you are in your own subnet), only the STATUS is unified. (v0.10.0)
2026-06-21T04:47:54.1048361Z - Required stages: impl, unit
2026-06-21T04:47:54.1048395Z 
2026-06-21T04:47:54.1048482Z ### REQ-PICKER-4
2026-06-21T04:47:54.1050447Z - Title: The picker's Subnet category renders the canonical node LABEL, not bare key-hex: a subnet row's node renders as 'LABEL (keyprefix…)' (e.g. 'HFENDULEAM (bcead52b…)') per CONTEXT.md:650 + Instance.node_label, NOT the raw node key-hex (SPT_DEV:14efb80cb… — a picker-only regression because resource_projection→ResourceRow drops node_label, so data.rs subnet_rows uses the raw row.node). Thread node_label into the picker subnet path (ResourceRow gains node_label, or subnet_rows looks it up via the registry's node_labels) and REUSE the one canonical render (format!("{l} ({}…)", key_prefix) — cli.rs / wansend.rs), never a re-implementation. (v0.10.0)
2026-06-21T04:47:54.1050666Z - Required stages: impl, unit
2026-06-21T04:47:54.1050700Z 
2026-06-21T04:47:54.1050790Z ### REQ-PICKER-5
2026-06-21T04:47:54.1053828Z - Title: `spt endpoint list` (bare/subnet view) renders an ALIGNED table with canonical node labels: cmd_endpoint_list prints subnet rows with `\t` TAB separators (cli.rs:~1651-1662) so variable-width endpoint_ids snap fields to different tab-stops → a RAGGED status column (operator screenshot: X/help statuses misaligned vs rt-*/sptc-*/wall-a); and it calls the node renderer with no label → bare key-hex for every row (SAME ResourceRow-drops-node_label root as REQ-PICKER-4). FIX: max-width per-column padding (mirror render_node_rows' pad, pad by char count not byte len — '…' is multibyte) replacing the tabs, and render the node via the shared node_label_display now that ResourceRow carries node_label (REQ-PICKER-4). Extract a pure row-formatter seam so the alignment+label is unit-testable. ALSO: the bare list is the SUBNET view (a just-run LOCAL perch is invisible cross-subnet until the next advertise tick), so emit a `--local` hint line so a freshly-run endpoint isn't perceived as lost. (v0.10.0; operator-flagged + doyle dispatch 2026-06-17)
2026-06-21T04:47:54.1053949Z - Required stages: impl, unit
2026-06-21T04:47:54.1053987Z 
2026-06-21T04:47:54.1054086Z ### REQ-SEND-SPT-HOSTED
2026-06-21T04:47:54.1057698Z - Title: An inbound `spt send` is DELIVERED to an spt-hosted endpoint (brought up via `spt endpoint run` → `api bind`, broker holds its PTY, NO `api listen` relay). Today cmd_bind→establish_perch (api/startup.rs ~441) writes info.json + ready marker + controllable=Some(true) but registers NO message-listener / NO address, so deliver.rs resolve_address→None→spool (deliver.rs:132-140) and the message NEVER reaches the live PTY — the endpoint reads 'online' (ready marker) yet `spt send` silently SPOOLS ('online but not deliverable' lie). Per CONTEXT:187-188 the daemon owns the PTY and delivers, manifest-configurable per activity-state (direct PTY injection / relay / HTTP). FIX: route an inbound send for an spt-hosted target through the daemon → broker InputReq → session.write_input PTY-inject (broker.rs dispatch_input/write_input ~988-1022), the same path the brain uses; the live-delivery handshake must report Sent (not Queued) and stop the spool-only fallback for a broker-hosted, PTY-resident endpoint. Detection is local: controllable==Some(true) + spt-hosted state + resolve_address==None. = the spt-core HALF of the wall-b finding (perri owns the adapter half: bind-hook fired-zero-perch + the missing endpoint-run int test). (post-v0.10.0)
2026-06-21T04:47:54.1057822Z - Required stages: impl, unit, int
2026-06-21T04:47:54.1057855Z 
2026-06-21T04:47:54.1057944Z ### REQ-HAZARD-RC-EOF
2026-06-21T04:47:54.1061885Z - Title: A severed broker stream during a live rc session surfaces GRACEFULLY, never as a raw io error that crashes the PTY. The rc read-loop (rc.rs:352-362) continues only on WouldBlock/TimedOut; ANY other read_event_until error — including UnexpectedEof 'failed to fill whole buffer' — returns Err → RC_FAIL → the PTY 'crashes' from the user's view. Confirmed trigger: a deliberate `spt daemon stop` (broker bounce) severs an active rc (perri stopped the daemon to release owlery watch handles). Same severed-broker-stream EOF class as the v0.9.1 seed fix (seed_fail_message) and the listener-death case — spt-core must classify a broker-gone EOF and (a) surface a CLEAR actionable message ('daemon stopped/restarted — re-run / reconnect'), never the raw buffer error, and ideally (b) AUTO-REATTACH to the same session on the fresh broker (the broker is the daemon-lifetime anchor; it returns on the next `spt api` call). FOLD two side-observations: (1) `spt daemon stop` SILENTLY drops active rc/live sessions — warn ('N active session(s) will drop') or graceful-detach on stop; (2) the daemon holds owlery WATCH HANDLES on perch dirs so a torn-down perch dir stays 'Device busy' until a full daemon stop releases them (perri's rt-* cleanup) — a torn-down perch's handle should release without a daemon stop. doyle Finding C, root-caused. (post-v0.10.0)
2026-06-21T04:47:54.1062229Z - Required stages: impl, unit
2026-06-21T04:47:54.1062267Z 
2026-06-21T04:47:54.1062375Z ### REQ-HAZARD-DEFERRED-MANIFEST
2026-06-21T04:47:54.1064656Z - Title: A pointer-mode (delegated / GhReleaseManaged) adapter whose binary/manifest is not yet extracted is reported with a CLEAR diagnostic, never silently dropped. Today such an adapter reads its manifest LIVE from source_dir (registry.rs manifest_dir ~146/149); a deferred / un-extracted install makes load_manifest fail → registered() (~410, filter_map(.ok())) SILENTLY DROPS the row → downstream ADAPTER_UNRESOLVED + a cryptic os-error-2 on `spt adapter use`. FIX: surface a clear diagnostic at the resolver + at `adapter use` (name the adapter + the deferred/missing-manifest cause + the fix), not a silent filter-drop and not a bare os-error-2; consider an eager manifest copy at register time so host_binaries survive before the binary download completes. doyle Finding A. (post-v0.10.0)
2026-06-21T04:47:54.1064781Z - Required stages: impl, unit
2026-06-21T04:47:54.1064814Z 
2026-06-21T04:47:54.1064918Z ### REQ-HAZARD-ENV-SUBST
2026-06-21T04:47:54.1068253Z - Title: `spt endpoint run` HONORS manifest [env.<VAR>] direction=inject values (with {key} substitution) on the spt-hosted spawn. Today only the [session.self] command ARGV is {id}-substituted; the [env] inject value is NEITHER substituted NOR applied — manifest.schema.json promises EnvVar.value = 'Value to inject (with substitution)' but prepare_harness_spawn fills only argv and SpawnReq carries no env, so a [env.SPT_ENDPOINT_ID].value='{id}' arrives EMPTY. A FLAGLESS harness (bare `claude`, no argv slot for {id}) then routes the id via [env] → empty → SessionStart sees empty $SPT_ENDPOINT_ID → seeds-by-PPID instead of binding → ZERO perch → NO_PERCH (the actual wall-b bind blocker; perri hard-repro'd). SILENT failure (empty inject, no error). FIX (doyle ruled a): fill every [env] inject value from the SAME {key} catalog as argv/role (mirror F-009 TEMPLATE fill, whole-string fill_template for an env value), thread it through SpawnReq.env → the broker sets it on the spawned PTY child. Correctness fix — schema already promises it, NO manifest change, NO new binary. PAIRS with REQ-SEND-SPT-HOSTED to make endpoint run fully work. doyle F-013. (post-v0.10.0)
2026-06-21T04:47:54.1068387Z - Required stages: impl, unit, int
2026-06-21T04:47:54.1068424Z 
2026-06-21T04:47:54.1068523Z ### REQ-HAZARD-ROSTER-GHOST
2026-06-21T04:47:54.1070984Z - Title: A LOCAL subnet roster entry whose backing perch is erased does NOT keep advertising Active (no phantom perch-less endpoint). `api session-end <id> --erase` removes the perch (owlery dir gone) but the subnet roster (identity/registry/<subnet>.json) keeps the endpoint's instance row ACTIVE with no backing perch; `endpoint stop` says 'address unregistered' yet the line persists; no CLI verb forgets a roster entry, and a hand-edit is re-added by the single-writer daemon advertiser. FIX: daemon-side self-heal — the advertiser DROPS/forgets a LOCAL roster entry whose backing perch no longer exists (stops advertising it Active), and/or a `forget`/evict verb; verify whether the epoch lease eventually evicts it (slow-self-heal) vs a real leak and scope accordingly. doyle secondary finding (perri). (post-v0.10.0)
2026-06-21T04:47:54.1071207Z - Required stages: impl, unit
2026-06-21T04:47:54.1071245Z 
2026-06-21T04:47:54.1071347Z ### REQ-HAZARD-HOSTED-LIVENESS-RECONCILE
2026-06-21T04:47:54.1075278Z - Title: B2 KEYSTONE: a daemon-hosted (spt-hosted) endpoint's info.json status is RECONCILED to real liveness, not left latched online. The broker exit-waiter (broker.rs:889-910) reaps its in-mem session table + emits ExitEvent but NEVER touches info.json; lifecycle::mark_offline only fires on Psyche teardown — so a dead/exited harness (operator closed the tab) stays status=online forever (is_perch_alive returns ONLINE for daemon-hosted, liveness.rs:80-93). FIX (doyle ruled PULL-PRIMARY — the live-status analog of REQ-HAZARD-ROSTER-GHOST): the livehost reconcile loop (reconcile_once livehost.rs:226-313) queries the broker's live session set (KIND_SESSIONS) each tick and, for any status=online live_agent perch PAST the boot grace whose endpoint has NO live broker session, marks it offline (lifecycle::mark_offline → status=offline → is_perch_alive=false). GATED on spt-hosted (controllable==Some(true)) so a HARNESS-HOSTED relay live agent (api listen, legitimately online with no broker session) is NEVER mis-marked. Crash-robust + self-healing on the next tick (clear-on-event is not crash-robust alone). PUSH (brain ExitEvent→mark_offline) is an OPTIONAL fast-path only if the daemon brain is reliably subscribed to all hosted sessions; correctness rides the pull. Broker stays stateless (ADR-0004 §B — brain owns the info.json write). (v0.12.0)
2026-06-21T04:47:54.1075507Z - Required stages: impl, unit, int
2026-06-21T04:47:54.1075545Z 
2026-06-21T04:47:54.1075651Z ### REQ-HAZARD-RC-ATTACH-FAILFAST
2026-06-21T04:47:54.1078862Z - Title: B1: `spt rc <id>` to a DEAD or non-streaming session fails fast with a clear message, never an INFINITE blank screen. Today rc.rs run_attach (209-231) + pump spawns PUMP_IPC_READER and blocks: the poll times out each slice but the stream never produces output, so the operator sees a permanent blank (operator: fresh wall-f attached, closed tab, then `spt rc wall-f` HUNG — the broker still resolved a session for it). FIX: (a) once B2 lands, gate attach on is_online/status — an offline endpoint yields a clean 'endpoint offline, start it' not an attach; (b) fail-fast — if the attach-open ack / first output does not arrive within a bound, surface a clear message, never an infinite blank; (c) the broker EOFs the attach stream when the session's child is dead, so rc's existing PumpEnd::BrokerGone graceful path (REQ-HAZARD-RC-EOF) catches it. PIN the exact sub-mechanism with a repro test FIRST (dead-session-lingers-in-broker vs reaped-but-rc-waits vs alive-resting-no-wake — the wall-f Windows tab-close: child alive-silent vs dead-not-reaped). (v0.12.0)
2026-06-21T04:47:54.1079083Z - Required stages: impl, unit, int
2026-06-21T04:47:54.1079121Z 
2026-06-21T04:47:54.1079222Z ### REQ-ENDPOINT-STOP-OFFLINE
2026-06-21T04:47:54.1080496Z - Title: H3: `spt endpoint stop <id>` marks the endpoint OFFLINE (alive=false), not merely de-readied. cmd_stop (cli.rs:2994-3010) removes the ready marker + unregisters the address but does NOT set status offline, so a stopped daemon-hosted endpoint still reports alive=true (status=online latch). FIX: add set_status(perch, STATUS_OFFLINE) to cmd_stop — folds with B2 (same setter). Unit: stop → is_perch_alive=false / alive=false. (v0.12.0)
2026-06-21T04:47:54.1080600Z - Required stages: impl, unit
2026-06-21T04:47:54.1080629Z 
2026-06-21T04:47:54.1080743Z ### REQ-HAZARD-DAEMON-STOP-BARRIER
2026-06-21T04:47:54.1082461Z - Title: B3: `spt daemon stop` then an immediate `spt daemon start` does NOT race — stop fully completes before it returns. Today request_stop (seedmap.rs:240-255) returns on the KIND_STOPPING ack (sent seedmap.rs:174-176) BEFORE the seed socket unbinds, so a following is_running ping (daemon.rs:375) wins the exit window and start reports ALREADY_RUNNING (operator: daemon stop → STOPPED then start → ALREADY_RUNNING). FIX: unbind/stop-gate the seed socket BEFORE acking KIND_STOPPING, OR request_stop waits for a ping-to-fail before returning. Unit: stop then immediate is_running()==false. (v0.12.0)
2026-06-21T04:47:54.1082681Z - Required stages: impl, unit
2026-06-21T04:47:54.1082714Z 
2026-06-21T04:47:54.1082819Z ### REQ-HAZARD-DAEMON-STOP-REAP
2026-06-21T04:47:54.1084594Z - Title: Breap: `spt daemon stop` REAPS the spt-hosted children it spawned — no orphaned psyche/harness processes. Today a stop leaves ~8 orphaned claude-spt-psyche.exe + spt.exe: Psyches are spawned DETACHED (runtime.rs:342-356, the Child is dropped — 'Detached' ~349) and the livehost stop flag Arc<AtomicBool> is NEVER raised (brainproc.rs:227-230 holds it 'for symmetry'). FIX: on stop, raise the livehost stop flag AND kill the spawned psyche/spt-hosted children — via a Windows job object / Unix process-group so the children die with the daemon (not detached-immortal). Folds with B3 (both the stop path). (v0.12.0)
2026-06-21T04:47:54.1084803Z - Required stages: impl, unit
2026-06-21T04:47:54.1084841Z 
2026-06-21T04:47:54.1084972Z ### REQ-HAZARD-LIVEHOST-BOOT-LIVENESS-GATE
2026-06-21T04:47:54.1087292Z - Title: B5: `spt daemon start` does NOT revive phantom Psyches for dead-but-online-latched perches. Today reconcile_once (livehost.rs:285) spawns a Psyche per status=online live_agent perch at boot WITHOUT verifying the harness child / {id}-psyche is actually alive — so a Cold start after an unclean stop revives N psyches for N dead-but-latched perches (3 psyches for 3 dead perches). FIX: gate the boot psyche-spawn on real child-liveness — a perch with NO live broker session (the B2 reconcile signal) is marked OFFLINE at boot instead of hosted, so a dead-harness perch is never revived. Shares the B2 reconcile loop (this is its boot-gate arm); composes with B2's honest latch. Also closes wall-a's psyche_host_error gap (residency-confirm does not run at boot tick-1, livehost.rs:395-441 / 257-263). (v0.12.0)
2026-06-21T04:47:54.1087420Z - Required stages: impl, unit, int
2026-06-21T04:47:54.1087458Z 
2026-06-21T04:47:54.1087578Z ### REQ-HAZARD-BRAIN-RESTART-LIFECYCLE-REHYDRATE
2026-06-21T04:47:54.1090188Z - Title: B4 (deepest): a bare brain restart (broker survives) REHYDRATES the live-agent lifecycle so post-restart endpoints are hosted + attachable. Today resume_sessions (brainproc.rs:186, brain.rs:797-809) re-subscribes to the broker's PTY sessions but ALL BrainLifecycle instances (lifecycle.rs:58-130; the ephemeral brain.rs:254-275) are LOST on restart → a post-restart live endpoint gets no livehost → its Psyche is never (re)hosted and new spawns die / can't attach until a FULL daemon reset (operator: perri's brain kill+restart wedged everything until a full daemon kill). FIX: on brain startup, rebuild a BrainLifecycle per resumed live-capable session — load the manifest from the adapter registry → instantiate → start the pulse — the rehydrate the resume no-op cannot do. Composes with B2 (the reconcile re-hosts from the honest on-disk status after rehydrate). (v0.12.0)
2026-06-21T04:47:54.1090311Z - Required stages: 
2026-06-21T04:47:54.1090345Z 
2026-06-21T04:47:54.1090460Z ### REQ-HAZARD-BRAIN-RESTART-PSYCHE-DUP
2026-06-21T04:47:54.1094156Z - Title: A bare brain restart leaves EXACTLY ONE `{id}-psyche` process per endpoint — no duplicate. On an abrupt brain death stop_host never runs (the LiveSet + owned child handles die with the brain) and Breap's job/group only reaps at DAEMON stop, so the PRIOR brain's Psyche stays ALIVE; the respawned brain's reconcile re-hosts a SECOND Psyche and overwrites the `{id}-psyche` perch pid, leaving the old one untracked + alive = a duplicate that lingers until daemon-stop (the operator's 'brain kill+restart wedged everything'). FIX: at brain start, BEFORE the first reconcile re-hosts, reap any pre-existing `{id}-psyche` orphan — ID-SPECIFICALLY (recycle-safe on the shared box, where sibling agents share the `claude` basename): scoped-kill the recorded pid ONLY IF it is alive AND its exe basename == the adapter's psyche program (normalize_basename) AND its COMMAND LINE contains the full psyche id `<id>-psyche` (baked via {id}); a sibling never carries THIS id, and any unreadable signal FAILS SAFE (decline to reap — a missed dup is bounded by Breap, a wrong-kill is catastrophic). CAVEAT: the cmdline carries `<id>-psyche` only when the adapter's psyche_init.command uses {id} (the norm); a non-{id} adapter safely MISSES the reap (today's behavior, Breap bounds it) — never a wrong-kill. (v0.12.0)
2026-06-21T04:47:54.1094384Z - Required stages: impl, unit, int
2026-06-21T04:47:54.1094423Z 
2026-06-21T04:47:54.1094529Z ### REQ-HAZARD-UNHOST-PSYCHE-REAP
2026-06-21T04:47:54.1097776Z - Title: On un-host, the detached `{id}-psyche` HARNESS PROCESS is reaped — not just its in-brain pulse-driver thread. Today stop_host (livehost.rs:203) trips the HostedLife stop flag + JOINS the driver thread, but the Psyche is a detached harness process (spawn_psyche → ManifestRuntime detached spawn, runtime.rs:341-356; its pid is untracked in HostedLife though stamped on the `{id}-psyche` perch, where residency-confirm already reads it). So endpoint-stop / mid-life agent-death / a B2/B5 offline-then-unhost leaves the psyche process ORPHANED, alive until the next daemon-stop (where Breap's job/group reaps the whole brain subtree). The Psyche STAYS a harness process by design (CONTEXT.md 97/203/251 — headless harness session, its own perch) — the fix does NOT move it in-brain; it SCOPED-kills the `{id}-psyche` pid on un-host (never machine-wide — shared box). Track the pid in HostedLife at host_one (cleanest) or read the `{id}-psyche` perch pid at stop_host. Composes with H3 (endpoint stop → offline → reconcile un-host → reap) and B2/B5 (the offline arms that trigger un-host). (v0.12.0)
2026-06-21T04:47:54.1097899Z - Required stages: impl, unit, int
2026-06-21T04:47:54.1097937Z 
2026-06-21T04:47:54.1098038Z ### REQ-ENDPOINT-PURGE
2026-06-21T04:47:54.1102782Z - Title: `spt endpoint purge <id>` fully removes an endpoint AND every record keyed on it — the formal teardown devs/CI need for clean test setup/reset. NOT consent-gated (a local dev/test op — no peer consent). OFFLINE-ONLY: refuses while the endpoint is online / daemon-hosted (deleting records out from under a live host risks the daemon re-creating or re-hosting mid-purge); `--force` STOPS it first (endpoint stop → wait for the daemon reconcile to un-host + reap the Psyche) THEN purges. Confirms interactively unless `--yes` (the CI path). Refuses purging the CALLER's OWN running id. All LOCAL — purge reaches only THIS node's records; a remote endpoint's records can't be touched, and its subnet-registry rows decay via the epoch-lease eviction (REQ-HAZARD-REGISTRY-DECAY). Removes: (1) the perch dir TREE recursively — owlery/<id>/ incl every nested {id}-psyche / {id}-w* / shells child (info.json, ready marker, sessions.log ledger, spool.db, inbox, .idle/.more-done sentinels, auth token); (2) the registry address (registry::unregister_address); (3) the context store — ContextStore::remove_endpoint(id): the a-<id> branch+worktree + the <id>/ rows from every p-<project> branch (the same fn `fork --delete-source` already uses); (4) node-local trust rows keyed on the id — access.json + visibility.json. Reuse-heavy: it is `fork --delete-source` generalized (recursive perch remove + unregister + remove_endpoint) + the trust-record cleanup; `endpoint rename` already enumerates the same record set + uses the same offline-only gate. (v0.12.0)
2026-06-21T04:47:54.1103038Z - Required stages: doc, impl, unit, int
2026-06-21T04:47:54.1103066Z 
2026-06-21T04:47:54.1103171Z ### REQ-READY-AGENT-RESUME
2026-06-21T04:47:54.1106591Z - Title: An offline ReadyAgent shows in `spt endpoint run`'s picker Resume-from-history and resumes correctly — closing the gap that today only LiveAgents do. ROOT: a harness-hosted ready bind (ReadyAgent::start_homed, ready.rs) writes info.json DIRECTLY and never appends the session ledger (unlike the shared establish_perch:250 live path), so a ready agent — though it has a session_id — produces ZERO ledger rows → the picker's offline+local Resume-from-history (which gates on ledger rows) never offers it. FIX (1): ledger the ready bind (ReadyAgent::start_homed → sessions::append Boot, mirroring establish_perch). FIX (2): `spt endpoint run --resume <session>` honors the adapter MANIFEST's endpoint TYPE — a ReadyAgent manifest (no [session.psyche_init]) resumes as a ready endpoint (poll listener, NO psyche-host); a LiveAgent (with psyche_init) as live. NO new bringup mode + NO picker changes (operator 2026-06-18): `spt endpoint run` is the spt-hosted ENDPOINT bringup for BOTH types, the type IS the adapter-manifest's concern (psyche-host already keys on psyche_init presence) — so (2) likely already holds; VERIFY at code, build only the residual. (v0.12.0)
2026-06-21T04:47:54.1106829Z - Required stages: doc, impl, unit, int
2026-06-21T04:47:54.1106864Z 
2026-06-21T04:47:54.1106968Z ### REQ-PICKER-ADAPTER-DESCRIPTION
2026-06-21T04:47:54.1108321Z - Title: The Create-new adapter-CHOICE screen of `spt endpoint run`'s picker shows a right-hand Description panel (like the Pick-existing endpoint picker's two-pane) surfacing per-adapter detail: install date, last-updated, adapter TYPE / the endpoint types it hosts, and the adapter description — so the user can see WHAT each adapter is before choosing it (today the selector lists bare names). DEFERRED fast-follow to v0.12.0 (operator 2026-06-18). (post-v0.12.0)
2026-06-21T04:47:54.1108423Z - Required stages: 
2026-06-21T04:47:54.1108460Z 
2026-06-21T04:47:54.1108573Z ### REQ-HAZARD-VIEWER-ISOLATION
2026-06-21T04:47:54.1110721Z - Title: A slow / dead / hostile VIEWER must NEVER stall the controller, the PTY child, or the session drain thread. The broker drain fans output to the controller on the authoritative blocking bounded path (advances delivered_through) but to each viewer via a bounded per-viewer channel with a dedicated writer thread; the drain `try_send`s under the log lock and a viewer whose bounded queue OVERFLOWS (can't keep up) is EVICTED (queue dropped, writer thread ends, removed from the viewers map) — the drain thread NEVER touches a viewer socket, so no viewer write can backpressure or block it. A soft viewer cap bounds the thread count. Viewer eviction never perturbs the controller stream, the delivered_through cursor, or the child.
2026-06-21T04:47:54.1110845Z - Required stages: unit, int
2026-06-21T04:47:54.1110884Z 
2026-06-21T04:47:54.1110989Z ### REQ-INSTALL-1
2026-06-21T04:47:54.1111184Z - Title: Two install paths; signed one-line script; OS-service registration
2026-06-21T04:47:54.1111289Z - Required stages: doc, impl, int
2026-06-21T04:47:54.1111331Z 
2026-06-21T04:47:54.1111460Z ### REQ-INSTALL-2
2026-06-21T04:47:54.1111689Z - Title: Marketplace-repackaging-friendly install
2026-06-21T04:47:54.1111790Z - Required stages: doc
2026-06-21T04:47:54.1111824Z 
2026-06-21T04:47:54.1111923Z ### REQ-INSTALL-3
2026-06-21T04:47:54.1112051Z - Title: Idempotent + interactive-optional first run
2026-06-21T04:47:54.1112153Z - Required stages: impl, int
2026-06-21T04:47:54.1112191Z 
2026-06-21T04:47:54.1112276Z ### REQ-INSTALL-4
2026-06-21T04:47:54.1112886Z - Title: Adapter registration lifecycle: spt adapter add (--github, manifest-first, install-is-first-update) + soft-deregister remove + optional manifest uninstall template; node-local registered-adapter set self-update ripples over
2026-06-21T04:47:54.1112996Z - Required stages: impl, unit
2026-06-21T04:47:54.1113024Z 
2026-06-21T04:47:54.1113112Z ### REQ-MIGRATE-1
2026-06-21T04:47:54.1113276Z - Title: Auto-detect and migrate a legacy claude_skill_owl install
2026-06-21T04:47:54.1113366Z - Required stages: 
2026-06-21T04:47:54.1113404Z 
2026-06-21T04:47:54.1113494Z ### REQ-INFRA-1
2026-06-21T04:47:54.1113673Z - Title: GitHub issue tracking for v1; tangled.org as migration target
2026-06-21T04:47:54.1113760Z - Required stages: 
2026-06-21T04:47:54.1113799Z 
2026-06-21T04:47:54.1113893Z ### REQ-INSTALL-5
2026-06-21T04:47:54.1114351Z - Title: Non-interactive install path: the canonical one-liner doubles as every adapter's pack-in on-demand install (no second mechanism); sha256-verified fetch; user-PATH registration
2026-06-21T04:47:54.1114452Z - Required stages: impl, int
2026-06-21T04:47:54.1114480Z 
2026-06-21T04:47:54.1114575Z ### REQ-INSTALL-9
2026-06-21T04:47:54.1115749Z - Title: Adapter add from a GitHub release archive: `spt adapter add --release <user/repo> [--tag <tag>] [--asset <name>]` fetches a `.spt` tar asset over HTTPS+GitHub trust, extracts it to the durable adapters/_github home, and registers the root — ships built binaries source-free and versioned (the distribution path for an adapter whose dev repo is a monorepo subdir, where --github root-only clone does not fit)
2026-06-21T04:47:54.1115966Z - Required stages: doc, impl, unit
2026-06-21T04:47:54.1116005Z 
2026-06-21T04:47:54.1116103Z ### REQ-INSTALL-10
2026-06-21T04:47:54.1117328Z - Title: Windows at-logon autostart runs the daemon in the background with no persistent window: the scheduled task launches `spt daemon start` (which spawn_detaches a console-less DETACHED_PROCESS daemon and exits) rather than the foreground `spt daemon run` — Task Scheduler's interactive ONLOGON launch of a long-lived console process otherwise leaves a visible console window for the daemon's whole lifetime (v0.7.4)
2026-06-21T04:47:54.1117433Z - Required stages: impl, unit
2026-06-21T04:47:54.1117466Z 
2026-06-21T04:47:54.1117557Z ### REQ-INSTALL-11
2026-06-21T04:47:54.1119381Z - Title: Adapter command templates resolve their program against the adapter's install dir BEFORE PATH: a `.spt`-shipped binary (dropped to adapters/_github/<safe>/ by --release/--github acquisition, or kept in the source_dir under copy-mode where only manifest+strings/ are copied to adapters/<name>) runs without any PATH placement — a bare-name template token (e.g. `claude-spt-digest ...`) is rewritten to <install_dir>/<program>(.exe on Windows) when that file exists, else left bare for the PATH fallback. Makes a `.spt` self-contained (closes the --release bundled-binary gap perri confirmed) (v0.7.4)
2026-06-21T04:47:54.1119507Z - Required stages: doc, impl, unit
2026-06-21T04:47:54.1119545Z 
2026-06-21T04:47:54.1119641Z ### REQ-INSTALL-12
2026-06-21T04:47:54.1122188Z - Title: Durable active-profile pointer for bind-time profile selection (ADR-0021): adapters/active-profiles.toml at the registry ROOT (sibling to the per-adapter <name>/ dirs, so adapter add/update/remove — which only rewrite a <name>/ subdir — can never clobber it), a flat host_binary → "adapter[:profile]" map. Read at bind as the PRIMARY profile selector; unset → the registered_at_ms fallback (REQ-START-5). Written ONLY by `spt adapter use <adapter>[:profile]` (resolves the adapter's host_binaries → sets each binary→adapter[:profile]); `spt adapter use --clear <adapter|binary>` drops. NEVER auto-written by install/update/adapter add (that is precisely what would let an update silently flip the active profile). A stale pointer (uninstalled adapter / deleted profile) self-heals: ignored, fall back, warn once. Pruned on adapter remove. Atomic write (spt_store atomic). (v0.9.0)
2026-06-21T04:47:54.1122417Z - Required stages: doc, impl, unit, int
2026-06-21T04:47:54.1122455Z 
2026-06-21T04:47:54.1122540Z ### REQ-REL-1
2026-06-21T04:47:54.1122902Z - Title: spt-releases publish-target repo: README public face, licensing split, Pages docs at the permanent lapse-proof canonical URL (ADR-0014)
2026-06-21T04:47:54.1123008Z - Required stages: doc, impl
2026-06-21T04:47:54.1123042Z 
2026-06-21T04:47:54.1123126Z ### REQ-REL-2
2026-06-21T04:47:54.1123580Z - Title: Release asset set consumable by the self-updater: platform binaries, SHA256SUMS, SignedRelease metadata, manifest schema, mock-adapter zip; tag-triggered cross-repo pipeline
2026-06-21T04:47:54.1123696Z - Required stages: impl, int
2026-06-21T04:47:54.1123724Z 
2026-06-21T04:47:54.1123798Z ### REQ-REL-3
2026-06-21T04:47:54.1124219Z - Title: Two-key release-signing trust anchor: primary + offline never-used recovery, both pubkeys embedded in the binary's trusted set, manual local signing (ADR-0015)
2026-06-21T04:47:54.1124325Z - Required stages: impl, unit
2026-06-21T04:47:54.1124354Z 
2026-06-21T04:47:54.1124439Z ### REQ-DOCS-1
2026-06-21T04:47:54.1124626Z - Title: Dual-audience docs (human + AI dev-agent), markdown once / two depths
2026-06-21T04:47:54.1124721Z - Required stages: doc, impl
2026-06-21T04:47:54.1124759Z 
2026-06-21T04:47:54.1124859Z ### REQ-DOCS-2
2026-06-21T04:47:54.1125012Z - Title: Sub-10-minute runnable killer quickstart per audience
2026-06-21T04:47:54.1125111Z - Required stages: doc, int
2026-06-21T04:47:54.1125149Z 
2026-06-21T04:47:54.1125236Z ### REQ-DOCS-3
2026-06-21T04:47:54.1125517Z - Title: Diátaxis structure; one canonical way to do X
2026-06-21T04:47:54.1125627Z - Required stages: doc
2026-06-21T04:47:54.1125665Z 
2026-06-21T04:47:54.1125755Z ### REQ-DOCS-4
2026-06-21T04:47:54.1125928Z - Title: Agent-consumable layer (llms.txt, manifest schema, MCP, CLI help)
2026-06-21T04:47:54.1126041Z - Required stages: doc, impl, unit
2026-06-21T04:47:54.1126079Z 
2026-06-21T04:47:54.1126156Z ### REQ-DOCS-5
2026-06-21T04:47:54.1126346Z - Title: Anti-drift: rustdoc/schema/exports/CLI-help generated + CI-checked
2026-06-21T04:47:54.1126441Z - Required stages: impl, int
2026-06-21T04:47:54.1126469Z 
2026-06-21T04:47:54.1126579Z ### REQ-HAZARD-GRACE-BEFORE-SIGNOFF
2026-06-21T04:47:54.1126762Z - Title: Grace-period wait completes before composing INIT_SIGNOFF (1.1)
2026-06-21T04:47:54.1126863Z - Required stages: impl, unit
2026-06-21T04:47:54.1126901Z 
2026-06-21T04:47:54.1127006Z ### REQ-HAZARD-INFO-JSON-TORN-READ
2026-06-21T04:47:54.1127149Z - Title: State-file reads tolerate concurrent writes (1.2)
2026-06-21T04:47:54.1127255Z - Required stages: impl, unit
2026-06-21T04:47:54.1127297Z 
2026-06-21T04:47:54.1127401Z ### REQ-HAZARD-STALE-INDEX-LOCK
2026-06-21T04:47:54.1127526Z - Title: Sweep stale lockfiles on daemon boot (1.3)
2026-06-21T04:47:54.1127631Z - Required stages: impl, unit
2026-06-21T04:47:54.1127669Z 
2026-06-21T04:47:54.1127769Z ### REQ-HAZARD-DEFERRED-DRAIN
2026-06-21T04:47:54.1127941Z - Title: Deferred spool rows excluded from the event-stream drain (1.4)
2026-06-21T04:47:54.1128050Z - Required stages: impl, unit
2026-06-21T04:47:54.1128084Z 
2026-06-21T04:47:54.1128185Z ### REQ-HAZARD-WORKER-PATH
2026-06-21T04:47:54.1128356Z - Title: Single source of truth for Worker/Psyche perch location (1.5)
2026-06-21T04:47:54.1128442Z - Required stages: impl, unit
2026-06-21T04:47:54.1128481Z 
2026-06-21T04:47:54.1128584Z ### REQ-HAZARD-PARENT-PID-PREFER
2026-06-21T04:47:54.1128752Z - Title: Prefer stable parent PID / broker handle over ephemeral PID (2.1)
2026-06-21T04:47:54.1128852Z - Required stages: 
2026-06-21T04:47:54.1128894Z 
2026-06-21T04:47:54.1129186Z ### REQ-HAZARD-STDIN-SESSION-ID
2026-06-21T04:47:54.1129317Z - Title: Stdin session_id precedence over env (2.2)
2026-06-21T04:47:54.1129418Z - Required stages: 
2026-06-21T04:47:54.1129446Z 
2026-06-21T04:47:54.1129561Z ### REQ-HAZARD-HANDOFF-ARGV-COMPAT
2026-06-21T04:47:54.1129703Z - Title: Broker/brain IPC + handoff argv version-tolerant (2.3)
2026-06-21T04:47:54.1129810Z - Required stages: impl, unit
2026-06-21T04:47:54.1129842Z 
2026-06-21T04:47:54.1129942Z ### REQ-HAZARD-GEN-START-NOW
2026-06-21T04:47:54.1130076Z - Title: gen_start = now() on cold-start and handoff (2.4)
2026-06-21T04:47:54.1130176Z - Required stages: impl, int
2026-06-21T04:47:54.1130205Z 
2026-06-21T04:47:54.1130304Z ### REQ-HAZARD-EPHEMERAL-CLEANUP
2026-06-21T04:47:54.1130463Z - Title: Ephemeral perch cleanup on every ring exit path (3.1)
2026-06-21T04:47:54.1130562Z - Required stages: impl, unit
2026-06-21T04:47:54.1130600Z 
2026-06-21T04:47:54.1130715Z ### REQ-HAZARD-STALE-SIGNOFF-SENTINEL
2026-06-21T04:47:54.1130882Z - Title: Stale signoff sentinel does not kill a fresh start (3.2)
2026-06-21T04:47:54.1130987Z - Required stages: impl, unit
2026-06-21T04:47:54.1131026Z 
2026-06-21T04:47:54.1131135Z ### REQ-HAZARD-ECHO-BEFORE-SIGNOFF
2026-06-21T04:47:54.1131306Z - Title: Echo-commune fires before INIT_SIGNOFF on orphan teardown (3.3)
2026-06-21T04:47:54.1131412Z - Required stages: impl, unit
2026-06-21T04:47:54.1131436Z 
2026-06-21T04:47:54.1131534Z ### REQ-HAZARD-ENVELOPE-DECODE-ORDER
2026-06-21T04:47:54.1131677Z - Title: Envelope decode order, ampersand decoded last (4.1)
2026-06-21T04:47:54.1131771Z - Required stages: impl, unit
2026-06-21T04:47:54.1131809Z 
2026-06-21T04:47:54.1131913Z ### REQ-HAZARD-ENVELOPE-CR-LINESAFE
2026-06-21T04:47:54.1133616Z - Title: Envelope CR-linesafety (4.1): the line-framed EVENT codec must neutralize raw carriage returns — `event_body_escape` folds CRLF/lone-CR to the codec's representable linebreak (`\n`→`<br>`) BEFORE framing, so a body carrying `\r` (Windows `echo`/CRLF text crossing nodes) cannot survive into the single-line envelope and trigger a receiver terminal CR→col0 overwrite that corrupts the frame. Robustness on unrepresentable input, NOT a wire-format change (decoder untouched, amp-last invariant held). Belt-and-suspenders: `spt send`/`ring` also trim stdin (parity with `notify`).
2026-06-21T04:47:54.1133844Z - Required stages: impl, unit
2026-06-21T04:47:54.1133884Z 
2026-06-21T04:47:54.1133983Z ### REQ-HAZARD-ENVELOPE-PARSER-SAFE
2026-06-21T04:47:54.1134140Z - Title: Two-slice envelope parser is panic-free and tolerant (4.2)
2026-06-21T04:47:54.1134236Z - Required stages: impl, unit
2026-06-21T04:47:54.1134280Z 
2026-06-21T04:47:54.1134382Z ### REQ-HAZARD-EVENTPART-REASSEMBLY
2026-06-21T04:47:54.1134587Z - Title: EVENT-PART split/reassembly is byte-exact; orphan parts dropped silently
2026-06-21T04:47:54.1134690Z - Required stages: impl, unit
2026-06-21T04:47:54.1134723Z 
2026-06-21T04:47:54.1134823Z ### REQ-HAZARD-ID-CHARSET
2026-06-21T04:47:54.1135066Z - Title: Addressable-id charset reserves :/@ delimiters; validated at every creation seam (4.6)
2026-06-21T04:47:54.1135171Z - Required stages: impl, unit
2026-06-21T04:47:54.1135210Z 
2026-06-21T04:47:54.1135324Z ### REQ-HAZARD-REGISTRY-STALE-CLEAN
2026-06-21T04:47:54.1135486Z - Title: Stale registry entries degrade to fallback, never hard-fail (4.3)
2026-06-21T04:47:54.1135591Z - Required stages: impl, unit
2026-06-21T04:47:54.1135630Z 
2026-06-21T04:47:54.1135733Z ### REQ-HAZARD-REGISTRY-CONCURRENT
2026-06-21T04:47:54.1135973Z - Title: Concurrent SQLite openers (registry/spool) must not fail with 'database is locked' (4.7)
2026-06-21T04:47:54.1136072Z - Required stages: impl, unit
2026-06-21T04:47:54.1136106Z 
2026-06-21T04:47:54.1136202Z ### REQ-HAZARD-REGISTRY-DIR-CREATE
2026-06-21T04:47:54.1136563Z - Title: SQLite store opens create their parent dir themselves — a fresh-home registry op must not SQLITE_CANTOPEN (4.9)
2026-06-21T04:47:54.1136668Z - Required stages: doc, impl, unit
2026-06-21T04:47:54.1136716Z 
2026-06-21T04:47:54.1136911Z ### REQ-HAZARD-REGISTRY-EPOCH-LEASE
2026-06-21T04:47:54.1137337Z - Title: Registry merge ordered by per-node monotonic epoch, never wall-clock — a stale Active can't clobber a newer Offline (4.8, red-team #8)
2026-06-21T04:47:54.1137438Z - Required stages: impl, unit
2026-06-21T04:47:54.1137476Z 
2026-06-21T04:47:54.1137590Z ### REQ-HAZARD-DEFERRED-SURVIVE-DRAIN
2026-06-21T04:47:54.1137709Z - Title: Deferred rows survive poll drain (4.4)
2026-06-21T04:47:54.1137810Z - Required stages: impl, unit
2026-06-21T04:47:54.1137848Z 
2026-06-21T04:47:54.1137957Z ### REQ-HAZARD-INBOX-NO-DOUBLE
2026-06-21T04:47:54.1138082Z - Title: No double-delivery via legacy inbox (4.5)
2026-06-21T04:47:54.1138182Z - Required stages: impl, unit
2026-06-21T04:47:54.1138220Z 
2026-06-21T04:47:54.1138324Z ### REQ-HAZARD-WINDOWS-PID-RECYCLE
2026-06-21T04:47:54.1138472Z - Title: Windows PID-recycling false positives guarded (5.1)
2026-06-21T04:47:54.1138577Z - Required stages: impl, unit
2026-06-21T04:47:54.1138615Z 
2026-06-21T04:47:54.1138717Z ### REQ-HAZARD-EBUSY-RENAME
2026-06-21T04:47:54.1138863Z - Title: tmp-write + atomic-rename + retry on Windows EBUSY (5.2)
2026-06-21T04:47:54.1139022Z - Required stages: impl, unit
2026-06-21T04:47:54.1139050Z 
2026-06-21T04:47:54.1139163Z ### REQ-HAZARD-SUBPROCESS-TIMEOUT
2026-06-21T04:47:54.1139298Z - Title: Every harness/git subprocess has a timeout (5.3)
2026-06-21T04:47:54.1139398Z - Required stages: impl, unit
2026-06-21T04:47:54.1139435Z 
2026-06-21T04:47:54.1139531Z ### REQ-HAZARD-UNC-PATH-STRIP
2026-06-21T04:47:54.1139675Z - Title: Strip Windows UNC prefix on serialized paths (5.4)
2026-06-21T04:47:54.1139778Z - Required stages: impl, unit
2026-06-21T04:47:54.1139816Z 
2026-06-21T04:47:54.1139920Z ### REQ-HAZARD-SINGLE-PATH-SOURCE
2026-06-21T04:47:54.1140089Z - Title: Single path/registry source of truth; no layout ambiguity (6.1)
2026-06-21T04:47:54.1140197Z - Required stages: impl, unit
2026-06-21T04:47:54.1140351Z 
2026-06-21T04:47:54.1140446Z ### REQ-HAZARD-SOFT-CLEANUP
2026-06-21T04:47:54.1140632Z - Title: Soft-cleanup preserves state, removes only the ready marker (6.2)
2026-06-21T04:47:54.1140736Z - Required stages: impl, unit
2026-06-21T04:47:54.1140770Z 
2026-06-21T04:47:54.1140874Z ### REQ-HAZARD-CASCADE-WIPE-GUARD
2026-06-21T04:47:54.1141032Z - Title: No hard-delete of a parent hosting non-empty children (6.3)
2026-06-21T04:47:54.1141132Z - Required stages: impl, unit
2026-06-21T04:47:54.1141169Z 
2026-06-21T04:47:54.1141290Z ### REQ-HAZARD-DROP-FILE-SINGLE-WRITER
2026-06-21T04:47:54.1141428Z - Title: Drop files are daemon-owned single-writer (6.4)
2026-06-21T04:47:54.1141528Z - Required stages: impl, unit
2026-06-21T04:47:54.1141562Z 
2026-06-21T04:47:54.1141676Z ### REQ-HAZARD-DIRECT-WRITE-PRECEDENCE
2026-06-21T04:47:54.1141876Z - Title: Direct-write precedence marker (with node id) guards stale overwrite (6.5)
2026-06-21T04:47:54.1141976Z - Required stages: impl, unit
2026-06-21T04:47:54.1142014Z 
2026-06-21T04:47:54.1142127Z ### REQ-HAZARD-CONFLICT-BOTH-PRESERVED
2026-06-21T04:47:54.1142665Z - Title: A surfaced concurrent context pair is durably preserved (both versions, tracked artifacts) until a strictly dominating write clears it; no reconcile failure path discards an unmerged version (6.6, ADR-0013)
2026-06-21T04:47:54.1142768Z - Required stages: impl, unit
2026-06-21T04:47:54.1142797Z 
2026-06-21T04:47:54.1142898Z ### REQ-HAZARD-DETACHED-PIPE-INHERIT
2026-06-21T04:47:54.1143961Z - Title: Windows detached long-lived children must not inherit a captured caller's pipe: every detach-spawn of an immortal child (daemon, shell binary) runs bInheritHandles=FALSE, or a caller capturing output anywhere up the process chain hangs forever on a pipe that never EOFs — std-handle flag stripping is NOT sufficient (grandparent strays still flow) (5.6)
2026-06-21T04:47:54.1144070Z - Required stages: impl, unit
2026-06-21T04:47:54.1144109Z 
2026-06-21T04:47:54.1144205Z ### REQ-HAZARD-CONPTY-DSR
2026-06-21T04:47:54.1144419Z - Title: ConPTY reader must auto-answer DSR (ESC[6n) or all child output stalls (5.5)
2026-06-21T04:47:54.1144618Z - Required stages: impl, unit
2026-06-21T04:47:54.1144657Z 
2026-06-21T04:47:54.1144763Z ### REQ-HAZARD-WIN-PTY-PROGRAM-RESOLVE
2026-06-21T04:47:54.1146666Z - Title: Native-PTY spawn must resolve a bare program name with PATHEXT precedence and run a non-PE target through its interpreter: portable-pty's own `which` takes the FIRST PATH match — an extensionless shebang shim (e.g. a node CLI `ccs` shipped beside `ccs.cmd`) — and CreateProcessW then rejects the non-PE file with os error 193 ('not a valid Win32 application'); spt-term resolves the program itself (PATHEXT order prefers .EXE over .CMD; .cmd/.bat → cmd.exe /d /c, .ps1 → powershell -NoProfile -File) so a bare harness/shell [session.self] command actually launches on Windows. Unix is a passthrough (execve honours the shebang).
2026-06-21T04:47:54.1146776Z - Required stages: doc, impl, unit, int
2026-06-21T04:47:54.1146813Z 
2026-06-21T04:47:54.1146923Z ### REQ-HAZARD-CHILD-CONSOLE-FLASH
2026-06-21T04:47:54.1147344Z - Title: Console-subsystem children of the console-less daemon spawn with CREATE_NO_WINDOW, or each spawn flashes a visible blank window on the user's desktop (5.8)
2026-06-21T04:47:54.1147443Z - Required stages: impl, unit
2026-06-21T04:47:54.1147476Z 
2026-06-21T04:47:54.1147584Z ### REQ-HAZARD-INSTANT-UNDERFLOW
2026-06-21T04:47:54.1148122Z - Title: Scheduling never subtracts a Duration from Instant::now() (underflow-panics on a host booted more recently than the offset); 'due now / never run' is Option<Instant>=None gated on forward duration_since only (5.9)
2026-06-21T04:47:54.1148226Z - Required stages: impl, unit
2026-06-21T04:47:54.1148255Z 
2026-06-21T04:47:54.1148360Z ### REQ-HAZARD-PUMP-IPC-DEADLINE
2026-06-21T04:47:54.1149228Z - Title: The single-threaded peer pump's brain-IPC reads are deadline-bounded (PUMP_PEER_IO_TIMEOUT, total-wait per call); a TimedOut read POISONS the client and escalates to a SUPERVISED RESTART, never a per-peer retry — a black-holed peer must never wedge the whole pump
2026-06-21T04:47:54.1149438Z - Required stages: doc, impl, unit
2026-06-21T04:47:54.1149466Z 
2026-06-21T04:47:54.1149577Z ### REQ-HAZARD-BROKER-QUIC-DEADLINE
2026-06-21T04:47:54.1152583Z - Title: The broker bounds every brain-waiting QUIC op (dial / open_stream / send_stream) so a black-holed or dead peer fails PROMPTLY with an ORDINARY error the broker REPLIES, never an unbounded await. The bound (< the brain's 30s PUMP_PEER_IO_TIMEOUT so the BROKER fires first) surfaces to the pump as a normal broker error reply → peer_outcome's non-TimedOut arm → drop conn + redial next tick, the round CONTINUES and the heartbeat keeps advancing — it must NEVER manifest as the brain's own read-deadline (the A-half poison → supervised-restart path REQ-HAZARD-PUMP-IPC-DEADLINE guards). Exactly-once is preserved: a timed-out journaled op fails INSIDE its apply_once closure so no phantom conn_id/stream_id is recorded and a fresh tick re-dials cleanly. The happy path is unchanged (a live peer completes with zero added latency; the bound only bites a non-responsive peer). This is the ROOT-cause cure for the 2.2h hfenduleam pump wedge — a dead roster peer whose QUIC path the broker awaited unbounded — recurring on hfenduleam 2026-06-16.
2026-06-21T04:47:54.1152793Z - Required stages: doc, impl, unit, int
2026-06-21T04:47:54.1152821Z 
2026-06-21T04:47:54.1152924Z ### REQ-HAZARD-BROKER-SEED-WIRE-SKEW
2026-06-21T04:47:54.1156496Z - Title: A daemon-state wire-format change (e.g. the v0.9.0 adapter-agnostic Seed) does NOT take effect until a DELIBERATE full broker restart: the broker serves the seed-control channel and is RESIDENT across a brain-only self-update (ADR-0004 no-terminate-during-update forbids auto-killing it), so a NEW-version CLI talking to a still-resident OLD broker fails the seed handshake — the old broker cannot deserialize the new Seed (its formerly-required `adapter` field is gone) and drops the conn without an ack, which surfaces to the CLI as a raw UnexpectedEof 'failed to fill whole buffer'. spt-core must (a) surface an ACTIONABLE diagnostic on that seed-ack EOF (name the stale-broker cause + the `spt daemon stop` fix — the broker restarts on the next api call), never the cryptic io error; and (b) document the operational rule (a deliberate broker restart is required on any daemon-state wire change — NOT automatic) + the FORWARD discipline (daemon-state/Seed schema changes stay additive + serde-default so a resident OLD broker tolerates a NEW CLI across a brain-only update; note this would NOT have rescued 0.9.0 itself, since the old broker's `adapter` was a required field). perri PREP-4 FINDING 1 (v0.9.0 CLI vs stale 0.8.x broker).
2026-06-21T04:47:54.1156721Z - Required stages: doc, impl, unit
2026-06-21T04:47:54.1156755Z 
2026-06-21T04:47:54.1156863Z ### REQ-HAZARD-SUDO-SECURE-PATH
2026-06-21T04:47:54.1157689Z - Title: Elevation guidance on Unix names the binary's ABSOLUTE path under sudo (a user-local install ~/.local/bin · ~/.cargo/bin is not on sudo's secure_path, so bare `sudo spt` dies 'command not found'); gated commands auto-elevate on an interactive TTY, else print the runnable hint (5.10)
2026-06-21T04:47:54.1157803Z - Required stages: impl, unit
2026-06-21T04:47:54.1157842Z 
2026-06-21T04:47:54.1157933Z ### REQ-HAZARD-SELF-ELEVATE
2026-06-21T04:47:54.1160151Z - Title: Self-elevation (REQ-ELEVATE-1) re-runs the EXACT original invocation with the binary's ABSOLUTE exe path — never widening privilege scope, never adding/altering args, never via a PATH-resolved bare name, never via a shell-interpolated command string (argv-array only, no `sh -c`); the elevated child drops state back to the user (composes with the 5.7 de-elevation) and NEVER re-elevates (loop-safe: decide_elevation_path returns AlreadyElevated whenever the process is already Elevated, on every OS). The user's UAC/polkit/sudo prompt is the only consent gate — we never bypass it; the print-hint floor prints the absolute-path command too. The unprivileged parent never depends on (pipes/captures) the privileged child's stdout.
2026-06-21T04:47:54.1160375Z - Required stages: unit
2026-06-21T04:47:54.1160413Z 
2026-06-21T04:47:54.1160514Z ### REQ-HAZARD-LOCAL-API-AUTH
2026-06-21T04:47:54.1160718Z - Title: Every local `api` mutation authenticated to an endpoint/session (codex #13)
2026-06-21T04:47:54.1160824Z - Required stages: impl, unit
2026-06-21T04:47:54.1160848Z 
2026-06-21T04:47:54.1160946Z ### REQ-HAZARD-RESTART-IDEMPOTENT
2026-06-21T04:47:54.1161200Z - Title: Idempotent/exactly-once delivery across brain restart at every broker boundary (codex #14)
2026-06-21T04:47:54.1161303Z - Required stages: impl, unit, int
2026-06-21T04:47:54.1161341Z 
2026-06-21T04:47:54.1161442Z ### REQ-HAZARD-UPDATE-ROLLBACK
2026-06-21T04:47:54.1161684Z - Title: Self-update rejects version rollback; metadata expiry + adapter content signing (codex #5)
2026-06-21T04:47:54.1161786Z - Required stages: impl, unit
2026-06-21T04:47:54.1161823Z 
2026-06-21T04:47:54.1161937Z ### REQ-HAZARD-DAEMON-HOSTED-LIVENESS
2026-06-21T04:47:54.1162348Z - Title: Daemon-hosted perches (Psyche, spt-hosted Self) derive liveness from the daemon endpoint table + info.json status, never is_process_alive(info.pid) (2.5)
2026-06-21T04:47:54.1162458Z - Required stages: impl, unit, int
2026-06-21T04:47:54.1162495Z 
2026-06-21T04:47:54.1162605Z ### REQ-HAZARD-BROKER-PROCESS-ISOLATION
2026-06-21T04:47:54.1165162Z - Title: Broker and brain are separate processes: the broker runs as its own long-lived per-machine process that survives every brain restart, so a routine (brain-only) self-update restarts the brain onto the swapped binary while every hosted endpoint (PTY child, live QUIC conn, listening socket) stays untouched at the PROCESS level. The in-process-thread broker (daemon.rs:165-170) is a regression that silently unrealizes REQ-UPD-3 — apply degrades to an in-process Brain::handoff no-op and new code does not run until an unrelated restart (KNOWN-HAZARDS 6.7). Evidence must prove process-level survival (SPIKE-01/03 productionized as int: PTY child + live QUIC survive a brain-PROCESS restart onto a swapped binary), re-pointing the regression-masked in-process int tags currently on REQ-DAEMON-2 / REQ-UPD-3 (ADR-0018).
2026-06-21T04:47:54.1165382Z - Required stages: doc, impl, unit, int
2026-06-21T04:47:54.1165419Z 
2026-06-21T04:47:54.1165530Z ### REQ-HAZARD-ROLLBACK-STATE-COMPAT
2026-06-21T04:47:54.1167157Z - Title: A brain must not irreversibly migrate durable state before update ready-promotion: the readiness-gated auto-rollback (ADR-0018 Q7) spawns the N-1 binary against durable state the new brain may have written, so every pre-ready write must stay N-1-readable (schema migrations gated behind ready-promotion, or written N-1-tolerant/additive). Else the first in-place schema migration silently bricks rollback (KNOWN-HAZARDS 6.8). Free now — a 2026-06-09 audit confirmed zero state-migration code exists; unmintable retroactively once a migration ships.
2026-06-21T04:47:54.1167272Z - Required stages: doc, impl, unit
2026-06-21T04:47:54.1167310Z 
2026-06-21T04:47:54.1167418Z ### REQ-HAZARD-BRAIN-RESPAWN-PATH
2026-06-21T04:47:54.1169971Z - Title: The broker respawns the brain onto the APPLIED bytes, not the renamed old binary: the candidate-binary default is the canonical exe path captured ONCE at broker start, never a per-spawn std::env::current_exe() — on Linux current_exe (readlink /proc/self/exe) is inode-tracking and follows the `apply` rename (spt -> spt.old-N), so a resident broker would respawn the brain onto OLD bytes while recording `applied` (Windows GetModuleFileName is path-at-start, so Windows was green; ADR-0018 Q3 silently assumed path-string semantics). Backstop: promotion gates on bytes — a trial promotes only if brain.ready exe_hash == the staged artifact hash for this platform, else auto-rollback + loud notif (readiness != new-bytes was the false-success that recorded applied:8 over a v0.4.0 brain on kitsubito, 2026-06-11). KNOWN-HAZARDS 6.11.
2026-06-21T04:47:54.1170082Z - Required stages: doc, impl, unit, int
2026-06-21T04:47:54.1170229Z 
2026-06-21T04:47:54.1170334Z ### REQ-HAZARD-PSYCHE-OUTBOUND-PROXY
2026-06-21T04:47:54.1171112Z - Title: Psyche outbound captured + sanitized: the live-Psyche turn driver captures stdout (never Stdio::null), and the daemon strips/re-stamps Psyche-supplied from=/target and constrains routing (reply→__REPLY_TO__ sender, notify→own user/subnet) (7.3)
2026-06-21T04:47:54.1171211Z - Required stages: impl, unit
2026-06-21T04:47:54.1171249Z 
2026-06-21T04:47:54.1171355Z ### REQ-HAZARD-DAEMON-SCHED-NONBLOCKING
2026-06-21T04:47:54.1171987Z - Title: Per-agent pulse/psyche/echo-commune scheduling must not serialize across agents: each agent's bounded LLM call (echo-commune summarizer, Psyche turn) runs off the shared scheduler so one slow/hung call cannot stall another agent's tick (7.4)
2026-06-21T04:47:54.1172088Z - Required stages: impl, unit
2026-06-21T04:47:54.1172126Z 
2026-06-21T04:47:54.1172239Z ### REQ-HAZARD-PAIR-TRANSCRIPT-BIND
2026-06-21T04:47:54.1172869Z - Title: Pairing transcript binds roles, both node pubkeys, subnet ID, seed epoch, TOTP time-step, and confirmation MACs — or unknown-key-share/reflection/wrong-subnet/replay pairing remain possible (ADR-0005 #12)
2026-06-21T04:47:54.1172985Z - Required stages: impl, unit
2026-06-21T04:47:54.1173022Z 
2026-06-21T04:47:54.1173131Z ### REQ-HAZARD-PAIR-SEED-ROTATION
2026-06-21T04:47:54.1173634Z - Title: Removing a node rotates the subnet seed (epoch bump) so an old node/old seed cannot rejoin; trust-store delete alone is NOT revocation because the seed is replicated to every trusted node (ADR-0005 #10)
2026-06-21T04:47:54.1173742Z - Required stages: impl, unit
2026-06-21T04:47:54.1173770Z 
2026-06-21T04:47:54.1173865Z ### REQ-HAZARD-PAIR-RATE-LIMIT
2026-06-21T04:47:54.1174702Z - Title: Subnet-global pairing rate limit: one active ceremony per subnet, shared attempt counter, exponential backoff — a public pre-trust relay + multiple seed-holders otherwise enables distributed SPAKE2 guessing (and ±1 TOTP window triples the valid-password space) (ADR-0005 #11)
2026-06-21T04:47:54.1174826Z - Required stages: impl, unit
2026-06-21T04:47:54.1174960Z 
2026-06-21T04:47:54.1175069Z ### REQ-HAZARD-WAN-ORIGIN-AUTH
2026-06-21T04:47:54.1175848Z - Title: WAN-inbound origin is transport truth, never payload: the access gate's subject (ADR-0009 origin-node whitelist) is the QUIC handshake-proven remote node id from the broker's conn/stream table — a forged origin/node field inside record bytes is inert (7.5)
2026-06-21T04:47:54.1175960Z - Required stages: doc, impl, unit
2026-06-21T04:47:54.1175994Z 
2026-06-21T04:47:54.1176085Z ### REQ-CONSENT-1
2026-06-21T04:47:54.1176959Z - Title: Consent grant store: capability x subject-agent x target-node rows, enforced at the target node, subnet-settable (replicates as security material near the trust store), revocable; gated-capability ids (remote-exec, instantiate-anywhere) reserved-but-refusing; v1 consumers are the shell spawn gates (CONTEXT Consent & security gates)
2026-06-21T04:47:54.1177059Z - Required stages: impl, unit
2026-06-21T04:47:54.1177097Z 
2026-06-21T04:47:54.1177198Z ### REQ-CONSENT-2
2026-06-21T04:47:54.1177983Z - Title: Interactive consent escalation: an ungated high-risk action routes a consent prompt to the user's most-recently-active session; allow-once / allow-always (writes a grant) / deny; pre-consent flags (can_shutdown, shell_wake_spawn_anywhere) author grants via manifest/settings (CONTEXT Consent & security gates)
2026-06-21T04:47:54.1178099Z - Required stages: impl, unit
2026-06-21T04:47:54.1178137Z 
2026-06-21T04:47:54.1178232Z ### REQ-PRES-1
2026-06-21T04:47:54.1179616Z - Title: Presence resolution: the presence datum (last_active_node, last_active_endpoint, ts) gossiped subnet-wide via the agent-interaction heartbeat (rides registry distribution, visibility-gated) + one first-class most-recently-active resolution API consumed by notif first-fire, update-consent delivery, consent escalation, and shell wake resolution (M5 scope decision 1: resolution only — the PresenceChannel endpoint stays deferred)
2026-06-21T04:47:54.1179826Z - Required stages: impl, unit, int
2026-06-21T04:47:54.1179868Z 
2026-06-21T04:47:54.1179954Z ### REQ-SHELL-1
2026-06-21T04:47:54.1180804Z - Title: Shell hosting machinery: shell perch under the owner (type/owner/adapter_name/status/alias), broker-launched binary + api bind local-link handshake, the three channels (command durable, text+file durable + progress-queryable, sensory REST-only never spooled + dropped-unless-owner-live), owner exclusivity (CONTEXT Shell model)
2026-06-21T04:47:54.1180908Z - Required stages: impl, unit, int
2026-06-21T04:47:54.1180947Z 
2026-06-21T04:47:54.1181028Z ### REQ-SHELL-2
2026-06-21T04:47:54.1182447Z - Title: Shell sleep/wake: link-break always closes the binary (pre-close instruction + termination timeout), ephemeral teardown vs persistent offline/relink, wake_command wake-watcher (offline-only, exit-opcode supervision, exponential backoff + give-up), state-keyed wake resolution (dormant/suspended/active-elsewhere; no-reachable refuses — spawn-anywhere branch deferred), spt shutdown owner cascade + api owner-shutdown gated by can_shutdown (CONTEXT Shell sleep/wake)
2026-06-21T04:47:54.1182562Z - Required stages: impl, unit, int
2026-06-21T04:47:54.1182592Z 
2026-06-21T04:47:54.1182714Z ### REQ-HAZARD-ELEVATED-DAEMON-SPAWN
2026-06-21T04:47:54.1183973Z - Title: The daemon always runs unelevated in the invoking user's universe, regardless of which command spawns it: an elevated spawner de-elevates (Windows: UAC linked token via CreateProcessWithTokenW; Linux: drop to SUDO_UID/SUDO_GID + the invoker's HOME) — an elevated daemon's pipes deny unelevated clients (every later spt reads not-running→spawn→bind Access-denied) and a sudo'd daemon roots the user's state universe (5.7)
2026-06-21T04:47:54.1184078Z - Required stages: doc, impl, unit
2026-06-21T04:47:54.1184117Z 
2026-06-21T04:47:54.1184213Z ### REQ-HAZARD-REGISTRY-GHOST-ROWS
2026-06-21T04:47:54.1185473Z - Title: A dead node identity's registry rows must decay: only the per-(endpoint,node) epoch lease supersedes rows, so without eviction a vanished node's rows are immortal and poison bare-id resolution with phantom AcrossNodes ambiguity — evict rows whose author node has not been heard (admitted inbound feed) within the eviction window; own rows never decay; a revived node re-inserts from its durable epoch within one pump cadence (4.10)
2026-06-21T04:47:54.1185691Z - Required stages: doc, impl, unit
2026-06-21T04:47:54.1185720Z 
2026-06-21T04:47:54.1185801Z ### REQ-CLI-1
2026-06-21T04:47:54.1186835Z - Title: spt endpoint noun namespace: absorbs fork/suspend/wake/shutdown/rename/stop/digest + access (ported 1:1: allow|revoke|open|list, decision 21) + description (ex-resources blurb; bare=show, set=author); merged endpoint list [--local|--subnet <name>] grouped by subnet with SELF pinned, --detail adding the ex-resources yellow-pages blurb projection; bare spt endpoint = the list (M8 decisions 1-2, 25)
2026-06-21T04:47:54.1186926Z - Required stages: impl, unit
2026-06-21T04:47:54.1186960Z 
2026-06-21T04:47:54.1187122Z ### REQ-CLI-2
2026-06-21T04:47:54.1187805Z - Title: spt daemon noun: run|stop|status (hidden daemon verb becomes daemon run; agent-endpoint shutdown keeps its name under endpoint); daemon status renders the pump heartbeat (last-tick recency) so a half-dead daemon is never rendered implied-healthy (M8 decisions 5, 23)
2026-06-21T04:47:54.1187914Z - Required stages: impl, unit
2026-06-21T04:47:54.1187953Z 
2026-06-21T04:47:54.1188039Z ### REQ-CLI-3
2026-06-21T04:47:54.1188735Z - Title: Agent hot path stays flat across the M8 reorg: send/ring/ready/whoami/how-to unchanged; notify moves to subnet notify while notif stays top-level; breaking renames land clean with no deprecation shims (zero external CLI consumers pre-spt-claude-code) (M8 decisions 3-4, 9)
2026-06-21T04:47:54.1188840Z - Required stages: impl, unit
2026-06-21T04:47:54.1188878Z 
2026-06-21T04:47:54.1189040Z ### REQ-CLI-4
2026-06-21T04:47:54.1191063Z - Title: User-facing CLI output is human-readable: DIRECT-USER commands (e.g. adapter update/list/use) render friendly prose instead of raw CODE:RESULT markers — "claude-spt is up to date (0.2.0)." not "ADAPTER_UPDATE_UPTODATE:claude-spt: installed 0.2.0, latest 0.2.0". Strictly bounded to the direct-user surface: the adapter-PARSED bringup tokens (SEEDED/BOUND/READY/NO_SEED on seed/listen, which adapters grep) stay machine-parseable — humanization is additive (a human line beside the marker, or a --porcelain/--quiet split), never a silent rename of a dual-contract marker. The user-facing bringup composition belongs to the adapter (perri); this REQ owns only the direct-user CLI surface. (v0.9.0)
2026-06-21T04:47:54.1191179Z - Required stages: 
2026-06-21T04:47:54.1191216Z 
2026-06-21T04:47:54.1191306Z ### REQ-SUBNET-5
2026-06-21T04:47:54.1192379Z - Title: Per-subnet serve-state: spt subnet detach <NAME> [--save] / attach <NAME> [--save] — daemon keeps running, stops/starts advertising + connecting for that subnet (peer pump + responder selective); --save persists the startup default in daemon config; the all-attached banner gains per-subnet states (M8 decision 6, --save renamed from --auto per decision 25 session)
2026-06-21T04:47:54.1192509Z - Required stages: impl, unit, int
2026-06-21T04:47:54.1192547Z 
2026-06-21T04:47:54.1192631Z ### REQ-SUBNET-6
2026-06-21T04:47:54.1193289Z - Title: Trust lifecycle verbs, elevation-gated: spt subnet leave <NAME> (membership exit) and spt subnet prune <node> (removes a dead identity's trust + registry rows, killing its dead dials; trust mutation = security surface, REQ-PAIR-6 gate machinery) (M8 decisions 6-7)
2026-06-21T04:47:54.1193399Z - Required stages: impl, unit
2026-06-21T04:47:54.1193433Z 
2026-06-21T04:47:54.1193523Z ### REQ-SUBNET-7
2026-06-21T04:47:54.1195104Z - Title: Per-machine re-pair trust overwrite: registry rows carry a hashed stable machine identifier (OS machine id /etc/machine-id|MachineGuid, domain-separated SHA-256 before gossip, spt-minted persisted UUID fallback; additive serde-default field — old rows parse clean); a COMPLETED pairing ceremony presenting the same node label AND machine id as an existing trusted row evicts the superseded identity's trust + registry rows on the seed-holder and replicates the eviction; a gossiped claim alone never evicts trust (M8 decisions 13, 22)
2026-06-21T04:47:54.1195327Z - Required stages: impl, unit
2026-06-21T04:47:54.1195345Z 
2026-06-21T04:47:54.1195442Z ### REQ-SUBNET-8
2026-06-21T04:47:54.1196508Z - Title: Status render honesty: zero-subnet text is daemon-aware ('No subnets registered — this node is standalone.' + daemon-running-dependent blurb, never implying messaging works while the daemon is down); hint footer prints on bare spt subnet only (status drops it); a stalled pump is surfaced in subnet status, never rendered implied-healthy (M8 decisions 11-12, 23)
2026-06-21T04:47:54.1196619Z - Required stages: impl, unit
2026-06-21T04:47:54.1196653Z 
2026-06-21T04:47:54.1196747Z ### REQ-INSTALL-6
2026-06-21T04:47:54.1197890Z - Title: Linux elevation install leg: install.sh symlinks the binary into a sudo-reachable path (/usr/local/bin; graceful print-the-one-liner when unelevated) so sudo spt resolves; first sudo spt detects elevation and prompts ONCE for the default user account — thereafter any elevated daemon launch runs daemon + state under that account, never root (KH 5.7 interplay verified) (M8 decision 8)
2026-06-21T04:47:54.1198103Z - Required stages: impl, unit
2026-06-21T04:47:54.1198136Z 
2026-06-21T04:47:54.1198217Z ### REQ-INSTALL-7
2026-06-21T04:47:54.1199409Z - Title: Windows inbound reachability: the elevated install leg registers the inbound-UDP firewall rule (New-NetFirewallRule); the daemon self-detects blocked inbound and renders it as the no-connection state in subnet status + the coming-online banner (covers user-scope installs that skip the elevated leg — never a silent NO_SEED_HOLDER dead-end) (M8 root cause 3)
2026-06-21T04:47:54.1199506Z - Required stages: impl
2026-06-21T04:47:54.1199544Z 
2026-06-21T04:47:54.1199633Z ### REQ-INSTALL-8
2026-06-21T04:47:54.1200656Z - Title: OS-service registration (REQ-INSTALL-1's deferred third leg): Linux systemd USER service + loginctl enable-linger (linger rides the elevated install leg; daemon starts at boot pre-login, user universe per KH 5.7, systemctl --user managed); Windows scheduled task at-logon (interactive session, no stored credentials); a node is reachable after reboot without any manual spt invocation (M8 decision 17)
2026-06-21T04:47:54.1200770Z - Required stages: impl
2026-06-21T04:47:54.1200808Z 
2026-06-21T04:47:54.1200895Z ### REQ-CONV-1
2026-06-21T04:47:54.1202257Z - Title: Peer address seeding, both cold starts: durable peer-addrs.json (identity dir) maps peer pubkey → last-known dialable address; the pump's resolver consults it FIRST with id-only discovery fallback on miss or dial failure (a stale addr never strands a peer); written by the pairing ceremony (both sides, from the live connection) and by the pump on successful connect; post-join first sync and post-restart resync converge in seconds, not ~1 min (M8 decisions 14, 20)
2026-06-21T04:47:54.1202368Z - Required stages: impl, unit
2026-06-21T04:47:54.1202406Z 
2026-06-21T04:47:54.1202501Z ### REQ-CONV-2
2026-06-21T04:47:54.1203557Z - Title: Event-driven advertisement: endpoint online/offline transitions (ready-listener start/stop, rest-state transition, perch death) trigger an immediate advertise_local + peer push as a WAKE of the existing pump loop (no second advertisement path — epoch lease + visibility gates ride unchanged); the cadence stays the steady-state floor (M8 decision 15)
2026-06-21T04:47:54.1203664Z - Required stages: impl, unit
2026-06-21T04:47:54.1203702Z 
2026-06-21T04:47:54.1203783Z ### REQ-PAIR-8
2026-06-21T04:47:54.1205023Z - Title: NTP TOTP offset: the pairing ceremony queries NTP at ceremony time (both sides) and applies the derived offset to the TOTP calculation in-process only; system-clock fallback when NTP is unreachable (offline LAN pairing unaffected — NTP failure never blocks a pairing that succeeds today); never sets the OS clock; no background sync loop (M8 decision 18; field trigger: enlyzeam clock >1 min off exceeds the ±1 window)
2026-06-21T04:47:54.1205267Z - Required stages: impl, unit
2026-06-21T04:47:54.1205295Z 
2026-06-21T04:47:54.1205379Z ### REQ-DAEMON-5
2026-06-21T04:47:54.1206631Z - Title: Pump liveness: the peer pump writes a last-tick heartbeat consumed by daemon status / subnet status (decision 23 render legs in REQ-CLI-2/REQ-SUBNET-8); the daemon supervises the pump task — a panic is caught, logged loudly, and the pump restarts with capped backoff (≤5 min), so a 5.9-class death self-heals visibly instead of silently halving the daemon (M8 decision 23; field motivation: hfenduleam 2026-06-07 half-death)
2026-06-21T04:47:54.1206735Z - Required stages: impl, unit
2026-06-21T04:47:54.1206773Z 
2026-06-21T04:47:54.1206851Z ### REQ-DAEMON-6
2026-06-21T04:47:54.1208720Z - Title: Service-aware `daemon start`/`stop`: when an OS service manager has a registered spt-daemon for this user, `spt daemon start` and `spt daemon stop` drive THAT service (so stop doesn't IPC-kill a unit that auto-restart-fights for the broker socket — the kitsubito 2026-06-08 loop). `start` graduates from a `run` alias to a first-class background verb (ensure-up, idempotent, non-blocking); stop routes managed→manager, manual→IPC. Linux=systemd user unit (`systemctl --user start|stop|is-active spt-daemon`, detected by unit-file presence); Windows=no controllable manager (the logon task is boot-only), so start=detached spawn / stop=IPC.
2026-06-21T04:47:54.1208930Z - Required stages: impl, unit
2026-06-21T04:47:54.1209053Z 
2026-06-21T04:47:54.1209141Z ### REQ-DAEMON-7
2026-06-21T04:47:54.1210503Z - Title: `daemon run` is foreground-consistent on every platform: the invoking process IS the daemon, blocks until signalled, never auto-detaches or respawns into an invisible background task. The detached/de-elevated background behavior lives ONLY in `start`. Windows: an ELEVATED `daemon run` refuses with guidance (use `start`, or an unelevated shell) instead of respawning detached/de-elevated and vanishing (KH 5.7 preserved — it still never serves elevated).
2026-06-21T04:47:54.1210623Z - Required stages: impl, unit
2026-06-21T04:47:54.1210657Z 
2026-06-21T04:47:54.1210748Z ### REQ-DAEMON-8
2026-06-21T04:47:54.1211664Z - Title: Internal auto-start prefers the service: `ensure_running` (any spt command's implicit daemon start, REQ-DAEMON-3) routes through the service-aware start path — when a manager has a registered service it starts THAT, never a competing manual `spawn_detached` daemon that would fight the service for the socket.
2026-06-21T04:47:54.1211764Z - Required stages: impl, unit
2026-06-21T04:47:54.1211802Z 
2026-06-21T04:47:54.1211902Z ### REQ-DAEMON-9
2026-06-21T04:47:54.1214156Z - Title: Net-bind boot-race resilience: a daemon that comes up net-less (NetHost::start failed — e.g. the systemd unit autostarted before the network/DNS stack was ready, `Failed to create an address lookup service`) must SELF-HEAL — retry the net bring-up in the background with capped backoff and, on success, attach net to the broker + spawn the dispatcher/peer-pump (which today are gated on `net_up` at boot and so never start, leaving the node silently unreachable until a manual restart — kitsubito 2026-06-08). Status surfaces the net-less state honestly (a net-less broker renders as 'no connection', not only a pump-STALLED line with a bogus pre-boot heartbeat age). The installer's autostart unit waits for the network (`Wants=/After=network-online.target`) as belt-and-suspenders.
2026-06-21T04:47:54.1214262Z - Required stages: impl, unit
2026-06-21T04:47:54.1214300Z 
2026-06-21T04:47:54.1214404Z ### REQ-HAZARD-LIVEHOST-BOOT-RACE
2026-06-21T04:47:54.1217958Z - Title: The brain's daemon-hosted Psyche lifecycle surfaces a host-FAILURE on the live perch (harness-diagnosable) and runs net-INDEPENDENTLY. When reconcile_once→host_one→spawn_psyche fails for a state=live_agent+status=online endpoint (e.g. the adapter's psyche binary absent from its install dir, REQ-INSTALL-11), the failure MUST be written to the perch info.json as a CURRENT-STATE field (reason + ts + attempt count; overwritten each 5s retry, CLEARED on successful host) and surfaced by `spt endpoint list`/status — never left as an eprintln on the brain's invisible stderr where a harness reading only perch state is blind. status=online stays authoritative (agent reachable; only the Psyche is missing — brain-restart rehydrate legitimately has online-without-Psyche windows), so this is a SEPARATE psyche-host-health field, never a status de-stamp. Net-independence is a locked-in invariant: spawn_live_host (brainproc.rs:230) reaches the reconcile and hosts the Psyche on a net-less/unpaired/peer-pump-STALLED node, proven by a REAL detached-daemon E2E (real broker→brain-child, real api seed+listen, real install-dir psyche binary). spt-core SURFACES the failure; the adapter owns fixing its packaging.
2026-06-21T04:47:54.1218192Z - Required stages: impl, unit, int
2026-06-21T04:47:54.1218225Z 
2026-06-21T04:47:54.1218326Z ### REQ-HAZARD-TEMPLATE-ARGV-FILL
2026-06-21T04:47:54.1222249Z - Title: Command-template substitution fills argv ELEMENTS, not a re-tokenized string: spt-core currently `fill_template`s {key} values INTO the command STRING and THEN `tokenize`s the filled string (runtime.rs:94/122), so a multi-word {key} value whitespace-SPLITS into multiple argv tokens unless the adapter hand-quotes the placeholder, and a value containing a `"` (or `;`) injects/breaks tokenization (shell-injection-adjacent). A filled value MUST become exactly ONE argv element regardless of spaces/quotes in the value. Fix: tokenize the TEMPLATE into argv FIRST, then `fill_template` EACH token, so a `{key}` slot resolves to a single element and the value never participates in tokenization (no whitespace-split, no quote/semicolon injection); preserve the missing-key / empty-command errors and `{{`/`}}` non-interpretation. perri's F-009 (v0.8.1 dogfood, argv-capture-confirmed): a multi-word `{psyche_prompt}` = "PSYCHE REVIVAL time: epoch-ms:… incoming event: (none)" arrived as argv[6..12] (7 stray tokens), the harness runner strict-parsed `--prompt` against the 2nd word, exited 2 within ~1s → phantom hosted perch. Applies to EVERY [session.<role>] template (psyche_init, extractor, notif, …); digest survives today only because its fills ({session_id}/{source}) are single-token.
2026-06-21T04:47:54.1222390Z - Required stages: impl, unit, int
2026-06-21T04:47:54.1222428Z 
2026-06-21T04:47:54.1222549Z ### REQ-HAZARD-LIVEHOST-NONRESIDENT
2026-06-21T04:47:54.1225799Z - Title: A daemon-hosted Psyche that spawns then EXITS IMMEDIATELY is a host failure, surfaced like a spawn failure (closes the v0.8.1 residual masking): the REQ-HAZARD-LIVEHOST-BOOT-RACE signal stamps `psyche_host_error` only when `spawn_psyche` returns Err, NOT when the detached spawn() returns Ok but the child dies within moments (e.g. a bad-argv child exiting 2 — the F-009 case). That leaves the residual 'online + no Psyche + no cause' gap: the nested `{id}-psyche` info.json is written status=online with a real-but-DEAD pid and the PARENT perch carries NO psyche_host_error (perri's F-010: tasklist showed 0 host procs across the window while info.json read online). The host MUST confirm RESIDENCY — a hosted child not alive (or whose `{id}-psyche` perch never re-registers / has a dead pid) within N seconds of spawn is treated as a host failure: stamp the parent perch `psyche_host_error{reason:"host not resident within <n>s (psyche perch missing/dead pid)"}` (and do not leave a phantom online nested perch). Closes the last masking gap the v0.8.1 fix left open. perri's F-010 (v0.8.1 dogfood). Sibling of REQ-HAZARD-LIVEHOST-BOOT-RACE.
2026-06-21T04:47:54.1225937Z - Required stages: impl, unit, int
2026-06-21T04:47:54.1225971Z 
2026-06-21T04:47:54.1230060Z ### REQ-HAZARD-EPOCH-RESET
2026-06-21T04:47:54.1231443Z - Title: Advertisement-epoch reset strands a node: peers' higher last-seen epoch drops the reset node's fresh advertisements as Stale until the counter outruns history. Common case (full reinstall/re-pair) is mitigated by REQ-SUBNET-7's ceremony eviction (peer-side epoch memory dies with the deleted row — acceptance-verified); the residual narrow slice (epoch file lost, identity kept) is documented, guard deferred to a field hit (4.11)
2026-06-21T04:47:54.1231700Z - Required stages: 
2026-06-21T04:47:54.1231738Z 
2026-06-21T04:47:54.1231825Z ### REQ-MESH-1
2026-06-21T04:47:54.1233910Z - Title: Membership proof (seed-proof): symmetric current-epoch seed-knowledge replaces is_trusted at EVERY inbound gate (registry apply, WAN receive, sync, notif, connection accept). MK = HKDF(seed, domain ‖ subnet_id ‖ seed_epoch); mutual channel-bound challenge-response at connect (transcript binds both handshake-proven node pubkeys, both nonces, subnet_id, seed_epoch, role); verified once per connection, cached on the broker ConnEntry, kept warm via QUIC keep-alive so re-proof is restart/partition/rotation-only. Exact-epoch match (re-seed is the sole N-1 exception). SECURITY INVARIANTS: channel-bound (no cross-connection replay), mutual, accepts a member it never paired (the mesh property).
2026-06-21T04:47:54.1234134Z - Required stages: impl, unit, int
2026-06-21T04:47:54.1234157Z 
2026-06-21T04:47:54.1234243Z ### REQ-MESH-2
2026-06-21T04:47:54.1236797Z - Title: Member roster: node-level union-merge grow-set (per member: pubkey, label, machine_id, last-known address, last-seen — NOT the seed), the discovery directory the mesh dials by. Seeded IN FULL at pairing (seed-holder hands joiner the whole current roster, incl. offline members — folds in deferred pairing-time hostname capture + post-join address seeding); each node authors its own entry stamped with its lease_epoch, merged strictly-greater-wins (the node_label lease); exchanged only over seed-proof'd member connections; forgery-inert (a fake entry names a pubkey that still can't seed-proof). Removal needs a TOMBSTONE — a per-pubkey revoked marker that propagates, dominates the entry, gates admission (seed-proof ∧ ¬tombstoned), and prevents reinsert; cleared by a completed re-pair of that pubkey. Persists through silence (offline member keeps its entry).
2026-06-21T04:47:54.1236927Z - Required stages: impl, unit, int
2026-06-21T04:47:54.1236966Z 
2026-06-21T04:47:54.1237055Z ### REQ-MESH-3
2026-06-21T04:47:54.1238678Z - Title: Mesh row fan-out: registry rows stay OWN-AUTHORED; the only change is the push target widens from directly-paired peers to ALL roster members (a wider DIRECT fan-out, never a third-party relay). Every row/message still arrives from its author over a handshake → KNOWN-HAZARDS 7.5 (origin = handshake node) and 4.10 (eviction lease: any future update comes from that node itself, alive) PRESERVED VERBATIM. Closes the staggered A→B→C repro: C (roster-seeded with A at pairing) initiates to A, seed-proof admits C unpaired, A learns C, both push directly.
2026-06-21T04:47:54.1238782Z - Required stages: impl, unit, int
2026-06-21T04:47:54.1238811Z 
2026-06-21T04:47:54.1238898Z ### REQ-MESH-4
2026-06-21T04:47:54.1241145Z - Title: Revoke + timeboxed seed rotation + re-seed grace: `spt subnet revoke <node>...` (list, elevation-gated, revoke-only) writes roster tombstones immediately, then schedules ONE seed rotation (re-mint seed, bump seed_epoch, push new seed CONFIDENTIALLY over member-auth'd TLS connections — never in roster/registry gossip — force-drop revokees) at the close of a coalescing window (default 1h); further revokes in the window join the same rotation (one epoch bump). `--force-rotate-seed` rotates immediately (compromised-node path). RE-SEED GRACE: a node proving the immediately-prior epoch (N-1) AND still on the roster gets a re-seed-only restricted connection (auto-heals a benign offliner); revoked/off-roster denied; ≥2 stale → re-pair.
2026-06-21T04:47:54.1241273Z - Required stages: impl, unit, int
2026-06-21T04:47:54.1241311Z 
2026-06-21T04:47:54.1241407Z ### REQ-MESH-5
2026-06-21T04:47:54.1242755Z - Title: Hard cutover from pairwise trust: delete peers.json + the is_trusted authorization path (no migration — expendable test fleet, re-pairs fresh under the new model, user decision 2026-06-08). Warn-on-change DEMOTED from a gate to an awareness notice anchored on machine_id (not label): 'machine M, last seen as K1, now presents K2' — fires the same event as the REQ-SUBNET-7 re-pair overwrite. The TrustStore/peers.json code and its call sites are removed, not left dead.
2026-06-21T04:47:54.1242981Z - Required stages: impl, unit
2026-06-21T04:47:54.1243011Z 
2026-06-21T04:47:54.1243097Z ### REQ-MESH-6
2026-06-21T04:47:54.1244274Z - Title: Concurrent liveness probes: `spt subnet status --nodes` fans out its offline/serve-probes (REQ-SUBNET-5) CONCURRENTLY — total wall-time bounded by the single-probe ceiling (~3s), never k×ceiling. The mesh makes a node see ALL members (many possibly offline), so a serial probe loop would be offline_count×3s. (Planning verifies the current REQ-SUBNET-5 probe loop's behavior and fixes it if serial.)
2026-06-21T04:47:54.1244379Z - Required stages: impl, unit
2026-06-21T04:47:54.1244417Z 
2026-06-21T04:47:54.1244502Z ### REQ-SHELL-3
2026-06-21T04:47:54.1246442Z - Title: Drive channel (owner->shell, REST-only, never-spooled, latest-wins): the owner->shell mirror of sensory for continuous real-time control (scroll/crank/stick/avatar) — a [shell.drive] manifest vocab + EVENT_TYPE_DRIVE frame, delivered to the ONLINE binary only via a single live slot (a new frame supersedes an undelivered one — no spool, no queue, no replay on relink), dropped-with-diagnostic if the shell is offline; cross-node rides the ephemeral link (REST class), never the durable shell spool. Commands = discrete+durable; drive = continuous+ephemeral (CONTEXT:260, minted 2026-06-11 Gateway grill).
2026-06-21T04:47:54.1246567Z - Required stages: impl, unit, int
2026-06-21T04:47:54.1246596Z 
2026-06-21T04:47:54.1246676Z ### REQ-SHELL-4
2026-06-21T04:47:54.1248423Z - Title: Shell tunnel (reliable-ordered opaque byte stream): an owner<->shell link may hold a long-lived, reliable-ordered, link-bound QUIC stream pair carrying opaque wire protocol traffic the channel taxonomy must NOT reinterpret (first consumer usbip URB) — manifest opt-in, not enveloped, not MAC-framed, not spooled; the link lifecycle governs it (a link-break closes the tunnel). Reliable-ordered ⇒ congestion surfaces as lag never loss ⇒ acceptable only on-LAN: the on-LAN posture is documented and the tunnel is NOT proven cross-WAN (CONTEXT:262, minted 2026-06-11 Gateway grill; doyle gate C2).
2026-06-21T04:47:54.1248547Z - Required stages: doc, impl, unit, int
2026-06-21T04:47:54.1248585Z 
2026-06-21T04:47:54.1248685Z ### REQ-CONSENT-3
2026-06-21T04:47:54.1250586Z - Title: Per-capability approval gates (class-keyed): the require_approval enum may ride INDIVIDUAL [shell.capabilities] entries — gating the dangerous ACT, not just the spawn — with an optional class_key scoping the grant qualifier finer than the capability id ((owner endpoint x device class x node); a remembered HID-class attach grant never authorizes a storage-class attach). Reuses the grant store + interactive escalation + tighten-only floor (REQ-CONSENT-1/2 plumbing). Spawn gates govern EXISTENCE; capability gates govern ACTS — an explicitly distinct invariant (CONTEXT:283, ratified 2026-06-11 Gateway grill).
2026-06-21T04:47:54.1250711Z - Required stages: doc, impl, unit, int
2026-06-21T04:47:54.1250735Z 
2026-06-21T04:47:54.1250828Z ### REQ-SHELL-5
2026-06-21T04:47:54.1252001Z - Title: Shell ownership is owner-type-agnostic: any non-Shell endpoint type may own/spawn/drive/command/link a shell (Gateway the named first) — control-exclusivity keys on the owner endpoint_id, NEVER on the owner's endpoint type. No ownership path (mint, launch, owner-from-link, cmd, drive, tunnel, sleep/wake, owner-shutdown) inspects the owner's type (CONTEXT:264, ratified 2026-06-11 Gateway grill).
2026-06-21T04:47:54.1252110Z - Required stages: doc, impl, unit, int
2026-06-21T04:47:54.1252148Z 
2026-06-21T04:47:54.1252253Z ### REQ-HAZARD-VIEWER-CLOSE-DETACH
2026-06-21T04:47:54.1261975Z - Title: A VIEW is independent from the endpoint: closing the tab/window where `spt endpoint run` was invoked must detach ONLY the `spt rc` attach pump — the daemon-hosted harness keeps running and stays re-attachable via `spt rc <id>`. ROOT (Windows, v0.12.0 real-harness defect): the daemon never breaks away from the launching terminal's Job Object. Windows Terminal / VS Code place the launched shell AND every descendant into a Job Object with JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE; closing the tab drops the terminal's last job handle → the OS terminates every process still in that job. A child escapes only with CREATE_BREAKAWAY_FROM_JOB — used NOWHERE in the tree. Both daemon spawn paths (daemon.rs:707 detached_no_inherit = DETACHED_PROCESS|CREATE_NEW_PROCESS_GROUP|CREATE_NO_WINDOW; deelevate.rs:519 elevated = CREATE_NEW_CONSOLE|...) drop the CONSOLE but NOT job membership, so the daemon's freshly broker-spawned ConPTY harness subtree is reaped on tab-close. The ConPTY/pseudoconsole isolation itself is CORRECT (portable-pty builds the pseudoconsole in the daemon; no console signal / handle leak) — the leaking lifetime binding is the Job Object, not the console. FIX: add CREATE_BREAKAWAY_FROM_JOB to both daemon spawn paths AND pin each broker-spawned harness into a DAEMON-OWNED Job Object (mirror reap.rs/Breap) as backstop (survives even where a terminal sets SILENT_BREAKAWAY_OK=false). Unix: the daemon's own session detachment (new session, no controlling terminal) already keeps a closing terminal's SIGHUP off its children — verify, add a guard test, no code expected. FIX UPDATE (v0.12.1 L1.5, doyle re-scope operator-approved 2026-06-18): job-neutral daemon launch is now PRIMARY, breakaway DEMOTED to a fallback rung. ROOT reframed — the daemon INHERITS the terminal's Job because spawn_detached runs FROM the terminal-child CLI (DETACHED_PROCESS detaches the console, not the job); breakaway tried to claw back out but a job CAN deny it (the L1 finding). FIX: launch the cold-started daemon via a job-NEUTRAL creator so it is WmiPrvSE/Task-Scheduler-owned, OUTSIDE any terminal job from birth (why Task-Scheduler-autostarted daemons never had this bug). Launcher ladder (first-success-wins, daemon.rs spawn_detached → BOTH cold-start AND `spt daemon start`): (1) WMI Win32_Process.Create via ABSOLUTE powershell -EncodedCommand (KH 5.12 abs path; base64-UTF16LE dodges all quoting; success requires BOTH ReturnValue==0 AND a parsed ProcessId, else fall-through — never a silent launched), forwarding SPT_* env via a `cmd /c set … & start /b` wrapper because a WMI/scheduler child does NOT inherit transient shell env (verified — SPT_HOME would be lost, wrong universe); (2) schtasks one-shot (same env wrapper; best-effort fallback); (3) CREATE_BREAKAWAY_FROM_JOB (the L1 code, reordered below); (4) in-job last resort (logs DETACH_IN_JOB + tab-close caveat). detached_no_inherit (breakaway-then-in-job) is UNCHANGED for its other caller shellhost::launch_shell (a daemon-spawned shell is already job-neutral once the daemon is). The elevated deelevate path keeps its L1 breakaway for now (elevated-case WMI-reparent = FOLLOW-UP). (v0.12.1)
2026-06-21T04:47:54.1262365Z - Required stages: doc, impl, unit, int
2026-06-21T04:47:54.1262398Z 
2026-06-21T04:47:54.1262508Z ### REQ-HAZARD-ATTACH-WEDGE
2026-06-21T04:47:54.1267716Z - Title: A legitimately dead PTY child (real crash/kill) + an undrained operator pump must NOT wedge the broker for all other clients. ROOT (v0.12.0 real-harness defect): loopback attach output is a blocking write_all into a bounded 64KB tokio duplex (nethost.rs:1040,1090); when the operator's rc pump stops draining (tab closed) the buffer fills and write_all blocks forever (the 'loopback never hangs' assumption at nethost.rs:1103 is false), parking a worker in the 2-worker net runtime (nethost.rs:640); a couple of these saturate BOTH workers → every new attach / `endpoint run` stalls right after 'PUMP_IPC_READER: spawned' → 30s FIRST_EVENT_GRACE → 'no output / dead or wedged'; `daemon stop` cannot join the stuck workers. DISTINCT from the removed B1 path-(c) mutex deadlock. DISPOSITION = PROVE-DON'T-CHANGE (doyle GATE-PASS @e883f45, 2026-06-18): this ROOT is the SUPERSEDED v0.12.0 hypothesis — the post-L0 code ALREADY prevents the wedge, so NO fail-fast / worker-count code was added. serve_attach forwards fire-and-forget (net_stream_send op_id=None) and the broker-side send_stream is already BROKER-QUIC-DEADLINE-bounded (bounded_block_on, 10s); the loopback duplex is drained broker-INTERNALLY by the operator row's own read pump (RecvHalf::Loopback, retentive_cap==0 → evict-not-park) so a dead rc (a dropped IPC subscriber) never backs peer_w up; bounded_block_on parks the BROKER DISPATCH thread, not a net worker → no worker-pool exhaustion (full mechanism in the required_stages comment). Folds the status=online sub-check: a dead spt-hosted endpoint is marked OFFLINE within one reconcile tick on abrupt child death (broker exit-waiter reaps the session → B2 sees it absent) — PROVEN, no change. (v0.12.1)
2026-06-21T04:47:54.1267915Z - Required stages: int
2026-06-21T04:47:54.1267939Z 
2026-06-21T04:47:54.1268045Z ### REQ-PICKER-HISTORY-FRESH
2026-06-21T04:47:54.1269290Z - Title: The `spt endpoint run` picker shows project history for FRESH endpoints (operator-raised v0.12.0 real-harness finding). Symptom: a fresh endpoint shows no project history in the picker. ROOT TBD — investigate the project-history loader (v0.10.0 PICKER-2, picker/data.rs) before fixing: distinguish a real loader bug from 'fresh = no history yet' semantics. (v0.12.1)
2026-06-21T04:47:54.1269400Z - Required stages: impl, unit
2026-06-21T04:47:54.1269428Z 
2026-06-21T04:47:54.1269538Z ### REQ-PICKER-ONLINE-ACTION
2026-06-21T04:47:54.1271068Z - Title: The `spt endpoint run` picker shows the correct action for an ALREADY-ONLINE endpoint — Attach, NOT 'Start now' (operator-raised v0.12.0 real-harness finding). Symptom: the picker offers 'Start now' for endpoints that are already online. ROOT TBD — investigate the status→action mapping (v0.10.0 PICKER-1 four-state status, picker/model.rs): is it reading live/online state correctly, or rendering stale/wedged broker state (i.e. partly a symptom of the broker wedge / status=online latch)? Fix so online → Attach. (v0.12.1)
2026-06-21T04:47:54.1271189Z - Required stages: impl, unit
2026-06-21T04:47:54.1271227Z 
2026-06-21T04:47:54.1271326Z ### REQ-ENDPOINT-LIST-MERGE-LOCAL
2026-06-21T04:47:54.1273068Z - Title: `spt endpoint list` always merges this node's LOCAL (unadvertised) perches into the view; the `--local` flag is REMOVED (operator decision 2026-06-17). Rationale: `spt whoami` is a thin alias of `endpoint list` — a just-online agent running `whoami` must see its OWN perch, or it gets an omitted-self view ('chaos'). FIX: drop the `--local` flag + its `--detail` conflict test + the v0.10.0 REQ-PICKER-5 hint line (cli.rs:1678) + cmd_list_local; the bare list merges local perches into the subnet view; fix the whoami alias path accordingly. Run `cargo run -p xtask -- gen` (docs-drift, DEFAULT target). (v0.12.1)
2026-06-21T04:47:54.1273178Z - Required stages: doc, impl, unit
2026-06-21T04:47:54.1273216Z 
2026-06-21T04:47:54.1273340Z ### REQ-HAZARD-ENDPOINT-RUN-ATTACH-OUTPUT
2026-06-21T04:47:54.1278252Z - Title: A clean `spt rc` attach to a LIVE spt-hosted (`endpoint run`) harness must DELIVER the harness's PTY output. KEYSTONE — the operator's central 'attach shows no output' symptom, reproduced on the real dummy-harness fixture (v0.12.1 Wave 1) with NO death and NO wedge: bringup succeeds (online, harness pid alive + heartbeating, psyche hosted), the attach CONNECTS (PUMP_IPC_READER spawned, no RC_FAIL, holds the full window) — but receives EXACTLY 0 bytes over 10s of the harness's flushed [session.self] stdout. DISTINCT from REQ-HAZARD-VIEWER-CLOSE-DETACH (death) and REQ-HAZARD-ATTACH-WEDGE (dead-child backpressure): here the harness is ALIVE and the attach is a clean first subscribe. This BLOCKS the 'view is independent' invariant — re-attach is meaningless if a live endpoint-run harness shows nothing. KNOWN-GOOD (rules out 'no drain'): attach.rs `local_attach_via_loopback_conn_rides_the_same_pump` + `broker_spawns_the_pty_child_in_the_requested_cwd` prove the broker DOES drain+fan a `spawn_session` PTY child to a loopback attach over the SAME transport rc uses. Both spawn_session and endpoint-run's spawn_session_pid send KIND_SPAWN → the same dispatch_spawn (broker.rs:706/835) which starts the per-session drain+OutputLog — so the gap is NARROWER than 'no drain', endpoint-run-specific. Root candidates: (a) spawn_session_pid's SpawnReq stdio/env/cwd differs so the dummy's stdout isn't the captured ConPTY; (b) the harness stdout WRITE BLOCKS because the ConPTY buffer fills (drain not reading THIS pty) — explains alive-but-0-bytes; (c) ConPTY reader-park (KH 7.6) on this path; (d) `spt rc` resolve_session/subscribe for an endpoint-run session subscribes to the wrong/empty log. (v0.12.1)
2026-06-21T04:47:54.1278490Z - Required stages: impl, unit, int
2026-06-21T04:47:54.1278514Z 
2026-06-21T04:47:54.1278615Z ### REQ-CLI-HELP-MARKDOWN
2026-06-21T04:47:54.1281657Z - Title: `spt --help` (and every subcommand --help) renders the inline Markdown authored in the clap doc-comments as terminal styling, never as literal markers: `**bold**` → ANSI bold, `` `code` `` → ANSI cyan, `[text](url)` → `text`. The markers are STRIPPED either way — a raw `**` or backtick must NEVER reach the user (the operator-reported v0.12.0 defect: help text reads `**ctrl-b**` and stray backticks verbatim). Color/bold escapes are emitted ONLY when the help is going to a real terminal AND color is not suppressed (NO_COLOR unset · CLICOLOR != 0 · CLICOLOR_FORCE forces on); a pipe / redirect / CI / NO_COLOR falls back to strip-only (clean plaintext, zero escapes) so machine-readable help is byte-identical regardless of marker syntax. Pure transform over the clap-rendered help string at the single run()/bare_invocation chokepoint; preserves pre-existing ANSI (CSI sequences passed through untouched), never spans markers across a newline, leaves unmatched/empty markers literal, and does not alter the help layout. (v0.12.1)
2026-06-21T04:47:54.1281876Z - Required stages: impl, unit
2026-06-21T04:47:54.1281910Z 
2026-06-21T04:47:54.1282021Z ### REQ-HAZARD-WMI-DAEMON-WINDOW
2026-06-21T04:47:54.1284448Z - Title: `spt daemon start` launches the daemon with NO visible console window. REGRESSION (v0.12.1 L1.5): the WMI job-neutral launch (spawn_daemon_via_wmi) set CREATE_NO_WINDOW on the launching powershell but NOT on the Win32_Process.Create call — Win32_Process.Create does not inherit it, so the spawned cmd.exe env-forwarding wrapper popped a console window on every cold-start (violating REQ-INSTALL-10's v0.7.4 no-persistent-window invariant; the old detached_no_inherit path set DETACHED_PROCESS|CREATE_NO_WINDOW). FIX: pass a Win32_ProcessStartup with CreateFlags=DETACHED_PROCESS (0x8 — no console so no window; CREATE_NO_WINDOW 0x08000000 is NOT a valid Win32_ProcessStartup flag → ReturnValue 21 invalid-param, which is why the naive port fails) + ShowWindow=SW_HIDE(0) belt, via the ProcessStartupInformation argument. (v0.12.2)
2026-06-21T04:47:54.1284554Z - Required stages: impl, unit, int
2026-06-21T04:47:54.1284593Z 
2026-06-21T04:47:54.1284702Z ### REQ-CLI-OUTPUT-MARKDOWN
2026-06-21T04:47:54.1289151Z - Title: Human-prose COMMAND OUTPUT (not just `--help`) renders the inline Markdown authored in its source strings as terminal styling, never literal markers: `` `code` `` → ANSI cyan, `**bold**` → ANSI bold, `[text](url)` → `text`, markers STRIPPED either way. REQ-CLI-HELP-MARKDOWN only hooked the clap `--help` chokepoint, so command output still printed raw Markdown (audit: `spt how-to` topic text showed `# headers`/backticks, `spt subnet`/`subnet status` hint footers showed stray backticks, the daemon-status `not running` line, the `ENDPOINT_RUN_STARTED` attach hint, and the daemon's `SUBNET_DETACHED` startup line — 13 prose surfaces). The same line-bounded pure `helpfmt::render` is applied at each emit site, color-gated by the OUTPUT STREAM's own tty (`stdout_color` for print/println, the new `stderr_color` for eprintln). HARNESS-SAFETY (binding): color is tty-gated, so an adapter (piped / non-tty / NO_COLOR) gets STRIP mode = zero ANSI + markers removed; every dual-contract MACHINE token on a rendered line (`ENDPOINT_RUN_STARTED:`, `NO_SUCH_TOPIC:`, `SUBNET_DETACHED:`) carries NO Markdown markers, so it survives strip byte-intact — the adapter parse is never perturbed. Pure-machine output (the `<EVENT …>` envelope, bringup parse-tokens SEEDED/BOUND/READY/NO_SEED, `--json`, QR) is NEVER routed through the renderer. The one spt-daemon source string (`SUBNET_DETACHED`, the bin-local renderer is unreachable from the daemon crate) is authored marker-free instead. (v0.12.2)
2026-06-21T04:47:54.1289394Z - Required stages: impl, unit
2026-06-21T04:47:54.1289433Z 
2026-06-21T04:47:54.1289551Z ### REQ-HAZARD-INJECT-CONTROL-COEXIST
2026-06-21T04:47:54.1296937Z - Title: SPINE INVARIANT (v0.13.0 keystone): the broker must accept INJECTED keystrokes into an spt-hosted PTY (the v0.11.0 raw direct-inject today; the ADR-0022 translation-binary choreography tomorrow) WHILE a live `spt rc` controller is attached to the SAME PTY, without (a) the operator losing control, (b) the endpoint latching ONLINE+CONTROLLED, or (c) the broker wedging. The injection inlet is PERMANENT — spt-claude-code requires keystroke injection — so this is root-caused + fixed at the PTY-injection layer, IN STEP with the ADR-0022 delivery redesign that formalizes the inlet. REOPENS the wedge facet of REQ-HAZARD-ATTACH-WEDGE: the v0.12.1 prove-don't-change covered only DEAD-CHILD backpressure, NOT the injection trigger (operator's signal — one injected keystroke succeeds, the next wedges → the single-threaded broker parks on a blocking PTY/loopback write after injection-induced harness output). REPRO-FIRST on the real dummy-harness fixture (NO theory): instrument to nail the exact blocking call before any fix. Fix candidates: non-blocking/fail-fast PTY write, split input/output, bounded-evicting. Mechanism shared with W2 — spt-core owns EVERY PTY write and applies an injected sequence ATOMICALLY (controller input buffered during the sequence, flushed after) so a stash/restore can't be clobbered. CONFIRMED ROOT (doyle /diagnose 2026-06-19, code-grounded): Broker::append (broker.rs:205-227) fans each live output chunk to the CONTROLLER on a SYNCHRONOUS BLOCKING write_frame held inline in the session's drain thread (the 'authoritative, advances delivered_through' path, D4-1), while VIEWERS use a dedicated writer thread + bounded evicting sync_channel (add_viewer:273 / viewer_writer) that can never stall the drain. So a slow/backed-up controller socket — or the full 64KB loopback duplex (the ATTACH-WEDGE buffer) — BLOCKS the drain thread → output stalls → keystroke echoes stall (PERCEIVED input lag) → unrecoverable wedge when the consumer never drains. TRIGGERS ON NORMAL INTERACTIVE rc USE under heavy harness output (TUI redraw), NOT only message injection — same root, wider repro. FIX DIRECTION: move controller delivery off the drain thread onto a dedicated writer (the viewer_writer pattern) BUT preserve the authoritative cursor — block the WRITER thread (not the drain), bound the wedge (deadline → detach/mark-gone, never park forever), never silently evict the operator's authoritative view. (v0.13.0)
2026-06-21T04:47:54.1297208Z - Required stages: impl, unit, int
2026-06-21T04:47:54.1297237Z 
2026-06-21T04:47:54.1297356Z ### REQ-MSG-IDLE-TRANSLATION-BINARY
2026-06-21T04:47:54.1302297Z - Title: spt-hosted idle message delivery via an adapter TRANSLATION BINARY (ADR-0022). New opt-in manifest section `[message-idle-translation-binary]` = a TABLE carrying a `path` scalar (doyle OPT-B ruling: modeled as a table, not a bare top-level scalar, so a preceding section cannot silently absorb it + N+1 extensible; spt-core does NOT deny_unknown_fields, so a future key degrades gracefully); spt-core LIFECYCLE-manages it (spawn when the endpoint comes up, terminate when it goes down). The binary is a PURE stdin→stdout filter; spt-core owns EVERY PTY write. stdin (JSON-lines): `{type:"init",endpoint_id,node}` first · `{type:"event",envelope:"<EVENT…>"}` per inbound message (ADR-0020 envelope) · `{type:"input"}` content-free ping on each operator keystroke (binary tracks user-idle for its own idle-gated buffering; PTY input content NOT duplicated). stdout (JSON-lines): keystroke-commands `{key:…}`/`{delay_ms:…}`/`{text:…}` (extensible). spt-core applies the emitted sequence to the broker PTY ATOMICALLY (the W1 coordination — REQ-HAZARD-INJECT-CONTROL-COEXIST). The daemon poll feed is the ONE idle substrate for both topologies (Q1=A): harness-hosted consumer = the Monitor child, spt-hosted consumer = this binary; spt-core PREFERS a perch's poll listener if one exists (so spt-hosted can run a listener AND keep `spt rc`). Idle-only; busy/mid-turn = adapter hook-injection. Closes the current grounding gap: `api bind` registers no listener port → a listener-less spt-hosted perch SPOOLS inbound (only spooling+adapter-poll works today) → this delivers real inbound into the PTY. The v0.11.0 raw inject is the degenerate `{text:payload}{key:enter}` case. (v0.13.0)
2026-06-21T04:47:54.1302635Z - Required stages: doc, impl, unit, int
2026-06-21T04:47:54.1302678Z 
2026-06-21T04:47:54.1302787Z ### REQ-HAZARD-BIND-CWD-UNSET
2026-06-21T04:47:54.1305316Z - Title: A bound endpoint's `info.cwd` is SET at bind so a freshly-created perch appears under its own project tab. ROOT (found, v0.13.0): `info.cwd` is NEVER set on bind — `cmd_bind` (spt-hosted) and `bind_from_seed` (harness-hosted) never thread cwd into `establish_perch`/`rec.cwd`. FIX: `cmd_bind` reads its own `current_dir` (the broker spawned it in `project_cwd`); `bind_from_seed` passes `seed.cwd` (already captured at seed time, currently DISCARDED). DISTINCT from REQ-PICKER-HISTORY-FRESH (v0.12.1) — that unioned cwd-origin into picker MEMBERSHIP but tested merge_origin_project with a PROVIDED origin; it never asserted `info.cwd` is actually set on bind, so a real `endpoint run` perch still had an empty cwd and the union had nothing to union. This is the v0.12.1 P1 'appears under its own project right away' claim that was REFUTED in the changelog — delivered for real here. (v0.13.0)
2026-06-21T04:47:54.1305450Z - Required stages: impl, unit, int
2026-06-21T04:47:54.1305489Z 
2026-06-21T04:47:54.1305587Z ### REQ-PICKER-UX-V013
2026-06-21T04:47:54.1307168Z - Title: `spt endpoint run` picker UX (v0.13.0 operator dogfooding): (1) SKIP the first screen — open directly on 'Pick existing'; `n` jumps to 'Create new'. (2) AUTO-ATTACH after both Start-new AND Resume-from-history (both currently don't attach and show no stdout); add an `h` shortcut to run headless (no attach). (3) 'controlled by' shows the node NAME (node_label_display), not the raw hex. (4) Clean up Start-new output — drop the Rust `pid=Some(142748)` leak and the 'harness binds its perch on startup' internals; user-friendly, not a process log. (v0.13.0)
2026-06-21T04:47:54.1307272Z - Required stages: 
2026-06-21T04:47:54.1307306Z 
2026-06-21T04:47:54.1307421Z ### REQ-HAZARD-DRIVEN-BY-SELFHEAL
2026-06-21T04:47:54.1308921Z - Title: An spt-hosted endpoint's ONLINE+CONTROLLED state (`driven_by`) must CLEAR even when the detach IPC is lost — do NOT rely on the detach signal (same lesson as REQ-HAZARD-HOSTED-LIVENESS-RECONCILE B2): the reconcile loop clears `driven_by` when the endpoint has no live controller/session. Today a wedged or lost pump never delivers the detach, so the endpoint stays latched CONTROLLED forever. Composes with W1 (the wedge no longer blocks the detach) and rides the same pull-primary reconcile substrate as B2. (v0.13.0)
2026-06-21T04:47:54.1309112Z - Required stages: impl, unit, int
2026-06-21T04:47:54.1309140Z 
2026-06-21T04:47:54.1309260Z ### REQ-HAZARD-DRIVEN-BY-IDLE-REMOTE-EVICT
2026-06-21T04:47:54.1313942Z - Title: An spt-hosted endpoint driven by a REMOTE controller whose remote is gone but whose broker connection stays OPEN (a wedged/lost pump that never delivers the detach) AND whose session is IDLE (no output) stays latched ONLINE+CONTROLLED forever: the W1 drain-evict only fires on OUTPUT (CONTROLLER_WRITE_DEADLINE on a backed-up write), a clean disconnect self-heals via detach_if→clear_controller, but an idle session with a half-open/wedged controller connection produces neither signal. PROVED repro-first on a real broker (v0.13.0 W5, inject_control_wedge.rs w5_a2): controller_by STAYS Some(origin) and driven_by STAYS Some after the remote is abandoned without a clean EOF on an idle session — so the brain reconcile CANNOT detect it from KIND_SESSIONS controller_by (the broker still reports it controlled). FIX DIRECTION (doyle ruling 2026-06-19, broker-side single-writer — the broker owns driven_by/clear_controller): wire the EXISTING D4c NetPresence connection-disconnect event → clear_controller for any session whose controller identity == the dead origin (become_controller already stores Some(origin); presence events already exist — modest wiring, NOT a new probe). The liveness ORACLE is QUIC's own keepalive/idle-timeout: a presence-disconnect IS a real QUIC conn close, already tolerant of transient blips within the keepalive window, so NO heavy partition ADR is needed UNLESS the QUIC timeout proves too slow for the UX (then mint an ADR for a faster controller-heartbeat + its false-evict bound). Composes with W1 (output path) + W5 Gap B (no-session) — this is the third, idle-remote, leg. (v0.13.0 follow-up)
2026-06-21T04:47:54.1314260Z - Required stages: 
2026-06-21T04:47:54.1314292Z 
2026-06-21T04:47:54.1314399Z ### REQ-HAZARD-RC-INPUT-KEY-ENCODING
2026-06-21T04:47:54.1318873Z - Title: An `spt rc` session forwards the Backspace key as the VT DEL byte (0x7f), so the hosted TUI (Claude Code) deletes ONE character — never a whole word. SYMPTOM (operator dogfooding): Backspace in an rc session always behaves like ctrl+Backspace — deletes the entire last word. ROOT (doyle /diagnose, code-grounded, byte PENDING HITL confirm): rc is a RAW VERBATIM byte pump — spawn_stdin_reader (rc.rs:152) reads std::io::stdin() bytes under crossterm raw mode and forwards them unchanged (parse_stdin_chunk only intercepts the ctrl-b detach prefix); there is NO key-event encoding and NO 0x08↔0x7f normalization ANYWHERE in the tree (grep: zero SetConsoleMode / ENABLE_VIRTUAL_TERMINAL_INPUT). On Windows, crossterm enable_raw_mode does NOT set ENABLE_VIRTUAL_TERMINAL_INPUT, so the LEGACY console delivers ^H (0x08, ctrl+h) for Backspace instead of VT DEL (0x7f); Claude Code maps ^H → backward-kill-word → the observed whole-word delete. CONFIRM-FIRST (build the loop): an env-gated hexdump in spawn_stdin_reader (SPT_RC_DEBUG_KEYS) prints the forwarded byte; operator presses Backspace + ctrl+Backspace in a real rc session. FIX CANDIDATES: (a) enable ENABLE_VIRTUAL_TERMINAL_INPUT on the rc stdin console on Windows so the console emits proper VT (Backspace→0x7f, arrows/Home/End as CSI) — cleanest, fixes the whole key map not just Backspace; (b) narrow normalize bare 0x08→0x7f in the rc input path (riskier — a real ctrl+h is also 0x08). Prefer (a) unless it regresses other keys. Add a KNOWN-HAZARDS.md entry on landing. (v0.13.0)
2026-06-21T04:47:54.1319058Z - Required stages: impl, unit
2026-06-21T04:47:54.1319101Z 
2026-06-21T04:47:54.1319221Z ### REQ-HAZARD-EFFECT-JOURNAL-PTY-WEDGE
2026-06-21T04:47:54.1328150Z - Title: The effect journal serializes EVERY PTY effect under one mutex held ACROSS two fsyncs AND the blocking PTY write — so interactive input stutters and ultimately wedges the daemon hard. ROOT (doyle /diagnose, code-grounded + MEASURED on the operator's real Windows box, 2026-06-19): EffectJournal::apply_once (effect.rs:168-188) takes `inner.lock()` and holds it across `write_line(PENDING)` → `effect()` → `write_line(DONE)`, where write_line (effect.rs:235-239) does flush()+sync_all() (a full FlushFileBuffers) — so each effect pays TWO fsyncs under a GLOBAL lock, and the closure `effect()` (the actual PTY write, broker.rs:1257 EffectKind::PtyWrite via attach.rs:197 send_effect) runs while the lock is held. Two operator-visible facets, ONE root: (A) STUTTER/LAG — every keystroke is a PtyWrite effect = 2× sync_all serialized; measured fsync on %LOCALAPPDATA%\spt-core = median 6.5ms, spikes to 198ms (C: was recently at 100%), so ~13ms+ per keystroke best case, hundreds under contention → 'many but not all keypresses take 100s of ms, choppy, worsens with volume'. (B) HARD PERMANENT WEDGE — when a PtyWrite `effect()` blocks (ConPTY input buffer full / harness not draining stdin), the journal lock is held INDEFINITELY → the single-threaded inbound-stream dispatch (dispatch.rs serve_attach, which both applies input effects AND opens attaches) can never progress → EVERY subsequent attach (`spt rc --view`/`--take`) fails with 'attach request: brain IPC read deadline elapsed' (confirmed: two retries deadline identically; broker control-plane KIND queries still answer — different thread). This REFUTES the W2-deferred ruling that park-(b)/(c) is 'Windows-benign because ConPTY absorbs 4MiB' — on the real box the input path wedges regardless. DISTINCT from W1 (REQ-HAZARD-INJECT-CONTROL-COEXIST = the OUTPUT drain, correctly fixed @8b5583e; output uses broker.rs:1106 append, NOT the fsync journal). This is the INPUT/effect-journal path W1 never touched, and it is THE wedge the operator hits with --take/--view. FIX DIRECTION (candidates, repro-first — extend inject_control_wedge.rs to a REAL backed-up-PTY-consumer + a real rc-client attach assertion, the gap W1's gate missed): (1) do NOT hold the journal lock across effect() — reserve the key + fsync PENDING under lock, RELEASE, run effect(), re-acquire to fsync DONE + mark applied (preserve crash-idempotency via the per-key reservation, not a global hold); (2) bound/fail-fast the PtyWrite itself (the W2-deferred park bound — write_input must never block indefinitely, DSR-answer must not hold the writer mutex across a blocking write); (3) drop per-keystroke fsync on the interactive path — PtyWrite effects are EPHEMERAL (a keystroke lost on a broker crash is retyped; PTY state is not reconstructed from keystroke replay), so in-memory applied-set dedup suffices (the broker survives the brain — that IS the dedup anchor), with async/batched fsync or no-fsync for EffectKind::PtyWrite while durable kinds (NetSend/NetDial/Registry/Spool) keep their fsync. Combine (1)+(3) at minimum. Add a KNOWN-HAZARDS.md entry on landing. (v0.13.0)
2026-06-21T04:47:54.1328508Z - Required stages: impl, unit, int
2026-06-21T04:47:54.1328536Z 
2026-06-21T04:47:54.1328641Z ### REQ-HAZARD-RC-ATTACH-ONLINE-RACE
2026-06-21T04:47:54.1332267Z - Title: `spt endpoint run` in an ATTACH/VIEW terminal action attaches BEFORE the freshly-spawned endpoint is online, so the attach races (or outright loses to) the harness bind. ROOT (doyle /diagnose, code-grounded): cmd_endpoint_run (cli.rs) does launch_harness_brokered_in -> (if start: return) -> run_attach with NO await-online between them. launch_harness_brokered_in returns once the harness PROCESS is spawned, but the broker-PTY bind (info status -> STATUS_ONLINE + the live session) lands ASYNC. Both picker attach paths route here with start=false (RunMode::Attach -> cmd_endpoint_run start=false,view=false): Start-now catches the endpoint mid-bringup -> run_attach attempts + loses the handshake race; Resume-from-history catches it still fully OFFLINE -> run_attach's status-gate (REQ-HAZARD-RC-ATTACH-FAILFAST) short-circuits 'offline - nothing to attach' and NEVER attempts. SAME root, two faces (the W4 attach-by-default surfaced both; an online endpoint is unaffected - the picker returns Outcome::Attach, not Run). FIX: in cmd_endpoint_run, when the terminal action is attach/view (NOT start), AWAIT the endpoint online between launch_harness_brokered_in success and run_attach - poll spt_store::info read_info().status to STATUS_ONLINE with a bounded harness-boot deadline (~25s) at a tight interval; on online -> run_attach; on timeout -> ENDPOINT_RUN_ONLINE_TIMEOUT err (do NOT attach a dead bringup). (v0.13.0)
2026-06-21T04:47:54.1332400Z - Required stages: impl, unit, int
2026-06-21T04:47:54.1332433Z 
2026-06-21T04:47:54.1332541Z ### REQ-RC-KEY-VT-TRANSLATE
2026-06-21T04:47:54.1338228Z - Title: On Windows, `spt rc` translates CONSOLE KEY EVENTS to standard xterm VT so ALL keys reach the hosted harness — arrows/Home/End/PgUp/PgDn/Insert/Delete/F-keys, every modifier combo, Backspace/Ctrl+Backspace — not just the byte-emitting ones. ROOT (operator HITL, doyle /diagnose): `spt rc` reads raw STDIN BYTES (spawn_stdin_reader, std::io::stdin().read); on the Windows LEGACY console (no ENABLE_VIRTUAL_TERMINAL_INPUT) the special keys produce console KEY_EVENTs, NOT stdin bytes, so the byte-pump sees nothing → those keys are DEAD. Enabling ENABLE_VIRTUAL_TERMINAL_INPUT was rejected (W7 dc07c39): on Windows Terminal it yields harness-specific win32-input-mode + broke ctrl-b detach. FIX (agnostic, full fidelity): on Windows, replace the stdin byte-read with a crossterm EVENT source (crossterm 0.28 already a dep; the picker already reads events) and translate each KeyEvent → STANDARD xterm VT bytes via a PURE translate_key_event(KeyEvent)->Vec<u8> (copy a known-correct xterm table verbatim, ADR-0001 spirit), forwarded through the SAME rc pump — the harness receives ordinary xterm VT (harness-AGNOSTIC, no win32-input-mode). Press-only (drop Repeat/Release). Detach stays the ctrl-b+'d' PREFIX, event-sourced (doyle Option B): Ctrl+B arms; armed+plain-'d'⇒Detach; armed+Ctrl+B⇒emit literal 0x02; armed+other⇒0x02 then translate(other). Non-tty stdin (piped/tests) → FALL BACK to the byte-read path (keeps e2e byte-injection working). UNIX UNCHANGED (its raw-mode byte stream already delivers proper VT; cfg-split, zero Unix regression). SUPERSEDES the W7 normalize_key_byte swap on Windows — the translator emits 0x7f for Backspace and 0x08 for Ctrl+Backspace natively (REQ-HAZARD-RC-INPUT-KEY-ENCODING folded in). NO int (a live interactive console can't be driven in CI — HITL, REQ-RUN-PICKER/RC-1 precedent); the exhaustive non-vacuous translate_key_event mapping unit + the event-detach unit ARE the surface. (v0.13.0)
2026-06-21T04:47:54.1338576Z - Required stages: doc, impl, unit
2026-06-21T04:47:54.1338614Z 
2026-06-21T04:47:54.1338729Z ### REQ-HAZARD-PTY-INPUT-WRITER-WEDGE
2026-06-21T04:47:54.1344922Z - Title: Pasting into an `spt rc` session WEDGES the broker — after a paste the operator can no longer type AND can no longer attach to NEW or EXISTING sessions (`brain IPC read deadline`). ROOT (doyle /diagnose, code-grounded): the operator-keystroke path rc -> net-stream Input -> serve_attach (attach.rs:197 brain.send_effect) -> KIND_INPUT -> broker dispatch loop (broker.rs:1091) -> dispatch_input (broker.rs:1459) -> session.write_input(&bytes) runs SYNCHRONOUSLY on the broker request-handling thread. W1b (REQ-HAZARD-EFFECT-JOURNAL-PTY-WEDGE) released the journal lock across the effect (fix 1) + made PtyWrite ephemeral/no-fsync (fix 3) but EXPLICITLY DEFERRED fix (2) — bound/fail-fast the PtyWrite itself. A single keystroke never fills the ConPTY input buffer; a PASTE BURST does -> write_input blocks -> the dispatch thread cannot service the next frame (a re-attach subscribe, a become_controller restore-write, an inject-floor flush) -> wedge. Not a bug-2 regression (the byte path funnels to the same write_input; paste just reliably fills the buffer). FIX (doyle design, V0.13.0-P0-PTY-INPUT-WRITER-DESIGN.md, CONTEXT L33 broker-owns-PTY/minimal + L435 SessionSurface + single-writer pattern): one dedicated per-session INPUT-WRITER THREAD = the SOLE caller of the blocking write_input, fed by a BOUNDED FIFO channel; every caller (dispatch_input, serve_attach->send_effect, inject-floor flush) ENQUEUES + returns immediately, never blocks. A blocked/slow harness blocks ONLY its own writer thread, never the broker dispatch. Backpressure (operator ruling): queue full => DROP excess input + stamp the session INPUT_BACKPRESSURE (visible health signal); the daemon NEVER wedges; a merely-slow harness self-heals as the writer drains. Exactly-once preserved (PtyWrite ephemeral: apply_once effect = the non-blocking enqueue => Applied; ack now means accepted+ordered, benign — rc does not gate on landing); order preserved (single FIFO + single writer); inject-floor (W2 Layer C) choreography moves to the lone writer. Completes the W1b-deferred fix (2), cross-platform (cfg(unix) forkpty park folds in). (v0.13.0)
2026-06-21T04:47:54.1345153Z - Required stages: impl, unit, int
2026-06-21T04:47:54.1345191Z 
2026-06-21T04:47:54.1345300Z ### REQ-SESSION-RESUME-TEMPLATE
2026-06-21T04:47:54.1352183Z - Title: Resuming an endpoint session that HAS conversation history brings up a BLANK session. ROOT (doyle, code-grounded + CONTEXT — case-3 spt-core MISSING feature, NOT a perri docs-miss): CONTEXT L127-129 already defines the resume-session seam ('continue-existing: resume an existing harness session under the adapter — its NATIVE resume'), and the manifest already has the resume-variant pattern (Session has BOTH psyche_init AND psyche_resume, manifest.rs:217-219) — but the agent's own session has ONLY self_ (`[session.self]`, no resume sibling). cmd_endpoint_run (cli.rs:1304) re-passes the session_id through `[session.self]` on resume (resume.unwrap_or_else(mint_session_id)), so the adapter's FRESH command (e.g. `claude --session-id ..`) runs again instead of the harness NATIVE resume (`claude -r ..`) -> CC starts a fresh transcript -> blank. spt-core forwards session_id + cwd faithfully; it just has no way to express the native-resume invocation. SECOND GAP: CC resolves a transcript by session_id + cwd, but the session ledger records only {ts, session_id, trigger} (no cwd), so picker Resume-from-history (cross-project rows) can't restore the right cwd. FIX (doyle design, V0.13.0-P2-SESSION-RESUME-DESIGN.md, mirrors psyche_init->psyche_resume exactly): (A) add a `[session.resume]` role (resume: Option<SessionRole> on Session + roles()/is_empty()); cmd_endpoint_run selects it when --resume is set AND it's declared (fill {id}/{session_id}=resumed id/{session_name} + the resume cwd), else FALL BACK to `[session.self]` (full back-compat). (B) record cwd PER ledger row (operator ruling): {ts, session_id, trigger, cwd} additive serde-default; resume cwd = resumed row cwd -> else perch info.cwd -> else current_dir (back-compat for old rows + single-project endpoints); picker threads the selected row's cwd through Outcome::Run -> cmd_endpoint_run. (C) public docs (MANIFEST + harness-contract) teach `[session.resume]` so perri builds the adapter side BLIND. Adapter follow-on (perri, AFTER spt-core ships+docs): declare `[session.resume] command = claude -r {session_id} --remote-control {id} --dangerously-skip-permissions` from the resume cwd. Completes REQ-READY-AGENT-RESUME / REQ-RUN-PICKER resume-from-history. (v0.13.0)
2026-06-21T04:47:54.1352435Z - Required stages: doc, impl, unit, int
2026-06-21T04:47:54.1352470Z 
2026-06-21T04:47:54.1352569Z ### REQ-RC-WIN-PASTE
2026-06-21T04:47:54.1357215Z - Title: In an `spt rc` session neither ctrl+V nor right-click pastes (CC explicitly supports ctrl+V). ROOT (doyle /diagnose): RawGuard does only enable_raw_mode (no bracketed paste / no mouse capture / no clipboard interception); the Windows console delivers a paste as synthetic per-char KEY EVENTs (no crossterm Event::Paste), and ctrl+V translates to bare ^V forwarded to CC — but CC runs DAEMON-SIDE with NO access to the operator's LOCAL clipboard, so remote paste is fundamentally CLIENT-ORIGINATED. A multi-line paste-as-keys also becomes a \r submit-storm. FIX (doyle design, V0.13.0-P1-RC-PASTE-DESIGN.md, cfg(windows), folds into the bug-2 event path): on a paste gesture rc reads the LOCAL clipboard + forwards a BRACKETED PASTE (ESC[200~ + content + ESC[201~); CC has bracketed-paste mode on (its TUI sets ESC[?2004h) so it treats it as a paste — content intact, no submit-storm, harness-AGNOSTIC. ctrl+V: intercept Char('v')+CONTROL in the event loop -> read_clipboard -> bracketed paste. Right-click: RawGuard also EnableMouseCapture (disables console QuickEdit + enables ENABLE_MOUSE_INPUT so right-click surfaces as Event::Mouse on legacy cmd/powershell) -> right-button -> read_clipboard -> bracketed paste; DROP all other mouse (CC has no mouse features, operator-confirmed, so capture costs nothing). read_clipboard = clipboard-win crate (cfg(windows), minimal); empty/failed = clean no-op. Content forwarded VERBATIM (literal pasted text, no per-char translation). Unix UNCHANGED (its terminal pastes natively through the byte pump). DEPENDS ON P0 (a paste chunk must not wedge the broker). (v0.13.0)
2026-06-21T04:47:54.1357449Z - Required stages: doc, impl, unit
2026-06-21T04:47:54.1357487Z 
2026-06-21T04:47:54.1357593Z ### REQ-HAZARD-INPUT-ACK-BACKPRESSURE
2026-06-21T04:47:54.1364904Z - Title: A FLOOD of operator input on one brain↔broker connection deadlocks the broker PERMANENTLY (entire broker — no new/existing attach; the controller stays latched because the per-conn handler can't process the detach). ROOT (doyle /diagnose, code-grounded + HITL capture, the v0.13.0 P1 ctrl+V re-open): `serve_attach` processes a whole `NetStreamData` batch of N operator `Input` records in its inner `for rec in decoder.push()` loop, calling `brain.send_effect(op_id, &bytes)` N times WITHOUT returning to `read_event()` — so the brain writes N `KIND_INPUT` frames back-to-back and drains nothing. The broker's single-threaded per-conn handler answers EACH with `send_frame(applied_envelope)` on the SAME conn (B5 exactly-once ack, KNOWN-HAZARDS 7.2). With the brain not reading, the broker→brain return direction fills (~10 frames = the IPC pipe buffer) → `send_frame` BLOCKS → the handler stops reading → the brain's writes block too → mutual full-duplex DEADLOCK. Capture pinned it: 11 input frames, write_input 11/11 (P0 holds — the PTY write is fine), ack send START=11 / END=10 (frame #11's applied-ack never returns). Same class as the v0.12.1 L0 two-conn split. Windows Terminal's ctrl+V paste accelerator was the trigger (injects the clipboard as a char-by-char key flood) but the deadlock is generic to ANY input flood, NOT ctrl+V-specific and NOT a P0 (PTY-write) or W1 (output-drain) regression. The applied-ack is load-bearing ONLY for `shellchan` (one-at-a-time spool delivery WAITS on `BrokerEvent::Applied`); `serve_attach` DISCARDS it (the operator/rc path is fire-and-forward, op_id for dedup only, never gates on the ack). FIX (doyle-approved): CONDITIONAL ACK — `InputReq` gains `ack: bool` (serde default = true, N-1-safe: an older brain's input still acks = today's behavior). `serve_attach`'s operator path calls `send_effect_no_ack` (ack=false) → `dispatch_input` writes NO applied frame → the per-conn handler never writes back while servicing the flood → it always drains → no deadlock (cures ANY input flood). `shellchan` keeps `send_effect` (ack=true) and its `Applied`-wait. Exactly-once PRESERVED: the broker still dedups by (session, op_id) at the applied-set regardless of the ack. N-1 caveat: an OLD resident broker (self-update window) ignores `ack=false` → still acks → the deadlock persists until a broker restart (inherent KNOWN-HAZARDS 7.9 broker-resident-wire-change class). (v0.13.0)
2026-06-21T04:47:54.1365142Z - Required stages: doc, impl, unit, int
2026-06-21T04:47:54.1365180Z 
2026-06-21T04:47:54.1365277Z ### REQ-RC-MOUSE-FORWARD
2026-06-21T04:47:54.1369670Z - Title: On Windows, `spt rc` must FORWARD scroll-wheel events to the harness when the harness has mouse reporting on. ROOT (operator HITL): P1's RawGuard EnableMouseCapture (added for right-click paste, REQ-RC-WIN-PASTE) makes Windows Terminal forward ALL mouse — including the scroll wheel — to rc instead of scrolling its own buffer, but the rc mouse handler dropped everything except right-button-down → scroll DIED (and WT's native scrollback is stolen by the capture). Operator ruling: keep mouse capture + right-click bracketed paste AND forward scroll to the harness. FIX (doyle design, cfg(windows), folds into the rc mouse handler): TRACK the harness's mouse-reporting mode by scanning its OUTPUT stream for the DECSET set/reset — ESC[?1000h/1002h/1003h (mouse on) + ESC[?1006h (SGR ext) and their ...l (off) — into a shared MouseMode{enabled,sgr} (pump writes from output, stdin reader reads); the scan survives a sequence SPLIT across output chunks (a bounded carry buffer). The mouse handler: right-button-DOWN -> bracketed clipboard paste (unchanged, REQ-RC-WIN-PASTE); ScrollUp/Down -> translate to an xterm SGR mouse report (ESC[<64;col+1;row+1M up / ESC[<65;..M down, 0-based crossterm -> 1-based xterm) and forward ONLY when enabled && sgr (else DROP — a legacy X10 report the harness may not parse is garbage); Moved/drag/left/middle -> DROP (scroll is the operator's need; click-forward risks garbage, no click-to-position). Unix UNCHANGED (no capture; the terminal scrolls natively). (v0.13.0)
2026-06-21T04:47:54.1369899Z - Required stages: doc, impl, unit
2026-06-21T04:47:54.1369937Z 
2026-06-21T04:47:54.1370057Z ### REQ-HAZARD-CONTROLLER-WRITER-REORDER
2026-06-21T04:47:54.1383762Z - Title: Two `controller_writer` threads must never race ONE brain↔broker connection's socket. ROOT (doyle, instrumented RACEDIAG repro on kitsubito): on a brain-restart re-serve the handoff brain registers as controller on the SAME session TWICE over the SAME `Brain::conn` socket — (1) `Brain::handoff` eagerly `subscribe(prior.session_id, prior.next_seq=1)` → `become_controller(from_seq=1)`, initial=[1], spawns writer-A (writes seq 1); (2) `serve_attach` re-handles the replayed `Request{from_seq:0}` → `attach_as(sid,0)` → `become_controller(from_seq=0)`, initial=[0,1], spawns writer-B (writes 0 then 1). `become_controller` (broker.rs) drops the prior `ControllerSink` (its `tx`) but does NOT stop the prior writer thread — writer-A keeps flushing its owned `initial` batch, and both writers hold clones of the same `SharedSend` (`Arc<Mutex<socket>>`) with NO inter-thread ordering. When writer-A's seq 1 wins the socket before writer-B's seq 0, the strict legacy consumer (brain.rs read_event reject-gap path) sees `output gap: got seq 1 want 0` → the test `attach_survives_target_brain_restart_exactly_once` panics at `.expect("re-serve")` OR HANGS in `render_until` (serve thread died on the gap → MARKER_TWO never reaches the wire). `prior.next_seq` is life1's CONSUMPTION cursor, NOT life2's connection state — life2's socket has been sent NOTHING, so a `from_seq=0` full replay on a connection that already streamed seq 1 is contradictory. Snap-above tolerance ALONE can't fix it (it would dedup-drop the late seq 0 → byte loss → the exactly-once byte-identity assert fails). PRE-EXISTING, surfaced by the v0.13.0 green-both-runners release gate; P1b is INNOCENT (its diff touches only input-ack machinery, proven mechanically + the test passes post-P1b in isolation). Sibling flaky cluster: `inject_control_wedge::g2`, `broker::spawn_env_reaches_child`. INVARIANT: on a single brain↔broker connection the controller output-frame stream is monotonic non-decreasing in seq (modulo dedup re-sends); exactly ONE `controller_writer` is ever live per connection; a SUPERSEDED writer writes NO further frames; a re-serve never replays a seq below what the connection already received. FIX (doyle design, corrected at the gate 2026-06-20): fix #1 as designed ('drop handoff's eager subscribe so serve_attach's attach_as is the sole registration') was REVERTED — handoff's `subscribe(prior.next_seq)` IS the standalone-resume mechanism (the brain-only update engine `apply_brain_only` + the `handoff`/`idempotent`/`daemon_e2e` int tests replay output through it with NO `serve_attach`; dropping it hung every resume-via-handoff test). The shipped fix is three parts: (1) CORRECTNESS — `Brain::handoff` seeds `session_cursors` at `prior.next_seq` so the consumer runs the production dedup-below+snap-above path, never the strict reject-gap legacy trap; this is COMPLETE (not merely tolerant) because every `controller_writer` emits an ASCENDING seq stream and the surviving writer (serve_attach's attach_as(sid,0)) offers the complete `[0,end]` range, so a snap-above merge of ascending writers delivers `[K,end]` with no skip/dup (first sighting of any seq>M is preceded by M on that writer). (2) INVARIANT — `controller_writer`'s INITIAL-BATCH replay is epoch-gated: `controller_epoch` is a shared `Arc<AtomicU64>`, the writer re-reads it UNDER `send.lock()` (atomically with `write_frame`) and returns the instant it is superseded — no check-then-block-then-write window, no superseded replay (W1-safe: never blocks the drain under `Mutex<OutputLog>`). The LIVE loop is NOT gated (new output only flows to the current controller; a superseded writer must still deliver its terminal `Displaced` kick — gating it suppressed the loud-take notice; it ends on `tx`-drop). (3) EXPLICIT-RESUME / OPERATOR-STREAM BOUNDARY (the LOAD-BEARING fix — kitsubito RACEDIAG ~33% repro the keystones missed) — `Brain::subscribe_with` (shared by attach/attach_as) resets the resume-mode dedup cursor to `from_seq`. The handoff eager subscribe makes serve_attach's brain receive the replay's seq K BEFORE the operator Request is processed (`attached`=false); that frame is dropped by the if-attached forward gate but the snap-above cursor already advanced past K, and `attach_as(sid,0)`'s re-subscribe used to leave the cursor advanced → the broker's re-send of seq K arrives below it, deduped, never forwarded → operator viewport forward-gap (silent content loss in the real rc consumer). Resetting to from_seq on the attach_as re-subscribe re-delivers from 0 (operator dedups the overlap) so seq K reaches the viewport. The epoch gate (2) is sound (RACEDIAG: zero socket interleaving above K); cold-start brains (empty map — production dispatch serve) keep the legacy next_seq path, so production is unaffected. (v0.13.0)
2026-06-21T04:47:54.1384221Z - Required stages: doc, impl, unit, int
2026-06-21T04:47:54.1384249Z 
2026-06-21T04:47:54.1384363Z ### REQ-HAZARD-CONTROLLER-RETAKE-FLOOR
2026-06-21T04:47:54.1388591Z - Title: `become_controller` should STRUCTURALLY refuse a controller re-take whose `from_seq` falls below the connection's already-delivered contiguous floor — making the P1c reorder invariant un-reintroducible by a future caller, not just removed at the one caller. ROOT/SCOPE (doyle proposed, P1c gate dialogue): P1c fixes REQ-HAZARD-CONTROLLER-WRITER-REORDER three ways (handoff single-take + epoch-gate-under-lock + session_cursors seed), removing the one decreasing-floor double-take and bounding any other to already-committed-only. A self-enforcing broker guard would refuse the bad SHAPE outright. BLOCKER: the obvious predicate (`from_seq >= delivered_through`) is UNSAFE because `delivered_through` is SESSION-WIDE (the `Arc<AtomicU64>` on `OutputLog`, shared by all controllers/viewers, advanced monotonic-MAX; `resume_seq` reads it) — a normal fresh-operator `from_seq=0` attach to a producing session legitimately sits below it (full ring replay + consumer dedup-below/snap-above), and monotonic-MAX can't distinguish the hazard (a `seq1`-without-`seq0` write reads as `2`). The structurally-correct guard needs a NEW per-connection contiguous-sent cursor (the true highest-contiguous seq this socket has received) that does not exist today; the guard then refuses a re-take below THAT. Bigger than P1c; no live gap (P1c fully fixes the actual bug). Mint/refine stages when the per-connection cursor is built. (v0.13.0 follow-up, post-ship)
2026-06-21T04:47:54.1388706Z - Required stages: 
2026-06-21T04:47:54.1388744Z 
2026-06-21T04:47:54.1388839Z ## How to report back
2026-06-21T04:47:54.1388867Z 
2026-06-21T04:47:54.1389097Z For every (requirement, failing criterion) pair, emit one finding:
2026-06-21T04:47:54.1389129Z 
2026-06-21T04:47:54.1389206Z     {
2026-06-21T04:47:54.1389307Z       "code": "requirement_quality",
2026-06-21T04:47:54.1389411Z       "requirementId": "REQ-...",
2026-06-21T04:47:54.1389579Z       "criterion": "singular" | "verifiable" | "atomic" | "active-voice",
2026-06-21T04:47:54.1389678Z       "message": "<short reason>",
2026-06-21T04:47:54.1389797Z       "suggestedRevision": "<optional rewrite>"
2026-06-21T04:47:54.1389889Z     }
2026-06-21T04:47:54.1389918Z 
2026-06-21T04:47:54.1390083Z Wrap your response as { "findings": [ ... ] } listing only your concerns; the
2026-06-21T04:47:54.1390237Z deterministic findings above don't need to be repeated.
