feat(gastown): replace binary is_admin gate with PostHog feature flags (#904)

* feat(gastown): replace binary is_admin gate with PostHog feature flags (#901)

Replace the binary is_admin check from #537 with PostHog feature flags
for progressive rollout. Flag management (allowlists, percentage rollout,
kill-switch) is handled entirely through the PostHog dashboard — no
custom DB tables or admin UI needed.

Gate points updated:
- 9 Next.js pages use isFeatureFlagEnabled('gastown-access', user.id)
- Sidebar uses useFeatureFlagEnabled('gastown-access')
- Token endpoint evaluates the flag and embeds gastownAccess in the JWT
- Worker checks gastownAccess JWT claim (isAdmin fallback for compat)

Sub-feature flag names defined: gastown-convoys, gastown-pr-merge,
gastown-multi-rig (to be created in PostHog when needed).

Closes #901

* fix: address PR review comments

- Switch from isFeatureFlagEnabled to isReleaseToggleEnabled for strict
  boolean auth checks (prevents multivariate variants from granting access)
- Remove dev-mode bypass — gate in dev too via PostHog
- Abstract requireGastownAccess into gastownProcedure composable tRPC
  middleware in init.ts, replacing manual requireGastownAccess(ctx) calls
- Remove sub-feature flags (convoys, pr_merge, multi_rig) — only
  gastown-access remains

* fix: use strict boolean check for client-side gastown flag

Use useFeatureFlagVariantKey === true instead of useFeatureFlagEnabled
to align the sidebar with the server-side isReleaseToggleEnabled check.
This prevents multivariate string variants from showing the nav item
when server-side access would be denied.

* fix: use isFeatureFlagEnabled with dev override for gastown-access

Switch all gate points from isReleaseToggleEnabled back to
isFeatureFlagEnabled. Add a DEV_ENABLED_FLAGS set to
posthog-feature-flags.ts that returns true for gastown-access in
non-production environments so local dev works without PostHog
configuration. Sidebar reverts to useFeatureFlagEnabled.

* refactor: move dev override into isGastownEnabled, revert posthog-feature-flags.ts

Move the dev-mode override out of the shared posthog-feature-flags.ts
module and into isGastownEnabled in src/lib/gastown/feature-flags.ts.
All pages and the token endpoint now call isGastownEnabled(user.id)
which returns true in non-production and delegates to
isFeatureFlagEnabled in production. The sidebar uses
useFeatureFlagEnabled || isDevelopment for the same effect client-side.

* feat(gastown): witness/deacon patrol, mayor codebase browsing, and UI improvements (#442) (#924)

Alarm-driven patrol system (witness & deacon):
- Tiered GUPP violation handling (30min warn, 1h escalate+triage, 2h force-stop)
- Orphaned work detection, stale hook recovery, agent GC, crash loop detection
- Per-bead timeout enforcement with agent container termination
- On-demand LLM triage agent for ambiguous situations
- Triage action validation, access control, and snapshot-based resolution
- Stranded convoy feeding with immediate dispatch eligibility

Mayor codebase browsing:
- Browse worktrees at /workspace/rigs/<rigId>/browse/ for read-only access
- POST /repos/setup container endpoint for proactive repo cloning
- System prompt written to AGENTS.md so mayor and sub-agents share context
- Git credential race fix: refreshGitCredentials runs before configureRig
- GIT_TERMINAL_PROMPT=0 to prevent credential prompt hangs

Agent dispatch improvements:
- startPoint parameter for convoy agents to branch from feature branch
- platformIntegrationId and KILOCODE_TOKEN plumbed through repo setup
- Existing users arm watchdog on DO init
- RESTART_WITH_BACKOFF uses dispatch cooldown delay

Rig deletion fix:
- tRPC deleteRig now calls TownDO.removeRig (was missing)
- addRig handles stale name conflicts via catch-and-retry

Real-time alarm status UI:
- Hibernatable WebSocket for live alarm status push
- Status tab in terminal bar with agent/bead/patrol cards

Other UI:
- Convoy title and branch use flex-based truncation instead of fixed max-width
- Status pane card padding normalized to p-2
- Legacy agent roles accepted in Zod schemas for backward compat
- PostHog feature flag integration for gastown access gating

* fix(gastown): only stop agent on triage resolve if still hooked to snapshot bead

CLOSE_BEAD and REASSIGN_BEAD now check that the agent's current hook
matches the snapshot bead from the triage request before calling
stopAgentInContainer. If the agent has moved on to different work,
stopping it would abort unrelated sessions.

* style: fix prettier formatting in gastown type declarations

* fix: resolve lint errors (no-base-to-string, unused vars)

* fix(gastown): triage agent should call gt_done not gt_bead_close

gt_bead_close only marks the bead closed without unhooking the agent
or resetting it to idle, leaking agent records. gt_done triggers the
agentDone path which has the patrol-created triage fast-path that
properly closes the batch, unhooks, and returns the agent to idle.

* fix(gastown): refinery singleton, container eviction recovery, review queue safety

- Treat refinery as per-rig singleton in getOrCreateAgent to prevent
  UNIQUE constraint on identity when a refinery already exists
- Re-queue review entry (reset to open) when refinery is busy instead
  of leaving it stuck in in_progress
- Return 'not_found' (not 'unknown') from checkAgentContainerStatus on
  404, so witnessPatrol immediately resets and redispatches agents after
  container eviction instead of waiting for the 2-hour GUPP timeout

* fix(gastown): triage prompt, timestamp format, per-rig creds, browse refresh

- Remove remaining gt_bead_close reference in triage prompt (line 72)
  that contradicted the gt_done instruction on line 49
- Use strftime with ISO format in orphanedHooks SQL query to match
  the toISOString() format stored in last_activity_at
- Resolve git credentials per-rig in mayor browse setup instead of
  sharing one credential set across all rigs
- Browse worktree refresh uses fetch+reset instead of checkout to
  avoid wrong-branch errors (worktree is on synthetic browse branch)

* fix(gastown): escalations now create triage requests for automated follow-up

Previously, gt_escalate created an escalation bead and optionally
notified the mayor, but nothing automated acted on it. Escalation
beads sat open with no assignee indefinitely.

Now routeEscalation creates a triage request alongside the escalation
bead, feeding the escalation into the patrol→triage→resolve loop.
The triage agent can then RESTART, REASSIGN, CLOSE, or ESCALATE_TO_MAYOR
with the full context of the original escalation.

When a triage request linked to an escalation is resolved, the
escalation bead is also closed automatically.

Also adds 'escalation' to the TriageType union and enriches the
ESCALATE_TO_MAYOR mayor message with agent and bead context.

* feat(gastown): store convoy_id and source_bead_id in escalation metadata

When an agent escalates from within a convoy, the escalation bead and
its triage request now carry convoy_id and source_bead_id in their
metadata. This associates escalations with their convoy for display
purposes and lays groundwork for Phase 4 convoy-aware triage handling.

* fix(gastown): escalation metadata path, polling fallback, refinery rollback, regen types

- Fix escalation_bead_id lookup in resolveTriage to read from
  metadata.context (matching createTriageRequest's structure)
- Add polling fallback to AlarmStatusPane via tRPC getAlarmStatus
  query when WebSocket fails, with 5s refetch interval
- Reset refinery to idle when container start fails in processReviewQueue
- Regenerate gastown type declarations to include getAlarmStatus

Author: jrf0110

cloudflare-gastown/container/plugin/client.ts

@@ -174,6 +174,21 @@ export class GastownClient {
       body: JSON.stringify({ summary }),
     });
   }
+
+  /**
+   * Resolve a triage_request bead with the chosen action and notes.
+   * The TownDO closes the triage request and executes any side effects.
+   */
+  async resolveTriage(input: {
+    triage_request_bead_id: string;
+    action: string;
+    resolution_notes: string;
+  }): Promise<Bead> {
+    return this.request<Bead>(this.rigPath('/triage/resolve'), {
+      method: 'POST',
+      body: JSON.stringify(input),
+    });
+  }
 }
 
 /**

cloudflare-gastown/container/plugin/tools.ts

@@ -184,5 +184,32 @@ export function createTools(client: GastownClient) {
         return `Advanced to step ${result.currentStep + 1} of ${result.totalSteps}.`;
       },
     }),
+
+    gt_triage_resolve: tool({
+      description:
+        'Resolve a triage request with your chosen action. The TownDO will execute ' +
+        'the action (restart agent, close bead, escalate, etc.) and close the triage request.',
+      args: {
+        triage_request_bead_id: tool.schema
+          .string()
+          .describe('The UUID of the triage_request bead to resolve'),
+        action: tool.schema
+          .string()
+          .describe(
+            'The chosen action from the available options (e.g. RESTART, ESCALATE_TO_MAYOR, CLOSE_BEAD)'
+          ),
+        resolution_notes: tool.schema
+          .string()
+          .describe('Brief explanation of your reasoning for choosing this action'),
+      },
+      async execute(args) {
+        const bead = await client.resolveTriage({
+          triage_request_bead_id: args.triage_request_bead_id,
+          action: args.action,
+          resolution_notes: args.resolution_notes,
+        });
+        return `Triage request ${args.triage_request_bead_id} resolved with action: ${args.action}`;
+      },
+    }),
   };
 }

cloudflare-gastown/container/plugin/types.ts

@@ -30,7 +30,7 @@ export type Bead = {
   closed_at: string | null;
 };
 
-export type AgentRole = 'polecat' | 'refinery' | 'mayor' | 'witness';
+export type AgentRole = 'polecat' | 'refinery' | 'mayor';
 export type AgentStatus = 'idle' | 'working' | 'stalled' | 'dead';
 
 export type Agent = {

cloudflare-gastown/container/src/agent-runner.ts

@@ -1,7 +1,7 @@
 import type { Config } from '@kilocode/sdk';
 import { z } from 'zod';
 import { writeFile } from 'node:fs/promises';
-import { cloneRepo, createWorktree } from './git-manager';
+import { cloneRepo, createWorktree, setupRigBrowseWorktree } from './git-manager';
 import { startAgent } from './process-manager';
 import { getCurrentTownConfig } from './control-server';
 import type { ManagedAgent, StartAgentRequest } from './types';
@@ -210,15 +210,16 @@ async function configureGitCredentials(
  * is available, call the Next.js server to resolve fresh credentials.
  * Returns the (potentially enriched) envVars.
  */
-async function resolveGitCredentialsIfMissing(
-  request: StartAgentRequest
-): Promise<Record<string, string>> {
-  const envVars = { ...(request.envVars ?? {}) };
+export async function resolveGitCredentials(params: {
+  envVars?: Record<string, string>;
+  platformIntegrationId?: string;
+}): Promise<Record<string, string>> {
+  const envVars = { ...(params.envVars ?? {}) };
   const hasToken = !!(envVars.GIT_TOKEN || envVars.GITHUB_TOKEN || envVars.GITLAB_TOKEN);
 
   if (hasToken) return envVars;
 
-  const integrationId = request.platformIntegrationId;
+  const integrationId = params.platformIntegrationId;
   const kiloToken = envVars.KILOCODE_TOKEN;
   // The Next.js server URL — in dev it's localhost:3000, in prod it's the main app URL.
   // We derive it from KILO_API_URL (the gateway URL) or fall back to localhost.
@@ -360,6 +361,58 @@ async function createMayorWorkspace(rigId: string): Promise<string> {
   return dir;
 }
 
+/**
+ * Write the mayor's system prompt to AGENTS.md in the workspace.
+ *
+ * kilo/opencode reads AGENTS.md from the project root for ALL sessions,
+ * including built-in sub-agents (explore, general). By writing the full
+ * system prompt here instead of passing it via the session.prompt API,
+ * the mayor and all its sub-agents share the exact same instructions.
+ *
+ * The system prompt comes from the TownDO (buildMayorSystemPrompt) and
+ * is the single source of truth. When it changes (gastown updates,
+ * user customization), the TownDO sends the updated prompt and we
+ * rewrite this file.
+ */
+async function writeMayorSystemPromptToAgentsMd(
+  workspaceDir: string,
+  systemPrompt: string
+): Promise<void> {
+  const { writeFile, readdir, stat } = await import('node:fs/promises');
+  const path = await import('node:path');
+
+  // Append a dynamic section listing discovered browse worktrees so
+  // sub-agents know where to find rig codebases.
+  const rigsRoot = '/workspace/rigs';
+  let rigDirs: string[] = [];
+  try {
+    rigDirs = await readdir(rigsRoot);
+  } catch {
+    // No rigs directory yet
+  }
+
+  const browseEntries: string[] = [];
+  for (const entry of rigDirs) {
+    if (entry.startsWith('mayor-')) continue;
+    const browseDir = path.join(rigsRoot, entry, 'browse');
+    try {
+      const s = await stat(browseDir);
+      if (s.isDirectory()) {
+        browseEntries.push(`- **${entry}**: \`${browseDir}\``);
+      }
+    } catch {
+      // No browse worktree yet
+    }
+  }
+
+  const browseSuffix =
+    browseEntries.length > 0
+      ? `\n\n## Discovered Browse Worktrees\n\n${browseEntries.join('\n')}`
+      : '';
+
+  await writeFile(path.join(workspaceDir, 'AGENTS.md'), systemPrompt + browseSuffix);
+}
+
 /**
  * Run the full agent startup sequence:
  * 1. Clone/fetch the rig's git repo (or create minimal workspace for mayor)
@@ -368,17 +421,60 @@ async function createMayorWorkspace(rigId: string): Promise<string> {
  * 4. Start a kilo serve instance for the worktree (or reuse existing)
  * 5. Create a session and send the initial prompt via HTTP API
  */
-export async function runAgent(request: StartAgentRequest): Promise<ManagedAgent> {
+export async function runAgent(originalRequest: StartAgentRequest): Promise<ManagedAgent> {
+  let request = originalRequest;
   let workdir: string;
 
   if (request.role === 'mayor') {
     // Mayor doesn't need a repo clone — just a git-initialized directory
     workdir = await createMayorWorkspace(request.rigId);
+
+    // On fresh containers the browse worktrees won't exist yet. Set them
+    // up for all known rigs before writing AGENTS.md so the mayor (and its
+    // sub-agents) can immediately browse codebases.
+    if (request.rigs?.length) {
+      // Resolve credentials per-rig since each may use a different
+      // GitHub App installation (platformIntegrationId).
+      const baseEnvVars = request.envVars ?? {};
+      await Promise.allSettled(
+        request.rigs.map(async rig => {
+          try {
+            const envVars = await resolveGitCredentials({
+              envVars: baseEnvVars,
+              platformIntegrationId: rig.platformIntegrationId,
+            });
+            await setupRigBrowseWorktree({
+              rigId: rig.rigId,
+              gitUrl: rig.gitUrl,
+              defaultBranch: rig.defaultBranch,
+              envVars,
+            });
+          } catch (err) {
+            const msg = err instanceof Error ? err.message.split('\n')[0] : String(err);
+            console.warn(`[runAgent] browse worktree setup failed for rig=${rig.rigId}: ${msg}`);
+          }
+        })
+      );
+    }
+
+    // Write the system prompt to AGENTS.md so the mayor AND its built-in
+    // sub-agents (explore, general) all share the same instructions.
+    // The system prompt is NOT passed via the session.prompt API — AGENTS.md
+    // is the sole source of truth for the mayor's instructions.
+    if (request.systemPrompt) {
+      await writeMayorSystemPromptToAgentsMd(workdir, request.systemPrompt);
+    }
   } else {
     // Resolve git credentials if missing. When the town config doesn't have
     // a token (common on first dispatch after rig creation), fetch one from
     // the Next.js server using the platform_integration_id.
-    const envVars = await resolveGitCredentialsIfMissing(request);
+    const envVars = await resolveGitCredentials(request);
+
+    // Merge resolved credentials back into the request so buildAgentEnv
+    // can propagate GIT_TOKEN/GH_TOKEN to the spawned kilo serve process.
+    // Without this, rigs using platformIntegrationId would clone successfully
+    // but the agent session itself would lack git push / gh credentials.
+    request = { ...request, envVars };
 
     await cloneRepo({
       rigId: request.rigId,
@@ -390,6 +486,8 @@ export async function runAgent(request: StartAgentRequest): Promise<ManagedAgent
     workdir = await createWorktree({
       rigId: request.rigId,
       branch: request.branch,
+      startPoint: request.startPoint,
+      defaultBranch: request.defaultBranch,
     });
 
     // Set up git credentials so the agent can push
@@ -401,5 +499,13 @@ export async function runAgent(request: StartAgentRequest): Promise<ManagedAgent
 
   const env = buildAgentEnv(request);
 
-  return startAgent(request, workdir, env);
+  // For the mayor, the system prompt lives in AGENTS.md (written above)
+  // so all sessions — including sub-agents — share it. Don't also pass
+  // it via the session.prompt API to avoid duplication. Setting to
+  // undefined (not '') so the SDK omits it entirely and kilo serve
+  // uses its default system prompt + AGENTS.md, rather than treating
+  // an empty string as an explicit override.
+  const startRequest = request.role === 'mayor' ? { ...request, systemPrompt: undefined } : request;
+
+  return startAgent(startRequest, workdir, env);
 }

cloudflare-gastown/container/src/control-server.ts

@@ -1,6 +1,6 @@
 import { Hono } from 'hono';
 import { z } from 'zod';
-import { runAgent } from './agent-runner';
+import { runAgent, resolveGitCredentials } from './agent-runner';
 import {
   stopAgent,
   sendMessage,
@@ -13,8 +13,8 @@ import {
   registerEventSink,
 } from './process-manager';
 import { startHeartbeat, stopHeartbeat } from './heartbeat';
-import { mergeBranch } from './git-manager';
-import { StartAgentRequest, SendMessageRequest, MergeRequest } from './types';
+import { mergeBranch, setupRigBrowseWorktree } from './git-manager';
+import { StartAgentRequest, SendMessageRequest, MergeRequest, SetupRepoRequest } from './types';
 import type {
   AgentStatusResponse,
   HealthResponse,
@@ -105,7 +105,7 @@ app.post('/agents/start', async c => {
   console.log(
     `[control-server] /agents/start: role=${parsed.data.role} name=${parsed.data.name} rigId=${parsed.data.rigId} agentId=${parsed.data.agentId}`
   );
-  console.log(`[control-server] system prompt length: ${parsed.data.systemPrompt.length}`);
+  console.log(`[control-server] system prompt length: ${parsed.data.systemPrompt?.length ?? 0}`);
 
   try {
     const agent = await runAgent(parsed.data);
@@ -228,6 +228,53 @@ export function consumeStreamTicket(ticket: string): string | null {
   return entry.agentId;
 }
 
+// POST /repos/setup
+// Proactively clone a rig's repo and create a browse worktree so the
+// mayor (and future agents) have immediate access to the codebase.
+// Called by the TownDO when a new rig is added.
+app.post('/repos/setup', async c => {
+  const body: unknown = await c.req.json().catch(() => null);
+  const parsed = SetupRepoRequest.safeParse(body);
+  if (!parsed.success) {
+    return c.json({ error: 'Invalid request body', issues: parsed.error.issues }, 400);
+  }
+
+  const req = parsed.data;
+  console.log(`[control-server] /repos/setup: rigId=${req.rigId} gitUrl=${req.gitUrl}`);
+
+  // Run in background so we return 202 immediately.
+  // Errors are caught and logged — never propagated as unhandled rejections.
+  const doSetup = async () => {
+    try {
+      // Resolve git credentials from platformIntegrationId if no token
+      // is present in envVars (e.g. rigs using GitHub App installations).
+      const envVars = await resolveGitCredentials({
+        envVars: req.envVars,
+        platformIntegrationId: req.platformIntegrationId,
+      });
+
+      const browseDir = await setupRigBrowseWorktree({
+        rigId: req.rigId,
+        gitUrl: req.gitUrl,
+        defaultBranch: req.defaultBranch,
+        envVars,
+      });
+      console.log(`[control-server] /repos/setup: done rigId=${req.rigId} browse=${browseDir}`);
+    } catch (err) {
+      // Log as a warning, not an error — this is a best-effort background
+      // operation. The mayor and agents can still function without the
+      // browse worktree; it will be retried on the next agent dispatch.
+      const message = err instanceof Error ? err.message : String(err);
+      console.warn(
+        `[control-server] /repos/setup: FAILED for rigId=${req.rigId}: ${message.split('\n')[0]}`
+      );
+    }
+  };
+  doSetup().catch(() => {});
+
+  return c.json({ status: 'accepted', message: 'Repo setup started' }, 202);
+});
+
 // POST /git/merge
 // Deterministic merge of a polecat branch into the target branch.
 // Called by the Rig DO's processReviewQueue → startMergeInContainer.